
Setting up a router on FreeBSD 6.1 Release with route and ipfilter

Updated: 2007-05-22 00:00:00   Author:
The goal of this server is to let internal-network users communicate with the outside world through it. The basic principle: internal users reach the external network through FreeBSD's built-in gateway/routing function (route), while the server's security and virus-traffic control are handled by FreeBSD's ipfilter. The initial setup goes as follows:

Network interface assignments:
vr0: external (WAN) network interface
vr1: internal (LAN) network interface

1. Minimal installation of FreeBSD 6.1 Release
Download the FreeBSD 6.1 Release image from ftp://ftp.FreeBSD.org/pub/FreeBSD/, burn it to a CD, set the server to boot from the CD drive, and start the installation. I chose the minimal installation and enabled ftp and ssh; the defaults are fine for everything else. For details, refer to this article. Reboot the machine after installation.

2. Installing the kernel sources
Put the installation CD in the drive, then run:
# /usr/sbin/sysinstall
Select Configure --> Distributions -> src -> sys, click install, and reboot the machine when the installation finishes.

3. Basic configuration
Configure /etc/rc.conf:
# cd /etc
# ee rc.conf
Contents:
hostname="gatewall.wxic.edu.cn"
defaultrouter="172.16.252.17"
ifconfig_vr0="inet 172.16.252.x netmask 255.255.255.252"
ifconfig_vr1="inet 58.193.11x.25x netmask 255.255.248.0"
inetd_enable="YES"
linux_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
sendmail_enable="NONE"

Configure /etc/resolv.conf (note: the file edited here is resolv.conf, not rc.conf):
# ee /etc/resolv.conf
Contents:
nameserver 58.193.112.1

4. Configuring the kernel to add ipfilter support
# cd /usr/src/sys/i386/conf
# cp GENERIC funpower
# ee funpower
然后開始編輯內(nèi)核文件,機器和應用方面的不同會有不同的內(nèi)核文件,因為需要用到ipfilter,我們加入對ipfilter的支持。在內(nèi)核中加入如下內(nèi)容:
options   IPFILTER
options   IPFILTER_LOG
options   IPFILTER_DEFAULT_BLOCK
For other options, refer to this article and customize as needed. Save and exit when done, then run:
# /usr/sbin/config funpower
# cd ../compile/funpower
# make cleandepend
# make depend
# make
# make install
After the build finishes, reboot the server (ipfilter blocks all traffic by default, so make sure you are working at the server console).

5. Adding the routing options to /etc/rc.conf
# cd /etc
# ee rc.conf
Append the following lines at the end:
gateway_enable="YES"
static_routes="static1"
route_static1="-net 58.193.11x.0/21 172.16.252.x/30"
The first address is the internal network range; the second is the gateway address on the external NIC.

6. Configuring ipfilter
Add to /etc/rc.conf:

ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.conf"
Then edit the /etc/ipf.conf file:
# cd /etc/
# ee ipf.conf
Contents:
# Loopback interface lo0
# out and in: pass everything

pass in quick on lo0 all
pass out quick on lo0 all

# External interface vr0
# out: only let the enabled IPs communicate

block out quick on vr0 from any to 192.168.0.0/16
block out quick on vr0 from any to 0.0.0.0/8
block out quick on vr0 from any to 169.254.0.0/16
block out quick on vr0 from any to 10.0.0.0/8
block out quick on vr0 from any to 172.16.0.0/12
block out quick on vr0 from any to 127.0.0.0/8
block out quick on vr0 from any to 192.0.2.0/24
block out quick on vr0 from any to 204.152.64.0/23
block out quick on vr0 from any to 224.0.0.0/3

# Enable 58.193.112.1
pass out quick on vr0 proto tcp/udp from 58.193.112.1/32 to any keep state
pass out quick on vr0 proto icmp from 58.193.112.1/32 to any keep state

# Enable 58.193.112.3
pass out quick on vr0 proto tcp/udp from 58.193.112.3/32 to any keep state
pass out quick on vr0 proto icmp from 58.193.112.3/32 to any keep state

# Enable 58.193.113.1
pass out quick on vr0 proto tcp/udp from 58.193.113.1/32 to any keep state
pass out quick on vr0 proto icmp from 58.193.113.1/32 to any keep state

# Enable 58.193.113.2
pass out quick on vr0 proto tcp/udp from 58.193.113.2/32 to any keep state
pass out quick on vr0 proto icmp from 58.193.113.2/32 to any keep state

block out on vr0 all

# in: block certain addresses (e.g. private ranges) and some worm/attack ports (e.g. 138, 139, 445, etc.)
block in quick on vr0 from 192.168.0.0/16 to any
block in quick on vr0 from 172.16.0.0/12 to any
block in quick on vr0 from 10.0.0.0/8 to any
block in quick on vr0 from 127.0.0.0/8 to any
block in quick on vr0 from 0.0.0.0/8 to any
block in quick on vr0 from 169.254.0.0/16 to any
block in quick on vr0 from 192.0.2.0/24 to any
block in quick on vr0 from 204.152.64.0/23 to any
block in quick on vr0 from 224.0.0.0/3 to any
block in quick on vr0 from 58.193.112.0/21 to any

block in quick on vr0 proto udp from any to any port = 69
block in quick on vr0 proto tcp/udp from any to any port = 135
block in quick on vr0 proto udp from any to any port = 137
block in quick on vr0 proto udp from any to any port = 138
block in quick on vr0 proto tcp/udp from any to any port = 139
block in quick on vr0 proto tcp/udp from any to any port = 445
block in quick on vr0 proto tcp/udp from any to any port = 593
block in quick on vr0 proto tcp from any to any port = 1022
block in quick on vr0 proto tcp from any to any port = 1023
block in quick on vr0 proto tcp from any to any port = 1025
block in quick on vr0 proto tcp from any port = 1034 to any port = 80
block in quick on vr0 proto tcp from any to any port = 1068
block in quick on vr0 proto tcp from any to any port = 1433
block in quick on vr0 proto udp from any to any port = 1434
block in quick on vr0 proto tcp from any to any port = 1871
block in quick on vr0 proto tcp from any to any port = 2745
block in quick on vr0 proto tcp from any to any port = 3208
block in quick on vr0 proto tcp from any to any port = 3127
block in quick on vr0 proto tcp from any to any port = 4331
block in quick on vr0 proto tcp from any to any port = 4334
block in quick on vr0 proto tcp from any to any port = 4444
block in quick on vr0 proto tcp from any port = 4444 to any
block in quick on vr0 proto tcp from any to any port = 4510
block in quick on vr0 proto tcp from any to any port = 4557
block in quick on vr0 proto tcp from any to any port = 5554
block in quick on vr0 proto tcp from any to any port = 5800
block in quick on vr0 proto tcp from any to any port = 5900
block in quick on vr0 proto tcp from any to any port = 6129
block in quick on vr0 proto tcp from any to any port = 6667
block in quick on vr0 proto tcp from any to any port = 9995
block in quick on vr0 proto tcp from any to any port = 9996
block in quick on vr0 proto tcp from any to any port = 10080

block in quick on vr0 all with frags
block in quick on vr0 proto tcp all with short
block in quick on vr0 all with opt lsrr
block in quick on vr0 all with opt ssrr
block in log first quick on vr0 proto tcp from any to any flags FUP
block in quick on vr0 all with ipopts

pass in quick on vr0 proto tcp from any to any port = 80 flags S keep state
pass in quick on vr0 proto tcp from any to any port = 23 flags S keep state
pass in quick on vr0 proto tcp from any to any port = 22 flags S keep state
pass in quick on vr0 proto tcp from any to any port = ftp flags S/SA keep state
pass in quick on vr0 proto tcp from any to any port = ftp-data flags S/SA keep state
pass in quick on vr0 proto tcp from any to any port 30000 >< 50001 flags S/SA keep state

pass in quick on vr0 proto icmp from any to any icmp-type 0
pass in quick on vr0 proto icmp from any to any icmp-type 11
block in log quick on vr0 proto icmp from any to any

block in log on vr0 all


# Internal interface vr1
# out: pass everything

pass out on vr1 all
# in: pass everything
pass in on vr1 all

Reboot the server once the configuration is complete.

Find a client machine to test with. First give it one of the IPs enabled in ipf.conf and ping edu.cn; if the ping succeeds, the client can reach the external network.
Then change the client's IP to one that is not in the enabled list; if the ping now fails, the ipf.conf settings are in effect.
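Before testing from a client, it helps to see how ipfilter decides: the last matching rule wins, unless a matching rule is marked quick, which ends the search at once. That is why the anti-spoofing block rules sit above the pass rules and why the vr0 ruleset ends with a catch-all block. The Python script below is an added example, not part of the original article; it parses a constructed subset of the rules above (a small grammar subset only; flags, keep state, with and icmp-type are ignored) and returns the verdict for a described packet.

```python
import ipaddress
import re
# Constructed subset of the /etc/ipf.conf above, kept in the original order.
IPF_CONF = """
block in quick on vr0 from 58.193.112.0/21 to any
block in quick on vr0 proto tcp/udp from any to any port = 445
pass in quick on vr0 proto tcp from any to any port = 22 flags S keep state
block in log on vr0 all
pass in on vr1 all
"""
# Grammar subset: action dir [log [first]] [quick] on IFACE [proto P] (all | from S to D [port = N]); trailing options ignored.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)(?:\s+log(?:\s+first)?)?"
    r"(?:\s+(?P<quick>quick))?\s+on\s+(?P<iface>\w+)(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+(?:all|from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?:\s+port\s*=\s*(?P<port>\d+))?)"
)

def parse_rules(text):
    rules = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith("#"):
            m = RULE_RE.match(line)
            if not m:
                raise ValueError("unsupported rule: " + line)
            rules.append(m.groupdict())
    return rules

def _addr_in(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(rule, pkt):
    if rule["dir"] != pkt["dir"] or rule["iface"] != pkt["iface"]:
        return False
    if rule["proto"] and pkt["proto"] not in rule["proto"].split("/"):  # "tcp/udp" means either
        return False
    if rule["src"] and not (_addr_in(rule["src"], pkt["src"]) and _addr_in(rule["dst"], pkt["dst"])):
        return False
    return not rule["port"] or int(rule["port"]) == pkt.get("dport")

def verdict(rules, pkt, default="block"):
    # ipfilter: LAST match wins, except a matching "quick" rule ends the search; default mirrors IPFILTER_DEFAULT_BLOCK.
    result = default
    for rule in rules:
        if matches(rule, pkt):
            result = rule["action"]
            if rule["quick"]:
                break
    return result

def check(iface, direction, proto, src, dst, dport=None, default="block"):
    pkt = {"iface": iface, "dir": direction, "proto": proto, "src": src, "dst": dst, "dport": dport}
    return verdict(parse_rules(IPF_CONF), pkt, default)
```

A packet arriving on vr0 with a source inside 58.193.112.0/21 is dropped by the first quick rule even if it is aimed at port 22, which is the spoofing case the ordering is meant to catch.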
