A Linux box used as the company's Internet router needs to provide NAT address translation, DHCP, DNS caching, traffic control and application control. NAT can be implemented directly with iptables, DHCP needs dhcpd, DNS caching uses BIND, traffic control uses tc, and application control (for example blocking QQ) can be implemented with netfilter-layer7-v2.22 together with the l7-protocols-2009-05-28.tar.gz signature library.
1. Network Planning
The operating system is CentOS 5.8.
2. Install dhcpd
yum install dhcp-3.0.5-31.el5
vim /etc/dhcp/dhcpd.conf
ddns-update-style interim;
ignore client-updates;
subnet 10.0.0.0 netmask 255.255.255.0 {
        option routers 10.0.0.1;
        option subnet-mask 255.255.255.0;
        option domain-name-servers 10.0.0.1;
        range dynamic-bootp 10.0.0.100 10.0.0.200;
        default-lease-time 21600;
        max-lease-time 43200;
}
3. Install BIND to implement DNS caching
yum install bind97.i386 bind97-libs.i386 bind97-utils.i386
vim /etc/named.conf
options {
        directory "/var/named";
        allow-recursion { 10.0.0.0/24; };   # only the internal network may use this cache recursively
        recursion yes;
        forward first;                      # forward all queries to the forwarders first
        forwarders { 114.114.114.114; };    # address of the forwarding server
};
zone "." IN {
        type hint;
        file "named.ca";
};
zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-transfer { none; };
};
zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-transfer { none; };
};
Create the root hints file (default content)
dig -t NS . > /var/named/named.ca
chown :named /var/named/named.ca
Create the local forward zone file (default content)
vim /var/named/named.localhost
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                0       ; serial
                                1D      ; refresh
                                1H      ; retry
                                1W      ; expire
                                3H )    ; minimum
        NS      @
        A       127.0.0.1
chown :named /var/named/named.localhost
Create the local reverse zone file (default content)
vim /var/named/named.loopback
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                0       ; serial
                                1D      ; refresh
                                1H      ; retry
                                1W      ; expire
                                3H )    ; minimum
        NS      @
        A       127.0.0.1
        PTR     localhost.
chown :named /var/named/named.loopback
Check the main configuration file
named-checkconf
Check the root hints file
named-checkzone "." /var/named/named.ca
Check the zone files
named-checkzone "localhost" /var/named/named.localhost
Start the service
service named start
4. Recompile the kernel and iptables to support application-layer filtering
Because the firewall function is provided by the Netfilter kernel modules, the kernel has to be recompiled: download new kernel source and build it together with the netfilter-layer7-v2.22 kernel patch. Netfilter is controlled by the iptables tool, so iptables must also be recompiled and reinstalled. Finally, install the application-filtering signature library l7-protocols-2009-05-28.tar.gz.
1. Patch the kernel and recompile it
2. Patch the iptables source and recompile iptables
3. Install l7-protocols
Back up the iptables init script and configuration file first:
cp /etc/rc.d/init.d/iptables /root/iptables.sysv
cp /etc/sysconfig/iptables-config /root/iptables-config
2.6 kernel
https://www.kernel.org/pub/linux/kernel/v2.6/
Netfilter layer7 patch
http://download.clearfoundation.com/l7-filter/
iptables source
http://www.netfilter.org/projects/iptables/downloads.html
Application signature library
http://download.clearfoundation.com/l7-filter/
xz -d linux-2.6.28.10.tar.xz
tar -xvf linux-2.6.28.10.tar -C /usr/src             # new kernel source for recompilation
tar -zxvf netfilter-layer7-v2.22.tar.gz -C /usr/src  # kernel patch and iptables patch; supports kernels only up to 2.6.28
# enter the extracted directory and create a symbolic link
cd /usr/src
ln -sv linux-2.6.28.10 linux
# enter the kernel directory
cd /usr/src/linux
# patch the current kernel
patch -p1 < ../netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch
# copy the running system's kernel configuration over to simplify configuring the new kernel
cp /boot/config-2.6.18-164.el5 /usr/src/linux/.config
Compile the kernel
make menuconfig
Networking support -> Networking options -> Network packet filtering framework (Netfilter) -> Core Netfilter Configuration
<M> Netfilter connection tracking support
<M> "layer7" match support
<M> "string" match support
<M> "time" match support
<M> "iprange" match support
<M> "connlimit" match support
<M> "state" match support
<M> "conntrack" connection match support
<M> "mac" address match support
<M> "multiport" Multiple port match support
Networking support -> Networking options -> Network packet filtering framework (Netfilter) -> IP: Netfilter Configuration
<M> IPv4 connection tracking support (required for NAT)
<M> Full NAT
<M> MASQUERADE target support
<M> NETMAP target support
<M> REDIRECT target support
In other words: under Networking support open Networking options, find Network packet filtering framework (Netfilter) -> Core Netfilter Configuration and select Netfilter connection tracking support (NEW), "layer7" match support (NEW), "time" match support (NEW) and "iprange" match support; then under IP: Netfilter Configuration select IPv4 connection tracking support and Full NAT (NEW).
make
make modules_install
make install
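Before spending an hour on make, it is worth confirming that the .config actually carries every option selected above; the following added check (not part of the original post) greps a kernel .config for the Kconfig symbols that correspond to those menu entries. The CONFIG_* names are the usual ones for these entries and are assumed to match this patched 2.6.28 tree; the sample config at the bottom is constructed.

```shell
# Added example: verify a kernel .config contains the Netfilter options
# selected in menuconfig. Symbol names are assumed to match the menu entries.
REQUIRED_OPTS="
CONFIG_NF_CONNTRACK
CONFIG_NETFILTER_XT_MATCH_LAYER7
CONFIG_NETFILTER_XT_MATCH_STRING
CONFIG_NETFILTER_XT_MATCH_TIME
CONFIG_NETFILTER_XT_MATCH_IPRANGE
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT
CONFIG_NETFILTER_XT_MATCH_STATE
CONFIG_NETFILTER_XT_MATCH_CONNTRACK
CONFIG_NETFILTER_XT_MATCH_MAC
CONFIG_NETFILTER_XT_MATCH_MULTIPORT
CONFIG_NF_CONNTRACK_IPV4
CONFIG_NF_NAT
CONFIG_IP_NF_TARGET_MASQUERADE
CONFIG_IP_NF_TARGET_NETMAP
CONFIG_IP_NF_TARGET_REDIRECT
"

# check_kconfig FILE: print every required option that is neither =y nor =m
# (a "# ... is not set" line does not count) and return 0 only if none is missing.
check_kconfig() {
    cfg=$1
    missing=0
    for opt in $REQUIRED_OPTS; do
        if ! grep -Eq "^${opt}=(y|m)$" "$cfg"; then
            echo "missing: $opt"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample config: connection tracking and NAT are built as modules,
# but the layer7 match was left unset, so the check reports it.
sample_cfg=$(mktemp)
printf '%s\n' 'CONFIG_NF_CONNTRACK=m' 'CONFIG_NF_CONNTRACK_IPV4=m' \
    '# CONFIG_NETFILTER_XT_MATCH_LAYER7 is not set' 'CONFIG_NF_NAT=m' > "$sample_cfg"
check_kconfig "$sample_cfg" || echo "some options are missing: re-run make menuconfig"
```

Run it as `check_kconfig /usr/src/linux/.config` after saving from menuconfig; a non-zero exit means the build would produce a kernel without some of the matches or targets used later.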
Reboot the system and select the new kernel at the boot menu.
Remove the old iptables
rpm -e iptables-1.3.5-9.1.el5 iptables-ipv6-1.3.5-9.1.el5 iptstate-1.4-2.el5 --nodeps
Install the new iptables so that it supports the new Netfilter modules
tar -jxvf iptables-1.4.6.tar.bz2 -C /usr/src
cd /usr/src/netfilter-layer7-v2.22
cd iptables-1.4.3forward-for-kernel-2.6.20forward
cp * /usr/src/iptables-1.4.6/extensions/
cd /usr/src/iptables-1.4.6/
./configure --prefix=/usr --with-ksource=/usr/src/linux
make
make install
Check the installed iptables files
ls /usr/sbin | grep iptables
ls /usr/libexec/xtables
Restore the configuration file and init script backed up earlier
cp /root/iptables-config /etc/sysconfig/
cp /root/iptables.sysv /etc/rc.d/init.d/iptables
Change the iptables path in the init script (the new binary lives in /usr/sbin)
vim /etc/rc.d/init.d/iptables
:.,$s@/sbin/iptables@/usr/sbin/iptables@g
Start the iptables service automatically at boot
chkconfig --add iptables
Edit the iptables configuration file
In /etc/sysconfig/iptables-config comment out the line
IPTABLES_MODULES="ip_conntrack_netbios_ns"
Install the protocol signatures
tar xvf l7-protocols-2009-05-28.tar.gz
cd l7-protocols-2009-05-28    # directory created by the tarball
make install
When finished the files are generated under /etc/l7-protocols
The supported protocols are listed in /etc/l7-protocols/protocols
Add iptables policies: let the internal network reach the Internet, block QQ and video
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source 192.168.6.67
iptables -A FORWARD -m layer7 --l7proto qq -j DROP
iptables -A FORWARD -m layer7 --l7proto httpvideo -j DROP
iptables -A FORWARD -m layer7 --l7proto httpaudio -j DROP
No Internet access from 08:00 to 12:00
iptables -A FORWARD -m time --timestart 08:00 --timestop 12:00 -j DROP
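The rules above are appended to a FORWARD chain whose default policy is still ACCEPT, so anything that is not QQ, video or inside the time window is forwarded for any source. The following added script (not part of the original post) puts the same SNAT, layer7 and time rules into a default-deny, stateful rule set so that only the 10.0.0.0/24 subnet can open connections and unmatched forwarding is dropped and logged. It assumes eth0 faces the LAN (as in the tc section) and eth1 faces the Internet with 192.168.6.67; IPT defaults to "echo iptables" so the script prints the rules instead of applying them, and IPT=iptables applies them for real.

```shell
# Added example: default-deny router rule set built from the rules in the post.
# Assumptions: LAN on eth0 (10.0.0.0/24), WAN on eth1 with 192.168.6.67.
# IPT defaults to a dry run that prints the commands; set IPT=iptables to apply.
LAN_IF=eth0
WAN_IF=eth1
LAN_NET=10.0.0.0/24
WAN_IP=192.168.6.67
: "${IPT:=echo iptables}"

build_router_rules() {
    # Remember to enable routing as well: sysctl -w net.ipv4.ip_forward=1 (not run here).
    $IPT -F; $IPT -t nat -F; $IPT -X
    # Default deny for traffic through and into the router; the router's own
    # outbound traffic (BIND forwarding to 114.114.114.114, yum) is allowed.
    $IPT -P FORWARD DROP
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # dhcpd and the BIND cache are reachable from the LAN interface only
    # (DHCP DISCOVER arrives from 0.0.0.0, so no -s on port 67).
    $IPT -A INPUT -i "$LAN_IF" -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 53 -j ACCEPT
    # Application and time controls from the post, evaluated before the accept rule.
    for proto in qq httpvideo httpaudio; do
        $IPT -A FORWARD -i "$LAN_IF" -m layer7 --l7proto "$proto" -j DROP
    done
    $IPT -A FORWARD -i "$LAN_IF" -m time --timestart 08:00 --timestop 12:00 -j DROP
    # Only the LAN subnet may initiate connections outward; replies return via state.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Everything else hits the DROP policy; log a rate-limited sample for troubleshooting.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
    # SNAT only on the WAN interface, as in the post's POSTROUTING rule.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$WAN_IP"
}

build_router_rules
```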
5. Using tc to control bandwidth
For example, the company's Internet uplink is 10 Mbps; user A is allocated a maximum download bandwidth of 500 KB/s and user B a maximum of 200 KB/s.
User A IP: 10.0.0.100
User B IP: 10.0.0.101
# Create a root qdisc on eth0 using the HTB algorithm. "default 2" names the default class: traffic whose IP matches none of the filters below falls into class 1:2 and is shaped by that policy.
tc qdisc add dev eth0 root handle 1:0 htb default 2
# Define a class on eth0. The "1" in parent 1:0 refers to handle 1:0 of the root qdisc; classid 1:2 identifies this class and is what the filters below point at. rate 200kbps means 200 KB/s (in tc, kbps is kilobytes per second), ceil 200kbps caps the maximum at 200 KB/s as well, and prio 2 is the priority.
tc class add dev eth0 parent 1:0 classid 1:2 htb rate 200kbps ceil 200kbps prio 2
tc class add dev eth0 parent 1:0 classid 1:3 htb rate 500kbps ceil 500kbps prio 2
# Replace the default pfifo qdisc of the two classes with sfq
tc qdisc add dev eth0 parent 1:2 handle 2: sfq
tc qdisc add dev eth0 parent 1:3 handle 3: sfq
# On node 1:0 of eth0 (handle 1:0 of the root qdisc) add a u32 filter with priority 1: all packets with destination address 10.0.0.100 go to class 1:2 (the class with classid 1:2)
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dst 10.0.0.100 flowid 1:2
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dst 10.0.0.101 flowid 1:3
If there are further users, say C and D with IPs 10.0.0.102 and 10.0.0.103 who also need 500 KB/s download bandwidth, add
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dst 10.0.0.102 flowid 1:3
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dst 10.0.0.103 flowid 1:3
Clear the rules on eth0
tc qdisc del dev eth0 root > /dev/null
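The per-user filters above follow one pattern: one HTB class per distinct rate and one u32 filter per IP pointing into its rate's class, which is why users C and D share class 1:3 with user A. The following added script (not part of the original post) generates that whole command sequence from a small "ip rate" table, so adding a user means adding one line instead of hand-numbering classes. The user table is constructed; TC defaults to "echo tc" so the commands are printed rather than applied.

```shell
# Added example: generate the HTB/SFQ/u32 commands from a per-user table.
# TC defaults to a dry run that prints the commands; set TC=tc to apply.
: "${TC:=echo tc}"
DEV=eth0

# Constructed table, one "ip rate" per line (tc units: kbps = kilobytes/s).
USERS="
10.0.0.100 500kbps
10.0.0.101 200kbps
10.0.0.102 500kbps
10.0.0.103 500kbps
"

# build_tc_rules: one class per distinct rate (minors 2, 3, ... in sorted
# order), an sfq qdisc under each class, and one filter per IP.
build_tc_rules() {
    # default 2: traffic matching no filter falls into the first class created.
    $TC qdisc add dev "$DEV" root handle 1:0 htb default 2
    rates=$(printf '%s\n' "$USERS" | awk 'NF==2 {print $2}' | sort -u)
    minor=2
    classmap=""
    for r in $rates; do
        $TC class add dev "$DEV" parent 1:0 classid "1:$minor" htb rate "$r" ceil "$r" prio 2
        $TC qdisc add dev "$DEV" parent "1:$minor" handle "$minor:" sfq perturb 10
        classmap="$classmap $r=$minor"
        minor=$((minor + 1))
    done
    # Look up each user's class minor from the rate=minor map built above.
    printf '%s\n' "$USERS" | awk 'NF==2' | while read -r ip r; do
        m=$(printf '%s\n' $classmap | sed -n "s/^$r=//p")
        $TC filter add dev "$DEV" parent 1:0 protocol ip prio 1 u32 match ip dst "$ip" flowid "1:$m"
    done
}

build_tc_rules
```

With the table above the output reproduces the post's layout exactly: 200kbps becomes class 1:2, 500kbps becomes class 1:3, and the three 500 KB/s users all get filters with flowid 1:3.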
A detailed approach to configuring iptables for routing functions under Linux