Linux Concise system maintenance Manual (IV)

Source: Internet
Author: User
Tags filter definition execution ftp functions versions ftp protocol iptables
(7) Install IMAP server
Almost all distribution packages have IMAP server software (typically the University of Washington version), and the best way is to install an IMAP server with your release package. In fact, I personally feel that IMAP servers are rarely used. Download the most general IMAP server source address is: Ftp://ftp.cac.washington.edu/imap/imap.tar.Z


Tar zxvf imap.tar.z
CD imap-2001a
Make SLX



(if not, then test the other system types you think possible, with VI look at the name of the column in makefile)

Then configure/etc/inetd.conf so that INETD allows IMAP services. [The content of this section is not tested successfully, compiling is always difficult]

(8) Install Squid server

Squid is an excellent proxy server software that can be flexibly configured for a variety of application forms, including forward proxies, reverse acceleration modes, and transparent proxies. But squid at present only proxy HTTP protocol, proxy FTP protocol needs to configure browser simulation active FTP protocol. The following steps are the process of installing squid.

1, download the reverse proxy server software using squid, download address: http://www.squid-cache.org/

stored in the/USR/LOCAL/SRC directory after downloading, the filename is squid-2.4.stable2-src.tar.gz

2, tar zxvf squid-2.4.stable2-src.tar.gz decompression

3, cd/usr/local/src/squid-2.4.stable2 into the catalogue

4./configure--prefix=/usr/local/squid--enable-heap-replacement--disable-internal-dns set up the environment to install squid/usr/local/ Squid in. The second parameter specifies the use of a more advanced buffering algorithm. The third parameter is to cancel the internal DNS resolution (if you are using a remote cache mode, such as GSLB, you need to add an option:--disable-internal-dns to shut down internal DNS.) Otherwise, internal DNS ignores your setting in Etc/hosts, Look for a domain name server directly, which can cause forwarding loops. is the cache sent to the physical server update request (because with the domain name) will also be the user's GSln device resolution back to form a cycle. )

5. Make starts compiling

6. Make install install to the path specified by--prefix= just now

7, installation is completed, will be in your designated installation path to produce a squid directory, squid directory has four directories: bin/etc/libexec/logs/. Etc inside is the configuration file, bin inside is the execution file, logs inside is the log file.

8, after the installation is finished debugging the server, so that it according to your request work. Squid configuration file only one, in the ETC directory, the name is squid.conf, all the configuration options are in this file. And each configuration item has a comment description. First, find the following configuration items inside the squid file:

Cache_mem---Here you can add the amount of memory you want to use for squid as a cache. Note that if your machine has n megabytes, the number recommended for you to add here is N/3.

Cache_dir/usr/local/squid/cache 100 16 256 Here's the first digit 100 is the size of the hard disk space you are prepared to use for the cache, the unit is trillion. If you want to 100M space as a cache, then write 100 here.

Cache_mgr webmaster@test.com.cn here fills in the cache administrator's email address, the system error will automatically remind the cache administrator.

Cache_replacement_policy and Memory_replacement_policy parameters cannot use the default LRU algorithm because of the use of--enable-heap-replacement compilation parameters. You can choose one of the following three types:

Heap Gdsf:greedy-dual Size Frequency

Heap Lfuda:least frequently Used with Dynamic aging

Heap LRU:LRU policy implemented using a heap

For example:


Cache_replacement_policy Heap LRU
Memory_replacement_policy Heap LRU



Set the ACL access control list below: For the sake of simplicity, we open all the permissions here. The ACL is divided into two parts: the ACL definition section, and the http_access part. The previous definition is used in the Access_http section. The preceding definition is:


ACL all src 0.0.0.0/0.0.0.0



Let's comment out all the http_access lines and add one sentence:

Http_access Allow all---Note: All is defined by the preceding ACL.

This opens up all the permissions. After the need, and then continue to add a variety of restrictions can be.

9. Create group Nogroup as root:


%SU Root (if not currently root)
#groupadd Nogroup
#useradd Nobody (if not this user)



10, the directory/usr/local, as root execution of the following command, change the entire squid directory owner for Nobody.nogroup


#cd/usr/local
#chown nobody.nogroup-r Squid



11, Su as nobody, carry out/usr/local/squid/bin directory, execute #squid-z Create cache Exchange Directory


#su Nobody
$ cd/usr/local/squid/bin
$./squid-z



12, after the success, test:/USR/LOCAL/SQUID/BIN/SQUID-NCD1 The order to officially start squid. If everything works, you'll see one line of output: Ready to serve requests.

13, with Ctrl-c exit the front test.

14, the squid as a daemon started on the direct operation:/usr/local/squid/bin/squid

15. Check the status with Squid–k

16, stop squid with squid-k shutdown

If you are configuring a basic forward proxy, the above can already be used. The following steps are used to configure a reverse proxy server that supports multiple domain names. Fortunately, all of squid's configuration is under/USR/LOCAL/SQUID/ETC, and reverse agent related to several of the following introduction:

17. The Http_port "Http_port" parameter specifies the port number on which squid listens for browser client requests.

18. The Icp_port 0 "icp_port" parameter specifies the port number from which squid sends and receives ICP requests from the neighbor (neighbour) server buffer. This is set to 0 because squid is configured as an accelerator for the internal Web server, so there is no need to use a neighbor server buffer.

19. Emulate_httpd_log on opens the "emulate_httpd_log" option, which makes squid create access records in the format of the Web server. If you want to use the Web Access Record Analyzer, you need to set this parameter.

20, Redirect_rewrites_host_header off by default, squid will overwrite any redirected request's host head. If the system is running Squid for accelerator mode, then the redirection feature is not required. This parameter is not opened until the redirector is bypassed when overloaded

21, Httpd_accel_host vartual here Set the reverse proxy hostname, if the next multiple domain name buffer, please use the virtual host mode (SO).

22, Httpd_accel_port 80 This sets the Web service port number for the reverse proxy.

23, #httpd_accel_with_proxy off the line to comment out, set up the reverse proxy at the same time, whether to open the general proxy caching services. If this line is not commented out, there is no caching capability.

24. Define Access Control List:


ACL port80 Port 80
ACL accel_host1 dstdomain. test.com
ACL accel_host2 dstdomain. test.net
... ...
Http_access Allow Accel_host1 port80
Http_access Allow Accel_host2 port80
Http_access deny all;



25. After completion, reload the configuration file with Squid–k reconfigure.

(9) Install SSH

---

(10) Configure Linux as a router

---

(11) Configure Linux gateway and install ipchains/iptables Firewall

The most commonly used firewall on Linux is IPChains, and is typically installed as an add-on to the gateway. The rules of IPChains are complex, flexible, and can be formulated in a variety of ways. These all need to be combined with your own reality. Here, we'll just introduce a simple, gateway based configuration.

Installing IPChains generally doesn't bother you, because almost all Linux distributions use the software as a provincial configuration that must be installed. Another reason is that ipchains is very much related to the kernel (kernel), so it is a good idea to select the relevant option (if any) when installing the system. In the title we also mention the iptables, the tool on the surface equivalent to IPChains, but for the 2.4 kernel (2.4 kernel in this aspect of the code is almost written back, the function has been greatly improved). About the configuration of the Iptables tool we'll explain later. You just have to remember to use the iptables under the ipchains,2.4 core under the 2.2 core.

First of all, your server needs two network cards (or more), this machine is called "multihomed host", is dedicated to do gateway or router. Here to insert a sentence: Generally, as a common server host even if the load is heavy to need a network card is enough, only do a gateway or router when the need for multihomed host. This is not as common people think that add a network card can increase a bandwidth, in fact, a network card can provide enough bandwidth. Also, it is wrong to put two network cards on the same switch to assign two addresses, which is more error, because it generates an extra loop route, generates a lot of internal warning errors, and some systems alarm.

1, the production of a dual-interface (dual-hosted) host.

In general, the current release package installer can identify two network cards, which makes it easier. But there are also a number of distributions that only identify the first NIC (perhaps for the reason given above), or if you want to add a network card to a machine (because you don't want to reload the system), follow the instructions below.

1. 1, we will say PCI network card. Before installation, first look at the card chip, remember the chip model (I hope you have saved the machine).

1. 2. Installation Man manual (with distribution package)

1. 3, in the/usr/doc/howto/english/txt/ethernet-howto file (if it is compressed on the release) search your network card model, find the corresponding driver module name.

1. 4, if the module does not, but also need to recompile the core. Select your model in the Menuconfig network device and mark it as * or M, and don't forget to compile the module after compiling the core: Make Modules;make Modules_install. (If not, please review the part of the previous compilation of the kernel)

1. 5, with the Depmod–a command to establish/etc/modules.conf (if there is no need), but also some of the distribution package is called Conf.modules

1. 6, edit the file plus one line: Alias eth1 xxxx, which xxxx is you just found the module name. Generally this module file is located in:/lib/modules/kernel version number/net ... The XXXX.O file in. This file is generated when you compile the kernel module, you are in the kernel configuration, usually marked as M will be compiled into the. o file here. Similarly, the NIC driver you choose will also be compiled into a module here.

1. 7, run Modprobe eth1 to make the module effective.

1. 8, modify the/etc/sysconfig/network files need to modify the part.

1. 9, create or modify/etc/sysconfig/network-script/ifcfg-eth1 file (copy that eth0 can), set the address is your real situation, such as set as eth1 to connect the network segment. These two files (Eth0/eth1 is the script parameter file at startup)

1. 10, restart the network:/etc/rc.d/init.d/network restart

1. 11, with Ifconfig to see if the eth0/eth1 are started.

1. 12, the accomplished

2, adjust and compile the core: if as a gateway, some core options need to be configured. Note: The kernel compilation option here is only suitable for the 2.2.X version, the 2.4 version is completely different.

2. 1. Run the Make Menuconfig configuration core option in/usr/src/linux:


Networking options in
[*] Network firewalls
[*] ip:advanced Router
[*] Ip:firewalling
[*] Ip:firewall Packet NetLink Device
[*] Ip:transparent Proxy Support
[*] Ip:masquerading
[*] IP:ICMP masquerading
[*] Ip:masquerading Special Modules Support
IP:IPAUTOFW MASQ Support (experimental)
IP:IPPORTFW MASQ Support (experimental)
Ip:ip Fwmark masq-forwarding Support (experimental)
[*] Ip:masquerading Virtual Server Support (experimental)
() IP masquerading VS table size (the nth power of 2)



Specific options different versions of the kernel are not the same, you look almost on it. Compiled into modules or programmed into the core [*] is free to choose.

2. 2, according to the previous compilation of the kernel, reboot after the gateway function. Verify the file after Startup:/proc/sys/net/ipv4/ip_forward content is 1. (Don't tell me I don't know how to see 8-))

3, set IPChains

Originally this work is very complex, but we speak here simple, let the gateway through the line.

3. 1, first look at our current hypothetical environment: your machine has two network cards, a connection in the intranet switch with the internal network address, another piece of external network switch with public network address. In this machine ping intranet and the external network of the machine should be able to pass. And in the intranet of the machine ping the machine's extranet address also pass, outside the machine ping the machine intranet address also pass. This means that the forwarding function is valid.

3. 2, try again: in the internal network to set the gateway to your machine intranet address, and then ping the external network of any machine (not the external network address of this machine), the result is impassability. The reason is that the ICMP packet sent to the extranet machine does not know how to answer, there is no suitable route, because the packet's response address is intranet.

3. 3, now set IPChains: (IPChains software for the 2.2.X kernel, in the 2.4.X kernel does not apply. The 2.4.X kernel recommends the use of iptables, which is described below for usage of the software


Ipchains–a forward–s 192.168.1.0/24–j MASQ



The bold part is the intranet address. This means that all the packets sent in the intranet disguised as an external network address (the machine's extranet address), so that the external machine to respond to the time will be sent to the machine, after the forwarding back to the intranet. OK, a simple gateway is done. If you need to implement a firewall (packet filtering function), you need to configure more complex filtering rules that should work on the Input/output/forward chain.

3. 4, automatic start: Set a complex chain, need to save. Create a file in/etc/rc.d: Rc.ipfwadm Add your chain script to it. Finally give this file +x attributes (chmod +x rc.ipfwadm).

4. Use iptables in the 2.4.X kernel to build a Linux firewall (gateway).

4.1 Description and download

As mentioned earlier, the 2.4 kernel uses iptables to do something similar to the ipchains in the 2.2 kernel. In fact, the iptables in the 2.4 kernel contains two completely different parts: packet filtering and address translation. These two functions are logically separate, and are integrated into a configuration program (iptables), taking into account the operational habits of the problem. If you install a release package with 2.4 cores, you typically have iptables and are configured on the kernel configuration as well. If you are compiling a new kernel or the original kernel does not support iptables, you need to select the relevant option. When using make menuconfig to configure the kernel: Enter: Networking options at least:


[*] Network packet filtering (replaces IPChains)
[*] network packet filtering debugging (NEW)
Entering: Ip:netfilter Configuration--->
[*] Connection tracking (required for Masq/nat) (NEW)
FTP protocol Support (NEW)
IRC protocol Support (NEW)
Wait a minute......
Mark all of the options below <*>



Go back to the top menu and save the configuration, then follow the set of programs that compile the kernel (see the previous section). What needs to be explained here is that the kernel supports the Iptables function and requires external programs to do so. If you are installing a release package with a 2.4 kernel directly, you should already have the Iptables utility. But if you are upgrading from a 2.2 core release package directly to the 2.4 kernel, you cannot use iptables, although the core is configured according to the above approach. You must also download and compile iptables external programs to use the Iptables feature. The download address is: http://www.netfilter.org, the downloaded file is a iptables-1.2.6a.tar.bz2 or newer version.

4.2 Installation:

this. bz2 file is strange, isn't it? Copy the files to/usr/local/src, and then release the compilation and installation with the following command: BZIP2-DC iptables-1.1.2.tar.bz2 |tar VXF-(The last '-' Don't forget)

Your system may not have bzip2 tools, if not, you go to the next:

Enter the newly generated directory: CD iptables-1.2.6a compilation and Installation: Make; Make install

4.3 Configuration

If you need to configure a simple gateway, you only need to configure a forwarding plus address translation function, I provide the following reference script:


#begin
Echo 1 >/proc/sys/net/ipv4/ip_forward
Modprobe Iptable_nat
Modprobe Ip_conntrack
Modprobe ip_conntrack_ftp
Modprobe ip_nat_ftp
Iptables-f INPUT
Iptables-f FORWARD
Iptables–f OUTPUT
Iptables-f postrouting-t NAT
Iptables-t nat-f
Iptables-p FORWARD DROP
Iptables-a forward-s 192.168.1.0/24-j ACCEPT
Iptables-a forward-i eth1-m State--state established,related-j ACCEPT
Iptables-t nat-a postrouting-o eth1-s 192.168.1.0/24
-j SNAT--to 21.9.22.2
#end



3 lines of modprobe are used when you compile iptables-related functions into modules (optionally, more than 3 lines) in the kernel. The insertion module (modprobe) of several lines is more important, sometimes when you finish NAT, found that FTP is not good to use, it is necessary to manually insert the IP_NAT_FTP module (syntax is: modprobe ip_nat_ftp). The address part of the blackbody may need to be based on the actual situation of your network. The last sentence means to convert the address of the packet with 192.168.1.x of the source address to the 21.9.22.2 address of the gateway. Well, you've built a basic gateway. In fact, Iptables's function and its powerful, configuration is also very flexible. The firewall function is implemented through the-T filter parameter, and the address translation function is implemented through-t NAT (just like the above). Firewall function (packet filter) is mainly 3 chains: input,forward,output, Address translation work (NAT) is mainly 3 chains: Prerouting,postrouting,output. To observe the current state you can use the following command: Iptables–l–t filter or iptables–l–t nat.

All right, it's up to you to configure a more flexible, more powerful firewall feature. I recommend you two manuals: "Linux 2.4 Packet Filter HOWTO" and "Linux 2.4 NAT HOWTO". These two documents are written by Iptables's original author and are quite classic. English is not good? It doesn't matter, both documents have Chinese versions. Recommend you to: Forever Unix (http://www.fanqiang.com) download.



Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.