Step by step: building a Linux software router (NAT gateway) for an Internet cafe

Source: Internet
Author: User
Tags: server installation and configuration

This walkthrough uses Red Hat Linux 9.0 installed in English. The installation itself is not described in detail; if you are not comfortable with a Linux installation you can install in Chinese instead, since the installer screens are the same. The main drawback of a Chinese installation is that some text may show up as garbled characters.

Make the installation minimal: select no package groups and do not enable the firewall. After the install, run the setup command, choose "System services", and enable only the network and sshd services. Then go to the interface configuration directory, cd /etc/sysconfig/network-scripts. The text-mode installer lets you give only one network card an IP address, so copy the first card's file for the second card, cp ifcfg-eth0 ifcfg-eth1, and edit it (vi ifcfg-eth1) so that it holds your intranet address:

DEVICE=eth1
BOOTPROTO=static
BROADCAST=192.168.0.255
IPADDR=192.168.0.1
NETMASK=255.255.255.0
NETWORK=192.168.0.0
ONBOOT=yes

This makes 192.168.0.1 the gateway's intranet address, the address the cafe's machines will use as their default gateway and DNS server.

In the /etc/rc.d directory create a file rc.fw (touch /etc/rc.d/rc.fw), then open it (vi /etc/rc.d/rc.fw) and put in the following script:

#!/bin/sh
touch /var/lock/subsys/local
# Load netfilter and the FTP connection-tracking / NAT helpers (needed for active FTP through NAT)
/sbin/modprobe ip_tables
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
# Start from empty tables
/sbin/iptables -F
/sbin/iptables -F -t nat
/sbin/iptables -X
/sbin/iptables -Z
# Default policies: accept everything. This means the gateway filters nothing;
# every service listening on it (sshd included) is reachable from the Internet side.
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
# Turn on routing between the two cards
echo 1 > /proc/sys/net/ipv4/ip_forward
# Masquerade everything leaving through the Internet-facing card eth0
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -A FORWARD -s 0/0 -d 0/0 -j ACCEPT
# DNS queries that clients send to the gateway (192.168.0.1:53) are redirected
# to the upstream resolver 61.134.1.9; replace it with your ISP's resolver
/sbin/iptables -t nat -A PREROUTING -p udp -d 192.168.0.1 --dport 53 -j DNAT --to 61.134.1.9:53

Save and exit, make the script executable (chmod 755 /etc/rc.d/rc.fw), then edit /etc/rc.d/rc.local so that the script runs at boot:

#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
/etc/rc.d/rc.fw &

After a reboot the gateway server is ready. Bear in mind that, as written, rc.fw sets every policy to ACCEPT and forwards everything, so it routes and masquerades but does not filter.
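The rc.fw above works, but its three ACCEPT policies and the match-everything FORWARD rule mean every service listening on the gateway is reachable from the Internet side and nothing stops spoofed packets. The following is an added example, not the article's script: the same gateway written as a deny-by-default, stateful ruleset. It prints the rules first so they can be reviewed, and only applies them when run with the argument apply. The interface names, LAN range, gateway address and upstream resolver are assumptions taken from this walkthrough (eth0/eth1, 192.168.0.0/24, 192.168.0.1, 61.134.1.9); change them to fit your network.

```shell
#!/bin/sh
# Added example, not the article's rc.fw: a stateful, deny-by-default NAT gateway.
# Assumptions: eth0 faces the Internet, eth1 is the LAN 192.168.0.0/24, the
# gateway is 192.168.0.1 and sshd should only be reachable from the LAN.
# Override any of these through the environment, e.g. WAN_IF=eth2 sh gateway.sh
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
GW_IP="${GW_IP:-192.168.0.1}"
DNS_UPSTREAM="${DNS_UPSTREAM:-61.134.1.9}"   # resolver from the article; use your ISP's
IPT="${IPT:-/sbin/iptables}"

# Print the ruleset as shell commands so it can be read before it is loaded.
gen_gateway_rules() {
    cat <<EOF
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
$IPT -F
$IPT -t nat -F
$IPT -X
$IPT -Z
# Deny by default: nothing reaches the gateway or crosses it unless a rule says so.
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
# Packets claiming a LAN source address but arriving on the WAN side are spoofed.
$IPT -A INPUT -i $WAN_IF -s $LAN_NET -j DROP
$IPT -A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
# Loopback, and replies to connections the gateway itself opened.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Management only from the LAN: ssh and ping. Nothing else reaches the box.
$IPT -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -i $LAN_IF -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT
# Transit: LAN hosts may open connections outward; only replies come back in.
$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
$IPT -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# DNS queries sent to the gateway go to the upstream resolver (the article's
# rule). After DNAT they are forwarded by the LAN->WAN rule, not accepted locally.
$IPT -t nat -A PREROUTING -i $LAN_IF -p udp -d $GW_IP --dport 53 -j DNAT --to-destination $DNS_UPSTREAM:53
$IPT -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/$WAN_IF/rp_filter
EOF
}

# Review helpers: the policy the generated ruleset sets on CHAIN, and how many
# INPUT rules accept traffic arriving on the WAN interface (expected: none).
policy_of() {
    gen_gateway_rules | sed -n "s/^.* -P $1 \([A-Z]*\)\$/\1/p"
}
wan_input_accepts() {
    gen_gateway_rules | grep -c -- "-A INPUT -i $WAN_IF .* -j ACCEPT" || true
}

# "sh gateway.sh" prints the rules; "sh gateway.sh apply" loads them (as root).
case "${1:-show}" in
    show)  gen_gateway_rules ;;
    apply) gen_gateway_rules | sh ;;
esac
```

The ESTABLISHED,RELATED rules are what make this stateful: return traffic for connections opened from the LAN is admitted, while a new connection from the Internet matches nothing and hits the DROP policy. The two helper functions are the sort of check worth running before loading any ruleset: confirm the policies are DROP and that no INPUT rule accepts new traffic on the WAN side.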

A more complete write-up

Proxies are common on networks, particularly where an intranet is connected to the Internet. Because it is highly configurable, offers flexible control over access and can cache content, a proxy server speeds up network access and has become a standard piece of infrastructure. An Internet cafe's system administrator should know how to install and configure one.
The proxy server described here runs Redhat Linux 9.0 and uses a "gateway-type" design: the machine routes and masquerades traffic between the cafe's intranet and the Internet.
The steps for building it are as follows:


I. Check the hardware of the machine that will act as the proxy server
Verify that the machine's hardware is supported by Linux; the supported hardware list is at http://www.redhat.com/support/hardware (this step can be skipped). Disable the "virus warning" option in the motherboard's CMOS/BIOS setup; it write-protects the boot sector and gets in the way of installing the boot loader.


II. Installing Linux (from the local CD)
1. Boot the machine from the Linux installation CD.
2. Use text-mode installation: at the boot: prompt, type text. Tab, space, the arrow keys and Enter drive the installer.
3. Installation steps:
(1) language selection: choose Chinese;
(2) keyboard configuration;
(3) choose the local CD as the installation source;
(4) mouse configuration;
(5) choose a Custom installation;
(6) partitioning and swap (example: an 80 GB disk; the swap row shows the RAM size assumed):

Partition   Minimum size          Recommended size
/           512 MB                1024 MB
/var        1024 MB               2048 MB
swap        1024 MB (= RAM)       2048 MB (= 2 x RAM)
/home       1024 MB               rest of the disk

(7) configure LILO;
(8) configure the network, one adapter at a time:
    eth0           *****.*****.*****.*****   Internet IP address
    eth1, eth2...  *****.*****.*****.*****   intranet IP addresses
(9) set the time zone;
(10) set the root password and create a user account;
(11) package selection: deselect every default package group, choose Custom package selection, and pick only ssh (for remote access);
(12) the installer formats the partitions and installs the packages;
(13) boot disk: choose not to create one;
(14) installation complete.
4. Configure Linux (next section).


III. Implementing the gateway (proxy) function

1. Write the script that implements the gateway and save it as /etc/rc.d/rc.net. The script is as follows:

#!/bin/sh
/sbin/modprobe ip_tables
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/iptables -F
/sbin/iptables -F -t nat
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -A FORWARD -s 0/0 -j ACCEPT
/sbin/iptables -A FORWARD -d 0/0 -j ACCEPT
echo "1" > /proc/sys/net/ipv4/ip_forward
# Drop the Windows RPC/NetBIOS/SMB ports so worm traffic does not cross the gateway.
# (A DROP in the nat table only sees the first packet of each connection; the
# filter table's FORWARD chain is the usual place for rules like these.)
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 445 -j DROP
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 135 -j DROP
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 139 -j DROP
/sbin/iptables -t nat -A PREROUTING -p udp --dport 6612 -j DROP
# IGMP

# Rate-limit ICMP to the public address, and fragments. These ACCEPT rules only
# limit anything if a DROP follows them; with the ACCEPT policy above, packets
# over the limit fall through and are accepted anyway.
/sbin/iptables -A INPUT -p icmp -d ***.***.***.*** -m limit --limit 1/s --limit-burst 10 -j ACCEPT
/sbin/iptables -A INPUT -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT

# Nmap FIN/URG/PSH
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

# Xmas Tree (all six flags set)
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP

# Another Xmas Tree
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# Null scan (possibly)
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP

# SYN/RST
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# SYN/FIN scan (possibly)
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# SYN flood: new TCP connections above 1/s get a reset
/sbin/iptables -N synfoold
/sbin/iptables -A synfoold -p tcp --syn -m limit --limit 1/s -j RETURN
/sbin/iptables -A synfoold -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -p tcp -m state --state NEW -j synfoold

# Rate-limit forwarded SYNs, RSTs and pings (same caveat: with a FORWARD policy
# of ACCEPT these limits do not drop anything)
/sbin/iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
# the RST comparison value below is assumed; the source gave only the mask
/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
/sbin/iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# A second SYN-flood chain: 3/s with a burst of 6, everything beyond is rejected
/sbin/iptables -N syn-flood
/sbin/iptables -A INPUT -p tcp --syn -j syn-flood
/sbin/iptables -I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
/sbin/iptables -A syn-flood -j REJECT

# Ignore all ICMP echo requests (this also makes the ICMP ACCEPT rule above moot)
# and turn on SYN cookies
sysctl -w net.ipv4.icmp_echo_ignore_all=1
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

Note: iptables is case sensitive: chain names (INPUT, FORWARD), targets (ACCEPT, DROP, REJECT) and TCP flag names are upper case, while options such as -A, -p and -j are lower case. ***.***.***.*** stands for the gateway's Internet IP address.
2. Add the line /etc/rc.d/rc.net to the boot file /etc/rc.d/rc.local so that the script runs automatically when the system starts (and make it executable first: chmod 755 /etc/rc.d/rc.net).
3. Restart the machine.
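The six scan-signature rules in rc.net depend on the exact semantics of --tcp-flags MASK COMP: of the flags named in MASK, exactly those named in COMP must be set, and iptables rejects the rule if either list is missing. The following added example, not part of the article, models that match in plain shell and walks the script's six signature rules, in their installed order, over a few constructed flag combinations, so you can see which packets the INPUT chain would drop before loading the rules on a live gateway. Flag bit values follow the TCP header; the rule labels are local names used only here.

```shell
#!/bin/sh
# Added example (not code from the article): a shell model of iptables'
# "--tcp-flags MASK COMP" match, used to check the scan-signature rules.
# Bit values follow the TCP header flag layout (FIN = bit 0 ... URG = bit 5).
flag_bit() {
    case "$1" in
        FIN) echo 1 ;;
        SYN) echo 2 ;;
        RST) echo 4 ;;
        PSH) echo 8 ;;
        ACK) echo 16 ;;
        URG) echo 32 ;;
        *) echo "unknown TCP flag: $1" >&2; return 1 ;;
    esac
}

# flags_to_mask "SYN,FIN" | ALL | NONE: print the bitmask, non-zero status on a bad name
flags_to_mask() {
    case "$1" in
        ALL)  echo 63; return 0 ;;
        NONE) echo 0;  return 0 ;;
    esac
    (
        IFS=,
        mask=0
        for f in $1; do
            bit=$(flag_bit "$f") || exit 1
            mask=$((mask | bit))
        done
        echo "$mask"
    )
}

# tcp_flags_match MASK COMP PKT: true when, looking only at the flags in MASK,
# the packet has exactly the flags in COMP set. This is what iptables tests.
tcp_flags_match() {
    m=$(flags_to_mask "$1") || return 2
    c=$(flags_to_mask "$2") || return 2
    p=$(flags_to_mask "$3") || return 2
    [ $((p & m)) -eq "$c" ]
}

# classify_flags PKT: walk the six signature rules in the order rc.net installs
# them and print the label of the first one that would DROP the packet, or "pass".
# The labels are local names, not iptables chain names.
classify_flags() {
    pkt=$1
    flags_to_mask "$pkt" >/dev/null || return 1
    while IFS='|' read -r name mask comp; do
        if tcp_flags_match "$mask" "$comp" "$pkt"; then
            echo "$name"
            return 0
        fi
    done <<EOF
fin-urg-psh|ALL|FIN,URG,PSH
xmas|ALL|ALL
xmas2|ALL|SYN,RST,ACK,FIN,URG
null|ALL|NONE
syn-rst|SYN,RST|SYN,RST
syn-fin|SYN,FIN|SYN,FIN
EOF
    echo pass
}

# Constructed sample packets: a normal SYN and SYN/ACK must pass; the rest are scans.
for pkt in SYN SYN,ACK FIN,PSH,URG ALL SYN,RST,ACK,FIN,URG NONE SYN,RST SYN,FIN; do
    printf '%-22s -> %s\n' "$pkt" "$(classify_flags "$pkt")"
done
```

Two things the model makes visible: a legitimate SYN or SYN/ACK matches none of the six rules, and the SYN,RST/SYN,FIN rules use a narrow mask, so they fire regardless of what the other four flags are. Rules with ALL as the mask are exact-set matches and miss any variant with one extra flag.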


IV. Cabling
1. The proxy server's eth0 adapter connects directly to the Internet access device (for example an optical modem) with a network cable. Note that this link needs a crossover cable, wired as follows:
   one end:   white-orange, orange, white-green, blue, white-blue, green, white-brown, brown
   other end: white-green, green, white-orange, blue, white-blue, orange, white-brown, brown
2. The proxy server's eth1, eth2, ... adapters connect to the main switch with network cables.


V. Maintenance
The proxy server needs little routine attention; for good measure, reboot it about every six months. Because eth0 faces the Internet, do keep the system's security updates applied, and review the iptables rules whenever the network layout changes.

One NIC, multiple gateways

Giving one network card several IP addresses is easy: copy the interface configuration file several times, name the copies ifcfg-eth1:0, ifcfg-eth1:1, and so on, and change the DEVICE line in each copy to match (eth1:0, eth1:1, ...).
The problem is scale: 500 addresses is a lot. A Linux gateway that serves 500 machines has to be tuned carefully, and putting all 500 clients behind one network card also loads that card heavily. Use several network cards instead.
