Question: How do clients access the Internet through the server?
Operations to perform on the server for Internet access (the order is adjustable):
(1) Connect with the iNode client.
(2) Run startmynetwork.sh in a terminal; the terminal closes automatically after the command finishes.
Question: Which script files did I write, where are they, and what do they do?
Storage locations of the server network configuration scripts:
/bin/myfirewall.sh
/bin/startmynetwork.sh
/etc/rc.local (changes the MAC at startup)
/etc/network/interfaces (configures eth0 and eth1)
For the DHCP configuration, see the DHCP server section below.
The scripts are also hard-linked into /home/administrator/mynetwork and onto the desktop:
ln /bin/startmynetwork.sh /home/administrator/mynetwork
ln /bin/myfirewall.sh /home/administrator/mynetwork
ln /bin/startmynetwork.sh /home/administrator/desktop
Question: How to bind a new MAC
Add a MAC: sudo myfirewall.sh 00:00:00:00:00:00 tomy'sMAC
Note: the second argument describes whose MAC it is and must contain no spaces. An error occurs if the MAC is malformed.
Or add the line to the addmac.txt file on the desktop.
Restart iptables after adding a MAC: sudo startmynetwork.sh
Or run the startmynetwork.sh script on the desktop.
Q: How to restart iptables
sudo startmynetwork.sh
Or run the startmynetwork.sh script on the desktop.
1. iNode authentication client installation
First, change the MAC of eth0:
ifconfig eth0 down
ifconfig eth0 hw ether ******
ifconfig eth0 up
(1) Download the Linux version from the school website.
(2) Set the permission of install.sh to 755 and run install.sh.
(3) Set the permission of inodeclient to 755 and run inodeclient to authenticate.
2. myfirewall.sh firewall settings
#!/bin/bash
# Written by *** 2012/3/29 QQ ***
# 1. Main function: only MACs bound by this script can access the Internet through this machine; all other MACs cannot.
# 2. Secondary function: $1 and $2 (a new MAC and its owner's name) are appended to addmac.txt.
# Enable IP forwarding, which makes the kernel act as a router
echo "1" > /proc/sys/net/ipv4/ip_forward
### Clear iptables rules
iptables -F
iptables -X
iptables -Z
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
### Clear iptables rules
### Set default policies
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP    # only the FORWARD chain defaults to DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
### Set default policies
### Enable NAT, and forward replies from the Internet to intranet requests (connection state)
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
### Enable NAT, and forward replies from the Internet to intranet requests (connection state)
### MACs allowed by this script by default (the remaining MACs are allowed via ~/desktop/addmac.txt)
iptables -A FORWARD -m mac --mac-source *** -j ACCEPT    # MAC redacted in the original notes
iptables -A FORWARD -m mac --mac-source *** -j ACCEPT    # MAC redacted in the original notes
### MACs allowed by this script by default (the remaining MACs are allowed via ~/desktop/addmac.txt)
### Redirect the script arguments $1 $2
# e.g. sudo myfirewall.sh 00:00:00:00:00:00 zhangsan
# appends the line "00:00:00:00:00:00 zhangsan" to addmac.txt
if [ -n "$1" ]; then
    # if [ -n "$2" ]; then
    #     echo \#$2 >> /bin/myfirewall.sh    # the backslash escapes the comment character #
    # else
    #     :
    # fi
    # echo iptables -A FORWARD -m mac --mac-source $1 -j ACCEPT >> /bin/myfirewall.sh
    echo "$1 $2" >> /home/administrator/desktop/addmac.txt    # >> appends; a single > would overwrite the list
else
    :
fi
### Redirect the script arguments $1 $2
### Read the user-added MACs from addmac.txt and allow them to access the Internet
# The pipe | feeds each line printed by cat to read, which stores it in the variable line.
# read reads one line at a time.
cat /home/administrator/desktop/addmac.txt | while read -r line
do
    usermac=$(echo "$line" | awk '{print $1}')
    # username=$(echo "$line" | awk '{print $2}')
    # echo \#$username >> /bin/myfirewall.sh
    # The if/else keeps blank lines from being handed to iptables as a MAC.
    if [ -n "$usermac" ]; then
        iptables -A FORWARD -m mac --mac-source "$usermac" -j ACCEPT
    else
        :
    fi
done
### Read the user-added MACs from addmac.txt and allow them to access the Internet
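The note above warns that a malformed MAC makes the script fail: iptables rejects the rule and the rest of addmac.txt is never loaded. The following is an added example (not the original myfirewall.sh) of the addmac.txt handling with the MAC validated before it is written or passed to iptables, plus a dry-run switch so the rule set can be reviewed without root. The names ADDMAC_FILE, IPTABLES, valid_mac, add_mac and load_mac_rules and the sample list are assumptions made here, not from the notes.

```shell
#!/bin/sh
# Added example, not the original myfirewall.sh: the addmac.txt part of that
# script with input validation and a dry-run switch. Names assumed here:
# ADDMAC_FILE, IPTABLES, valid_mac, add_mac, load_mac_rules.

# The "MAC owner" list; the original keeps it on the administrator's desktop.
ADDMAC_FILE="${ADDMAC_FILE:-/home/administrator/desktop/addmac.txt}"
# Set IPTABLES="echo iptables" to print the rules instead of applying them
# (no root needed); leave it unset to apply them for real.
IPTABLES="${IPTABLES:-iptables}"

# valid_mac MAC: true only for six colon-separated hex pairs.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# add_mac MAC OWNER: append "MAC OWNER" to the list, refusing malformed MACs
# (the original appends whatever $1 $2 it was given).
add_mac() {
    if ! valid_mac "$1"; then
        echo "add_mac: '$1' is not a MAC address (want xx:xx:xx:xx:xx:xx)" >&2
        return 1
    fi
    printf '%s %s\n' "$1" "${2:-}" >> "$ADDMAC_FILE"
}

# load_mac_rules: one FORWARD accept rule per valid MAC in the list. Blank,
# comment and malformed lines are skipped (and reported) instead of being
# handed to iptables, so one typo no longer aborts the rest of the list.
# The last line printed is the number of rules applied.
load_mac_rules() {
    count=0
    while read -r mac owner; do
        [ -n "$mac" ] || continue                  # blank line
        case "$mac" in \#*) continue ;; esac       # comment line
        if ! valid_mac "$mac"; then
            echo "skipping bad entry '$mac' ($owner)" >&2
            continue
        fi
        $IPTABLES -A FORWARD -m mac --mac-source "$mac" -j ACCEPT
        count=$((count + 1))
    done < "$ADDMAC_FILE"
    echo "$count"
}

# Stand-alone demo on a constructed list, in dry-run mode.
ADDMAC_FILE=$(mktemp)
IPTABLES="echo iptables"
add_mac 00:11:22:33:44:55 zhangsan
add_mac 00:11:22:33:44:zz lisi || true                # rejected: zz is not hex
echo >> "$ADDMAC_FILE"                                # a blank line, as users leave behind
echo "00-11-22-33-44-66 wangwu" >> "$ADDMAC_FILE"     # wrong separator, written by hand
add_mac 2c:41:38:94:51:90 workstation
load_mac_rules
```

Run it as root with IPTABLES unset to apply the rules; the rule set this produces is the same FORWARD whitelist the notes build, only without the failure mode of a half-loaded list. Keep in mind that the whitelist matches the address a NIC reports, which is exactly what the ifconfig hw ether steps in these notes change, so it identifies cooperative users rather than enforcing a security boundary.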
3. DHCP server
(1) Install dhcp3-server: apt-get install dhcp3-server
(2) Configure it:
a. gedit /etc/default/dhcp3-server
INTERFACES="eth1"
b. gedit /etc/dhcp3/dhcpd.conf
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.2 192.168.0.254;
    option domain-name-servers 218.30.19.40, 202.117.112.3;
    option subnet-mask 255.255.255.0;
    option routers 192.168.0.1;
    option broadcast-address 192.168.0.255;
    default-lease-time 86400;
    max-lease-time 172800;
}
host workstation {
    hardware ethernet 2c:41:38:94:51:90;
    fixed-address 192.168.0.30;
}
Note: the host name is arbitrary. If the client is configured manually, the client's own configuration takes precedence.
(3) Start the service:
/etc/init.d/dhcp3-server start
4. startmynetwork.sh: what runs when the user starts it from the desktop
Enter the password when prompted (the commands run with sudo).
sudo /sbin/ifconfig eth0 hw ether **:**:**:**:**:**
sudo /home/administrator/mynetwork/myfirewall.sh
sudo /sbin/dhclient eth0
5. Configure eth0 and eth1 in /etc/network/interfaces
auto eth0
iface eth0 inet dhcp
    pre-up ifconfig eth0 hw ether **:**:**:**:**:**    # change the NIC's MAC to the one registered for Internet authentication
auto eth1
iface eth1 inet static
    address 192.168.0.1
    netmask 255.255.255.0
6. Set the startup items in /etc/rc.local
At system start, change the NIC's MAC to the one registered for Internet authentication and start the iNode service.
/sbin/ifconfig eth0 down
/sbin/ifconfig eth0 hw ether **:**:**:**:**:**
/sbin/ifconfig eth0 up
/etc/init.d/inodeauthservice start
exit 0
6. Change the boot order of Ubuntu 10.10 and Windows XP
In Windows XP, right-click My Computer and choose Properties > Advanced > Startup and Recovery > Settings; in the "Default operating system" drop-down box select the default operating system and the time the list of operating systems is displayed.
7. Enable SSH on the server
Install openssh-server on the server: sudo apt-get install openssh-server
8. Uninstall NetworkManager
9. Scheduled server shutdown
gedit /etc/crontab
30 23 * * * root /sbin/shutdown -h now
Shuts down at 23:30 every day.
10. Run startmynetwork.sh and myfirewall.sh as commands
Copy startmynetwork.sh and myfirewall.sh to a directory listed in PATH (/bin).
For example, once the two scripts are copied into /bin, they can be run from any directory in the terminal.
Supplement:
PATH: if a command or script is not found in the current directory, the shell searches the directories listed in PATH.
View PATH: echo $PATH, or export (lists all environment variables)
Modify PATH: export PATH=**:**:**
11. Switch between Chinese and English input methods in Xmanager (first enable the default input method under Keyboard Input Method): Shift
Set it under Preferences - Keyboard Input Method
12. View the DHCP address allocation history
cat /var/lib/dhcp3/dhcpd.leases
Note: fixed IP addresses do not appear here (whether set on the client or assigned by the server).
Alternatively (recommended), look at the log through a pipe:
cat /var/log/messages | grep DHCPACK
Note: /var/log/messages holds one day of messages.
/var/log/messages.1: how long is it kept?
13. Check the IP addresses in use to see which clients are currently connected to the server
(1) arp            # all interfaces
(2) arp -i eth1    # the IP addresses seen on eth1 and their MAC addresses
Note: if /etc/dhcp3/dhcpd.conf assigns a fixed IP address to a specific MAC, arp can still resolve that IP address to its MAC (an address set on the client can also be resolved). The arp command shows only entries learned from current traffic, so a client that is connected but currently silent may not be listed.
14. Meaning of the fields in /var/lib/dhcp3/dhcpd.leases
{
  starts 6 2010/12/25 21:20:08;
  ends 6 2010/12/25 23:20:08;
  cltt 6 2010/12/25 21:20:08;
  binding state active;
  next binding state free;
}
{
  starts 0 2010/12/19 15:56:00;
  ends 0 2010/12/19 17:56:00;
  tstp 0 2010/12/19 17:56:00;
  cltt 0 2010/12/19 15:56:00;
  binding state free;
}
The starts and ends statements record the lease start and end times. The tstp statement gives the time at which the failover partner considers the lease expired, and the tsfp statement gives the lease expiry time acknowledged by the partner; both apply only when the failover protocol is used. The binding state statement declares the lease's binding state. When the DHCP server is not configured for failover, the binding state is either active or free; failover adds further transitional states. For cltt I found the English DHCP documentation: "The time of the last transaction with the client on this lease. This is probably the last time the client was renewed."
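Sections 12 and 14 read dhcpd.leases raw with cat. Because dhcpd appends a fresh block every time a lease changes, the same address appears several times and only the last block is current. The following is an added example (not part of the original notes) that reduces the file to one line per address and lists the addresses whose binding state is active; the function names lease_report and active_leases and the sample lease blocks are constructed here, not taken from a real server.

```shell
#!/bin/sh
# Added example, not part of the original notes: summarise dhcpd.leases
# (ISC dhcp3 format) instead of reading it raw. Names assumed here:
# LEASES_FILE, lease_report, active_leases; the sample lease blocks below
# are constructed, not taken from a real server.

LEASES_FILE="${LEASES_FILE:-/var/lib/dhcp3/dhcpd.leases}"

# lease_report FILE: one line per address, "ip mac binding-state ends".
# dhcpd appends a new block every time a lease changes, so the last block
# for an address is the current one and overrides the earlier ones.
lease_report() {
    awk '
        /^lease /               { ip = $2; mac = "-"; state = "?"; ends = "?" }
        /^ *hardware ethernet/  { mac = $3; sub(/;$/, "", mac) }
        /^ *binding state/      { state = $3; sub(/;$/, "", state) }
        /^ *ends/               { ends = $3; if ($4 != "") ends = ends " " $4; sub(/;$/, "", ends) }
        /^}/                    { latest[ip] = ip " " mac " " state " " ends }
        END { for (ip in latest) print latest[ip] }
    ' "$1" | sort
}

# active_leases FILE: addresses whose current binding state is active.
active_leases() {
    lease_report "$1" | awk '$3 == "active" { print $1 }'
}

# Constructed sample: .40 active, .31 expired and then renewed, .50 expired.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
lease 192.168.0.40 {
  starts 6 2010/12/25 21:20:08;
  ends 6 2010/12/25 23:20:08;
  cltt 6 2010/12/25 21:20:08;
  binding state active;
  next binding state free;
  hardware ethernet aa:bb:cc:dd:ee:01;
}
lease 192.168.0.31 {
  starts 0 2010/12/19 15:56:00;
  ends 0 2010/12/19 17:56:00;
  tstp 0 2010/12/19 17:56:00;
  cltt 0 2010/12/19 15:56:00;
  binding state free;
  hardware ethernet aa:bb:cc:dd:ee:02;
}
lease 192.168.0.50 {
  starts 0 2010/12/19 08:00:00;
  ends 0 2010/12/19 10:00:00;
  binding state free;
  hardware ethernet aa:bb:cc:dd:ee:03;
}
lease 192.168.0.31 {
  starts 1 2010/12/27 09:00:00;
  ends 1 2010/12/27 11:00:00;
  cltt 1 2010/12/27 09:00:00;
  binding state active;
  next binding state free;
  hardware ethernet aa:bb:cc:dd:ee:02;
}
EOF
lease_report "$SAMPLE"
echo "active:"
active_leases "$SAMPLE"
```

On the server, call lease_report "$LEASES_FILE" instead of the sample. Fixed addresses from host blocks in dhcpd.conf still do not show up, for the reason given in section 12, so the arp check in section 13 remains the way to see those clients.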
FAQ
Problem 1: iNode authentication failure (connect failed)
Solution: user permissions? (The failure occurs when the administrator's uid is set to 0.)
Change the uid back to 1000; or the cause is the execution permission of the iNode program, so change its execution permission, or change its owner and group? Disconnect and reconnect. Or restart iNode and try again.
Problem 2: iNode connection timeout (overtime)
Solution: disconnect and reconnect. (Or restart and reconnect.)
Problem 3: the MAC is wrong when iNode connects
Solution: ifconfig eth0 hw ether **:** (change it to the Internet MAC)
Problem 4: iNode reports that authentication succeeded, but www.baidu.com cannot be pinged
Solution: dhclient eth0 (no IP address had been obtained)
Problem 5: DHCP server unavailable
Solution: set the IP address of eth1 to 192.168.0.1.
Problem 6: the MAC of eth0 changes after NetworkManager is used
Solution: ifconfig eth0 hw ether **:** (change it to the Internet MAC)
Or simply run myfirewall.sh
DNS Configuration
1. DNS configuration files
/etc/hosts: the oldest host-name-to-IP file;
/etc/resolv.conf: this one matters! It records the IP addresses of the ISP's DNS servers;
/etc/nsswitch.conf: decides whether /etc/hosts or /etc/resolv.conf is used.
In general, Linux consults /etc/hosts first when resolving a host name to an IP address.
2. DNS commands
root@ubuntu:~# dig +trace www.baidu.com
DNS forward and reverse lookup commands: host, nslookup, dig
root@ubuntu:~# host www.baidu.com
www.baidu.com is an alias for www.a.shifen.com.
www.a.shifen.com has address 119.75.218.77
www.a.shifen.com has address 119.75.217.56
Host www.a.shifen.com not found: 3(NXDOMAIN)
root@ubuntu:~#
root@ubuntu:~# nslookup www.baidu.com
Server:         192.168.77.2
Address:        192.168.77.2#53

Non-authoritative answer:
www.baidu.com   canonical name = www.a.shifen.com.
Name:   www.a.shifen.com
Address: 119.75.218.77
Name:   www.a.shifen.com
Address: 119.75.217.56
root@ubuntu:~#
3. Configuration example
Reference: http://www.xkedu.cn/blog/read.php?478
1. Environment:
A simple LAN of one server and several clients in one subnet; one server acts as the DNS server. Note that the DNS server cannot take its address from DHCP; it must use a static IP. Server IP: 192.168.0.1; client IP range: 192.168.0.2 - 192.168.0.254; the machines can ping each other.
2. Check whether BIND is installed.
Run dpkg -l bind* to check whether the package is installed.
If it is not installed, proceed to the next step.
3. Install bind9
Command: sudo apt-get install bind9
We will configure DNS as a primary (master) server.
The DNS configuration files are in the /etc/bind directory. After bind9 is installed, the following three configuration files are present:
named.conf, named.conf.options and named.conf.local.
named.conf is the main configuration file; it includes named.conf.options and named.conf.local. To set up a local DNS we only need to change named.conf.local.
Configuration example
(1) Environment:
Server IP: 192.168.0.1
Client IP range: 192.168.0.2 - 192.168.0.254; the machines can ping each other
Set the server up as the primary DNS server, which must resolve
kxsrv.304.com 192.168.0.1
www.304.com 192.168.0.1
mail.304.com 192.168.0.30
(2) Analysis: from the host names and IP addresses we can see that:
① We need to add the forward zone "304.com" and the reverse zone "0.168.192.in-addr.arpa".
② In the "304.com" zone, add an A record kxsrv for 192.168.0.1 and a CNAME record www pointing to kxsrv.
③ In the "0.168.192.in-addr.arpa" zone, add the host name for each IP address.
(3) Edit the configuration files; remember the path /etc/bind/
① Edit named.conf.local
First add write permission: sudo chmod 646 named.conf.local
Edit: sudo nano /etc/bind/named.conf.local
Add the following statements:
// forward zone
zone "304.com" {
    type master;
    file "/etc/bind/db.304.com";
};
// reverse zone
zone "0.168.192.in-addr.arpa" {
    type master;
    notify no;
    file "/etc/bind/db.0.168.192";    // must match the reverse zone file created in step ②
};
Then save.
② Create the zone files named in named.conf.local
Create the forward zone file under /etc/bind (copy the template):
Command: sudo cp /etc/bind/db.local /etc/bind/db.304.com
Create the reverse zone file under /etc/bind (copy the template):
Command: sudo cp /etc/bind/db.127 /etc/bind/db.0.168.192
③ Edit the forward zone file
Command: sudo nano /etc/bind/db.304.com
Change the original text to the following:
;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     ns.304.com. root.304.com. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ns.304.com.
@       IN      A       127.0.0.1
@       IN      AAAA    ::1
ns      IN      A       192.168.0.1
kxsrv   IN      A       192.168.0.1
mail    IN      A       192.168.0.30
www     IN      CNAME   kxsrv
Note: the original file refers to localhost; change those entries, then add the host records. Use the Tab key to separate and align the columns.
Also, an alias written as "www IN CNAME 192.168.0.1" gives an error;
use "www IN CNAME kxsrv" instead (a CNAME must point to a name, not an address).
④ Edit the reverse zone file
Command: sudo nano /etc/bind/db.0.168.192
Change the original text to the following:
;
; BIND reverse data file for local loopback interface
;
$TTL    604800
@       IN      SOA     ns.304.com. root.304.com. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ns.304.com.     ; fully qualified, as in the forward zone
; The label of each PTR is the last octet of the address; these follow the
; A records in db.304.com (the digits were garbled in the original notes).
1       IN      PTR     ns.304.com.
1       IN      PTR     kxsrv.304.com.
1       IN      PTR     www.304.com.
30      IN      PTR     mail.304.com.
Note: the original file refers to localhost; change those entries, then add the host records again. Use the Tab key to separate and align the columns.
(4) Restart the DNS service
sudo /etc/init.d/bind9 restart
At this point the DNS configuration is complete. You can try nslookup from the CMD window of XP.
Note: bind9 must be restarted after a configuration file is changed.
(5) DNS settings on Linux
On Linux, change the DNS servers in the /etc/resolv.conf file.
For example:
Edit: sudo nano /etc/resolv.conf
Change it to
nameserver 192.168.0.1
nameserver 202.117.112.3
DNS client configuration
Now the DNS server is working. To use it, taking XP as an example: open "Control Panel" - "Network Connections", find the adapter used to access the Internet, right-click and choose "Properties", and change the DNS address to 192.168.0.1.
Verification: on the client
ping kxsrv.304.com
ping www.304.com
ping mail.304.com
Summary: relationships between the files in /etc/bind
1. There are three configuration files: named.conf, named.conf.options and named.conf.local. (There are also default files such as named.conf.default-zones, which you do not need to touch.)
2. named.conf is the main configuration file; it includes named.conf.options and named.conf.local. To set up a local DNS we only need to change named.conf.local.
3. The forward and reverse zones are declared in named.conf.local.
The records of the forward zone are in /etc/bind/db.304.com (the file used in this test).
The records of the reverse zone are in /etc/bind/db.0.168.192 (the file used in this test).
The host records are then written in those forward and reverse zone files.
To sum up: add the forward and reverse zones in named.conf.local, then fill in the forward zone file and the reverse zone file (named.conf.local specifies the path and name of each).
That is, to serve another domain, replace the 304 string in the three files above with the new one.
To add another name to be resolved (still in the 304.com domain, still in the 192.168.0 segment, at an address other than 192.168.0.1), such as ftp.304.com at 192.168.0.20, you only need to add the corresponding name and address in /etc/bind/db.304.com and /etc/bind/db.0.168.192.
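Every new name has to be added in two places, the forward zone file and the reverse zone file, and the notes say only to restart bind9 afterwards. The following is an added example (not from the original notes or the xkedu post) of a check that compares the two files before the restart and reports A records without a PTR and PTRs without an A record. The names zone_a_records, zone_ptr_records and check_zone_pair and the two sample zone files are constructed here; the sample reverse file deliberately leaves out the PTR for mail to show what the check reports.

```shell
#!/bin/sh
# Added example, not from the original notes or the xkedu post: cross-check a
# BIND forward zone file against its reverse zone file before restarting bind9.
# Names assumed here: zone_a_records, zone_ptr_records, check_zone_pair.
# The sample zone files are constructed to mirror the 304.com setup above;
# the "bad" reverse file deliberately omits the PTR for mail.

# zone_a_records FILE: print "label ip" for each A record, skipping the
# loopback entry carried over from the copied db.local template.
zone_a_records() {
    awk '$2 == "IN" && $3 == "A" && $4 != "127.0.0.1" { print $1, $4 }' "$1"
}

# zone_ptr_records FILE NET: print "fqdn ip" for each PTR record, rebuilding
# the address from the record label (last octet) and NET (e.g. 192.168.0).
zone_ptr_records() {
    awk -v net="$2" '$2 == "IN" && $3 == "PTR" { sub(/\.$/, "", $4); print $4, net "." $1 }' "$1"
}

# check_zone_pair FWD REV DOMAIN NET: list A records without a PTR and PTRs
# without an A record; exit status 0 only when the two files agree.
check_zone_pair() {
    fwd_list=$(mktemp); rev_list=$(mktemp)
    zone_a_records "$1" \
        | awk -v d="$3" '{ n = ($1 == "@") ? d : ($1 "." d); print n, $2 }' \
        | sort -u > "$fwd_list"
    zone_ptr_records "$2" "$4" | sort -u > "$rev_list"
    comm -23 "$fwd_list" "$rev_list" | sed 's/^/no PTR for: /'
    comm -13 "$fwd_list" "$rev_list" | sed 's/^/no A for: /'
    mismatches=$(comm -3 "$fwd_list" "$rev_list" | wc -l | tr -d ' ')
    rm -f "$fwd_list" "$rev_list"
    [ "$mismatches" -eq 0 ]
}

# Constructed sample files (same host records as the 304.com zones above).
FWD=$(mktemp); REV_BAD=$(mktemp); REV_OK=$(mktemp)
cat > "$FWD" <<'EOF'
$TTL 604800
@ IN SOA ns.304.com. root.304.com. ( 2 604800 86400 2419200 604800 )
@ IN NS ns.304.com.
@ IN A 127.0.0.1
ns IN A 192.168.0.1
kxsrv IN A 192.168.0.1
mail IN A 192.168.0.30
www IN CNAME kxsrv
EOF
cat > "$REV_BAD" <<'EOF'
$TTL 604800
@ IN SOA ns.304.com. root.304.com. ( 1 604800 86400 2419200 604800 )
@ IN NS ns.304.com.
1 IN PTR ns.304.com.
1 IN PTR kxsrv.304.com.
EOF
{ cat "$REV_BAD"; echo "30 IN PTR mail.304.com."; } > "$REV_OK"

check_zone_pair "$FWD" "$REV_BAD" 304.com 192.168.0 || echo "reverse zone incomplete"
check_zone_pair "$FWD" "$REV_OK" 304.com 192.168.0 && echo "zones agree"
```

On the server, run check_zone_pair /etc/bind/db.304.com /etc/bind/db.0.168.192 304.com 192.168.0 before the bind9 restart; it only needs read access to the files, so there is no reason to loosen their permissions (the chmod 646 step above also makes named.conf.local writable by every local user, and the nano edit already runs under sudo). CNAME records are not counted, so the PTR for www.304.com in the notes' reverse zone is reported as having no A record; that is informative rather than an error, since the name resolves through kxsrv. The bind9 package also ships named-checkzone, which catches syntax errors that this consistency check does not.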