Ubuntu8.04 server vro setting

Source: Internet
Author: User
Ubuntu8.04 server vro setting

The advantage of Linux as a router is that compared with professional router equipment, the cost is much reduced, because the hardware is usually used to add a few NICs to the old computer, and the Linux system has many free to use. In addition, you can specify flexible network management rules for enterprise networks. However, this practice requires learning a lot of knowledge, which is often daunting. This article summarizes my personal experience and tries to help more Linux enthusiasts.

I used Ubuntu to set the NIC address, route command, and iptables in my router setting method. Use eth0 to directly connect to the Internet. The other two use IP packet forwarding methods to communicate with other subnets and therefore can connect to the Internet.


Set Nic

First, assign different addresses to the three NICs: (edit the/etc/Network/interfaces file using the sudo identity). The file content is as follows:


File edit options buffers tools help

# This file describes the network interfaces available on your system

# And how to activate them. For more information, see interfaces (5 ).


# The loopback network interface

Auto Lo

Iface lo Inet loopback


# The primary network interface

Auto eth0

Iface eth0 Inet static

Address 58.246.17.2

Netmask 255.255.255.248

Network 58.246.small

Broadcast 58.246.17.7

Gateway 58.246.17.1

# DNS-* options are implemented by the resolvconf package, if installed

DNS-nameservers 210.22.70.3

DNS-search longday.com

# The sencond Network Interface

Auto eth1

Iface eth1 Inet static

Address 192.168.10.244

Netmask 255.255.255.0

Network 192.168.10.0

Broadcast 192.168.10.255

Gateway 192.168.10.244

# DNS-* options are implemented by the resolvconf package, if installed

DNS-nameservers 192.168.10.244



After editing the preceding file, run sudo/etc/init. d/networking restart to restart the network service.

Modify the DNS in the/etc/resolv. conf file to 210.22.70.3 and restart the computer.


Set route

Now we need to use the route command to set the route so that:

1) all packets sent to the 58.246.17.0 network segment pass through the eth0 Nic

2) All packets sent to the 192.168.10.0 network segment pass through the eth1 Nic


The route command can be used to view the current route table settings. Route del is used to delete a route setting, and route add is used to add a route setting. The last set route table is as follows:

/Etc/Network # route

Kernel IP routing table

Destination gateway genmask flags metric ref use iface

58.246.20.* 255.255.255.255.248 u 0 0 eth0

Localnet * 255.255.255.0 u 0 0 0 eth1

Default 58.246.17.1 0.0.0.0 ug0 100 0 eth0


The following is our setting command. First, use the following command to delete the default setting of eth1, because it will interfere with our server's connection to the Internet through eth0

Route del default Dev eth1

Note that each time the network service is restarted, the default setting will be changed to what we don't want. I will later provide a method for automatic deletion.

Route add default GW 58.246.17.1 Dev eth0 // by default, this command is automatically added without manual addition.


The following three commands Add the routing policies for each NIC:

Route add-net 58.246.w.netmask implements route 248 Dev eth0

Route add-net 192.168.10.0 netmask 255.255.255.0 Dev eth1




(Note: with the same command, replace add with Del to delete these policies. The-net parameter refers to the network segment, so the last decimal number must be 0 ).




Set IP packet forwarding

1) execute the following command
/Proc/sys/NET/IPv4/ip_forward content modified to 1
(You can also use other editing programs to modify)
Echo 1>/proc/sys/NET/IPv4/ip_forward



2)
Edit the/etc/sysctl. conf file and cancel the # net. ipv4.ip _ forward = 1 annotation.

3) use the iptables command to change the source packet address to the IP address of the router when the Intranet packet is sent by the router. After the external packet is sent to the router, the destination IP address is changed to the Intranet IP Address by the router.

Iptables-F


Iptables-P input accept


Iptables-P forward accept


Iptables-T Nat-A postrouting-O eth0-J Masquerade
// Add a rule to the NAT rule table, which disguise the source of all outgoing data as the IP address of the eth0 Interface


(Note: This statement is less efficient, but more flexible. It is suitable for Dynamic IP address access.
)


The Nat rule table is mainly responsible for packet address translation. It has three rule chains:

The prerouting chain is responsible for modifying the package's target address, which is usually used to process received packets,

The postrouting chain is responsible for modifying the package source address, which is usually used for the package to be sent out. The following example shows

Iptables-T Nat-A postrouting-s 192.168.10.0/24-O eth0-j snat -- to-source 58.246.17.2 // This sentence does not seem to be available yet and will be resolved later
.




Port ing

Port ing mainly addresses how external requests are routed to the internal server, the following article introduces very good: http://hi.baidu.com/allenspace/blog/item/cbba05f3b41c5dcb0b46e0ef.html

First, execute the following command to map port 21 of FTP to the internal server 192.168.10.80.

Iptables-T Nat-A prerouting -- DST 58.246.17.2-p tcp -- dport 21-j dnat -- to-destination 192.168.10.80

Now we are faced with a new problem. You can connect to the FTP service through the Internet. Telnet 58.246.17.2 21 command is successfully tested, but the Intranet machine cannot, the following command converts the source addresses of all data packets sent to port 80 and port 21 to the eth1 address.

Iptables-T Nat-A postrouting-p tcp -- DST 192.168.10.80 -- dport 21-j snat -- to-source 192.168.10.244


Open the relevant ports of the forward chain, for example, the following example:


Sudo iptables-a forward-O eth1-D 192.168.10.51-p tcp -- dport 8080-J accept
Sudo iptables-a forward-I eth1-s 192.168.10.51-P TCP -- Sport 8080-J accept



FTP settings

FTP is a troublesome service. In addition to opening port ing mentioned in the previous section, some modules need to be loaded. The following command shows some FTP helper modules in ubuntu8.04.

Freebird @ freebird-desktop :~ $ Sudo modprobe-L | grep FTP

[Sudo] password for freebird:

/Lib/modules/2.6.24-20-rt/kernel/NET/IPv4/ipvs/ip_vs_ftp.ko

/Lib/modules/2.6.24-20-rt/kernel/NET/IPv4/Netfilter/nf_nat_tftp.ko

/Lib/modules/2.6.24-20-rt/kernel/NET/IPv4/Netfilter/nf_nat_ftp.ko

/Lib/modules/2.6.24-20-rt/kernel/NET/Netfilter/nf_conntrack_tftp.ko

/Lib/modules/2.6.24-20-rt/kernel/NET/Netfilter/nf_conntrack_ftp.ko



You can use commands such as modprobe ip_vs_ftp to load them one by one. To view which modules have been loaded, run the lsmod command, for example:
Lsmod | grep nf_nat_ftp
Nf_nat_ftp 4352 0
Nf_conntrack_ftp 10144 1 nf_nat_ftp
Nf_nat 20268 4 nf_nat_tftp, nf_nat_ftp, ipt_masquerade, iptable_nat
Nf_conntrack 66752 8 nf_nat_tftp, nf_conntrack_tftp, nf_nat_ftp, nf_conntrack_ftp, ipt_masquerade, iptable_nat, nf_nat, nf_conntrack_ipv4


If you want to automatically load data when the system starts, you must add the module name to the/etc/modules file as follows:
#/Etc/modules: Kernel Modules to load at boot time.
#
# This file contains the names of kernel modules that shoshould be loaded
# At boot time, one per line. Lines beginning with "#" are ignored.

Fuse
Lp
RTC
Nf_nat_ftp
Nf_nat_tftp
Ip_vs_ftp
Nf_conntrack_tftp
Nf_conntrack_ftp



Restrict some users to access the Internet

The following command allows 192.168.10.67 users to access the Internet and disallow 192.168.10.69 users to access the Internet:

# Iptables-a forward-s 192.168.10.67-D 0.0.0.0/0-J accept

# Iptables-a forward-s 192.168.10.69-D 0.0.0.0/0-J Drop


Now we can further bind the NIC and IP address so that others cannot steal the IP address to access the Internet:

Iptables-a forward-s 192.168.10.6-M Mac -- Mac-source 00: 1D: 92: 86: 9e: 2a-D 0.0.0.0/0-J accept

Iptables-I forward 2-s 192.168.10.11-M Mac -- Mac-source 00: 15: B7: 2b: A7: 6a-D 0.0.0.0/0-J accept

Iptables-I forward 3-s 192.168.10.22-M Mac -- Mac-source 00: 15: 58: BF: 92: CF-D 0.0.0.0/0-J accept

Iptables-I forward 4-s 192.168.10.14-M Mac -- Mac-source 00.11.d8.b6.3d.68-D 0.0.0.0/0-J accept

Iptables-I forward 5-s 192.168.10.68-M Mac -- Mac-source 00.18.372.166.32.df-D 0.0.0.0/0-J accept

Iptables-I forward 6-s 192.168.10.69-M Mac -- Mac-source 00.18.372.166.37.8e-D 0.0.0.0/0-J accept

Iptables-I forward 7-s 192.168.10.5-M Mac -- Mac-source 00.13.d3.5e.7c.3f-D 0.0.0.0/0-J accept

Iptables-I forward 8-s 192.168.10.90-M Mac -- Mac-source 00.1d.92.86.9d.4e-D 0.0.0.0/0-J accept

Iptables-I forward 9-s 192.168.10.61-M Mac -- Mac-source 00.1a.4d.2e. AB .2a-D 0.0.0.0/0-J accept

Iptables-I forward 10-s 192.168.10.13-M Mac -- Mac-source 00.11.d8.b6.3d.6b-D 0.0.0.0/0-J accept

Iptables-I forward 11-s 192.168.10.12-M Mac -- Mac-source 00.13.d3.1e.0e.12-D 0.0.0.0/0-J accept

Iptables-I forward 12-s 192.168.10.15-M Mac -- Mac-source 00.13.d3.5e.6d.e1-D 0.0.0.0/0-J accept

Iptables-I forward 13-s 192.168.10.9-M Mac -- Mac-source 002.16e.7b.a4.d1.66-D 0.0.0.0/0-J accept

Iptables-I forward 14-s 192.168.10.65-M Mac -- Mac-source 00.1d.92.86.9c.1e-D 0.0.0.0/0-J accept

Iptables-I forward 15-s 192.168.10.66-M Mac -- Mac-source 00.13.d3.1d.f6.a8-D 0.0.0.0/0-J accept

Iptables-I forward 16-s 192.168.10.220-M Mac -- Mac-source 00.13.46.e7.49.da-D 0.0.0.0/0-J accept

Iptables-I forward 17-s 192.168.10.102-M Mac -- Mac-source 00.11.d8.b6.3d.fe-D 0.0.0.0/0-J accept

Iptables-I forward 18-s 192.168.10.83-M Mac -- Mac-source 00.13.d3.1e.20.ef-D 0.0.0.0/0-J accept

Iptables-I forward 19-s 192.168.10.99-M Mac -- Mac-source 00.1d.09.4c.fe.8c-D 0.0.0.0/0-J accept

Iptables-I forward 20-s 192.168.10.72-M Mac -- Mac-source 00.30.18.a7.79.5f-D 0.0.0.0/0-J accept

Iptables-I forward 21-s 192.168.10.21-M Mac -- Mac-source 00.1a.4d.db.e8.22-D 0.0.0.0/0-J accept

Iptables-I forward 22-s 192.168.10.23-M Mac -- Mac-source 00.18.3720.2.bb.57-D 0.0.0.0/0-J accept

Iptables-I forward 23-s 192.168.10.25-M Mac -- Mac-source 00.1a.4d.1b.25.b1-D 0.0.0.0/0-J accept

Iptables-I forward 24-s 192.168.10.24-M Mac -- Mac-source 00.00.e1.6b.bb.00-D 0.0.0.0/0-J accept

Iptables-I forward 25-s 192.168.10.29-M Mac -- Mac-source 00.16.76.8c.63.12-D 0.0.0.0/0-J accept

Iptables-I forward 26-s 192.168.10.10-M Mac -- Mac-source 00.19.b9.2a.3b.7c-D 0.0.0.0/0-J accept

Iptables-I forward 27-s 192.168.10.3-M Mac -- Mac-source 000000b.2f00003.de.10-D 0.0.0.0/0-J accept

Iptables-I forward 27-s 192.168.10.62-M Mac -- Mac-source 00.15.58.bf.64.11-D 0.0.0.0/0-J accept

Iptables-I forward 27-s 192.168.10.243-M Mac -- Mac-source 00.1d.92.86.9a.2d-D 0.0.0.0/0-J accept

Iptables-I forward 27-s 192.168.10.87-M Mac -- Mac-source 00.18.372.166.35.87-D 0.0.0.0/0-J accept


The following command deletes the second rule of the forward chain
Sudo iptables-D forward 2



You can run the following command to view the settings.
Sudo iptables-l -- line-Number



At the same time, our 80 server should also allow outgoing packets:

Iptables-I forward 2-s 192.168.10.80-D 0.0.0.0/0-J accept

To modify an existing rule, run the following command:
Iptables-r forward 43-s 192.168.10.67-M Mac -- Mac-source 00.13.d3.1e.20.ef-D 0.0.0.0/0-J accept

Finally, prohibit other IP addresses from accessing the Internet. /24 indicates the class C website
Iptables-a forward-s 192.168.10.0/24-D 0.0.0.0/0-J Drop



Save iptables settings

The following command saves the current iptables settings to the specified file:


Sudo sh-c "iptables-save>/etc/iptables. Up. Rules"


Add two lines to the/etc/Network/interfaces file to save the current firewall settings and read the firewall settings at the next Startup before the system restarts.

Pre-up iptables-Restore </etc/iptables. Up. Rules

Post-down iptables-save>/etc/iptables. Up. Rules

 

Note that the two commands must be added

After iface eth0 Inet DHCP, or if DHCP is static, it should be added after the IP address, subnet mask, and gateway settings, for example:
Auto Lo
Iface lo Inet loopback

Iface eth0 Inet static
Address 192.168.10.67
Netmask 255.255.255.0
Gateway 192.168.10.244
Pre-up iptables-Restore </etc/iptables. Up. Rules
Post-down iptables-save>/etc/iptables. Up. Rules

Auto eth0
Then, you can restart the network service to check whether it is valid.

Website Restriction




Restrict Internet access time

Sometimes, we need to prevent people from surfing the internet in the company after work. This often happens in IT companies, and the company is regarded as an Internet cafe. Therefore, we need to make further time restrictions on some IP addresses and nic addresses:


Http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO-3.html#ss3.19

Restrict P2P Technology

Http://www.xxlinux.com/linux/article/network/app/20051201/388.html



Traffic limit

Http://www.ymyasp.com/it/sort052/sort060/info15732.html




Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.