Ubuntu 8.04 server router setup
The advantage of using Linux as a router is that, compared with dedicated router hardware, the cost is much lower: the hardware is usually an old computer with a few extra NICs, and the Linux system itself is free to use. In addition, you can define flexible network management rules for an enterprise network. However, this requires learning a lot, which is often daunting. This article summarizes my personal experience and tries to help more Linux enthusiasts.
In my router setup I used Ubuntu to set the NIC addresses, the route command, and iptables. eth0 connects directly to the Internet; the other two NICs use IP packet forwarding to communicate with the other subnets, which can therefore also reach the Internet.
Set the NICs
First, assign a different address to each NIC by editing the /etc/network/interfaces file (with sudo). The file content is as follows:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
address 58.246.17.2
netmask 255.255.255.248
network 58.246.17.0
broadcast 58.246.17.7
gateway 58.246.17.1
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 210.22.70.3
dns-search longday.com
# The second network interface
auto eth1
iface eth1 inet static
address 192.168.10.244
netmask 255.255.255.0
network 192.168.10.0
broadcast 192.168.10.255
gateway 192.168.10.244
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 192.168.10.244
After editing the file, run sudo /etc/init.d/networking restart to restart the network service.
Set the DNS server in the /etc/resolv.conf file to 210.22.70.3 and restart the computer.
Set routes
Now we use the route command to set the routes so that:
1) all packets sent to the 58.246.17.0 network segment go out through the eth0 NIC;
2) all packets sent to the 192.168.10.0 network segment go out through the eth1 NIC.
The route command without arguments shows the current routing table, route del deletes a route and route add adds one. The final routing table looks like this:
/etc/network# route
Kernel IP routing table
Destination     Gateway         Genmask          Flags Metric Ref Use Iface
58.246.17.0     *               255.255.255.248  U     0      0   0   eth0
localnet        *               255.255.255.0    U     0      0   0   eth1
default         58.246.17.1     0.0.0.0          UG    0      100 0   eth0
The following are our setting commands. First, delete the default route on eth1, because it interferes with the server's connection to the Internet through eth0:
route del default dev eth1
Note that every time the network service is restarted this unwanted default route comes back (the gateway line under eth1 in /etc/network/interfaces installs it). I will provide a method for deleting it automatically later.
route add default gw 58.246.17.1 dev eth0   # by default this route is added automatically and need not be added by hand
The following commands add the routing entries for each NIC:
route add -net 58.246.17.0 netmask 255.255.255.248 dev eth0
route add -net 192.168.10.0 netmask 255.255.255.0 dev eth1
(Note: the same commands with add replaced by del delete these entries. The -net parameter refers to a network segment, so the last octet must be 0.)
Set up IP packet forwarding
1) Set the content of /proc/sys/net/ipv4/ip_forward to 1 with the following command (any editor can also be used):
echo 1 > /proc/sys/net/ipv4/ip_forward
2) Edit the /etc/sysctl.conf file and uncomment the line net.ipv4.ip_forward=1 so that the setting survives a reboot.
3) Use iptables so that when the router forwards an intranet packet, its source address is rewritten to the router's IP address, and when an external packet arrives at the router, its destination address is rewritten to the intranet IP address:
iptables -F
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Add a rule to the nat table that disguises the source of all outgoing packets as the IP address of the eth0 interface
(Note: MASQUERADE is less efficient than SNAT but more flexible; it is suitable for Internet access with a dynamic IP address.)
The nat table is responsible for packet address translation. It has three rule chains:
The PREROUTING chain modifies a packet's destination address and is usually used to process received packets.
The POSTROUTING chain modifies a packet's source address and is usually used for packets about to be sent out. The following is an example:
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth0 -j SNAT --to-source 58.246.17.2   # This command does not seem to work yet; it will be resolved later.
Port mapping
Port mapping mainly addresses how external requests are routed to an internal server. The following article introduces it very well: http://hi.baidu.com/allenspace/blog/item/cbba05f3b41c5dcb0b46e0ef.html
First, execute the following command to map FTP port 21 to the internal server 192.168.10.80:
iptables -t nat -A PREROUTING --dst 58.246.17.2 -p tcp --dport 21 -j DNAT --to-destination 192.168.10.80
Now we face a new problem. The FTP service can be reached from the Internet (telnet 58.246.17.2 21 succeeds), but intranet machines cannot reach it. The following command rewrites the source address of all packets sent to port 80 and port 21 of the server to the eth1 address, so that the server's replies go back through the router:
iptables -t nat -A POSTROUTING -p tcp --dst 192.168.10.80 --dport 21 -j SNAT --to-source 192.168.10.244
Open the relevant ports in the FORWARD chain, for example:
sudo iptables -A FORWARD -o eth1 -d 192.168.10.51 -p tcp --dport 8080 -j ACCEPT
sudo iptables -A FORWARD -i eth1 -s 192.168.10.51 -p tcp --sport 8080 -j ACCEPT
FTP settings
FTP is a troublesome service. Besides the port mapping described in the previous section, some kernel modules must be loaded. The following command lists the FTP helper modules in Ubuntu 8.04:
freebird@freebird-desktop:~$ sudo modprobe -l | grep ftp
[sudo] password for freebird:
/lib/modules/2.6.24-20-rt/kernel/net/ipv4/ipvs/ip_vs_ftp.ko
/lib/modules/2.6.24-20-rt/kernel/net/ipv4/netfilter/nf_nat_tftp.ko
/lib/modules/2.6.24-20-rt/kernel/net/ipv4/netfilter/nf_nat_ftp.ko
/lib/modules/2.6.24-20-rt/kernel/net/netfilter/nf_conntrack_tftp.ko
/lib/modules/2.6.24-20-rt/kernel/net/netfilter/nf_conntrack_ftp.ko
Load them one by one with commands such as modprobe ip_vs_ftp. To see which modules are loaded, run lsmod, for example:
lsmod | grep nf_nat_ftp
nf_nat_ftp              4352  0
nf_conntrack_ftp       10144  1 nf_nat_ftp
nf_nat                 20268  4 nf_nat_tftp,nf_nat_ftp,ipt_MASQUERADE,iptable_nat
nf_conntrack           66752  8 nf_nat_tftp,nf_conntrack_tftp,nf_nat_ftp,nf_conntrack_ftp,ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4
To load them automatically at boot, add the module names to the /etc/modules file as follows:
# /etc/modules: kernel modules to load at boot time.
#
# This file contains the names of kernel modules that should be loaded
# at boot time, one per line. Lines beginning with "#" are ignored.
fuse
lp
rtc
nf_nat_ftp
nf_nat_tftp
ip_vs_ftp
nf_conntrack_tftp
nf_conntrack_ftp
Restrict Internet access for some users
The following commands allow 192.168.10.67 to access the Internet and deny 192.168.10.69:
# iptables -A FORWARD -s 192.168.10.67 -d 0.0.0.0/0 -j ACCEPT
# iptables -A FORWARD -s 192.168.10.69 -d 0.0.0.0/0 -j DROP
Now we can go further and bind each IP address to its NIC's MAC address, so that nobody can steal an IP address to get onto the Internet:
iptables -A FORWARD -s 192.168.10.6 -m mac --mac-source 00:1d:92:86:9e:2a -d 0.0.0.0/0 -j ACCEPT
iptables -I FORWARD 2 -s 192.168.10.11 -m mac --mac-source 00:15:b7:2b:a7:6a -d 0.0.0.0/0 -j ACCEPT
iptables -I FORWARD 3 -s 192.168.10.22 -m mac --mac-source 00:15:58:bf:92:cf -d 0.0.0.0/0 -j ACCEPT
iptables -I FORWARD 4 -s 192.168.10.14 -m mac --mac-source 00:11:d8:b6:3d:68 -d 0.0.0.0/0 -j ACCEPT
iptables -I FORWARD 5 -s 192.168.10.68 -m mac --mac-source 00.18.372.166.32.df -d 0.0.0.0/0 -j ACCEPT
iptables -I FORWARD 6 -s 192.168.10.69 -m mac --mac-source 00.18.372.166.37.8e -d 0.0.0.0/0 -j ACCEPT
iptables -I FORWARD 7 -s 192.168.10.5 -m mac --mac-source 00:13:d3:5e:7c:3f -d 0.0.0.0/0 -j ACCEPT
iptables -I FORWARD 8 -s 192.168.10.90 -m mac --mac-source 00:1d:92:86:9d:4e -d 0.0.0.0/0 -j ACCEPT
iptables -I FORWARD 9 -s 192.168.10.61 -m mac --mac-source 00:1a:4d:2e:ab:2a -d 0.0.0.0/0 -j ACCEPT
iptables -I FORWARD 10 -s 192.168.10.13 -m mac --mac-source 00:11:d8:b6:3d:6b -d 0.0.0.0/0 -j ACCEPT
iptables -I FORWARD 11 -s 192.168.10.12 -m mac --mac-source 00:13:d3:1e:0e:12 -d 0.0.0.0/0 -j ACCEPT
iptables -I FORWARD 12 -s 192.168.10.15 -m mac --mac-source 00:13:d3:5e:6d:e1 -d 0.0.0.0/0 -j ACCEPT
iptables -I FORWARD 13 -s 192.168.10.9 -m mac --mac-source 002.16e.7b.a4.d1.66 -d 0.0.0.0/0 -j ACCEPT
iptables -I FORWARD 14 -s 192.168.10.65 -m mac --mac-source 00:1d:92:86:9c:1e -d 0.0.0.0/0 -j ACCEPT
iptables -I FORWARD 15 -s 192.168.10.66 -m mac --mac-source 00:13:d3:1d:f6:a8 -d 0.0.0.0/0 -j ACCEPT
iptables -I FORWARD 16 -s 192.168.10.220 -m mac --mac-source 00:13:46:e7:49:da -d 0.0.0.0/0 -j ACCEPT
iptables -I FORWARD 17 -s 192.168.10.102 -m mac --mac-source 00:11:d8:b6:3d:fe -d 0.0.0.0/0 -j ACCEPT
iptables -I FORWARD 18 -s 192.168.10.83 -m mac --mac-source 00:13:d3:1e:20:ef -d 0.0.0.0/0 -j ACCEPT
iptables -I FORWARD 19 -s 192.168.10.99 -m mac --mac-source 00:1d:09:4c:fe:8c -d 0.0.0.0/0 -j ACCEPT
iptables -I FORWARD 20 -s 192.168.10.72 -m mac --mac-source 00:30:18:a7:79:5f -d 0.0.0.0/0 -j ACCEPT
iptables -I FORWARD 21 -s 192.168.10.21 -m mac --mac-source 00:1a:4d:db:e8:22 -d 0.0.0.0/0 -j ACCEPT
iptables -I FORWARD 22 -s 192.168.10.23 -m mac --mac-source 00.18.3720.2.bb.57 -d 0.0.0.0/0 -j ACCEPT
iptables -I FORWARD 23 -s 192.168.10.25 -m mac --mac-source 00:1a:4d:1b:25:b1 -d 0.0.0.0/0 -j ACCEPT
iptables -I FORWARD 24 -s 192.168.10.24 -m mac --mac-source 00:00:e1:6b:bb:00 -d 0.0.0.0/0 -j ACCEPT
iptables -I FORWARD 25 -s 192.168.10.29 -m mac --mac-source 00:16:76:8c:63:12 -d 0.0.0.0/0 -j ACCEPT
iptables -I FORWARD 26 -s 192.168.10.10 -m mac --mac-source 00:19:b9:2a:3b:7c -d 0.0.0.0/0 -j ACCEPT
iptables -I FORWARD 27 -s 192.168.10.3 -m mac --mac-source 000000b.2f00003.de.10 -d 0.0.0.0/0 -j ACCEPT
iptables -I FORWARD 27 -s 192.168.10.62 -m mac --mac-source 00:15:58:bf:64:11 -d 0.0.0.0/0 -j ACCEPT
iptables -I FORWARD 27 -s 192.168.10.243 -m mac --mac-source 00:1d:92:86:9a:2d -d 0.0.0.0/0 -j ACCEPT
iptables -I FORWARD 27 -s 192.168.10.87 -m mac --mac-source 00.18.372.166.35.87 -d 0.0.0.0/0 -j ACCEPT
The following command deletes the second rule of the FORWARD chain:
sudo iptables -D FORWARD 2
You can view the rules together with their numbers with:
sudo iptables -L --line-numbers
At the same time, our server at 192.168.10.80 must also be allowed to send outgoing packets:
iptables -I FORWARD 2 -s 192.168.10.80 -d 0.0.0.0/0 -j ACCEPT
To replace an existing rule, use -R with its number, for example:
iptables -R FORWARD 43 -s 192.168.10.67 -m mac --mac-source 00:13:d3:1e:20:ef -d 0.0.0.0/0 -j ACCEPT
Finally, prohibit all other IP addresses from accessing the Internet (/24 denotes the whole class C network). Because the FORWARD policy was set to ACCEPT above, this rule, placed last, is what actually blocks hosts that are not in the list:
iptables -A FORWARD -s 192.168.10.0/24 -d 0.0.0.0/0 -j DROP
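The NAT, port mapping and IP/MAC binding steps above can be combined into one script that generates the whole rule set in order. The following is an added example, not code from the original post: a POSIX shell script using this page's interface names and addresses, with a constructed binding list, that validates every IP/MAC pair before it becomes a rule (a malformed MAC, like several of the ones pasted above, would otherwise make iptables abort part-way through the list).

```shell
#!/bin/sh
# Added example: build the router's iptables rule set from the page's
# parameters and an ip/mac binding list, checking each binding first.
WAN_IF=eth0; WAN_IP=58.246.17.2
LAN_IF=eth1; LAN_IP=192.168.10.244; LAN_NET=192.168.10.0/24
FTP_SERVER=192.168.10.80

# Constructed binding list ("ip mac"); the last entry is deliberately
# malformed (a three-digit octet), like some entries pasted above.
BINDINGS='192.168.10.67 00:1d:92:86:9e:2a
192.168.10.11 00:15:b7:2b:a7:6a
192.168.10.68 00:18:372:166:32:df'

# A MAC must be six colon-separated hex pairs.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}
# Only hosts in the LAN segment may appear in the allow list.
valid_lan_ip() {
    case "$1" in 192.168.10.[0-9]*) return 0 ;; *) return 1 ;; esac
}

# Print the rules in order; pipe the output into "sudo sh" to apply them.
gen_rules() {
    echo "iptables -F"
    echo "iptables -t nat -F"
    echo "iptables -P INPUT ACCEPT"
    echo "iptables -P FORWARD ACCEPT"
    # nat: masquerade outbound, map FTP inbound, SNAT the hairpin case
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
    echo "iptables -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 21 -j DNAT --to-destination $FTP_SERVER"
    echo "iptables -t nat -A POSTROUTING -p tcp -d $FTP_SERVER --dport 21 -j SNAT --to-source $LAN_IP"
    # FORWARD: the mapped server, then every valid ip/mac pair arriving on the LAN side
    echo "iptables -A FORWARD -s $FTP_SERVER -d 0.0.0.0/0 -j ACCEPT"
    printf '%s\n' "$BINDINGS" | while read -r ip mac; do
        if valid_lan_ip "$ip" && valid_mac "$mac"; then
            echo "iptables -A FORWARD -i $LAN_IF -s $ip -m mac --mac-source $mac -d 0.0.0.0/0 -j ACCEPT"
        else
            echo "skipping malformed binding: $ip $mac" >&2
        fi
    done
    # Everything else from the LAN is dropped (the page's final rule).
    echo "iptables -A FORWARD -s $LAN_NET -d 0.0.0.0/0 -j DROP"
}
```

Appending with -A in generation order replaces the numbered -I positions used above; the DROP rule still lands last, which is what makes the allow list effective.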
Save the iptables settings
The following command saves the current iptables rules to the specified file:
sudo sh -c "iptables-save > /etc/iptables.up.rules"
Add the following two lines to /etc/network/interfaces so that the rules are restored at the next startup and saved again before the interface goes down:
pre-up iptables-restore < /etc/iptables.up.rules
post-down iptables-save > /etc/iptables.up.rules
Note that the two lines must be added after "iface eth0 inet dhcp", or, if the interface is static, after the address, netmask and gateway settings, for example:
auto lo
iface lo inet loopback
iface eth0 inet static
address 192.168.10.67
netmask 255.255.255.0
gateway 192.168.10.244
pre-up iptables-restore < /etc/iptables.up.rules
post-down iptables-save > /etc/iptables.up.rules
auto eth0
Then restart the network service to check whether it works.
Website restriction
Restrict Internet access time
Sometimes we need to stop people surfing the Internet in the company after work; this often happens in IT companies, where the office ends up being treated as an Internet cafe. Therefore we need to impose further time restrictions on some IP and NIC addresses:
http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO-3.html#ss3.19
Restrict P2P technology
http://www.xxlinux.com/linux/article/network/app/20051201/388.html
Traffic limiting
http://www.ymyasp.com/it/sort052/sort060/info15732.html