公司有4M網路出口網路,公司把公司網站也構架在內網上。由於某些員工不自覺,經常使用高流量的應用,經過調整效果很好,先應用記錄如下:
公司網路拓撲架構
網路: 192.168.1.xxx
網關:192.168.1.2 DNS:取自電訊廠商
無線:192.168.1.1(原始設定,通過LAN口和主交換器串連)
交換器:最基本的TPLink交換器
系統運行CentOS Linux 5.x系統,eth0串連內網,eth1/ppp0串連電信ADSL。通過免費DNS解析一個花生殼免費DNS. temptest.51vip.biz,具體ppp0和免費網域名稱參見其它,資料太多了,遍地都是。
網路管理就是綁定 MAC/IP 使每個人都使用DHCP擷取IP,且和人綁定,這樣發現問題可以有案可查。
網路劃分:
192.168.1.1 -- 127 無限制 127個
192.168.1.128--254 127個 UDP限制,只允許MSN/QQ/DNS 其他基於UDP的p2p應用不予開放
192.168.1.176-191 16個,TCP連接埠限制,高區TCP隨機連接埠屏蔽防止p2p應用
192.168.1.192-229 38個, DHCP分配方案
/etc/rc.local 開機檔案配置
#/etc/rc.local 添加modprobe ip_nat_ftp#10 hoursecho 36000 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_establishedecho 1 > /proc/sys/net/ipv4/ip_forwardecho 1 > /proc/sys/net/ipv4/ip_dynaddr#屏蔽除QQ外 UDP ,防止基於UDP p2p 應用, IP>128的則屏蔽iptables -i eth0 -A FORWARD -s 192.168.1.128/25 -p udp --sport 4001:55000 --dport ! 53 -j DROPiptables -i eth0 -A FORWARD -s 192.168.1.128/25 -p udp --sport 1500:3999 --dport ! 53 -j DROP#192.168.1.176-191 屏蔽 TCP 群發連接埠iptables -i eth0 -A FORWARD -s 192.168.1.176/28 -p tcp --dport 8100:45000 -j DROP#ban IP CallIE.exeiptables -i eth0 -A FORWARD -s 192.168.1.176/28 -p tcp -d 119.167.216.0/24 -j DROPiptables -i eth0 -A FORWARD -s 192.168.1.176/28 -p tcp -d 119.184.126.0/24 -j DROPiptables -i eth0 -A FORWARD -s 192.168.1.176/28 -p tcp -d 123.125.114.0/23 -j DROP#ban Xunleiiptables -i eth0 -A FORWARD -s 192.168.1.128/25 -p udp --dport 53 -m string --algo bm --string 'sandai.net' -j DROPiptables -i eth0 -A FORWARD -s 192.168.1.128/25 -d 219.134.132.0/24 -j DROP#開啟轉寄iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
我把相關的內容放在 /etc/dhcp_manager 目錄下 /etc/dhcp_manager/log 是儲存dhcpd.conf目錄 chkMAC.sh dhcp_manager.sh refreshdns.sh dhcp_manager.awk dhcpdhead.txt ComputerList.txt 分別構成不同模組
dhcp_manager.sh dhcp_manager.awk dhcphead.txt ComputerList.txt 是DNS協助工具輔助
ComputerList.txt 是網路內的MAC地址資料庫文字檔,Tab定位字元分割。第三列使用者不能重複,名稱必須唯一。一共8列,第一行注釋,不要寫具體內容,凡已經知道的都儲存在這裡,一台裝置分配一個地址。注意:如果一個筆記本既有有線網,也有無線網,請分配一個地址,且使用者不要重複。
IPMac電腦名稱(唯一)使用者(中文)類型MachineDeskTop/LaptopCable/Wireless192.168.1.5000:00:E8:14:1B:AAmycompany1Unknow管理員PCDeskTopCable192.168.1.116C:62:6D:21:27:D3mycompany3Unknow管理員PCDeskTopCable192.168.1.13CC:08:E0:37:C9:C0mycompany5Unknow管理員PCDeskTopCable192.168.1.1400:14:2A:7A:F3:AAmycompany6Unknow管理員PCDeskTopCable192.168.1.1500:14:2A:2D:B2:04mycompany7Unknow管理員PCDeskTopCable192.168.1.1800:11:5B:E9:F4:2Dmycompany10Unknow管理員PCDeskTopCable192.168.1.1900:40:63:E0:FC:14mycompany11Unknow管理員PCDeskTopCable192.168.1.2000:40:63:FF:FF:41mycompany12Unknow管理員PCDeskTopCable
dhcphead.txt 是dhcpd.conf檔案的基本配置
dhcp_manager.awk dhcpmanager.sh 會根據dhcphead.txt檔案產生dhcpd.conf設定檔, 如果要定義一些dhcpd.conf需要在此配置
dhcphead.txt
ddns-update-style interim;ignore client-updates;subnet 192.168.1.0 netmask 255.255.255.0 {# default-lease-time 21600;# max-lease-time 43200;# default-lease-time 1800; max-lease-time 7200;option time-offset -18000; # Eastern Standard Time option routers 192.168.1.2; option subnet-mask 255.255.255.0; range dynamic-bootp 192.168.1.192 192.168.1.229; option domain-name-servers 210.22.70.3,210.22.70.227;dhcp_manager.awk
根據dhcpdhead.txt和computerlist.txt檔案產生一個dhcpd.conf設定檔,包含mac地址IP地址綁定
#awk IP,MAC,uidBEGIN {FS="\t"system("cat dhcpdhead.txt");}END {print "\n\n}"}{if ( NR > 1 ) {print "\t\t\t host " $3 " \t{"print "\t\t\t\t hardware ethernet " $2 ";"print "\t\t\t\t fixed-address " $1 ";"print "\t\t\t\t #" $3 " " $4 " " $5 " " $6 " " $7print "\t\t\t }"}}dhcp_manager.sh
dhcp_manager執行檔案,會儲存當前dhcpd.conf原始檔案,並產生dhcpd.conf檔案
#!/bin/bash#cd /etc/dhcp_managerday=`date +%Y%m%d%H%M%S`/etc/init.d/dhcpd stopmv ../dhcpd.conf log/dhcpd.conf.$dayawk -f dhcp_manager.awk ComputerList.txt > ../dhcpd.conf/etc/init.d/dhcpd start
refreshdns.sh
重新整理dhcpd.conf DNS分配,該檔案置於rc.local末尾,可以重新整理DNS,防止電訊廠商更改DNS後,無法解析
#!/bin/bashdnsfile=/etc/resolv.confif [ -e $dnsfile ] ;then if grep nameserver $dnsfile ;thendns1=`cat $dnsfile |grep nameserver | cut -d' ' -f2 |tail -n1 | head -n1`dns2=`cat $dnsfile |grep nameserver | cut -d' ' -f2 |tail -n2 | head -n1`echo $dns1echo $dns2sed -e "s/\(^[ \t]\+option domain-name-servers[ \t]\)\+.\+/\1 $dns1,$dns2;/g" /etc/dhcpd.conf > /etc/dhcpd.conf2cd /etc/etc/init.d/dhcpd stopmv -f dhcpd.conf2 dhcpd.conf/etc/init.d/dhcpd start fifichkMAC.sh
網路檢查軟體,該檔案自動監控網路中的MAC地址,如果不是通過dhcpd.conf的規範地址,則會屏蔽其對於Internet的使用。每個5分鐘檢查一次,放在crontab中處理
#!/bin/bash#!/bin/bashexport PATH=$PATH:/sbin:/usr/sbinarplog=/var/log/arp.logmsglog=/var/log/messagesIPList=/etc/dhcp_manager/ComputerList.txtcurbanIP=/tmp/curBanfwdips.txtcurARPIP=/tmp/curARPIP.txtlastIPTables=/tmp/lastiptables.txtLANDev=eth0resvBegin=1resvEnd=127dhcpBegin=192dhcpEnd=229IDWORD=chkmac#Save arp logarp -n -i eth0 |grep ether| awk '{print strftime("%F %H:%M %w")"\t"$1"\t"$3"\t"$2}' >> $arplogiptstate -s | grep 192.168 | cut -d':' -f1 | cut -d' ' -f1 | sort | uniq -c | awk '{ print strftime("%F %H:%M %w")"\t"$2"\t"$1"\t state"}' >> $arplog#remove IP in INPUTiptables --line-numbers -L FORWARD -nv | grep MAC | awk '{if(match($9,"^!")) print $1"\t"substr($9,2)"\t"$12"\t"$2;else print $1"\t"$9"\t"$12"\t"$2 }' | tac > $curbanIParp -i $LANDev -n | grep ether | awk '{print $1"\t"$3}' > $curARPIPnum=`cat $curbanIP | wc -l`if [ $num -gt 0 ] ;then#>0cat $curbanIP | while read idx IP MAC pkgsdoif grep $MAC $curARPIP > /dev/null ;then#existif [ $IP = anywhere ] || [ $IP = '0.0.0.0/0' ];then#baned alreadyIPinArp=`grep $MAC $curARPIP | tail -n1 | cut -f1 | cut -d'.' -f4`if [ $IPinArp -ge $dhcpBegin ] && [ $IPinArp -le $dhcpEnd ];theniptables -D FORWARD $idxecho `date '+%b %e %T'` $0 ": iptables -D FORWARD $idx $IP was obained by DHCP" >> $msglogfielseIPinArp=`grep $MAC $curARPIP | head -n1 | cut -f1`IPinList=`grep $MAC $IPList | head -n1 | cut -f1`if [ $IPinArp = $IPinList ] ;theniptables -D FORWARD $idxecho `date '+%b %e %T'` $0 ": iptables -D FORWARD $idx $MAC $IP is OK" >> $msglogfifielse#not in arp listif grep $MAC $lastIPTables > /dev/null ;thenlastPkgs=`grep $MAC $lastIPTables|head -n1|cut -f4`if [ $pkgs = $lastPkgs ] ;then#no more forwareded pkgs#removed iptables -D FORWARD $idxecho `date '+%b %e %T'` $0 ": iptables -D FORWARD $idx $MAC is no more forwarded pkgs" >> $msglogfielse#removed iptables -D FORWARD $idxecho `date '+%b %e %T'` $0 ": iptables -D FORWARD $idx $MAC is not in arp-list" >> $msglogficontinuefidonefinum=`cat $curARPIP | wc -l`if [ $num -gt 0 ];thencat $curARPIP | while read IP MACdoif ! iptables -L FORWARD -nv|grep $MAC > /dev/null ;then#Newif grep $MAC $IPList > /dev/null ; thenIPinList=`grep $MAC $IPList | head -n1 | cut -f1`if [ $IP != $IPinList ] ;thentmpStr=`date '+%F %T'`tmpStmp=`date +%s`iptables -i $LANDev -A FORWARD -m mac --mac-source $MAC -s ! $IPinList -j DROP -m comment --comment "tmstmp:$tmpStmp ,add at $tmpStr,baned by $IDWORD"echo `date '+%b %e %T'` $0 ": $MAC $IP is illegal " >> $msglogfielse#Not in Compulist.txt,check DHCPsubIP=`echo $IP|cut -d'.' -f4`if [ $subIP -lt $dhcpBegin ] || [ $subIP -gt $dhcpEnd ];then#Not in Computlist.txt and not in DHCPtmpStr=`date '+%F %T'`tmpStmp=`date +%s`iptables -i $LANDev -A FORWARD -m mac --mac-source $MAC -j DROP -m comment --comment "tmstmp:$tmpStmp ,add at $tmpStr,baned by $IDWORD"echo `date '+%b %e %T'` $0 ": $MAC $IP is out of DHCP " >> $msglogfififidonefiiptables --line-numbers -L FORWARD -nv | grep MAC | awk '{if(match($9,"^!")) print $1"\t"substr($9,2)"\t"$12"\t"$2"\t"strftime("%F %T");else print $1"\t"$9"\t"$12"\t"$2"\t"strftime("%F %T") }' > $lastIPTablesrm -f $curbanIPrm -f $curARPIP
日常運營
日常運營需要 arp iptables iptstate 等日常工具,一般ip佔用資源書多的人,頻寬佔用多
iptstate -s | cut -d':' -f1 | sort | uniq -c
這條命令一般可以把佔用多的人給列出來
FAQ:
為何不用 MAC/IP靜態繫結?
答: 由於Centos 提供httpd samba 服務,所以私自使用IP者可以使用這些內網服務,但不能使用IP轉寄的Internet服務
我是Linux新手,需要掌握常用的那些Linux命令?
答:新手就是勤學勤練,多弄弄筆什麼都好。建議弄個三台舊電腦,類比一樣環境。從我日常的需求要來看,主要需求如下:
iptables 設定路由器,查看路由器
iptstate 查看當前網路客戶使用狀態
arp 查看當前arp-ip映射,如果有arp風暴或者欺騙,一查就知道了,然後通過iptables 直接ban掉mac地址,確保網關安全
netstate 查看當前主機串連,某些攻擊,這裡一看就知道
grep cut uniq awk 等一些通於日常統計的簡單命令
/var/log/message /var/log/secure 等常用記錄檔,都要知道
先這點,以後補充,多學多用就是王道
更新日誌
2012-06-25
更新chkMAC.sh 增加了 arp.log 記錄,刪除MAC地址是檢查是否活躍,不活躍才刪除,活躍繼續保留。
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
