Install Debian Linux 4.0 (etch) on a machine with two network cards.
eth0 is connected to the WAN, eth1 to the LAN.
The IP settings for both cards live in /etc/network/interfaces:

    # The loopback network interface
    auto lo
    iface lo inet loopback
    # The primary network interface
    allow-hotplug eth0
    iface eth0 inet dhcp
    # The secondary network interface
    auto eth1
    iface eth1 inet static
        address 192.168.45.1
        netmask 255.255.255.0
        up route add -host 255.255.255.255 dev eth1

Note: my WAN gets its IP address from DHCP.
Install the DHCP server: sudo aptitude install dnsmasq
I think dhcpd would work just as well, but dnsmasq seems a bit simpler to configure:
/etc/dnsmasq.conf:

    dhcp-range=192.168.45.100,192.168.45.250,72h
    interface=eth1

Restart the DHCP server: sudo /etc/init.d/dnsmasq restart
If the network has trouble coming up, watch the log file to see what is going on: tail -f /var/log/daemon.log
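Rather than reading the DHCPACK lines out of daemon.log by hand, the following added example (not code from the original post) pulls them out with awk and lists which LAN machines dnsmasq has handed addresses to. The log lines are constructed to follow dnsmasq's DHCP log format; the hostnames, MAC addresses and the log path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: list the LAN hosts dnsmasq has
# acknowledged leases for, from the DHCPACK lines it writes to daemon.log.
# The log lines below are constructed to follow dnsmasq's DHCP log format;
# the hostnames and MAC addresses are made up.
SAMPLE_LOG='Mar  3 10:01:12 router dnsmasq-dhcp[2457]: DHCPDISCOVER(eth1) 00:16:3e:aa:bb:01
Mar  3 10:01:12 router dnsmasq-dhcp[2457]: DHCPOFFER(eth1) 192.168.45.100 00:16:3e:aa:bb:01
Mar  3 10:01:12 router dnsmasq-dhcp[2457]: DHCPREQUEST(eth1) 192.168.45.100 00:16:3e:aa:bb:01
Mar  3 10:01:12 router dnsmasq-dhcp[2457]: DHCPACK(eth1) 192.168.45.100 00:16:3e:aa:bb:01 winxp
Mar  3 10:02:40 router dnsmasq-dhcp[2457]: DHCPACK(eth1) 192.168.45.101 00:16:3e:aa:bb:02 laptop
Mar  3 10:05:03 router dnsmasq-dhcp[2457]: DHCPACK(eth1) 192.168.45.100 00:16:3e:aa:bb:01 winxp
Mar  3 10:07:55 router dnsmasq-dhcp[2457]: DHCPACK(eth1) 192.168.45.30 00:16:3e:aa:bb:03 printer'

# Print "ip mac hostname", one line per MAC, keeping each MAC's latest DHCPACK.
# Fields: $6 = message type with interface, $7 = address, $8 = MAC, $9 = name.
dhcp_hosts() {
    printf '%s\n' "$1" | awk '
        $6 ~ /^DHCPACK\(/ { ip[$8] = $7; name[$8] = ($9 == "" ? "-" : $9) }
        END { for (m in ip) print ip[m], m, name[m] }' | sort
}

# Report acknowledged addresses outside the pool configured above
# (192.168.45.100-192.168.45.250); anything listed here came from a static
# dhcp-host entry or from a configuration that differs from the expected one.
outside_pool() {
    dhcp_hosts "$1" | awk -F'[. ]' '
        $1 == 192 && $2 == 168 && $3 == 45 && $4 >= 100 && $4 <= 250 { next }
        { print }'
}

echo "== hosts seen on the LAN =="
dhcp_hosts "$SAMPLE_LOG"
echo "== acknowledged outside the dhcp-range pool =="
outside_pool "$SAMPLE_LOG"
```

On the router itself, feed the real log instead of the constructed one: dhcp_hosts "$(cat /var/log/daemon.log)". The functions key on the MAC address, so a machine that renewed several times shows up once with its current address.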
Now you can see the machines on the LAN. Machines on the LAN can reach 192.168.45.1,
but they cannot get to the WAN. For that, iptables is needed.
Make a backup before touching iptables (it seems to be an empty file):

    mkdir -p /root/iptables.backup
    iptables-save > /root/iptables.backup/origin.iptables.conf
    cp /etc/sysctl.conf /root/iptables.backup/_etc_sysctl.conf

Create a bash script /root/iptables.backup/reset_iptables that puts iptables back the way it was:

    #!/bin/sh
    # reset iptables such that it looks like it did originally
    iptables-restore /root/iptables.backup/origin.iptables.conf
    echo 0 > /proc/sys/net/ipv4/ip_forward
    for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 0 > $f ; done
    cp /root/iptables.backup/_etc_sysctl.conf /etc/sysctl.conf
Set up the rules with iptables as follows:

    iptables -F
    iptables -t nat -F
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD DROP
    export LAN=eth1
    export WAN=eth0
    iptables -I INPUT 1 -i ${LAN} -j ACCEPT
    iptables -I INPUT 1 -i lo -j ACCEPT
    iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT
    iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT
    # for WAN ssh server
    iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT
    iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
    iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
    iptables -I FORWARD -i ${LAN} -d 192.168.1.0/255.255.0.0 -j DROP
    iptables -A FORWARD -i ${LAN} -s 192.168.1.0/255.255.0.0 -j ACCEPT
    iptables -A FORWARD -i ${WAN} -d 192.168.1.0/255.255.0.0 -j ACCEPT
    iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
    # for remote desktop
    iptables -A PREROUTING -t nat -i ${WAN} -p tcp --dport 3389 -j DNAT --to 192.168.45.181
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i ${WAN} -p tcp --dport 3389 -j ACCEPT
    # iptables -A FORWARD -i eth0 -s a.b.c.d -p tcp --dport 3389 -j ACCEPT
    # where a.b.c.d is the address of your office machine - otherwise anyone will
    # be able to access your xp desktop :-)

Note: run the commands above as root. Lines starting with # are comments. 192.168.45.181 is the IP of the Windows machine on the LAN. The 255.255.0.0 mask on the 192.168.1.0 rules covers the whole 192.168.0.0/16 range, so those rules apply to the 192.168.45.0/24 LAN as well. Newer iptables releases write the interface negation as ! -i ${LAN} rather than -i ! ${LAN}.
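The commented-out rule above is the one that decides who can reach the Windows desktop from the WAN, and it is easy to lose track of once the rules are saved and restored from a file. The following added example (not code from the original post or from the howtos it references) reads an iptables-save dump and reports each DNAT port forward together with whether its FORWARD accept is limited to a source address, and flags FORWARD accepts from the WAN that match everything. The two dumps are constructed; eth0 as WAN, eth1 as LAN, 192.168.45.181 as the Windows host come from the post, and 203.0.113.10 is a documentation-range placeholder for the post's a.b.c.d.

```shell
#!/bin/sh
# Added example, not from the original post or the howtos it references.
# audit_forwards reads an iptables-save dump on stdin and reports, for the
# WAN interface given as $1:
#   - every DNAT port forward, and whether a FORWARD accept for that port
#     restricts the source address (the post's commented-out -s a.b.c.d rule)
#   - FORWARD accepts from the WAN that match no port and no source, which
#     let any DNATed connection through regardless of the per-port rules
audit_forwards() {
    awk -v wan="$1" '
        /^\*/ { table = substr($0, 2); next }
        table == "nat" && /^-A PREROUTING/ && /-j DNAT/ {
            port = ""; dest = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") port = $(i + 1)
                if ($i == "--to-destination" || $i == "--to") dest = $(i + 1)
            }
            if (port != "") dnat[port] = dest
            next
        }
        table == "filter" && /^-A FORWARD/ && /-j ACCEPT/ {
            iface = ""; port = ""; src = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-i") iface = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
                if ($i == "-s") src = $(i + 1)
            }
            if (iface != wan) next
            if (port != "" && src != "") restricted[port] = src
            # connection-tracking accepts (--state) are not port forwards
            if (port == "" && src == "" && $0 !~ /--state/) broad[++nb] = $0
            next
        }
        END {
            for (p in dnat) print "DNAT", p, "->", dnat[p] ":", ((p in restricted) ? "restricted to " restricted[p] : "open to any source")
            for (i = 1; i <= nb; i++) print "BROAD FORWARD ACCEPT:", broad[i]
        }'
}

# Constructed dump in iptables-save format, as the post's rules would be saved
# (assumptions: eth0 = WAN, eth1 = LAN, 192.168.45.181 = the Windows host).
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.45.181
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A FORWARD -d 192.168.0.0/16 -i eth1 -j DROP
-A FORWARD -s 192.168.0.0/16 -i eth1 -j ACCEPT
-A FORWARD -d 192.168.0.0/16 -i eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 3389 -j ACCEPT
COMMIT'

# The same dump with the broad WAN accept removed and the 3389 forward limited
# to one source; 203.0.113.10 is a documentation-range placeholder for a.b.c.d.
RESTRICTED_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.45.181
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A FORWARD -d 192.168.0.0/16 -i eth1 -j DROP
-A FORWARD -s 192.168.0.0/16 -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 203.0.113.10/32 -i eth0 -p tcp -m tcp --dport 3389 -j ACCEPT
COMMIT'

echo "== as configured in the post =="
printf '%s\n' "$SAMPLE_RULES" | audit_forwards eth0
echo "== with the source restriction applied =="
printf '%s\n' "$RESTRICTED_RULES" | audit_forwards eth0
```

On a live router run iptables-save | audit_forwards eth0. Against the post's rules it reports the 3389 forward as open to any source and flags -A FORWARD -d 192.168.0.0/16 -i eth0 -j ACCEPT: that rule sits before the 3389 rule in the FORWARD chain and accepts any connection that PREROUTING has DNATed to a 192.168 address, so adding -s a.b.c.d to the 3389 rule on its own would not limit remote desktop; the broad rule has to go as well, which is the shape the second dump shows.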
Turn on IP forwarding:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

Now the machines on the LAN can reach the internet.
Edit /etc/sysctl.conf so the settings survive a reboot:

    net.ipv4.ip_forward = 1
    net.ipv4.conf.default.rp_filter=1
    net.ipv4.ip_dynaddr = 1
Save the iptables rules:

    iptables-save > /root/iptables.conf

Create a bash script /root/set_iptables that applies the iptables setup:

    #!/bin/sh
    # set iptables such that both ssh and rdesktop work
    iptables-restore /root/iptables.conf
    echo 1 > /proc/sys/net/ipv4/ip_forward
    for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
    echo net.ipv4.ip_forward = 1 > /etc/sysctl.conf
    echo net.ipv4.conf.default.rp_filter=1 >> /etc/sysctl.conf
    echo net.ipv4.ip_dynaddr = 1 >> /etc/sysctl.conf

Note that the first echo uses a single > and so replaces the whole of /etc/sysctl.conf with these three lines; the copy saved under /root/iptables.backup is what reset_iptables puts back.
Later, if you want to restore iptables, run:

    sh /root/iptables.backup/reset_iptables

If you want to set up iptables so that both ssh to the Linux box and remote desktop to the Windows box work:
References:
http://www.gentoo.org/doc/en/home-router-howto.xml
http://www.debian-administration.org/articles/445