ssvmw
中級會員
 
積分 1117
發文 107
註冊 2006-7-10
狀態 離線
|
#1 〔教學〕REDFLAG DC 5.0 共享ADSL上网
REDFLAG DC 5.0 共享ADSL上网
版本:1.0
作者:wylon huang
撰写时间:2006年05月12日 16:52
一、操作环境:
机器系统与配置
第一台:PC机,双网卡,8139,操作系统REDFLAG DC 5.0 主机名:router1
第二台:PC机,单网卡,8139,操作系统windows系列或者linux系列 主机名:client
Hub[集线器]:Tp-Link 10M,8口
ADSL,以太口,没有路由功能
原理介绍:
1、由router1的eth0网卡连接上互联网,而router1的eth1连接内网,然后通过iptables-nat的功能将发向eth1的数据包转向eth0通向公网
2、这里clinet的机器的网卡必须是设置为router1的IP地址,即下面的10.0.0.1
3、通过iptables的数据包必须加上标识
二、网卡设置如下:
############################################################
在第一台router1机器的双网卡的接法:把ADSL接在eth0上,把eth1接在HUB上。
第一块网卡的ip设置:
ip地址:10.0.0.1 #这里的IP地址一般用私有地址,例如:10.*.*.*,192.168.*.*,172.16.*.*
掩码:255.255.255.0 #这三个网段的任意一个地址都行
第二块网卡的设置
ip地址:10.0.0.2
掩码:255.255.255.0
在这两块网卡中,不要设置网关。
**********************************************************************************************************************************************
第二台client的网卡设置
IP:10.0.0.3
掩码:255.255.255.0
网关:10.0.0.1
DNS:设置电信给的
61.144.56.100
############################################################
三、设置ppp拔号,
1]在终端上以root权限运行
引用:
#adsl-setup
引用:
[root@router1]# adsl-setup
Welcome to the ADSL client setup. First, I will run some checks on your system to make sure the PPPoE client is installed properly...
引用:
LOGIN NAME
Enter your Login Name (default root): ADSL提供商给的用户名,写在这里
引用:
INTERFACE
Enter the Ethernet interface connected to the ADSL modem For Solaris, this is likely to be something like /dev/hme0.
For Linux, it will be ethX, where 'X' is a number.
(default eth0): eth0这是ADSL通过第一台机器router1的第一张网卡eth0提供上网
Do you want the link to come up on demand, or stay up continuously? If you want it to come up on demand, enter the idle time in seconds after which the link should be dropped. If you want the link to stay up permanently, enter 'no' (two letters, lower-case.) NOTE: Demand-activated links do not interact well with dynamic IP addresses. You may have some problems with demand-activated links.
Enter the demand value (default no):在这里按一下回车就行了。
引用:
DNS
Please enter the IP address of your ISP's primary DNS server.If your ISP claims that 'the server will provide dynamic DNS addresses',enter 'server' (all lower-case) here.
If you just press enter, I will assume you know what you are doing and not modify your DNS setup.
Enter the DNS information here: 61.144.56.100这是DSN,最好用你本地电信给的
Please enter the IP address of your ISP's secondary DNS server. If you just press enter, I will assume there is only one DNS server.
Enter the secondary DNS server address here: 202.192.88.1这是第二个DNS,也是电信给的。
引用:
PASSWORD
Please enter your Password:在这里把ADSL提供商给的密码写上
Please re-enter your Password:
引用:
USERCTRL
Please enter 'yes' (two letters, lower-case.) if you want to allow normal user to start or stop DSL connection (default yes): yes
引用:
FIREWALLING
Please choose the firewall rules to use. Note that these rules are very basic. You are strongly encouraged to use a more sophisticated firewall setup; however, these will provide basic security. If you are running any servers on your machine, you must choose 'NONE' and set up firewalling yourself. Otherwise, the firewall rules will deny
access to all standard servers like Web, e-mail, ftp, etc. If you are using SSH, the rules will block outgoing SSH connections which allocate a privileged source port.
引用:
The firewall choices are:
0 - NONE: This script will not set any firewall rules. You are responsible for ensuring the security of your machine. You are STRONGLY recommended to use some kind of firewall rules.
1 - STANDALONE: Appropriate for a basic stand-alone web-surfing workstation
2 - MASQUERADE: Appropriate for a machine acting as an Internet gateway for a LAN
Choose a type of firewall (0-2): 2
Start this connection at boot time
Do you want to start this connection at boot time?
Please enter no or yes (default no):yes
#############################################################
** Summary of what you entered **
Ethernet Interface: eth0
User name: ADSL用户名
Activate-on-demand: No
Primary DNS: 61.144.56.100
Secondary DNS: 202.192.88.1
Firewalling: MASQUERADE
User Control: yes
Accept these settings and adjust configuration files (y/n)?y
#############################################################
搞定了以面这些操作之后呢,你必须重启机器之后,你才可以通过adsl-connect 或者adsl-start连接上网了,并且可以通过adsl-status查看ADSL连接状态,如果你连重启系统的时间都想省去的话,我很遗憾地跟你说:你失败了!肯定连接不上的!还是乖乖地重启吧!
三、在/etc/rc.d/rc.local中加入如下:
引用:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o ppp0 -j MASQUERADE
###请强烈注意:这上面的10.0.0.0/24这个网段必须是你内部网的网段,ppp0必须是刚才用adsl-setup建立的网卡接口########
四、重新启动机器。这一个步骤非常重要,如果你不重启的话,router1用adsl-start的时候是连接不上,所以你必须重启之后才能有提示信息出来的!
五、测试配置结果:我必须很郑重地跟你说:你成功了!快上网冲浪去咯!假如、万一,你很不幸成为言中的他,上不网,冷静下来,你可以从以下几方面检查!
1、现在你可以确定router1是否可以上网了
2、确定内部网的主机可以ping通router1
3、检查iptables的策略是否配置正确,而且iptables是否已经启动,系统默认是关闭的!
4、如果不行,请连接本人(这一招请慎重参考)
六 使用端口映射实现内网服务器对外发布
在防火墙规则中加入下面两句:
iptables -t nat -A PREROUTING -d 外网地址(0/0表示全部IP地址) -p tcp --dport $PORT(访问端口) -j DNAT --to-destination $SERVER_IP(WEB服务器地址)
(这条是为了让外网访问你的网关地址/注册地址时,端口映射到内网一台机器之上,就是你所说的内网服务器了)
iptables -t nat -A POSTROUTING -d $SERVER_IP(WEB服务器地址) -p tcp --dport $PORT(访问端口) -j SNAT --to-source 内网地址
(这条是为了让内网访问你的网关地址/注册地址,转向访问这台内网机器时,返回包不致丢失,如果不需要考虑内网访问,就可以不要这一条)
例如:架设内网FTP服务器,开放对外访问
原理:访问10.0.0.1端口8021的数据包转向10.0.0.228的21端口,linux的内核里面直接有支持ftp nat的模块
引用:
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
实现方法:
引用:
#!/bin/sh
echo '1'>/proc/sys/net/ipv4/ip_forward
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
iptables -t nat -A PREROUTING -d 0/0 -p tcp --dport 8021 -j DNAT --to-destinat
ion 10.0.0.228:21
iptables -t filter -A FORWARD -s 10.0.0.228 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.0.248/24 -j MASQUERADE
例如,将访问外网地址10.0.0.1(eth0)的8080端口映射到内网10.0.0.28的8080端口上:
# DNAT
引用:
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3000 -d 0/0 -j DNAT --to 10.0.0.28
# SDAT
引用:
/sbin/iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 3000 -s 10.0.0.28 -j SNAT --to 10.0.0.1
|
|
