1. Background and requirements
A friend's office goes online through a cable modem. The contract allows only one IP address, but the office has more than ten computers, so my friend went to the ISP, explained the situation, and paid a large additional fee. The requirement: every machine must be able to get online, all through a single IP.
2. Hardware & software
Hardware: a P90 with 32 MB RAM and two NICs, one 3Com and one D-Link (the advantage of two different cards is that eth0 and eth1 are easy to tell apart), plus one hub.
Software: RedHat 6.2 + Gnome Helix (so FireStarter can run); upgrading the kernel is recommended.
3. Installing the firewall
Set up IP masquerading + IPChains:
Create /etc/rc.d/rc.firewall (or any file name in any location, if you run it by hand) as follows:
#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Masquerade test for 2.1.x and 2.2.x kernels
# using IPCHAINS
#
# Needed to initially load modules
#
/sbin/depmod -a

# Supports the proper masquerading of FTP file transfers using the PORT method
#
/sbin/modprobe ip_masq_ftp

# Supports the masquerading of RealAudio over UDP. Without this module,
# RealAudio WILL function but in TCP mode. This can cause a reduction
# in sound quality
#
#/sbin/modprobe ip_masq_raudio        # uncomment to receive RealAudio

# Supports the masquerading of IRC DCC file transfers
#
#/sbin/modprobe ip_masq_irc           # remove the "#" if you want IRC; my friend does not allow it :-)

# Playing Quake over the network
# Supports the masquerading of Quake and QuakeWorld by default. This module is
# for multiple users behind the Linux MASQ server. If you are going to
# play Quake I, II, and III, use the second example.
#
# NOTE: If you get ERRORs loading the QUAKE module, you are running an old
# ----- kernel that has bugs in it. Please upgrade to the newest kernel.
#
#Quake I / QuakeWorld (ports 26000 and 27000)
#/sbin/modprobe ip_masq_quake
#
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
#/sbin/modprobe ip_masq_quake 26000,27000,27910,27960

# Supports the masquerading of the CuSeeme video conferencing software
#
#/sbin/modprobe ip_masq_cuseeme       # CU-SeeMe video phone

# Supports the masquerading of the VDO-live video conferencing software
#
#/sbin/modprobe ip_masq_vdolive       # VDO-live video phone

# CRITICAL: Enable IP forwarding since it is disabled by default.
#
# Redhat Users: you may try changing the options in
# /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo "1" > /proc/sys/net/ipv4/ip_forward

# CRITICAL: Enable automatic IP defragmenting since it is disabled by default
# in 2.2.x kernels. This used to be a compile-time option but the
# behavior was changed in 2.2.12
#
echo "1" > /proc/sys/net/ipv4/ip_always_defrag

# Dynamic IP users: this ISP assigns addresses via DHCP, so this option is enabled.
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this
# following option. This enables dynamic-ip address hacking in IP MASQ,
# making the life with Diald and similar programs much easier.
#
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Enable the LooseUDP patch which some Internet-based games require
#
# If you are trying to get an Internet game to work through your IP MASQ box,
# and you have set it up to the best of your ability without it working, try
# enabling this option (delete the "#" character). This option is disabled
# by default due to possible internal machine UDP port scanning
# vulnerabilities.
#
#echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose

# MASQ timeouts
#
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 160 sec timeout for UDP traffic (Important for MASQed ICQ users)
#
/sbin/ipchains -M -S 7200 10 160

# DHCP: For people who receive their external IP address from either DHCP or
# BOOTP such as ADSL or Cablemodem users, it is necessary to use the
# following before the deny command. The "bootp_client_net_if_name"
# should be replaced with the name of the link that the DHCP/BOOTP server
# will put an address on to. This will be something like "eth0",
# "eth1", etc.
#
# This ISP assigns addresses via DHCP, so this rule is enabled here
# (eth0 is the external interface facing the cable modem).
/sbin/ipchains -A input -j ACCEPT -i eth0 -s 0/0 67 -d 0/0 68 -p udp

# Enable simple IP forwarding and Masquerading
#
# NOTE: The following is an example for an internal LAN address in the
# 192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask
# connecting to the Internet on interface eth0.
#
# ** Please change this network number, subnet mask, and your Internet
# ** connection interface name to match your internal LAN setup
#
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -i eth0 -s 192.168.0.0/24 -j MASQ
Run chmod 700 /etc/rc.d/rc.firewall to make it executable.
Then add the line /etc/rc.d/rc.firewall to /etc/rc.d/rc.local so that it runs at boot.
With the firewall rules above, every PC on the subnet (192.168.x.x) reaches the Internet through the single IP assigned by the ISP; IRC, RealPlayer, Quake and so on stay disabled.
4. DHCP Server
To make network setup easy for the Windows machines on the LAN, install a DHCP server at the same time.
In the RedHat package directory, run rpm -ivh dhcp* to make sure all DHCP packages are installed.
Run touch /var/state/dhcp/dhcpd.leases to create the file in which dhcpd records its leases.
Create the file /etc/dhcpd.conf:
# /etc/dhcpd.conf
# Run "route add -host 255.255.255.255 dev eth1 2> /dev/null", then
# "/usr/sbin/dhcpd eth1" to start dhcpd bound to eth1.
# Don't start it on eth0: it would conflict with the ISP's DHCP server.
#
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.10 192.168.0.100;
    default-lease-time 1200;
    max-lease-time 9200;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.0.255;
    option routers 192.168.0.1;
    option domain-name-servers xxx.xx.xx.xx, xxx.xx.xxx.x;   # the ISP's DNS servers
    option domain-name "offfice.net";
}
The settings above automatically hand out internal addresses from 192.168.0.10 to 192.168.0.100.
Bind dhcpd to eth1; otherwise the system binds it to eth0, it fails to start, and it conflicts with the ISP's DHCP server.
Edit /etc/rc.d/init.d/dhcpd and append eth1 after /usr/sbin/dhcpd.
Finally, so that client PCs reliably obtain their route, run:
route add -host 255.255.255.255 dev eth1 2> /dev/null
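The masquerade rule in section 3 and the subnet block in section 4 have to describe the same internal network, and the router address, broadcast address and dynamic range have to fit that subnet, or clients get leases they cannot use to reach the gateway. The following checker is an added example, not part of the original page: it parses a dhcpd.conf subnet block and the ipchains MASQ rule and reports any mismatch. The DNS addresses in the sample are constructed documentation addresses standing in for the ISP's placeholders.

```python
import ipaddress
import re

# Constructed sample: this page's dhcpd.conf subnet block, with the ISP DNS
# placeholders replaced by documentation addresses (TEST-NET-3), not real servers.
DHCPD_CONF = """\
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.10 192.168.0.100;
  default-lease-time 1200;
  max-lease-time 9200;
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.0.255;
  option routers 192.168.0.1;
  option domain-name-servers 203.0.113.5, 203.0.113.6;
  option domain-name "offfice.net";
}
"""
# The masquerade rule from this page's rc.firewall.
MASQ_RULE = "/sbin/ipchains -A forward -i eth0 -s 192.168.0.0/24 -j MASQ"

def parse_subnet(conf):
    """Return the network, dynamic range and options of the first subnet block."""
    m = re.search(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", conf, re.S)
    if not m:
        raise ValueError("no subnet block found")
    body = m.group(3)
    rng = re.search(r"range\s+(\S+)\s+(\S+);", body)
    net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=True)
    opts = {k: v.strip() for k, v in re.findall(r"option\s+([\w-]+)\s+([^;]+);", body)}
    return net, (ipaddress.ip_address(rng.group(1)), ipaddress.ip_address(rng.group(2))), opts

def check_config(conf, masq_rule):
    """List inconsistencies between dhcpd.conf and the MASQ rule; [] means they agree."""
    net, (lo, hi), opts = parse_subnet(conf)
    router = ipaddress.ip_address(opts["routers"])
    problems = []
    if lo > hi or lo not in net or hi not in net:
        problems.append("dynamic range lies outside the declared subnet")
    if router not in net:
        problems.append("option routers is not inside the subnet")
    elif lo <= router <= hi:
        problems.append("option routers falls inside the dynamic range")
    if opts.get("subnet-mask") != str(net.netmask):
        problems.append("option subnet-mask disagrees with the netmask")
    if ipaddress.ip_address(opts["broadcast-address"]) != net.broadcast_address:
        problems.append("option broadcast-address is wrong for this subnet")
    rule = re.search(r"-s\s+(\S+)\s+-j\s+MASQ", masq_rule)
    if rule is None or ipaddress.ip_network(rule.group(1)) != net:
        problems.append("MASQ source network does not match the DHCP subnet")
    return problems
```

Run check_config on the real /etc/dhcpd.conf text and the MASQ line from rc.firewall after any edit to either file; an empty list means the two still agree.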
5. Clients
Very easy: go to Start --> Settings --> Network --> TCP/IP --> Obtain an IP address automatically.