作為公司上網(wǎng)的路由器需要實(shí)現(xiàn)的功能有nat地址轉(zhuǎn)換���、dhcp、dns緩存、流量控制、應(yīng)用程序控制�,nat地址轉(zhuǎn)換通過iptables可以直 接實(shí)現(xiàn)���,dhcp服務(wù)需要安裝dhcpd��,dns緩存功能需要使用bind,流量控制可以使用tc���,應(yīng)用程序控制:例如對qq的封鎖可以使用 netfilter-layer7-v2.22+17-protocols-2009-05-28.tar.gz來實(shí)現(xiàn)
1�、網(wǎng)絡(luò)規(guī)劃
操作系統(tǒng)是centos5.8
2����、安裝dhcpd
代碼如下:
yum install dhcp-3.0.5-31.el5
vim /etc/dhcp/dhcpd.conf
ddns-update-style interim;
ignore client-updates;
subnet 10.0.0.0 netmask 255.255.255.0 {
option routers 10.0.0.1;
option subnet-mask 255.255.255.0;
option domain-name-servers 10.0.0.1;
range dynamic-bootp 10.0.0.100 10.0.0.200;
default-lease-time 21600;
max-lease-time 43200;
}
3、安裝bind���,實(shí)現(xiàn)dns緩存
代碼如下:
yum install bind97.i386 bind97-libs.i386 bind97-utils.i386
vim /etc/named.conf
options {
directory "/var/named";
allow-recursion { 10.0.0.0/24; };
recursion yes;
forward first; #將所有請求都進(jìn)行轉(zhuǎn)發(fā)
forwarders { 114.114.114.114; }; #定義轉(zhuǎn)發(fā)服務(wù)器地址
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-transfer { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-transfer { none; };
};
創(chuàng)建根域文件��,默認(rèn)有
代碼如下:
dig -t NS . > /var/named/named.ca
chown :named /var/named/named.ca
創(chuàng)建本地正向解析文件���,默認(rèn)有
代碼如下:
vim /var/named/named.localhost
$TTL 1D
@ IN SOA @ rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
A 127.0.0.1
chown :named /var/named/named.localhost
創(chuàng)建本地反向解析文件,默認(rèn)有
代碼如下:
vim /var/named/named.loopback
$TTL 1D
@ IN SOA @ rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
A 127.0.0.1
PTR localhost.
chown :named /var/named/named.loopback
檢查主配置文件
代碼如下:
named-checkconf
檢查根區(qū)域配置文件
代碼如下:
named-checkzone “.” /var/named/named.ca
檢查區(qū)域文件
代碼如下:
named-checkzone “localhost” /var/named/named.localhost
啟動服務(wù)
代碼如下:
service named start
4��、重新編譯編譯內(nèi)核和iptables以支持應(yīng)用層過濾
由于實(shí)行防火墻功能的是netfilter內(nèi)核模塊,所以需要重新編譯內(nèi)核�,需要下載新的內(nèi)核源碼,并使用netfilter-layer7-v2.22作為內(nèi)核的補(bǔ)丁一起編譯到內(nèi)核中�����。而控制netfiler的是iptables工具�����,因此iptables也必須重新編譯安裝�����,最后再安裝應(yīng)用程序過濾特征碼庫17-protocols-2009-05028.tar.gz
1���、給內(nèi)核打補(bǔ)丁���,并重新編譯內(nèi)核
2、給iptables源碼打補(bǔ)丁��,并重新編譯iptables
3��、安裝17proto
備份iptables腳本和配置文件
代碼如下:
cp /etc/rc.d/init.d/iptables /root/iptables.sysv
cp /etc/sysconfig/iptables-config /root/iptables-config
2.6內(nèi)核下載地址
https://www.kernel.org/pub/linux/kernel/v2.6/
netfilter下載地址
iptables源碼下載地址
應(yīng)用程序特征碼庫下載地址
代碼如下:
xz -d linux-2.6.28.10.tar.xz
tar -xvf linux-2.6.28.10.tar.gz -C /usr/src #新的內(nèi)核源碼,用于重新編譯
tar -zxvf netfilter-layer7-v2.22.tar.gz -C /usr/src #內(nèi)核補(bǔ)丁和iptables補(bǔ)丁 ��,只支持到2.6.28
#進(jìn)入解壓目錄并創(chuàng)建軟連接
< p>cd /usr/src
ln -sv linux-2.6.28.10 linux
#進(jìn)入內(nèi)核目錄
< p>cd /usr/src/linux
#為當(dāng)前內(nèi)核打補(bǔ)丁
< p>patch -p1 < ../netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.path
#為了方便編譯內(nèi)核將系統(tǒng)上的內(nèi)核配置文件復(fù)制過來
< p>cp /boot/config-2.6.18-164.el5 /usr/src/linux/.config
編譯內(nèi)核
代碼如下:
make menuconfig
Networking support -> Networking Options -> Network packet filtering framework -> Core Netfilter Configuration
Netfilter connection tracking support
"lawyer7" match support
"string" match support
"time" match support
"iprange" match support
"connlimit" match support
"state" match support
"conntrack" connection match support
"mac" address match support
"multiport" Multiple port match support
Networking support -> Networign options -> Network packet filtering framework -> IP:Netfiltr Configuration
IPv4 connection tracking support (required for NAT)
Full NAT
MASQUERADE target support
NETMAP target support
REDIRECT target support
在Networking support中選擇 Networking options
