17小时玩转AS3

这两天一直在研究AS3，初次使用，由RH73跨越到AS3，确实有很多东西不适应，配置方法也不太一样，下面就我在安装配置时出现的一些问题在这里说明一下

我的系统挂了MYSQL、PHP、APACHE2，做了SQUID和NAT、SAMBA、DHCP、SENDMAIL+SMTP认证、PROFTPD

1、安装MYSQL4.0.18

下了MYSQL以后，解压缩

引用:

./configure --prefix=/usr/local/mysql

make

make install

useradd mysql

chown -R mysql /usr/local/mysql/var

启动MYSQL，/usr/local/mysql/bin/mysqld_safe --user=mysql

2、安装APACHE 2.0.48

解压缩

引用:

./configure

make

make install

3、安装PHP 4.3.4

解压缩

引用:

./configure --with-mysql --with-apxs2=/usr/local/apache2/bin/apxs --enable-versioning --disable-debug --enable-track-vars

make

make install

修改/usr/local/apache2/conf/httpd.conf

看有没有以下两行

引用:

LoadModule php4_module modules/libphp4.so

AddType application/x-httpd-php .php

默认应该有第一行，第二行要自己添加

增加默认页面index.php

引用:

DirectoryIndex index.html index.php index.htm index.html.var

4、配置SENDMAIL

vi /etc/mail/sendmail.mc

将

引用:

dnl # TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

dnl # define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

修改为，以便支持SMTP发信认证

引用:

TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

将

引用:

DAEMON_OPTIONS(`Port=smtp,127.0.0.1,Name=MTA')dnl

修改为，支持远程访问

引用:

DAEMON_OPTIONS(`Port=smtp,Name=MTA')dnl

将

引用:

dnl # MASQUERADE_AS(`platinum.3322.org')dnl

改为

引用:

MASQUERADE_AS(`platinum.3322.org')dnl

m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

vi /etc/mail/sendmail.cf

修改

引用:

Cwlocalhost

为

引用:

Cwlocalhost platinum.3322.org

vi /etc/mail/access 添加0.0.0.0 RELAY

vi /etc/mail/local-host-names

添加

引用:

localhost

platinum.3322.org

启动服务：

/etc/rc.d/init.d/sendmail start

/etc/rc.d/init.d/saslauthd start

setup，启用ipop3服务

/etc/rc.d/init.d/xinetd restart

测试：

adduser test

passwd test

用OUTLOOK测试

5、做ADSL拨号上网

adsl-setup

一步一步接着下一步

然后修改生成的配置文件/etc/sysconfig/network-scripts/ifcfg-ppp0

将里面的

引用:

PPPOE_TIMEOUT=60

改为

引用:

PPPOE_TIMEOUT=0

这样就不会因为没有数据传输而自动断线了

6、做NAT

vi /etc/sysctl.conf

修改

引用:

net.ipv4.ip_forward = 0

为

引用:

net.ipv4.ip_forward = 1

这样把默认允许转发打开，不用每次还有修改/proc/net/ipv4/ip_forward了

在防火墙里添加控制，允许NAT出去

引用:

/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE

7、做SQUID

我沿用的RH73的SQUID配置，但在AS3里却遇到了问题

后来仔细看提示才发现，说找不到一个DNS SERVER，奇怪，我的ADSL拨号能PING通www.163.com啊

后来发现/etc/resvol.conf为空，我添加了一个DNS SERVER就行了

我的SQUID做了1000M容量，保存HTTP的1M大小以下的文件，这里就不细说如何配置SQUID了

另外别忘了在iptables里将80端口指向SQUID的端口，我的是默认的3128

8、DHCP

我仍然沿用RH73的dhcpd.conf，结果提示错误，服务无法启动，后来发现需要加个参数

引用:

ddns-update-style ad-hoc;

我的配置文件如下

代码:

ddns-update-style ad-hoc;

max-lease-time -1;

default-lease-time -1;

option subnet-mask 255.255.255.0;

option broadcast-address 255.255.255.255;

option routers 192.168.0.1;

option domain-name-servers 192.168.0.1,202.106.196.152;

option domain-name "platinum.3322.org";

subnet 192.168.0.0 netmask 255.255.255.0 {

range 192.168.0.2 192.168.0.100;

host platinum {

hardware ethernet 00:0a:e6:a9:64:a2;

fixed-address 192.168.0.2;

}

host bchyi {

hardware ethernet 00:80:c8:e4:c1:e4;

fixed-address 192.168.0.3;

filename "/tftpboot/pxelinux.0";

}

}

9、SAMBA

这个是最头疼的，因为这个困惑了我半天的时间

最开始，我沿用RH73的配置文档，发现网上邻居能看见，却无法访问

我的配置文档如下

代码:

[global]

client code page = 936

workgroup = HOME

server string = Samba Server

security = USER

encrypt passwords = Yes

update encrypted = Yes

obey pam restrictions = Yes

pam password change = Yes

passwd program = /usr/bin/passwd %u

passwd chat = *New*password* %n

*Retype*new*password* %n

*passwd:*all*authentication*tokens*updated*successfully*

unix password sync = Yes

log file = /var/log/samba/%m.log

max log size = 0

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

wins proxy = Yes

wins support = Yes

remote announce = 192.168.0.255

remote browse sync = 192.168.0.255

create mask = 0777

directory mask = 0777

printing = lprng

[数据中心]

comment = DATACENTER

path = /share/DATACENTER

read only = No

于是我将security = DOMAIN改成了security = USER

结果发现能出来了，但是进去以后，英文目录名没问题，中文全是乱码（大方框）

在RH73和RH9里百试百灵的，怎么在AS3里不行了？

于是我ssh，直接进入我的硬盘ls了一下，结果傻了，原来RH73看到的都是中文名字，现在变成了???等东西

……

经好好先生提醒，我想起来了，可能是和字符集有关系，于是补装ttfonts-zh_CN库，结果发现少装了好多东西，关联东西太多，无奈，又重新装系统……

现在好了，ls，发现仍然是???，无奈，选择默认字符集为GB2312，ls，没事了！

/etc/rc.d/init.d/smb restart

回到网上邻居，进入，发现仍然事乱码！

看来和字符集没关系，和SAMBA的配置有关系

testparm发现，client code page = 936这句话在AS3里并不好使，提示这句话错误

难道没办法显示中文了？？？

找了N多资料，在一个老外的论坛了找到了正确配置方法（显示中文的东西竟然在老外论坛里），用这句话替代：unix charset=GB2312

现在SAMBA能用了，正确的配置文档如下

代码:

[global]

unix charset=GB2312

workgroup = HOME

server string = Samba Server

security = USER

encrypt passwords = Yes

update encrypted = Yes

obey pam restrictions = Yes

pam password change = Yes

passwd program = /usr/bin/passwd %u

passwd chat = *New*password* %n

*Retype*new*password* %n

*passwd:*all*authentication*tokens*updated*successfully*

unix password sync = Yes

log file = /var/log/samba/%m.log

max log size = 0

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

wins proxy = Yes

wins support = Yes

remote announce = 192.168.0.255

remote browse sync = 192.168.0.255

create mask = 0777

directory mask = 0777

printing = lprng

[数据中心]

comment = DATACENTER

path = /share/DATACENTER

read only = No

10、PROFTPD

这个对我来说是轻车熟路了，装了个1.2.9（最高版本，目前没漏洞），编译好

直接把配置文档贴出来吧

代码:

# This is a basic ProFTPD configuration file (rename it to

# 'proftpd.conf' for actual use. It establishes a single server

# and a single anonymous login. It assumes that you have a user/group

# "nobody" and "ftp" for normal operation and anon.

ServerType standalone

DefaultServer on

AllowRetrieveRestart on

AllowOverwrite on

AllowStoreRestart on

ServerIdent on "Welcome to PLATINUM's FTP !"

DefaultRoot ~

DisplayLogin .welcome

DisplayFirstChdir .message

UseReverseDNS off

IdentLookups off

SystemLog /var/log/ftp.syslog

TransferLog /var/log/ftp.transferlog

TransferRate RETR 20 group hMovie

# MaxClientsPerUser 10 "已超过最大上限 10 个guest用户，请少后再试！"

# MaxClientsPerHost 4

# Port 21 is the standard FTP port.

Port 21

# Umask 022 is a good standard umask to prevent new dirs and files

# from being group and world writable.

Umask 002

# To prevent DoS attacks, set the maximum number of child processes

# to 30. If you need to allow more than 30 concurrent connections

# at once, simply increase this value. Note that this ONLY works

# in standalone mode, in inetd mode you should use an inetd server

# that allows you to limit maximum number of processes per service

# (such as xinetd).

MaxInstances 30

# Set the user and group under which the server will run.

User nobody

Group nobody

# Normally, we want files to be overwriteable.

<Directory />

AllowOverwrite on

</Directory>

<Directory /share/DATACENTER/电影>

<Limit RNFR DELE WRITE>

DenyGroup hMovie

</Limit>

</Directory>

<Anonymous ~guest>

User guest

Group ftp

AllowOverwrite on

AllowRetrieveRestart on

AllowStoreRestart on

TransferRate RETR 10

# MaxClientsPerUser 30 "已超过最大上限 30 个guest用户，请少后再试！"

# MaxClientsPerHost 4

<Directory /share/ftp/上传目录>

Umask 000

<Limit RNFR DELE RETR>

DenyAll

</Limit>

</Directory>

</Anonymous>

11、网络安全问题

服务架好了，网络安全不容忽视

这是我的“反弹式”防火墙

代码:

#! /bin/bash

/sbin/modprobe ip_conntrack_ftp

/sbin/modprobe ip_nat_ftp

/sbin/iptables -F -t filter

/sbin/iptables -F -t nat

/sbin/iptables -P INPUT ACCEPT

/sbin/iptables -P OUTPUT ACCEPT

/sbin/iptables -P FORWARD ACCEPT

/sbin/iptables -t nat -P PREROUTING ACCEPT

/sbin/iptables -t nat -P POSTROUTING ACCEPT

/sbin/iptables -t nat -P OUTPUT ACCEPT

# ALLOW ALL in PRIVATE NET

/sbin/iptables -A INPUT -i lo -j ACCEPT

/sbin/iptables -A INPUT -i eth1 -j ACCEPT

# FTP

/sbin/iptables -A INPUT -m limit --limit 100/s --limit-burst 100 -p tcp --dport 21 -j ACCEPT

# SSH & TELNET

/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# MAIL

/sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT

# VPN

#/sbin/iptables -A INPUT -p tcp --dport 1723 -j ACCEPT

#/sbin/iptables -A INPUT -p gre -j ACCEPT

# WWW

/sbin/iptables -A INPUT -m limit --limit 100/s --limit-burst 100 -p tcp --dport 80 -j ACCEPT

# MYSQL

# /sbin/iptables -A INPUT -p tcp --dport 3306 -j ACCEPT

# SOCKS5

# /sbin/iptables -A INPUT -p tcp --dport 8039 -j ACCEPT

# ICMP(PING)

/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT

/sbin/iptables -A INPUT -p icmp --icmp-type ! echo-request -j ACCEPT

# NAT

/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE

# DNAT SQL-SERVER & RADMIN to PRIVATE NET

/sbin/iptables -A PREROUTING -t nat -p tcp -s ! 192.168.0.0/24 --dport 4899 -j DNAT --to 192.168.0.2:4899

/sbin/iptables -A PREROUTING -t nat -p tcp -s ! 192.168.0.0/24 --dport 5000 -j DNAT --to 192.168.0.3:4899

iptables -t nat -A PREROUTING -p tcp -m tcp -s 192.168.0.0/24 --dport 80 -j DNAT --to 192.168.0.1:3128

# DENY OTHERS

/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

/sbin/iptables -A INPUT -j MIRROR

终于写完了，不容易，这17小时没白费

• ·利用LINUX做路由器+网关+防火墙进行远程办
• ·韩国小姐金娜娜(走进哈佛的美少女)|报价￥13
• ·AS3+Apache+Sendmail+ope
• ·RedHatLinux9.0服务器架设全程实录
• ·为你飘零(邓颖超妹妹的传奇一生)/我这一辈子系
• ·Linux网络服务软件安装备忘录ver0.4
• ·美丽与哀愁-一个真实的张爱玲|报价￥51.90
• ·Linux网络服务软件安装备忘录ver0.3
• ·Linux网络服务软件安装备忘录ver0.2
• ·美丽与哀愁：一个真实的林徽因|报价￥41.60