1. Background and requirements
A friend's office gets its Internet access over a cable modem. The contract allows only one IP address, but the office has more than ten computers; in the end my friend went to the ISP, explained the situation and paid a sizeable extra fee. The requirement: every machine gets online through that single IP.
2. Hardware & software
Hardware: a P90 with 32 MB RAM and two NICs, one 3Com and one D-Link (using different cards makes eth0 and eth1 easy to tell apart).
One hub.
Software: RedHat 6.2 + Helix Gnome (so that FireStarter can be run); upgrading the kernel is recommended.
3. Installing the firewall
Set up IP masquerading + IPChains:
Create /etc/rc.d/rc.firewall (any file name in any location will do if you run it by hand) with the following contents:
#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Masquerade test for 2.1.x and 2.2.x kernels
# using IPCHAINS
#
# Needed to initially load modules
#
/sbin/depmod -a
# Supports the proper masquerading of FTP file transfers using the PORT method
#
/sbin/modprobe ip_masq_ftp
# Supports the masquerading of RealAudio over UDP. Without this module,
# RealAudio WILL function but in TCP mode. This can cause a reduction
# in sound quality
#
#/sbin/modprobe ip_masq_raudio --> for receiving RealAudio
# Supports the masquerading of IRC DCC file transfers
#
#/sbin/modprobe ip_masq_irc --> remove the "#" if you want to use IRC; my friend doesn't allow it :-)
# Playing Quake over the network
# Supports the masquerading of Quake and QuakeWorld by default. This module is
# for multiple users behind the Linux MASQ server. If you are going to
# play Quake I, II, and III, use the second example.
#
# NOTE: If you get ERRORs loading the QUAKE module, you are running an old
# ----- kernel that has bugs in it. Please upgrade to the newest kernel.
#
#Quake I / QuakeWorld (ports 26000 and 27000)
#/sbin/modprobe ip_masq_quake
#
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
#/sbin/modprobe ip_masq_quake 26000,27000,27910,27960
# Supports the masquerading of the CuSeeme video conferencing software
#
#/sbin/modprobe ip_masq_cuseeme --> CU-SeeMe video telephony
# Supports the masquerading of the VDO-live video conferencing software
#
#/sbin/modprobe ip_masq_vdolive --> VDO-Live video telephony
# CRITICAL: Enable IP forwarding since it is disabled by default
#
# Redhat Users: you may try changing the options in
# /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo "1" > /proc/sys/net/ipv4/ip_forward
# CRITICAL: Enable automatic IP defragmenting since it is disabled by default
# in 2.2.x kernels. This used to be a compile-time option but the
# behavior was changed in 2.2.12
#
echo "1" > /proc/sys/net/ipv4/ip_always_defrag
# Dynamic IP users: --> this ISP assigns the address by DHCP, so this is enabled
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP, enable the
# following option. This enables dynamic-ip address hacking in IP MASQ,
# making the life with Diald and similar programs much easier.
#
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Enable the LooseUDP patch which some Internet-based games require
#
# If you are trying to get an Internet game to work through your IP MASQ box,
# and you have set it up to the best of your ability without it working, try
# enabling this option (delete the "#" character). This option is disabled
# by default due to possible internal machine UDP port scanning
# vulnerabilities.
#
#echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose
# MASQ timeouts
#
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 160 sec timeout for UDP traffic (Important for MASQed ICQ users)
#
/sbin/ipchains -M -S 7200 10 160
# DHCP: For people who receive their external IP address from either DHCP or
# BOOTP such as ADSL or Cablemodem users, it is necessary to use the
# following before the deny command. The "bootp_client_net_if_name"
# should be replaced with the name of the interface that the DHCP/BOOTP
# server will put an address on. This will be something like "eth0",
# "eth1", etc.
#
# This ISP assigns the address by DHCP, so the rule is enabled here (eth0 is
# the interface facing the cable modem).
/sbin/ipchains -A input -j ACCEPT -i eth0 -s 0/0 67 -d 0/0 68 -p udp
# Enable simple IP forwarding and Masquerading
#
# NOTE: The following is an example for an internal LAN address in the
# 192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask
# connecting to the Internet on interface eth0.
#
# ** Please change this network number, subnet mask, and your Internet
# ** connection interface name to match your internal LAN setup
#
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -i eth0 -s 192.168.0.0/24 -j MASQ
Run chmod 700 /etc/rc.d/rc.firewall to make it executable.
Then add the line /etc/rc.d/rc.firewall to /etc/rc.d/rc.local so that it runs at boot.
The rules above let every PC on the 192.168.0.x subnet reach the Internet through the single ISP-assigned IP; IRC, RealPlayer, Quake and so on stay disabled (their helper modules are left commented out).
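As an added check (not part of the original page), the following Python parses the output of `ipchains -L -n` and verifies the properties rc.firewall is meant to establish: forward policy DENY, a MASQ rule restricted to 192.168.0.0/24, and the input ACCEPT rule for DHCP. The listing embedded below is a constructed sample in the shape of that command's output; the column layout is my assumption, so feed it real output to audit a live box.

```python
import re

# Constructed sample in the shape `ipchains -L -n` prints once rc.firewall has run.
SAMPLE_LISTING = """\
Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
ACCEPT     udp  ------  0.0.0.0/0            0.0.0.0/0             67 ->   68
Chain forward (policy DENY):
target     prot opt     source                destination           ports
MASQ       all  ------  192.168.0.0/24       0.0.0.0/0             n/a
Chain output (policy ACCEPT):
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)")

def parse_listing(text):
    """Return {chain: {"policy": str, "rules": [dict]}} from an ipchains listing."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
            continue
        if not line.strip() or line.startswith("target") or current is None:
            continue
        f = line.split()  # target prot opt source destination ports...
        current["rules"].append({"target": f[0], "proto": f[1], "src": f[3],
                                 "dst": f[4], "ports": " ".join(f[5:])})
    return chains

def audit(chains, lan="192.168.0.0/24"):
    """Return findings where the listing departs from what rc.firewall sets up."""
    findings = []
    fwd = chains.get("forward", {"policy": "?", "rules": []})
    if fwd["policy"] != "DENY":
        findings.append("forward policy is %s, not DENY" % fwd["policy"])
    masq = [r for r in fwd["rules"] if r["target"] == "MASQ"]
    if not any(r["src"] == lan for r in masq):
        findings.append("no MASQ rule for the internal LAN " + lan)
    for r in masq:
        if r["src"] != lan:  # a wider source would masquerade traffic that is not ours
            findings.append("MASQ rule for %s masquerades more than the LAN" % r["src"])
    dhcp = [r for r in chains.get("input", {"rules": []})["rules"]
            if r["target"] == "ACCEPT" and r["proto"] == "udp" and r["ports"].startswith("67 ")]
    if not dhcp:
        findings.append("no input ACCEPT rule for DHCP (udp 67 -> 68)")
    return findings

if __name__ == "__main__":
    print(audit(parse_listing(SAMPLE_LISTING)) or "OK: ruleset matches rc.firewall")
```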
4. DHCP server
To make network setup easy for the Windows machines on the LAN, install a DHCP server as well.
In the RedHat package directory run rpm -ivh dhcp* to make sure all the DHCP packages are installed.
touch /var/state/dhcp/dhcpd.leases to create the file in which dhcpd records its leases.
Create the file /etc/dhcpd.conf:
# /etc/dhcpd.conf
# Run "route add -host 255.255.255.255 dev eth1 2> /dev/null" and then
# "/usr/sbin/dhcpd eth1" to start dhcpd bound to eth1.
# Don't start it on eth0: it would conflict with the ISP's DHCP server.
#
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.10 192.168.0.100;
    default-lease-time 1200;
    max-lease-time 9200;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.0.255;
    option routers 192.168.0.1;
    option domain-name-servers xxx.xx.xx.xx, xxx.xx.xxx.x;   # the ISP's DNS servers
    option domain-name "office.net";
}
The settings above hand out internal addresses from 192.168.0.10 to 192.168.0.100 automatically.
Bind dhcpd to eth1; otherwise the system binds it to eth0, where it fails to start and would also conflict with the ISP's DHCP server.
Edit /etc/rc.d/init.d/dhcpd and append eth1 after /usr/sbin/dhcpd.
Finally, so that client PCs reliably obtain their route, run:
route add -host 255.255.255.255 dev eth1 2> /dev/null
5. Clients
Very easy: go to Start --> Settings --> Network --> TCP/IP --> Obtain an IP address automatically.
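A consistency check for the subnet block above, added here and not part of the original page: it parses the small dhcpd.conf subset used in this section and verifies that the addresses handed out fit the LAN that rc.firewall masquerades (range inside the subnet, router outside the dynamic range, broadcast address matching, lease times ordered). The embedded configuration is a constructed copy of the block above with documentation addresses standing in for the ISP's DNS servers.

```python
import ipaddress
import re

# Constructed copy of the section-4 block; the DNS addresses are documentation placeholders.
SAMPLE_CONF = """\
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.10 192.168.0.100;
    default-lease-time 1200;
    max-lease-time 9200;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.0.255;
    option routers 192.168.0.1;
    option domain-name-servers 192.0.2.1, 192.0.2.2;
    option domain-name "office.net";
}
"""

def parse_subnet_block(text):
    """Return the statements of the first subnet { ... } block as a dict."""
    m = re.search(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no subnet block found")
    conf = {"network": ipaddress.ip_network(m.group(1) + "/" + m.group(2))}
    for stmt in m.group(3).split(";"):
        words = stmt.split()
        if words and words[0] == "option":          # option <name> <value...>
            conf[words[1]] = " ".join(words[2:]).strip('"')
        elif words:                                  # range / lease-time statements
            conf[words[0]] = " ".join(words[1:])
    return conf

def check_conf(conf, masq_lan="192.168.0.0/24"):
    """Return a list of problems; empty means the block fits the masqueraded LAN."""
    net, problems = conf["network"], []
    if net != ipaddress.ip_network(masq_lan):
        problems.append("subnet %s is not the masqueraded LAN %s" % (net, masq_lan))
    lo, hi = (ipaddress.ip_address(a) for a in conf["range"].split())
    if lo not in net or hi not in net or lo > hi:
        problems.append("range %s-%s is not inside %s" % (lo, hi, net))
    router = ipaddress.ip_address(conf["routers"])
    if router not in net:
        problems.append("router %s is outside %s" % (router, net))
    elif lo <= router <= hi:  # the gateway's own address must never be leased out
        problems.append("router %s lies inside the dynamic range" % router)
    if ipaddress.ip_address(conf["broadcast-address"]) != net.broadcast_address:
        problems.append("broadcast-address does not match %s" % net)
    if int(conf["max-lease-time"]) < int(conf["default-lease-time"]):
        problems.append("max-lease-time is shorter than default-lease-time")
    return problems
```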