Setting up a router on FreeBSD 6.1-RELEASE with route and ipfilter

The goal is a server through which hosts on the internal network talk to the outside world. Forwarding between the two networks is done by the gateway (route) function built into FreeBSD; protecting the server itself and keeping worm traffic off the internal hosts is done with FreeBSD's ipfilter. The initial setup goes as follows:

Network interfaces:
vr0: external interface
vr1: internal interface

1. Minimal install of FreeBSD 6.1-RELEASE
Download the FreeBSD 6.1-RELEASE image from ftp://ftp.FreeBSD.org/pub/FreeBSD/, burn it to CD, set the server to boot from the CD drive and start the installer. I chose the minimal installation and enabled ftp and ssh; everything else can stay at the defaults (see the linked article for details). Reboot once the installation has finished.

2. Install the kernel source
Insert the installation CD, then:

# /usr/sbin/sysinstall

Choose Configure --> Distributions --> src --> sys, select Install, and reboot when it is done. Only the kernel source is needed here; it is what the custom kernel in step 4 is built from.

3. Basic configuration
Edit /etc/rc.conf

# cd /etc
# ee rc.conf

Contents:
hostname="gatewall.wxic.edu.cn"
defaultrouter="172.16.252.17"
ifconfig_vr0="inet 172.16.252.x netmask 255.255.255.252"
ifconfig_vr1="inet 58.193.11x.25x netmask 255.255.248.0"
inetd_enable="YES"
linux_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
sendmail_enable="NONE"

vr0 sits on the /30 point-to-point link to the upstream router 172.16.252.17, and vr1 carries the 58.193.112.0/21 block assigned to the internal hosts. The internal hosts therefore keep their own routable addresses: this box routes and filters, it does not translate addresses.

Edit /etc/resolv.conf

# ee /etc/resolv.conf

Contents:
nameserver 58.193.112.1

4. Configure the kernel and add ipfilter support

# cd /usr/src/sys/i386/conf
# cp GENERIC funpower
# ee funpower

Now edit the kernel configuration file. The right set of options depends on the hardware and on what the machine is for; since we need ipfilter, add support for it with the following lines:
options   IPFILTER
options   IPFILTER_LOG
options   IPFILTER_DEFAULT_BLOCK
Other options can be chosen by consulting the linked article and tailoring the file to the machine. Save and exit, then:

# /usr/sbin/config funpower
# cd ../compile/funpower
# make cleandepend
# make depend
# make
# make install

Reboot the server when the build has finished. IPFILTER_DEFAULT_BLOCK makes ipfilter drop every packet that no rule matches, which, until a rule set is loaded, means all traffic, so make sure you are at the server's console and not working over ssh.

5. Add the routing options to /etc/rc.conf

# cd /etc
# ee rc.conf

Append the following lines:
gateway_enable="YES"
static_routes="static1"
route_static1="-net 58.193.11x.0/21 172.16.252.x/30"
The first address is the internal network prefix; the second is meant to be the gateway on the external interface's link. Two things to know about that last line: what actually makes the box forward is gateway_enable="YES" (it sets net.inet.ip.forwarding=1) together with the defaultrouter entry from step 3; and because vr1 is configured directly on 58.193.112.0/21, the kernel already installs the connected route for that prefix, so this static route is redundant (route(8) rejects it as a duplicate, and its gateway argument takes a plain host address, so the /30 suffix does not belong there).

6. Configure ipfilter
Add to /etc/rc.conf:
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.conf"
Then edit /etc/ipf.conf

# cd /etc/
# ee ipf.conf

Contents:
# loopback lo0
# pass everything in and out
pass in quick on lo0 all
pass out quick on lo0 all

# external interface vr0
# out: first drop packets to private and bogon destinations, then let only the permitted internal hosts out
block out quick on vr0 from any to 192.168.0.0/16
block out quick on vr0 from any to 0.0.0.0/8
block out quick on vr0 from any to 169.254.0.0/16
block out quick on vr0 from any to 10.0.0.0/8
block out quick on vr0 from any to 172.16.0.0/12
block out quick on vr0 from any to 127.0.0.0/8
block out quick on vr0 from any to 192.0.2.0/24
block out quick on vr0 from any to 204.152.64.0/23
block out quick on vr0 from any to 224.0.0.0/3
# note: the uplink on vr0 is itself inside 172.16.0.0/12, so this list (and the matching 'in' list below) also drops
# packets addressed to or coming from the gateway 172.16.252.17 itself, such as pings to it and ICMP errors from it.
# Forwarded traffic carries the end hosts' addresses and is not affected.

# permit 58.193.112.1
pass out quick on vr0 proto tcp/udp from 58.193.112.1/32 to any keep state
pass out quick on vr0 proto icmp from 58.193.112.1/32 to any keep state

# permit 58.193.112.3
pass out quick on vr0 proto tcp/udp from 58.193.112.3/32 to any keep state
pass out quick on vr0 proto icmp from 58.193.112.3/32 to any keep state

# permit 58.193.113.1
pass out quick on vr0 proto tcp/udp from 58.193.113.1/32 to any keep state
pass out quick on vr0 proto icmp from 58.193.113.1/32 to any keep state

# permit 58.193.113.2
pass out quick on vr0 proto tcp/udp from 58.193.113.2/32 to any keep state
pass out quick on vr0 proto icmp from 58.193.113.2/32 to any keep state

# everything else leaving on vr0 is dropped (no 'quick', so this is the fallback; IPFILTER_DEFAULT_BLOCK would drop it anyway)
block out on vr0 all

# in: drop packets claiming private or bogon source addresses, including our own 58.193.112.0/21
# (anti-spoofing: nothing legitimate arrives on the external interface with an inside source address),
# then the ports used by worms and Windows file sharing (135, 137, 138, 139, 445 and so on)
block in quick on vr0 from 192.168.0.0/16 to any
block in quick on vr0 from 172.16.0.0/12 to any
block in quick on vr0 from 10.0.0.0/8 to any
block in quick on vr0 from 127.0.0.0/8 to any
block in quick on vr0 from 0.0.0.0/8 to any
block in quick on vr0 from 169.254.0.0/16 to any
block in quick on vr0 from 192.0.2.0/24 to any
block in quick on vr0 from 204.152.64.0/23 to any
block in quick on vr0 from 224.0.0.0/3 to any
block in quick on vr0 from 58.193.112.0/21 to any

block in quick on vr0 proto udp from any to any port = 69
block in quick on vr0 proto tcp/udp from any to any port = 135
block in quick on vr0 proto udp from any to any port = 137
block in quick on vr0 proto udp from any to any port = 138
block in quick on vr0 proto tcp/udp from any to any port = 139
block in quick on vr0 proto tcp/udp from any to any port = 445
block in quick on vr0 proto tcp/udp from any to any port = 593
block in quick on vr0 proto tcp from any to any port = 1022
block in quick on vr0 proto tcp from any to any port = 1023
block in quick on vr0 proto tcp from any to any port = 1025
block in quick on vr0 proto tcp from any port = 1034 to any port = 80
block in quick on vr0 proto tcp from any to any port = 1068
block in quick on vr0 proto tcp from any to any port = 1433
block in quick on vr0 proto udp from any to any port = 1434
block in quick on vr0 proto tcp from any to any port = 1871
block in quick on vr0 proto tcp from any to any port = 2745
block in quick on vr0 proto tcp from any to any port = 3208
block in quick on vr0 proto tcp from any to any port = 3127
block in quick on vr0 proto tcp from any to any port = 4331
block in quick on vr0 proto tcp from any to any port = 4334
block in quick on vr0 proto tcp from any to any port = 4444
block in quick on vr0 proto tcp from any port = 4444 to any
block in quick on vr0 proto tcp from any to any port = 4510
block in quick on vr0 proto tcp from any to any port = 4557
block in quick on vr0 proto tcp from any to any port = 5554
block in quick on vr0 proto tcp from any to any port = 5800
block in quick on vr0 proto tcp from any to any port = 5900
block in quick on vr0 proto tcp from any to any port = 6129
block in quick on vr0 proto tcp from any to any port = 6667
block in quick on vr0 proto tcp from any to any port = 9995
block in quick on vr0 proto tcp from any to any port = 9996
block in quick on vr0 proto tcp from any to any port = 10080

# drop fragmented packets, TCP packets too short to carry a full header, source-routed packets,
# Xmas-flag packets (logging the first of each) and anything else carrying IP options.
# Dropping every fragment also drops legitimate large UDP datagrams that had to be fragmented.
block in quick on vr0 all with frags
block in quick on vr0 proto tcp all with short
block in quick on vr0 all with opt lsrr
block in quick on vr0 all with opt ssrr
block in log first quick on vr0 proto tcp from any to any flags FUP
block in quick on vr0 all with ipopts

# services reachable from the outside (on the gateway itself and, forwarded through vr1, on internal hosts):
# http, telnet, ssh, ftp control and data, and the port range 30001-50000.
# telnet and ftp carry credentials in clear text; pass them in only if they are really needed.
pass in quick on vr0 proto tcp from any to any port = 80 flags S keep state
pass in quick on vr0 proto tcp from any to any port = 23 flags S keep state
pass in quick on vr0 proto tcp from any to any port = 22 flags S keep state
pass in quick on vr0 proto tcp from any to any port = ftp flags S/SA keep state
pass in quick on vr0 proto tcp from any to any port = ftp-data flags S/SA keep state
pass in quick on vr0 proto tcp from any to any port 30000 >< 50001 flags S/SA keep state

# icmp: accept echo replies and time-exceeded (so ping and traceroute from inside work), log and drop the rest
pass in quick on vr0 proto icmp from any to any icmp-type 0
pass in quick on vr0 proto icmp from any to any icmp-type 11
block in log quick on vr0 proto icmp from any to any

# anything else arriving on vr0 is logged and dropped
block in log on vr0 all

# internal interface vr1
# out: pass everything
pass out on vr1 all
# in: pass everything (no state is kept here; internal hosts that are not in the permitted list
# are stopped only by the 'block out on vr0 all' rule above)
pass in on vr1 all

Reboot the server once the configuration is complete. (The rules can also be reloaded without a reboot with ipf(8), and the loaded rule set and the state table can be inspected with ipfstat(8).)

Test from a client machine: first give it one of the IPs permitted in ipf.conf and ping edu.cn; if the ping succeeds, the client can reach the outside. Then change the client's IP to one that is not in the permitted list; if the ping now fails, the ipf.conf rules are in effect.
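As an added example (this is not code from the original article), the following POSIX sh script performs two checks on an ipfilter bogon list like the one above before it is loaded, and generates the per-host pass rules from a list of addresses instead of copying the block by hand. The rule excerpts inside it are constructed for the example and reproduce two common mistakes in such lists: a prefix length that leaves host bits set (169.254.0.0/8 where the link-local block is a /16) and a network blocked on one side but not on the other (127.16.0.0/12 on the out side versus 172.16.0.0/12 on the in side). The names ip_to_int, cidr_ok, lint_rules and pass_rules are this example's own; it needs only sh, awk and grep.

```sh
#!/bin/sh
# Added example, not part of the original article: sanity checks for the
# bogon block lists in an ipfilter ruleset like /etc/ipf.conf above.
#   1. each CIDR has no host bits set (169.254.0.0/8 fails: with a /8 mask
#      the network address would be 169.0.0.0, so the prefix length is wrong);
#   2. every network blocked as an 'out' destination on vr0 is also blocked
#      as an 'in' source, and vice versa (127.16.0.0/12 versus 172.16.0.0/12).
# Plus a generator for the repetitive per-host 'pass out' rule pair.

# Constructed excerpt containing both mistakes.
RULES_BAD='block out quick on vr0 from any to 192.168.0.0/16
block out quick on vr0 from any to 169.254.0.0/8
block out quick on vr0 from any to 127.16.0.0/12
block out quick on vr0 from any to 10.0.0.0/8
block in quick on vr0 from 192.168.0.0/16 to any
block in quick on vr0 from 172.16.0.0/12 to any
block in quick on vr0 from 10.0.0.0/8 to any
block in quick on vr0 from 169.254.0.0/16 to any'

# The same excerpt with both mistakes corrected.
RULES_FIXED='block out quick on vr0 from any to 192.168.0.0/16
block out quick on vr0 from any to 169.254.0.0/16
block out quick on vr0 from any to 172.16.0.0/12
block out quick on vr0 from any to 10.0.0.0/8
block in quick on vr0 from 192.168.0.0/16 to any
block in quick on vr0 from 172.16.0.0/12 to any
block in quick on vr0 from 10.0.0.0/8 to any
block in quick on vr0 from 169.254.0.0/16 to any'

# ip_to_int A.B.C.D -> the address as a decimal 32-bit integer
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_ok NET/LEN -> success when NET is the network address for LEN
# (no host bits set); failure for malformed input as well
cidr_ok() {
    case $1 in */*) ;; *) return 1 ;; esac
    net=${1%/*} len=${1#*/}
    [ "$len" -ge 0 ] && [ "$len" -le 32 ] || return 1
    ip=$(ip_to_int "$net")
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( ip & mask )) -eq "$ip" ]
}

# lint_rules RULESET -> one line per finding on stdout; exit status 1 if any
lint_rules() {
    # 'out' rules name the network as the destination ($9), 'in' rules as the source ($7)
    outs=$(printf '%s\n' "$1" | awk '$1=="block" && $2=="out" && $7=="any" && $8=="to" {print $9}')
    ins=$(printf '%s\n' "$1" | awk '$1=="block" && $2=="in" && $7!="any" && $8=="to" && $9=="any" {print $7}')
    n=0
    for c in $outs $ins; do
        cidr_ok "$c" || { echo "host bits set, prefix length wrong: $c"; n=$((n + 1)); }
    done
    for c in $outs; do
        printf '%s\n' "$ins" | grep -qxF "$c" || { echo "out destination without matching in source: $c"; n=$((n + 1)); }
    done
    for c in $ins; do
        printf '%s\n' "$outs" | grep -qxF "$c" || { echo "in source without matching out destination: $c"; n=$((n + 1)); }
    done
    [ "$n" -eq 0 ]
}

# pass_rules HOST... -> the stateful 'pass out' pair the ruleset repeats per
# permitted client, generated from a list instead of hand-copied
pass_rules() {
    for h in "$@"; do
        echo "pass out quick on vr0 proto tcp/udp from $h/32 to any keep state"
        echo "pass out quick on vr0 proto icmp from $h/32 to any keep state"
    done
}

echo "== findings in RULES_BAD"; lint_rules "$RULES_BAD" || true
echo "== findings in RULES_FIXED"; lint_rules "$RULES_FIXED" && echo "(none)"
echo "== generated pass rules"; pass_rules 58.193.112.1 58.193.112.3
```

Run it with sh on the gateway before loading a new rule file. Once the file is clean, `ipf -Fa -f /etc/ipf.conf` flushes and reloads the rule set without a reboot and `ipfstat -nio` lists the inbound and outbound rules that are actually loaded, which is the quickest way to confirm that the file ipfilter parsed is the one you edited.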
