操作基于ubuntu server10.10 上进行安装配置.进行配置iptables.ip转换.mac过虑功能.
1.建iptables
| 以下是代码片段: root@ptubuntufirewall:/# vi /etc/init.d/iptables #fLUSH THE FILTER,NAT,Mangle chain! /sbin/iptables -F -t filter /sbin/iptables -F -t nat /sbin/iptables -F -t mangle #Flush the user’s chain /sbin/iptables -t filter -X /sbin/iptables -t nat -X /sbin/iptables -t mangle -X #Set default policies to DROP /sbin/iptables -P INPUT ACCEPT /sbin/iptables -P OUTPUT ACCEPT /sbin/iptables -P FORWARD ACCEPT #LAN NAT /sbin/iptables -A POSTROUTING -t nat -s 192.168.0.0/255.255.255.0 -o eth1 -j MASQUERADE #/sbin/iptables -A POSTROUTING -t nat -s 192.168.0.0/255.255.255.0 -o eth0 -j MASQUERADE if [ -f /etc/access_mac.conf ] then for i in `cat /etc/access_mac.conf | grep "^[^#]" | tr -s "[\\012]" | cut -c1-17` ; do /sbin/iptables -A FORWARD -m mac -mac-source $i -i eth0 -j ACCEPT done fi /sbin/iptables -A FORWARD -i eth0 -j DROP #VNC View Ptubuntu 这下面两条指:访问外网ip可以转换到内网ip:端口 /sbin/iptables -A PREROUTING -t nat -p tcp -m tcp -i eth1 -dport 5888 -j DNAT -to-destination 192.168.0.110:5888 /sbin/iptables -A PREROUTING -t nat -p tcp -m tcp -i eth1 -dport 5988 -j DNAT -to-destination 192.168.0.110:5988 |
2.设置要过虑的网卡:access_mac.conf
| 以下是代码片段: root@ptubuntufirewall:/#vi /etc/access_mac.conf #MAC address Employee Name OR SERVER Name #Server Netcard Mac Address 00:e0:4c:39:00:00 System Server eth0 00:e0:4c:39:00:00 System Server eth1 00:e0:4c:39:00:00 ptubuntu Server eth0 在这里添加你需要上网的网卡mac地址 |
3.sysctl设置参数.能用sysctl来设置或重新设置连网功能,如IP转发、IP碎片去除及源路由检查等
| 以下是代码片段: root@ptubuntufirewall:/# cat /etc/sysctl.conf net.ipv4.ip_forward=1 #把0改为1就可以了 |
4.设置让它自动启动iptalbes.
| 以下是代码片段: root@ptubuntufirewall:/# update-rc.d iptables defaults 99 |
显示如下表示成功.
| 以下是代码片段: update-rc.d: warning: /etc/init.d/iptables missing LSB information update-rc.d: see Adding system startup for /etc/init.d/iptables … /etc/rc0.d/K99iptables -> ../init.d/iptables /etc/rc1.d/K99iptables -> ../init.d/iptables /etc/rc6.d/K99iptables -> ../init.d/iptables /etc/rc2.d/S99iptables -> ../init.d/iptables /etc/rc3.d/S99iptables -> ../init.d/iptables /etc/rc4.d/S99iptables -> ../init.d/iptables /etc/rc5.d/S99iptables -> ../init.d/iptables |
5.还需要安装dhcp服务器.
| 以下是代码片段: root@ptubuntufirewall:/#aptitude install dhcp3-server root@ptubuntufirewall:/#vi /etc/dhcp3/dhcpd.conf |
文档内容:
| 以下是代码片段: option domain-name "ptubuntufirewall.com"; option domain-name-servers 8.8.4.4, 8.8.8.8; default-lease-time 18000; max-lease-time 36000; subnet 192.168.0.0 netmask 255.255.255.0 { range dynamic-bootp 192.168.0.100 192.168.0.255; option subnet-mask 255.255.255.0; option broadcast-address 192.168.0.255; option routers 192.168.0.252; option time-offset -18000; } |
完后需要重启计算机才可以使用.
6.测试:ping
| 以下是代码片段: root@ptubuntufirewall:/# ping 192.168.0.252 root@ptubuntufirewall:/#ping 8.8.8.8外网IP都可以正常. |
7.设置客户端.
现在就可以自动获取ip地址.如果你需要手动设置IP那么你的默认网关就是你路由的IP地址.192.168.0.252
注:在dhcp没有配置好启动会出错.Starting DHCP server: dhcpd3 failed to start - check syslog for diagnostics.