Building a simple router on Gentoo (doing NAT for a dual-uplink connection)
1. Download the LiveCD
2. Boot from the LiveCD
3. net-setup eth0 (configure the network)
4. fdisk && mkfs (partition the disk to suit your needs)
This example uses three partitions: /dev/hda1 (/boot), /dev/hda2 (swap), /dev/hda3 (/)
5. mount /dev/hda3 /mnt/gentoo
mkdir /mnt/gentoo/boot
mount /dev/hda1 /mnt/gentoo/boot
6. cd /mnt/gentoo
links
Download the latest portage-xxx.tar.bz2 and stage3-xxx-xxx.tar.bz2
7. tar xvjpf /mnt/gentoo/stage3-xxx-xxx.tar.bz2
tar xvjf /mnt/gentoo/portage-xxx.tar.bz2 -C /mnt/gentoo/usr
8. nano -w /mnt/gentoo/etc/make.conf
Add USE="-X -gtk -alsa cjk nls zh_CN"
This builds packages without X, gtk and alsa support (where a package has such components), adds Chinese/Japanese/Korean language support, and adds zh_CN to the built-in character encodings.
9. cp -L /etc/resolv.conf /mnt/gentoo/etc/resolv.conf
10. mount -t proc none /mnt/gentoo/proc
mount -o bind /dev /mnt/gentoo/dev
11. chroot /mnt/gentoo /bin/bash
env-update && source /etc/profile
export PS1="(chroot) $PS1"
12. emerge --sync (sync the latest portage tree)
13. echo "sys-libs/glibc userlocales" >> /etc/portage/package.use
Adds user-locale support to glibc.
14. localedef -i en_US -f UTF-8 zh_CN.UTF-8
nano -w /etc/locales.build
Contents (the list of locales to build):
en_US/ISO-8859-1
en_US.UTF-8/UTF-8
zh_CN/GBK
zh_CN/GB18030
zh_CN/GB2312
zh_CN.UTF-8/UTF-8
15. cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
16. nano -w /etc/env.d/02locale
Contents (the locale the system uses by default):
LANG="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
17. env-update && source /etc/profile (refresh the environment)
18. cd /usr/portage/scripts
./bootstrap.sh (rebuild the system toolchain)
19. emerge -e system (rebuild the system tools)
20. emerge genkernel (install Gentoo's kernel build tool)
21. links, download the latest kernel.
tar xvjf linux-xxx.tar.bz2 -C /usr/src/
ln -s /usr/src/linux-xxx /usr/src/linux
22. links, download the latest iptables and patch-o-matic-ng
tar xvjf patch-o-matic-ng-xxx.tar.bz2
tar xvjf iptables-xxx.tar.bz2
23. cd (path of patch-o-matic-ng-xxx)
KERNEL_DIR=/usr/src/linux IPTABLES_DIR=(path of iptables) ./runme base
KERNEL_DIR=/usr/src/linux IPTABLES_DIR=(path of iptables) ./runme extra
Select and install the features you need.
24. emerge grub (install the bootloader)
25. genkernel --menuconfig --bootloader=grub all (build the kernel)
Block layer ---> IO Schedulers ---> Default I/O scheduler (Anticipatory)
Processor type and features --> Timer frequency (100 HZ)
Processor type and features --> Preemption Model (No Forced Preemption (Server))
Then configure Network packet filtering and Network options according to your needs.
Other kernel options depend on your requirements.
26. nano -w /etc/fstab
nano -w /etc/conf.d/hostname
nano -w /etc/conf.d/domainname
nano -w /etc/conf.d/net
Contents:
config_eth0=("192.168.xxx.xxx netmask 255.255.255.0 brd 192.168.xxx.255") internal (LAN) IP
config_eth1=("xxx.xxx.xxx.xxx netmask 255.255.255.0 brd xxx.xxx.xxx.255") external uplink 1 IP
config_eth2=("xxx.xxx.xxx.xxx netmask 255.255.255.0 brd xxx.xxx.xxx.255") external uplink 2 IP
No default gateway is configured here.
ln -s net.eth0 net.eth1 (in /etc/init.d)
ln -s net.eth0 net.eth2
rc-update add net.eth0 default (bring the interface up at boot)
rc-update add net.eth1 default
rc-update add net.eth2 default
27. nano -w /etc/hosts
nano -w /etc/rc.conf
UNICODE="yes"
28. emerge syslog-ng vixie-cron slocate rp-pppoe dhcpd (install rp-pppoe and dhcpd when the uplink is a PPPoE dial-up; /etc/conf.d/net is configured differently in that case)
rc-update add syslog-ng default
rc-update add vixie-cron default
29. nano -w /boot/grub/grub.conf
title=Gentoo Linux (2.6.16.11)
root (hd0,0)
kernel /kernel-genkernel-xxx root=/dev/ram0 ramdisk=8192 real_root=/dev/hda3 udev
initrd /initramfs-genkernel-xxx
30. grep -v rootfs /proc/mounts > /etc/mtab
grub-install /dev/hda
31. cd (path of iptables) && make && make install
32. emerge iproute2 arpd (the arpd bundled with iproute2 does not reply to ARP requests on its own; the arpd package does)
32. exit && cd && umount /mnt/gentoo/dev && umount /mnt/gentoo/proc && umount /mnt/gentoo/boot && umount /mnt/gentoo
33. reboot
34. nano /etc/conf.d/local.start
/bin/sysctl.bash
/bin/router.bash
35. The file sysctl.bash
#!/bin/sh
#
# setproc This shell script takes care of setting some good basic
# security measures by setting some variables in /proc
# Some of these are enabled in the default install, but it
# is good to make sure that they are being set on boot.
#
# Note: the file /etc/sysctl.conf could be used to do this
# in a saner way, but this works in cases when sysctl
# doesn't exist (some distributions)
#
# Note: kernel is not compiled to do ip forwarding or
# masquerading so setting options such as
# ip_forward, ip_masq_debug is not necessary (it
# could be argued that rp_filter doesn't need to be
# set either.
#
# For more information on these values, visit:
#
# Micah Jan, 14 2001
# Modified March 31 2002 for sarai -- micah
# Enable always defragging protection in /proc/sys/net/ipv4/ip_always_defrag
#echo "1" > /proc/sys/net/ipv4/ip_always_defrag
# Enable broadcast echo protection
# If you ping the broadcast address of a network, all hosts are supposed to
# respond. This makes for a dandy denial-of-service tool. Setting to 1 will ignore these broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Enable bad error message protection - This to ignore ICMP errors caused by hosts in the network
# reacting badly to frames sent to what they perceive to be the broadcast address.
# in /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# The following six /proc settings are all nested in one for loop
# because they are in the same directory:
#
# * Enable IP spoofing protection (turn on Source Address Verification)
# By default, routers route everything, even packets which 'obviously' don't
# belong on your network. A common example is private IP space escaping onto
# the internet. If you have an interface with a route of 195.96.96.0/24 to it,
# you do not expect packets from 212.64.94.1 to arrive there.
# Lots of people will want to turn this feature off, so the kernel hackers
# have made it easy. There are files in /proc where you can tell
# the kernel to do this for you. The method is called "Reverse Path
# Filtering". Basically, if the reply to this packet wouldn't go out the
# interface this packet came in, then this is a bogus packet and should be ignored.
# /proc/sys/net/ipv4/conf/*/rp_filter
#
# * Disable ICMP Redirect Acceptance in
# /proc/sys/net/ipv4/conf/*/accept_redirects and
# /proc/sys/net/ipv4/conf/*/send_redirects
#
# * Disable Source Routed Packets in
# /proc/sys/net/ipv4/conf/*/accept_source_route
#
# * Log Spoofed Packets, Source Routed Packets, Redirect Packets in
# /proc/sys/net/ipv4/conf/*/log_martians
#
# * Enable ICMP redirect security so that only redirect messages originating
# from gateways listed in the default gateway list are accepted in
# /proc/sys/net/ipv4/conf/*/secure_redirects
for conf in /proc/sys/net/ipv4/conf/*
do
    echo "2" > "$conf/rp_filter"
    echo "0" > "$conf/accept_redirects"
    echo "0" > "$conf/send_redirects"
    echo "1" > "$conf/secure_redirects"
    echo "0" > "$conf/accept_source_route"
    echo "1" > "$conf/log_martians"
done
# Enable TCP SYN Cookie protection in /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# stops anyone doing an OS finger print scan on the IP stack, 64 will show as linux, 61 will screw them up
echo 61 > /proc/sys/net/ipv4/ip_default_ttl
# Increase maximum number of files that the system can use
echo "65535" > /proc/sys/fs/file-max
# Increase maximum inodes that the system can allocate; it is generally recommended that
# inode-max is set to four times the value of file-max
#echo "65535" > /proc/sys/fs/inode-max
# Maximal number of remembered connection requests, which still did not
# receive an acknowledgement from connecting client. Default value is 1024 for
# systems with more than 128Mb of memory, and 128 for low memory machines.
echo "4096" > /proc/sys/net/ipv4/tcp_max_syn_backlog
# Number of SYN packets the kernel will send before giving up on the new connection. (def. 10)
echo "5" > /proc/sys/net/ipv4/tcp_syn_retries
echo "512" > /proc/sys/net/ipv4/route/mtu_expires
# How often TCP/IP sends out keepalive messages, default 7200 (2 hours)
echo "7600" > /proc/sys/net/ipv4/tcp_keepalive_time
# The rate at which echo replies are sent to any one destination, helps slow down ping floods
#echo "10" > /proc/sys/net/ipv4/icmp_echoreply_rate
# Time to hold socket in state FIN-WAIT-2, if it was closed by our side. Peer
# can be broken and never close its side, or even died unexpectedly. Default
# value is 60sec. Usual value used in 2.2 was 180 seconds, you may restore it,
# but remember that if your machine is even underloaded WEB server, you risk
# to overflow memory with kilotons of dead sockets, FIN-WAIT-2 sockets are
# less dangerous than FIN-WAIT-1, because they eat maximum 1.5K of memory, but
# they tend to live longer. Cf. tcp_max_orphans.
# echo "360" > /proc/sys/net/ipv4/tcp_fin_timeout
# This enables a fix for 'time-wait assassination hazards in tcp', described
# in RFC 1337. If enabled, this causes the kernel to drop RST packets for
# sockets in the time-wait state.
echo "1" > /proc/sys/net/ipv4/tcp_rfc1337
# Set this if you want to disable Path MTU discovery - a technique to
# determine the largest Maximum Transfer Unit possible on your path. 0 by default
echo "0" > /proc/sys/net/ipv4/ip_no_pmtu_disc
# If a router decides that you are using it for a wrong purpose (ie, it needs
# to resend your packet on the same interface), it will send us a ICMP
# Redirect. This is a slight security risk however, so you may want to turn it
# off, or use secure redirects.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Set timeout on kernel panics (auto reboots after # seconds):
echo 5 > /proc/sys/kernel/panic
echo 5 > /proc/sys/kernel/panic_on_oops
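A practitioner running sysctl.bash from local.start usually wants to know, after a reboot, that the values actually stuck (a renamed interface or a missing kernel option silently leaves a knob at its default). The following is an added verification script, not part of the original post: it holds the expected values that sysctl.bash and router.bash write, expands the per-interface entries exactly as the for loop above does, and compares them against a sysctl tree. The tree root defaults to /proc/sys and can be overridden with a fake directory, which is how the script can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the original post): check that the hardening values
# written by sysctl.bash / router.bash are in effect. Run as
#   sh check_hardening.sh            (against /proc/sys)
#   sh check_hardening.sh /some/dir  (against a fake tree, for testing)

# "relative-path expected-value" pairs; a "conf/*/..." key is expanded over
# every interface directory, matching the post's loop over /proc/sys/net/ipv4/conf.
HARDENING_EXPECTED='net/ipv4/ip_forward 1
net/ipv4/icmp_echo_ignore_broadcasts 1
net/ipv4/icmp_ignore_bogus_error_responses 1
net/ipv4/tcp_syncookies 1
net/ipv4/tcp_rfc1337 1
net/ipv4/conf/*/rp_filter 2
net/ipv4/conf/*/accept_redirects 0
net/ipv4/conf/*/send_redirects 0
net/ipv4/conf/*/accept_source_route 0
net/ipv4/conf/*/log_martians 1'

# check_hardening [sysroot]
# Prints one "MISSING <path>" or "MISMATCH <path> expected=<e> actual=<a>" line
# per problem and returns 1 if any problem was found, 0 otherwise.
check_hardening() {
    root=${1:-/proc/sys}
    problems=0
    # A here-document rather than a pipe keeps the loop in the current shell,
    # so the counter survives the loop.
    while read -r key expected; do
        [ -n "$key" ] || continue
        for path in $root/$key; do          # unquoted on purpose: expands conf/*/
            if [ ! -f "$path" ]; then
                echo "MISSING $path"
                problems=$((problems + 1))
                continue
            fi
            read -r actual < "$path"
            if [ "$actual" != "$expected" ]; then
                echo "MISMATCH $path expected=$expected actual=$actual"
                problems=$((problems + 1))
            fi
        done
    done <<EOF
$HARDENING_EXPECTED
EOF
    [ "$problems" -eq 0 ]
}

# Only run automatically when a root is given on the command line, so that
# sourcing the file for its function does not touch /proc/sys.
if [ "$#" -gt 0 ]; then
    check_hardening "$1"
fi
```

A non-zero exit with the mismatch lines on stdout makes the check usable from cron or the same local.start, right after the two scripts have run.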
36. The file router.bash
#!/bin/bash
echo "8376320" > /proc/sys/net/ipv4/ip_conntrack_max
echo "1" > /proc/sys/net/ipv4/ip_forward
killall arpd
echo "1" > /proc/sys/net/ipv4/conf/eth1/proxy_arp
echo "1" > /proc/sys/net/ipv4/conf/eth2/proxy_arp
arpd -i eth1 xxx.xxx.xxx.xxx/x
arpd -i eth2 xxx.xxx.xxx.xxx/x
iptables -t nat -F
#edu-net
iptables -A POSTROUTING -t nat -s 192.168.xxx.xxx -p all -o eth2 -j SNAT --to xxx.xxx.xxx.xxx
iptables -A PREROUTING -t nat -d xxx.xxx.xxx.xxx -p all -i eth2 -j DNAT --to 192.168.xxx.xxx
# (The two rules above are static NAT; xxx.xxx.xxx.xxx is a public IP and may differ from eth2's own address)
iptables -A POSTROUTING -t nat -s xxx.xxx.xxx.xxx/x -p all -o eth2 -j SNAT --to xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx
# (The rule above is dynamic NAT)
#public-net
iptables -A POSTROUTING -t nat -s 192.168.xxx.xxx -p all -o eth1 -j SNAT --to xxx.xxx.xxx.xxx
iptables -A PREROUTING -t nat -d xxx.xxx.xxx.xxx -p all -i eth1 -j DNAT --to 192.168.xxx.xxx
iptables -A POSTROUTING -t nat -s 192.168.xxx.xxx/x -p all -o eth1 -j SNAT --to xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx
#route rule
ip rule add prio 6 from 192.168.xxx.xxx/16 table 6
ip route replace 192.168.xxx.xxx/24 dev eth0 proto static src xxx.xxx.xxx.xxx table 6
ip route replace xxx.xxx.xxx.xxx/x dev eth1 proto static src xxx.xxx.xxx.xxx table 6
ip route replace xxx.xxx.xxx.xxx/x dev eth2 proto static src xxx.xxx.xxx.xxx table 6
# (The routes above make sure the address ranges the NICs sit in are routed correctly)
ip route replace 192.168.xxx.xxx via 192.168.xxx.xxx dev eth0 proto static table 6
ip route replace xxx.xxx.xxx.xxx/21 via xxx.xxx.xxx.xxx dev eth2 proto static table 6
# (The routes above make sure the network ranges behind the NICs are routed correctly)
ip rule add prio 10 from 192.168.xxx.xxx table 10
ip route replace default via xxx.xxx.xxx.xxx dev eth2 proto static table 10
# (This is the uplink used by a server that is exposed to the outside; other public services are handled the same way)
ip route replace 58.17.0.0/16 proto static nexthop via xxx.xxx.xxx.xxx dev eth1 weight 1 nexthop via xxx.xxx.xxx.xxx dev eth2 weight 3
ip route replace 58.19.0.0/16 proto static nexthop via xxx.xxx.xxx.xxx dev eth1 weight 1 nexthop via xxx.xxx.xxx.xxx dev eth2 weight 3
...
....
ip route replace 222.248.0.0/16 proto static via xxx.xxx.xxx.xxx dev eth2
ip route replace 192.168.0.0/16 via 192.168.xxx.xxx dev eth0 proto static # LAN default route
ip route replace xxx.xxx.xxx.xxx/x via xxx.xxx.xxx.xxx dev eth2 proto static # uplink 1 default route
ip route replace default via xxx.xxx.xxx.xxx dev eth1 proto static # default route
ip route flush cache
#iptables-firewall
iptables -F INPUT
iptables -A INPUT -s 192.168.xxx.xxx/24 -d 192.168.xxx.xxx -p tcp --syn --dport 22 -i eth2 -j ACCEPT
iptables -A INPUT -d xxx.xxx.xxx.xxx -p tcp --syn --dport 22 -i eth2 -j REJECT
iptables -A INPUT -d xxx.xxx.xxx.xxx -p tcp --syn --dport 22 -i eth0 -j REJECT
iptables -A INPUT -d xxx.xxx.xxx.xxx -p tcp --syn --dport 22 -i eth1 -j REJECT
iptables -A INPUT -p tcp --syn --dport 4444 -j DROP
iptables -A INPUT -p tcp --syn --dport 135 -j DROP
iptables -A INPUT -p tcp --syn --dport 136 -j DROP
iptables -A INPUT -p tcp --syn --dport 137 -j DROP
iptables -A INPUT -p tcp --syn --dport 138 -j DROP
iptables -A INPUT -p tcp --syn --dport 139 -j DROP
iptables -A INPUT -p tcp --syn --dport 445 -j DROP
iptables -A INPUT -p tcp --syn --dport 593 -j DROP
iptables -A INPUT -p tcp --syn --dport 3127 -j DROP
iptables -A INPUT -p tcp --syn --dport 42 -j DROP
iptables -A INPUT -p tcp --syn --dport 1025 -j DROP
iptables -A INPUT -p tcp --syn --dport 5554 -j DROP
iptables -A INPUT -p tcp --syn --dport 9996 -j DROP
iptables -A INPUT -p tcp --syn --dport 389 -j DROP
iptables -A INPUT -p tcp --syn --dport 636 -j DROP
iptables -A INPUT -p tcp --syn --dport 3268 -j DROP
iptables -A INPUT -p tcp --syn --dport 3269 -j DROP
iptables -A INPUT -p tcp --syn --dport 1503 -j DROP
iptables -A INPUT -p tcp --syn --dport 707 -j DROP
iptables -A INPUT -p tcp --syn --dport 1999 -j DROP
iptables -A INPUT -p tcp --syn --dport 2001 -j DROP
iptables -A INPUT -p tcp --syn --dport 2023 -j DROP
iptables -A INPUT -p tcp --syn --dport 2583 -j DROP
iptables -A INPUT -p tcp --syn --dport 6129 -j DROP
iptables -A INPUT -p tcp --syn --dport 6267 -j DROP
iptables -A INPUT -p tcp --syn --dport 6670 -j DROP
iptables -A INPUT -p tcp --syn --dport 6671 -j DROP
iptables -A INPUT -p tcp --syn --dport 6939 -j DROP
iptables -A INPUT -p tcp --syn --dport 6969 -j DROP
iptables -A INPUT -p tcp --syn --dport 7306 -j DROP
iptables -A INPUT -p tcp --syn --dport 7511 -j DROP
iptables -A INPUT -p tcp --syn --dport 7526 -j DROP
iptables -A INPUT -p tcp --syn --dport 8011 -j DROP
iptables -A INPUT -p tcp --syn --dport 9989 -j DROP
iptables -A INPUT -p tcp --syn --dport 19191 -j DROP
iptables -A INPUT -p tcp --syn --dport 1029 -j DROP
iptables -A INPUT -p tcp --syn --dport 20168 -j DROP
iptables -A INPUT -p tcp --syn --dport 23444 -j DROP
iptables -A INPUT -p tcp --syn --dport 27374 -j DROP
iptables -A INPUT -p tcp --syn --dport 30100 -j DROP
iptables -A INPUT -p tcp --syn --dport 31337 -j DROP
iptables -A INPUT -p tcp --syn --dport 50766 -j DROP
iptables -A INPUT -p tcp --syn --dport 45576 -j DROP
iptables -A INPUT -p tcp --syn --dport 61466 -j DROP
iptables -A INPUT -p udp --dport 135 -j DROP
iptables -A INPUT -p udp --dport 136 -j DROP
iptables -A INPUT -p udp --dport 137 -j DROP
iptables -A INPUT -p udp --dport 138 -j DROP
iptables -A INPUT -p udp --dport 139 -j DROP
iptables -A INPUT -p udp --dport 445 -j DROP
iptables -A INPUT -p udp --dport 593 -j DROP
iptables -A INPUT -p udp --dport 1434 -j DROP
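The INPUT section above is fifty-odd single-port rules that the kernel walks one by one for every new connection. The iptables multiport match lets one rule carry several destination ports, with a hard limit of 15 ports per rule, so the same list fits in four rules. The script below is an added example and not the post's own code: it takes the port lists from the chain above, splits them into groups of at most 15, validates each port, and prints the equivalent rules instead of applying them, so the output can be reviewed (or diffed against `iptables-save`) before it goes into router.bash.

```shell
#!/bin/sh
# Added example (not from the original post): emit 'multiport' DROP rules
# equivalent to the per-port rules in router.bash. Only prints commands.

# Port lists taken from the post's INPUT chain.
TCP_DROP_PORTS="4444 135 136 137 138 139 445 593 3127 42 1025 5554 9996 389 636 3268 3269 1503 707 1999 2001 2023 2583 6129 6267 6670 6671 6939 6969 7306 7511 7526 8011 9989 19191 1029 20168 23444 27374 30100 31337 50766 45576 61466"
UDP_DROP_PORTS="135 136 137 138 139 445 593 1434"

# multiport_rules PROTO "port port ..."
# Prints one rule per group of up to 15 ports (the limit of -m multiport).
# TCP rules keep the post's --syn so only connection attempts are matched.
# Returns 1 without printing the offending group if a port is not 1-65535.
multiport_rules() {
    proto=$1
    extra=""
    [ "$proto" = tcp ] && extra="--syn "
    group=""
    n=0
    for port in $2; do
        case $port in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
        esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
        group="${group:+$group,}$port"
        n=$((n + 1))
        if [ "$n" -eq 15 ]; then
            echo "iptables -A INPUT -p $proto $extra-m multiport --dports $group -j DROP"
            group=""
            n=0
        fi
    done
    # Flush the last, possibly shorter, group.
    [ -n "$group" ] && echo "iptables -A INPUT -p $proto $extra-m multiport --dports $group -j DROP"
    return 0
}

multiport_rules tcp "$TCP_DROP_PORTS"
multiport_rules udp "$UDP_DROP_PORTS"
```

The list is still a blacklist on a chain whose default policy is ACCEPT; the generator does not change that, it only makes the existing policy cheaper to evaluate and easier to audit in one place.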
37. ipcalc.bash (netmask calculation for the education-network ranges; the print part can be rewritten as needed, for instance to generate the "ip route replace 58.19.0.0/16 proto static nexthop via xxx.xxx.xxx.xxx dev eth1 weight 1 nexthop via xxx.xxx.xxx.xxx dev eth2 weight 3" lines)
#!/bin/bash
# Input file ($1): one "network start-address netmask" line per range; output ($2): "network/prefix" per line.
awk '{ cmd = "ipcalc -p " $1 " " $3; cmd | getline var; close(cmd); var = substr(var, 8); print $1 "/" var }' "$1" > "$2"
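The awk one-liner above depends on ipcalc being installed and on the exact layout of its output, and the generated multipath lines are easy to get wrong by hand (a missing space before `weight` makes `ip` reject the route). The script below is an added example, not part of the original post: it converts a dotted netmask to a prefix length in plain shell arithmetic, rejects non-contiguous masks instead of emitting a bad route, and produces the weighted two-uplink `ip route replace` commands from the same input layout as ipcalc.bash. The interface names, the gateway addresses 192.0.2.1 and 198.51.100.1, and the sample ranges are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): ipcalc-free prefix conversion and
# generation of the dual-uplink multipath routes used in router.bash.

# mask2prefix 255.255.0.0 -> prints 16.
# Prints nothing and returns 1 for anything that is not a contiguous netmask.
mask2prefix() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    bits=0; seen_zero=0
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
        i=7
        while [ $i -ge 0 ]; do
            if [ $(( (octet >> i) & 1 )) -eq 1 ]; then
                [ $seen_zero -eq 0 ] || return 1   # a 1 bit after a 0 bit: not a mask
                bits=$((bits + 1))
            else
                seen_zero=1
            fi
            i=$((i - 1))
        done
    done
    echo "$bits"
}

# gen_multipath_routes WAN1DEV GW1 WEIGHT1 WAN2DEV GW2 WEIGHT2
# Reads "network start-address netmask" lines (the ipcalc.bash input layout)
# on stdin and prints one weighted multipath route per valid line; lines with
# a bad mask are reported on stderr and skipped rather than emitted broken.
gen_multipath_routes() {
    wan1=$1; gw1=$2; w1=$3; wan2=$4; gw2=$5; w2=$6
    while read -r net start mask; do
        [ -n "$net" ] || continue
        prefix=$(mask2prefix "$mask") || { echo "skip $net: bad mask '$mask'" >&2; continue; }
        echo "ip route replace $net/$prefix proto static nexthop via $gw1 dev $wan1 weight $w1 nexthop via $gw2 dev $wan2 weight $w2"
    done
}

# Constructed sample input; the last line deliberately carries a bad mask.
SAMPLE_NETS='58.17.0.0 58.17.255.255 255.255.0.0
58.19.0.0 58.19.255.255 255.255.0.0
202.112.0.0 202.112.255.255 255.255.0.0
10.9.8.0 10.9.8.255 255.0.255.0'

# demo: eth1 via 192.0.2.1 weight 1, eth2 via 198.51.100.1 weight 3
# (placeholder gateways; substitute the real next hops).
demo() {
    printf '%s\n' "$SAMPLE_NETS" | gen_multipath_routes eth1 192.0.2.1 1 eth2 198.51.100.1 3
}

demo
```

Feed the real range file in with `gen_multipath_routes eth1 GW1 1 eth2 GW2 3 < ranges.txt > routes.sh` and review routes.sh before sourcing it from router.bash; the stderr lines tell you which input rows were dropped.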
39. Add locale support (in the libraries and in the kernel) so that the iptables string match can later be used for content filtering. :)
40. Still to do: use VLANs to reduce the number of NICs; use tc for traffic shaping; add RADIUS for authentication; add PPPoE; add VPN, and so on; fold in the earlier experiments.
41. In service: about 2,000 users online at once, a peak of about 80,000 concurrent connections, average throughput around 110 Mbps; it runs fine.
42. Hardware: 2.0 GHz CPU, 1 GB RAM.
43. Addendum: settings that make return traffic leave by the uplink it arrived on.
iptables -t mangle -A PREROUTING -i WAN1dev -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x100
iptables -t mangle -A PREROUTING -i WAN2dev -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x200
iptables -t mangle -A POSTROUTING -o WAN1dev -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x100
iptables -t mangle -A POSTROUTING -o WAN2dev -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x200
iptables -t mangle -A PREROUTING -i Landev -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
ip rule add prio 100 from Wan1subnet table 100
ip rule add fwmark 0x100 prio 101 table 100
ip route add table 100 to Wan1subnet dev WAN1dev proto kernel scope link
ip route add table 100 to Wan2subnet dev WAN2dev proto kernel scope link
ip route add table 100 to Lansubnet dev Landev proto kernel scope link
ip route add default via GW1 dev WAN1dev table 100
ip rule add prio 100 from Wan2subnet table 200
ip rule add fwmark 0x200 prio 101 table 200
ip route add table 200 to Wan1subnet dev WAN1dev proto kernel scope link
ip route add table 200 to Wan2subnet dev WAN2dev proto kernel scope link
ip route add table 200 to Lansubnet dev Landev proto kernel scope link
ip route add default via GW2 dev WAN2dev table 200
44. iproute2 must be installed in a version that matches the kernel.