鸿 记5d13.cn

a programer log.


CentOS 6.2 configuration notes

By 鸿记

These are my notes, after countless rounds of Googling and countless headaches, on how I finally got dual-NIC routing working.

1. Router hardware, software and requirements

  • CentOS 6.2
  • dnsmasq (yum install dnsmasq)
  • Two NICs:
    • eth1 connected to the ADSL modem, PPPoE dial-up (yum install rp-pppoe)
    • eth2 connected to the LAN as 192.168.1.1
  • Requirement:
    • every host on the LAN reaches the internet through 192.168.1.1

2. PPPoE configuration

* In the transcript below, my answer follows each prompt, and my comments are in parentheses.

[root@localhost ~]# pppoe-setup
LOGIN NAME

Enter your Login Name: g112001229 (the ADSL account)

INTERFACE

Enter the Ethernet interface connected to the PPPoE modem For Solaris, this is likely to be something like /dev/hme0. For Linux, it will be ethX, where 'X' is a number. (default eth0): eth1 (the NIC connected to the ADSL modem)

Do you want the link to come up on demand, or stay up continuously? If you want it to come up on demand, enter the idle time in seconds after which the link should be dropped. If you want the link to stay up permanently, enter 'no' (two letters, lower-case.) NOTE: Demand-activated links do not interact well with dynamic IP addresses. You may have some problems with demand-activated links. Enter the demand value (default no): no (dial on demand? A gateway normally wants a permanent link, so answer "no")

DNS

Please enter the IP address of your ISP's primary DNS server. If your ISP claims that 'the server will provide dynamic DNS addresses', enter 'server' (all lower-case) here. If you just press enter, I will assume you know what you are doing and not modify your DNS setup. Enter the DNS information here: server (ADSL ISPs normally hand out DNS servers together with the IP address, so answer "server"; otherwise enter your DNS server's IP here)

PASSWORD

Please enter your Password: (enter the ADSL password)
Please re-enter your Password: (enter the ADSL password again)

USERCTRL

Please enter 'yes' (three letters, lower-case.) if you want to allow normal user to start or stop DSL connection (default yes): yes (this lets any local account bring the uplink up or down; on a box that other people log into, answer "no")

FIREWALLING

Please choose the firewall rules to use. Note that these rules are very basic. You are strongly encouraged to use a more sophisticated firewall setup; however, these will provide basic security. If you are running any servers on your machine, you must choose 'NONE' and set up firewalling yourself. Otherwise, the firewall rules will deny access to all standard servers like Web, e-mail, ftp, etc. If you are using SSH, the rules will block outgoing SSH connections which allocate a privileged source port.

The firewall choices are: 0 - NONE: This script will not set any firewall rules. You are responsible for ensuring the security of your machine. You are STRONGLY recommended to use some kind of firewall rules. 1 - STANDALONE: Appropriate for a basic stand-alone web-surfing workstation 2 - MASQUERADE: Appropriate for a machine acting as an Internet gateway for a LAN Choose a type of firewall (0-2): 0 (I recommend not setting up the firewall here; note that with 0 nothing filters traffic on ppp0 until the rules from section 3 are loaded, so load them before the link stays up for long)

Start this connection at boot time

Do you want to start this connection at boot time? Please enter no or yes (default no): yes

Summary of what you entered

Ethernet Interface: eth1
User name: g112291229
Activate-on-demand: No
DNS addresses: Supplied by ISP's server
Firewalling: NONE
User Control: yes
Accept these settings and adjust configuration files (y/n)? y
Adjusting /etc/sysconfig/network-scripts/ifcfg-ppp0
Adjusting /etc/ppp/chap-secrets and /etc/ppp/pap-secrets
(But first backing it up to /etc/ppp/chap-secrets.bak)
(But first backing it up to /etc/ppp/pap-secrets.bak)

Congratulations, it should be all set up!

Type '/sbin/ifup ppp0' to bring up your xDSL link and '/sbin/ifdown ppp0' to bring it down. Type '/sbin/pppoe-status /etc/sysconfig/network-scripts/ifcfg-ppp0' to see the link status.

[root@localhost ~]# ifup ppp0 (bring up the ADSL link)
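An added check, not part of the original post: pppoe-setup writes the ADSL password in clear text into /etc/ppp/chap-secrets and /etc/ppp/pap-secrets and leaves the .bak copies it mentions next to them, so on a gateway that other people log into it is worth confirming those files are owned by root and readable by nobody else. The paths are the ones pppoe-setup prints above; the function names and the optional owner argument (only there so the check can be tried on a non-root account) are my own.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the PPPoE secrets
# files keep the ADSL password private. Paths are those pppoe-setup prints;
# function names and the optional OWNER argument are assumptions of mine.

# secrets_private FILE [OWNER]
# Returns 0 when FILE exists, is owned by OWNER (default root) and has no
# group/other permission bits at all; 1 otherwise. A missing file is a
# failure too, so a typo in the path is not mistaken for "all good".
secrets_private() {
    f=$1
    want=${2:-root}
    [ -f "$f" ] || return 1
    # POSIX find: -user for ownership, symbolic -perm tests for each
    # group/other bit; the path is printed only if every test passes.
    find "$f" -user "$want" \
        ! -perm -g+r ! -perm -g+w ! -perm -g+x \
        ! -perm -o+r ! -perm -o+w ! -perm -o+x -print | grep -q .
}

# secrets_lockdown FILE: strip the group/other bits. pppoe-setup runs as
# root, so ownership is already root; only the mode can be too loose.
secrets_lockdown() {
    chmod 600 "$1"
}

# check_ppp_secrets [OWNER]: report every secrets file (including the .bak
# copies pppoe-setup makes) that is readable by others; returns 1 if any is.
check_ppp_secrets() {
    rc=0
    for f in /etc/ppp/chap-secrets /etc/ppp/pap-secrets \
             /etc/ppp/chap-secrets.bak /etc/ppp/pap-secrets.bak; do
        [ -e "$f" ] || continue
        if secrets_private "$f" "${1:-root}"; then
            echo "ok:      $f"
        else
            echo "EXPOSED: $f (expected root-owned, mode 0600)"
            rc=1
        fi
    done
    return $rc
}

# Usage on the gateway, as root, right after pppoe-setup:
#   check_ppp_secrets || secrets_lockdown /etc/ppp/chap-secrets
```

Run check_ppp_secrets as root after pppoe-setup; any file it reports can be fixed with secrets_lockdown, and the .bak copies can simply be deleted once the link is known to work.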

3. Router configuration

There are generally two ways to make a Linux box route for a LAN: NAT with iptables (masquerading) or plain routing through the route table; I used the iptables method. Either way the kernel must be allowed to forward packets between interfaces, which CentOS disables by default: set net.ipv4.ip_forward = 1 in /etc/sysctl.conf and apply it with sysctl -p, otherwise the rules below do nothing.

[root@localhost ~]# vim /etc/sysconfig/iptables
(the file's contents follow; the lines that matter are the ones with a comment above them)
# Generated by iptables-save v1.4.7 on Mon Apr  8 09:30:48 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# eth2 is the LAN NIC
-A INPUT -i eth2 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
# port used by DNS
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m udp --dport 138 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8888 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# This line cost me an hour before I worked out it was what stopped forwarding; remember to comment it out or delete it!!!
# -A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Apr  8 09:30:48 2013
# Generated by iptables-save v1.4.7 on Mon Apr  8 09:30:48 2013
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# ppp0 is the interface facing the internet
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Mon Apr  8 09:30:48 2013

[root@localhost ~]# service iptables restart

Two things to check before relying on this file. First, the port rules (139/445/137/138 for Samba, 53/udp for the DNS cache, 22, 80, 8080 and 8888) carry no -i eth2, so they apply on ppp0 as well and expose those services to the whole internet; LAN clients are already covered by the -A INPUT -i eth2 -j ACCEPT line, so either delete the port rules or add -i eth2 to each of them. Second, deleting the FORWARD reject means the box forwards whatever it receives, in either direction; the safer fix is to keep that reject and put explicit accepts above it, one for -i eth2 -o ppp0 and one for -m state --state RELATED,ESTABLISHED.
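As an added example, not the post's own file, here is a tighter /etc/sysconfig/iptables for the same gateway (LAN on eth2, internet on ppp0), together with a small lint that flags the three mistakes the post's file has: the table header without its leading asterisk (iptables-restore rejects it), the FORWARD reject with no allow rule before it, and port rules not tied to eth2. The interface names and the 192.168.1.x LAN are the post's; the /24 mask, the MSS clamp rule, and the function names are assumptions of mine.

```shell
#!/bin/sh
# Added example, not the post's own rules: a tighter iptables-restore file for
# the gateway (LAN on eth2 as 192.168.1.0/24, internet on ppp0) plus a lint
# for the mistakes in the post's file. Interface names and LAN are the post's;
# the /24, the mangle rule and the function names are assumptions of mine.
# Forwarding still needs net.ipv4.ip_forward=1 in /etc/sysctl.conf.

# Print the hardened ruleset. FORWARD is closed by default and opens only
# LAN->internet plus the replies; INPUT accepts from the LAN only, so sshd,
# Samba and the DNS cache cannot be reached from ppp0.
hardened_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i eth2 -s 192.168.1.0/24 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth2 -o ppp0 -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# PPPoE costs 8 bytes of MTU (1492); clamp MSS so LAN hosts at 1500 do not stall
-A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
EOF
}

# Lint an iptables-save style file read from stdin. Prints one finding per
# line and exits 1 if there were any: a table header missing its '*', a
# FORWARD REJECT/DROP with no FORWARD ACCEPT before it, and INPUT accepts by
# port that are not tied to eth2 (so they also apply on ppp0).
lint_rules() {
    awk '
        /^(filter|nat|mangle)$/ { print "table header missing *: " $0; n++ }
        /^-A FORWARD .*-j (REJECT|DROP)/ && !fwd_ok { print "FORWARD blocked with no allow rule before it: " $0; n++ }
        /^-A FORWARD .*-j ACCEPT/ { fwd_ok = 1 }
        /^-A INPUT .*--dport/ && /-j ACCEPT/ && !/-i eth2/ { print "port open on every interface, ppp0 included: " $0; n++ }
        END { exit (n > 0) }
    '
}

# Number of lint findings for a ruleset passed as a string.
lint_count() {
    printf '%s\n' "$1" | lint_rules | awk 'END { print NR }'
}

# The post's filter table as it stood before the FORWARD line was commented
# out, transcribed here without annotations (constructed from the post; the
# missing '*' is as the post printed it).
POST_RULES='filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth2 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m udp --dport 138 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8888 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Demo: lint the post's file (11 findings), then the hardened one (none).
printf '%s\n' "$POST_RULES" | lint_rules || :
hardened_rules | lint_rules
```

To use the hardened file on the router, write it with hardened_rules > /etc/sysconfig/iptables and run service iptables restart; lint_rules < /etc/sysconfig/iptables is a quick sanity check after any later hand edit. Note that with INPUT closed to ppp0, SSH to the gateway only works from the LAN, which is the intended state for a home gateway.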

4. Configure a caching DNS server (faster name resolution on the LAN, so pages open faster)

After the steps above the router is done, but here is one optimisation: run a caching DNS server on it so that lookups are answered locally, which makes browsing a little faster and saves a small amount of DNS traffic. BIND can do this easily enough, but after some Googling I settled on dnsmasq.

Run the DNS service on the router and point the router's own resolver at 127.0.0.1. Any answer already in the cache is returned without going out over the network, so repeat lookups are very fast.

Even if the upstream server you give dnsmasq is slow but reliable, only the first lookup of a new name pays the round trip; until the record's TTL expires, later lookups of that name are served from the cache. One thing a cache does not do, though, is defend against the ISP's domain hijacking (mistype an address and you get a telecom advert or a 115 lookup page instead of an error): it simply replays whatever the ISP answered the first time. What helps there is forwarding to a trustworthy upstream resolver instead of the ISP's, or dnsmasq's bogus-nxdomain=<address> option, which turns any answer containing the ISP's advert server address back into NXDOMAIN.

  1. Edit the dnsmasq configuration file: vim /etc/dnsmasq.conf

  2. Find this line

    resolv-file=

  3. Replace it with resolv-file=/etc/resolv.dnsmasq.conf

  4. Copy the original DNS configuration to resolv.dnsmasq.conf. Make sure you have not edited /etc/resolv.conf yourself; if you have, restore it first.

cp /etc/resolv.conf /etc/resolv.dnsmasq.conf

  5. Edit resolv.conf

vim /etc/resolv.conf

Remove all the nameserver lines in it and add this one: nameserver 127.0.0.1

  6. Restart after the change: service dnsmasq restart

Two caveats. Answering "server" in pppoe-setup makes pppd ask the ISP for its DNS servers (pppd's usepeerdns option), and on CentOS the network scripts copy them into /etc/resolv.conf each time ppp0 comes up unless PEERDNS=no is set in /etc/sysconfig/network-scripts/ifcfg-ppp0, which would silently undo step 5 at the next reconnect; either set PEERDNS=no, or point resolv-file at /etc/ppp/resolv.conf, where pppd writes the servers it was given, so the cache follows the ISP's servers automatically. And dnsmasq listens on every interface by default, ppp0 included; combined with the rule in section 3 that accepts udp/53 from anywhere, that makes the router an open resolver on the internet, usable by anyone for DNS amplification. Add interface=eth2 to /etc/dnsmasq.conf so it answers the LAN only.
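An added example, not from the original post: a dnsmasq configuration for the cache in step 4 that answers the LAN only, and a small check that a dnsmasq.conf does not leave an open resolver on ppp0. eth2 and the resolv-file path are the post's; the remaining settings, the placeholder address and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: a LAN-only dnsmasq configuration
# for the cache in step 4, plus a check that a dnsmasq.conf is not an open
# resolver. eth2 and the resolv-file path are the post's; the other settings,
# the 203.0.113.1 placeholder and the function names are assumptions of mine.

# Print the LAN-only configuration (append it to /etc/dnsmasq.conf).
dnsmasq_lan_only_conf() {
cat <<'EOF'
# Answer on the LAN NIC only (loopback is added automatically). dnsmasq's
# default is every interface, which on this box includes ppp0.
interface=eth2
bind-interfaces
# Upstream servers, as in step 3 of the post.
resolv-file=/etc/resolv.dnsmasq.conf
# Never forward bare host names or reverse lookups of private ranges upstream.
domain-needed
bogus-priv
# Drop upstream answers that map public names to private addresses (rebinding).
stop-dns-rebind
# The default cache is 150 entries, small for a whole LAN.
cache-size=1000
# With the ISP's advert-server address here, hijacked "no such domain"
# answers become NXDOMAIN again (203.0.113.1 is a placeholder, not a real one).
#bogus-nxdomain=203.0.113.1
EOF
}

# dnsmasq_lan_only < dnsmasq.conf
# Returns 0 if the config restricts where dnsmasq answers (interface=,
# listen-address= or except-interface=ppp0), 1 if it would answer on every
# interface. Comment and blank lines are ignored, so a commented-out
# interface= line does not count.
dnsmasq_lan_only() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^interface=/ || /^listen-address=/ || /^except-interface=ppp0/ { scoped = 1 }
        END { exit !scoped }
    '
}

# Usage on the router:
#   dnsmasq_lan_only_conf >> /etc/dnsmasq.conf
#   dnsmasq --test && service dnsmasq restart
#   dnsmasq_lan_only < /etc/dnsmasq.conf || echo "still an open resolver"
```

dnsmasq --test only checks syntax; the dnsmasq_lan_only check is what tells you whether the cache is still reachable from ppp0, and it belongs next to the firewall change in section 3 that limits udp/53 to eth2, since either one alone closes the hole but only together do they survive a later edit of the other.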

5. Set each client's gateway and DNS server to 192.168.1.1 and you are done.

$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=3 ttl=48 time=39.1 ms
^C
--- 8.8.8.8 ping statistics ---
6 packets transmitted, 1 received, 83% packet loss, time 5039ms
rtt min/avg/max/mdev = 39.109/39.109/39.109/0.000 ms

$ ping www.baidu.com
PING www.a.shifen.com (115.239.210.27): 56 data bytes
64 bytes from 115.239.210.27: icmp_seq=0 ttl=56 time=19.533 ms
64 bytes from 115.239.210.27: icmp_seq=1 ttl=56 time=21.491 ms
64 bytes from 115.239.210.27: icmp_seq=2 ttl=56 time=20.710 ms
64 bytes from 115.239.210.27: icmp_seq=3 ttl=56 time=19.898 ms
64 bytes from 115.239.210.27: icmp_seq=4 ttl=56 time=19.833 ms
^C
--- www.a.shifen.com ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 19.533/20.293/21.491/0.715 ms

Summary:

  • Google is amazing and fellow engineers are open with what they know, but it still took me three hours. The main reason is that I did not understand iptables on Linux (I still only half do); experience and knowledge are elusive things!
  • With dnsmasq configured, DNS resolution really is a lot faster.


Notice: unless marked as reposted, the articles on this site are the site's own work or its translations.
This article is licensed under the Attribution-NonCommercial-ShareAlike (BY-NC-SA) licence.
When reposting, please credit the source: 【鸿记】centos6.2 配置备忘
