CentOS 6.2 configuration notes

By 鸿记


1. Router hardware/software setup and requirements

  • CentOS 6.2
  • dnsmasq (yum install dnsmasq)
  • Two NICs:
    • eth1 connected to the ADSL modem, PPPoE dial-up for internet access (yum install rp-pppoe)
    • eth2 connected to the LAN as 192.168.1.1
  • Requirements:
    • every host on the LAN can reach the internet through 192.168.1.1

2. PPPoE configuration

* In the session below, text wrapped in **...** is what I typed in, and text wrapped in (*...*) is a comment.

[root@localhost ~]# pppoe-setup

Enter your Login Name: **g112001229** (* ADSL account name *)


Enter the Ethernet interface connected to the PPPoE modem For Solaris, this is likely to be something like /dev/hme0. For Linux, it will be ethX, where 'X' is a number. (default eth0): **eth1** (* the NIC connected to the ADSL modem *)

Do you want the link to come up on demand, or stay up continuously? If you want it to come up on demand, enter the idle time in seconds after which the link should be dropped. If you want the link to stay up permanently, enter 'no' (two letters, lower-case.) NOTE: Demand-activated links do not interact well with dynamic IP addresses. You may have some problems with demand-activated links. Enter the demand value (default no): **no** (* Dial on demand? Normally you want a permanent connection, so enter "no" *)


Please enter the IP address of your ISP's primary DNS server. If your ISP claims that 'the server will provide dynamic DNS addresses', enter 'server' (all lower-case) here. If you just press enter, I will assume you know what you are doing and not modify your DNS setup. Enter the DNS information here: **server** (* With ADSL the ISP normally supplies the DNS servers and the IP address, so enter "server" here; otherwise enter the DNS server IP *)


Please enter your Password: (* enter the ADSL password *)
Please re-enter your Password: (* enter the ADSL password again *)


Please enter 'yes' (three letters, lower-case.) if you want to allow normal user to start or stop DSL connection (default yes): **yes**


Please choose the firewall rules to use. Note that these rules are very basic. You are strongly encouraged to use a more sophisticated firewall setup; however, these will provide basic security. If you are running any servers on your machine, you must choose 'NONE' and set up firewalling yourself. Otherwise, the firewall rules will deny access to all standard servers like Web, e-mail, ftp, etc. If you are using SSH, the rules will block outgoing SSH connections which allocate a privileged source port.

The firewall choices are:
0 - NONE: This script will not set any firewall rules. You are responsible for ensuring the security of your machine. You are STRONGLY recommended to use some kind of firewall rules.
1 - STANDALONE: Appropriate for a basic stand-alone web-surfing workstation
2 - MASQUERADE: Appropriate for a machine acting as an Internet gateway for a LAN
Choose a type of firewall (0-2): **0** (* I recommend not configuring the firewall here *)

Start this connection at boot time

Do you want to start this connection at boot time? Please enter no or yes (default no): **yes**

Summary of what you entered

Ethernet Interface: eth1
User name: g112291229
Activate-on-demand: No
DNS addresses: Supplied by ISP's server
Firewalling: NONE
User Control: yes

Accept these settings and adjust configuration files (y/n)? **y**
Adjusting /etc/sysconfig/network-scripts/ifcfg-ppp0
Adjusting /etc/ppp/chap-secrets and /etc/ppp/pap-secrets
(But first backing it up to /etc/ppp/chap-secrets.bak)
(But first backing it up to /etc/ppp/pap-secrets.bak)

Congratulations, it should be all set up!

Type '/sbin/ifup ppp0' to bring up your xDSL link and '/sbin/ifdown ppp0' to bring it down. Type '/sbin/pppoe-status /etc/sysconfig/network-scripts/ifcfg-ppp0' to see the link status.

[root@localhost ~]# ifup ppp0 (* start the ADSL dial-up *)

3. Router configuration

There are generally two ways to turn a Linux box into a router: iptables forwarding (NAT) and the route routing table. I went with the iptables method.

[root@localhost ~]# vim /etc/sysconfig/iptables
(* The contents of the iptables file follow; note the annotated lines. My notes are written as # comments so the file still loads with iptables-restore *)
# Generated by iptables-save v1.4.7 on Mon Apr  8 09:30:48 2013
# Restored here: the *filter header, the chain policies and the CentOS 6 default
# ESTABLISHED,RELATED rule, which the listing had lost. Without that rule the router's
# own outgoing connections (e.g. dnsmasq's upstream queries) get no replies back.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# eth2 is the LAN-facing NIC
-A INPUT -i eth2 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
# port used by DNS
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m udp --dport 138 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8888 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# This line cost me an hour before I worked out it was what stopped forwarding.
# Remember to comment it out or delete it!!!
# -A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Apr  8 09:30:48 2013
# Generated by iptables-save v1.4.7 on Mon Apr  8 09:30:48 2013
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# ppp0 is the interface connected to the internet
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Mon Apr  8 09:30:48 2013

[root@localhost ~]# service iptables restart
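As an added example (my own code, not from the original post), a small Python checker that reads an iptables-save file and flags the three things this section hinges on: an active FORWARD REJECT/DROP rule like the one that cost the author an hour, a missing MASQUERADE on ppp0, and INPUT ACCEPT rules for service ports (53, 22, 80, ...) that are not limited with -i eth2 and are therefore also reachable from the ADSL side. The sample ruleset and the eth2/ppp0 names follow the page; the function names are assumptions of mine.

```python
import shlex

# Constructed sample in iptables-save format, modelled on the ruleset above
# (eth2 = LAN NIC, ppp0 = ADSL uplink) with the FORWARD reject still active.
SAMPLE = """\
*filter
:FORWARD ACCEPT [0:0]
-A INPUT -i eth2 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
"""

def parse_rules(text):
    """Yield (table, argv) for each -A line; '*' lines select the table, '#'/':' lines are skipped."""
    table = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            yield table, shlex.split(line)

def option(argv, flag):
    """Value following flag (e.g. '--dport'), or None if the rule has no such option."""
    return argv[argv.index(flag) + 1] if flag in argv else None

def audit(text, lan_if="eth2", wan_if="ppp0"):
    """Return findings: broken forwarding, INPUT accepts not bound to the LAN NIC, missing NAT."""
    findings, has_masq = [], False
    for table, argv in parse_rules(text):
        chain, target = argv[1], option(argv, "-j")
        if table == "filter" and chain == "FORWARD" and target in ("REJECT", "DROP"):
            findings.append("FORWARD %s rule blocks LAN->WAN forwarding" % target)
        elif table == "filter" and chain == "INPUT" and target == "ACCEPT":
            port = option(argv, "--dport")
            if port and option(argv, "-i") != lan_if:  # no -i: matches on ppp0 too
                findings.append("port %s accepted on all interfaces incl. %s" % (port, wan_if))
        elif table == "nat" and chain == "POSTROUTING" and target == "MASQUERADE":
            has_masq = has_masq or option(argv, "-o") == wan_if
    if not has_masq:
        findings.append("no MASQUERADE on %s" % wan_if)
    return findings
```

The udp/53 finding is the one to act on: accepting DNS on every interface while the resolver also answers on ppp0 turns the router into an open DNS resolver on the ADSL line, so restrict that rule to -i eth2 and bind dnsmasq to the LAN side (its interface= / listen-address= options).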

4. Configure a DNS cache server (speeds up name resolution on the LAN, i.e. pages open faster)

With the above done the router already works, but here is one optimisation: run a DNS service that caches DNS data, which speeds up browsing on the LAN and saves a little DNS lookup traffic. BIND on Linux makes it easy to set up a DNS server, but after some googling I ended up using dnsmasq.



  1. Edit the dnsmasq configuration file: vim /etc/dnsmasq.conf

  2. Find the following entry:

  3. Replace it with this single line: resolv-file=/etc/resolv.dnsmasq.conf

  4. Copy the original DNS configuration to resolv.dnsmasq.conf. Make sure you have not modified /etc/resolv.conf; if you have, restore it first.

cp /etc/resolv.conf /etc/resolv.dnsmasq.conf

  5. Edit resolv.conf:

vim /etc/resolv.conf

Remove all the name servers in it and add the following line: nameserver

  6. Restart after the change: service dnsmasq restart

5. Set both the gateway and the DNS server on the client machines to  and you are done.

$ ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=3 ttl=48 time=39.1 ms
--- ping statistics ---
6 packets transmitted, 1 received, 83% packet loss, time 5039ms
rtt min/avg/max/mdev = 39.109/39.109/39.109/0.000 ms

$ ping www.baidu.com
PING www.a.shifen.com ( 56 data bytes
64 bytes from icmp_seq=0 ttl=56 time=19.533 ms
64 bytes from icmp_seq=1 ttl=56 time=21.491 ms
64 bytes from icmp_seq=2 ttl=56 time=20.710 ms
64 bytes from icmp_seq=3 ttl=56 time=19.898 ms
64 bytes from icmp_seq=4 ttl=56 time=19.833 ms
^C
--- www.a.shifen.com ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 19.533/20.293/21.491/0.715 ms


  • Google is amazing and fellow engineers are very open, but it still took me three hours to get this working. The main reason is that I didn't understand iptables on Linux (and still only half do); experience and knowledge are mysterious things!
  • After setting up dnsmasq, DNS resolution really is much faster.

by 鸿记

This article is licensed under the Attribution-NonCommercial-ShareAlike (BY-NC-SA) licence.
When reposting, please credit the source: 【鸿记】CentOS 6.2 configuration notes
