文章摘要
我们实在不堪忍受所里的网速,决定另辟蹊径自谋出路。最终决定在内网畅通的情况下,通过内网经由省肿芯上网。需要一台路由器,我只好忍痛割爱、以大局为重,献出双机中的“双子座”,安装并配置红帽Linux9。
安装类型选择工作站。
磁盘分区设置选择了自动分区,事后发现40G的硬盘只显示了20G,另一半不翼而飞了,早知道的话就手动分区了,不过就当路由,丢了20G也懒得去找了。
语言选了简体中文并设为默认,结果新插上设备之后,报错信息显示的都是乱码。语言问题比较复杂,如果需求比较单一,还是选择英文为默认的好。
禁用防火墙。
主机名:LinuxWSF。后来觉得还是Jinternet比较好,可不知道在哪改,知道的时候也已经晚了(参见Linux一句话精彩问答)。以后再装Linux,事先一定要起好名字。
根口令:cuthere。新建一用户:jysoft/cuwhere。
配好防火墙以后,还要安装OpenVPN,同事帮着装的。
安装的时候总有静电,从家里拿了一根避雷针。
【2008-02】BEGIN
〖rt_tables〗
#
# reserved values
#
#255 local
#254 main
#253 default
#0 unspec
# Extra routing table used by rc.local for policy routing: every
# "ip route ... table jt" / "ip rule ... table jt" call resolves to id 200.
200 jt
#
# local
#
#1 inr.ruhep
〖ifcfg-eth0〗
# ifcfg-eth0: static address on the 10.21.36.0/24 segment. The GATEWAY below
# is the next hop that rc.local puts into routing table "jt"; the 2008-02
# rc.local also replaces the main-table default route that the network
# scripts derive from GATEWAY=.
DEVICE=eth0
# Static addressing, no DHCP.
BOOTPROTO=none
ONBOOT=yes
IPADDR=10.21.36.221
NETMASK=255.255.255.0
# Only root may bring the interface up or down.
USERCTL=no
# Do not let this interface rewrite /etc/resolv.conf.
PEERDNS=no
TYPE=Ethernet
GATEWAY=10.21.36.254
NETWORK=10.21.36.0
BROADCAST=10.21.36.255
〖ifcfg-eth1〗
# ifcfg-eth1: static address on 10.0.0.0/24. No GATEWAY= is set here; the
# 2008-02 rc.local installs the main-table default route via 10.0.0.1 on
# this interface explicitly.
DEVICE=eth1
# Static addressing, no DHCP.
BOOTPROTO=none
ONBOOT=yes
IPADDR=10.0.0.111
NETMASK=255.255.255.0
# Only root may bring the interface up or down.
USERCTL=no
# Do not let this interface rewrite /etc/resolv.conf.
PEERDNS=no
TYPE=Ethernet
NETWORK=10.0.0.0
BROADCAST=10.0.0.255
〖rc.local〗
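#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
#
# Policy routing for the two-homed box: everything defaults out of eth1
# (via 10.0.0.1), except traffic for 10.21.0.0/16, which is sent through the
# eth0 gateway using routing table "jt" (id 200 in rt_tables).
# The "ip" calls are written so the script can be re-run by hand without
# failing with "File exists" or stacking up duplicate rules.
touch /var/lock/subsys/local

# Default route of the main table (overrides the one derived from GATEWAY=
# in ifcfg-eth0). "replace" is idempotent, unlike "add".
ip route replace default via 10.0.0.1 dev eth1 table main
ip route replace default via 10.21.36.254 table jt

# Send 10.21.0.0/16 through table jt. "ip rule add" appends another copy on
# every run, so remove any previous instance first; the delete is expected
# to fail on a fresh boot.
ip rule del to 10.21.0.0/16 pref 10001 table jt 2>/dev/null
ip rule add to 10.21.0.0/16 pref 10001 table jt

# Masquerade forwarded traffic from 192.168.3.0/24 leaving on eth1.
# NOTE(review): 192.168.3.0/24 is not an address of eth0 or eth1 in the
# ifcfg files; presumably the OpenVPN subnet - confirm. This script installs
# no filter-table rules, so forwarding is only as restricted as whatever
# firewall script ran before it.
iptables -A POSTROUTING -t nat -s 192.168.3.0/24 -o eth1 -j MASQUERADE

# Enable forwarding only after the NAT rule exists, so nothing is forwarded
# un-NATed in between.
echo 1 > /proc/sys/net/ipv4/ip_forward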
【2008-02】END
【 rc.local 】old
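#===== Start The Firewall......
#----- Firewall With Only "IpTables", Very Fast
# Exactly one of the firewall variants below is meant to be active. Report
# loudly if the chosen one cannot run: otherwise a missing or non-executable
# script leaves the box without its NAT/firewall rules and nothing in the
# boot output says why. rc.local itself must keep going, so only report.
if [ -x /etc/rc.d/firewall_IpTbl ]; then
  /etc/rc.d/firewall_IpTbl
else
  echo "rc.local: /etc/rc.d/firewall_IpTbl is missing or not executable; firewall not started" >&2
fi
#----- Firewall With Only "IpTables", Very Fast, But Only Free IP Are Available
# /etc/rc.d/freewall
#----- Firewall With Both "IpTables" And "Squid", Only Http's Speed Is Slow
# /etc/rc.d/firewall_SqIt
# /home/lgz/ntop/ntop/ntop -w 3000 -d
# /home/lgz/ntop/ntop/ntop -P /home/lgz/ntop/Output -d -i eth1
#===== Start Samba Service
# /etc/rc.d/init.d/smb start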
【 rc.local 】new
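# Policy routing + NAT for the later layout: 10.21.0.0/16 leaves through
# table "jt" (default via 10.21.36.254), everything else keeps the main
# table; 192.168.3.0/24 is masqueraded when leaving on eth0.
# "replace" and the del/add pair keep the script re-runnable without
# "File exists" errors or duplicate rules.
ip route replace default via 10.21.36.254 table jt
ip rule del to 10.21.0.0/16 pref 10000 table jt 2>/dev/null
ip rule add to 10.21.0.0/16 pref 10000 table jt
# NOTE(review): 192.168.3.0/24 is not an address of eth0 or eth1 in the
# ifcfg files; presumably the OpenVPN subnet - confirm. No filter-table
# rules are installed here, so forwarding is only as restricted as whatever
# firewall script ran before this.
iptables -A POSTROUTING -t nat -s 192.168.3.0/24 -o eth0 -j MASQUERADE
# Enable forwarding after the NAT rule exists.
echo 1 > /proc/sys/net/ipv4/ip_forward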
【防火墙脚本】最简洁的 2006/12
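# Minimal NAT router (2006/12): one default route plus masquerading.
# The assignments must not carry a leading "$": "$IT=iptables" expands the
# (empty) variable and tries to run a command called "=iptables", so every
# variable stayed unset and both commands below ran with missing arguments.
IT=iptables
# Next-hop gateway used as "via" below (not a local address, despite the name).
ExtIP=192.168.2.1
Exth=eth0
LclIPs=192.168.0.0/24
ip route replace default via "$ExtIP" dev "$Exth" table main
"$IT" -A POSTROUTING -t nat -s "$LclIPs" -o "$Exth" -j MASQUERADE
# Enable forwarding after the NAT rule exists.
echo 1 > /proc/sys/net/ipv4/ip_forward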
【防火墙脚本】freewall_5 2002/10
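#!/bin/bash
#===== Complete stateful firewall script. Maintained by Li Guangzhe
#      (the "#!" line only takes effect as the first line of the file)
#
# Two-interface NAT firewall for a LAN ($LclIP on $Inth) behind one public
# address ($ExtIP on $Exth). LAN hosts may talk to the Internet only for the
# destinations listed in $FreeIPList (one address or prefix per line; blank
# lines and "#" comments are ignored). The box itself serves $SERVICES to
# the outside and otherwise accepts only replies to existing connections on
# $Exth. All default policies are DROP; forwarding is switched on last so
# that no packet is forwarded before the rules exist.
#===== Some varities
ExtIP=202.118.228.151
IntIP=192.168.0.1
LclIP=192.168.0.0/24
Exth=eth0
Inth=eth1
INTERFACES="lo eth0 eth1"
# NOTE(review): ftp and telnet are cleartext protocols; listed here only
# because the original policy exposed them - confirm they are still wanted.
SERVICES="http ftp smtp telnet"
IpTables=/sbin/iptables
ModProbe=/sbin/modprobe
FreeIPList=/home/lgz/DirFreeIPList/FileFreeIPList
#===== Make sure FreeIPList exits
if ! [ -f "$FreeIPList" ]; then
  echo "Not Found necessory files: $FreeIPList" >&2
  echo "IpTables firewall not be set!" >&2
  exit 1
fi
#===== Display information that we start the firewall service
echo "Starting firewall..."
#===== Load necessary modules for IpTables (netfilter, nat, etc.)
Modules="ip_tables ip_nat_ftp ip_conntrack_ftp"
for i in $Modules; do
  "$ModProbe" "$i"
done
# (an early "-t nat -A POSTROUTING -o $Exth -j SNAT" used to sit here; it
#  was a no-op because the nat table is flushed just below, and the real
#  source-NAT rules live in the "nat POSTROUTING" section)
#===== Refresh all chains, flush standard tables: default nat mangle
"$IpTables" -F
"$IpTables" -F -t nat
"$IpTables" -F -t mangle
"$IpTables" -P INPUT DROP
"$IpTables" -P OUTPUT DROP
"$IpTables" -P FORWARD DROP
# The nat table only sees the first packet of a connection, so a DROP policy
# here stops any new connection whose source/interface is not accepted below.
"$IpTables" -t nat -P POSTROUTING DROP
"$IpTables" -t nat -P PREROUTING DROP
"$IpTables" -t nat -P OUTPUT ACCEPT
"$IpTables" -t mangle -P PREROUTING ACCEPT
"$IpTables" -t mangle -P OUTPUT ACCEPT
#===== INPUT chain
"$IpTables" -A INPUT -i lo -j ACCEPT
"$IpTables" -A INPUT -i "$Inth" -j ACCEPT
"$IpTables" -A INPUT -i "$Exth" -m state --state ESTABLISHED,RELATED -j ACCEPT
#===== OUTPUT chain
"$IpTables" -A OUTPUT -o lo -j ACCEPT
"$IpTables" -A OUTPUT -o "$Inth" -j ACCEPT
# Replies to connections accepted on INPUT (the $SERVICES below) must be
# allowed out on $Exth; with only the OUTPUT DROP policy the SYN/ACK never
# leaves the box and none of those services is reachable. NEW connections
# originated by the box towards $Exth are still dropped.
"$IpTables" -A OUTPUT -o "$Exth" -m state --state ESTABLISHED,RELATED -j ACCEPT
#===== nat POSTROUTING
"$IpTables" -t nat -A POSTROUTING -s "$ExtIP" -j ACCEPT
"$IpTables" -t nat -A POSTROUTING -s "$IntIP" -j ACCEPT
"$IpTables" -t nat -A POSTROUTING -s 127.0.0.1 -j ACCEPT
"$IpTables" -t nat -A POSTROUTING -s "$LclIP" -o "$Exth" -j SNAT --to "$ExtIP"
#===== nat PREROUTING
"$IpTables" -t nat -A PREROUTING -i "$Inth" -s "$LclIP" -j ACCEPT
"$IpTables" -t nat -A PREROUTING -i "$Exth" -d "$ExtIP" -j ACCEPT
"$IpTables" -t nat -A PREROUTING -i lo -j ACCEPT
#===== Enable some services that comes from outside
for x in $SERVICES; do
  "$IpTables" -A INPUT -p tcp --dport "$x" -m state --state NEW -j ACCEPT
done
#===== If there are some attackers, cheat them
"$IpTables" -A INPUT -p tcp -i "$Exth" -j REJECT --reject-with tcp-reset
"$IpTables" -A INPUT -p udp -i "$Exth" -j REJECT --reject-with icmp-port-unreachable
#===== Explicitly disable ECN
if [ -e /proc/sys/net/ipv4/tcp_ecn ]; then
  echo 0 > /proc/sys/net/ipv4/tcp_ecn
fi
#===== Disable spoofing on all interfaces
for x in $INTERFACES; do
  echo 1 > /proc/sys/net/ipv4/conf/"$x"/rp_filter
done
#====================
#===== FORWARD chain
#====================
#===== Enbale LAN access The Internet, but only Free IP available
# Each line of $FreeIPList goes straight into an iptables command line, so
# it is validated first: blank lines and "#" comments are skipped, and an
# entry is rejected if it starts with "-" or contains anything other than
# letters, digits, ".", "/", "_" or "-" (an extra word or a "! " would
# otherwise be word-split into additional iptables arguments).
# read -r without IFS= keeps the original trimming of surrounding blanks.
while read -r aFreeIP || [ -n "$aFreeIP" ]; do
  case "$aFreeIP" in
    ''|'#'*)
      continue ;;
    -*|*[!0-9A-Za-z./_-]*)
      echo "Ignoring malformed entry in $FreeIPList: $aFreeIP" >&2
      continue ;;
  esac
  "$IpTables" -A FORWARD -o "$Exth" -d "$aFreeIP" -i "$Inth" -s "$LclIP" -j ACCEPT
  "$IpTables" -A FORWARD -i "$Exth" -s "$aFreeIP" -o "$Inth" -d "$LclIP" -j ACCEPT
done < "$FreeIPList"
# $IpTables -A FORWARD -o $Exth -d www.google.com -i $Inth -s $LclIP -j ACCEPT
# $IpTables -A FORWARD -i $Exth -s www.google.com -o $Inth -d $LclIP -j ACCEPT
# Same match as the SNAT rule in "nat POSTROUTING"; SNAT is a terminating
# target, so this line is effectively never reached. Kept as in the original.
"$IpTables" -t nat -A POSTROUTING -o "$Exth" -s "$LclIP" -j MASQUERADE
echo "Free IP over!"
#===== Log some events or links that access to charge sites
#----- /etc/rc.d/init.d/syslog restart -> /var/log/messages
# $IpTables -A FORWARD -j LOG --log-prefix "<$>"
# $IpTables -A FORWARD -j ACCEPT
# echo "Charge IP over!"
#===== Only now, with all rules and DROP policies in place, enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
#===== Tell Firewall builded
echo "Firewall established successfully!"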
【防火墙脚本】firewall_SqIt 2002/9
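#!/bin/bash
#===== Complete stateful firewall script. Maintained by Li Guangzhe
#      (the "#!" line only takes effect as the first line of the file)
#
# NAT gateway with transparent Squid: traffic leaving on $UPLINK is
# source-NATed to $UPIP, and LAN web traffic (tcp/80) is redirected to the
# local Squid on 192.168.0.1:8080. NOTE: every INPUT restriction below is
# commented out and "-F" empties the filter table, so despite the header
# this script filters nothing - the box's own services stay reachable from
# $UPLINK.
#===== Some varities
UPLINK="eth0"
UPIP="202.118.228.151"
INTERFACES="lo eth0 eth1"
SERVICES="http ftp smtp telnet"
#===== Display information that we start the firewall service
echo "Starting firewall..."
#===== Refresh all chains
/sbin/iptables -F
# The nat table is not flushed here (the line is commented out; the
# firewall_IpTbl variant does flush it), so re-running this script appends a
# second copy of the SNAT and DNAT rules below.
# /sbin/iptables -F -t nat
#===== Refuse Access From Internet
#iptables -P INPUT DROP
#iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
#iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#===== Enable some services that comes from outside
#for x in ${SERVICES}
#do
#/sbin/iptables -A INPUT -p tcp --dport ${x} -m state --state NEW -j ACCEPT
#done
#===== If there are some attackers, cheat them
#/sbin/iptables -A INPUT -p tcp -i ${UPLINK} -j REJECT --reject-with tcp-reset
#/sbin/iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable
#===== Explicitly disable ECN
if [ -e /proc/sys/net/ipv4/tcp_ecn ]; then
  echo 0 > /proc/sys/net/ipv4/tcp_ecn
fi
#===== Disable spoofing on all interfaces
for x in ${INTERFACES}; do
  echo 1 > /proc/sys/net/ipv4/conf/"${x}"/rp_filter
done
#===== Load Necessary Module
/sbin/modprobe ip_tables
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/iptables -t nat -A POSTROUTING -o "${UPLINK}" -j SNAT --to "${UPIP}"
#===== Use Squid Proxy HTTP Service
# Restricted to the LAN interface: without "-i eth1" this PREROUTING rule
# also matched tcp/80 arriving on ${UPLINK} for any destination, pulling
# outside clients into the local proxy. eth1 is the non-uplink interface
# listed in $INTERFACES.
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.0.1:8080
#===== Enable forwarding last, once the NAT rules exist
echo 1 > /proc/sys/net/ipv4/ip_forward
#===== Tell Firewall builded
echo "Firewall established successfully!"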
【防火墙脚本】firewall_IpTbl 2002/10
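#!/bin/bash
#===== Complete stateful firewall script. Maintained by Li Guangzhe
#      (the "#!" line only takes effect as the first line of the file)
#
# NAT gateway: traffic leaving on $UPLINK is source-NATed to $UPIP and the
# box serves $SERVICES. No default policy is set anywhere in this script and
# "-F" does not reset policies, so INPUT and FORWARD keep whatever policy was
# in effect before (the kernel default is ACCEPT); the ACCEPT rules below
# therefore add permissions and never restrict anything on their own.
#===== Some varities
UPLINK="eth0"
UPIP="202.118.228.151"
INTERFACES="lo eth0 eth1"
# NOTE(review): ftp and telnet are cleartext protocols; kept as in the
# original policy - confirm they are still wanted.
SERVICES="http ftp smtp telnet"
#===== Display information that we start the firewall service
echo "Starting firewall..."
#===== Refresh all chains
/sbin/iptables -F
/sbin/iptables -F -t nat
#===== Refuse Access From Internet
# /sbin/iptables -P INPUT ACCEPT
# iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#===== Enable some services that comes from outside
# (with an ACCEPT policy on INPUT these rules change nothing; they only
#  matter once the "Refuse Access" block above is re-enabled with DROP)
for x in ${SERVICES}; do
  /sbin/iptables -A INPUT -p tcp --dport "${x}" -m state --state NEW -j ACCEPT
done
#===== If there are some attackers, cheat them
# /sbin/iptables -A INPUT -p tcp -i ${UPLINK} -j REJECT --reject-with tcp-reset
# /sbin/iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable
#===== Explicitly disable ECN
if [ -e /proc/sys/net/ipv4/tcp_ecn ]; then
  echo 0 > /proc/sys/net/ipv4/tcp_ecn
fi
#===== Disable spoofing on all interfaces
for x in ${INTERFACES}; do
  echo 1 > /proc/sys/net/ipv4/conf/"${x}"/rp_filter
done
#===== Load Necessary Module
/sbin/modprobe ip_tables
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
# Source-NAT for everything leaving on the uplink, not only the LAN prefix.
/sbin/iptables -t nat -A POSTROUTING -o "${UPLINK}" -j SNAT --to "${UPIP}"
#===== Added By Thering
#/sbin/iptables -t nat -A PREROUTING -i eth1 -d 192.168.0.1 -j DNAT --to 202.118.224.25
#/sbin/iptables -t nat -A PREROUTING -i eth0 -d 202.118.228.151 -j DNAT --to 202.118.224.25
#/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8080 -j DNAT --to 192.168.0.1
#===== Enbale LAN access The Internet
# NOTE(review): FORWARD policy is never set here, so this ACCEPT is
# redundant under the default policy and traffic from other sources is
# forwarded as well - confirm whether "-P FORWARD DROP" was intended.
/sbin/iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT
# Never reached for LAN packets: the SNAT rule above already matched them
# and SNAT is a terminating target. Kept as in the original.
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
#===== HIT, 2002-09-27, By WebMaster
# /sbin/iptables -A FORWARD -p tcp -o eth0 -d ! 202.118.0.0/16 -i eth1 -s ! 192.168.0.80 -j DROP
# /sbin/iptables -A FORWARD -p tcp -i eth0 -s ! 202.118.0.0/16 -o eth1 -d ! 192.168.0.80 -j DROP
#===== Log some events or links
#/sbin/iptables -A FORWARD -s ! 202.118.0.0/16 -d ! 192.168.0.254 -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix "<>"
#/sbin/iptables -A FORWARD -s ! 202.118.0.0/16 -j LOG --log-prefix "<#>"
#===== Use Squid Proxy HTTP Service
# /sbin/iptables -t nat -A PREROUTING -p tcp -s 192.168.0.78 --dport 80 -j DNAT --to 192.168.0.1:8080
#===== Enable forwarding last, once the NAT rules are in place
echo 1 > /proc/sys/net/ipv4/ip_forward
#===== Tell Firewall builded
echo "Firewall established successfully!"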