Сервер Red Hat Linux 9.0
Настройка маршрутизатора shrek.technet
Если одновременно установлены и ipchains, и iptables,
то ipchains надо удалить из запуска следующими командами:
# Switch the boot-time firewall from ipchains to iptables; the two must not run together.
# Disable ipchains in every runlevel so it is never started at boot.
chkconfig --level 0123456 ipchains off
# Stop the ipchains service that is currently running.
service ipchains stop
# Enable iptables in the multi-user runlevels (2, 3 and 5).
chkconfig --level 235 iptables on
# Unload the ipchains kernel module so the iptables modules can take over.
rmmod ipchains
Конфигурационный файл /etc/sysctl.conf
[root@shrek /root]# less /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
# Must be 1 for this host to act as a router between eth0 and eth1; the
# SNAT/DNAT rules in /etc/sysconfig/iptables only see forwarded packets with it on.
net.ipv4.ip_forward = 1

# Controls source route verification
# Reverse-path filtering: keep enabled on a NAT router so packets whose source
# address is not routable back out the arrival interface are dropped
# (limits address spoofing from either side).
net.ipv4.conf.default.rp_filter = 1

# Controls the System Request debugging functionality of the kernel
# Disabled: magic SysRq gives anyone at the console kernel-level actions.
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
Конфигурационный файл ifcfg-eth0
/etc/sysconfig/network-scripts/ifcfg-eth0
/etc/sysconfig/networking/devices/ifcfg-eth0
/etc/sysconfig/networking/profiles/default/ifcfg-eth0
[root@shrek /root]# less /etc/sysconfig/network-scripts/ifcfg-eth0
# Internal (LAN) interface: static address on 172.18.1.0/24, the network that
# is SNATed in /etc/sysconfig/iptables.
DEVICE=eth0
ONBOOT=yes
# Static configuration, no DHCP on the LAN side.
BOOTPROTO=none
IPADDR=172.18.1.200
NETMASK=255.255.255.0
# NOTE(review): 81.176.142.9 is not inside 172.18.1.0/24; it is the upstream
# gateway of eth1 (see ifcfg-eth1 v.2). Presumably the default route is meant to
# leave via eth1 — confirm this entry is intended on the LAN interface.
GATEWAY=81.176.142.9
TYPE=Ethernet
# Only root may bring the interface up or down.
USERCTL=no
# Do not let this interface rewrite /etc/resolv.conf.
PEERDNS=no
NETWORK=172.18.1.0
BROADCAST=172.18.1.255
Конфигурационный файл ifcfg-eth1
/etc/sysconfig/network-scripts/ifcfg-eth1
/etc/sysconfig/networking/devices/ifcfg-eth1
/etc/sysconfig/networking/profiles/default/ifcfg-eth1
[root@shrek /root]# less /etc/sysconfig/network-scripts/ifcfg-eth1
# Uplink interface, first variant: address, mask and gateway come from DHCP.
DEVICE=eth1
ONBOOT=yes
BOOTPROTO=dhcp
# Only root may bring the interface up or down.
USERCTL=no
# Asks dhclient not to overwrite /etc/resolv.conf; the resolv.conf listings
# below still carry a "generated by /sbin/dhclient-script" header — confirm.
PEERDNS=no
TYPE=Ethernet
Конфигурационный файл ifcfg-eth1 (v.2)
/etc/sysconfig/network-scripts/ifcfg-eth1
/etc/sysconfig/networking/devices/ifcfg-eth1
/etc/sysconfig/networking/profiles/default/ifcfg-eth1
[root@shrek /root]# less /etc/sysconfig/network-scripts/ifcfg-eth1
# Uplink interface, second variant: static /30 assigned by the provider.
DEVICE=eth1
ONBOOT=yes
BOOTPROTO=none
# Public address; also the SNAT source for the LAN in /etc/sysconfig/iptables.
IPADDR=81.176.142.10
NETMASK=255.255.255.252
# Provider-side router; it is also the nameserver in the first resolv.conf.
GATEWAY=81.176.142.9
TYPE=Ethernet
# Only root may bring the interface up or down.
USERCTL=no
# Do not let this interface rewrite /etc/resolv.conf.
PEERDNS=no
NETWORK=81.176.142.8
BROADCAST=81.176.142.11
Конфигурационный файл /etc/sysconfig/networking/devices/eth0.route
[root@shrek /root]# less /etc/sysconfig/networking/devices/eth0.route
# Static route attached to eth0: ADDRESS0/NETMASK0 reached via GATEWAY0.
# NOTE(review): this points eth1's own /30 (81.176.142.8/30) at 81.176.142.9
# through the LAN interface, where that gateway is not on-link
# (172.18.1.0/24). It looks like a leftover from an earlier layout — confirm.
GATEWAY0=81.176.142.9
NETMASK0=255.255.255.252
ADDRESS0=81.176.142.10
Конфигурационный файл /etc/sysconfig/networking/devices/eth1.route
[root@shrek /root]# less /etc/sysconfig/networking/devices/eth1.route
# Static route attached to eth1: ADDRESS0/NETMASK0 reached via GATEWAY0.
# NOTE(review): routes 172.18.1.0/24 — the LAN directly attached to eth0 —
# via 172.18.1.200, which is eth0's own address, out of eth1. The kernel
# already has a connected route for that subnet on eth0, so this entry looks
# redundant or mis-filed — confirm.
GATEWAY0=172.18.1.200
NETMASK0=255.255.255.0
ADDRESS0=172.18.1.0
Конфигурационный файл resolv.conf
/etc/resolv.conf
/etc/sysconfig/networking/profiles/default/resolv.conf
[root@shrek /root]# less /etc/resolv.conf
; generated by /sbin/dhclient-script
; Presumably written while eth1 used BOOTPROTO=dhcp; the ifcfg files set
; PEERDNS=no, so confirm which interface supplied these values.
search ga34.local
; The upstream gateway doubles as resolver; /etc/sysconfig/iptables admits
; UDP replies from this address with source port 53.
nameserver 81.176.142.9
Конфигурационный файл resolv.conf (v.2)
/etc/resolv.conf
/etc/sysconfig/networking/profiles/default/resolv.conf
[root@shrek /root]# less /etc/resolv.conf
; generated by /sbin/dhclient-script
search ga34.7w.ru
; NOTE(review): the explicit DNS-reply rule in /etc/sysconfig/iptables only
; names 81.176.142.9; with this resolver it no longer applies (the blanket
; per-interface ACCEPT rules would admit the replies anyway) — confirm.
nameserver 81.176.143.2
Конфигурационный файл /etc/sysconfig/iptables
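[root@shrek /root]# less /etc/sysconfig/iptables
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
#
# Review fix: the listing used single-dash forms (-dport, -sport, -syn) and a
# bare "j ACCEPT". iptables parses "-dport 80" as "-d port 80" and "-syn" as
# "-s yn", so the table would not load as printed. Restored the documented
# --dport / --sport / --syn / -j spellings, matching the second listing below.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
# Locally delivered and forwarded traffic both go through the lokkit chain.
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
# Published services (new connections only): HTTP, FTP control, SSH, SMTP.
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 21 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
# DHCP (bootps/bootpc) on both interfaces.
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
# NOTE(review): the next two rules accept everything arriving on eth0 (LAN) and
# on eth1 (the public uplink, 81.176.142.10 per ifcfg-eth1 v.2). The REJECT
# rules at the end are then reachable only for interfaces other than lo/eth0/eth1,
# and because FORWARD also jumps into this chain, whatever the upstream delivers
# on eth1 is forwarded to the LAN unfiltered. If that is not intended, drop the
# eth1 rule and keep the per-port ACCEPTs above as the published set.
-A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth1 -j ACCEPT
# Replies from the upstream resolver named in /etc/resolv.conf.
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 81.176.142.9 --sport 53 -d 0/0 -j ACCEPT
# Default for anything not matched above: reject new TCP connections and all UDP.
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
COMMIT
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Earlier attempt through a custom chain, kept disabled for reference.
#:RH-SunTechnic-0-50-OUTPUT - [0:0]
#-A OUTPUT -j RH-SunTechnic-0-50-OUTPUT
#-A PREROUTING -j RH-SunTcchnic-0-50-OUTPUT
#-A POSTROUTING -j RH-SunTechnic-0-50-OUTPUT
#-A RH-SunTechnic-0-50-OUTPUT -s 172.18.1.0/24 -j SNAT -to-source 81.176.142.10
# Source-NAT the LAN behind eth1's public address (same rule as the runtime
# iptables command below).
-A POSTROUTING -s 172.18.1.0/24 -j SNAT --to-source 81.176.142.10
COMMIT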
Для динамического включения команда будет выглядеть так:
# Same SNAT rule added to the running kernel; it takes effect immediately but
# is not persisted across reboots unless written to /etc/sysconfig/iptables.
[root@shrek /root]# iptables -t nat -A POSTROUTING -s 172.18.1.0/24 -j SNAT --to-source 81.176.142.10
Проброс порта в локальной сети (например, если не удаётся зайти на сервер напрямую).
Параметр net.ipv4.ip_forward = 1 также должен быть задан в файле /etc/sysctl.conf.
[root@labuch /root]#less /etc/sysconfig/iptables
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#
# Disabled earlier variant: HTTP published on 172.18.84.5 and handed to 172.18.94.1.
#-A PREROUTING -d 172.18.84.5 -p tcp --dport 80 -j DNAT --to-destination 172.18.94.1:80
#-A POSTROUTING --dst 172.18.94.1 -p tcp --dport 80 -j SNAT --to-source 172.18.84.5
# NNTP (119) arriving at this host's 172.18.84.5 is redirected to 172.18.87.42.
-A PREROUTING -d 172.18.84.5 -p tcp --dport 119 -j DNAT --to-destination 172.18.87.42:119
# NOTE(review): the paired SNAT rewrites the client source to 172.18.84.5, so the
# backend sees every connection as coming from this router; its own logs lose the
# real client address, and any per-client auditing has to rely on this host's
# connection tracking or logging instead.
-A POSTROUTING --dst 172.18.87.42 -p tcp --dport 119 -j SNAT --to-source 172.18.84.5
# NetBIOS (137-139), UDP and TCP, forwarded for the single client 172.18.66.27
# to 172.18.94.5; the source match keeps the share from being reachable by others.
-A PREROUTING -s 172.18.66.27 -d 172.18.84.5 -p udp --dport 137:139 -j DNAT --to-destination 172.18.94.5:137-139
-A PREROUTING -s 172.18.66.27 -d 172.18.84.5 -p tcp --dport 137:139 -j DNAT --to-destination 172.18.94.5:137-139
-A POSTROUTING -s 172.18.66.27 --dst 172.18.94.5 -p udp --dport 137:139 -j SNAT --to-source 172.18.84.5
-A POSTROUTING -s 172.18.66.27 --dst 172.18.94.5 -p tcp --dport 137:139 -j SNAT --to-source 172.18.84.5
# Disabled alternatives to the explicit SNAT above.
#-I POSTROUTING -d 172.18.94.1 -p tcp --dport 80 -j MASQUERADE
#-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
# The lokkit chain is no longer applied to forwarded traffic.
#-A FORWARD -j RH-Lokkit-0-50-INPUT
# NOTE(review): FORWARD policy is ACCEPT, so the two rules below only add
# explicit matches — nothing in this table restricts what crosses the router.
# If the DNAT targets above are the only traffic meant to be forwarded, set
# the FORWARD policy to DROP/REJECT and keep these as the allow list.
-I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 172.18.66.27 -p tcp --dport 80 -j ACCEPT
# -A RH-Lokkit-0-50-INPUT -s 172.18.66.246 -i eth0 -j REJECT
# NFS (2049) is accepted here; the later REJECT for 2049 is never reached
# because the first matching rule terminates the chain walk.
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j ACCEPT
#-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 119 --syn -j ACCEPT
#-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
# Published services (new connections only): FTP control, SSH, SMTP.
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 21 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
#-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 119 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
# NOTE(review): accepting everything on eth0 makes the REJECT rules below
# reachable only for packets arriving on some other interface — confirm that
# eth0 is the trusted side on this host.
-A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT
# Default for the remaining interfaces: reject privileged ports, NFS and X11.
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
COMMIT