Setting up a router on FreeBSD 6.1-RELEASE with route and ipfilter

  • Posted: 2022-10-20 12:34
This server is set up so that users on the internal network communicate with the outside world through it. The basic principle: internal users reach the external network through the [url=http://cnsnap.cn.freebsd.org/doc/zh_CN.GB2312/books/handbook/network-routing.html]gateway/routing function (route)[/url] built into [url=http://www.freebsd.org/]FreeBSD[/url], while the security of the server and protection against viruses are handled by FreeBSD's [url=http://cnsnap.cn.freebsd.org/doc/zh_CN.GB2312/books/handbook/firewalls-ipf.html]ipfilter[/url]. The initial setup procedure is as follows.

Network interface naming:
vr0: external network interface
vr1: internal network interface

1. Minimal installation of [url=http://www.freebsd.org/releases/6.1R/announce.html]FreeBSD 6.1-RELEASE[/url]

Download the [url=http://www.freebsd.org/releases/6.1R/announce.html]FreeBSD 6.1-RELEASE[/url] image from ftp://ftp.FreeBSD.org/pub/FreeBSD/, burn it to a CD, set the server to boot from the optical drive and start the installation. I chose the minimal installation and enabled ftp and ssh; the other defaults are fine. See [url=http://cnsnap.cn.freebsd.org/doc/zh_CN.GB2312/books/handbook/install-start.html]this article[/url] for details. Reboot the machine after the installation finishes.

2. Install the kernel sources

Put the installation CD in the drive, then:
# /usr/sbin/sysinstall
Then choose Configure --> Distributions -> src -> sys, click Install, and reboot the machine when it finishes.

3. Basic configuration

Configure /etc/rc.conf:
# cd /etc
# ee rc.conf
with the following contents:
hostname="gatewall.wxic.edu.cn"
defaultrouter="172.16.252.17"
ifconfig_vr0="inet 172.16.252.x netmask 255.255.255.252"
ifconfig_vr1="inet 58.193.11x.25x netmask 255.255.248.0"
inetd_enable="YES"
linux_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
sendmail_enable="NONE"

Configure /etc/resolv.conf:
# ee /etc/resolv.conf
with the following contents:
nameserver 58.193.112.1

4. Configure the kernel to add ipfilter support
# cd /usr/src/sys/i386/conf
# cp GENERIC funpower
# ee funpower
Now edit the kernel configuration file. The configuration differs from machine to machine and by application; since we need ipfilter, we add support for it. Add the following to the kernel configuration:
options   IPFILTER
options   IPFILTER_LOG
options   IPFILTER_DEFAULT_BLOCK
For the other options see [url=http://cnsnap.cn.freebsd.org/doc/zh_CN.GB2312/books/handbook/kernelconfig.html]this article[/url] and customize as needed. Save and exit when done, then run:
# /usr/sbin/config funpower
# cd ../compile/funpower
# make cleandepend
# make depend
# make
# make install
After compiling, reboot the server (ipfilter blocks all traffic by default, so make sure you are working at the server's console).

5. Add the routing options to /etc/rc.conf
# cd /etc
# ee rc.conf
Append the following lines:
gateway_enable="YES"
static_routes="static1"
route_static1="-net 58.193.11x.0/21 172.16.252.x/30"
Note: the first address is the internal IP range; the second is the gateway address of the external interface.

6. Configure ipfilter

Add to /etc/rc.conf:
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.conf"
Then edit the /etc/ipf.conf file:
# cd /etc/
# ee ipf.conf
with the following contents:
# loopback interface lo0
# out and in: pass everything
pass in quick on lo0 all
pass out quick on lo0 all
# external interface vr0
# out: only the enabled addresses may communicate
block out quick on vr0 from any to 192.168.0.0/16
block out quick on vr0 from any to 0.0.0.0/8
block out quick on vr0 from any to 169.254.0.0/16
block out quick on vr0 from any to 10.0.0.0/8
block out quick on vr0 from any to 172.16.0.0/12
block out quick on vr0 from any to 127.0.0.0/8
block out quick on vr0 from any to 192.0.2.0/24
block out quick on vr0 from any to 204.152.64.0/23
block out quick on vr0 from any to 224.0.0.0/3
# (the two link-local/private prefixes above were written as 169.254.0.0/8 and 127.16.0.0/12 in the original; corrected to match the inbound list)
# enable 58.193.112.1
pass out quick on vr0 proto tcp/udp from 58.193.112.1/32 to any keep state
pass out quick on vr0 proto icmp from 58.193.112.1/32 to any keep state
# enable 58.193.112.3
pass out quick on vr0 proto tcp/udp from 58.193.112.3/32 to any keep state
pass out quick on vr0 proto icmp from 58.193.112.3/32 to any keep state
# enable 58.193.113.1
pass out quick on vr0 proto tcp/udp from 58.193.113.1/32 to any keep state
pass out quick on vr0 proto icmp from 58.193.113.1/32 to any keep state
# enable 58.193.113.2
pass out quick on vr0 proto tcp/udp from 58.193.113.2/32 to any keep state
pass out quick on vr0 proto icmp from 58.193.113.2/32 to any keep state
block out on vr0 all
# in: block some addresses (e.g. private ranges) and some ports used by worm attacks (e.g. 138, 139, 445)
block in quick on vr0 from 192.168.0.0/16 to any
block in quick on vr0 from 172.16.0.0/12 to any
block in quick on vr0 from 10.0.0.0/8 to any
block in quick on vr0 from 127.0.0.0/8 to any
block in quick on vr0 from 0.0.0.0/8 to any
block in quick on vr0 from 169.254.0.0/16 to any
block in quick on vr0 from 192.0.2.0/24 to any
block in quick on vr0 from 204.152.64.0/23 to any
block in quick on vr0 from 224.0.0.0/3 to any
block in quick on vr0 from 58.193.112.0/21 to any
block in quick on vr0 proto udp from any to any port = 69
block in quick on vr0 proto tcp/udp from any to any port = 135
block in quick on vr0 proto udp from any to any port = 137
block in quick on vr0 proto udp from any to any port = 138
block in quick on vr0 proto tcp/udp from any to any port = 139
block in quick on vr0 proto tcp/udp from any to any port = 445
block in quick on vr0 proto tcp/udp from any to any port = 593
block in quick on vr0 proto tcp from any to any port = 1022
block in quick on vr0 proto tcp from any to any port = 1023
block in quick on vr0 proto tcp from any to any port = 1025
block in quick on vr0 proto tcp from any port = 1034 to any port = 80
block in quick on vr0 proto tcp from any to any port = 1068
block in quick on vr0 proto tcp from any to any port = 1433
block in quick on vr0 proto udp from any to any port = 1434
block in quick on vr0 proto tcp from any to any port = 1871
block in quick on vr0 proto tcp from any to any port = 2745
block in quick on vr0 proto tcp from any to any port = 3208
block in quick on vr0 proto tcp from any to any port = 3127
block in quick on vr0 proto tcp from any to any port = 4331
block in quick on vr0 proto tcp from any to any port = 4334
block in quick on vr0 proto tcp from any to any port = 4444
block in quick on vr0 proto tcp from any port = 4444 to any
block in quick on vr0 proto tcp from any to any port = 4510
block in quick on vr0 proto tcp from any to any port = 4557
block in quick on vr0 proto tcp from any to any port = 5554
block in quick on vr0 proto tcp from any to any port = 5800
block in quick on vr0 proto tcp from any to any port = 5900
block in quick on vr0 proto tcp from any to any port = 6129
block in quick on vr0 proto tcp from any to any port = 6667
block in quick on vr0 proto tcp from any to any port = 9995
block in quick on vr0 proto tcp from any to any port = 9996
block in quick on vr0 proto tcp from any to any port = 10080
block in quick on vr0 all with frags
block in quick on vr0 proto tcp all with short
block in quick on vr0 all with opt lsrr
block in quick on vr0 all with opt ssrr
block in log first quick on vr0 proto tcp from any to any flags FUP
block in quick on vr0 all with ipopts
pass in quick on vr0 proto tcp from any to any port = 80 flags S keep state
pass in quick on vr0 proto tcp from any to any port = 23 flags S keep state
pass in quick on vr0 proto tcp from any to any port = 22 flags S keep state
pass in quick on vr0 proto tcp from any to any port = ftp flags S/SA keep state
pass in quick on vr0 proto tcp from any to any port = ftp-data flags S/SA keep state
pass in quick on vr0 proto tcp from any to any port 30000 >< 50001 flags S/SA keep state
pass in quick on vr0 proto icmp from any to any icmp-type 0
pass in quick on vr0 proto icmp from any to any icmp-type 11
block in log quick on vr0 proto icmp from any to any
block in log on vr0 all
# internal interface vr1
# out: pass everything
pass out on vr1 all
# in: pass everything
pass in on vr1 all

Reboot the server after configuring. Then test from a client machine: first use one of the IP addresses enabled in ipf.conf and ping edu.cn; if the ping succeeds, the client can reach the external network. Then set the client to an IP address that is not in the enabled list; if the ping now fails, the ipf.conf settings have taken effect.
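To reason about which of the rules above actually decide a packet, here is an added Python rule evaluator (example code written for this edit, not from the original article or from ipfilter itself) that reproduces ipfilter's matching order on a constructed excerpt of the ruleset: the first matching `quick` rule wins, otherwise the last matching rule, and no match at all is blocked. It covers only the syntax the page's rules use (interface, proto, from/to nets, ports and port ranges); `flags`, `keep state`, `log` and `with` qualifiers are ignored, and the embedded rules and 203.0.113.x test addresses are constructed.

```python
import ipaddress

def parse_rule(line):
    """Parse one ipf rule into a dict covering the syntax the page's rules use."""
    t = line.split("#")[0].split()
    r = {"action": t[0], "dir": t[1], "quick": "quick" in t, "iface": None,
         "proto": None, "src": None, "dst": None, "sport": None, "dport": None}
    side = None                                   # does a 'port' clause belong to 'from' or 'to'?
    for i, w in enumerate(t):
        if w == "on":
            r["iface"] = t[i + 1]
        elif w == "proto":
            r["proto"] = t[i + 1].split("/")      # 'tcp/udp' matches either protocol
        elif w in ("from", "to"):
            side = w
            if t[i + 1] != "any":
                r["src" if w == "from" else "dst"] = ipaddress.ip_network(t[i + 1], strict=False)
        elif w == "port" and t[i + 1] == "=":     # 'port = 445' or 'port = ftp'
            p = {"ftp": 21, "ftp-data": 20}.get(t[i + 2]) or int(t[i + 2])
            r["sport" if side == "from" else "dport"] = (p, p)
        elif w == "port":                         # 'port 30000 >< 50001' is an exclusive range
            r["sport" if side == "from" else "dport"] = (int(t[i + 1]) + 1, int(t[i + 3]) - 1)
    return r

def matches(r, pkt):
    """True if rule r applies to pkt (keys: dir, iface, proto, src, dst, sport, dport)."""
    return (r["dir"] == pkt["dir"] and r["iface"] in (None, pkt["iface"])
            and (not r["proto"] or pkt["proto"] in r["proto"])
            and all(not r[k] or ipaddress.ip_address(pkt[k]) in r[k] for k in ("src", "dst"))
            and all(not r[k] or r[k][0] <= pkt.get(k, 0) <= r[k][1] for k in ("sport", "dport")))

def decide(rules, pkt):
    """ipf order: a matching 'quick' rule decides at once, else the last match wins; no match is blocked."""
    verdict = "block"                             # IPFILTER_DEFAULT_BLOCK, as the page's kernel is built
    for r in rules:
        if matches(r, pkt):
            if r["quick"]:
                return r["action"]
            verdict = r["action"]
    return verdict

# Constructed excerpt of the page's ipf.conf (vr0 = external interface).
RULES = [parse_rule(l) for l in """
pass out quick on vr0 proto icmp from 58.193.112.1/32 to any keep state
block out on vr0 all
block in quick on vr0 from 192.168.0.0/16 to any
block in quick on vr0 proto tcp/udp from any to any port = 445
pass in quick on vr0 proto tcp from any to any port = 22 flags S keep state
block in log on vr0 all
""".splitlines() if l.split("#")[0].strip()]
```

The ping test at the end of the article corresponds to `decide(RULES, ...)` for an ICMP packet out on vr0: an enabled source address hits its `quick` pass rule, any other source only matches the non-quick `block out on vr0 all`.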