freebsd5.4下ipfilter+ipnat包过滤、转发和DHCP服务器架构笔记

通过架设此服务器,使网内客户端不用任何网络的配置,就可以直接连接互联网。
网络信息:
网段 -> 192.168.61.0/24
xl0 -> 内网网卡 192.168.61.254 (dhcp网卡)
em0 -> 外网网卡 218.104.52.x/32

一、安装freebsd4.11STABLE

http://www.freebsd.org/releases/4.11R/announce.html选择一个FTP服务器下载,然后刻成光盘。接下来从光盘安装,我的几点选项:

1、选择软件包时选择最小化安装。
2、编辑inetd.conf时开通ftp及telnet服务。

其它的都默认安装,具体可参考:<http://www.freebsd.org.cn/snap/doc/zh_CN.GB2312/books/handbook/install-start.html>,安装完后重启机器。

二、配置freebsd

1、配置/etc/rc.conf:

# /etc/rc.conf for the gateway (xl0 = inside network, em0 = outside/Internet).

# Identity and interface addressing
hostname="gateway_bake.jscpu.com"
ifconfig_em0="inet 218.104.52.x netmask 255.255.255.248"
ifconfig_xl0="inet 192.168.61.254 netmask 255.255.255.0"
defaultrouter="218.104.52.x"

# Forwarding between the two interfaces, packet filter and NAT rulesets
gateway_enable="YES"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.conf"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.conf"

# Services
sshd_enable="YES"
inetd_enable="YES"   # ftp and telnet are switched on in inetd.conf
sendmail_enable="NONE"
nfs_reserved_port_only="YES"
linux_enable="YES"
usbd_enable="NO"
# rc will not raise the kernel securelevel at boot
kern_securelevel_enable="NO"

2、配置/etc/resolv.conf:

# /etc/resolv.conf: default search domain and the two upstream nameservers
# the gateway itself queries.
domain jscpu.com
nameserver 218.104.48.106
nameserver 221.6.4.66

3、将光盘放入光驱中,安装ports和src

# /stand/sysinstall
然后选择Configure -> Distributions,然后利用空格键选择src和ports两项,点install,安装完成后重启机器。

三、配置内核

# cd /usr/src/sys/i386/conf
# cp GENERIC funpower
# ee funpower

内核文件具体如下:

#
# GENERIC -- Generic kernel configuration file for FreeBSD/i386
#
# For more information on this file, please read the handbook section on
# Kernel Configuration Files:
#
# http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html
#
# The handbook is also available locally in /usr/share/doc/handbook
# if you've installed the doc distribution, otherwise always see the
# FreeBSD World Wide Web server (http://www.FreeBSD.org/) for the
# latest information.
#
# An exhaustive list of options and more detailed explanations of the
# device lines is also present in the ./LINT configuration file. If you are
# in doubt as to the purpose or necessity of a line, check first in LINT.
#
# $FreeBSD: src/sys/i386/conf/GENERIC,v 1.246.2.62.2.1 2005/01/14 03:07:39 scottl Exp $
#
# Local copy for the gateway (cp GENERIC funpower): ident renamed, the
# IPFILTER options added, and a number of drivers commented out.

machine i386
#cpu I386_CPU
#cpu I486_CPU
#cpu I586_CPU
cpu I686_CPU
ident funpower
maxusers 0

#makeoptions DEBUG=-g #Build kernel with gdb(1) debug symbols

options MATH_EMULATE #Support for x87 emulation
options INET #InterNETworking
#options INET6 #IPv6 communications protocols
options FFS #Berkeley Fast Filesystem
options FFS_ROOT #FFS usable as root device [keep this!]
options SOFTUPDATES #Enable FFS soft updates support
options UFS_DIRHASH #Improve performance on big directories
options MFS #Memory Filesystem
options MD_ROOT #MD is a potential root device
options NFS #Network Filesystem
options NFS_ROOT #NFS usable as root device, NFS required
options MSDOSFS #MSDOS Filesystem
options CD9660 #ISO 9660 Filesystem
options CD9660_ROOT #CD-ROM usable as root, CD9660 required
options PROCFS #Process filesystem
options COMPAT_43 #Compatible with BSD 4.3 [KEEP THIS!]
options SCSI_DELAY=15000 #Delay (in ms) before probing SCSI
options UCONSOLE #Allow users to grab the console
options USERCONFIG #boot -c editor
options VISUAL_USERCONFIG #visual boot -c editor
options KTRACE #ktrace(1) support
options SYSVSHM #SYSV-style shared memory
options SYSVMSG #SYSV-style message queues
options SYSVSEM #SYSV-style semaphores
options P1003_1B #Posix P1003_1B real-time extensions
options _KPOSIX_PRIORITY_SCHEDULING
options ICMP_BANDLIM #Rate limit bad replies
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options AHC_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~128k to driver.
options AHD_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~215k to driver.

# To make an SMP kernel, the next two are needed
#options SMP # Symmetric MultiProcessor Kernel
#options APIC_IO # Symmetric (APIC) I/O

# Packet filter (rules in /etc/ipf.conf, NAT in /etc/ipnat.conf).
# IPFILTER_LOG enables the "log" keyword used in the ruleset;
# IPFILTER_DEFAULT_BLOCK makes block the default action, so a packet that
# matches no rule is dropped rather than passed.
options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK

device isa
device eisa
device pci

# Floppy drives
device fdc0 at isa? port IO_FD1 irq 6 drq 2
device fd0 at fdc0 drive 0
device fd1 at fdc0 drive 1
#
# If you have a Toshiba Libretto with its Y-E Data PCMCIA floppy,
# don't use the above line for fdc0 but the following one:
#device fdc0

# ATA and ATAPI devices
device ata0 at isa? port IO_WD1 irq 14
device ata1 at isa? port IO_WD2 irq 15
device ata
device atadisk # ATA disk drives
device atapicd # ATAPI CDROM drives
device atapifd # ATAPI floppy drives
device atapist # ATAPI tape drives
options ATA_STATIC_ID #Static device numbering

# SCSI Controllers
#device ahb # EISA AHA1742 family
#device ahc # AHA2940 and onboard AIC7xxx devices
#device ahd # AHA39320/29320 and onboard AIC79xx devices
#device amd # AMD 53C974 (Tekram DC-390(T))
#device isp # Qlogic family
#device mpt # LSI-Logic MPT/Fusion
#device ncr # NCR/Symbios Logic
#device sym # NCR/Symbios Logic (newer chipsets)
#options SYM_SETUP_LP_PROBE_MAP=0x40
# Allow ncr to attach legacy NCR devices when
# both sym and ncr are configured

device adv0 at isa?
device adw
device bt0 at isa?
device aha0 at isa?
device aic0 at isa?

device ncv # NCR 53C500
device nsp # Workbit Ninja SCSI-3
device stg # TMC 18C30/18C50

# SCSI peripherals
device scbus # SCSI bus (required)
# NOTE(review): "da" is disabled here, but "device sbp" further down is
# annotated as requiring scbus and da -- confirm that combination is intended.
#device da # Direct Access (disks)
#device sa # Sequential Access (tape etc)
#device cd # CD
#device pass # Passthrough device (direct SCSI access)

# RAID controllers interfaced to the SCSI subsystem
#device asr # DPT SmartRAID V, VI and Adaptec SCSI RAID
#device dpt # DPT Smartcache - See LINT for options!
#device iir # Intel Integrated RAID
#device mly # Mylex AcceleRAID/eXtremeRAID
#device ciss # Compaq SmartRAID 5* series
#device twa # 3ware 9000 series PATA/SATA RAID

# RAID controllers
#device aac # Adaptec FSA RAID, Dell PERC2/PERC3
# NOTE(review): aacp is the passthrough for aac, which is disabled just
# above -- check whether aacp is still wanted.
device aacp # SCSI passthrough for aac (requires CAM)
#device ida # Compaq Smart RAID
#device ips # IBM/Adaptec ServeRAID
#device amr # AMI MegaRAID
#device mlx # Mylex DAC960 family
#device pst # Promise Supertrak SX6000
#device twe # 3ware Escalade

# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc0 at isa? port IO_KBD
device atkbd0 at atkbdc? irq 1 flags 0x1
device psm0 at atkbdc? irq 12

device vga0 at isa?

# splash screen/screen saver
pseudo-device splash

# syscons is the default console driver, resembling an SCO console
device sc0 at isa? flags 0x100

# Enable this and PCVT_FREEBSD for pcvt vt220 compatible console driver
#device vt0 at isa?
#options XSERVER # support for X server on a vt console
#options FAT_CURSOR # start with block cursor
# If you have a ThinkPAD, uncomment this along with the rest of the PCVT lines
#options PCVT_SCANSET=2 # IBM keyboards are non-std

device agp # support several AGP chipsets

# Floating point support - do not disable.
device npx0 at nexus? port IO_NPX irq 13

# Power management support (see LINT for more options)
device apm0 at nexus? disable flags 0x20 # Advanced Power Management

# PCCARD (PCMCIA) support
#device card
#device pcic0 at isa? irq 0 port 0x3e0 iomem 0xd0000
#device pcic1 at isa? irq 0 port 0x3e2 iomem 0xd4000 disable

# Serial (COM) ports
#device sio0 at isa? port IO_COM1 flags 0x10 irq 4
#device sio1 at isa? port IO_COM2 irq 3
#device sio2 at isa? disable port IO_COM3 irq 5
#device sio3 at isa? disable port IO_COM4 irq 9

# Parallel port
device ppc0 at isa? irq 7
device ppbus # Parallel port bus (required)
device lpt # Printer
device plip # TCP/IP over parallel
device ppi # Parallel port interface device
#device vpo # Requires scbus and da

# PCI Ethernet NICs.
device de # DEC/Intel DC21x4x ("Tulip")
# em is the outside interface (218.104.52.x) of this gateway
device em # Intel PRO/1000 adapter Gigabit Ethernet Card ("Wiseman")
device txp # 3Com 3cR990 ("Typhoon")
device vx # 3Com 3c590, 3c595 ("Vortex")

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device miibus # MII bus support
#device dc # DEC/Intel 21143 and various workalikes
#device fxp # Intel EtherExpress PRO/100B (82557, 82558)
#device pcn # AMD Am79C97x PCI 10/100 NICs
#device rl # RealTek 8129/8139
#device sf # Adaptec AIC-6915 ("Starfire")
#device sis # Silicon Integrated Systems SiS 900/SiS 7016
#device ste # Sundance ST201 (D-Link DFE-550TX)
#device tl # Texas Instruments ThunderLAN
#device tx # SMC EtherPower II (83c170 "EPIC")
#device vr # VIA Rhine, Rhine II
#device wb # Winbond W89C840F
# xl is the inside interface (192.168.61.254, DHCP) of this gateway
device xl # 3Com 3c90x ("Boomerang", "Cyclone")
#device bge # Broadcom BCM570x ("Tigon III")

# ISA Ethernet NICs.
# 'device ed' requires 'device miibus'
device ed0 at isa? disable port 0x280 irq 10 iomem 0xd8000
device ex
device ep
device fe0 at isa? disable port 0x300
# Xircom Ethernet
device xe
# PRISM I IEEE 802.11b wireless NIC.
device awi
# WaveLAN/IEEE 802.11 wireless NICs. Note: the WaveLAN/IEEE really
# exists only as a PCMCIA device, so there is no ISA attachment needed
# and resources will always be dynamically assigned by the pccard code.
device wi
# Aironet 4500/4800 802.11 wireless NICs. Note: the declaration below will
# work for PCMCIA and PCI cards, as well as ISA cards set to ISA PnP
# mode (the factory default). If you set the switches on your ISA
# card for a manually chosen I/O address and IRQ, you must specify
# those parameters here.
device an
# The probe order of these is presently determined by i386/isa/isa_compat.c.
device ie0 at isa? disable port 0x300 irq 10 iomem 0xd0000
#device le0 at isa? disable port 0x300 irq 5 iomem 0xd0000
device lnc0 at isa? disable port 0x280 irq 10 drq 0
device cs0 at isa? disable port 0x300
device sn0 at isa? disable port 0x300 irq 10

# Pseudo devices - the number indicates how many units to allocate.
pseudo-device loop # Network loopback
pseudo-device ether # Ethernet support
#pseudo-device sl 1 # Kernel SLIP
#pseudo-device ppp 1 # Kernel PPP
pseudo-device tun # Packet tunnel.
pseudo-device pty # Pseudo-ttys (telnet etc)
pseudo-device md # Memory "disks"
#pseudo-device gif # IPv6 and IPv4 tunneling
#pseudo-device faith 1 # IPv6-to-IPv4 relaying (translation)

# The `bpf' pseudo-device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
pseudo-device bpf #Berkeley packet filter

# USB support
#device uhci # UHCI PCI->USB interface
#device ohci # OHCI PCI->USB interface
device usb # USB Bus (required)
#device ugen # Generic
#device uhid # "Human Interface Devices"
#device ukbd # Keyboard
#device ulpt # Printer
#device umass # Disks/Mass storage - Requires scbus and da
#device ums # Mouse
#device uscanner # Scanners
#device urio # Diamond Rio MP3 Player
# USB Ethernet, requires mii
#device aue # ADMtek USB ethernet
#device axe # ASIX Electronics USB ethernet
#device cue # CATC USB ethernet
#device kue # Kawasaki LSI USB ethernet

# FireWire support
device firewire # FireWire bus code
device sbp # SCSI over FireWire (Requires scbus and da)
device fwe # Ethernet over FireWire (non-standard!)

编辑好funpower后开始编译安装内核:
#/usr/sbin/config funpower
#cd ../../compile/funpower
#make depend
#make
#make install

编译安装完成后重启机器。

四、配置包过滤(ipfilter)及包转发(ipnat)服务

1、编辑/etc/ipf.conf

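# /etc/ipf.conf -- packet filter for the gateway.
# xl0 = inside (192.168.61.0/24), em0 = outside (218.104.52.x), lo0 = loopback.
# ipfilter evaluates rules in order and the LAST matching rule decides,
# unless a rule carries "quick", which stops evaluation at that rule.
# The kernel is built with IPFILTER_DEFAULT_BLOCK, so traffic no rule
# passes is dropped.

# Malformed and source-routed packets are dropped first, on every interface.
block in log quick all with short
block in log quick all with ipopts
block in log quick all with frag
block in log quick all with opt lsrr
block in log quick all with opt ssrr

# Inside interface and loopback are fully trusted.
pass out on xl0 all
pass in on xl0 all
pass out quick on lo0 all
pass in quick on lo0 all

# Outbound on em0: default deny, then never emit packets for private,
# reserved, link-local, loopback, TEST-NET or multicast destinations.
# Every block here needs "quick": without it the later
# "pass out ... keep state" rules would be the last match and win.
# 172.16.0.0/12 was mistyped as 127.16.0.0/12 and 169.254.0.0/16 as /8
# in the original; both are spelled as in the inbound list below.
block out on em0 all
block out log quick on em0 from any to 192.168.0.0/16
block out log quick on em0 from any to 0.0.0.0/8
block out log quick on em0 from any to 169.254.0.0/16
block out log quick on em0 from any to 10.0.0.0/8
block out log quick on em0 from any to 172.16.0.0/12
block out log quick on em0 from any to 127.0.0.0/8
block out log quick on em0 from any to 192.0.2.0/24
block out log quick on em0 from any to 204.152.64.0/23
block out log quick on em0 from any to 224.0.0.0/3

# Remote administration of the gateway itself.
pass in quick on em0 proto tcp from any to 218.104.52.x port = 22 flags S keep state
# telnet is cleartext: prefer the ssh rule above and either drop this rule
# or narrow "from any" to the administrators' addresses.
pass in quick on em0 proto tcp from any to 218.104.52.x port = 23 flags S keep state

# Everything originated from inside (already NATed) may leave; replies
# return through the state table.
pass out log on em0 proto tcp/udp from any to any keep state
pass out log on em0 proto icmp all keep state

# Inbound on em0: drop packets with spoofed source addresses. The
# 192.168.0.0/16 rule needs "quick" like its siblings, otherwise the
# "pass in quick ... port = 80" rules below would match such packets first.
block in log quick on em0 from 192.168.0.0/16 to any
block in log quick on em0 from 10.0.0.0/8 to any
block in log quick on em0 from 172.16.0.0/12 to any
block in log quick on em0 from 127.0.0.0/8 to any
block in log quick on em0 from 192.0.2.0/24 to any
block in log quick on em0 from 169.254.0.0/16 to any
block in log quick on em0 from 224.0.0.0/3 to any
block in log quick on em0 from 204.152.64.0/23 to any

# Services reachable from the Internet. ipnat rewrites inbound packets
# before the filter sees them, so "to any" also matches addresses mapped
# by /etc/ipnat.conf.
pass in quick on em0 proto tcp from any to any port = 80 flags S/SA keep state
pass in quick on em0 proto tcp from any to any port = ftp flags S/SA keep state
pass in quick on em0 proto tcp from any to any port = ftp-data flags S/SA keep state
pass in quick on em0 proto tcp from any to any port 30000 >< 50001 flags S/SA keep state

# Log inbound ICMP before the catch-all swallows it. In the original these
# sat after "block in quick on em0 all" and could never match. The generic
# rule already covers echo; the echo line is kept only for readability.
block in log quick on em0 proto icmp from any to any icmp-type redir
block in log quick on em0 proto icmp from any to any
block in log quick on em0 proto icmp from any to any icmp-type echo

# Catch-all: anything else arriving on em0 is silently dropped.
# Keep this last -- no rule placed after it can ever match.
block in quick on em0 all

# The original ruleset had these two after the catch-all, where they were
# unreachable; the effective policy was, and remains, a silent drop. To
# answer unsolicited TCP SYNs with RST and UDP with ICMP net-unreachable
# instead, uncomment them, add "quick", and move them above the catch-all.
#block return-rst in log on em0 proto tcp from any to any flags S/SA
#block return-icmp(net-unr) in log on em0 proto udp from any to any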

2、编辑/etc/ipnat.conf

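# /etc/ipnat.conf -- NAT for the inside network (192.168.61.0/24) behind em0.
# ipnat uses FIRST-match ordering, so the ftp proxy has to come before the
# generic map rules; placed after them (as in the original) it never applies.
map em0 192.168.61.0/24 -> 218.104.52.x/32 proxy port ftp ftp/tcp
# TCP/UDP: rewrite source ports into 20000-39999 ...
map em0 192.168.61.0/24 -> 218.104.52.x/32 portmap tcp/udp 20000:39999
# ... and everything else (e.g. ICMP) without port mapping.
map em0 192.168.61.0/24 -> 218.104.52.x/32
# NOTE(review): this maps traffic leaving the INSIDE interface to the public
# address; it looks unnecessary for a simple gateway -- confirm before keeping.
map xl0 192.168.61.0/24 -> 218.104.52.x/32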

五、配置DHCP服务

1、通过ports安装isc-dhcp3-server

安装前先从http://ftp.bestcom.ru/FreeBSD/ports/distfiles/
