Shulou (Shulou.com), SLTechnology News&Howtos > Network Security, 06/01 report, updated 2025-01-18
Originally, the company's office network was not physically separated from the wireless network, so it was not very secure. Later, during the network overhaul, physical separation was added, but it was not done well: it relied only on a Xiaomi router running DHCP. Visitors and company employees then used the same wireless network with their phones, so the load was very high and a large share of people could not even get an IP address. So we built our own service.
I used a Dell 380 machine; the requirements are modest, just two network cards: eth0 as the external (WAN) interface and eth2 as the internal (LAN) interface.
eth0: 192.168.1.1
eth2: 192.168.100.1
The configuration is as follows:
1. Install dhcp first
yum install dhcp -y
2. Edit the dhcp configuration file /etc/dhcp/dhcpd.conf, or copy /usr/share/doc/dhcp-4.1.1/dhcpd.conf.sample to /etc/dhcp/dhcpd.conf as a starting point.
The configuration file is as follows:
ddns-update-style interim;                      # use the interim DHCP-DNS interactive update mode
ignore client-updates;                          # ignore client updates
subnet 192.168.100.0 netmask 255.255.254.0 {
    option routers 192.168.100.1;               # router (gateway) address
    option subnet-mask 255.255.254.0;           # subnet mask option
    option nis-domain "xfbaydhcp.com";
    option domain-name "xfbaydhcp.com";         # domain name
    option domain-name-servers 192.168.0.7;     # DNS address
    option time-offset -18000;                  # Eastern Standard Time
    # leased address pool; the /23 covers 192.168.100.0-192.168.101.255, so the pool
    # starts after the gateway address and stops before the broadcast address
    range dynamic-bootp 192.168.100.2 192.168.101.254;
    default-lease-time 21600;                   # default lease time
    max-lease-time 43200;                       # maximum lease time
    host myhost {                               # host declaration
        # MAC address of the DHCP client; the value as extracted from the post has
        # only five octets, so fill in the client's full six-octet address here
        hardware ethernet 08:00:27:30:8C;
        fixed-address 192.168.100.155;          # assign this IP to that MAC address
    }
}
3. Edit the /etc/rc.d/init.d/dhcpd file and change
user=dhcpd
group=dhcpd
to
user=root
group=root
4. Specify the network card on which dhcp listens (an error is reported if it is not specified)
vim /etc/sysconfig/dhcpd
DHCPDARGS=eth2
5. Set the service to start at boot
chkconfig dhcpd on
service dhcpd start
Configuring the network card IP addresses is not covered here. Next, check whether a host can obtain an IP address automatically.
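One way to confirm that clients are really getting addresses is to read the server's lease file, /var/lib/dhcpd/dhcpd.leases, rather than checking each phone by hand. The script below is an added example, not part of the original post: it parses ISC dhcpd lease records, keeps only the latest record for each address (the file is append-only, so an address can appear several times) and lists the ones whose binding state is active. The lease text embedded in the script is constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): list active leases from an ISC dhcpd
# leases file so you can confirm that clients on eth2 actually received addresses.
# The lease data below is constructed; on the server read /var/lib/dhcpd/dhcpd.leases.
# Note that 192.168.100.11 appears twice: the later record (free) supersedes the first.

SAMPLE_LEASES='lease 192.168.100.10 {
  starts 1 2024/06/01 08:00:00;
  ends 1 2024/06/01 14:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 52:54:00:12:34:56;
  client-hostname "laptop-1";
}
lease 192.168.100.11 {
  starts 1 2024/06/01 08:05:00;
  ends 1 2024/06/01 14:05:00;
  binding state active;
  hardware ethernet 52:54:00:ab:cd:ef;
}
lease 192.168.100.11 {
  starts 1 2024/06/01 08:05:00;
  ends 1 2024/06/01 09:00:00;
  binding state free;
  hardware ethernet 52:54:00:ab:cd:ef;
}
lease 192.168.100.12 {
  starts 1 2024/06/01 08:10:00;
  ends 1 2024/06/01 14:10:00;
  binding state active;
  hardware ethernet 52:54:00:00:11:22;
  client-hostname "phone-7";
}'

# Read lease records from stdin and print "ip mac hostname" for every address whose
# most recent record has binding state active. Hostname is "-" when not present.
active_leases() {
    awk '
        /^lease / { ip = $2; state = ""; mac = ""; host = "-" }
        $1 == "binding" && $2 == "state" { state = $3; sub(/;$/, "", state) }
        $1 == "hardware" && $2 == "ethernet" { mac = $3; sub(/;$/, "", mac) }
        $1 == "client-hostname" { host = $2; gsub(/[";]/, "", host) }
        /^}/ { seen[ip] = state " " mac " " host }   # last record for an ip wins
        END {
            for (ip in seen) {
                split(seen[ip], f, " ")
                if (f[1] == "active") print ip, f[2], f[3]
            }
        }
    ' | sort
}

# Number of active leases in the sample; compare it with the number of clients you expect.
count_active() {
    printf '%s\n' "$SAMPLE_LEASES" | active_leases | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LEASES" | active_leases
count_active
```

On the real server replace the embedded sample with `active_leases < /var/lib/dhcpd/dhcpd.leases`; a client that shows up in the file as free or expired while its owner says it has no address points at the pool or lease-time settings rather than at the client.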
Here is the iptables configuration. iptables is installed by default on these hosts.
1. Turn on the forwarding function
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
2. Set the iptables rules
Forwarding (SNAT for traffic leaving eth0; the source address must be eth0's own address):
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.143
Set the TTL value (mainly used to stop a second wireless router being hung off the wifi):
iptables -t mangle -A POSTROUTING -o eth0 -j TTL --ttl-set 0
Block access to port 22 from the public network. This is a filter rule; the post placed it in the nat table, whose chains only see the first packet of a connection and are not meant for filtering:
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j DROP
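The rules above can be collected into a script that is reviewable without root. The following is an added example rather than the post's own configuration: it wraps the post's SNAT and SSH rules in a function, moves the SSH DROP into the filter table where it takes effect on every packet, and adds FORWARD rules so that only LAN-originated connections and their replies are routed. The interface names and the 192.168.1.143 SNAT address come from the post; WAN_IF, LAN_IF, the DRY_RUN switch and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): the post's NAT rules as a function, with
# the SSH block placed in the filter table and a minimal FORWARD policy. With DRY_RUN=1
# (the default) the iptables commands are printed instead of executed, so the rule set
# can be checked on any machine; set DRY_RUN=0 and run as root to apply it.

WAN_IF="eth0"
LAN_IF="eth2"
SNAT_IP="192.168.1.143"      # must be the address actually configured on eth0
DRY_RUN="${DRY_RUN:-1}"

# Print or execute one iptables command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    # NAT for LAN clients leaving through the WAN interface (as in the post).
    run -t nat -A POSTROUTING -o "$WAN_IF" -j SNAT --to-source "$SNAT_IP"
    # Only forward traffic that originates on the LAN or is a reply to such traffic;
    # anything else the box is asked to route is dropped.
    run -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    run -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -j DROP
    # SSH from the WAN side is dropped in the filter table (the default table). The
    # post put this rule in the nat table, which sees only a connection's first packet.
    run -A INPUT -i "$WAN_IF" -p tcp --dport 22 -j DROP
}

# Succeeds when no generated rule uses the DROP target inside the nat table,
# which is the mistake this example corrects.
no_drop_in_nat() {
    ! apply_rules | grep -q -- '-t nat .* -j DROP'
}

apply_rules
```

Running the script with the default DRY_RUN=1 prints five rules; `no_drop_in_nat` is the check to keep when the rule set is edited later.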
In fact, only a few simple iptables rules are needed here; if the box is to serve other purposes, these are of course not enough.
Although the commands are simple, the details and the configuration file still matter: even the slightest error will stop the service from starting, so check carefully.
The setup can be extended a long way: with small changes to the configuration it can serve as the company firewall, limit per-IP bandwidth, control website access, and so on.
Here is the script for per-IP traffic control:
#!/bin/sh
# define inbound and outbound devices (eth2 private network, eth0 public network)
IDEV="eth2"
ODEV="eth0"
# GUEST="eth3"
# define the total upload and download bandwidth
UP="20mbit"
DOWN="20mbit"
# define the upper and lower bandwidth of each restricted IP
# rate: guaranteed bandwidth
UPLOAD="1mbit"
DOWNLOAD="1mbit"
# ceil: maximum bandwidth
MUPLOAD="20mbit"
MDOWNLOAD="20mbit"
# private network IP prefix; the third octet is supplied by $j below
NET="192.168."
INET="192.168.8."
# restricted IP range: IPS is the first host number, IPE the last
IPS="1"
IPE="255"
# clear the existing queue rules of the NICs
tc qdisc del dev $ODEV root 2>/dev/null
tc qdisc del dev $IDEV root 2>/dev/null
# define the top-level (root) queue discipline and the default class number
tc qdisc add dev $ODEV root handle 1: htb default 4000
tc qdisc add dev $IDEV root handle 2: htb default 4000
# define the layer-1 classes 1:1 and 2:1 (total uplink / downlink bandwidth)
tc class add dev $ODEV parent 1: classid 1:1 htb rate $UP ceil $UP
tc class add dev $IDEV parent 2: classid 2:1 htb rate $DOWN ceil $DOWN
# default class for unmarked traffic
tc class add dev $ODEV parent 1:1 classid 1:4000 htb rate 10mbit ceil 10mbit prio 2
tc class add dev $IDEV parent 2:1 classid 2:4000 htb rate 10mbit ceil 10mbit prio 2
# per-host classes, fw filters and iptables marks; the class id and the mark for
# host $i on subnet 192.168.$j.0 are the concatenation $i$j
j="8"
i=$IPS
while [ $i -le $IPE ]
do
    tc class add dev $ODEV parent 1:1 classid 1:$i$j htb rate 2mbit ceil 2mbit prio 1
    tc filter add dev $ODEV parent 1: protocol ip prio 1 handle $i$j fw classid 1:$i$j
    tc class add dev $IDEV parent 2:1 classid 2:$i$j htb rate 4mbit ceil 4mbit prio 1
    tc filter add dev $IDEV parent 2: protocol ip prio 1 handle $i$j fw classid 2:$i$j
    iptables -t mangle -A PREROUTING -s ${NET}${j}.${i} -j MARK --set-mark $i$j
    iptables -t mangle -A PREROUTING -s ${NET}${j}.${i} -j RETURN
    iptables -t mangle -A POSTROUTING -d ${NET}${j}.${i} -j MARK --set-mark $i$j
    iptables -t mangle -A POSTROUTING -d ${NET}${j}.${i} -j RETURN
    i=`expr $i + 1`
done
j="9"
i=$IPS
while [ $i -le $IPE ]
do
    tc class add dev $ODEV parent 1:1 classid 1:$i$j htb rate 2mbit ceil 2mbit prio 1
    tc filter add dev $ODEV parent 1: protocol ip prio 1 handle $i$j fw classid 1:$i$j
    tc class add dev $IDEV parent 2:1 classid 2:$i$j htb rate 4mbit ceil 4mbit prio 1
    tc filter add dev $IDEV parent 2: protocol ip prio 1 handle $i$j fw classid 2:$i$j
    iptables -t mangle -A PREROUTING -s ${NET}${j}.${i} -j MARK --set-mark $i$j
    iptables -t mangle -A PREROUTING -s ${NET}${j}.${i} -j RETURN
    iptables -t mangle -A POSTROUTING -d ${NET}${j}.${i} -j MARK --set-mark $i$j
    iptables -t mangle -A POSTROUTING -d ${NET}${j}.${i} -j RETURN
    i=`expr $i + 1`
done
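The script above builds each host's class id and firewall mark by concatenating the host number with the subnet's third octet (host 1 on 192.168.8.x becomes 18). tc reads the class minor as a hexadecimal number and iptables reads the mark as decimal, so the two values differ numerically but stay consistent as labels because both sides derive them the same way. The helper below is an added example, not the post's script: it generates the same commands for one /24 from a single function instead of two copied loops, checks that every class minor fits in 16 bits, and counts distinct marks across the two subnets to confirm there are no collisions. Variable and function names are this example's own, and it prints commands rather than executing them.

```shell
#!/bin/sh
# Added example (not from the original post): generate and sanity-check the per-host
# tc classes and iptables marks used by the shaping script. Commands are printed, not
# run, so this can be reviewed on any host. Hosts run 1..254; .255 is the broadcast
# address and gets no class here.

NET="192.168."
LAN_IF="eth2"
WAN_IF="eth0"

# Print "classid mark ip" for host $1 on subnet 192.168.$2.0; the id is the decimal
# string host+octet, exactly as the shaping script builds it.
shape_id() {
    h=$1; o=$2
    echo "${h}${o} ${h}${o} ${NET}${o}.${h}"
}

# tc parses a class minor as hex; it must not exceed 0xffff (65535).
minor_is_valid() {
    [ "$((0x$1))" -le 65535 ]
}

# Emit the tc and iptables commands for every host in one /24 (third octet $1).
emit_subnet() {
    octet=$1
    n=1
    while [ "$n" -le 254 ]; do
        set -- $(shape_id "$n" "$octet")     # word-split into id, mark, ip
        id=$1; mark=$2; ip=$3
        minor_is_valid "$id" || { echo "class id $id does not fit in 16 bits" >&2; return 1; }
        echo "tc class add dev $WAN_IF parent 1:1 classid 1:$id htb rate 2mbit ceil 2mbit prio 1"
        echo "tc filter add dev $WAN_IF parent 1: protocol ip prio 1 handle $mark fw classid 1:$id"
        echo "tc class add dev $LAN_IF parent 2:1 classid 2:$id htb rate 4mbit ceil 4mbit prio 1"
        echo "tc filter add dev $LAN_IF parent 2: protocol ip prio 1 handle $mark fw classid 2:$id"
        echo "iptables -t mangle -A PREROUTING -s $ip -j MARK --set-mark $mark"
        echo "iptables -t mangle -A POSTROUTING -d $ip -j MARK --set-mark $mark"
        n=$((n + 1))
    done
}

# Number of distinct marks across the two shaped subnets (third octets 8 and 9).
# With 254 hosts each this must be 508, otherwise two hosts would share a class.
distinct_marks() {
    { emit_subnet 8; emit_subnet 9; } |
        awk '/--set-mark/ { if (!($NF in m)) { m[$NF] = 1; c++ } } END { print c + 0 }'
}

distinct_marks
```

To apply the generated rules, pipe the output of `emit_subnet 8; emit_subnet 9` into `sh` as root after the qdisc and root classes from the post's script have been created; the concatenation scheme cannot collide between octets 8 and 9 because the last digit of every id is the octet.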