Configuring dual-modem Internet access on Linux
Purpose: connect to the Internet with two modems or external ISDN TAs and provide load sharing, proxying and firewall functions. (In theory more than two modems can be supported.)
Platform and hardware:
One P200 PC with 64 MB RAM, a 2.1 GB hard disk and a 3c509b network card,
two TAICOM IS128 external TAs connected to COM1 and COM2, and two ISDN lines
Software used:
Redhat Linux 6.1
dialup tools: diald-0.16-5a-1
firewall: ipchains 1.3.9
pppd: pppd 2.3.7
Summary: how to configure diald to dial the Internet over two modems
Notes:
(1) This article draws on two articles by Jephe Wu on the China Linux Forum (www.linuxforum.net): "Configuring an external ISDN TA to go online over both B channels" and "How to build a firewall with IP masquerading using ipchains on Redhat 6.1".
(2) This is offered only as a reference for Linux users configuring two modems. With the configuration below the author was able to get online over two modems with load sharing, but no guarantees are made, especially regarding the security of the firewall.
Installation and configuration:
1. Configure the TA for MPPP (dual B-channel bundling) and save the setting.
2. Install pppd (the pppd shipped with the distribution had problems, so it was removed and an older version installed) and diald.
3. Configure diald. The following files must be created or edited:
   /etc/diald.conf
   /etc/diald/connect
   /etc/ppp/pppscript
   /etc/ppp/options
   /etc/ppp/pap-secrets
4. The contents of these files are as follows:
---------------------------------------------------------------------
/etc/diald.conf (copy /etc/diald/diald.conf to /etc and edit it; the original comments have been removed)
---------------------------------------------------------------------
accept any 420 any
device /dev/ttyS0
speed 115200
lock
mode ppp
dynamic
local 192.168.0.1
remote 192.168.0.2
up-delay 3
defaultroute
modem
crtscts
connect /etc/diald/connect
redial-timeout 10
fifo /etc/diald/diald.ctl
#ip-up /etc/rc.d/ipchains.rules     (uncomment these two lines once ipchains has been set up)
#ip-down /etc/rc.d/ipchains.reset
---------------------------------------------------------------------
/etc/diald/connect
---------------------------------------------------------------------
#!/bin/sh
/usr/sbin/chat -v -f /etc/ppp/pppscript
---------------------------------------------------------------------
/etc/ppp/pppscript
---------------------------------------------------------------------
TIMEOUT 60
ABORT ERROR
ABORT BUSY
ABORT "NO CARRIER"
ABORT "NO DIALTONE"
"" "ATZ" OK
# 169 is the ISP access number; change it to the number you dial
"atdt169"
TIMEOUT 75
CONNECT
---------------------------------------------------------------------
/etc/ppp/options
---------------------------------------------------------------------
name your_account_at_ISP
login
asyncmap 0
---------------------------------------------------------------------
/etc/ppp/pap-secrets
---------------------------------------------------------------------
# Secrets for authentication using PAP
# client server secret IP addresses
your_account_at_ISP * your_passwd_at_ISP
---------------------------------------------------------------------
5. Run diald and test it
Run ping 1.1.1.1; if the settings are correct the modem should negotiate and the link should come up.
Use tail /var/log/messages to watch the connection process.
6. Configure the second modem
(copy ppp-on, ppp-off and ppp-on-dialer from /usr/doc/ppp-2.3.7/scripts
to /etc/ppp and edit them; ppp-off needs no changes)
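Reading the tail of /var/log/messages by eye works, but the same check can be scripted. The following function is an added example, not part of the original article: it reads pppd and chat syslog lines from stdin and reports whether the link came up (both IP addresses negotiated) or why chat aborted. The log lines and addresses embedded below are constructed samples in the shape of chat -v and pppd messages, not output from the author's machine. A misspelled ABORT string in the chat script never matches, so the failure then shows up only as a TIMEOUT rather than as a named reason.

```sh
#!/bin/sh
# Added example (not from the article): decide from syslog lines whether the
# diald/pppd link is up.  The sample log text below is CONSTRUCTED; the
# 192.0.2.x addresses are documentation placeholders.

SAMPLE_LOG_UP='Mar  1 10:00:01 gw chat[210]: send (ATZ^M)
Mar  1 10:00:01 gw chat[210]: expect (OK)
Mar  1 10:00:02 gw chat[210]: ^M^JOK
Mar  1 10:00:02 gw chat[210]:  -- got it
Mar  1 10:00:02 gw chat[210]: send (atdt169^M)
Mar  1 10:00:02 gw chat[210]: expect (CONNECT)
Mar  1 10:00:25 gw chat[210]: ^M^JCONNECT
Mar  1 10:00:25 gw chat[210]:  -- got it
Mar  1 10:00:27 gw pppd[209]: local  IP address 192.0.2.10
Mar  1 10:00:27 gw pppd[209]: remote IP address 192.0.2.1'

SAMPLE_LOG_FAIL='Mar  1 10:05:01 gw chat[311]: send (atdt169^M)
Mar  1 10:05:01 gw chat[311]: expect (CONNECT)
Mar  1 10:05:03 gw chat[311]: ^M^JNO CARRIER
Mar  1 10:05:03 gw chat[311]:  -- failed
Mar  1 10:05:03 gw chat[311]: Failed (NO CARRIER)
Mar  1 10:05:03 gw pppd[310]: Connect script failed'

# link_status : read syslog lines on stdin and print exactly one line:
#   UP <local> <remote>   pppd reported both negotiated addresses
#   FAILED <reason>       chat aborted; reason taken from "Failed (...)"
#   UNKNOWN               neither seen (still dialling, or too little log)
link_status() {
    awk '
        /pppd\[[0-9]+\]: local  IP address/ { local_ip = $NF }
        /pppd\[[0-9]+\]: remote IP address/ { remote_ip = $NF }
        /chat\[[0-9]+\]: Failed \(/ {
            sub(/.*Failed \(/, ""); sub(/\).*/, ""); reason = $0
        }
        END {
            if (local_ip != "" && remote_ip != "") print "UP", local_ip, remote_ip
            else if (reason != "")                  print "FAILED", reason
            else                                    print "UNKNOWN"
        }'
}

# Run both constructed samples through the check.
printf '%s\n' "$SAMPLE_LOG_UP"   | link_status
printf '%s\n' "$SAMPLE_LOG_FAIL" | link_status
```

On the gateway itself the same function would be fed from the real log, e.g. `tail -n 50 /var/log/messages | link_status`, and can be run from cron to notice a line that silently dropped and failed to redial.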
---------------------------------------------------------------------
/etc/ppp/ppp-on
---------------------------------------------------------------------
#!/bin/sh
TELEPHONE=169 # The telephone number for the connection
LOCAL_IP=0.0.0.0 # Local IP address if known. Dynamic = 0.0.0.0
REMOTE_IP=0.0.0.0 # Remote IP address if desired. Normally 0.0.0.0
NETMASK=255.255.255.0 # The proper netmask if needed
DIALER_SCRIPT=/etc/ppp/ppp-on-dialer
export TELEPHONE # the dialer script reads $TELEPHONE
# trailing backslashes keep the pppd invocation a single command
exec /usr/sbin/pppd debug lock modem crtscts /dev/ttyS1 115200 \
    $LOCAL_IP:$REMOTE_IP \
    noipdefault netmask $NETMASK defaultroute connect $DIALER_SCRIPT
---------------------------------------------------------------------
ppp-on-dialer
---------------------------------------------------------------------
#!/bin/sh
# chat expect/send pairs; trailing backslashes keep them one command
exec /usr/sbin/chat -v \
    TIMEOUT 3 \
    ABORT '\nBUSY\r' \
    ABORT '\nNO ANSWER\r' \
    ABORT '\nRINGING\r\n\r\nRINGING\r' \
    '' ATZ \
    'OK-+++\c-OK' ATH0 \
    TIMEOUT 30 \
    OK ATDT$TELEPHONE \
    CONNECT ''
---------------------------------------------------------------------
7. Test the second modem connection
Run ppp-on; if all is well the link should come up.
8. Set up ipchains and tie the dialing and hang-up of both modems together
(create the two files /etc/rc.d/ipchains.rules and /etc/rc.d/ipchains.reset,
with permissions set to 600)
---------------------------------------------------------------------
/etc/rc.d/ipchains.rules
---------------------------------------------------------------------
#!/bin/sh
echo "Starting ipchains firewall rules..."
/etc/ppp/ppp-on     # dial the second modem (script installed in step 6)
sleep 10
IP_PPP0=`ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/addr://'`
IP_PPP1=`ifconfig ppp1 | grep 'inet addr' | awk '{print $2}' | sed -e 's/addr://'`
REMOTE_IP=`ifconfig ppp1 | grep 'P-t-P' | awk '{print $3}' | sed -e 's/P-t-P://'`
INTERNAL_INTERFACE="YouEth0Addr/32"
LOOPBACK_INTERFACE="127.0.0.0/8"
INTERNAL_NETWORK="YouLocalNetWork/8"
ALL_NETWORK="0.0.0.0/0"
HIPORTS="1024:65535"
echo $IP_PPP0
echo $IP_PPP1
echo $REMOTE_IP
route add default gw $REMOTE_IP ppp1
# refresh all firewall rules
/sbin/ipchains -F forward
/sbin/ipchains -F input
/sbin/ipchains -F output
# setup default firewall rules
/sbin/ipchains -P forward DENY
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT
# setup Loopback interface
/sbin/ipchains -A input -j ACCEPT -i lo
/sbin/ipchains -A output -j ACCEPT -i lo
# disabling IP spoofing
/sbin/ipchains -A input -j DENY -i ppp+ -s $INTERNAL_NETWORK
/sbin/ipchains -A input -j DENY -i ppp+ -d $INTERNAL_NETWORK
/sbin/ipchains -A output -j DENY -i ppp+ -s $INTERNAL_NETWORK
/sbin/ipchains -A output -j DENY -i ppp+ -d $INTERNAL_NETWORK
/sbin/ipchains -A input -j DENY -i ppp0 -s $IP_PPP0
/sbin/ipchains -A output -j DENY -i ppp0 -d $IP_PPP0
/sbin/ipchains -A input -j DENY -i ppp1 -s $IP_PPP1
/sbin/ipchains -A output -j DENY -i ppp1 -d $IP_PPP1
# disabling incoming request from internet
/sbin/ipchains -A input -j DENY -i ppp0 -p TCP -y -d $IP_PPP0
/sbin/ipchains -A input -j DENY -i ppp1 -p TCP -y -d $IP_PPP1
#refuse packets claiming to be to or from the loopback interface
/sbin/ipchains -A input -j DENY -i ppp+ -s $LOOPBACK_INTERFACE
/sbin/ipchains -A input -j DENY -i ppp+ -d $LOOPBACK_INTERFACE
/sbin/ipchains -A output -j DENY -i ppp+ -s $LOOPBACK_INTERFACE
/sbin/ipchains -A output -j DENY -i ppp+ -d $LOOPBACK_INTERFACE
#refuse broadcast address source packets
/sbin/ipchains -A input -j DENY -i ppp+ -s 255.255.255.255
/sbin/ipchains -A input -j DENY -i ppp+ -d 0.0.0.0
#refuse multicast/anycast/broadcast address
/sbin/ipchains -A input -j DENY -i ppp+ -s 240.0.0.0/3
#setup IP Masquerading rules
echo "1" > /proc/sys/net/ipv4/ip_forward
#forwarding all internal traffic
/sbin/ipchains -A forward -j ACCEPT -i eth0 -s $INTERNAL_NETWORK -d $INTERNAL_NETWORK
# add modules for ftp, cuseeme, irc, real audio, etc...
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_quake
/sbin/modprobe ip_masq_irc
/sbin/modprobe ip_masq_user
/sbin/modprobe ip_masq_raudio
#starting IP masquerading
/sbin/ipchains -A forward -j MASQ -i ppp+ -s $INTERNAL_NETWORK -d $ALL_NETWORK
---------------------------------------------------------------------
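Two parts of this script deserve a dry run before it is wired into ip-up: the ifconfig parsing, which silently yields empty variables (and therefore rules that match nothing) if the pattern is off, and the anti-spoofing rules, whose effect is only visible once a packet is dropped. The script below is an added example, not part of the original article or of ipchains: ppp_addr extracts the local and peer address of a ppp interface from ifconfig output in one awk pass, and input_verdict applies the input chain's rules, in the order ipchains.rules adds them, to a packet described on the command line. The ifconfig text, the 10.0.0.0/8 internal network (standing in for YouLocalNetWork/8) and the 192.0.2.x and 198.51.100.x addresses are all constructed placeholders; input_verdict illustrates the rule logic and is not a substitute for the real filter.

```sh
#!/bin/sh
# Added example, not from the article: offline dry run of ipchains.rules.
# 1) ppp_addr pulls ppp link addresses out of ifconfig output.
# 2) input_verdict mimics the input chain's anti-spoofing decisions.
# All addresses and the ifconfig text are CONSTRUCTED placeholders.

# Constructed ifconfig(8) output in the format the original grep pipeline expects.
SAMPLE_IFCONFIG='ppp0      Link encap:Point-to-Point Protocol
          inet addr:192.0.2.10  P-t-P:192.0.2.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
ppp1      Link encap:Point-to-Point Protocol
          inet addr:192.0.2.20  P-t-P:192.0.2.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'

# ppp_addr IFACE local|remote : read ifconfig output on stdin, print the
# local (inet addr:) or peer (P-t-P:) address of IFACE.  A single awk pass
# replaces grep|awk|sed and its quoting pitfalls.
ppp_addr() {
    awk -v want="$1" -v which="$2" '
        /^[^ ]/ { iface = $1 }                 # interface header line
        iface == want && /inet addr:/ {
            for (i = 1; i <= NF; i++) {
                split($i, kv, ":")
                if (which == "local"  && kv[1] == "addr")  print kv[2]
                if (which == "remote" && kv[1] == "P-t-P") print kv[2]
            }
        }'
}

# ip2int A.B.C.D : dotted quad to a 32-bit integer using shell arithmetic.
ip2int() {
    oifs=$IFS; IFS=.; set -- $1; IFS=$oifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net ADDR NET/PREFIX : succeed when ADDR lies inside the network, the
# same test ipchains applies for -s/-d with a prefix length.
in_net() {
    net=${2%/*}; plen=${2#*/}
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

INTERNAL_NETWORK="10.0.0.0/8"        # constructed stand-in for YouLocalNetWork/8
LOOPBACK_INTERFACE="127.0.0.0/8"
IP_PPP0=$(printf '%s\n' "$SAMPLE_IFCONFIG" | ppp_addr ppp0 local)
IP_PPP1=$(printf '%s\n' "$SAMPLE_IFCONFIG" | ppp_addr ppp1 local)
REMOTE_IP=$(printf '%s\n' "$SAMPLE_IFCONFIG" | ppp_addr ppp1 remote)

# input_verdict IFACE SRC DST PROTO FLAG : print ACCEPT or DENY for a packet
# arriving on IFACE.  FLAG is "syn" for a TCP packet with only SYN set (what
# ipchains -y matches), otherwise "-".  Rule order follows ipchains.rules.
input_verdict() {
    iface=$1 src=$2 dst=$3 proto=$4 flag=$5
    case $iface in
    lo)   echo ACCEPT; return ;;            # -A input -j ACCEPT -i lo
    ppp*) ;;                                # the ppp+ rules below apply
    *)    echo ACCEPT; return ;;            # eth0 etc.: -P input ACCEPT
    esac
    case $iface in ppp0) myip=$IP_PPP0 ;; ppp1) myip=$IP_PPP1 ;; *) myip= ;; esac
    # -i ppp+ -s/-d INTERNAL_NETWORK: internal addresses never come from the ISP
    if in_net "$src" "$INTERNAL_NETWORK" || in_net "$dst" "$INTERNAL_NETWORK"; then
        echo DENY; return
    fi
    # -i pppN -s IP_PPPN: our own link address is never a valid source
    [ "$src" = "$myip" ] && { echo DENY; return; }
    # -p TCP -y -d IP_PPPN: no new inbound TCP connections to the link address
    if [ "$proto" = tcp ] && [ "$flag" = syn ] && [ "$dst" = "$myip" ]; then
        echo DENY; return
    fi
    # loopback, broadcast and 240.0.0.0/3 (class D/E) addresses are never valid
    if in_net "$src" "$LOOPBACK_INTERFACE" || in_net "$dst" "$LOOPBACK_INTERFACE" \
       || [ "$src" = 255.255.255.255 ] || [ "$dst" = 0.0.0.0 ] \
       || in_net "$src" 240.0.0.0/3; then
        echo DENY; return
    fi
    echo ACCEPT                             # fell through to -P input ACCEPT
}

echo "ppp0=$IP_PPP0 ppp1=$IP_PPP1 ppp1-peer=$REMOTE_IP"
for pkt in "ppp0 10.1.2.3 192.0.2.10 udp -" \
           "ppp1 198.51.100.7 192.0.2.20 tcp syn" \
           "ppp1 198.51.100.7 192.0.2.20 tcp -"; do
    echo "$pkt -> $(input_verdict $pkt)"
done
```

The third sample packet is the interesting one: a non-SYN TCP segment to the ppp1 address is accepted, which is how replies to connections opened from inside get back in while unsolicited connection attempts (SYN only) are refused. On the real gateway, `ifconfig | ppp_addr ppp0 local` would replace the constructed sample.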
/etc/rc.d/ipchains.reset
---------------------------------------------------------------------
#!/bin/sh
echo "Reset ipchains firewall rules..."
/etc/ppp/ppp-off ppp1     # hang up the second modem (script installed in step 6)
# refresh all firewall rules
/sbin/ipchains -F forward
/sbin/ipchains -F input
/sbin/ipchains -F output
# setup default firewall rules
/sbin/ipchains -P forward ACCEPT
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT
#setup IP Masquerading rules
echo "0" > /proc/sys/net/ipv4/ip_forward
---------------------------------------------------------------------
9. Configure the kernel (starting from the default configuration)
make xconfig
Under Networking options set "IP: equal cost multipath" to Y
Recompile the kernel
10. Set diald to start automatically and boot the machine with the new kernel
11. The above configuration was tested on both the 163 and 169 services and works well.
Posted by: netbull  From: LinuxKD