
Configuring Internet access over two modems on Linux

    Purpose: connect to the Internet over two modems or external ISDN TAs, with load sharing, proxying and firewalling. (In theory more than two modems can be supported.)

    Platform and hardware:
    One P200 PC with 64 MB RAM, a 2.1 GB hard disk and a 3c509b network card
    Two TAICOM IS128 external TAs, attached to com1 and com2, with two ISDN lines

    Software used:
    Red Hat Linux 6.1
    dial-up tool: diald-0.16-5a-1
    firewall: ipchains 1.3.9
    pppd: pppd 2.3.7

    Summary: how to configure diald to go online over two modems.


    Notes:
    (1) This article draws on two articles by Jephe Wu on the China Linux Forum (www.linuxforum.net): "Configuring an external ISDN TA to dial up on both B channels" and "Building a firewall with IP masquerading on Red Hat 6.1 using ipchains".
    (2) This is offered only as a reference for Linux users setting up two modems. With the configuration below the author was able to dial out over two modems and share the load between them, but no guarantee is made, least of all about the security of the firewall.

    Installation and configuration:

    1. Configure the TA for MPPP (both B channels bundled) and save the setting.
    2. Install pppd (the pppd that came with the distribution had problems, so it was removed and an older version installed) and diald.
    3. Configure diald (create or edit /etc/diald.conf,
    /etc/diald/connect,
    /etc/ppp/pppscript,
    /etc/ppp/options,
    /etc/ppp/pap-secrets).
    4. The contents of these files are as follows:
    ---------------------------------------------------------------------
    /etc/diald.conf (copy /etc/diald/diald.conf to /etc and edit it; the original comments have been removed)
    ---------------------------------------------------------------------
    accept any 420 any
    device /dev/ttyS0
    speed 115200
    lock
    mode ppp
    dynamic
    local 192.168.0.1
    remote 192.168.0.2
    up-delay 3
    defaultroute
    modem
    crtscts
    connect /etc/diald/connect
    redial-timeout 10
    fifo /etc/diald/diald.ctl
    # uncomment the two lines below once the ipchains scripts are in place
    #ip-up /etc/rc.d/ipchains.rules
    #ip-down /etc/rc.d/ipchains.reset
    ---------------------------------------------------------------------
    /etc/diald/connect
    ---------------------------------------------------------------------
    #!/bin/sh
    /usr/sbin/chat -v -f /etc/ppp/pppscript
    ---------------------------------------------------------------------
    /etc/ppp/pppscript
    ---------------------------------------------------------------------
    TIMEOUT 60
    ABORT ERROR
    ABORT BUSY
    ABORT "NO CARRIER"
    ABORT "NO DIALTONE"
    # 169 is the ISP's access number; change it to the one your ISP uses
    # (chat only treats a line whose first character is # as a comment)
    "" "ATZ"
    OK "atdt169"
    TIMEOUT 75
    CONNECT ""
    ---------------------------------------------------------------------
    /etc/ppp/options
    ---------------------------------------------------------------------
    name your_account_at_ISP
    login
    asyncmap 0
    ---------------------------------------------------------------------
    /etc/ppp/pap-secrets
    ---------------------------------------------------------------------
    # Secrets for authentication using PAP
    # client server secret IP addresses
    your_account_at_ISP * your_passwd_at_ISP
    ---------------------------------------------------------------------
    5. Run diald and test it.
    Run ping 1.1.1.1; if everything is set up correctly, the link should come up.
    Watch the connection being established with tail /var/log/messages.
    6. Configure the second modem
    (copy ppp-on, ppp-off and ppp-on-dialer from /usr/doc/ppp-2.3.7/scripts
    to /etc/ppp and edit them; ppp-off needs no changes)
    ---------------------------------------------------------------------
    /etc/ppp/ppp-on
    ---------------------------------------------------------------------
    #!/bin/sh
    TELEPHONE=169 # The telephone number for the connection
    LOCAL_IP=0.0.0.0 # Local IP address if known. Dynamic = 0.0.0.0
    REMOTE_IP=0.0.0.0 # Remote IP address if desired. Normally 0.0.0.0
    NETMASK=255.255.255.0 # The proper netmask if needed
    DIALER_SCRIPT=/etc/ppp/ppp-on-dialer
    export TELEPHONE # the dialer script reads it from the environment
    exec /usr/sbin/pppd debug lock modem crtscts /dev/ttyS1 115200 \
        $LOCAL_IP:$REMOTE_IP \
        noipdefault netmask $NETMASK defaultroute connect $DIALER_SCRIPT
    ---------------------------------------------------------------------
    ppp-on-dialer
    ---------------------------------------------------------------------
    #!/bin/sh
    # expect/send pairs; the ABORT strings carry the CR/LF the modem sends
    exec /usr/sbin/chat -v \
        TIMEOUT 3 \
        ABORT '\nBUSY\r' \
        ABORT '\nNO ANSWER\r' \
        ABORT '\nRINGING\r\n\r\nRINGING\r' \
        '' \rATZ \
        'OK-+++\c-OK' ATH0 \
        TIMEOUT 30 \
        OK ATDT$TELEPHONE \
        CONNECT ''
    ---------------------------------------------------------------------
    7. Test the second modem's connection
    Run ppp-on
    If all is well, the link should come up.
    8. Set up ipchains and tie the dialling and hang-up of both modems together
    (create the two files /etc/rc.d/ipchains.rules and /etc/rc.d/ipchains.reset
    and set their mode to 600)
    ---------------------------------------------------------------------
    /etc/rc.d/ipchains.rules
    ---------------------------------------------------------------------
    #!/bin/sh
    echo "Starting ipchains firewall rules..."
    # ppp-on was copied to /etc/ppp in step 6
    /etc/ppp/ppp-on
    sleep 10

    # local address of each link and the peer address of ppp1, from ifconfig
    IP_PPP0=`ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/addr://'`
    IP_PPP1=`ifconfig ppp1 | grep 'inet addr' | awk '{print $2}' | sed -e 's/addr://'`
    REMOTE_IP=`ifconfig ppp1 | grep 'P-t-P' | awk '{print $3}' | sed -e 's/P-t-P://'`

    INTERNAL_INTERFACE="YouEth0Addr/32"
    LOOPBACK_INTERFACE="127.0.0.0/8"
    INTERNAL_NETWORK="YouLocalNetWork/8"
    ALL_NETWORK="0.0.0.0/0"
    HIPORTS="1024:65535"

    echo $IP_PPP0
    echo $IP_PPP1
    echo $REMOTE_IP

    route add default gw $REMOTE_IP ppp1

    # refresh all firewall rules
    /sbin/ipchains -F forward
    /sbin/ipchains -F input
    /sbin/ipchains -F output

    # setup default firewall rules
    /sbin/ipchains -P forward DENY
    /sbin/ipchains -P input ACCEPT
    /sbin/ipchains -P output ACCEPT


    # setup Loopback interface
    /sbin/ipchains -A input -j ACCEPT -i lo
    /sbin/ipchains -A output -j ACCEPT -i lo

    # disabling IP spoofing
    /sbin/ipchains -A input -j DENY -i ppp+ -s $INTERNAL_NETWORK
    /sbin/ipchains -A input -j DENY -i ppp+ -d $INTERNAL_NETWORK

    /sbin/ipchains -A output -j DENY -i ppp+ -s $INTERNAL_NETWORK
    /sbin/ipchains -A output -j DENY -i ppp+ -d $INTERNAL_NETWORK

    /sbin/ipchains -A input -j DENY -i ppp0 -s $IP_PPP0
    /sbin/ipchains -A output -j DENY -i ppp0 -d $IP_PPP0
    /sbin/ipchains -A input -j DENY -i ppp1 -s $IP_PPP1
    /sbin/ipchains -A output -j DENY -i ppp1 -d $IP_PPP1

    # disabling incoming request from internet
    /sbin/ipchains -A input -j DENY -i ppp0 -p TCP -y -d $IP_PPP0
    /sbin/ipchains -A input -j DENY -i ppp1 -p TCP -y -d $IP_PPP1

    #refuse packets claiming to be to or from the loopback interface
    /sbin/ipchains -A input -j DENY -i ppp+ -s $LOOPBACK_INTERFACE
    /sbin/ipchains -A input -j DENY -i ppp+ -d $LOOPBACK_INTERFACE

    /sbin/ipchains -A output -j DENY -i ppp+ -s $LOOPBACK_INTERFACE
    /sbin/ipchains -A output -j DENY -i ppp+ -d $LOOPBACK_INTERFACE

    #refuse broadcast address source packets
    /sbin/ipchains -A input -j DENY -i ppp+ -s 255.255.255.255
    /sbin/ipchains -A input -j DENY -i ppp+ -d 0.0.0.0

    #refuse multicast/anycast/broadcast address
    /sbin/ipchains -A input -j DENY -i ppp+ -s 240.0.0.0/3

    #setup IP Masquerading rules
    echo "1" > /proc/sys/net/ipv4/ip_forward

    #forwarding all internal traffic
    /sbin/ipchains -A forward -j ACCEPT -i eth0 -s $INTERNAL_NETWORK -d $INTERNAL_NETWORK

    # add modules for ftp, cuseeme, irc, real audio, etc...
    /sbin/modprobe ip_masq_ftp
    /sbin/modprobe ip_masq_quake
    /sbin/modprobe ip_masq_irc
    /sbin/modprobe ip_masq_user
    /sbin/modprobe ip_masq_raudio

    #starting IP masquerading
    /sbin/ipchains -A forward -j MASQ -i ppp+ -s $INTERNAL_NETWORK -d $ALL_NETWORK
    ---------------------------------------------------------------------
    /etc/rc.d/ipchains.reset
    ---------------------------------------------------------------------
    #!/bin/sh
    echo "Reset ipchains firewall rules..."
    # ppp-off was copied to /etc/ppp in step 6; it takes the interface to drop
    /etc/ppp/ppp-off ppp1

    # refresh all firewall rules
    /sbin/ipchains -F forward
    /sbin/ipchains -F input
    /sbin/ipchains -F output

    # setup default firewall rules
    /sbin/ipchains -P forward ACCEPT
    /sbin/ipchains -P input ACCEPT
    /sbin/ipchains -P output ACCEPT

    #setup IP Masquerading rules
    echo "0" > /proc/sys/net/ipv4/ip_forward
    ---------------------------------------------------------------------
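    The rules script above takes IP_PPP0, IP_PPP1 and REMOTE_IP straight from ifconfig after a fixed 10-second sleep; if ppp1 has not come up by then, the variables are empty and the -s/-d rules and the default route are built from empty strings. As an added example (not part of the original article), the following POSIX shell parses the same ifconfig fields and refuses to hand over the addresses unless both are present and well-formed; the ifconfig output it works on is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the article: extract the local and point-to-point
# addresses from ifconfig-style output and only return them when both are
# well-formed dotted quads, so an empty or garbled value never reaches
# ipchains or "route add".

# Read ifconfig output on stdin; print "<local> <remote>" or return 1.
ppp_addrs() {
    # Same fields the article's pipeline relies on: "inet addr:A  P-t-P:B"
    awk '/inet addr:/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^addr:/)  { sub(/^addr:/, "", $i);  lip = $i }
                if ($i ~ /^P-t-P:/) { sub(/^P-t-P:/, "", $i); rip = $i }
            }
        }
        END { if (lip != "" && rip != "") print lip, rip; else exit 1 }'
}

# Strict dotted-quad check: four decimal octets, each in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# Constructed sample of `ifconfig ppp1` on a 2.2 kernel once IPCP is up.
PPP1_UP='ppp1      Link encap:Point-to-Point Protocol
          inet addr:10.20.30.40  P-t-P:10.20.30.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'

# Constructed sample of the same interface before pppd has an address.
PPP1_DOWN='ppp1      Link encap:Point-to-Point Protocol
          POINTOPOINT NOARP MULTICAST  MTU:1500  Metric:1'

# Read ifconfig output on stdin; print "local remote" and return 0 only
# when both addresses are usable. In ipchains.rules one would write:
#   addrs=$(ifconfig ppp1 | check_ppp) || exit 1
check_ppp() {
    addrs=$(ppp_addrs) || return 1
    set -- $addrs
    valid_ipv4 "$1" && valid_ipv4 "$2" || return 1
    printf '%s %s\n' "$1" "$2"
}
```

    Replacing the fixed sleep with a loop that retries check_ppp a few times before giving up keeps the firewall from being loaded against a half-configured link.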
    9. Configure the kernel (starting from the default configuration)
    make xconfig
    Under Networking options set IP: equal cost multipath to Y
    Rebuild the kernel
    10. Set diald to start automatically and boot the machine with the new kernel.
    11. The configuration above was tested on both 163 and 169 and works well.

    Posted by: netbull    From: LinuxKD