
How to share a single IP for Internet access (IP masquerading + IPChains + DHCP server)



    1. Background and requirements

    A friend's office goes online over a cable modem. The contract allows only one IP address, yet there are more than ten computers,
    so the friend went to the ISP, explained the situation and paid a large extra fee. The requirement: every machine gets Internet access through that one IP.

    2. Hardware & software
    Hardware: P90, 32 MB RAM, two NICs (one 3Com, one D-Link; using two different brands makes eth0 and eth1 easy to tell apart),
    one hub.
    Software: RedHat 6.2 + Helix Gnome (so that FireStarter can run); upgrading the kernel is recommended.

    3. Installing the firewall

    Setting up IP masquerading + IPChains:


    Create /etc/rc.d/rc.firewall (or any file name in any location, if you will run it by hand) with the following contents:

    #!/bin/sh
    #
    # rc.firewall - Initial SIMPLE IP Masquerade test for 2.1.x and 2.2.x kernels
    # using IPCHAINS
    #
    # Needed to initially load modules
    #
    /sbin/depmod -a

    # Supports the proper masquerading of FTP file transfers using the PORT method
    #
    /sbin/modprobe ip_masq_ftp

    # Supports the masquerading of RealAudio over UDP. Without this module,
    # RealAudio WILL function but in TCP mode. This can cause a reduction
    # in sound quality
    #
    #/sbin/modprobe ip_masq_raudio --> for receiving RealAudio

    # Supports the masquerading of IRC DCC file transfers
    #
    #/sbin/modprobe ip_masq_irc --> remove the "#" if you want to use IRC; my friend does not allow it :-)


    # Playing Quake over the network
    # Supports the masquerading of Quake and QuakeWorld by default. This module is
    # for multiple users behind the Linux MASQ server. If you are going to
    # play Quake I, II, and III, use the second example.
    #
    # NOTE: If you get ERRORs loading the QUAKE module, you are running an old
    # ----- kernel that has bugs in it. Please upgrade to the newest kernel.
    #
    #Quake I / QuakeWorld (ports 26000 and 27000)
    #/sbin/modprobe ip_masq_quake
    #
    #Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
    #/sbin/modprobe ip_masq_quake 26000,27000,27910,27960


    # Supports the masquerading of the CuSeeme video conferencing software
    #
    #/sbin/modprobe ip_masq_cuseeme --> CU-SeeMe video conferencing

    #Supports the masquerading of the VDO-live video conferencing software
    #
    #/sbin/modprobe ip_masq_vdolive --> VDO-Live video conferencing


    #CRITICAL: Enable IP forwarding since it is disabled by default.
    #

    # Redhat Users: you may try changing the options in
    # /etc/sysconfig/network from:
    #
    # FORWARD_IPV4=false
    # to
    # FORWARD_IPV4=true
    #
    echo "1" > /proc/sys/net/ipv4/ip_forward


    #CRITICAL: Enable automatic IP defragmenting since it is disabled by default
    # in 2.2.x kernels. This used to be a compile-time option but the
    # behavior was changed in 2.2.12
    #
    echo "1" > /proc/sys/net/ipv4/ip_always_defrag


    # Dynamic IP users: --> this ISP assigns addresses via DHCP, so enable this
    #
    # If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this
    # following option. This enables dynamic-ip address hacking in IP MASQ,
    # making the life with Diald and similar programs much easier.
    #
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr


    # Enable the LooseUDP patch which some Internet-based games require
    #
    # If you are trying to get an Internet game to work through your IP MASQ box,
    # and you have set it up to the best of your ability without it working, try
    # enabling this option (delete the "#" character). This option is disabled
    # by default due to possible internal machine UDP port scanning
    # vulnerabilities.
    #
    #echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose


    # MASQ timeouts
    #
    # 2 hrs timeout for TCP session timeouts
    # 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
    # 160 sec timeout for UDP traffic (Important for MASQed ICQ users)
    #
    /sbin/ipchains -M -S 7200 10 160


    # DHCP: For people who receive their external IP address from either DHCP or
    # BOOTP such as ADSL or Cablemodem users, it is necessary to use the
    # following before the deny command. The "bootp_client_net_if_name"
    # should be replaced the name of the link that the DHCP/BOOTP server
    # will put an address on to? This will be something like "eth0",
    # "eth1", etc.
    #
    # This rule is enabled here (rather than commented out) because this ISP
    # assigns the external address via DHCP.
    #
    /sbin/ipchains -A input -j ACCEPT -i eth0 -s 0/0 67 -d 0/0 68 -p udp

    # Enable simple IP forwarding and Masquerading
    #
    # NOTE: The following is an example for an internal LAN address in the
    # 192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask
    # connecting to the Internet on interface eth0.
    #
    # ** Please change this network number, subnet mask, and your Internet
    # ** connection interface name to match your internal LAN setup
    #
    /sbin/ipchains -P forward DENY
    /sbin/ipchains -A forward -i eth0 -s 192.168.0.0/24 -j MASQ

    Run chmod 700 /etc/rc.d/rc.firewall to make it executable.
    Then add the line /etc/rc.d/rc.firewall to /etc/rc.d/rc.local so that it runs at boot.
    The firewall rules above let every PC on the subnet (192.168.x.x) reach the Internet through the single ISP-assigned IP; IRC, RealPlayer, Quake and so on stay disabled.
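As an added example (not part of the original article), the following POSIX shell script audits the kernel switches that rc.firewall writes under /proc/sys/net/ipv4: forwarding, defragmentation and dynaddr must be on, and the LooseUDP switch must stay off, since the script leaves it commented out because of its UDP port-scanning risk. The directory is passed as a parameter and a constructed sample tree is built inline so the check runs offline; the function names and the sample values are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: audit the sysctl files that
# rc.firewall above writes. The directory is a parameter so the check can run
# against the real /proc/sys/net/ipv4 or against a constructed copy of it.

# Usage: audit_masq_sysctls DIR
# Prints one line per missing file or mismatched value and returns the number
# of problems found; 0 means the tree matches what rc.firewall should leave.
audit_masq_sysctls() {
    dir=$1
    bad=0
    # name=expected pairs; ip_masq_udp_dloose is expected OFF (LooseUDP patch)
    for pair in ip_forward=1 ip_always_defrag=1 ip_dynaddr=1 ip_masq_udp_dloose=0; do
        name=${pair%=*}
        want=${pair#*=}
        if [ ! -r "$dir/$name" ]; then
            echo "MISSING  $name (this kernel has no such switch, or wrong path)"
            bad=$((bad + 1))
            continue
        fi
        have=$(cat "$dir/$name")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $name is $have, rc.firewall expects $want"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample tree (hypothetical values) standing in for /proc/sys/net/ipv4:
# dynaddr was forgotten and LooseUDP was switched on, so two problems are expected.
make_sample_proc() {
    d=$(mktemp -d)
    printf '1\n' > "$d/ip_forward"
    printf '1\n' > "$d/ip_always_defrag"
    printf '0\n' > "$d/ip_dynaddr"
    printf '1\n' > "$d/ip_masq_udp_dloose"
    echo "$d"
}

# Set a tree the way rc.firewall does, and switch LooseUDP back off.
apply_masq_sysctls() {
    dir=$1
    echo "1" > "$dir/ip_forward"
    echo "1" > "$dir/ip_always_defrag"
    echo "1" > "$dir/ip_dynaddr"
    echo "0" > "$dir/ip_masq_udp_dloose"
}

# Stand-alone demonstration on the constructed tree.
sample=$(make_sample_proc)
audit_masq_sysctls "$sample" || echo "$? problem(s) found before applying the settings"
apply_masq_sysctls "$sample"
audit_masq_sysctls "$sample" && echo "tree now matches rc.firewall"
rm -rf "$sample"
```

To audit a live box, call `audit_masq_sysctls /proc/sys/net/ipv4` after rc.firewall has run; a non-zero return means the script did not leave the kernel in the state the rules assume.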


    4. DHCP server

    To make network setup easy for the Windows machines on the LAN, install a DHCP server as well.
    Go to the RedHat packages directory and run rpm -ivh dhcp* to make sure all the DHCP packages are installed.

    touch /var/state/dhcp/dhcpd.leases creates dhcpd's lease log file.

    Create the file /etc/dhcpd.conf:


    # /etc/dhcpd.conf
    # Run "route add -host 255.255.255.255 dev eth1 2> /dev/null", then
    # "/usr/sbin/dhcpd eth1" to start dhcpd bound to eth1.
    # Don't start it on eth0: that conflicts with the ISP's DHCP server!
    #
    subnet 192.168.0.0 netmask 255.255.255.0 {
        range 192.168.0.10 192.168.0.100;

        default-lease-time 1200;
        max-lease-time 9200;
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.0.255;
        option routers 192.168.0.1;
        # the ISP's DNS servers
        option domain-name-servers xxx.xx.xx.xx, xxx.xx.xxx.x;
        option domain-name "offfice.net";
    }

    The settings above hand out internal addresses from 192.168.0.10 to 192.168.0.100 automatically.


    Bind dhcpd to eth1; otherwise the system binds it to eth0, where it fails to start and also conflicts with the ISP's DHCP server.
    Edit /etc/rc.d/init.d/dhcpd and append eth1 after /usr/sbin/dhcpd.

    Finally, so that the client PCs reliably obtain their route, run:

    route add -host 255.255.255.255 dev eth1 2> /dev/null
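Since every internal machine leaves the LAN with the same external address, the leases file created above is the one record that maps an internal address (and therefore its traffic) back to a particular client. The following POSIX shell script, an added example that is not part of the original article, extracts the current lease per IP from a dhcpd.leases file in the ISC dhcpd format; the sample leases file is constructed inline with hypothetical hosts, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original article: list the clients recorded in
# a dhcpd.leases file (ISC dhcpd format). dhcpd appends a new record on every
# renewal, so the last record for an IP is the current one.

# Usage: list_leases FILE
# Prints "IP MAC hostname" once per IP, in first-seen order; "-" when unknown.
list_leases() {
    awk '
        /^lease /                  { ip = $2; mac = "-"; host = "-" }
        /^[ \t]*hardware ethernet/ { mac = $3; sub(/;$/, "", mac) }
        /^[ \t]*client-hostname/   { host = $2; gsub(/[";]/, "", host) }
        /^}/ {
            current[ip] = mac " " host
            if (!(ip in order)) { order[ip] = ++n; keys[n] = ip }
        }
        END { for (i = 1; i <= n; i++) print keys[i], current[keys[i]] }
    ' "$1"
}

# Usage: count_leases FILE  -> number of distinct leased IPs
count_leases() {
    list_leases "$1" | awk 'END { print NR }'
}

# Usage: lease_for_mac FILE MAC -> the IP currently held by that MAC, if any
lease_for_mac() {
    list_leases "$1" | awk -v m="$2" '$2 == m { print $1 }'
}

# Constructed sample leases file (hypothetical hosts and times): pc1 renews
# once, so 192.168.0.10 appears twice and must be reported only once.
make_sample_leases() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
lease 192.168.0.10 {
    starts 3 2000/06/07 12:00:00;
    ends 3 2000/06/07 12:20:00;
    hardware ethernet 00:50:ba:12:34:56;
    client-hostname "pc1";
}
lease 192.168.0.11 {
    starts 3 2000/06/07 12:05:00;
    ends 3 2000/06/07 12:25:00;
    hardware ethernet 00:80:c8:aa:bb:cc;
}
lease 192.168.0.10 {
    starts 3 2000/06/07 12:15:00;
    ends 3 2000/06/07 12:35:00;
    hardware ethernet 00:50:ba:12:34:56;
    client-hostname "pc1";
}
EOF
    echo "$f"
}

# Stand-alone demonstration on the constructed file.
sample=$(make_sample_leases)
list_leases "$sample"
rm -f "$sample"
```

On the gateway itself, `list_leases /var/state/dhcp/dhcpd.leases` gives the IP-to-MAC inventory of the hosts behind the masquerade, and `lease_for_mac` answers which internal address a given card holds.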

    5. Clients

    Very simple: go to Start --> Settings --> Network --> TCP/IP --> Obtain an IP address automatically.

    Posted by: Crystal, from: China Linux Forum