Download CentOS-3.4-i386-Server.iso, burn it to a CD, find a machine with two network cards and install every package.
Configure the network
------ first network card ----------
IP address: 192.168.1.254
Netmask: 255.255.255.0
Net device: eth0
------ second network card ----------
IP address: 192.168.254.254
Netmask: 255.255.255.0
Net device: eth1
Run adsl-setup as root:
[root@LinuxSir02 root]# adsl-setup
Welcome to the ADSL client setup. First, I will run some checks on
your system to make sure the PPPoE client is installed properly...
LOGIN NAME
Enter your Login Name (default root): (enter the user name your ADSL provider gave you)
INTERFACE
Enter the Ethernet interface connected to the ADSL modem
For Solaris, this is likely to be something like /dev/hme0.
For Linux, it will be ethX, where 'X' is a number.
(default eth0): eth0    (the ADSL line comes in through eth0, the first network card of the first machine, which provides the Internet access)
Do you want the link to come up on demand, or stay up continuously?
If you want it to come up on demand, enter the idle time in seconds
after which the link should be dropped. If you want the link to
stay up permanently, enter 'no' (two letters, lower-case.)
NOTE: Demand-activated links do not interact well with dynamic IP
addresses. You may have some problems with demand-activated links.
Enter the demand value (default no): (just press Enter here)
DNS
Please enter the IP address of your ISP's primary DNS server.
If your ISP claims that 'the server will provide dynamic DNS addresses',
enter 'server' (all lower-case) here.
If you just press enter, I will assume you know what you are
doing and not modify your DNS setup.
Enter the DNS information here: 202.101.172.35    (the primary DNS; best to use the one your local telecom gives you, here Hangzhou Telecom's primary DNS)
Please enter the IP address of your ISP's secondary DNS server.
If you just press enter, I will assume there is only one DNS server.
Enter the secondary DNS server address here: 202.96.104.18    (the secondary DNS, also from the telecom)
PASSWORD
Please enter your Password: (enter the password your ADSL provider gave you)
Please re-enter your Password:
USERCTRL
Please enter 'yes' (two letters, lower-case.) if you want to allow
normal user to start or stop DSL connection (default yes): yes
FIREWALLING
Please choose the firewall rules to use. Note that these rules are
very basic. You are strongly encouraged to use a more sophisticated
firewall setup; however, these will provide basic security. If you
are running any servers on your machine, you must choose 'NONE' and
set up firewalling yourself. Otherwise, the firewall rules will deny
access to all standard servers like Web, e-mail, ftp, etc. If you
are using SSH, the rules will block outgoing SSH connections which
allocate a privileged source port.
The firewall choices are:
0 - NONE: This script will not set any firewall rules. You are responsible
for ensuring the security of your machine. You are STRONGLY
recommended to use some kind of firewall rules.
1 - STANDALONE: Appropriate for a basic stand-alone web-surfing workstation
2 - MASQUERADE: Appropriate for a machine acting as an Internet gateway
for a LAN
Choose a type of firewall (0-2): 2
Start this connection at boot time
Do you want to start this connection at boot time?
Please enter no or yes (default no):yes
** Summary of what you entered **
Ethernet Interface: eth0
User name: <ADSL user name>
Activate-on-demand: No
Primary DNS: 202.101.172.35
Secondary DNS: 202.96.104.18
Firewalling: MASQUERADE
User Control: yes
Accept these settings and adjust configuration files (y/n)?y
Related commands:
adsl-start   dial up
adsl-stop    disconnect
adsl-status  show the connection status
adsl-start
Import the CentOS package-signing key and update all packages:
rpm --import http://mirror.centos.org/centos/3.4/os/i386/RPM-GPG-KEY-CentOS-3
yum -y update
This upgrades the system to 3.5.
Reboot.
Configure the DHCP server
vi /etc/dhcpd.conf
ddns-update-style interim;
ignore client-updates;
subnet 192.168.1.0 netmask 255.255.255.0 {
    # --- default gateway
    option routers 192.168.1.254;
    option subnet-mask 255.255.255.0;
    # option nis-domain "domain.org";
    # option domain-name "domain.org";
    option domain-name-servers 202.101.172.35,202.96.104.18,192.168.1.254;
    option time-offset -18000; # Eastern Standard Time
    # option ntp-servers 192.168.1.1;
    # option netbios-name-servers 192.168.1.1;
    # --- Selects point-to-point node (default is hybrid). Don't change this unless
    # -- you understand Netbios very well
    # option netbios-node-type 2;
    range dynamic-bootp 192.168.1.100 192.168.1.200;
    default-lease-time 864000;
    max-lease-time 2592000;
    # we want the nameserver to appear at a fixed address
    #host ns {
    #    next-server marvin.redhat.com;
    #    hardware ethernet 12:34:56:78:AB:CD;
    #    fixed-address 207.175.42.254;
    #}
}
vi /etc/sysconfig/dhcpd
# Command line options here
DHCPDARGS="eth0"
This binds the DHCP service to eth0.
Set up a simple firewall:
vi /root/iptables.rule
#!/bin/bash
# The interface that connects to the Internet
WAN_ETH="ppp0"
# The inside (LAN) interface. If you don't have one,
# leave this blank, e.g. LAN_ETH=""
LAN_ETH="eth0"
LAN_NET="192.168.1.0/24" # the network that is NATed
echo 1 > /proc/sys/net/ipv4/ip_forward
# 1.0 check the kernel version and unload ipchains, which conflicts with iptables
kver=`uname -r | cut -c 1-3`
if [ "$kver" != "2.4" ] && [ "$kver" != "2.5" ]; then
    echo "Your Linux kernel version may not be supported by this script!"
    echo "This script will not be run"
    exit 1
fi
ipchains=`lsmod | grep ipchains`
if [ "$ipchains" != "" ]; then
    echo "unloading ipchains from your system"
    rmmod ipchains 2> /dev/null
fi
# 2.0 load the netfilter modules (NAT, connection tracking and the FTP/IRC helpers)
PATH=/sbin:/bin:/usr/sbin:/usr/bin
export PATH WAN_ETH LAN_ETH LAN_NET
modprobe ip_tables #> /dev/null 2>&1
modprobe iptable_nat #> /dev/null 2>&1
modprobe ip_nat_ftp #> /dev/null 2>&1
modprobe ip_nat_irc #> /dev/null 2>&1
modprobe ip_conntrack #> /dev/null 2>&1
modprobe ip_conntrack_ftp #> /dev/null 2>&1
modprobe ip_conntrack_irc #> /dev/null 2>&1
# 3.0 flush everything; default policy: drop inbound, allow outbound and forwarded traffic
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -F -t nat
/sbin/iptables -X -t nat
/sbin/iptables -Z -t nat
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
# 4.0 trust loopback and the LAN; masquerade LAN traffic leaving through the WAN
/sbin/iptables -A INPUT -i lo -j ACCEPT
if [ "$LAN_ETH" != "" ]; then
    /sbin/iptables -A INPUT -i $LAN_ETH -j ACCEPT
    echo "1" > /proc/sys/net/ipv4/ip_forward
    /sbin/iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_ETH -j MASQUERADE
fi
# 5.0 optional deny/allow lists, run if present
if [ -f /usr/local/virus/iptables/iptables.deny ]; then
    sh /usr/local/virus/iptables/iptables.deny
fi
if [ -f /usr/local/virus/iptables/iptables.allow ]; then
    sh /usr/local/virus/iptables/iptables.allow
fi
# 6.0
if [ -f /usr/local/virus/httpd-err/iptables.http ]; then
    sh /usr/local/virus/httpd-err/iptables.http
fi
# 7.0 accept replies to connections we started, and a limited set of ICMP types from the WAN
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
AICMP="0 3 3/4 4 11 12 14 16 18"
for tyicmp in $AICMP
do
    /sbin/iptables -A INPUT -i $WAN_ETH -p icmp --icmp-type $tyicmp -j ACCEPT
done
# 8.0 Allow services (uncomment only what this gateway itself serves to the Internet)
# /sbin/iptables -A INPUT -p TCP -i $WAN_ETH --dport 22 -j ACCEPT # SSH
# /sbin/iptables -A INPUT -p TCP -i $WAN_ETH --dport 25 -j ACCEPT # SMTP
# /sbin/iptables -A INPUT -p UDP -i $WAN_ETH --dport 53 -j ACCEPT # DNS
# /sbin/iptables -A INPUT -p TCP -i $WAN_ETH --dport 53 -j ACCEPT # DNS
# /sbin/iptables -A INPUT -p TCP -i $WAN_ETH --dport 80 -j ACCEPT # WWW
# /sbin/iptables -A INPUT -p TCP -i $WAN_ETH --dport 110 -j ACCEPT # POP3
# /sbin/iptables -A INPUT -p TCP -i $WAN_ETH --dport 113 -j ACCEPT # auth
# 9.0 Allow NAT for intranet servers (port forwards from the WAN to LAN hosts)
iptables -t nat -A PREROUTING -i $WAN_ETH -p tcp --dport http -j DNAT --to 192.168.1.148:80
iptables -t nat -A PREROUTING -i $WAN_ETH -p tcp --dport 8080 -j DNAT --to 192.168.1.1:80
iptables -t nat -A PREROUTING -p tcp -m tcp -i $WAN_ETH --dport ftp -j DNAT --to 192.168.1.1
iptables -t nat -A PREROUTING -p tcp -m tcp -i $WAN_ETH --dport ftp-data -j DNAT --to 192.168.1.1
iptables -t nat -A PREROUTING -p tcp -m tcp -i $WAN_ETH --dport 2121 -j DNAT --to 192.168.1.148:2121
# 10 Hardening the TCP/IP stack against SYN attacks; also rate-limit fragmented packets
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
iptables -A INPUT -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
# 11 Allow NAT for intranet BT/eMule clients
#iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 4000 -j DNAT --to 192.168.1.112:4000
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 6881 -j DNAT --to 192.168.1.193:6881
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 4662 -j DNAT --to 192.168.1.193:4662
iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 4672 -j DNAT --to 192.168.1.193:4672
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 16881 -j DNAT --to 192.168.1.189:16881
cd /root
chmod 700 iptables.rule
vi /etc/rc.d/rc.local
Add the following two lines so the script runs at boot:
# add iptables firewall
/root/iptables.rule
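Added example, not code from the original post: checks a practitioner would run against the live ruleset once /root/iptables.rule has been applied, confirming what the script intends (INPUT defaults to DROP, MASQUERADE is limited to LAN_NET, every DNAT forward points at a LAN host). The functions read iptables-save(8) text passed as their argument; SAMPLE_RULES is a constructed stand-in for `iptables-save` output, with one deliberately bad forward, so the checks run offline.

```shell
#!/bin/bash
# Added example, not code from the original post: checks a practitioner would
# run against the live ruleset once /root/iptables.rule has been applied.
# Each function reads iptables-save(8) text passed as "$1"; SAMPLE_RULES is a
# constructed stand-in for `iptables-save` output so the checks run offline.
LAN_NET="192.168.1.0/24"

ip2int() {                      # dotted quad -> 32-bit integer
    local IFS=.; set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
in_net() {                      # in_net ADDR CIDR -> 0 when ADDR lies in CIDR
    local net="${2%/*}" bits="${2#*/}"
    local mask=$(( 0xFFFFFFFF ^ ((1 << (32 - bits)) - 1) ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}
# Every DNAT target must be a LAN host; prints offenders and returns 1 if any.
check_dnat_targets() {
    local bad=0 t
    for t in $(printf '%s\n' "$1" | sed -n 's/.*-j DNAT --to-destination \([^ ]*\).*/\1/p'); do
        in_net "${t%%:*}" "$LAN_NET" || { echo "DNAT to non-LAN host: $t"; bad=1; }
    done
    return $bad
}
# INPUT must default to DROP, as the script's "-P INPUT DROP" intends.
input_policy_is_drop() { printf '%s\n' "$1" | grep -q '^:INPUT DROP'; }
# Every MASQUERADE rule must carry "-s LAN_NET", so only LAN sources get NATed.
masquerade_scoped_to_lan() {
    local all scoped
    all=$(printf '%s\n' "$1" | grep -c -e '-j MASQUERADE' || true)
    scoped=$(printf '%s\n' "$1" | grep -e '-j MASQUERADE' | grep -c -F -e "-s $LAN_NET" || true)
    [ "$all" -gt 0 ] && [ "$all" -eq "$scoped" ]
}

SAMPLE_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.148:80
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.0.0.5:80
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'
```

On the gateway itself, run the checks on the real ruleset with e.g. `check_dnat_targets "$(iptables-save)"`.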
mkdir /root/3322
cd /root/3322
wget http://www.3322.org/dyndnspage/ez-ipupdate-3.0.10-linux-i386.tgz
tar zxvf ez-ipupdate-3.0.10-linux-i386.tgz
mv ez-ipupdate-3.0.10-linux-i386/* .
vi qdns.conf
service-type=qdns
# user name and password, separated by a colon
user=ctqs:password
# the host name you registered
host=ctqs.3322.org
# the interface is ppp0
interface=ppp0
max-interval=2073600
cache-file=/tmp/ez-ipupdate.cache
ez-ipupdate -c qdns.conf
It should report success.
vi monitorip
#!/bin/bash
### filename: monitorip.sh
# Remember the ppp0 address from the last run; on the first run, seed the cache.
if [ ! -f /root/3322/ip.txt ]; then
    ifconfig | grep P-t-P > /root/3322/ip.txt
fi
org_ip=`cat /root/3322/ip.txt | cut -d: -f 2 | cut -d ' ' -f 1`
now_ip=`ifconfig | grep P-t-P | cut -d: -f 2 | cut -d ' ' -f 1`
# Only when the address has changed: store it and push the update to 3322.org
# (the variables are quoted so an empty value, e.g. ppp0 down, does not break the test)
if [ "$org_ip" = "$now_ip" ]; then
    :   # no update needed
else
    ifconfig | grep P-t-P > /root/3322/ip.txt
    /root/3322/ez-ipupdate -c /root/3322/qdns.conf
fi
chmod 700 monitorip
vi /etc/crontab
Add one line:
*/5 * * * * root /root/3322/monitorip
This runs the script every five minutes.
service crond restart
Restart the cron service.
Dynamic DNS binding complete~
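Added example, not code from the original post: the address check that monitorip performs, restructured so the ifconfig text is passed in and the two cases the cron job meets are handled: the first run (no cache yet) and ppp0 being down (no P-t-P line), where an empty address must not be pushed to 3322.org. Both ifconfig samples are constructed.

```shell
#!/bin/bash
# Added example, not code from the original post: the address check that
# monitorip performs, restructured so the ifconfig text is passed in and the
# two cases the cron job meets are handled: first run (no cache yet) and ppp0
# down (no P-t-P line), where an empty address must not be pushed to 3322.org.
# Both ifconfig samples below are constructed.

# Local address from an ifconfig(8) "inet addr:X  P-t-P:Y" line, same cut
# pipeline as monitorip; prints nothing when no P-t-P interface is up.
ppp_ip_from_ifconfig() {
    printf '%s\n' "$1" | grep P-t-P | head -n 1 | cut -d: -f 2 | cut -d ' ' -f 1
}

# needs_update CACHED CURRENT -> 0 when ez-ipupdate should run.
# An empty CURRENT means the link is down: report "no change" rather than
# overwriting the cache and the DNS record with nothing.
needs_update() {
    local cached="$1" current="$2"
    [ -z "$current" ] && return 1
    [ "$cached" != "$current" ]
}

# refresh_needed CACHE_FILE IFCONFIG_TEXT: stores the current address in the
# cache file (only the address, not the whole ifconfig line) and returns 0
# when the 3322.org record has to be refreshed.
refresh_needed() {
    local cache="$1" current cached=""
    current=$(ppp_ip_from_ifconfig "$2")
    [ -f "$cache" ] && cached=$(cat "$cache")
    if needs_update "$cached" "$current"; then
        printf '%s\n' "$current" > "$cache"
        return 0
    fi
    return 1
}

SAMPLE_UP='ppp0      Link encap:Point-to-Point Protocol
          inet addr:203.0.113.20  P-t-P:203.0.113.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1'
SAMPLE_DOWN='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.1.254  Bcast:192.168.1.255  Mask:255.255.255.0'

# Cron-style use: refresh_needed /root/3322/ip.txt "$(ifconfig)" && /root/3322/ez-ipupdate -c /root/3322/qdns.conf
```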