鉴于对 FreeBSD 的研究与使用,因工作需要,公司要求进行网络限速;而以前的 natd 网关引起了一系列延时等问题。

故,研究在 FreeBSD 下搭建内核级 NAT 网关的使用,及流量×××与控制。

1,环境:FreeBSD gateway.bsdart.org 8.1-RC2 FreeBSD 8.1-RC2 #0: Sat Aug 14 11:57:02 CST 2010     root@gateway.bsdart.org:/usr/obj/usr/src/sys/GATEWAY  i386

2,编译内核增加功能:

gateway# find / -name GATEWAY
/usr/src/sys/i386/compile/GATEWAY
/usr/src/sys/i386/conf/GATEWAY

gateway# cd /usr/src/sys/i386/conf/
gateway# ll
total 76
-rw-r--r--  1 root  wheel     13 Jun 21  2005 .cvsignore
-rw-r--r--  1 root  wheel    598 Jun 14 10:09 DEFAULTS
-rw-r--r--  1 root  wheel  13474 Aug 11 15:14 GATEWAY
-rw-r--r--  1 root  wheel  13221 Jun 14 10:09 GENERIC
-rw-r--r--  1 root  wheel    878 Jun 14 10:09 GENERIC.hints
-rw-r--r--  1 root  wheel    148 Jun 14 10:09 Makefile
-rw-r--r--  1 root  wheel  30097 Jun 14 10:09 NOTES
-rw-r--r--  1 root  wheel   1646 Jun 14 10:09 PAE
-rw-r--r--  1 root  wheel   3487 Jun 14 10:09 XBOX
-rw-r--r--  1 root  wheel   3235 Jun 14 10:09 XEN

gateway# vi GATEWAY  (添加以下内容)

options         IPFIREWALL
#options         IPDIVERT     # the older divert-socket/natd approach, replaced by IPFIREWALL_NAT below
options         IPFIREWALL_NAT  # in-kernel NAT (replaces the natd daemon)
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=5  # cap on logged packets per rule
options         DUMMYNET    # traffic shaping / rate limiting (ipfw pipe)
options         IPFIREWALL_FORWARD
options         LIBALIAS         # must be enabled: the in-kernel NAT depends on it

###下面开始编译内核功能。

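# Build and install the custom kernel. The options above were added to the
# GATEWAY config (the `vi GATEWAY` step), so the build must use
# KERNCONF=GATEWAY; building GENERIC would leave every one of them out.
# Each step is guarded so a failed build never proceeds to installkernel
# or reboot.
cd /usr/src || exit 1
make buildkernel KERNCONF=GATEWAY || exit 1
make installkernel KERNCONF=GATEWAY || exit 1
reboot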

3,FreeBSD 启动项内容。

gateway# vi  /etc/rc.conf


# -- sysinstall generated deltas -- # Tue Dec 26 08:27:32 2006
# Created: Tue Dec 26 08:27:32 2006
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
# Forward packets between the internal (bce0) and external (bce1) interfaces.
gateway_enable="YES"
hostname="gateway.bsdart.org"
# NOTE(review): rc.conf is sourced as shell by the rc scripts, so this bare
# command starts ftpd every time the file is loaded; the supported knobs are
# ftpd_enable="YES" and ftpd_flags="-l -l".
/usr/libexec/ftpd -D  -l  -l
#ifconfig_bce0="DHCP"
inetd_enable="YES"
sshd_enable="YES"
#ifconfig_="inet 172.16.28.177 netmask 255.255.255.0"
# Internal interface. NOTE(review): ifconfig_bce0 is assigned again at the
# end of this file with the same value; the later assignment wins, keep one.
ifconfig_bce0="inet 10.30.0.2 netmask 255.255.255.0"
#sh /etc/ipfw.nat
#/usr/panabit/bin/ipectrl  start
# External interface plus one alias address.
ifconfig_bce1="inet 172.16.28.178   netmask   255.255.255.0"
ifconfig_bce1_alias0="inet 172.16.28.179  netmask 255.255.255.255"
defaultrouter="172.16.28.1"
# NOTE(review): another bare command; the supported form for a static route
# is static_routes="<name>" together with route_<name>="-net ...".
route  add  -net  172.16.100.0  10.30.0.1  -netmask  255.255.255.0
#/etc/netstart
postgresql_enable="YES"
mysql_enable="YES"
firewall_enable="YES"
#firewall_type="UNKNOWN"
#firewall_script="/etc/ipfw.rules"
# NOTE(review): firewall_type points at /etc/ipfw.rules, but the rule set
# that is actually applied is /etc/ipfw.temp, run by the bare `sh` line
# below. Setting firewall_script="/etc/ipfw.temp" and removing that line
# lets /etc/rc.d/ipfw load the rules once, in order, at boot.
firewall_type="/etc/ipfw.rules"
sh  /etc/ipfw.temp
#hald_enable="YES"
#dbus_enable="YES"
#gdm_enable="YES"
#gnome_enable="YES"
apache22_enable="YES"
#/usr/local/etc/rc.d/bandwidthd.sh start
#ppp_enable="YES"
#ppp_mode="ddial"
#ppp_profile="adsl"
# In-kernel NAT on the external interface (replaces the natd_* settings below).
firewall_nat_enable="YES"
firewall_nat_interface="bce1"
#natd_enable="YES"
#natd_interface="bce1"
#natd_flags="-config   /etc/natd.conf"   #Additonal  flags  for  natd.
#natd_program="/sbin/natd"               #path to natd,if you want a different one.

# NOTE(review): gateway_enable="YES" above already turns on IP forwarding;
# this bare sysctl call is redundant.
sysctl net.inet.ip.forwarding=1
# NOTE(review): duplicate of the ifconfig_bce0 assignment above (same value).
ifconfig_bce0="inet 10.30.0.2 netmask 255.255.255.0"

####注:bce1外网。 bce0内网。

4,IPFW 脚本文件内容。

gateway# cat  /etc/ipfw.temp
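#!/bin/sh
# /etc/ipfw.temp -- ipfw rule set for the gateway: in-kernel NAT on bce1
# (the external interface) plus dummynet pipes that rate-limit one internal
# host. Rules carry explicit numbers so they can be inspected and removed
# individually with `ipfw show` / `ipfw delete <num>`.

# Start from an empty rule set so the script can be re-run safely.
ipfw -q -f flush

# Single prefix for every "add" below. It is expanded unquoted on purpose:
# the word-splitting turns the string into the command and its options.
cmd="ipfw -q add"

# Loopback: allow everything on lo0, refuse 127/8 on any other interface.
$cmd 00100 allow all from any to any via lo0
$cmd 00110 deny all from any to 127.0.0.0/8
$cmd 00120 deny all from 127.0.0.0/8 to any

# Drop packets carrying record-route, timestamp or source-routing options
# (rr, ts, strict ssrr, loose lsrr).
$cmd 00200 deny all from any to any ipoptions rr
$cmd 00210 deny all from any to any ipoptions ts
$cmd 00220 deny all from any to any ipoptions ssrr
$cmd 00230 deny all from any to any ipoptions lsrr

# Drop inbound TCP segments with the contradictory SYN+FIN combination.
$cmd 00240 deny tcp from any to any in tcpflags syn,fin

# In-kernel NAT: define instance 10 on the external interface first, then
# send everything crossing bce1 through it.
ipfw -q nat 10 config if bce1
$cmd 00300 nat 10 all from any to any via bce1
#$cmd nat 50 config redirect_port tcp 192.168.100.3:80 80

#$cmd 00400 allow tcp from any to me 65535 in via rl0 keep-state

# Services offered by the gateway itself (HTTP and SSH).
$cmd 00410 allow tcp from any to me 80
$cmd 00410 allow tcp from any to me 22

# Bandwidth limit for host 172.16.100.22: pipe 3 shapes its outbound
# traffic, pipe 4 its inbound traffic, each at 1 MByte/s.
$cmd 0911 pipe 3 ip from 172.16.100.22 to any out
$cmd 0912 pipe 4 ip from any to 172.16.100.22 in
ipfw -q pipe 3 config bw 1MB/s
ipfw -q pipe 4 config bw 1MB/s
#$cmd 0920 pipe 1 ip from 172.16.100.0/24 to any out ##define out traffic
#$cmd 0930 pipe 2 ip from any to 172.16.100.0/24 in  ##define in  traffic
#ipfw pipe 1 config mask src-ip 0x000000ff bw 100Kbit/s queue 50Kbytes  ##out  for bandwidth  100Kbit/s
#ipfw pipe 2 config mask dst-ip 0x000000ff bw 100KB/s queue 50Kbytes

# NOTE(review): rule 01000 accepts every packet that reaches it, so the
# per-service allows at 00410 are redundant and the final deny at 04000 is
# never evaluated. Tighten 01000 if the gateway is not meant to accept all
# remaining traffic.
$cmd 01000 allow all from any to any
$cmd 04000 deny all from any to any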
5,更多配置请参考: FreeBSD中的man ipfw 文档。

6,参考文档:http://blog.chinaunix.net/u/8111/showart_520140.html 

7,限速DUMMYNET 文档:http://info.iet.unipi.it/~luigi/dummynet/ 

8,IPFW 中文文档:http://www.freebsd.org/doc/zh_CN.GB2312/books/handbook/firewalls-ipfw.html

9,Freebsd 路由设置: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-routing.html

10,Freebsd 下bandwidthd 搭建:http://hi.baidu.com/tyb1023/blog/item/0a7ddd08dca0f4c53bc76388.html