[Repost] Linux Enterprise Internet Access Solution

Posted by quanliking on 12-01-2002 13:13:


http://www.powerleader.com.cn/settle/settle_13.htm

Linux Enterprise Internet Access Solution

All configuration files below are taken from systems actually in production, running on Red Flag Linux.

I. File server (samba-2.0.6-9)

Configuration file: /etc/smb.conf

#=================== Global Settings =============================
[global]
   workgroup = shenzhennt
   client code page = 936
   # code page 936 makes Chinese file names work
   server string = File Server
   log file = /var/log/samba/log.%m
   # Put a capping on the size of the log files (in Kb).
   max log size = 50
   # Security mode. Most people will want user level security. See
   # security_level.txt for details.
   security = user
   encrypt passwords = no
   # Most people will find that this option gives better performance.
   # See speed.txt and the manual pages for details
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   # WINS Server - Tells the NMBD components of Samba to be a WINS Client
   # Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
   wins server = 10.100.100.109
   dns proxy = no

#========================== Share Definitions ===========================
[homes]
   comment = Home Directories
   browseable = no
   writable = yes

[public]
   comment = Public Folder
   path = /home/public
   public = yes
   writable = yes
   # shared directory: everyone can read and write

[it]
   comment = It Folder
   path = /home/it
   public = yes
   write list = @it

Create an it group that maintains the public/it directory, which holds installation software, drivers and so on; users outside the IT group can only read it.

Department-level shared directories and the like can be created the same way.

Notes:

1. The other smb.conf parameters can be left at their defaults. Because Linux permission management is less comprehensive than NT's, when the permission assignment is complex there are two approaches: a. create several shares for one directory and give each share's user group different permissions; b. combine share permissions with the Linux file permissions, for example give everyone write permission on the Samba share but let the Linux file permissions grant write access only to a specific group, so that everyone else can only read.

2. User and password management:

A: If encrypt passwords = yes, each user has two passwords (Linux and smbpasswd) and changing passwords becomes troublesome, so I set it to no; Samba then authenticates users against /etc/passwd and users maintain only one password, which is convenient but not secure enough. It seems unix password sync = Yes can be both convenient and secure, but I did not get it to work.

B: Edit /etc/passwd so that the user's shell is /usr/bin/passwd; a user who wants to change their password can then simply telnet to the Samba server. Other servers, such as the sendmail server, can use the same method.

C: If you do not want a /GNUstep directory to appear in users' home directories, run mv /etc/skel /etc/skel.backup.

3. Windows 98 clients: edit the registry. Under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VNETSUP add a DWORD value named EnablePlainTextPassword with the value 0x01. Edit the \windows\hosts file and add a line of the form: ip-address samba-server-name

4. Crossing a gateway: if there is a router between the client and the Samba server, make sure the client and the Samba server are in the same workgroup, and edit the \windows\lmhosts file on the client with a line of the form: a.b.c.d <NetBIOS name or hostname of the Samba server>. What I do now is give the branch-office IT staff an account at headquarters and let them transfer files between headquarters and the branch through CuteFTP and the public directory. This avoids requiring the branch office to be in the same domain as the head office (they also have NT).

5. Disk quotas: see the article "How to set disk quotas in Linux" in the article collection. To quickly give a group of users on the system, say one hundred, the same quota values as bob, first edit bob's quota information by hand, then run:

   # csh
   # edquota -p bob `awk -F: '$3 > 499 {print $1}' /etc/passwd`

This assumes your users' UIDs start at 500. See the linuxforum article for more detail.
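As an added example (not part of the original article), a short Python audit of the file-server smb.conf excerpt above for the two weak points that notes 1 and 2 discuss: plaintext authentication (encrypt passwords = no) and shares that guests can write to. SMB_CONF is a constructed excerpt of the configuration shown above, and the finding codes are names chosen here, not Samba's.

```python
import configparser

# Constructed excerpt of the file-server /etc/smb.conf shown above (not the full file).
SMB_CONF = """
[global]
workgroup = shenzhennt
security = user
encrypt passwords = no
[homes]
browseable = no
writable = yes
[public]
path = /home/public
public = yes
writable = yes
[it]
path = /home/it
public = yes
write list = @it
"""

YES = {"yes", "true", "1"}

def parse_smb_conf(text):
    """smb.conf is INI-like, so configparser reads it; keys come back lower-cased."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}

def share_flags(share):
    """Effective guest/writable settings, honouring Samba's synonyms for each."""
    guest = share.get("guest ok", share.get("public", "no")).lower() in YES
    writable = share.get("writeable", share.get("writable", "no")).lower() in YES
    return guest, writable

def audit(conf):
    """Map section name -> finding codes (hypothetical names) for the weak settings."""
    findings = {}
    # Samba 2.0 defaults to encrypt passwords = no, so a missing key is also plaintext.
    if conf.get("global", {}).get("encrypt passwords", "no").lower() not in YES:
        findings["global"] = ["PLAINTEXT_AUTH"]
    for name, share in conf.items():
        if name == "global":
            continue
        guest, writable = share_flags(share)
        if guest and writable:
            # anyone who can reach the server, authenticated or not, can write here
            findings[name] = ["GUEST_WRITABLE"]
    return findings
```

The [it] share is not flagged: guests can read it, but only the write list can write, which is the pattern note 1 recommends.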

II. Print server (samba-2.0.6-9)

Configuration file: /etc/smb.conf

[global]
   # workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = shenzhennt
   map to guest = Bad User
   # Very important: this lets every user print without being asked for a password.
   # server string is the equivalent of the NT Description field
   server string = Printer In OP
   # if you want to automatically load your printer list rather
   # than setting them up individually then you'll need this
   printcap name = /etc/printcap
   load printers = yes
   log file = /var/log/samba/log.%m
   # Put a capping on the size of the log files (in Kb).
   max log size = 50
   security = user
   socket options = TCP_NODELAY
   dns proxy = no

#========================== Share Definitions ===========================
[homes]
   comment = Home Directories
   browseable = no
   writable = yes

[printers]
   comment = Printer in OP
   path = /var/spool/samba
   browseable = no
   guest ok = yes
   writable = no
   printable = yes

The other parameters can be left at their defaults.

Also: samba_2.0.3-8 has a bug.

III. DNS (bind-8.2.2_P5-9), FTP (wu-ftpd-2.4.2vr17-3), WWW. FTP and WWW have no special requirements, so only the default values were used.

The DNS configuration files are described below.

A. /etc/named.conf

// generated by named-bootconf.pl

options {
        directory "/var/named";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below. Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
};

//
// a caching only nameserver config
//
zone "." in {
        type hint;
        file "named.ca";
};

zone "0.0.127.in-addr.arpa" in {
        type master;
        file "named.local";
};

zone "domain.com" in {
        type master;
        file "domain.com";
};

zone "c.b.a.in-addr.arpa" in {
        type master;
        file "abc";
};

zone "200.100.10.in-addr.arpa" in {
        type master;
        file "200";
};

B. /var/named/domain.com

@           IN  SOA   domain.com. yzy.domain.com. (
                      1999122105 28800 14400 3600000 86400 );
            NS        dns.domain.com.
            MX    10  firewall.domain.com.
localhost   A         127.0.0.1
dns         A         a.b.c.dns
domain.com. A         a.b.c.dns
firewall    A         a.b.c.fw
firewall1   A         10.100.200.2
www         CNAME     dns.domain.com.
ftp         CNAME     dns.domain.com.
mail        CNAME     firewall.domain.com.

C. /var/named/abc

@     IN  SOA   domain.com. yzy.domain.com. (
                1999122101 28800 14400 3600000 86400 )
      NS        dns.domain.com.
177   PTR       dns.domain.com.
188   PTR       mail.domain.com.
177   PTR       www.domain.com.
177   PTR       ftp.domain.com.

D. /var/named/200

@     IN  SOA   domain.com. yzy.domain.com. (
                1999122101 28800 14400 3600000 86400 )
      NS        dns.domain.com.
2     PTR       firewall1.domain.com.

Note: DNS is very important for sendmail. The firewall1 entry above serves mainly the company-wide sendmail server, which acts as the email gateway.

IV. Proxy server (squid-2.3.STABLE1-5)

Configuration file: /etc/squid/squid.conf

http_port 8080
icp_port 8080
hierarchy_stoplist cgi-bin ?
cache_mem 8 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 2048 KB
cache_dir ufs /var/spool/squid 150 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
debug_options ALL,1
refresh_pattern ^ftp:     1440  20%  10080
refresh_pattern ^gopher:  1440   0%   1440
refresh_pattern .            0  20%   4320

# ACCESS CONTROLS
# -----------------------------------------------------------------------------
#Defaults:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# TAG: http_access
acl hq src 10.100.100.29/32 10.100.100.2/32 10.100.100.40/32 10.100.100.75/32 10.100.100.6/32 10.100.100.87/32
# headquarters
acl gz src 10.100.101.61/32 10.100.101.98/32 10.100.101.72/32 10.100.101.62/32 10.100.101.73/32 10.100.101.166/32 10.100.101.15/32
# branch office
http_access allow hq
http_access allow gz
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
icp_access allow all
miss_access allow all
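As an added example (not part of the original article), a small Python model of Squid's first-match http_access evaluation loaded with the acl and http_access lines above; the request dictionaries are constructed. It shows why rule order matters here: because allow hq and allow gz come first, requests from those sources are never tested against the later deny manager, deny !Safe_ports and deny CONNECT !SSL_ports lines.

```python
import ipaddress

# Constructed copy of the acl definitions from the squid.conf above: name -> (type, values).
ACLS = {
    "all": ("src", ["0.0.0.0/0.0.0.0"]),
    "manager": ("proto", ["cache_object"]),
    "localhost": ("src", ["127.0.0.1/255.255.255.255"]),
    "SSL_ports": ("port", ["443", "563"]),
    "Safe_ports": ("port", ["80", "21", "443", "563", "70", "210", "1025-65535",
                            "280", "488", "591", "777"]),
    "CONNECT": ("method", ["CONNECT"]),
    "hq": ("src", ["10.100.100.29/32", "10.100.100.2/32", "10.100.100.40/32",
                   "10.100.100.75/32", "10.100.100.6/32", "10.100.100.87/32"]),
    "gz": ("src", ["10.100.101.61/32", "10.100.101.98/32", "10.100.101.72/32",
                   "10.100.101.62/32", "10.100.101.73/32", "10.100.101.166/32",
                   "10.100.101.15/32"]),
}
# The http_access lines in file order; a leading "!" negates that acl.
HTTP_ACCESS = [
    ("allow", ["hq"]), ("allow", ["gz"]), ("allow", ["manager", "localhost"]),
    ("deny", ["manager"]), ("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost"]), ("deny", ["all"]),
]

def acl_matches(name, req):
    """Does the named acl match a request {src, port, method, proto}?"""
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        for v in values:
            lo, _, hi = v.partition("-")
            if int(lo) <= req["port"] <= int(hi or lo):
                return True
        return False
    if kind == "method":
        return req["method"] in values
    return req["proto"] in values  # proto cache_object marks cache-manager requests

def http_access(req):
    """Squid's first-match rule: a line applies when all of its acls match; the
    result is (action, 1-based line number). If no line matches, Squid applies
    the opposite of the last line's action (reported with line None)."""
    for n, (action, acls) in enumerate(HTTP_ACCESS, 1):
        if all(acl_matches(a.lstrip("!"), req) != a.startswith("!") for a in acls):
            return action, n
    return ("deny" if HTTP_ACCESS[-1][0] == "allow" else "allow"), None
```

Moving the two deny lines for Safe_ports and CONNECT above the allow hq / allow gz lines would make those restrictions apply to every source while keeping the same set of permitted clients.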

V. Firewall + port forwarding (ipchains-1.3.9-5, ipmasqadm-0.4.2-3)

First, the network topology: a.b.c.xxx are real Internet addresses. The firewall has a DMZ. Besides packet filtering it also does port forwarding, so that branch-office users can send and receive their local email through headquarters' single Internet connection. It is also the email gateway: all mail from or to the Internet passes through it. To prevent abuse by spammers, sendmail on the firewall does not allow relaying; so that travelling users can still send email, a separate server, Mail2, which is allowed to relay, was set up to protect the firewall (sendmail can now use authenticated SMTP to let users on Linux send email without exposing the server to attack), and Mail2 is not published externally. A dial-in server was installed on Mail2 with a single shared account and password, and security rules on Mail2 only allow sending and receiving email through it; this both simplifies management and provides the dial-in service.

Configuration file: /etc/rc.d/fire. Add the line sh /etc/rc.d/fire at the end of /etc/rc.d/rc.local so that the firewall rules are set up automatically at every boot.

echo ""
echo "Starting ipchains rules..."

# Refresh all chains
/sbin/ipchains -F
echo 1 > /proc/sys/net/ipv4/ip_forward

/sbin/ipchains -A forward -j MASQ -s 10.100.100.102/32
/sbin/ipchains -A forward -j MASQ -s 10.100.101.252/32
/sbin/ipchains -A forward -j MASQ -s 10.100.102.252/32
/sbin/ipchains -A forward -j MASQ -s 10.100.103.252/32
/sbin/ipchains -A forward -j MASQ -s 10.100.104.252/32
/sbin/ipchains -A forward -j MASQ -s 10.100.105.252/32
/sbin/ipchains -A forward -j MASQ -s 10.100.109.252/32
/sbin/ipchains -A forward -j MASQ -s 10.100.110.252/32
# The rules above are IP masquerading: when Internet access goes through the
# firewall, masquerading can put the whole LAN behind it as a transparent proxy.

/usr/sbin/ipmasqadm portfw -a -P tcp -L a.b.c.fw 110 -R 10.100.100.252 110
# Mail retrieval for headquarters users: a request to a.b.c.fw:110 is forwarded
# to port 110 on mssz, so mail can be collected. The lines below work the same way.
/usr/sbin/ipmasqadm portfw -a -P tcp -L a.b.c.fw 60101 -R 10.100.101.252 110
/usr/sbin/ipmasqadm portfw -a -P tcp -L a.b.c.fw 60102 -R 10.100.102.252 110
/usr/sbin/ipmasqadm portfw -a -P tcp -L a.b.c.fw 60103 -R 10.100.103.252 110
/usr/sbin/ipmasqadm portfw -a -P tcp -L a.b.c.fw 60104 -R 10.100.104.252 110
/usr/sbin/ipmasqadm portfw -a -P tcp -L a.b.c.fw 60105 -R 10.100.105.252 110
/usr/sbin/ipmasqadm portfw -a -P tcp -L a.b.c.fw 60109 -R 10.100.109.252 110
/usr/sbin/ipmasqadm portfw -a -P tcp -L a.b.c.fw 60110 -R 10.100.110.252 110

# IP spoof protection
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    echo ""
    echo -n "Setting up IP spoofing protection..."
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
    done
    echo "done."
else
    echo "PROBLEMS SETTING UP IP SPOOFING PROTECTION. BE WORRIED."
    echo "CONTROL-D will exit from this shell and continue system startup."
    echo
    # Start a single user shell on the console
    /sbin/sulogin $CONSOLE
fi

# refuse broadcast address source packets
/sbin/ipchains -A input -j DENY -s 255.255.255.255
/sbin/ipchains -A input -j DENY -d 0.0.0.0

############################################
echo ""
echo "Starting http ............"
# from Internet & Intranet
/sbin/ipchains -A input -p tcp -s 0.0.0.0/0 1024: -d a.b.c.dns/32 www -j ACCEPT
/sbin/ipchains -A input -p udp -s 0.0.0.0/0 1024: -d a.b.c.dns/32 www -j ACCEPT
# Response
/sbin/ipchains -A input -p tcp -s a.b.c.dns www -d 0.0.0.0/0 1024: -i eth2 -j ACCEPT
/sbin/ipchains -A input -p udp -s a.b.c.dns www -d 0.0.0.0/0 1024: -i eth2 -j ACCEPT

############################################
echo ""
echo "Starting FTP......................"
# From Internet & Intranet
/sbin/ipchains -A input -p tcp -s 0.0.0.0/0 1024: -d a.b.c.dns/32 ftp -j ACCEPT
# Response
/sbin/ipchains -A input -p tcp -s a.b.c.dns/32 ftp -d 0.0.0.0/0 1024: -i eth2 -j ACCEPT

##################################################
echo ""
echo "Starting Domain ............."
# From Internet & intranet
/sbin/ipchains -A input -p tcp -s 0.0.0.0/0 -d a.b.c.dns/32 domain -j ACCEPT
/sbin/ipchains -A input -p udp -s 0.0.0.0/0 -d a.b.c.dns/32 domain -j ACCEPT
# Response
/sbin/ipchains -A input -p tcp -s a.b.c.dns/32 domain -d 0.0.0.0/0 -j ACCEPT
/sbin/ipchains -A input -p udp -s a.b.c.dns/32 domain -d 0.0.0.0/0 -j ACCEPT
# To Internet query
/sbin/ipchains -A input -p tcp -s a.b.c.dns/32 -d 0.0.0.0/0 domain -i eth2 -j ACCEPT
/sbin/ipchains -A input -p udp -s a.b.c.dns/32 -d 0.0.0.0/0 domain -i eth2 -j ACCEPT
# response
/sbin/ipchains -A input -p tcp -s 0.0.0.0/0 domain -d a.b.c.dns/32 -i eth0 -j ACCEPT
/sbin/ipchains -A input -p udp -s 0.0.0.0/0 domain -d a.b.c.dns/32 -i eth0 -j ACCEPT

####################################################
echo ""
echo "Starting Telnet................"
# From Intranet
/sbin/ipchains -A input -p tcp -s 10.100.100.0/24 1024: -d a.b.c.dns/32 telnet -i eth1 -j ACCEPT
/sbin/ipchains -A input -p tcp -s a.b.c.fw/32 1024: -d a.b.c.m2/32 telnet -i eth0 -j ACCEPT
/sbin/ipchains -A input -p tcp -s 10.100.100.0/24 1024: -d 10.100.200.2/32 telnet -i eth1 -j ACCEPT
# The rules above let headquarters hosts maintain the DMZ and the firewall, and let the
# firewall maintain MAIL2. Of course it is better not to use TELNET and to maintain over SSH.
# Response
/sbin/ipchains -A input -p tcp -s a.b.c.dns/32 telnet -d 10.100.100.0/24 1024: -i eth2 -j ACCEPT
/sbin/ipchains -A input -p tcp -s a.b.c.m2/32 telnet -d a.b.c.fw/32 1024: -i eth0 -j ACCEPT
/sbin/ipchains -A input -p tcp -s 10.100.200.2/32 telnet -d 10.100.100.0/24 1024: -i eth1 -j ACCEPT

####################################################
echo ""
echo "Starting smtp ....................."
# From Internet
/sbin/ipchains -A input -p tcp -s 0.0.0.0/0 -d a.b.c.fw/32 smtp -j ACCEPT
/sbin/ipchains -A input -p tcp -s a.b.c.fw/32 smtp -d 0.0.0.0/0 -j ACCEPT
# To Internet
/sbin/ipchains -A input -p tcp -s a.b.c.fw/32 -d 0.0.0.0/0 smtp -j ACCEPT

Category: Servers