OpenBSD 4.8 操作系统做网关服务及配置防火墙(注意:OpenBSD 是独立的 BSD 系统,不是 Linux,网卡、路由与防火墙的配置方式都与 Linux 不同)

一、 openBSD4.8 做路由及防火墙

1、 openBSD4.8 系统的安装

2、 硬件要求:旧电脑一台、网卡两张、ADSL MODEM(调制解调器)一台

3、 安装 openBSD4.8 系统成功后,进入/etc 目录下,配置以下文件

4、 #vi /etc/hostname.rl0(连接内网的网卡,也称为网关)

inet 192.168.0.1 255.255.255.0 NONE

:wq

#注意,此网卡本身就是内网的网关地址,因此不需要再为它配置默认网关;默认路由由下面的拨号文件(hostname.pppoe0)添加。删除系统默认的网关文件:#rm /etc/mygate

5、#vi /etc/hostname.rl1(连接外网的网卡)

up

description "ADSL Port"

:wq

#此网卡设置为拨号网卡

6、#vi /etc/hostname.pppoe0

inet 0.0.0.0 255.255.255.255 NONE pppoedev rl1 authproto pap authname '拨号用户名' authkey '拨号密码' up

dest 0.0.0.1

!/sbin/route add default -ifp pppoe0 0.0.0.1

:wq

#新建拨号文件,并设置拨号信息(整条 inet 配置必须写在同一行;用户名、密码用普通的单引号 ' ' 括起来,不要用中文弯引号)。该文件含有明文拨号密码,应只允许 root 读取:#chmod 640 /etc/hostname.pppoe0(属主 root:wheel)

7、#vi /etc/sysctl.conf

net.inet.ip.forwarding=1 #1=Permit forwarding (routing) of IPv4 packets

net.inet.ip.mforwarding=1 #1=Permit forwarding (routing) of IPv4 multicast packets

net.inet.gre.allow=1

net.inet.gre.wccp=1

:wq

#去掉前面的“#”号,开启 IPv4 路由转发。内核转发只是前提,内网地址转换(NAT)由后面 pf.conf 里的 nat-to 规则完成。net.inet.ip.mforwarding 只在需要转发组播时才开;net.inet.gre.allow / net.inet.gre.wccp 只在使用 gre(4) 隧道或 WCCP 时才开,不需要时保持默认关闭以减少暴露面。

8、#vi /etc/resolv.conf

lookup file bind

nameserver 202.96.134.133

nameserver 202.96.128.86

:wq

#配置 DNS 服务器;lookup 关键字必须小写,表示先查 /etc/hosts 再查 DNS

9、#vi /etc/dhcpd.conf

此文件为 DHCP 服务器配置文件,将其中的 subnet / range / option routers / option domain-name-servers 改为内网 192.168.0.0/24 网段(网关 192.168.0.1)。另外 dhcpd 默认不启动,还需在 /etc/rc.conf.local 中加入 dhcpd_flags="rl0",并且只让它监听内网网卡,不要监听拨号网卡。

10、#vi /etc/rc.conf

pf=YES

pf_rules=/etc/pf.conf

#加载系统开机运行文件,开启防火墙。OpenBSD 的习惯是把本机改动写到 /etc/rc.conf.local 而不是直接改 /etc/rc.conf,以免升级时被覆盖;/etc/pf.conf 是默认规则文件,pf_rules 一行可以省略。

11、防火墙的配置(pf.conf 文件)

#vi /etc/pf.conf

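###macros:START
# Straight ASCII quotes are required; the curly quotes in the original
# do not parse.
WAN="pppoe0"
LAN="rl0"
###macros:END

###Options: tune the behavior of pf, default values are given.
set limit { states 100000, frags 50000 }
# The loopback interface is never filtered.
set skip on lo0
# NOTE(review): gre0 is not filtered at all. Together with the
# net.inet.gre.* sysctls this means anything arriving through the GRE
# tunnel bypasses every rule below; drop this line (or filter on gre0)
# unless the GRE peer is fully trusted.
set skip on gre0

###Tables:START
# Each table is loaded from a file under /etc/pf/ (one address or
# network per line); "persist" keeps the table even if no rule uses it.
table <ALLOW_REMOTE_DOMAIN> persist file "/etc/pf/ALLOW_REMOTE_DOMAIN"
table <ALLOW_REMOTE_HOST> persist file "/etc/pf/ALLOW_REMOTE_HOST"
# NOTE(review): the three BADLIST_* tables are loaded but no rule below
# references them, so nothing is actually blocked by them. If they are
# meant to be enforced, add rules such as:
#   block in quick on $LAN from <BADLIST_USER> to any
#   block in quick on $LAN from any to <BADLIST_HOST>
table <BADLIST_HOST> persist file "/etc/pf/BADLIST_HOST"
table <BADLIST_USER> persist file "/etc/pf/BADLIST_USER"
table <BADLIST_DOMAIN> persist file "/etc/pf/BADLIST_DOMAIN"
# PROXY_USER, HK_USER, ERP_USER, MSN_USER and UDP_USER are likewise
# unreferenced in this ruleset.
table <PROXY_USER> persist file "/etc/pf/PROXY_USER"
table <HK_USER> persist file "/etc/pf/HK_USER"
table <ERP_USER> persist file "/etc/pf/ERP_USER"
table <MSN_USER> persist file "/etc/pf/MSN_USER"
table <QQ_USER> persist file "/etc/pf/QQ_USER"
table <TCP_USER> persist file "/etc/pf/TCP_USER"
table <UDP_USER> persist file "/etc/pf/UDP_USER"
table <MSN_SRV> persist file "/etc/pf/MSN_SRV"
# The file name is spelled "tax_websiste" in the original; make sure the
# file on disk really has that name, otherwise the table loads empty and
# the accounting rules below silently match nothing.
table <tax_website> persist file "/etc/pf/tax_websiste"
table <direct_website> persist file "/etc/pf/direct_website"
###Tables:END

###NAT:START
# Source-NAT the whole LAN to whatever address the PPPoE link gets.
match out on $WAN inet from 192.168.0.0/24 to any nat-to ($WAN)
###NAT:END

###RULES:START
## start system default rules
# Default deny inbound on every interface; the rules below punch holes.
block in all
# Recommended hardening (not in the original): drop packets that arrive
# on the wrong interface with a LAN source address.
#antispoof quick for $LAN inet
# NOTE(review): the tunnel interfaces are passed unconditionally and
# statelessly in both directions, i.e. the far end of every tunnel is
# trusted exactly like the LAN.
pass quick on {gif0,gif1,tun0} inet all
# Everything the gateway itself (and the NATed LAN) sends out is allowed.
pass out quick inet keep state

#WAN interface
# IPIP and IPsec ESP terminated on this box (VPN).
pass in quick on $WAN inet proto ipencap from any to ($WAN) keep state
pass in quick on $WAN inet proto esp from any to ($WAN) keep state
# Services exposed to the whole Internet: 80, 443 and 822 (a non-standard
# port, presumably a relocated admin service - TODO confirm). Consider
# restricting 822 to a source table instead of "from any".
pass in quick on $WAN inet proto tcp from any to ($WAN) port {80,822,443} flags S/SA keep state
# Every ICMP type from anywhere. "icmp-type echoreq" is enough for ping;
# ICMP error messages that belong to an existing state are matched by
# the state anyway.
pass in quick on $WAN inet proto icmp from any to ($WAN) keep state
# OpenVPN.
pass in quick on $WAN inet proto udp from any to ($WAN) port {1194} keep state

##LAN
# All LAN rules are first-match ("quick"). "keep state" is the default
# for pass rules in this pf version, so the rules without it behave the
# same as the ones with it.
pass in quick on $LAN inet proto tcp from any to <direct_website>
pass in quick on $LAN inet proto tcp from any to <MSN_SRV>
pass in quick on $LAN inet proto tcp from any to 202.67.155.136

## for Accounting
pass in quick on $LAN inet proto tcp from 192.168.0.165 to <tax_website> keep state
pass in quick on $LAN inet proto tcp from 192.168.0.3 to <tax_website> keep state
pass in quick on $LAN inet proto tcp from 192.168.0.3 to any port 80 keep state
# NOTE(review): this rule passes *everything* from 192.168.0.3, so the
# port-specific rules for that host above and below never match and the
# host is effectively unrestricted. Remove it if only the listed ports
# were intended.
pass in quick on $LAN inet from 192.168.0.3 to any keep state
pass in quick on $LAN inet proto tcp from 192.168.0.3 to any port {82,7001,7002,5678,8001} keep state

##MSN
pass in quick on $LAN inet proto tcp from 192.168.0.0/24 to <MSN_SRV> keep state
pass in quick on $LAN inet proto tcp from 192.168.0.0/24 to any port {https} keep state
pass in quick on $LAN inet proto tcp from 192.168.0.0/24 to any port {1863} keep state

##Secure WEB-site
# Hosts listed in <TCP_USER> get unrestricted outbound TCP.
pass in quick on $LAN inet proto tcp from <TCP_USER> to any keep state
pass in quick on $LAN inet proto udp from <TCP_USER> to any port {8000,8001} keep state
pass in quick on $LAN inet proto udp from <QQ_USER> to any port {8000,8001} keep state

##TO HK Print SERVER
# 192.168.1.223 is not on the LAN subnet; presumably reached through one
# of the tunnels above - verify the route.
pass in quick on $LAN inet from 192.168.0.0/24 to 192.168.1.223 keep state
pass in quick on $LAN inet proto tcp from 192.168.0.147 to any port {7001,5678} keep state

##for accounting
# Same remark as for 192.168.0.3: unrestricted outbound for this host,
# which makes its <tax_website> rule above redundant.
pass in quick on $LAN inet from 192.168.0.165 to any keep state

##TO mail.saihe.cm
pass in quick on $LAN inet proto tcp from 192.168.0.0/24 to 202.82.144.87 port {25,110,443,465,995} keep state
#RULES:END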

#sh /etc/netstart #启动网络接口

#ifconfig rl0 up #打开 rl0 网卡

#pfctl -nf /etc/pf.conf #先只检查规则语法,不加载(有错时不会把旧规则换掉)

#pfctl -f /etc/pf.conf #重新加载防火墙配置

#pfctl -e

#开启防火墙

#pfctl -d

#关闭防火墙(仅用于排错:关闭后网关对内外网完全不设防,排错结束要立即 pfctl -e)

安装及配置防火墙

一、操作系统:openBSD4.8

二、硬件要求:DELL 电脑一台、网卡两张

三、安装系统及配置防火墙

1、OpenBSD4.8 操作系统的安装(此省略);

2、配置第一张网卡(hostname.rl0)此网卡做内网网关。

#cd /etc/

#vi hostname.rl0

inet 192.168.0.1 255.255.255.0 NONE

:wq

3、配置第二张网卡(hostname.rl1)此网卡用于拨号。

#cd /etc

#vi hostname.rl1

up

description "ADSL Port"

:wq

4、配置拨号文件(hostname.pppoe0)。

#cd /etc

#vi hostname.pppoe0

inet 0.0.0.0 255.255.255.255 NONE pppoedev rl1 authproto pap authname '宽带帐号' authkey '密码' up

dest 0.0.0.1

!/sbin/route add default -ifp pppoe0 0.0.0.1

(整条 inet 配置必须写在同一行,帐号和密码用普通单引号括起来;文件含明文密码,应 chmod 640,属主 root:wheel)

:wq

5、配置 DNS 服务器

#cd /etc

#vi resolv.conf

nameserver 202.96.128.86

nameserver 202.96.134.133

:wq

6、开启路由转发功能。

#cd /etc

#vi sysctl.conf

net.inet.ip.forwarding=1 //去掉前面的#号

7、开启防火墙功能。

#cd /etc

#vi rc.conf

pf=YES

pf_rules=/etc/pf.conf

8、配置防火墙 PF

#cd /etc

#vi pf.conf

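##macros:START
# Straight ASCII quotes are required; curly quotes do not parse.
WAN="pppoe0"
LAN="rl0"
##macros:END
# define macros

##option:START
set limit { states 100000, frags 50000 }
# "set skip" needs the "on" keyword: "set skip lo0" is a syntax error.
set skip on lo0
# NOTE(review): gre0 is completely unfiltered; only keep this if the
# GRE peer is fully trusted.
set skip on gre0
##option:END
# option settings

##table:START
# One "table" line per list; the file holds one address or network per
# line. Template:
#   table <NAME> persist file "/etc/pf/NAME"
# Every table a rule references must be defined, e.g. the one used in
# the LAN rules below:
table <deny_video_web> persist file "/etc/pf/deny_video_web"
##table:END
# table definitions

##queue:START
# priority / bandwidth shaping would go here; none configured
##QUEUE:END

##NAT:START
# Source-NAT the LAN to the dynamic PPPoE address.
match out on $WAN inet from 192.168.0.0/24 to any nat-to ($WAN)
##NAT:END
# translate LAN addresses for Internet access

##RULES:START
# filtering rules
# Default deny inbound on every interface.
block in all
# NOTE(review): tunnels are passed unconditionally and statelessly in
# both directions - the far end is trusted like the LAN.
pass quick on {gif0,gif1,tun0} inet all
pass out quick inet keep state

##WAN interfaces
pass in quick on $WAN inet proto ipencap from any to ($WAN) keep state
pass in quick on $WAN inet proto esp from any to ($WAN) keep state
# 80, 443 and the non-standard port 822 are open to the whole Internet;
# consider limiting 822 to known sources.
pass in quick on $WAN inet proto tcp from any to ($WAN) port {80,822,443} flags S/SA keep state
# All ICMP types; "icmp-type echoreq" is enough for ping.
pass in quick on $WAN inet proto icmp from any to ($WAN) keep state
pass in quick on $WAN inet proto udp from any to ($WAN) port {1194} keep state

##LAN interfaces
# Rules are first-match ("quick"), so the specific block must come
# BEFORE the catch-all pass. In the original order the block rules sat
# after the pass and could never match.
block in quick on $LAN inet proto tcp from 192.168.0.0/24 to <deny_video_web> port 80
pass in quick on $LAN inet proto tcp from 192.168.0.0/24 to any keep state
# The original also listed a blanket block of all LAN TCP. With "quick"
# it is either dead (after the pass) or disables the pass entirely
# (before it), so it is left commented out here:
#block in quick on $LAN inet proto tcp from 192.168.0.0/24 to any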


作者:chackr

版权声明: 本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0协议。转载请注明文章地址及作者