Nov 12

[Repost] PPPoE as NAT for shared Internet access

bkkkd, 00:21, Web digest » Web technology

Setting up PPPoE as NAT for shared Internet access on OpenBSD 4.1. First install OpenBSD 4.1. My machine has two NICs: pcn0 connects to the ADSL modem, and pcn1 connects to the internal network.

Throughout the configuration below, pcn0 is the name of my NIC facing the ADSL modem; change it to your actual NIC name. Likewise change pcn1 to the name of the NIC facing your internal network.

1) The NIC facing the ADSL modem needs no IP address, so open its configuration file with vi /etc/hostname.pcn0 and clear everything in it.

2) Also delete everything in /etc/mygate, so no static default gateway is set (ppp adds the default route over the PPPoE link itself when it connects; see the add! default HISADDR line below).

3) Configure the IP address of the internal NIC:
  vi /etc/hostname.pcn1
and add the following line:
inet 192.168.188.1 255.255.255.0 192.168.188.255

4) Add the following to /etc/resolv.conf to set the DNS servers. Each nameserver keyword takes exactly one address; the resolver ignores anything after the first, so use one line per server:
lookup file bind
nameserver 202.96.128.166
nameserver 202.96.128.86

5) Run sh /etc/netstart to apply the IP configuration. A machine on the internal network should now be able to ping 192.168.188.1; if it cannot, the internal NIC is misconfigured.


6) Configure the ppp dial-up configuration file that PPPoE uses:
vi /etc/ppp/ppp.conf
Add the following. Mind the case, keep the two labels (default: and pppoe:) in column 0 with the commands under them indented, and replace my pcn0 with your NIC name:

default:
     set log Phase Chat LCP IPCP CCP tun command
     set timeout 0
     set redial 15 0
     set reconnect 15 10000
     set server /var/run/ppp.sock "" 0177

pppoe:
     set device "!/usr/sbin/pppoe -i pcn0"
     set mtu max 1492
     set mru max 1492
     set speed sync
     enable lqr
     disable acfcomp protocomp
     deny acfcomp
     add! default HISADDR
     set authname "your ADSL account name"
     set authkey "your ADSL password"

This file holds your ISP password in clear text, so make sure only root can read it: chmod 600 /etc/ppp/ppp.conf.
Now test whether the PPPoE configuration is correct (ifconfig and ppp are binaries, so run them directly rather than through sh):

    /sbin/ifconfig pcn0 up
    /usr/sbin/ppp -ddial pppoe

The -ddial option makes ppp keep redialing whenever the line drops. Once connected, ifconfig shows a newly added network device, tun0. You can also ping google.com to check that the connection really works.
Then add the following to /etc/rc.local so the machine dials automatically at the next boot:

    /sbin/ifconfig pcn0 up
    /usr/sbin/ppp -ddial pppoe


7) Run sysctl net.inet.ip.forwarding=1 ; the screen shows
net.inet.ip.forwarding: 0 -> 1

which means IP forwarding is now on. To have it enabled automatically at the next boot,
vi /etc/sysctl.conf
and remove the leading # from the line #net.inet.ip.forwarding=1

8) Now configure the packet filter. Add the following to /etc/pf.conf:

    ext_if="tun0"
    int_if="pcn1"
    internal_net="192.168.188.0/24"
    scrub in all

    # for NAT
    nat on $ext_if from $internal_net to any -> ($ext_if)

    # for firewall
    block in all
    block out all
    pass quick on lo0 all
    pass out on $ext_if proto tcp all modulate state flags S/SA
    pass out on $ext_if proto { udp, icmp } all keep state
    pass in on $int_if from $internal_net to any
    pass out on $int_if from any to $internal_net
Here tun0 is the virtual interface the system creates once the PPPoE dial-up is connected, pcn1 is my internal NIC, and 192.168.188.0/24 is my internal subnet. The two block lines make the ruleset default-deny in both directions; the pass out rules on $ext_if create state for outbound TCP, UDP and ICMP so that replies are let back in, and nothing else is accepted from the Internet. This is the pre-OpenBSD 4.7 grammar, in which nat rules must come before the filter rules (from 4.7 on, NAT is written as a match ... nat-to rule instead).

Now run pfctl -e -f /etc/pf.conf to load the ruleset and enable the packet filter.
The screen shows pf enabled .
At this point the machines on your internal network can reach the Internet.

Finally, change pf=NO in /etc/rc.conf to
pf=YES
so the packet filter starts automatically at the next boot. (Overrides like this belong in /etc/rc.conf.local, which survives upgrades, rather than in /etc/rc.conf itself.)

====================================
Making OpenBSD's network more secure and faster
vi /etc/inetd.conf

ident        stream    tcp    nowait    _identd    /usr/libexec/identd    identd -el
ident        stream    tcp6    nowait    _identd    /usr/libexec/identd    identd -el
Put a # in front of these two lines so the ident service is no longer started at boot.

Likewise put a # in front of the two comsat lines so the comsat service is not started:
127.0.0.1:comsat dgram    udp    wait    root    /usr/libexec/comsat    comsat
[::1]:comsat    dgram    udp6    wait    root    /usr/libexec/comsat    comsat

Disable the daytime and time services the same way:
daytime        stream    tcp    nowait    root    internal
daytime        stream    tcp6    nowait    root    internal
time        stream    tcp    nowait    root    internal
time        stream    tcp6    nowait    root    internal

Send inetd a HUP (pkill -HUP inetd) so the running daemon re-reads the file; if no service is left enabled, set inetd=NO in rc.conf so inetd is not started at all.

--------------------------------------------------------------------------------------

vi /etc/rc.conf and set
sendmail_flags=NO
to turn sendmail off.

Then open the root crontab (vi /var/cron/tabs/root, or crontab -e as root) and put a # in front of the sendmail line, so cron no longer runs the sendmail queue every 30 minutes:
*/30   *   *   *   *    /usr/sbin/sendmail -L sm-msp-queue -Ac -q

Whether to keep sshd depends on whether you need to ssh in remotely. If you do, keep
sshd_flags=""
If you don't, vi /etc/rc.conf and set
sshd_flags=NO
------------------------------------------------------------------------------------

vi /etc/sysctl.conf and enable swap encryption:
vm.swapencrypt.enable=1         # 1=Encrypt pages that go to swap
(Check the running value first with sysctl vm.swapencrypt.enable; current OpenBSD releases already have it on by default.)

-----------------------------------------------------------------------------------
Add the following to /etc/sysctl.conf to improve TCP performance on the WAN side:
# 1. Path MTU discovery: enabled by default
# 2. TCP Extension (RFC1323): enabled by default
# 3. Increase TCP Window size for increase in network performance
net.inet.tcp.recvspace=65535
net.inet.tcp.sendspace=65535
# 4. SACK (RFC2018): enabled by default
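As an added example (not code from the original post or the source it quotes), here is a pre-flight audit script for the files this walkthrough edits. It checks for the slips that are easy to make along the way: an address left on the PPPoE NIC, two addresses on one nameserver line, a ppp.conf whose labels are not in column 0 or that is world-readable, legacy inetd services still enabled, forwarding still commented out in sysctl.conf, and a pf.conf with no default deny or with nat placed after the filter rules. Every check takes a root directory, so it can run against / on the gateway or, as the demo at the end does, against constructed copies; the NIC name pcn0 and the demo file contents are assumptions.

```sh
#!/bin/sh
# Added example, not code from the original post: a pre-flight audit of the files
# the walkthrough edits. Every check takes a root directory ($ROOT/etc/...), so
# it can run against / on the gateway or against a constructed copy (see the
# demo at the end). NIC names and the demo file contents are assumptions.

check_ext_if() {   # $1=root $2=PPPoE NIC: its hostname.if must carry no address
    f="$1/etc/hostname.$2"
    [ -f "$f" ] || return 0
    awk '/^[ \t]*#/ {next} /^[ \t]*$/ {next} /^up[ \t]*$/ {next} {bad = 1}
         END {exit bad ? 1 : 0}' "$f"
}

check_resolv() {   # $1=root: the resolver reads ONE address per nameserver line
    awk '$1 == "nameserver" && NF != 2 {bad = 1} END {exit bad ? 1 : 0}' \
        "$1/etc/resolv.conf"
}

check_ppp_conf() { # $1=root: labels in column 0, commands indented, mode 0600
    f="$1/etc/ppp/ppp.conf"
    [ -f "$f" ] || return 1
    case "$(ls -l "$f" | cut -c2-10)" in   # the file holds the ISP password
        rw-------|r--------) ;;
        *) return 1 ;;
    esac
    awk '/^[^ \t#]/ && !/:[ \t]*$/ {bad = 1}    # command in column 0
         /^[ \t]+[^ \t#][^"]*:[ \t]*$/ {bad = 1} # indented label: ppp will not find it
         END {exit bad ? 1 : 0}' "$f"
}

inetd_active() {   # $1=root: prints how many legacy inetd services are still on
    awk '/^[ \t]*#/ {next}
         $1 ~ /^(ident|comsat|daytime|time)$/ || $1 ~ /:(ident|comsat|daytime|time)$/ {n++}
         END {print n + 0}' "$1/etc/inetd.conf"
}

check_sysctl() {   # $1=root: forwarding on, swap encryption not forced off
    awk -F '=' '/^[ \t]*#/ {next}
         $1 ~ /net\.inet\.ip\.forwarding/ {fwd = $2 + 0}
         $1 ~ /vm\.swapencrypt\.enable/ && $2 + 0 == 0 {swapoff = 1}
         END {exit (fwd == 1 && !swapoff) ? 0 : 1}' "$1/etc/sysctl.conf"
}

check_pf() {       # $1=root: default deny present; nat before filter rules (pre-4.7 grammar)
    awk '/^[ \t]*#/ {next}
         /^[ \t]*block[ \t]+(in[ \t]+)?all[ \t]*$/ {deny = 1}
         /^[ \t]*pass[ \t]/ {seenpass = 1}
         /^[ \t]*nat[ \t]+on/ && seenpass {late = 1}
         END {exit (deny && !late) ? 0 : 1}' "$1/etc/pf.conf"
}

audit_gateway() {  # $1=root $2=PPPoE NIC: returns the number of failed checks
    fails=0
    check_ext_if "$1" "$2" || { echo "FAIL hostname.$2: PPPoE NIC must carry no IP"; fails=$((fails + 1)); }
    check_resolv "$1"      || { echo "FAIL resolv.conf: one address per nameserver line"; fails=$((fails + 1)); }
    check_ppp_conf "$1"    || { echo "FAIL ppp.conf: label layout, or not mode 0600"; fails=$((fails + 1)); }
    [ "$(inetd_active "$1")" -eq 0 ] || { echo "FAIL inetd.conf: ident/comsat/daytime/time enabled"; fails=$((fails + 1)); }
    check_sysctl "$1"      || { echo "FAIL sysctl.conf: forwarding off or swapencrypt disabled"; fails=$((fails + 1)); }
    check_pf "$1"          || { echo "FAIL pf.conf: no default deny, or nat after the filter rules"; fails=$((fails + 1)); }
    return $fails
}

# Constructed demo trees (not real system files). "good" is the walkthrough done
# right; "bad" reproduces the slips in the original text plus a forgotten uncomment.
make_demo() {      # $1=dir $2=good|bad
    mkdir -p "$1/etc/ppp"
    : > "$1/etc/hostname.pcn0"
    echo 'inet 192.168.188.1 255.255.255.0 192.168.188.255' > "$1/etc/hostname.pcn1"
    echo '#time stream tcp nowait root internal' > "$1/etc/inetd.conf"
    echo 'nat on tun0 from 192.168.188.0/24 to any -> (tun0)' > "$1/etc/pf.conf"
    if [ "$2" = good ]; then
        printf 'lookup file bind\nnameserver 202.96.128.166\nnameserver 202.96.128.86\n' > "$1/etc/resolv.conf"
        printf 'default:\n set log Phase\npppoe:\n set device "!/usr/sbin/pppoe -i pcn0"\n set authkey "secret"\n' > "$1/etc/ppp/ppp.conf"
        chmod 600 "$1/etc/ppp/ppp.conf"
        echo '#ident stream tcp nowait _identd /usr/libexec/identd identd -el' >> "$1/etc/inetd.conf"
        printf 'net.inet.ip.forwarding=1\nvm.swapencrypt.enable=1\n' > "$1/etc/sysctl.conf"
        printf 'block in all\npass out on tun0 all\n' >> "$1/etc/pf.conf"
    else
        printf 'lookup file bind\nnameserver 202.96.128.166 202.96.128.86\n' > "$1/etc/resolv.conf"
        printf 'default:\n set log Phase\n    pppoe:\n set authkey "secret"\n' > "$1/etc/ppp/ppp.conf"
        chmod 644 "$1/etc/ppp/ppp.conf"
        echo 'ident stream tcp nowait _identd /usr/libexec/identd identd -el' >> "$1/etc/inetd.conf"
        printf '#net.inet.ip.forwarding=1\nvm.swapencrypt.enable=1\n' > "$1/etc/sysctl.conf"
        printf 'pass out on tun0 all\n' >> "$1/etc/pf.conf"
    fi
}

demo_fail_count() { # $1=good|bad: build, audit, clean up; status = failed checks
    d=$(mktemp -d) || return 1
    make_demo "$d" "$1"
    if audit_gateway "$d" pcn0; then rc=0; else rc=$?; fi
    rm -rf "$d"; return $rc
}

# Stand-alone run: the "bad" tree fails 5 of the 6 checks.
demo_fail_count bad || echo "demo(bad): $? of 6 checks failed"
```

On the gateway, source the file and call audit_gateway / pcn0; the exit status is the number of failed checks, so it fits a cron job or a hook run before the config files are committed to version control. The ppp.conf permission check is the one most worth keeping even if the rest is dropped: the ISP password sits in that file in clear text.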


Done.
This was written with reference to the following material found online, especially its pf.conf configuration.
===========================================

I've been using an OpenBSD box for NAT/firewall at home (with Verizon DSL) for a while now. I switched to OpenBSD after Red Hat dropped their non-enterprise version (don't get me wrong, I still use Fedora on desktop machines). The installation/setup is actually quite simple. Here are some notes.
Update(20040708): The notes have been updated for OpenBSD 3.5.

   1. My internal and external network interfaces are fxp0 and fxp1, respectively. Note that after PPPoE is done, fxp1 will be represented by tun0.

   2. Follow this to install OpenBSD 3.5 and configure the internal interface during the installation. After the installation, modify configuration files as follows.
      Note: Section 4.5.2 of the installation guide says "It is important that the first partition skips the first track of the disk, in this case, starting on sector 63". However, I'm using the first partition for OpenBSD, and I had to make the partition start on sector 0 (otherwise, it seems that the bootloader won't be installed correctly). Of course, YMMV.

   3. /etc/rc.conf: make sure "pf=NO" (will start pf after the DSL link is up).

   4. /etc/rc.local: put the following lines at the end to bring up the external interface and start ppp.

          /sbin/ifconfig fxp1 up
          /usr/sbin/ppp -ddial pppoe
          

   5. /etc/sysctl.conf: make sure "net.inet.ip.forwarding=1" (enable IP forwarding).

   6. My /etc/ppp/ppp.conf is as follows:

          default:
           set log Phase Chat LCP IPCP CCP tun command
           set timeout 0
           set redial 15 0
           set reconnect 15 10000
           set server /var/run/ppp.sock "" 0177

          pppoe:
           set device "!/usr/sbin/pppoe -i fxp1"
           set mtu max 1492
           set mru max 1492
           set speed sync
           enable lqr
           disable acfcomp protocomp
           deny acfcomp
           add! default HISADDR
           set authname
           set authkey
          

      Note: you can remove "LCP" from the first line of "default" if it's generating too many log messages.

   7. My /etc/ppp/ppp.linkup is as follows:

          MYADDR:
            ! sh -c "/sbin/pfctl -e -f /etc/pf.conf"
          

      This will start pf after the link is up.

   8. Finally, the NAT/firewall rules are specified in /etc/pf.conf (for more information about the rules, see here):

          ext_if="tun0"
          int_if="fxp0"
          internal_net="192.168.0.0/24"
          scrub in all

          # for NAT
          nat on $ext_if from $internal_net to any -> ($ext_if)

          # for firewall
          block in all
          block out all
          pass quick on lo0 all
          pass out on $ext_if proto tcp all modulate state flags S/SA
          pass out on $ext_if proto { udp, icmp } all keep state
          pass in on $int_if from $internal_net to any
          pass out on $int_if from any to $internal_net


These are based on several online documents I've read. Please let me know if you find something I missed. Thanks!