LinuxSir.cn, the Linuxsir that travels through time!


[Repost] Linux Enterprise Internet Access Solution

Posted 2002-12-1 13:13:27
http://www.powerleader.com.cn/settle/settle_13.htm





Linux Enterprise Internet Access Solution

All configuration files below are taken from systems actually in production, running under Red Flag Linux.
I. File server (samba-2.0.6-9)
Configuration file: /etc/smb.conf

#=================== Global Settings =============================

[global]
workgroup = shenzhennt
client code page = 936
# handles Chinese file names
server string = File Server
log file = /var/log/samba/log.%m
# Put a capping on the size of the log files (in Kb).
max log size = 50
# Security mode. Most people will want user level security. See
# security_level.txt for details.
security = user
encrypt passwords = no
# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
wins server = 10.100.100.109
dns proxy = no  

#========================== Share Definitions ===========================

[homes]
comment = Home Directories
browseable = no
writable = yes
[public]
comment = Public Folder
path = /home/public
public = yes
writable = yes
# shared directory, readable and writable by everyone
[it]
comment = It Folder
path = /home/it
public = yes
write list = @it
# create an "it" group that maintains the public/it directory, which holds installation software, drivers, etc.; users outside the IT group can only read.
Department-level shared directories and the like can be created the same way.

Notes:
1. The other smb.conf parameters can be left at their defaults. Since Linux permission management is not as comprehensive as NT's, where permission assignment is complex there are two approaches: a. create several shares for one directory, each granting different permissions to the corresponding user group; b. combine this with Linux file permissions. For example, the samba share can give everyone write permission while the Linux file permissions give write permission only to a specific group, so everyone else can only read.
2. User and password management:
A: If encrypt passwords = yes, users have two passwords (Linux, smbpasswd) and changing passwords becomes a hassle, so I set it to no; samba then authenticates against /etc/passwd and users maintain only one password. This is convenient but not secure enough; it seems unix password sync = Yes would be both convenient and secure, but I did not get it working.
B: Edit /etc/passwd and set the user's shell to /usr/bin/passwd, so that when users want to change their password they simply telnet to the samba server; other servers such as the sendmail server can use the same method.
C: If you do not want a /GNUstep directory to appear in users' home directories, run mv /etc/skel /etc/skel.backup.
3. Windows 98 clients: edit the registry. Under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VNETSUP add a DWORD value named EnablePlainTextPassword with value 0x01. Edit the \windows\hosts file and add: ipaddress samba-server-name.
4. Crossing a gateway: if there is a router between the client and the samba server, make sure the client and the samba server are in the same workgroup, and edit the client's \windows\lmhosts file, adding: a.b.c.d <NetBIOS name or hostname of the samba server>. What I do now is give the branch-office IT staff an account at headquarters and let them transfer files between headquarters and the branch with CuteFTP through the public directory. This avoids requiring the branch to be in the same domain as headquarters (they also have NT).
5. Disk quotas: see the article 'How to set disk quotas in Linux' in the article collection. To quickly give a group of users on the system, say a hundred, the same quota values as bob, first edit bob's quota information by hand, then run:
# csh
# edquota -p bob `awk -F: '$3 > 499 {print $1}' /etc/passwd`
This assumes your users' UIDs start at 500.
For more detail see the linuxforum article.

II. Print server (samba-2.0.6-9)
Configuration file: /etc/smb.conf
[global]
# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = shenzhennt
map to guest = Bad User
# Important: this lets every user print without being asked for a password.
# server string is the equivalent of the NT Description field
server string = Printer In OP
# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
printcap name = /etc/printcap
load printers = yes
log file = /var/log/samba/log.%m
# Put a capping on the size of the log files (in Kb).
max log size = 50
security = user
socket options = TCP_NODELAY
dns proxy = no

#========================== Share Definitions ===========================

[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = Printer in OP
path = /var/spool/samba
browseable = no
guest ok = yes
writable = no
printable = yes
The other parameters can be left at their defaults.
Also: samba_2.0.3-8 has a bug.

III. DNS (bind-8.2.2_P5-9), FTP (wu-ftpd-2.4.2vr17-3), WWW. FTP and WWW have no special requirements, so only the defaults were used.
The DNS configuration files are described below.
A. /etc/named.conf
// generated by named-bootconf.pl
options {
directory "/var/named";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
};
//
// a caching only nameserver config
//
zone "." in {
type hint;
file "named.ca";
};
zone "0.0.127.in-addr.arpa" in {
type master;
file "named.local";
};
zone "domain.com" in {
type master;
file "domain.com";
};
zone "c.b.a.in-addr.arpa" in {
type master;
file "abc";
};
zone "200.100.10.in-addr.arpa" in {
type master;
file "200";
};
B. /var/named/domain.com
@ IN SOA domain.com. yzy.domain.com. (
1999122105 28800 14400 3600000 86400 );
NS dns.domain.com.
MX 10 firewall.domain.com.
localhost A 127.0.0.1
dns A a.b.c.dns
domain.com. A a.b.c.dns
firewall A a.b.c.fw
firewall1 A 10.100.200.2
www cname dns.domain.com.
ftp cname dns.domain.com.
mail cname firewall.domain.com.
C. /var/named/abc
@ IN SOA domain.com. yzy.domain.com. (
1999122101 28800 14400 3600000 86400 )
NS dns.domain.com.
177 PTR dns.domain.com.
188 PTR mail.domain.com.
177 PTR www.domain.com.
177 PTR ftp.domain.com.
D. /var/named/200
@ IN SOA domain.com. yzy.domain.com. (
1999122101 28800 14400 3600000 86400 )
NS dns.domain.com.
2 PTR firewall1.domain.com.

Note:
DNS is very important to sendmail. firewall1 above mainly serves the company-wide sendmail server,
acting as the email gateway.

IV. Proxy server (squid-2.3.STABLE1-5)
Configuration file: /etc/squid/squid.conf
http_port 8080
icp_port 8080
hierarchy_stoplist cgi-bin ?
cache_mem 8 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 2048 KB
cache_dir ufs /var/spool/squid 150 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
debug_options ALL,1
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
# ACCESS CONTROLS
# -----------------------------------------------------------------------------
#Defaults:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# TAG: http_access
acl hq src 10.100.100.29/32 10.100.100.2/32 10.100.100.40/32 10.100.100.75/32 10.100.100.6/32 10.100.100.87/32
# headquarters
acl gz src 10.100.101.61/32 10.100.101.98/32 10.100.101.72/32 10.100.101.62/32 10.100.101.73/32 10.100.101.166/32 10.100.101.15/32
# branch office
http_access allow hq
http_access allow gz
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
icp_access allow all
miss_access allow all  

V. Firewall + port forwarding (ipchains-1.3.9-5, ipmasqadm-0.4.2-3)
First the network topology:
a.b.c.xxx are real Internet addresses. The firewall has a DMZ. Besides packet filtering it also does port forwarding,
so that branch-office users can send and receive their local email through the headquarters' single Internet connection. It is also the email gateway:
all mail coming from or going to the Internet passes through it. To prevent abuse by spammers,
sendmail on the firewall does not allow RELAY; but so that travelling users can still send email,
a server that does allow RELAY, Mail2, was set up to shield the Firewall (sendmail can now use authenticated SMTP so that users on Linux can send email without the server being open to abuse). Mail2 is not published externally;
a dial-up server is installed on Mail2 with a shared account and password, and security rules on Mail2
allow only sending and receiving email through it. This both simplifies administration and provides the dial-up server function.
Configuration file: /etc/rc.d/fire. Add one line at the end of /etc/rc.d/rc.local: sh /etc/rc.d/fire, so that the firewall is set up automatically at every boot.
#!/bin/sh
# /etc/rc.d/fire: ipchains packet filter and ipmasqadm port forwarding, run from rc.local at boot
echo ""
echo "Starting ipchains rules..."
#Refresh all Chains
/sbin/ipchains -F
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -A forward -j MASQ -s 10.100.100.102/32
/sbin/ipchains -A forward -j MASQ -s 10.100.101.252/32
/sbin/ipchains -A forward -j MASQ -s 10.100.102.252/32
/sbin/ipchains -A forward -j MASQ -s 10.100.103.252/32
/sbin/ipchains -A forward -j MASQ -s 10.100.104.252/32
/sbin/ipchains -A forward -j MASQ -s 10.100.105.252/32
/sbin/ipchains -A forward -j MASQ -s 10.100.109.252/32
/sbin/ipchains -A forward -j MASQ -s 10.100.110.252/32
# The rules above are IP masquerading; if Internet access goes through the firewall, masquerading can transparently proxy the whole LAN out.
/usr/sbin/ipmasqadm portfw -a -P tcp -L a.b.c.fw 110 -R 10.100.100.252 110
# Receives email for headquarters users: a request to a.b.c.fw:110 is forwarded to port 110 on mssz, so mail can be fetched. The following are the same.
/usr/sbin/ipmasqadm portfw -a -P tcp -L a.b.c.fw 60101 -R 10.100.101.252 110
/usr/sbin/ipmasqadm portfw -a -P tcp -L a.b.c.fw 60102 -R 10.100.102.252 110
/usr/sbin/ipmasqadm portfw -a -P tcp -L a.b.c.fw 60103 -R 10.100.103.252 110
/usr/sbin/ipmasqadm portfw -a -P tcp -L a.b.c.fw 60104 -R 10.100.104.252 110
/usr/sbin/ipmasqadm portfw -a -P tcp -L a.b.c.fw 60105 -R 10.100.105.252 110
/usr/sbin/ipmasqadm portfw -a -P tcp -L a.b.c.fw 60109 -R 10.100.109.252 110
/usr/sbin/ipmasqadm portfw -a -P tcp -L a.b.c.fw 60110 -R 10.100.110.252 110
#IP spoof protection
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
echo ""
echo -n "Setting up IP spoofing protection..."
for f in /proc/sys/net/ipv4/conf/*/rp_filter;
do
echo 1 > $f
done
echo "done."
else
echo "PROBLEMS SETTING UP IP SPOOFING PROTECTION. BE WORRIED."
echo "CONTROL-D will exit from this shell and continue system startup."
echo
#Start a single user shell on the console
/sbin/sulogin $CONSOLE
fi
#refuse broadcast address source packets
/sbin/ipchains -A input -j DENY -s 255.255.255.255
/sbin/ipchains -A input -j DENY -d 0.0.0.0
############################################
echo ""
echo "Starting http ............"
#from Internet & Intranet
/sbin/ipchains -A input -p tcp -s 0.0.0.0/0 1024: -d a.b.c.dns/32 www -j ACCEPT
/sbin/ipchains -A input -p udp -s 0.0.0.0/0 1024: -d a.b.c.dns/32 www -j ACCEPT
#Response
/sbin/ipchains -A input -p tcp -s a.b.c.dns www -d 0.0.0.0/0 1024: -i eth2 -j ACCEPT
/sbin/ipchains -A input -p udp -s a.b.c.dns www -d 0.0.0.0/0 1024: -i eth2 -j ACCEPT
############################################
echo ""
echo "Starting FTP......................"
#From Internet & Intranet
/sbin/ipchains -A input -p tcp -s 0.0.0.0/0 1024: -d a.b.c.dns/32 ftp -j ACCEPT
#Response
/sbin/ipchains -A input -p tcp -s a.b.c.dns/32 ftp -d 0.0.0.0/0 1024: -i eth2 -j ACCEPT
##################################################
echo ""
echo "Starting Domain ............."
# From Internet & intranet
/sbin/ipchains -A input -p tcp -s 0.0.0.0/0 -d a.b.c.dns/32 domain -j ACCEPT
/sbin/ipchains -A input -p udp -s 0.0.0.0/0 -d a.b.c.dns/32 domain -j ACCEPT
# Response
/sbin/ipchains -A input -p tcp -s a.b.c.dns/32 domain -d 0.0.0.0/0 -j ACCEPT
/sbin/ipchains -A input -p udp -s a.b.c.dns/32 domain -d 0.0.0.0/0 -j ACCEPT
#To Internet query
/sbin/ipchains -A input -p tcp -s a.b.c.dns/32 -d 0.0.0.0/0 domain -i eth2 -j ACCEPT
/sbin/ipchains -A input -p udp -s a.b.c.dns/32 -d 0.0.0.0/0 domain -i eth2 -j ACCEPT
#response
/sbin/ipchains -A input -p tcp -s 0.0.0.0/0 domain -d a.b.c.dns/32 -i eth0 -j ACCEPT
/sbin/ipchains -A input -p udp -s 0.0.0.0/0 domain -d a.b.c.dns/32 -i eth0 -j ACCEPT
####################################################
echo ""
echo "Starting Telnet................"
#From Intranet
/sbin/ipchains -A input -p tcp -s 10.100.100.0/24 1024: -d a.b.c.dns/32 telnet -i eth1 -j ACCEPT
/sbin/ipchains -A input -p tcp -s a.b.c.fw/32 1024: -d a.b.c.m2/32 telnet -i eth0 -j ACCEPT
/sbin/ipchains -A input -p tcp -s 10.100.100.0/24 1024: -d 10.100.200.2/32 telnet -i eth1 -j ACCEPT
# The above allows headquarters hosts to maintain the DMZ and the FIREWALL, and the FIREWALL to maintain MAIL2. Ideally do not use TELNET at all; maintain over SSH instead.
#Response
/sbin/ipchains -A input -p tcp -s a.b.c.dns/32 telnet -d 10.100.100.0/24 1024: -i eth2 -j ACCEPT
/sbin/ipchains -A input -p tcp -s a.b.c.m2/32 telnet -d a.b.c.fw/32 1024: -i eth0 -j ACCEPT
/sbin/ipchains -A input -p tcp -s 10.100.200.2/32 telnet -d 10.100.100.0/24 1024: -i eth1 -j ACCEPT
####################################################
echo ""
echo "Starting smtp ....................."
# From Internet
/sbin/ipchains -A input -p tcp -s 0.0.0.0/0 -d a.b.c.fw/32 smtp -j ACCEPT
/sbin/ipchains -A input -p tcp -s a.b.c.fw/32 smtp -d 0.0.0.0/0 -j ACCEPT
# To Internet
/sbin/ipchains -A input -p tcp -s a.b.c.fw/32 -d 0.0.0.0/0 smtp -j ACCEPT
/sbin/ipchains -A input -p tcp -s 0.0.0.0/0 smtp -d a.b.c.fw/32 -j ACCEPT
#From Intranet
/sbin/ipchains -A input -p tcp -s 10.100.0.0/16 -d 10.100.200.2/32 -i eth1 -j ACCEPT
/sbin/ipchains -A input -p tcp -s 10.100.200.2/32 -d 10.100.0.0/16 -i eth1 -j ACCEPT
#To Intranet
/sbin/ipchains -A input -p tcp -s 10.100.200.2/32 -d 10.100.0.0/16 smtp -i eth1 -j ACCEPT
/sbin/ipchains -A input -p tcp -s 10.100.0.0/16 smtp -d 10.100.200.2/32 -i eth1 -j ACCEPT
###################################
echo ""
echo "Starting pop-3.................."
#From Internet
/sbin/ipchains -A input -p tcp -s 0.0.0.0/0 1024: -d a.b.c.fw/32 pop-3 -i eth0 -j ACCEPT
#Response
/sbin/ipchains -A input -p tcp -s a.b.c.fw/32 pop-3 -d 0.0.0.0/0 1024: -i eth0 -j ACCEPT
#Pop3 Relay
/sbin/ipchains -A input -p tcp -s 0.0.0.0/0 1024: -d a.b.c.fw/32 60100:60111 -i eth0 -j ACCEPT
/sbin/ipchains -A input -p tcp -s a.b.c.fw/32 -d 10.100.0.0/16 pop-3 -i eth1 -j ACCEPT
/sbin/ipchains -A input -p tcp -s 10.100.200.2/32 -d 10.100.0.0/16 pop-3 -i eth1 -j ACCEPT
#Response
/sbin/ipchains -A input -p tcp -s 10.100.0.0/16 pop-3 -d 0.0.0.0/0 1024: -i eth1 -j ACCEPT
#################################
echo ""
echo "Starting Define icmp packets"
/sbin/ipchains -A input -p icmp -j ACCEPT
#####################################
echo ""
echo "Starting define default rules for input chain"
/sbin/ipchains -A input -j REJECT -l

VI. Email system (sendmail-8.10.0-1, imap-4.7-5)
The company uses the single domain name domain.com. The Firewall also acts as the email gateway (the mail servers are named mssz, msgz and msbj respectively).
(1) Configuration files on the Firewall:
A. /etc/sendmail.cf
This file is generated from the redhat.mc file below with the command m4 redhat.mc > /etc/sendmail.cf:
Contents of redhat.mc:
divert(-1)
dnl This is the macro config file used to generate the /etc/sendmail.cf
dnl file. If you modify this file you will have to regenerate the
dnl /etc/sendmail.cf by running this macro config through the m4
dnl preprocessor:
dnl
dnl        m4 /etc/sendmail.mc > /etc/sendmail.cf
dnl
dnl You will need to have the sendmail-cf package installed for this to
dnl work.
include(`../m4/cf.m4')
define(`confDEF_USER_ID',``8:12'')
OSTYPE(`linux')
undefine(`UUCP_RELAY')
undefine(`BITNET_RELAY')
define(`confAUTO_REBUILD')
define(`confTO_CONNECT', `1m')
define(`confTRY_NULL_MX_LIST',true)
define(`confDONT_PROBE_INTERFACES',true)
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')
define(`ALIAS_FILE',`/etc/mail/aliases')
define(`SMTP_MAILER_FLAGS',`0')
FEATURE(`smrsh',`/usr/sbin/smrsh')
dnl FEATURE(`mailertable',`hash -o /etc/mail/mailertable')
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable')
FEATURE(`domaintable',`hash -o /etc/mail/domaintable')
FEATURE(redirect)
FEATURE(always_add_domain)
FEATURE(use_cw_file)
FEATURE(local_procmail)
FEATURE(`access_db')
FEATURE(`blacklist_recipients')
dnl We strongly recommend to comment this one out if you want to protect
dnl yourself from spam. However, the laptop and users on computers that do
dnl not have 24x7 DNS do need this.
dnl FEATURE(`accept_unresolvable_domains')
dnl FEATURE(`relay_based_on_MX')
MAILER(smtp)
MAILER(procmail)
Then edit /etc/sendmail.cf and set the DM line to:
Dmdomain.com
B. /etc/mail/access
localhost.localdomain RELAY
localhost RELAY
127.0.0.1 RELAY
domain.com RELAY
yzy@domain.com deny
# Users whose Internet mail must be restricted are listed as above; users who are not restricted need not be listed.
C. /etc/mail/local-host-names
Set the contents of /etc/mail/local-host-names to domain.com
D. /etc/mail/mailertable
Set the contents of /etc/mail/mailertable to:
sz.st-anda.com smtp:[10.100.100.252]
gz.st-anda.com smtp:[10.100.101.252]
bj.st-anda.com smtp:[10.100.109.252]
E. /etc/mail/relay-domains
10.100.100.252
10.100.101.252
10.100.109.252
F. /etc/mail/aliases
Szuser@sz.domain.com
Gzuser@gz.domain.com
Bjuser@bj.domain.com
G. /etc/hosts
Add the following:
168.100.100.252 mssz.sz.st-anda.com mssz
168.100.101.252 msgz.gz.st-anda.com msgz
168.100.102.252 mstj.tj.st-anda.com mstj
Many of the file changes above require running makemap hash to rebuild the database files.
Taking access as an example:
makemap hash /etc/mail/access.db < /etc/mail/access
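As an added example (not code from the original post), the following Python script parses an smb.conf and flags the settings the post touches on: encrypt passwords = no (the post's own choice, and the reason its Windows 98 clients need EnablePlainTextPassword), shares that are both guest-accessible and writable with no write list, and map to guest. The sample configuration is the post's file-server smb.conf embedded inline; the parameter synonyms follow Samba's documented spellings, and the severity labels are the example's own assumption.

```python
"""Audit an smb.conf for the security-relevant settings discussed in the post.

Added example, not code from the original post. SAMPLE_SMB_CONF is the post's
file-server configuration reproduced inline so the script runs offline.
"""
import re

SAMPLE_SMB_CONF = """\
[global]
workgroup = shenzhennt
client code page = 936
server string = File Server
security = user
encrypt passwords = no
wins server = 10.100.100.109

[homes]
comment = Home Directories
browseable = no
writable = yes

[public]
comment = Public Folder
path = /home/public
public = yes
writable = yes

[it]
comment = It Folder
path = /home/it
public = yes
write list = @it
"""

# Samba accepts several spellings for the same parameter; fold them to one key.
SYNONYMS = {"public": "guest ok", "writeable": "writable", "write ok": "writable"}


def _truthy(value):
    return value.strip().lower() in ("yes", "true", "1")


def parse_smb_conf(text):
    """Return {section: {parameter: value}}; parameters are lower-cased,
    whitespace-collapsed, synonyms folded and 'read only' inverted to 'writable'."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = " ".join(key.lower().split())
        value = value.strip()
        if key == "read only":  # read only = no  <=>  writable = yes
            key, value = "writable", "no" if _truthy(value) else "yes"
        conf[section][SYNONYMS.get(key, key)] = value
    return conf


def audit(conf):
    """Return [(severity, section, finding)] for the settings the post discusses."""
    findings = []
    g = conf.get("global", {})
    # Samba 2.x used plaintext authentication unless this was set to yes.
    if not _truthy(g.get("encrypt passwords", "no")):
        findings.append(("HIGH", "global",
                         "encrypt passwords = no: clients send the password in cleartext"))
    if g.get("security", "user").strip().lower() == "share":
        findings.append(("HIGH", "global",
                         "security = share: no per-user identity for access control"))
    if g.get("map to guest", "never").strip().lower() != "never":
        findings.append(("MEDIUM", "global",
                         "map to guest = %s: failed logins become the guest account" % g["map to guest"]))
    for name, share in conf.items():
        if name == "global":
            continue
        guest = _truthy(share.get("guest ok", "no"))
        writable = _truthy(share.get("writable", "no"))
        write_list = share.get("write list")
        if guest and writable and not write_list:
            findings.append(("HIGH", name,
                             "guest ok + writable and no write list: anyone who can connect may write"))
        elif guest and write_list:
            findings.append(("INFO", name, "guest readable; writes limited to " + write_list))
    return findings


def high_sections(conf):
    """Names of sections with a HIGH finding, in file order."""
    return [sec for sev, sec, _ in audit(conf) if sev == "HIGH"]


if __name__ == "__main__":
    for sev, sec, msg in audit(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("%-6s [%s] %s" % (sev, sec, msg))
```

Run it against a real file with `parse_smb_conf(open("/etc/smb.conf").read())`; on the post's file-server config it reports the plaintext-password setting and the writable [public] share as HIGH, and [it] as informational because write access there is limited to the `it` group.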
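As a second added example (not part of the original post), the script below parses a subset of the post's ipchains input-chain rules, in the order they appear in /etc/rc.d/fire, and evaluates packets against them with ipchains' first-match semantics. The a.b.c.* placeholders are mapped to TEST-NET-3 addresses, an assumption of the example. It makes two things concrete: the `1024:` source-port convention admits only unprivileged client ports, and because ipchains is stateless and these rules carry no `! -y` SYN check, the "response" rule `-s 0.0.0.0/0 domain -d a.b.c.dns/32 -i eth0 -j ACCEPT` accepts any TCP packet arriving from the Internet with source port 53 to any port on the DNS host, so the telnet restriction on that host holds only for clients that use an unprivileged source port.

```python
"""First-match simulator for the ipchains 'input' chain in the post's /etc/rc.d/fire.

Added example, not part of the original post. The a.b.c.* placeholders are
mapped to TEST-NET-3 addresses (an assumption; any distinct addresses work).
"""
import ipaddress
import shlex

PLACEHOLDERS = {"a.b.c.dns": "203.0.113.10", "a.b.c.fw": "203.0.113.1", "a.b.c.m2": "203.0.113.20"}
SERVICES = {"www": 80, "ftp": 21, "domain": 53, "telnet": 23, "smtp": 25, "pop-3": 110}

# A subset of the post's rules, in the same order they appear in the script.
RULES_SH = """\
/sbin/ipchains -A input -j DENY -s 255.255.255.255
/sbin/ipchains -A input -j DENY -d 0.0.0.0
/sbin/ipchains -A input -p tcp -s 0.0.0.0/0 1024: -d a.b.c.dns/32 www -j ACCEPT
/sbin/ipchains -A input -p tcp -s a.b.c.dns www -d 0.0.0.0/0 1024: -i eth2 -j ACCEPT
/sbin/ipchains -A input -p tcp -s 0.0.0.0/0 -d a.b.c.dns/32 domain -j ACCEPT
/sbin/ipchains -A input -p udp -s 0.0.0.0/0 -d a.b.c.dns/32 domain -j ACCEPT
/sbin/ipchains -A input -p tcp -s a.b.c.dns/32 domain -d 0.0.0.0/0 -j ACCEPT
/sbin/ipchains -A input -p udp -s a.b.c.dns/32 domain -d 0.0.0.0/0 -j ACCEPT
/sbin/ipchains -A input -p tcp -s a.b.c.dns/32 -d 0.0.0.0/0 domain -i eth2 -j ACCEPT
/sbin/ipchains -A input -p tcp -s 0.0.0.0/0 domain -d a.b.c.dns/32 -i eth0 -j ACCEPT
/sbin/ipchains -A input -p tcp -s 10.100.100.0/24 1024: -d a.b.c.dns/32 telnet -i eth1 -j ACCEPT
/sbin/ipchains -A input -p tcp -s a.b.c.dns/32 telnet -d 10.100.100.0/24 1024: -i eth2 -j ACCEPT
/sbin/ipchains -A input -p icmp -j ACCEPT
/sbin/ipchains -A input -j REJECT -l
"""


def _ports(tok):
    """'www' -> (80, 80); '1024:' -> (1024, 65535); '60100:60111' -> (60100, 60111)."""
    if tok in SERVICES:
        return (SERVICES[tok], SERVICES[tok])
    lo, sep, hi = tok.partition(":")
    lo = int(lo) if lo else 0
    hi = int(hi) if hi else (65535 if sep else lo)
    return (lo, hi)


def _net(tok):
    """Resolve the post's placeholders and treat a bare address as a /32, as ipchains does."""
    for name, addr in PLACEHOLDERS.items():
        tok = tok.replace(name, addr)
    return ipaddress.ip_network(tok if "/" in tok else tok + "/32", strict=False)


def parse_rule(line):
    """Parse one '/sbin/ipchains -A input ...' command into a rule dict."""
    toks = shlex.split(line)
    rule = dict(proto=None, src=None, sport=None, dst=None, dport=None, iface=None, target=None)
    i = 1  # toks[0] is the ipchains binary
    while i < len(toks):
        t = toks[i]
        if t == "-A":
            if toks[i + 1] != "input":
                raise ValueError("only the input chain is modelled: " + line)
            i += 2
        elif t == "-p":
            rule["proto"] = toks[i + 1].lower()
            i += 2
        elif t in ("-s", "-d"):
            addr, port = ("src", "sport") if t == "-s" else ("dst", "dport")
            rule[addr] = _net(toks[i + 1])
            i += 2
            if i < len(toks) and not toks[i].startswith("-"):  # optional port spec after the address
                rule[port] = _ports(toks[i])
                i += 1
        elif t == "-i":
            rule["iface"] = toks[i + 1]
            i += 2
        elif t == "-j":
            rule["target"] = toks[i + 1]
            i += 2
        elif t == "-l":
            i += 1  # log flag; does not affect matching
        else:
            raise ValueError("unsupported option %r in %r" % (t, line))
    return rule


def _in(spec, value):
    return spec is None or spec[0] <= value <= spec[1]


def matches(rule, pkt):
    """pkt = dict(proto, src, sport, dst, dport, iface); ports are ignored for icmp."""
    if rule["proto"] not in (None, pkt["proto"]):
        return False
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["dst"] is not None and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if rule["iface"] not in (None, pkt["iface"]):
        return False
    if pkt["proto"] != "icmp" and not (_in(rule["sport"], pkt["sport"]) and _in(rule["dport"], pkt["dport"])):
        return False
    return True


def verdict(rules, pkt, policy="ACCEPT"):
    """Target of the first matching rule; the chain's built-in policy otherwise."""
    for r in rules:
        if matches(r, pkt):
            return r["target"]
    return policy


def pkt(proto, src, sport, dst, dport, iface):
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport, iface=iface)


RULES = [parse_rule(l) for l in RULES_SH.splitlines() if l.strip()]

if __name__ == "__main__":
    dns = PLACEHOLDERS["a.b.c.dns"]
    for p in (pkt("tcp", "198.51.100.7", 40000, dns, 80, "eth0"),   # web from Internet
              pkt("tcp", "198.51.100.7", 40000, dns, 23, "eth0"),   # telnet from Internet
              pkt("tcp", "198.51.100.7", 53, dns, 23, "eth0")):     # telnet, source port 53
        print(p["proto"], p["src"], p["sport"], "->", p["dst"], p["dport"], p["iface"], verdict(RULES, p))
```

The three packets printed by the `__main__` block give ACCEPT, REJECT and ACCEPT respectively; the last one is the source-port-53 case described above. To check a full ruleset, feed every `ipchains -A input` line of the script to `parse_rule` in order.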
Posted 2006-5-17 16:39:18
Concise and essential!

Worth bookmarking.

Posted 2006-5-17 16:39:34
Concise and essential!

Worth bookmarking.