【求助】用一塊網路卡做 NAT 是否無法動作





lych
2003-05-21, 07:52 PM
我用一塊網路卡想做 NAT 功能，讓其他電腦也能連上網路。
這塊網路卡 eth0 用實體 IP，我另外又再多加一個虛擬介面 eth0:0，
用的是內部 IP 192.168.1.5。
script 是參考鳥哥網站的設定，內容如下：

#!/bin/bash

# Site parameters for the MASQUERADE rule at the end of this script:
# the device that carries the public address, and the private network
# behind it (the poster's eth0:0 alias lives in this range).
EXIF=eth0                # external (Internet-facing) device
EXNET=192.168.1.0/24     # private network to masquerade

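# Nothing below normally needs changing.
# 0.1 Kernel check: this script relies on the 2.4/2.5 netfilter code.
# Take the "major.minor" prefix of the release string rather than its first
# three characters, so a two-digit minor (e.g. "2.10") is not read as "2.1".
echo -n "Check your kernel version... "
kver=$(uname -r | cut -d. -f1-2)
if [ "$kver" = "2.4" ] || [ "$kver" = "2.5" ]; then
    echo "[OK]"
    echo "Your Linux Kernel Version is no problem!"
else
    echo "[Failure]"
    echo "Your Linux Kernel Version may not be suported by this script!"
    echo "This scripts will not be runing"
    # Non-zero status: a bare "exit" reported success to init scripts and
    # cron even though no firewall/NAT rule was installed.
    exit 1
fi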

# 0.2 Warn the operator: every existing iptables rule is about to be removed.
printf '%s\n' \
    " " \
    "Note:" \
    " This script will clear your iptables' rules" \
    " Please make sure that you want to do this script!" \
    " Ha Ha! No problem ! If you just want to be an NAT server !" \
    " "

# 0.3 The script treats ipchains and ip_tables as mutually exclusive: if the
# old ipchains module is loaded, unload it and pull in ip_tables instead.
# Errors are silenced deliberately (rmmod/modprobe may be a no-op).
if lsmod | grep -q ipchains; then
    rmmod ipchains 2>/dev/null
    modprobe ip_tables 2>/dev/null
fi

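# 1. Fixed PATH, enable routing, wipe every existing rule.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
export PATH

IPT=/sbin/iptables
# Stop early if the binary is missing or not executable: otherwise every
# later rule is silently skipped and the box is left forwarding unfiltered.
if [ ! -x "$IPT" ]; then
    echo "$IPT not found or not executable; aborting" >&2
    exit 1
fi

echo "1" > /proc/sys/net/ipv4/ip_forward
modprobe ip_tables 2> /dev/null

# Flush (-F), delete user chains (-X) and zero counters (-Z) in the filter
# and nat tables.  A failure here usually means the netfilter modules did
# not load; do not continue on top of a half-cleared ruleset.
for tbl in filter nat; do
    "$IPT" -t "$tbl" -F && "$IPT" -t "$tbl" -X && "$IPT" -t "$tbl" -Z \
        || { echo "iptables -t $tbl flush failed; aborting" >&2; exit 1; }
done

# NOTE(review): every chain policy is ACCEPT and forwarding is on, so unless
# later rules narrow INPUT/FORWARD the host accepts and routes anything it
# receives.  The second script on this page shows a filtering variant.
for chain in INPUT OUTPUT FORWARD; do
    "$IPT" -P "$chain" ACCEPT
done
for chain in PREROUTING POSTROUTING OUTPUT; do
    "$IPT" -t nat -P "$chain" ACCEPT
done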

# 2. Connection tracking plus the ftp/irc helpers, so the secondary data
# connections those protocols open are tracked and NATed as well.  Errors
# are silenced on purpose (presumably for kernels with these built in).
for mod in ip_nat_ftp ip_nat_irc ip_conntrack ip_conntrack_ftp ip_conntrack_irc; do
    modprobe "$mod" 2>/dev/null
done

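# 3. Masquerade the private network behind the address of $EXIF.
/sbin/iptables -t nat -A POSTROUTING -o $EXIF -s $EXNET -j MASQUERADE

# Forwarding was switched on with an ACCEPT policy, so any packet that
# reaches this host could be routed through it by a third party.  Relay only
# traffic that originates in $EXNET and the replies belonging to those
# connections.  A device test cannot tell inside from outside here because
# both sides share $EXIF (single card), hence the address-based match.
# Requires ip_conntrack, loaded in step 2.
/sbin/iptables -A FORWARD -s $EXNET -j ACCEPT
/sbin/iptables -A FORWARD -d $EXNET -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -P FORWARD DROP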

我的設定如上，執行後 Windows 端的 TCP/IP 設定為：
ip 192.168.1.15
netmask 255.255.255.0
gateway 192.168.1.5
dns 168.95.1.1
沒有設定proxy,我也沒有proxy server
請問是否因為我的 script 有錯誤，才無法啟動 NAT 功能呢？
如果是設定錯誤，那該怎麼設定？目前用的是 Mandrake 9.1。
之前有用兩張網卡就可以用(redhat 9),但是我把他減為一張網卡就變不行了
請問這樣要如何解決呢



gerrybbs
2003-05-21, 10:23 PM
試試這個 script；執行之前請先用 ifconfig 確認網路介面已正常啟用。另外注意：iptables 的 -i 是比對實體裝置名稱，eth0:0 只是 eth0 上的別名位址，所以 -i eth0:0 的規則永遠比對不到。只有一張網卡時，INIF 要填 eth0，而且第 4.0 節的 INPUT 規則必須加上 -s $INNET，否則 -i eth0 會把來自 Internet 的封包全部放行。



#!/bin/bash
#
# Builds a basic iptables firewall.  The base policy is "deny everything,
# open only what is listed".  Suggested location: /usr/local/virus/iptables,
# file name iptables.rule.
# Background (Chinese):
#   http://aerosol.ev.ncku.edu.tw/~vbird/linux_redhat7.2/62simple_firewall.html
#
# HISTORY:
# 2002/08/20 First release by VBird
#

# 0.0 Site parameters -- edit these three.
#   EXTIF  device that faces the Internet
#   INIF   device that faces the LAN; leave it empty (INIF="") if there is
#          none.  It must be a real device name: an ifconfig alias such as
#          eth0:0 is only a secondary address on eth0, and iptables "-i"
#          matches on the device, so a rule with "-i eth0:0" never matches.
#   INNET  the private network that is masqueraded
EXTIF=eth0
INIF=eth0:0
INNET=192.168.1.0/24

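# 1.0 Kernel check (netfilter needs 2.4/2.5) and ipchains removal.
# Compare the "major.minor" prefix of the release string instead of its
# first three characters, so a two-digit minor such as "2.10" is not cut
# down to "2.1".
kver=$(uname -r | cut -d. -f1-2)
if [ "$kver" != "2.4" ] && [ "$kver" != "2.5" ]; then
    echo "Your Linux Kernel Version may not be suported by this script!" >&2
    echo "This scripts will not be runing" >&2
    # Exit non-zero: a bare "exit" reported success although no rule was
    # installed, hiding the failure from init scripts and cron.
    exit 1
fi
# ipchains and ip_tables are treated as mutually exclusive; unload the old
# module first.  rmmod errors are silenced deliberately.
if lsmod | grep -q ipchains; then
    echo "unload ipchains in your system"
    rmmod ipchains 2>/dev/null
fi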

# 2.0 Fixed PATH, export the site parameters, load the netfilter modules
# (tables, NAT, connection tracking and the ftp/irc helpers).  Errors are
# silenced on purpose -- a module may be built in or already loaded -- and
# the iptables calls that follow will report it if nothing is available.
PATH=/sbin:/bin:/usr/sbin:/usr/bin
export PATH EXTIF INIF INNET
nf_modules="ip_tables iptable_nat ip_nat_ftp ip_nat_irc
            ip_conntrack ip_conntrack_ftp ip_conntrack_irc"
for m in $nf_modules; do
    modprobe "$m" >/dev/null 2>&1
done

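# 3.0 Start from an empty ruleset: flush, delete user chains, zero counters.
IPT=/sbin/iptables
# Abort if the binary is unusable; otherwise every rule below is silently
# skipped and the script still exits 0.
if [ ! -x "$IPT" ]; then
    echo "$IPT not found or not executable; aborting" >&2
    exit 1
fi
for tbl in filter nat; do
    "$IPT" -t "$tbl" -F && "$IPT" -t "$tbl" -X && "$IPT" -t "$tbl" -Z \
        || { echo "iptables -t $tbl flush failed; aborting" >&2; exit 1; }
done
# Policies stay ACCEPT; the "deny all" is the final INPUT rule appended at
# the end of this script, so until that rule is in place the host is open.
# Run this from the console rather than over the network if that matters.
for chain in INPUT OUTPUT FORWARD; do
    "$IPT" -P "$chain" ACCEPT
done
for chain in PREROUTING POSTROUTING OUTPUT; do
    "$IPT" -t nat -P "$chain" ACCEPT
done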

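# 4.0 Loopback and the inside network may reach this server; the inside
# network is also routed to the Internet (masqueraded behind $EXTIF).
/sbin/iptables -A INPUT -i lo -j ACCEPT
if [ "$INIF" != "" ]; then
    # Match the source network as well as the device.  On a single-card
    # box INIF has to be the physical device (eth0, the same as EXTIF), and
    # the -s match is what keeps this rule from accepting every packet that
    # arrives from the Internet on that device.  An ifconfig alias such as
    # eth0:0 is not a device iptables can match with -i, so a rule written
    # against it never fires.
    /sbin/iptables -A INPUT -i $INIF -s $INNET -j ACCEPT
    echo "1" > /proc/sys/net/ipv4/ip_forward
    /sbin/iptables -t nat -A POSTROUTING -s $INNET -o $EXTIF -j MASQUERADE
fi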

# 5.0 Site-specific deny/allow hooks.  Each file is executed as root, deny
# first so its rules sit ahead of the allows.  Because they run with full
# privilege they must be owned by root and not writable by anyone else.
hookdir=/usr/local/bin/nat_script/VbirdFirewall
for hook in iptables.deny iptables.allow; do
    if [ -f "$hookdir/$hook" ]; then
        "$hookdir/$hook"
    fi
done

# 6.0 ICMP accepted from the Internet: echo-reply (0), destination
# unreachable (3; "3/4" is the fragmentation-needed code, already covered
# by the bare 3), source-quench (4), time-exceeded (11), parameter-problem
# (12), timestamp-reply (14), info-reply (16), address-mask-reply (18).
# Echo-request (8) is absent, so the box does not answer pings from outside.
icmp_in="0 3 3/4 4 11 12 14 16 18"
for t in $icmp_in; do
    /sbin/iptables -A INPUT -i "$EXTIF" -p icmp --icmp-type "$t" -j ACCEPT
done

# 7.0 Services reachable from the Internet, as PROTO:PORT.  Every entry is a
# daemon exposed to the world, so list only what this host really runs.
# Port 20 (ftp-data) is the server's *source* port in active mode, and
# passive data connections come in as RELATED through the ftp conntrack
# helper loaded in 2.0, so that entry is normally unnecessary.
inet_services="TCP:22 TCP:25 UDP:53 TCP:53 TCP:80 TCP:110 TCP:20 TCP:21"
# inet_services="$inet_services UDP:123"   # NTP, only if this host serves time
for svc in $inet_services; do
    proto=${svc%%:*}
    port=${svc##*:}
    /sbin/iptables -A INPUT -p "$proto" -i "$EXTIF" --dport "$port" -j ACCEPT
done


# 8.0 Replies, and helper-opened connections (ftp data, irc dcc), for
# anything this host was allowed to start or accept.
IPT=/sbin/iptables
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# 9.0 Everything else addressed to the host is dropped.  The chain policy is
# still ACCEPT, so this last rule is the actual "deny all"; note that no
# equivalent rule is installed in FORWARD, which keeps routing anything.
$IPT -A INPUT -m state --state NEW,INVALID -j DROP