http://blog.saviors.com.cn/myblog/blog/article.asp?id=128
1.在http://www.gentoo.org下载livecd
2.使用livecd启动
3.net-setup eth0 配置网络
4.fdisk && mkfs (按自己的需求安排磁盘分区)
本例分为三个区 /dev/hda1 (/boot) /dev/hda2(swap) /dev/hda3(/)
5.mount /dev/hda3 /mnt/gentoo
mkdir /mnt/gentoo/boot
mount /dev/hda1 /mnt/gentoo/boot
6.cd /mnt/gentoo
links http://www.gentoo.org/main/en/mirrors.xml
下载最新的 portage-xxx.tar.bz2 , stage3-xxx-xxx.tar.bz2
7.tar xvjpf /mnt/gentoo/stage3-xxx-xxx.tar.bz2
tar xvjf /mnt/gentoo/portage-xxx.tar.bz2 -C /mnt/gentoo/usr
8.nano -w /mnt/gentoo/etc/make.conf
加入 USE="-X -gtk -alsa cjk nls zh_CN"
在编译安装软件是不加入X,gtk,alsa支持(如果该软件有这些部件),加入中日韩语言支持.内码加入zh_CN支持.
9.cp -L /etc/resolv.conf /mnt/gentoo/etc/resolv.conf
10.mount -t proc none /mnt/gentoo/proc
mount -o bind /dev /mnt/gentoo/dev
11.chroot /mnt/gentoo /bin/bash
env-update && source /etc/profile
export PS1="chroot) $PS1"
12.emerge --sync 同步最新的portage
13.echo "sys-libs/glibc userlocales" >> /etc/portage/package.use
在glibc中加入用户本地化支持.
14.localedef -i en_US -f UTF-8 zh_CN.UTF-8
nano -w /etc/locales.build
如下(安排本地化列表):
en_US/ISO-8859-1
en_US.UTF-8/UTF-8
zh_CN/GBK
zh_CN/GB18030
zh_CN/GB2312
zh_CN.UTF-8/UTF-8
15.cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
16.nano -w /etc/env.c/02.locale
如下(系统默认使用本地化配置):
LANG="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
17.env-update && source /etc/profile (更新环境)
18.cd /usr/portage/scripts
./bootstrap.sh (从新编译系统工具链)
19.emerge -e system (从新编译系统工具)
20.emerge genkernel (安装Gentoo内核编译工具)
21.links http://www.kernel.org 下载最新内核.
tar xvjf linux-xxx.tar.bz2 -C /usr/src/
ln -s /usr/src/linux-xxx /usr/src/linux
22.links http://ftp.netfilter.org/pub/ 下载最新的iptables 和 patch-o-matic-ng
tar xvjf patch-o-matic-ng-xxx.tar.bz2
tar xvjf iptables-xxx.tar.bz2
23.cd (patch-o-matic-ng-xxx的path)
KERNEL_DIR=/usr/src/linux IPTABLES_DIR=(iptables的path) ./runme base
KERNEL_DIR=/usr/src/linux IPTABLES_DIR=(iptables的path) ./runme extra
按需求选项择相关功能安装.
24.emerge grub (安装bootloader)
25.genkernel --menuconfig --bootloader=grub all (编译内核)
Block layer ---> IO Schedulers ---> Default I/O scheduler (Anticipatory)
Processor type and features --> Timer frequency (100 HZ)
Processor type and features --> Preemption Model (No Forced Preemption (Server))
然后根据自己的需求配置Network packet filtering 和 Network options.
其它内核配置视需求而定.
26. nano -w /etc/fstab
nano -w /etc/conf.d/hostname
nano -w /etc/conf.d/domainname
nano -w /etc/conf.d/net
如下:
config_eth0=("192.168.xxx.xxx network 255.255.255.0 brd 192.168.xxx.255") 内网ip
config_eth1=("xxx.xxx.xxx.xxx network 255.255.255.0 brd xxx.xxx.xxx.255") 外1网ip
config_eth1=("xxx.xxx.xxx.xxx network 255.255.255.0 brd xxx.xxx.xxx.255") 外2网ip
不配置默认外关.
ln -s net.eth0 net.eth1
ln -s net.eth0 net.eth2
rc-update add net.eth0 default (使网卡启动时打开)
rc-update add net.eth1 default
rc-update add net.eth2 default
27. nano -w /etc/hosts
nano -w /etc/rc.conf
UNICODE="yes"
28. emerge syslog-ng vixie-cron slocate rp-pppoe dhcpd (rp-pppoe 及 dhcpd 在拨号接入时安装,/etc/conf.d/net的配置有所不同)
rc-update add syslog-ng default
rc-update add vixie-cron default
29. nano -w /boot/grub/grub.conf
title=Gentoo Linux (2.6.16.11)
root(hd0,0)
kernel /kernel-genkernel-xxx root=/dev/ram0 ramdisk=8192 real_root=/dev/hda3 udev
initrd /initramfs-genkernel-xxx
30.grep -v rootfs /proc/mounts > /etc/mtab
grub-install /dev/hda
31. cd (iptables的path) && make && make install
32. emerge iproute2 arpd( iprouter2 自带的arpd 不会自动reply arp 请求,arpd 会自动回应)
32. exit && cd && umount /mnt/gentoo/dev && umount /mnt/gentoo/proc && umount /mnt/gentoo/boot && umount /mnt/gentoo
33. reboot
34. nano /etc/conf.d/local.start
/bin/sysctl.bash
/bin/router.bash
35. 文件sysctl.bash
#!/bin/sh
#
# setproc This shell script takes care of setting some good basic
# security measures by setting some variables in /proc
# Some of these are enabled in the default install, but it
# is good to make sure that they are being set on boot.
#
# Note: the file /etc/sysctl.conf could be used to do this
# in a saner way, but this works in cases when sysctl
# doesn't exist (some distributions)
#
# Note: kernel is not compiled to do ip forwarding or
# masquerading so setting options such as
# ip_forward, ip_masq_debug is not necessary (it
# could be argued that rp_filter doesn't need to be
# set either.
#
# For more information on these values, visit:
# http://www.linuxdoc.org/HOWTO/Adv-Routing-HOWTO-13.html
# Micah Jan, 14 2001
# Modified March 31 2002 for sarai -- micah
# Enable always defragging protection in /proc/sys/net/ipv4/ip_always_defrag
#echo "1" > /proc/sys/net/ipv4/ip_always_defrag
# Enable broadcast echo protection
# If you ping the broadcast address of a network, all hosts are supposed to
# respond. This makes for a dandy denial-of-service tool. Setting to 1 will ignore these broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Enable bad error message protection - This to ignore ICMP errors caused by hosts in the network
# reacting badly to frames sent to what they perceive to be the broadcast address.
# in /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# The following six /proc settings are all nested in one for loop
# because they are in the same directory:
#
# * Enable IP spoofing protection turn in Source Address
# By default, routers route everything, even packets which 'obviously' don't
# belong on your network. A common example is private IP space escaping onto
# the internet. If you have an interface with a route of 195.96.96.0/24 to it,
# you do not expect packets from 212.64.94.1 to arrive there.
# Lots of people will want to turn this feature off, so the kernel hackers
# have made it easy. There are files in /proc where you can tell
# the kernel to do this for you. The method is called "Reverse Path
# Filtering". Basically, if the reply to this packet wouldn't go out the
# interface this packet came in, then this is a bogus packet and should be ignored.
# /proc/sys/net/ipv4/conf/*/rp_filter
#
# * Disable ICMP Redirect Acceptance in
# /proc/sys/net/ipv4/conf/*/accept_redirects and
# /proc/sys/net/ipv4/conf/*/send_redirects
#
# * Disable Source Routed Packets in
# /proc/sys/net/ipv4/conf/*/accept_source_route
#
# * Log Spoofed Packets, Source Routed Packets, Redirect Packets in
# /proc/sys/net/ipv4/conf/*/log_martians
#
# * Enable ICMP redirect security so that only redirect messages originating
# from gateways listed in the default gateway list are accepted in
# /proc/sys/net/ipv4/conf/*/secure_redirects
for device in `ls /proc/sys/net/ipv4/conf`
do
echo "2" > /proc/sys/net/ipv4/conf/$device/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/$device/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/$device/send_redirects
echo "1" > /proc/sys/net/ipv4/conf/$device/secure_redirects
echo "0" > /proc/sys/net/ipv4/conf/$device/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/$device/log_martians
done
# Enable TCP SYN Cookie protection in /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# stops anyone doing an OS finger print scan on the IP stack, 64 will show as linux, 61 will screw them up
echo 61 > /proc/sys/net/ipv4/ip_default_ttl
# Increase maximum number of files that the system can use
echo "65535" > /proc/sys/fs/file-max
# Incrase maximum inodes that the system can allocate, generally recommended that
# inode-max is set to be four times the value of file-max
#echo "65535" > /proc/sys/fs/inode-max
# Maximal number of remembered connection requests, which still did not
# receive an acknowledgement from connecting client. Default value is 1024 for
# systems with more than 128Mb of memory, and 128 for low memory machines.
echo "4096" > /proc/sys/net/ipv4/tcp_max_syn_backlog
# Number of SYN packets the kernel will send before giving up on the new connection. (def. 10)
echo "5" > /proc/sys/net/ipv4/tcp_syn_retries
echo "512" > /proc/sys/net/ipv4/route/mtu_expires
# How often TCP/IP sends out keepalive messages, default 7200 (2 hours)
echo "7600" > /proc/sys/net/ipv4/tcp_keepalive_time
# The rate at which echo replies are sent to any one destination, helps slow down ping floods
#echo "10" > /proc/sys/net/ipv4/icmp_echoreply_rate
# Time to hold socket in state FIN-WAIT-2, if it was closed by our side. Peer
# can be broken and never close its side, or even died unexpectedly. Default
# value is 60sec. Usual value used in 2.2 was 180 seconds, you may restore it,
# but remember that if your machine is even underloaded WEB server, you risk
# to overflow memory with kilotons of dead sockets, FIN-WAIT-2 sockets are
# less dangerous than FIN-WAIT-1, because they eat maximum 1.5K of memory, but
# they tend to live longer. Cf. tcp_max_orphans.
# echo "360" > /proc/sys/net/ipv4/tcp_fin_timeout
# This enables a fix for 'time-wait assassination hazards in tcp', described
# in RFC 1337. If enabled, this causes the kernel to drop RST packets for
# sockets in the time-wait state.
echo "1" > /proc/sys/net/ipv4/tcp_rfc1337
# Set this if you want to disable Path MTU discovery - a technique to
# determine the largest Maximum Transfer Unit possible on your path. 0 by default
echo "0" > /proc/sys/net/ipv4/ip_no_pmtu_disc
# If a router decides that you are using it for a wrong purpose (ie, it needs
# to resend your packet on the same interface), it will send us a ICMP
# Redirect. This is a slight security risk however, so you may want to turn it
# off, or use secure redirects.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Set timeout on kernel panics (auto reboots after # seconds):
echo 5 > /proc/sys/kernel/panic
echo 5 > /proc/sys/kernel/panic_on_oops
36.文件router.bash
#!/bin/bash
echo "8376320" > /proc/sys/net/ipv4/ip_conntrack_max
echo "1" > /proc/sys/net/ipv4/ip_forward
killall arpd
arpd -i eth1 xxx.xxx.xxx.xxx/x
arpd -i eth2 xxx.xxx.xxx.xxx/x
iptables -t nat -F
#edu-net
iptables -A POSTROUTING -t nat -s 192.168.xxx.xxx -p all -o eth2 -j SNAT --to xxx.xxx.xxx.xxx
iptables -A PREROUTING -t nat -d xxx.xxx.xxx.xxx -p all -i eth2 -j DNAT --to 192.168.xxx.xxx
(以上为静态nat,xxx.xxx.xxx.xxx为外网ip可与eth2地址不同)
iptables -A POSTROUTING -t nat -s xxx.xxx.xxx.xxx/x -p all -o eth2 -j SNAT --to xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx
(以上为动态nat)
#public-net
iptables -A POSTROUTING -t nat -s 192.168.xxx.xxx -p all -o eth1 -j SNAT --to xxx.xxx.xxx.xxx
iptables -A PREROUTING -t nat -d xxx.xxx.xxx.xxx -p all -i eth1 -j DNAT --to 192.168.xxx.xxx
iptables -A POSTROUTING -t nat -s 192.168.xxx.xxx/x -p all -o eth1 -j SNAT --to xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx
#route rule
ip rule add prio 6 from 192.168.xxx.xxx/16 table 6
ip route replace 192.168.xxx.xxx/24 dev eth0 proto static src xxx.xxx.xxx.xxx table 6
ip route replace xxx.xxx.xxx.xxx/x dev eth1 proto static src xxx.xxx.xxx.xxx table 6
ip route replace xxx.xxx.xxx.xxx/x dev eth2 proto static src xxx.xxx.xxx.xxx table 6
(以上保证网卡所在地址段能正确路由)
ip route replace 192.168.xxx.xxx via 192.168.xxx.xxx dev eth0 proto static table 6
ip route replace xxx.xxx.xxx.xxx/21 via xxx.xxx.xxx.xxx dev eth2 proto static table 6
(以上促证网卡所转网络地址段的能正确路由)
ip rule add prio 10 from 192.168.xxx.xxx table 10
ip route replace default via xxx.xxx.xxx.xxx dev eth2 proto static table 10
(此为对外开放服务器所走路由线路,其它对外服务类似)
ip route replace 58.17.0.0/16 proto static nexthop via xxx.xxx.xxx.xxx dev eth1weight 1 nexthop via xxx.xxx.xxx.xxx dev eth2 weight 3
ip route replace 58.19.0.0/16 proto static nexthop via xxx.xxx.xxx.xxx dev eth1weight 1 nexthop via xxx.xxx.xxx.xxx dev eth2 weight 3
...
....
ip route replace 222.248.0.0/16 proto static via xxx.xxx.xxx.xxx dev eth2
ip route replace 192.168.0.0/16 via 192.168.xxx.xxx dev eth0 proto static (内网默认路由)
ip route replace xxx.xxx.xxx.xxx/x via xxx.xxx.xxx.xxx dev eth2 proto static (外网1默认路由)
ip route replace default via xxx.xxx.xxx.xxx dev eth1 proto static (默认路由)
ip route flush cache
#iptables-firewall
iptables -F INPUT
iptables -A INPUT -s 192.168.xxx.xxx/24 -d 192.168.xxx.xxx -p tcp --syn --dport 22 -i eth2 -j ACCEPT
iptables -A INPUT -d xxx.xxx.xxx.xxx -p tcp --syn --dport 22 -i eth2 -j REJECT
iptables -A INPUT -d xxx.xxx.xxx.xxx -p tcp --syn --dport 22 -i eth0 -j REJECT
iptables -A INPUT -d xxx.xxx.xxx.xxx -p tcp --syn --dport 22 -i eth1 -j REJECT
iptables -A INPUT -p tcp --syn --dport 4444 -j Drop
iptables -A INPUT -p tcp --syn --dport 135 -j Drop
iptables -A INPUT -p tcp --syn --dport 136 -j Drop
iptables -A INPUT -p tcp --syn --dport 137 -j Drop
iptables -A INPUT -p tcp --syn --dport 138 -j Drop
iptables -A INPUT -p tcp --syn --dport 139 -j Drop
iptables -A INPUT -p tcp --syn --dport 445 -j Drop
iptables -A INPUT -p tcp --syn --dport 593 -j Drop
iptables -A INPUT -p tcp --syn --dport 3127 -j Drop
iptables -A INPUT -p tcp --syn --dport 42 -j Drop
iptables -A INPUT -p tcp --syn --dport 1025 -j Drop
iptables -A INPUT -p tcp --syn --dport 5554 -j Drop
iptables -A INPUT -p tcp --syn --dport 9996 -j Drop
iptables -A INPUT -p tcp --syn --dport 389 -j Drop
iptables -A INPUT -p tcp --syn --dport 636 -j Drop
iptables -A INPUT -p tcp --syn --dport 3268 -j Drop
iptables -A INPUT -p tcp --syn --dport 3269 -j Drop
iptables -A INPUT -p tcp --syn --dport 1503 -j Drop
iptables -A INPUT -p tcp --syn --dport 707 -j Drop
iptables -A INPUT -p tcp --syn --dport 1999 -j Drop
iptables -A INPUT -p tcp --syn --dport 2001 -j Drop
iptables -A INPUT -p tcp --syn --dport 2023 -j Drop
iptables -A INPUT -p tcp --syn --dport 2583 -j Drop
iptables -A INPUT -p tcp --syn --dport 6129 -j Drop
iptables -A INPUT -p tcp --syn --dport 6267 -j Drop
iptables -A INPUT -p tcp --syn --dport 6670 -j Drop
iptables -A INPUT -p tcp --syn --dport 6671 -j Drop
iptables -A INPUT -p tcp --syn --dport 6939 -j Drop
iptables -A INPUT -p tcp --syn --dport 6969 -j Drop
iptables -A INPUT -p tcp --syn --dport 7306 -j Drop
iptables -A INPUT -p tcp --syn --dport 7511 -j Drop
iptables -A INPUT -p tcp --syn --dport 7526 -j Drop
iptables -A INPUT -p tcp --syn --dport 8011 -j Drop
iptables -A INPUT -p tcp --syn --dport 9989 -j Drop
iptables -A INPUT -p tcp --syn --dport 19191 -j Drop
iptables -A INPUT -p tcp --syn --dport 1029 -j Drop
iptables -A INPUT -p tcp --syn --dport 20168 -j Drop
iptables -A INPUT -p tcp --syn --dport 23444 -j Drop
iptables -A INPUT -p tcp --syn --dport 27374 -j Drop
iptables -A INPUT -p tcp --syn --dport 30100 -j Drop
iptables -A INPUT -p tcp --syn --dport 31337 -j Drop
iptables -A INPUT -p tcp --syn --dport 50766 -j Drop
iptables -A INPUT -p tcp --syn --dport 45576 -j Drop
iptables -A INPUT -p tcp --syn --dport 61466 -j Drop
iptables -A INPUT -p udp --dport 135 -j Drop
iptables -A INPUT -p udp --dport 136 -j Drop
iptables -A INPUT -p udp --dport 137 -j Drop
iptables -A INPUT -p udp --dport 138 -j Drop
iptables -A INPUT -p udp --dport 139 -j Drop
iptables -A INPUT -p udp --dport 445 -j Drop
iptables -A INPUT -p udp --dport 593 -j Drop
iptables -A INPUT -p udp --dport 1434 -j Drop
37.ipcalc.bash(用于教育网的掩码计算,print 部分可以根据要求改写,可用于生成ip route replace 58.19.0.0/16 proto static nexthop via xxx.xxx.xxx.xxx dev eth1weight 1 nexthop via xxx.xxx.xxx.xxx dev eth2 weight 3 这部分)
#/bin/bash
awk '{ ("ipcalc -p "$1" "$3) | getline var;var=substr(var,8); print $1"/"var}' $1 > $2
37.加入本地化支持(在lib与内核中),将来可以使用iptables的string做内容控制.:)
38.未尽事宜:使用vlan来减少网卡数量.使用tc做流控,加入radius做认证,加入pppoe,加入vpn等.把以前的实验整合.
39.使用情况:同时在线用户2,000左右,并发最大80,000左右,平均流量110Mbps/s 左右,工作正常.
40.硬件配置:cpu 2.0GHZ, mem 1G.