out-server
Operating system version: Slackware 11.0
1 Hardware
Configure one network card, mapped to /dev/vmnet9.
2 Install the base system
Install only the packages under the a/ directory, using expert mode and installing all of them.
Configure lilo and install it in the MBR.
3 Install library packages
- l/zlib-1.2.3-i486-1
4 Install basic network packages
- n/mailx-12.1-i486-1
- n/tcpip-0.17-i486-39
- n/iptables-1.3.5-i486-2
- n/tcpdump-3.9.4-i486-2
- n/openssl-0.9.8d-i486-1
- n/openssh-4.4p1-i486-1
5 Install the NFS packages
- n/nfs-utils-1.0.10-i486-3
- n/portmap-5.0-i486-3
6 Install network servers
- n/vsftpd-2.0.5-i486-1
- n/apache-1.3.37-i486-2
- n/mod_ssl-2.8.28_1.3.37-i486-1
- n/inetd-1.79s-i486-7
- n/bind-9.3.2_P1-i486-1
7 Configure the network
Run netconfig to configure the network:
# netconfig
IP address: 172.18.0.20/24
8 Install patches
Fetch the update packages from develop over NFS:
# mount -t nfs -o nolock 172.18.0.250:/newpkg /mnt
# cd /mnt/packages
# upgradepkg *.tgz
# umount /mnt
9 Firewall configuration
For the detailed contents of each iptables script see: Iptables scripts.
Here the server script rc.iptables-server.ref is used; fetch it from develop over NFS:
# mount -t nfs -o nolock 172.18.0.250:/newpkg /mnt
# cd /etc/rc.d
# cp /newpkg/rc.iptables-server.ref rc.iptables
# chmod a+x rc.iptables
Edit /etc/rc.d/rc.S and paste the contents of the /newpkg/rc.S.ref template at the end of rc.S.
# umount /mnt
Edit the /etc/rc.d/rc.iptables script and uncomment the relevant lines so that:
- Services provided: ping, ssh.
10 Set kernel parameters
For the detailed contents of the script see: Sysctl script.
# mount -t nfs -o nolock 172.18.0.250:/newpkg /mnt
# cd /etc/rc.d
# cp /newpkg/rc.sysctl.ref rc.sysctl
# chmod a+x rc.sysctl
Edit /etc/rc.d/rc.M and paste the contents of the /newpkg/rc.M.ref template in front of the rc.inet2 call.
# umount /mnt
11 Configure httpd
Start apache (make its rc script executable so it is started at boot):
# chmod a+x /etc/rc.d/rc.httpd
Enable mod_ssl: edit /etc/apache/httpd.conf and uncomment the following line:
#Include /etc/apache/mod_ssl.conf
Edit /etc/rc.d/rc.httpd and change:
    /usr/sbin/apachectl start ;;
to:
    /usr/sbin/apachectl startssl ;;
Configure the certificate. This is only a test setup, so the existing (snakeoil) certificate is used directly:
# cd /etc/apache/ssl.crt
# cp server.crt server.crt.bak
# cp snakeoil-rsa.crt server.crt
# cd /etc/apache/ssl.key
# cp server.key server.key.bak
# cp snakeoil-rsa.key server.key
Edit the /etc/rc.d/rc.iptables script and uncomment the relevant lines so that:
- Services provided: http(s).
12 Configure vsftpd
Edit /etc/inetd.conf, enable vsftpd, and disable the other services that are enabled.
Edit the /etc/rc.d/rc.iptables script and uncomment the relevant lines so that:
- Services provided: ftp.
13 Configure the DNS service (bind)
out-server is the master name server for outer.net, copyleft.net and other.net.
13.1 Main configuration
Edit /etc/named.conf and add the forward and reverse zones; everything else stays unchanged:
...
zone "outer.net" IN {
        type master;
        file "outer.zone";
};
zone "copyleft.net" IN {
        type master;
        file "copyleft.zone";
};
zone "other.net" IN {
        type master;
        file "other.zone";
};
zone "0.16.172.in-addr.arpa" IN {
        type master;
        file "outer.172.16.0";
};
zone "0.17.172.in-addr.arpa" IN {
        type master;
        file "outer.172.17.0";
};
zone "0.18.172.in-addr.arpa" IN {
        type master;
        file "outer.172.18.0";
};
zone "1.31.172.in-addr.arpa" IN {
        type master;
        file "outer.172.31.1";
};
...
13.2 Forward resolution
(1). Create the forward zone file /var/named/outer.zone:
$TTL 86400
$ORIGIN outer.net.
@               IN SOA  outer.net. root.outer.net. (
                        2007061000 ; Serial
                        28800      ; Refresh
                        14400      ; Retry
                        3600000    ; Expire
                        86400 )    ; Minimum
                IN NS   out-server1.outer.net.
out-server1     IN A    172.18.0.20
out-server2     IN A    172.18.0.30
out-server3     IN A    172.18.0.40
router          IN A    172.16.0.1
router          IN A    172.17.0.1
router          IN A    172.18.0.1
router          IN A    172.31.1.1
www             IN CNAME out-server1
ftp             IN CNAME out-server1
dns             IN CNAME out-server1
Where:
$TTL defines a default TTL value for the file.
$ORIGIN names the domain that the records in this file belong to; note the trailing dot (.) after outer.net, which must not be omitted.
After SOA come the authoritative host for this zone and the administrator's mailbox; because @ is a reserved character it is replaced by a dot (.), so the actual mailbox is root@outer.net; do not leave out the trailing dot (.).
The values inside the SOA are the parameters that govern replication between the master and slave servers.
The NS resource record names the name server for this domain; that name must have an A resource record and may not be a CNAME or similar; do not leave out the trailing dot (.); otherwise the caching servers configured on home-gate/away-gate etc. will not work properly!!!
Then follow the individual A and CNAME resource records.
(2). Create the forward zone file /var/named/copyleft.zone:
$TTL 86400
$ORIGIN copyleft.net.
@                       IN SOA  copyleft.net. root.copyleft.net. (
                                2007061000 ; Serial
                                28800      ; Refresh
                                14400      ; Retry
                                3600000    ; Expire
                                86400 )    ; Minimum
                        IN NS   out-server1.outer.net.
out-server1.outer.net.  IN A    172.18.0.20
home-gate               IN A    172.16.0.10
away-gate               IN A    172.17.0.10
home                    IN CNAME home-gate
gate.home               IN CNAME home-gate
server.home             IN CNAME home-gate
www.home                IN CNAME home-gate
ftp.home                IN CNAME home-gate
www                     IN CNAME home-gate
ftp                     IN CNAME home-gate
away                    IN CNAME away-gate
gate.away               IN CNAME away-gate
server.away             IN CNAME away-gate
www.away                IN CNAME away-gate
ftp.away                IN CNAME away-gate
(3). Create the forward zone file /var/named/other.zone:
$TTL 86400
$ORIGIN other.net.
@                       IN SOA  other.net. root.other.net. (
                                2007061000 ; Serial
                                28800      ; Refresh
                                14400      ; Retry
                                3600000    ; Expire
                                86400 )    ; Minimum
                        IN NS   out-server1.outer.net.
out-server1.outer.net.  IN A    172.18.0.20
other-gate              IN A    172.18.0.10
other                   IN CNAME other-gate
gate.other              IN CNAME other-gate
server.other            IN CNAME other-gate
www.other               IN CNAME other-gate
ftp.other               IN CNAME other-gate
www                     IN CNAME other-gate
ftp                     IN CNAME other-gate
13.3 Reverse resolution
(1). Create the reverse zone file /var/named/outer.172.16.0:
$TTL 86400
@       IN SOA  outer.net. root.outer.net. (
                2007061000 ; Serial
                28800      ; Refresh
                14400      ; Retry
                3600000    ; Expire
                86400 )    ; Minimum
        IN NS   out-server1.outer.net.
1       IN PTR  router.outer.net.
10      IN PTR  home-gate.copyleft.net.
Note the trailing dots (.).
(2). Create the reverse zone file /var/named/outer.172.17.0:
$TTL 86400
@       IN SOA  outer.net. root.outer.net. (
                2007061000 ; Serial
                28800      ; Refresh
                14400      ; Retry
                3600000    ; Expire
                86400 )    ; Minimum
        IN NS   out-server1.outer.net.
1       IN PTR  router.outer.net.
10      IN PTR  away-gate.copyleft.net.
(3). Create the reverse zone file /var/named/outer.172.18.0:
$TTL 86400
@       IN SOA  outer.net. root.outer.net. (
                2007061000 ; Serial
                28800      ; Refresh
                14400      ; Retry
                3600000    ; Expire
                86400 )    ; Minimum
        IN NS   out-server1.outer.net.
1       IN PTR  router.outer.net.
10      IN PTR  other-gate.other.net.
20      IN PTR  out-server1.outer.net.
30      IN PTR  out-server2.outer.net.
40      IN PTR  out-server3.outer.net.
(4). Create the reverse zone file /var/named/outer.172.31.1:
$TTL 86400
@       IN SOA  outer.net. root.outer.net. (
                2007061000 ; Serial
                28800      ; Refresh
                14400      ; Retry
                3600000    ; Expire
                86400 )    ; Minimum
        IN NS   out-server1.outer.net.
1       IN PTR  router.outer.net.
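The pitfalls called out in 13.2 and 13.3 (the NS target must be an A record rather than a CNAME, and absolute names need their trailing dot, or BIND silently appends the origin again) are cheap to check mechanically before a zone is loaded. The Python script below is an added example, not part of these notes and not BIND's own tooling: it parses the master-file syntax used here ($TTL, $ORIGIN, a parenthesised SOA, ';' comments, relative and absolute names), takes the zone origin that named.conf gives as an argument (so the same function works for the reverse zones, whose files have no $ORIGIN), and reports those mistakes. OUTER_ZONE is a shortened copy of outer.zone above; BROKEN_ZONE is a constructed counter-example; the function names are this example's own.

```python
"""Hypothetical checker for the BIND zone files above (added example, not from the notes).
Flags: an NS target that is a CNAME, an in-zone NS target with no A record, and a name
that looks absolute (ends in the origin) but lacks its trailing dot."""

def _logical_lines(text):
    """Strip ';' comments and join parenthesised multi-line records."""
    lines, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if not line.strip():
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            lines.append(" ".join(buf).replace("(", " ").replace(")", " "))
            buf, depth = [], 0
    return lines

def qualify(name, origin):
    """Make a name absolute: '@' is the origin; no trailing dot means relative to it."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin

def parse_zone(text, origin):
    """Return (owner, type, rdata_tokens, origin_in_effect) tuples with absolute owners."""
    origin = origin if origin.endswith(".") else origin + "."
    owner, records = origin, []
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$TTL":
            continue
        if tokens[0] == "$ORIGIN":
            origin = qualify(tokens[1], origin)
            continue
        if not line[0].isspace():            # a new owner name starts the line
            owner = qualify(tokens.pop(0), origin)
        if tokens and tokens[0].isdigit():   # optional per-record TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)
        records.append((owner, tokens[0].upper(), tokens[1:], origin))
    return records

def check_zone(text, origin):
    """Return a list of problems; an empty list means the zone passed."""
    apex = origin if origin.endswith(".") else origin + "."
    records = parse_zone(text, apex)
    types_at = {}
    for owner, rtype, _, _ in records:
        types_at.setdefault(owner, set()).add(rtype)
    problems = []
    if [r[0] for r in records if r[1] == "SOA"] != [apex]:
        problems.append("zone needs exactly one SOA record, at the apex")
    for owner, rtype, rdata, org in records:
        # rdata fields that are names: SOA mname and rname, NS/CNAME/PTR target
        names = rdata[:2] if rtype == "SOA" else rdata[:1] if rtype in ("NS", "CNAME", "PTR") else []
        dotted = True
        for raw in names:
            if not raw.endswith(".") and raw.lower().endswith(org[:-1].lower()):
                problems.append(f"{owner} {rtype} {raw}: looks absolute but lacks the trailing "
                                f"dot; BIND reads it as {qualify(raw, org)}")
                dotted = False
        if rtype == "NS" and dotted:
            target = qualify(rdata[0], org)
            have = types_at.get(target, set())
            if "CNAME" in have:
                problems.append(f"NS target {target} is a CNAME; it must have an A record instead")
            elif (target == apex or target.endswith("." + apex)) and not have & {"A", "AAAA"}:
                problems.append(f"NS target {target} is inside the zone but has no A record")
    return problems

# outer.zone as written in the notes above, shortened (router and two CNAMEs dropped).
OUTER_ZONE = """\
$TTL 86400
$ORIGIN outer.net.
@               IN SOA  outer.net. root.outer.net. (
                        2007061000 ; Serial
                        28800 14400 3600000 86400 )  ; Refresh Retry Expire Minimum
                IN NS   out-server1.outer.net.
out-server1     IN A    172.18.0.20
www             IN CNAME out-server1
"""

# Constructed counter-example: one NS points at a CNAME, the other lacks its trailing dot.
BROKEN_ZONE = """\
$TTL 86400
$ORIGIN outer.net.
@               IN SOA  outer.net. root.outer.net. ( 2007061000 28800 14400 3600000 86400 )
                IN NS   dns
                IN NS   out-server2.outer.net
out-server1     IN A    172.18.0.20
dns             IN CNAME out-server1
"""

if __name__ == "__main__":
    for name, zone in (("outer.zone", OUTER_ZONE), ("broken.zone", BROKEN_ZONE)):
        print(name, check_zone(zone, "outer.net") or "OK")
```

The trailing-dot check is a heuristic: it only catches a name that already ends in the origin (the common "out-server1.outer.net" slip), not every forgotten dot. For the real deployment, BIND's own named-checkzone <origin> <file> is the authoritative check; this script just makes the specific mistakes the notes warn about visible before named is restarted.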
13.4 Other settings
Start the bind service:
# cd /etc/rc.d/
# chmod a+x rc.bind
Edit /etc/rc.d/rc.iptables to allow DNS queries:
# dns
iptables -A INPUT -p udp --dport domain -m state --state NEW -j ACCEPT