out-server
OS version: Slackware 11.0
1 Hardware
Configure one network card, mapped to /dev/vmnet9.
2 Install the base system
Install only the packages in the a/ series, in expert mode, selecting all of them.
Configure lilo and install it in the MBR.
3 Install library files
- l/zlib-1.2.3-i486-1
4 Install basic network packages
- n/mailx-12.1-i486-1
- n/tcpip-0.17-i486-39
- n/iptables-1.3.5-i486-2
- n/tcpdump-3.9.4-i486-2
- n/openssl-0.9.8d-i486-1
- n/openssh-4.4p1-i486-1
5 Install NFS packages
- n/nfs-utils-1.0.10-i486-3
- n/portmap-5.0-i486-3
6 Install network servers
- n/vsftpd-2.0.5-i486-1
- n/apache-1.3.37-i486-2
- n/mod_ssl-2.8.28_1.3.37-i486-1
- n/inetd-1.79s-i486-7
- n/bind-9.3.2_P1-i486-1
7 Configure the network
Run netconfig to configure the network:
# netconfig
IP address: 172.18.0.20/24
8 Install patches
Fetch the update packages from develop over NFS:
# mount -t nfs -o nolock 172.18.0.250:/newpkg /mnt
# cd /mnt/packages
# upgradepkg *.tgz
# umount /mnt
9 Firewall configuration
For the full contents of the individual iptables scripts see: Iptables scripts.
Here the server script rc.iptables-server.ref is used, fetched from develop over NFS (the share is mounted on /mnt, so the copy reads from there):
# mount -t nfs -o nolock 172.18.0.250:/newpkg /mnt
# cd /etc/rc.d
# cp /mnt/rc.iptables-server.ref rc.iptables
# chmod a+x rc.iptables
Edit /etc/rc.d/rc.S and paste the contents of the rc.S.ref template from the /newpkg share at the end of rc.S.
# umount /mnt
Edit the /etc/rc.d/rc.iptables script, uncommenting the relevant lines so that:
- Services provided: ping, ssh.
10 Set kernel parameters
For the full contents of the script see: Sysctl script.
# mount -t nfs -o nolock 172.18.0.250:/newpkg /mnt
# cd /etc/rc.d
# cp /mnt/rc.sysctl.ref rc.sysctl
# chmod a+x rc.sysctl
Edit /etc/rc.d/rc.M and paste the contents of the rc.M.ref template from the /newpkg share before the line that runs rc.inet2.
# umount /mnt
11 Configure httpd
Start apache (Slackware runs rc.httpd at boot once it is executable):
# chmod a+x /etc/rc.d/rc.httpd
Enable mod_ssl: edit /etc/apache/httpd.conf and uncomment the following line:
#Include /etc/apache/mod_ssl.conf
Edit /etc/rc.d/rc.httpd, changing:
/usr/sbin/apachectl start ;;
to:
/usr/sbin/apachectl startssl ;;
Configure the certificate. This is only a test setup, so the existing snakeoil certificate shipped with mod_ssl is used directly:
# cd /etc/apache/ssl.crt
# cp server.crt server.crt.bak
# cp snakeoil-rsa.crt server.crt
# cd /etc/apache/ssl.key
# cp server.key server.key.bak
# cp snakeoil-rsa.key server.key
Edit the /etc/rc.d/rc.iptables script, uncommenting the relevant lines so that:
- Services provided: http(s).
12 Configure vsftpd
Edit /etc/inetd.conf to enable vsftp and disable the other services that are enabled there.
Edit the /etc/rc.d/rc.iptables script, uncommenting the relevant lines so that:
- Services provided: ftp.
13 Configure the bind name service
out-server acts as the master name server for outer.net, copyleft.net and other.net.
13.1 Main configuration
Edit /etc/named.conf, adding the forward and reverse zones below; leave the rest unchanged:
...
zone "outer.net" IN {
type master;
file "outer.zone";
};
zone "copyleft.net" IN {
type master;
file "copyleft.zone";
};
zone "other.net" IN {
type master;
file "other.zone";
};
zone "0.16.172.in-addr.arpa" IN {
type master;
file "outer.172.16.0";
};
zone "0.17.172.in-addr.arpa" IN {
type master;
file "outer.172.17.0";
};
zone "0.18.172.in-addr.arpa" IN {
type master;
file "outer.172.18.0";
};
zone "1.31.172.in-addr.arpa" IN {
type master;
file "outer.172.31.1";
};
...
13.2 Forward resolution
(1) Create the forward zone file /var/named/outer.zone:
$TTL 86400
$ORIGIN outer.net.
@ IN SOA outer.net. root.outer.net. (
2007061000 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
@ IN NS out-server1.outer.net.
out-server1 IN A 172.18.0.20
out-server2 IN A 172.18.0.30
out-server3 IN A 172.18.0.40
router IN A 172.16.0.1
router IN A 172.17.0.1
router IN A 172.18.0.1
router IN A 172.31.1.1
www IN CNAME out-server1
ftp IN CNAME out-server1
dns IN CNAME out-server1
Where:
$TTL sets a default TTL for the records in the file.
$ORIGIN gives the domain the records in this file belong to; note the trailing dot (.) after outer.net, which must not be omitted.
After SOA come the primary name server for this zone and the administrator's mailbox; because @ is a reserved character it is written as (.), so root.outer.net. stands for root@outer.net. Do not omit the trailing dot (.).
The values inside the SOA parentheses are the parameters that govern replication between the master and slave name servers.
The NS resource record specifies the name server for the local domain. Its target must be a name that has an A resource record, not a CNAME or similar, and the trailing dot (.) must not be omitted; otherwise the caching servers (home-gate, away-gate, etc.) will not work properly!
After that come the individual A and CNAME resource records.
(2) Create the forward zone file /var/named/copyleft.zone:
$TTL 86400
$ORIGIN copyleft.net.
@ IN SOA copyleft.net. root.copyleft.net. (
2007061000 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
@ IN NS out-server1.outer.net.
out-server1.outer.net. IN A 172.18.0.20
home-gate IN A 172.16.0.10
away-gate IN A 172.17.0.10
home IN CNAME home-gate
gate.home IN CNAME home-gate
server.home IN CNAME home-gate
www.home IN CNAME home-gate
ftp.home IN CNAME home-gate
www IN CNAME home-gate
ftp IN CNAME home-gate
away IN CNAME away-gate
gate.away IN CNAME away-gate
server.away IN CNAME away-gate
www.away IN CNAME away-gate
ftp.away IN CNAME away-gate
(3) Create the forward zone file /var/named/other.zone:
$TTL 86400
$ORIGIN other.net.
@ IN SOA other.net. root.other.net. (
2007061000 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
@ IN NS out-server1.outer.net.
out-server1.outer.net. IN A 172.18.0.20
other-gate IN A 172.18.0.10
other IN CNAME other-gate
gate.other IN CNAME other-gate
server.other IN CNAME other-gate
www.other IN CNAME other-gate
ftp.other IN CNAME other-gate
www IN CNAME other-gate
ftp IN CNAME other-gate
13.3 Reverse resolution
(1) Create the reverse zone file /var/named/outer.172.16.0:
$TTL 86400
@ IN SOA outer.net. root.outer.net. (
2007061000 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
@ IN NS out-server1.outer.net.
1 IN PTR router.outer.net.
10 IN PTR home-gate.copyleft.net.
Note the trailing dot (.) at the end of each PTR target.
(2) Create the reverse zone file /var/named/outer.172.17.0:
$TTL 86400
@ IN SOA outer.net. root.outer.net. (
2007061000 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
@ IN NS out-server1.outer.net.
1 IN PTR router.outer.net.
10 IN PTR away-gate.copyleft.net.
(3) Create the reverse zone file /var/named/outer.172.18.0:
$TTL 86400
@ IN SOA outer.net. root.outer.net. (
2007061000 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
@ IN NS out-server1.outer.net.
1 IN PTR router.outer.net.
10 IN PTR other-gate.other.net.
20 IN PTR out-server1.outer.net.
30 IN PTR out-server2.outer.net.
40 IN PTR out-server3.outer.net.
(4) Create the reverse zone file /var/named/outer.172.31.1:
$TTL 86400
@ IN SOA outer.net. root.outer.net. (
2007061000 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
@ IN NS out-server1.outer.net.
1 IN PTR router.outer.net.
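As an added check (not part of the original notes) for the pitfalls described in 13.2 and 13.3, the Python below parses a zone file in the master-file format used above and reports the three mistakes BIND does not make obvious: an NS or PTR target written without the trailing dot (BIND appends the origin to it), an NS target that is a CNAME instead of a name with an A record, and an out-of-zone owner such as the out-server1.outer.net. A record inside copyleft.zone, which BIND ignores. The sample zone text is a constructed, shortened copy of outer.zone; named-checkzone from the bind package remains the real tool, this only makes the rules explicit.

```python
def fqdn(name, origin):
    """Qualify a master-file name: '@' is the origin, a trailing dot means absolute."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return (owner, type, rdata) tuples; handles $ORIGIN, $TTL, ';' comments, the SOA '(...)' block and owner inheritance."""
    records, owner, depth = [], origin, 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if depth:                           # still inside the SOA parentheses
            depth -= line.count(")")
            continue
        if not line.strip() or line.startswith("$TTL"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        toks = line.split()
        if not raw[0].isspace():            # a non-blank first column names a new owner
            owner = fqdn(toks.pop(0), origin)
        if toks[0] == "IN":
            toks.pop(0)
        depth += line.count("(") - line.count(")")
        records.append((owner, toks[0], toks[1]))   # rdata kept verbatim
    return records

def check_zone(records, origin):
    """Report the zone-file pitfalls described in the notes above."""
    problems, cnames = [], {o for o, t, _ in records if t == "CNAME"}
    for owner, rtype, rdata in records:
        if owner != origin and not owner.endswith("." + origin):
            problems.append(f"out-of-zone record {owner} {rtype}: BIND ignores it")
        if rtype in ("NS", "PTR") and "." in rdata and not rdata.endswith("."):
            problems.append(f"{rtype} target {rdata} lacks the trailing dot; BIND reads it as {rdata}.{origin}")
        if rtype == "NS" and fqdn(rdata, origin) in cnames:
            problems.append(f"NS target {rdata} is a CNAME; it must be a name with an A record")
    return problems

# Constructed sample: a shortened copy of the page's outer.zone (SOA cut to two lines).
OUTER_ZONE = """$TTL 86400
$ORIGIN outer.net.
@ IN SOA outer.net. root.outer.net. (
2007061000 ; Serial
86400 ) ; Minimum
@ IN NS out-server1.outer.net.
out-server1 IN A 172.18.0.20
www IN CNAME out-server1
"""
```

Run check_zone(parse_zone(OUTER_ZONE, "outer.net."), "outer.net."): an empty list means the file passes; for a reverse file pass the in-addr.arpa zone name as the origin, since those files carry no $ORIGIN line.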
13.4 Other settings
Start the bind service (Slackware runs rc.bind at boot once it is executable):
# cd /etc/rc.d/
# chmod a+x rc.bind
Edit /etc/rc.d/rc.iptables to allow DNS queries:
# dns
iptables -A INPUT -p udp --dport domain -m state --state NEW -j ACCEPT