环境:RedHat Linux9.0。Webmin version 1.38。Webmin是一款B/S结构的优秀的Linux系统管理软件,利用其图形用户界面,可以方便、高效的管理大多数Linux的服务、应用、网络和硬件配置。Webmin安装后不用运行Apache服务器,自己就提供Web服务,默认的端口是10000。
网卡:
eth0:外网卡,IP=10.0.0.118,255.255.255.0
eth1:内网卡,IP=192.168.0.118,255.255.255.0
在Linux下用ifconfig命令查看网卡配置的结果:
[root@mylinux root]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:03:FF:0B:21:81
inet addr:10.0.0.118 Bcast:10.0.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1447 errors:0 dropped:0 overruns:0 frame:0
TX packets:1257 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:134788 (131.6 Kb) TX bytes:131251 (128.1 Kb)
Interrupt:11 Base address:0x9000
eth1 Link encap:Ethernet HWaddr 00:03:FF:19:21:81
inet addr:192.168.0.118 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2133 errors:0 dropped:0 overruns:0 frame:0
TX packets:2082 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:160402 (156.6 Kb) TX bytes:156738 (153.0 Kb)
Interrupt:11 Base address:0xd000
/etc/sysconfig/network_scripts/ ifcfg-eth0文件内容:
# Please read /usr/share/doc/initscripts-*/sysconfig.txt
# for the documentation of these parameters.
USERCTL=no
PEERDNS=yes
GATEWAY=10.0.0.2
TYPE=Ethernet
DEVICE=eth0
HWADDR=00:03:ff:0b:21:81
BOOTPROTO=none
NETMASK=255.255.255.0
ONBOOT=yes
IPADDR=10.0.0.118
NETWORK=10.0.0.0
BROADCAST=10.0.0.255
/etc/sysconfig/network_scripts/ ifcfg-eth1文件内容:
# Please read /usr/share/doc/initscripts-*/sysconfig.txt
# for the documentation of these parameters.
USERCTL=no
PEERDNS=yes
TYPE=Ethernet
DEVICE=eth1
HWADDR=00:03:ff:19:21:81
BOOTPROTO=none
NETMASK=255.255.255.0
ONBOOT=yes
IPADDR=192.168.0.118
NETWORK=192.168.0.0
BROADCAST=192.168.0.255
路由表:
[root@mylinux root]# gedit
[root@mylinux root]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 10.0.0.2 0.0.0.0 UG 0 0 0 eth0
配置:
打开Webmin网址:http//10.0.0.2:10000,输入root帐户名和其密码,选择网络配置下的“Linux Firewall”:
打开的界面,在“Showing Iptable”按钮右边默认选择的是“Packet filtering(filter)”,可以进行防火墙的配置。如果原来已经设置启用了中级或高级防火墙策略,那就必须注意在这里配置转发(Forwarded packets (FORWARD))规则,允许NAT通信的有关协议、端口的流量由内向外通过(注意方向不能搞错,内网卡是input,外网卡是output),使NAT真正生效。实验时,我们允许所有的通信通过,规则如下:
Accept - If input interface is eth1 and output interface is eth0
并且注意规则的执行顺序,是由上而下,最上面的先被匹配,只要找到匹配的规则,就直接跳出规则队列。
为了配置NAT服务,需要选择“Showing Iptable”按钮右边的“Network Address Translation(nat)”选项,然后点击“Showing Iptable”按钮,进入NAT配置界面。
按“Add Role”按钮,打开规则配置界面。
“Action to take”选“Source NAT”,“IPs and ports for SNAT”的“IP range”填10.0.0.118;Outgoing interface选等于(Equals)eth0,就是外网卡;别的选项选择默认值。然后按“Save”按钮保存,再按“Apply Configuration”按钮,使规则即可生效。
注意,配置到这里,其实还是不能实现需要的功能,不知道是Webmin的功能欠缺还是别的什么原因,我们还需要配置Linux实现“IP转发”功能,才能最后完成所有任务。
配置Linux“IP转发”,有的资料上说必须在/etc/sysconfig/network文件末加FORWARD_IPV4=yes语句:
/etc/sysconfig/network:
NETWORKING=yes
HOSTNAME=myLinux
GATEWAY=10.0.0.2
FORWARD_IPV4=yes
同时再执行echo 1 > /proc/sys/net/ipv4/ip_forward语句。但是我发现在Redhat Linux9.0下只要执行后一条语句就够了,不知道别的Linux发行版是不是与此相同。
为了使语句echo 1 > /proc/sys/net/ipv4/ip_forward语句在开机后自动执行,我们把它加到/etc/rc.d/rc.local文件末尾就可以了。
用Webmin配置防火墙和NAT服务,本质上是编辑和操作/etc/sysconfig/iptables文件,所有配置结果都保存在该文件中,/etc/sysconfig/iptables内容:
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
:My-test-Chain - [0:0]
-A INPUT -p tcp -m tcp -i eth0 --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --dport 137:139 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 -j REJECT --syn
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 -j REJECT --syn
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 -j REJECT --syn
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 -j REJECT --syn
-A My-test-Chain -p icmp -d 10.0.0.118 -i eth0 -j DROP
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A OUTPUT -o eth0 -j ACCEPT
# Not ping 10.0.0.118
-A INPUT -p icmp -d 10.0.0.118 -i eth0
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j SNAT --to-source 10.0.0.118
COMMIT
# Completed
其实,核心配置语句就是一句:
-A POSTROUTING -o eth0 -j SNAT --to-source 10.0.0.118
本文来自“十万个为什么”电脑学习网 http://www.why100000.com
http://www.why100000.com/_Linux/doc/RHLinux_Webmin_Nat.swf
作者:张庆(网眼)2008-1-21