Linux Concise System Maintenance Manual

zhaozj2021-02-16  59

Foreword

Colleagues of mine have, through hard work, written documents on Linux that run to hundreds of pages. There are also more than 10,000 pages of technical material on Linux on the Internet, not counting what exists in English. Tens of thousands of programmers and network experts work hard on this software. That is the appeal of free software.

I have used Linux for a long time and have run into countless setbacks along the way, but I have also learned a great deal from experts. I have always preferred plain writing; with the short sentences and code below I hope to pass on my experience of using Linux. This article may be a little disorganized, but I hope every sentence in it is useful to you. If you need more detail, please refer to the documents my colleagues have written.

Of course, my greatest wish is that reading this document helps your work go smoothly.

First, misunderstandings about Linux

1. What is Linux?

First, few people use Linux for a desktop system, because the Windows desktop is already good enough. We mainly use Linux as the operating system of network servers. If you and your application fit the following, then Linux is for you:

* You do not want to spend money on the operating system and the network applications.

* You would be condemned for, or are afraid of the liability of, running a pirated system.

* You want a lot of performance for little money.

* It looks impressive in front of users.

* You know several Linux experts, or know where to take your questions.

2, Are there big differences between the Linux distributions?

If you used PCs from the late 1980s until about 1995, you can think of Linux this way: it is like DOS with a 32-bit multitasking kernel, except that on the outside it looks like UNIX. Linux was assembled from the wisdom of a great many people. Beginners often ask: "Is Red Hat better, or Slackware?" Such a person is facing hundreds of options, which is indeed a headache. Most Linux distributions are actually very simple: almost all of them use the same kernel (perhaps in different versions), and the differences in external commands and data files are limited to where they are stored in the file system (this does cause some compatibility problems, because a particular file is looked for in some fixed places). Some distributions also add their own utilities to the package to show off their own strengths. In fact few vendors modify the kernel, because the official kernel keeps being updated. Of course, some embedded-system developers do say they have built their own systems on the basis of Linux.

This is a very annoying aspect of Linux. I prefer FreeBSD on this point, because it has only one official release and also runs more stably. But there are far more programmers writing software for Linux, and there is more information about Linux. Remember: when someone tells you that the distribution does not matter, that person is an expert.

3, Is Linux an amateur system?

Propaganda of that sort gives many people this impression. In fact Linux is a serious operating system with all the characteristics an operating system should have, and it can be used in many serious settings.

4, Is Linux's performance better than Windows?

The answer here will disappoint you: according to my earlier actual tests, the performance of the version 2.2 Linux kernel is lower than Windows 2000. It is worth noting that the kernel performance of version 2.4 has substantially approached Windows 2000, and that the complex Windows 2000 graphical interface takes up considerable system resources.

5, Is Linux more complicated and more professional than Windows?

In terms of complexity, Windows 2000 is more complicated than Linux. In core technology, Windows is more advanced.

6, Is Linux more reliable?

The reliability of a system should be evaluated from two angles. (1) The reliability of the system itself: here the two are similar. People's general impression that Windows is less reliable than Linux comes from the many widely publicized Windows failures. Of course, Linux is structurally simpler than Windows, which can improve reliability to some extent. (2) From the perspective of security, Linux is much better than Windows, for a very simple reason: the tall tree catches the wind. In addition, Linux's open source code means vulnerabilities are found and fixed very quickly, whereas Windows is comparatively bureaucratic. I should add here that the most reliable systems I have used, in both reliability and security, are the BSD family.

7, Does Linux really not cost a penny?

Most distributions cost a small amount of money, though you can also download them from the web. In fact these distributions do not fit your application as they are; they usually need some changes and customization before they run. Still, the money spent is nothing compared with Windows.

Second, Linux installation considerations

Most distributions are now easy to install, basically through a graphical wizard. Each distribution is a little different and they cannot all be described one by one; if you cannot manage even that, then do not use Linux. Only a few points of concern are given here.

1. If you want to dual-boot with Windows, be sure to install Windows first, then Linux.

2. When partitioning, decide flexibly according to the software to be installed. Typical partitions are: /, /root, /usr, /var and a swap partition. The swap partition has a different partition type from the others and must be chosen explicitly; it is generally twice the size of physical memory. The /root partition is for emergency root use; 64 MB is enough.

3. Of course, for convenience, you can let the distribution's installer do the job for you. But my habit when installing Linux is to install a minimal system plus all the compilation tools. Installing the compilation tools is generally done through the package management tool of your distribution, which is the most convenient way. For example, in TurboLinux run /usr/sbin/turbopkg and select all the options under Development, or at least the GCC-related ones; the management tools of other distributions generally offer the same.

4. LILO must be installed. Otherwise, if there is a partition problem, it is hard to recover.

5. If Linux is dual-booted with Windows and Windows will no longer start, you can boot from a Windows 98 boot floppy and run FDISK /MBR to restore the master boot record, which keeps the Windows partition.

After installing the minimal system and a full set of compilers, we have a cleaner system, on which you can download and install a variety of applications.

Third, basic use

1, the file system

No matter how many partitions there are, the entire file system is one tree. The most common directories are:

(1) /usr: stores various application files; /usr/local is used for software you install yourself.

(2) /var: used to store all data files.

(3) /proc: the files inside represent various configurations and states of the system kernel. This is not a real file system but data in memory. Some common system information can be obtained here, for example how much memory is in use.

(4) /etc: where all system configuration files are placed. Normally the configuration files of software installed later are not placed here, unless you install the software with RPM or deliberately do so. I do not like to mix the files of different software together, so I usually keep each piece of software's configuration files in its own directory.

2, common commands

Here I list some of the most frequently used commands; their specific usage can be found in the relevant man pages (I hope your English is not too bad).

vi (you have to use this very annoying thing; if you cannot stand it, choose another editor called pico, which is a bit like DOS Edit)
head (used to view the beginning of a long file)
tail (the same, for the end)
netstat (see network status)
tar (unpack .tar.gz archives)
ps (see processes)
kill (kill a process)
top (see system conditions)
shutdown (shut down the system)
cat (see file contents)
ping (check network connectivity)
ftp (transfer files)
man (manual)

The commands above are the most common, and their basic usage must be remembered. In fact nobody can remember all the parameters of every command; remember the several commonly used ones and look the rest up in books.

3, kernel upgrade

If you do not want an adventure, you can skip this part. However, according to my actual experience, the performance of the 2.4.x kernel is at least 40% better than 2.2.x, so it is worth a try. The latest distributions almost all come with a 2.4 kernel, but the version numbers tend to be conservative. My suggestion is that before deciding to upgrade any part, you must first read the so-called "Current Version Release Note", which tells you what has changed in this version. If the changes do not involve your current environment or requirements and only add support for some exotic devices, you need not upgrade. Also: in a Linux kernel version number, an odd second number (such as 2.3) is a non-stable version and an even number is a stable version.

The steps to upgrade the kernel are as follows:

(1) First find the kernel file you intend to upgrade to online; it is generally named linux-2.x.xx.tar.gz. Copy this file to /usr/src. (Don't know where to find it? Look at http://www.kernel.org; it is best to get the .tar.gz format, for example from http://www.kernel.org/pub/linux/kernel/v2.x/.) The following example upgrades from 2.2.18 to 2.5.7 (this was the latest kernel at the time; don't forget to change the version number if you use another version).

(2) Decompress: tar zxvf linux-2.5.7.tar.gz, which generates the directory linux-2.5.7.

(3) Enter /usr/src and use ls -l to see that there is a symbolic link in src, similar to: linux -> linux-2.2.18/ (the link points to your current kernel version). First remove this link (rm linux), then rebuild it with ln -s linux-2.5.7 linux. I trust you will not get the version number wrong here.

(4) Enter the linux-2.5.7 directory. If this is not the first time this kernel tree is compiled, it is best to run make mrproper to delete the .o files and so on; of course the previously saved configuration is lost too.

(5) Use the command make menuconfig to adjust the kernel configuration to your current environment; remember, do not change options you do not understand. The primary task is to adjust the settings for your hardware, such as the SCSI card: SCSI support / SCSI low-level drivers. Don't know the current SCSI card model? It can be found in /proc/scsi. The same goes for the network card, under Network device support. Don't know the current network card model? It is written in the file /proc/net/PRO_LAN_Adapters/eth0.info, or can be found in /proc/pci. In menuconfig, use the space bar to change the state of an option: <*> in front means the function is compiled into the kernel, mainly for speed; < > means the feature is not needed; <M> means the function is compiled as a module, which is usually done to reduce the kernel size and for ease of replacement.

(6) The next steps are fairly mechanical. Run make dep (it checks the dependencies between files; the process is quite involved).

(7) make bzImage (this really starts compiling! I find this the most addictive part, watching the screen scroll by; at this point you feel how much power the countless unknown programmers have contributed to this complex system).

(8) make modules (compiles the function modules and drivers marked <M>).

(9) make modules_install (copies the compiled modules to the specified location, generally /lib/modules/<version>. Note: modules of different version numbers are kept completely separate in different directories, because modules are closely tied to the kernel, and mixing them easily causes system crashes).

(10) cd /usr/src/linux-2.5.7/arch/i386/boot, then run cp /usr/src/linux-2.5.7/arch/i386/boot/bzImage /boot/vmlinuz-2.5.7, which copies the bzImage file to /boot/ under the name vmlinuz-2.5.7.

(11) cp /usr/src/linux-2.5.7/System.map /boot/System.map-2.5.7

(12) Enter the /boot directory and run rm System.map

(13) In the /boot directory run ln System.map-2.5.7 System.map. Steps 10-13 must be done every time you recompile.

(14) As I reminded you at the start, I hope you have installed LILO (otherwise you may sing: "God, save me!"). Edit the file /etc/lilo.conf as follows:

boot=/dev/sda
map=/boot/map
install=/boot/boot.b
prompt
timeout=50
lba32
default=linux-2.5.7

image=/boot/vmlinuz
    label=linux
    initrd=/boot/initrd
    read-only
    root=/dev/sda5

image=/boot/vmlinuz-2.5.7
    label=linux-2.5.7
    initrd=/boot/initrd
    read-only
    root=/dev/sda5

The lines shown in bold in the original (the default= line and the second image stanza) are the ones added or modified. If you do not have LILO, you can only change the files under /boot so that System.map and vmlinuz point at the new ones, without modifying LILO. This also boots, but once there is a problem your machine cannot start at all.

(15) Execute the command lilo (it updates the LILO data) and pay attention to its output: the entry marked with an asterisk is the default.

(16) Pray, then reboot the system; the new kernel can be seen with uname -a. If there are problems and it cannot boot, select the original kernel at LILO's boot prompt, and after entering the system re-check the kernel parameters and adjust the hardware or other configuration. Then repeat the whole procedure.
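The copy-and-relink steps (10) to (13) above are easy to get wrong by hand, so here is an added shell example (written for this edit, not part of the original manual) that performs them as a function with the checks a careless copy skips: the tree must actually have been built, an image of the same version is never overwritten, and the old kernel is left in place so LILO can still boot it. The function names install_kernel and lilo_stanza, and the optional second and third arguments that let the /usr/src and /boot locations be overridden, are assumptions of this example.

```shell
#!/bin/sh
# Added example: install a compiled kernel under a version-specific name,
# as steps (10)-(13) of the manual describe, with sanity checks.
# install_kernel VERSION [SRC_ROOT] [BOOT_DIR]
#   VERSION  - kernel version, e.g. 2.5.7 (the tree is SRC_ROOT/linux-VERSION)
#   SRC_ROOT - defaults to /usr/src  (assumed parameter, lets the function be tested)
#   BOOT_DIR - defaults to /boot     (assumed parameter, lets the function be tested)
install_kernel() {
    ver=$1
    src_root=${2:-/usr/src}
    boot_dir=${3:-/boot}
    src="$src_root/linux-$ver"
    image="$src/arch/i386/boot/bzImage"
    sysmap="$src/System.map"

    # Refuse to continue on a tree that was never built: copying a stale
    # bzImage from an earlier build is a classic way to boot the wrong kernel.
    [ -f "$image" ]  || { echo "missing $image: run make bzImage first" >&2; return 1; }
    [ -f "$sysmap" ] || { echo "missing $sysmap" >&2; return 1; }

    # Never overwrite an image of the same version.  The old vmlinuz stays
    # untouched as well, so LILO can still boot it if the new kernel fails.
    if [ -e "$boot_dir/vmlinuz-$ver" ]; then
        echo "$boot_dir/vmlinuz-$ver already exists; use a new version tag" >&2
        return 2
    fi

    cp "$image"  "$boot_dir/vmlinuz-$ver"    || return 1
    cp "$sysmap" "$boot_dir/System.map-$ver" || return 1

    # Steps (12)-(13): repoint System.map at the new map.  ln -sf replaces
    # the link in one command, so the separate rm is not needed.
    ln -sf "System.map-$ver" "$boot_dir/System.map" || return 1
    echo "installed vmlinuz-$ver and System.map-$ver in $boot_dir"
}

# lilo_stanza VERSION ROOT_DEVICE
# Prints the image stanza that step (14) appends to /etc/lilo.conf for the
# new kernel.  The original entry is left in place; only the default= line
# (not printed here) selects which one boots.
lilo_stanza() {
    printf 'image=/boot/vmlinuz-%s\n' "$1"
    printf '    label=linux-%s\n' "$1"
    printf '    read-only\n'
    printf '    root=%s\n' "$2"
}

# Typical use on a real machine (as root):
#   install_kernel 2.5.7 && lilo_stanza 2.5.7 /dev/sda5 >> /etc/lilo.conf && lilo
```

The return codes are distinct on purpose: 1 means something is missing, 2 means the version tag is already in use, so a wrapper script can tell a forgotten make bzImage apart from an attempt to clobber the running kernel.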

Fourth, main software installation

As mentioned earlier, my habit when installing the system is to install only a kernel and the compilation tools. Having obtained a clean system, installing the other software is relatively clear. Another point: unless no source code version is available, I usually download the official source code and recompile it. Similarly, the software version should be chosen according to the software's Release Note; that is also why many packages keep several versions in development at the same time. The installation methods of these packages differ slightly; read the README and INSTALL files in the directory carefully before installing, otherwise those small differences will cause a lot of trouble. The installation procedures described below are closely related to one another. In addition, I copy the package of every piece of software to the /usr/local/src directory; this is a habit, because on Linux it is customary to put later-installed software under /usr/local.

(1) Install a DNS server

1. Download the BIND domain name server software from www.isc.org. We used BIND 8.3.0; the BIND 8 and BIND 9 branches are developed in parallel. Choose a suitable BIND version according to your own situation.

2, mkdir /usr/local/src/bind83

3, the downloaded file is bind-src.tar.gz; copy it to the /usr/local/src/bind83 directory.

4, cd /usr/local/src/bind83

5, tar zxvf bind-src.tar.gz

6, cd src

7, make stdlinks

8, make clean

9, make depend

10, make all

11, make install

12, edit the configuration file /etc/named.conf; its content is as follows, and the parts you need to change were marked in bold in the original:

/*
 * This is a worthless, nonrunnable example of a named.conf file that has
 * every conceivable syntax element in use.  We use it to test the parser.
 * It could also be used as a conceptual template for users of new features.
 */

/*
 * C-style comments are OK
 */

// So are C++-style comments

# So are shell-style comments

// Watch out for ";" - it's important!

options {
    directory "/var/named";                 // use current directory
    named-xfer "/usr/libexec/named-xfer";   // _PATH_XFER
    dump-file "named_dump.db";              // _PATH_DUMPFILE
    pid-file "/var/run/named.pid";          // _PATH_PIDFILE
    statistics-file "named.stats";          // _PATH_STATS
    memstatistics-file "named.memstats";    // _PATH_MEMSTATS
    check-names master fail;
    check-names slave warn;
    check-names response ignore;
    host-statistics no;
    deallocate-on-exit no;          // Painstakingly deallocate all
                                    // objects when exiting instead of
                                    // letting the OS clean up for us.
                                    // Useful when a memory leak is suspected.
                                    // Final statistics are written to the
                                    // memstatistics-file.
    datasize default;
    stacksize default;
    coresize default;
    files unlimited;
    recursion yes;
    fetch-glue yes;
    fake-iquery no;
    notify yes;                     // send NOTIFY messages.  You can set
                                    // notify on a zone-by-zone
                                    // basis in the "zone" statement
                                    // (see below)
    serial-queries 4;               // number of parallel SOA queries
                                    // we can have outstanding for master
                                    // zone change testing purposes
    auth-nxdomain yes;              // always set AA on NXDOMAIN.
                                    // don't set this to 'no' unless
                                    // you know what you're doing - older
                                    // servers won't like it.
    multiple-cnames no;             // if yes, then a name may have more
                                    // than one CNAME RR.  This use
                                    // is non-standard and is not
                                    // recommended, but it is available
                                    // because previous releases supported
                                    // it and it was used by large sites
                                    // for load balancing.
    allow-query { any; };
    allow-transfer { any; };
    transfers-in 10;                // DEFAULT_XFERS_RUNNING, cannot be
                                    // set > than MAX_XFERS_RUNNING (20)
    transfers-per-ns 2;             // DEFAULT_XFERS_PER_NS
    transfers-out 0;                // not implemented
    max-transfer-time-in 120;       // MAX_XFER_TIME; the default number
                                    // of minutes an inbound zone transfer
                                    // may run.  May be set on a per-zone
                                    // basis.
    transfer-format one-answer;
    query-source address * port *;
    /*
     * The "forward" option is only meaningful if you've defined
     * forwarders.  "first" gives the normal BIND
     * forwarding behavior, i.e. ask the forwarders first, and if that
     * doesn't work then do the full lookup.  You can also say
     * "forward only;" which is what used to be specified with
     * "slave" or "options forward-only".  "only" will never attempt
     * a full lookup; only the forwarders will be used.
     */
    forward first;
    forwarders { };                 // default is no forwarders
    topology { localhost; localnets; };   // prefer local nameservers
    listen-on port 53 { any; };     // listen for queries on port 53 on
                                    // any interface on the system
                                    // (i.e. all interfaces).  The
                                    // "port 53" is optional; if you
                                    // don't specify a port, port 53
                                    // is assumed.
    /*
     * Interval timers
     */
    cleaning-interval 60;           // clean the cache of expired RRs
                                    // every 'cleaning-interval' minutes
    interface-interval 60;          // scan for new or deleted interfaces
                                    // every 'interface-interval' minutes
    statistics-interval 60;         // log statistics every
                                    // 'statistics-interval' minutes
    maintain-ixfr-base no;          // if yes, keep transaction log file for IXFR
    max-ixfr-log-size 20;           // not implemented, maximum size
                                    // the IXFR transaction log file may grow to
};

/*
 * Control listeners, for "ndc".  Every nameserver needs at least one.
 */
controls {
    inet * port 52 allow { any; };  // a bad idea
    unix "/var/run/ndc" perm 0600 owner 0 group 0;  // the default
};

zone "rd.xxx.com" in {
    type master;                    // what used to be called "primary"
    file "rd.xxx.com.db";
    check-names fail;
    allow-update { none; };
    allow-transfer { any; };
    allow-query { any; };
    // notify yes;                  // send NOTIFY messages for this
                                    // zone?  The global option is used
                                    // if "notify" is not specified
                                    // here.
    also-notify { };                // don't notify any nameservers other
                                    // than those on the NS list for this
                                    // zone
};

zone "223.99.211.in-addr.arpa" in {
    type master;                    // what used to be called "secondary"
    file "21.9.22.db";
};

zone "0.0.127.in-addr.arpa" in {
    type master;
    file "127.0.0.db";
};

zone "." in {
    type hint;                      // used to be specified w/ "cache"
    file "named.root";
};

logging {
    /*
     * All log output goes to one or more "channels"; you can make as
     * many of them as you want.
     */
    channel syslog_errors {         // this channel will send errors or
        syslog user;                // or worse to syslog (user facility)
        severity error;
    };
    category parse {
        syslog_errors;              // you can log to as many channels
        default_syslog;             // as you want
    };
    category lame-servers { null; };    // don't log these at all
    channel moderate_debug {
        severity debug 3;           // level 3 debugging to file
        file "foo";                 // foo
        print-time yes;             // timestamp log entries
        print-category yes;         // print category name
        print-severity yes;         // print severity level
        /*
         * Note that debugging must have been turned on either
         * on the command line or with a signal to get debugging
         * output (non-debugging output will still be written to
         * this channel).
         */
    };
    /*
     * If you don't want to see "zone XXXX loaded" messages but do
     * want to see any problems, you could do the following.
     */
    channel no_info_messages {
        syslog;
        severity notice;
    };
    category load { no_info_messages; };
    /*
     * You can also define category "default"; it gets used when no
     * "category" statement has been given for a category.
     */
    category default {
        default_syslog;
        moderate_debug;
    };
};

13. The files referenced in /etc/named.conf live in /var/named/. The first is rd.xxx.com.db; its content is as follows, and you need to modify and adjust the appropriate parts:

; Authoritative data for rd.xxx.com
;
$TTL 3600
@       IN  SOA compaq.rd.xxx.com. tandongyu.rd.xxx.com. (
            20020101    ; serial
            3600        ; refresh 1 hour
            900         ; retry 15 mins
            604800      ; expire 7 days
            86400 )     ; minimum 24 hours
; Name server (NS) records
@       IN  NS  compaq.rd.xxx.com.
; Mail exchange (MX) records
rd.xxx.com.  IN  MX  0  compaq
; Address (A) records
localhost   IN  A   127.0.0.1
compaq      IN  A   21.9.22.9
tls65       IN  A   21.9.22.8
fbsd        IN  A   21.9.22.7

14. The second file referenced in /etc/named.conf, also in /var/named/, is 21.9.22.db; its content is as follows, and you need to modify the appropriate parts:

;
;
$TTL 3600
@       IN  SOA compaq.rd.xxx.com. tandongyu.rd.xxx.com. (
            20020101    ; serial
            3600        ; refresh
            900         ; retry 15 mins
            604800      ; expire 7 days
            86400 )     ; minimum 24 hours
; Name server (NS) records
@       IN  NS  compaq.rd.xxx.com.
; Address to name (PTR) records
9       IN  PTR compaq.rd.xxx.com.
8       IN  PTR tls65.rd.xxx.com.
7       IN  PTR fbsd.rd.xxx.com.

15. The third file referenced in /etc/named.conf, also in /var/named/, is 127.0.0.db; its content is as follows, and you need to modify the appropriate parts:

; 0.0.127.in-addr.arpa
$TTL 3600
@       IN  SOA compaq.rd.xxx.com. tandongyu.rd.xxx.com. (
            20020101    ; serial
            3600        ; refresh
            1800        ; retry
            604800      ; expiration
            3600 )      ; minimum
        IN  NS  compaq.rd.xxx.com.
1       IN  PTR localhost.

16. The last file referenced in /etc/named.conf, also in /var/named/, is named.root; its content is approximately as follows. This file lists the 14 root domain name servers. You can get the latest version of this file from ftp.rs.internic.net (named.hosts), then rename it as you need, for example to named.root.

;       This file holds the information on root name servers needed to
;       initialize cache of Internet domain name servers
;       (e.g. reference this file in the "cache  .  <file>"
;       configuration file of BIND domain name servers).
;
;       This file is made available by InterNIC registration services
;       under anonymous FTP as
;           file                /domain/named.root
;           on server           FTP.RS.INTERNIC.NET
;       -OR- under Gopher at    RS.INTERNIC.NET
;           under menu          InterNIC Registration Services (NSI)
;              submenu          InterNIC Registration Archives
;           file                named.root
;
;       last update:    Aug 22, 1997
;       related version of root zone:   1997082200
;
;
; formerly NS.INTERNIC.NET
;
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
;
; formerly NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107
;
; formerly C.PSI.NET
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
;
; formerly TERP.UMD.EDU
;
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
;
; formerly NS.NASA.GOV
;
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
;
; formerly NS.ISC.ORG
;
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
;
; formerly NIC.NORDU.NET
;
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
;
; temporarily housed at NSI (InterNIC)
;
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     198.41.0.10
;
; housed in LINX, operated by RIPE NCC
;
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
;
; temporarily housed at ISI (IANA)
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
;
; housed in Japan, operated by WIDE
;
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
; End of File
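Once the forward and reverse zone files from steps 13 to 15 are written, it is worth checking them against each other before starting named: every A record in the subnet needs a PTR that points back to the same name, and every PTR needs a matching A record, otherwise named may refuse the zone and peers that verify reverse DNS will reject mail from the host. The following shell/awk script is an added example (written for this edit, not from the manual or from BIND) that performs this check; the function names check_zone_pairs and write_sample_zones are assumptions of this example, and the embedded sample zones are constructed to mirror the rd.xxx.com data above.

```shell
#!/bin/sh
# Added example: cross-check a forward zone file against its in-addr.arpa
# reverse zone file before handing both to named.

# check_zone_pairs FORWARD_FILE REVERSE_FILE ORIGIN PREFIX
#   ORIGIN - zone origin without trailing dot, e.g. rd.xxx.com
#   PREFIX - the three octets the reverse file covers, e.g. 21.9.22
# Prints one line per inconsistency; returns 0 only when there is none.
check_zone_pairs() {
    awk -v origin="$3" -v prefix="$4" '
        BEGIN { origin = tolower(origin) }
        { sub(/;.*/, ""); $0 = tolower($0) }     # drop comments, ignore case
        NF < 4 { next }                           # SOA continuation lines etc.
        FILENAME == ARGV[1] && $2 == "in" && $3 == "a" {
            name = $1
            if (name !~ /\.$/) name = name "." origin "."  # qualify short names
            if (index($4, prefix ".") == 1) a[name] = $4   # only this subnet
            next
        }
        FILENAME == ARGV[2] && $2 == "in" && $3 == "ptr" {
            ptr[prefix "." $1] = $4
            next
        }
        END {
            bad = 0
            for (n in a) {
                ip = a[n]
                if (!(ip in ptr)) { print "no PTR for " n " (" ip ")"; bad++ }
                else if (ptr[ip] != n) { print "PTR for " ip " is " ptr[ip] " but the A record belongs to " n; bad++ }
            }
            for (ip in ptr) {
                found = 0
                for (n in a) if (a[n] == ip) found = 1
                if (!found) { print "PTR " ip " -> " ptr[ip] " has no A record"; bad++ }
            }
            if (bad > 0) exit 1
        }
    ' "$1" "$2"
}

# write_sample_zones DIR: writes constructed sample zone files (the rd.xxx.com
# data from the manual) into DIR so the check can be tried offline.
write_sample_zones() {
    cat > "$1/rd.xxx.com.db" <<'EOF'
; constructed sample forward zone
$TTL 3600
@       IN  SOA compaq.rd.xxx.com. tandongyu.rd.xxx.com. (
            20020101 ; serial
            3600     ; refresh
            900      ; retry
            604800   ; expire
            86400 )  ; minimum
@           IN  NS  compaq.rd.xxx.com.
rd.xxx.com. IN  MX  0 compaq
localhost   IN  A   127.0.0.1
compaq      IN  A   21.9.22.9
tls65       IN  A   21.9.22.8
fbsd        IN  A   21.9.22.7
EOF
    cat > "$1/21.9.22.db" <<'EOF'
; constructed sample reverse zone
$TTL 3600
@   IN  SOA compaq.rd.xxx.com. tandongyu.rd.xxx.com. (
            20020101 ; serial
            3600     ; refresh
            900      ; retry
            604800   ; expire
            86400 )  ; minimum
@   IN  NS  compaq.rd.xxx.com.
9   IN  PTR compaq.rd.xxx.com.
8   IN  PTR tls65.rd.xxx.com.
7   IN  PTR fbsd.rd.xxx.com.
EOF
}

# Self-check: "sh zonecheck.sh demo" writes the samples to a scratch
# directory and runs the comparison on them.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_sample_zones "$d"
    check_zone_pairs "$d/rd.xxx.com.db" "$d/21.9.22.db" rd.xxx.com 21.9.22 && echo "zones consistent"
fi
```

On a real server call it with the files under /var/named, for example check_zone_pairs /var/named/rd.xxx.com.db /var/named/21.9.22.db rd.xxx.com 21.9.22; the localhost A record is ignored because it lies outside the reverse zone's prefix.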

17. We also need to configure the /etc/resolv.conf, /etc/hosts and /etc/host.conf files to match the new conditions.

18. After everything is done, start BIND with the command /usr/sbin/ndc start; the same command also accepts stop, restart, reload and other arguments.

19. After startup, use the nslookup command (some systems recommend the dig command) to verify that it works. If an error occurs, named will not start; general errors are all in the database files or the configuration file, for example a missing "." or an incorrect file name.

(2) Install the Sendmail server

1. Download the latest version from www.sendmail.org (sendmail must be upgraded to the latest version, because its upgrades are mainly about security vulnerabilities). sendmail-8.12.2.tar.gz is used here.

2, cd /usr/local/src/

3, download the file to /usr/local/src

4, tar zxvf sendmail-8.12.2.tar.gz

5, cd /usr/local/src/sendmail-8.12.2

6, chmod go-w / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue

7, chown root / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue

8, cd /usr/local/src/sendmail-8.12.2/sendmail

9, sh Build

10, cd /usr/local/src/sendmail-8.12.2/cf/cf

11. Create the file sendmail.mc with the following content; modify the corresponding parts as needed.

divert(-1)
dnl This is the macro config file used to generate the /etc/sendmail.cf
dnl file. If you modify the file you will have to regenerate the
dnl /etc/sendmail.cf by running this macro config through the m4
dnl preprocessor:
dnl
dnl        m4 /etc/sendmail.mc > /etc/sendmail.cf
dnl
dnl You will need to have the sendmail-cf package installed for this to work.
include(`/usr/local/src/sendmail-8.12.2/cf/m4/cf.m4')
define(`confDEF_USER_ID', ``8:12'')
OSTYPE(`linux')
undefine(`UUCP_RELAY')
undefine(`BITNET_RELAY')
define(`confTO_CONNECT', `1m')
define(`confTRY_NULL_MX_LIST', true)
define(`confDONT_PROBE_INTERFACES', true)
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')
define(`SMART_HOST', `compaq.rd.xxx.com')
dnl ^--- used on machines that are not the hub, so that they send their mail through the hub
MASQUERADE_AS(`rd.xxx.com')
FEATURE(`masquerade_entire_domain')
FEATURE(`masquerade_envelope')
dnl ^--- these three lines implement the e-mail address masquerading
FEATURE(`smrsh', `/usr/sbin/smrsh')
FEATURE(`mailertable', `hash -o /etc/mail/mailertable')
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable')
FEATURE(redirect)
FEATURE(always_add_domain)
FEATURE(use_cw_file)
FEATURE(local_procmail)
FEATURE(`access_db')
FEATURE(`blacklist_recipients')
FEATURE(`accept_unresolvable_domains')
MAILER(smtp)
MAILER(procmail)
dnl We strongly recommend to comment this one out if you want to protect
dnl yourself from spam. However, the laptop and users on computers that do
dnl not have 24x7 DNS do need this.
dnl FEATURE(`relay_based_on_MX')

12, sh Build install-cf

13, groupadd smmsp

14, useradd smmsp

15, cd /usr/local/src/sendmail-8.12.2/sendmail

16, sh Build install

17, cd /usr/local/src/sendmail-8.12.2/makemap

18, sh Build clean

19, sh Build all

20, sh Build install

21, cd /usr/local/src/sendmail-8.12.2/

22, add an MX record to the primary database file of this domain in DNS:

rd.xxx.com.  IN  MX  0  compaq

Note: modify the appropriate parts. The 0 marks the order of preference when there are several mail hosts; when there are several MX records it is recommended to write 10, 20, 30 ...

23. Create an access file in the /etc/mail directory, with content similar to the following:

127.0.0.1       RELAY
21.9.22         RELAY
211.99.221.238  RELAY

Then: makemap hash /etc/mail/access < /etc/mail/access

24. Create the file /etc/mail/local-host-names, which holds your own domain name information:

rd.xxx.com
compaq.rd.xxx.com

25. Create the file /etc/mail/aliases, with content similar to:

mailer-daemon: postmaster
postmaster: root
bin: root
daemon: root
nobody: root

Run newaliases to create the database.

One purpose of the aliases file is to handle mail sent to users of other mail servers in the domain rather than to users of the mail hub.

For example, add the line:

atan: atan@fbsd

Then mail for atan arriving at the mail hub is automatically forwarded to atan@fbsd.rd.xxx.com.

26, start sendmail: /usr/sbin/sendmail -bd -q30m

If it does not run: if there is a problem, it will not start. Most problems are related to the DNS configuration; you can use nslookup to check whether DNS is working. Checking the contents of the files in /etc/mail is also a good way to troubleshoot. In addition, when modifying the configuration it is not recommended to edit the sendmail.cf file directly; use the m4 macro tool instead, because some security vulnerabilities or outdated macros are flagged during compilation, so that the related security issues are avoided.

(3) Install the DHCP server
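The access file in step 23 decides which clients may relay mail through this host, so a typo there (dropping an octet from an address prefix, for instance) turns the hub into an open relay for a whole /8 or /16. Here is an added shell/awk example (written for this edit; not from the manual or from sendmail) that reads an access file and flags RELAY entries wider than a /24, plus duplicate keys, before makemap is run. lint_access and write_sample_access are names assumed for this example, and the sample file is constructed from the manual's three entries plus one mistyped line.

```shell
#!/bin/sh
# Added example: lint /etc/mail/access RELAY entries before running makemap.

# lint_access FILE
#   Prints WARN for every RELAY key that is a 1- or 2-octet prefix (a whole
#   /8 or /16) and for duplicate keys; returns 1 if any prefix is wider than
#   /24, else 0.  Tags such as Connect: (sendmail 8.12 tagged syntax) are
#   stripped before the key is examined; host and domain-name keys pass.
lint_access() {
    awk '
        /^[ \t]*#/ || NF < 2 { next }               # comments, blanks, bare keys
        {
            key = $1; val = toupper($2)
            sub(/^(Connect|To|From):/, "", key)
            if (key in seen) { print "WARN: duplicate key " key; dup++ }
            seen[key] = 1
            if (val != "RELAY") next
            # Is the key an IPv4 address or prefix?  Split it and test each part.
            n = split(key, o, ".")
            numeric = 1
            for (i = 1; i <= n; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) numeric = 0
            if (!numeric) { print "note: relaying for name " key; next }
            if (n == 4) next                        # single host: fine
            if (n == 3) next                        # /24 prefix: the usual LAN entry
            print "WARN: " key " relays for an entire /" (n == 2 ? 16 : 8) " block"
            wide++
        }
        END { if (wide > 0) exit 1 }
    ' "$1"
}

# write_sample_access FILE: constructed sample with the three entries from
# the manual plus a mistyped prefix (one octet dropped from 211.99.221).
write_sample_access() {
    cat > "$1" <<'EOF'
# constructed sample /etc/mail/access
127.0.0.1       RELAY
21.9.22         RELAY
211.99.221.238  RELAY
211.99          RELAY
spammer.example.com  REJECT
EOF
}

# Usage: lint_access /etc/mail/access && makemap hash /etc/mail/access < /etc/mail/access
```

Running makemap only when the lint succeeds, as in the usage line, keeps a bad edit from ever reaching access.db; a /16 or /8 entry is almost never intended on a small network and is exactly what spammers look for.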

1. The source download address is ftp://ftp.isc.org/isc/dhcp/dhcp-3.0.tar.gz; our version is dhcpd-3.0.

2, copy it to /usr/local/src, then decompress: tar zxvf dhcp-3.0.tar.gz

3, cd /usr/local/src/dhcp-3.0

4, ./configure

5, make (if this is not the first compilation, run make clean first)

6, make install

7, cp ./server/dhcpd.conf /etc

8, edit this file to look similar to the following (the parts marked in bold in the original are the ones to change):

# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#

# option definitions common to all supported networks...
option domain-name "rd.xxx.com";
option domain-name-servers compaq.rd.xxx.com;

default-lease-time 86400;
max-lease-time 172800;

ddns-update-style ad-hoc;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.

# This is a very basic subnet declaration.
subnet 21.9.22.0 netmask 255.255.255.224 {
  range 21.9.22.2 21.9.22.6;
  option routers 21.9.22.1;
}

# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.
#subnet 10.254.239.32 netmask 255.255.255.224 {
#  range dynamic-bootp 10.254.239.40 10.254.239.60;
#  option broadcast-address 10.254.239.31;
#  option routers rtr-239-32-1.example.org;
#}

# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
#  range 10.5.5.26 10.5.5.30;
#  option domain-name-servers ns1.internal.example.org;
#  option domain-name "internal.example.org";
#  option routers 10.5.5.1;
#  option broadcast-address 10.5.5.31;
#  default-lease-time 600;
#  max-lease-time 7200;
#}

# Hosts which require special configuration options can be listed in
# host statements.  If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.
#host passacaglia {
#  hardware ethernet 0:0:c0:5d:bd:95;
#  filename "vmunix.passacaglia";
#  server-name "toccata.fugue.com";
#}

# Fixed IP addresses can also be specified for hosts.  These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP.  Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
#host fantasia {
#  hardware ethernet 08:00:07:26:c0:a5;
#  fixed-address fantasia.fugue.com;
#}

# You can declare a class of clients and then do address allocation
# based on that.  The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.
#class "foo" {
#  match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}
#shared-network 224-29 {
#  subnet 10.17.224.0 netmask 255.255.255.0 {
#    option routers rtr-224.example.org;
#  }
#  subnet 10.0.29.0 netmask 255.255.255.0 {
#    option routers rtr-29.example.org;
#  }
#  pool {
#    allow members of "foo";
#    range 10.17.224.10 10.17.224.250;
#  }
#  pool {
#    deny members of "foo";
#    range 10.0.29.10 10.0.29.230;
#  }
#}

The rest of the file consists of commented-out examples taken from the original sample configuration; they are there for you to adapt. Leave them commented out unless you actually use them and are clear about what they mean.

9, create an empty leases file: touch /var/state/dhcp/dhcpd.leases

10. Check the kernel compilation options: under Networking options, "Packet socket: mmapped IO" and "Socket Filtering" must be selected (don't know how to look? See the earlier section and use make menuconfig). If they are already selected you do not need to recompile the kernel.

11, route add -host 255.255.255.255 dev eth0

12, route add -host localhost dev eth0

13. At the end of /etc/rc.d/rc.local, add the line: route add -host 255.255.255.255 dev eth0

14, reboot the system

15. Start the server with the dhcpd command, then check from other machines whether they obtain addresses from the network.
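A way to check the live subnet declaration above against the rules the sample's own comments state (ranges and routers inside the subnet, fixed addresses outside any dynamic range), as an added Python example that is not part of the manual; the dhcpd.conf text it parses is constructed here and the parser covers only the grammar used in the sample.

```python
"""Consistency checks for the address declarations in an ISC dhcpd.conf.

Added example, not part of the original manual: it checks the rules that the
sample file's own comments state, namely that every range lies inside its
subnet, that option routers lies inside the subnet, and that a host's
fixed-address is not also inside a dynamic range. The configuration text
below is constructed for this example and the parser only understands the
subset of the dhcpd.conf grammar used in the sample.
"""
import ipaddress
import re

# Constructed sample: the manual's live subnet, plus a second subnet and a
# host declaration that deliberately violate the rules.
SAMPLE_CONF = """
option domain-name "rd.xxx.com";
default-lease-time 86400;

subnet 21.9.22.0 netmask 255.255.255.224 {
  range 21.9.22.2 21.9.22.6;
  option routers 21.9.22.1;
}

# range spills past the /27 and the router is on another subnet
subnet 10.5.5.0 netmask 255.255.255.224 {
  range 10.5.5.26 10.5.5.40;
  option routers 10.5.6.1;
}

# fixed address collides with the dynamic range of the first subnet
host fantasia {
  hardware ethernet 08:00:07:26:c0:a5;
  fixed-address 21.9.22.4;
}
"""

SUBNET_RE = re.compile(r"\bsubnet\s+(\S+)\s+netmask\s+(\S+)\s*\{([^}]*)\}")
HOST_RE = re.compile(r"\bhost\s+(\S+)\s*\{([^}]*)\}")
RANGE_RE = re.compile(r"\brange\s+(?:dynamic-bootp\s+)?(\S+)\s+(\S+)\s*;")
ROUTERS_RE = re.compile(r"\boption\s+routers\s+([^;]+);")
FIXED_RE = re.compile(r"\bfixed-address\s+([^;]+);")


def strip_comments(text):
    """Remove '#' comments so the sample's commented-out blocks are ignored."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def _as_ip(value):
    """IPv4Address for a literal address, None for a hostname (not checkable offline)."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def parse_conf(text):
    """Return (subnets, hosts) from the subset of dhcpd.conf syntax used here."""
    text = strip_comments(text)
    subnets = []
    for addr, mask, body in SUBNET_RE.findall(text):
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        ranges = [(ipaddress.ip_address(lo), ipaddress.ip_address(hi))
                  for lo, hi in RANGE_RE.findall(body)]
        routers = [r.strip() for m in ROUTERS_RE.findall(body) for r in m.split(",")]
        subnets.append({"network": net, "ranges": ranges, "routers": routers})
    hosts = []
    for name, body in HOST_RE.findall(text):
        fixed = [f.strip() for m in FIXED_RE.findall(body) for f in m.split(",")]
        hosts.append({"name": name, "fixed": fixed})
    return subnets, hosts


def check_conf(text):
    """Return a list of findings; an empty list means the declarations are consistent."""
    subnets, hosts = parse_conf(text)
    findings = []
    for s in subnets:
        net = s["network"]
        for lo, hi in s["ranges"]:
            if lo > hi:
                findings.append(f"{net}: range {lo} {hi} is reversed")
            elif lo not in net or hi not in net:
                findings.append(f"{net}: range {lo} {hi} is not inside the subnet")
        for r in s["routers"]:
            ip = _as_ip(r)
            if ip is not None and ip not in net:
                findings.append(f"{net}: option routers {ip} is not inside the subnet")
    for h in hosts:
        for f in h["fixed"]:
            ip = _as_ip(f)
            if ip is None:
                continue
            for s in subnets:
                for lo, hi in s["ranges"]:
                    if lo <= ip <= hi:
                        findings.append(f"host {h['name']}: fixed-address {ip} "
                                        f"lies in dynamic range {lo} {hi} of {s['network']}")
    return findings


if __name__ == "__main__":
    for line in check_conf(SAMPLE_CONF) or ["no problems found"]:
        print(line)
```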

(4) Install Apache, MySQL, PHP, GD, PNG, zlib, JPEG, FreeType and mod_ssl

Why cover so many packages at once? Because they are closely linked; PHP in particular uses all the other modules. If you want full PHP functionality, you have to build them one by one.

1, First install MySQL: download the version you feel comfortable with from http://www.mysql.com/downloads/index.html. Version 3.23.42 is used here.

2, Enter the directory /usr/local/src (I won't repeat this later) and unpack: tar zxvf mysql-3.23.42.tar.gz

3, cd mysql-3.23.42/

4, ./configure --prefix=/usr/local/mysql

5, make

6, make install

7, useradd mysql; groupadd mysql; su mysql; (create a user and group named mysql, and switch to the mysql identity)

8, scripts/mysql_install_db (create the database structure)

9, cd /usr/local/mysql/bin

10, ./safe_mysqld & (start the server)

11, ./mysqladmin -u root password "new-password" (set your new password; remember that the MySQL password and the system password are independent, and the default is no password)

12. Try it out with the mysql client program.

The following steps are very formulaic; I will try to write them as concisely as possible.

13, download the related software packages; the addresses are as follows:

Software                        Version  Address
jpegsrc.v6b.tar.gz              6b       ftp://ftp.u.net/graphics/jpeg
zlib.tar.gz                     1.1.3    ftp://ftp.u.net/graphics/png/src
freetype-2.0.8.tar.gz           2.0.8    http://www.freeetype.org
libpng-1.0.10.tar.gz            1.0.10   ftp://ftp.u.net/graphics/png/src
gd-1.8.4.tar.gz                 1.8.4    http://www.boutell.com/gd
apache_1.3.23.tar.gz            1.3.23   http://www.apache.org
php-4.1.1.tar.gz                4.1.1    http://www.php.net
number4.tar.gz                  4        http://www.php.net/extra
rsaref20.tar.Z                  2.0      ftp://ftp.ai.mit.edu/pub/deberg
openssl-engine-0.9.6c.tar.gz    0.9.6c   http://www.openssl.org/source
mod_ssl-2.8.6-1.3.23.tar.gz     2.8.6    http://www.modssl.org

Once downloaded, put them all in the /usr/local/src directory and unpack each one with tar zxvf xxxx.tar.gz, except number4.tar.gz and rsaref20.tar.Z. (Enjoying it so far?)

The special cases: for rsaref20.tar.Z you must first create an rsaref-2.0 directory, copy rsaref20.tar.Z into it, and unpack it there with tar zxvf rsaref20.tar.Z. number4.tar.gz must be copied into the php-4.1.1 directory and then unpacked there with tar zxvf number4.tar.gz.

The description below is kept brief: only the commands executed after entering each directory are listed. The directories are all created when the archives are unpacked, and if you unpacked under /usr/local/src, all of them are there. It is best to build in the given order. One more thing: if this is not the first time you compile a package, run make clean first as a rule, then compile it.

14, [jpeg-6b]: generates the function library for JPEG images.

./configure
make
make test
make install

15, [zlib-1.1.3]: the compression algorithm library needed by PNG and JPEG.

make test
make install

16, [freetype-2.0.8]: font library, needed when fonts are drawn on images.

./configure --prefix=/usr/local
make
make install

17, [libpng-1.0.10]: generates the library for PNG images.

cp scripts/makefile.linux Makefile
make test
./pngtest pngnow.png

(If the test passes, continue. Otherwise, look at the error message and correct the error.)

make install

18, [gd-1.8.4]: the GD library, used to generate images dynamically, mainly for PHP-generated images.

Edit the Makefile:

Uncomment the following lines (remove the leading #):

CFLAGS=-DHAVE_LIBXPM -DHAVE_LIBPNG -DHAVE_LIBJPEG -DHAVE_LIBFREETYPE -DHAVE_LIBTTF
LIBS=-lgd -lpng -lz -ljpeg -lfreetype -lm -lttf

Comment out the following lines (add a leading #):

CFLAGS=-O -DHAVE_LIBPNG -DHAVE_LIBJPEG
LIBS=-lgd -lpng -lz -lm

Modify the following line:

INCLUDEDIRS=-I. -I/usr/local/include/freetype2 -I/usr/include/X11 \
            -I/usr/X11R6/include/X11 -I/usr/local/include \
            -I/usr/include/freetype

After saving:

make
make install

19, [apache_1.3.23]: step 1: ./configure --prefix=/usr/local/apache

20, [php-4.1.1]:

If this is not the first installation, delete the config.cache file first, then run make clean.

Next, configure the build environment by entering a rather long command:

./configure \
  --with-apache=/usr/local/src/apache_1.3.23 \
  --with-config-file-path=/usr/local/apache/conf \
  --enable-versioning \
  --with-mysql=/usr/local/mysql \
  --enable-ftp \
  --with-gd=/usr/local/src/gd-1.8.4 \
  --enable-bcmath \
  --disable-debug \
  --enable-memory-limit \
  --enable-track-vars \
  --with-zlib \
  --with-jpeg-dir=/usr/local/src/jpeg-6b \
  --with-png-dir=/usr/local/src/libpng-1.0.10 \
  --with-freetype-dir=/usr/local/src/freetype-2.0.8

Of course, you can also put the above command in an .sh file, which is convenient. That is what I do.

make
make install

21, [rsaref-2.0]: the RSA encryption module.

As mentioned earlier, unpacking this one is special; check the directory first. I hope you did it this way.

cp -rp install/unix local
cd local
make
mv rsaref.a librsaref.a

22, [openssl-engine-0.9.6c]: the OpenSSL engine.

./config --prefix=/usr/local/ssl -L`pwd`/../rsaref-2.0/local/ -lrsaref -fPIC
make
make test
make install

23, [mod_ssl-2.8.6-1.3.23]

./configure --with-apache=../apache_1.3.23

24, [apache_1.3.23] step 2

./configure --prefix=/usr/local/apache --enable-shared=ssl \
  --enable-module=ssl --activate-module=src/modules/php4/libphp4.a
make
make certificate TYPE=custom (answer some questions)
make install

25, finishing up:

Edit the /usr/local/apache/conf/httpd.conf file and add a line:

AddType application/x-httpd-php .php

26. Check the correctness of the configuration file with the command /usr/local/apache/bin/apachectl configtest.

27, start the Apache server with /usr/local/apache/bin/apachectl start

28, create a test.php file in /usr/local/apache/htdocs containing the following:

<?php
phpinfo();
?>

29. Look at this machine from a browser on another machine: http://xxx.xxx.xxx.xxx/test.php shows the PHP configuration summary; check whether the modules compiled in above are present.

30. Testing SSL is more troublesome: you need to start Apache with apachectl startssl and then generate a number of certificates. It will not be discussed here.

31. Copy the /usr/local/apache/bin/apachectl file to /etc/rc.d/init.d, then in /etc/rc.d/rc3.d create a symbolic link pointing to that file in /etc/rc.d/init.d:

ln -s ../init.d/apachectl S70apachectl

This will start Apache and its large stack of modules automatically.

Phew (wiping sweat), at this point a full-featured web server system is basically complete.

(5) Install the FTP server

(6) Install POP3 server

Some mail servers come with POP3 built in (such as qmail and xmail); if you use one of those mail servers, of course you do not need to install POP3 separately. The mail servers in common use at present are mainly sendmail and Postfix; these mail servers deliver to system users, and the POP3 server we install here only serves the mail of system users. The version and download address used here:

qpopper4.0.3.tar.gz

http://www.eudora.com/qpopper_general/

Similarly, download the file to /usr/local/src, then follow these steps:

tar zxvf qpopper4.0.3.tar.gz
cd qpopper4.0.3
./configure
make
make install

After this completes, qpopper is installed in /usr/local/sbin (if you would rather put it elsewhere, specify it with ./configure --prefix=/your_path); the program file is called popper. Typically popper is run as a child process of inetd (the Internet super-server). This requires editing the file /etc/inetd.conf as follows:

...
# POP3 mail server
#pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d
pop-3 stream tcp nowait root /usr/local/sbin/popper qpopper -s
...

Add the last line (the popper line) and comment out the original line above it. Note that if your installation path is different, remember to change it. Then get inetd's process number with the following command: ps -ax | grep inetd

You get a result similar to:

248 ?  S  0:00 inetd

What? Which one is the process number? It is the one at the very front. Then restart inetd with the following command:

kill -HUP 248

Check whether POP3 has started with the following command:

netstat -ln | grep 110

If the result looks like this, congratulations:

tcp  0  0  0.0.0.0:110  0.0.0.0:*  LISTEN

One more point: in a few cases the POP3 process needs to listen on its own port rather than being loaded by inetd; the procedure above then changes as follows:

Run ./configure with the --enable-standalone parameter added.

When editing /etc/inetd.conf, do not add the popper line, but you do need to comment out the original pop-3 line (if there is one).

To start it, run /usr/local/sbin/popper xxx.xxx.xxx.xxx:110, where the argument is the local IP address and port to listen on. Note that unless there is a special need, the port must be 110. A final word: in fact the easiest way is to use the POP3 software that comes with your Linux distribution and simply select it during installation.

(7) Install the IMAP server

Almost every distribution ships IMAP server software (generally the University of Washington one), so the best way to install an IMAP server is with your distribution package. In fact, I personally think the IMAP server is rarely used. The download address of the most conventional IMAP server source code is: ftp://ftp.cac.washington.edu/imap/imap.tar.Z

tar zxvf imap.tar.Z
cd imap-2001a
make slx

(If that does not build, try another system type you think may apply; look at the target names in the Makefile with vi.)

Then configure /etc/inetd.conf so that inetd starts the IMAP service. [This section has not been tested successfully; the compile never goes through.]

(8) Install the Squid server

Squid is an excellent proxy server that can be flexibly configured in a variety of forms, including forward proxy, reverse (acceleration) mode and transparent proxy. However, Squid can currently only proxy the HTTP protocol; to proxy FTP, the browser must be configured to emulate the active FTP protocol. The following steps are the process of installing Squid.

1. Download the reverse proxy server software we are going to use, Squid, from: http://www.squid-cache.org/

After downloading, store it in the /usr/local/src directory; the file name is squid-2.4.STABLE2-src.tar.gz

2, tar zxvf squid-2.4.STABLE2-src.tar.gz to unpack it

3, cd /usr/local/src/squid-2.4.STABLE2 to enter the directory

4, ./configure --prefix=/usr/local/squid --enable-heap-replacement --disable-internal-dns sets up the build environment and installs Squid under /usr/local/squid. The second parameter selects the more advanced cache replacement algorithms. The third parameter disables internal DNS resolution. (If Squid is used in a remote cache mode such as GSLB, the option --disable-internal-dns must be added to turn off the internal DNS; otherwise the internal DNS ignores your settings in /etc/hosts and goes straight to a domain name server, which causes a forwarding loop: the refresh request sent to the physical server would, because of the domain name, be handed back by the user's GSLB device, forming a loop.)

5, make starts the compilation

6. make install installs to the path just specified with --prefix=

7. After installation completes, a squid directory is generated in the installation path you specified, containing four directories: bin/ etc/ libexec/ logs/. etc holds the configuration file, bin the executables, and logs the log files.

8. After installation comes debugging the server so that it works according to your requirements. Squid has only one configuration file, squid.conf in the etc directory; all configuration options are in this file, and every configuration item has an explanatory comment. First find the following configuration items in squid.conf:

cache_mem --- Here you set the amount of memory you are prepared to let Squid use as a cache. Note that if your machine has N megabytes of memory, the recommended value here is N/3.

cache_dir /usr/local/squid/cache 100 16 256 --- The first number is the amount of hard disk space you are prepared to use as cache, in megabytes. If you want to use 100 MB of space as cache, write 100 here.

cache_mgr webmaster@test.com --- Fill in the cache administrator's email address; the system notifies the cache administrator automatically.

The cache_replacement_policy and memory_replacement_policy parameters need not use the default LRU algorithm; you can choose one of the following three heap-based algorithms:

heap GDSF: Greedy-Dual Size Frequency
heap LFUDA: Least Frequently Used with Dynamic Aging
heap LRU: LRU policy implemented using a heap

For example:

cache_replacement_policy heap LRU
memory_replacement_policy heap LRU

Now set the ACL access control list. For the sake of simplicity, we open all access here. The ACL configuration has two parts: the acl definition section and the http_access section; the http_access section uses the earlier definitions. First the definition:

acl all src 0.0.0.0/0.0.0.0

Then we comment out all the existing http_access lines and add:

http_access allow all --- Note: all is the acl defined above.

This opens all access. Later, various restrictions can be added as needed.

9. As root, create the group nogroup (and the user nobody if it does not exist):

% su root (if you are not root)
# groupadd nogroup
# useradd nobody (if the user does not exist)

10. Go to the /usr/local directory and, as root, run the following commands to change the owner of the entire squid directory to nobody.nogroup:

# cd /usr/local
# chown nobody.nogroup -R squid

11, su to nobody, go to the /usr/local/squid/bin directory, and run ./squid -z to create the cache swap directories:

# su nobody
$ cd /usr/local/squid/bin
$ ./squid -z

12. After that succeeds, test with: /usr/local/squid/bin/squid -NCd1. This command starts Squid in the foreground. If everything is normal, you will see the line of output: Ready to serve requests.

13. Exit the foreground test with Ctrl-C.

14. Start Squid as a daemon by running it directly: /usr/local/squid/bin/squid

15, check the status with squid -k check

16, stop Squid with squid -k shutdown

If only a basic forward proxy is to be configured, the above is enough. The following steps configure a reverse proxy server that supports multiple domain names. Fortunately, all of Squid's configuration lives under /usr/local/squid; the settings related to the reverse proxy are introduced as follows:

17. http_port 80 --- The "http_port" parameter specifies the port on which Squid listens for browser client requests.

18. icp_port 0 --- The "icp_port" parameter specifies the port on which Squid sends and receives ICP requests among neighbour cache servers. It is set to 0 because Squid is configured here as an accelerator for an internal web server, so the caches of neighbour servers are not needed.

19, emulate_httpd_log on --- Turning on the "emulate_httpd_log" option makes Squid write access records in the web server's log format. If you want to use a web access log analysis program, you need to set this parameter.

20, redirect_rewrites_host_header off --- By default, Squid rewrites the Host header of any redirected request. If Squid runs in accelerator mode, the redirect feature is not needed. This parameter is turned on when the load is heavy.

21, httpd_accel_host virtual --- Sets the host name of the reverse proxy; if you cache several domain names behind it, use virtual host mode (virtual).

22, httpd_accel_port 80 --- Sets the web service port of the reverse proxy.

23, # httpd_accel_with_proxy off --- Uncomment this line so that a normal proxy cache service is provided at the same time as the reverse proxy (the value must be on for that). If the line is left commented out, there is no forward caching function.

24, define the access control list:

acl port80 port 80
acl accel_host1 dstdomain .test.com
acl accel_host2 dstdomain .test.net
...
http_access allow accel_host1 port80
http_access allow accel_host2 port80
http_access deny all

25. When this is complete, reload the configuration file with squid -k reconfigure.
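An added Python model (not Squid's own code) of the http_access semantics that both the "allow all" setting in step 8 and the reverse-proxy list in step 24 rely on; the configurations and requests are constructed here, and the 192.168.1.0/24 LAN acl is an assumption.

```python
"""A model of how Squid evaluates http_access lines.

Added example, not Squid's own code. It reproduces the semantics that
decide what the ACLs in this section let through: http_access lines are
tested in order, every acl named on one line must match (AND), the first
matching line decides, and when no line matches Squid uses the opposite
of the last line's action (a missing final "deny all" is therefore a
trap). Only the src, dstdomain and port acl types used above are
modelled; the configurations and requests are constructed here.
"""
import ipaddress

# The "open everything" forward-proxy ACL from step 8 above.
OPEN_CONF = """
acl all src 0.0.0.0/0.0.0.0
http_access allow all
"""

# The reverse-proxy ACL from step 24 above.
ACCEL_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl port80 port 80
acl accel_host1 dstdomain .test.com
acl accel_host2 dstdomain .test.net
http_access allow accel_host1 port80
http_access allow accel_host2 port80
http_access deny all
"""

# A constructed tighter forward-proxy ACL: only the internal LAN (assumed
# 192.168.1.0/24) may use the proxy, and the final deny makes that explicit.
LAN_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all
"""


def parse_acl_conf(text):
    """Return ({acl name: [(type, values)]}, [(action, [acl names])])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            acls.setdefault(words[1], []).append((words[2], words[3:]))
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def _port_matches(port, spec):
    """Squid port acls take single ports or lo-hi ranges."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _acl_matches(kind, values, req):
    """One acl line matches when any of its values matches the request."""
    if kind == "src":
        src = ipaddress.ip_address(req["src"])
        return any(src in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":
        host = req["host"].lower()
        for v in (d.lower() for d in values):
            # a leading dot matches the domain itself and all its subdomains
            if v.startswith(".") and (host == v[1:] or host.endswith(v)):
                return True
            if not v.startswith(".") and host == v:
                return True
        return False
    if kind == "port":
        return any(_port_matches(req["port"], v) for v in values)
    raise ValueError(f"acl type {kind} is not modelled here")


def evaluate(acls, rules, req):
    """Return 'allow' or 'deny' for req under the parsed configuration."""
    for action, names in rules:
        line_matches = True
        for name in names:
            negate = name.startswith("!")
            entries = acls.get(name.lstrip("!"))
            if entries is None:
                raise ValueError(f"http_access refers to undefined acl {name}")
            matched = any(_acl_matches(k, v, req) for k, v in entries)
            if matched == negate:        # this acl fails, so the whole line fails
                line_matches = False
                break
        if line_matches:
            return action
    if not rules:
        return "deny"
    # no line matched: the default is the opposite of the last line's action
    return "deny" if rules[-1][0] == "allow" else "allow"


def decide(conf_text, src, host, port):
    """Decision for one request (constructed fields) against one squid.conf text."""
    acls, rules = parse_acl_conf(conf_text)
    return evaluate(acls, rules, {"src": src, "host": host, "port": port})


if __name__ == "__main__":
    print(decide(OPEN_CONF, "203.0.113.5", "www.example.org", 80))   # allow
    print(decide(ACCEL_CONF, "203.0.113.5", "www.test.com", 80))     # allow
    print(decide(ACCEL_CONF, "203.0.113.5", "www.example.org", 80))  # deny
    print(decide(LAN_CONF, "203.0.113.5", "www.example.org", 80))    # deny
```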

(9) Install SSH

---

(10) Configure Linux to router

---

(11) Configure a Linux gateway and install the ipchains / iptables firewall

For firewalls on Linux, ipchains is the most commonly used, and it is usually installed as an additional component of the gateway. The rules of ipchains are very complex and flexible and can be formulated in countless ways; they need to be combined with your own actual situation. Here we only introduce a simple configuration based on the gateway. Installing ipchains is generally nothing to worry about, because almost all Linux distributions install the software by default. Another reason is that ipchains is closely tied to the kernel, so it is best to select the relevant option (if any) when installing the system. The title also mentions iptables; on the surface this tool is equivalent to ipchains, but it is only used with the 2.4 kernel (the 2.4 kernel's code in this area was almost completely rewritten, and its functionality has grown a great deal). We will introduce the iptables tool later. You only need to remember: 2.2 kernels use ipchains, 2.4 kernels use iptables.

First, your server needs two network cards (or more); such a machine is called a "multi-homed host" and is specifically used as a gateway or router. In general, a host serving as a normal server needs only one network card even if the load is heavy; only a gateway or router needs two. It is not, as many people think, that a second network card adds bandwidth; in fact one network card provides sufficient bandwidth. Also, some people wrongly give two network cards two addresses on the same switch, which is even more wrong, because this produces an extra loop route and generates a large number of internal warning errors; some systems will even raise alarms.

1. Build a dual-interface (multi-homed) host.

Usually the installer of a current distribution can identify two network cards, which saves work. But many distributions only identify the first network card (perhaps for the reason just mentioned), or you have to add a network card to a machine that is already set up (because you don't want to reinstall the system); in that case proceed as follows.

1.1, Let's assume a PCI network card. Before installing, look at the network card chip and note the chip model (I hope you have the machine in front of you).

1.2, install the man manual pages (from the distribution).

1.3, search for your network card model in the file /usr/doc/howto/ENGLISH/TXT/Ethernet-HOWTO (it may be compressed), and find the corresponding driver module name.

1.4, if the module does not exist, you need to recompile the kernel: in the menuconfig Network device support section, select your model and mark it * or M. After compiling the kernel, don't forget to build and install the modules: make modules_install. (If this is not clear, look again at the earlier section on compiling the kernel.)

1.5, create /etc/modules.conf with the depmod -a command (if it already exists, this is not needed); on some distributions it is called conf.modules.

1.6, edit this file and add a line: alias eth1 xxxx, where xxxx is the module name you just found. This module is generally the file xxxx.o under /lib/modules/<kernel version>/net/. The file is generated when you compile the kernel modules: everything you marked M in the kernel configuration is compiled into a .o file there, and the network card driver you chose is likewise compiled into a module there.

1.7, run modprobe eth1 to activate the module.

1.8, modify the parts you need to change in the /etc/sysconfig/network file.

1.9, create or modify the /etc/sysconfig/network-scripts/ifcfg-eth1 file (ifcfg-eth0 can serve as a template); set the address to your real situation, such as the network segment you want to connect to. (ifcfg-eth0 / ifcfg-eth1 are the parameter files used by the startup scripts.)

1.10, restart the network: /etc/rc.d/init.d/network restart

1.11, use ifconfig to check whether eth0 / eth1 are up.

1.12, great success!

2, adjust and compile the kernel: the kernel options need to be configured for a gateway. Note: the kernel compilation options here apply only to the 2.2.x versions; version 2.4 is completely different.

2.1 In /usr/src/linux, select the following options:

Networking options
[*] Network firewalls
[*] IP: advanced router
[*] IP: firewalling
[*] IP: firewall packet netlink device
[*] IP: transparent proxy support
[*] IP: masquerading
[*] IP: ICMP masquerading
[*] IP: masquerading special modules support
<M> IP: ipautofw masq support (EXPERIMENTAL)
<M> IP: ipportfw masq support (EXPERIMENTAL)
<M> IP: ip fwmark masq-forwarding support (EXPERIMENTAL)
[*] IP: masquerading virtual server support (EXPERIMENTAL)
(12) IP masquerading VS table size (the Nth power of 2)

The specific options differ from kernel version to kernel version; have a look through them. Whether an option is compiled as a module <M> or into the kernel [*] is your free choice.

2.2, compile the kernel as described earlier; after rebooting it has the gateway function. After starting, verify that the content of the file /proc/sys/net/ipv4/ip_forward is 1. (Don't ask me how to look at it 8-)))

3, set up ipchains

This work is very complicated, but we will only cover enough here to make the gateway pass traffic.

3.1, first look at our imagined environment: your machine has two network cards, one connected to the internal network with an internal address, the other configured with a public network address. From this machine you should be able to ping both the internal network and the external network. Machines on the internal network should be able to ping this machine's external address, and machines on the external network likewise. This shows that forwarding is working.

3.2, now try again: set the gateway of a machine on the internal network to the internal address of your machine, then ping any machine on the external network (not the external address of this machine); the result is that it cannot be reached. The reason is that the ICMP packets going out to the external machine cannot be answered: there is no suitable route, because the reply address of the packet is on the internal network.

3.3, now set up ipchains (the ipchains software applies to the 2.2.x kernel and does not apply to the 2.4.x kernel; for the 2.4.x kernel iptables is recommended, and its usage is described below):

ipchains -A forward -s 192.168.1.0/24 -j MASQ

The address part is the internal network address. The meaning of this line is that everything sent out from the private network is rewritten to the external address (the external address of this machine), so that when external machines respond they send to this machine, which forwards the reply to the internal network. OK, a simple gateway is done. If you need to implement a firewall (packet filtering), you need to configure more complex filtering rules, which act on the input / output / forward chains at the same time.

3.4, automatic start: the chains you set up need to be saved. Create a file rc.ipfwadm in /etc/rc.d and add your chain commands to it. Finally, give this file the x attribute (chmod +x rc.ipfwadm).

4. Use iptables in the 2.4.x kernel to build a Linux firewall (gateway).

4.1 Description and download

As mentioned earlier, in the 2.4 kernel iptables does what ipchains does in the 2.2 kernel. In fact, iptables in the 2.4 kernel contains two completely different parts: packet filtering and address translation. These two functions are logically separate but, for the sake of operating habits, integrated in one configuration program (iptables). If your distribution ships a 2.4 kernel, it usually has iptables and the kernel is already configured for it. If you want to compile a new kernel, or the original kernel does not support iptables, you need to select the relevant options. When configuring the kernel with make menuconfig, enter Networking options and select at least:

[*] Network packet filtering (replaces ipchains)
[*] Network packet filtering debugging (NEW)

Enter: IP: Netfilter Configuration --->

[*] Connection tracking (required for masq/NAT) (NEW)
<*> FTP protocol support (NEW)
<*> IRC protocol support (NEW)
and many more...

Mark all the following options <*>.

Return to the menu above step by step, save the configuration, and then follow the kernel compilation procedure (see the earlier content). What is needed here is that the kernel supports the iptables function; there is also an external program. If you installed directly from a distribution with a 2.4 kernel, you should already have the iptables utility. But if you upgraded a 2.2-kernel distribution directly to a 2.4 kernel, even though the kernel is configured as above, iptables cannot be used: you must also download and compile the external iptables program before you can use iptables. The download address is: http://www.netfilter.org; the downloaded file is iptables-1.2.6a.tar.bz2 or a newer version.

4.2 Installation:

This .bz2 file looks rather strange, doesn't it? Copy the file to /usr/local/src, then unpack, compile and install it with the following commands:

bzip2 -dc iptables-1.2.6a.tar.bz2 | tar xvf -    (don't forget the final '-')

Your system may not have the bzip2 tool; if not, go and download it. Enter the newly generated directory: cd iptables-1.2.6a. Compile and install: make; make install

4.3 Configuration

If you only need to configure a simple gateway, you just need to configure forwarding and the address translation function. I provide the following reference script:

#begin
echo 1 > /proc/sys/net/ipv4/ip_forward
# load the netfilter modules (only needed if they were built as modules)
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
# flush the existing rules
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -F POSTROUTING -t nat
iptables -t nat -F
# forward only what is explicitly allowed
iptables -P FORWARD DROP
iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# rewrite the source of outgoing internal traffic to the gateway's external address
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to 21.9.22.2
#end

The modprobe lines insert the modules for the iptables-related features that were compiled as modules in the kernel (only those you selected as <M>; there may be more lines than shown). These module-insertion lines matter: sometimes after NAT is set up you find FTP does not work, and you have to insert the ip_nat_ftp module by hand (the syntax is: modprobe ip_nat_ftp). The address parts should be determined according to the actual situation of your network. The last line means that packets whose source address is 192.168.1.x are translated to the gateway's external address 21.9.22.2. OK, you have established a basic gateway. In fact iptables is functionally rich and powerful, and its configuration is also very flexible. The firewall function is reached through the -t filter parameter, and the address translation function through -t nat (as above). The firewall function mainly has 3 chains: INPUT, FORWARD, OUTPUT; address translation (NAT) mainly has 3 chains: PREROUTING, POSTROUTING, OUTPUT. You can observe the current state with the following commands: iptables -L -t filter or iptables -L -t nat.
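The translation that the MASQ rule in 3.3 and the SNAT rule in 4.3 perform, as an added Python model that is not code from the manual, from ipchains or from netfilter; the conntrack table, the packet dicts and the remote server address 198.51.100.7 are constructed here, while 192.168.1.0/24 and 21.9.22.2 are the manual's addresses.

```python
"""Model of the source NAT performed by the gateway rules in 3.3 and 4.3.

Added example, not from the manual, ipchains or netfilter. It shows why
"ipchains -A forward -s 192.168.1.0/24 -j MASQ" and
"iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to 21.9.22.2"
make a private network usable behind one public address, and why the
replies described in step 3.2 cannot come back without it. Packets are
plain dicts constructed here; the conntrack table is a dictionary.
"""
import ipaddress

PRIVATE_NET = ipaddress.ip_network("192.168.1.0/24")   # the manual's internal network
GATEWAY_EXT = ipaddress.ip_address("21.9.22.2")        # the manual's external address


def is_publicly_routable(addr):
    """Private (RFC 1918) sources such as 192.168.1.x get no reply from the Internet."""
    return not ipaddress.ip_address(addr).is_private


class SnatGateway:
    """Source NAT on the external interface with a minimal connection-tracking table."""

    def __init__(self, private_net=PRIVATE_NET, ext_addr=GATEWAY_EXT, ext_if="eth1"):
        self.private_net = private_net
        self.ext_addr = str(ext_addr)
        self.ext_if = ext_if
        self.flows = {}       # (proto, src, sport, dst, dport) -> translated source port
        self.reverse = {}     # (proto, remote, rport, translated port) -> (src, sport)
        self._next_port = 1024

    def outbound(self, pkt):
        """POSTROUTING: rewrite the source of internal traffic leaving on ext_if."""
        if pkt["out_if"] != self.ext_if or ipaddress.ip_address(pkt["src"]) not in self.private_net:
            return dict(pkt)                          # rule does not apply, packet untouched
        flow = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if flow not in self.flows:                    # new connection: allocate a port
            self.flows[flow] = self._next_port
            self.reverse[(pkt["proto"], pkt["dst"], pkt["dport"], self._next_port)] = (pkt["src"], pkt["sport"])
            self._next_port += 1
        nat = dict(pkt)
        nat["src"], nat["sport"] = self.ext_addr, self.flows[flow]
        return nat

    def inbound(self, pkt):
        """Reverse translation for a packet arriving on ext_if; None when it is not a tracked reply."""
        if pkt["in_if"] != self.ext_if or pkt["dst"] != self.ext_addr:
            return None
        orig = self.reverse.get((pkt["proto"], pkt["src"], pkt["sport"], pkt["dport"]))
        if orig is None:
            return None                               # unsolicited: the FORWARD policy DROP wins
        nat = dict(pkt)
        nat["dst"], nat["dport"] = orig
        return nat


def run_exchange(gw, client="192.168.1.10", server="198.51.100.7"):
    """One request and its reply through the gateway: (translated request, translated reply)."""
    request = {"proto": "tcp", "src": client, "sport": 40000,
               "dst": server, "dport": 80, "out_if": gw.ext_if}
    out = gw.outbound(request)
    reply = {"proto": "tcp", "src": server, "sport": 80,
             "dst": out["src"], "dport": out["sport"], "in_if": gw.ext_if}
    return out, gw.inbound(reply)


if __name__ == "__main__":
    gw = SnatGateway()
    out, back = run_exchange(gw)
    print("request leaves as", out["src"], out["sport"])        # 21.9.22.2 1024
    print("reply delivered to", back["dst"], back["dport"])     # 192.168.1.10 40000
```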

OK, to configure more flexible and more powerful firewall functions, you are on your own. I recommend two manuals: "Linux 2.4 Packet Filtering HOWTO" and "Linux 2.4 NAT HOWTO". These two documents were written by the original author of iptables and are quite classic. Poor English? It doesn't matter, both documents have Chinese versions. I recommend downloading them from Forever UNIX (http://www.fanqiang.com).

(12) Configure Samba Server

---

(13) Construction of Linux-based VPN networks

Building a VPN is almost one of the most powerful applications of Linux; learning this technology is enough to make you proud. The main purpose of a VPN is to create an encrypted communication mechanism, and then to connect all your subnets in a specific encrypted way so that they form a logically virtual network. Simply put, it is an IP-layer encryption solution for Linux systems. Many components are needed here; they are described below.

1, preparatory work and installation

1.1 Download a 2.4.x kernel from http://www.kernel.org, but not version 2.4.15 (that version has a fatal error). Then put the kernel in /usr/src (here we use linux-2.4.18.tar.gz) and unpack it: tar zxvf linux-2.4.18.tar.gz

1.2 Delete the original link: rm linux

1.3 ln -s linux-2.4.18 linux

1.4 Check the current network card and SCSI models (see the kernel upgrade chapter).

1.5 cd linux (enters the linux-2.4.18 directory)

1.6 make menuconfig

1.7 make dep

1.8 make bzImage

1.9 The compilation work stops here for the moment!

1.10 Download the latest version of the GMP library from http://www.swox.com/gmp to /usr/local/src.

1.11 tar zxvf gmp-4.0.1.tar.gz

1.12 cd gmp-4.0.1

1.13 ./configure

1.14 make

1.15 make install

1.16 Download freeswan-1.97.tar.gz (the version we use here) from http://www.freeswan.org to /usr/local/src

1.17 tar zxvf freeswan-1.97.tar.gz

1.18 Download x509patch-0.9.11-freeswan-1.97.tar.gz from http://www.strongsec.com/freeswan/; this is a patch file. Unpack it, enter the x509 patch directory, copy freeswan.diff to the FreeS/WAN source directory beside it, then go back to the FreeS/WAN source directory and run: patch -p1 < freeswan.diff

1.19 Download OpenSSL version 0.9.6b from http://www.openssl.org to /usr/local/src, unpack it and enter the directory

1.20 ./config (if the original system already has OpenSSL, it should be uninstalled first, but in general you may not be able to uninstall it 8-). If it cannot be uninstalled, find its path and specify that path here with the --prefix= parameter so that the old version is overwritten. Please take this seriously: if you are not sure of the path, the best thing to do is this: go to the FTP site of your distribution's vendor (if you use TurboLinux, ftp.turbolinux.com; with Red Hat, ftp.redhat.com), log in as the anonymous user with an email address as the password, find the area for your distribution version, and download the corresponding RPM package. Note: the package must be at least the i386 version or above. After the download is complete, update with rpm -Uvh. This is the clean way.)

1.21 make (if you upgraded with the RPM package, you do not need this step)

1.22 make test (if you upgraded with the RPM package, you do not need this step)

1.23 make install (if you upgraded with the RPM package, you do not need this step). After installation, run the openssl command and enter "version" to see whether it shows the version you just installed. If not, the originally installed old version was probably not replaced; redo 1.20.

1.24 Return to the FreeS/WAN source directory and run: make menugo. Select every iptables and IPsec option under Networking options. For the IPsec items, change the M (module) in the brackets to * (built into the kernel). At least the following kernel options must be set:

Networking options --->
    [*] Network packet filtering (replaces ipchains)
    [*] Network packet filtering debugging (NEW)
    IP: Netfilter Configuration --->
        <*> Connection tracking (required for masq/NAT) (NEW)
        <*> FTP protocol support (NEW)
        <*> IRC protocol support (NEW)
        ... and so on: mark all the remaining options in this menu <*>

Note: if this machine needs DHCP, also enable Packet socket: mmapped IO and Socket Filtering (see the DHCP chapter).

Back in the previous menu, set every option in the IPsec block at the bottom of the list to <*>. If you plan to use a dial-up link, also select PPP support in Network device support (the pppd you use must be version 2.4 or later).

1.25 Check that the network card and hard disk options are correct. If everything looks right, exit and save the configuration.

1.26 The kernel compiles automatically after you exit; wait for it to finish ...

1.27 When the compile is done, go to /usr/src/linux and run: make modules; make modules_install

1.28 cp System.map /boot/System.map-2.4.18-vpn

1.29 cd arch/i386/boot

1.30 cp bzImage /boot/vmlinuz-2.4.18-vpn

1.31 cd /boot

1.32 rm System.map

1.33 ln -s System.map-2.4.18-vpn System.map

1.34 vi /etc/lilo.conf

Add a section like this (the existing kernel is kept as a fallback entry):

boot=/dev/sda
map=/boot/map
install=/boot/boot.b
prompt
timeout=50
lba32
default=linux-vpn

image=/boot/vmlinuz
        label=linux
        initrd=/boot/initrd
        read-only
        root=/dev/sda5

image=/boot/vmlinuz-2.4.18-vpn
        label=linux-vpn
        initrd=/boot/initrd
        read-only
        root=/dev/sda5

Note that the linux-vpn entry reuses the initrd built for the old kernel. That only works when the driver for the root disk controller and the root filesystem are compiled into the new kernel (which is why 1.4 and 1.25 check them); if they are modules, build a matching initrd for 2.4.18-vpn with your distribution's mkinitrd, or the new kernel will stop when it tries to mount root. Keeping the old entry means you can still boot if that happens.

1.35 Run lilo to write the new boot map

1.36 Reboot

1.37 After the machine comes up, run: ipsec setup restart. It should report no errors and should print the FreeS/WAN version.

Note: a few kernel parameters are also needed; they can be set from rc.local:

echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward

(rp_filter is switched off on the interface carrying IPsec because reverse-path filtering drops packets whose source address does not belong on the interface they arrived through, which is exactly what decrypted tunnel traffic from the remote subnet looks like; ip_forward is what lets the gateway route between the LAN and the tunnel.)

If you built the following two as modules (M instead of * in front of them):

FTP protocol support (NEW)
IRC protocol support (NEW)

then rc.local also needs:

modprobe ip_nat_ftp

(modprobe pulls in ip_conntrack_ftp, which ip_nat_ftp depends on.)
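Before going on to make menugo it is worth checking the kernel configuration mechanically rather than by eye. The script below is an added example, not part of the original manual, of the kernel or of FreeS/WAN: it reads a 2.4 .config, reports which of the options listed above are missing, or built as modules where the text wants them built in, and tries itself on a constructed .config fragment. The CONFIG_ names are the ones I expect from the 2.4 netfilter and FreeS/WAN KLIPS Config.in files; check any name that does not match your tree.

```shell
#!/bin/sh
# Added example (not from the original manual): check a 2.4 kernel .config
# for the netfilter / KLIPS options the steps above require, before building.
# Option names as I know them from the 2.4 net/ipv4/netfilter Config.in and
# FreeS/WAN's net/ipsec Config.in; verify against your tree if one is unknown.

# Options that must be built in (=y); "m" is reported as wrong for these.
REQUIRED_Y="CONFIG_NETFILTER CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_NAT CONFIG_IPSEC CONFIG_IPSEC_ESP CONFIG_IPSEC_AH CONFIG_IPSEC_PFKEYv2"
# Options that may be y or m (if m, rc.local needs the modprobe shown above).
REQUIRED_YM="CONFIG_IP_NF_FTP CONFIG_IP_NF_IRC"
# Needed only if the box will run a DHCP client or server.
DHCP_Y="CONFIG_PACKET_MMAP CONFIG_FILTER"

# config_value FILE OPTION -> prints y, m, n (for "# ... is not set") or "" (absent)
config_value() {
    _v=$(sed -n "s/^$2=\(.*\)$/\1/p; s/^# $2 is not set$/n/p" "$1" | head -n 1)
    printf '%s' "$_v"
}

# check_kernel_config FILE [with_dhcp]
# Prints one line per problem, "OPTION expected=... got=...", returns 1 if any.
check_kernel_config() {
    _cfg=$1; _rc=0
    for o in $REQUIRED_Y; do
        v=$(config_value "$_cfg" "$o")
        [ "$v" = "y" ] || { echo "$o expected=y got=${v:-unset}"; _rc=1; }
    done
    for o in $REQUIRED_YM; do
        v=$(config_value "$_cfg" "$o")
        case "$v" in y|m) ;; *) echo "$o expected=y/m got=${v:-unset}"; _rc=1 ;; esac
    done
    if [ "$2" = "with_dhcp" ]; then
        for o in $DHCP_Y; do
            v=$(config_value "$_cfg" "$o")
            [ "$v" = "y" ] || { echo "$o expected=y got=${v:-unset}"; _rc=1; }
        done
    fi
    return $_rc
}

# Constructed sample .config fragment so the check can be tried offline:
# KLIPS is (wrongly) a module and IRC tracking is off.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=m
# CONFIG_IP_NF_IRC is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_NAT=y
CONFIG_IPSEC=m
CONFIG_IPSEC_ESP=y
CONFIG_IPSEC_AH=y
CONFIG_IPSEC_PFKEYv2=y
EOF

# Real use: check_kernel_config /usr/src/linux/.config with_dhcp
check_kernel_config "$SAMPLE_CFG" || echo "fix the options above in make menuconfig"
```

On the sample the check reports CONFIG_IPSEC as a module and CONFIG_IP_NF_IRC as unset; on a real tree run it against /usr/src/linux/.config after saving the configuration in 1.25 and before letting the build run.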

Once everything is installed, we look at several ways of using the VPN.

2. Configure FreeS/WAN for a pair of gateways, i.e. two subnets talking to each other through two IPsec VPN gateways. The first use is a network-to-network VPN. Typically a company has offices in two distant places, each with its own LAN and each connected to the Internet. LAN A is the company's management centre and runs the management system; users on LAN B also need it. LAN B can reach it over the Internet, but the boss will not have it: our data cannot travel over the public network in the clear, it has to be encrypted. This is exactly what a VPN is for. Put a Linux machine with IPsec (installed as above) at the exit of each of the two LANs, A and B. Traffic from each LAN leaves for the public network through its own IPsec gateway, and everything that passes the gateway is encrypted. The effect is that users on the two LANs can ping each other even though one is 192.168.1.0/24 and the other 192.168.10.0/24; they appear to work on one LAN without a boundary, the encrypted leg over the public network is transparent to them, and what the two LANs exchange across the public network is ciphertext. That is a virtual private network.

I assume you have already installed both machines following the steps above. Here is how to configure the network.

2.1 First configure the IPsec gateway of the head office (it has two network cards, configured as eth1: 192.168.1.231 and eth0: 21.9.22.22). After the installation, the first thing to do is to generate a CA certificate, using the OpenSSL just installed.

2.2 Find the openssl.cnf file, usually in /etc/ssl, /var/ssl or /usr/ssl (if you really cannot find it, search the filesystem for openssl.cnf). If there are several, work out which one belongs to the version you installed. Change default_bits from 1024 to 2048 and default_days to 3650 (a ten-year validity). Save and exit.

2.3 Create a directory under /var: /var/sslca, and set its permissions to 700 (chmod 700 /var/sslca)

2.4 Find the CA.sh script in the directory of the OpenSSL you installed. Make sure it is the CA.sh that belongs to your current OpenSSL version.

2.5 cd /var/sslca to enter the directory just created

2.6 If CA.sh was found in /usr/lib/ssl/misc/, run /usr/lib/ssl/misc/CA.sh -newca. You will be asked a series of questions; they and the answers look like the following. Change the values you need to change, such as the company name, e-mail address and password; if unsure, you can copy the answers below.

~/sslca # /usr/lib/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)
(Enter)
Making CA certificate ...
Using configuration from /usr/lib/ssl/openssl.cnf
Generating a 2048 bit RSA private key
........................................
........................................
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase: (enter password)
Verifying password - Enter PEM pass phrase: (enter the same password again)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US (Enter)
State or Province Name (full name) [Some-State]:State (Enter)
Locality Name (eg, city) []:City (Enter)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:EXAMPLECO (Enter)
Organizational Unit Name (eg, section) []:(Enter)
Common Name (eg, YOUR name) []:CA (Enter)
Email Address []:ca@xxx.com (Enter)
~/sslca #

2.7 Next, generate a certificate for the gateway. The command and the questions to answer are as follows:

~/sslca # /usr/lib/ssl/misc/CA.sh -newreq
Using configuration from /usr/lib/ssl/openssl.cnf
Generating a 2048 bit RSA private key
.................................
...............................
writing new private key to 'newreq.pem'
Enter PEM pass phrase: (enter password)
Verifying password - Enter PEM pass phrase: (repeat password)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US (Enter)
State or Province Name (full name) [Some-State]:State (Enter)
Locality Name (eg, city) []:City (Enter)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:EXAMPLECO (Enter)
Organizational Unit Name (eg, section) []:(Enter)
Common Name (eg, YOUR name) []:vpnserver.rd.xxx.com (Enter)
Email Address []:user@xxx.com (Enter)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:(Enter)
An optional company name []:(Enter)
Request (and private key) is in newreq.pem

Now sign the request with the CA:

~/sslca # /usr/lib/ssl/misc/CA.sh -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter PEM pass phrase: (the password you entered for the CA certificate)
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'State'
localityName          :PRINTABLE:'City'
organizationName      :PRINTABLE:'EXAMPLECO'
commonName            :PRINTABLE:'vpnserver.rd.xxx.com'
emailAddress          :IA5STRING:'user@xxx.com'
Certificate is to be certified until ... 13 16:28:40 2012 GMT (3650 days)
Sign the certificate? [y/n]:y (Enter)
1 out of 1 certificate requests certified, commit? [y/n]y (Enter)
Write out database with 1 new entries
Data Base Updated
(certificate snipped)
Signed certificate is in newcert.pem

Remember the passwords entered in the steps above. If something goes wrong and you want to start over, delete all the subdirectories and files under /var/sslca first.

2.8 Rename the files as you need:

~/sslca # mv newcert.pem vpnserver.rd.xxx.com.pem
~/sslca # mv newreq.pem vpnserver.rd.xxx.com.key

2.9 Edit the .key file and delete everything from '-----BEGIN CERTIFICATE REQUEST-----' onward. The file should then run from '-----BEGIN RSA PRIVATE KEY-----' to '-----END RSA PRIVATE KEY-----' and contain nothing else. It is the gateway's private key, so keep it readable by root only (mode 600).

2.10 If the X.509 patch was installed properly you should find /etc/ipsec.d with subdirectories below it; if not, create them yourself. Then copy the files to the right places (still working in /var/sslca):

# cp vpnserver.rd.xxx.com.key /etc/ipsec.d/private
# cp vpnserver.rd.xxx.com.pem /etc/ipsec.d
# openssl x509 -in demoCA/cacert.pem -outform der -out rootca.der
# cp rootca.der /etc/ipsec.d/cacerts/rootca.der
# openssl x509 -in vpnserver.rd.xxx.com.pem -outform der -out /etc/x509cert.der
# openssl ca -gencrl -out crl.pem
# cp crl.pem /etc/ipsec.d/crls

(/etc/x509cert.der is this gateway's own certificate in DER form, which this version of the X.509 patch reads from that fixed path. /etc/ipsec.d/private holds the private key and must not be readable by anyone but root.)

2.11 In /etc/ipsec.secrets add the line

: RSA vpnserver.rd.xxx.com.key "password"

and delete all other lines. The password is the pass phrase you entered when the gateway's key was generated in 2.7 (not the CA password). Because the file holds that pass phrase, it must be owned by root with mode 600.
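Steps 2.6 to 2.10 can also be done without CA.sh, using the openssl commands it wraps. The script below is an added example (not from the manual, and not part of OpenSSL or FreeS/WAN) that assumes the /var/sslca directory, the demoCA layout CA.sh uses, the openssl.cnf edits from 2.2 and the example hostnames above. The certificate functions need openssl and root and are not exercised by the constructed sample at the end, which only demonstrates the key extraction of step 2.9 on placeholder PEM blocks.

```shell
#!/bin/sh
# Added example (not from the original manual): the certificate steps 2.6-2.10
# done with the openssl command line instead of CA.sh. Assumes the demoCA
# layout that CA.sh creates under /var/sslca and the openssl.cnf edits above
# (default_bits 2048, default_days 3650). Hostnames are the manual's examples.
set -u

CADIR=/var/sslca            # assumed, as in the manual
CA_SUBJ="/C=US/ST=State/L=City/O=EXAMPLECO/CN=CA/emailAddress=ca@xxx.com"

# extract_private_key IN OUT: keep only the RSA PRIVATE KEY block of a
# newreq.pem-style file (step 2.9), dropping the CERTIFICATE REQUEST block.
extract_private_key() {
    sed -n '/^-----BEGIN RSA PRIVATE KEY-----$/,/^-----END RSA PRIVATE KEY-----$/p' "$1" > "$2"
    chmod 600 "$2"
    grep -q '^-----END RSA PRIVATE KEY-----$' "$2"   # fail if no key was found
}

# pem_blocks FILE: list the BEGIN labels in a PEM file (used to check results)
pem_blocks() { sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | tr '\n' ' ' | sed 's/ $//'; }

# new_ca: step 2.6, a self-signed CA valid for 3650 days
new_ca() {
    mkdir -p "$CADIR/demoCA/private" "$CADIR/demoCA/newcerts"
    chmod 700 "$CADIR" "$CADIR/demoCA/private"
    touch "$CADIR/demoCA/index.txt"
    [ -f "$CADIR/demoCA/serial" ] || echo 01 > "$CADIR/demoCA/serial"
    [ -f "$CADIR/demoCA/crlnumber" ] || echo 01 > "$CADIR/demoCA/crlnumber"
    ( cd "$CADIR" && openssl req -new -x509 -days 3650 -newkey rsa:2048 \
        -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem -subj "$CA_SUBJ" )
}

# gateway_cert HOST EMAIL: steps 2.7-2.10 for one gateway, e.g.
#   gateway_cert vpnserver.rd.xxx.com user@xxx.com
# Like CA.sh -newreq, key and request are written to the same newreq.pem.
gateway_cert() {
    host=$1; email=$2
    ( cd "$CADIR" &&
      openssl req -new -newkey rsa:2048 -keyout newreq.pem -out newreq.pem \
          -subj "/C=US/ST=State/L=City/O=EXAMPLECO/CN=$host/emailAddress=$email" &&
      openssl ca -batch -policy policy_anything -out newcert.pem -infiles newreq.pem &&
      mv newcert.pem "$host.pem" &&
      extract_private_key newreq.pem "$host.key" &&
      rm -f newreq.pem &&
      openssl x509 -in demoCA/cacert.pem -outform der -out rootca.der &&
      openssl ca -gencrl -out crl.pem &&
      install -m 600 "$host.key" /etc/ipsec.d/private/ &&
      install -m 644 "$host.pem" /etc/ipsec.d/ &&
      install -m 644 rootca.der /etc/ipsec.d/cacerts/ &&
      install -m 644 crl.pem /etc/ipsec.d/crls/ )
}

# Constructed sample (placeholder contents, not a real key) to try step 2.9
# offline: a newreq.pem-style file with a key block followed by a request block.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
MIIEsampleplaceholder
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
MIICsampleplaceholder
-----END CERTIFICATE REQUEST-----
EOF
extract_private_key "$SAMPLE" "$SAMPLE.key"
pem_blocks "$SAMPLE.key"   # -> RSA PRIVATE KEY
echo
```

The host certificate in /etc/x509cert.der (step 2.10) is not produced here because later versions of the patch take it from leftcert instead; add the openssl x509 -outform der line from 2.10 if your version still needs it. Running new_ca and gateway_cert prompts for the pass phrases exactly as CA.sh does.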

2.12 Edit /etc/ipsec.conf so that it looks like this:

# basic configuration
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        left=%defaultroute
        leftcert=vpnserver.rd.xxx.com.pem
        auto=add
        pfs=yes

conn roadwarrior
        right=%any

conn roadwarrior-net
        leftsubnet=192.168.1.0/255.255.255.0
        right=%any

conn net-net
        leftsubnet=192.168.1.0/255.255.255.0
        right=%any
        rightsubnet=192.168.10.0/255.255.255.0

conn world-net
        leftsubnet=*
        right=%any
        rightsubnet=192.168.10.0/255.255.255.0

The values you must adapt to your own environment are the subnets (here 192.168.1.0/24 and 192.168.10.0/24) and the certificate name: vpnserver.rd.xxx.com.pem is this gateway's own host certificate from 2.8, not the CA certificate (the CA certificate lives in /etc/ipsec.d/cacerts and is found there without being named here). This configuration is general: it serves both the LAN-to-LAN case and the road-warrior case described later, so the same file covers both uses.

2.13 Now configure the branch office gateway. FreeS/WAN must already be installed on that machine too.

Repeat steps 2.7 to 2.9 on the head-office CA to produce a certificate for the branch; when answering the questions, give the branch gateway's hostname as the Common Name, e.g. vpnclient.rd.xxx.com.

2.14 Carry the resulting files to the branch gateway (for example on a floppy) and copy them into place:

cp vpnserver.rd.xxx.com.pem /etc/ipsec.d
cp vpnclient.rd.xxx.com.key /etc/ipsec.d/private
cp vpnclient.rd.xxx.com.pem /etc/ipsec.d

Then run: openssl x509 -in vpnclient.rd.xxx.com.pem -outform der -out /etc/x509cert.der

cp rootca.der /etc/ipsec.d/cacerts/rootca.der
cp crl.pem /etc/ipsec.d/crls

Note that with this procedure the branch's private key is generated at head office and carried across on removable media; wipe the floppy afterwards. The cleaner alternative is to run CA.sh -newreq on the branch machine itself and carry only the request (newreq.pem with its private key block removed) to the CA for signing, so the private key never leaves the gateway it belongs to.

2.15 On the branch, /etc/ipsec.secrets contains a single line:

: RSA vpnclient.rd.xxx.com.key "password"

Delete all other lines. The password is the pass phrase entered when the branch key was generated.

2.16 Configure /etc/ipsec.conf:

# basic configuration
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=0
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        rightrsasigkey=%cert
        leftrsasigkey=%cert
        right=%defaultroute
        rightcert=vpnclient.rd.xxx.com.pem
        auto=add
        pfs=yes

conn roadwarrior
        left=21.9.22.22
        leftcert=vpnserver.rd.xxx.com.pem

conn roadwarrior-net
        left=21.9.22.22
        leftcert=vpnserver.rd.xxx.com.pem
        leftsubnet=192.168.1.0/255.255.255.0

conn net-net
        left=21.9.22.22
        leftcert=vpnserver.rd.xxx.com.pem
        leftsubnet=192.168.1.0/255.255.255.0
        rightsubnet=192.168.10.0/255.255.255.0

Adapt the values to your own environment: the head office's public address in left= (21.9.22.22 here), the two subnets and the two certificate names are what change.

2.17 Start IPsec on the head-office gateway first: ipsec setup restart. Then start IPsec on the branch gateway the same way.

2.18 Bring the tunnel up: ipsec auto --up net-net. You can then use ipsec whack --status to see the connections just established. At this point hosts on the two subnets should be able to ping each other.

3. Configure FreeS/WAN for remote client access, i.e. allow a Windows client to reach the company network through the VPN.

The second way to use the VPN is to shrink the branch LAN down to a single machine with no fixed address. This suits the general manager connecting to the company LAN while travelling: nothing on the path from the ISP across the public network sees anything but encrypted data. The server side is configured exactly as above (remember? the configuration given earlier already covers both uses). What remains is to turn the general manager's notebook into a VPN client. It should run Windows 2000 upgraded to SP2.

3.1 Repeat steps 2.7 to 2.9 to generate a certificate; for the hostname enter the general manager's machine name, something like win.rd.xxx.com. Naturally the machine must actually carry that name.

3.2 On the server, convert the key and certificate into the PKCS#12 (.p12) format that Windows understands:

openssl pkcs12 -export \
    -in win.rd.xxx.com.pem \
    -inkey win.rd.xxx.com.key \
    -certfile demoCA/cacert.pem \
    -out win.rd.xxx.com.p12

3.3 Print the CA's subject with the following command and save the output to a file; it is needed later:

openssl x509 -in demoCA/cacert.pem -noout -subject

3.4 Transfer the .p12 file generated above to the general manager's machine and keep it somewhere safe. It contains the private key and is protected only by the export password, so treat it as a secret.

3.5 On the general manager's machine, download ipsec.exe from http://vpn.ebootis.de

3.6 Download the Windows 2000 IPSec resource kit tool from http://agent.microsoft.com/windows2000/techinfo/reskit/tools/existing/ipsecpolo.asp

3.7 Install both pieces of software and put them in the same directory.

3.8 Create an IPsec MMC console (I hope you know what the MMC is):

Start / Run / mmc
File (or Console) - Add/Remove Snap-in
Click 'Add'
Select 'Certificates', then 'Add'
Choose 'Computer account', then 'Next'
Choose 'Local computer', then 'Finish'
Select 'IP Security Policy Management', then 'Add'
Choose 'Local computer', then 'Finish'
Choose 'Close', then 'OK'

3.9 Add the certificate

Expand 'Certificates (Local Computer)' in the left pane
Right-click 'Personal', choose 'All Tasks', then 'Import'
Click Next
Enter the path of the .p12 file (the one just copied from the server gateway; use Browse), then Next. Enter the export password, then Next. Choose 'Automatically select the certificate store based on the type of certificate', then Next. Answer Yes to any prompt that pops up. Exit the MMC and save the console to Administrative Tools so you do not have to rebuild it every time. The certificate is now installed on the general manager's machine.

3.10 Set up the IPsec tool:

Edit the ipsec.conf file on the general manager's machine. Put the subject printed by openssl x509 -in demoCA/cacert.pem -noout -subject into rightca=. The file looks like this:

conn roadwarrior
        left=%any
        right=(IP_OF_REMOTE_SYSTEM)
        rightca="C=US, S=State, L=City, O=EXAMPLECO, CN=CA, Email=ca@xxx.com"
        network=auto
        auto=start
        pfs=yes

conn roadwarrior-net
        left=%any
        right=(IP_OF_REMOTE_SYSTEM)
        rightsubnet=192.168.1.0/24
        rightca="C=US, S=State, L=City, O=EXAMPLECO, CN=CA, Email=ca@xxx.com"
        network=auto
        auto=start
        pfs=yes

The values to get right are the gateway's public address in right= (21.9.22.22 in this example), the subnet behind it, and the rightca string, which must match the CA subject exactly.

3.12 Run ipsec.exe; the output looks like this:

C:\ipsec> ipsec
IPSec Version 2.1.4 (c) 2001, 2002 Marcus Mueller
Getting running Config ...
Microsoft's Windows XP identified
Host name is: (local_hostname)
No RAS connections found.
LAN IP address: (local_ip_address)
Setting up IPSec ...
        Deactivating old policy...
        Removing old policy...
Connection roadwarrior:
        MyTunnel     : (local_ip_address)
        MyNet        : (local_ip_address)/255.255.255.255
        PartnerTunnel: (ip_of_remote_system)
        PartnerNet   : (ip_of_remote_system)/255.255.255.255
        CA (ID)      : C=US, S=State, L=City, O=EXAMPLECO, ...
        PFS          : y
        Auto         : start
        Auth.Mode    : MD5
        Rekeying     : 3600S/50000K
        Activating policy...
Connection roadwarrior-net:
        MyTunnel     : (local_ip_address)
        MyNet        : (local_ip_address)/255.255.255.255
        PartnerTunnel: (ip_of_remote_system)
        PartnerNet   : (remote_subnet)/(remote_netmask)
        CA (ID)      : C=US, S=State, L=City, O=EXAMPLECO, ...
        PFS          : y
        Auto         : start
        Auth.Mode    : MD5
        Rekeying     : 3600S/50000K
        Activating policy...
C:\ipsec>

Now ping a host on the intranet behind the server from the client: after a few 'Negotiating IP Security' replies the pings get through. The general manager can then reach the company from this notebook over the Internet as if sitting in the office.

One thing worth stressing: for security, close every other service on the VPN gateway and configure its firewall carefully. As for NAT: if you want to send all of the branch's traffic through the head-office gateway, no iptables rule is needed on the branch gateway; otherwise the branch gateway needs a masquerading rule so its LAN can reach the Internet directly:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

On the head-office gateway, because it is the branch's way out, add:

iptables -t nat -A POSTROUTING -o ipsec0 -s ! 192.168.10.0/255.255.255.0 -j SNAT --to 192.168.1.231
iptables -t nat -A POSTROUTING -o eth1 -s ! 192.168.10.0/255.255.255.0 -j SNAT --to 192.168.1.231

In each rule the subnet is the branch's network segment and the address after --to is this gateway's inner (LAN-side) address. Whatever NAT you add, packets travelling between the two LANs must keep their original addresses, or they no longer match the leftsubnet/rightsubnet of the tunnel; the "-s !" exclusions above are what keep them intact.

Note: the original material is at http://vpn.ebootis.de/ and the details are at http://www.natecarlson.com/include/showpage.php?cat=linux&page=ipsec-x509
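The advice above to close every other service and configure the firewall carefully deserves a concrete policy. The script below is an added example, not from this manual or the pages it references: a minimal netfilter rule set for a KLIPS gateway that accepts only IKE (UDP 500), ESP and AH on the public interface, allows SSH to the gateway from the LAN side only, forwards only between the LAN and ipsec0 (plus the LAN's own Internet access), and NATs LAN traffic except what is headed for the remote subnet. Interface names and addresses follow the head-office gateway in this text; ADMIN_NET is an assumption. The rules are printed for review unless the script is run with "apply".

```shell
#!/bin/sh
# Added example (not from the original manual): a minimal netfilter policy for
# a FreeS/WAN (KLIPS) gateway. Addresses and interfaces are the head-office
# gateway of the text (eth0 public 21.9.22.22, eth1 LAN 192.168.1.231,
# LAN 192.168.1.0/24, branch 192.168.10.0/24); swap them for the branch.

PUB_IF=eth0; LAN_IF=eth1; VPN_IF=ipsec0
PUB_IP=21.9.22.22
LAN_NET=192.168.1.0/24
REMOTE_NET=192.168.10.0/24
ADMIN_NET=192.168.1.0/24   # assumed: where SSH to the gateway is allowed from

# vpn_firewall_rules: print the iptables commands, one per line.
# Uses the "-d ! net" negation syntax of the iptables 1.2 releases of that era.
vpn_firewall_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $PUB_IF -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $PUB_IF -p 50 -j ACCEPT
iptables -A INPUT -i $PUB_IF -p 51 -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $ADMIN_NET -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $VPN_IF -p icmp -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $VPN_IF -s $LAN_NET -d $REMOTE_NET -j ACCEPT
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -s $REMOTE_NET -d $LAN_NET -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $PUB_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $PUB_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $PUB_IF -s $LAN_NET -d ! $REMOTE_NET -j SNAT --to-source $PUB_IP
EOF
}

# rule_count: number of rules the policy installs (excluding flushes and policies)
rule_count() { vpn_firewall_rules | grep -c -- ' -A '; }

case "${1:-}" in
    apply) vpn_firewall_rules | sh -e ;;   # run as root on the gateway
    *)     vpn_firewall_rules ;;           # default: print for review
esac
```

Note what is deliberately absent: nothing is accepted on eth0 except the three IPsec protocols, so the gateway runs no reachable service on its public address, and forwarding between the two LANs is restricted to the exact subnet pair of the net-net tunnel, so a host that somehow reaches ipsec0 with another source address is dropped rather than routed.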

(14) Installing another mail system: Postfix

Anything famous seems to attract at least one imitator (Microsoft's Windows series being the exception, since nobody imitates it), and the latecomers often have their own strong points. In the Unix mail-server world no product is as well known as Sendmail, despite its rather embarrassing security record. Many people have written other mail servers to improve on Sendmail, each with distinctive features and a sizable following; the leaders are qmail and Postfix. We choose Postfix here for two reasons. First, Postfix is an MTA (Mail Transport Agent) designed for heavily loaded mail servers, whereas qmail's throughput is lower (it suits small and medium installations); in some cases Postfix is as much as three times faster than Sendmail. Second, Postfix was designed to be Sendmail-compatible and can use the equivalent configuration files directly, so existing Sendmail users upgrade to Postfix easily. That "preferential" upgrade path is what attracts many former Sendmail users.

The most basic steps to install and configure Postfix are:

1. Download the latest Postfix from http://www.postfix.org. The version used here is 1.1.5, file postfix-1.1.5.tar.gz; download it to /usr/local/src

2. cd /usr/local/src

3. tar zxvf postfix-1.1.5.tar.gz to unpack the archive

4. cd postfix-1.1.5

5. vi INSTALL and read the installation notes and caveats carefully

6. make clean

7. make

8. useradd postfix (or adduser postfix) to add a new user. Then edit /etc/passwd with vi so that the postfix line looks like: postfix:*:2126:2128:postfix:/no/where:/no/shell, leaving the numeric fields as the system assigned them. A locked password, a non-existent home directory and no shell mean the account cannot be logged into; this is done for security.

9. groupadd postdrop creates a group that must contain no user. Its line in /etc/group looks like: postdrop:*:54321:

10. Check that /etc/mail/aliases has a "postfix: root" line; add it if not.

11. # mv /usr/sbin/sendmail /usr/sbin/sendmail.off

12. # mv /usr/bin/newaliases /usr/bin/newaliases.off

13. # mv /usr/bin/mailq /usr/bin/mailq.off

14. # chmod 755 /usr/sbin/sendmail.off /usr/bin/newaliases.off /usr/bin/mailq.off

15. make install (new installation)

16. make upgrade (upgrade)

During whichever of the two steps you run, the script asks for many paths; it is recommended not to change them unless you are sure the default needs changing.

17. Start it with: postfix start

Note: steps 10-14 are for upgrading from Sendmail.

Quite possibly the system still cannot send and receive mail after the installation. First, install a POP3 service so mail can be fetched (see the POP3 chapter). Then check the following configuration files.

1. /etc/mail/access controls who may relay; it looks like the following. Note: do not copy it blindly.

127.0.0.1 relay
21.9.22 relay
211.151.194.14 relay

This file can in fact be defined quite elaborately; a template and instructions are in /etc/postfix/access. Postfix only consults it if main.cf refers to it (for example through smtpd_client_restrictions = check_client_access hash:/etc/mail/access), and every address listed here is trusted, so keep it to addresses you own.

2. After editing /etc/mail/access, compile it into database form: postmap hash:/etc/mail/access, which writes /etc/mail/access.db (makemap is Sendmail's tool; postmap is the Postfix equivalent)

3. /etc/mail/aliases is the alias file, similar to:

mailer-daemon: postmaster
postmaster: root
bin: root
daemon: root
nobody: root
postfix: root

A template and instructions for this file are in /etc/postfix/aliases. After editing, run newaliases to convert it to database form. Make sure alias_maps in main.cf points at this file (hash:/etc/mail/aliases), since many builds default to /etc/aliases instead.

4. /etc/mail/local-host-names lists the names of the local host, for example:

rd.xxx.com
tls65.rd.xxx.com

(This is Sendmail's file; what Postfix itself uses to decide which names are local is the mydestination parameter in 5.3, so list the same names there.)

5. The main configuration file is /etc/postfix/main.cf. Have a look at it: is it not far friendlier than sendmail.cf? Every item has a detailed explanation and an example. The most important ones (the bare minimum to get it running) are introduced below.

5.1 mydomain

Your domain name; here we specify:

mydomain = test.com

5.2 myorigin

The myorigin parameter gives the domain that locally posted mail appears to come from: if a user's address is user@domain.com, this is the part after the @. Here we specify:

myorigin = $mydomain

5.3 mydestination

The mydestination parameter lists the recipient domains Postfix accepts mail for, in other words which mail this system delivers locally. Usually it is the same as myorigin:

mydestination = $mydomain

In practice you also list $myhostname and localhost.$mydomain here, otherwise mail addressed to the machine's own hostname is not accepted as local.

5.4 mynetworks_style

Sets how the trusted network is derived; we specify:

mynetworks_style = subnet

5.5 mynetworks

Defines the client addresses that may use this SMTP server to relay. Since the company's address range is known, we specify it explicitly:

mynetworks = 192.168.1.0/24

When mynetworks is set explicitly, mynetworks_style is ignored. This parameter is what stands between you and being an open relay: never put 0.0.0.0/0 or an address range you do not own here.
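Because mynetworks and mynetworks_style decide who may relay, it pays to check them before starting Postfix. The script below is an added example (not from the manual and not part of Postfix) that reads these two parameters out of a main.cf, resolving the last occurrence as Postfix does, and flags settings that would make the server an open relay; the main.cf fragment at the end is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original manual): a relay-safety check of the
# mynetworks / mynetworks_style settings discussed in 5.4-5.5.

# cf_get FILE PARAM -> value of "param = value" (last occurrence wins, as in Postfix)
cf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# check_relay_config FILE: print one "WARN ..." line per finding, return 1 if any
check_relay_config() {
    cfg=$1; rc=0
    style=$(cf_get "$cfg" mynetworks_style)
    nets=$(cf_get "$cfg" mynetworks | tr ',' ' ')
    # mynetworks_style only matters when mynetworks is not set explicitly
    if [ -z "$nets" ] && [ "$style" = "class" ]; then
        echo "WARN mynetworks_style=class trusts the whole class A/B/C of every local interface"
        rc=1
    fi
    for n in $nets; do
        case "$n" in
            */0) echo "WARN mynetworks contains $n: open relay"; rc=1 ;;
            127.*|10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) ;;   # private ranges
            *) echo "NOTE mynetworks contains public range $n: make sure it is only your own addresses" ;;
        esac
    done
    [ -n "$nets" ] || [ -n "$style" ] || echo "NOTE neither mynetworks nor mynetworks_style set: the built-in default (subnet in the 1.x releases) applies"
    return $rc
}

# Constructed main.cf fragment: the 0.0.0.0/0 entry is the mistake being caught.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed main.cf fragment for the demonstration
mydomain = test.com
myorigin = $mydomain
mydestination = $mydomain
mynetworks_style = subnet
mynetworks = 127.0.0.0/8, 192.168.1.0/24, 0.0.0.0/0
EOF

# Real use: check_relay_config /etc/postfix/main.cf
check_relay_config "$SAMPLE" || echo "fix mynetworks before starting postfix"
```

The sample produces a single warning for 0.0.0.0/0; with mynetworks = 192.168.1.0/24 as in 5.5 it is silent and returns 0.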

6. Set the MX record for the domain on the DNS server.

7. Run postfix reload to reload the configuration.

8. Postfix also supports virtual domains; configure them as follows:

8.1 First point the MX record of otherdomain.com (the virtual domain you want to use) at mail.test.com (this domain's mail server); this is done in the DNS that is authoritative for otherdomain.com.

8.2 To let users send and receive mail as username@otherdomain.com, configure the virtual domain by adding the following to main.cf:

virtual_maps = hash:/etc/postfix/virtual

Suppose the users tom, test and white need this virtual domain. First add them as system users (useradd or adduser), then create /etc/postfix/virtual with:

otherdomain.com anything
tom@otherdomain.com tom
test@otherdomain.com test
white@otherdomain.com white

Then build the virtual domain database with postmap:

postmap /etc/postfix/virtual

Once you understand this example, you can build a very flexible multi-domain mail system.

Five, daily maintenance

Editor's note: this article was contributed by an enthusiastic reader of this site. Some of its content is still incomplete; please contact the author. :)

When reprinting, please credit the original: https://www.9cbs.com/read-22121.html