
[Recommended] Setting up the lab gateway server

Setting up the lab gateway server
The gateway server has just been upgraded and configured successfully, so while I have some time I am writing up a "walkthrough" for future reference.

Because of the NGN project and others, our advisor asked us to open an FTP service on the gateway server in our lab (room 415) for the project team to use.

But the hard disk in our server was only 4 GB, which was not enough space, so a disk had to be added. When the advisor brought a 40 GB disk and installed it, we found that the motherboard was too old to support large disks, so we had to change machines.

So, thanks to this requirement, our gateway finally got an upgrade. But compare the two CPUs and you will see what kind of upgrade it was:

This is the original gateway's CPU info:
$ cat /proc/cpuinfo
processor   : 0
vendor_id   : GenuineIntel
cpu family   : 6
model     : 6
model name   : Celeron (Mendocino)
stepping   : 5
cpu MHz     : 334.094
cache size   : 128 KB
fdiv_bug   : no
hlt_bug     : no
sep_bug     : no
f00f_bug   : no
coma_bug   : no
fpu       : yes
fpu_exception   : yes
cpuid level   : 2
wp       : yes
flags     : fpu vme de pse tsc msr pae mce cx8 sep mtrr pge mca cmov pat pse36 mmx fxsr
bogomips   : 666.82

This is the new one:
#cat /proc/cpuinfo
processor   : 0
vendor_id   : GenuineIntel
cpu family   : 6
model     : 6
model name   : Celeron (Mendocino)
stepping   : 5
cpu MHz     : 400.916
cache size   : 128 KB
fdiv_bug   : no
hlt_bug     : no
f00f_bug   : no
coma_bug   : no
fpu       : yes
fpu_exception   : yes
cpuid level   : 2
wp       : yes
flags     : fpu vme de pse tsc msr pae mce cx8 sep mtrr pge mca cmov pat pse36 mmx fxsr
bogomips   : 799.53

Enough chatter; let's look at what we did:

1. The first step, of course, was to check whether the "new" machine would run at all.
The advisor first found a machine that basically worked, containing a 40 GB hard disk.
The plan was still to use an old 4 GB disk as the system disk, with the 40 GB disk as a data disk only.

2. Download Trustix Linux. I downloaded a version 2.2 ISO from http://www.trustix.NET/ and burned it to disc.

3. There were some problems when starting the installation: boot, choose a new install, and it hung before reaching the partitioning screen. Checked the disk jumpers: correct. Then suspected the boot-time message "Primary IDE Channel no 80 conductor cable installed"; with LHL's help I googled it and found it was caused by a mismatch between the data cable and the disk. Switched the motherboard IDE port and the data cable, changed the CMOS settings, done.

Partitioning:
4 GB disk:
/boot 80M
/     remaining space
40 GB disk as the /data partition

Chose a full install, which needs a little over 1 GB.

Installation finished after 30 minutes.

4. Two NICs: the internal NIC has IP 192.168.200.1, the external NIC 202.116.86.150, and iptables is used as the gateway software:
The rules are as follows:
#!/bin/bash
#initialize iptables
#This ensures that the standard TSL support modules are loaded.
#I use 'restart' instead of 'start' because it ensures that the
#iptables service is stopped and started prior to the rest of the
#script. This is intended to ensure that the iptables environment is
#as pristine as possible regardless of its actual previous condition.
#If iptables is not already started you'll probably see an informative
#error that says it couldn't be stopped which is not a problem.
#The important thing is that the start succeeds.
service iptables restart

#clean up existing rules to ensure a clean slate.
#flush existing rules (table names are lowercase: filter, nat, mangle)
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F
#delete custom chains.
iptables -X
#reset packet counters.
iptables -t filter -Z
iptables -t nat -Z
iptables -t mangle -Z
#set default policies.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

#INPUT rules.
#drop all invalid incoming packets.
iptables -A INPUT -m state --state INVALID -j DROP
#accept all input from the loopback device.
iptables -A INPUT -i lo -j ACCEPT
#accept all input from the internal network.
iptables -A INPUT -i eth0 -j ACCEPT

#accept proxy port (TCP 3128) on the external interface. zgf. 2004.10.27
iptables -A INPUT -i eth1 -p TCP --dport 3128 -j ACCEPT

#accept HTTP (TCP 80) from the external network.
iptables -A INPUT -i eth1 -p TCP --dport 80 -j ACCEPT

#accept traffic from all other interfaces only if it's already established
#or related to an existing connection.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#drop all other incoming packets.
iptables -A INPUT -j DROP

#FORWARD rules
#drop all invalid forward packets.
iptables -A FORWARD -m state --state INVALID -j DROP
#forward all from the loopback device.
iptables -A FORWARD -i lo -j ACCEPT
#forward all from the internal network.
iptables -A FORWARD -i eth0 -j ACCEPT
#forward traffic from all other interfaces only if it's already established
#or related to an existing connection.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#drop all other forwards.
iptables -A FORWARD -j DROP

#OUTPUT rules
#drop all outgoing invalid packets.
iptables -A OUTPUT -m state --state INVALID -j DROP
#allow all other outgoing traffic.
iptables -A OUTPUT -j ACCEPT

#enable ip masquerade on Internet interface.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

#enable ip forwarding and dynamic address support.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
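As a check on the ruleset above (an added example, not part of the original post): a small parser that lists which new inbound connections each interface accepts. Run on the post's INPUT rules it shows that eth0 is fully trusted, eth1 accepts only TCP 80 and 3128, and the proftpd port 22221 configured later is reachable only from the internal side. Function names are my own.

```python
"""Summarise what the INPUT chain of the post's iptables script accepts,
per interface, by parsing the rule lines themselves (added example)."""
import shlex

# Constructed input: the INPUT-chain lines of the post's script, in the
# order the script appends them.
RULESET = """
iptables -P INPUT DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i eth1 -p TCP --dport 3128 -j ACCEPT
iptables -A INPUT -i eth1 -p TCP --dport 80 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP
"""

def parse_rules(text):
    """Return one dict per '-A INPUT' rule with the matches we care about.
    Every option in these rules takes exactly one argument."""
    rules = []
    for line in text.strip().splitlines():
        argv = shlex.split(line)
        if len(argv) < 3 or argv[1] != "-A" or argv[2] != "INPUT":
            continue
        rule = {"iface": None, "proto": None, "dport": None, "state": None, "target": None}
        for opt, val in zip(argv[3::2], argv[4::2]):
            if opt == "-i":
                rule["iface"] = val
            elif opt == "-p":
                rule["proto"] = val.lower()
            elif opt == "--dport":
                rule["dport"] = int(val)
            elif opt == "--state":
                rule["state"] = val
            elif opt == "-j":
                rule["target"] = val
        rules.append(rule)
    return rules

def exposure(text):
    """Map interface -> 'ALL' if it has an unconditional ACCEPT, else the set
    of (proto, port) for which fresh connections are accepted. State-matching
    ACCEPTs (ESTABLISHED,RELATED) do not open new ports and are skipped."""
    result = {}
    for r in parse_rules(text):
        if r["target"] != "ACCEPT" or r["state"]:
            continue
        iface = r["iface"] or "*"
        if r["dport"] is None:
            result[iface] = "ALL"
        elif result.get(iface) != "ALL":
            result.setdefault(iface, set()).add((r["proto"], r["dport"]))
    return result

def reachable(text, iface, proto, port):
    """True if a new connection to proto/port arriving on iface is accepted."""
    acc = exposure(text).get(iface, set())
    return acc == "ALL" or (proto, port) in acc
```

Because TCP 3128 is accepted from eth1, the proxy's own access controls are the only thing keeping outside hosts from relaying through it.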

5. Set the startup services as follows:
#chkconfig --list | grep n
iptables   0:off   1:off   2:on   3:on   4:on   5:on   6:off
network     0:off   1:off   2:on   3:on   4:on   5:on   6:off
random     0:off   1:off   2:on   3:on   4:on   5:on   6:off
rawdevices   0:off   1:off   2:off   3:on   4:on   5:on   6:off
keytable   0:off   1:on   2:on   3:on   4:on   5:on   6:off
httpd     0:off   1:off   2:on   3:on   4:on   5:on   6:off
fcron     0:off   1:off   2:on   3:on   4:on   5:on   6:off
mysql     0:off   1:off   2:on   3:on   4:on   5:on   6:off
sshd       0:off   1:off   2:on   3:on   4:on   5:on   6:off
proftpd     0:off   1:off   2:on   3:on   4:on   5:on   6:off
syslog     0:off   1:off   2:on   3:on   4:on   5:on   6:off

6. Set up FTP, adding an FTP administrator ftpadmin and the NGN project group user ngngroup.
For proftpd, the configuration file is as follows:
#cat proftpd.conf
ServerName   "计算机应用研究所FTP服务器(CAI FTP Server)"
ServerType   standalone
DefaultServer   on
SystemLog   /var/log/proftpd.log
Port   22221
Umask   022
MaxInstances   30
TimeoutStalled 300
UseReverseDNS off
IdentLookups   off
User   nobody
Group   nobody
DefaultRoot ~ ftpusers
<Directory /*>
AllowOverwrite       on
</Directory>
<Global>
DenyFilter \*.*/
</Global>
<Anonymous /data/ftp/anonymous>
<limit LOGIN>
Order allow,deny
Allow from 192.168.200.
Deny from all
</limit>
RequireValidShell off
User           ftp
Group           ftpusers
# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias           anonymous ftp
# Limit the maximum number of anonymous logins
MaxClients         50
# We want 'welcome.msg' displayed at login, and '.message' displayed
# in each newly chdired directory.
DisplayLogin         welcome.msg
DisplayFirstChdir       .message
# Limit WRITE everywhere in the anonymous chroot
<Limit WRITE>
DenyAll
</Limit>
<Directory incoming/*>
<Limit READ>
  AllowAll
</Limit>
<Limit STOR>
  AllowAll
</Limit>
<Limit DELE>
  AllowAll
</Limit>
<Limit WRITE>
  AllowAll
</Limit>
</Directory>
</Anonymous>
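To show what the <limit LOGIN> block in the anonymous section above actually admits, here is an added evaluator (my own code, not from the post or ProFTPD) for a given client address. It assumes the directives are checked in the configured Order, that the first match decides, and that a client matching nothing is denied, which is the behaviour this Allow/Deny idiom relies on; the sample block is copied from the post.

```python
"""Evaluate a ProFTPD-style <Limit LOGIN> access list for a client address
(added example; semantics as stated in the lead-in)."""
import ipaddress

# Constructed input: the access-control part of the post's <Anonymous> block.
LIMIT_LOGIN = """
<limit LOGIN>
Order allow,deny
Allow from 192.168.200.
Deny from all
</limit>
"""

def parse_limit(text):
    """Return (order, [('allow'|'deny', pattern), ...]) in file order."""
    order, acl = "allow,deny", []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("<"):
            continue  # skip the <limit> / </limit> tags
        key = parts[0].lower()
        if key == "order" and len(parts) > 1:
            order = parts[1].lower()
        elif key in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            acl += [(key, p.strip(",")) for p in parts[2:]]
    return order, acl

def matches(pattern, client):
    """Address patterns: 'all', a trailing-dot prefix such as '192.168.200.',
    an exact IP, or CIDR notation."""
    if pattern == "all":
        return True
    if pattern.endswith("."):
        return client.startswith(pattern)
    if "/" in pattern:
        return ipaddress.ip_address(client) in ipaddress.ip_network(pattern, strict=False)
    return client == pattern

def login_allowed(text, client):
    """First matching directive, taken in the configured Order, decides;
    no match means denied."""
    order, acl = parse_limit(text)
    for kind in order.split(","):
        for k, pattern in acl:
            if k == kind and matches(pattern, client):
                return kind == "allow"
    return False
```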

7. Set up the MySQL database, change the root password, and move the data from the old server to the new one.
8. Set up the WWW server and move the web pages from the old server to the new one.
Edit /etc/httpd/conf.d/httpd-php.conf, remove the comment markers, and enable PHP support:
root@cai-gw /etc/httpd/conf.d# cat httpd-php.conf
### The following is needed to enable PHP5 support
LoadModule php5_module /usr/lib/apache/libphp5.so
AddType application/x-httpd-php .php .php4 .php5 .inc
AddType application/x-httpd-php-source .phps

--the end--