1545.html (from the collection "著名的linux英雄站点的文档打包": documents packaged from the well-known Linux hero site)
# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
wins server = 10.100.100.109

dns proxy = no

#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browseable = no
writable = yes

[public]
comment = Public Folder
path = /home/public
public = yes
writable = yes

# Shared directory: everyone can read and write.
# ("public = yes" is a synonym for "guest ok = yes", so together with "writable = yes"
# this share can be written to without any credentials at all.)

[it]
comment = It Folder
path = /home/it
public = yes
write list = @it
# Create an "it" group that maintains this share (/home/it), which holds installers, drivers and so on;
# users outside the it group can only read it. Department-level shares can be set up the same way.
Notes:
1. The other smb.conf parameters can be left at their defaults. Because Linux permission management is not as comprehensive as NT's, a complex permission layout can be handled in two ways: a. export one directory as several shares, each giving a different user group different rights; b. combine Samba with the Linux file permissions. For example, the Samba share can give everyone write access while the Linux permissions give write access only to a specific group, so everyone else can only read.

2. User and password management:
A: If encrypt passwords = yes, every user has two passwords (the Linux one and the smbpasswd one) and changing passwords becomes a hassle, so I set it to no; Samba then authenticates users against /etc/passwd and users maintain only one password, which is convenient but not secure enough. It seems that unix password sync = Yes could be both convenient and secure, but I did not get it to work.
B: Edit /etc/passwd and set the user's shell to /usr/bin/passwd. When users want to change their password they just telnet to the Samba server; a sendmail server and others can use the same method.
C: If you do not want a /GNUstep directory to appear in users' home directories, run mv /etc/skel /etc/skel.backup.

3. Windows 98 clients: edit the registry. Under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VNETSUP
add a DWORD value named EnablePlainTextPassword with data 0x01. (This is required because of encrypt passwords = no above: Windows 98 refuses to send plain-text passwords unless this value is set, and once it is set the SMB password crosses the network in clear text.) Also edit \windows\hosts and add a line:
ipaddress       samba-server-name

4. Across a gateway: if there is a router between the clients and the Samba server, make sure the clients and the server are in the same workgroup, and edit \windows\lmhosts on the clients to add "a.b.c.d  <NetBIOS name or hostname of the Samba server>". What I do at the moment is give the branch-office IT staff an account at headquarters and let them move files between headquarters and the branch with CuteFTP through the public directory. This avoids forcing the branches to be in the same domain as headquarters (they still have NT).

5. Disk quotas: see the article "How to set disk quotas in Linux" in the article collection. To quickly give a group of users on the system, say a hundred of them, the same quota as bob, first edit bob's quota by hand and then run:
#csh
#edquota -p bob `awk -F: '$3 > 499 {print $1}' /etc/passwd`
This assumes your user UIDs start at 500.

More details are in the articles on linuxforum.
II. Print server (samba-2.0.6-9)

Configuration file: /etc/smb.conf

[global]
# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = shenzhennt
map to guest = Bad User
# Important: with this, every user can print without being asked for a password.
# (A logon with an unknown username is mapped to the guest account; a known username
# with a wrong password is still rejected.)

# server string is the equivalent of the NT Description field
server string = Printer In OP

# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
printcap name = /etc/printcap
load printers = yes

log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
max log size = 50

security = user
socket options = TCP_NODELAY

dns proxy = no

#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browseable = no
writable = yes

[printers]
comment = Printer in OP
path = /var/spool/samba
browseable = no
guest ok = yes
writable = no
printable = yes

The other parameters can be left at their defaults.
Also: samba-2.0.3-8 has a bug.
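Both Samba configurations above depend on guest access (public = yes or guest ok = yes, with map to guest = Bad User on the print server) and, per note 2A, on encrypt passwords = no. The script below is an added example, not part of the original article: it audits an smb.conf for guest-writable shares and for cleartext password authentication. The embedded configuration is constructed for the example, modelled on the file-server and print-server shares above; its [global] section is assumed, since the file server's [global] is only partly shown on this page.

```shell
#!/bin/sh
# Added example (not from the original article): audit an smb.conf for the
# settings discussed above, i.e. guest-writable shares and cleartext passwords.
# Assumes Samba 2.0.x smb.conf syntax: "[section]" headers, "key = value"
# lines, comments starting with # or ;, and the synonyms public/guest ok and
# writable/writeable/read only.

audit_smbconf() {   # audit_smbconf <smb.conf>; prints one finding per line
    awk '
    function flush(   guest, writable, k) {
        if (sec == "") return
        guest    = (v["guest ok"] == "yes" || v["public"] == "yes")
        writable = (v["writable"] == "yes" || v["writeable"] == "yes" || v["read only"] == "no")
        if (sec == "global") {
            if (v["encrypt passwords"] == "no")
                print "WARN global: encrypt passwords = no (SMB passwords cross the wire in clear text)"
            if (v["security"] == "share")
                print "WARN global: security = share (no per-user authentication)"
            if (v["map to guest"] ~ /bad/)
                print "INFO global: map to guest = " raw["map to guest"] " (unknown usernames become guest, so guest ok shares need no valid credentials)"
        } else if (v["printable"] == "yes") {
            if (writable) print "WARN [" sec "]: printable share is also writable as a file share"
        } else if (guest && writable) {
            print "WARN [" sec "]: guest-writable share at " raw["path"] " (anyone on the network can write)"
        } else if (guest && raw["write list"] != "") {
            print "INFO [" sec "]: guest-readable; write access limited to " raw["write list"]
        } else if (guest) {
            print "INFO [" sec "]: guest-readable (read-only)"
        }
        for (k in v) delete v[k]
        for (k in raw) delete raw[k]
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }                 # comments and blank lines
    /^[ \t]*\[/ {                                        # a new [section]
        flush()
        sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec); sec = tolower(sec)
        next
    }
    index($0, "=") {                                     # key = value (first "=" splits)
        key = substr($0, 1, index($0, "=") - 1); val = substr($0, index($0, "=") + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        raw[tolower(key)] = val; v[tolower(key)] = tolower(val)
    }
    END { flush() }
    ' "$1"
}

sample_smbconf() {  # constructed sample modelled on the shares above; [global] is assumed
    cat <<'EOF'
[global]
   workgroup = shenzhennt
   security = user
   ; note 2A above sets this to no
   encrypt passwords = no
   map to guest = Bad User

[homes]
   comment = Home Directories
   browseable = no
   writable = yes

[public]
   comment = Public Folder
   path = /home/public
   public = yes
   writable = yes

[it]
   comment = It Folder
   path = /home/it
   public = yes
   write list = @it

[printers]
   comment = Printer in OP
   path = /var/spool/samba
   browseable = no
   guest ok = yes
   writable = no
   printable = yes
EOF
}

audit_sample() {    # run the audit over the constructed sample
    f=$(mktemp) || return 1
    sample_smbconf > "$f"
    audit_smbconf "$f"
    rm -f "$f"
}

audit_sample
```

On the sample this reports [public] as guest-writable and encrypt passwords = no as cleartext authentication, records that [it] is guest-readable with writes limited to @it, and stays silent on [homes] and [printers]. Run it against the real file with audit_smbconf /etc/smb.conf.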
III. DNS (bind-8.2.2_P5-9), FTP (wu-ftpd-2.4.2vr17-3), WWW

FTP and WWW have no special requirements here, so only the defaults are used.

The DNS configuration files follow.

A. /etc/named.conf

// generated by named-bootconf.pl

options {
        directory "/var/named";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below. Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
};

//
// a caching only nameserver config
//
zone "." in {
        type hint;
        file "named.ca";
};

zone "0.0.127.in-addr.arpa" in {
        type master;
        file "named.local";
};

zone "domain.com" in {
        type master;
        file "domain.com";
};

zone "c.b.a.in-addr.arpa" in {
        type master;
        file "abc";
};

zone "200.100.10.in-addr.arpa" in {
        type master;
        file "200";
};

B. /var/named/domain.com

@ IN SOA domain.com. yzy.domain.com. (
        1999122105 28800 14400 3600000 86400 );

        NS dns.domain.com.

        MX 10 firewall.domain.com.
localhost A 127.0.0.1
dns A a.b.c.dns
domain.com. A a.b.c.dns
firewall A a.b.c.fw

firewall1 A 10.100.200.2
www cname dns.domain.com.
ftp cname dns.domain.com.
mail cname firewall.domain.com.

C. /var/named/abc

@ IN SOA domain.com. yzy.domain.com. (
        1999122101 28800 14400 3600000 86400 )
        NS dns.domain.com.
177 PTR dns.domain.com.
188 PTR mail.domain.com.
177 PTR www.domain.com.
177 PTR ftp.domain.com.

D. /var/named/200

@ IN SOA domain.com. yzy.domain.com. (
        1999122101 28800 14400 3600000 86400 )
        NS dns.domain.com.
2 PTR firewall1.domain.com.

Notes:
DNS matters a great deal to sendmail. firewall1 above mainly serves the company-wide sendmail server and acts as the e-mail gateway. Also, the DNS files have a very strict format, so be careful and keep an eye on the logs while debugging. Records without an owner name (the NS and MX lines above) must start with whitespace, otherwise named reads the record type as the owner. These zone files have no $TTL line; BIND 8.2 still loads them but logs a warning and uses the SOA minimum (86400 here) as the default TTL. The serial numbers follow the YYYYMMDDNN convention and must increase on every change or secondaries will not transfer the zone. In the reverse zone, the 188 entry and the second and third 177 entries point at mail, www and ftp, which are CNAMEs in the forward zone; RFC 1912 recommends that a PTR point at the canonical name that owns the A record (firewall.domain.com. for 188, dns.domain.com. for 177).
The wu-ftpd package shipped with Red Hat 6.2 seems to have a bug: remote logins are very slow.
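The reverse zone above has PTRs whose targets (mail, www, ftp) are CNAMEs in the forward zone, which is the kind of mismatch that only shows up when someone checks the two files against each other. The script below is an added example, not part of the original article or of BIND: it parses a forward and a reverse zone and flags PTRs that point at CNAMEs, at names without an A record, or at names whose A record disagrees with the reverse entry. The two zones are constructed copies of domain.com and abc with concrete addresses from the 192.0.2.0/24 documentation range (the page only shows placeholders such as a.b.c.dns), a $TTL line added, and the SOA on one line; the parser assumes that simplified syntax.

```shell
#!/bin/sh
# Added example (not from the original article): cross-check a forward zone
# against its reverse zone. Every PTR should point at the canonical name that
# owns a matching A record (RFC 1912), so PTRs whose targets are CNAMEs, as
# 188 -> mail, 177 -> www and 177 -> ftp are above, get flagged.
# Assumes zone-file lines of the form "[owner] [IN] TYPE rdata", the owner
# inherited from the previous record when a line starts with whitespace,
# "@" meaning the origin, and a single-line SOA.

check_zones() {   # check_zones <forward-zone-file> <origin> <reverse-zone-file> <ipv4-prefix>
    awk -v origin="$2" -v net="$4" '
    function fqdn(n) {                          # absolute name without the trailing dot
        if (n == "@") return origin
        if (n ~ /\.$/) return substr(n, 1, length(n) - 1)
        return n "." origin
    }
    /^[ \t]*;/ || /^[ \t]*$/ || /^\$/ { next }   # comments, blank lines, $TTL/$ORIGIN
    FNR == 1 { last = "" }
    {
        split($0, t, /[ \t]+/)
        if (t[1] == "") owner = last; else owner = last = t[1]
        i = 2
        if (toupper(t[i]) == "IN") i++
        type = toupper(t[i]); rdata = t[i + 1]
    }
    FNR == NR {                                   # first file: forward zone, collect A and CNAME
        if (type == "A")     a[fqdn(owner)] = rdata
        if (type == "CNAME") cname[fqdn(owner)] = fqdn(rdata)
        next
    }
    type == "PTR" {                               # second file: reverse zone, check each PTR
        ip = net "." owner; target = fqdn(rdata)
        if (target in cname)
            printf "WARN %s: PTR target %s is a CNAME for %s; point the PTR at the canonical name\n", ip, target, cname[target]
        else if (!(target in a))
            printf "WARN %s: PTR target %s has no A record in zone %s\n", ip, target, origin
        else if (a[target] != ip)
            printf "WARN %s: PTR target %s has A %s; forward and reverse disagree\n", ip, target, a[target]
        else
            printf "OK   %s -> %s\n", ip, target
    }' "$1" "$3"
}

forward_zone() {  # constructed copy of /var/named/domain.com with concrete addresses
    cat <<'EOF'
$TTL 86400
@           IN SOA domain.com. yzy.domain.com. ( 1999122105 28800 14400 3600000 86400 )
            IN NS  dns.domain.com.
            IN MX  10 firewall.domain.com.
localhost   IN A   127.0.0.1
dns         IN A   192.0.2.177
domain.com. IN A   192.0.2.177
firewall    IN A   192.0.2.188
firewall1   IN A   10.100.200.2
www         IN CNAME dns.domain.com.
ftp         IN CNAME dns.domain.com.
mail        IN CNAME firewall.domain.com.
EOF
}

reverse_zone() {  # constructed copy of /var/named/abc, here for 2.0.192.in-addr.arpa
    cat <<'EOF'
$TTL 86400
@    IN SOA domain.com. yzy.domain.com. ( 1999122101 28800 14400 3600000 86400 )
     IN NS  dns.domain.com.
177  IN PTR dns.domain.com.
188  IN PTR mail.domain.com.
177  IN PTR www.domain.com.
177  IN PTR ftp.domain.com.
EOF
}

check_sample() {  # run the check over the two constructed zones
    f=$(mktemp) && r=$(mktemp) || return 1
    forward_zone > "$f"; reverse_zone > "$r"
    check_zones "$f" domain.com "$r" 192.0.2
    rm -f "$f" "$r"
}

check_sample
```

On the constructed zones the dns PTR passes and the three PTRs aimed at CNAMEs are reported, each with the canonical name the PTR should use instead.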
IV. Proxy server (squid-2.3.STABLE1-5)

Configuration file: /etc/squid/squid.conf

http_port 8080
icp_port 8080
# icp_port is UDP and http_port is TCP, so both can use 8080 (Squid's default for ICP is 3130).
hierarchy_stoplist cgi-bin ?
cache_mem 8 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 2048 KB
cache_dir ufs /var/spool/squid 150 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
debug_options ALL,1
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

# ACCESS CONTROLS
# -----------------------------------------------------------------------------

#Defaults:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# TAG: http_access

acl hq src 10.100.100.29/32 10.100.100.2/32 10.100.100.40/32 10.100.100.75/32 10.100.100.6/32 10.100.100.87/32

# headquarters

acl gz src 10.100.101.61/32 10.100.101.98/32 10.100.101.72/32 10.100.101.62/32 10.100.101.73/32 10.100.101.166/32 10.100.101.15/32

# Guangzhou

# http_access lines are checked top to bottom and the first line whose ACLs all match decides.
# Because allow hq and allow gz come first, clients in those two ACLs are never subject to the
# deny !Safe_ports and deny CONNECT !SSL_ports checks below; Squid's stock configuration puts
# those two deny lines ahead of the site-specific allows.
http_access allow hq
http_access allow gz

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localhost
http_access deny all

# Any host that can reach UDP port 8080 may query the cache over ICP and have misses fetched for it.
icp_access allow all
miss_access allow all

Because my company connects to the Internet over ADSL, the proxy does not need to be elaborate. Linux offers many proxy solutions; see the forum for details.
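Squid evaluates http_access lines top to bottom and the first line whose ACLs all match decides; when no line matches, the opposite of the last line's action applies. In the squid.conf above, allow hq and allow gz precede deny !Safe_ports and deny CONNECT !SSL_ports, so a client in hq or gz can CONNECT to any port, for example a mail server's port 25, and reach any unsafe port. The script below is an added example, not part of the original article or of Squid: it models that first-match evaluation for the page's ACLs (manager, which matches cache_object URLs, is treated as never matching) and compares the page's order with the same lines reordered so that the two deny checks come first.

```shell
#!/bin/sh
# Added example (not from the original article or from Squid): first-match
# evaluation of the http_access rules above. A request is modelled as
# <source-ip> <destination-port> <method>; the manager ACL (cache_object URLs)
# is not modelled and never matches.

acl_match() {   # acl_match <acl-name> <src-ip> <dst-port> <method>; succeeds when the ACL matches
    case $1 in
        all)        return 0 ;;
        localhost)  [ "$2" = 127.0.0.1 ] ;;
        manager)    return 1 ;;
        hq)         case $2 in 10.100.100.29|10.100.100.2|10.100.100.40|10.100.100.75|10.100.100.6|10.100.100.87) return 0 ;; esac
                    return 1 ;;
        gz)         case $2 in 10.100.101.61|10.100.101.98|10.100.101.72|10.100.101.62|10.100.101.73|10.100.101.166|10.100.101.15) return 0 ;; esac
                    return 1 ;;
        SSL_ports)  [ "$3" = 443 ] || [ "$3" = 563 ] ;;
        Safe_ports) case $3 in 80|21|443|563|70|210|280|488|591|777) return 0 ;; esac
                    [ "$3" -ge 1025 ] && [ "$3" -le 65535 ] ;;
        CONNECT)    [ "$4" = CONNECT ] ;;
        *)          echo "unknown acl: $1" >&2; return 1 ;;
    esac
}

http_access() {   # http_access <src-ip> <dst-port> <method>; rules "allow|deny acl [!acl ...]" on stdin
    last=deny
    while read -r action acls; do
        case $action in allow|deny) ;; *) continue ;; esac   # skip comments and blank lines
        last=$action
        matched=yes
        for acl in $acls; do                                 # every ACL on the line must match
            case $acl in
                '!'*) if   acl_match "${acl#!}" "$1" "$2" "$3"; then matched=no; fi ;;
                *)    if ! acl_match "$acl"     "$1" "$2" "$3"; then matched=no; fi ;;
            esac
        done
        if [ "$matched" = yes ]; then echo "$action"; return 0; fi
    done
    # nothing matched: Squid applies the opposite of the last line's action
    if [ "$last" = allow ]; then echo deny; else echo allow; fi
}

page_order() {      # the http_access lines in the order they appear in the squid.conf above
    cat <<'EOF'
allow hq
allow gz
allow manager localhost
deny manager
deny !Safe_ports
deny CONNECT !SSL_ports
allow localhost
deny all
EOF
}

denies_first() {    # the same lines with the port and CONNECT checks ahead of the site allows
    cat <<'EOF'
allow manager localhost
deny manager
deny !Safe_ports
deny CONNECT !SSL_ports
allow hq
allow gz
allow localhost
deny all
EOF
}

decide() {          # decide <page_order|denies_first> <src-ip> <dst-port> <method>; prints allow or deny
    "$1" | http_access "$2" "$3" "$4"
}

for req in "10.100.100.29 25 CONNECT" "10.100.100.29 443 CONNECT" "10.100.100.29 23 GET" "10.100.102.5 80 GET"; do
    set -- $req
    printf '%-26s page order: %-5s denies first: %s\n' "$req" "$(decide page_order "$@")" "$(decide denies_first "$@")"
done
```

With the page's order an hq client tunnelling to port 25 or browsing to port 23 is allowed; with the deny lines first both are refused while CONNECT to 443 and ordinary port 80 requests from hq and gz still pass, and hosts outside both ACLs are denied in either order.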
V. Firewall + port forwarding (ipchains-1.3.9-5, ipmasqadm-0.4.2-3)

First, the network topology:

a.b.c.xxx are real Internet addresses. The firewall has a DMZ. Besides packet filtering it also does port forwarding, so that branch-office users can send and receive their local e-mail through the single Internet connection at the Shenzhen headquarters. It is also the e-mail gateway: every message coming from or going to the Internet passes through it. To keep spammers out, sendmail on the firewall does not allow relaying; so that travelling users can still send e-mail, a separate server that does relay, Mail2, was set up to shield the firewall (sendmail can now also let users on Linux send e-mail through authenticated SMTP without being open to abuse). Mail2 is not announced externally; a dial-in server is installed on it with one shared account and password, and Mail2's security rules allow only sending and receiving e-mail through it. This simplifies administration and provides the dial-in service at the same time.

Configuration file: /etc/rc.d/fire. Add the line sh /etc/rc.d/fire at the end of /etc/rc.d/rc.local so that the firewall is set up automatically at every boot.

#!/bin/sh
echo ""
echo "Starting ipchains rules..."
# Flush all chains
/sbin/ipchains -F
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -A forward -j MASQ -s 10.100.100.102/32
/sbin/ipchains -A forward -j MASQ -s 10.100.101.252/32
/sbin/ipchains -A forward -j MASQ -s 10.100.102.252/32
/sbin/ipchains -A forward -j MASQ -s 10.100.103.252/32
/sbin/ipchains -A forward -j MASQ -s 10.100.104.252/32
/sbin/ipchains -A forward -j MASQ -s 10.100.105.252/32
/sbin/ipchains -A forward -j MASQ -s 10.100.109.252/32
/sbin/ipchains -A forward -j MASQ -s 10.100.110.252/32
# The lines above are IP masquerading. If the LAN reaches the Internet through the firewall,
# the whole LAN can be masqueraded out through it in the same way, as a transparent proxy.

/usr/sbin/ipmasqadm portfw -a -P tcp -L a.b.c.fw 110 -R 10.100.100.252 110
# Lets headquarters users collect e-mail: a connection to a.b.c.fw:110 is forwarded to port 110
# on mssz (10.100.100.252). The lines below do the same for each branch on ports 6010N.
# Note that every forward makes the internal POP3 server reachable from the whole Internet,
# and POP3 sends user names and passwords in clear text.

/usr/sbin/ipmasqadm portfw -a -P tcp -L a.b.c.fw 60101 -R 10.100.101.252 110
/usr/sbin/ipmasqadm portfw -a -P tcp -L a.b.c.fw 60102 -R 10.100.102.252 110
/usr/sbin/ipmasqadm portfw -a -P tcp -L a.b.c.fw 60103 -R 10.100.103.252 110
/usr/sbin/ipmasqadm portfw -a -P tcp -L a.b.c.fw 60104 -R 10.100.104.252 110
/usr/sbin/ipmasqadm portfw -a -P tcp -L a.b.c.fw 60105 -R 10.100.105.252 110
/usr/sbin/ipmasqadm portfw -a -P tcp -L a.b.c.fw 60109 -R 10.100.109.252 110
/usr/sbin/ipmasqadm portfw -a -P tcp -L a.b.c.fw 60110 -R 10.100.110.252 110

# IP spoof protection
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    echo ""
    echo -n "Setting up IP spoofing protection..."
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
    done
    echo "done."
else
    echo "PROBLEMS SETTING UP IP SPOOFING PROTECTION. BE WORRIED."
    echo "CONTROL-D will exit from this shell and continue system startup."
    echo
    # Start a single-user shell on the console ($CONSOLE is not set in this script;
    # with an empty argument sulogin uses the current terminal)
    /sbin/sulogin $CONSOLE
fi
# refuse packets whose source is the broadcast address

/sbin/ipchains -A input -j DENY -s 255.255.255.255
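The MASQ and portfw lines above follow one pattern: site N has its mail server at 10.100.N.252 and is reached on external port 60100+N, with headquarters (site 100) kept on port 110 and, in the MASQ list, the host 10.100.100.102 rather than 10.100.100.252. The script below is an added example, not part of the original article: it generates the same rules from a single table, so adding a branch is one line instead of two hand-edited commands, and it lists what each forward opens to the Internet. The site table, FW_EXT and MASQ_EXTRA are constructed for the example; a.b.c.fw is the page's placeholder for the firewall's real address.

```shell
#!/bin/sh
# Added example (not from the original article): generate the MASQ and portfw
# lines above from one table, and report what each forward exposes.
# Assumptions (from the script above): site N's mail server is 10.100.N.252,
# reached on external port 60100+N, except headquarters (site 100), which keeps
# port 110 and is not masqueraded; 10.100.100.102 is masqueraded in addition.

FW_EXT=${FW_EXT:-a.b.c.fw}                 # the firewall's Internet address (placeholder as on the page)
MASQ_EXTRA=${MASQ_EXTRA:-10.100.100.102}   # masqueraded hosts that are not in the site table

sites() {            # constructed table: <third octet> <external port> <masquerade yes/no>
    cat <<'EOF'
100 110 no
101 60101 yes
102 60102 yes
103 60103 yes
104 60104 yes
105 60105 yes
109 60109 yes
110 60110 yes
EOF
}

masq_rules() {       # masquerade only the listed hosts, as the page does
    for h in $MASQ_EXTRA; do
        echo "/sbin/ipchains -A forward -j MASQ -s $h/32"
    done
    sites | while read -r site port masq; do
        if [ "$masq" = yes ]; then
            echo "/sbin/ipchains -A forward -j MASQ -s 10.100.$site.252/32"
        fi
    done
}

portfw_rules() {     # external <port> on the firewall -> POP3 on the site's mail server
    sites | while read -r site port masq; do
        echo "/usr/sbin/ipmasqadm portfw -a -P tcp -L $FW_EXT $port -R 10.100.$site.252 110"
    done
}

firewall_script() {  # the generated rc script: flush, enable forwarding, install the rules
    echo '#!/bin/sh'
    echo '/sbin/ipchains -F'
    echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    masq_rules
    portfw_rules
}

exposure_report() {  # what each forward opens up; POP3, IMAP, telnet and FTP carry cleartext logins
    portfw_rules | awk '{
        ext = $(NF-4) ":" $(NF-3); dst = $(NF-1) ":" $NF
        if ($NF == 110 || $NF == 143 || $NF == 23 || $NF == 21) note = "cleartext login exposed to the Internet"
        else note = "tcp/" $NF
        printf "%-18s -> %-20s %s\n", ext, dst, note
    }'
}

firewall_script
exposure_report
```

Redirect firewall_script into /etc/rc.d/fire (or pipe it to sh for a one-off run) to install the rules; exposure_report shows that all eight forwards publish a cleartext POP3 login on the firewall's public address.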
