
17 Hours Getting to Grips with AS3: Time Well Spent!

Reposted by 火星人 @ 2014-03-09
http://www.chinaunix.net Author: platinum Posted: 2004-02-19 14:51:20

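I have spent the last couple of days studying AS3. This is my first time using it; moving from RH73 to AS3, there was a lot I was not used to, and the configuration methods are not quite the same either. Below I describe some of the problems I ran into during installation and configuration.

My system runs MYSQL, PHP and APACHE2, and I also set up SQUID and NAT, SAMBA, DHCP, SENDMAIL with SMTP authentication, and PROFTPD.

1. Installing MYSQL 4.0.18
After downloading MYSQL, unpack it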
[quote:8c49f6d181]
./configure --prefix=/usr/local/mysql
make
make install
useradd mysql
chown -R mysql /usr/local/mysql/var
[/quote:8c49f6d181]
Start MYSQL: /usr/local/mysql/bin/mysqld_safe --user=mysql

2. Installing APACHE 2.0.48
Unpack it
[quote:8c49f6d181]
./configure
make
make install
[/quote:8c49f6d181]

3. Installing PHP 4.3.4
Unpack it
[quote:8c49f6d181]
./configure --with-mysql --with-apxs2=/usr/local/apache2/bin/apxs --enable-versioning --disable-debug --enable-track-vars
make
make install
[/quote:8c49f6d181]

Edit /usr/local/apache2/conf/httpd.conf
and check whether the following two lines are present
[quote:8c49f6d181]
LoadModule php4_module modules/libphp4.so
AddType application/x-httpd-php .php
[/quote:8c49f6d181]
The first line should be there by default; the second you have to add yourself

Add index.php as a default page
[quote:8c49f6d181]
DirectoryIndex index.html index.php index.htm index.html.var
[/quote:8c49f6d181]

4. Configuring SENDMAIL
vi /etc/mail/sendmail.mc

[quote:8c49f6d181]
dnl # TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl # define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
[/quote:8c49f6d181]
Change them to the following, to support SMTP authentication for sending mail
[quote:8c49f6d181]
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl


[/quote:8c49f6d181]


[quote:8c49f6d181]
DAEMON_OPTIONS(`Port=smtp,127.0.0.1,Name=MTA')dnl
[/quote:8c49f6d181]
Change it to the following, to allow remote access
[quote:8c49f6d181]
DAEMON_OPTIONS(`Port=smtp,Name=MTA')dnl
[/quote:8c49f6d181]


[quote:8c49f6d181]
dnl # MASQUERADE_AS(`platinum.3322.org')dnl
[/quote:8c49f6d181]
Change it to
[quote:8c49f6d181]
MASQUERADE_AS(`platinum.3322.org')dnl
[/quote:8c49f6d181]

m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
vi /etc/mail/sendmail.cf
Change
[quote:8c49f6d181]
Cwlocalhost
[/quote:8c49f6d181]
to
[quote:8c49f6d181]
Cwlocalhost platinum.3322.org
[/quote:8c49f6d181]

vi /etc/mail/access and add 0.0.0.0 RELAY

vi /etc/mail/local-host-names
and add
[quote:8c49f6d181]
localhost
platinum.3322.org
[/quote:8c49f6d181]

Start the services:
/etc/rc.d/init.d/sendmail start
/etc/rc.d/init.d/saslauthd start
Run setup and enable the ipop3 service
/etc/rc.d/init.d/xinetd restart

Test:
adduser test
passwd test
Test with OUTLOOK
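
The edits above enable the plaintext mechanisms LOGIN and PLAIN and open the SMTP listener to remote hosts. As an added example (not part of the original post), this shell function reports both conditions from a sendmail.mc; `confAUTH_OPTIONS` and its `p` flag are standard sendmail settings that the post does not mention, and the function and finding names are invented here.

```shell
#!/bin/bash
# Added example, not part of the original post: flag two exposure-related
# settings in a sendmail.mc. Finding names are made up for this example.
audit_sendmail_mc() {
    # A leading "dnl" comments a line out. The m4 quote characters (backtick,
    # apostrophe) become "|" so awk sees define(|NAME|, |VALUE|) or MACRO(|VALUE|).
    grep -v '^[[:space:]]*dnl' "$1" | tr '\140\047' '||' | awk -F'|' '
        $2 == "confAUTH_MECHANISMS"           { mechs = $4 }
        $2 == "confAUTH_OPTIONS"              { opts = $4 }
        /^DAEMON_OPTIONS/ && $2 ~ /Port=smtp/ { daemon = $2 }
        END {
            # The "p" flag refuses PLAIN/LOGIN unless a security layer is active.
            if (mechs ~ /(^| )(PLAIN|LOGIN)( |$)/ && opts !~ /p/)
                print "plaintext-auth-without-tls"
            if (daemon != "" && daemon !~ /127\.0\.0\.1/)
                print "smtp-on-all-interfaces"
        }'
}

# Constructed sample: the three active lines as edited in the post.
page_mc() {
    cat <<'EOF'
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
DAEMON_OPTIONS(`Port=smtp,Name=MTA')dnl
EOF
}

# Constructed sample: the same lines plus confAUTH_OPTIONS with the "p" flag.
hardened_mc() {
    page_mc
    cat <<'EOF'
define(`confAUTH_OPTIONS', `A p')dnl
EOF
}

tmp=$(mktemp)
page_mc > "$tmp";     echo "as posted: $(audit_sendmail_mc "$tmp" | tr '\n' ' ')"
hardened_mc > "$tmp"; echo "with A p:  $(audit_sendmail_mc "$tmp" | tr '\n' ' ')"
rm -f "$tmp"
```
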

5. Setting up ADSL dial-up
adsl-setup
Follow the prompts step by step
Then edit the generated configuration file /etc/sysconfig/network-scripts/ifcfg-ppp0
and change
[quote:8c49f6d181]
PPPOE_TIMEOUT=60
[/quote:8c49f6d181]
to
[quote:8c49f6d181]
PPPOE_TIMEOUT=0
[/quote:8c49f6d181]
This way the connection will not be dropped automatically when no data is being transferred

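6. Setting up NAT
vi /etc/sysctl.conf
Change
[quote:8c49f6d181]
net.ipv4.ip_forward = 0
[/quote:8c49f6d181]
to
[quote:8c49f6d181]
net.ipv4.ip_forward = 1
[/quote:8c49f6d181]
This turns forwarding on by default, so you no longer have to modify /proc/sys/net/ipv4/ip_forward every time
Add a rule to the firewall to allow NAT outbound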
[quote:8c49f6d181]
/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
[/quote:8c49f6d181]

7. Setting up SQUID
I reused my SQUID configuration from RH73, but ran into a problem on AS3


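Only after reading the messages carefully did I find that it said it could not find a DNS SERVER. Strange, since my ADSL connection could PING www.163.com
Then I found that /etc/resolv.conf was empty; I added a DNS SERVER and it worked
My SQUID has 1000M of capacity and stores HTTP files up to 1M in size; I won't go into how to configure SQUID here
Also, don't forget to redirect port 80 to SQUID's port in iptables; mine is the default, 3128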

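8. DHCP
I again reused the dhcpd.conf from RH73, but it reported an error and the service would not start. I later found that one parameter needs to be added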
[quote:8c49f6d181]
ddns-update-style ad-hoc;
[/quote:8c49f6d181]
My configuration file is as follows
[code:1:8c49f6d181]
ddns-update-style ad-hoc;
max-lease-time -1;
default-lease-time -1;
option subnet-mask 255.255.255.0;
option broadcast-address 255.255.255.255;
option routers 192.168.0.1;
option domain-name-servers 192.168.0.1,202.106.196.152;
option domain-name "platinum.3322.org";
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.2 192.168.0.100;

    host platinum {
        hardware ethernet 00:0a:e6:a9:64:a2;
        fixed-address 192.168.0.2;
    }

    host bchyi {
        hardware ethernet 00:80:c8:e4:c1:e4;
        fixed-address 192.168.0.3;
        filename "/tftpboot/pxelinux.0";
    }
}
[/code:1:8c49f6d181]

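9. SAMBA
This was the biggest headache; it had me puzzled for half a day
At first I reused the configuration file from RH73, and found that the server was visible in Network Neighborhood but could not be accessed
My configuration file was as follows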
[code:1:8c49f6d181]
[global]
client code page = 936
workgroup = HOME
server string = Samba Server
security = USER
encrypt passwords = Yes
update encrypted = Yes
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*


unix password sync = Yes
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
wins proxy = Yes
wins support = Yes
remote announce = 192.168.0.255
remote browse sync = 192.168.0.255
create mask = 0777
directory mask = 0777
printing = lprng

[數據中心]
comment = DATACENTER
path = /share/DATACENTER
read only = No
[/code:1:8c49f6d181]
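So I changed security = DOMAIN to security = USER
After that it could be opened, but once inside, English directory names were fine while the Chinese ones were all garbled (big boxes)
This had always worked on RH73 and RH9, so why not on AS3?
So I ssh'd in and ran ls directly on my disk, and was stunned: the names that showed up in Chinese under RH73 had now turned into ??? and the like
……
At 好好先生's reminder, I realised it might be related to the character set, so I went to install the ttfonts-zh_CN package, only to find I had left out a lot of things; there were too many dependencies, so with no other choice I reinstalled the system……

Now it was fine. I ran ls and still got ???; with no other option I chose GB2312 as the default character set, ran ls again, and it was OK!
/etc/rc.d/init.d/smb restart
Back in Network Neighborhood, I went in and found it was still garbled!
So it seemed to have nothing to do with the character set, and everything to do with the SAMBA configuration
testparm showed that the line client code page = 936 does not work on AS3; it reports this line as an error
Is there really no way to display Chinese???
After digging through loads of material, I found the correct configuration on a foreign forum (the fix for displaying Chinese turned up on a foreign forum, of all places). Replace it with these two lines: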
[color=red:8c49f6d181]dos charset=cp936
unix charset=cp936[/color:8c49f6d181]
Now SAMBA works. The correct configuration file is as follows
[code:1:8c49f6d181]
[global]
dos charset=cp936
unix charset=cp936
workgroup = HOME
server string = Samba Server
security = USER


encrypt passwords = Yes
update encrypted = Yes
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
unix password sync = Yes
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
wins proxy = Yes
wins support = Yes
remote announce = 192.168.0.255
remote browse sync = 192.168.0.255
create mask = 0777
directory mask = 0777
printing = lprng

[數據中心]
comment = DATACENTER
path = /share/DATACENTER
read only = No
[/code:1:8c49f6d181]
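[color=red:8c49f6d181]Note: cp936 is Microsoft's Chinese standard for its disk systems, while gb2312 is China's national Chinese standard. The two differ slightly, and using cp936 on LINUX gives better compatibility with Chinese disk formats[/color:8c49f6d181]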

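10. PROFTPD
This one is familiar territory for me. I installed 1.2.9 (the latest version, currently no vulnerabilities) and compiled it
I'll just paste the configuration file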
[code:1:8c49f6d181]
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerType standalone
DefaultServer on
AllowRetrieveRestart on
AllowOverwrite on
AllowStoreRestart on
ServerIdent on "Welcome to PLATINUM's FTP !"
DefaultRoot ~
DisplayLogin .welcome
DisplayFirstChdir .message
UseReverseDNS off
IdentLookups off


SystemLog /var/log/ftp.syslog
TransferLog /var/log/ftp.transferlog
TransferRate RETR 20 group hMovie


# MaxClientsPerUser 10 "已超過最大上限 10 個guest用戶,請少后再試!"
# MaxClientsPerHost 4

# Port 21 is the standard FTP port.
Port 21

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 002

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 30

# Set the user and group under which the server will run.
User nobody
Group nobody

# Normally, we want files to be overwriteable.

AllowOverwrite on




DenyGroup hMovie




User guest
Group ftp
AllowOverwrite on
AllowRetrieveRestart on
AllowStoreRestart on
TransferRate RETR 10
# MaxClientsPerUser 30 "已超過最大上限 30 個guest用戶,請少后再試!"
# MaxClientsPerHost 4


Umask 000

DenyAll



[/code:1:8c49f6d181]

11. Network security


With the services set up, network security must not be neglected
This is my "bounce-back" firewall
[code:1:8c49f6d181]
#! /bin/bash
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/iptables -F -t filter
/sbin/iptables -F -t nat
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT

# ALLOW ALL in PRIVATE NET
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -j ACCEPT

# FTP
/sbin/iptables -A INPUT -m limit --limit 100/s --limit-burst 100 -p tcp --dport 21 -j ACCEPT

# SSH & TELNET
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# MAIL
/sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT

# VPN
#/sbin/iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
#/sbin/iptables -A INPUT -p gre -j ACCEPT

# WWW
/sbin/iptables -A INPUT -m limit --limit 100/s --limit-burst 100 -p tcp --dport 80 -j ACCEPT

# MYSQL
# /sbin/iptables -A INPUT -p tcp --dport 3306 -j ACCEPT

# SOCKS5
# /sbin/iptables -A INPUT -p tcp --dport 8039 -j ACCEPT

# ICMP(PING)
/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT
/sbin/iptables -A INPUT -p icmp --icmp-type ! echo-request -j ACCEPT

# NAT
/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE

# DNAT SQL-SERVER & RADMIN to PRIVATE NET
/sbin/iptables -A PREROUTING -t nat -p tcp -s ! 192.168.0.0/24 --dport 4899 -j DNAT --to 192.168.0.2:4899
/sbin/iptables -A PREROUTING -t nat -p tcp -s ! 192.168.0.0/24 --dport 5000 -j DNAT --to 192.168.0.3:4899
iptables -t nat -A PREROUTING -p tcp -m tcp -s 192.168.0.0/24 --dport 80 -j DNAT --to 192.168.0.1:3128

# DENY OTHERS
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


/sbin/iptables -A INPUT -j MIRROR
[/code:1:8c49f6d181]
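
The script above sets every policy to ACCEPT, places the ESTABLISHED,RELATED rule after the port rules, and ends with MIRROR, which the iptables manual describes as an experimental demonstration target. As an added example (not the author's script), here are filter rules for the same published services with default-deny policies and logging in place of MIRROR; eth1 as the LAN side comes from the script above, while the dry-run `IPT` variable and the function name are assumptions of this example. The nat rules and modprobe lines are unchanged and omitted.

```shell
#!/bin/bash
# Added example, not the author's script: default-deny filter rules for the
# same services. Assumption: eth1 is the LAN side, as in the script above.
# IPT defaults to a dry run that prints each rule; set IPT=/sbin/iptables to apply.
IPT="${IPT:-echo iptables}"
LAN_IF="eth1"
LAN_NET="192.168.0.0/24"
PUBLIC_TCP="21 22 25 80 110"   # ports the original script opens to everyone

filter_rules() {
    # Whatever is not accepted below is dropped by policy.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT
    $IPT -F FORWARD

    # Replies to tracked connections first (this also covers related ICMP errors).
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Loopback and the LAN interface stay trusted, as in the original.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -j ACCEPT

    # Only new TCP connections to the published services.
    for port in $PUBLIC_TCP; do
        $IPT -A INPUT -p tcp --syn --dport "$port" -m state --state NEW -j ACCEPT
    done

    # LAN clients may leave through NAT; the two DNAT destinations may be reached.
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    for host in 192.168.0.2 192.168.0.3; do
        $IPT -A FORWARD -p tcp -d "$host" --dport 4899 -m state --state NEW -j ACCEPT
    done

    # Log a sample of what the policy is about to drop instead of mirroring it.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
}

filter_rules
```
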

Finally finished writing. It wasn't easy, but these 17 hours were not wasted!



http://coctec.com/docs/linux/show-post-56550.html