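The boss has proposed that we stop using 2k
and switch to something like Linux.
I have only just started learning Solaris and don't want to go back and spend time reading up on iptables under Linux.
A question: does Solaris 9 have something like this? And squid?
If so, I'll just use Solaris 9 for NAT shared Internet access...
remoter replied at: 2003-12-18 15:16:13 |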
ipfilter
squid |
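stevens_wu replied at: 2003-12-18 16:20:02 |
I only know how to do NAT with BSD; I'm learning Solaris right now. |
carrison replied at: 2003-12-18 16:20:55 |
Sun doesn't ship these itself; download the source and compile it yourself. |
softarts replied at: 2003-12-18 16:38:47 |
It does, but why not use Linux??? |
peng replied at: 2003-12-18 17:01:28 |
You can use squid. |
suncn replied at: 2003-12-18 17:08:00 |
ipfilter is great! |
南非蜘蛛 replied at: 2003-12-18 17:12:57 |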
I think this is what you want:
http://www.kempston.net/solaris/nat

Configuring Network Address Translation on Solaris 7 and 8

THIS IS A DRAFT PAGE - NOT YET FINISHED!

This page contains detailed step-by-step instructions to configure a Solaris 7 or Solaris 8 system to act as a dial-up gateway for a local network consisting of any combination of Solaris, Windows and Linux systems. This gives internet access to all systems on a local network as if each system had its own connection to the Internet.

These instructions assume that the Solaris system has already been configured for dial-up access as described in Configuring PPP on Solaris to connect to an ISP, that the physical local network exists, that TCP/IP networking is installed on each local machine and that each machine can ping every other machine on the local network.

For the purpose of these instructions, it's assumed that each machine on the local network has been configured with a local network IP address from the private address range 192.168.1.1 to 192.168.1.254 and that the local network address of the Solaris system is 192.168.1.1. If you've used a different IP address range, simply substitute your own IP addresses for the addresses mentioned in this guide.

Network Address Translation (NAT)

A Solaris system on a local network has an IP address associated with its network interface card, perhaps 192.168.1.1, and all TCP/IP traffic between it and other machines on the local network is routed through this network interface. When the Solaris system is connected to the Internet through a dial-up PPP link, it has another IP address associated with its dial-up interface ipdptp0. This IP address may be a fixed static address but is more commonly a dynamic address assigned by the ISP when the dial-up connection is made.

It would be possible to assign a public IP address, probably from the ISP's address space, to each machine on a local network and arrange for the Solaris dial-up gateway to act as a router, forwarding packets from the local machines which arrive on its local network interface out through its dial-up network interface. But few ISPs are willing to allocate multiple IP addresses to dial-up customers and the private address ranges such as 192.168.1.1 to 192.168.1.254 are not routable on the Internet.

The solution is to run network address translation software on the Solaris system. In brief, the way this works is that the local machines are configured with a default route pointing at the Solaris system so that packets addressed to host machines on the Internet are sent first to the Solaris system. Solaris is configured as a router so that it receives incoming packets on its local network interface and sends them out on its dial-up interface. Before retransmitting the packets, the Solaris system performs network address translation, replacing the source address (of the sending machine on the local network) with its own dial-up interface address. The reverse happens with packets incoming from the Internet: the Solaris system receives these on its dial-up interface, checks from its tables which local machine the packet is destined for and replaces the destination address in the packet before retransmitting it on the local network.

The following instructions cover the installation and configuration of NAT software called ipfilter on the Solaris dial-up system and the configuration of DNS and a default route on the other machines on the local network. Specific instructions are provided for Solaris 7 and 8, Windows 95 and 98, and RedHat Linux 6.1. The general principle of setting a default route applies to other operating systems.

--------------------------------------------------------------------------------

Installing and configuring NAT on Solaris

Please note that you must be logged in as root while implementing these instructions.

1. Download the ipfilter source code:

The ipfilter software is supplied in source form and you need to compile it. This isn't difficult! Before doing so, you need to have installed the g(un)zip program and a C compiler. All of these are freely downloadable from the Net and instructions for installing C and gzip are here.

The source of ipfilter is available from http://coombs.anu.edu.au/ipfilter/ip-filter.html. At the time of writing, the latest version is 3.3.12 and the source code is provided as a compressed tar archive in the file ip-fil3.3.12.tar.gz.

2. Prepare the source code for compilation:

Make a directory at a convenient point in the file system to hold the source code and copy the source into this directory. For example:

    # mkdir -p /opt/source/ipfilter
    # cd /opt/source/ipfilter
    # cp /tmp/ip-fil3.3.12.tar.gz .

Unzip and untar the source and then change to the directory created by tar:

    # gunzip ip-fil*
    # tar xvf ip-fil*
    # cd ip_fil3.3.12

At this point, you may like to have a look at the README file which contains a short list of features.

3. Compile the source code:

Note that ipfilter cannot be compiled using the GNU "make" program. If you've installed this, make sure that the Solaris "make" program is found first:

    # which make
    /usr/ccs/bin/make

If the "which" command finds GNU make, you'll need to adjust your search path so that /usr/ccs/bin/make is found first.

Compile the ipfilter program:

    # make solaris

4. Network Address Translation Rules

A set of NAT rules has to be given to ipfilter to tell it how to translate IP addresses. A simple rule is:

    map ipdptp0 192.168.1.0/24 -> 50.50.50.50/32

and this is interpreted as follows:

"map ipdptp0" tells ipfilter to examine the source address of all packets about to be sent through the PPP dial-up interface ipdptp0 and change the source address if it matches the next element in the rule.

"192.168.1.0/24" is a standard way of denoting an IP address block. IP addresses consist of 32 bits and are written as four decimal numbers separated by dots. The "/24" denotes the number of bits which comprise the network part of the address and in this example is the 24 bits 192.168.1. So, 192.168.1.0/24 indicates that ipfilter should change the source address when it's in the range 192.168.1.1 to 192.168.1.254.

The rest of this rule, "-> 50.50.50.50/32" tells ipfilter to replace the source address in these packets with 50.50.50.50, the "/32" indicating that this is a host address.

Such a rule could be used to translate a local network of 192.168.1 so that all packets going out on the dial-up interface have the source address of the dial-up interface. There's a small complication in that most ISPs allocate dynamic unpredictable IP addresses to dial-up clients. IPfilter copes with this by allowing us to specify "0" as the address of the dial-up interface and it replaces this with the actual IP address assigned to the interface. So, a more general rule can be written as:

    map ipdptp0 192.168.1.0/24 -> 0/32

but it is necessary to run the command:

    # ipf -y

to refresh the actual address whenever a dial-up connection is made.

This one simple NAT rule is sufficient for most outgoing TCP/IP connections from the local network but it doesn't map source port numbers. It isn't strictly necessary to provide port mapping rules and ipfilter will, by default, simply select the next available local port when translating an IP address. But it's better to specify the range of source ports to be used as in the rule:

    map ipdptp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:40000

which tells ipfilter to use source port numbers in the range 10,000 to 40,000.

Another rule is needed to cope with active FTP. FTP is unusual in that one of its modes of operation requires the server to open a data port on the client and there's no general way of allowing incoming connections to a local network when using NAT. To cope with this requirement, ipfilter contains an FTP proxy which opens a hole to allow the server to connect back to the client. The format of this proxy rule is:

    map ipdptp0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp

NAT configuration rules are stored in the file /etc/opt/ipf/nat.conf and this file is created in the next step. If you're interested in a more complete discussion of NAT rules, the standard guide is the IP Filter Based Firewalls HOWTO.

5. Create the NAT configuration rules:

Use a text editor to create the file /etc/opt/ipf/nat.conf containing the following lines:

    map ipdptp0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
    map ipdptp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:40000
    map ipdptp0 192.168.1.0/24 -> 0/32

As described earlier, these rules provide access on the private network 192.168.1.1 - 192.168.1.254 through the Solaris NAT system to any host on the Internet via the dial-up ipdptp0 interface. The order of the rules is important and they must be specified exactly as shown above unless you're quite sure of the effect any differences will make. The first rule allows FTP access from all hosts on the local network to the Internet, the second rule maps high ports 10,000 to 40,000 for the local network and the third rule maps general TCP traffic to and from the local network and the Internet.

When the nat.conf file has been created, stop and restart the ipf software:

    # /etc/init.d/ipfboot stop
    # /etc/init.d/ipfboot start

5. Set up IP forwarding in the Solaris kernel:

Issue the following command to switch on IP forwarding in the Solaris kernel:

    # ndd -set /dev/tcp ip_forwarding 1

This tells Solaris to forward packets from one network to another and enables packets arriving on the local network interface to be forwarded out on the dial-up ipdptp0 interface and vice versa.

6. Setup the NAT tables when connected:

    # /sbin/ipnat -C -f /etc/opt/ipf/nat.conf
    # /sbin/ipf -y

--------------------------------------------------------------------------------

Configuring Windows 95 and 98 to use the Solaris gateway

--------------------------------------------------------------------------------

Further sources of information

Further information about ipfilter is available from the following sources:

The IP Filter Based Firewalls HOWTO by Brendan Conoboy and Erik Fichtner
The Solaris IPNAT Howto by Rachel Polanskis

--------------------------------------------------------------------------------

Has this guide been useful?

I hope these instructions prove useful. If you have any comments or suggestions for improvement, or have found any technical errors, please email me at mike@kempston.net

This page is copyright © mike@kempston.net 2000. Reproduction is forbidden without the author's permission. You are welcome to link to these pages if you wish but please point to the pages at www.kempston.net: Solaris Resources at Kempston |
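The guide quoted above stresses that the three nat.conf rules must stay in the order shown and that they translate a private source block. The following Python check is an added example, not part of the original post or the quoted guide; the function names, the ordering table and the treatment of "#" lines as comments are assumptions made for illustration, and it only understands the three rule forms the guide shows.

```python
import ipaddress
import re

# Constructed sample: the three rules from step 5, in the guide's order.
NAT_CONF = """\
map ipdptp0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map ipdptp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:40000
map ipdptp0 192.168.1.0/24 -> 0/32
"""

RULE = re.compile(r"^map\s+(\S+)\s+(\S+)\s+->\s+(\S+)(?:\s+(.*))?$")
ORDER = {"proxy": 0, "portmap": 1, "plain": 2}  # order used in the guide

def parse(text):
    """Return (iface, source_net, target, kind, options) for each map rule."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):  # assumed comment syntax
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"line {n}: not a map rule: {line!r}")
        iface, src, dst, opts = m.groups()
        opts = (opts or "").split()
        kind = opts[0] if opts else "plain"
        if kind not in ORDER:
            raise ValueError(f"line {n}: unknown option {kind!r}")
        rules.append((iface, ipaddress.ip_network(src), dst, kind, opts))
    return rules

def lint(text, wan_if="ipdptp0"):
    """List problems: wrong interface, public source, bad ports, bad order."""
    rules, findings = parse(text), []
    for i, (iface, src, _dst, kind, opts) in enumerate(rules, 1):
        if iface != wan_if:
            findings.append(f"rule {i}: interface {iface} is not {wan_if}")
        if not src.is_private:
            findings.append(f"rule {i}: source {src} is not a private range")
        if kind == "portmap":  # expects the lo:hi form shown in the guide
            lo, hi = (int(p) for p in opts[-1].split(":"))
            if not 1 <= lo < hi <= 65535:
                findings.append(f"rule {i}: bad port range {lo}:{hi}")
    ranks = [ORDER[r[3]] for r in rules]
    if ranks != sorted(ranks):
        findings.append("rule order: expected proxy, then portmap, then plain")
    return findings

if __name__ == "__main__":
    print(lint(NAT_CONF) or "nat.conf OK")
```

Running it against a candidate file before `ipnat -C -f` catches a reordered rule set or a mistyped source block without touching the live NAT table.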
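peng replied at: 2003-12-18 17:14:54 |
Impressive. My idol, this is really deep... |
南非蜘蛛 replied at: 2003-12-18 17:22:18 |
[quote="peng"]Impressive. My idol, this is really deep...[/quote]
You are my idol |
carrison replied at: 2003-12-18 18:26:42 |
Just too good, you've practically become a wizard |
stevens_wu replied at: 2003-12-18 18:51:37 |
Respect, respect! |
阿修罗 replied at: 2003-12-18 22:46:06 |
Solaris 8 ships with sunscreen lite.
Solaris 9 ships with sunscreen (not lite, more complete). Both can act as a firewall and do NAT, and can be configured through a graphical interface; docs.sun.com has the relevant manuals. BTW, I compile ipfilter myself, hehe |
netzsj replied at: 2003-12-18 23:18:51 |
[quote="softarts"]It does, but why not use Linux???[/quote]
I have only just started learning Solaris; Linux I have only installed occasionally to play with, and I don't know how to configure it. If Solaris can do it, why should I spend extra time studying Linux? |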
Article source: 领测软件测试网 https://www.ltesting.net/