Adding an IPv6 address to a Linode VPS

[Uncategorized 2010/01/22 18:06 | by suibing ]
CentOS
/etc/sysconfig/network

       NETWORKING_IPV6=yes
       IPV6_DEFAULTDEV="tun6to4"
/etc/sysconfig/network-scripts/ifcfg-eth0

       IPV6INIT="yes"
       IPV6TO4INIT="yes"
       IPV6TO4_RELAY="192.88.99.1"
Restart your networking (/etc/init.d/network restart) and then take a look at your ifconfig. You can then try "ping6 ipv6.chat.freenode.net" (or another host of choice) to test your connectivity.



Source: http://www.linode.com/wiki/index.php/IPv6#CentOS
A side effect of this method is that only root can use sftp!

Create the group, create the user and set the password:
groupadd SSHTunnel
useradd -g SSHTunnel -s /bin/bash -d /home/tunnel TunnelUser1
passwd TunnelUser1
Set the sftp permissions:
chmod 700 /usr/lib/openssh/sftp-server
Add to /etc/ssh/sshd_config:
Match Group SSHTunnel
        AllowTcpForwarding yes
        ForceCommand sh /home/tunnel/tunnelshell.sh
Download and set up the login script:
wget https://chencp.info/tunnelshell.sh --no-check-certificate -O /home/tunnel/tunnelshell.sh
ln -s /home/tunnel/tunnelshell.sh /home/tunnel/.profile
Finally, restart sshd:
/etc/init.d/ssh restart
That's it; after logging in, users can still run the passwd command to change their password.

To add another user:
useradd -g SSHTunnel -s /bin/bash -d /home/tunnel <username>
passwd <username>
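As an added example (not the tunnelshell.sh the post downloads, whose contents are not on this page), here is one way such a forced-command script can be written so that a tunnel user can only hold the session open or run passwd. It relies on sshd passing the client's requested command to the ForceCommand in SSH_ORIGINAL_COMMAND; the script name check at the end is an assumption matching the post's "sh /home/tunnel/tunnelshell.sh".

```shell
#!/bin/sh
# Added example of a restricted login script for the "Match Group SSHTunnel" block.
# This is NOT the post's tunnelshell.sh; it is an assumed stand-in that allows only
# the two things the post says tunnel users can do: keep a session open (so the
# port forwarding stays up) or change their own password.

# Map the requested command to an action. Prints the action; returns 1 if refused.
dispatch() {
    case "$1" in
        "" | tunnel) echo hold ;;    # interactive login with no command: keep session alive
        passwd)      echo passwd ;;  # let the user change their own password
        *)           echo deny; return 1 ;;
    esac
}

# Keep the session alive until the client disconnects; no shell is ever reachable.
hold_session() {
    echo "Tunnel session open; press Ctrl-C or close the client to disconnect."
    trap 'exit 0' INT TERM HUP
    while :; do sleep 60; done
}

main() {
    action=$(dispatch "${SSH_ORIGINAL_COMMAND:-}") || {
        echo "command not allowed: ${SSH_ORIGINAL_COMMAND}" >&2
        exit 1
    }
    case "$action" in
        passwd) exec /usr/bin/passwd ;;
        hold)   hold_session ;;
    esac
}

# Only act when run as the ForceCommand script itself (sh /home/tunnel/tunnelshell.sh).
case "$0" in
    *tunnelshell.sh) main ;;
esac
```

Check that the Match block really applies to a tunnel user with `sshd -T -C user=TunnelUser1 | grep -i forcecommand` before relying on it.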

Proxmox network configuration

[Uncategorized 2010/01/19 18:54 | by suibing ]
Default Configuration (bridged)

The installation program creates a single bridge (vmbr0), which is connected to the first ethernet card (eth0).

auto lo
iface lo inet loopback

auto vmbr0
iface vmbr0 inet static
        address 192.168.10.2
        netmask 255.255.255.0
        gateway 192.168.10.1
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0

The virtual machine behaves as if it were directly connected to the physical network.
Routed Configuration

Most hosting providers do not support the above setup. For security reasons they stop networking as soon as they detect multiple MAC addresses.

A common setup is that you get a public IP (assume 192.168.10.2 for this example) and additional IP blocks for your VMs (10.10.10.1/255.255.255.0). For that situation we recommend the following setup.

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address  192.168.10.2
        netmask  255.255.255.0
        gateway  192.168.10.1
        post-up echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp


auto vmbr0
iface vmbr0 inet static
        address  10.10.10.1
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0


Masquerading

Sometimes you want to use private IPs and masquerade the traffic:

auto vmbr1
iface vmbr1 inet static
        address  10.10.11.1
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '10.10.11.0/24' -o eth0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.11.0/24' -o eth0 -j MASQUERADE

Unsupported Routing

A physical NIC (e.g., eth1) cannot currently be made available exclusively to a particular KVM guest or container, i.e., without a bridge and/or bond.
Naming Conventions

    * Ethernet devices: eth0 - eth99
    * Bridge names: vmbr0 - vmbr9
    * Bonds: bond0 - bond9
    * VLANs: simply add the VLAN number to the ethernet device name, separated by a period, for example "eth0.50"


The above is the configuration from the official website; below is my own.


auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address  192.168.2.202
        netmask  255.255.255.0
        gateway  192.168.2.1
        post-up iptables -t nat -A POSTROUTING -o eth0 -s 10.0.1.0/24 -j MASQUERADE
        post-up iptables -t nat -A PREROUTING -p tcp -d 192.168.2.202 --dport 4321 -i eth0 -j DNAT --to-destination 10.0.1.2:3389
        post-down iptables -t nat -D POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE
        # also remove the DNAT rule, otherwise it is duplicated on every ifdown/ifup cycle
        post-down iptables -t nat -D PREROUTING -p tcp -d 192.168.2.202 --dport 4321 -i eth0 -j DNAT --to-destination 10.0.1.2:3389

auto vmbr0
iface vmbr0 inet static
        address  10.0.1.1
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0




The reason for dropping post-up echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp is that proxy_arp causes some network problems; iptables works better.

Learning iptables on Debian

[Uncategorized 2010/01/19 14:22 | by suibing ]
1. Configure the two NICs on the Debian machine. I set eth0 as the public-facing IP and eth1 as the internal one:
vim /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 172.18.30.187
netmask 255.255.255.0
gateway 172.18.30.1

auto eth1
iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0

2. Run: echo 1 > /proc/sys/net/ipv4/ip_forward
I remember from when I first learned this that the setting has to be saved, otherwise the value reverts to 0 after a reboot, but I had forgotten how. Frustrating again.
Later I added the following line to /etc/sysctl.conf:
net.ipv4.ip_forward = 1   and it took effect after a reboot. Heh!!



3. Run: iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to 172.18.30.187



At this point a simple router is up and running.

But once the system reboots, forwarding stops. Annoying; it took a long time of Googling to find a way to save the iptables rules.



4. Save the rules: iptables-save > /etc/network/iptables



5. Add the following line under the eth0 stanza in /etc/network/interfaces so the rules are loaded automatically at boot:



up /sbin/iptables-restore /etc/network/iptables

A couple of days ago I got iptables installed and working, but without any policy; I have since learned some rules and am noting them down here.
My approach is to set the INPUT default policy to DROP and then open what is needed; FORWARD is also set to DROP; OUTPUT gets no policy for now.
1. Set the default policy to DROP
iptables -P INPUT DROP
2. Open ssh. I always work on the server remotely, so I installed ssh and changed its port to 6789.
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 6789 -j ACCEPT
TCP/IP is two-way: whatever goes out must come back in, and whatever comes in must go back out. The port rule alone does not account for that.
-m state --state ESTABLISHED plays the important role here: it lets the remote host's replies back in after a connection has gone out.

3. Now the machine can be managed over ssh. Since my Debian box also runs DNS and Samba for study, to make this server more useful I also need to open these ports:
iptables -A INPUT -p tcp -m multiport --dports 139,445 -j ACCEPT
iptables -A INPUT -p udp -m multiport --dports 137,138 -j ACCEPT   (NetBIOS name and datagram services are UDP)
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 88 -j ACCEPT   (because my Samba is integrated with AD and needs krb5 authentication)
4. Allow ping
iptables -A INPUT -p icmp -j ACCEPT
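An added example, not from the post: a script that emits the whole policy above in iptables-save format, so it can be written to /etc/network/iptables and loaded by the post's "up /sbin/iptables-restore /etc/network/iptables" line instead of being re-typed. The loopback rule and the two FORWARD rules are additions the post does not show; the rule file path and the script name rules.sh are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): the policy above in iptables-save format,
# ready for the post's "up /sbin/iptables-restore /etc/network/iptables" line.
# Loopback and FORWARD rules are additions: with FORWARD defaulting to DROP,
# the SNAT router from step 3 only keeps forwarding if they are present.
SSH_PORT=6789
LAN_IF=eth1
LAN_NET=192.168.1.0/24
WAN_IF=eth0
WAN_IP=172.18.30.187

# Print the complete ruleset (nat and filter tables) in iptables-save format.
build_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -j SNAT --to-source ${WAN_IP}
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT
-A INPUT -p tcp -m multiport --dports 139,445 -j ACCEPT
-A INPUT -p udp -m multiport --dports 137,138 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 88 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -j ACCEPT
-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Number of rules the file would load: a quick sanity check before installing.
rule_count() {
    build_ruleset | grep -c '^-A '
}

# Usage: sh rules.sh print, or sh rules.sh install (writes /etc/network/iptables)
case "${1:-}" in
    print)   build_ruleset ;;
    install) build_ruleset > /etc/network/iptables && echo "installed $(rule_count) rules" ;;
esac
```

Run `sh rules.sh print | iptables-restore --test` as root to have iptables parse the file without applying it.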
After converting the forum, all of the old links stopped working, so the rewrite rules had to be written again to keep the old links valid.

url.rewrite = (
    "^/archiver/((fid|tid)-[\w\-]+\.html)$" => "archiver/index.php?$1",
    "^/forum-([0-9]+)-([0-9]+)\.html$" => "forumdisplay.php?fid=$1&page=$2",
    "^/thread-([0-9]+)-([0-9]+)-([0-9]+)\.html$" => "viewthread.php?tid=$1&extra=page=$3&page=$2",
    "^/space-(username|uid)-(.+)\.html$" => "space.php?$1=$2",
    "^/tag-(.+)\.html$" => "tag.php?name=$1",
    "^(.*)/read-htm-tid-([0-9]+)\.html$" => "$1/viewthread.php?tid=$2",
    "^(.*)/read\.php\?tid-([0-9]+)\.html$" => "$1/viewthread.php?tid=$2",
    "^(.*)/thread-htm-fid-([0-9]+)\.html$" => "$1/forumdisplay.php?fid=$2",
    "^(.*)/thread-htm-fid-([0-9]+)-type-([0-9]+)\.html$" => "$1/forumdisplay.php?fid=$2&filter=type&typeid=$3",
    "^(.*)/thread-htm-fid-([0-9]+)-search-digest\.html$" => "$1/forumdisplay.php?fid=$2&filter=digest",
    "^(.*)/profile-htm-action-show-(username|uid)-(.*)\.html$" => "$1/space.php?action=viewpro&$2=$3",
    "^(.*)/thread-htm-fid-([0-9]+)([a-z\-]+)([0-9]+)\.html$" => "$1/forumdisplay.php?fid=$2&page=$4",
    "^(.*)/read-htm-tid-([0-9]+)-page-([0-9]+)-fpage-([0-9]+)\.html$" => "$1/viewthread.php?tid=$2&extra=page%3D1&page=$3",
    "^(.*)/read\.php\?tid=([0-9]+)$" => "$1/viewthread.php?tid=$2",
    "^(.*)/thread\.php\?fid=([0-9]+)$" => "$1/forumdisplay.php?fid=$2",
    "^(.*)/thread\.php\?fid=([0-9]+)&type=([0-9]+)$" => "$1/forumdisplay.php?fid=$2&filter=type&typeid=$3",
    "^(.*)/thread\.php\?fid=([0-9]+)&search=digest$" => "$1/forumdisplay.php?fid=$2&filter=digest",
    "^(.*)/simple/index\.php\?(t|f)([0-9]+\.html)$" => "$1/archiver/?$2id-$3",
    "^(.*)/profile\.php\?action=show&(username|uid)=(.*)$" => "$1/space.php?action=viewpro&$2=$3",
    "^(.*)/thread\.php\?fid=([0-9]+)([a-zA-Z=&]+)([0-9]+)$" => "$1/forumdisplay.php?fid=$2&page=$4",
    "^(.*)/read\.php\?tid=([0-9]+)&page=([0-9]+)&fpage=([0-9]+)$" => "$1/viewthread.php?tid=$2&extra=page%3D1&page=$3"
)