Nearly all modern Linux distributions ship MASQ-ready, but it is always worth checking your system before you try to set it up. Follow these few steps to confirm that your kernel is MASQ-ready.
To see which kernel your system is running, run

uname -a
For clarity: 2.4.x kernels use IPTABLES :: 2.2.x kernels use IPCHAINS :: 2.0.x kernels use IPFWADM
In general, you need kernel support for at least the following:

IP forwarding
IP masquerading
IP firewalling
etc.
You also need most of the MASQ-related modules compiled (most modular kernels already have everything you need, in which case you will not have to recompile the kernel). If you are not sure whether your Linux distribution is MASQ-ready, do the following:
2.4.x kernels (look for most of the following entries in the longer list)

Logged into the Linux box, run the command "ls /proc/sys/net/ipv4". These items are required and should be present regardless of whether your kernel has IPMASQ built as modules or statically linked:

ip_dynaddr
ip_forward

To find out whether IPMASQ is compiled statically into the kernel rather than as modules, first run "/sbin/lsmod" and look for loaded modules like the ones listed further below. None loaded? Then run "ls /proc/net/" and check whether /proc files such as the following exist (they appear when the code is built in, or once the modules are loaded):

ip_masquerade
ip_conntrack
ip_tables_names

If your kernel uses IPTABLES via modules, most of the files listed above will be absent (because the modules may simply not be loaded yet). Run the command "ls /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/" and you should see files such as

ip_conntrack.o, ip_conntrack_ftp.o, ip_conntrack_irc.o, ip_nat_ftp.o, ip_nat_irc.o
ip_tables.o, ipt_MASQUERADE.o, iptable_nat.o, iptable_mangle.o, iptable_filter.o

plus some optional ones such as ipchains.o, ipt_REJECT.o, and ipt_tcpmss.o
2.2.x kernels (look for most of the following entries in the longer list)

Logged into the Linux box, run the command "ls /proc/sys/net/ipv4". These items are required and should be present regardless of whether your kernel has IPMASQ built as modules or statically linked:

ip_always_defrag
ip_dynaddr
ip_forward
ip_masq_debug
ip_masq_udp_dloose (some distributions do not support this option; ignore it for now)

Other 2.2.x options can be checked by running "ls /proc/net/"

ip_fwchains
ip_fwnames
ip_masquerade

More 2.2.x options can be checked by running "ls /proc/net/ip_masq/" (the 2.2.x masquerading code keeps its per-protocol tables in that subdirectory)

app
icmp
icq
mfw
portfw
tcp
udp
2.0.x kernels (look for most of the following entries in the longer list)

Logged into the Linux box, run the command "ls /proc/sys/net/ipv4". These items are required and should be present regardless of whether your kernel has IPMASQ built as modules or statically linked:

ip_dynaddr
ip_forward

Run "ls /proc/net"

ip_forward
ip_masq_app
ip_masquerade
ip_portfw
Ultimately, it comes down to whether /proc files such as "ip_forward", "ip_masq_debug", "ip_masq_udp_dloose" (optional) and "ip_always_defrag" (optional) exist.
So: does your kernel show most of the /proc entries or kernel modules listed above for its series? If so, great! If you cannot find any of the entries above, or are not sure whether your distribution supports IP Masquerade by default, assume that it does not. As a last check, look at Section 7.1 to see whether your Linux distribution is listed. Still nothing? It sounds like you need to compile a kernel, but do not worry: it is not hard.

Whether or not your current kernel supports MASQ, reading the rest of this section is still strongly recommended, because it contains other useful information.
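The checks above, automated as one POSIX shell script. This is an added example and not part of the HOWTO: the function names (masq_tool_for_kernel, check_entries, masq_ready) are my own, the ROOT argument is a testing convenience so the same checks can be pointed at a scratch directory instead of the live /proc and /lib/modules, and the 2.4.x module list is the subset of the netfilter module files named above.

```shell
#!/bin/sh
# Added example (not from the HOWTO): script the MASQ-readiness checks.

# masq_tool_for_kernel RELEASE: map a kernel release string (as printed by
# "uname -r") to the userspace firewall tool that kernel series uses.
masq_tool_for_kernel() {
    case "$1" in
        2.4.*) echo iptables ;;
        2.2.*) echo ipchains ;;
        2.0.*) echo ipfwadm ;;
        *)     echo unknown ;;
    esac
}

# check_entries ROOT DIR NAME...: verify that every NAME exists under ROOT/DIR.
# ROOT is "" on a live system; the test harness passes a scratch directory.
# Prints each missing entry and returns 0 only if all are present.
check_entries() {
    root=$1; dir=$2; shift 2
    missing=0
    for name in "$@"; do
        if [ ! -e "$root$dir/$name" ]; then
            echo "missing: $dir/$name"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# masq_ready ROOT RELEASE: run the kernel-series-specific checks described
# in this section. Returns 0 if the kernel looks MASQ-ready.
masq_ready() {
    root=$1; kver=$2
    tool=$(masq_tool_for_kernel "$kver")
    status=0
    # Needed whether MASQ is static or modular.
    check_entries "$root" /proc/sys/net/ipv4 ip_forward ip_dynaddr || status=1
    case "$tool" in
        iptables)
            # Static build: the /proc/net files exist. Modular build: they do not
            # until the modules load, so fall back to the module files on disk.
            if ! check_entries "$root" /proc/net ip_conntrack ip_tables_names >/dev/null; then
                check_entries "$root" "/lib/modules/$kver/kernel/net/ipv4/netfilter" \
                    ip_tables.o iptable_nat.o ipt_MASQUERADE.o ip_conntrack.o || status=1
            fi ;;
        ipchains)
            check_entries "$root" /proc/net ip_fwchains ip_fwnames ip_masquerade || status=1 ;;
        ipfwadm)
            check_entries "$root" /proc/net ip_forward ip_masquerade ip_masq_app || status=1 ;;
        *)
            echo "unsupported kernel series: $kver"; status=1 ;;
    esac
    return $status
}

# Live use: masq_ready "" "$(uname -r)" && echo "kernel is MASQ-ready"
```

On a modular 2.4.x kernel a clean "missing: /proc/net/ip_conntrack" is expected before the modules are loaded, which is why the script only fails when the module files are absent too.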
First, you need some 2.4.x kernel source (preferably the latest kernel version; in the Linux world, newer is *better*).

Note #1: As the 2.4.x kernel series and the iptables program develop, the compile configuration options change over time. As of this version of the IPMASQ HOWTO, this section reflects the setup for IPTABLES 1.2.7a and the 2.4.20 kernel. If you are compiling against a newer or older kernel or IPTABLES version, the dialogs and even the commands may look different. Updating to the latest kernel and IPTABLES versions is recommended for the kernel's functionality, performance and stability.

Next, depending on the versions of the Linux kernel and IPTABLES archives you downloaded, you may need to apply some of the IPTABLES "patch-o-matic" patches to the kernel. These optional patches can fix some known problems, add extra features you might need (the H.323 protocol, specific fixes for network games), etc. Note that the Patch-O-Matic patches used to ship inside the IPTABLES archive. That is no longer the case; you must download them separately (if available). The various URLs for downloading IPTABLES, the Patch-o-matic system, etc. are in Section 2.6.

If this is the first time you have compiled a kernel, do not be afraid. It is actually fairly easy, and it is covered by several of the URLs found in Section 2.6. Note that the instructions included here are only one way of building a kernel; see the Kernel HOWTO for full details.

Note: Putting new kernel source into the /usr/src/linux directory is NOT recommended. You should keep the original kernel source that came with your Linux distribution in /usr/src/linux. For more details on this topic, read the "README" file in the top-level directory of the kernel source.
For this HOWTO's example, create a directory called /usr/src/kernel. Next, "cd" into it and download the latest 2.4.x kernel source there. Before unpacking, verify the archive against the signature or checksum published alongside it, so that you are not building a firewall from a tampered tarball. Once downloaded and verified, issue the command (if the file ends in .tar.gz) tar xvzf linux-2.4.x.tar.gz or (if the file ends in .tar.bz2) tar xyvf linux-2.4.x.tar.bz2. Replace the "x" in the 2.4.x filename with the version of the Linux 2.4 kernel you downloaded.

BZ2 NOTE: Some Linux distributions use the "I" option instead of the "y" option to decompress bzip2 archives; current GNU tar uses "j" (tar xjvf) and will also detect the compression on its own with a plain "tar xvf".

Once decompressed, I recommend renaming the directory from the default "linux" to "linux-2.4.x" (replace "x" with the specific version of your newly installed kernel) to make things clearer. To do this, run the command "mv linux linux-2.4.x". Next, make sure a directory or symbolic link named "/usr/src/kernel/linux" exists, i.e. run the command

ln -s /usr/src/kernel/linux-2.4.x /usr/src/kernel/linux
As mentioned above, you may want to consider applying any appropriate or optional patches to the kernel's MASQ code before compiling the final kernel. The IP MASQ code found in the stock kernel is already very capable and does not need any specific patches to make the system usable with NAT-friendly network applications. Many of these patches only fix possible known bugs, add new features (some of them /very/ cool), etc. See Section 2.6 and the IP Masquerade Resources for the latest information and patch URLs.
Applying the IPTABLES and Patch-o-Matic kernel patches
Download the iptables package and the optional Patch-O-Matics from Section 2.6 and put them in a directory such as "/usr/src/archive/netfilter". Next, change into this new netfilter directory and decompress the iptables archives with the commands

tar xyvf iptables-x.y.z.tar.bz2
tar xyvf patch-o-matic-x.tar.bz2

Now, change into the new iptables-x.y.z directory (/usr/src/archive/netfilter/iptables-x.y.z) and run the command

#For iptables v1.2.7a:
make KERNEL_DIR=/usr/src/kernel/linux

#For iptables v1.2.4 (when Patch-o-matic was built-in):
make pending-patches KERNEL_DIR=/usr/src/kernel/linux

Note: This assumes that your 2.4.x kernel source is in the /usr/src/kernel/linux directory.

Note #2: If you append a "/" to the end of the command line above, you will get an error saying

"make: *** [/usr/src/kernel/linux/include/asm/socket.h] Error 1".
Here is an example of compiling IPTABLES v1.2.7a. Your output may differ depending on the version you are using.

# make KERNEL_DIR=/usr/src/kernel/linux
Extensions found:
cc -O2 -Wall -Wunused -I/usr/src/kernel/linux/include -Iinclude/ -DIPTABLES_VERSION=\"1.2.7a\" -fPIC -o extensions/libipt_ah_sh.o -c extensions/libipt_ah.c
ld -shared -o extensions/libipt_ah.so extensions/libipt_ah_sh.o
cc -O2 -Wall -Wunused -I/usr/src/kernel/linux/include -Iinclude/ -DIPTABLES_VERSION=\"1.2.7a\" -fPIC -o extensions/libipt_conntrack_sh.o -c extensions/libipt_conntrack.c
ld -shared -o extensions/libipt_conntrack.so extensions/libipt_conntrack_sh.o
cc -O2 -Wall -Wunused -I/usr/src/kernel/linux/include -Iinclude/ -DIPTABLES_VERSION=\"1.2.7a\" -fPIC -o extensions/libipt_dscp_sh.o -c extensions/libipt_dscp.c
extensions/libipt_dscp_helper.c:69: warning: `dscp_to_name' defined but not used
ld -shared -o extensions/libipt_dscp.so extensions/libipt_dscp_sh.o
.
.
.
cc -O2 -Wall -Wunused -I/usr/src/kernel/linux/include -Iinclude/ -DIPTABLES_VERSION=\"1.2.7a\" -c -o libipulog/libipulog.o libipulog/libipulog.c
ar rv libipulog/libipulog.a libipulog/libipulog.o
a - libipulog/libipulog.o
rm libiptc/libip6tc.o libiptc/libip4tc.o libipulog/libipulog.o libipq/libipq.o
Ok, hopefully the IPTABLES program compiled for you. Now you need to install it. To do this, stay in the same directory and run the command

make install KERNEL_DIR=/usr/src/kernel/linux

Here is an example of installing IPTABLES v1.2.7a. Your output may differ depending on the version you are using.

# make install KERNEL_DIR=/usr/src/kernel/linux
cp iptables /usr/local/sbin/iptables
cp iptables-save /usr/local/sbin/iptables-save
cp iptables-restore /usr/local/sbin/iptables-restore
cp ip6tables /usr/local/sbin/ip6tables
cp extensions/libipt_ah.so /usr/local/lib/iptables/libipt_ah.so
cp extensions/libipt_conntrack.so /usr/local/lib/iptables/libipt_conntrack.so
cp extensions/libipt_dscp.so /usr/local/lib/iptables/libipt_dscp.so
cp extensions/libipt_ecn.so /usr/local/lib/iptables/libipt_ecn.so
cp extensions/libipt_esp.so /usr/local/lib/iptables/libipt_esp.so
cp extensions/libipt_helper.so /usr/local/lib/iptables/libipt_helper.so
.
.
.
cp extensions/libip6t_udp.so /usr/local/lib/iptables/libip6t_udp.so
cp extensions/libip6t_LOG.so /usr/local/lib/iptables/libip6t_LOG.so
cp extensions/libip6t_MARK.so /usr/local/lib/iptables/libip6t_MARK.so
Next, if you are interested in applying the Patch-O-Matic patch set, change into the patch-o-matic-X directory (/usr/src/archive/netfilter/patch-o-matic-X) and run the command

#For Patch-O-Matic later than the release of iptables v1.2.7a:
KERNEL_DIR=/usr/src/kernel/linux ./runme pending

Note #1: The "pending" batch is the most common one for IPMASQ functionality, but there are several others; see below.

Note #2: This assumes that your 2.4.x kernel source is in the /usr/src/kernel/linux directory.

Note #3: If you append a "/" to the end of the command line, you will get an error saying

"make: *** [/usr/src/kernel/linux/include/asm/socket.h] Error 1". Remove the trailing "/" and try again.
Here is an example of the Patch-O-Matic prompts you might get for a 2.4.20 kernel and the "20030107" Patch-O-Matic set. You can also run the "runme" program in batch mode to speed things up, add experimental patches, etc. if you wish. To get a better idea of your options, just run the "./runme" command by itself. Note that these prompts change over time.

Welcome to Rusty's Patch-o-matic!

Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so I don't recommend applying them all!
-------------------------------------------------------
Already applied: submitted/01_2.4.19
                 submitted/02_2.4.20
                 submitted/ipt_ULOG-mac_len-fix
                 submitted/ipt_multiport-invfix
                 pending/01_ip_conntrack_proto_tcp-lockfix
                 pending/02_newnat-udp-helper
                 pending/03_REJECT-fwspotting-phrack60-fix
                 pending/04_ftp-conntrack-msg-fix

Testing... 05_ECN-tcpchecksum-littleendian-fix.patch NOT APPLIED (1 rejects out of 1 hunks)
The pending/05_ECN-tcpchecksum-littleendian-fix patch:
   Author: Patrick McHardy
   Status: Pending for kernel inclusion

   The 2.4.20 kernel included the new iptables 'ECN' target, enabling a
   selective ECN disable mechanism. Unfortunately there was a bug in the
   incremental TCP checksum update, resulting in broken TCP checksums on
   little endian machines. This patch fixes the Bug.

Testing patch pending/05_ECN-tcpchecksum-littleendian-fix.patch...
Patch pending/05_ECN-tcpchecksum-littleendian-fix.patch applied cleanly.
Applying patch pending/05_ECN-tcpchecksum-littleendian-fix.patch...
Patch pending/05_ECN-tcpchecksum-littleendian-fix.patch applied cleanly.

Excellent!  Kernel is now ready for compilation.

If all the patches applied cleanly, you should see text like

Excellent! Kernel is now ready for compilation.

at the bottom of the screen. Beyond that, there is nothing to install at this point; the next step is to compile the newly patched kernel.
Ok, the new kernel is now ready to be compiled, but you should make sure (just to be safe) that a properly matching iptables program is also installed on your machine. Run the command

whereis iptables

Note that "make install" puts the new binary in /usr/local/sbin. If your distribution also ships an iptables in /sbin, the one that actually runs is decided by your PATH order, and an older binary may not understand the newer kernel's modules; check which copy you get with "which iptables" and compare the versions reported by "iptables -V".
Now that the kernel source is patched, you need to configure it for the kinds of features you need (HD support, network support, MASQ support, etc.). Below are the minimum kernel configuration options needed to enable IP Masquerade functionality. Please understand that this HOWTO only illustrates one way of configuring and compiling a kernel (modules vs. static). The main difference between this example and the ones given by other MASQ HOWTOs is that some people prefer to compile kernel components as modules while others compile them monolithically into the kernel. Basically, compiling things as modules gives you more flexibility over what is and is not loaded into the kernel (less unnecessary memory use for things you do not or will not use, and modules also allow plug-and-play software upgrades, usually without rebooting the machine). On the other hand, kernel modules add complexity to the configuration, and sometimes the kernel autoloader can make mistakes (not that I have ever seen that happen). Compiling things directly into the kernel keeps things simpler, but you lose a lot of flexibility. The kernel configuration example below is a mix of kernel module selections and monolithic builds (you probably always want the MASQ functionality available).

Side note: It is assumed that you are also configuring the kernel for the other hardware you have installed, such as USB printers, Ethernet network interfaces, SCSI and IDE HD controllers, etc. For detailed help on compiling kernels, see the Linux Kernel HOWTO and the kernel source's "README" file and "Documentation/" directory.

You will need to answer YES, NO, or MODULE to the following prompts. Not all options are available without the proper kernel patches described later in this HOWTO. That should not be a problem, since most of the third-party patches only apply to a very select group of users.

Run the following commands to configure your kernel

cd /usr/src/kernel/linux
make menuconfig

Note that the kernel prompts below reflect the 2.4.14 kernel (plus some optional Patch-O-Matic additions). Please read the recommendations below carefully.
[ Code maturity level options ]
* Prompt for development and/or incomplete code/drivers (CONFIG_EXPERIMENTAL) [Y/n/?]
  - YES: though not required for IP MASQ, this option allows the kernel to create the MASQ modules and enable the option for port forwarding

[ Loadable module support ]
* Enable loadable module support (CONFIG_MODULES) [Y/n/?]
  - YES: allows you to load kernel IP MASQ modules
* Set version information on all module symbols (CONFIG_MODVERSIONS) [Y/n/?]
  - YES: allows newer kernels to load older modules if possible
* Kernel module loader (CONFIG_KMOD) [Y/n/?]
  - OPTIONAL: Recommended: allows the kernel to load various kernel modules as it needs them

== Non-MASQ options skipped == (CPU type, memory, SMP, FPU, specific stuff)

[ General setup ]
* Networking support (CONFIG_NET) [Y/n/?]
  - YES: Enables the network subsystem
== Non-MASQ options skipped == (specific hardware, PCI, kernel binaries, PCMCIA, etc.)
* Sysctl support (CONFIG_SYSCTL) [Y/n/?]
  - YES: Enables the ability to enable/disable options such as forwarding, dynamic IPs, etc. via the /proc interface

[ Block devices ]
== Non-MASQ options skipped == (kernel binaries, power management, PnP, RAID, etc.)
== Don't forget to compile in support for hardware that you might need:
==   IDE controllers, HDs, CDROMs, etc.

[ Networking options ]
* Packet socket (CONFIG_PACKET) [Y/m/n/?]
  - YES: Though this is OPTIONAL, this recommended feature will allow you to use TCPDUMP to debug any problems with IP MASQ
* Packet socket: mmapped IO (CONFIG_PACKET_MMAP) [N/y/?] y
  - YES: Speeds up the packet protocol
* Kernel/User netlink socket (CONFIG_NETLINK) [Y/n/?]
  - OPTIONAL: Recommended: this feature will allow the logging of advanced firewall issues such as routing messages, etc.
* Routing messages (CONFIG_RTNETLINK) [N/y/?] (NEW) y
  - OPTIONAL: Allows for support of advanced kernel routing messages if you enabled the CONFIG_NETLINK option
* Netlink device emulation (CONFIG_NETLINK_DEV) [N/y/m/?] (NEW)
  - NO: This option does not have anything to do with packet firewall logging
* Network packet filtering (replaces ipchains) (CONFIG_NETFILTER) [N/y/?] y
  - YES: Enable this option to let IPTABLES configure the TCP/IP subsection of the kernel. With this enabled, you can turn on advanced routing mechanisms like IP Masq, packet filtering, etc.
* Network packet filtering debugging (CONFIG_NETFILTER_DEBUG) [N/y/?] (NEW) n
  - NO: Not required for Masquerading functionality, though it may help with troubleshooting. There may be a performance penalty when enabling this.
* Socket Filtering (CONFIG_FILTER) [Y/n/?]
  - OPTIONAL: Recommended: Though this has nothing to do with IPMASQ, if you plan on implementing a DHCP server on the internal network, you WILL need to enable this option.
* Unix domain sockets (CONFIG_UNIX) [Y/m/n/?]
  - YES: This enables the UNIX TCP/IP sockets mechanisms
* TCP/IP networking (CONFIG_INET) [Y/n/?]
  - YES: Enables the TCP/IP protocol
* IP: multicasting (CONFIG_IP_MULTICAST) [N/y/?]
  - OPTIONAL: You can enable this if you want to be able to receive Multicast traffic. Please note that your ISP must support Multicast as well for this to work at all
* IP: advanced router (CONFIG_IP_ADVANCED_ROUTER) [Y/n/?]
  - OPTIONAL: Though nothing in this section is mandatory for Masquerade, some specific options might be useful
== Non-MASQ options skipped == ( autoconf, tunneling )
* IP: multicast routing (CONFIG_IP_MROUTE) [N/y/?] n
  - OPTIONAL: Though not needed for IPMASQ, enabling this feature will let you route multicast traffic through your Linux box. Please note that this requires that your ISP be multicast enabled as well.
== Non-MASQ options skipped == (ARPd)
* IP: TCP Explicit Congestion Notification support (CONFIG_INET_ECN) [N/y/?] n
  - NO: Though enabling this option would be great, there are many Internet sites out there that will block this. Hit the "?" when configuring the kernel to learn more about it, but it is recommended to say NO for now.
* IP: TCP syncookie support (disabled per default) (CONFIG_SYN_COOKIES) [Y/n/?]
  - YES: Recommended: for basic TCP/IP network security (this only builds the support in; it still has to be switched on at runtime via /proc/sys/net/ipv4/tcp_syncookies)

[ Networking options --> IP: Netfilter Configuration ]
* Connection tracking (required for masq/NAT) (CONFIG_IP_NF_CONNTRACK) [N/y/m/?] (NEW) m
  - YES: (Module) This enables the kernel to track various network connections. This option is required for Masquerading support as well as to enable Stateful tracking for various firewall mechanisms. Please note that if you compile this directly into the kernel, you cannot enable the legacy IPCHAINS or IPFWADM compatibility modules.
* FTP protocol support (CONFIG_IP_NF_FTP) [M/n/?] (NEW) m
  - YES: (Module) This enables the proper Masquerading of FTP connections if CONFIG_IP_NF_CONNTRACK was enabled above
* IRC protocol support (CONFIG_IP_NF_IRC) [M/n/?] (NEW) m
  - YES: (Module) This enables the proper Masquerading of IRC connections if CONFIG_IP_NF_CONNTRACK was enabled above
* Userspace queueing via NETLINK (EXPERIMENTAL) (CONFIG_IP_NF_QUEUE) [N/y/m/?] (NEW) m
  - OPTIONAL: Though this is OPTIONAL, this feature will allow IPTABLES to copy specific packets to UserSpace tools for additional checks
* IP tables support (required for filtering/masq/NAT) (CONFIG_IP_NF_IPTABLES) [N/y/m/?] (NEW) m
  - YES: (Module) Enables IPTABLES support
* limit match support (CONFIG_IP_NF_MATCH_LIMIT) [N/y/m/?] (NEW) y
  - OPTIONAL: (Module) Recommended: Though not required, this option can be used to rate-limit both traffic and logging messages to help slow down denial of service (DoS) attacks.
* MAC address match support (CONFIG_IP_NF_MATCH_MAC) [N/y/m/?] (NEW) m
  - OPTIONAL: Though not required, this option allows you to filter traffic based upon the SOURCE Ethernet MAC address.
* netfilter MARK match support (CONFIG_IP_NF_MATCH_MARK) [N/y/m/?] (NEW) y
  - YES: (Module) Recommended: This enables IPTABLES to take action upon marked packets. This mechanism can allow for PORTFW functionality, TOS marking, etc.
* Multiple port match support (CONFIG_IP_NF_MATCH_MULTIPORT) [N/y/m/?] (NEW) y
  - YES: (Module) Recommended: This enables IPTABLES to accept multiple SRC/DST port ranges (non-contiguous) instead of one port range per IPTABLES statement.
* TOS match support (CONFIG_IP_NF_MATCH_TOS) [Y/m/n/?] n
  - OPTIONAL: This allows IPTABLES to match packets based upon their DIFFSERV settings.
* LENGTH match support (CONFIG_IP_NF_MATCH_LENGTH) [N/m/?] (NEW) n
  - OPTIONAL: This allows IPTABLES to match packets based upon their packet length.
* TTL match support (CONFIG_IP_NF_MATCH_TTL) [N/m/?] (NEW) n
  - OPTIONAL: This allows IPTABLES to match packets based upon their TTL settings.
* tcpmss match support (CONFIG_IP_NF_MATCH_TCPMSS) [N/y/m/?] m
  - OPTIONAL: (Module) Recommended: This option allows users to examine the MSS value in TCP SYN packets. This is an advanced knob but can be very valuable in troubleshooting MTU problems.
* Connection state match support (CONFIG_IP_NF_MATCH_STATE) [M/n/?] m
  - YES: (Module) Recommended: This option allows for Stateful tracking of network connections.
* Unclean match support (EXPERIMENTAL) (CONFIG_IP_NF_MATCH_UNCLEAN) [N/y/m/?] y
  - YES: (Module) Recommended: This option allows for connection tracking on odd packets. It can also help in the detection of possibly malicious packets, which makes it a valuable tool in tracking hostile people on the network.
* Owner match support (EXPERIMENTAL) (CONFIG_IP_NF_MATCH_OWNER) [N/y/m/?] n
  - OPTIONAL: This option allows IPTABLES to match traffic based upon the user login, group, etc. that created the traffic.
* Packet filtering (CONFIG_IP_NF_FILTER) [N/y/m/?] y
  - YES: (Module) This option allows the kernel to filter traffic at the INPUT, FORWARDING, and OUTPUT traffic points.
* REJECT target support (CONFIG_IP_NF_TARGET_REJECT) [N/y/m/?] (NEW) y
  - YES: (Module) With this option, a packet firewall can send an ICMP Reject packet back to the originator when a packet is blocked.
* MIRROR target support (EXPERIMENTAL) (CONFIG_IP_NF_TARGET_MIRROR) [N/y/m/?] (NEW) n
  - OPTIONAL: This option allows the packet firewall to mirror the exact same network packet back to the originator when it is supposed to be blocked. This is similar to the REJECT option above but it actually sends the original packet back to the originator, i.e. a hostile user could end up portscanning themselves.
* Full NAT (CONFIG_IP_NF_NAT) [M/n/?] m
  - YES: (Module) This option enables the later menus for Masquerading, PORTFWing, Full (1:1) NAT, etc.
* MASQUERADE target support (CONFIG_IP_NF_TARGET_MASQUERADE) [M/n/?] (NEW) m
  - YES: (Module) This option specifically enables Masquerade in the kernel
* REDIRECT target support (CONFIG_IP_NF_TARGET_REDIRECT) [N/y/m/?] n
  - OPTIONAL: Not needed for normal MASQ functionality, though people who want to do transparent proxying via Squid will want this.
* Basic SNMP-ALG support (EXPERIMENTAL) (CONFIG_IP_NF_NAT_SNMP_BASIC) [N/m/?] n
  - OPTIONAL: This enables IPTABLES to properly NAT internal SNMP packets so that machines with duplicate addressing ranges can be properly managed.
* Packet mangling (CONFIG_IP_NF_MANGLE) [N/y/m/?] y
  - YES: (Module) This option allows for advanced IPTABLES packet manipulation options.
* TOS target support (CONFIG_IP_NF_TARGET_TOS) [N/y/m/?] (NEW) n
  - OPTIONAL: Enables the kernel to modify the TOS field in a packet before routing it on
* MARK target support (CONFIG_IP_NF_TARGET_MARK) [N/y/m/?] (NEW) m
  - OPTIONAL: (Module) Recommended: This enables the kernel to manipulate packets based upon the MARK field. This can be used for PORTFW as well as many other things.
* LOG target support (CONFIG_IP_NF_TARGET_LOG) [N/y/m/?] m
  - YES: (Module) This allows for the logging of packets before they are accepted, denied, rejected, etc.
* TCPMSS target support (CONFIG_IP_NF_TARGET_TCPMSS) [N/y/m/?] m
  - YES: (Module) This option helps some people with MTU problems. Typically, most users have to set their Internet connection's MTU to 1500 as well as ALL internal machines to 1500. With this option, this whole MTU issue might finally be solved.
* ipchains (2.2-style) support (CONFIG_IP_NF_COMPAT_IPCHAINS) [N/y/m/?] m
  - OPTIONAL: (Module) Recommended: If you have an existing IPCHAINS ruleset (2.2.x kernels) and enable this option, you can continue to use the IPCHAINS program and the majority of your old ruleset, except for the use of any 2.2.x kernel-specific modules. Please note that if this IPCHAINS module is loaded, ALL IPTABLES modules will be non-operational. This is an either/or deal intended only for legacy rulesets.
* ipfwadm (2.0-style) support (CONFIG_IP_NF_COMPAT_IPFWADM) [N/y/m/?] n
  - OPTIONAL: If you have an existing IPFWADM ruleset (2.0.x kernels) and enable this option, you can continue to use the IPFWADM program and the majority of your old ruleset, except for the use of any 2.0.x kernel-specific modules. Please note that if this IPFWADM module is loaded, ALL IPTABLES modules will be non-operational. This is an either/or deal intended only to support legacy rulesets.
== Non-MASQ options skipped == (IPv6, khttpd, ATM, IPX, AppleTalk, etc.)
--
* Fast switching (read help!) (CONFIG_NET_FASTROUTE) [N/y/?] n
  - NO: This performance optimization is NOT compatible with IP MASQ and/or packet filtering
== Non-MASQ options skipped == (QoS, Telephony, IDE, SCSI, 1394FW, I2O, etc)
== Don't forget to compile in support for hardware that you might need:
==   IDE: HDs, CDROMs, etc.
==   SCSI: HDs, CDROMs, etc.

[ Network device support ]
* Network device support (CONFIG_NETDEVICES) [Y/n/?]
  - YES: Enables the Linux Network device sublayer
== Non-MASQ options skipped == (Arcnet)
* Dummy net driver support (CONFIG_DUMMY) [M/n/y/?]
  - YES: Though OPTIONAL, this option can help when debugging problems
== Non-MASQ options skipped == (EQL, etc..)
== Don't forget to compile in support for hardware that you might need:
==   NICs: eth, tr, etc.
==   MODEMs: ppp (ppp async) and/or slip
==   WANs: T1, T3, ISDN, etc.
==   ISDN: for internal ISDN modems
== Non-MASQ options skipped == (Amateur Radio, IrDA, ISDN, USB, etc.)

[ Character devices ]
== Don't forget to compile in serial port support if you are a modem user
== Don't forget to compile in mouse support
== Non-MASQ options skipped == (I2C, Watchdog cards, Ftape, Video for Linux, etc. )

[ File systems ]
== Non-MASQ options skipped == (Quota, ISO9660, NTFS, etc )
* /proc filesystem support (CONFIG_PROC_FS) [Y/n/?]
  - YES: Required to dynamically configure the Linux forwarding and NATing systems
== Non-MASQ options skipped == (Console drivers, Sound, USB, Kernel Hacking)
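An added check for the 2.4.x configuration above, not from the HOWTO: a shell script that reads the .config that "make menuconfig" writes and reports what is missing from the MASQ minimum, plus the two conflicts the option notes call out (CONFIG_NET_FASTROUTE must stay off, and the ipchains/ipfwadm compatibility modules cannot coexist with a built-in CONFIG_IP_NF_CONNTRACK). The function names (config_value, check_masq_config) are my own; the option sets are taken from the YES entries above, with a few of the Recommended ones reported as warnings only.

```shell
#!/bin/sh
# Added example (not from the HOWTO): audit a 2.4.x kernel .config for the
# minimal IP Masquerade options before running "make bzImage".

# config_value FILE OPTION: print y, m, or n for OPTION as set in FILE.
# "# CONFIG_X is not set" lines and absent options both yield n.
config_value() {
    val=$(sed -n "s/^$2=\(.*\)$/\1/p" "$1" | tail -n 1)
    case "$val" in
        y|m) echo "$val" ;;
        *)   echo n ;;
    esac
}

# check_masq_config FILE: return 0 if FILE satisfies the MASQ minimum,
# printing every problem found. Warnings do not affect the return value.
check_masq_config() {
    cfg=$1; errors=0
    # Options that must be built in: these are bool prompts, not tristate.
    for opt in CONFIG_NET CONFIG_INET CONFIG_NETFILTER CONFIG_SYSCTL CONFIG_PROC_FS; do
        if [ "$(config_value "$cfg" "$opt")" != y ]; then
            echo "required built-in: $opt"; errors=$((errors + 1))
        fi
    done
    # Options that may be built in or modular (y or m).
    for opt in CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_NAT \
               CONFIG_IP_NF_TARGET_MASQUERADE CONFIG_IP_NF_FILTER; do
        if [ "$(config_value "$cfg" "$opt")" = n ]; then
            echo "required (y or m): $opt"; errors=$((errors + 1))
        fi
    done
    # Recommended but not strictly required: warn only.
    for opt in CONFIG_IP_NF_FTP CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_TARGET_LOG CONFIG_SYN_COOKIES; do
        if [ "$(config_value "$cfg" "$opt")" = n ]; then
            echo "warning, recommended: $opt"
        fi
    done
    # Fast switching bypasses netfilter, so it must stay off.
    if [ "$(config_value "$cfg" CONFIG_NET_FASTROUTE)" != n ]; then
        echo "incompatible with MASQ: CONFIG_NET_FASTROUTE"; errors=$((errors + 1))
    fi
    # The legacy compatibility modules need conntrack as a module, not built in.
    if [ "$(config_value "$cfg" CONFIG_IP_NF_CONNTRACK)" = y ]; then
        for opt in CONFIG_IP_NF_COMPAT_IPCHAINS CONFIG_IP_NF_COMPAT_IPFWADM; do
            if [ "$(config_value "$cfg" "$opt")" != n ]; then
                echo "conflict: $opt requires CONFIG_IP_NF_CONNTRACK=m"; errors=$((errors + 1))
            fi
        done
    fi
    [ "$errors" -eq 0 ]
}

# Usage on a real tree: check_masq_config /usr/src/kernel/linux/.config
```

Run it after "make menuconfig" and before "make dep"; a non-zero exit means the build would produce a kernel that cannot masquerade at all, or one whose ipchains compatibility module could never load.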
Note: These are only the kernel components you need for IP Masquerade network support. You will need to select whatever additional options your specific setup requires. If you want to learn more about what each of these kernel modules does, see the FAQ section of this HOWTO for details.

Now compile the kernel (make dep; make clean; make bzImage; make modules; make modules_install) etc. Again, if you run into problems compiling the kernel, that is beyond the scope of this HOWTO; see Section 2.6 for URLs for the Kernel HOWTO, etc.

You then need to move the kernel binary into place, update your bootloader (LILO, Grub, etc.), and reboot. If you have questions about kernel compilation, I strongly recommend consulting some of the URLs mentioned earlier in this section.

See Section 2.7 for any required software, patches, etc.
First, you need the 2.2.x kernel source (preferably the latest kernel version).

Note #1: --- UPDATE YOUR KERNEL --- Linux 2.2.x kernels below version 2.2.20 contain several different security vulnerabilities (some of them MASQ-specific). Kernels below 2.2.20 have some local vulnerabilities. Kernels below 2.2.16 have a TCP root exploit vulnerability, and kernels below 2.2.11 have an IPCHAINS fragmentation bug. Because of these issues, users running a firewall even with strong IPCHAINS rulesets are open to possible intrusion. Please upgrade your kernel to a fixed version.

Note #2: As the 2.2.x series progresses, the compile-time options keep changing. As of this version, this section reflects the setup for the 2.2.20 kernel.

If you are running a newer or older kernel version, the dialogs will look different. Updating to the latest kernel is recommended for the system's functionality and stability.

If this is the first time you have compiled a kernel, do not be afraid. It is actually fairly easy, and it is covered by several of the URLs found in Section 2.7. Note that the instructions included here are only one way of building a kernel; see the Kernel HOWTO for full details.

Note: Putting new kernel source into /usr/src/linux is NOT recommended. You should keep the original kernel source that came with your Linux distribution in /usr/src/linux. For more details on this topic, read the "README" file in the top-level directory of the kernel source.

For this HOWTO's example, create a directory called /usr/src/kernel. Next, "cd" into it and download the latest 2.2.x kernel source there. Once downloaded, issue the command (if the file ends in .tar.gz) tar xvzf linux-2.2.x.tar.gz or (if the file ends in .tar.bz2) tar xyvf linux-2.2.x.tar.bz2. Replace the "x" in the 2.2.x filename with the version of the Linux 2.2 kernel you downloaded.

Note: Some Linux distributions use the "I" option instead of the "y" option to decompress bzip2 archives; current GNU tar uses "j".

Once decompressed, I recommend renaming the directory from "linux" to "linux-2.2.x" to make things clearer. To do this, run the command mv linux linux-2.2.x. Next, make sure a directory or symbolic link named /usr/src/kernel/linux exists, i.e. run the command ln -s /usr/src/kernel/linux-2.2.x /usr/src/kernel/linux, again replacing "x" with your correct kernel version.

Apply any appropriate or optional patches to the kernel source. By default, the stock Linux kernel does not need any specific patches to get the system working. Features such as PPTP/IPSEC masquerading are already built into the latest kernels, while other tools like the Xwindows forwarder are optional. See Section 2.7 and the IP Masquerade Resources for the latest information and patch URLs.

Now that the kernel is patched (if needed), below are the minimum kernel configuration options needed to enable IP Masquerade functionality. Please understand that this HOWTO only illustrates one way of compiling a kernel. The main difference between this method and others is that some people prefer to compile things as modules while others compile them directly into the kernel. Basically, compiling things as modules gives you more flexibility over what is and is not loaded into the kernel (less unnecessary memory use and plug-and-play upgrades without rebooting), but modules add complexity to the configuration. On the other hand, compiling things directly into the kernel keeps things simpler, but you lose some flexibility. The example below is a mix of built-in and modular components.

Side note: It is assumed that you are also configuring the kernel for the other hardware you have installed, such as network interfaces, optional SCSI controllers, etc. For detailed help on compiling kernels, see the Linux Kernel HOWTO and the kernel source's README file and Documentation/ directory.

Note the YES or NO answers to the following. Not all options are available without the proper kernel patches described later in this HOWTO.

Run the following commands to configure your kernel

cd /usr/src/kernel/linux
make menuconfig

The kernel prompts below reflect the 2.2.20 kernel
[ Code maturity level options ]
* Prompt for development and/or incomplete code/drivers (CONFIG_EXPERIMENTAL) [Y/n/?]
  - YES: though not entirely required for IP MASQ, this option allows the kernel to create possible additional MASQ modules such as PORTFW, etc.
== Non-MASQ options skipped == (CPU, memory, MTRR, SMP, etc.)

[ Loadable module support ]
* Enable loadable module support (CONFIG_MODULES) [Y/n/?] y
  - YES: allows you to load kernel IP MASQ modules
* Set version information on all symbols for modules (CONFIG_MODVERSIONS) [N/y/?] y
  - YES: allows newer kernels to load older modules if possible
* Kernel module loader (CONFIG_KMOD) [Y/n/?] y
  - OPTIONAL: Recommended: allows the kernel to load various kernel modules as it needs them

[ General setup ]
* Networking support (CONFIG_NET) [Y/n/?]
  - YES: This enables the network subsystem
== Non-MASQ options skipped == (PCI, kernel binaries, specific hardware options, etc.)
* Sysctl support (CONFIG_SYSCTL) [Y/n/?]
  - YES: Enables the ability to enable/disable options such as forwarding, dynamic IPs, etc. via the /proc interface

[ Block devices ]
== Non-MASQ options skipped == (kernel binaries, power management, PnP, IDE, SCSI, etc.)
== Don't forget to compile in support for hardware that you might need:
==   IDE controllers, HDs, CDROMs, etc.

[ Networking options ]
* Packet socket (CONFIG_PACKET) [Y/m/n/?] y
  - YES: Though this is OPTIONAL, this recommended feature will allow you to use TCPDUMP to debug any problems with IP MASQ
* Kernel/User netlink socket (CONFIG_NETLINK) [Y/n/?] y
  - OPTIONAL: Recommended: This feature will allow the logging of advanced firewall issues such as routing messages, etc.
* Routing messages (CONFIG_RTNETLINK) [Y/n/?] y
  - OPTIONAL: If you enabled the CONFIG_NETLINK option above, this option will send routing messages and other information to SYSLOG.
* Netlink device emulation (CONFIG_NETLINK_DEV) [N/y/m/?] (NEW) n
  - NO: This option does not have anything to do with packet firewall logging
* Network firewalls (CONFIG_FIREWALL) [Y/n/?] y
  - YES: Enables the kernel to be configured by the IPCHAINS firewall tool
* Socket Filtering (CONFIG_FILTER) [Y/n/?] y
  - OPTIONAL: Though this has nothing to do with IPMASQ, if you plan on implementing a DHCP server on the internal network, you WILL need this option.
* Unix domain sockets (CONFIG_UNIX) [Y/m/n/?] y
  - YES: This enables the UNIX TCP/IP sockets mechanisms
* TCP/IP networking (CONFIG_INET) [Y/n/?] y
  - YES: Enables the TCP/IP protocol
* IP: multicasting (CONFIG_IP_MULTICAST) [N/y/?] y
  - OPTIONAL: You can enable this if you want to be able to receive Multicast traffic. Please note that your ISP must support Multicast as well for this to work
* IP: advanced router (CONFIG_IP_ADVANCED_ROUTER) [Y/n/?] n
  - OPTIONAL: Though nothing in this section is mandatory for Masquerade, some specific options might be useful
* IP: kernel level autoconfiguration (CONFIG_IP_PNP) [N/y/?] ?
  - NO: Not needed for normal MASQ functionality
* IP: firewalling (CONFIG_IP_FIREWALL) [Y/n/?] y
  - YES: This enables the kernel to support packet filtering, NAT, etc.
* IP: firewall packet netlink device (CONFIG_IP_FIREWALL_NETLINK) [Y/n/?] n
  - OPTIONAL: Though this is OPTIONAL, this feature will allow IPCHAINS to copy some packets to UserSpace tools for additional checks
* IP: transparent proxy support (CONFIG_IP_TRANSPARENT_PROXY) [N/y/?] n
  - OPTIONAL: Not needed for normal MASQ functionality, though people who want to do transparent proxying via Squid will want this. Please note that there is a PERFORMANCE PENALTY for enabling this feature.
* IP: masquerading (CONFIG_IP_MASQUERADE) [Y/n/?] y
  - YES: Enable IP Masquerade to re-address specific internal-to-external TCP/IP packets
* IP: ICMP masquerading (CONFIG_IP_MASQUERADE_ICMP) [Y/n/?] y
  - YES: Enable support for masquerading ICMP ping packets (ICMP error codes will be MASQed regardless). This is an important feature for troubleshooting connections.
* IP: masquerading special modules support (CONFIG_IP_MASQUERADE_MOD) [Y/n/?] y
  - YES: Though OPTIONAL, this enables the option to later enable other modules like PORTFW to give external computers a direct connection to specified internal MASQed machines.
* IP: ipautofw masq support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPAUTOFW) [N/y/m/?] n
  - NO: NOT recommended: IPautofw is a legacy method of port forwarding. It is mainly old code and has been found to have some issues.
* IP: ipportfw masq support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPPORTFW) [Y/m/n/?] y
  - OPTIONAL: Recommended: This enables PORTFW, which allows external computers on the Internet to communicate directly with specified internal MASQed machines. This feature is typically used to allow access to internal SMTP, TELNET, and WWW servers. Please note that FTP port forwarding needs an additional patch, as described in the FAQ section of the MASQ HOWTO; see that FAQ section for additional information.
* IP: ip fwmark masq-forwarding support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_MFW) [Y/m/n/?] y
  - OPTIONAL: This is a NEW method of performing PORTFW-like functionality, similar to how the new 2.4.x kernels do things. With this option, IPCHAINS can mark packets that should have additional work done upon them. Using a UserSpace tool, much like IPMASQADM or IPPORTFW, IPCHAINS would then do things like re-address the packets, change their TOS value, etc. Currently this code is less tested than PORTFW, but it looks promising. For now, this HOWTO recommends using IPMASQADM and IPPORTFW. If you have specific thoughts or comments on MFW, please email dranch.
* IP: optimize as a router not host (CONFIG_IP_ROUTER) [Y/n/?] y
  - YES: This optimizes the kernel for the network subsystem, though it is not well known whether this makes a significant performance difference or not.
== Non-MASQ options skipped == ( autoconf, tunneling, GRE )
* IP: multicast routing (CONFIG_IP_MROUTE) [N/y/?] n
  - OPTIONAL: Though not needed for IPMASQ, enabling this feature will let you route multicast traffic through your Linux box. Please note that this requires that your ISP be multicast enabled as well.
== Non-MASQ options skipped == (Aliasing, ARPd)
* IP: TCP syncookie support (disabled per default) (CONFIG_SYN_COOKIES) [Y/n/?]
  - YES: HIGHLY recommended for basic TCP/IP network security (this only builds the support in; it still has to be switched on at runtime via /proc/sys/net/ipv4/tcp_syncookies)
* IP: GRE tunnels over IP (CONFIG_NET_IPGRE) [N/y/m/?]
  - NO: This OPTIONAL selection is to enable PPTP and GRE tunnels through the IP MASQ box
== Non-MASQ options skipped == (RARP)
* IP: Allow large windows (not recommended if <16Mb of memory) (CONFIG_SKB_LARGE) [Y/n/?]
  - YES: This is recommended to optimize Linux's TCP window
== Non-MASQ options skipped == (IPv6, IPX, WAN router, etc.)
* Fast switching (read help!) (CONFIG_NET_FASTROUTE) [N/y/?] n
  - NO: This performance optimization is NOT compatible with IP MASQ and/or packet filtering
== Non-MASQ options skipped == (Slow CPU, Telephony, SCSI, I2O, etc. )
== Don't forget to compile in support for hardware that you might need:
==   SCSI: HDs, CDROMs, etc.

[ Network device support ]
* Network device support (CONFIG_NETDEVICES) [Y/n/?]
  - YES: Enables the Linux Network device sublayer
== Non-MASQ options skipped == (Arcnet)
* Dummy net driver support (CONFIG_DUMMY) [M/n/y/?]
  - YES: Though OPTIONAL, this option can help when debugging problems
== Non-MASQ options skipped == (EQL, NICs, Wireless, IrDA, ISDN, etc..)
== Don't forget to compile in support for hardware that you might need:
==   NICs: eth, tr, etc.
==   MODEMs: ppp and/or slip
==   WANs: T1, T3, ISDN, etc.
==   ISDN: for internal ISDN modems

[ Character devices ]
== Don't forget to compile in serial port support for modem users
== Don't forget to compile in mouse support
== Non-MASQ options skipped == (I2C, Watchdog cards, Ftape, Video for Linux, USB, etc. )

[ File systems ]
== Non-MASQ options skipped == (Quota, ISO9660, NTFS, etc )
* /proc filesystem support (CONFIG_PROC_FS) [Y/n/?]
  - YES: Required to dynamically configure the Linux forwarding and NATing systems
== Non-MASQ options skipped == (network fs, NLS, video section, sound, kernel hacking)
Note: These are only the components you need for IP Masquerade. You will need to select whatever additional options your specific setup requires.

Now compile the kernel (make dep; make clean; make bzImage; make modules; make modules_install) etc. Again, if you run into problems compiling the kernel, that is beyond the scope of this HOWTO; see Section 2.7 for URLs for the Kernel HOWTO, etc.

You then need to move the kernel binary into place, update your bootloader (LILO, Grub, etc.), and reboot. If you have questions about kernel compilation, I strongly recommend consulting some of the URLs mentioned earlier in this section.

See Section 2.8 for any required software, patches, etc.
首先,您需要 2.0.x 的内核源代码(最好是最新的内核版本)
随着 2.0.x 系列的进展,编译时选项不断变化。 截至本版本,本节反映了 2.0.39 内核的设置。
如果这是您第一次编译内核,请不要害怕。 事实上,这相当容易,并且在 第 2.8 节中找到的几个 URL 中对此进行了介绍。 请注意,此处包含的说明只是构建内核的一种方法。 有关完整详细信息,请参阅内核指南。
注意:请注意,不建议将新的内核源代码放入 /usr/src/linux 中。 您应该将 Linux 发行版随附的原始内核源代码保留在 /usr/src/linux 中。 有关此主题的更多详细信息,请阅读内核源代码顶层目录中的 “README” 文件。
对于本指南示例,创建一个名为/usr/src/kernel。 接下来,“cd” 进入此目录,并将最新的 2.0.x 内核源代码下载到其中。 下载完成后,发出以下命令tar xvzf linux-2.0.x.tar.gz。 请将 2.0.x 文件名中的 “x” 替换为您下载的 Linux 2.0 内核版本。
解压缩后,我建议您将目录从 “linux” 重命名为 “linux-2.0.x”,以使其更清晰。 要执行此操作,请运行命令mv linux linux-2.0.x。 接下来,确保存在指向/usr/src/kernel/linux的目录或符号链接。 即运行命令ln -s /usr/src/kernel/linux-2.0.x /usr/src/kernel/linux或者再次替换 “x” 为您正确的内核版本。
将任何适当或可选的补丁应用于内核源代码。 默认情况下,股票 Linux 内核不需要任何特定的补丁即可使系统正常工作。 诸如 IPPORTFW、PPTP 和 Xwindows 转发器之类的功能是可选的,但非常有用。 有关 URL,请参阅 第 2.8 节和 IP Masquerade 资源,以获取最新信息和补丁 URL。
现在内核已打好补丁(如果需要),以下是启用 IP 伪装功能所需的最低内核配置选项。 请理解,本指南仅说明了一种编译内核的方法。 本方法与另一种方法的主要区别在于,有些人希望将内容编译为模块或直接编译到内核中。 基本上,将内容编译为模块为您提供了更大的灵活性,可以控制内核中安装或未安装的内容(减少不必要的内存使用并允许即插即用升级 [无需重新启动]),但是它们增加了配置的复杂性。 另一方面,将内容直接编译到内核中使事情变得更简单,但是您会失去一定的灵活性。 以下示例是内置和模块的混合。
旁注:假设您还将内核配置为使用您安装的其他硬件,例如网络接口、可选的 SCSI 控制器等。 有关编译内核的详细帮助,请参阅 Linux 内核指南和内核源代码的 “README”文件和 “Documentation/”目录。
请注意以下选项的 YES 或 NO 答案。 如果没有本指南稍后描述的正确内核补丁,并非所有选项都可用
运行以下命令来配置您的内核
cd /usr/src/kernel/linux
make menuconfig
The following kernel prompts reflect the 2.0.39 kernel:

[ Code maturity level options ]

* Prompt for development and/or incomplete code/drivers (CONFIG_EXPERIMENTAL) [Y/n/?]
    - YES: this will allow you to later select the IP Masquerade feature code

[ Loadable module support ]

* Enable loadable module support (CONFIG_MODULES) [Y/n/?] y
    - YES: allows you to load kernel IP MASQ modules

* Set version information on all module symbols (CONFIG_MODVERSIONS) [N/y/?] y
    - YES: allows newer kernels to load older modules if possible

* Kernel daemon support (e.g. autoload of modules) (CONFIG_KERNELD) [N/y/?] y
    - OPTIONAL: Recommended : allows the kernel to load various kernel modules as it needs them

[ General setup ]

== Non-MASQ options skipped == (FPU, memory)

* Networking support (CONFIG_NET) [Y/n/?] y
    - YES: Enables the network subsystem

== Non-MASQ options skipped == (memory, PCI, binary format, APM, etc.)
== Don't forget to compile in support for hardware that you might need:
==   IDE controllers, HDs, CDROMs, etc.

[ Networking options ]

* Network firewalls (CONFIG_FIREWALL) [Y/n/?] y
    - YES: Enables the IPFWADM firewall tool

== Non-MASQ options skipped == (Aliasing)

* TCP/IP networking (CONFIG_INET) [Y/n/?] y
    - YES: Enables the TCP/IP protocol

* IP: forwarding/gatewaying (CONFIG_IP_FORWARD) [N/y/?] y
    - YES: Enables Linux network packet forwarding and routing - Controlled by IPFWADM

* IP: multicasting (CONFIG_IP_MULTICAST) [N/y/?] y
    - OPTIONAL: You can enable this if you want to be able to receive Multicast traffic. Please note that your ISP must support Multicast as well for this all to work

* IP: syn cookies (CONFIG_SYN_COOKIES) [Y/n/?] y
    - YES: HIGHLY recommended for basic network security

* IP: firewalling (CONFIG_IP_FIREWALL) [Y/n/?] y
    - YES: Enable the packet firewall features

* IP: firewall packet logging (CONFIG_IP_FIREWALL_VERBOSE) [Y/n/?] y
    - YES: Allows the kernel to report back on various packets traversing the firewall.

* IP: masquerading (CONFIG_IP_MASQUERADE) [Y/n/?] y
    - YES: Enable the kernel to perform IP MASQ NAT functionality

* IP: ipautofw masquerade support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPAUTOFW) [Y/n/?] n
    - NO: NOT Recommended : IPautofw is a legacy method of TCP/IP port forwarding. Though IPautofw works, IPPORTFW is a better choice.

* IP: ipportfw masq support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPPORTFW) [Y/n/?] y
    - YES: This option is ONLY AVAILABLE VIA A PATCH for the 2.0.x kernels. With this option, external computers on the Internet can directly communicate to specified internal MASQed machines. This feature is typically used to access internal SMTP, TELNET, and WWW servers. FTP port forwarding sometimes might require an additional patch as described in the FAQ section. Additional information on port forwarding is available in the Forwards section of this HOWTO.

* IP: MS PPTP masq support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_PPTP) [N/y/?] (NEW) n
    - OPTIONAL: Enabling this feature will allow internal MASQ clients to properly connect to PPTP servers on the Internet.

* IP: MS PPTP Call ID masq support (CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT) [N/y/?] (NEW) n
    - OPTIONAL: If you enabled CONFIG_IP_MASQUERADE_PPTP above, this option will allow multiple internal PPTP clients behind the MASQ server to communicate with the same PPTP server.

* IP: MS PPTP masq debugging (DEBUG_IP_MASQUERADE_PPTP) [N/y/?] n
    - OPTIONAL: NOT recommended : This is not required for IP MASQ or MASQing PPTP connections unless you need additional troubleshooting help. If enabled, this can fill up your logs quickly.

* IP: MS PPTP masq verbose debugging (DEBUG_IP_MASQUERADE_PPTP_VERBOSE) [N/y/?] (NEW) n
    - OPTIONAL: NOT Recommended : If you enabled the DEBUG_IP_MASQUERADE_PPTP option above, this will make the logging even more verbose.

* IP: IPSEC ESP & ISAKMP masq support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPSEC) [N/y/?] m
    - OPTIONAL: This option allows some forms of IPSEC tunnels to be masqueraded

* IP: IPSEC masq table lifetime (minutes) (CONFIG_IP_MASQUERADE_IPSEC_EXPIRE) [30] (NEW)
    - OPTIONAL: This feature allows you to change the MASQ table timeouts so that idle IPSEC tunnels won't be prematurely disconnected.

* IP: Disable inbound ESP destination guessing (CONFIG_IP_MASQUERADE_IPSEC_NOGUESS) [N/y/?] n
    - OPTIONAL: Leaving this at NO allows the kernel to guess where the fully encrypted IPSEC VPN might be going and add it to the MASQ table.

* IP: IPSEC masq debugging (DEBUG_IP_MASQUERADE_IPSEC) [N/y/?] n
    - OPTIONAL: NOT recommended : This is not required for IP MASQ or MASQing IPSEC connections unless you need additional troubleshooting help. If enabled, this can fill up your logs quickly.

* IP: IPSEC masq verbose debugging (DEBUG_IP_MASQUERADE_IPSEC_VERBOSE) [N/y/?] (NEW) n
    - OPTIONAL: NOT Recommended : If you enabled the DEBUG_IP_MASQUERADE_IPSEC option above, this will make the logging even more verbose.

* IP: ICMP masquerading (CONFIG_IP_MASQUERADE_ICMP) [Y/n/?]
    - YES: Enable support for masquerading ICMP packets. Though thought of as optional, many programs will NOT function properly without ICMP support.

* IP: transparent proxy support (EXPERIMENTAL) (CONFIG_IP_TRANSPARENT_PROXY) [N/y/?] n
    - OPTIONAL: Not needed for normal MASQ functionality, though people who want to do transparent proxying via Squid will want this. Please note that there is a PERFORMANCE PENALTY for enabling this feature.

* IP: loose UDP port managing (EXPERIMENTAL) (CONFIG_IP_MASQ_LOOSE_UDP) [Y/n/?]
    - YES: This option is ONLY AVAILABLE VIA A PATCH for the 2.0.x kernels. With this option, internally masqueraded computers can play NAT-friendly games over the Internet. Explicit details are given in the FAQ section of this HOWTO.

* IP: always defragment (CONFIG_IP_ALWAYS_DEFRAG) [Y/n/?]
    - YES: This feature optimizes IP MASQ connections

== Non-MASQ options skipped == (Accounting)

* IP: optimize as router not host (CONFIG_IP_ROUTER) [Y/n/?]
    - YES: This optimizes the kernel for the network subsystem

== Non-MASQ options skipped == (Tunneling, Mcast routing, RARP, PMTU, etc.)

* IP: Drop source routed frames (CONFIG_IP_NOSR) [Y/n/?]
    - YES: HIGHLY recommended for basic network security

== Non-MASQ options skipped == (IPX, Bridging, SCSI, etc.)
== Don't forget to compile in support for hardware that you might need:
==   SCSI controllers, HDs, CDROMs, etc.

[ Network device support ]

* Network device support (CONFIG_NETDEVICES) [Y/n/?]
    - YES: Enables the Linux Network device sublayer

== Non-MASQ options skipped == (Dummy, EQL, PPP, SLIP, NICs, Wireless, etc.)
== Don't forget to compile in support for hardware that you might need:
==   NICs: eth, tr, etc.
==   MODEMs: ppp and/or slip
==   WANs: T1, T3, ISDN, etc.
==   ISDN: for internal ISDN modems

[ File systems ]

== Non-MASQ options skipped == (Quota, ISO9660, Codepages, NTFS, etc.)

* /proc filesystem support (CONFIG_PROC_FS) [Y/n/?]
    - YES: Required to dynamically configure the Linux forwarding and NATing systems

[ Character devices ]

== Non-MASQ options skipped == (multi-port serial, parallel, mice, Ftape, Sound, etc.)
== Don't forget to compile in serial port support for modem users
== Don't forget to compile in mouse support
Go ahead and "exit"; you should be prompted to save your configuration.
Note: These are only the components needed for IP Masquerade functionality. You may also need to select other options to match your specific network and hardware setup.
Now compile the kernel (make dep; make clean; make bzImage; make modules; make modules_install), etc. Again, if you have problems compiling your kernel, that is beyond the scope of this HOWTO. See Section 2.8 for URLs to the Kernel HOWTO and the like.
Then you need to move the kernel binary over, update your boot loader (LILO, Grub, etc.) and reboot. If you have questions about kernel compilation, I strongly recommend consulting some of the URLs given earlier in this section.
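Before building, it is worth checking the saved .config mechanically rather than by eye, since a single option left unset (no CONFIG_IP_MASQUERADE) or set the wrong way (CONFIG_NET_FASTROUTE=y, which the 2.4.x list above marks as incompatible with MASQ and packet filtering) only shows up after a reboot. The script below is an added example, not part of this HOWTO: it reads a .config in the usual "OPT=y" / "# OPT is not set" form and reports required options that are missing, the two HIGHLY recommended security options (CONFIG_SYN_COOKIES, CONFIG_IP_NOSR) that are not =y, and the NO options that are on. The grouping of the option names into "required", "security" and "must be off" follows the YES/NO answers in this section but is my own assumption; the sample .config it writes is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the HOWTO: audit a kernel .config against the
# IP masquerade options listed in this section.  The CONFIG_* names are
# the ones shown above; the grouping below and the sample .config are
# constructed for this demo.

# Must be built in (=y) or as a module (=m) for IP MASQ to work at all.
MASQ_REQUIRED="CONFIG_FIREWALL CONFIG_INET CONFIG_IP_FORWARD \
CONFIG_IP_FIREWALL CONFIG_IP_MASQUERADE CONFIG_IP_MASQUERADE_ICMP \
CONFIG_IP_ALWAYS_DEFRAG CONFIG_PROC_FS"

# Marked HIGHLY recommended for basic network security above.
MASQ_SECURITY="CONFIG_SYN_COOKIES CONFIG_IP_NOSR"

# Marked NO above: incompatible with MASQ/packet filtering, or legacy.
MASQ_MUST_BE_OFF="CONFIG_NET_FASTROUTE CONFIG_IP_MASQUERADE_IPAUTOFW"

# config_value FILE OPTION: print y, m, n or unset, following the
# .config conventions "OPT=y", "OPT=m" and "# OPT is not set".
# The trailing $ anchors keep CONFIG_IP_MASQUERADE from matching
# CONFIG_IP_MASQUERADE_ICMP.
config_value() {
    if grep -q "^$2=y$" "$1"; then echo y
    elif grep -q "^$2=m$" "$1"; then echo m
    elif grep -q "^# $2 is not set$" "$1"; then echo n
    else echo unset
    fi
}

# check_masq_config FILE: print one line per problem found.
# Exit status 0 when the config is clean, 1 otherwise.
check_masq_config() {
    problems=0
    for opt in $MASQ_REQUIRED; do
        case $(config_value "$1" "$opt") in
            y|m) ;;
            *) echo "REQUIRED $opt is not enabled"; problems=1 ;;
        esac
    done
    for opt in $MASQ_SECURITY; do
        case $(config_value "$1" "$opt") in
            y) ;;
            *) echo "SECURITY $opt should be =y"; problems=1 ;;
        esac
    done
    for opt in $MASQ_MUST_BE_OFF; do
        case $(config_value "$1" "$opt") in
            y|m) echo "CONFLICT $opt must not be enabled"; problems=1 ;;
        esac
    done
    return $problems
}

# write_sample_config FILE: a constructed .config fragment with three
# deliberate mistakes (no MASQ, no syncookies, fast switching on).
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_FIREWALL=y
CONFIG_INET=y
CONFIG_IP_FORWARD=y
CONFIG_IP_FIREWALL=y
# CONFIG_IP_MASQUERADE is not set
CONFIG_IP_MASQUERADE_ICMP=y
CONFIG_IP_ALWAYS_DEFRAG=y
CONFIG_PROC_FS=y
# CONFIG_SYN_COOKIES is not set
CONFIG_IP_NOSR=y
CONFIG_NET_FASTROUTE=y
# CONFIG_IP_MASQUERADE_IPAUTOFW is not set
EOF
}

# Demo run against the constructed sample; on a real box point
# check_masq_config at /usr/src/kernel/linux/.config instead.
sample=$(mktemp)
write_sample_config "$sample"
check_masq_config "$sample" || echo "config needs attention"
rm -f "$sample"
```

The demo prints three lines (the missing CONFIG_IP_MASQUERADE, the unset CONFIG_SYN_COOKIES and the enabled CONFIG_NET_FASTROUTE) and returns 1. Options the 2.4.x list wants as =m are accepted as either y or m, because the HOWTO's own example is a mix of built-in and modular choices.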