Building a full-featured production web environment from scratch on Ubuntu 7.10 server

These past few days I have been learning how to configure Ubuntu server; today I came across a new write-up on configuring server 7.10, so I am pasting it here to share with everyone.

Building a full-featured production web environment from scratch on Ubuntu 7.10 server (Part 1)

Copyright notice: this article may be freely reposted; when reposting, please indicate the original source and author as a hyperlink, together with this notice.

http://www.dingl.com/blog/archives/12

Author: Ding Ling (丁令)

For work reasons I need to set up a Linux environment.

I chose Ubuntu 7.10 server because it is fairly clean; a production server should not be cluttered with all sorts of junk.

Ubuntu 7.10 server is a very clean system, with no graphical interface at all, so the mouse is of no use.

Installing Ubuntu is very simple and is not described further. A few points to note:

1. Plug in the network cable before installing.

2. Apart from OpenSSH, do not install any other server software; no Apache, MySQL or PHP. These will be compiled from source later.

Post-install configuration of Ubuntu:

1. Enable the root user

  sudo passwd root

 After entering the password:

  su

 The remaining configuration and maintenance can then be done as root.

2. Configure the network

 If the network was not set up correctly during installation, configure it by hand:

  vi /etc/network/interfaces

 Set it correctly for your environment, then restart networking:

  /etc/init.d/networking restart

3. Configure the apt-get package sources

 This step is required if you want the latest versions of the various packages.

  vi /etc/apt/sources.list

 Edit the file; the main change is to stop installing from the CD-ROM and download the latest versions from the network instead.

#
# deb cdrom:[Ubuntu-Server 7.10 _Gutsy Gibbon_ - Release i386 (20071016)]/ gutsy main restricted
#deb cdrom:[Ubuntu-Server 7.10 _Gutsy Gibbon_ - Release i386 (20071016)]/ gutsy main restricted
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://ubuntu.cn99.com/ubuntu/ gutsy main restricted
deb-src http://ubuntu.cn99.com/ubuntu/ gutsy main restricted
## Major bug fix updates produced after the final release of the
## distribution.
deb http://ubuntu.cn99.com/ubuntu/ gutsy-updates main restricted
deb-src http://ubuntu.cn99.com/ubuntu/ gutsy-updates main restricted
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## universe WILL NOT receive any review or updates from the Ubuntu security
## team.
deb http://ubuntu.cn99.com/ubuntu/ gutsy universe
deb-src http://ubuntu.cn99.com/ubuntu/ gutsy universe
deb http://ubuntu.cn99.com/ubuntu/ gutsy-updates universe
deb-src http://ubuntu.cn99.com/ubuntu/ gutsy-updates universe
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://ubuntu.cn99.com/ubuntu/ gutsy multiverse
deb-src http://ubuntu.cn99.com/ubuntu/ gutsy multiverse
deb http://ubuntu.cn99.com/ubuntu/ gutsy-updates multiverse
deb-src http://ubuntu.cn99.com/ubuntu/ gutsy-updates multiverse
## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
# deb http://ubuntu.cn99.com/ubuntu/ gutsy-backports main restricted universe multiverse
# deb-src http://ubuntu.cn99.com/ubuntu/ gutsy-backports main restricted universe multiverse
## Uncomment the following two lines to add software from Canonical's
## 'partner' repository. This software is not part of Ubuntu, but is
## offered by Canonical and the respective vendors as a service to Ubuntu
## users.
# deb http://archive.canonical.com/ubuntu gutsy partner
# deb-src http://archive.canonical.com/ubuntu gutsy partner
deb http://security.ubuntu.com/ubuntu gutsy-security main restricted
deb-src http://security.ubuntu.com/ubuntu gutsy-security main restricted
deb http://security.ubuntu.com/ubuntu gutsy-security universe
deb-src http://security.ubuntu.com/ubuntu gutsy-security universe
deb http://security.ubuntu.com/ubuntu gutsy-security multiverse
deb-src http://security.ubuntu.com/ubuntu gutsy-security multiverse

4. Update Ubuntu:

  apt-get update

  apt-get upgrade

 This step takes roughly 30 minutes; if a network error occurs, re-run it, or re-run it with the --fix-missing option.

5. Install the various packages

 Many packages can be installed at once:

  apt-get install binutils cpp fetchmail flex gcc libarchive-zip-perl
libc6-dev libcompress-zlib-perl libdb4.3-dev libpcre3 libpopt-dev lynx
m4 make ncftp nmap perl perl-modules unzip zip zlib1g-dev autoconf
automake1.9 libtool bison autotools-dev g++ build-essential

 The command above must be run on a single line. These packages are basically all needed later or are frequently useful in day-to-day work; choose according to your needs.

6. Install libncurses5-dev

 Many people hit an error at the make step when installing software from source because this package is missing:

  checking for termcap functions library... configure: error: No curses/termcap library found

 Solution:

7. Add an ll alias

 Fedora Core always had an ll command; Ubuntu does not, which is hard to get used to, so set it up yourself:

  vi ~/.bashrc

 This file already contains the alias settings, only commented out; remove the comment markers, and also alias vi to vim.

  alias ll='ls -l'
  alias la='ls -A'
  alias l='ls -CF'
  alias vi='vim'

Building a full-featured production web environment from scratch on Ubuntu 7.10 server (Part 2)

Now the software installation proper begins; this part covers installing MySQL and Apache.

I. Install MySQL

MySQL uses UTF-8 as its default encoding:

 groupadd mysql
 useradd -g mysql mysql
 tar -zxvf mysql-5.0.45.tar.gz
 cd mysql-5.0.45
 ./configure --prefix=/usr/local/mysql --with-charset=utf8 --with-collation=utf8_general_ci --with-extra-charsets=latin1
 make
 make install
 cp support-files/my-medium.cnf /etc/my.cnf
 cd /usr/local/mysql
 bin/mysql_install_db --user=mysql
 chown -R root .
 chown -R mysql var
 chgrp -R mysql .
 bin/mysqld_safe --user=mysql &

Add MySQL to PATH:

 vi /etc/profile

Add:

 PATH=/usr/local/mysql/bin:"${PATH}"

Start MySQL together with the system:

 cp support-files/mysql.server /etc/init.d/mysqld

 cd /etc/init.d

 update-rc.d mysqld defaults

Reboot the server to verify that MySQL starts with the system. After booting:

 mysql

If you get straight into the MySQL prompt, startup succeeded.

For security, change the root password:

 mysql>use mysql
 mysql>UPDATE user SET password=PASSWORD('new_password') WHERE user='root';
 mysql>FLUSH PRIVILEGES;
 mysql>exit

II. Install Apache

1. Before installing Apache, install OpenSSL, because Apache will later be configured to support HTTPS:

 tar -zxvf openssl-0.9.8e.tar.gz
 cd openssl-0.9.8e
 ./config --prefix=/usr/local/ssl
 make
 make test
 make install

2. Install Apache; the configure options can be adjusted as needed.

 tar -zxvf httpd-2.2.6.tar.gz
 cd httpd-2.2.6
 ./configure --prefix=/usr/local/apache --enable-modules=all \
   --enable-rewrite --enable-forward --enable-ssl --with-ssl=/usr/local/ssl \
   --enable-mods-shared=all --enable-deflate --enable-proxy \
   --enable-proxy-balancer --enable-proxy-http
 make
 make install

Change the ServerName in conf/httpd.conf:

 ServerName 127.0.0.1:80

Test that Apache works normally.

Start Apache together with the system:

 cp /usr/local/apache/bin/apachectl /etc/init.d/httpd

 cd /etc/init.d

 update-rc.d httpd defaults

Building a full-featured production web environment from scratch on Ubuntu 7.10 server (Part 3)

III. Install PHP

First install some packages PHP needs.

1. Install libxml2 and zlib:

apt-get install libxml2 libxml2-dev

tar -zxvf zlib-1.2.3.tar.gz

cd zlib-1.2.3

./configure --prefix=/usr/local/zlib

make

make install

2. Install jpeg:

tar -zxvf jpegsrc.v6b.tar.gz

cd jpeg-6b

mkdir /usr/local/jpeg

mkdir /usr/local/jpeg/bin

mkdir /usr/local/jpeg/lib

mkdir /usr/local/jpeg/include

mkdir /usr/local/jpeg/man

mkdir /usr/local/jpeg/man/man1

./configure --prefix=/usr/local/jpeg --enable-shared --enable-static

make

make install

3. Install libpng:

tar -zxvf libpng-1.2.16.tar.gz

cd libpng-1.2.16

./configure --prefix=/usr/local/libpng

make

make install

4. Install freetype:

tar -zxvf freetype-2.3.3.tar.gz

cd freetype-2.3.3

./configure --prefix=/usr/local/freetype

make

make install

5. Install gd:

tar -zxvf gd-2.0.33.tar.gz

cd gd-2.0.33

./configure --prefix=/usr/local/gd --with-jpeg=/usr/local/jpeg --with-freetype=/usr/local/freetype --with-png --with-zlib

make

make install

6. Install curl:

tar -zxvf curl-7.16.1.tar.gz

cd curl-7.16.1

mkdir -p /usr/local/curl

./configure --prefix=/usr/local/curl --with-ssl

make

make install

7. Install libiconv:

tar -zxvf libiconv-1.11.tar.gz

cd libiconv-1.11

./configure --prefix=/usr/local/iconv

make

make install

8. Install PHP itself:

There are many options; choose according to need. For typical cases the ones below are enough.

tar -zxvf php-5.2.5.tar.gz

cd php-5.2.5

./configure --prefix=/usr/local/php \
  --with-apxs2=/usr/local/apache/bin/apxs \
  --with-config-file-path=/usr/local/apache/conf --enable-magic-quotes \
  --with-openssl=/usr/local/ssl --with-zlib=/usr/local/zlib \
  --with-zlib-dir=/usr/local/zlib --with-curl=/usr/local/curl --enable-ftp \
  --with-openssl-dir=/usr/local/ssl --with-gd=/usr/local/gd \
  --with-jpeg-dir=/usr/local/jpeg --with-png-dir=/usr/local/libpng \
  --with-freetype-dir=/usr/local/freetype --enable-gd-native-ttf \
  --enable-mbstring --with-mysql=/usr/local/mysql \
  --with-pdo-mysql=/usr/local/mysql --enable-soap --enable-sockets \
  --enable-zip --with-iconv --enable-zend-multibyte \
  --with-mysql-sock=/tmp/mysql.sock --enable-sqlite-utf8

make

make test

make install

cp php.ini-dist /usr/local/apache/conf/php.ini

9. Install ZendOptimizer-3.3.0a

tar -zxvf ZendOptimizer-3.3.0a-linux-glibc21-i386.tar.gz

cd ZendOptimizer-3.3.0a-linux-glibc21-i386

./install.sh

During installation, specify the ZendOptimizer install directory and the path to php.ini.

10. Make Apache support PHP:

vi /usr/local/apache/conf/httpd.conf

Add at the end:

AddType application/x-httpd-php .php

AddType application/x-httpd-php-source .phps

Change <Directory "/usr/local/apache/htdocs"> to:

<Directory "/home/dingl/php-web/test">

Change DocumentRoot to "/home/dingl/php-web/test"

Create a new index.php file in this directory with the following content:

<?php phpinfo(); ?>

Open http://192.168.1.xx/index.php and you should see the PHP info page, which means PHP was installed successfully.


Building a full-featured production web environment from scratch on Ubuntu 7.10 server (Part 4)

IV. Install the Java environment

For the JSP container I recommend Resin: first, as a production environment Resin is better than Tomcat; second, I know Resin well, having used it for six years.

Of course, Resin and Tomcat can also both be installed and used together with Apache. In this installation Tomcat was installed as well, but not integrated with Apache; it serves directly on a non-80 port. Since installing Tomcat is simpler, this series of articles does not cover it.

1. Install the JDK

chmod 755 jdk-1_5_0_11-linux-i586.bin

./jdk-1_5_0_11-linux-i586.bin

cp -r jdk1.5.0_11 /usr/local/java

2. Edit the environment variables:

vi /etc/profile

Add at the end:

JAVA_HOME=/usr/local/java
export JAVA_HOME
PATH="${JAVA_HOME}"/bin:/usr/local/mysql/bin:"${PATH}"
export PATH

3. Install Resin:

tar -zxvf resin-pro-3.1.3.tar.gz
cd resin-pro-3.1.3
./configure --with-apache=/usr/local/apache
make
make install
cp -r /home/dingl/soft/resin-pro-3.1.3 /usr/local/resin
cd /usr/local/resin

4. Edit the environment variables:

vi /etc/profile

JRE_HOME="${JAVA_HOME}"/jre
export JRE_HOME
CLASSPATH=.:"${JAVA_HOME}"/lib/tools.jar:"${JAVA_HOME}"/lib/dt.jar
export CLASSPATH
RESIN_HOME=/usr/local/resin
export RESIN_HOME
CLASSPATH="${RESIN_HOME}"/lib/resin.jar:"${CLASSPATH}"
export CLASSPATH
PATH="${JAVA_HOME}"/bin:/usr/local/mysql/bin:"${PATH}"
export PATH

5. Configure the Resin startup environment:

Log out and log back in as root over SSH.

vi /usr/local/resin/bin/httpd.sh

Change

exec $java -jar ${RESIN_HOME}/resin.jar $*

to

exec $java -jar ${RESIN_HOME}/lib/resin.jar $*

and above this line add:

JAVA_HOME=/usr/local/java

export JAVA_HOME

RESIN_HOME=/usr/local/resin

export RESIN_HOME

PATH=${JAVA_HOME}/bin:${PATH}

export PATH

6. Test Resin:

/usr/local/resin/bin/httpd.sh

If http://www.dingl.com:8080/ opens normally, Resin was installed successfully.

vi /usr/local/resin/conf/resin.conf

Change

<web-app id="/" root-directory="webapps/ROOT"/>

to

<web-app id="/" root-directory="/home/dingl/jsp-web/test/"/>

Create a new index.jsp file under /home/dingl/jsp-web/test/ with the following content:

2+2=<%=2+2%>

7. Integrate Apache and Resin:

vi /usr/local/apache/conf/httpd.conf

Change DocumentRoot "/home/dingl/php-web/test" to DocumentRoot "/home/dingl/jsp-web/test"

Then add the following section:

<Directory "/home/dingl/jsp-web/test">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

Extend the welcome-file list by changing

<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>

to

<IfModule dir_module>
    DirectoryIndex index.html index.jsp index.php index.htm
</IfModule>

Restart Resin and Apache (note the order: Resin first, then Apache):

/usr/local/resin/bin/httpd.sh restart

/usr/local/apache/bin/apachectl -k restart

Visit each of:

http://www.dingl.com:8080/index.jsp

http://www.dingl.com/index.jsp

If the browser shows 2+2=4, Apache and Resin were integrated successfully.

8. Start Resin together with the system

Following the official documentation, autostarting Resin on Ubuntu does not work, although it does on Fedora Core. The procedure is as follows:

cp /usr/local/resin/bin/httpd.sh /usr/local/resin/bin/resin-a.sh

Then test whether resin-a.sh can start and stop the service normally:

/usr/local/resin/bin/resin-a.sh start

/usr/local/resin/bin/resin-a.sh stop

If it does not, the path configuration is wrong.

cp /usr/local/resin/bin/resin-a.sh /etc/init.d/resin

cd /etc/init.d

update-rc.d resin defaults

After rebooting the server you will see Apache and Resin start together, and http://www.dingl.com/ is accessible normally!

Building a full-featured production web environment from scratch on Ubuntu 7.10 server (Part 5)

V. Install the Rails environment

The Rails environment is served with Mongrel.

1. Install Ruby

tar -zxvf ruby-1.8.6.tar.gz

cd ruby-1.8.6

./configure --prefix=/usr/local/ruby

make

make install

Add Ruby to PATH:

vi /etc/profile

RUBY_HOME=/usr/local/ruby
PATH="${RUBY_HOME}"/bin:"${JAVA_HOME}"/bin:/usr/local/mysql/bin:"${PATH}"
export PATH

Log out of root and log back in as root, then verify that Ruby was installed successfully:

ruby -v

If a version number is shown, the installation succeeded.

2. Install RubyGems

tar -zxvf rubygems-0.9.4.tgz

cd rubygems-0.9.4

ruby setup.rb

rubygems-0.9.5 seems to have a problem: whatever package you try to gem install, it says SSL is not installed. Reinstalling rubygems-0.9.4 fixed it.

3. Install rails/mongrel/termios

apt-get install libssl-dev

gem install rake --include-dependencies
gem install rails --include-dependencies
gem install termios --include-dependencies
gem install mongrel --include-dependencies
gem install mongrel_cluster --include-dependencies

After generating a default site (or uploading an already developed site and configuring its database), change to the site directory:

mongrel_rails cluster::configure -e production -p 8000 -N 3 -c /home/dingl/rails-web/ -a 127.0.0.1

Configure the database in database.yml; this is a production environment, so configure the production section.

If you need to connect to MySQL through a socket, add:

socket: /tmp/mysql.sock

You can also specify the encoding used for data transfer:

encoding: utf8

4. Start Mongrel:

mongrel_rails cluster::start

If the following error appears:

Cannot find gem for Rails ~>1.2.3.0:
Install the missing gem with 'gem install -v=1.2.3 rails'

then edit the Rails version number in config/environment.rb.

5. Configure Apache with Mongrel:

Edit Apache's configuration file:

vi /usr/local/apache/conf/httpd.conf

Add a virtual host at the end of the file:

<VirtualHost *:80>
    ServerName www.dingl.com
    RewriteEngine On
    DocumentRoot /home/dingl/rails-web/
    ProxyRequests Off
    <Proxy balancer://mongrel_cluster>
        BalancerMember http://127.0.0.1:8000/
        BalancerMember http://127.0.0.1:8001/
        BalancerMember http://127.0.0.1:8002/
    </Proxy>
    ProxyPass balancer://mongrel_cluster/images !
    ProxyPass balancer://mongrel_cluster/stylesheets !
    ProxyPass balancer://mongrel_cluster/javascripts !
    ProxyPass / balancer://mongrel_cluster/
    ProxyPassReverse / balancer://mongrel_cluster/
    ProxyPreserveHost on
</VirtualHost>

Restart the Mongrel cluster and Apache, then open http://www.dingl.com/ in IE and it should work.

Note that addresses such as http://www.dingl.com:8000 cannot be used to reach it directly, because Mongrel is configured to bind to 127.0.0.1 and can only be reached via http://127.0.0.1:8000.

6. Start Mongrel together with the system:

ln -s /home/dingl/rails-web/config/mongrel_cluster.yml /etc/mongrel_cluster/app.yml

cp /usr/local/ruby/lib/ruby/gems/1.8/gems/mongrel_cluster-1.0.5/resources/mongrel_cluster /etc/init.d/mongrel_cluster

cd /etc/init.d

chmod +x mongrel_cluster

vi /etc/init.d/mongrel_cluster

Above the CONF_DIR line add:

PATH=/usr/local/ruby/bin:/usr/local/ruby/lib/ruby/gems/1.8/gems/mongrel_cluster-1.0.5/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local:/usr/local/sbin:/usr/local/bin

Write the full path here; do not reference another variable.

The USER=mongrel line below can be set to whichever user should start the service; if no mongrel user has been created, change it to USER=root.

update-rc.d -f mongrel_cluster defaults

After rebooting the server, the Rails application is accessible at http://www.dingl.com/.

Building a full-featured production web environment from scratch on Ubuntu 7.10 server (Part 6)

In a production environment SSL is frequently needed to support HTTPS; this part adds SSL support to Apache.

VI. Configure Apache to support SSL:

1. Edit the Apache configuration file:

vi /usr/local/apache/conf/httpd.conf

Make sure these two lines are not commented out:

LoadModule ssl_module modules/mod_ssl.so

Include conf/extra/httpd-ssl.conf
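As an added example (not part of the original post), a small shell audit of the httpd.conf settings this series edits by hand: the two SSL lines above, the Options Indexes directory block from Part 4, the SSLCipherSuite string from Part 6 and the .phps handler from Part 3. The sample fragment it writes, the file path and the message texts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit the httpd.conf settings this
# series edits by hand. Messages, the sample fragment and the file path are
# constructed for illustration.

# httpd_audit FILE : print one finding per line; no output means all checks passed.
httpd_audit() {
    f="$1"
    # Both lines must be active for HTTPS (the guide says to uncomment them).
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+ssl_module' "$f" \
        || echo "ssl_module is not loaded"
    grep -Eq '^[[:space:]]*Include[[:space:]]+conf/extra/httpd-ssl\.conf' "$f" \
        || echo "httpd-ssl.conf is not included"
    # "Options Indexes" on a production document root lists directory contents.
    grep -En '^[[:space:]]*Options[[:space:]].*Indexes([[:space:]]|$)' "$f" \
        | sed 's/^\([0-9]*\):.*/line \1: Options Indexes enables directory listing/'
    # Weak cipher classes that the suite string enables rather than negates with "!".
    for weak in eNULL LOW EXP SSLv2; do
        grep -Eq "^[[:space:]]*SSLCipherSuite[[:space:]].*[:+]${weak}(:|\$)" "$f" \
            && echo "SSLCipherSuite enables $weak"
    done
    # The .phps handler serves PHP source files to anyone who requests them.
    grep -q 'x-httpd-php-source' "$f" \
        && echo ".phps handler publishes PHP source"
    return 0
}

# sample_httpd_conf FILE : write a constructed fragment (not a real server's
# config) with the settings the guide changes and the slips the audit catches.
sample_httpd_conf() {
    cat > "$1" <<'EOF'
#LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
<Directory "/home/dingl/jsp-web/test">
Options Indexes FollowSymLinks
</Directory>
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
EOF
}

# audit_count FILE : number of findings, for scripting (0 means clean).
audit_count() {
    httpd_audit "$1" | grep -c '' || true
}
```

Run it as `httpd_audit /usr/local/apache/conf/httpd.conf` and again on conf/extra/httpd-ssl.conf, since the cipher suite lives in the latter.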

Then configure another virtual host (it can be xxx.dingl.com, depending on the SSL certificate purchased):

<VirtualHost *:80>
    ServerName www.dingl.com
    DocumentRoot /home/dingl/jsp-web
    ResinConfigServer localhost 6800
    AddHandler caucho-request jsp
    AddHandler caucho-request xtp
    AddHandler caucho-request vm
</VirtualHost>

2. Edit the SSL configuration file:

vi /usr/local/apache/conf/extra/httpd-ssl.conf

For dingl.com, change it to the following form:

Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLMutex "file:/usr/local/apache/logs/ssl_mutex"
##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>
    # General setup for the virtual host
    DocumentRoot "/home/dingl/jsp-web"
    ServerName www.dingl.com:443
    ServerAdmin you@example.com
    ErrorLog "/usr/local/apache/logs/error_log"
    TransferLog "/usr/local/apache/logs/access_log"
    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile "/usr/local/apache/conf/dingl.com.crt"
    #SSLCertificateFile "/usr/local/apache/conf/server-dsa.crt"
    SSLCertificateKeyFile "/usr/local/apache/conf/dingl.com.key"
    #SSLCertificateKeyFile "/usr/local/apache/conf/server-dsa.key"
    #SSLCertificateChainFile "/usr/local/apache/conf/server-ca.crt"
    #SSLCACertificatePath "/usr/local/apache/conf/ssl.crt"
    #SSLCACertificateFile "/usr/local/apache/conf/ssl.crt/ca-bundle.crt"
    #SSLCARevocationPath "/usr/local/apache/conf/ssl.crl"
    #SSLCARevocationFile "/usr/local/apache/conf/ssl.crl/ca-bundle.crl"
    #SSLVerifyClient require
    #SSLVerifyDepth 10
    ResinConfigServer 127.0.0.1 6800
    AddHandler caucho-request jsp
    AddHandler caucho-request xtp
    AddHandler caucho-request vm
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/usr/local/apache/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog "/usr/local/apache/logs/ssl_request_log" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

The site can now be accessed via http://www.dingl.com/.

Building a full-featured production web environment from scratch on Ubuntu 7.10 server (Part 7)

A server providing public services must have a firewall; this part configures iptables on Ubuntu 7.10.

I read many articles online about configuring a firewall on Ubuntu and found them all quite cumbersome.

On the desktop edition, firestarter can be used to configure iptables.

On server there is also the shorewall tool.

After studying iptables configuration more closely, I found that it all comes down to setting rules with the iptables command, and I also saw people online configuring the rules directly from a script. So I copied that approach and wrote a script of my own, which is simpler and similar to the command-line configuration on Fedora Core.

Create the file /etc/init.d/firewall:

vi /etc/init.d/firewall

It goes under /etc/init.d so that it can be started automatically.

The script is as follows:

#!/bin/bash
# This script is used to start my iptables rules.
#History :
# Sat Jun 17 23:22:01 CST 2006 Jerry Second release
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:~/bin
export PATH
case "$1" in
start)
    echo -n "Starting FireWall ... "
    # /sbin/iptables -P INPUT DROP
    /sbin/iptables -P OUTPUT ACCEPT
    /sbin/iptables -A INPUT -i lo -j ACCEPT
    /sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    /sbin/iptables -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A INPUT -p all -m state --state INVALID,NEW -j DROP
    echo "OK"
    ;;
stop)
    echo -n "Stop FireWall ... "
    /sbin/iptables -F
    /sbin/iptables -X
    /sbin/iptables -Z
    echo "OK"
    ;;
restart)
    /etc/init.d/firewall stop
    /etc/init.d/firewall start
    echo "Restart FireWall OK"
    ;;
*)
    echo "Usage: $0 {start|stop|restart}"
    ;;
esac
exit 0

To open a new port, simply edit the start section.

Test that the firewall works:
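As an added example (not part of the original post), the rules of the start section can be generated from a port list, so that opening a port means editing one list rather than the script; note that the script above opens only 22 and 80, so the 443 configured in Part 6 has to be added. The commands are printed for review instead of being run, and unlike the script above the INPUT policy is set to DROP explicitly; the port list and the pipe to sh are assumptions.

```shell
#!/bin/bash
# Added example (not from the original post): build the "start" rule set of
# /etc/init.d/firewall from a list of TCP ports. Commands are printed rather
# than executed so the list can be reviewed before it is applied.
IPT=/sbin/iptables

# fw_rules PORT... : print the iptables commands that open the given TCP ports.
# Arguments are validated before anything is printed, so a typo never yields a
# partial rule set.
fw_rules() {
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "fw_rules: invalid port '$port'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "fw_rules: port out of range: $port" >&2; return 1
        fi
    done
    echo "$IPT -P OUTPUT ACCEPT"
    # The original script leaves this policy commented out and relies on the
    # final DROP rule; an explicit default-deny also covers a partially loaded
    # rule set (for example when one of the -A commands fails).
    echo "$IPT -P INPUT DROP"
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    echo "$IPT -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT"
    for port in "$@"; do
        echo "$IPT -A INPUT -p tcp -m tcp --dport $port -j ACCEPT"
    done
    echo "$IPT -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -A INPUT -p all -m state --state INVALID,NEW -j DROP"
}

# fw_open_count PORT... : number of per-port ACCEPT rules fw_rules would add,
# a quick sanity check before applying with: fw_rules 22 80 443 | sh
fw_open_count() {
    fw_rules "$@" | grep -c -- '--dport'
}
```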

/etc/init.d/firewall restart

No problems.

Configure the firewall to start automatically with the system:

cd /etc/init.d

update-rc.d firewall defaults 01

01 is the start priority, so that the firewall rules are loaded as soon as the system comes up; you can also change all the K01 links to K99 so that the firewall service is the last one stopped when the server shuts down or reboots.

This concludes the series.

For a production environment the configuration above is basically sufficient; it can run all the currently popular applications, including the many open-source or free ones such as BBS, CMS and blog software.

The end.
