Freely controlling Internet access, QQ and Lianzhong in the computer labs
The labs are always making this kind of request: this class period needs Internet access, the next one needs it cut off. We used to pull the network cable; since we started using this setup we no longer have to. And while Internet access is on, we can still control whether students get onto Lianzhong or QQ. When the labs are open after class they need both Internet and QQ, so you just disable those policies. WinBox is also easy to operate; I taught the administrator how and no longer have to deal with it myself.
/ip firewall rule forward
# RouterOS 2.x syntax: every rule below sits in the forward chain and drops matching
# traffic. dst-address=!192.168.0.0/16 means "any destination outside the campus
# 192.168.0.0/16 network", so a blocked lab still reaches internal servers.
This is where each lab's Internet access policy is controlled: set the rule to disabled when access is allowed, enabled when access is to be blocked.
Lab 1
add src-address=192.168.3.0/26 dst-address=!192.168.0.0/16 action=drop \
comment="Lab 1" disabled=yes
Lab 2
add src-address=192.168.3.64/26 dst-address=!192.168.0.0/16 action=drop \
comment="Lab 2" disabled=no
Lab 3
add src-address=192.168.3.128/26 dst-address=!192.168.0.0/16 action=drop \
comment="Lab 3" disabled=yes
Lab 4
add src-address=192.168.3.192/26 dst-address=!192.168.0.0/16 action=drop \
comment="Lab 4" disabled=no
Lab 5 (two address ranges: 192.168.0.128/26 and 192.168.0.192/29)
add src-address=192.168.0.128/26 dst-address=!192.168.0.0/16 action=drop \
comment="Lab 5" disabled=no
add src-address=192.168.0.192/29 dst-address=!192.168.0.0/16 action=drop \
comment="" disabled=no
Lab 6
add src-address=192.168.0.64/26 dst-address=!192.168.0.0/16 action=drop \
comment="Lab 6" disabled=no
This is where Lianzhong and QQ are controlled for each lab.
# dst-address=:PORT (no address before the colon) is RouterOS 2.x shorthand for
# "that destination port on any address". The rule comments attribute UDP 8000 and
# TCP 1007-3400 to QQ chat and Lianzhong; 219.133.0.0/16 is the server network the
# rules also block. A rule with disabled=no is in force, i.e. the block is on.
Lab 2
add src-address=192.168.3.64/26 dst-address=:1007-3400 protocol=tcp \
action=drop comment="Lab 2: block Lianzhong, block QQ chat" disabled=no
add src-address=192.168.3.64/26 dst-address=:8000 protocol=udp action=drop \
comment="" disabled=no
add src-address=192.168.3.64/26 dst-address=219.133.0.0/16 action=drop \
comment="" disabled=no
Lab 3
add src-address=192.168.3.128/26 dst-address=219.133.0.0/16 action=drop \
comment="" disabled=no
add src-address=192.168.3.128/26 dst-address=:8000 protocol=udp action=drop \
comment="Lab 3: block QQ chat, block Lianzhong" disabled=yes
add src-address=192.168.3.128/26 dst-address=:1007-3400 protocol=tcp \
action=drop comment="" disabled=yes
Lab 4
add src-address=192.168.3.192/26 dst-address=:1007-3400 protocol=tcp \
action=drop comment="Lab 4: block Lianzhong, QQ chat" disabled=no
add src-address=192.168.3.192/26 dst-address=:8000 protocol=udp action=drop \
comment="" disabled=no
add src-address=192.168.3.192/26 dst-address=219.133.0.0/16 action=drop \
comment="" disabled=no
Lab 5
add src-address=192.168.0.128/26 dst-address=:8000 protocol=udp action=drop \
comment="Lab 5: block QQ chat, block Lianzhong" disabled=no
add src-address=192.168.0.192/29 dst-address=:8000 protocol=udp action=drop \
comment="" disabled=no
add src-address=192.168.0.128/26 dst-address=219.133.0.0/16 action=drop \
comment="" disabled=no
add src-address=192.168.0.192/29 dst-address=219.133.0.0/16 action=drop \
comment="" disabled=no
add src-address=192.168.0.128/26 dst-address=:1007-3400 protocol=tcp \
action=drop comment="" disabled=no
add src-address=192.168.0.192/29 dst-address=:1007-3400 protocol=tcp \
action=drop comment="" disabled=no
Lab 6
add src-address=192.168.0.64/26 dst-address=:8000 protocol=udp action=drop \
comment="Lab 6: block QQ chat, block Lianzhong" disabled=no
add src-address=192.168.0.64/26 dst-address=219.133.0.0/16 action=drop \
comment="" disabled=no
add src-address=192.168.0.64/26 dst-address=:1007-3400 protocol=tcp \
action=drop comment="" disabled=no
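The two rule groups above, rewritten as an added example (not from the original post or from njalin) in the `/ip firewall filter` syntax RouterOS has used since v3, so the same per-lab on/off switching works on current routers where `/ip firewall rule forward` and `dst-address=:PORT` no longer exist. The Lab 1 subnet, the UDP 8000 and TCP 1007-3400 matches and the 219.133.0.0/16 block are taken from the rules above; the comment tags `lab1-internet` and `lab1-games`, the script names and the 08:00/16:30 timetable are assumptions made for this example. Only Lab 1 is written out; every other lab repeats the pattern with its own /26.

```routeros
# Added example, not part of the original post. RouterOS v3+ filter syntax for the
# per-lab policy. Comment tags (assumed names) group the rules so that one command
# flips a whole lab. disabled=yes on a drop rule means "allowed".
/ip firewall filter
# Internet switch for Lab 1: drop anything that is not campus-internal.
add chain=forward src-address=192.168.3.0/26 dst-address=!192.168.0.0/16 \
    action=drop comment="lab1-internet" disabled=yes
# QQ/Lianzhong blocks for Lab 1, the same three matches as the 2.x rules above.
# dst-port replaces the old dst-address=:PORT form and requires protocol=.
add chain=forward src-address=192.168.3.0/26 protocol=udp dst-port=8000 \
    action=drop comment="lab1-games" disabled=no
add chain=forward src-address=192.168.3.0/26 protocol=tcp dst-port=1007-3400 \
    action=drop comment="lab1-games" disabled=no
add chain=forward src-address=192.168.3.0/26 dst-address=219.133.0.0/16 \
    action=drop comment="lab1-games" disabled=no

# Manual switching, one command per direction. Every rule carrying the tag flips.
/ip firewall filter enable [find comment="lab1-internet"]
/ip firewall filter disable [find comment="lab1-internet"]
/ip firewall filter disable [find comment="lab1-games"]

# Optional: let the scheduler do what the admin did by hand. Assumed timetable:
# class at 08:00 (Internet cut, games blocked), lab opened at 16:30 (everything on).
/system script
add name=lab1-class source="/ip firewall filter enable [find comment=\"lab1-internet\"]; \
    /ip firewall filter enable [find comment=\"lab1-games\"]"
add name=lab1-open source="/ip firewall filter disable [find comment=\"lab1-internet\"]; \
    /ip firewall filter disable [find comment=\"lab1-games\"]"
/system scheduler
add name=lab1-class-start start-time=08:00:00 interval=1d on-event=lab1-class
add name=lab1-open-start start-time=16:30:00 interval=1d on-event=lab1-open
```

`/ip firewall filter print where comment~"lab1"` shows which rules are currently in force for the lab. Two caveats carry over from the original design: a destination-port drop on 1007-3400 also cuts any unrelated TCP service a lab machine might need in that range, and a port- or address-based block only catches clients that keep using those ports and addresses, so treat this as a classroom-discipline control rather than a security boundary.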
[This post was last edited by njalin on 2006-10-18 22:14]

Reply: I really support the OP's spirit of posting to teach, and the script is very well written too! Truly!

Reply: A good post and nobody has bumped it yet, sigh~~ Reading the OP's script carefully, it really is written quite elegantly!

Reply: Not bad, but I'm at a state-owned enterprise; if I stopped everyone from getting on Lianzhong and QQ they would kill me.

Reply: Eh? 64 machines per lab?

Reply: To the poster above: the private addresses are our own, so wasting a few addresses is nothing. It was designed this way to keep the rules simpler. A lab does not have to have 64 machines, just fewer than 64.
At first I didn't divide them up properly either; later, when the number of rules got too large, I thought about dividing them up properly.
[This post was last edited by njalin on 2006-11-7 10:21]

Reply: Personally I think managing this with PPPoE + RADIUS is simpler!

Reply: Thanks, worth learning from.

Reply: Support the OP's spirit of posting to teach.