====== Skoleni Router, Firewall, Samba, VPN ======
Download and install the epel-release package from the EPEL repository. 6-8 is the version at the time of writing but it may differ later, so check the name of the file (the name passed to rpm must match the file wget saved).
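# Bootstrap the EPEL repository and install the Xfce desktop group.
yum install wget
# Release 6-8 was current when this was written; check the file name on the mirror.
wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
# The file name here must be the one wget just saved (6-8, not 6.8 -- that was a typo).
rpm -ivh epel-release-6-8.noarch.rpm
yum --enablerepo epel groupinstall Xfce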
===== Zakladni prace se sitovymi interfaces =====
Nastavte ONBOOT na yes a NM_CONTROLLED na no
''/etc/sysconfig/network-scripts/ifcfg-eth0''
# /etc/sysconfig/network-scripts/ifcfg-eth0 -- per the note above: ONBOOT=yes, NM_CONTROLLED=no
DEVICE=eth0
# HWADDR and UUID are the values of the machine this example was taken from;
# they have to be replaced on any other host
HWADDR=00:0C:29:46:73:F1
TYPE=Ethernet
UUID=8e657a0a-96ed-412e-8e88-d6017267d83d
# bring the interface up at boot
ONBOOT=yes
# keep the interface out of NetworkManager's hands (the network service manages it)
NM_CONTROLLED=no
# address comes from DHCP
BOOTPROTO=dhcp
Dva druhy vypisu vsech interfaces
ifconfig -a
ip a
Pozor, vypis se lisi pokud pridate vice IP adres na jeden interface pres "ip a a 1.2.3.4/24 dev eth0", pak druha ip nebude pres ifconfig videt. Je lepsi pouzivat na vypis ''ip a''. Vystup ifconfig je vsak pro me oko prehlednejsi.
Shozeni a nahozeni interface
1. uplny restart site
/etc/init.d/network restart
service network restart
2. restart jen jednoho interface
ifdown eth0
ifup eth0
===== Firewall =====
Vypsani firewallu INPUT, OUTPUT, FORWARD
iptables -L -n
Vypsani firewallu nat a raw
iptables -t nat -L -n
Smazani obsahu vsech //chainu// firewallu, nastavit politiku na ACCEPT a smazani vsech //chainu//
# -F without -t flushes only the filter table; the nat/raw tables listed above
# with "-t nat" keep their rules unless flushed with "-t nat -F" / "-t raw -F".
iptables -F
# only the INPUT policy is reset here; FORWARD and OUTPUT keep whatever policy they have
iptables -P INPUT ACCEPT
# delete the (now empty) user-defined chains; -X fails on a chain that is still referenced
iptables -X
===== Budujeme predradny firewall pro tri obchody =====
alza
czc
starlab
===== je cas na tcpdump =====
yum install tcpdump
===== Pridani tri novych chainu pravidel =====
# One user-defined chain per shop. They are created empty and nothing on this page
# appends rules to them, so a packet that jumps into one simply returns to INPUT
# and is decided by the INPUT policy.
iptables -N starlab
iptables -N alza
iptables -N czc
# Dispatch by destination address. These hooks sit on INPUT, i.e. they only see
# traffic addressed to this host itself -- traffic routed through the box goes
# through FORWARD, which is left on its policy (see below).
iptables -A INPUT -d 10.0.1.2 -j alza
iptables -A INPUT -d 10.0.1.3 -j czc
iptables -A INPUT -d 10.0.1.4 -j starlab
Nezapomenout zapnout forwarding v kernelu a jeste ACCEPT v iptables FORWARD
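# Enable IPv4 routing in the kernel. This write is lost on reboot; for a
# permanent setting put "net.ipv4.ip_forward = 1" into /etc/sysctl.conf.
echo 1 > /proc/sys/net/ipv4/ip_forward
# Flush the filter table (fixed typo: "iptabes"). Note this also removes the
# INPUT jumps into the alza/czc/starlab chains added above -- run it before
# building those chains, or leave it out.
iptables -F
# Let routed packets through. Nothing else on this page filters FORWARD,
# so this effectively makes the box an open router between its interfaces.
iptables -P FORWARD ACCEPT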
Lehky test jestli jsou vsechny ip adresy aktivni
# Quick reachability check of the shop addresses: one echo request each,
# print "Chyba <n>" only for the ones that did not answer.
for host in {16..22}; do
  ping -c1 "10.0.1.${host}" >/dev/null || printf 'Chyba %s\n' "${host}"
done
Hezky podrobny manual o iptables napsal pan Oscar Andreasson
Priklad natu pro firewall/router, ktery smeruje sluzbu www (port 80) na jinou ip
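# Outbound NAT on the external interface (eth1 here -- on some boxes it is eth0;
# the note that used to sit inside the command would have broken it).
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# Port forward: TCP/80 arriving on eth0 is rewritten to the internal web host.
# The rewritten packets then pass FORWARD, which is ACCEPT above.
# (fixed missing space in "-t nat-A")
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.1.18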
Priklad pouziti //tcpdump//
# Everything on eth0 except port 22 (so your own ssh session does not flood the output).
# -nn disables both host and port name resolution; the extra -n is already implied by it.
tcpdump -i eth0 -n -nn not port 22
# HTTP only; capture up to 1500 bytes of each packet and print them in hex and ASCII.
tcpdump -i eth0 -n tcp and port 80 -s 1500 -X
komu nestaci //tcpdump// muze pouzit //wireshark//.
====== MRTG - grafy toku ======
yum install mrtg
yum install net-snmp
Konfiguracni soubor ''/etc/snmp/snmpd.conf''. Upozorneni - tento soubor zpristupnuje prilis mnoho informaci o systemu. Pro ostry provoz je treba vyexportovat jen jednotlive uzitecne informace a jeste omezit v iptables pristup. V pripade localhosta muzete nechat poslouchat snmp demona jen na localhostu.
# sec.name source community
# "default" accepts this community from any source address. As the note above
# says, for production bind snmpd to localhost (cfgmaker only queries
# public@localhost) and additionally restrict access in iptables.
com2sec readonly default public
# group.name sec.model sec.name
group MyROGroup v1 readonly
group MyROGroup v2c readonly
group MyROGroup usm readonly
# incl/excl subtree mask
# ".1" exposes the whole tree -- this is the "too much information" the note
# above warns about; narrow the view to the subtrees mrtg actually graphs.
view all included .1 80
# context sec.model sec.level match read write notif
# read-only access for the group, no write, no notifications
access MyROGroup "" any noauth exact all none none
Vytvorime konfiguraci pro mrtg pomoci utility cfgmaker public@localhost
a vystup presmerujeme do ''/etc/mrtg/mrtg.cfg''
cfgmaker public@localhost > /etc/mrtg/mrtg.cfg
Zvolime spravne cesty a trochu lepsi options
# for UNIX
WorkDir: /var/www/mrtg/
# to get bits instead of bytes and graphs growing to the right
Options[_]: growright, bits
cron je obvykle (centos i debian) nastaveny spravne instalacnim balikem.
a nastavime apache.
''/etc/httpd/conf.d/mrtg.conf''
staci jedina radka
alias /mrtg /var/www/mrtg
A vygenerujeme index.html podle configu
indexmaker /etc/mrtg/mrtg.cfg > /var/www/mrtg/index.html
===== High Availability HA Router =====
VRRP nebo UCARP
Instalace
yum install http://mirror.hosting90.cz/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum install ucarp
skripty ''up.sh'' a ''down.sh'', uvadim priklad jen pro UP
#!/bin/sh
# ucarp "up" script: when this node becomes master, attach the shared (virtual)
# addresses to both interfaces. The down.sh counterpart (not shown) is expected
# to remove them again.
ip address add 192.168.5.166/32 dev eth0
ip address add 10.0.1.166/32 dev eth1
# TODO: do not forget arping for the new addresses (presumably so that
# neighbours refresh their ARP entries after the failover)
Dlouha prikazova radka
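# Master/backup election on VHID 16; the shared address 192.168.5.166 is
# attached/detached by up.sh/down.sh.
# The shared secret is read from a file instead of being passed as --pass=...:
# a command-line argument is visible to every local user in "ps", a 0600 file
# is not. /etc/ucarp/vhid16.pass is a placeholder path -- create it readable
# by root only and put the password (previously given inline) in it.
ucarp --interface eth0 --srcip 192.168.5.16 --vhid=16 --passfile=/etc/ucarp/vhid16.pass \
  --addr=192.168.5.166 --preempt --shutdown \
  --upscript=/etc/ucarp/up.sh \
  --downscript=/etc/ucarp/down.sh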
====== OpenVPN a Easy RSA ======
yum install openvpn easy-rsa
Nasledujici se bude odehravat v adresari
''/usr/share/easy-rsa/2.0''
[root@router-bck 2.0]# . ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/easy-rsa/2.0/keys
[root@router-bck 2.0]# ./clean-all
[root@router-bck 2.0]# ./build-ca
Priklad konfigurace klienta ''/etc/openvpn/client.conf''
# /etc/openvpn/client.conf -- minimal client pointing at the server below
client
dev tun
proto udp
# server address and port; must match "port 1194" / "proto udp" in server.conf
remote 192.168.5.38 1194
; worth a mention: keep retrying name resolution of the remote indefinitely
;resolv-retry infinite
nobind
persist-key
persist-tun
# ca.crt is the CA produced by "./build-ca" above; cert/key are this client's own files
ca ca.crt
cert ten-vas.crt
key taky-ten-vas.key
# NOTE(review): no tls-auth here, consistent with the server example where tls-auth
# is commented out; if it gets enabled on the server, add the matching line here.
verb 3
Konfigurace serveru ''/etc/openvpn/server.conf''
# /etc/openvpn/server.conf
port 1194
proto udp
dev tun0
# CA and server certificate/key produced by easy-rsa (see build-ca above);
# dh2048.pem holds the Diffie-Hellman parameters
ca ca.crt
cert dalibor.crt
key dalibor.key
dh dh2048.pem
# subnet handed out to VPN clients
server 10.88.88.0 255.255.255.0
# comment out ifconfig-pool-persist ipp.txt
# route to the 10.0.1.0/24 network used in the firewall section above
route 10.0.1.0 255.255.255.0
# Then create a file ccd/Thelonious with this line:
# comment out
#push "route 192.168.182.0 255.255.255.0"
#push "redirect-gateway"
#push "dhcp-option DNS 192.168.183.1"
#push "dhcp-option WINS 10.8.0.1"
#client-config-dir ccd
# comment out client-to-client
keepalive 10 120
# NOTE(review): tls-auth stays commented out, so the control channel runs without
# the extra HMAC key; enable it (and distribute ta.key to clients) unless that is intended.
#tls-auth ta.key 0 # secret file
# no cipher line is active, so whatever the installed OpenVPN defaults to is used
#cipher BF-CBC # Blowfish
#cipher AES-128-CBC # AES
#cipher DES-EDE3-CBC # Triple-DES
# watch out for MikroTik peers! :-D
#comp-lzo # compression
;max-clients 100
status openvpn-status.log
====== Samba Server ======
Priklad jednoducheho konfiguracniho souboru ''/etc/samba/smb.conf''
[global]
workgroup = MYGROUP
server string = Samba Server Version %v
; netbios name = MYSERVER
log file = /var/log/samba/log.%m
max log size = 50
# users must authenticate with a Samba account (added with "pdbedit -a" below);
# no guest access is configured anywhere in this example
security = user
passdb backend = tdbsam
# the login script name depends on the machine name
; logon script = %m.bat
# the login script name depends on the unix user used
; logon script = %u.bat
; logon path = \\%L\Profiles\%u
# disables profiles support by specifying an empty path
; logon path =
# per-user home directories; browseable = no keeps the share out of browse lists
[homes]
comment = Home Directories
browseable = no
writable = yes
# shared directory; "writable = yes" and "readonly = no" express the same setting twice
[pub]
path=/srv/samba-public
writable = yes
readonly = no
browsable = yes
Pridejte uzivatele uziv
adduser uziv
pdbedit -a uziv
Priklad vytvoreni slozky Kos (Trash)
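# Recycle bin ("Kos"): deleted files are moved into the .recycle repository
# inside the share instead of being removed outright.
vfs object = recycle:recycle
# 0777 makes the recycle subdirectories world-writable -- consider a tighter mode
recycle:subdir_mode = 0777
recycle:repository = .recycle
recycle:keeptree = Yes
recycle:touch = Yes
recycle:versions = No
# 100 metric million bytes. The remark is on its own line now: smb.conf only
# treats ';' / '#' as a comment at the start of a line, so the original inline
# "; 100 metric million bytes" became part of the value.
recycle:maxsize = 100000000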