Download and install the epel-release package from the EPEL repository, 6.8 is the version at this date but it can be different later, check the name of the file.
yum install wget wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm rpm -ivh epel-release-6.8.noarch.rpm yum --enablerepo epel groupinstall Xfce
Nastavte ONBOOT na yes a NM_CONTROLLED na no
/etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0 HWADDR=00:0C:29:46:73:F1 TYPE=Ethernet UUID=8e657a0a-96ed-412e-8e88-d6017267d83d ONBOOT=yes NM_CONTROLLED=no BOOTPROTO=dhcp
Dva druhy vypisu vsech interfaces
ifconfig -a ip a
Pozor, vypis se lisi pokud pridate vice IP adres na jeden interface pres “ip a a 1.2.3.4/24 dev eth0”, pak druha ip nebude pres ifconfig videt. Je lepsi pouzivat na vypis ip a
. Vystup ifconfig je vsak pro me oko prehlednejsi.
Shozeni a nahozeni interface 1. uplny restart site
/etc/init.d/network restart service network restart
2. restart jen jednoho interface
ifdown eth0 ifup eth0
Vypsani firewallu INPUT, OUTPUT, FORWARD
iptables -L -n
Vypsani firewallu nat a raw
iptables -t nat -L -n
Smazani obsahu vsech chainu firewallu, nastavit politiku na ACCEPT a smazani vsech chainu
iptables -F iptables -P INPUT ACCEPT iptables -X
alza czc starlab
yum install tcpdump
iptables -N starlab iptables -N alza iptables -N czc iptables -A INPUT -d 10.0.1.2 -j alza iptables -A INPUT -d 10.0.1.3 -j czc iptables -A INPUT -d 10.0.1.4 -j starlab
Nezapomenout zapnout forwarding v kernelu a jeste ACCEPT v iptables FORWARD
echo 1 > /proc/sys/net/ipv4/ip_forward iptabes -F iptables -P FORWARD ACCEPT
Lehky test jestli jsou vsechny ip adresy aktivni
for i in 16 17 18 19 20 21 22; do ping -c1 10.0.1.$i 1>/dev/null || echo Chyba $i; done
Hezky podrobny manual o iptables napsal pan Oscar Andreasson
Priklad natu pro firewall/router, ktery smeruje sluzbu www (port 80) na jinou ip
iptables -t nat -A POSTROUTING -o eth1/pozor nekdy eth0/ -j MASQUERADE iptables -t nat-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.1.18
Priklad pouziti tcpdump
tcpdump -i eth0 -n -nn not port 22 tcpdump -i eth0 -n tcp and port 80 -s 1500 -X
komu nestaci tcpdump muze pouzit wireshark.
yum install mrtg yum install net-snmp
Konfiguracni soubor /etc/snmp/snmpd.conf
. Upozorneni - tento soubor zpristupnuje prilis mnoho informaci o systemu. Pro ostry provoz je treba vyexportovat jen jednotlive uzitecne informace a jeste omezit v iptables pristup. V pripade localhosta muzete nechat poslouchat snmp demona jen na localhostu.
# sec.name source community com2sec readonly default public # GrupnSex.Name sec.model sec.name group MyROGroup v1 readonly group MyROGroup v2c readonly group MyROGroup usm readonly # incl/excl subtree mask view all included .1 80 # context sec.model sec.level match read write notif access MyROGroup "" any noauth exact all none none
Vytvorime konfiguraci pro mrtg pomoci utility cfgmaker public@localhost
a vystup presmeerujeme do /etc/mrtg/mrtg.cfg
cfgmaker public@localhost > /etc/mrtg/mrtg.cfg
Zvolime spravne cesty a trochu lepsi options
# for UNIX WorkDir: /var/www/mrtg/ # to get bits instead of bytes and graphs growing to the right Options[_]: growright, bits
cron je obvykle (centos i debian) nastaveny spravne instalacnim balikem.
a nastavime apache.
/etc/httpd/conf.d/mrtg.conf
staci jedina radka
alias /mrtg /var/www/mrtg
A vygenerujeme index.html podle configu
indexmaker /etc/mrtg/mrtg.cfg > /var/www/mrtg/index.html
VRRP nebo UCARP Instalace
yum install http://mirror.hosting90.cz/epel/6/x86_64/epel-release-6-8.noarch.rpm yum install ucarp
skripty up.sh
a down.sh
, uvadim priklad jen pro UP
#!/bin/sh ip a a 192.168.5.166/32 dev eth0 ip a a 10.0.1.166/32 dev eth1 #nezapomenout na arping
Dlouha prikazova radka
ucarp --interface eth0 --srcip 192.168.5.16 --vhid=16 --pass=dalibor \ --addr=192.168.5.166 --preempt --shutdown \ --upscript=/etc/ucarp/up.sh \ --downscript=/etc/ucarp/down.sh
yum install openvpn easy-rsa
Nasledujici se bude odehravat v adresari
/usr/share/easy-rsa/2.0
[root@router-bck 2.0]# . ./vars NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/easy-rsa/2.0/keys [root@router-bck 2.0]# ./clean-all [root@router-bck 2.0]# ./build-ca
Priklad konfigurace klienta '/etc/openvpn/client.conf
<code bash>
client
dev tun
proto udp
remote 192.168.5.38 1194
; stoji za komentar
;resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert ten-vas.crt
key taky-ten-vas.key
verb 3
</code>
Konfigurace serveru
/etc/openvpn/server.conf
<code>
port 1194
proto udp
dev tun0
ca ca.crt
cert dalibor.crt
key dalibor.key
dh dh2048.pem
server 10.88.88.0 255.255.255.0
# okomentovat ifconfig-pool-persist ipp.txt
route 10.0.1.0 255.255.255.0
# Then create a file ccd/Thelonious with this line:
# okomentovat
#push “route 192.168.182.0 255.255.255.0”
#push “redirect-gateway”
#push “dhcp-option DNS 192.168.183.1”
#push “dhcp-option WINS 10.8.0.1”
#client-config-dir ccd
#okomentovat client-to-client
keepalive 10 120
#tls-auth ta.key 0 # secret file
#cipher BF-CBC # Blowfish
#cipher AES-128-CBC # AES
#cipher DES-EDE3-CBC # Triple-DES
# pozor na mikrotiky!
#comp-lzo # compresion
;max-clients 100
status openvpn-status.log
</code>
====== Samba Server ======
Priklad jednoducheho konfiguracniho souboru
/etc/samba/smb.conf''
[global] workgroup = MYGROUP server string = Samba Server Version %v ; netbios name = MYSERVER log file = /var/log/samba/log.%m max log size = 50 security = user passdb backend = tdbsam # the login script name depends on the machine name ; logon script = %m.bat # the login script name depends on the unix user used ; logon script = %u.bat ; logon path = \\%L\Profiles\%u # disables profiles support by specifing an empty path ; logon path = [homes] comment = Home Directories browseable = no writable = yes [pub] path=/srv/samba-public writable = yes readonly = no browsable = yes
Pridejte uzivatele uziv
adduser uziv pdbedit -a uziv
Priklad vytvoreni slozky Kos (Trash)
vfs object = recycle:recycle recycle:subdir_mode = 0777 recycle:repository = .recycle recycle:keeptree = Yes recycle:touch = Yes recycle:versions = No recycle:maxsize = 100000000 ; 100 metric million bytes