Training: Router, Firewall, Samba, VPN

Download and install the epel-release package from the EPEL repository; 6-8 is the version at the time of writing, but it may differ later, so check the file name.

yum install wget
 
wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
 
rpm -ivh epel-release-6-8.noarch.rpm
 
yum --enablerepo epel groupinstall Xfce

Basic work with network interfaces

Set ONBOOT to yes and NM_CONTROLLED to no in /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
HWADDR=00:0C:29:46:73:F1
TYPE=Ethernet
UUID=8e657a0a-96ed-412e-8e88-d6017267d83d
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=dhcp

Two ways of listing all interfaces

 ifconfig -a
 ip a

Note that the output differs once you add more than one IP address to a single interface with "ip a a 1.2.3.4/24 dev eth0": the second IP will not be visible via ifconfig. It is better to use ip a for listing. The ifconfig output is, however, easier on my eye.

Bringing an interface down and up

1. full restart of networking

/etc/init.d/network restart
service network restart 

2. restart of a single interface only

   ifdown eth0
   ifup eth0

Firewall

Listing the firewall chains INPUT, OUTPUT, FORWARD

 iptables -L -n

Listing the firewall tables nat and raw

 iptables -t nat -L -n

Flushing the contents of all firewall chains, setting the policy to ACCEPT and deleting all user-defined chains

 iptables -F
 iptables -P INPUT ACCEPT
 iptables -X
 

Building a front-end firewall for three shops

alza czc starlab

it is time for tcpdump

 yum install tcpdump
 

Adding three new rule chains

   iptables -N starlab
   iptables -N alza
   iptables -N czc
 
   iptables -A INPUT -d 10.0.1.2 -j alza
   iptables -A INPUT -d 10.0.1.3 -j czc
   iptables -A INPUT -d 10.0.1.4 -j starlab

Do not forget to enable forwarding in the kernel and also to ACCEPT in the iptables FORWARD chain

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -P FORWARD ACCEPT

A quick test of whether all IP addresses are up

for i in 16 17 18 19 20 21 22; do
   ping -c1 10.0.1.$i 1>/dev/null || echo Chyba $i;
done

A nice, detailed iptables manual was written by Oscar Andreasson

Example of NAT for a firewall/router that redirects the www service (port 80) to another IP

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE   # careful, sometimes eth0
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.1.18
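The chains, forwarding and NAT above put together as one script, written as an added example (it is not the course's own code). Unlike the notes it uses a default-deny policy, hooks the shop chains from FORWARD (the box routes for the shops) and logs what it drops; the interface roles, the port lists and the WWW host address are assumptions taken from the notes.

```shell
#!/bin/sh
# Added example (not from the course notes): the three-shop chain layout,
# built as default-deny instead of ACCEPT-everything. Dry run by default,
# i.e. the iptables commands are printed; IPT=iptables ./fw.sh applies them.
IPT="${IPT:-echo iptables}"
WAN=eth0   # assumption: eth0 faces the internet, eth1 the shops' network
LAN=eth1
WWW=10.0.1.18   # host that receives the port 80 DNAT, as in the notes

# shop:address:allowed TCP ports (the port lists are assumptions)
SHOPS="alza:10.0.1.2:80,443
czc:10.0.1.3:80,443
starlab:10.0.1.4:22,80"

fw_reset() {
    $IPT -F; $IPT -X; $IPT -t nat -F
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
    # loopback and reply traffic first, so the rules below never break them
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT   # shops may go out
}

fw_shop_chain() {   # $1 chain/shop name, $2 its address, $3 ports
    $IPT -N "$1"
    $IPT -A "$1" -p tcp -m multiport --dports "$3" -j ACCEPT
    $IPT -A "$1" -j LOG --log-prefix "fw-$1-drop: "   # shows up in syslog
    $IPT -A "$1" -j DROP
    # the box routes for the shops, so their traffic passes FORWARD, not INPUT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -d "$2" -j "$1"
}

fw_nat() {
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$WWW"
    # DNAT only rewrites the address; FORWARD must still let the packet through
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -d "$WWW" -p tcp --dport 80 -j ACCEPT
}

fw_build() {
    fw_reset
    echo "$SHOPS" | while IFS=: read -r name addr ports; do
        fw_shop_chain "$name" "$addr" "$ports"
    done
    fw_nat
}

fw_build
```

Run it once without IPT set and read the printed rules before applying them with IPT=iptables; the LOG lines let you verify in /var/log/messages which packets the per-shop chains are refusing.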

Example use of tcpdump

   tcpdump -i eth0 -n -nn not port 22
   tcpdump -i eth0 -n tcp and port 80 -s 1500 -X

Whoever finds tcpdump insufficient can use wireshark.

MRTG - traffic graphs

   yum install mrtg
   yum install net-snmp

The configuration file is /etc/snmp/snmpd.conf. Warning: this file exposes far too much information about the system. For production use, export only the individual pieces of information that are useful and additionally restrict access in iptables. If everything runs on localhost, you can let the snmp daemon listen on localhost only.

#       sec.name  source      community
com2sec readonly  default     public

# group.name       sec.model   sec.name
group MyROGroup   v1          readonly
group MyROGroup   v2c         readonly
group MyROGroup   usm         readonly

#           incl/excl subtree                          mask
view  all    included  .1                              80

#                context sec.model sec.level match  read   write  notif
access MyROGroup ""      any       noauth    exact  all    none   none
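The same snmpd.conf restricted to what MRTG actually polls, as an added example that is not the course's file: the community is bound to 127.0.0.1 instead of "default", only SNMPv2c is accepted, the view covers the system and interfaces groups instead of the whole tree, and the daemon listens on localhost only. The community name mrtg-ro is an assumption; cfgmaker must then be called as mrtg-ro@localhost.

```conf
# Added example (not the course's snmpd.conf): read-only access limited to
# the MRTG poller on this host. Community name "mrtg-ro" is an assumption.

#       sec.name   source      community
com2sec readonly   127.0.0.1   mrtg-ro

# only SNMPv2c; the v1 and usm group lines from the notes are dropped
#       group.name sec.model   sec.name
group   MyROGroup  v2c         readonly

# system group (sysUpTime, sysName) and interfaces group (ifInOctets,
# ifOutOctets); ifXTable adds the 64-bit counters for fast links
#       view.name  incl/excl  subtree
view    mrtgonly   included   .1.3.6.1.2.1.1
view    mrtgonly   included   .1.3.6.1.2.1.2
view    mrtgonly   included   .1.3.6.1.2.1.31

#                 context sec.model sec.level match  read      write notif
access  MyROGroup ""      any       noauth    exact  mrtgonly  none  none

# bind to loopback only; a remote poller would need this changed and an
# iptables rule for udp/161 from its address
agentaddress udp:127.0.0.1:161
```

After restarting snmpd, "snmpwalk -v2c -c mrtg-ro 127.0.0.1 .1.3.6.1.2.1.25" should return nothing (the host-resources tree is outside the view), while the interfaces walk still answers.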

We create the configuration for mrtg with the cfgmaker utility (public@localhost) and redirect the output to /etc/mrtg/mrtg.cfg

 cfgmaker public@localhost > /etc/mrtg/mrtg.cfg

Choose the right paths and slightly better options

#  for UNIX
WorkDir: /var/www/mrtg/

#  to get bits instead of bytes and graphs growing to the right
Options[_]: growright, bits

cron is usually (on CentOS as well as Debian) set up correctly by the installation package. Then we configure apache; a single line in /etc/httpd/conf.d/mrtg.conf is enough

 alias /mrtg /var/www/mrtg

And we generate index.html from the config

 indexmaker /etc/mrtg/mrtg.cfg > /var/www/mrtg/index.html
 

High Availability HA Router

VRRP or UCARP installation

yum install http://mirror.hosting90.cz/epel/6/x86_64/epel-release-6-8.noarch.rpm   
yum install ucarp

The up.sh and down.sh scripts; I give an example only for UP

#!/bin/sh

ip a a 192.168.5.166/32 dev eth0
ip a a 10.0.1.166/32 dev eth1

#do not forget arping

The long command line

   ucarp --interface eth0 --srcip 192.168.5.16 --vhid=16  --pass=dalibor \
   --addr=192.168.5.166 --preempt --shutdown \
   --upscript=/etc/ucarp/up.sh \
   --downscript=/etc/ucarp/down.sh
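A complete up/down script pair for the ucarp command above, written as an added example (not the course's script). ucarp calls the scripts with the interface as the first argument and the VIP as the second; the second VIP 10.0.1.166 on eth1 comes from the notes, while putting both directions into one file selected by its name is an assumption.

```shell
#!/bin/sh
# Added example (not the course's script): one file used as both up.sh and
# down.sh for ucarp, which calls it as "<script> <interface> <vip>". The second
# VIP on eth1 (10.0.1.166) is taken from the notes; the choice to put it in
# the same script is an assumption. Dry run unless DRY_RUN=0.
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then echo "$@"; else "$@"; fi; }

vip_up() {      # $1 interface, $2 vip handed over by ucarp
    run ip addr add "$2/32" dev "$1"
    run ip addr add 10.0.1.166/32 dev eth1
    # gratuitous ARP so switches and neighbours learn the new MAC for the VIP
    # immediately instead of waiting for their ARP cache to expire
    run arping -U -c 3 -I "$1" "$2"
    run arping -U -c 3 -I eth1 10.0.1.166
}

vip_down() {    # mirror of vip_up, so a demoted node stops answering
    run ip addr del "$2/32" dev "$1"
    run ip addr del 10.0.1.166/32 dev eth1
}

case "$(basename "$0")" in
    up.sh)   vip_up "$1" "$2" ;;
    down.sh) vip_down "$1" "$2" ;;
esac
```

Install it once as /etc/ucarp/up.sh and hard-link or copy it to /etc/ucarp/down.sh; a failover can be watched with "ip monitor address" on both nodes.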

OpenVPN and Easy RSA

 yum install openvpn easy-rsa

The following takes place in the directory /usr/share/easy-rsa/2.0

[root@router-bck 2.0]# . ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/easy-rsa/2.0/keys
[root@router-bck 2.0]# ./clean-all
[root@router-bck 2.0]# ./build-ca

Example client configuration /etc/openvpn/client.conf

client
dev tun
proto udp
remote 192.168.5.38 1194
; worth a comment
;resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert ten-vas.crt
key taky-ten-vas.key
verb 3

Server configuration /etc/openvpn/server.conf

port 1194
proto udp
dev tun0
ca ca.crt
cert dalibor.crt
key dalibor.key
dh dh2048.pem
server 10.88.88.0 255.255.255.0
# to be explained
ifconfig-pool-persist ipp.txt
route 10.0.1.0 255.255.255.0
# Then create a file ccd/Thelonious with this line:
# to be explained
#push "route 192.168.182.0 255.255.255.0"
#push "redirect-gateway"
#push "dhcp-option DNS 192.168.183.1"
#push "dhcp-option WINS 10.8.0.1"
#client-config-dir ccd
#to be explained
client-to-client
keepalive 10 120
#tls-auth ta.key 0 # secret file
#cipher BF-CBC        # Blowfish
#cipher AES-128-CBC   # AES
#cipher DES-EDE3-CBC  # Triple-DES
# watch out for Mikrotiks! :-D
#comp-lzo             # compression
;max-clients 100
status openvpn-status.log

Samba Server

Example of a simple configuration file /etc/samba/smb.conf

[global]

        workgroup = MYGROUP
        server string = Samba Server Version %v

;       netbios name = MYSERVER

        log file = /var/log/samba/log.%m
        max log size = 50

        security = user
        passdb backend = tdbsam

        # the login script name depends on the machine name
;       logon script = %m.bat
        # the login script name depends on the unix user used
;       logon script = %u.bat
;       logon path = \\%L\Profiles\%u
        # disables profiles support by specifing an empty path
;       logon path =

[homes]
        comment = Home Directories
        browseable = no
        writable = yes

[pub]
        path=/srv/samba-public
        writable = yes
        readonly = no
        browsable = yes

Add the user uziv

  adduser uziv
  pdbedit -a uziv

Example of creating a Recycle bin (Trash) folder

  vfs object = recycle:recycle
  recycle:subdir_mode = 0777
  recycle:repository = .recycle
  recycle:keeptree = Yes
  recycle:touch = Yes
  recycle:versions = No
  recycle:maxsize = 100000000 ; 100 metric million bytes
 
linux/skoleni/firewall.txt · Last modified: 2016/05/13 15:47 by admin