

Training: Router, Firewall, Samba, VPN

Download and install the epel-release package from the EPEL repository. 6-8 is the current version at the time of writing, but it may change later, so check the file name (the rpm command below must use the exact file that wget downloaded).

 yum install wget
 
 wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
 
 rpm -ivh epel-release-6-8.noarch.rpm
 
 yum --enablerepo epel groupinstall Xfce

Basic work with network interfaces

Set ONBOOT to yes and NM_CONTROLLED to no in /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
HWADDR=00:0C:29:46:73:F1
TYPE=Ethernet
UUID=8e657a0a-96ed-412e-8e88-d6017267d83d
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=dhcp

Two ways to list all interfaces

 ifconfig -a
 ip a

Beware: the output differs if you add more IP addresses to one interface with "ip a a 1.2.3.4/24 dev eth0"; the second IP will not be visible in ifconfig. It is better to use "ip a" for listing, although the ifconfig output is easier on my eye.

Bringing an interface down and up

1. Full restart of networking

 /etc/init.d/network restart
 service network restart

2. Restart of a single interface only

   ifdown eth0
   ifup eth0

Firewall

Listing the filter table (INPUT, OUTPUT, FORWARD chains)

 iptables -L -n

Listing the nat table (the raw table is listed the same way with -t raw)

 iptables -t nat -L -n

Flushing the contents of all chains, setting the policy to ACCEPT (here only for INPUT; OUTPUT and FORWARD keep their policy) and deleting all user-defined chains

 iptables -F
 iptables -P INPUT ACCEPT
 iptables -X
 

Building a front-end firewall for three shops

alza, czc, starlab

Time for tcpdump

 yum install tcpdump
 

Adding three new rule chains and hooking them into INPUT by destination address

   iptables -N starlab
   iptables -N alza
   iptables -N czc
 
   iptables -A INPUT -d 10.0.1.2 -j alza
   iptables -A INPUT -d 10.0.1.3 -j czc
   iptables -A INPUT -d 10.0.1.4 -j starlab

Do not forget to enable forwarding in the kernel and to ACCEPT in the iptables FORWARD chain. Note that "iptables -F" flushes the whole filter table, including the INPUT rules added above, so run it before building the chains, not after.

 echo 1 > /proc/sys/net/ipv4/ip_forward
 iptables -F
 iptables -P FORWARD ACCEPT
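The chain set-up above, as an added example that is not part of the original training notes: it creates the three per-shop chains idempotently (CentOS 6 ships iptables 1.4.7, which has no -C check, so the INPUT hook is deleted and re-added) and, with DRY_RUN=1, prints the rules instead of applying them so they can be reviewed first. The shop names and IPs are the ones from the notes; the DRY_RUN and run helpers are this example's own.

```shell
#!/bin/sh
# Added example, not from the original notes: build the per-shop INPUT chains
# idempotently and preview them with DRY_RUN=1 before touching the live firewall.
# Assumption: iptables 1.4.7 (CentOS 6) has no -C, so hooks are deleted/re-added.

IPT="${IPT:-iptables}"

# "chain destination-ip" pairs, one per line (constructed from the notes)
SHOPS="alza 10.0.1.2
czc 10.0.1.3
starlab 10.0.1.4"

# Run a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Does the chain exist? In dry-run mode assume it does not, so -N is shown.
chain_exists() {
    [ -z "${DRY_RUN:-}" ] && "$IPT" -n -L "$1" >/dev/null 2>&1
}

# Create a chain if it is missing, otherwise flush it, so re-running the
# script never fails with "Chain already exists" and never duplicates rules.
ensure_chain() {
    if chain_exists "$1"; then run "$IPT" -F "$1"; else run "$IPT" -N "$1"; fi
}

# Create every chain and hook it into INPUT by destination address.
build_shop_chains() {
    printf '%s\n' "$SHOPS" | while read -r chain ip; do
        ensure_chain "$chain"
        run "$IPT" -D INPUT -d "$ip" -j "$chain" 2>/dev/null || true  # old hook
        run "$IPT" -A INPUT -d "$ip" -j "$chain"
    done
}

# Routing between the shops also needs kernel forwarding and a FORWARD policy.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
    run "$IPT" -P FORWARD ACCEPT
}

case "${1:-}" in
    preview) DRY_RUN=1 build_shop_chains; DRY_RUN=1 enable_forwarding ;;
    apply)   build_shop_chains; enable_forwarding ;;
esac
```

Run "sh firewall.sh preview" to see the rule list, then "sh firewall.sh apply" as root to load it.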

A quick test of whether all the IP addresses are up (prints the last octet of any host that does not answer)

 for i in 16 17 18 19 20 21 22; do
    ping -c1 10.0.1.$i 1>/dev/null || echo Chyba $i;
 done

A nice, detailed iptables manual was written by Oscar Andreasson.

Example NAT for a firewall/router that forwards the www service (port 80) to another IP. The outgoing interface in the MASQUERADE rule is usually eth1, but beware, on some machines it is eth0.

 iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
 iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.1.18

Example use of tcpdump

   tcpdump -i eth0 -n -nn not port 22
   tcpdump -i eth0 -n tcp and port 80 -s 1500 -X

Anyone for whom tcpdump is not enough can use wireshark.

MRTG - traffic graphs

   yum install mrtg
   yum install net-snmp

Configuration file /etc/snmp/snmpd.conf. Warning: this file exposes far too much information about the system (the view below exports the whole .1 tree read-only to the "public" community). For production, export only the individual pieces of information you actually need and additionally restrict access in iptables. When MRTG runs on localhost, you can let the snmp daemon listen on localhost only.

#       sec.name  source      community
com2sec readonly  default     public

# group.name      sec.model   sec.name
group MyROGroup   v1          readonly
group MyROGroup   v2c         readonly
group MyROGroup   usm         readonly

#           incl/excl subtree                          mask
view  all    included  .1                              80

#                context sec.model sec.level match  read   write  notif
access MyROGroup ""      any       noauth    exact  all    none   none

We create the mrtg configuration with the cfgmaker utility (community public on localhost) and redirect the output to /etc/mrtg/mrtg.cfg

 cfgmaker public@localhost > /etc/mrtg/mrtg.cfg

Choose the correct paths and somewhat better options

#  for UNIX
WorkDir: /var/www/mrtg/

#  to get bits instead of bytes and graphs growing to the right
Options[_]: growright, bits

cron is usually (on both CentOS and Debian) set up correctly by the installation package. Then we set up apache: /etc/httpd/conf.d/mrtg.conf needs only a single line

 Alias /mrtg /var/www/mrtg

And we generate index.html from the config

 indexmaker /etc/mrtg/mrtg.cfg > /var/www/mrtg/index.html
 

High Availability (HA) Router

VRRP or UCARP

Scripts up.sh and down.sh; I give the example only for UP

 #!/bin/sh

 ip a a 192.168.5.166/32 dev eth0
 ip a a 10.0.1.166/32 dev eth1

 # do not forget arping

The long command line

   ucarp --interface eth0 --srcip 192.168.5.16 --vhid=16  --pass=dalibor --addr=192.168.5.166 --preempt --shutdown --upscript=/etc/ucarp/up.sh --downscript=/etc/ucarp/down.sh
 