Training: Router, Firewall, Samba, VPN
Download and install the epel-release package from the EPEL repository. 6.8 is the version at this date, but it can be different later; check the name of the file.
<code bash>
yum install wget
wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -ivh epel-release-6-8.noarch.rpm
yum --enablerepo epel groupinstall Xfce
</code>
Basic work with network interfaces
Set ONBOOT to yes and NM_CONTROLLED to no in
/etc/sysconfig/network-scripts/ifcfg-eth0
<code>
DEVICE=eth0
HWADDR=00:0C:29:46:73:F1
TYPE=Ethernet
UUID=8e657a0a-96ed-412e-8e88-d6017267d83d
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=dhcp
</code>
Two ways of listing all interfaces
<code bash>
ifconfig -a
ip a
</code>
Careful, the listing differs if you add more IP addresses to one interface via "ip a a 1.2.3.4/24 dev eth0"; the second IP will then not be visible through ifconfig. It is better to use ip a for listing. The output of ifconfig is, however, easier on my eye.
Taking an interface down and up
1. full restart of networking
<code bash>
/etc/init.d/network restart
service network restart
</code>
2. restart of just one interface
<code bash>
ifdown eth0
ifup eth0
</code>
Firewall
Listing the firewall: INPUT, OUTPUT, FORWARD
<code bash>
iptables -L -n
</code>
Listing the nat table of the firewall (the raw table is listed the same way with -t raw)
<code bash>
iptables -t nat -L -n
</code>
Deleting the contents of all chains of the firewall, setting the policy to ACCEPT and deleting all user-defined chains
<code bash>
iptables -F
iptables -P INPUT ACCEPT
iptables -X
</code>
We build a front firewall for three shops: alza, czc, starlab.
It is time for tcpdump
<code bash>
yum install tcpdump
</code>
Adding three new rule chains
<code bash>
iptables -N starlab
iptables -N alza
iptables -N czc
iptables -A INPUT -d 10.0.1.2 -j alza
iptables -A INPUT -d 10.0.1.3 -j czc
iptables -A INPUT -d 10.0.1.4 -j starlab
</code>
Don't forget to enable forwarding in the kernel and also ACCEPT in the iptables FORWARD chain
<code bash>
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -P FORWARD ACCEPT
</code>
A quick test of whether all IP addresses are up
<code bash>
for i in 16 17 18 19 20 21 22; do ping -c1 10.0.1.$i 1>/dev/null || echo Chyba $i; done
</code>
A nice, detailed manual on iptables was written by Oscar Andreasson.
An example of NAT for a firewall/router that redirects the www service (port 80) to another IP
<code bash>
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE   # careful, sometimes eth0
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.1.18
</code>
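The per-shop chains and the DNAT/MASQUERADE pair above, as an added example that is not from the original page: the rules are generated from one table and printed first, so they can be reviewed before touching the live firewall. Shop names and IPs are the page's; the allowed ports, the WAN interface name, the default DROP on FORWARD and the logging are assumptions.

```shell
#!/bin/sh
# Added example, not from the page: build the three shop chains and the NAT
# rules from one table. Dry run by default; run with IPT=iptables (as root)
# to apply them for real.
SHOPS="alza:10.0.1.2 czc:10.0.1.3 starlab:10.0.1.4"
WAN=eth0                    # assumption: eth0 faces the outside
WWW_HOST=10.0.1.18
IPT="${IPT:-echo iptables}"

# One chain per shop: only web traffic reaches the shop host, anything else
# destined to it is logged (rate-limited) and dropped.
shop_chain() {
    name=$1
    ip=$2
    $IPT -N "$name"
    $IPT -A "$name" -p tcp -m multiport --dports 80,443 -j ACCEPT
    $IPT -A "$name" -m limit --limit 5/min -j LOG --log-prefix "$name-drop: "
    $IPT -A "$name" -j DROP
    # The shop hosts sit behind the router, so their traffic traverses FORWARD.
    $IPT -A FORWARD -d "$ip" -j "$name"
}

firewall_rules() {
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -P INPUT ACCEPT
    # Default deny for forwarded traffic instead of the page's ACCEPT.
    $IPT -P FORWARD DROP
    # Replies to connections that were already allowed through.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for entry in $SHOPS; do
        shop_chain "${entry%%:*}" "${entry#*:}"
    done
    # Same DNAT/MASQUERADE pair as on the page.
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$WWW_HOST"
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Number of rules the table expands to; a quick sanity check of the output.
rule_count() { firewall_rules | grep -c . ; }

firewall_rules
```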
An example of using tcpdump
<code bash>
tcpdump -i eth0 -n -nn not port 22
tcpdump -i eth0 -n tcp and port 80 -s 1500 -X
</code>
Whoever finds tcpdump insufficient can use wireshark.
MRTG - traffic graphs
<code bash>
yum install mrtg
yum install net-snmp
</code>
Configuration file /etc/snmp/snmpd.conf. Warning: this file exposes far too much information about the system. For production use, export only the individual useful pieces of information and additionally restrict access in iptables. In the localhost case you can leave the snmp daemon listening only on localhost.
<code>
#       sec.name  source   community
com2sec readonly  default  public

#       group.name sec.model sec.name
group   MyROGroup  v1        readonly
group   MyROGroup  v2c       readonly
group   MyROGroup  usm       readonly

#       incl/excl subtree mask
view    all       included .1     80

#       context sec.model sec.level match read write notif
access  MyROGroup ""  any       noauth    exact all  none  none
</code>
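A restricted snmpd.conf following the warning above, as an added example that is not from the original page: the daemon is bound to localhost only and the view exposes just the system and interface subtrees that cfgmaker and mrtg read, plus two checks to run on any snmpd.conf before restarting the daemon. The community string, the security and group names and the view name are assumptions.

```shell
#!/bin/sh
# Added example, not from the page: emit a restricted snmpd.conf for MRTG.
# Names and the community string are assumptions; change the community.
restricted_snmpd_conf() {
cat <<'EOF'
agentAddress udp:127.0.0.1:161
#       sec.name  source     community
com2sec mrtgro    127.0.0.1  mrtg-ro-CHANGE-ME
#       group.name sec.model sec.name
group   MrtgGroup  v2c       mrtgro
#       incl/excl subtree (system group, ifTable and ifXTable only)
view    ifonly    included  .1.3.6.1.2.1.1
view    ifonly    included  .1.3.6.1.2.1.2
view    ifonly    included  .1.3.6.1.2.1.31
#       context sec.model sec.level match read   write notif
access  MrtgGroup ""  v2c       noauth    exact ifonly none  none
EOF
}

# Checks for any snmpd.conf: no community reachable from "default" (anywhere),
# no "public" community at all, and the agent bound to loopback only.
snmpd_conf_is_restricted() {
    conf=$1
    ! grep -Eq '^com2sec[[:space:]]+[^[:space:]]+[[:space:]]+default' "$conf" &&
    ! grep -Eq '^com2sec.*[[:space:]]public([[:space:]]|$)' "$conf" &&
    grep -Eq '^agentAddress[[:space:]]+udp:127\.0\.0\.1:161' "$conf"
}

# Usage: restricted_snmpd_conf > /etc/snmp/snmpd.conf && service snmpd restart
```

cfgmaker is then run as cfgmaker mrtg-ro-CHANGE-ME@localhost with whatever community you chose.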
We create the configuration for mrtg using the cfgmaker utility with public@localhost and redirect the output to /etc/mrtg/mrtg.cfg
<code bash>
cfgmaker public@localhost > /etc/mrtg/mrtg.cfg
</code>
Choose the correct paths and somewhat better options
<code>
# for UNIX
WorkDir: /var/www/mrtg/
# to get bits instead of bytes and graphs growing to the right
Options[_]: growright, bits
</code>
cron is usually (on both centos and debian) set up correctly by the installation package, and we configure apache.
/etc/httpd/conf.d/mrtg.conf
A single line is enough
<code>
Alias /mrtg /var/www/mrtg
</code>
And we generate index.html according to the config
<code bash>
indexmaker /etc/mrtg/mrtg.cfg > /var/www/mrtg/index.html
</code>
High Availability HA Router
VRRP or UCARP. Installation
<code bash>
yum install http://mirror.hosting90.cz/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum install ucarp
</code>
The scripts up.sh and down.sh; I give the example only for UP
<code bash>
#!/bin/sh
ip a a 192.168.5.166/32 dev eth0
ip a a 10.0.1.166/32 dev eth1
# don't forget arping
</code>
The long command line
<code bash>
ucarp --interface eth0 --srcip 192.168.5.16 --vhid=16 --pass=dalibor \
      --addr=192.168.5.166 --preempt --shutdown \
      --upscript=/etc/ucarp/up.sh \
      --downscript=/etc/ucarp/down.sh
</code>
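The up/down scripts for the ucarp command line above, as an added example that is not the page's script: one file serves as both --upscript and --downscript, installed as /etc/ucarp/up.sh with /etc/ucarp/down.sh as a symlink to it, and it adds the gratuitous ARP the page's comment asks for. The VIPs and interfaces are the page's; arping from the iputils package is assumed to be installed.

```shell
#!/bin/sh
# Added example, not the page's script. Install as /etc/ucarp/up.sh and
# symlink /etc/ucarp/down.sh to it; the action is chosen from the file name.
# RUN=echo prints the commands instead of executing them (dry run).
RUN="${RUN:-}"

vip_action() {
    case $1 in
    up)
        $RUN ip addr add 192.168.5.166/32 dev eth0
        $RUN ip addr add 10.0.1.166/32 dev eth1
        # Gratuitous ARP: neighbours must learn the VIP's new MAC at once,
        # otherwise they keep sending to the old master until their cache expires.
        $RUN arping -c 3 -U -I eth0 192.168.5.166
        $RUN arping -c 3 -U -I eth1 10.0.1.166
        ;;
    down)
        $RUN ip addr del 192.168.5.166/32 dev eth0
        $RUN ip addr del 10.0.1.166/32 dev eth1
        ;;
    *)
        echo "usage: run as up.sh or down.sh" >&2
        return 2
        ;;
    esac
}

# ucarp passes the interface and the VIP as $1 and $2; like the page's up.sh
# this script ignores them and uses the hardcoded addresses above.
case ${0##*/} in
up.sh|down.sh) vip_action "$(basename "$0" .sh)" ;;
esac
```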
OpenVPN and Easy RSA
<code bash>
yum install openvpn easy-rsa
</code>
The following takes place in the directory /usr/share/easy-rsa/2.0
<code bash>
[root@router-bck 2.0]# . ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/easy-rsa/2.0/keys
[root@router-bck 2.0]# ./clean-all
[root@router-bck 2.0]# ./build-ca
</code>
Example client configuration /etc/openvpn/client.conf
<code bash>
client
dev tun
proto udp
remote 192.168.5.38 1194
; worth commenting out
;resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert ten-vas.crt
key taky-ten-vas.key
verb 3
</code>
Server configuration
/etc/openvpn/server.conf
<code>
port 1194
proto udp
dev tun0
ca ca.crt
cert dalibor.crt
key dalibor.key
dh dh2048.pem
server 10.88.88.0 255.255.255.0
# comment out
ifconfig-pool-persist ipp.txt
route 10.0.1.0 255.255.255.0
# Then create a file ccd/Thelonious with this line:
# comment out
#push "route 192.168.182.0 255.255.255.0"
#push "redirect-gateway"
#push "dhcp-option DNS 192.168.183.1"
#push "dhcp-option WINS 10.8.0.1"
#client-config-dir ccd
# comment out
client-to-client
keepalive 10 120
#tls-auth ta.key 0 # secret file
#cipher BF-CBC        # Blowfish
#cipher AES-128-CBC   # AES
#cipher DES-EDE3-CBC  # Triple-DES
# beware of Mikrotiks! :-D
#comp-lzo # compression
;max-clients 100
status openvpn-status.log
</code>