Cấu hình Firewall (Shorewall) và DNS Server trên Firewall
Yêu cầu:
- Cài đặt và cấu hình DNS Server với domain: vnlamp-test.vn
- Cài đặt và cấu hình Shorewall thỏa các rule sau: (eth0: 192.168.1.x (150) (NET) và eth1: 10.0.0.x (150)(LOC)).
+ Các user bên trong truy cập internet với DNS Server Local
+ Các user bên trong không ping ra internet được
+ Mở port 3389 để user bên ngoài remote desktop vào một máy bên trong với ip 10.0.0.x(200) (máy này các bạn tự setup)
+ Cấu hình sao cho users trong mạng sử dụng cache proxy
- Cài đặt & cấu hình sarg để monitor user
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Cấu hình DNS Server
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# vi /var/named/chroot/etc/named.conf
// ACL reused below for listen-on, allow-query and the per-zone access lists.
// NOTE(review): 10.0.0.0/8 is far wider than the 10.0.0.x network on eth1,
// and 172.16.1.0/24 does not appear anywhere else in this setup; 10.0.0.0/24
// is the network this firewall actually serves.
acl mynet {
192.168.1.0/24;
172.16.1.0/24;
10.0.0.0/8;
127.0.0.1;
};
options {
directory "/var/named";
// Bind to every local address inside mynet. That includes eth0
// (192.168.1.150, the NET side), so named is also listening on the Internet
// interface and relies on Shorewall (net->fw only passes tcp 22) to stay
// unreachable there; "listen-on { 10.0.0.150; 127.0.0.1; };" would not
// depend on the firewall rules.
listen-on {
mynet;
};
allow-query { mynet; };
allow-notify {none;};
// NOTE(review): recursion is not restricted explicitly; an explicit
// "allow-recursion { mynet; };" states the intent of a LAN-only resolver.
// NOTE(review): with the next line commented out the BIND default for zone
// transfers applies, which in the BIND releases of this era is "any" -- any
// host that can reach the server can pull the whole zone with AXFR.
// Uncomment it here and grant allow-transfer per zone only to a real secondary.
// allow-transfer {none;};
};
//
// a caching only nameserver config
//
// rndc control channel: loopback only, authenticated with rndckey (from the
// include of /etc/rndc.key below).
controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." IN {
type hint;
file "named.ca";
};
//
zone "localdomain" IN {
type master;
file "localhost.zone";
allow-update { none; };
};
//
zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};
//
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};
//
zone "255.in-addr.arpa" IN {
type master;
file "named.broadcast";
allow-update { none; };
};
//
zone "0.in-addr.arpa" IN {
type master;
file "named.zero";
allow-update { none; };
};
include "/etc/rndc.key";
// Forward zone for the lab domain (records in vnlamp-test.vn.zone).
zone "vnlamp-test.vn" {
type master;
file "vnlamp-test.vn.zone";
allow-query{
mynet;
};
// NOTE(review): this lets every host in mynet send unauthenticated DNS UPDATE
// messages and rewrite any record in the zone. Nothing in this setup needs
// dynamic updates, so use "allow-update { none; };" exactly as the local
// zones above do; if updates are ever needed, use update-policy with a TSIG
// key rather than an address list.
allow-update{
mynet;
};
};
// Reverse zone for 10.0.0.0/24 (records in 0.0.10.in-addr.arpa.zone).
zone "0.0.10.in-addr.arpa" {
type master;
file "0.0.10.in-addr.arpa.zone";
allow-query{
mynet;
};
// There is no secondary server in this setup, so this can be "none".
allow-transfer{
mynet;
};
// NOTE(review): same unauthenticated-update exposure as the forward zone;
// "allow-update { none; };" unless a keyed update-policy is configured.
allow-update{
mynet;
};
};
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# vi /var/named/chroot/var/named/vnlamp-test.vn.zone
$TTL 86400
; NOTE(review): the SOA MNAME "vnlamp-test.vn" has no trailing dot, so it is
; relative to the zone origin and expands to vnlamp-test.vn.vnlamp-test.vn.
; Write it absolute ("vnlamp-test.vn." or "dns1.vnlamp-test.vn.") like the
; RNAME next to it. Bump the serial whenever this file is edited.
@ IN SOA vnlamp-test.vn root.vnlamp-test.vn. (
2 ; serial
28800 ; refresh
7200 ; retry
604800 ; expire
; minimum / negative-cache TTL
86400);
@ IN NS vnlamp-test.vn.
@ IN MX 10 mail.vnlamp-test.vn.
@ IN MX 100 pop3.vnlamp-test.vn.
$ORIGIN vnlamp-test.vn.
; Every name below resolves to the firewall's eth1 address: the NS, both MX
; hosts and the web hosts are all this machine.
@ IN A 10.0.0.150
dns1 IN A 10.0.0.150
mail IN A 10.0.0.150
pop3 IN A 10.0.0.150
www IN A 10.0.0.150
webmail IN A 10.0.0.150
; NOTE(review): the reverse zone maps 10.0.0.200 to 2k3.vnlamp-test.vn. but
; there is no matching "2k3 IN A 10.0.0.200" here; forward and reverse should agree.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# vi /var/named/chroot/var/named/0.0.10.in-addr.arpa.zone
$TTL 86400
; NOTE(review): as in the forward zone, the SOA MNAME lacks a trailing dot and
; is therefore relative to this zone's origin (0.0.10.in-addr.arpa); write it
; as "vnlamp-test.vn.".
@ IN SOA vnlamp-test.vn root.vnlamp-test.vn. (
3 ; serial
28800 ; refresh
7200 ; retry
604800 ; expire
; minimum / negative-cache TTL
86400 ) ;
@ IN NS vnlamp-test.vn.
; Four PTRs for one address are legal, but most tools only use the first
; answer; one canonical name (dns1) per address is the usual practice.
150 IN PTR dns1.vnlamp-test.vn.
150 IN PTR www.vnlamp-test.vn.
150 IN PTR pop3.vnlamp-test.vn.
150 IN PTR mail.vnlamp-test.vn.
; The RDP target host (see the DNAT rule in /etc/shorewall/rules); it has no
; A record in the forward zone.
200 IN PTR 2k3.vnlamp-test.vn.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# vi /etc/resolv.conf
# The firewall resolves through its own BIND on eth1 (10.0.0.150). If named
# is stopped, name resolution on this host stops with it; a second
# "nameserver" line pointing at an upstream resolver gives a fallback.
nameserver 10.0.0.150
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Cấu hình Firewall (Shorewall)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# vi /etc/shorewall/zones
#
# Shorewall version 3.4 - Zones File
#
# For information about this file, type "man shorewall-zones"
#
# For more information, see http://www.shorewall.net/3.0/Documentation.htm#Zones
#
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
# fw is the firewall host itself; net is the Internet side (eth0) and loc the
# LAN (eth1), as bound in /etc/shorewall/interfaces.
fw firewall
net ipv4
loc ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# vi /etc/shorewall/interfaces
#
# Shorewall version 3.4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# For additional information, see
# http://www.shorewall.net/3.0/Documentation.htm#Interfaces
#
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
# NOTE(review): OPTIONS is empty on both interfaces. On the Internet-facing
# interface "tcpflags,routefilter" (see "man shorewall-interfaces") drops
# packets with invalid TCP flag combinations and packets whose source address
# would not route back out through eth0 -- the usual minimum for the net side.
net eth0 detect -
loc eth1 detect -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# vi /etc/shorewall/masq
#
# Shorewall version 3.4 - Masq file
#
# For information about entries in this file, type "man shorewall-masq"
#
# For additional information, see http://www.shorewall.net/3.0/Documentation.htm#Masq
#
###############################################################################
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
# Everything that enters on eth1 and leaves on eth0 is source-NATed to eth0's
# address. NOTE(review): "eth0 10.0.0.0/24" would limit this to the LAN prefix
# instead of any source address that happens to arrive on eth1.
eth0 eth1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# vi /etc/shorewall/policy
#
# Shorewall version 3.4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
#
# See http://www.shorewall.net/3.0/Documentation.htm#Policy for additional information.
#
###############################################################################
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
# No forwarding between Internet hosts; the firewall itself may reach
# anything; unsolicited traffic from the Internet is silently dropped; all
# other traffic (including loc->net unless a rule allows it, which is what
# blocks outbound ping) is rejected.
# NOTE(review): no LOG LEVEL is set, so dropped and rejected traffic leaves no
# trace. "net all DROP info" and "all all REJECT info" make both visible in
# the kernel log, which is what you need when a rule does not behave as expected.
# NOTE(review): "fw all ACCEPT" also lets every process on the firewall
# (squid, named, ...) open connections anywhere; fine for the lab, but it is
# the first policy to tighten on a production gateway.
net net DROP
fw all ACCEPT
net all DROP
all all REJECT
#LAST LINE -- DO NOT REMOVE
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# vi /etc/shorewall/rules
#
# Shorewall version 3.4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# See http://www.shorewall.net/3.0/Documentation.htm#Rules for additional information.
#
#############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
# The firewall may ping anywhere and the Internet may ping the firewall (loc
# hosts are behind NAT and not routable from net). loc->net ping stays
# commented out so the all/all REJECT policy blocks it, as the requirement asks.
ACCEPT fw all icmp echo-request
ACCEPT net all icmp echo-request
#ACCEPT loc net icmp echo-request
ACCEPT loc fw icmp echo-request
#ACCEPT fw net all -
#ACCEPT fw loc all -
#ACCEPT loc net all -
# NOTE(review): SSH on the firewall is open to every Internet address with no
# rate limit. Restrict SOURCE to the address(es) you administer from
# ("net:<admin-ip>") and/or use the RATE LIMIT column shown in the header.
ACCEPT net fw tcp 22
# LAN clients may reach the firewall's DNS, SSH, SMTP, HTTP, POP3, HTTPS, 902 and 8080.
ACCEPT loc fw tcp 53,22,25,80,110,443,902,8080
ACCEPT loc fw udp 53
# NOTE(review): port 80 is diverted to squid by the REDIRECT below, but 8080
# is not, so this line lets LAN clients reach Internet port 8080 directly and
# bypass both the cache and the deny list. 443 is not listed, so HTTPS from
# the LAN is rejected by policy; add it here deliberately if that is wanted
# (the transparent proxy cannot see inside it).
ACCEPT loc net tcp 80,8080
# NOTE(review): "10.0.0.200/8" is the /8 that contains 10.0.0.200, i.e. all of
# 10.0.0.0/8, not the single host; write "loc:10.0.0.0/24" (or plain "loc")
# for what is meant. "!10.0.0.150" in ORIGINAL DEST keeps web requests to the
# firewall itself off the proxy. A REDIRECT rule also generates the matching
# accept into fw:3128, which is why 3128 is absent from the loc->fw line above.
REDIRECT loc:10.0.0.200/8 3128 tcp www - !10.0.0.150
# NOTE(review): RDP on 10.0.0.200 is reachable from the entire Internet via
# external port 4444 (the requirement names 3389; a different external port is
# fine, but document it). Restrict SOURCE to the remote site(s) that need it
# and log the hits: "DNAT:info net:<remote-ip> loc:10.0.0.200:3389 tcp 4444".
DNAT net loc:10.0.0.200:3389 tcp 4444
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Cấu hình Squid Proxy Server
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# vi /etc/squid/squid.conf
# Transparent (intercepting) proxy: the Shorewall REDIRECT rule sends LAN
# port-80 traffic to 3128. ICP on 3130 only matters with cache peers, and
# none are defined here.
http_port 3128 transparent
icp_port 3130
# Never cache dynamic (cgi-bin / query-string) responses.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
# NOTE(review): "visible_hostname = ..." is not valid syntax (no "="); if it
# is ever enabled, write "visible_hostname <hostname>".
#visible_hostname = mail.vnlamp.vn
# Cache sizing: 128 MB in RAM, 3000 MB on disk (ufs, 16x256 dirs), objects up to 2 MB.
cache_mem 128 MB
maximum_object_size 2048 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
cache_dir ufs /var/spool/squid 3000 16 256
# access.log is what sarg reads to build the per-user reports.
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
mime_table /etc/squid/mime.conf
pid_filename /var/run/squid.pid
debug_options ALL,1
#diskd_program /usr/lib64/squid/diskd-daemon >> for 64-bit systems
#unlinkd_program /usr/lib64/squid/unlinkd
request_header_max_size 50 KB
# NOTE(review): this caps every request body (uploads, web-mail attachments,
# form posts) at 2 MB for all LAN users; raise it if that is not intended.
request_body_max_size 2048 KB
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
quick_abort_min 16 KB
quick_abort_max 16 KB
quick_abort_pct 95
negative_ttl 3 minutes
negative_dns_ttl 5 minutes
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 81
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 3000
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
# NOTE(review): 10.0.0.0/8 is wider than the 10.0.0.x LAN; 10.0.0.0/24 keeps
# the proxy's idea of "inside" aligned with the loc zone.
acl home_network src 10.0.0.0/8
# NOTE(review): each line of the file is an unanchored regular expression, so
# "yahoo.com" also matches any hostname that merely contains it and "."
# matches any character. For a plain list of domains "dstdomain" with entries
# of the form ".yahoo.com" is exact and far cheaper to evaluate.
acl denywebsite dstdom_regex "/etc/squid/denywebsite.txt"
# NOTE(review): manager, localhost, Safe_ports, SSL_ports and CONNECT are
# defined above but never referenced by an http_access line, so the standard
# guards are missing. Before "http_access allow home_network" add:
#   http_access allow manager localhost
#   http_access deny manager
#   http_access deny !Safe_ports
#   http_access deny CONNECT !SSL_ports
# Without them the cache manager is open to the LAN and, wherever the proxy is
# reachable directly on 3128, CONNECT can be used towards any port.
http_access deny denywebsite
deny_info http://www.google.com.vn denywebsite
http_access allow home_network
http_access deny all
# NOTE(review): there are no ICP peers; "icp_access deny all" is the safer default.
icp_access allow all
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# vi /etc/squid/denywebsite.txt
# Read by "acl denywebsite dstdom_regex" in squid.conf: every line is an
# unanchored regular expression matched against the request host, so
# "yahoo.com" also matches any hostname containing it and "." is a wildcard.
# If the list stays as plain domains, "dstdomain" with ".domain" entries is
# the exact form.
yahoo.com
lauxanh.us
vnexpress.net
dantri.com.vn
Yêu cầu:
- Cài đặt và cấu hình DNS Server với domain: vnlamp-test.vn
- Cài đặt và cấu hình Shorewall thỏa các rule sau: (eth0: 192.168.1.x (150) (NET) và eth1: 10.0.0.x (150)(LOC)).
+ Các user bên trong truy cập internet với DNS Server Local
+ Các user bên trong không ping ra internet được
+ Mở port 3389 để user bên ngoài remote desktop vào một máy bên trong với ip 10.0.0.x(200) (máy này các bạn tự setup)
+ Cấu hình sao cho users trong mạng sử dụng cache proxy
- Cài đặt & cấu hình sarg để monitor user
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Cấu hình DNS Server
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# vi /var/named/chroot/etc/named.conf
// ACL reused below for listen-on, allow-query and the per-zone access lists.
// NOTE(review): 10.0.0.0/8 is far wider than the 10.0.0.x network on eth1,
// and 172.16.1.0/24 does not appear anywhere else in this setup; 10.0.0.0/24
// is the network this firewall actually serves.
acl mynet {
192.168.1.0/24;
172.16.1.0/24;
10.0.0.0/8;
127.0.0.1;
};
options {
directory "/var/named";
// Bind to every local address inside mynet. That includes eth0
// (192.168.1.150, the NET side), so named is also listening on the Internet
// interface and relies on Shorewall (net->fw only passes tcp 22) to stay
// unreachable there; "listen-on { 10.0.0.150; 127.0.0.1; };" would not
// depend on the firewall rules.
listen-on {
mynet;
};
allow-query { mynet; };
allow-notify {none;};
// NOTE(review): recursion is not restricted explicitly; an explicit
// "allow-recursion { mynet; };" states the intent of a LAN-only resolver.
// NOTE(review): with the next line commented out the BIND default for zone
// transfers applies, which in the BIND releases of this era is "any" -- any
// host that can reach the server can pull the whole zone with AXFR.
// Uncomment it here and grant allow-transfer per zone only to a real secondary.
// allow-transfer {none;};
};
//
// a caching only nameserver config
//
// rndc control channel: loopback only, authenticated with rndckey (from the
// include of /etc/rndc.key below).
controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." IN {
type hint;
file "named.ca";
};
//
zone "localdomain" IN {
type master;
file "localhost.zone";
allow-update { none; };
};
//
zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};
//
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};
//
zone "255.in-addr.arpa" IN {
type master;
file "named.broadcast";
allow-update { none; };
};
//
zone "0.in-addr.arpa" IN {
type master;
file "named.zero";
allow-update { none; };
};
include "/etc/rndc.key";
// Forward zone for the lab domain (records in vnlamp-test.vn.zone).
zone "vnlamp-test.vn" {
type master;
file "vnlamp-test.vn.zone";
allow-query{
mynet;
};
// NOTE(review): this lets every host in mynet send unauthenticated DNS UPDATE
// messages and rewrite any record in the zone. Nothing in this setup needs
// dynamic updates, so use "allow-update { none; };" exactly as the local
// zones above do; if updates are ever needed, use update-policy with a TSIG
// key rather than an address list.
allow-update{
mynet;
};
};
// Reverse zone for 10.0.0.0/24 (records in 0.0.10.in-addr.arpa.zone).
zone "0.0.10.in-addr.arpa" {
type master;
file "0.0.10.in-addr.arpa.zone";
allow-query{
mynet;
};
// There is no secondary server in this setup, so this can be "none".
allow-transfer{
mynet;
};
// NOTE(review): same unauthenticated-update exposure as the forward zone;
// "allow-update { none; };" unless a keyed update-policy is configured.
allow-update{
mynet;
};
};
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# vi /var/named/chroot/var/named/vnlamp-test.vn.zone
$TTL 86400
; NOTE(review): the SOA MNAME "vnlamp-test.vn" has no trailing dot, so it is
; relative to the zone origin and expands to vnlamp-test.vn.vnlamp-test.vn.
; Write it absolute ("vnlamp-test.vn." or "dns1.vnlamp-test.vn.") like the
; RNAME next to it. Bump the serial whenever this file is edited.
@ IN SOA vnlamp-test.vn root.vnlamp-test.vn. (
2 ; serial
28800 ; refresh
7200 ; retry
604800 ; expire
; minimum / negative-cache TTL
86400);
@ IN NS vnlamp-test.vn.
@ IN MX 10 mail.vnlamp-test.vn.
@ IN MX 100 pop3.vnlamp-test.vn.
$ORIGIN vnlamp-test.vn.
; Every name below resolves to the firewall's eth1 address: the NS, both MX
; hosts and the web hosts are all this machine.
@ IN A 10.0.0.150
dns1 IN A 10.0.0.150
mail IN A 10.0.0.150
pop3 IN A 10.0.0.150
www IN A 10.0.0.150
webmail IN A 10.0.0.150
; NOTE(review): the reverse zone maps 10.0.0.200 to 2k3.vnlamp-test.vn. but
; there is no matching "2k3 IN A 10.0.0.200" here; forward and reverse should agree.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# vi /var/named/chroot/var/named/0.0.10.in-addr.arpa.zone
$TTL 86400
; NOTE(review): as in the forward zone, the SOA MNAME lacks a trailing dot and
; is therefore relative to this zone's origin (0.0.10.in-addr.arpa); write it
; as "vnlamp-test.vn.".
@ IN SOA vnlamp-test.vn root.vnlamp-test.vn. (
3 ; serial
28800 ; refresh
7200 ; retry
604800 ; expire
; minimum / negative-cache TTL
86400 ) ;
@ IN NS vnlamp-test.vn.
; Four PTRs for one address are legal, but most tools only use the first
; answer; one canonical name (dns1) per address is the usual practice.
150 IN PTR dns1.vnlamp-test.vn.
150 IN PTR www.vnlamp-test.vn.
150 IN PTR pop3.vnlamp-test.vn.
150 IN PTR mail.vnlamp-test.vn.
; The RDP target host (see the DNAT rule in /etc/shorewall/rules); it has no
; A record in the forward zone.
200 IN PTR 2k3.vnlamp-test.vn.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# vi /etc/resolv.conf
# The firewall resolves through its own BIND on eth1 (10.0.0.150). If named
# is stopped, name resolution on this host stops with it; a second
# "nameserver" line pointing at an upstream resolver gives a fallback.
nameserver 10.0.0.150
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Cấu hình Firewall (Shorewall)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# vi /etc/shorewall/zones
#
# Shorewall version 3.4 - Zones File
#
# For information about this file, type "man shorewall-zones"
#
# For more information, see http://www.shorewall.net/3.0/Documentation.htm#Zones
#
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
# fw is the firewall host itself; net is the Internet side (eth0) and loc the
# LAN (eth1), as bound in /etc/shorewall/interfaces.
fw firewall
net ipv4
loc ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# vi /etc/shorewall/interfaces
#
# Shorewall version 3.4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# For additional information, see
# http://www.shorewall.net/3.0/Documentation.htm#Interfaces
#
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
# NOTE(review): OPTIONS is empty on both interfaces. On the Internet-facing
# interface "tcpflags,routefilter" (see "man shorewall-interfaces") drops
# packets with invalid TCP flag combinations and packets whose source address
# would not route back out through eth0 -- the usual minimum for the net side.
net eth0 detect -
loc eth1 detect -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# vi /etc/shorewall/masq
#
# Shorewall version 3.4 - Masq file
#
# For information about entries in this file, type "man shorewall-masq"
#
# For additional information, see http://www.shorewall.net/3.0/Documentation.htm#Masq
#
###############################################################################
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
# Everything that enters on eth1 and leaves on eth0 is source-NATed to eth0's
# address. NOTE(review): "eth0 10.0.0.0/24" would limit this to the LAN prefix
# instead of any source address that happens to arrive on eth1.
eth0 eth1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# vi /etc/shorewall/policy
#
# Shorewall version 3.4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
#
# See http://www.shorewall.net/3.0/Documentation.htm#Policy for additional information.
#
###############################################################################
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
# No forwarding between Internet hosts; the firewall itself may reach
# anything; unsolicited traffic from the Internet is silently dropped; all
# other traffic (including loc->net unless a rule allows it, which is what
# blocks outbound ping) is rejected.
# NOTE(review): no LOG LEVEL is set, so dropped and rejected traffic leaves no
# trace. "net all DROP info" and "all all REJECT info" make both visible in
# the kernel log, which is what you need when a rule does not behave as expected.
# NOTE(review): "fw all ACCEPT" also lets every process on the firewall
# (squid, named, ...) open connections anywhere; fine for the lab, but it is
# the first policy to tighten on a production gateway.
net net DROP
fw all ACCEPT
net all DROP
all all REJECT
#LAST LINE -- DO NOT REMOVE
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# vi /etc/shorewall/rules
#
# Shorewall version 3.4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# See http://www.shorewall.net/3.0/Documentation.htm#Rules for additional information.
#
#############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
# The firewall may ping anywhere and the Internet may ping the firewall (loc
# hosts are behind NAT and not routable from net). loc->net ping stays
# commented out so the all/all REJECT policy blocks it, as the requirement asks.
ACCEPT fw all icmp echo-request
ACCEPT net all icmp echo-request
#ACCEPT loc net icmp echo-request
ACCEPT loc fw icmp echo-request
#ACCEPT fw net all -
#ACCEPT fw loc all -
#ACCEPT loc net all -
# NOTE(review): SSH on the firewall is open to every Internet address with no
# rate limit. Restrict SOURCE to the address(es) you administer from
# ("net:<admin-ip>") and/or use the RATE LIMIT column shown in the header.
ACCEPT net fw tcp 22
# LAN clients may reach the firewall's DNS, SSH, SMTP, HTTP, POP3, HTTPS, 902 and 8080.
ACCEPT loc fw tcp 53,22,25,80,110,443,902,8080
ACCEPT loc fw udp 53
# NOTE(review): port 80 is diverted to squid by the REDIRECT below, but 8080
# is not, so this line lets LAN clients reach Internet port 8080 directly and
# bypass both the cache and the deny list. 443 is not listed, so HTTPS from
# the LAN is rejected by policy; add it here deliberately if that is wanted
# (the transparent proxy cannot see inside it).
ACCEPT loc net tcp 80,8080
# NOTE(review): "10.0.0.200/8" is the /8 that contains 10.0.0.200, i.e. all of
# 10.0.0.0/8, not the single host; write "loc:10.0.0.0/24" (or plain "loc")
# for what is meant. "!10.0.0.150" in ORIGINAL DEST keeps web requests to the
# firewall itself off the proxy. A REDIRECT rule also generates the matching
# accept into fw:3128, which is why 3128 is absent from the loc->fw line above.
REDIRECT loc:10.0.0.200/8 3128 tcp www - !10.0.0.150
# NOTE(review): RDP on 10.0.0.200 is reachable from the entire Internet via
# external port 4444 (the requirement names 3389; a different external port is
# fine, but document it). Restrict SOURCE to the remote site(s) that need it
# and log the hits: "DNAT:info net:<remote-ip> loc:10.0.0.200:3389 tcp 4444".
DNAT net loc:10.0.0.200:3389 tcp 4444
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Cấu hình Squid Proxy Server
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# vi /etc/squid/squid.conf
# Transparent (intercepting) proxy: the Shorewall REDIRECT rule sends LAN
# port-80 traffic to 3128. ICP on 3130 only matters with cache peers, and
# none are defined here.
http_port 3128 transparent
icp_port 3130
# Never cache dynamic (cgi-bin / query-string) responses.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
# NOTE(review): "visible_hostname = ..." is not valid syntax (no "="); if it
# is ever enabled, write "visible_hostname <hostname>".
#visible_hostname = mail.vnlamp.vn
# Cache sizing: 128 MB in RAM, 3000 MB on disk (ufs, 16x256 dirs), objects up to 2 MB.
cache_mem 128 MB
maximum_object_size 2048 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
cache_dir ufs /var/spool/squid 3000 16 256
# access.log is what sarg reads to build the per-user reports.
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
mime_table /etc/squid/mime.conf
pid_filename /var/run/squid.pid
debug_options ALL,1
#diskd_program /usr/lib64/squid/diskd-daemon >> for 64-bit systems
#unlinkd_program /usr/lib64/squid/unlinkd
request_header_max_size 50 KB
# NOTE(review): this caps every request body (uploads, web-mail attachments,
# form posts) at 2 MB for all LAN users; raise it if that is not intended.
request_body_max_size 2048 KB
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
quick_abort_min 16 KB
quick_abort_max 16 KB
quick_abort_pct 95
negative_ttl 3 minutes
negative_dns_ttl 5 minutes
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 81
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 3000
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
# NOTE(review): 10.0.0.0/8 is wider than the 10.0.0.x LAN; 10.0.0.0/24 keeps
# the proxy's idea of "inside" aligned with the loc zone.
acl home_network src 10.0.0.0/8
# NOTE(review): each line of the file is an unanchored regular expression, so
# "yahoo.com" also matches any hostname that merely contains it and "."
# matches any character. For a plain list of domains "dstdomain" with entries
# of the form ".yahoo.com" is exact and far cheaper to evaluate.
acl denywebsite dstdom_regex "/etc/squid/denywebsite.txt"
# NOTE(review): manager, localhost, Safe_ports, SSL_ports and CONNECT are
# defined above but never referenced by an http_access line, so the standard
# guards are missing. Before "http_access allow home_network" add:
#   http_access allow manager localhost
#   http_access deny manager
#   http_access deny !Safe_ports
#   http_access deny CONNECT !SSL_ports
# Without them the cache manager is open to the LAN and, wherever the proxy is
# reachable directly on 3128, CONNECT can be used towards any port.
http_access deny denywebsite
deny_info http://www.google.com.vn denywebsite
http_access allow home_network
http_access deny all
# NOTE(review): there are no ICP peers; "icp_access deny all" is the safer default.
icp_access allow all
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# vi /etc/squid/denywebsite.txt
# Read by "acl denywebsite dstdom_regex" in squid.conf: every line is an
# unanchored regular expression matched against the request host, so
# "yahoo.com" also matches any hostname containing it and "." is a wildcard.
# If the list stays as plain domains, "dstdomain" with ".domain" entries is
# the exact form.
yahoo.com
lauxanh.us
vnexpress.net
dantri.com.vn