Differences
This shows you the differences between two versions of the page.
vyuka:cviceni:y36sps:semestralky:holyj4 [2009/06/04 23:52] – holyj4 | vyuka:cviceni:y36sps:semestralky:holyj4 [2009/06/05 01:40] (current) – holyj4 | ||
---|---|---|---|
Line 10: | Line 10: | ||
====== System ====== | ====== System ====== | ||
- | As the system I used openSUSE 11.1, which has a very well-made click-through GUI in YaST, though not entirely clear and intuitive. | + | As the system I used openSUSE 11.1, which has a very well-made click-through GUI in YaST, though not always entirely clear and intuitive. Of course it would be faster in the console, but who knows what would happen to my settings after a reboot. |
The dedicated PC is not very powerful (P3 600MHz), but that does not detract from its quality; moreover it consumes less energy, and since a gateway should run constantly, that is one of the important factors. | The dedicated PC is not very powerful (P3 600MHz), but that does not detract from its quality; moreover it consumes less energy, and since a gateway should run constantly, that is one of the important factors. | ||
Line 39: | Line 39: | ||
We need to set up the card " | We need to set up the card " | ||
- | {{: | + | {{ : |
The card from which the cable leads into the LAN we set as the internal zone - we have nothing to fear, in a single flat an attack from inside is usually not a problem, and moreover we could otherwise cut ourselves off from the benefits of the LAN. | The card from which the cable leads into the LAN we set as the internal zone - we have nothing to fear, in a single flat an attack from inside is usually not a problem, and moreover we could otherwise cut ourselves off from the benefits of the LAN. | ||
- | {{: | + | {{ : |
+ | ====== Firewall ====== | ||
+ | We must leave the firewall switched on; without it nothing will work for us, because masquerading would be inactive. We turn it on easily: | ||
+ | {{ : | ||
+ | It does not hurt to open the ssh and http ports from the external zone, but that is up to each of us. | ||
+ | My report turns out like this, but I know that I simply want ports 22 and 80 open, whether it says FAILED or not. | ||
+ | {{ : | ||
+ | Of course we also need to check what the FW actually sets up (which we can do at the very end): | ||
+ | < | ||
+ | kmotr:~ # iptables -S | ||
+ | -P INPUT DROP | ||
+ | -P FORWARD DROP | ||
+ | -P OUTPUT ACCEPT | ||
+ | -N forward_ext | ||
+ | -N forward_int | ||
+ | -N input_ext | ||
+ | -N input_int | ||
+ | -N reject_func | ||
+ | -A INPUT -i lo -j ACCEPT | ||
+ | -A INPUT -m state --state ESTABLISHED -j ACCEPT | ||
+ | -A INPUT -p icmp -m state --state RELATED -j ACCEPT | ||
+ | -A INPUT -i eth1 -j input_int | ||
+ | -A INPUT -i eth0 -j input_ext | ||
+ | -A INPUT -i wlan0 -j input_ext | ||
+ | -A INPUT -i wmaster0 -j input_ext | ||
+ | -A INPUT -j input_ext | ||
+ | -A INPUT -m limit --limit 3/min -j LOG --log-prefix " | ||
+ | -A INPUT -j DROP | ||
+ | -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu | ||
+ | -A FORWARD -i eth1 -j forward_int | ||
+ | -A FORWARD -i eth0 -j forward_ext | ||
+ | -A FORWARD -i wlan0 -j forward_ext | ||
+ | -A FORWARD -i wmaster0 -j forward_ext | ||
+ | -A FORWARD -m limit --limit 3/min -j LOG --log-prefix " | ||
+ | -A FORWARD -j DROP | ||
+ | -A OUTPUT -o lo -j ACCEPT | ||
+ | -A OUTPUT -m state --state NEW, | ||
+ | -A OUTPUT -m limit --limit 3/min -j LOG --log-prefix " | ||
+ | -A forward_ext -p icmp -m state --state RELATED, | ||
+ | -A forward_ext -p icmp -m state --state RELATED, | ||
+ | -A forward_ext -p icmp -m state --state RELATED, | ||
+ | -A forward_ext -p icmp -m state --state RELATED, | ||
+ | -A forward_ext -p icmp -m state --state RELATED, | ||
+ | -A forward_ext -p icmp -m state --state RELATED, | ||
+ | -A forward_ext -p icmp -m state --state RELATED, | ||
+ | -A forward_ext -p icmp -m state --state RELATED, | ||
+ | -A forward_ext -i eth0 -o eth1 -m state --state RELATED, | ||
+ | -A forward_ext -i wlan0 -o eth1 -m state --state RELATED, | ||
+ | -A forward_ext -i wmaster0 -o eth1 -m state --state RELATED, | ||
+ | -A forward_ext -m limit --limit 3/min -m pkttype --pkt-type multicast -j LOG --log-prefix " | ||
+ | -A forward_ext -m pkttype --pkt-type multicast -j DROP | ||
+ | -A forward_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN, | ||
+ | -A forward_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix " | ||
+ | -A forward_ext -p udp -m limit --limit 3/min -j LOG --log-prefix " | ||
+ | -A forward_ext -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix " | ||
+ | -A forward_ext -j DROP | ||
+ | -A forward_int -p icmp -m state --state RELATED, | ||
+ | -A forward_int -p icmp -m state --state RELATED, | ||
+ | -A forward_int -p icmp -m state --state RELATED, | ||
+ | -A forward_int -p icmp -m state --state RELATED, | ||
+ | -A forward_int -p icmp -m state --state RELATED, | ||
+ | -A forward_int -p icmp -m state --state RELATED, | ||
+ | -A forward_int -p icmp -m state --state RELATED, | ||
+ | -A forward_int -p icmp -m state --state RELATED, | ||
+ | -A forward_int -i eth1 -o eth0 -m state --state NEW, | ||
+ | -A forward_int -i eth1 -o wlan0 -m state --state NEW, | ||
+ | -A forward_int -i eth1 -o wmaster0 -m state --state NEW, | ||
+ | -A forward_int -m limit --limit 3/min -m pkttype --pkt-type multicast -j LOG --log-prefix " | ||
+ | -A forward_int -m pkttype --pkt-type multicast -j DROP | ||
+ | -A forward_int -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN, | ||
+ | -A forward_int -p icmp -m limit --limit 3/min -j LOG --log-prefix " | ||
+ | -A forward_int -p udp -m limit --limit 3/min -j LOG --log-prefix " | ||
+ | -A forward_int -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix " | ||
+ | -A forward_int -j reject_func | ||
+ | -A input_ext -m pkttype --pkt-type broadcast -j DROP | ||
+ | -A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT | ||
+ | -A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT | ||
+ | -A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 80 --tcp-flags FIN, | ||
+ | -A input_ext -p tcp -m tcp --dport 80 -j ACCEPT | ||
+ | -A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 443 --tcp-flags FIN, | ||
+ | -A input_ext -p tcp -m tcp --dport 443 -j ACCEPT | ||
+ | -A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 22 --tcp-flags FIN, | ||
+ | -A input_ext -p tcp -m tcp --dport 22 -j ACCEPT | ||
+ | -A input_ext -p udp -m udp --dport 443 -j ACCEPT | ||
+ | -A input_ext -m limit --limit 3/min -m pkttype --pkt-type multicast -j LOG --log-prefix " | ||
+ | -A input_ext -m pkttype --pkt-type multicast -j DROP | ||
+ | -A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN, | ||
+ | -A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix " | ||
+ | -A input_ext -p udp -m limit --limit 3/min -j LOG --log-prefix " | ||
+ | -A input_ext -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix " | ||
+ | -A input_ext -j DROP | ||
+ | -A input_int -j ACCEPT | ||
+ | -A reject_func -p tcp -j REJECT --reject-with tcp-reset | ||
+ | -A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable | ||
+ | -A reject_func -j REJECT --reject-with icmp-proto-unreachable | ||
+ | kmotr:~ # | ||
+ | </ | ||
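Checking the loaded rules by eye is error-prone, so here is an added example (not part of the original write-up) that parses `iptables -S` output and compares the default policies and the ports accepted in the external zone against what we intended (the write-up wants only 22 and 80 open). The sample text below is a constructed excerpt of the complete lines from the output above.

```python
import re

# Constructed sample: complete lines taken from the `iptables -S` output above
SAMPLE = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j input_int
-A INPUT -i eth0 -j input_ext
-A INPUT -j DROP
-A input_ext -p tcp -m tcp --dport 80 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 443 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
-A input_ext -p udp -m udp --dport 443 -j ACCEPT
-A input_ext -j DROP
-A input_int -j ACCEPT
"""

# An "-A <chain> ... -p tcp|udp ... --dport N ... -j ACCEPT" rule opens a port
RULE_RE = re.compile(r"^-A (\S+) .*?-p (tcp|udp) .*?--dport (\d+) .*-j ACCEPT$")

def parse(text):
    """Return ({chain: policy}, {chain: {(proto, port), ...}}) from iptables -S."""
    policies, opened = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-P "):
            _, chain, policy = line.split()
            policies[chain] = policy
        else:
            m = RULE_RE.match(line)
            if m:
                chain, proto, port = m.groups()
                opened.setdefault(chain, set()).add((proto, int(port)))
    return policies, opened

def audit(text, intended_ext=frozenset({("tcp", 22), ("tcp", 80)})):
    """List deviations between the loaded rules and the intended external-zone policy."""
    policies, opened = parse(text)
    problems = []
    for chain in ("INPUT", "FORWARD"):  # both must default to DROP on a gateway
        if policies.get(chain) != "DROP":
            problems.append(f"{chain} policy is {policies.get(chain)}, expected DROP")
    ext = opened.get("input_ext", set())
    for proto, port in sorted(ext - intended_ext):
        problems.append(f"{proto}/{port} accepted from the external zone but not intended")
    for proto, port in sorted(intended_ext - ext):
        problems.append(f"{proto}/{port} intended but not accepted from the external zone")
    return problems
```

On the sample this reports tcp/443 and udp/443 as accepted beyond the stated intent, which is exactly the kind of surprise a manual read of a long ruleset misses.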
+ | |||
+ | |||
+ | Now we can continue as we please: shut the computer down, pull out the cables, move it into the closet, plug in the 3 necessary cables (2x ethernet and 1x power), and work further only over "ssh -X address" | ||
+ | Until we have DHCP set up, we must set the IP on the regular PC/ | ||
+ | |||
+ | |||
+ | |||
+ | ====== DHCP ====== | ||
+ | We start the "DHCP server" module in YaST, | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | In the next tab we select our card with the static IP and choose it. We do not need to pay attention to the firewall; it ignores the internal zone, and nobody from the outside will ask us for an IP anyway. | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | In the general settings we fill in the most important information that our DHCP server will hand out to the others. The router is its own IP, and as the DNS server we also chose our gateway; we will get DNS itself running in the next step. | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | In dynamic DHCP we play a bit with the IP address range so that we can define a few addresses statically - for some PCs it is useful to know which IP they have rather than having to look it up on them. It also makes DNS easier, since hosts in the local network can then be addressed by name. | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | In host management we can assign certain fixed IPs to particular MAC addresses, and also give them names. | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | We do not need to go into the expert settings, | ||
+ | |||
+ | In / | ||
+ | |||
+ | < | ||
+ | option domain-name " | ||
+ | option domain-name-servers 192.168.1.1; | ||
+ | option routers 192.168.1.1; | ||
+ | ddns-update-style none; | ||
+ | default-lease-time 14400; | ||
+ | subnet 192.168.1.0 netmask 255.255.255.0 { | ||
+ | range 192.168.1.20 192.168.1.254; | ||
+ | default-lease-time 14400; | ||
+ | max-lease-time 172800; | ||
+ | host shawshank { | ||
+ | fixed-address 192.168.1.2; | ||
+ | hardware ethernet 00: | ||
+ | } | ||
+ | host forrest { | ||
+ | fixed-address 192.168.1.3; | ||
+ | hardware ethernet 00: | ||
+ | } | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | ====== DNS ====== | ||
+ | DNS is started very similarly to DHCP - its configuration is in some ways easier, in some ways more complicated. We achieve basic functionality in the tab " | ||
+ | |||
+ | Setting up name resolution in the LAN is a bit more complicated. In DNS zones we add our TLD (or anything else) (I have " | ||
+ | |||
+ | In the Records tab we add our gateway, as an A record. We can add the other PCs on the network as well. | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | The SOA is set up more or less correctly; there is no need to mess with it much. We add a nameserver that we point at our gateway (you have surely noticed that my gateway is " | ||
+ | |||
+ | |||
+ | In the directory / | ||
+ | |||
+ | < | ||
+ | $TTL 2d | ||
+ | @ IN SOA kmotr.doma. root.kmotr.doma. ( | ||
+ | 2009060503 ; | ||
+ | 3h ; refresh | ||
+ | 1h ; retry | ||
+ | 1w ; expiry | ||
+ | 1d ) ; minimum | ||
+ | |||
+ | doma. IN MX 0 kmotr.doma. | ||
+ | doma. IN NS kmotr.doma. | ||
+ | shawshank IN A 192.168.1.2 | ||
+ | kmotr.doma. IN A 192.168.1.1 | ||
+ | forrest IN A 192.168.1.3 | ||
+ | </ | ||
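The DHCP section sets fixed addresses outside the dynamic range and the DNS section mirrors those hosts as A records, so the two files must agree. This added example (not from the original write-up) parses both and reports fixed addresses that fall inside the dynamic range, hosts whose DHCP and DNS addresses differ, and router/DNS options that no A record covers. The samples are constructed from the page's own configs; the MAC addresses were cut off in the extracted text, so placeholders stand in for them.

```python
import re
from ipaddress import ip_address

# Constructed sample from the dhcpd.conf above (MAC addresses are placeholders)
DHCPD_CONF = """\
option domain-name-servers 192.168.1.1;
option routers 192.168.1.1;
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.20 192.168.1.254;
  host shawshank { fixed-address 192.168.1.2; hardware ethernet 00:00:00:00:00:02; }
  host forrest { fixed-address 192.168.1.3; hardware ethernet 00:00:00:00:00:03; }
}
"""

# Constructed sample: the records from the doma. zone file above
ZONE = """\
doma. IN NS kmotr.doma.
shawshank IN A 192.168.1.2
kmotr.doma. IN A 192.168.1.1
forrest IN A 192.168.1.3
"""

def dhcp_hosts(conf):
    """Return ({hostname: fixed-address}, (first, last)) for the dynamic range."""
    hosts = dict(re.findall(r"host\s+(\S+)\s*\{[^}]*?fixed-address\s+([\d.]+);", conf))
    rng = re.search(r"range\s+([\d.]+)\s+([\d.]+);", conf).groups()
    return hosts, rng

def zone_a_records(zone, origin="doma."):
    """Return {short name: IP} for the A records, with the origin suffix stripped."""
    recs = {}
    for name, ip in re.findall(r"^(\S+)\s+IN\s+A\s+([\d.]+)", zone, re.M):
        recs[name[:-len(origin) - 1] if name.endswith("." + origin) else name] = ip
    return recs

def check(conf, zone):
    """List inconsistencies between the DHCP reservations and the DNS zone."""
    hosts, (lo, hi) = dhcp_hosts(conf)
    a = zone_a_records(zone)
    problems = []
    for name, ip in hosts.items():
        if ip_address(lo) <= ip_address(ip) <= ip_address(hi):
            problems.append(f"{name}: fixed address {ip} lies inside the dynamic range {lo}-{hi}")
        if a.get(name) != ip:
            problems.append(f"{name}: DHCP hands out {ip} but the DNS A record is {a.get(name)}")
    for opt in ("routers", "domain-name-servers"):  # both should resolve to a zone host
        ip = re.search(rf"option {opt}\s+([\d.]+);", conf).group(1)
        if ip not in a.values():
            problems.append(f"option {opt} {ip} has no A record in the zone")
    return problems
```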
+ | |||
+ | |||
+ | ====== End and conclusion ====== | ||
+ | We save, quit, and test. | ||
+ | |||
+ | I learned how to set up a simple internet gateway efficiently, and found out what is hidden "under the hood" | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | {{: | ||
~~DISCUSSION~~ | ~~DISCUSSION~~ |