Untitled

Dec 19th, 2014
  1. Pas James, Scheldeman Robbe, Schelfhout Quinten
  2. ------------------------------------------------------------
  3.  
  4. .----------.
  5. | |
  6. | INTERNET |
  7. | |
  8. '----------'
  9. \\
  10. o--lan0--. .--lan0--o===o--lan0--. .---lan0---.
  11. | | | | | | | |
  12. | BOHR | | CURIE | | DIRAC | | EINSTEIN |
  13. | | | | | | | |
  14. '--lan1--o===o--lan1--' '--lan1--o===o---lan1---'
  15.  
  16.  
  17. BOHR : Externe router
  18. CURIE : Bastion host
  19. DIRAC : Interne router
  20. EINSTEIN: Client
  21.  
  22. CURIE wordt geconfigureerd als bridge, name-, mail-, web- en
  23. proxyserver.
  24.  
  25.  
  26. ////////////////////////////////////////////////////////////
  27.  
  28.  
  29. ------------------------------------------------------------
  30. BOHR
  31. ------------------------------------------------------------
  32. Instellen als router:
  33. sysctl -w net.ipv4.ip_forward=1
  34. of
  35. echo 1 > /proc/sys/net/ipv4/ip_forward
  36.  
  37. Persistent maken door /etc/sysctl.conf aan te passen:
  38. net.ipv4.ip_forward = 1
  39.  
  40. Configuratiebestanden aanpassen:
  41. cd /etc/sysconfig/network-scripts
  42.  
  43. nano ifcfg-lan0
  44.  
  45. DEVICE=lan0
  46. BOOTPROTO=none
  47. GATEWAY=192.168.16.8
  48. IPADDR=192.168.16.73
  49. PREFIX=24
  50. ONBOOT=yes
  51.  
  52. nano ifcfg-lan1
  53.  
  54. DEVICE=lan1
  55. BOOTPROTO=none
  56. GATEWAY=192.168.16.8
  57. IPADDR=192.168.63.254
  58. PREFIX=24
  59. ONBOOT=yes
  60.  
  61. cd /
  62. nano /etc/resolv.conf
  63.  
  64. nameserver 192.168.63.1
  65.  
  66. Configuratie toepassen:
  67. ifdown lan0
  68. ifdown lan1
  69. ifup lan0
  70. ifup lan1
  71.  
  72. IP adressen controleren:
  73. ifconfig
  74.  
  75. Zebra/RIP configureren:
  76. nano /etc/quagga/zebra.conf
  77.  
  78. hostname bohr
  79. password zebra
  80. enable password zebra
  81. !
  82. interface lan0
  83. !ip address 192.168.16.0/24
  84. interface lan1
  85. !ip address 192.168.63.0/24
  86.  
  87. nano /etc/quagga/ripd.conf
  88.  
  89. password zebra
  90. enable password zebra
  91. !
  92. router rip
  93. redistribute connected
  94. network 192.168.16.0/24
  95. !
  96.  
  97. !!! Hier moet als network het netwerk worden opgegeven naar
  98. !!! waar de routes moeten worden aangeboden.
  99.  
  100. Zebra/RIP starten:
  101. systemctl start zebra
  102. systemctl start ripd
  103.  
  104.  
  105. ------------------------------------------------------------
  106. CURIE
  107. ------------------------------------------------------------
  108. Instellen als bridge kan op twee manieren:
  109. 1. Persistent
  110. Configuratiebestanden aanpassen:
  111. cd /etc/sysconfig/network-scripts
  112.  
  113. nano ifcfg-lan0
  114.  
  115. DEVICE=lan0
  116. HWADDR=02:00:00:00:00:00
  117. BRIDGE=br0
  118. NM_CONTROLLED=no
  119. ONBOOT=yes
  120.  
  121. nano ifcfg-lan1
  122.  
  123. DEVICE=lan1
  124. HWADDR=02:00:00:00:00:01
  125. BRIDGE=br0
  126. NM_CONTROLLED=no
  127. ONBOOT=yes
  128.  
  129. nano ifcfg-br0
  130.  
  131. DEVICE=br0
  132. TYPE=bridge
  133. STP=on
  134. BOOTPROTO=none
  135. IPADDR=192.168.63.1
  136. PREFIX=24
  137. DELAY=0
  138. NM_CONTROLLED=no
  139. ONBOOT=yes
  140.  
  141.  
  142. Configuratie toepassen:
  143. ifdown lan0
  144. ifdown lan1
  145. ifup lan0
  146. ifup lan1
  147. ifup br0
  148. of
  149. systemctl restart network
  150.  
  151. 2. Tijdelijk
  152. Configuratie volledig via CLI:
  153. ifconfig lan0 0.0.0.0 down
  154. ifconfig lan1 0.0.0.0 down
  155. brctl addbr br0
  156. brctl stp br0 on
  157. brctl addif br0 lan0
  158. brctl addif br0 lan1
  159. ifconfig lan0 up
  160. ifconfig lan1 up
  161. ifconfig br0 up
  162. ifconfig br0 192.168.63.1
  163.  
  164. Controle door uitvoer van ifconfig te bekijken
  165.  
  166. Nameserver aanpassen:
  167. cd /
  168. nano /etc/resolv.conf
  169.  
  170. nameserver localhost
  171. # mag ook leeg zijn
  172.  
  173. DNS server configuratie:
  174. nano /etc/named.conf
  175.  
  176. options {
  177. directory "/var/named";
  178. forwarders { 192.168.16.8; };
  179. allow-query { any; };
  180. empty-zones-enable no;
  181. };
  182.  
  183. logging {
  184. channel default_debug {
  185. syslog daemon;
  186. severity dynamic;
  187. };
  188. };
  189.  
  190. zone "groep13.iii.hogent.be" IN {
  191. type master;
  192. file "groep13.iii.hogent.be";
  193. };
  194.  
  195. zone "63.168.192.in-addr.arpa" IN {
  196. type master;
  197. file "63.168.192.in-addr.arpa";
  198. };
  199.  
  200. nano /var/named/groep13.iii.hogent.be
  201.  
  202. $TTL 60
  203. @ IN SOA groep13.iii.hogent.be.
  204. quinten.schelfhout.ugent.be. (
  205. 2014121701
  206. 1D
  207. 1D
  208. 1D
  209. 3D)
  210. IN NS curie
  211. bohr IN A 192.168.63.254
  212. curie IN A 192.168.63.1
  213. dirac IN A 192.168.63.250
  214.  
  215. nano /var/named/63.168.192.in-addr.arpa
  216.  
  217. $TTL 60
  218. @ IN SOA groep13.iii.hogent.be.
  219. james.pas.ugent.be. (
  220. 2014121701
  221. 1D
  222. 1D
  223. 1D
  224. 3D)
  225. IN NS curie.groep13.iii.hogent.be.
  226. 1 IN PTR curie.groep13.iii.hogent.be.
  227. 250 IN PTR dirac.groep13.iii.hogent.be.
  228. 254 IN PTR bohr.groep13.iii.hogent.be.
  229.  
  230. Controle van DNS configuratie:
  231. named-checkconf
  232. named-checkzone <zonenaam> <bestandsnaam>
  233.  
  234. Configuratie van sendmail:
  235. DNS aanvullen met MX-record als tweede lijn:
  236. @ IN MX 10 curie
  237.  
  238. Configuratie in /etc/mail/sendmail.mc van Curie:
  239. include(`/usr/bin/m4)dnl
  240. OSTYPE(`linux')dnl
  241. define(`confMAX_HOP',`25')dnl
  242. define(`confSMTP_LOGIN_MSG',`$j mailer ready at $b')dnl
  243. define(`confMIME_FORMAT_ERRORS',`False')dnl
  244. FEATURE(`promiscuous_relay')dnl
  dnl promiscuous_relay zet de relay-controles van sendmail uit: elke host die poort 25 van CURIE bereikt kan via deze server mailen. In deze notities wordt SMTP naar CURIE enkel op DIRAC gefilterd, niet op BOHR (kant INTERNET).
  245. FEATURE(`accept_unqualified_senders')dnl
  246. FEATURE(`use_cw_file')dnl
  247. MASQUERADE_AS(groep13.iii.hogent.be)dnl
  248. MAILER(smtp)dnl
  249.  
  250. Met behulp van de m4 opdracht het sendmail.cf bestand opbouwen:
  251. m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
  252.  
  253. /etc/mail/local-host-names:
  254. groep13.iii.hogent.be
  255.  
  256. /etc/hosts:
  257. 127.0.0.1 localhost.localdomain localhost curie
  258. curie.groep13.iii.hogent.be
  259.  
  260. Service (her)starten:
  261. service sendmail (re)start
  262.  
  263. ------------------------------------------------------------
  264. DIRAC
  265. ------------------------------------------------------------
  266. Instellen als router:
  267. sysctl -w net.ipv4.ip_forward=1
  268. of
  269. echo 1 > /proc/sys/net/ipv4/ip_forward
  270.  
  271. Persistent maken door /etc/sysctl.conf aan te passen:
  272. net.ipv4.ip_forward = 1
  273.  
  274. Configuratiebestanden aanpassen:
  275. cd /etc/sysconfig/network-scripts
  276.  
  277. nano ifcfg-lan0
  278.  
  279. DEVICE=lan0
  280. BOOTPROTO=none
  281. GATEWAY=192.168.63.254
  282. IPADDR=192.168.63.250
  283. PREFIX=24
  284. ONBOOT=yes
  285.  
  286. nano ifcfg-lan1
  287.  
  288. DEVICE=lan1
  289. BOOTPROTO=none
  290. GATEWAY=192.168.63.254
  291. IPADDR=10.0.0.254
  292. PREFIX=24
  293. ONBOOT=yes
  294.  
  295. cd /
  296. nano /etc/resolv.conf
  297.  
  298. nameserver 192.168.63.1
  299.  
  300. Configuratie toepassen:
  301. ifdown lan0
  302. ifdown lan1
  303. ifup lan0
  304. ifup lan1
  305.  
  306. IP adressen controleren:
  307. ifconfig
  308.  
  309. Firewall (iptables) configureren:
  310. nano firewall.sh
  311. ____________________________________________________________
  312.  
  313. #!/bin/bash
  314.  
  315. iptables -F
  316. iptables -t nat -F
  317. iptables -t mangle -F
  318.  
  319. iptables -X
  320. iptables -t nat -X
  321. iptables -t mangle -X
  322.  
  323. iptables -P INPUT DROP
  324. iptables -P FORWARD DROP
  325. iptables -P OUTPUT DROP
  326.  
  327. DMZ_NET="192.168.63.0/24"
  328. LAN_NET="10.0.0.0/8"
  329. DMZ_IP="192.168.63.1"
  330.  
  331. # ICMP verkeer toelaten op de twee verbonden netwerken.
  332. # Eigenlijk zou het bericht type moeten worden opgegeven met
  333. # --icmp-type om enkel pingen toe te laten.
  334. # echo-request en echo-reply
  335. iptables -I INPUT -p icmp -s $DMZ_NET -j ACCEPT
  336. iptables -I INPUT -p icmp -s $LAN_NET -j ACCEPT
  337. iptables -I FORWARD -p icmp -s $DMZ_NET -j ACCEPT
  338. iptables -I FORWARD -p icmp -s $LAN_NET -j ACCEPT
  339. iptables -I OUTPUT -p icmp -d $DMZ_NET -j ACCEPT
  340. iptables -I OUTPUT -p icmp -d $LAN_NET -j ACCEPT
  341.  
  342. # DNS verkeer toelaten
  343. iptables -I FORWARD -p udp -d $DMZ_IP --dport domain
  344. -j ACCEPT
  345. iptables -I FORWARD -p udp -s $DMZ_IP --sport domain
  346. -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  347.  
  348. # HTTP verkeer toelaten
  349. iptables -I FORWARD -p tcp -d $DMZ_IP --dport http
  350. -j ACCEPT
  351. iptables -I FORWARD -p tcp -s $DMZ_IP --sport http
  352. -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  353.  
  354. # SSH verkeer toelaten
  355. iptables -I FORWARD -p tcp -d $DMZ_IP --dport ssh
  356. -j ACCEPT
  357. iptables -I FORWARD -p tcp -s $DMZ_IP --sport ssh
  358. -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  359.  
  360. # SMTP verkeer toelaten
  361. iptables -I FORWARD -p tcp -d $DMZ_IP --dport smtp
  362. -j ACCEPT
  363. iptables -I FORWARD -p tcp -s $DMZ_IP --sport smtp
  364. -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  365.  
  366. # Authenticated mail verkeer toelaten
  367. iptables -I FORWARD -p tcp -d $DMZ_IP --dport submission
  368. -j ACCEPT
  369. iptables -I FORWARD -p tcp -s $DMZ_IP --sport submission
  370. -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  371.  
  372. # POP3 verkeer toelaten
  373. iptables -I FORWARD -p tcp -d $DMZ_IP --dport pop3
  374. -j ACCEPT
  375. iptables -I FORWARD -p tcp -s $DMZ_IP --sport pop3
  376. -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  377.  
  378. # IMAP verkeer toelaten
  379. iptables -I FORWARD -p tcp -d $DMZ_IP --dport imap
  380. -j ACCEPT
  381. iptables -I FORWARD -p tcp -s $DMZ_IP --sport imap
  382. -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  383. ____________________________________________________________
  384.  
  385. sh firewall.sh
  386. iptables -L
  387.  
  388. ------------------------------------------------------------
  389. EINSTEIN
  390. ------------------------------------------------------------
  391. Configuratiebestanden aanpassen:
  392. cd /etc/sysconfig/network-scripts
  393.  
  394. nano ifcfg-lan1
  395.  
  396. DEVICE=lan1
  397. BOOTPROTO=none
  398. GATEWAY=192.168.63.254
  399. IPADDR=10.0.0.1
  400. PREFIX=24
  401. ONBOOT=yes
  402.  
  403. cd /
  404. nano /etc/resolv.conf
  405.  
  406. nameserver 192.168.63.1
  407.  
  408. Configuratie toepassen:
  409. ifdown lan1
  410. ifup lan1
  411.  
  412. IP adressen controleren:
  413. ifconfig