Pas James, Scheldeman Robbe, Schelfhout Quinten
------------------------------------------------------------
                     .----------.
                     |          |
                     | INTERNET |
                     |          |
                     '----------'
                      \\
o--lan0--.   .--lan0--o===o--lan0--.   .---lan0---.
|        |   |        |   |        |   |          |
|  BOHR  |   | CURIE  |   | DIRAC  |   | EINSTEIN |
|        |   |        |   |        |   |          |
'--lan1--o===o--lan1--'   '--lan1--o===o---lan1---'
BOHR    : External router
CURIE   : Bastion host
DIRAC   : Internal router
EINSTEIN: Client
CURIE is configured as a bridge and as name, mail, web and
proxy server.
////////////////////////////////////////////////////////////
------------------------------------------------------------
BOHR
------------------------------------------------------------
Configure as router:
sysctl -w net.ipv4.ip_forward=1
or
echo 1 > /proc/sys/net/ipv4/ip_forward
Make it persistent by editing /etc/sysctl.conf:
    net.ipv4.ip_forward = 1
Edit the configuration files:
cd /etc/sysconfig/network-scripts
nano ifcfg-lan0
    DEVICE=lan0
    BOOTPROTO=none
    GATEWAY=192.168.16.8
    IPADDR=192.168.16.73
    PREFIX=24
    ONBOOT=yes
nano ifcfg-lan1
    DEVICE=lan1
    BOOTPROTO=none
    GATEWAY=192.168.16.8
    IPADDR=192.168.63.254
    PREFIX=24
    ONBOOT=yes
cd /
nano /etc/resolv.conf
    nameserver 192.168.63.1
Apply the configuration:
ifdown lan0
ifdown lan1
ifup lan0
ifup lan1
Check the IP addresses:
ifconfig
Configure Zebra/RIP:
nano /etc/quagga/zebra.conf
    hostname bohr
    password zebra
    enable password zebra
    !
    interface lan0
    !ip address 192.168.16.0/24
    interface lan1
    !ip address 192.168.63.0/24
nano /etc/quagga/ripd.conf
    password zebra
    enable password zebra
    !
    router rip
    redistribute connected
    network 192.168.16.0/24
    !
    !!! The network statement must name the network on which
    !!! the routes are to be advertised.
Start Zebra/RIP:
systemctl start zebra
systemctl start ripd
------------------------------------------------------------
CURIE
------------------------------------------------------------
There are two ways to set it up as a bridge:
1. Persistent
Edit the configuration files:
cd /etc/sysconfig/network-scripts
nano ifcfg-lan0
    DEVICE=lan0
    HWADDR=02:00:00:00:00:00
    BRIDGE=br0
    NM_CONTROLLED=no
    ONBOOT=yes
nano ifcfg-lan1
    DEVICE=lan1
    HWADDR=02:00:00:00:00:01
    BRIDGE=br0
    NM_CONTROLLED=no
    ONBOOT=yes
nano ifcfg-br0
    DEVICE=br0
    TYPE=bridge
    STP=on
    BOOTPROTO=none
    IPADDR=192.168.63.1
    PREFIX=24
    DELAY=0
    NM_CONTROLLED=no
    ONBOOT=yes
Apply the configuration:
ifdown lan0
ifdown lan1
ifup lan0
ifup lan1
ifup br0
or
systemctl restart network
2. Temporary
Configuration entirely from the CLI:
ifconfig lan0 0.0.0.0 down
ifconfig lan1 0.0.0.0 down
brctl addbr br0
brctl stp br0 on
brctl addif br0 lan0
brctl addif br0 lan1
ifconfig lan0 up
ifconfig lan1 up
ifconfig br0 up
ifconfig br0 192.168.63.1
Verify by inspecting the output of ifconfig
Set the nameserver:
cd /
nano /etc/resolv.conf
    nameserver 127.0.0.1
    # resolv.conf only accepts IP addresses, not the name "localhost";
    # the file may also be left empty (the resolver then falls back to localhost)
DNS server configuration:
nano /etc/named.conf
    options {
        directory "/var/named";
        forwarders { 192.168.16.8; };
        allow-query { any; };
        empty-zones-enable no;
    };
    logging {
        channel default_debug {
            syslog daemon;
            severity dynamic;
        };
    };
    zone "groep13.iii.hogent.be" IN {
        type master;
        file "groep13.iii.hogent.be";
    };
    zone "63.168.192.in-addr.arpa" IN {
        type master;
        file "63.168.192.in-addr.arpa";
    };
nano /var/named/groep13.iii.hogent.be
    $TTL 60
    @       IN SOA groep13.iii.hogent.be. quinten.schelfhout.ugent.be. (
                2014121701
                1D
                1D
                1D
                3D )
            IN NS curie
    bohr    IN A 192.168.63.254
    curie   IN A 192.168.63.1
    dirac   IN A 192.168.63.250
nano /var/named/63.168.192.in-addr.arpa
    $TTL 60
    @       IN SOA groep13.iii.hogent.be. james.pas.ugent.be. (
                2014121701
                1D
                1D
                1D
                3D )
            IN NS curie.groep13.iii.hogent.be.
    1       IN PTR curie.groep13.iii.hogent.be.
    250     IN PTR dirac.groep13.iii.hogent.be.
    254     IN PTR bohr.groep13.iii.hogent.be.
Check the DNS configuration:
named-checkconf
named-checkzone <zone name> <file name>
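named-checkzone validates each zone file on its own but does not check that the forward and reverse zones agree with each other. The following Python check is added here and is not part of the original notes: it parses constructed copies of the two zone files above (SOA joined on one line) and reports every A record without a matching PTR and vice versa. It assumes the zone origins given below and the one-record-per-line layout used in these files.

```python
import re
# Constructed copies of the two zone files from the notes above (SOA joined on one line).
FORWARD_ORIGIN = "groep13.iii.hogent.be."
REVERSE_ORIGIN = "63.168.192.in-addr.arpa."
FORWARD_ZONE = """\
$TTL 60
@ IN SOA groep13.iii.hogent.be. quinten.schelfhout.ugent.be. (
    2014121701 1D 1D 1D 3D )
    IN NS curie
@ IN MX 10 curie
bohr  IN A 192.168.63.254
curie IN A 192.168.63.1
dirac IN A 192.168.63.250
"""
REVERSE_ZONE = """\
$TTL 60
@ IN SOA groep13.iii.hogent.be. james.pas.ugent.be. (
    2014121701 1D 1D 1D 3D )
    IN NS curie.groep13.iii.hogent.be.
1   IN PTR curie.groep13.iii.hogent.be.
250 IN PTR dirac.groep13.iii.hogent.be.
254 IN PTR bohr.groep13.iii.hogent.be.
"""

def fqdn(name, origin):
    """Qualify a relative owner or target name against the zone origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def records(zone_text, rtype, origin):
    """Yield (owner_fqdn, rdata) for each record of one type (one record per line only)."""
    pat = re.compile(r"^(\S+)\s+IN\s+" + rtype + r"\s+(\S+)\s*$")
    for line in zone_text.splitlines():
        m = pat.match(line)
        if m:
            yield fqdn(m.group(1), origin), m.group(2)

def check_consistency(forward, reverse, origin, rev_origin):
    """Return a list of A records without a matching PTR and vice versa."""
    a_by_ip = {ip: host for host, ip in records(forward, "A", origin)}
    ptr_by_ip = {}
    for owner, target in records(reverse, "PTR", rev_origin):
        octets = owner.rstrip(".").split(".")[:4]   # "250.63.168.192..." -> 192.168.63.250
        ptr_by_ip[".".join(reversed(octets))] = fqdn(target, origin)
    problems = [f"A {h} -> {ip} has no matching PTR"
                for ip, h in a_by_ip.items() if ptr_by_ip.get(ip) != h]
    problems += [f"PTR {ip} -> {h} has no matching A"
                 for ip, h in ptr_by_ip.items() if a_by_ip.get(ip) != h]
    return problems
```

An empty list means the two zones agree; run it again after every zone edit, since a stale PTR is the usual cause of reverse lookups that disagree with the forward name.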
Sendmail configuration:
Add an MX record to the DNS zone as the second line:
    @       IN MX 10 curie
Configuration in /etc/mail/sendmail.mc on Curie:
    include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
    dnl cf.m4 is the standard location of the sendmail-cf macros on RHEL/CentOS
    OSTYPE(`linux')dnl
    define(`confMAX_HOP',`25')dnl
    define(`confSMTP_LOGIN_MSG',`$j mailer ready at $b')dnl
    define(`confMIME_FORMAT_ERRORS',`False')dnl
    dnl promiscuous_relay disables all relay checks: this host then relays
    dnl mail from any source (an open relay), acceptable only in this lab
    FEATURE(`promiscuous_relay')dnl
    FEATURE(`accept_unqualified_senders')dnl
    FEATURE(`use_cw_file')dnl
    MASQUERADE_AS(groep13.iii.hogent.be)dnl
    MAILER(smtp)dnl
Build the sendmail.cf file with the m4 command:
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
/etc/mail/local-host-names:
    groep13.iii.hogent.be
/etc/hosts:
    127.0.0.1 localhost.localdomain localhost curie curie.groep13.iii.hogent.be
(Re)start the service:
service sendmail restart
------------------------------------------------------------
DIRAC
------------------------------------------------------------
Configure as router:
sysctl -w net.ipv4.ip_forward=1
or
echo 1 > /proc/sys/net/ipv4/ip_forward
Make it persistent by editing /etc/sysctl.conf:
    net.ipv4.ip_forward = 1
Edit the configuration files:
cd /etc/sysconfig/network-scripts
nano ifcfg-lan0
    DEVICE=lan0
    BOOTPROTO=none
    GATEWAY=192.168.63.254
    IPADDR=192.168.63.250
    PREFIX=24
    ONBOOT=yes
nano ifcfg-lan1
    DEVICE=lan1
    BOOTPROTO=none
    GATEWAY=192.168.63.254
    IPADDR=10.0.0.254
    PREFIX=24
    ONBOOT=yes
cd /
nano /etc/resolv.conf
    nameserver 192.168.63.1
Apply the configuration:
ifdown lan0
ifdown lan1
ifup lan0
ifup lan1
Check the IP addresses:
ifconfig
Configure the firewall (iptables):
nano firewall.sh
____________________________________________________________
#!/bin/bash
# Flush and delete all existing rules and user chains
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
# Default deny; only the explicit ACCEPT rules below are allowed.
# Note: with INPUT and OUTPUT on DROP and only the ICMP rules below, the
# router itself can send and receive nothing but ICMP: its own DNS queries
# to 192.168.63.1 (resolv.conf) and SSH logins to this host are dropped.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
DMZ_NET="192.168.63.0/24"
LAN_NET="10.0.0.0/8"
DMZ_IP="192.168.63.1"
# Allow ICMP traffic on the two connected networks.
# Strictly, the message type should be restricted with --icmp-type
# so that only ping (echo-request and echo-reply) is allowed.
iptables -I INPUT -p icmp -s $DMZ_NET -j ACCEPT
iptables -I INPUT -p icmp -s $LAN_NET -j ACCEPT
iptables -I FORWARD -p icmp -s $DMZ_NET -j ACCEPT
iptables -I FORWARD -p icmp -s $LAN_NET -j ACCEPT
iptables -I OUTPUT -p icmp -d $DMZ_NET -j ACCEPT
iptables -I OUTPUT -p icmp -d $LAN_NET -j ACCEPT
# Allow DNS traffic
iptables -I FORWARD -p udp -d $DMZ_IP --dport domain -j ACCEPT
iptables -I FORWARD -p udp -s $DMZ_IP --sport domain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow HTTP traffic
iptables -I FORWARD -p tcp -d $DMZ_IP --dport http -j ACCEPT
iptables -I FORWARD -p tcp -s $DMZ_IP --sport http -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow SSH traffic
iptables -I FORWARD -p tcp -d $DMZ_IP --dport ssh -j ACCEPT
iptables -I FORWARD -p tcp -s $DMZ_IP --sport ssh -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow SMTP traffic
iptables -I FORWARD -p tcp -d $DMZ_IP --dport smtp -j ACCEPT
iptables -I FORWARD -p tcp -s $DMZ_IP --sport smtp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow authenticated mail submission traffic
iptables -I FORWARD -p tcp -d $DMZ_IP --dport submission -j ACCEPT
iptables -I FORWARD -p tcp -s $DMZ_IP --sport submission -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow POP3 traffic
iptables -I FORWARD -p tcp -d $DMZ_IP --dport pop3 -j ACCEPT
iptables -I FORWARD -p tcp -s $DMZ_IP --sport pop3 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow IMAP traffic
iptables -I FORWARD -p tcp -d $DMZ_IP --dport imap -j ACCEPT
iptables -I FORWARD -p tcp -s $DMZ_IP --sport imap -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
____________________________________________________________
sh firewall.sh
iptables -L
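As an added check, not part of the original notes, the following Python script audits a constructed excerpt of the rules from firewall.sh for the two points the script's comments raise: ICMP accepts that lack --icmp-type, and a service rule toward the DMZ host that has no ESTABLISHED,RELATED return rule. It assumes the rules are given one iptables command per line with the shell variables already expanded.

```python
import shlex

DMZ_IP = "192.168.63.1"
# Constructed excerpt of firewall.sh above, one rule per line, variables expanded.
RULES = """\
iptables -I INPUT -p icmp -s 192.168.63.0/24 -j ACCEPT
iptables -I FORWARD -p icmp -s 10.0.0.0/8 -j ACCEPT
iptables -I FORWARD -p udp -d 192.168.63.1 --dport domain -j ACCEPT
iptables -I FORWARD -p udp -s 192.168.63.1 --sport domain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -p tcp -d 192.168.63.1 --dport http -j ACCEPT
iptables -I FORWARD -p tcp -s 192.168.63.1 --sport http -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -p tcp -d 192.168.63.1 --dport ssh -j ACCEPT
""".splitlines()

def parse(rule):
    """Map each option of one iptables command line to its argument (True if it takes none)."""
    toks = shlex.split(rule)[1:]          # drop the leading "iptables"
    opts, i = {}, 0
    while i < len(toks):
        has_arg = i + 1 < len(toks) and not toks[i + 1].startswith("-")
        opts[toks[i]] = toks[i + 1] if has_arg else True
        i += 2 if has_arg else 1
    return opts

def audit(rules, dmz_ip):
    """Return findings: ICMP accepts without --icmp-type, and service rules
    toward the DMZ host that have no ESTABLISHED,RELATED return rule."""
    parsed = [parse(r) for r in rules]
    findings = []
    for o in parsed:
        if o.get("-p") == "icmp" and "--icmp-type" not in o:
            chain = o.get("-I") or o.get("-A")
            findings.append(f"{chain}: icmp rule from {o.get('-s', 'any')} allows every ICMP type")
    for o in parsed:
        if o.get("-d") != dmz_ip or "--dport" not in o:
            continue
        port, proto = o["--dport"], o.get("-p")
        paired = any(r.get("-s") == dmz_ip and r.get("-p") == proto
                     and r.get("--sport") == port
                     and "ESTABLISHED" in str(r.get("--ctstate", ""))
                     for r in parsed)
        if not paired:
            findings.append(f"{proto}/{port} to {dmz_ip}: no ESTABLISHED,RELATED return rule")
    return findings

if __name__ == "__main__":
    for finding in audit(RULES, DMZ_IP):
        print(finding)
```

The excerpt deliberately omits the ssh return rule, so the last finding shows what a half-added service looks like; on the full script only the ICMP findings remain.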
------------------------------------------------------------
EINSTEIN
------------------------------------------------------------
Edit the configuration files:
cd /etc/sysconfig/network-scripts
nano ifcfg-lan1
    DEVICE=lan1
    BOOTPROTO=none
    # DIRAC's lan1 address: the gateway must lie on the client's own subnet
    GATEWAY=10.0.0.254
    IPADDR=10.0.0.1
    PREFIX=24
    ONBOOT=yes
cd /
nano /etc/resolv.conf
    nameserver 192.168.63.1
Apply the configuration:
ifdown lan1
ifup lan1
Check the IP addresses:
ifconfig