====== Настройка шлюза в классе ======
===== ISP1 =====
==== FreeBSD/Debian/Ubuntu ====
* Сменить пароль
# cat /etc/resolv.conf
search isp.un
nameserver 127.0.0.1
# cat /etc/hosts
127.0.0.1 localhost localhost.isp.un
172.16.1.254 gate.isp.un gate
==== FreeBSD ====
[gate.isp.un:~] # cat /etc/rc.conf
# /etc/rc.conf on the ISP1 gateway (gate.isp.un): one interface, two addresses.
hostname="gate.isp.un"
# External (class network) address on em0. No prefix length is given here,
# so ifconfig falls back to its default mask — compare the explicit /24 used
# on gate.isp2.un; verify the resulting netmask with ifconfig.
ifconfig_em0="inet 10.N.M.252"
# Internal ISP1 address as an alias on the same interface
ifconfig_em0_alias0="inet 172.16.1.254/24"
defaultrouter="10.N.M.254"
# Forward packets between the internal and external networks
gateway_enable=yes
keyrate="fast"
sshd_enable=yes
# Load /etc/pf.conf (the NAT rule) at boot
pf_enable=yes
[gate.isp.un:~] # cat > /etc/pf.conf
# /etc/pf.conf on gate.isp.un: a single source-NAT rule.
ext_ip="10.N.M.252"
# NOTE(review): the table name is missing here. pf writes it as <name>
# between "table" and "{", and again after "from" and after "to !" in the
# nat rule; the wiki renderer most likely stripped the angle brackets, so
# restore the same <name> in all three places before using this file.
# The table lists the networks treated as internal; !172.16.1.254 excludes
# the gateway's own internal address so its own traffic is not rewritten.
table {127/8, 172.16/12, !172.16.1.254, 10.N.M/24 ,192.168/16}
# Rewrite the source of traffic from the internal networks that is bound
# for anything outside them to the external address.
nat from to ! -> $ext_ip
[gate.isp.un:~] # cat route.sh
# route.sh — static routes to the 55 student stands: stand i's network
# 192.168.i.0/24 is reached through that stand's router at 172.16.1.i.
# jot(1) is the BSD sequence generator; the script is run with sh (POSIX).
for stand in $(jot 55 1); do
  route add "192.168.${stand}/24" "172.16.1.${stand}"
done
[gate.isp.un:~] # sh
# for i in `jot 55 1`; do rmuser -y user$i; done
# for i in `jot 55 1`; do echo user$i:::russian:::::/bin/csh:password$i; done | adduser -f -
# for i in `jot 55 1`; do echo user$i::::::::/bin/csh:password$i; done | adduser -f -
==== Debian/Ubuntu ====
root@nessus.isp.un:~# cat /etc/hostname
nessus.isp.un
root@nessus.isp.un:~# grep forw /etc/sysctl.conf
...
net.ipv4.ip_forward=1
...
root@nessus.isp.un:~# sysctl -f
root@nessus.isp.un:~# cat nat.sh
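# nat.sh — source NAT for the ISP1 networks behind nessus.isp.un.
# Rule order matters: the ACCEPT for the gateway's own internal address is
# appended first so it is never rewritten; everything else from
# 172.16.1.0/24 and the 192.168.0.0/16 stand networks is rewritten to the
# external address.
iptables -t nat --flush
iptables -t nat -A POSTROUTING -s 172.16.1.254 -j ACCEPT
# External address is 10.N.M.178 — kept consistent with the "address" line
# for eth0 in /etc/network/interfaces (the placeholders were swapped here).
iptables -t nat -A POSTROUTING -s 172.16.1.0/24,192.168.0.0/16 -j SNAT --to-source 10.N.M.178
# Drop existing conntrack entries so connections seen before the rules were
# loaded are re-evaluated under the new NAT mapping.
conntrack -F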
root@nessus.isp.un:~# sh nat.sh
root@nessus.isp.un:~# iptables-save > /etc/iptables.rules
root@nessus.isp.un:~# cat /etc/network/interfaces
# /etc/network/interfaces on nessus.isp.un
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
# Restore the saved NAT ruleset before eth0 comes up, so the rules are in
# place before any packet can be forwarded.
pre-up iptables-restore < /etc/iptables.rules
address 10.N.M.178
netmask 255.255.255.0
gateway 10.N.M.254
# Internal ISP1 address as an alias on the same interface
auto eth0:0
iface eth0:0 inet static
address 172.16.1.254
netmask 255.255.255.0
# Per-stand routes can be added here as "up" lines, one per stand, e.g.:
# up route add -net 192.168.1.0 netmask 255.255.255.0 gw 172.16.1.1
# ...
# up route add -net 192.168.55.0 netmask 255.255.255.0 gw 172.16.1.55
# cat route.bash
# route.bash — template for the 55 per-stand routes. Both actions are
# commented out, so as written the loop does nothing: uncomment the first
# line to add the routes directly, or the second to print "up route ..."
# lines for pasting into /etc/network/interfaces.
for i in {1..55}
do
#route add -net 192.168.${i}.0 netmask 255.255.255.0 gw 172.16.1.${i}
#echo " " up route add -net 192.168.${i}.0 netmask 255.255.255.0 gw 172.16.1.${i}
done
root@nessus.isp.un:~# cat createuser.bash
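# createuser.bash — create the lab accounts user1..userN with the password
# scheme password<i>. N defaults to 55 and may be given as $1. Needs root.
# To remove the accounts again: userdel -r user<i>.
n=${1:-55}
for ((i = 1; i <= n; i++)); do
  printf '%s\n' "$i"
  # Skip the password step when the account could not be created, so a
  # re-run does not silently reset the password of an already existing
  # account.
  if ! useradd -m -s /bin/bash "user${i}"; then
    printf 'createuser: useradd user%s failed, skipping\n' "$i" >&2
    continue
  fi
  # chpasswd reads user:password pairs from stdin, keeping the password
  # off the command line (not visible in ps).
  printf 'user%s:password%s\n' "$i" "$i" | chpasswd
done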
==== FreeBSD/Ubuntu ====
* [[Установка, настройка и запуск пакета SQUID]]
* [[Сервис Clamav]]
* [[Локализация системы]]
* [[Сервер dovecot]]
* [[Сервис MTA]] для зоны isp.un
===== DNS =====
* [[Сервис DNS]]
# cat /usr/local/etc/namedb/named.conf
# cat /etc/bind/named.conf.options
# cat /etc/bind/named.conf.local
// BIND configuration for the isp.un server (resolver for the stands and
// authoritative for "un").
options {
...
// Queries this server is not authoritative for go to the upstream class DNS
forwarders {
10.N.M.Z;
};
...
// NOTE(review): recursion is open to every client that can reach the
// server. The host also has an address in 10.N.M/24, so this is wider than
// the 172.16.1/24 and 192.168/16 stand networks it serves; restricting
// allow-recursion to those networks (or an acl) avoids running an open
// resolver.
allow-recursion { any; };
...
// DNSSEC validation is not enabled explicitly here (line left commented)
// dnssec-validation auto;
...
};
// Authoritative zone "un"; one "file" line per OS layout is kept commented —
// uncomment the FreeBSD or the Debian path as appropriate.
zone "un" {
type master;
// file "/usr/local/etc/namedb/master/un";
// file "/etc/bind/un";
};
//For lin7 (deprecated), msc (deprecated)
zone "168.192.in-addr.arpa" {
type master;
// file "/usr/local/etc/namedb/master/192.168.rev";
// file "/etc/bind/192.168.rev";
};
//for lin2: each stand's corpN.un zone is forwarded to that stand's own DNS
//server at 192.168.N.10 (the commented alternative uses 172.16.1.N)
zone "corp1.un" IN {type forward;forwarders {192.168.1.10;};};
...
zone "corp55.un" IN {type forward;forwarders {192.168.55.10;};};
//zone "corp1.un" IN {type forward;forwarders {172.16.1.1;};};
...
//zone "corp55.un" IN {type forward;forwarders {172.16.1.55;};};
# cat un
; Zone file for "un". Names without a trailing dot are relative to the
; origin, so "ns" is ns.un and "gate.isp" is gate.isp.un.
$TTL 3h
; SOA: primary ns, admin mailbox root@gate.isp.un, serial 44, then
; refresh / retry / expire / negative-cache TTL
@ SOA ns root.gate.isp.un. 44 1d 12h 1w 3h
NS ns
ns A 172.16.1.254
isp A 172.16.1.254
;voip1 A 80.250.209.226
gate.isp A 172.16.1.254
mail.isp A 172.16.1.254
;openvas.isp A 172.16.1.252
; The $GENERATE lines below are alternative address plans for the different
; lab variants (lin1, lin2, lin5, lin7, CGP, ...); enable only the set that
; matches the current exercise and bump the SOA serial afterwards.
;for lin1, asterisk1
;$GENERATE 1-55 server.corp$ A 172.16.1.$
;for lin2, asterisk2
;$GENERATE 1-55 ns$ A 172.16.1.$
;$GENERATE 1-55 ns$ A 192.168.$.10
;$GENERATE 1-55 corp$ NS ns$
;for lin5
;$GENERATE 1-9 router$.isp A 172.16.1.19$
;for lin7, lin3
;$GENERATE 1-55 server.corp$ A 192.168.$.10
;$GENERATE 1-55 www.corp$ A 192.168.$.20
;$GENERATE 1-55 gate.corp$ A 192.168.$.1
;$GENERATE 1-55 router.corp$ A 192.168.$.1
;$GENERATE 1-55 switch.corp$ A 192.168.$.3
;$GENERATE 1-55 switch1.corp$ A 192.168.$.3
;$GENERATE 1-55 switch2.corp$ A 192.168.$.4
;$GENERATE 1-55 switch3.corp$ A 192.168.$.5
;$GENERATE 1-9 lan.corp$ A 192.168.10$.10
;$GENERATE 10-55 lan.corp$ A 192.168.1$.10
;$GENERATE 10-55 corp$ A 192.168.$.10
;$GENERATE 10-55 mgmt.corp$ A 192.168.$.20
;for CGP
;$GENERATE 1-9 mail.corp$ A 172.16.1.10$
;$GENERATE 10-15 mail.corp$ A 172.16.1.1$
;$GENERATE 1-9 corp$ A 172.16.1.10$
;$GENERATE 10-15 corp$ A 172.16.1.1$
;corp1 MX 10 mail.corp1
;corp2 MX 10 mail.corp2
;corp3 MX 10 mail.corp3
;corp4 MX 10 mail.corp4
;corp5 MX 10 mail.corp5
;corp6 MX 10 mail.corp6
;corp7 MX 10 mail.corp7
;corp8 MX 10 mail.corp8
;corp9 MX 10 mail.corp9
;corp10 MX 10 mail.corp10
;corp11 MX 10 mail.corp11
;corp12 MX 10 mail.corp12
;corp13 MX 10 mail.corp13
;corp14 MX 10 mail.corp14
;corp15 MX 10 mail.corp15
;$GENERATE 1-9 mail.comp$ A 172.16.1.20$
;$GENERATE 10-15 mail.comp$ A 172.16.1.2$
;$GENERATE 1-9 comp$ A 172.16.1.20$
;$GENERATE 10-15 comp$ A 172.16.1.2$
;$GENERATE 1-9 autoconfig.corp$ A 172.16.1.10$
;$GENERATE 1-9 user1.corp$ A 172.16.1.10$
;$GENERATE 1-9 www.corp$ A 172.16.1.10$
;$GENERATE 1-9 corp$ MX 10 mail.corp$
;$GENERATE 1-9 corp$ A 172.16.1.10$
;$GENERATE 1-9 mail.comp$ A 172.16.1.20$
;$GENERATE 1-9 comp$ MX 10 mail.comp$
;$GENERATE 1-9 comp$ A 172.16.1.20$
# cat isp.dns.sh
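# Stand numbers 1..55, one per student workstation. Listed explicitly so the
# script works with plain sh on both FreeBSD and Linux. The list previously
# had "51" twice and no "52", so zone comp52.un was never generated.
STANDS="1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55"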
for i in $STANDS
do
#dir=/etc/bind
#dir=/usr/local/etc/namedb/master
echo zone "comp$i.un" \{type master\; file \"${dir}/comp$i.un\"\;\}\;
cat > ${dir}/comp$i.un<
===== ISP2 =====
==== Debian/Ubuntu ====
# git clone http://val.bmstu.ru/unix/conf.git
# cat conf/isp2/readme.txt
root@gate.isp2.un:~# cat /etc/network/interfaces
# /etc/network/interfaces on gate.isp2.un: here eth0 is the internal ISP2
# side and the alias eth0:0 carries the external class address.
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 172.16.2.254
netmask 255.255.255.0
auto eth0:0
iface eth0:0 inet static
# Restore the saved NAT ruleset before the external alias comes up.
pre-up iptables-restore < /etc/iptables.rules
address 10.N.M.179
netmask 255.255.255.0
gateway 10.N.M.254
root@gate.isp2.un:~# cat nat.sh
# nat.sh — source NAT for the ISP2 network. Order matters: the gateway's own
# internal address is exempted first, then 172.16.2.0/24 is rewritten to the
# external address 10.N.M.179 (the eth0:0 address in /etc/network/interfaces).
iptables -t nat --flush
iptables -t nat -A POSTROUTING -s 172.16.2.254 -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.16.2.0/24 -j SNAT --to-source 10.N.M.179
# Flush conntrack so connections seen before the rules were loaded are
# re-evaluated under the new mapping.
conntrack -F
root@gate.isp2.un:~# grep forw /etc/sysctl.conf
...
net.ipv4.ip_forward=1
...
==== FreeBSD ====
[gate.isp2.un:~] # cat /etc/rc.conf
# /etc/rc.conf on gate.isp2.un: em0 carries the internal ISP2 address with
# the external class address as an alias (the reverse of gate.isp.un).
hostname="gate.isp2.un"
# No IPv6 configuration on any interface
ipv6_network_interfaces=none
ifconfig_em0="inet 172.16.2.254/24"
ifconfig_em0_alias0="inet 10.N.M.126/24"
defaultrouter="10.N.M.254"
# Forward packets between the two networks
gateway_enable="YES"
# Load /etc/pf.conf (the NAT rule) at boot
pf_enable=yes
keyrate="fast"
sshd_enable=yes
# This gateway also runs BIND (see the DNS section)
named_enable=yes
[gate.isp2.un:~] # cat /etc/pf.conf
# /etc/pf.conf on gate.isp2.un: a single source-NAT rule.
ext_ip="10.N.M.126"
# NOTE(review): the table name is missing here (pf writes it as <name>
# after "table", after "from" and after "to !"); the wiki renderer most
# likely stripped the angle brackets — restore the same <name> in all three
# places. !172.16.2.254 keeps the gateway's own internal address out of NAT.
table {127/8, 172.16/12, !172.16.2.254, 10.N.M/24}
# Rewrite the source of internal traffic bound outside the listed networks.
nat from to ! -> $ext_ip
===== Voip1 =====
==== SIP ====
[radio:~] # cat /usr/local/asterisk/etc/asterisk/sip.conf
; sip.conf on the voip1 ("radio") host
[general]
context=office
udpbindaddr=80.250.209.226
udpbindport=5060
; No unauthenticated guest calls, and the same rejection for unknown users
; and wrong passwords (no account enumeration from the error).
allowguest=no
alwaysauthreject=yes
disallow=all
allow=alaw
dtmfmode=rfc2833
; Registration with the SIP provider (credentials redacted as x's)
;register => xxxxxxxx:xxxxxxxx@sipnet.ru/sipnet_xxxxxxxx
; NOTE(review): this section name has one "x" fewer than the name used in
; callbackextension and in the dialplan (sipnet_xxxxxxxx) — make sure the
; real names match.
[sipnet_xxxxxxx]
defaultuser=xxxxxxxx
secret=xxxxxxxx
host=sipnet.ru
type=peer
; Incoming INVITEs from the provider are matched by host and not challenged
; for a password.
insecure=invite
fromuser=xxxxxxxx
fromdomain=sipnet.ru
canreinvite=no
callbackextension=sipnet_xxxxxxxx
; Template for the office phones (they inherit context=office from [general])
[200](!)
type=friend
host=dynamic
canreinvite=no
[202](200)
secret=tpassword202
[204](200)
secret=tpassword204
;canreinvite=no
;mailbox=204@isp
; Template for the student accounts 000001..000013. They land in the "voip"
; context, which in extensions.conf dials out through the sipnet trunk.
; NOTE(review): the secrets follow a guessable pattern (spassword<N>); with
; outbound PSTN access that is a toll-fraud exposure — outside the lab use a
; random secret per account.
[000000](!)
;type=friend
type=user
host=dynamic
context=voip
;nat=yes
;qualify=yes
;canreinvite=no
[000001](000000)
secret=spassword1
[000002](000000)
secret=spassword2
[000003](000000)
secret=spassword3
[000004](000000)
secret=spassword4
[000005](000000)
secret=spassword5
[000006](000000)
secret=spassword6
[000007](000000)
secret=spassword7
[000008](000000)
secret=spassword8
[000009](000000)
secret=spassword9
[000010](000000)
secret=spassword10
[000011](000000)
secret=spassword11
[000012](000000)
secret=spassword12
[000013](000000)
secret=spassword13
==== IAX ====
root@server.corp13.un:~# cat /etc/asterisk/iax.conf
...
; iax.conf on server.corp13.un. For every other stand N there is a pair of
; sections: a type=user entry [corpN] for calls stand N places to us
; (checked against apasswordN), and a type=peer entry for calls we place to
; server.corpN.un, authenticating as corp13 with our own secret apassword13.
; auth=md5 uses a challenge/response, so the secret itself is not sent.
[corp1]
type=user
host=dynamic
secret=apassword1
auth=md5
[corp01]
type=peer
host=server.corp1.un
username=corp13
secret=apassword13
auth=md5
[corp2]
type=user
host=dynamic
secret=apassword2
auth=md5
[corp02]
type=peer
host=server.corp2.un
username=corp13
secret=apassword13
auth=md5
[corp3]
type=user
host=dynamic
secret=apassword3
auth=md5
[corp03]
type=peer
host=server.corp3.un
username=corp13
secret=apassword13
auth=md5
[corp4]
type=user
host=dynamic
secret=apassword4
auth=md5
[corp04]
type=peer
host=server.corp4.un
username=corp13
secret=apassword13
auth=md5
[corp5]
type=user
host=dynamic
secret=apassword5
auth=md5
[corp05]
type=peer
host=server.corp5.un
username=corp13
secret=apassword13
auth=md5
[corp6]
type=user
host=dynamic
secret=apassword6
auth=md5
[corp06]
type=peer
host=server.corp6.un
username=corp13
secret=apassword13
auth=md5
[corp7]
type=user
host=dynamic
secret=apassword7
auth=md5
[corp07]
type=peer
host=server.corp7.un
username=corp13
secret=apassword13
auth=md5
[corp8]
type=user
host=dynamic
secret=apassword8
auth=md5
[corp08]
type=peer
host=server.corp8.un
username=corp13
secret=apassword13
auth=md5
[corp9]
type=user
host=dynamic
secret=apassword9
auth=md5
[corp09]
type=peer
host=server.corp9.un
username=corp13
secret=apassword13
auth=md5
[corp10]
type=user
host=dynamic
secret=apassword10
auth=md5
; NOTE(review): for stands 10-12 the peer section reuses the user section's
; name ([corp10] appears twice), whereas 1-9 use the distinct [corp01]..
; [corp09]. The dialplan dials IAX2/corp<two digits>, so corp10-12 still
; resolve, but two identically named sections are easy to confuse when
; editing — consider giving the peers distinct names.
[corp10]
type=peer
host=server.corp10.un
username=corp13
secret=apassword13
auth=md5
[corp11]
type=user
host=dynamic
secret=apassword11
auth=md5
[corp11]
type=peer
host=server.corp11.un
username=corp13
secret=apassword13
auth=md5
[corp12]
type=user
host=dynamic
secret=apassword12
auth=md5
[corp12]
type=peer
host=server.corp12.un
username=corp13
secret=apassword13
auth=md5
root@server.corp13.un:~# cat /etc/asterisk/extensions.conf
...
; The context header of this first group is above the excerpt (presumably
; the "office" context set in sip.conf [general] — confirm).
; 8 followed by 9 then ten digits: PSTN call out through the sipnet trunk
exten => _89XXXXXXXXX,1,Dial(SIP/sipnet_xxxxxxxx/${EXTEN})
; 8XX: ring student account 0000XX (801 -> SIP/000001)
exten => _8XX,1,Dial(SIP/0000${EXTEN:1})
; Incoming call from the provider: used to ring the office phones 204 and
; 202, now rings student phones 000001-000012 simultaneously
;exten => sipnet_xxxxxxxx,1,Dial(SIP/204&SIP/202)
exten => sipnet_xxxxxxxx,1,Dial(SIP/000001&SIP/000002&SIP/000003&SIP/000004&SIP/000005&SIP/000006&SIP/000007&SIP/000008&SIP/000009&SIP/000010&SIP/000011&SIP/000012)
; 0NN4XX: extension 4XX on stand NN over IAX2 (peer corpNN from iax.conf),
; with our caller id prefixed by 013 so the far side sees stand 13
exten => _0XX4XX,1,Set(CALLERID(num)=013${CALLERID(num)})
exten => _0XX4XX,n,Dial(IAX2/corp${EXTEN:1:2}/${EXTEN:3})
; Context for the student accounts (sip.conf [000000] template): only the
; outbound PSTN pattern is reachable from here
[voip]
exten => _89XXXXXXXXX,1,Dial(SIP/sipnet_xxxxxxxx/${EXTEN})
...