====== Настройка шлюза в классе ======

===== ISP1 =====

==== FreeBSD/Debian/Ubuntu ====

  * Сменить пароль

# cat /etc/resolv.conf
search isp.un
nameserver 127.0.0.1

# cat /etc/hosts
127.0.0.1    localhost localhost.isp.un
172.16.1.254 gate.isp.un gate

==== FreeBSD ====

[gate.isp.un:~] # cat /etc/rc.conf
hostname="gate.isp.un"
ifconfig_em0="inet 10.N.M.252"
ifconfig_em0_alias0="inet 172.16.1.254/24"
defaultrouter="10.N.M.254"
gateway_enable=yes
keyrate="fast"
sshd_enable=yes
pf_enable=yes

[gate.isp.un:~] # cat > /etc/pf.conf
ext_ip="10.N.M.252"
table {127/8, 172.16/12, !172.16.1.254, 10.N.M/24 ,192.168/16}
nat from to ! -> $ext_ip

[gate.isp.un:~] # cat route.sh
for i in `jot 55 1`
do
route add 192.168.${i}/24 172.16.1.${i}
done

[gate.isp.un:~] # sh

# for i in `jot 55 1`; do rmuser -y user$i; done
# for i in `jot 55 1`; do echo user$i:::russian:::::/bin/csh:password$i; done | adduser -f -
# for i in `jot 55 1`; do echo user$i::::::::/bin/csh:password$i; done | adduser -f -

==== Debian/Ubuntu ====

root@nessus.isp.un:~# cat /etc/hostname
nessus.isp.un

root@nessus.isp.un:~# grep forw /etc/sysctl.conf
...
net.ipv4.ip_forward=1
...

root@nessus.isp.un:~# sysctl -f

root@nessus.isp.un:~# cat nat.sh
iptables -t nat --flush
iptables -t nat -A POSTROUTING -s 172.16.1.254 -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.16.1.0/24,192.168.0.0/16 -j SNAT --to-source 10.M.N.178
conntrack -F

root@nessus.isp.un:~# sh nat.sh
root@nessus.isp.un:~# iptables-save > /etc/iptables.rules

root@nessus.isp.un:~# cat /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    pre-up iptables-restore < /etc/iptables.rules
    address 10.N.M.178
    netmask 255.255.255.0
    gateway 10.N.M.254

auto eth0:0
iface eth0:0 inet static
    address 172.16.1.254
    netmask 255.255.255.0
#   up route add -net 192.168.1.0 netmask 255.255.255.0 gw 172.16.1.1
# ...
#   up route add -net 192.168.55.0 netmask 255.255.255.0 gw 172.16.1.55

# cat route.bash
for i in {1..55}
do
#route add -net 192.168.${i}.0 netmask 255.255.255.0 gw 172.16.1.${i}
#echo " "
up route add -net 192.168.${i}.0 netmask 255.255.255.0 gw 172.16.1.${i}
done

root@nessus.isp.un:~# cat createuser.bash
for i in {1..55}
do
echo $i
useradd user${i} -m -s /bin/bash
echo user${i}:password${i} | chpasswd
# userdel -r user${i}
done

==== FreeBSD/Ubuntu ====

  * [[Установка, настройка и запуск пакета SQUID]]
  * [[Сервис Clamav]]
  * [[Локализация системы]]
  * [[Сервер dovecot]]
  * [[Сервис MTA]] для зоны isp.un

===== DNS =====

  * [[Сервис DNS]]

# cat /usr/local/etc/namedb/named.conf
# cat /etc/bind/named.conf.options
# cat /etc/bind/named.conf.local
options {
...
        forwarders { 10.N.M.Z; };
...
        allow-recursion { any; };
...
//      dnssec-validation auto;
...
};

zone "un" {
        type master;
//      file "/usr/local/etc/namedb/master/un";
//      file "/etc/bind/un";
};

//For lin7 (deprecated), msc (deprecated)
zone "168.192.in-addr.arpa" {
        type master;
//      file "/usr/local/etc/namedb/master/192.168.rev";
//      file "/etc/bind/192.168.rev";
};

//for lin2
zone "corp1.un" IN {type forward;forwarders {192.168.1.10;};};
...
zone "corp55.un" IN {type forward;forwarders {192.168.55.10;};};

//zone "corp1.un" IN {type forward;forwarders {172.16.1.1;};};
...
//zone "corp55.un" IN {type forward;forwarders {172.16.1.55;};};

# cat un
$TTL 3h
@       SOA     ns root.gate.isp.un.
44 1d 12h 1w 3h
        NS      ns
ns              A       172.16.1.254
isp             A       172.16.1.254
;voip1          A       80.250.209.226
gate.isp        A       172.16.1.254
mail.isp        A       172.16.1.254
;openvas.isp    A       172.16.1.252

;for lin1, asterisk1
;$GENERATE 1-55 server.corp$ A 172.16.1.$

;for lin2, asterisk2
;$GENERATE 1-55 ns$ A 172.16.1.$
;$GENERATE 1-55 ns$ A 192.168.$.10
;$GENERATE 1-55 corp$ NS ns$

;for lin5
;$GENERATE 1-9 router$.isp A 172.16.1.19$

;for lin7, lin3
;$GENERATE 1-55 server.corp$ A 192.168.$.10
;$GENERATE 1-55 www.corp$ A 192.168.$.20
;$GENERATE 1-55 gate.corp$ A 192.168.$.1
;$GENERATE 1-55 router.corp$ A 192.168.$.1
;$GENERATE 1-55 switch.corp$ A 192.168.$.3
;$GENERATE 1-55 switch1.corp$ A 192.168.$.3
;$GENERATE 1-55 switch2.corp$ A 192.168.$.4
;$GENERATE 1-55 switch3.corp$ A 192.168.$.5
;$GENERATE 1-9 lan.corp$ A 192.168.10$.10
;$GENERATE 10-55 lan.corp$ A 192.168.1$.10
;$GENERATE 10-55 corp$ A 192.168.$.10
;$GENERATE 10-55 mgmt.corp$ A 192.168.$.20

;for CGP
;$GENERATE 1-9 mail.corp$ A 172.16.1.10$
;$GENERATE 10-15 mail.corp$ A 172.16.1.1$
;$GENERATE 1-9 corp$ A 172.16.1.10$
;$GENERATE 10-15 corp$ A 172.16.1.1$
;corp1 MX 10 mail.corp1
;corp2 MX 10 mail.corp2
;corp3 MX 10 mail.corp3
;corp4 MX 10 mail.corp4
;corp5 MX 10 mail.corp5
;corp6 MX 10 mail.corp6
;corp7 MX 10 mail.corp7
;corp8 MX 10 mail.corp8
;corp9 MX 10 mail.corp9
;corp10 MX 10 mail.corp10
;corp11 MX 10 mail.corp11
;corp12 MX 10 mail.corp12
;corp13 MX 10 mail.corp13
;corp14 MX 10 mail.corp14
;corp15 MX 10 mail.corp15
;$GENERATE 1-9 mail.comp$ A 172.16.1.20$
;$GENERATE 10-15 mail.comp$ A 172.16.1.2$
;$GENERATE 1-9 comp$ A 172.16.1.20$
;$GENERATE 10-15 comp$ A 172.16.1.2$

;$GENERATE 1-9 autoconfig.corp$ A 172.16.1.10$
;$GENERATE 1-9 user1.corp$ A 172.16.1.10$
;$GENERATE 1-9 www.corp$ A 172.16.1.10$
;$GENERATE 1-9 corp$ MX 10 mail.corp$
;$GENERATE 1-9 corp$ A 172.16.1.10$
;$GENERATE 1-9 mail.comp$ A 172.16.1.20$
;$GENERATE 1-9 comp$ MX 10 mail.comp$
;$GENERATE 1-9 comp$ A 172.16.1.20$

# cat isp.dns.sh
STANDS="1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 51 53 54 55"

for i in $STANDS
do
#dir=/etc/bind
#dir=/usr/local/etc/namedb/master
echo zone "comp$i.un" \{type master\; file \"${dir}/comp$i.un\"\;\}\;
cat > ${dir}/comp$i.un<

===== ISP2 =====

==== Debian/Ubuntu ====

# git clone http://val.bmstu.ru/unix/conf.git
# cat conf/isp2/readme.txt

root@gate.isp2.un:~# cat /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 172.16.2.254
    netmask 255.255.255.0

auto eth0:0
iface eth0:0 inet static
    pre-up iptables-restore < /etc/iptables.rules
    address 10.N.M.179
    netmask 255.255.255.0
    gateway 10.N.M.254

root@gate.isp2.un:~# cat nat.sh
iptables -t nat --flush
iptables -t nat -A POSTROUTING -s 172.16.2.254 -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.16.2.0/24 -j SNAT --to-source 10.N.M.179
conntrack -F

root@gate.isp2.un:~# grep forw /etc/sysctl.conf
...
net.ipv4.ip_forward=1
...

==== FreeBSD ====

[gate.isp2.un:~] # cat /etc/rc.conf
hostname="gate.isp2.un"
ipv6_network_interfaces=none
ifconfig_em0="inet 172.16.2.254/24"
ifconfig_em0_alias0="inet 10.N.M.126/24"
defaultrouter="10.N.M.254"
gateway_enable="YES"
pf_enable=yes
keyrate="fast"
sshd_enable=yes
named_enable=yes

[gate.isp2.un:~] # cat /etc/pf.conf
ext_ip="10.N.M.126"
table {127/8, 172.16/12, !172.16.2.254, 10.N.M/24}
nat from to ! -> $ext_ip

===== Voip1 =====

==== SIP ====

[radio:~] # cat /usr/local/asterisk/etc/asterisk/sip.conf
[general]
context=office
udpbindaddr=80.250.209.226
udpbindport=5060
allowguest=no
alwaysauthreject=yes
disallow=all
allow=alaw
dtmfmode=rfc2833
;register => xxxxxxxx:xxxxxxxx@sipnet.ru/sipnet_xxxxxxxx

[sipnet_xxxxxxx]
defaultuser=xxxxxxxx
secret=xxxxxxxx
host=sipnet.ru
type=peer
insecure=invite
fromuser=xxxxxxxx
fromdomain=sipnet.ru
canreinvite=no
callbackextension=sipnet_xxxxxxxx

[200](!)
type=friend
host=dynamic
canreinvite=no

[202](200)
secret=tpassword202

[204](200)
secret=tpassword204
;canreinvite=no
;mailbox=204@isp

[000000](!)
;type=friend
type=user
host=dynamic
context=voip
;nat=yes
;qualify=yes
;canreinvite=no

[000001](000000)
secret=spassword1

[000002](000000)
secret=spassword2

[000003](000000)
secret=spassword3

[000004](000000)
secret=spassword4

[000005](000000)
secret=spassword5

[000006](000000)
secret=spassword6

[000007](000000)
secret=spassword7

[000008](000000)
secret=spassword8

[000009](000000)
secret=spassword9

[000010](000000)
secret=spassword10

[000011](000000)
secret=spassword11

[000012](000000)
secret=spassword12

[000013](000000)
secret=spassword13

==== IAX ====

root@server.corp13.un:~# cat /etc/asterisk/iax.conf
...
[corp1]
type=user
host=dynamic
secret=apassword1
auth=md5

[corp01]
type=peer
host=server.corp1.un
username=corp13
secret=apassword13
auth=md5

[corp2]
type=user
host=dynamic
secret=apassword2
auth=md5

[corp02]
type=peer
host=server.corp2.un
username=corp13
secret=apassword13
auth=md5

[corp3]
type=user
host=dynamic
secret=apassword3
auth=md5

[corp03]
type=peer
host=server.corp3.un
username=corp13
secret=apassword13
auth=md5

[corp4]
type=user
host=dynamic
secret=apassword4
auth=md5

[corp04]
type=peer
host=server.corp4.un
username=corp13
secret=apassword13
auth=md5

[corp5]
type=user
host=dynamic
secret=apassword5
auth=md5

[corp05]
type=peer
host=server.corp5.un
username=corp13
secret=apassword13
auth=md5

[corp6]
type=user
host=dynamic
secret=apassword6
auth=md5

[corp06]
type=peer
host=server.corp6.un
username=corp13
secret=apassword13
auth=md5

[corp7]
type=user
host=dynamic
secret=apassword7
auth=md5

[corp07]
type=peer
host=server.corp7.un
username=corp13
secret=apassword13
auth=md5

[corp8]
type=user
host=dynamic
secret=apassword8
auth=md5

[corp08]
type=peer
host=server.corp8.un
username=corp13
secret=apassword13
auth=md5

[corp9]
type=user
host=dynamic
secret=apassword9
auth=md5

[corp09]
type=peer
host=server.corp9.un
username=corp13
secret=apassword13
auth=md5

[corp10]
type=user
host=dynamic
secret=apassword10
auth=md5

[corp10]
type=peer
host=server.corp10.un
username=corp13
secret=apassword13
auth=md5

[corp11]
type=user
host=dynamic
secret=apassword11
auth=md5

[corp11]
type=peer
host=server.corp11.un
username=corp13
secret=apassword13
auth=md5

[corp12]
type=user
host=dynamic
secret=apassword12
auth=md5

[corp12]
type=peer
host=server.corp12.un
username=corp13
secret=apassword13
auth=md5

root@server.corp13.un:~# cat /etc/asterisk/extensions.conf
...
exten => _89XXXXXXXXX,1,Dial(SIP/sipnet_xxxxxxxx/${EXTEN})
exten => _8XX,1,Dial(SIP/0000${EXTEN:1})
;exten => sipnet_xxxxxxxx,1,Dial(SIP/204&SIP/202)
exten => sipnet_xxxxxxxx,1,Dial(SIP/000001&SIP/000002&SIP/000003&SIP/000004&SIP/000005&SIP/000006&SIP/000007&SIP/000008&SIP/000009&SIP/000010&SIP/000011&SIP/000012)
exten => _0XX4XX,1,Set(CALLERID(num)=013${CALLERID(num)})
exten => _0XX4XX,n,Dial(IAX2/corp${EXTEN:1:2}/${EXTEN:3})

[voip]
exten => _89XXXXXXXXX,1,Dial(SIP/sipnet_xxxxxxxx/${EXTEN})
...