# cat /etc/resolv.conf
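# /etc/resolv.conf on gate.isp.un: the gateway resolves through its own named
# (see named.conf below), one directive per line.
search isp.un
nameserver 127.0.0.1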
# cat /etc/hosts
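# /etc/hosts on gate.isp.un, one address per line.
127.0.0.1 localhost localhost.isp.un
# The gateway's internal (lab LAN) address.
172.16.1.254 gate.isp.un gate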
[gate.isp.un:~] # cat /etc/rc.conf
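# /etc/rc.conf on gate.isp.un (FreeBSD): uplink on em0, lab LAN on an em0 alias.
# One assignment per line; all values quoted for consistency with the other boxes.
hostname="gate.isp.un"
ifconfig_em0="inet 10.N.M.252"              # uplink address (N.M are lab-specific octets)
ifconfig_em0_alias0="inet 172.16.1.254/24"  # internal side: default gateway and ns for the stands
defaultrouter="10.N.M.254"
gateway_enable="yes"                        # forward between em0 and the alias net
keyrate="fast"
# NOTE(review): the lab accounts created below (user$i / password$i) are guessable and
# published on this page; with no pf filter rules, sshd is reachable from the uplink
# net as well — restrict it (AllowUsers / PasswordAuthentication no) if that matters.
sshd_enable="yes"
pf_enable="yes"                             # pf.conf below only NATs; it does not filter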
[gate.isp.un:~] # cat > /etc/pf.conf
# /etc/pf.conf on gate.isp.un: NAT only. No block/pass rules are defined, so pf's
# default pass applies and nothing is filtered in either direction.
ext_ip="10.N.M.252"
# Source set for NAT. "!" excludes the gateway's own internal address. The uplink
# net 10.N.M/24 is part of the table, so traffic towards it is passed untranslated
# by the "to !<int_net>" below; everything else leaves with $ext_ip.
table <int_net> {127/8, 172.16/12, !172.16.1.254, 10.N.M/24 ,192.168/16}
nat from <int_net> to !<int_net> -> $ext_ip
[gate.isp.un:~] # cat route.sh
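#!/bin/sh
# route.sh on gate.isp.un (FreeBSD): each stand N owns 192.168.N.0/24 behind its
# gateway 172.16.1.N on the ISP LAN. Installs static routes for stands 1..55
# (jot 55 1 prints 1..55). route(8) reports its own errors.
for i in $(jot 55 1)
do
  route add "192.168.${i}/24" "172.16.1.${i}"
done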
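# On gate.isp.un (FreeBSD), as root, run from sh: (re)create the lab accounts
# user1..user55. Remove any existing ones first; -y answers the confirmation prompt.
for i in $(jot 55 1); do rmuser -y "user$i"; done
# adduser -f reads one account per line in adduser(8) format:
#   name:uid:gid:class:change:expire:gecos:home_dir:shell:password
# Variant 1 puts the users in login class "russian" (presumably defined in
# /etc/login.conf); variant 2 uses the default class. Only one of the two is needed.
# The passwords are derived from the user names and are visible on this page:
# lab use only — do not reuse this scheme on anything reachable from outside.
for i in $(jot 55 1); do echo "user$i:::russian:::::/bin/csh:password$i"; done | adduser -f -
for i in $(jot 55 1); do echo "user$i::::::::/bin/csh:password$i"; done | adduser -f -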
root@nessus.isp.un:~# cat /etc/hostname
nessus.isp.un
root@nessus.isp.un:~# grep forw /etc/sysctl.conf
... net.ipv4.ip_forward=1 ...
root@nessus.isp.un:~# sysctl -f
root@nessus.isp.un:~# cat nat.sh
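#!/bin/sh
# nat.sh on nessus.isp.un (Debian): rebuild the nat table from scratch.
# Only the nat table is touched. With net.ipv4.ip_forward=1 and no filter-table
# rules shown on this page, the host forwards anything it receives — add FORWARD
# rules if that is not intended.
iptables -t nat --flush
# The gateway's own internal address is not translated.
iptables -t nat -A POSTROUTING -s 172.16.1.254 -j ACCEPT
# Everything else from the lab nets (ISP LAN and the stands' 192.168.N.0/24) leaves
# with the uplink address.
# NOTE(review): /etc/network/interfaces below gives eth0 10.N.M.252, not 10.M.N.178;
# --to-source must be an address this host holds (and N/M look swapped) — confirm.
iptables -t nat -A POSTROUTING -s 172.16.1.0/24,192.168.0.0/16 -j SNAT --to-source 10.M.N.178
# Drop existing conntrack entries so already-tracked flows are re-evaluated against
# the new NAT rules instead of keeping their old mapping.
conntrack -F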
root@nessus.isp.un:~# sh nat.sh root@nessus.isp.un:~# iptables-save -c > /etc/iptables.rules
root@nessus.isp.un:~# cat /etc/network/interfaces
# /etc/network/interfaces on nessus.isp.un (Debian ifupdown).
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
# pre-up runs before the address is assigned, so the saved nat rules are already
# loaded when the uplink comes up (ip_forward=1 is permanent via sysctl.conf).
pre-up iptables-restore -c < /etc/iptables.rules
address 10.N.M.252
netmask 255.255.255.0
gateway 10.N.M.254
# Legacy "eth0:0" alias syntax for the internal address on the same NIC.
auto eth0:0
iface eth0:0 inet static
address 172.16.1.254
netmask 255.255.255.0
# Per-stand routes (192.168.N.0/24 via 172.16.1.N), kept commented out here;
# route.sh below can print or install the same lines.
# up route add -net 192.168.1.0 netmask 255.255.255.0 gw 172.16.1.1
# ...
# up route add -net 192.168.20.0 netmask 255.255.255.0 gw 172.16.1.20
# cat route.sh
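#!/bin/sh
# route.sh on nessus.isp.un: two alternative ways to handle the per-stand routes
# (192.168.N.0/24 via 172.16.1.N, N = 1..20). Uncomment exactly one:
#   - the route(8) call installs them immediately;
#   - the echo prints matching "up route add ..." lines for /etc/network/interfaces.
# As committed both are commented out, so the script is a no-op. The ':' keeps the
# loop body non-empty — a loop with nothing but comments in it is a shell syntax
# error, which is what the original would have produced.
# jot(1) is a BSD tool; on Debian it comes from the athena-jot package (or use seq).
for i in $(jot 20 1)
do
  #route add -net "192.168.${i}.0" netmask 255.255.255.0 gw "172.16.1.${i}"
  #echo up route add -net "192.168.${i}.0" netmask 255.255.255.0 gw "172.16.1.${i}"
  :
done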
root@nessus.isp.un:~# cat createuser.sh
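#!/bin/sh
# createuser.sh on nessus.isp.un: create the lab accounts user1..user20, each with
# password "password<N>" and a bash login shell.
# jot(1) is a BSD tool; on Debian it comes from the athena-jot package (or use seq).
for i in $(jot 20 1)
do
  echo "$i"
  useradd -m -s /bin/bash "user${i}"
  # The passwords are derived from the user names and published on this page.
  # Acceptable only inside the lab; if sshd on this host is reachable from the
  # uplink, these accounts are an easy way in.
  echo "user${i}:password${i}" | chpasswd
  # Cleanup variant kept from the original (removes the account and its home):
  # userdel -r "user${i}"
done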
# cat /usr/local/etc/namedb/named.conf # cat /etc/bind/named.conf.options # cat /etc/bind/named.conf.local
options {
...
// Upstream resolver for everything not served locally (N.M.Z is lab-specific).
forwarders {
10.N.M.Z;
};
...
// NOTE(review): recursion is offered to any client. listen-on is not shown here;
// if named also listens on the uplink address this is an open resolver reachable
// from 10.N.M/24. Restrict it to the lab networks, e.g. an acl covering
// 172.16/12, 192.168/16 and localhost.
allow-recursion { any; };
...
// DNSSEC validation is off: answers from the forwarders are accepted as-is.
// dnssec-validation auto;
...
};
// Lab parent zone. Exactly one "file" line must be active for the platform in use
// (FreeBSD path vs Debian path) — named refuses to load a master zone that has no
// file statement.
zone "un" {
type master;
// file "/usr/local/etc/namedb/master/un";
// file "/etc/bind/un";
};
//For un4, msc
// Reverse zone for the stands' 192.168.N.0/24 networks (same file-line caveat).
zone "168.192.in-addr.arpa" {
type master;
// file "/usr/local/etc/namedb/master/192.168.rev";
// file "/etc/bind/192.168.rev";
};
//for un2, bsd2
// Each stand's corpN.un is forwarded to that stand's own DNS server. The active
// lines use server.corpN (192.168.N.10); the commented variant targets the stand's
// gateway address 172.16.1.N instead. dns.sh below prints lines of both forms.
zone "corp1.un" IN {type forward;forwarders {192.168.1.10;};};
...
zone "corp20.un" IN {type forward;forwarders {192.168.20.10;};};
//zone "corp1.un" IN {type forward;forwarders {172.16.1.1;};};
...
//zone "corp20.un" IN {type forward;forwarders {172.16.1.20;};};
# cat un
; Forward zone "un" served by the ISP gateway (ns = 172.16.1.254).
; Bump the serial (44) whenever the zone changes.
$TTL 3h
@ SOA ns root.gate.isp.un. 44 1d 12h 1w 3h
; NOTE(review): in the zone file this NS line must start with whitespace so that it
; belongs to @ — the indentation appears to have been lost in this listing.
NS ns
ns A 172.16.1.254
isp A 172.16.1.254
; Public address of the "radio" asterisk box (matches udpbindaddr in its sip.conf).
voip1 A 80.250.209.226
gate.isp A 172.16.1.254
mail.isp A 172.16.1.254
openvas.isp A 172.16.1.252
; --- history: record sets used by earlier lab variants, kept commented out ---
;for un2, bsd2, un3, asterisk2
;$GENERATE 1-26 ns$ A 172.16.1.$
;$GENERATE 1-26 ns$ A 192.168.$.10
;$GENERATE 1-26 corp$ NS ns$
; for uncom, un1, bsd1
;$GENERATE 27-37 server.corp$ A 172.16.1.$
;asterisk1
;$GENERATE 1-14 server.corp$ A 172.16.1.$
;$GENERATE 1-9 server.corp$ A 172.16.1.10$
;$GENERATE 10-14 server.corp$ A 172.16.1.1$
;for CGP
;$GENERATE 1-9 mail.corp$ A 172.16.1.10$
;$GENERATE 10-15 mail.corp$ A 172.16.1.1$
;$GENERATE 1-9 corp$ A 172.16.1.10$
;$GENERATE 10-15 corp$ A 172.16.1.1$
;corp1 MX 10 mail.corp1
;corp2 MX 10 mail.corp2
;corp3 MX 10 mail.corp3
;corp4 MX 10 mail.corp4
;corp5 MX 10 mail.corp5
;corp6 MX 10 mail.corp6
;corp7 MX 10 mail.corp7
;corp8 MX 10 mail.corp8
;corp9 MX 10 mail.corp9
;corp10 MX 10 mail.corp10
;corp11 MX 10 mail.corp11
;corp12 MX 10 mail.corp12
;corp13 MX 10 mail.corp13
;corp14 MX 10 mail.corp14
;corp15 MX 10 mail.corp15
;$GENERATE 1-9 mail.comp$ A 172.16.1.20$
;$GENERATE 10-15 mail.comp$ A 172.16.1.2$
;$GENERATE 1-9 comp$ A 172.16.1.20$
;$GENERATE 10-15 comp$ A 172.16.1.2$
;$GENERATE 1-9 autoconfig.corp$ A 172.16.1.10$
;$GENERATE 1-9 user1.corp$ A 172.16.1.10$
;$GENERATE 1-9 www.corp$ A 172.16.1.10$
;$GENERATE 1-9 corp$ MX 10 mail.corp$
;$GENERATE 1-9 corp$ A 172.16.1.10$
;$GENERATE 1-9 mail.comp$ A 172.16.1.20$
;$GENERATE 1-9 comp$ MX 10 mail.comp$
;$GENERATE 1-9 comp$ A 172.16.1.20$
; --- active set: stands 38..55, each owning 192.168.N.0/24 ---
;for msc, un4, unbez
$GENERATE 38-55 server.corp$ A 192.168.$.10
; www and mgmt share 192.168.N.20; gate and router share 192.168.N.1.
$GENERATE 38-55 www.corp$ A 192.168.$.20
$GENERATE 38-55 gate.corp$ A 192.168.$.1
$GENERATE 38-55 router.corp$ A 192.168.$.1
;$GENERATE 1-9 lan.corp$ A 192.168.10$.10
; "1$" concatenates: lan.corp38 -> 192.168.138.10 ... lan.corp55 -> 192.168.155.10.
$GENERATE 38-55 lan.corp$ A 192.168.1$.10
$GENERATE 38-55 corp$ A 192.168.$.10
$GENERATE 38-55 mgmt.corp$ A 192.168.$.20
# cat 192.168.rev
; Reverse zone 168.192.in-addr.arpa: "1.$" here is 192.168.N.1, "10.$" is 192.168.N.10, etc.
; Bump the serial (43) whenever the zone changes.
$TTL 3h
@ SOA ns.un. root.gate.isp.un. 43 1d 12h 1w 3h
; NOTE(review): this NS line must start with whitespace so that it belongs to @ —
; the indentation appears to have been lost in this listing.
NS ns.un.
;for msc, un4, unbez, !!! not for un3
; One PTR per address: .1 points at router.corpN (gate.corpN, which shares the
; address in the forward zone, is the commented alternative).
;$GENERATE 40-55 1.$ PTR gate.corp$.un.
$GENERATE 40-55 1.$ PTR router.corp$.un.
$GENERATE 40-55 10.$ PTR server.corp$.un.
; NOTE(review): the forward zone generates stands 38-55, these PTRs only 40-55, and
; switch.corpN has no A record in the forward zone shown on this page — confirm both
; are intended.
$GENERATE 40-55 3.$ PTR switch.corp$.un.
$GENERATE 40-55 20.$ PTR mgmt.corp$.un.
# cat dns.sh
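#!/bin/sh
# dns.sh: generate the per-stand DNS pieces for named on the ISP gateway.
#   1. a small master zone compN.un for each stand, written to $dir/compN.un;
#   2. named.conf "zone" lines for those files, and for forwarding corpN.un to the
#      stand's own server (two variants: via 192.168.N.10 or via 172.16.1.N).
# Everything except the zone files goes to stdout; paste the lines you need into
# named.conf (named.conf.local on Debian).
#
# $dir must be the platform's zone directory and must be exported to the script:
#   dir=/etc/bind sh dns.sh                      # Debian
#   dir=/usr/local/etc/namedb/master sh dns.sh   # FreeBSD
# The original kept both dir= lines commented out, so ${dir} expanded to nothing
# and the zone files were written to the filesystem root ("/compN.un"). Abort
# instead of silently doing that.
set -eu
: "${dir:?set dir to the zone directory (/etc/bind or /usr/local/etc/namedb/master)}"

STANDS="1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25"

for i in $STANDS
do
  # named.conf line for the master zone (same text the original echo produced).
  printf 'zone %s {type master; file "%s/%s";};\n' "comp$i.un" "$dir" "comp$i.un"
  # Records without an owner name are indented so they attach to the apex (@).
  # "ns" is the ISP gateway; the stand's own server is 192.168.N.10.
  cat > "${dir}/comp$i.un" <<EOF
\$TTL 3h
@       SOA     ns root.ns 45 1d 12h 1w 3h
        NS      ns
        NS      ns.corp$i.un.
        A       192.168.$i.10
;       MX      10 mail
ns      A       172.16.1.254
;mail   A       192.168.$i.10
;mail   A       172.16.1.$((i + 200))
EOF
done

# Forwarding stubs for corpN.un, variant 1: forward to the stand's own server.
for i in $STANDS
do
  printf 'zone %s IN {type forward;forwarders {%s;};};\n' "corp$i.un" "192.168.$i.10"
done

# Variant 2: forward to the stand's gateway address on the ISP LAN. Use one variant.
for i in $STANDS
do
  printf 'zone %s IN {type forward;forwarders {%s;};};\n' "corp$i.un" "172.16.1.$i"
done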
root@gate.isp2.un:~# cat /etc/network/interfaces
# /etc/network/interfaces on gate.isp2.un (Debian variant): eth0 carries the isp2
# LAN, eth0:0 the uplink, and eth0:1 an address on isp1's LAN (172.16.1.0/24).
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 172.16.2.254
netmask 255.255.255.0
auto eth0:0
iface eth0:0 inet static
# NOTE(review): on nessus.isp.un the restore hangs off eth0 itself; here it sits on
# the alias stanza, so it only runs when eth0:0 is brought up — fine under "auto",
# but bringing up eth0 alone would not trigger it and the nat table would be empty.
pre-up iptables-restore -c < /etc/iptables.rules
address 10.N.M.179
netmask 255.255.255.0
gateway 10.N.M.254
auto eth0:1
iface eth0:1 inet static
address 172.16.1.60
netmask 255.255.255.0
root@gate.isp2.un:~# cat nat.sh
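#!/bin/sh
# nat.sh on gate.isp2.un (Debian): rebuild the nat table from scratch.
# Only the nat table is touched; with net.ipv4.ip_forward=1 and no filter-table
# rules shown on this page, the host forwards anything it receives.
iptables -t nat --flush
# The gateway's own internal address is not translated.
iptables -t nat -A POSTROUTING -s 172.16.2.254 -j ACCEPT
# The isp2 LAN leaves with the uplink address (10.N.M.179 is eth0:0 in
# /etc/network/interfaces above).
iptables -t nat -A POSTROUTING -s 172.16.2.0/24 -j SNAT --to-source 10.N.M.179
# Drop existing conntrack entries so already-tracked flows are re-evaluated against
# the new NAT rules instead of keeping their old mapping.
conntrack -F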
root@gate.isp2.un:~# grep forw /etc/sysctl.conf
... net.ipv4.ip_forward=1 ...
[gate.isp2.un:~] # cat /etc/rc.conf
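# /etc/rc.conf on gate.isp2.un (FreeBSD variant): here em0 carries the isp2 LAN and
# the uplink address is the alias — the reverse of gate.isp.un. One assignment per
# line; all values quoted for consistency.
hostname="gate.isp2.un"
ipv6_network_interfaces="none"              # no IPv6 on any interface
ifconfig_em0="inet 172.16.2.254/24"         # isp2 LAN
ifconfig_em0_alias0="inet 10.N.M.126/24"    # uplink (pf.conf below NATs to this address)
defaultrouter="10.N.M.254"
gateway_enable="YES"                        # forward between the two nets
pf_enable="yes"                             # NAT only; pf.conf below has no filter rules
keyrate="fast"
# NOTE(review): with no pf filter rules, sshd and named are reachable on the uplink
# alias as well as on the LAN; restrict them if that is not intended.
sshd_enable="yes"
named_enable="yes"                          # this box also runs the lab DNS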
[gate.isp2.un:~] # cat /etc/pf.conf
# /etc/pf.conf on gate.isp2.un: NAT only. No block/pass rules are defined, so pf's
# default pass applies and nothing is filtered in either direction.
ext_ip="10.N.M.126"
# Source set for NAT. "!" excludes the gateway's own internal address; 10.N.M/24 is
# in the table so traffic towards the uplink net is passed untranslated. Unlike
# gate.isp.un there is no 192.168/16 entry — isp2 has no stand networks behind it.
table <int_net> {127/8, 172.16/12, !172.16.2.254, 10.N.M/24}
nat from <int_net> to !<int_net> -> $ext_ip
[radio:~] # cat /usr/local/asterisk/etc/asterisk/sip.conf
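; sip.conf on "radio": asterisk bound to a public address, one directive per line.
[general]
context=office
; NOTE(review): the SIP port is bound to a public address while the secrets below
; follow visible patterns (tpasswordNNN, spasswordN). allowguest=no and
; alwaysauthreject=yes slow down enumeration but do not stop a brute force; use
; random secrets and restrict 5060/udp to the lab networks if possible.
udpbindaddr=80.250.209.226
udpbindport=5060
allowguest=no
alwaysauthreject=yes
disallow=all
allow=alaw
dtmfmode=rfc2833
;register => xxxxxxxx:xxxxxxxx@sipnet.ru/sipnet_xxxxxxxx

; Outbound trunk to the ITSP (credentials redacted on this page).
; NOTE(review): this section name has seven x's, but extensions.conf dials
; SIP/sipnet_xxxxxxxx (eight) and callbackextension also uses eight — the names
; must match or Dial() finds no peer; probably a redaction artifact, confirm.
[sipnet_xxxxxxx]
defaultuser=xxxxxxxx
secret=xxxxxxxx
host=sipnet.ru
type=peer
; insecure=invite: INVITEs from the trunk are not challenged for a password;
; asterisk matches the peer by source address (host=) instead. Usual for an ITSP
; peer, but it means anything this peer sends in is trusted.
insecure=invite
fromuser=xxxxxxxx
fromdomain=sipnet.ru
canreinvite=no
callbackextension=sipnet_xxxxxxxx

; Template for the office phones (context=office from [general]).
[200](!)
type=friend
host=dynamic
canreinvite=no

[202](200)
secret=tpassword202

[204](200)
secret=tpassword204
;canreinvite=no
;mailbox=204@isp

; Template for the per-stand accounts 000001..000013. They land in context=voip,
; which (see extensions.conf) can dial out through the sipnet trunk — so each of
; these secrets is effectively a toll-fraud credential on a publicly bound server.
[000000](!)
;type=friend
type=user
host=dynamic
context=voip
;nat=yes
;qualify=yes
;canreinvite=no

[000001](000000)
secret=spassword1

[000002](000000)
secret=spassword2

[000003](000000)
secret=spassword3

[000004](000000)
secret=spassword4

[000005](000000)
secret=spassword5

[000006](000000)
secret=spassword6

[000007](000000)
secret=spassword7

[000008](000000)
secret=spassword8

[000009](000000)
secret=spassword9

[000010](000000)
secret=spassword10

[000011](000000)
secret=spassword11

[000012](000000)
secret=spassword12

[000013](000000)
secret=spassword13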
root@server.corp13.un:~# cat /etc/asterisk/iax.conf
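...
; One user/peer pair per remote stand. [corpN] (type=user) authenticates inbound
; calls from stand N with that stand's secret; the peer entry is used for outbound
; calls to server.corpN.un, presenting username corp13 and this stand's own secret.
; NOTE(review): the secrets follow the visible pattern apasswordN. auth=md5 keeps
; the secret off the wire, but a guessable secret can still be brute-forced from a
; captured challenge/response — use random secrets (or auth=rsa) if the stands are
; not mutually trusted.
; NOTE(review): for stands 1-9 the peer is zero-padded ([corp01]) to stay distinct
; from the user ([corp1]); for 10-12 both sections are named [corpNN], so each name
; appears twice. Confirm chan_iax2 loads both as intended — the dialplan dials
; IAX2/corpNN with the two-digit form.
[corp1]
type=user
host=dynamic
secret=apassword1
auth=md5

[corp01]
type=peer
host=server.corp1.un
username=corp13
secret=apassword13
auth=md5

[corp2]
type=user
host=dynamic
secret=apassword2
auth=md5

[corp02]
type=peer
host=server.corp2.un
username=corp13
secret=apassword13
auth=md5

[corp3]
type=user
host=dynamic
secret=apassword3
auth=md5

[corp03]
type=peer
host=server.corp3.un
username=corp13
secret=apassword13
auth=md5

[corp4]
type=user
host=dynamic
secret=apassword4
auth=md5

[corp04]
type=peer
host=server.corp4.un
username=corp13
secret=apassword13
auth=md5

[corp5]
type=user
host=dynamic
secret=apassword5
auth=md5

[corp05]
type=peer
host=server.corp5.un
username=corp13
secret=apassword13
auth=md5

[corp6]
type=user
host=dynamic
secret=apassword6
auth=md5

[corp06]
type=peer
host=server.corp6.un
username=corp13
secret=apassword13
auth=md5

[corp7]
type=user
host=dynamic
secret=apassword7
auth=md5

[corp07]
type=peer
host=server.corp7.un
username=corp13
secret=apassword13
auth=md5

[corp8]
type=user
host=dynamic
secret=apassword8
auth=md5

[corp08]
type=peer
host=server.corp8.un
username=corp13
secret=apassword13
auth=md5

[corp9]
type=user
host=dynamic
secret=apassword9
auth=md5

[corp09]
type=peer
host=server.corp9.un
username=corp13
secret=apassword13
auth=md5

[corp10]
type=user
host=dynamic
secret=apassword10
auth=md5

[corp10]
type=peer
host=server.corp10.un
username=corp13
secret=apassword13
auth=md5

[corp11]
type=user
host=dynamic
secret=apassword11
auth=md5

[corp11]
type=peer
host=server.corp11.un
username=corp13
secret=apassword13
auth=md5

[corp12]
type=user
host=dynamic
secret=apassword12
auth=md5

[corp12]
type=peer
host=server.corp12.un
username=corp13
secret=apassword13
auth=md5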
root@server.corp13.un:~# cat /etc/asterisk/extensions.conf
...
; (The context these first entries belong to starts above this listing.)
; 8 9 + nine digits: outbound through the ITSP trunk.
exten => _89XXXXXXXXX,1,Dial(SIP/sipnet_xxxxxxxx/${EXTEN})
; 8XX: strip the 8 and ring the stand account 0000XX (e.g. 801 -> SIP/000001).
exten => _8XX,1,Dial(SIP/0000${EXTEN:1})
;exten => sipnet_xxxxxxxx,1,Dial(SIP/204&SIP/202)
; Inbound calls from the trunk (callbackextension) ring stand accounts 000001-000012
; at once; 000013 exists in sip.conf but is not rung here.
exten => sipnet_xxxxxxxx,1,Dial(SIP/000001&SIP/000002&SIP/000003&SIP/000004&SIP/000005&SIP/000006&SIP/000007&SIP/000008&SIP/000009&SIP/000010&SIP/000011&SIP/000012)
; 0 NN 4XX: calls to another stand over IAX2. The caller id is prefixed with 013
; (this box is server.corp13.un); the two digits after the 0 pick the peer corpNN
; from iax.conf and the remaining 4XX is the extension dialled there.
exten => _0XX4XX,1,Set(CALLERID(num)=013${CALLERID(num)})
exten => _0XX4XX,n,Dial(IAX2/corp${EXTEN:1:2}/${EXTEN:3})
; Context for the 0000NN SIP users (context=voip in sip.conf). Anything they can dial
; here goes to the paid trunk, so their secrets gate outbound calling — keep them
; strong. The context continues past this listing.
[voip]
exten => _89XXXXXXXXX,1,Dial(SIP/sipnet_xxxxxxxx/${EXTEN})
...