Connectivity: Firewall - Proxy - NAT - DHCP server - DNS server
From El raconet d'en Jordi
Firewall
We use the shorewall package to connect the two networks, with the following configuration:
#/etc/shorewall/interfaces
#
#ZONE   INTERFACE       BROADCAST       OPTIONS
#
net     eth1            detect          tcpflags
loc     eth0            detect          tcpflags
#/etc/shorewall/masq
#
#INTERFACE      SOURCE          ADDRESS         PROTO   PORT(S) IPSEC
eth1            eth0
#/etc/shorewall/policy
#
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
loc             net             ACCEPT
loc             $FW             ACCEPT
loc             all             REJECT          info
#
$FW             net             ACCEPT
$FW             loc             ACCEPT
$FW             all             ACCEPT
#
net             $FW             ACCEPT
net             loc             DROP            info
net             all             DROP            info
#
all             all             REJECT          info
#/etc/shorewall/routestopped
#
#INTERFACE      HOST(S)         OPTIONS
eth0            -
#/etc/shorewall/rules
#
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK
#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
#
DNS/ACCEPT      $FW             net
#
SSH/ACCEPT      loc             $FW
#
Ping/ACCEPT     loc             $FW
#
Ping/DROP       net             $FW
#
ACCEPT          $FW             loc             icmp
ACCEPT          $FW             net             icmp
#
ACCEPT          net             fw              tcp     ssh,auth
#
ACCEPT          $FW             net             udp     ntp
ACCEPT          net             fw              tcp     www,3128
# recognises iespviana.xtec.cat
DNAT            loc             net:192.168.1.52:80     tcp     80      -       85.192.110.189
DNAT            loc             net:192.168.1.53:80     tcp     8088    -       85.192.110.189
DNAT            fw              net:192.168.1.52:80     tcp     80      -       85.192.110.189
DNAT            fw              net:192.168.1.53:80     tcp     8088    -       85.192.110.189
# local mrtg
ACCEPT          loc             fw              tcp     www
#/etc/shorewall/zones
#
#ZONE   TYPE            OPTIONS         IN              OUT
#                                       OPTIONS         OPTIONS
fw      firewall
net     ipv4
loc     ipv4
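To see how Shorewall combines the rules and policy files above, here is an added, simplified model of its decision order (not part of the original page and not Shorewall's own code). It assumes the standard expansions of the DNS, SSH and Ping macros, writes $FW as the zone name fw, and leaves the DNAT entries out.

```javascript
// Added example, not from the page and not Shorewall's code: a simplified model
// of how Shorewall decides a packet's fate. Rules are tried first, in file
// order; if none matches, the first matching policy entry applies ("all" matches
// any zone, $FW is written as "fw"). Macros expanded by hand; DNAT left out.
const RULES = [
  // [action, source, dest, proto, dest ports ("*" = any; for icmp, the type)]
  ["ACCEPT", "fw",  "net", "udp",  ["53"]],          // DNS/ACCEPT $FW net
  ["ACCEPT", "fw",  "net", "tcp",  ["53"]],
  ["ACCEPT", "loc", "fw",  "tcp",  ["22"]],          // SSH/ACCEPT loc $FW
  ["ACCEPT", "loc", "fw",  "icmp", ["8"]],           // Ping/ACCEPT loc $FW
  ["DROP",   "net", "fw",  "icmp", ["8"]],           // Ping/DROP net $FW
  ["ACCEPT", "fw",  "loc", "icmp", ["*"]],
  ["ACCEPT", "fw",  "net", "icmp", ["*"]],
  ["ACCEPT", "net", "fw",  "tcp",  ["22", "113"]],   // ssh,auth
  ["ACCEPT", "fw",  "net", "udp",  ["123"]],         // ntp
  ["ACCEPT", "net", "fw",  "tcp",  ["80", "3128"]],  // www,3128
  ["ACCEPT", "loc", "fw",  "tcp",  ["80"]],          // local mrtg
];
const POLICY = [
  ["loc", "net", "ACCEPT"], ["loc", "fw",  "ACCEPT"], ["loc", "all", "REJECT"],
  ["fw",  "net", "ACCEPT"], ["fw",  "loc", "ACCEPT"], ["fw",  "all", "ACCEPT"],
  ["net", "fw",  "ACCEPT"], ["net", "loc", "DROP"],   ["net", "all", "DROP"],
  ["all", "all", "REJECT"],
];
const zoneOk = (pattern, zone) => pattern === "all" || pattern === zone;

function firstPolicy(src, dst) {
  return POLICY.find(([s, d]) => zoneOk(s, src) && zoneOk(d, dst)) || null;
}

// Returns { action, via } where via is "rule" or "policy".
function decide(src, dst, proto, dport) {
  for (const [action, s, d, p, ports] of RULES) {
    if (zoneOk(s, src) && zoneOk(d, dst) && p === proto &&
        (ports.includes("*") || ports.includes(String(dport)))) {
      return { action, via: "rule" };
    }
  }
  const pol = firstPolicy(src, dst);
  return { action: pol ? pol[2] : "DROP", via: "policy" };
}

// Audit helper: rules whose action merely repeats the policy for that zone pair.
function redundantRules() {
  return RULES.filter(([action, s, d]) => {
    const pol = firstPolicy(s, d);
    return pol !== null && pol[2] === action;
  });
}
```

Because the net to $FW policy is ACCEPT, every explicit net to fw ACCEPT rule above admits ports the policy would already admit; only the Ping/DROP entry changes an outcome, and it does so only because rules are consulted before the policy.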
Proxy
We use the squid package, with the following configuration:
#/etc/squid/squid.conf
#
acl snmppublic snmp_community public
#
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
#
acl localnet src 192.168.0.0/24         # vianet internal network
#
acl SSL_ports port 443          # https
acl SSL_ports port 563          # snews
acl SSL_ports port 873          # rsync
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 631         # cups
acl Safe_ports port 873         # rsync
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
http_access allow localnet
http_access allow localhost
http_access deny all
#
icp_access allow localnet
icp_access deny all
#
http_port 3128
#
hierarchy_stoplist cgi-bin ?
#
cache_dir ufs /var/spool/squid 2048 16 256
#
access_log /var/log/squid/access.log squid
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Package(.gz)*)$        0       20%     2880
refresh_pattern .               0       20%     4320
#
acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast
#
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
#
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
#
snmp_port 3401
#
snmp_access allow snmppublic localhost
#
hosts_file /etc/hosts
#
coredump_dir /var/spool/squid
#
Clients load the proxy configuration from the web server (http://192.168.0.1/proxy.pac):
function FindProxyForURL(url, host) {
    // Schemes the proxy does not handle (e.g. mailto:) bypass it entirely.
    if ((url.substring(0, 5) != "http:") &&
        (url.substring(0, 6) != "https:") &&
        (url.substring(0, 4) != "ftp:") &&
        (url.substring(0, 7) != "gopher:")) {
        return "DIRECT";
    }
    // Local hosts and private/loopback addresses are reached directly.
    if ((host == "iespviana.xtec.cat") ||
        (host == "linux") ||
        shExpMatch(host, "192.168.*") ||
        shExpMatch(host, "127.*")) {
        return "DIRECT";
    }
    // Everything else goes through squid, falling back to DIRECT if it is unreachable.
    return "PROXY 192.168.0.1:3128; DIRECT";
}
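To check what the PAC file above decides for a given URL without loading it in a browser, here is an added harness (not part of the original page). It supplies a minimal shExpMatch(), which browsers normally provide as a PAC built-in, and runs the page's FindProxyForURL over constructed sample URLs.

```javascript
// Added example, not part of the original page: evaluate the proxy.pac above
// outside a browser. Browsers provide shExpMatch() as a PAC built-in; this
// minimal version supports the '*' and '?' wildcards the file uses.
function shExpMatch(str, shexp) {
  const re = shexp
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*")                // '*' matches any run of characters
    .replace(/\?/g, ".");                // '?' matches a single character
  return new RegExp("^" + re + "$").test(str);
}

// The page's FindProxyForURL, reproduced unchanged so it can be exercised.
function FindProxyForURL(url, host) {
  if ((url.substring(0, 5) != "http:") &&
      (url.substring(0, 6) != "https:") &&
      (url.substring(0, 4) != "ftp:") &&
      (url.substring(0, 7) != "gopher:")) {
    return "DIRECT";
  }
  if ((host == "iespviana.xtec.cat") ||
      (host == "linux") ||
      shExpMatch(host, "192.168.*") ||
      shExpMatch(host, "127.*")) {
    return "DIRECT";
  }
  return "PROXY 192.168.0.1:3128; DIRECT";
}

// Runs the PAC logic over a list of URLs, deriving host the way a browser does.
function evaluate(urls) {
  return urls.map(function (u) {
    const host = new URL(u).hostname;
    return { url: u, host: host, proxy: FindProxyForURL(u, host) };
  });
}

// Constructed sample requests (not from the page) covering each branch.
const SAMPLE_URLS = [
  "http://iespviana.xtec.cat/",    // named local host
  "http://192.168.0.1/proxy.pac",  // private address, matches "192.168.*"
  "https://www.example.org/",      // external site, goes through squid
  "ftp://ftp.example.org/pub/",    // ftp is proxied as well
  "mailto:someone@example.org",    // scheme squid does not handle: DIRECT
  "http://192.168.example.org/",   // textual match on "192.168.*": also DIRECT
];
```

The last sample shows that shExpMatch() compares the host name as text, so the "192.168.*" entry is wider than a literal address range; isInNet() tests the resolved address instead when that is what is intended.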
Content filtering
We will use the squidguard plugin for squid[1].

