The gateway is built on the Squid proxy server, the Rejik redirector, the kernel's Iptables firewall, and the awstats log parser.
The gateway has two network cards, configured as follows (file /etc/network/interfaces):
# The loopback network interface
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 192.168.20.1
network 192.168.20.0
netmask 255.255.255.0
broadcast 192.168.20.255
auto eth1
iface eth1 inet static
address 192.168.0.2
network 192.168.0.0
netmask 255.255.255.0
broadcast 192.168.0.255
gateway 192.168.0.1
# dns-nameservers is applied only when the resolvconf package is installed; otherwise put these in /etc/resolv.conf
dns-nameservers 195.162.32.5 195.162.41.8
#enforta
#auto eth1
#iface eth1 inet static
# address 79.122.131.34
# netmask 255.255.255.252
# gateway 79.122.131.33
#nameserver 87.241.223.68
#nameserver 81.17.2.171
So the eth1 interface faces the ADSL modem (i.e. the Internet) and eth0 faces the local network.
Installing the required packages:
This setup is done after the monitoring system has been installed, so some of the required packages (the database server, Apache) are already present.
apt-get install libpcre3 libpcre3-dev libmysqlclient15-dev php-fpdf squid gcc make php5-gd apache2 apache2-mpm-prefork apache2-doc php5 libapache2-mod-php5 php5-cli php5-common php5-mysql php5-gd php-fpdf mysql-server mysql-client libmysqlclient15off libpcre3 libpcre3-dev ntpdate squid winbind make
Download and install Rejik:
mkdir /usr/local/src/rejik
cd /usr/local/src/rejik
wget http://rejik.ru/download/redirector-3.2.8.tgz
wget http://rejik.ru/download/banlists-2.x.x.tgz
wget http://rejik.ru/download/www.tgz
wget http://rejik.ru/download/dbl-2.0.tgz
tar -zxvf redirector-3.2.8.tgz
cd redirector-3.2.8
nano Makefile
Change the build parameters in the Makefile:
SQUID_USER=nobody -> SQUID_USER=proxy
SQUID_GROUP=nogroup -> SQUID_GROUP=proxy
Compile Rejik and install it into the system:
make
make install
Install the ban lists (the archive was downloaded into /usr/local/src/rejik):
cd /usr/local/src/rejik
tar -zxvf banlists-2.x.x.tgz
mv banlists /usr/local/rejik3/
Create the Rejik log files and set their permissions:
touch /var/log/squid/redirector.log
touch /var/log/squid/redirector.err
chown proxy:proxy /var/log/squid/redirector.log
chown proxy:proxy /var/log/squid/redirector.err
chown -R proxy:proxy /usr/local/rejik3/banlists
Edit the Rejik configuration file:
cd /usr/local/rejik3
cp redirector.conf.dist redirector.conf
nano redirector.conf
Point the Rejik logs at the files just created (the second directive is change_log, not a second error_log):
error_log /var/log/squid/redirector.err
change_log /var/log/squid/redirector.log
Working Rejik settings, /usr/local/rejik3/redirector.conf:
error_log /var/log/squid/redirector.log #/usr/local/rejik3/redirector.err
change_log /usr/local/rejik3/redirector.log
make-cache /usr/local/rejik3/make-cache
#allow_urls /usr/local/rejik3/banlists/white
<BANNER>
ban_dir /usr/local/rejik3/banlists/banners
url http://127.0.0.1:3512/centreon/img/icones/1x1/blank.gif
#log off
<PORNO>
ban_dir /usr/local/rejik3/banlists/porno
url http://127.0.0.1:3512/centreon/squid.html
<MP3>
ban_dir /usr/local/rejik3/banlists/mp3
url http://127.0.0.1:3512/centreon/squid.html
<JS>
ban_dir /usr/local/rejik3/banlists/js
url http://127.0.0.1:3512/centreon/img/icones/1x1/blank.gif
#url http://127.0.0.1/ban/js.js
#log off
# Open ONLY white list
#<WHITE.ALL>
# work_ip f:/etc/squid/network/test
# ban_dir /usr/local/rejik3/banlists/white_all
# url http://127.0.0.1:3512/centreon/no-inet.html
# reverse
# Open white list for sale
<WHITE_prod>
work_ip f:/etc/squid/network/prod
ban_dir /usr/local/rejik3/banlists/prod
url http://192.168.20.1:3512/centreon/squid.html
reverse
For Rejik to work, create the file /etc/squid/network/prod, which contains the IP addresses of the sales staff, and the directory /usr/local/rejik3/banlists/prod; in that directory create a file named urls containing the list of allowed sites, one host name or IP address per line.
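A small lint for the urls file, added here as an example (it is not part of the original post or of Rejik): it flags duplicate entries and entries written with a URL scheme, the two problems that creep into hand-maintained white lists. The sample file it builds is constructed; the host names in it are only illustrative.

```shell
#!/bin/sh
# lint_whitelist FILE: check a Rejik ban_dir "urls" list (added example).
# Exit 1 if anything is reported, 0 if the list is clean.
lint_whitelist() {
    file="$1"
    status=0
    # Duplicates are harmless to Rejik but hide which copy someone will edit
    # later; trailing whitespace is stripped so "a.ru " and "a.ru" compare equal.
    dups=$(sed 's/[[:space:]]*$//' "$file" | grep -v '^$' | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "duplicate entries:"
        echo "$dups" | sed 's/^/  /'
        status=1
    fi
    # Rejik expects entries without the scheme (host, optionally host/path);
    # an entry carrying http:// is almost certainly a paste error and the site
    # will not be whitelisted, so the sales host gets the block page instead.
    schemed=$(grep -n -E '^[[:alpha:]][[:alnum:]+.-]*://' "$file" || true)
    if [ -n "$schemed" ]; then
        echo "entries with a URL scheme (use the bare host name):"
        echo "$schemed" | sed 's/^/  line /'
        status=1
    fi
    return "$status"
}

# Constructed sample: two duplicated hosts and one scheme-prefixed entry.
sample=$(mktemp)
printf 'exist.ru\nfavoritoil.ru\nexist.ru\nhttp://olyslager-lubricants.nl/\nmahle.com\nfavoritoil.ru\n' > "$sample"
lint_whitelist "$sample" || echo "sample list needs fixing"
rm -f "$sample"
```

Run it against the real list with `lint_whitelist /usr/local/rejik3/banlists/prod/urls` before restarting Squid.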
Configure Squid:
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl reaktor src 192.168.20.0/24
acl black url_regex "/etc/squid/lists/black.list"
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl CONNECT method CONNECT
#####
#acl cup8 src 192.168.20.245
#####
http_access allow manager localhost
http_access deny manager
# port checks first: Squid evaluates http_access top-down and stops at the first match
http_access deny !Safe_ports
# CONNECT only to the SSL port (the stock Squid default)
http_access deny CONNECT !SSL_ports
http_access deny reaktor black
http_access allow reaktor
# throttle the channel for the host with IP address 192.168.20.245; delay_parameters is measured in bytes,
# i.e. 1000/64000 means that files larger than 64000 bytes are downloaded at 1000 bytes per second
#delay_pools 1
#delay_class 1 1
#delay_access 1 allow cup8
#delay_access 1 deny all
#delay_parameters 1 32500/64000
# "deny all" stays last: any http_access line placed after it is never reached
http_access deny all
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
refresh_pattern -i \.png$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.jpeg$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.zip$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.ppt$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.inf$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.swf$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.wav$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern \.bz2$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern \.exe$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern \.gif$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern \.gz$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern \.ico$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern \.jpg$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern \.mid$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern \.mp3$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern \.pdf$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern \.swf$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern \.tar$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern \.tgz$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern \.zip$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache
#2gis
refresh_pattern \.dgdat$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern \.dll$ 43200 100% 43200 override-lastmod override-expire ignore-reload ignore-no-cache
shutdown_lifetime 3 seconds
http_port 3128 transparent
cache_mem 100 MB
cache_dir ufs /var/spool/squid 4096 32 256
maximum_object_size 2560 KB
emulate_httpd_log on
access_log /var/log/squid/log.squid
coredump_dir /var/cache/squid
visible_hostname debian-proxy
redirect_program /usr/local/rejik3/redirector /usr/local/rejik3/redirector.conf
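As an added check (not from the post), a shell function that finds http_access rules Squid will never evaluate: Squid walks the http_access list top-down and stops at the first match, so anything after an unconditional deny all or allow all is dead (the original post had the Safe_ports and CONNECT rules after deny all). The squid.conf excerpt it builds is constructed.

```shell
#!/bin/sh
# dead_http_access FILE: list http_access rules placed after an unconditional
# "http_access deny all" / "http_access allow all" in a squid.conf (added example).
# Exit 1 when such rules exist, 0 otherwise.
dead_http_access() {
    awk '
        /^[[:space:]]*#/ { next }                 # comments are not rules
        $1 == "http_access" {
            if (terminal) { print FILENAME ":" NR ": " $0; found = 1; next }
            # a rule whose only ACL is "all" matches every request
            if (($2 == "deny" || $2 == "allow") && $3 == "all" && NF == 3)
                terminal = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed excerpt with the port checks after "deny all", as in the post
conf=$(mktemp)
cat > "$conf" <<'EOF'
acl all src all
acl reaktor src 192.168.20.0/24
acl Safe_ports port 80
acl CONNECT method CONNECT
http_access allow reaktor
http_access deny all
http_access deny !Safe_ports
http_access deny CONNECT !Safe_ports
EOF
dead_http_access "$conf" || echo "unreachable rules found; move 'deny all' to the end"
rm -f "$conf"
```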
Configure the log parser:
aptitude install awstats
Edit /etc/awstats/awstats.conf and change the following lines:
LogFile="/var/log/squid/log.squid"
LogType=W
LogFormat = 4
LogSeparator=" "
SiteDomain="site1.ru"
Contents of the file /etc/apache2/conf.d/awstats:
<Directory /var/lib/awstats>
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>
# This provides worldwide access to everything below the directory
# Security concerns: none known
<Directory /usr/share/awstats/icon>
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>
# This provides worldwide access to everything below the directory
# Security concerns: none known
<Directory /usr/share/java/awstats>
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
# This provides worldwide access to everything in the directory
# Security concerns: none known
Alias /awstats-icon/ /usr/share/awstats/icon/
# This provides worldwide access to everything in the directory
# Security concerns: none known
Alias /awstatsclasses/ /usr/share/java/awstats/
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
Run the following command in the console:
/usr/lib/cgi-bin/awstats.pl -update -config=site1.ru
The output looks roughly like this:
Create/Update database for config "/etc/awstats/awstats.conf" by AWStats version 6.95 (build 1.943)
From data in log file "/var/log/squid/log.squid"...
Phase 1 : First bypass old records, searching new record...
Direct access after last parsed record (after line 400673)
Flush history file on disk (unique url reach flush limit of 5000)
Jumped lines in file: 400673
Found 400673 already parsed records.
Parsed lines in file: 126421
Found 0 dropped records,
Found 0 corrupted records,
Found 0 old records,
Found 126421 new qualified records.
The statistics can now be viewed at: http://192.168.20.1/cgi-bin/awstats.pl
Create the iptables rules:
apt-get install iptables
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe iptable_nat
modprobe ipt_MASQUERADE
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A POSTROUTING -t nat -o eth1 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
# -d 192.168.0.2: the Internet-facing address; --dport 10881: the port the modem forwards to;
# --to-destination: the internal host:port the packet is handed to
iptables -t nat -A PREROUTING -p tcp -d 192.168.0.2 --dport 10881 -j DNAT --to-destination 192.168.20.2:3389
Redirect traffic to Squid:
# -i eth0: the LAN-facing interface; --dport 80: the port the requests arrive on; --to-ports 3128: Squid's port
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -p tcp -d 192.168.0.2 --dport 10882 -j DNAT --to-destination 192.168.20.2:3389
Next, save the current rules:
iptables-save > /etc/backup/iptables
# Generated by iptables-save v1.4.8 on Fri Oct 7 19:34:17 2011
*filter
:INPUT ACCEPT [2118:297745]
:FORWARD ACCEPT [1496:90096]
:OUTPUT ACCEPT [2166:345304]
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT
# Completed on Fri Oct 7 19:34:17 2011
# Generated by iptables-save v1.4.8 on Fri Oct 7 19:34:17 2011
*nat
:PREROUTING ACCEPT [23:2236]
:POSTROUTING ACCEPT [16:1551]
:OUTPUT ACCEPT [21:1227]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -d 192.168.0.2/32 -p tcp -m tcp --dport 10881 -j DNAT --to-destination 192.168.20.251:3389
-A PREROUTING -d 192.168.0.2/32 -p tcp -m tcp --dport 10882 -j DNAT --to-destination 192.168.20.2:3389
-A PREROUTING -d 192.168.0.2/32 -p tcp -m tcp --dport 10883 -j DNAT --to-destination 192.168.20.3:3389
-A PREROUTING -d 192.168.0.2/32 -p tcp -m tcp --dport 35300 -j DNAT --to-destination 192.168.20.150:35300
-A PREROUTING -d 192.168.0.2/32 -p udp -m udp --dport 35300 -j DNAT --to-destination 192.168.20.150:35300
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Fri Oct 7 19:34:17 2011
# Generated by iptables-save v1.4.8 on Fri Oct 7 19:34:17 2011
*mangle
:PREROUTING ACCEPT [5673:885798]
:INPUT ACCEPT [2119:297874]
:FORWARD ACCEPT [3554:587924]
:OUTPUT ACCEPT [2166:345304]
:POSTROUTING ACCEPT [5720:933228]
COMMIT
# Completed on Fri Oct 7 19:34:17 2011
Create a script that restores the rules after a reboot:
touch /etc/init.d/iptables && chmod +x /etc/init.d/iptables
nano /etc/init.d/iptables
The script should look like this:
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables
# Required-Start: $local_fs
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: add firewall rules.
# Description: add firewall rules
### END INIT INFO
/sbin/iptables-restore < /etc/backup/iptables
Add the script to the boot sequence:
update-rc.d iptables defaults
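The same rule set as a reviewable generator script, added here as an example and not the post's own commands: it prints the iptables commands instead of running them, so the result can be read or diffed against the iptables-save output above before being piped to sh. Interface names, addresses and the forward table mirror the post; compared with the post, the FORWARD chain admits only LAN-initiated traffic, connection-tracked replies and the explicitly forwarded ports instead of everything between eth1 and eth0 (assumes the conntrack match module is available, as on any modern kernel).

```shell
#!/bin/sh
# gen_rules: print the gateway's iptables commands (added example). Values
# below mirror the post: eth1 faces the modem, eth0 the LAN, Squid on 3128.
WAN=eth1
LAN=eth0
WAN_IP=192.168.0.2
LAN_NET=192.168.20.0/24
SQUID_PORT=3128
# Constructed port-forward table: "proto external_port internal_host:port"
FORWARDS='
tcp 10881 192.168.20.251:3389
tcp 10882 192.168.20.2:3389
udp 35300 192.168.20.150:35300
'

gen_rules() {
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "iptables -F; iptables -t nat -F"
    echo "iptables -P FORWARD DROP"
    # Replies to allowed flows come back via connection tracking, so no blanket
    # WAN->LAN accept is needed (the post's "-i eth1 -o eth0 -j ACCEPT" admitted
    # any forwarded WAN->LAN traffic, not only replies).
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE"
    # Transparent proxying: LAN HTTP goes into Squid
    echo "iptables -t nat -A PREROUTING -i $LAN -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
    echo "$FORWARDS" | while read -r proto port dest; do
        [ -n "$proto" ] || continue
        host=${dest%%:*}
        dport=${dest##*:}
        echo "iptables -t nat -A PREROUTING -i $WAN -d $WAN_IP -p $proto --dport $port -j DNAT --to-destination $dest"
        # DNAT only rewrites the address; the FORWARD chain must admit the new flow too
        echo "iptables -A FORWARD -i $WAN -o $LAN -d $host -p $proto --dport $dport -m conntrack --ctstate NEW -j ACCEPT"
    done
}

gen_rules      # review the output, then apply with: gen_rules | sh
```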