eth0 inet Adresse:178.189.48.118 Bcast:178.189.48.254 Maske:255.255.255.0 178.189.48.118/28
eth1 inet Adresse:192.168.238.254 Bcast:192.168.239.255 Maske:255.255.254.0 192.168.238.254/23
eth2 inet Adresse:192.168.100.254 Bcast:192.168.101.255 Maske:255.255.254.0 192.168.100.254/23
br0 Link encap:Ethernet Hardware Adresse 9C:B6:54:B8:FA:88
inet Adresse:193.170.221.5 Bcast:193.170.221.7 Maske:255.255.255.248
br1 Link encap:Ethernet Hardware Adresse 9C:8E:99:31:71:62
inet Adresse:192.168.238.253 Bcast:192.168.239.255 Maske:255.255.254.0
br2 Link encap:Ethernet Hardware Adresse 9C:8E:99:31:71:63
inet Adresse:192.168.100.15 Bcast:192.168.100.255 Maske:255.255.254.0
insserv sshd; rcsshd start
... AllowUsers root ...
rcsshd restart
yast firewall
... FW_REDIRECT="192.168.100.0/24,0/0,tcp,80,3128 192.168.238.0/24,0/0,tcp,80,3128" FW_SERVICES_DMZ_TCP="80" FW_CONFIGURATIONS_EXT="bind dhcp-server sshd" FW_SERVICES_EXT_TCP="4949" ...
zypper in mc gcc gcc-c++ make htop munin-node
zypper in squid squidGuard bind expect dhcp-server
yast dns
insserv named; rcnamed start
... 193.170.221.1:/tmp/internet /tmp/internet nfs defaults,nolock 0 0 ...
mkdir /tmp/internet
mount /tmp/internet
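# dhcpd.conf -- global settings
# "authoritative" is set once here for all subnets; the copy that used to sit
# inside the eth2 subnet block below was redundant and has been dropped.
authoritative;
ddns-update-style none;

# eth2: classroom network (Unterrichtsnetz), 192.168.100.0/23
subnet 192.168.100.0 netmask 255.255.254.0 {
    # Dynamic clients are given the upper /24 (192.168.101.x) only; the lower
    # /24 is presumably kept for hosts with fixed addresses (see the commented
    # host entry below) -- confirm, since squidGuard's "privileged" source
    # group covers only the lower /24.
    range 192.168.101.1 192.168.101.254;
    #range 192.168.100.30 192.168.100.100;
    default-lease-time 14400;
    max-lease-time 172800;
    # Broadcast of a /23 is x.x.101.255
    option broadcast-address 192.168.101.255;
    option routers 192.168.100.254;
    option subnet-mask 255.255.254.0;
    option netbios-name-servers 192.168.100.254;
    option netbios-node-type 8;
    option domain-name-servers 193.170.221.1, 8.8.4.4, 8.8.8.8;
    option ntp-servers 193.170.221.1;
    # PXE boot
    filename "pxelinux.0";
    next-server 192.168.100.14;
}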
# HP dc7600
#host e01 { hardware ethernet 00:15:60:51:a7:53; fixed-address 192.168.100.61; }
...
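# eth1: administration network (Verwaltungsnetz), 192.168.238.0/23
subnet 192.168.238.0 netmask 255.255.254.0 {
    # Dynamic clients are given the upper /24 (192.168.239.x) only, as on eth2.
    range 192.168.239.1 192.168.239.254;
    # range 192.168.238.50 192.168.238.200;
    default-lease-time 345600;
    max-lease-time 691200;
    # Broadcast of a /23 is x.x.239.255 (matches eth1's "Bcast" in the interface
    # list above); the previous value 192.168.238.255 was wrong for this mask.
    option broadcast-address 192.168.239.255;
    option routers 192.168.238.254;
    option subnet-mask 255.255.254.0;
    option netbios-name-servers 193.170.221.1;
    # Duplicate 8.8.8.8 entry removed; order otherwise unchanged.
    option domain-name-servers 8.8.8.8, 193.170.221.1;
    option ntp-servers 193.170.221.1;
    # PXE boot
    filename "pxelinux.0";
    next-server 192.168.238.254;
}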
... DHCPD_INTERFACE="eth1 eth2" ...
insserv dhcpd; rcdhcpd start
insserv munin-node; rcmunin-node restart
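# squid.conf -- transparent proxy for the classroom (unterricht) and
# administration (verwaltung) networks.
# Only TCP/80 is redirected here by the FW_REDIRECT rule in the firewall
# configuration, so HTTPS traffic is neither filtered by squidGuard nor
# affected by the room switch below.
http_port 3128 transparent

# Every request is handed to squidGuard for URL filtering
redirect_program /usr/sbin/squidGuard -c /etc/squidguard.conf
redirect_children 25

cache_mem 24 MB
cache_dir ufs /var/cache/squid/ 100 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log

acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl CONNECT method CONNECT
acl Safe_ports port 80 81 443 210 119 70 21 1025-65535
acl unterricht src 192.168.100.0/255.255.254.0
acl verwaltung src 192.168.238.0/255.255.254.0

# MAC addresses of the clients whose room is currently switched off. The file
# is rebuilt by the watcher script whenever a room flag changes, followed by
# "squid -k reconfigure". Matching is by ARP, i.e. it only works because squid
# sits on the same network segment as the clients.
acl internet arp "/tmp/internet/internet.txt"
acl blocked-doms dstdomain "/etc/squid/blocked-domains"

# http_access rules are evaluated top to bottom and the first match wins, so
# every deny that is meant to apply to the two LANs must come before their
# "allow" lines. "deny !Safe_ports" used to follow the allows and therefore
# never applied to LAN clients; it is now evaluated first.
http_access deny internet
http_access deny blocked-doms
http_access deny !Safe_ports
http_access allow unterricht
http_access allow verwaltung
http_access allow localhost
# Only reachable for sources outside the two LANs (those are already allowed).
http_access deny CONNECT
http_access deny all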
#.facebook.com .myspace.com .studivz.at .schuelervz.at
# (The line above is a leftover domain list that no rule here references;
#  presumably it belongs in /etc/squid/blocked-domains -- confirm.)
#
# squidguard.conf -- URL filter invoked by squid as redirect_program.
# The blacklist categories live below dbhome; each "dest" is one category.
logdir /var/log/squidGuard
dbhome /var/lib/squidGuard/db/blacklists
# Source group that may browse (minus the denied categories in the acl block).
# NOTE(review): these ranges cover only the lower /24 of each /23
# (192.168.100.x and 192.168.238.x). The DHCP pools in dhcpd.conf hand out
# 192.168.101.x and 192.168.239.x, so dynamically addressed clients fall
# through to "default" below and are redirected for every URL. Confirm this is
# intended (only fixed-address hosts may browse) rather than a leftover from
# the old, commented-out DHCP ranges.
src privileged {
ip 192.168.100.1-192.168.100.254
ip 192.168.238.1-192.168.238.254
}
# Blacklist categories (paths are relative to dbhome)
dest ads
{
domainlist ads/domains
urllist ads/urls
}
dest aggressive
{
domainlist aggressive/domains
urllist aggressive/urls
}
# Defined but not denied in the acl block below
dest gambling
{
domainlist gambling/domains
}
dest hacking
{
domainlist hacking/domains
urllist hacking/urls
}
dest proxy
{
domainlist proxy/domains
}
dest violence
{
domainlist violence/domains
}
dest warez
{
domainlist warez/domains
urllist warez/urls
}
dest porn
{
domainlist porn/domains
urllist porn/urls
}
dest drugs
{
domainlist drugs/domains
urllist drugs/urls
}
acl {
privileged {
# Everything except the listed categories; note that "aggressive" and
# "gambling" are defined above but not denied here.
pass !drugs !ads !porn !hacking !proxy !violence !warez all # !proxy !violence !warez all
}
# Any other source: nothing passes, every request is redirected to the
# br0 address of this host (see the interface list at the top of the page).
default {
pass none
redirect http://193.170.221.5
}
}
chown squid -R /var/lib/squidGuard/ chmod 755 -R /var/lib/squidGuard/db/blacklists
insserv squid; rcsquid start
squid -k reconfigure
rcsquid restart
rcsquid stop squidGuard -C all
... acl EXE urlpath_regex \.[eE][xX][eE] http_access deny EXE ...
IKT: plank:/tmp/internet/ikt_file eine 0 eintragen
EG: plank:/tmp/internet/eg_file eine 0 eintragen
UG: plank:/tmp/internet/ug_file eine 0 eintragen
IKT: plank:/tmp/internet/ikt_file eine 1 eintragen
EG: plank:/tmp/internet/eg_file eine 1 eintragen
UG: plank:/tmp/internet/ug_file eine 1 eintragen
insserv rono; rcrono start
Das Verzeichnis /tmp/internet wird vom Webserver über NFS eingebunden.
Webserver: /etc/fstab 193.170.221.5:/tmp/internet /tmp/internet
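<?php include("header.php"); ?>
<?php buildtitle("Internetkontrolle"); ?>
<br /><br />
<?php
// Internet switch for the three rooms UG, EG and IKT.
//
// Each room has a flag file (relative to the web root) holding a single "0"
// (internet off) or "1" (internet on). The watcher script on the proxy reads
// these files over the shared directory and rebuilds the squid MAC list, and
// compares them literally against "0", so the files must contain exactly "0"
// or "1" with no trailing newline.
//
// NOTE(review): the switch is flipped by a plain GET link without a request
// token, so any page a logged-in user visits could toggle it. A POST form
// with a per-session token is the usual fix; it depends on the session set-up
// done in header.php, which is not visible here.

$ug_file  = "ug_file";
$eg_file  = "eg_file";
$ikt_file = "ikt_file";
$author   = "author";

/**
 * Read a flag file and normalise its content to "0" or "1".
 *
 * @param string $path  flag file
 * @return string "1" only if the first line is exactly "1" (after trimming);
 *                a missing, empty or corrupted file yields "0" (fail closed).
 */
function read_flag($path) {
    if (!is_file($path)) {
        return "0";
    }
    $lines = file($path);
    if ($lines === false || !isset($lines[0])) {
        return "0";
    }
    return (trim($lines[0]) === "1") ? "1" : "0";
}

/**
 * Take a new flag value from the query string if it is valid.
 *
 * @param string $param    GET parameter name (newug / neweg / newikt)
 * @param string $current  value kept when the parameter is absent or invalid
 * @return string "0", "1" or $current; only these two literal values are
 *                accepted, so request data can never end up in the flag files
 *                or be reflected into the links built below.
 */
function requested_flag($param, $current) {
    if (!isset($_GET[$param]) || !is_string($_GET[$param])) {
        return $current;
    }
    $value = $_GET[$param];
    return ($value === "0" || $value === "1") ? $value : $current;
}

/**
 * Overwrite a file with a short string (no newline appended).
 *
 * @param string $path
 * @param string $value
 * @return bool false if the file could not be opened or written
 */
function write_flag($path, $value) {
    $fp = fopen($path, "w+");
    if ($fp === false) {
        return false;
    }
    $ok = (fwrite($fp, $value) !== false);
    fclose($fp);
    return $ok;
}

/**
 * Build one table row: room label plus a link that toggles this room's flag
 * while carrying the other two rooms' current values along unchanged.
 *
 * @param string $label   room name shown in the table
 * @param string $param   GET parameter that sets this room
 * @param string $flag    current flag of this room ("0" / "1")
 * @param array  $others  param => flag for the two other rooms, in link order
 * @return string HTML table row
 */
function room_row($label, $param, $flag, $others) {
    $toggle = ($flag === "1") ? "0" : "1";
    $status = ($flag === "1") ? "ein" : "aus";
    // The toggled parameter comes first, as in the original links.
    $query = http_build_query(array($param => $toggle) + $others);
    return "<tr><td>" . htmlspecialchars($label, ENT_QUOTES)
         . "</td><td><a href='?" . htmlspecialchars($query, ENT_QUOTES) . "'>"
         . $status . "</a></td></tr>";
}

// Current state with any valid request overrides applied.
$ug  = requested_flag('newug',  read_flag($ug_file));
$eg  = requested_flag('neweg',  read_flag($eg_file));
$ikt = requested_flag('newikt', read_flag($ikt_file));

// Always write all three back; this also normalises whatever was in the files.
write_flag($ug_file,  $ug);
write_flag($eg_file,  $eg);
write_flag($ikt_file, $ikt);

// Record who changed something, and only then read the author back, so the
// page shows the current setter rather than the previous one.
if (isset($_GET['newug']) || isset($_GET['neweg']) || isset($_GET['newikt'])) {
    // assumes header.php has started the session and set $_SESSION['user'] -- TODO confirm
    $user = (isset($_SESSION['user']) && is_string($_SESSION['user'])) ? $_SESSION['user'] : "";
    write_flag($author, $user);
}
$who_lines = is_file($author) ? file($author) : false;
$who = ($who_lines !== false && isset($who_lines[0])) ? trim($who_lines[0]) : "";

echo "<h3>Derzeitiger Status:</h3>\n";
echo "<table>\n";
echo "<tr><td width=200>Saal</td><td></td></tr>\n";
echo room_row("UG",  "newug",  $ug,  array("neweg" => $eg, "newikt" => $ikt)) . "\n";
echo room_row("EG",  "neweg",  $eg,  array("newug" => $ug, "newikt" => $ikt)) . "\n";
echo room_row("IKT", "newikt", $ikt, array("newug" => $ug, "neweg"  => $eg)) . "\n";
echo "</table>\n";
// Escaped on output: the author file holds session data this page does not control.
echo "<br />zuletzt gesetzt von: " . htmlspecialchars($who, ENT_QUOTES) . "!";
?>
<?php include("footer.php"); ?>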
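#!/bin/bash
# Watcher for the per-room internet switch.
#
# Every 3 seconds the three room flag files in /tmp/internet (a directory shared
# with the web server over NFS) are compared with the copy seen on the previous
# pass. When any of them changed, /tmp/internet/internet.txt -- the MAC list
# squid reads through 'acl internet arp ...' -- is rebuilt from the per-room
# MAC lists in /etc/squid/surfen_sperren/ and squid is told to reconfigure.

flag_dir=/tmp/internet
mac_dir=/etc/squid/surfen_sperren
acl_file=$flag_dir/internet.txt
rooms="ug eg ikt"

# The "previous pass" copies live in a private directory instead of fixed
# names in the shared /tmp (/tmp/uga, /tmp/ugb, ...), which any local user
# could pre-create or replace with a symlink.
state_dir=$(mktemp -d) || exit 1
trap 'rm -rf "$state_dir"' EXIT

# flag_changed ROOM: returns 0 when ROOM's flag file differs from the copy of
# the previous pass (or no copy exists yet) and refreshes that copy.
flag_changed() {
    local room=$1
    local current="$state_dir/$1.cur"
    local previous="$state_dir/$1.prev"
    cat "$flag_dir/${room}_file" > "$current"
    if cmp -s "$current" "$previous"; then
        return 1
    fi
    cp "$current" "$previous"
    return 0
}

# Rebuild the squid MAC list from the rooms whose flag is "0" (internet off).
# The list is assembled in a temporary file next to the target and renamed
# into place, so squid never reads a half-written list.
rebuild_acl() {
    local tmp room
    tmp=$(mktemp "$acl_file.XXXXXX") || return 1
    # The original script always kept an all-zero MAC as first entry,
    # presumably so the list is never empty -- TODO confirm squid's behaviour
    # on an empty arp list before removing it.
    echo "00:00:00:00:00:00" > "$tmp"
    for room in $rooms; do
        if [ "$(cat "$flag_dir/${room}_file")" = "0" ]; then
            cat "$mac_dir/$room.txt" >> "$tmp"
        fi
    done
    mv -f "$tmp" "$acl_file"
}

while true; do
    changed=0
    # Every room is checked on each pass so all previous-pass copies stay current.
    for room in $rooms; do
        if flag_changed "$room"; then
            changed=1
        fi
    done
    if [ "$changed" = "1" ]; then
        # Only reload squid when the new list was actually written.
        rebuild_acl && /usr/sbin/squid -k reconfigure
    fi
    sleep 3
done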