Planck (5 October 2015)

  • openSUSE 11.3, 32-bit → Xen-virtualised on an HP ProLiant DL160 under SLES 11 SP1, 64-bit
eth0      inet addr:178.189.48.118  Bcast:178.189.48.254  Mask:255.255.255.0
178.189.48.118/28
eth1      inet addr:192.168.238.254  Bcast:192.168.239.255  Mask:255.255.254.0
192.168.238.254/23
eth2      inet addr:192.168.100.254  Bcast:192.168.101.255  Mask:255.255.254.0
192.168.100.254/23
  • Note: for eth0 the ifconfig line (mask /24) and the CIDR notation (/28) disagree, and 178.189.48.254 is the broadcast address of neither; check which prefix the upstream actually routes before using it in firewall rules. eth1 and eth2 are /23 networks (192.168.238.0 to 192.168.239.255 and 192.168.100.0 to 192.168.101.255), which matters for the /24 source networks used in FW_REDIRECT and in squidGuard below.

sommerfeld

br0       Link encap:Ethernet  HWaddr 9C:B6:54:B8:FA:88
        inet addr:193.170.221.5  Bcast:193.170.221.7  Mask:255.255.255.248
br1       Link encap:Ethernet  HWaddr 9C:8E:99:31:71:62
        inet addr:192.168.238.253  Bcast:192.168.239.255  Mask:255.255.254.0
br2       Link encap:Ethernet  HWaddr 9C:8E:99:31:71:63
        inet addr:192.168.100.15  Bcast:192.168.100.255  Mask:255.255.254.0
  • Note: br2 has a /23 mask but a /24 broadcast (192.168.100.255 instead of 192.168.101.255), the same mix of /23 and /24 that recurs in the firewall, DHCP and squidGuard settings below.

SSH

  • Start the SSH server:
insserv sshd; rcsshd start
  • Protection against break-ins in /etc/ssh/sshd_config (only root may log in; every other user name is rejected before authentication):
...
AllowUsers root
...
rcsshd restart
  • Caveat: this still leaves root reachable with a password on the public eth0 interface (sshd is listed in FW_CONFIGURATIONS_EXT below). Set PasswordAuthentication no and PermitRootLogin without-password (the name of that option in the OpenSSH version of this era) and log in with a key, or use a dedicated admin user with sudo instead of root. Check the file with sshd -t before restarting.
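Added example, not from the original page: the hardened sshd_config that the caveat above describes, next to the page's single AllowUsers line, with a small lint function that reads a config file the way sshd does (first occurrence of a directive wins, comments ignored) and reports password logins or a missing AllowUsers. The directive names exist in OpenSSH 5.x as shipped with openSUSE 11.3; the sample configs are constructed here.

```shell
#!/bin/sh
# Added example: lint an sshd_config for the settings discussed above.
# Assumption: OpenSSH 5.x semantics (first value of a directive wins; Match
# blocks must come last, so the first hit is the global value).

# Hardened variant of the page's config: root only with a key, nobody else,
# no passwords at all.
hardened_sshd_config() {
    cat <<'EOF'
Port 22
PermitRootLogin without-password
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers root
MaxAuthTries 3
LoginGraceTime 30
EOF
}

# Print the effective value of directive $2 in config file $1 (empty if absent).
sshd_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }   # skip comments and bare lines
        { k = tolower($1) }                     # directive names are case-insensitive
        k == key { print $2; exit }             # first occurrence wins
    ' "$1"
}

# Exit 0 if the file disables password logins and restricts users, else
# print what is wrong and exit 1. sshd defaults (yes/yes) apply when absent.
lint_sshd_config() {
    file=$1; rc=0
    pw=$(sshd_directive "$file" PasswordAuthentication)
    root=$(sshd_directive "$file" PermitRootLogin)
    allow=$(sshd_directive "$file" AllowUsers)
    [ "${pw:-yes}" = "no" ] || { echo "PasswordAuthentication should be no (is ${pw:-yes})"; rc=1; }
    case "${root:-yes}" in
        no|without-password|prohibit-password|forced-commands-only) ;;
        *) echo "PermitRootLogin allows password logins (is ${root:-yes})"; rc=1 ;;
    esac
    [ -n "$allow" ] || { echo "AllowUsers is missing"; rc=1; }
    return $rc
}

# Constructed demo: the page's config (AllowUsers root only) vs. the hardened one.
page_cfg=$(mktemp); hard_cfg=$(mktemp)
printf 'AllowUsers root\n' > "$page_cfg"
hardened_sshd_config > "$hard_cfg"
if lint_sshd_config "$page_cfg"; then echo "page config: ok"; else echo "page config: weak"; fi
if lint_sshd_config "$hard_cfg"; then echo "hardened config: ok"; fi
rm -f "$page_cfg" "$hard_cfg"
```

Run it against the real file with lint_sshd_config /etc/ssh/sshd_config; the lint deliberately ignores Match blocks, which only tighten settings further.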

Firewall

  • Configure the SuSE firewall (SuSEfirewall2) via YaST:
yast firewall
  • (x) Enable Firewall Automatic Starting
  • Zones: eth0 external; eth1, eth2 internal
  • (x) Enable masquerading
...
FW_REDIRECT="192.168.100.0/24,0/0,tcp,80,3128 192.168.238.0/24,0/0,tcp,80,3128"
FW_SERVICES_DMZ_TCP="80"
FW_CONFIGURATIONS_EXT="bind dhcp-server sshd"
FW_SERVICES_EXT_TCP="4949"
...
  • Caveats: FW_REDIRECT (source,destination,protocol,port,target port) only sends TCP port 80 from the two /24 networks to Squid. The internal interfaces are /23 and the DHCP ranges below hand out 192.168.101.x and 192.168.239.x, which the /24 entries do not cover, so those clients reach the internet directly through masquerading, bypassing the proxy, the domain blocks and the MAC-based room locks; write /23 here if the /23 ranges are intended. HTTPS (port 443) is never redirected and is therefore unfiltered as well. FW_SERVICES_DMZ_TCP has no effect while no interface is in the DMZ zone. dhcp-server in FW_CONFIGURATIONS_EXT opens DHCP on eth0 although dhcpd listens only on eth1/eth2 (DHCPD_INTERFACE below). Port 4949 (munin-node) and sshd are open to the whole internet on the external zone; restrict 4949 to the munin master (FW_TRUSTED_NETS) instead.

Software repositories

Software

zypper in mc gcc gcc-c++ make htop munin-node
zypper in squid squidGuard bind expect dhcp-server

Hostname and DNS

yast dns
  • Hostname: planck
  • Domain: bgweiz.at
  • DNS1: 8.8.8.8
  • DNS2: 193.170.221.5
  • DNS3: 193.170.221.1

DNS server

  • Take the settings from Einstein (or from another working name server):
  • /etc/named.conf
  • /var/lib/named: .zone .hosts .rev
    • chown -R named:named /var/lib/named
insserv named; rcnamed start

NFS client

  • /etc/fstab
...
193.170.221.1:/tmp/internet /tmp/internet nfs defaults,nolock 0 0
...
mkdir /tmp/internet
mount /tmp/internet
  • Note: this mounts the export from 193.170.221.1, whereas the RONO section below has the web server mount /tmp/internet from 193.170.221.5 (sommerfeld); check which host actually exports the directory. Anyone who can write to that export can unlock every room, because the rono script trusts the file contents, so keep the export restricted to the proxy and the web server.

DHCP server

  • /etc/dhcpd.conf
authoritative;
ddns-update-style none;

# eth2 classroom network (unterrichtsnetz)
subnet 192.168.100.0 netmask 255.255.254.0 {
  authoritative;
  range 192.168.101.1 192.168.101.254;
  #range 192.168.100.30 192.168.100.100;
  default-lease-time 14400;
  max-lease-time 172800;
  option broadcast-address 192.168.101.255;
  option routers 192.168.100.254;
  option subnet-mask 255.255.254.0;
  option netbios-name-servers 192.168.100.254;
  option netbios-node-type 8;
  option domain-name-servers 193.170.221.1, 8.8.4.4, 8.8.8.8;
  option ntp-servers 193.170.221.1;
  # pxe
  filename "pxelinux.0";
  next-server 192.168.100.14;
}

# HP dc7600
#host e01 { hardware ethernet 00:15:60:51:a7:53; fixed-address 192.168.100.61; }
...

# eth1 administration network (verwaltungsnetz)

subnet 192.168.238.0 netmask 255.255.254.0 {
  range 192.168.239.1 192.168.239.254;
#  range 192.168.238.50 192.168.238.200;
  default-lease-time 345600;
  max-lease-time 691200;
  # the broadcast of a /23 starting at .238.0 is .239.255 (see the eth1 output above), not .238.255
  option broadcast-address 192.168.239.255;
  option routers 192.168.238.254;
  option subnet-mask 255.255.254.0;
  option netbios-name-servers 193.170.221.1;
  option domain-name-servers 8.8.8.8, 193.170.221.1;
  option ntp-servers 193.170.221.1;
  # pxe
  filename "pxelinux.0";
  next-server 192.168.238.254;
}
  • /etc/sysconfig/dhcpd
...
DHCPD_INTERFACE="eth1 eth2"
...
insserv dhcpd; rcdhcpd start
  • Check the file with dhcpd -t before starting. The active ranges hand out addresses in the upper half of each /23 (192.168.101.x and 192.168.239.x); the commented-out /24 ranges are what the /24 entries in FW_REDIRECT and the squidGuard source ranges still assume.
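Added example, not from the original page, serving both the Firewall section and the DHCP configuration above: part (1) turns the FW_REDIRECT entries into the plain iptables rules they stand for and answers where a given client's traffic ends up; part (2) recomputes a dhcpd subnet's broadcast address from its netmask. All addresses are the page's own; the PREROUTING/REDIRECT rule form is an assumption, since SuSEfirewall2 generates its own chains.

```shell
#!/bin/sh
# Added example: consistency check of the address plan on this page.

# ---- IPv4 arithmetic -----------------------------------------------------
ip_to_int() {   # "a.b.c.d" -> 32-bit integer
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int_to_ip() {   # 32-bit integer -> "a.b.c.d"
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}
mask_to_int() { # "255.255.254.0" or a prefix length such as "23" -> integer mask
    case $1 in
        *.*) ip_to_int "$1" ;;
        *)   echo $(( (4294967295 << (32 - $1)) & 4294967295 )) ;;
    esac
}
broadcast_of() { # network netmask -> broadcast address
    net=$(ip_to_int "$1"); m=$(mask_to_int "$2")
    int_to_ip $(( (net & m) | (~m & 4294967295) ))
}
in_cidr() {      # address "net/prefix" -> true if the address lies inside
    net=${2%/*}; prefix=${2#*/}
    [ "$net" = "0" ] && net=0.0.0.0      # SuSEfirewall2 writes "0/0" for "anywhere"
    m=$(mask_to_int "$prefix")
    [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "$net") & m )) ]
}

# ---- (1) FW_REDIRECT from the Firewall section ---------------------------
FW_REDIRECT="192.168.100.0/24,0/0,tcp,80,3128 192.168.238.0/24,0/0,tcp,80,3128"

# Print the iptables rule each "src,dst,proto,port,target" entry stands for
# (assumed form; SuSEfirewall2 uses its own chains).
fw_redirect_rules() {
    for entry in $FW_REDIRECT; do
        oldifs=$IFS; IFS=,; set -- $entry; IFS=$oldifs
        dst=$2; [ "$dst" = "0/0" ] && dst=0.0.0.0/0
        printf 'iptables -t nat -A PREROUTING -s %s -d %s -p %s --dport %s -j REDIRECT --to-ports %s\n' \
            "$1" "$dst" "$3" "$4" "$5"
    done
}

# Where does TCP traffic from client $1 to port $2 end up: the proxy port,
# or "direct" (masqueraded straight to the internet, bypassing Squid)?
fw_redirect_target() {
    client=$1; port=$2
    for entry in $FW_REDIRECT; do
        oldifs=$IFS; IFS=,; set -- $entry; IFS=$oldifs
        if [ "$4" = "$port" ] && in_cidr "$client" "$1"; then
            echo "$5"; return 0
        fi
    done
    echo direct
}

# ---- (2) dhcpd subnets ---------------------------------------------------
# Compare "option broadcast-address" with the value implied by subnet/netmask.
check_broadcast() { # subnet netmask configured-broadcast
    want=$(broadcast_of "$1" "$2")
    if [ "$want" = "$3" ]; then
        echo "$1/$2: broadcast $3 ok"
    else
        echo "$1/$2: broadcast $3 is wrong, should be $want"; return 1
    fi
}

# Demo on the page's values (constructed calls; nothing on the system is changed)
fw_redirect_rules
for c in 192.168.100.25 192.168.101.25 192.168.238.7 192.168.239.7; do
    echo "$c port 80 -> $(fw_redirect_target "$c" 80)"
done
echo "192.168.100.25 port 443 -> $(fw_redirect_target 192.168.100.25 443)"
check_broadcast 192.168.100.0 255.255.254.0 192.168.101.255
check_broadcast 192.168.238.0 255.255.254.0 192.168.238.255 || true
```

The demo shows the two findings from the caveats: a DHCP client at 192.168.101.25 or 192.168.239.7 is "direct", i.e. never reaches Squid, and port 443 is direct for everyone; 192.168.238.255 is flagged as a wrong broadcast for a /23.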

Munin

insserv munin-node; rcmunin-node restart

SQUID proxy server

  • /etc/squid/squid.conf
http_port 3128 transparent

# Hand every request to SquidGuard for URL filtering
redirect_program /usr/sbin/squidGuard -c /etc/squidguard.conf
redirect_children 25

cache_mem 24 MB
cache_dir ufs /var/cache/squid/ 100 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl CONNECT method CONNECT
acl Safe_ports port 80 81 443 210 119 70 21 1025-65535

acl unterricht src 192.168.100.0/255.255.254.0
acl verwaltung src 192.168.238.0/255.255.254.0

# MAC addresses of the locked rooms; rewritten by the rono script (see below)
acl internet arp "/tmp/internet/internet.txt"
http_access deny internet

acl blocked-doms dstdomain "/etc/squid/blocked-domains"
http_access deny blocked-doms

# The port check must precede the allow rules, otherwise it is never reached for internal clients
http_access deny !Safe_ports

http_access allow unterricht
http_access allow verwaltung

http_access allow localhost
http_access deny CONNECT
http_access deny all
  • Caveats: "deny CONNECT" is only reached for sources the allow rules did not match, so internal clients may CONNECT to any Safe_port. The arp ACL compares the sender MAC of the request's Ethernet frame; it works only because eth1 and eth2 are directly attached segments, and a user can change a MAC address. Because only port 80 is redirected (FW_REDIRECT), HTTPS never reaches these rules. /tmp/internet/internet.txt must exist and contain at least one line whenever Squid starts or reconfigures, otherwise the internet ACL is undefined and the http_access rule that references it is rejected.
  • /etc/squid/blocked-domains
#.facebook.com
.myspace.com
.studivz.at
.schuelervz.at
  • /etc/squidguard.conf
logdir /var/log/squidGuard
dbhome /var/lib/squidGuard/db/blacklists

src privileged {
         ip 192.168.100.1-192.168.100.254
         ip 192.168.238.1-192.168.238.254
}

dest ads
{
  domainlist      ads/domains
  urllist         ads/urls
}

dest aggressive
{
  domainlist    aggressive/domains
  urllist       aggressive/urls
}

dest gambling
{
  domainlist    gambling/domains
}

dest hacking
{
  domainlist    hacking/domains
  urllist       hacking/urls
}

dest proxy
{
  domainlist    proxy/domains
}

dest violence
{
  domainlist    violence/domains
}

dest warez
{
  domainlist    warez/domains
  urllist       warez/urls
}

dest porn
{
  domainlist      porn/domains
  urllist         porn/urls
}

dest drugs
{
  domainlist      drugs/domains
  urllist         drugs/urls
}

acl {
         privileged {
             pass !drugs !ads !porn !hacking !proxy !violence !warez all # !proxy !violence !warez all
         }

         default {
             pass none
             redirect http://193.170.221.5
         }
}
chown squid -R /var/lib/squidGuard/
chmod 755 -R /var/lib/squidGuard/db/blacklists
insserv squid; rcsquid start
  • Caveat: the privileged source ranges above cover only 192.168.100.1 to 192.168.100.254 and 192.168.238.1 to 192.168.238.254, while the DHCP ranges in the DHCP server section hand out 192.168.101.x and 192.168.239.x. Those clients fall into the default ACL (pass none) and every request of theirs is redirected to http://193.170.221.5. Extend the ranges (for example ip 192.168.100.1-192.168.101.254) if the /23 DHCP ranges are intended. squidGuard runs as user squid and must be able to read the compiled .db files; if it cannot, it switches to emergency mode and passes every request unfiltered, which shows up in the log under /var/log/squidGuard.

Maintenance

  • Reload the Squid configuration
squid -k reconfigure
  • Restart Squid
rcsquid restart
  • Rebuild the blacklist databases (takes a long time). Fix the ownership afterwards, because databases compiled by root are unreadable to squidGuard, which then falls back to emergency mode and passes everything; start Squid again when done:
rcsquid stop
squidGuard -C all
chown squid -R /var/lib/squidGuard/
rcsquid start

Block downloads of .exe files

  • /etc/squid/squid.conf (the two lines must come before the http_access allow lines for unterricht and verwaltung, otherwise Squid never evaluates them for internal clients)
...
acl EXE urlpath_regex \.[eE][xX][eE]
http_access deny EXE
...
  • Caveat: the pattern matches ".exe" anywhere in the URL path (also /update.exec or /setup.exe.txt) and looks only at the URL, not at the content, so a renamed file or an HTTPS download passes. Squid also accepts urlpath_regex -i \.exe$ for a case-insensitive match anchored at the end of the path.

RONO Romans Online Netzwerk Obdrahrer

Lock a room manually

IKT: write a 0 into planck:/tmp/internet/ikt_file
EG: write a 0 into planck:/tmp/internet/eg_file
UG: write a 0 into planck:/tmp/internet/ug_file

Release a room manually

IKT: write a 1 into planck:/tmp/internet/ikt_file
EG: write a 1 into planck:/tmp/internet/eg_file
UG: write a 1 into planck:/tmp/internet/ug_file
  • /sbin/rono
  • /sbin/rcrono (ln -sf /etc/init.d/rono /sbin/rcrono)
  • /etc/init.d/rono
insserv rono; rcrono start
  • The following PHP script on the web server writes the surf status of each room into its file (ug_file, eg_file, ikt_file).

The /tmp/internet directory is mounted by the web server via NFS.

Web server: /etc/fstab
193.170.221.5:/tmp/internet /tmp/internet
<?php include("header.php"); ?>

<?php buildtitle("Internetkontrolle"); ?>

<br /><br />

<?php
// Status files in /tmp/internet (NFS-mounted from the proxy): "1" = surfing
// allowed, "0" = room locked. The rono script on the proxy polls them.
// Access control is assumed to happen in header.php, which must also call
// session_start() so that $_SESSION['user'] is available here.
$ug_file  = "ug_file";
$eg_file  = "eg_file";
$ikt_file = "ikt_file";
$author   = "author";

// Read the current status of a room; anything other than "1" counts as locked.
function read_status($file)
{
    $lines = @file($file);
    return ($lines !== false && isset($lines[0]) && trim($lines[0]) === "1") ? 1 : 0;
}

// Take the new status from the request, but accept only "0" or "1". The
// original wrote $_GET straight into the file, so any string could end up
// in the files that rono compares against "0".
function requested_status($param, $current)
{
    if (!isset($_GET[$param])) {
        return $current;
    }
    if ($_GET[$param] === "0" || $_GET[$param] === "1") {
        return (int) $_GET[$param];
    }
    return $current;
}

// Overwrite a status file with a single value (no trailing newline; rono
// reads it with cat and compares the result against "0").
function write_status($file, $value)
{
    $fp = fopen($file, "w");
    if ($fp === false) {
        return false;
    }
    fwrite($fp, (string) $value);
    fclose($fp);
    return true;
}

$ug  = requested_status("newug",  read_status($ug_file));
$eg  = requested_status("neweg",  read_status($eg_file));
$ikt = requested_status("newikt", read_status($ikt_file));

write_status($ug_file,  $ug);
write_status($eg_file,  $eg);
write_status($ikt_file, $ikt);

// Remember who made the last change.
$who  = @file($author);
$last = ($who !== false && isset($who[0])) ? trim($who[0]) : "";

if (isset($_GET['newug']) || isset($_GET['neweg']) || isset($_GET['newikt'])) {
    $last = isset($_SESSION['user']) ? $_SESSION['user'] : "unknown";
    write_status($author, $last);
}

// For each room the link toggles the status; the link text shows the current one.
$switchug  = $ug  ? 0 : 1; $statusug  = $ug  ? "ein" : "aus";
$switcheg  = $eg  ? 0 : 1; $statuseg  = $eg  ? "ein" : "aus";
$switchikt = $ikt ? 0 : 1; $statusikt = $ikt ? "ein" : "aus";

echo "
<h3>Derzeitiger Status:</h3>
<table>
<tr><td width=200>Saal</td><td></td></tr>
<tr><td>UG</td><td><a href='?newug=$switchug&amp;neweg=$eg&amp;newikt=$ikt'>$statusug</a></td></tr>
<tr><td>EG</td><td><a href='?neweg=$switcheg&amp;newug=$ug&amp;newikt=$ikt'>$statuseg</a></td></tr>
<tr><td>IKT</td><td><a href='?newikt=$switchikt&amp;newug=$ug&amp;neweg=$eg'>$statusikt</a></td></tr>
</table>";

// Escape the stored user name before putting it into the page.
echo "<br />zuletzt gesetzt von: " . htmlspecialchars($last) . "!";
?>

<?php include("footer.php"); ?>
  • /etc/squid/surfen_sperren/ug.txt on the proxy server contains the MAC addresses to be blocked (one per line)

mac_ug

  • squid.conf: the file internet.txt (containing the corresponding MAC addresses) controls access to the internet
    • see above…
  • The following shell script on the proxy server rebuilds internet.txt in an endless loop whenever a room status file changes and then reloads Squid's configuration (squid -k reconfigure).
  • /sbin/rono
#!/bin/bash
# rono: rebuild /tmp/internet/internet.txt (the MAC list behind the
# "acl internet arp" rule in squid.conf) whenever one of the room status
# files changes, then tell Squid to reload its configuration.

STATE=/tmp/internet
LISTS=/etc/squid/surfen_sperren

while true
do
    surfen=0

    # Compare each status file with the copy from the previous round; any
    # difference (or a missing copy on the first run) triggers a rebuild.
    for room in ug eg ikt
    do
        cat "$STATE/${room}_file" > "/tmp/${room}a" 2>/dev/null
        diff "/tmp/${room}a" "/tmp/${room}b" > /dev/null 2>&1 || surfen=1
        cp "/tmp/${room}a" "/tmp/${room}b"
    done

    if [ "$surfen" = "1" ] ; then
        # Always start with the never-matching placeholder: an empty ACL file
        # would leave the "internet" acl undefined and break the http_access
        # rule on reconfigure (the original only did this if the file existed).
        echo "00:00:00:00:00:00" > "$STATE/internet.txt"

        for room in ug eg ikt
        do
            status=$(cat "$STATE/${room}_file")
            # "0" means the room is locked: append its MAC addresses to the block list
            if [ "$status" = "0" ]; then
                cat "$LISTS/$room.txt" >> "$STATE/internet.txt"
            fi
        done

        /usr/sbin/squid -k reconfigure
    fi

    sleep 3
done
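Added example, not part of the page or of the rono script: rono concatenates the room files verbatim, so a comment line, a Windows line ending or a typo in ug.txt ends up in the list Squid loads for "acl internet arp" and produces a parse error on reconfigure. The functions below validate and normalise such a list and build the block list the way rono writes it (placeholder first). File names are the page's; the sample room file is constructed.

```shell
#!/bin/sh
# Added example: validate a MAC list before it goes into internet.txt.

# Print the valid MAC addresses of file $1, lower-case and colon-separated,
# without duplicates. Anything else is reported on stderr; exit 1 if any line was bad.
normalise_mac_list() {
    tmp=$(mktemp); out=$(mktemp); bad=0
    tr -d '\r' < "$1" > "$tmp"                       # drop CR from CRLF files
    while IFS= read -r line || [ -n "$line" ]; do    # also handles a missing final newline
        # strip comments and whitespace, fold case, accept "-" as separator
        mac=$(printf '%s' "$line" | sed 's/#.*//; s/[[:space:]]//g' | tr 'ABCDEF-' 'abcdef:')
        [ -z "$mac" ] && continue                    # empty or comment-only line
        if printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
            echo "$mac" >> "$out"
        else
            echo "rejected line in $1: $line" >&2; bad=1
        fi
    done < "$tmp"
    sort -u "$out"
    rm -f "$tmp" "$out"
    return $bad
}

# What rono should write: the never-matching placeholder first, so the ACL
# file is never empty, then the cleaned addresses of every locked room's file.
build_block_list() {
    echo "00:00:00:00:00:00"
    for f in "$@"; do
        normalise_mac_list "$f" || echo "warning: $f contained invalid lines" >&2
    done
}

# Constructed sample in the style of /etc/squid/surfen_sperren/ug.txt:
# a comment, mixed case, dash separators, a CRLF line, a duplicate, a typo.
room=$(mktemp)
printf '# UG, PCs 1-3\n00:15:60:51:A7:53\n00-15-60-51-a7-54\n00:15:60:51:a7:55\r\n00:15:60:51:A7:53\nnot a mac\n' > "$room"
build_block_list "$room"
rm -f "$room"
```

In rono, replacing each cat of a room file with normalise_mac_list keeps a bad line in one room's file from taking the filter down for all rooms; the rejected lines show up in the script's stderr.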

Miscellaneous guides

planck.txt · Last modified: 2015/10/07 19:09 by admin