Benutzer-Werkzeuge
planck
Dies ist eine alte Version des Dokuments!
Inhaltsverzeichnis
Planck (5. August 2010)
- openSUSE 11.3, 32-Bit, 32 GB HDD, 3 GB RAM
- DELL Pizzaschachtel-Server
SSH
- SSH-Server starten:
insserv sshd; rcsshd start
- Schutz vor Einbrüchen /etc/ssh/sshd_config :
... AllowUsers root ...
rcsshd restart
-
- auf 192.168.100.2
Firewall
- SuSE-Firewall deaktivieren:
yast firewall
- (x) Enable Firewall Automatic Starting
- Zonen: eth0 extern; eth1, eth2 intern
- (x) Masquerading aktivieren
... FW_REDIRECT="192.168.100.0/24,0/0,tcp,80,3128 192.168.238.0/24,0/0,tcp,80,3128" FW_SERVICES_DMZ_TCP="80" FW_CONFIGURATIONS_EXT="bind dhcp-server sshd" FW_SERVICES_EXT_TCP="4949" ...
Netzwerkkonfiguration
- eth0: 193.170.221.5/29
- eth1: 192.168.238.254/24
- eth2: 192.168.100.254/24
Software-Repositories
- OSS
- NON-OSS
- Update
- Packman: http://packman.inode.at
Software
zypper in mc gcc gcc-c++ make htop munin-node
zypper in squid squidGuard bind expect dhcp-server
Hostnamen und DNS
yast dns
- Hostname: planck
- Domaine: bgweiz.at
- DNS1: 193.171.4.60
- DNS2: 193.170.221.5
- DNS3: 193.170.221.1
DNS Server
- Einstellungen von Einstein (oder anderen funktionierenden Nameserver) übernehmen:
- /etc/named.conf
- /var/lib/named: .zone .hosts .rev
- chown -R named:named /var/lib/named
insserv named; rcnamed start
NFS-Client
- /etc/fstab
... 193.170.221.1:/tmp/internet /tmp/internet nfs defaults,nolock 0 0 ...
mkdir /tmp/internet
mount /tmp/internet
DHCP Server
- /etc/dhcpd.conf
authoritative;
ddns-update-style none;
#eth2 unterrichtsnetz
subnet 192.168.100.0 netmask 255.255.255.0 {
range 192.168.100.60 192.168.100.200;
default-lease-time 3600;
max-lease-time 172800;
option broadcast-address 192.168.100.255;
option routers 192.168.100.254;
option subnet-mask 255.255.255.0;
option netbios-name-servers 193.170.221.1;
option domain-name-servers 193.170.221.1, 193.170.221.3, 193.171.4.60;
#option domain-name-servers 8.8.8.8, 193.171.4.60;
option ntp-servers 193.170.221.1;
}
# eth1 verwaltungsnetz
subnet 192.168.238.0 netmask 255.255.255.0 {
range 192.168.238.100 192.168.238.200;
default-lease-time 345600;
max-lease-time 691200;
option broadcast-address 192.168.238.255;
option routers 192.168.238.254;
option subnet-mask 255.255.255.0;
option netbios-name-servers 193.170.221.1;
option domain-name-servers 193.170.221.1, 193.170.221.3, 193.171.4.60;
#option domain-name-servers 8.8.8.8, 193.171.4.60;
option ntp-servers 193.170.221.1;
}
- /etc/sysconfig/dhcpd
... DHCPD_INTERFACE="eth1 eth2" ...
insserv dhcpd; rcdhcpd start
Munin
insserv munin-node; rcmunin-node restart
SQUID Proxyserver
- /etc/squid/squid.conf
http_port 3128 transparent # Umleiten auf SquidGuard redirect_program /usr/sbin/squidGuard -c /etc/squidguard.conf redirect_children 25 cache_mem 24 MB cache_dir ufs /var/cache/squid/ 100 16 256 cache_access_log /var/log/squid/access.log cache_log /var/log/squid/cache.log cache_store_log /var/log/squid/store.log acl all src 0.0.0.0/0.0.0.0 acl localhost src 127.0.0.1/255.255.255.255 acl CONNECT method CONNECT acl Safe_ports port 80 81 443 210 119 70 21 1025-65535 acl unterricht src 192.168.100.0/255.255.255.0 acl verwaltung src 192.168.238.0/255.255.255.0 acl internet arp "/tmp/internet/internet.txt" http_access deny internet acl blocked-doms dstdomain "/etc/squid/blocked-domains" http_access deny blocked-doms http_access allow unterricht http_access allow verwaltung http_access deny !Safe_ports http_access allow localhost http_access deny CONNECT http_access deny all
- /etc/squid/blocked-domains
#.facebook.com .myspace.com .studivz.at .schuelervz.at
- /etc/squidguard.conf
logdir /var/log/squidGuard
dbhome /var/lib/squidGuard/db/blacklists
src privileged {
ip 192.168.100.1-192.168.100.254
ip 192.168.238.1-192.168.238.254
}
dest ads
{
domainlist ads/domains
urllist ads/urls
}
dest aggressive
{
domainlist aggressive/domains
urllist aggressive/urls
}
dest gambling
{
domainlist gambling/domains
}
dest hacking
{
domainlist hacking/domains
urllist hacking/urls
}
dest proxy
{
domainlist proxy/domains
}
dest violence
{
domainlist violence/domains
}
dest warez
{
domainlist warez/domains
urllist warez/urls
}
dest porn
{
domainlist porn/domains
urllist porn/urls
}
dest drugs
{
domainlist drugs/domains
urllist drugs/urls
}
acl {
privileged {
pass !drugs !ads !porn !hacking !proxy !violence !warez all # !proxy !violence !warez all
}
default {
pass none
redirect http://193.170.221.5
}
}
chown squid -R /var/lib/squidGuard/ chmod 755 -R /var/lib/squidGuard/db/blacklists
insserv squid; rcsquid start
Wartungsarbeiten
- Squid Konfiguration neu einlesen
squid -k reconfigure
- Squid neu starten
rcsquid restart
- Blacklists neu einlesen (dauert sehr lange):
rcsquid stop squidGuard -C all
Download von .exe Dateien blockieren
- /etc/squid/squid.conf
... acl EXE urlpath_regex \.[eE][xX][eE] http_access deny EXE ...
RONO Romans Online Netzwerk Obdrahrer
- /sbin/rono
- /sbin/rcrono (ln -sf /etc/init.d/rono /sbin/rcrono)
- /etc/init.d/rono
insserv rono; rcrono start
- Folgendes PHP-Skript trägt am Webserver den Surf-Status in eine Datei (ug_file) ein. Diese Datei wird über NFS am Proxy-Server eingebunden.
<? include("header.php"); ?> <? buildtitle("Internetkontrolle"); ?> <br /><br /> <? $ug_file="ug_file"; $eg_file="eg_file"; $ikt_file="ikt_file"; $author="author"; $fp = fopen($ug_file); $ug_status = file($ug_file); $ug = $ug_status[0]; $fp = fclose($fp); $fp = fopen($eg_file); $eg_status = file($eg_file); $eg = $eg_status[0]; $fp = fclose($fp); $fp = fopen($ikt_file); $ikt_status = file($ikt_file); $ikt = $ikt_status[0]; $fp = fclose($fp); $fp = fopen($ug_file, "w+"); if (isset($_GET['newug'])) { $ug=$_GET['newug']; } fwrite($fp, $ug); fclose($fp); $fp = fopen($eg_file, "w+"); if (isset($_GET['neweg'])) { $eg=$_GET['neweg']; } fwrite($fp, $eg); fclose($fp); $fp = fopen($ikt_file, "w+"); if (isset($_GET['newikt'])) { $ikt=$_GET['newikt']; } fwrite($fp, $ikt); fclose($fp); $fp = fopen($author, "r"); $who = file($author); fclose($pf); if (isset($_GET['newug']) || isset($_GET['neweg']) || isset($_GET['newikt']) ) { $fp = fopen($author, "w+"); fwrite($fp, $_SESSION['user']); fclose($fp); } if ($ug==1) { $switchug=0; $statusug="ein"; } else { $switchug=1; $statusug="aus"; } if ($eg==1) { $switcheg=0; $statuseg="ein"; } else { $switcheg=1; $statuseg="aus"; } if ($ikt==1) { $switchikt=0; $statusikt="ein"; } else { $switchikt=1; $statusikt="aus"; } echo " <h3>Derzeitiger Status:</h3> <table> <tr><td width=200>Saal</td><td></td></tr> <tr><td>UG</td><td><a href='?newug=".$switchug."&&neweg=".$eg."&&newikt=".$ikt."'>".$statusug."</a></td></tr> <tr><td>EG</td><td><a href='?neweg=".$switcheg."&&newug=".$ug."&&newikt=".$ikt."'>".$statuseg."</a></td></tr> <tr><td>IKT</td><td><a href='?newikt=".$switchikt."&&newug=".$ug."&&neweg=".$eg."'>".$statusikt."</a></td></tr> </table>"; echo "<br />zuletzt gesetzt von: ".$who[0]."!"; ?> <? include("footer.php"); ?>
- ug.txt am Proxy-Server enthält die zu sperrenden MAC-Adressen
00:0C:6E:CC:D5:DA 00:0C:6E:CC:D6:11 00:0C:6E:E3:A8:8C 00:0C:6E:E3:A7:2E 00:0C:6E:E3:A5:C7 00:11:2F:15:17:1D 00:0C:6E:E3:A8:70 00:0C:6E:E3:A6:D7 # beamerrechner ug09 00:0C:6E:E3:A8:6D 00:0C:6E:CC:D3:61 00:0C:6E:CC:D5:8E 00:0C:6E:CC:D6:0B 00:0C:6E:E3:A8:92 00:0C:6E:E3:A6:C8 00:11:2F:1D:5A:A5 00:0C:6E:E3:AA:CD
- squid.conf - mit der Datei internet.txt (enthält die entsprechenden MAC-Adressen) wird der Zugriff auf das Internet gesteuert
- siehe oben…
- Folgendes Shell-Skript auf dem Proxy-Server aktualisiert in einer Endlosschleife die Datei internet.txt und startet squid neu.
- /sbin/rono
#!/bin/bash while true do surfen=0 cat /tmp/internet/ug_file > /tmp/uga diff /tmp/uga /tmp/ugb >> /dev/null 2>&1 || surfen=1 cp /tmp/uga /tmp/ugb cat /tmp/internet/eg_file > /tmp/ega diff /tmp/ega /tmp/egb >> /dev/null 2>&1 || surfen=1 cp /tmp/ega /tmp/egb cat /tmp/internet/ikt_file > /tmp/ikta diff /tmp/ikta /tmp/iktb >> /dev/null 2>&1 || surfen=1 cp /tmp/ikta /tmp/iktb if [ "$surfen" = "1" ] ; then if test -f /tmp/internet/internet.txt; then echo "00:00:00:00:00:00" > /tmp/internet/internet.txt else touch /tmp/internet/internet.txt fi ug_status=$(cat /tmp/internet/ug_file) eg_status=$(cat /tmp/internet/eg_file) ikt_status=$(cat /tmp/internet/ikt_file) if [ "$ug_status" = "0" ]; then cat /etc/squid/surfen_sperren/ug.txt >> /tmp/internet/internet.txt fi if [ "$eg_status" = "0" ]; then cat /etc/squid/surfen_sperren/eg.txt >> /tmp/internet/internet.txt fi if [ "$ikt_status" = "0" ]; then cat /etc/squid/surfen_sperren/ikt.txt >> /tmp/internet/internet.txt fi /usr/sbin/squid -k reconfigure fi sleep 3 done
Diverse Anleitungen
planck.1283862917.txt.gz · Zuletzt geändert: 2015/04/29 16:56 (Externe Bearbeitung)
Seiten-Werkzeuge
Falls nicht anders bezeichnet, ist der Inhalt dieses Wikis unter der folgenden Lizenz veröffentlicht: CC Attribution-Noncommercial-Share Alike 4.0 International
