makaleler / Debian / Ubuntu / Pardus / Shorewall Kurulum & Squid Kurulum Notları ...

Shorewall Kurulum & Squid Kurulum Notları ...

18.05.2011 11:32:32

Basit Shorewall kurulumu Genelde kullandığım yapıdır. Web sunucularda kullanılabilir.

cp /usr/share/doc/shorewall/examples/one-interface/interfaces /etc/shorewall/
cp /usr/share/doc/shorewall/examples/one-interface/policy /etc/shorewall/
cp /usr/share/doc/shorewall/examples/one-interface/zones /etc/shorewall/
cp /usr/share/doc/shorewall/examples/one-interface/rules /etc/shorewall/

vim /etc/shorewall/rules
	#fw
	ACCEPT          fw                      net             icmp
	# net
	ACCEPT          net:172.16.244.200      fw              tcp     3306
	ACCEPT          net                     fw              tcp     514
	ACCEPT          net                     fw              udp     514
	ACCEPT          net                     fw              udp     1812
	ACCEPT          net                     fw              udp     1813
	ACCEPT          net                     fw              udp     1814
	ACCEPT          net                     fw              tcp     41122
	ACCEPT          net                     fw              tcp     11121
	ACCEPT          net                     fw              tcp     40000:40100
	HTTP/ACCEPT     net                     fw
	Ping/ACCEPT     net                     fw


vim /etc/default/shorewall
	startup=1

/etc/init.d/shorewall restart




Detaylar
ağ arayüzleri ( bu makinede DNS sunucunun kurulu olduğu varsayılmıştır)

	vim /etc/network/interfaces
		auto eth0
		iface eth0 inet static
		address 192.168.1.2
		netmask 255.255.255.0
		network 192.168.1.0
		broadcast 192.168.1.255
		gateway 192.168.1.1
		# dns-* options are implemented by the resolvconf package, if installed
		dns-nameservers localhost
		dns-search mynetwork.net
								
		auto eth1
		iface eth1 inet static
		address 10.0.0.1
		netmask 255.0.0.0
		network 10.0.0.0
		broadcast 10.255.255.255

	- /etc/init.d/networking restart


paketlerin kurulumu
	vim /etc/apt/sources.list #dosyasına eklenecek satır
		deb [url]http://volatile.debian.org/debian-volatile[/url] etch/volatile main contrib non-free


paketlerin yüklenmesi
		apt-get install shorewall squid dansguardian (sarg?)


bağımlılıklar:
			shorewall	-> iptables iproute
			squid		-> squid-common
			sarg		-> libgd2-noxpm




Shorewall ayarları

# /usr/share/doc/shorewall-common/examples/ klasöründen uygun olan örnekler indirilir

	vim /etc/shorewall/zones
		fw		firewall
		net		ipv4
		loc		ipv4
		grup1:loc	ipv4		(alt gruplar varsa belirtilir)



	vim /etc/shorewall/hosts	(varsa, sub zone'lar buraya...)
		grup1		eth0:10.0.0.0/8



	vim /etc/shorewall/interfaces
		net	eth0	detect	tcpflags,blacklist,routefilter,dhcp,nosmurfs
		loc	eth1	detect	tcpflags,blacklist,routefilter,dhcp

		-> tcpflags	uygunsuz flag'e sahip TCP paketleri yok edilir
		-> blacklist	blacklist dosyasından yasaklı adresler kontrol edilir
		-> routefilter	spoofing'i engellemek için çekirdekte route filtresini, bu arayüz için  açar
		-> logmartians	mümkün olmayan kaynak adresli paketlerin log'unu tutar
		-> nosmurfs	broadcast kaynaklı gözüken paketleri yok eder
		-> dhcp		bu arayüz için IP, DHCP sunucudan alınıyorsa...
		-> norfc1918	kaynak adresi, RFC1918'de kayıtlı olan paketleri kabul etmez


	vim /etc/shorewall/policy
		$FW	grup1	REJECT
		$FW	loc	REJECT
		$FW	net	REJECT
		$FW	all	REJECT
		
		grup1	$FW	REJECT
		grup1	loc	REJECT
		grup1	net	REJECT
		grup1	all	REJECT
		
		loc	$FW	REJECT
		loc	grup1	REJECT
		loc	net	REJECT
		loc	all	REJECT
		
		net	$FW	REJECT
		net	grup1	REJECT
		net	loc	REJECT
		net	all	REJECT
		
		all	all	REJECT



	vim /etc/shorewall/shorewall.conf
		IP_FORWARDING=Yes		( yerel ağ için gateway olacaksa...)
		ADD_SNAT_ALIASES=Yes		( yerel ağ için gateway olacaksa...)



	vim /etc/shorewall/masq
		eth0			eth1		( yerel ağ için gateway olacaksa... 	)
		eth0:!192.168.1.0/24	192.168.1.0/24	( sub zone için gateway olacaksa...	)



	vim /etc/shorewall/routestopped
	  proxy için gerekli değil ama bu dosyaya resetlenmemesi gereken bağlantılar yazılacak
	  zorunlu değilse yapılmamalı çünkü firewall başlarken sunucuyu kısa bir süre güvensiz halde bırakıyor
	  nfs mount eden disksiz sistemler için uygun
	  	eth0	192.168.1.1	critical



	 touch /etc/shorewall/blacklist



	vim /etc/default/shorewall
		startup=1



	vim /etc/shorewall/rules
		# makro listesi icin /usr/share/shorewall/ klasorune bakilacak
		# tcp   21      ftp
		# tcp   22      ssh
		# tcp   25      smtp
		# udp   53      dns
		# tcp   53      dns
		# udp   67      dhcpd
		# udp   69      tftpd
		# tcp   80      http
		# tcp   110     pop3
		# tcp   135     samba (smbd)
		# udp   137     samba (nmbd)
		# udp   138     samba (nmbd)
		# tcp   139     samba (smbd)
		# tcp   143     imap
		# tcp   443     https
		# tcp   445     samba (smbd)
		# tcp	587	gmail
		# udp   631     cups
		# tcp   631     cups
		# tcp   993     imaps
		# tcp   995     pop3s
		# tcp   1863    msn
		# tcp   3000    ntop
		# tcp   3128    squid
		# tcp   3306    mysql
		# tcp   3389	rdesktop
		# tcp   4559    hylafax
		# tcp   6667    IRC
		# tcp   8080    dansguardian
		# tcp   9999    apt-proxy
		# tcp   10000   webmin
	
		# firewal
		SSH/ACCEPT              fw              loc
		ACCEPT                  fw              loc             icmp

		DNS/ACCEPT              fw              net
		HTTP/ACCEPT             fw              net
		HTTPS/ACCEPT            fw              net
		NTP/ACCEPT              fw              net
		SMTP/ACCEPT             fw              net
		SMTPS/ACCEPT            fw              net
		SSH/ACCEPT              fw              net
		ACCEPT                  fw              net             tcp     587
		ACCEPT                  fw              net             icmp
		
		# local
		Ping/ACCEPT		loc		net
		CVS/ACCEPT              loc             net
		DNS/ACCEPT              loc             net
		FTP/ACCEPT              loc             net
		HTTP/ACCEPT             loc             net
		HTTPS/ACCEPT            loc             net
		JabberPlain/ACCEPT      loc             net
		JabberSecure/ACCEPT     loc             net
		NTP/ACCEPT              loc             net
		POP3/ACCEPT		loc		net
		POP3S/ACCEPT		loc		net
		RDP/ACCEPT              loc             net
		Rsync/ACCEPT            loc             net
		SMTP/ACCEPT             loc             net
		SMTPS/ACCEPT            loc             net
		SSH/ACCEPT              loc             net
		VNC/ACCEPT              loc             net
		Whois/ACCEPT            loc             net
		ACCEPT                  loc             net             tcp     587
		ACCEPT                  loc             net             tcp     1863
		ACCEPT                  loc             net             tcp     6667
		ACCEPT                  loc             net             tcp     priv_rdesktop
		ACCEPT                  loc             net             tcp     priv_ssh
		ACCEPT                  loc             net             tcp     priv_vnc

		Ping/ACCEPT		loc		fw		-	-		3/sec:10
		DNS/ACCEPT		loc		fw
		SSH/ACCEPT		loc		fw
		HTTP/ACCEPT		loc		fw
		ACCEPT			loc		fw		tcp	priv_ssh


		# proxy sunucuya yonlendirme...
		# dansguardian icin 8080. port'a, squid icin 3128. port'a yonlendirilecek
		REDIRECT		loc		8080		tcp	80		-		!10.0.0.1
		#REDIRECT		loc		3128		tcp	80		-		!10.0.0.1
		
		# yerel sunucular varsa...
		FTP/ACCEPT		net		loc:10.0.0.xxx
		FTP/DNAT		net		loc:10.0.0.xxx
		
		# net
		Ping/ACCEPT		net		fw		-	-		3/sec:10
		SSH/ACCEPT		net		fw
		ACCEPT			net		fw		tcp	priv_ssh



	vim /etc/hosts
		127.0.0.1	localhost.localdomain	localhost
		192.168.1.2	host1.mynetwork.net	host1
		10.0.0.1	host2.mynetwork.net	host2



	/etc/init.d/shorewall restart

	# Eger konsola log yazmasi istenmiyorsa
		/etc/sysctl.conf
			kernel.printk = 4 4 1 7




Squid ayarları
	vim /etc/security/limits.conf
	
		*              soft    nofile         8192
		*              hard    nofile         8192



	vim /etc/squid/squid.conf

		# Sarge icin yapilacak ayarlar
		acl				our_networks src 192.168.1.0/24 192.168.2.0/24
		http_access			allow our_networks
		httpd_accel_host		virtual
		httpd_accel_port		80
		httpd_accel_with_proxy		on
		httpd_accel_uses_host_header	on

		# Etch icin yapilacak ayarlar
		acl 				our_networks 	src 192.168.1.0/24 192.168.2.0/24
		http_access			allow		our_networks
		http_port			3128		transparent

		# Lenny icin yapilacak ayarlar
		acl localnet src 10.0.0.0/8
		acl localnet src 172.16.0.0/12
		acl localnet src 192.168.0.0/16
		http_access allow localnet
		http_port 3128 transparent



blacklist


	# [url]http://urlblacklist.com/[/url] adresinden blacklist download edilir

	# download edilen dosya ile blacklists klasörü oluşturulur
	
		cd /etc/dansguardian/lists
		tar xzf bigblacklist.tar.gz




DansGuardian ayarları

	vim /etc/dansguardian/dansguardian.conf
		#UNCONFIGURED		( başına # konularak satır devreden çıkarılır			)
		maxuploadsize = 0	( POST metodu ile dosya upload etmeyi sınırlandırmak için...	)
					( 0  tamamen blokluyor						)
					( x  upload edilecek maksimum dosya boyutunu x Kb yapıyor	)
					( -1 sınırsız upload hakkı veriyor				)
		logfileformat=3		( Squid log file format						)



	vim /etc/dansguardian/lists/bannedsitelist
		.Include</etc/dansguardian/lists/blacklists/ads/domains>    
		.Include</etc/dansguardian/lists/blacklists/adult/domains>  
		.Include</etc/dansguardian/lists/blacklists/astrology/domains>
		.Include</etc/dansguardian/lists/blacklists/chat/domains>   
		.Include</etc/dansguardian/lists/blacklists/dating/domains> 
		.Include</etc/dansguardian/lists/blacklists/dialers/domains>
		.Include</etc/dansguardian/lists/blacklists/drugs/domains>  
		.Include</etc/dansguardian/lists/blacklists/gambling/domains>
		.Include</etc/dansguardian/lists/blacklists/games/domains>  
		.Include</etc/dansguardian/lists/blacklists/hacking/domains>
		.Include</etc/dansguardian/lists/blacklists/instantmessaging/domains>
		.Include</etc/dansguardian/lists/blacklists/kidstimewasting/domains>
		.Include</etc/dansguardian/lists/blacklists/malware/domains>
		.Include</etc/dansguardian/lists/blacklists/mixed_adult/domains>
		.Include</etc/dansguardian/lists/blacklists/onlinegames/domains>
		.Include</etc/dansguardian/lists/blacklists/phishing/domains>
		.Include</etc/dansguardian/lists/blacklists/porn/domains>   
		.Include</etc/dansguardian/lists/blacklists/proxy/domains>  
		.Include</etc/dansguardian/lists/blacklists/sexuality/domains>
		.Include</etc/dansguardian/lists/blacklists/socialnetworking/domains>
		.Include</etc/dansguardian/lists/blacklists/spyware/domains>
		.Include</etc/dansguardian/lists/blacklists/virusinfected/domains>
		.Include</etc/dansguardian/lists/blacklists/warez/domains>  
		                                                            
		badboys.com  



	vim /etc/dansguardian/lists/bannedurllist
		.Include</etc/dansguardian/lists/blacklists/ads/urls>
		.Include</etc/dansguardian/lists/blacklists/adult/urls>
		.Include</etc/dansguardian/lists/blacklists/chat/urls>
		.Include</etc/dansguardian/lists/blacklists/dating/urls>
		.Include</etc/dansguardian/lists/blacklists/dialers/urls>
		.Include</etc/dansguardian/lists/blacklists/drugs/urls>
		.Include</etc/dansguardian/lists/blacklists/gambling/urls>
		.Include</etc/dansguardian/lists/blacklists/games/urls>
		.Include</etc/dansguardian/lists/blacklists/hacking/urls>
		.Include</etc/dansguardian/lists/blacklists/instantmessaging/urls>
		.Include</etc/dansguardian/lists/blacklists/kidstimewasting/urls>
		.Include</etc/dansguardian/lists/blacklists/malware/urls>
		.Include</etc/dansguardian/lists/blacklists/onlinegames/urls>
		.Include</etc/dansguardian/lists/blacklists/phishing/urls>
		.Include</etc/dansguardian/lists/blacklists/porn/urls>
		.Include</etc/dansguardian/lists/blacklists/proxy/urls>
		.Include</etc/dansguardian/lists/blacklists/sexuality/urls>
		.Include</etc/dansguardian/lists/blacklists/socialnetworking/urls>
		.Include</etc/dansguardian/lists/blacklists/virusinfected/urls>
		.Include</etc/dansguardian/lists/blacklists/warez/urls>

		members.home.net/uporn



	vim /etc/dansguardian/lists/exceptionsitelist
		.tr
		sourtimes.org
		video.google.com
		windowsupdate.microsoft.com



	vim /etc/dansguardian/lists/weightedphraselist
	  # Malezyaca ve Portekizce yasakli kelimeler, normal Turkce kelimelerle benzeşiyor
	  # Bu kelime listesi kullanilirsa, normal Turkce sitelerde problem cikiyor
	  	
		#.Include</etc/dansguardian/lists/phraselists/pornography/weighted_japanese>
		#.Include</etc/dansguardian/lists/phraselists/pornography/weighted_malay>
		#.Include</etc/dansguardian/lists/phraselists/pornography/weighted_portuguese>



	vim /etc/dansguardian/lists/exceptionextensionlist
		# eklenenler
		.bz2
		.doc
		.gz
		.iso
		.pdf
		.pps
		.rar
		.tar
		.tgz
		.xls
		.zip


	vim /etc/dansguardian/lists/bannedphraselist
		#.Include</etc/dansguardian/lists/phraselists/safelabel/banned>




SARG ayarları (özellikle istenmiyorsa, kurulmasın)

	vim /etc/squid/sarg.conf
		language		English		(Turkish yapınca raporda bazı format sorunları oluyor)
		charset			Latin5
		output_dir		/var/www/squid-reports
		access_log		/var/log/dansguardian/access.log


	vim /etc/squid/sarg-reports.conf (etch)
		LOGOIMG=/squid-reports/Daily/images/sarg.png
		LOGOLINK="[url]http://$(hostname)/squid-reports/[/url]"


	vim /etc/crontab (etch)
		00      08-20/1 * * *   root    sarg-reports today
		00      00      * * *   root    sarg-reports daily
		00      01      * * 1   root    sarg-reports weekly
		10      01      1 * *   root    sarg-reports weekly


	vim /etc/crontab (sarge)
		10 3 * * * root		/etc/squid/sarg-maint.sh >/dev/null 2>&1


	vim /etc/squid/sarg-maint.sh (sarge) 
		/usr/bin/sarg -d $YESTERDAY-$YESTERDAY -e kullanici@domain.com
yazar husonet

Yorumlar

Bu içerik için sizde yorum yapabilirsiniz!
anasayfa | makaleler | haberler | dosyalar | linkler | hakkımızda