pythontr.com
cp /usr/share/doc/shorewall/examples/one-interface/interfaces /etc/shorewall/ cp /usr/share/doc/shorewall/examples/one-interface/policy /etc/shorewall/ cp /usr/share/doc/shorewall/examples/one-interface/zones /etc/shorewall/ cp /usr/share/doc/shorewall/examples/one-interface/rules /etc/shorewall/ vim /etc/shorewall/rules #fw ACCEPT fw net icmp # net ACCEPT net:172.16.244.200 fw tcp 3306 ACCEPT net fw tcp 514 ACCEPT net fw udp 514 ACCEPT net fw udp 1812 ACCEPT net fw udp 1813 ACCEPT net fw udp 1814 ACCEPT net fw tcp 41122 ACCEPT net fw tcp 11121 ACCEPT net fw tcp 40000:40100 HTTP/ACCEPT net fw Ping/ACCEPT net fw vim /etc/default/shorewall startup=1 /etc/init.d/shorewall restart
vim /etc/network/interfaces auto eth0 iface eth0 inet static address 192.168.1.2 netmask 255.255.255.0 network 192.168.1.0 broadcast 192.168.1.255 gateway 192.168.1.1 # dns-* options are implemented by the resolvconf package, if installed dns-nameservers localhost dns-search mynetwork.net auto eth1 iface eth1 inet static address 10.0.0.1 netmask 255.0.0.0 network 10.0.0.0 broadcast 10.255.255.255 - /etc/init.d/networking restart
vim /etc/apt/sources.list #dosyasına eklenecek satır deb [url]http://volatile.debian.org/debian-volatile[/url] etch/volatile main contrib non-free
apt-get install shorewall squid dansguardian (sarg?)
shorewall -> iptables iproute squid -> squid-common sarg -> libgd2-noxpm
vim /etc/shorewall/zones fw firewall net ipv4 loc ipv4 grup1:loc ipv4 (alt gruplar varsa belirtilir)
vim /etc/shorewall/hosts (varsa, sub zone'lar buraya...) grup1 eth0:10.0.0.0/8
vim /etc/shorewall/interfaces net eth0 detect tcpflags,blacklist,routefilter,dhcp,nosmurfs loc eth1 detect tcpflags,blacklist,routefilter,dhcp -> tcpflags uygunsuz flag'e sahip TCP paketleri yok edilir -> blacklist blacklist dosyasından yasaklı adresler kontrol edilir -> routefilter spoofing'i engellemek için çekirdekte route filtresini, bu arayüz için açar -> logmartians mümkün olmayan kaynak adresli paketlerin log'unu tutar -> nosmurfs broadcast kaynaklı gözüken paketleri yok eder -> dhcp bu arayüz için IP, DHCP sunucudan alınıyorsa... -> norfc1918 kaynak adresi, RFC1918'de kayıtlı olan paketleri kabul etmez
vim /etc/shorewall/policy $FW grup1 REJECT $FW loc REJECT $FW net REJECT $FW all REJECT grup1 $FW REJECT grup1 loc REJECT grup1 net REJECT grup1 all REJECT loc $FW REJECT loc grup1 REJECT loc net REJECT loc all REJECT net $FW REJECT net grup1 REJECT net loc REJECT net all REJECT all all REJECT
vim /etc/shorewall/shorewall.conf IP_FORWARDING=Yes ( yerel ağ için gateway olacaksa...) ADD_SNAT_ALIASES=Yes ( yerel ağ için gateway olacaksa...)
vim /etc/shorewall/masq eth0 eth1 ( yerel ağ için gateway olacaksa... ) eth0:!192.168.1.0/24 192.168.1.0/24 ( sub zone için gateway olacaksa... )
vim /etc/shorewall/routestopped proxy için gerekli değil ama bu dosyaya resetlenmemesi gereken bağlantılar yazılacak zorunlu değilse yapılmamalı çünkü firewall başlarken sunucuyu kısa bir süre güvensiz halde bırakıyor nfs mount eden disksiz sistemler için uygun eth0 192.168.1.1 critical
touch /etc/shorewall/blacklist
vim /etc/default/shorewall startup=1
vim /etc/shorewall/rules # makro listesi icin /usr/share/shorewall/ klasorune bakilacak # tcp 21 ftp # tcp 22 ssh # tcp 25 smtp # udp 53 dns # tcp 53 dns # udp 67 dhcpd # udp 69 tftpd # tcp 80 http # tcp 110 pop3 # tcp 135 samba (smbd) # udp 137 samba (nmbd) # udp 138 samba (nmbd) # tcp 139 samba (smbd) # tcp 143 imap # tcp 443 https # tcp 445 samba (smbd) # tcp 587 gmail # udp 631 cups # tcp 631 cups # tcp 993 imaps # tcp 995 pop3s # tcp 1863 msn # tcp 3000 ntop # tcp 3128 squid # tcp 3306 mysql # tcp 3389 rdesktop # tcp 4559 hylafax # tcp 6667 IRC # tcp 8080 dansguardian # tcp 9999 apt-proxy # tcp 10000 webmin # firewal SSH/ACCEPT fw loc ACCEPT fw loc icmp DNS/ACCEPT fw net HTTP/ACCEPT fw net HTTPS/ACCEPT fw net NTP/ACCEPT fw net SMTP/ACCEPT fw net SMTPS/ACCEPT fw net SSH/ACCEPT fw net ACCEPT fw net tcp 587 ACCEPT fw net icmp # local Ping/ACCEPT loc net CVS/ACCEPT loc net DNS/ACCEPT loc net FTP/ACCEPT loc net HTTP/ACCEPT loc net HTTPS/ACCEPT loc net JabberPlain/ACCEPT loc net JabberSecure/ACCEPT loc net NTP/ACCEPT loc net POP3/ACCEPT loc net POP3S/ACCEPT loc net RDP/ACCEPT loc net Rsync/ACCEPT loc net SMTP/ACCEPT loc net SMTPS/ACCEPT loc net SSH/ACCEPT loc net VNC/ACCEPT loc net Whois/ACCEPT loc net ACCEPT loc net tcp 587 ACCEPT loc net tcp 1863 ACCEPT loc net tcp 6667 ACCEPT loc net tcp priv_rdesktop ACCEPT loc net tcp priv_ssh ACCEPT loc net tcp priv_vnc Ping/ACCEPT loc fw - - 3/sec:10 DNS/ACCEPT loc fw SSH/ACCEPT loc fw HTTP/ACCEPT loc fw ACCEPT loc fw tcp priv_ssh # proxy sunucuya yonlendirme... # dansguardian icin 8080. port'a, squid icin 3128. port'a yonlendirilecek REDIRECT loc 8080 tcp 80 - !10.0.0.1 #REDIRECT loc 3128 tcp 80 - !10.0.0.1 # yerel sunucular varsa... FTP/ACCEPT net loc:10.0.0.xxx FTP/DNAT net loc:10.0.0.xxx # net Ping/ACCEPT net fw - - 3/sec:10 SSH/ACCEPT net fw ACCEPT net fw tcp priv_ssh
vim /etc/hosts 127.0.0.1 localhost.localdomain localhost 192.168.1.2 host1.mynetwork.net host1 10.0.0.1 host2.mynetwork.net host2
/etc/init.d/shorewall restart # Eger konsola log yazmasi istenmiyorsa /etc/sysctl.conf kernel.printk = 4 4 1 7
vim /etc/security/limits.conf * soft nofile 8192 * hard nofile 8192
vim /etc/squid/squid.conf # Sarge icin yapilacak ayarlar acl our_networks src 192.168.1.0/24 192.168.2.0/24 http_access allow our_networks httpd_accel_host virtual httpd_accel_port 80 httpd_accel_with_proxy on httpd_accel_uses_host_header on # Etch icin yapilacak ayarlar acl our_networks src 192.168.1.0/24 192.168.2.0/24 http_access allow our_networks http_port 3128 transparent # Lenny icin yapilacak ayarlar acl localnet src 10.0.0.0/8 acl localnet src 172.16.0.0/12 acl localnet src 192.168.0.0/16 http_access allow localnet http_port 3128 transparent
# [url]http://urlblacklist.com/[/url] adresinden blacklist download edilir # download edilen dosya ile blacklists klasörü oluşturulur cd /etc/dansguardian/lists tar xzf bigblacklist.tar.gz
vim /etc/dansguardian/dansguardian.conf #UNCONFIGURED ( başına # konularak satır devreden çıkarılır ) maxuploadsize = 0 ( POST metodu ile dosya upload etmeyi sınırlandırmak için... ) ( 0 tamamen blokluyor ) ( x upload edilecek maksimum dosya boyutunu x Kb yapıyor ) ( -1 sınırsız upload hakkı veriyor ) logfileformat=3 ( Squid log file format )
vim /etc/dansguardian/lists/bannedsitelist .Include</etc/dansguardian/lists/blacklists/ads/domains> .Include</etc/dansguardian/lists/blacklists/adult/domains> .Include</etc/dansguardian/lists/blacklists/astrology/domains> .Include</etc/dansguardian/lists/blacklists/chat/domains> .Include</etc/dansguardian/lists/blacklists/dating/domains> .Include</etc/dansguardian/lists/blacklists/dialers/domains> .Include</etc/dansguardian/lists/blacklists/drugs/domains> .Include</etc/dansguardian/lists/blacklists/gambling/domains> .Include</etc/dansguardian/lists/blacklists/games/domains> .Include</etc/dansguardian/lists/blacklists/hacking/domains> .Include</etc/dansguardian/lists/blacklists/instantmessaging/domains> .Include</etc/dansguardian/lists/blacklists/kidstimewasting/domains> .Include</etc/dansguardian/lists/blacklists/malware/domains> .Include</etc/dansguardian/lists/blacklists/mixed_adult/domains> .Include</etc/dansguardian/lists/blacklists/onlinegames/domains> .Include</etc/dansguardian/lists/blacklists/phishing/domains> .Include</etc/dansguardian/lists/blacklists/porn/domains> .Include</etc/dansguardian/lists/blacklists/proxy/domains> .Include</etc/dansguardian/lists/blacklists/sexuality/domains> .Include</etc/dansguardian/lists/blacklists/socialnetworking/domains> .Include</etc/dansguardian/lists/blacklists/spyware/domains> .Include</etc/dansguardian/lists/blacklists/virusinfected/domains> .Include</etc/dansguardian/lists/blacklists/warez/domains> badboys.com
vim /etc/dansguardian/lists/bannedurllist .Include</etc/dansguardian/lists/blacklists/ads/urls> .Include</etc/dansguardian/lists/blacklists/adult/urls> .Include</etc/dansguardian/lists/blacklists/chat/urls> .Include</etc/dansguardian/lists/blacklists/dating/urls> .Include</etc/dansguardian/lists/blacklists/dialers/urls> .Include</etc/dansguardian/lists/blacklists/drugs/urls> .Include</etc/dansguardian/lists/blacklists/gambling/urls> .Include</etc/dansguardian/lists/blacklists/games/urls> .Include</etc/dansguardian/lists/blacklists/hacking/urls> .Include</etc/dansguardian/lists/blacklists/instantmessaging/urls> .Include</etc/dansguardian/lists/blacklists/kidstimewasting/urls> .Include</etc/dansguardian/lists/blacklists/malware/urls> .Include</etc/dansguardian/lists/blacklists/onlinegames/urls> .Include</etc/dansguardian/lists/blacklists/phishing/urls> .Include</etc/dansguardian/lists/blacklists/porn/urls> .Include</etc/dansguardian/lists/blacklists/proxy/urls> .Include</etc/dansguardian/lists/blacklists/sexuality/urls> .Include</etc/dansguardian/lists/blacklists/socialnetworking/urls> .Include</etc/dansguardian/lists/blacklists/virusinfected/urls> .Include</etc/dansguardian/lists/blacklists/warez/urls> members.home.net/uporn
vim /etc/dansguardian/lists/exceptionsitelist .tr sourtimes.org video.google.com windowsupdate.microsoft.com
vim /etc/dansguardian/lists/weightedphraselist # Malezyaca ve Portekizce yasakli kelimeler, normal Turkce kelimelerle benzeşiyor # Bu kelime listesi kullanilirsa, normal Turkce sitelerde problem cikiyor #.Include</etc/dansguardian/lists/phraselists/pornography/weighted_japanese> #.Include</etc/dansguardian/lists/phraselists/pornography/weighted_malay> #.Include</etc/dansguardian/lists/phraselists/pornography/weighted_portuguese>
vim /etc/dansguardian/lists/exceptionextensionlist # eklenenler .bz2 .doc .gz .iso .pdf .pps .rar .tar .tgz .xls .zip
vim /etc/dansguardian/lists/bannedphraselist #.Include</etc/dansguardian/lists/phraselists/safelabel/banned>
vim /etc/squid/sarg.conf language English (Turkish yapınca raporda bazı format sorunları oluyor) charset Latin5 output_dir /var/www/squid-reports access_log /var/log/dansguardian/access.log
vim /etc/squid/sarg-reports.conf (etch) LOGOIMG=/squid-reports/Daily/images/sarg.png LOGOLINK="[url]http://$(hostname)/squid-reports/[/url]"
vim /etc/crontab (etch) 00 08-20/1 * * * root sarg-reports today 00 00 * * * root sarg-reports daily 00 01 * * 1 root sarg-reports weekly 10 01 1 * * root sarg-reports weekly
vim /etc/crontab (sarge) 10 3 * * * root /etc/squid/sarg-maint.sh >/dev/null 2>&1
vim /etc/squid/sarg-maint.sh (sarge) /usr/bin/sarg -d $YESTERDAY-$YESTERDAY -e kullanici@domain.com
Yorumlar