Lws2: Porovnání verzí
| Řádek 125: | Řádek 125: | ||
JohnnyK - obed - pujcenej | JohnnyK - obed - pujcenej | ||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | == doplnujici data == | ||
| + | |||
| + | *** Firewall | ||
| + | |||
| + | #!/bin/sh | ||
| + | # | ||
| + | # Smaz vse | ||
| + | iptables -F | ||
| + | iptables -t nat -F | ||
| + | iptables -X | ||
| + | # | ||
| + | # Default polici | ||
| + | iptables -P INPUT DROP | ||
| + | iptables -P OUTPUT DROP | ||
| + | iptables -P FORWARD DROP | ||
| + | # | ||
| + | # Ven a skrz vse | ||
| + | iptables -A OUTPUT -j ACCEPT | ||
| + | iptables -A FORWARD -j ACCEPT | ||
| + | # | ||
| + | # navazane i dovnitr | ||
| + | iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | ||
| + | # | ||
| + | # loopback | ||
| + | iptables -A INPUT -i lo -j ACCEPT | ||
| + | iptables -A INPUT -s 127.0.0.0/255.0.0.0 -j DROP | ||
| + | # | ||
| + | # Povol PING, HTTP a PROXy | ||
| + | iptables -A INPUT -p icmp -m icmp --icmp-type 0 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT # obrana proti zahlceni pingama | ||
| + | iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT # obrana proti zahlceni pingama | ||
| + | iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT # FTP | ||
| + | iptables -A INPUT -p tcp --dport 22 -j ACCEPT # SSH | ||
| + | iptables -A INPUT -p tcp --dport 25 -j ACCEPT # SMTP | ||
| + | iptables -A INPUT -p tcp --dport 37 -j ACCEPT # RDATE | ||
| + | iptables -A INPUT -p udp --dport 37 -j ACCEPT | ||
| + | iptables -A INPUT -p tcp --dport 53 -j ACCEPT # DNS | ||
| + | iptables -A INPUT -p udp --dport 53 -j ACCEPT | ||
| + | iptables -A INPUT -p tcp --dport 80 -j ACCEPT # WWW | ||
| + | iptables -A INPUT -p tcp --dport 110 -j ACCEPT # POP3 | ||
| + | iptables -A INPUT -p tcp --dport 123 -j ACCEPT # NTP | ||
| + | iptables -A INPUT -p udp --dport 123 -j ACCEPT | ||
| + | iptables -A INPUT -p tcp --dport 143 -j ACCEPT # IMAP | ||
| + | iptables -A INPUT -p tcp --dport 443 -j ACCEPT # WWW + SSL | ||
| + | iptables -A INPUT -p tcp --dport 465 -j ACCEPT # SMTP + SSL | ||
| + | iptables -A INPUT -p tcp --dport 953 -j ACCEPT # DNS - Commands | ||
| + | iptables -A INPUT -p tcp --dport 993 -j ACCEPT # IMAP + SSL | ||
| + | iptables -A INPUT -p tcp --dport 995 -j ACCEPT # POP3 + SSL | ||
| + | iptables -A INPUT -p udp --dport 1235 -j ACCEPT # VPN - Opatovice | ||
| + | iptables -A INPUT -p tcp --dport 3306 -j ACCEPT # MySQL | ||
| + | iptables -A INPUT -p tcp --dport 5432 -j ACCEPT # PostgreSQL | ||
| + | iptables -A INPUT -p udp --dport 5432 -j ACCEPT # PostgreSQL | ||
| + | iptables -A INPUT -p udp --dport 8767 -j ACCEPT # Team Speek | ||
| + | iptables -A INPUT -p tcp --dport 14534 -j ACCEPT # Team Speek - webadmin | ||
| + | iptables -A INPUT -p tcp --dport 51234 -j ACCEPT # Team Speek - TCPquery | ||
| + | iptables -A INPUT -i eth1 -p tcp --dport 2600:2608 -j ACCEPT # Zebra - OSPF, BGPD | ||
| + | iptables -A INPUT -i eth1 -p ospf -j ACCEPT # OSPF pakety | ||
| + | # | ||
| + | |||
| + | |||
| + | *** zebra.conf | ||
| + | |||
| + | ! | ||
| + | hostname Pokusnej_Server | ||
| + | password heslo | ||
| + | enable password tajny_heslo | ||
| + | service advanced-vty | ||
| + | !!! pokud chcete logoat do souboru !!! | ||
| + | log file /var/log/quagga/zebra.log | ||
| + | ! | ||
| + | interface lo | ||
| + | ! | ||
| + | interface eth0 | ||
| + | description linka-hkfree | ||
| + | ! | ||
| + | interface eth1 | ||
| + | description domaci-sit | ||
| + | ! | ||
| + | ip route 224.0.0.5/32 127.0.0.1 | ||
| + | ip route 224.0.0.6/32 127.0.0.1 | ||
| + | ! | ||
| + | !!! pro verejnou IP | ||
| + | ip route 85.132.161.50/32 eth1 | ||
| + | ! | ||
| + | !!! pro staticke routovani !!! | ||
| + | ip route 10.107.99.0/24 10.107.98.2 | ||
| + | ! | ||
| + | line vty | ||
| + | ! | ||
| + | |||
| + | |||
| + | *** ospfd.conf | ||
| + | |||
| + | hostname Pokusnej_Server | ||
| + | password heslo | ||
| + | enable password tajny_heslo | ||
| + | service advanced-vty | ||
| + | !!! pokud chcete logoat do souboru !!! | ||
| + | log file /var/log/quagga/ospfd.log | ||
| + | ! | ||
| + | interface lo | ||
| + | ! | ||
| + | interface eth0 | ||
| + | description link-hkfree | ||
| + | ip ospf cost 10 | ||
| + | ip ospf hello-interval 5 | ||
| + | ip ospf dead-interval 300 | ||
| + | ! | ||
| + | interface eth1 | ||
| + | description lokalni-sit | ||
| + | ip ospf cost 100 | ||
| + | ! | ||
| + | router ospf | ||
| + | ospf router-id 10.107.97.1 | ||
| + | redistribute connected metric-type 1 route-map just-10 | ||
| + | redistribute kernel metric-type 1 | ||
| + | redistribute static metric-type 1 | ||
| + | ! | ||
| + | network 10.107.97.1/26 area 0.0.0.0 | ||
| + | network 10.107.98.1/28 area 0.0.0.0 | ||
| + | ! | ||
| + | passive-interface eth1 | ||
| + | ! | ||
| + | line vty | ||
| + | ! | ||
Verze z 4. 6. 2006, 10:48
Je PRELOZEN na: 3.6.2006 (duvod prelozeni je vypadek konektivity do internetu - bez internetu se neobejdu)
zacatek od: 9:00
Misto: Rusek - Zahradkarska Skola
Co je nutne mit s sebou pro ucast:
- PC na kterem uz budete mit nainstalovany Linux - Debian - testing
- kdo bude mit jinou verzi, tak se asi moc dit nebude, jen mu mozna nebudou sohlasit vsechny veci
- kdo bude mit jinou distribuci bude si muset v nekterych bodech poradit sam,
jelikoz nebude tilik casu aby se to vysvetlovalo kazdemu zvlast
- Klavesnici
- Monitor je mozno si pujcit ten co uz v ucebne je
- v PC mit funkcni ethernetvou kartu se zdirkou pro RJ45
- pro jistotu i svoji klavesnici (obvzlast si ji musej vzit ti co maj jeste DIN)
- mozna se bude neco malo platit za zapujceni prostoru, tak si dyztak vemte par drobnych (jeste to zjistim)
- a hlavne DOBROU NALADU :-)
Casovy plan:
Obsah
09:00-9:29 - Zacatek
- Zacatek - Konfigurace pocitacu - Konfigurace priojeni k siti - Zjisteni zda maj vsichni nainstalovano vse potrebne
09:30-9:59 - Routovani
prednasi: Cool/Explosion - Vysvetleni routovani - co to je - k cemu to je - vyhody a nevyhody - zajimavosti
10:00-11:29 - Quagga
prednasi: Cool/Explosion ??? - co to je zebra - co to je ospfd - jak to pracuje - konfigurace
11:30-11:59 - DHCP
prednasi: Bongo ??? - co to je - uplatneni - konfigurace - DHCP Relay
13:00 - 13:30 - OBED
Kureci rizky s hranolkama a oblohou
13:00 - 13:59 - Verejne IP
prednasi: Cool/Explosion ??? - co to je - vyhody a nevyhody - nastaveni na routerech - nastaveni u klientu
14:00-14:59 ? - SSH
prednasi: Bongo - co to je, implementace SSH - vzdálené přihlášení pomocí SSH, autentizace, omezení přístupu - správa klíčů pomocí agenta, použití SSH ve scriptech - přenášení souborů pomocí SSH (scp) - forward portů, SSH tunel, forward X - a dalsi
15:00-15:30 ? - Bridge a ostatni
prednasi: Cool/Explosion - tohle tema bude jen v pripade ze vsechno casove stihnem a ze sezenu zarizeni na simulaci - Bridge a jejich problematika - Nastaveni Ovislinka 1120 a 5460 (pokud bude nekdo chtit) - Uprava v Custom Firmwaru pro Ovislink 1120 pro snizeni pravdepodobnosti zaseku - Nastaveni Compexe WPE54AG a predvedeni rozdilu chovani AP-Client a WDS-WDS - Volitelne temata
nejdele v 18:00 - KONEC
- Pokud by tam nekdo tak dlouho vydzel ;-)
- Prihlasky:
!!! Max. 20 lidi s PC + 5 s NB !!!
Nick - Obed/Bez obedu - monitor vlastni/pujcenej
Cool-Explosion - obed - pujcenej
Fugas - obed - pujcenej
Polin - obed - vlastni
Paul - obed - pujcenej
reaper - obed - pujcenej
Vladi - OBED - pujcenej
Vitek (Theo) - obed - NB
koulinek - obed - NB
PetrS(+1) - 2x obed - pujcenej (muzeme dva k jednomu stroji?) - ano muzete
Vcela - Obidek - NB
pavkriz - obed asi ne, ucast nejista (50%) - NB
Lubos Spacek(+1) - 2x obed - NB
Chip - obed - vlastni
Petr Zitny - Obed - Fotim :D LCD display na fotaku mam, takze nepotrebuju pujcit monitor :D
clovek (PVK)- oběd - NB
Bongo - obed ne - NB
JohnnyK - obed - pujcenej
doplnujici data
- Firewall
- !/bin/sh
- Smaz vse
iptables -F iptables -t nat -F iptables -X
- Default polici
iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP
- Ven a skrz vse
iptables -A OUTPUT -j ACCEPT iptables -A FORWARD -j ACCEPT
- navazane i dovnitr
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- loopback
iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -s 127.0.0.0/255.0.0.0 -j DROP
- Povol PING, HTTP a PROXy
iptables -A INPUT -p icmp -m icmp --icmp-type 0 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT # obrana proti zahlceni pingama iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT # obrana proti zahlceni pingama iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT # FTP iptables -A INPUT -p tcp --dport 22 -j ACCEPT # SSH iptables -A INPUT -p tcp --dport 25 -j ACCEPT # SMTP iptables -A INPUT -p tcp --dport 37 -j ACCEPT # RDATE iptables -A INPUT -p udp --dport 37 -j ACCEPT iptables -A INPUT -p tcp --dport 53 -j ACCEPT # DNS iptables -A INPUT -p udp --dport 53 -j ACCEPT iptables -A INPUT -p tcp --dport 80 -j ACCEPT # WWW iptables -A INPUT -p tcp --dport 110 -j ACCEPT # POP3 iptables -A INPUT -p tcp --dport 123 -j ACCEPT # NTP iptables -A INPUT -p udp --dport 123 -j ACCEPT iptables -A INPUT -p tcp --dport 143 -j ACCEPT # IMAP iptables -A INPUT -p tcp --dport 443 -j ACCEPT # WWW + SSL iptables -A INPUT -p tcp --dport 465 -j ACCEPT # SMTP + SSL iptables -A INPUT -p tcp --dport 953 -j ACCEPT # DNS - Commands iptables -A INPUT -p tcp --dport 993 -j ACCEPT # IMAP + SSL iptables -A INPUT -p tcp --dport 995 -j ACCEPT # POP3 + SSL iptables -A INPUT -p udp --dport 1235 -j ACCEPT # VPN - Opatovice iptables -A INPUT -p tcp --dport 3306 -j ACCEPT # MySQL iptables -A INPUT -p tcp --dport 5432 -j ACCEPT # PostgreSQL iptables -A INPUT -p udp --dport 5432 -j ACCEPT # PostgreSQL iptables -A INPUT -p udp --dport 8767 -j ACCEPT # Team Speek iptables -A INPUT -p tcp --dport 14534 -j ACCEPT # Team Speek - webadmin iptables -A INPUT -p tcp --dport 51234 -j ACCEPT # Team Speek - TCPquery iptables -A INPUT -i eth1 -p tcp --dport 2600:2608 -j ACCEPT # Zebra - OSPF, BGPD iptables -A INPUT -i eth1 -p ospf -j ACCEPT # OSPF pakety
- zebra.conf
! hostname Pokusnej_Server password heslo enable password tajny_heslo service advanced-vty !!! pokud chcete logoat do souboru !!! log file /var/log/quagga/zebra.log ! interface lo ! interface eth0
description linka-hkfree
! interface eth1
description domaci-sit
! ip route 224.0.0.5/32 127.0.0.1 ip route 224.0.0.6/32 127.0.0.1 ! !!! pro verejnou IP ip route 85.132.161.50/32 eth1 ! !!! pro staticke routovani !!! ip route 10.107.99.0/24 10.107.98.2 ! line vty !
- ospfd.conf
hostname Pokusnej_Server password heslo enable password tajny_heslo service advanced-vty !!! pokud chcete logoat do souboru !!! log file /var/log/quagga/ospfd.log ! interface lo ! interface eth0
description link-hkfree ip ospf cost 10 ip ospf hello-interval 5 ip ospf dead-interval 300
! interface eth1
description lokalni-sit ip ospf cost 100
! router ospf
ospf router-id 10.107.97.1 redistribute connected metric-type 1 route-map just-10 redistribute kernel metric-type 1 redistribute static metric-type 1
!
network 10.107.97.1/26 area 0.0.0.0 network 10.107.98.1/28 area 0.0.0.0
! passive-interface eth1 ! line vty !
