Make-ubunturouter.txt

จาก Wiki Opensource (source: the "Opensource" wiki; Thai: "from the Opensource wiki")
sudo apt-get install shorewall
# Seed /etc/shorewall from the packaged two-interfaces example (net on eth0, loc on eth1).
# Each of these files is then edited by hand in the sections that follow.
for f in zones interfaces policy rules masq; do
  sudo cp "/usr/share/doc/shorewall/examples/two-interfaces/$f" /etc/shorewall
done

sudo vi /etc/shorewall/zones 
# Three zones: the firewall host itself ($FW), the untrusted Internet side (net) and
# the LAN side (loc). These names are referenced by the interfaces, policy and rules
# files below.
fw    firewall
net    ipv4
loc    ipv4

sudo vi /etc/shorewall/interfaces 
# net = eth0, the Internet-facing interface; it gets its address by DHCP (see
# /etc/network/interfaces below), hence the "dhcp" option. The remaining options are
# Shorewall's inbound sanity checks:
#   tcpflags    - drop packets with invalid TCP flag combinations
#   nosmurfs    - drop packets whose source is a broadcast address
#   routefilter - reverse-path filtering (rp_filter) on this interface
#   logmartians - log packets with impossible source addresses
net     eth0            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians
# loc = eth1, the LAN side (10.0.100.1/24). No options are set, so LAN hosts are not
# subject to the tcpflags/nosmurfs checks.
# NOTE(review): the packaged two-interfaces example applies at least tcpflags,nosmurfs to
# loc as well; consider adding them unless every LAN host is fully trusted.
loc     eth1            detect          

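sudo vi /etc/shorewall/policy 
# Default policies, consulted only when no entry in /etc/shorewall/rules matched.
# Columns: SOURCE  DEST  POLICY  [LOG LEVEL]
$FW        net        ACCEPT
$FW        loc        ACCEPT
loc             net             ACCEPT
# The LAN may reach every service on the firewall host itself, which makes the
# "loc $FW" ACCEPT rules in /etc/shorewall/rules redundant. Tighten this to REJECT and
# rely on explicit ACCEPT rules if LAN hosts are not fully trusted.
loc        $FW        ACCEPT
# Everything else arriving from the Internet is dropped and logged at "info".
net        all        DROP        info
# THE FOLLOWING POLICY MUST BE LAST
# Catch-all. Default-deny (REJECT, logged) instead of ACCEPT: with the three zones above
# every pairing that carries traffic is already named, so nothing in use depends on this
# line being permissive, and a future zone or a typo above now fails closed rather than open.
all        all        REJECT        info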

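sudo vi /etc/shorewall/rules 
# Rules are evaluated in order and before the policies; the first match wins, so the DROP
# entries for specific networks must stay above the ACCEPT entries.
# Columns: ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
#
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#

#Ping(DROP)    net        $FW

# Outbound ICMP from the firewall host (already permitted by the $FW->loc and $FW->net
# ACCEPT policies; kept for clarity).
ACCEPT        $FW        loc        icmp
ACCEPT        $FW        net        icmp
#
# Block-listed source networks. These must precede the ACCEPT rules below.
#DROP loc:10.0.100.193 $FW
DROP net:42.2.192.0/19 $FW
DROP net:116.8.0.0/14 $FW
DROP net:140.115.0.0/16 $FW
DROP net:190.120.232.0/21 $FW
DROP net:202.65.138.200/29 $FW
#
# Services on the firewall host. SOURCE "all" includes the net zone and therefore
# overrides the "net all DROP" policy, so only services meant to be reachable from the
# Internet use it; LAN-only services use "loc". (While the loc->$FW policy is ACCEPT the
# "loc" rules are redundant; they become effective once that policy is tightened.)
#
# FTP - plaintext credentials, LAN only
ACCEPT loc $FW tcp 21
# SSH - reachable from LAN and Internet; use key-only authentication if it stays exposed
ACCEPT all $FW tcp 22
# HTTP,HTTPS
ACCEPT all $FW tcp 80,443
# STREAM
ACCEPT all $FW tcp 8080
# RSYNC - LAN only
ACCEPT loc $FW tcp 873
# TRACEROUTE
ACCEPT all $FW udp 33434:33443
# DNS (the bind9 resolver configured below) - LAN only. Admitting port 53 from the net
# zone would expose a recursive resolver to the Internet (open resolver, usable for DNS
# amplification). TCP 53 is needed alongside UDP 53 for truncated/large responses.
# Port 953 was dropped from this rule: it is the rndc control channel, which uses TCP and
# is used from the firewall host itself over loopback, so no zone needs to reach it.
ACCEPT loc $FW udp 53
ACCEPT loc $FW tcp 53
# DHCPD - only meaningful on the LAN interface
ACCEPT loc $FW udp 67:68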

sudo vi /etc/shorewall/masq 
# Masquerade (SNAT to eth0's address) traffic leaving via eth0 whose source is one of the
# listed private ranges. 10.0.0.0/8 covers both the LAN (10.0.100.0/24) and 10.0.200.0/24,
# which /etc/rc.local routes via 10.0.100.3. 169.254.0.0/16 is link-local, copied from the
# packaged example; routers are not supposed to forward it, so the entry is harmless but
# unnecessary here.
# NOTE(review): newer Shorewall releases replace this file with /etc/shorewall/snat;
# check "shorewall version" if the file appears to be ignored.
eth0            10.0.0.0/8,\
            169.254.0.0/16,\
            172.16.0.0/12,\
            192.168.0.0/16

sudo vi /etc/default/shorewall
# Allow the init script to start Shorewall at boot (it refuses while this is 0).
startup=1

sudo vi /etc/shorewall/shorewall.conf 
# Second boot-time guard; both this and startup=1 in /etc/default/shorewall are required.
STARTUP_ENABLED=Yes
# Shorewall enables net.ipv4.ip_forward when it starts. Required for this host to route
# between eth0 and eth1; without it the masq entry never sees any traffic.
IP_FORWARDING=On

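# Validate the configuration before starting it: a syntax error in any of the files above
# makes the start fail, leaving the host running without these rules.
sudo shorewall check && sudo /etc/init.d/shorewall start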

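sudo apt-get install bind9

sudo vi /etc/bind/named.conf.options 
    // Send queries to the listed forwarder first and fall back to full iterative
    // resolution if it does not answer ("forward only" would never fall back).
    forward first;
    forwarders {
    // Office in PSU
        192.100.77.5;
    // Home
    //    8.8.8.8;
    };
    // Validate DNSSEC signatures with the built-in root trust anchor. If the forwarder
    // above strips RRSIGs, signed names will SERVFAIL: verify with "dig +dnssec" and
    // change the forwarder rather than turning validation back off.
    dnssec-validation auto;

    // This is an internal resolver (ns1 has a private address, see db.example.com
    // below). Answer recursive queries only for loopback and the 10.0.0.0/8 networks
    // behind the router; otherwise "listen-on { any; }" combined with firewall rules
    // that admit port 53 from the net zone makes it an open resolver usable for
    // DNS amplification.
    allow-recursion { 127.0.0.1; ::1; 10.0.0.0/8; };
    // No secondary name server exists for the master zones in named.conf.local,
    // so refuse zone transfers (AXFR) outright.
    allow-transfer { none; };

    auth-nxdomain no;    # conform to RFC1035
    // Listen only on loopback and the LAN address (eth1, 10.0.100.1) rather than on
    // every interface, so bind never binds to the DHCP-assigned address on eth0.
    listen-on { 127.0.0.1; 10.0.100.1; };
    listen-on-v6 { ::1; };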

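sudo vi /etc/bind/named.conf.local
// Master zones served by this host. Relative "file" paths resolve under bind's working
// directory (/var/cache/bind on Debian/Ubuntu), which is why the zone files are created
// there below. NOTE(review): that directory is writable by the bind user; Debian's
// packaging notes recommend keeping hand-edited master zones read-only under /etc/bind
// and referencing them by absolute path.
// Both zones list ns1.example.com (10.0.100.1, a private address) as their only name
// server, so they are internal-only and no secondary exists; refuse transfers explicitly
// so the zone contents (an inventory of internal hosts) cannot be pulled with AXFR.
zone "example.com" in {
        type master;
        file "db.example.com";
        allow-transfer { none; };
};

zone "internal.example.com" in {
        type master;
        file "db.internal.example.com";
        allow-transfer { none; };
};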

sudo vi /var/cache/bind/db.example.com 
; Internal zone for example.com. ns1 is 10.0.100.1, a private address, so this zone is
; only meaningful to clients behind the router; do not delegate it publicly as-is.
; In the SOA, RNAME "root.localhost.example.com." is the hostmaster contact with the
; first "." standing for "@" (root@localhost.example.com). Increment the serial
; (YYYYMMDDnn) on every edit; secondaries (none configured here) use it to detect changes.
$TTL 3h 
example.com. IN SOA ns1.example.com. root.localhost.example.com. ( 
 2013032400 ; Serial 
 3h       ; Refresh after 3 hours 
 1h       ; Retry after 1 hour 
 1w       ; Expire after 1 week 
 1h       ; Negative caching TTL of 1 hour 
)      
 
; 
; Name servers 
; 
example.com.  IN NS  ns1.example.com. 
 
; 
; Addresses for the canonical names 
; 
; ns1 is this router's eth1 address; the other hosts are on the same /24.
localhost.example.com.      IN A     127.0.0.1 
ns1.example.com.            IN A     10.0.100.1 
dhcpserver.example.com.     IN A     10.0.100.2 
vyattarouter.example.com.   IN A     10.0.100.3 
myserver.example.com.       IN A     10.0.100.5 
radiusserver.example.com.   IN A     10.0.100.6 
mailserver.example.com.     IN A     10.0.100.7 
 
; 
; Aliases 
; 
; Unqualified names are relative to the zone origin: "mail" -> mail.example.com.
mail                   IN CNAME    mailserver 
dns.example.com.       IN CNAME ns1.example.com.

sudo vi /var/cache/bind/db.internal.example.com 
; Internal zone for the 10.0.200.0/24 network, which this router reaches via 10.0.100.3
; (see the route added in /etc/rc.local). Served by the same ns1 as example.com, so the
; same caveats apply: internal use only, and bump the serial on every edit.
$TTL 3h 
internal.example.com. IN SOA ns1.example.com. root.localhost.example.com. ( 
 2013032400 ; Serial 
 3h       ; Refresh after 3 hours 
 1h       ; Retry after 1 hour 
 1w       ; Expire after 1 week 
 1h       ; Negative caching TTL of 1 hour 
)      
 
; 
; Name servers 
; 
internal.example.com.  IN NS  ns1.example.com. 
 
; 
; Addresses for the canonical names 
; 
; r1 is presumably the 10.0.200.0/24 side of vyattarouter (10.0.100.3) - confirm.
r1.internal.example.com.            IN A     10.0.200.3 
webserver.internal.example.com.     IN A     10.0.200.4 
 
; 
; Aliases 
;

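# Check the configuration and both zone files before restarting; a syntax error would
# otherwise leave the LAN without a resolver until it is fixed.
sudo named-checkconf \
  && sudo named-checkzone example.com /var/cache/bind/db.example.com \
  && sudo named-checkzone internal.example.com /var/cache/bind/db.internal.example.com \
  && sudo service bind9 restart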

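sudo vi /etc/rc.local
# 10.0.200.0/24 (the internal.example.com hosts) sits behind 10.0.100.3 (vyattarouter) on
# the LAN, so this host must be told to reach it via that gateway. "ip route replace" is
# idempotent - a plain "add" fails with "File exists" if the route is already present -
# and avoids the legacy net-tools "route" command, which recent Ubuntu releases no longer
# install by default.
# NOTE(review): /etc/rc.local must end with "exit 0"; the idiomatic place for this route
# is a "post-up" line in the eth1 stanza of /etc/network/interfaces.
ip route replace 10.0.200.0/24 via 10.0.100.3 dev eth1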

sudo vi /etc/network/interfaces
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
# eth0: Internet side (Shorewall "net" zone); address, gateway and resolver come from the
# upstream DHCP server. NOTE(review): the DHCP-supplied resolver may be written into
# /etc/resolv.conf ahead of the local bind; check resolvconf ordering if lookups bypass it.
auto eth0
iface eth0 inet dhcp
# eth1: LAN side (Shorewall "loc" zone), static 10.0.100.1/24. This is the address
# db.example.com publishes for ns1, and dns-nameservers points the router at its own bind.
auto eth1
iface eth1 inet static
address 10.0.100.1
netmask 255.255.255.0
dns-nameservers 10.0.100.1