Servidor NTP Centos
Este servidor consta de dos tarjetas de red: Una con la que se conecta a Internet desde el router del proveedor de acceso a Internet (ISP) y otra para la red interna. El sistema operativo es Centos 6.9 excelente sistema con una extensa documentación. DHCP, DNS, Samba, Iptables, etc..
eth0 = Internet
eth1 = Red interna
Centos 6.9 puede instalarse desde un dvd o una memoria USB en modo gráfico (conectando el servidor a un monitor). A partir de la mínima configuración puede continuar vía ssh desde una máquina de la red. La opción a elegir es servidor.
Estructurar la red eth0 eth1. /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth0
HWADDR=00:22:4D:A5:9D:06
TYPE=Ethernet
UUID=2288f191-aa67-420a-b23c-ad5ce6bc1736
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=dhcp
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
DEVICE=eth1
HWADDR=00:22:4D:A5:9D:0A
TYPE=Ethernet
UUID=6f52e738-8c50-4c34-9f47-399086d5406f
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=static
IPADDR=192.168.0.1
NETMASK=255.255.255.0
PEERDNS=no
Servidor DHCP para entregar direcciones de red a los equipos de la red interna /etc/dhcp/dhcpd.conf
# DHCP Server Configuration file.
# see /usr/share/doc/dhcp*/dhcpd.conf.sample
# see 'man 5 dhcpd.conf'
#
ddns-update-style interim;
ignore client-updates;
authoritative;
default-lease-time 900;
max-lease-time 7200;
option ip-forwarding off;
option domain-name "linux.bcn";
ddns-update-style none;
subnet 192.168.0.0 netmask 255.255.255.0 {
option routers 192.168.0.1;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.0.255;
option domain-name-servers 8.8.8.8,8.8.4.4,192.168.0.1;
option ntp-servers 192.168.0.1;
range 192.168.0.50 192.168.0.99;
}
PermitRootLogin no
AllowUsers carles
Activar el reenvío de paquetes IP
# sysctl net.ipv4.ip_forward = 1
En el archivo /etc/sysctl.conf cambiar
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
por
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
Iptables para administrar Netfilter
# Generated by iptables-save v1.4.7 on Fri Feb 9 23:38:57 2018
*mangle
:PREROUTING ACCEPT [1128:95583]
:INPUT ACCEPT [1033:84832]
:FORWARD ACCEPT [95:10751]
:OUTPUT ACCEPT [722:117312]
:POSTROUTING ACCEPT [789:118879]
COMMIT
# Completed on Fri Feb 9 23:38:57 2018
# Generated by iptables-save v1.4.7 on Fri Feb 9 23:38:57 2018
*nat
:PREROUTING ACCEPT [11:704]
:POSTROUTING ACCEPT [1:116]
:OUTPUT ACCEPT [32:9528]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Feb 9 23:38:57 2018
# Generated by iptables-save v1.4.7 on Fri Feb 9 23:38:57 2018
*filter
:INPUT DROP [9:353]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth1 -p udp -m udp --dport 67:68 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth1 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 135:139 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 135:139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -j LOG
-A INPUT -i eth1 -j LOG --log-prefix "From LAN:"
-A INPUT -i eth1 -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A FORWARD -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o eth0 -p tcp -m tcp --sport 31337 --dport 31337 -j DROP
-A FORWARD -j LOG --log-prefix "forward:"
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 192.168.0.0/24 -o eth1 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 31337 --dport 31337 -j DROP
-A OUTPUT -s 192.168.0.0/24 -o eth1 -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
-A OUTPUT -s 192.168.0.0/24 -o eth1 -p udp -m udp --dport 67:68 -j ACCEPT
-A OUTPUT -s 192.168.0.0/24 -o eth1 -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A OUTPUT -s 192.168.0.0/24 -o eth1 -p udp -m udp --dport 5353 -j ACCEPT
-A OUTPUT -s 192.168.0.0/24 -o eth1 -p udp -m udp --dport 67:68 -j DROP
-A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
-A OUTPUT -o WAN_IFACE -p tcp -m tcp --sport 1:1024 -j DROP
-A OUTPUT -o WAN_IFACE -p udp -m udp --sport 1:1024 -j DROP
-A OUTPUT -o eth0 -p udp -m udp --sport 1:1024 -j DROP
COMMIT
# Completed on Fri Feb 9 23:38:57 2018
Reiniciar el servicio iptables
# service iptables restart
Linux es genial!.
No hay comentarios:
Publicar un comentario