-= Gateway / DHCP / Firewall / Proxy and Content Filter =- v.0.2

(1) Base Debian Lenny installation
- no login for root
- a regular user with a password
- security and volatile updates enabled
- base software installation (standard system)

(2) Update and install the additional packages (first uncomment the source pointing at the Debian CD-ROM in /etc/apt/sources.list):

# apt-get update
# apt-get upgrade
# apt-get install openssh-server

(3) Network configuration, masquerading and firewall

- configure /etc/network/interfaces

####### /etc/network/interfaces ####################################
# The loopback network interface
auto lo
iface lo inet loopback

# LAN
allow-hotplug eth0
iface eth0 inet static
    address 192.168.10.254
    netmask 255.255.255.0
    network 192.168.10.0
    broadcast 192.168.10.255
    dns-nameservers 8.8.4.4 8.8.8.8

# INTERNET
allow-hotplug eth1
iface eth1 inet dhcp
--------------------------------------------------------------------

- configure /etc/resolv.conf

####### /etc/resolv.conf ############################################
nameserver 8.8.8.8
nameserver 8.8.4.4
--------------------------------------------------------------------

- configure the script that sets up iptables:

####### /etc/init.d/wbox.sh ########################################
#!/bin/bash
# flush the existing rules in the filter and nat tables
# (no default policy is set here: packets matched by no rule fall
#  through to the kernel default, which is ACCEPT)
iptables -F
iptables -t nat -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -p icmp -j ACCEPT
# SSH reachable from the Internet side
iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -m conntrack --ctstate NEW -j DROP
# for the transparent proxy
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth1 -j REJECT
echo 1 > /proc/sys/net/ipv4/ip_forward
--------------------------------------------------------------------

make the script executable (from /etc/init.d):
# chmod +x wbox.sh

link the script into the boot sequence:
# cd /etc/rc2.d
# ln -s ../init.d/wbox.sh S99wbox

edit the file /etc/hosts:

######## /etc/hosts ################################################
127.0.0.1       localhost
127.0.1.1       wbox1
192.168.10.254  gateway proxy

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
--------------------------------------------------------------------

(4) DNS/DHCP server on the LAN

# apt-get install dnsmasq

configure /etc/dnsmasq.conf, basic settings:

######### /etc/dnsmasq.conf ########################################
listen-address=192.168.10.254
dhcp-range=192.168.10.50,192.168.10.150,12h
dhcp-option=3,192.168.10.254
dhcp-option=option:ntp-server,193.204.114.232
dhcp-authoritative
log-queries
log-dhcp
--------------------------------------------------------------------

(restart and test the configuration)

(5) squid as a transparent proxy on port 80

# apt-get install squid

squid configuration:

####### /etc/squid/squid.conf ######################################
acl localnet src 192.168.10.0/24
http_access allow localnet
http_port 3128 transparent
cache_dir ufs /var/spool/squid 500 16 256
cache_mgr box@dominio.xyz
--------------------------------------------------------------------

(6) Enable the transparent proxy

uncomment this line in wbox.sh:
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

(7) dansguardian content filter and antivirus

# apt-get install dansguardian

edit the dansguardian configuration:

######## /etc/dansguardian/dansguardian.conf #######################
reportinglevel = 0
language = 'italian'
loglocation = '/var/log/dansguardian/access.log'
filterip = 192.168.10.254
contentscanner = '/etc/dansguardian/contentscanners/clamav.conf'
pidfilename = '/var/run/dansguardian.pid'
daemonuser = 'dansguardian'
daemongroup = 'dansguardian'
--------------------------------------------------------------------

# /etc/init.d/dansguardian start

change wbox.sh so that requests are handed to dansguardian instead of squid:

from:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
to:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

edit and test the dansguardian filter configuration under /etc/dansguardian

-- END --
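As an added check that is not part of the original guide: a shell function that audits an iptables-save dump for the rules steps (3) to (7) rely on (NEW connections from eth1 dropped, LAN port 80 redirected to dansguardian on 8080, masquerading on eth1) and, going beyond what wbox.sh sets, for a DROP policy on the FORWARD chain. The sample dump below is constructed; interface roles (eth0 LAN, eth1 Internet) and ports are the guide's.

```shell
#!/bin/sh
# Audit an iptables-save dump for the rules this gateway depends on.
# Prints one line per problem and returns 1 if anything is missing, 0 otherwise.
# Interface roles follow the guide: eth0 = LAN, eth1 = Internet; 8080 = dansguardian.
audit_wbox_rules() {
    dump="$1"
    fail=0
    has_rule() { printf '%s\n' "$dump" | grep -qF -- "$1"; }
    # unsolicited connections arriving from the Internet side must be dropped
    has_rule '-A INPUT -i eth1 -m conntrack --ctstate NEW -j DROP' \
        || { echo "MISSING: drop of NEW connections on eth1"; fail=1; }
    # nothing may be forwarded into the LAN unless a rule allows it; wbox.sh as
    # written sets no FORWARD policy, so this is an added hardening check
    has_rule ':FORWARD DROP' \
        || { echo "WEAK: FORWARD chain policy is not DROP"; fail=1; }
    # LAN web traffic must reach the content filter, not squid directly
    # (iptables-save prints REDIRECT's --to-port as --to-ports and adds -m tcp)
    has_rule '-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080' \
        || { echo "MISSING: port-80 redirect to dansguardian (8080)"; fail=1; }
    # outbound LAN traffic must be masqueraded on the Internet interface
    has_rule '-A POSTROUTING -o eth1 -j MASQUERADE' \
        || { echo "MISSING: MASQUERADE on eth1"; fail=1; }
    return $fail
}

# Constructed sample dump, as iptables-save would print the rules after step (7)
# plus a FORWARD DROP policy (not produced by wbox.sh itself).
GOOD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -m conntrack --ctstate NEW -j DROP
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT'
# Same dump as the box would show after step (6) only: squid on 3128, no FORWARD policy.
BAD_DUMP=$(printf '%s\n' "$GOOD_DUMP" | sed -e 's/^:FORWARD DROP/:FORWARD ACCEPT/' -e 's/--to-ports 8080/--to-ports 3128/')

audit_wbox_rules "$GOOD_DUMP" && echo "ruleset OK"
```

On the gateway itself, after loading wbox.sh, run `audit_wbox_rules "$(iptables-save)"`; the two lines reported for the step (6) dump are the redirect still pointing at 3128 and the missing FORWARD policy.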