Squid + PAM Authentication on CentOS 7 - SME Networks

General index of the series: Computer Networks for SMEs: Introduction

Hello, friends!

The title of this article should have been: "MATE + NTP + Dnsmasq + Gateway Service + Apache + Squid with PAM Authentication on CentOS 7 - SME Networks". For practical reasons we shortened it.

We continue with the authentication of local users on a Linux computer using PAM, and this time we will see how to provide the Squid proxy service for a small network of computers, using the authentication credentials stored on the same computer where the Squid server runs.

Although we know it is very common practice nowadays to authenticate services against OpenLDAP, Red Hat's Directory Server 389, Microsoft Active Directory, etc., we consider that we should first go through simple and cheap solutions, and then face the more complex ones. We believe we must go from the simple to the complex.

Scenario

It is a small organization - with very few financial resources - dedicated to supporting the use of Free Software, which chose the name DesdeLinux.Fan. They are several CentOS enthusiasts grouped in a single office. They bought a workstation - not a professional server - which they will dedicate to working as the "server".

The enthusiasts do not have deep knowledge of how to implement an OpenLDAP server or a Samba 4 AD-DC, nor can they afford to license a Microsoft Active Directory. However, for their daily work they need Internet access through a proxy - to speed up browsing - and a space to store their most valuable documents and to work as backup copies.

They still mostly use legally acquired Microsoft operating systems, but they want to change them to Linux-based operating systems, starting with their "server".

They also aspire to have their own mail server to become independent - at least at the origin - of services such as Gmail, Yahoo, HotMail, etc., which is what they currently use.

The firewall and routing rules facing the Internet will be set up in the contracted ADSL router.

They do not have a real domain name, since they do not need to publish any service on the Internet.

CentOS 7 as a server without GUI

We start from a fresh installation of a server without a graphical interface, and the only option we selected during the process was "Infrastructure Server", as we saw in previous articles of the series.

Initial settings

[root@linuxbox ~]# cat /etc/hostname
linuxbox

[root@linuxbox ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.5    linuxbox.desdelinux.fan linuxbox

[root@linuxbox ~]# hostname
linuxbox

[root@linuxbox ~]# hostname -f
linuxbox.desdelinux.fan

[root@linuxbox ~]# ip addr list
[root@linuxbox ~]# ifconfig -a
[root@linuxbox ~]# ls /sys/class/net/
ens32  ens34  lo

We disable the Network Manager

[root@linuxbox ~]# systemctl stop NetworkManager

[root@linuxbox ~]# systemctl disable NetworkManager

[root@linuxbox ~]# systemctl status NetworkManager
● NetworkManager.service - Network Manager
   Loaded: loaded (/usr/lib/systemd/system/NetworkManager.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:NetworkManager(8)

[root@linuxbox ~]# ifconfig -a

We configure the network interfaces

Ens32 LAN interface connected to the Internal Network

[root@linuxbox ~]# nano /etc/sysconfig/network-scripts/ifcfg-ens32
DEVICE=ens32
ONBOOT=yes
BOOTPROTO=static
HWADDR=00:0c:29:da:a3:e7
NM_CONTROLLED=no
IPADDR=192.168.10.5
NETMASK=255.255.255.0
GATEWAY=192.168.10.1
DOMAIN=desdelinux.fan
DNS1=127.0.0.1
ZONE=public

[root@linuxbox ~]# ifdown ens32 && ifup ens32

Ens34 WAN interface connected to the Internet

[root@linuxbox ~]# nano /etc/sysconfig/network-scripts/ifcfg-ens34
DEVICE=ens34
ONBOOT=yes
BOOTPROTO=static
HWADDR=00:0c:29:da:a3:e7
NM_CONTROLLED=no
IPADDR=172.16.10.10
NETMASK=255.255.255.0
# The ADSL router is connected to
# this interface at the following IP address
GATEWAY=172.16.10.1
DOMAIN=desdelinux.fan
DNS1=127.0.0.1
ZONE=external

[root@linuxbox ~]# ifdown ens34 && ifup ens34

Repository configuration

[root@linuxbox ~]# cd /etc/yum.repos.d/
[root@linuxbox yum.repos.d]# mkdir original
[root@linuxbox yum.repos.d]# mv CentOS-* original/

[root@linuxbox yum.repos.d]# nano centos.repo
[Base-Repo]
name=CentOS-$releasever
baseurl=http://192.168.10.1/repos/centos/7/base/x86_64/
gpgcheck=0
enabled=1

[CentosPlus-Repo]
name=CentOS-$releasever
baseurl=http://192.168.10.1/repos/centos/7/centosplus/x86_64/
gpgcheck=0
enabled=1

[Epel-Repo]
name=CentOS-$releasever
baseurl=http://192.168.10.1/repos/centos/7/epel/x86_64/
gpgcheck=0
enabled=1

[Updates-Repo]
name=CentOS-$releasever
baseurl=http://192.168.10.1/repos/centos/7/updates/x86_64/
gpgcheck=0
enabled=1

[root@linuxbox yum.repos.d]# yum clean all
Loaded plugins: fastestmirror, langpacks
Cleaning repos: Base-Repo CentosPlus-Repo Epel-Repo Media-Repo
              : Updates-Repo
Cleaning up everything
Cleaning up list of fastest mirrors
[root@linuxbox yum.repos.d]# yum update
Loaded plugins: fastestmirror, langpacks
Base-Repo                                   | 3.6 kB  00:00
CentosPlus-Repo                             | 3.4 kB  00:00
Epel-Repo                                   | 4.3 kB  00:00
Media-Repo                                  | 3.6 kB  00:00
Updates-Repo                                | 3.4 kB  00:00
(1/9): Base-Repo/group_gz                   | 155 kB  00:00
(2/9): Epel-Repo/group_gz                   | 170 kB  00:00
(3/9): Media-Repo/group_gz                  | 155 kB  00:00
(4/9): Epel-Repo/updateinfo                 | 734 kB  00:00
(5/9): Media-Repo/primary_db                | 5.3 MB  00:00
(6/9): CentosPlus-Repo/primary_db           | 1.1 MB  00:00
(7/9): Updates-Repo/primary_db              | 2.2 MB  00:00
(8/9): Epel-Repo/primary_db                 | 4.5 MB  00:01
(9/9): Base-Repo/primary_db                 | 5.6 MB  00:01
Determining fastest mirrors
No packages marked for update

The message "No packages marked for update" is shown because during the installation we declared the same local repositories that we have available.

CentOS 7 with the MATE desktop environment

To use the very good graphical administration tools that CentOS / Red Hat provides, and because we always miss GNOME2, we decided to install MATE as the desktop environment.

[root@linuxbox ~]# yum groupinstall "X Window system"
[root@linuxbox ~]# yum groupinstall "MATE Desktop"

To check that MATE loads correctly, we run the following command in a console - local or remote:

[root@linuxbox ~]# systemctl isolate graphical.target

and the desktop environment should load - on the local machine - smoothly, showing lightdm as the graphical login. We type the name of the local user and its password, and we enter MATE.

To tell systemd that the default boot level is 5 - graphical environment - we create the following symbolic link:

[root@linuxbox ~]# ln -sf /lib/systemd/system/runlevel5.target /etc/systemd/system/default.target

We reboot the system and everything works fine.

We install the Network Time Service

[root@linuxbox ~]# yum install ntp

During the installation we configure the local clock to be synchronized with the time server of the machine sysadmin.desdelinux.fan, with IP 192.168.10.1. So, we save the original ntp.conf file:

[root@linuxbox ~]# cp /etc/ntp.conf /etc/ntp.conf.original

Now, we create a new one with the following content:

[root@linuxbox ~]# nano /etc/ntp.conf
# Servers configured during the installation:
server 192.168.10.1 iburst

# For more information, see the man pages of:
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift

# Permit time synchronization with the time source, but do not
# permit the source to query or modify this service
restrict default nomodify notrap nopeer noquery

# Permit all access over the loopback interface
restrict 127.0.0.1
restrict ::1

# Restrict the computers of the local network a little less.
restrict 192.168.10.0 mask 255.255.255.0 nomodify notrap

# Use the public servers of the pool.ntp.org project
# If you want to join the project, visit
# (http://www.pool.ntp.org/join.html).

#broadcast 192.168.10.255 autokey        # broadcast server
broadcastclient                          # broadcast client
#broadcast 224.0.1.1 autokey             # multicast server
#multicastclient 224.0.1.1               # multicast client
#manycastserver 239.255.254.254          # manycast server
#manycastclient 239.255.254.254 autokey  # manycast client
broadcast 192.168.10.255

# Enable public key cryptography.
#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers
# used when operating with symmetric key cryptography
keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8

# Enable writing of statistics records.

# Disable the monitoring facility to prevent amplification
# attacks using the ntpdc monlist command, when the default
# restriction does not include the noquery flag. Read CVE-2013-5211
# for more details.
# Note: the monitor is not disabled with the limited restriction flag.
disable monitor

We enable, start and check the NTP service

[root@linuxbox ~]# systemctl status ntpd
● ntpd.service - Network Time Service
   Loaded: loaded (/usr/lib/systemd/system/ntpd.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

[root@linuxbox ~]# systemctl enable ntpd
Created symlink from /etc/systemd/system/multi-user.target.wants/ntpd.service to /usr/lib/systemd/system/ntpd.service.

[root@linuxbox ~]# systemctl start ntpd
[root@linuxbox ~]# systemctl status ntpd
● ntpd.service - Network Time Service
   Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2017-04-14 15:51:08 EDT; 1s ago
  Process: 1307 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 1308 (ntpd)
   CGroup: /system.slice/ntpd.service
           └─1308 /usr/sbin/ntpd -u ntp:ntp -g

NTP and the Firewall

[root@linuxbox ~]# firewall-cmd --get-active-zones
external
  interfaces: ens34
public
  interfaces: ens32

[root@linuxbox ~]# firewall-cmd --zone=public --add-port=123/udp --permanent
success
[root@linuxbox ~]# firewall-cmd --reload
success

We enable and configure Dnsmasq

As we saw in a previous article of the SME Networks series, Dnsmasq is installed by default on a CentOS 7 Infrastructure Server.

[root@linuxbox ~]# systemctl status dnsmasq
● dnsmasq.service - DNS caching server.
   Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

[root@linuxbox ~]# systemctl enable dnsmasq
Created symlink from /etc/systemd/system/multi-user.target.wants/dnsmasq.service to /usr/lib/systemd/system/dnsmasq.service.

[root@linuxbox ~]# systemctl start dnsmasq
[root@linuxbox ~]# systemctl status dnsmasq
● dnsmasq.service - DNS caching server.
   Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2017-04-14 16:21:18 EDT; 4s ago
 Main PID: 33611 (dnsmasq)
   CGroup: /system.slice/dnsmasq.service
           └─33611 /usr/sbin/dnsmasq -k

[root@linuxbox ~]# mv /etc/dnsmasq.conf /etc/dnsmasq.conf.original

[root@linuxbox ~]# nano /etc/dnsmasq.conf
# -------------------------------------------------------------------
# G E N E R A L   O P T I O N S
# -------------------------------------------------------------------
domain-needed   # Do not forward names without the domain part
bogus-priv  # Do not forward addresses in the non-routed address space
expand-hosts    # Automatically add the domain to the host
interface=ens32 # LAN interface

strict-order    # Order in which the /etc/resolv.conf file is consulted
conf-dir=/etc/dnsmasq.d
domain=desdelinux.fan   # Domain name

address=/time.windows.com/192.168.10.5

# Sends an empty value for the WPAD option. Required for
# Windows 7 and later clients to behave properly. ;-)
dhcp-option=252,"\n"

# File where we will declare the HOSTS that will be "banned"
addn-hosts=/etc/banner_add_hosts

local=/desdelinux.fan/

# -------------------------------------------------------------------
# C N A M E    M X    T X T   R E C O R D S
# -------------------------------------------------------------------
# This type of record requires an entry
# in the /etc/hosts file
# e.g.: 192.168.10.5 linuxbox.desdelinux.fan linuxbox
# cname=ALIAS,REAL_NAME
cname=mail.desdelinux.fan,linuxbox.desdelinux.fan

# MX RECORDS
# Returns an MX record with the name "desdelinux.fan" destined
# for the host mail.desdelinux.fan with priority 10
mx-host=desdelinux.fan,mail.desdelinux.fan,10

# The default target for MX records created
# using the localmx option will be:
mx-target=mail.desdelinux.fan

# Returns an MX record pointing to the mx-target for ALL
# local machines
localmx

# TXT records. We can also declare an SPF record
txt-record=desdelinux.fan,"v=spf1 a -all"
txt-record=desdelinux.fan,"DesdeLinux, su Blog dedicado al Software Libre"

# -------------------------------------------------------------------
# R A N G E   A N D   I T S   O P T I O N S
# -------------------------------------------------------------------
# IPv4 range and lease time
# 1 through 29 are for the servers and other needs
dhcp-range=192.168.10.30,192.168.10.250,8h

dhcp-lease-max=222      # Maximum number of addresses to lease
                        # the default is 150
# IPv6 range
# dhcp-range=1234::, ra-only

# Options for the RANGE
# O P T I O N S
dhcp-option=1,255.255.255.0 # NETMASK
dhcp-option=3,192.168.10.5  # ROUTER GATEWAY
dhcp-option=6,192.168.10.5  # DNS Servers
dhcp-option=15,desdelinux.fan   # DNS Domain Name
dhcp-option=19,1        # option ip-forwarding ON
dhcp-option=28,192.168.10.255   # BROADCAST
dhcp-option=42,192.168.10.5 # NTP

dhcp-authoritative      # Authoritative DHCP on the subnet

# -------------------------------------------------------------------
# If you want to store the query log in /var/log/messages
# uncomment the line below
# -------------------------------------------------------------------
# log-queries
# END of file /etc/dnsmasq.conf
# -------------------------------------------------------------------

We create the file /etc/banner_add_hosts

[root@linuxbox ~]# nano /etc/banner_add_hosts
192.168.10.5 windowsupdate.com
192.168.10.5 ctldl.windowsupdate.com
192.168.10.5 ocsp.verisign.com
192.168.10.5 csc3-2010-crl.verisign.com
192.168.10.5 www.msftncsi.com
192.168.10.5 ipv6.msftncsi.com
192.168.10.5 teredo.ipv6.microsoft.com
192.168.10.5 ds.download.windowsupdate.com
192.168.10.5 download.microsoft.com
192.168.10.5 fe2.update.microsoft.com
192.168.10.5 crl.microsoft.com
192.168.10.5 www.download.windowsupdate.com
192.168.10.5 win8.ipv6.microsoft.com
192.168.10.5 spynet.microsoft.com
192.168.10.5 spynet1.microsoft.com
192.168.10.5 spynet2.microsoft.com
192.168.10.5 spynet3.microsoft.com
192.168.10.5 spynet4.microsoft.com
192.168.10.5 spynet5.microsoft.com
192.168.10.5 office15client.microsoft.com
192.168.10.5 addons.mozilla.org
192.168.10.5 crl.verisign.com

Fixed IP addresses

[root@linuxbox ~]# nano /etc/hosts
127.0.0.1       localhost localhost.localdomain localhost4 localhost4.localdomain4
::1             localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.5    linuxbox.desdelinux.fan linuxbox
192.168.10.1    sysadmin.desdelinux.fan sysadmin

We configure the /etc/resolv.conf file - the resolver

[root@linuxbox ~]# nano /etc/resolv.conf
search desdelinux.fan
nameserver 127.0.0.1
# For external DNS queries, or
# those not in the desdelinux.fan domain
# local=/desdelinux.fan/
nameserver 8.8.8.8

We check the syntax of the dnsmasq.conf file, then restart the service and check its status

[root@linuxbox ~]# dnsmasq --test
dnsmasq: syntax check OK.
[root@linuxbox ~]# systemctl restart dnsmasq
[root@linuxbox ~]# systemctl status dnsmasq

Dnsmasq and the Firewall

[root@linuxbox ~]# firewall-cmd --get-active-zones
external
  interfaces: ens34
public
  interfaces: ens32

The domain service, or Domain Name Server (dns). Protocol swipe "IP with Encryption"

[root@linuxbox ~]# firewall-cmd --zone=public --add-port=53/tcp --permanent
success
[root@linuxbox ~]# firewall-cmd --zone=public --add-port=53/udp --permanent
success

Dnsmasq queries to external DNS servers

[root@linuxbox ~]# firewall-cmd --zone=external --add-port=53/tcp --permanent
success
[root@linuxbox ~]# firewall-cmd --zone=external --add-port=53/udp --permanent
success

The bootps service, or BOOTP Server (dhcp). Protocol ippc "Internet Pluribus Packet Core"

[root@linuxbox ~]# firewall-cmd --zone=public --add-port=67/tcp --permanent
success
[root@linuxbox ~]# firewall-cmd --zone=public --add-port=67/udp --permanent
success

[root@linuxbox ~]# firewall-cmd --reload
success

[root@linuxbox ~]# firewall-cmd --info-zone public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens32
  sources:
  services: dhcp dns ntp ssh
  ports: 67/tcp 53/udp 123/udp 67/udp 53/tcp
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

[root@linuxbox ~]# firewall-cmd --info-zone external
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens34
  sources:
  services: dns
  ports: 53/udp 53/tcp
  protocols:
  masquerade: yes
  forward-ports:
  sourceports:
  icmp-blocks: parameter-problem redirect router-advertisement router-solicitation source-quench
  rich rules:

If we want to use a graphical application to configure the Firewall in CentOS 7, we look in the general menu - the submenu in which it appears will depend on the desktop environment - for the "Firewall" application, we run it, and after entering the password of the root user we get to the interface of the program as such. In MATE it appears in the menu "System" -> "Administration" -> "Firewall".

We select the "public" zone and authorize the services we want published on the LAN, which so far are dhcp, dns, ntp and ssh. After selecting the services and verifying that everything works correctly, we must make the Runtime changes Permanent. To do this we go to the Options menu and select the option "Runtime To Permanent".

Later we select the "external" zone and check that the ports needed to communicate with the Internet are open. DO NOT publish services in this zone unless we know very well what we are doing!

Let's not forget to make the changes permanent through the option "Runtime To Permanent" and to reload the Firewall daemon, each time we use this powerful graphical tool.
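
One way to catch the mistake the last paragraph warns about, a change left in the runtime configuration only, is to compare the two views of a zone. This is an added example, not part of the original article: `parse_zone` and `drift` are hypothetical helpers, and both sample outputs are constructed (the runtime one mirrors the "public" zone shown above; the permanent one assumes ntp and 123/udp were never saved).

```python
# Added example: compare the runtime and permanent settings of a firewalld zone.
# On the server the two inputs would come from:
#   firewall-cmd --info-zone=public
#   firewall-cmd --permanent --info-zone=public
# Both samples below are constructed for illustration.

RUNTIME = """\
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens32
  sources:
  services: dhcp dns ntp ssh
  ports: 67/tcp 53/udp 123/udp 67/udp 53/tcp
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:
"""

PERMANENT = """\
public
  target: default
  icmp-block-inversion: no
  interfaces: ens32
  sources:
  services: dhcp dns ssh
  ports: 67/tcp 53/udp 67/udp 53/tcp
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:
"""

# Settings compared here; each one is a single line of space-separated items.
COMPARED = ("services", "ports", "protocols", "masquerade", "icmp-blocks")


def parse_zone(text):
    """Return {setting: set(items)} for the settings listed in COMPARED."""
    zone = {key: set() for key in COMPARED}
    for line in text.splitlines()[1:]:      # the first line is the zone name
        key, sep, value = line.strip().partition(":")
        if sep and key in zone:
            zone[key] = set(value.split())
    return zone


def drift(runtime_text, permanent_text):
    """Report settings whose runtime and permanent values differ."""
    runtime, permanent = parse_zone(runtime_text), parse_zone(permanent_text)
    report = {}
    for key in COMPARED:
        lost = sorted(runtime[key] - permanent[key])      # gone after --reload
        appears = sorted(permanent[key] - runtime[key])   # active after --reload
        if lost or appears:
            report[key] = {"lost_on_reload": lost, "appears_on_reload": appears}
    return report


if __name__ == "__main__":
    for setting, diff in drift(RUNTIME, PERMANENT).items():
        print(setting, diff)
```

An empty report means the next `firewall-cmd --reload` or reboot will not change what the zone exposes.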

NTP and Dnsmasq from a Windows 7 client

Synchronization with NTP

Leased IP address

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\buzz>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : SEVEN
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : desdelinux.fan

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : desdelinux.fan
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-D6-14-36
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.10.115(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Friday, April 14, 2017 5:12:53 PM
   Lease Expires . . . . . . . . . . : Saturday, April 15, 2017 1:12:53 AM
   Default Gateway . . . . . . . . . : 192.168.10.1
   DHCP Server . . . . . . . . . . . : 192.168.10.5
   DNS Servers . . . . . . . . . . . : 192.168.10.5
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.desdelinux.fan:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : desdelinux.fan
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\Users\buzz>

Tip

An important value in Windows clients is the "Primary Dns Suffix" or "Main connection suffix". When a Microsoft Domain Controller is not used, the operating system does not assign any value to it. If we face a case like the one described at the beginning of the article and we want to declare that value explicitly, we must proceed as shown in the following image, accept the changes and restart the client.

If we run CMD -> ipconfig /all again, we will get the following:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\buzz>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : SEVEN
   Primary Dns Suffix  . . . . . . . : desdelinux.fan
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : desdelinux.fan

The rest of the values remain unchanged

DNS checks

buzz@sysadmin:~$ host spynet.microsoft.com
spynet.microsoft.com has address 127.0.0.1
Host spynet.microsoft.com not found: 5(REFUSED)
spynet.microsoft.com mail is handled by 1 mail.desdelinux.fan.

buzz@sysadmin:~$ host linuxbox
linuxbox.desdelinux.fan has address 192.168.10.5
linuxbox.desdelinux.fan mail is handled by 1 mail.desdelinux.fan.

buzz@sysadmin:~$ host sysadmin
sysadmin.desdelinux.fan has address 192.168.10.1
sysadmin.desdelinux.fan mail is handled by 1 mail.desdelinux.fan.

buzz@sysadmin:~$ host mail
mail.desdelinux.fan is an alias for linuxbox.desdelinux.fan.
linuxbox.desdelinux.fan has address 192.168.10.5
linuxbox.desdelinux.fan mail is handled by 1 mail.desdelinux.fan.

We install - for testing only - an authoritative DNS server, NSD, on sysadmin.desdelinux.fan, and we add the IP address 172.16.10.1 to the /etc/resolv.conf file of the machine linuxbox.desdelinux.fan, to verify that Dnsmasq was correctly performing its Forwarder function. The sandboxes on the NSD server are favt.org and toujague.org. All the IPs are fictitious or come from private networks.

If we disable the WAN interface ens34 using the command ifdown ens34, Dnsmasq will not be able to query the external DNS servers.

[buzz@linuxbox ~]$ sudo ifdown ens34
[buzz@linuxbox ~]$ host -t mx toujague.org
Host toujague.org not found: 3(NXDOMAIN)

[buzz@linuxbox ~]$ host pizzapie.favt.org
Host pizzapie.favt.org not found: 3(NXDOMAIN)

Let's enable the ens34 interface and check again:

[buzz@linuxbox ~]$ sudo ifup ens34
[buzz@linuxbox ~]$ host pizzapie.favt.org
pizzapie.favt.org is an alias for paisano.favt.org.
paisano.favt.org has address 172.16.10.4

[buzz@linuxbox ~]$ host pizzapie.toujague.org
Host pizzas.toujague.org not found: 3(NXDOMAIN)

[buzz@linuxbox ~]$ host poblacion.toujague.org
poblacion.toujague.org has address 169.18.10.18

[buzz@linuxbox ~]$ host -t NS favt.org
favt.org name server ns1.favt.org.
favt.org name server ns2.favt.org.

[buzz@linuxbox ~]$ host -t NS toujague.org
toujague.org name server ns1.toujague.org.
toujague.org name server ns2.toujague.org.

[buzz@linuxbox ~]$ host -t MX toujague.org
toujague.org mail is handled by 10 mail.toujague.org.

Let's query from sysadmin.desdelinux.fan:

buzz@sysadmin:~$ cat /etc/resolv.conf
search desdelinux.fan
nameserver 192.168.10.5

xeon@sysadmin:~$ host mail.toujague.org
mail.toujague.org has address 169.18.10.19

Dnsmasq is working correctly as a Forwarder.

Squid

In the PDF-format book "Linux Server Configuration", dated July 25, 2016, by the author Joel Barrios (darkshram@gmail.com - http://www.alcancelibre.org/), a text I have referred to in previous articles, there is a whole chapter dedicated to the Basic Configuration Options.

Because of the importance of the Web - Proxy service, we reproduce the Introduction about Squid from the aforementioned book:

105.1. Introduction.

105.1.1. What is an Intermediary Server (Proxy)?

The English term "Proxy" has a very general and at the same time ambiguous meaning, although it is invariably considered a synonym of the concept of "Intermediary". It is usually translated, in the strict sense, as delegate or attorney-in-fact (one who has power over another).

An Intermediary Server is defined as a computer or device that offers a network service consisting of allowing clients to make indirect network connections to other network services. During the process the following occurs:

  • The client connects to a Proxy Server.
  • The client requests a connection, a file, or any other resource available on a different server.
  • The Intermediary Server provides the resource either by connecting to the specified server
    or by serving it from a cache.
  • In some cases the Intermediary Server may alter the client's request or the
    server's response for various purposes.

Proxy Servers are generally made to work simultaneously as a firewall operating at the Network Level, acting as a packet filter, as in the case of iptables, or operating at the Application Level, controlling various services, as is the case of TCP Wrapper. Depending on the context, the firewall is also known as BPD or Border Protection Device, or simply packet filter.

A common application of Proxy Servers is to work as a cache of network content (mainly HTTP), providing in the proximity of the clients a cache of pages and files available through the Network on remote HTTP servers, allowing the clients of the local network to access them faster and more reliably.

When a request is received for a network resource specified in a URL (Uniform Resource Locator), the Intermediary Server looks for the result of the URL within the cache. If it is found, the Intermediary Server responds to the client by immediately providing the requested content. If the requested content is absent from the cache, the Intermediary Server fetches it from a remote server, delivering it to the client that requested it and keeping a copy in the cache. The content in the cache is then removed through an expiration algorithm according to age, size and history of responses to requests (hits) (examples: LRU, LFUDA and GDSF).

Proxy Servers for network content (Web Proxies) can also act as filters of the content served, applying censorship policies according to arbitrary criteria.

The Squid version we will install is 3.5.20-2.el7_3.2, from the updates repository.

Installation

[root@linuxbox ~]# yum install squid

[root@linuxbox ~]# ls /etc/squid/
cachemgr.conf          errorpage.css.default  squid.conf
cachemgr.conf.default  mime.conf              squid.conf.default
errorpage.css          mime.conf.default

[root@linuxbox ~]# systemctl enable squid

Important

  • The main objective of this article is to authorize local users to connect to Squid from other computers connected to the LAN. In addition, to implement the core of a server to which other services will be added. It is not an article dedicated to Squid as such.
  • To get an idea of Squid's configuration options, read the file /usr/share/doc/squid-3.5.20/squid.conf.documented, which has 7915 lines.

SELinux and Squid

[root@linuxbox ~]# getsebool -a | grep squid
squid_connect_any --> on
squid_use_tproxy --> off

[root@linuxbox ~]# setsebool -P squid_connect_any=on

Configuration

[xidid @ linuxbox ~] # nano /etc/squid/squid.conf
# LAN acl localnet src 192.168.10.0/24 acl dekedda SSL_ports 443 21
acl dekedda Safe_ports 80 # http acl Safe_ports dekedda 21 # ftp acl dekedda Safe_ports 443 # https acl dekedda Safe_ports 70 # gopher acl dekedda Safe_ports 210 # wais acl dekedda Safe_ports 1025-65535 # dekedaha aan diiwaangashanayn acl dekedda Safe_ports 280 # http-mgmt acl dekedda Safe_ports 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT # Waxaan diidnay su'aalaha dekedaha aan amaanka ahayn http_access diid! Maamulaha Kaydka kaliya ee ka socda localhost http_access u oggolow maareeyaha localhost http_access u diid maamulaha # Waxaan si adag ugu talineynaa kuwa soo socda inay noqdaan kuwo aan la ilaawin si loo ilaaliyo # codsiyada webka ee aan waxba galabsan ee ku shaqeynaya serverka wakiilka kuwaas oo u maleynaya in qofka kaliya ee heli kara adeegyada "localhost" uu yahay qof maxalli ah isticmaale http_access u diid in_localhost # # KU DARSAN XEERKAAGA (S) HALKAN SI AAD UGU oggolaATO HELITAANKA Macaamiishaada # # PAM oggolaanshaha
auth_param barnaamijka aasaasiga ah / usr / lib64 / squid / basic_pam_auth
auth_param basic children 5
auth_param basic realm desdelinux.fan
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

# Authentication is required to access Squid
acl Entusiastas proxy_auth REQUIRED

# We allow access to users authenticated
# through PAM
http_access deny !Entusiastas

# Access to FTP sites
acl ftp proto FTP
http_access allow ftp

http_access allow localnet
http_access allow localhost

# We deny any other access to the proxy
http_access deny all

# Squid normally listens on port 3128
http_port 3128

# We leave the "coredumps" in the first cache directory
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:       1440    20% 10080
refresh_pattern ^gopher:    1440    0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .       0   20% 4320

cache_mem 64 MB
# Cache memory
memory_replacement_policy lru
cache_replacement_policy heap LFUDA
cache_dir aufs /var/spool/squid 4096 16 256
maximum_object_size 4 MB
cache_swap_low 85
cache_swap_high 90
cache_mgr buzz@desdelinux.fan

# Other parameters
visible_hostname linuxbox.desdelinux.fan
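
Squid stops at the first http_access rule that matches, so the position of "http_access deny !Entusiastas" decides which clients are asked for a password. The following added example (not part of the original article; the function names and both sample rule sets are constructed here) lists the allow rules that sit in front of that login gate:

```shell
#!/bin/sh
# unauth_allows [FILE]: print every "http_access allow" rule that Squid
# evaluates before the first bare "http_access deny !<proxy_auth ACL>" line.
# http_access is first-match, so these rules never trigger a login prompt.
unauth_allows() {
    awk '
        { sub(/#.*/, "") }                                  # strip comments
        $1 == "acl" && $3 == "proxy_auth" { auth[$2] = 1 }  # remember auth ACLs
        $1 != "http_access" || gated { next }
        $2 == "deny" && NF == 3 && substr($3, 1, 1) == "!" && (substr($3, 2) in auth) {
            gated = 1; next                                 # the login gate
        }
        $2 == "allow" {
            rule = ""
            for (i = 3; i <= NF; i++) {
                if ($i in auth) next                        # rule itself needs a login
                rule = rule (i > 3 ? " " : "") $i
            }
            print rule
        }
    ' "$@"
}

# Constructed sample: the access rules in the order the article uses.
page_order() {
    cat <<'EOF'
acl localnet src 192.168.10.0/24
acl Entusiastas proxy_auth REQUIRED
acl ftp proto FTP
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access deny !Entusiastas   # login gate
http_access allow ftp
http_access allow localnet
http_access allow localhost
http_access deny all
EOF
}

# Constructed sample: same rules with "allow localnet" moved above the gate.
misordered() {
    cat <<'EOF'
acl localnet src 192.168.10.0/24
acl Entusiastas proxy_auth REQUIRED
acl ftp proto FTP
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access allow localnet
http_access deny !Entusiastas   # login gate
http_access allow ftp
http_access allow localhost
http_access deny all
EOF
}

echo "article order, reachable without login: $(page_order | unauth_allows | tr '\n' ';')"
echo "misordered,    reachable without login: $(misordered | unauth_allows | tr '\n' ';')"
```

Run against the live file with `unauth_allows /etc/squid/squid.conf`; with the article's ordering only the cache manager rule for localhost appears.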

We check the syntax of the /etc/squid/squid.conf file

[root@linuxbox ~]# squid -k parse
2017/04/16 15:45:10| Startup: Initializing Authentication Schemes ...
2017/04/16 15:45:10| Startup: Initialized Authentication Scheme 'basic'
2017/04/16 15:45:10| Startup: Initialized Authentication Scheme 'digest'
2017/04/16 15:45:10| Startup: Initialized Authentication Scheme 'negotiate'
2017/04/16 15:45:10| Startup: Initialized Authentication Scheme 'ntlm'
2017/04/16 15:45:10| Startup: Initialized Authentication.
2017/04/16 15:45:10| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2017/04/16 15:45:10| Processing: acl localnet src 192.168.10.0/24
2017/04/16 15:45:10| Processing: acl SSL_ports port 443 21
2017/04/16 15:45:10| Processing: acl Safe_ports port 80     # http
2017/04/16 15:45:10| Processing: acl Safe_ports port 21     # ftp
2017/04/16 15:45:10| Processing: acl Safe_ports port 443        # https
2017/04/16 15:45:10| Processing: acl Safe_ports port 70     # gopher
2017/04/16 15:45:10| Processing: acl Safe_ports port 210        # wais
2017/04/16 15:45:10| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2017/04/16 15:45:10| Processing: acl Safe_ports port 280        # http-mgmt
2017/04/16 15:45:10| Processing: acl Safe_ports port 488        # gss-http
2017/04/16 15:45:10| Processing: acl Safe_ports port 591        # filemaker
2017/04/16 15:45:10| Processing: acl Safe_ports port 777        # multiling http
2017/04/16 15:45:10| Processing: acl CONNECT method CONNECT
2017/04/16 15:45:10| Processing: http_access deny !Safe_ports
2017/04/16 15:45:10| Processing: http_access deny CONNECT !SSL_ports
2017/04/16 15:45:10| Processing: http_access allow localhost manager
2017/04/16 15:45:10| Processing: http_access deny manager
2017/04/16 15:45:10| Processing: http_access deny to_localhost
2017/04/16 15:45:10| Processing: auth_param basic program /usr/lib64/squid/basic_pam_auth
2017/04/16 15:45:10| Processing: auth_param basic children 5
2017/04/16 15:45:10| Processing: auth_param basic realm desdelinux.fan
2017/04/16 15:45:10| Processing: auth_param basic credentialsttl 2 hours
2017/04/16 15:45:10| Processing: auth_param basic casesensitive off
2017/04/16 15:45:10| Processing: acl Entusiastas proxy_auth REQUIRED
2017/04/16 15:45:10| Processing: http_access deny !Entusiastas
2017/04/16 15:45:10| Processing: acl ftp proto FTP
2017/04/16 15:45:10| Processing: http_access allow ftp
2017/04/16 15:45:10| Processing: http_access allow localnet
2017/04/16 15:45:10| Processing: http_access allow localhost
2017/04/16 15:45:10| Processing: http_access deny all
2017/04/16 15:45:10| Processing: http_port 3128
2017/04/16 15:45:10| Processing: coredump_dir /var/spool/squid
2017/04/16 15:45:10| Processing: refresh_pattern ^ftp:      1440    20% 10080
2017/04/16 15:45:10| Processing: refresh_pattern ^gopher:   1440    0%  1440
2017/04/16 15:45:10| Processing: refresh_pattern -i (/cgi-bin/|\?) 0    0%  0
2017/04/16 15:45:10| Processing: refresh_pattern .      0   20% 4320
2017/04/16 15:45:10| Processing: cache_mem 64 MB
2017/04/16 15:45:10| Processing: memory_replacement_policy lru
2017/04/16 15:45:10| Processing: cache_replacement_policy heap LFUDA
2017/04/16 15:45:10| Processing: cache_dir aufs /var/spool/squid 4096 16 256
2017/04/16 15:45:10| Processing: maximum_object_size 4 MB
2017/04/16 15:45:10| Processing: cache_swap_low 85
2017/04/16 15:45:10| Processing: cache_swap_high 90
2017/04/16 15:45:10| Processing: cache_mgr buzz@desdelinux.fan
2017/04/16 15:45:10| Processing: visible_hostname linuxbox.desdelinux.fan
2017/04/16 15:45:10| Initializing https proxy context

We adjust the permissions on /usr/lib64/squid/basic_pam_auth

[root@linuxbox ~]# chmod u+s /usr/lib64/squid/basic_pam_auth

We create the cache directory

# Just in case...
[root@linuxbox ~]# service squid stop
Redirecting to /bin/systemctl stop squid.service

[root@linuxbox ~]# squid -z
[root@linuxbox ~]# 2017/04/16 15:48:28 kid1| Set Current Directory to /var/spool/squid
2017/04/16 15:48:28 kid1| Creating missing swap directories
2017/04/16 15:48:28 kid1| /var/spool/squid exists
2017/04/16 15:48:28 kid1| Making directories in /var/spool/squid/00
2017/04/16 15:48:28 kid1| Making directories in /var/spool/squid/01
2017/04/16 15:48:28 kid1| Making directories in /var/spool/squid/02
2017/04/16 15:48:28 kid1| Making directories in /var/spool/squid/03
2017/04/16 15:48:28 kid1| Making directories in /var/spool/squid/04
2017/04/16 15:48:28 kid1| Making directories in /var/spool/squid/05
2017/04/16 15:48:28 kid1| Making directories in /var/spool/squid/06
2017/04/16 15:48:28 kid1| Making directories in /var/spool/squid/07
2017/04/16 15:48:28 kid1| Making directories in /var/spool/squid/08
2017/04/16 15:48:28 kid1| Making directories in /var/spool/squid/09
2017/04/16 15:48:28 kid1| Making directories in /var/spool/squid/0A
2017/04/16 15:48:28 kid1| Making directories in /var/spool/squid/0B
2017/04/16 15:48:28 kid1| Making directories in /var/spool/squid/0C
2017/04/16 15:48:29 kid1| Making directories in /var/spool/squid/0D
2017/04/16 15:48:29 kid1| Making directories in /var/spool/squid/0E
2017/04/16 15:48:29 kid1| Making directories in /var/spool/squid/0F

At this point, if it takes a while to return the command prompt (it never came back for me), press Enter.

[root@linuxbox ~]# service squid start
[root@linuxbox ~]# service squid restart
[root@linuxbox ~]# service squid status
Redirecting to /bin/systemctl status squid.service
● squid.service - Squid caching proxy
   Loaded: loaded (/usr/lib/systemd/system/squid.service; disabled; vendor preset: disabled)
   Active: active (running) since Sun 2017-04-16 15:57:27 EDT; 1s ago
  Process: 2844 ExecStop=/usr/sbin/squid -k shutdown -f $SQUID_CONF (code=exited, status=0/SUCCESS)
  Process: 2873 ExecStart=/usr/sbin/squid $SQUID_OPTS -f $SQUID_CONF (code=exited, status=0/SUCCESS)
  Process: 2868 ExecStartPre=/usr/libexec/squid/cache_swap.sh (code=exited, status=0/SUCCESS)
 Main PID: 2876 (squid)
   CGroup: /system.slice/squid.service
           └─2876 /usr/sbin/squid -f /etc/squid/squid.conf

Apr 16 15:57:27 linuxbox systemd[1]: Starting Squid caching proxy...
Apr 16 15:57:27 linuxbox systemd[1]: Started Squid caching proxy.
Apr 16 15:57:27 linuxbox squid[2876]: Squid Parent: will start 1 kids
Apr 16 15:57:27 linuxbox squid[2876]: Squid Parent: (squid-1) process 2878 ...ed
Apr 16 15:57:27 linuxbox squid[2876]: Squid Parent: (squid-1) process 2878 ... 1
Hint: Some lines were ellipsized, use -l to show in full.

[root@linuxbox ~]# cat /var/log/messages | grep squid

Firewall adjustments

We must also open ports 80 (HTTP) and 443 (HTTPS) in the «external» zone so that Squid can communicate with the Internet.

[root@linuxbox ~]# firewall-cmd --zone=external --add-port=80/tcp --permanent
success
[root@linuxbox ~]# firewall-cmd --zone=external --add-port=443/tcp --permanent
success
[root@linuxbox ~]# firewall-cmd --reload
success
[root@linuxbox ~]# firewall-cmd --info-zone external
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens34
  sources:
  services: dns
  ports: 443/tcp 53/udp 80/tcp 53/tcp
  protocols:
  masquerade: yes
  forward-ports:
  sourceports:
  icmp-blocks: parameter-problem redirect router-advertisement router-solicitation source-quench
  rich rules:

  • It does no harm to open the graphical application «Firewall Configuration» and check that ports 443 tcp, 80 tcp, 53 tcp and 53 udp are open for the «external» zone, and that we have NOT published any service for it.

Note on the basic_pam_auth helper program

If we consult the manual of this utility with man basic_pam_auth, we will read that the author himself strongly recommends moving the program to a directory where ordinary users do not have sufficient permissions to access the tool.

On the other hand, it is well known that with this authorization scheme the credentials travel in plain text, so it is not safe in hostile environments, that is, open networks.

Jeff Yestrumskas dedicates the article «How-to: Set up a secure web proxy using SSL encryption, Squid Caching Proxy and PAM authentication» to the question of increasing the security of this authentication scheme so that it can be used on potentially hostile open networks.
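
One way to check the man page's recommendation on a running system, as an added example that is not part of the original article. The function names and the four result labels are assumptions of this example, and it looks only at the classic "other" permission bits of the helper and of the directories leading to it:

```shell
#!/bin/sh
# Audit a setuid helper such as the basic_pam_auth binary configured above.
# Only classic mode bits are examined; group membership and POSIX ACLs are
# outside what this check covers.

# other_x PATH: succeeds when PATH carries the execute/search bit for "other".
other_x() {
    [ -n "$(find "$1" -prune -perm -0001 2>/dev/null)" ]
}

# classify_helper PATH [TOP] prints one of:
#   missing     PATH is not a regular file
#   not-setuid  no setuid bit is set on the helper
#   restricted  setuid, but "other" cannot execute it or cannot enter one of
#               the directories leading to it
#   exposed     setuid and reachable by every local account
# TOP (default /) is where the walk up the directory tree stops.
classify_helper() {
    helper=$1
    top=${2:-/}
    [ -f "$helper" ] || { echo missing; return 0; }
    [ -u "$helper" ] || { echo not-setuid; return 0; }
    other_x "$helper" || { echo restricted; return 0; }
    dir=$(cd "$(dirname "$helper")" && pwd -P) || { echo restricted; return 0; }
    while :; do
        other_x "$dir" || { echo restricted; return 0; }
        if [ "$dir" = "$top" ] || [ "$dir" = "/" ]; then break; fi
        dir=$(dirname "$dir")
    done
    echo exposed
}

# Path taken from the article; prints "missing" on hosts without Squid.
classify_helper /usr/lib64/squid/basic_pam_auth
```

After the plain `chmod u+s` used in this article the result is normally `exposed`. Assuming Squid runs under the `squid` group, as it does on CentOS, `chown root:squid` plus `chmod 4750` on the helper changes it to `restricted` while Squid can still start it.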

We install httpd

To check the operation of Squid, and incidentally that of Dnsmasq, we will install the httpd service (the Apache web server), which is not strictly required. In the Dnsmasq file /etc/banner_add_hosts we declare the sites we want to ban, and we explicitly assign them the same IP address that linuxbox has. Thus, if we request access to any of those sites, the httpd home page should be shown.

[root@linuxbox ~]# yum install httpd
[root@linuxbox ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.

[root@linuxbox ~]# systemctl start httpd

[root@linuxbox ~]# systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2017-04-16 16:41:35 EDT; 5s ago
     Docs: man:httpd(8)
           man:apachectl(8)
 Main PID: 2275 (httpd)
   Status: "Processing requests..."
   CGroup: /system.slice/httpd.service
           ├─2275 /usr/sbin/httpd -DFOREGROUND
           ├─2276 /usr/sbin/httpd -DFOREGROUND
           ├─2277 /usr/sbin/httpd -DFOREGROUND
           ├─2278 /usr/sbin/httpd -DFOREGROUND
           ├─2279 /usr/sbin/httpd -DFOREGROUND
           └─2280 /usr/sbin/httpd -DFOREGROUND

Apr 16 16:41:35 linuxbox systemd[1]: Starting The Apache HTTP Server...
Apr 16 16:41:35 linuxbox systemd[1]: Started The Apache HTTP Server.

SELinux and Apache

Apache has several policies that can be configured within the SELinux context.

[root@linuxbox ~]# getsebool -a | grep httpd
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
[...]
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
[...]
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off

We will only configure the following:

Send email through Apache

[root@linuxbox ~]# setsebool -P httpd_can_sendmail 1

Allow Apache to read the content located in the home directories of local users

[root@linuxbox ~]# setsebool -P httpd_read_user_content 1

Allow any directory managed by Apache to be administered via FTP or FTPS, or allow Apache to act as an FTP server listening for requests on the FTP port

[root@linuxbox ~]# setsebool -P httpd_enable_ftp_server 1

For more information, please read Linux Server Configuration.

We verify authentication

All that remains is to open a browser on a workstation and point it, for example, to http://windowsupdate.com. We will verify that the request is correctly redirected to the Apache home page on linuxbox. In fact, any site name declared in the file /etc/banner_add_hosts will be redirected to the same page.

The images at the end of the article prove it.

User management

We do it with the graphical tool «User Management», which we reach through the menu System -> Administration -> User Management. Each time we add a new user, their folder /home/user is created automatically.

Backups

Linux clients

You only need the normal file browser and to indicate that you want to connect, for example: ssh://buzz@linuxbox/home/buzz. After entering the password, the home directory of the user buzz is displayed.

Windows clients

On Windows clients, we use the WinSCP tool. Once installed, we use it as follows:

Simple, right?

Summary

We have seen that it is possible to use PAM to authenticate services in a small network and in a controlled environment that is completely out of the hands of anonymous outsiders. This is mainly because the authentication credentials travel in plain text, so it is not an authentication scheme to use on open networks such as airports, Wi-Fi networks, etc. However, it is a simple authorization mechanism that is easy to implement and configure.

Until the next article!


  1.   NauTiluS said

    Tremendous post you have put together, Mr. Fico. Thank you for sharing your knowledge.

  2.   qorraxda said

    I know how difficult it is to put together an article with such a level of detail, with fairly clear tests and, above all, with concepts and strategies that conform to standards. I simply take my hat off to this jewel of a contribution; thank you very much, Fico, for such good work.

    I have never combined squid with pam authentication, but I will go as far as possible to do this practice in my lab ... A big hug and we carry on

  3.   federico said

    NaTiluS: Thank you very much for your comment and evaluation.
    Lizard: To you too, thank you very much for your comment and evaluation.

    The time and effort dedicated to preparing articles like this one are only rewarded by the reading and comments of those who visit the DesdeLinux community. I hope it is useful to you in your daily work.
    We keep going!

  4.   Anonymous said

    What an incredible contribution, fellow citizen!!!! I read each of your articles and I can say that even a person without advanced knowledge of free software (like me) can follow this excellent article step by step. Cheers!!!!

  5.   IWO said

    Thanks, Fico, for this other great article; as if all the posts already published were not enough, with this one we have a service not previously covered by the SMEs Series and one that is extremely important: "SQUID", or the LAN proxy. In short, for us, the family of those who consider ourselves "sysadmins", here is more good material to study and deepen our knowledge.

  6.   federico said

    Thank you all for your comments. The next article will deal with the Prosody chat server with authentication against local credentials (PAM) through Cyrus-SASL, and that service will be implemented on this same server.

  7.   kenpachiRo17 said

    Good day, countryman!!!! A great contribution, even for those like me who do not have great knowledge of Free Software and are passionate about learning from articles as exquisite as this one. I have been following your contributions and I would like to know which article you would recommend I start with in this series on SME networks, since I have been reading them out of order and I think it has too much valuable content to miss any detail. Without further ado, greetings, and may the shared knowledge, as well as the Software, remain Free!!

    1.    federico said

      Greetings, countryman!!!. I recommend that you start at the beginning; although it may seem like the long way, it is the shortest way so as not to get lost. In the index (which is not updated with the last two articles) https://blog.desdelinux.net/redes-computadoras-las-pymes-introduccion/, we established the recommended reading order of the Series, which begins with how to build a Workstation, continues with several posts dedicated to the topic of Virtualization, followed by several on BIND, Isc-Dhcp-Server and Dnsmasq, and so on until we reach the part on implementing services for the SME network, which is where we are now. I hope it helps you.

      1.    kenpachiRo17 said

        Well, so it shall be!!!! Right away I will start the series from the beginning, and I look forward to new articles. Cheers!!!!