Changes between revisions of "Projeto Integrador - 2012.1 - Equipe 1"
Linha 615: | Linha 615: | ||
* Configuração modem filial | * Configuração modem filial | ||
+ | |||
+ | ==Configurações da Filial== | ||
+ | |||
+ | ===OpenVPN=== | ||
+ | ====client.conf==== | ||
+ | |||
+ | <code>client | ||
+ | dev tap0 | ||
+ | ;dev tun | ||
+ | ;dev-node MyTap | ||
+ | ;proto tcp | ||
+ | proto udp | ||
+ | remote 200.135.37.95 1194 | ||
+ | ;remote my-server-2 1194 | ||
+ | ;remote-random | ||
+ | resolv-retry infinite | ||
+ | nobind | ||
+ | ;user nobody | ||
+ | ;group nogroup | ||
+ | persist-key | ||
+ | persist-tun | ||
+ | ;http-proxy-retry # retry on connection failures | ||
+ | ;http-proxy [proxy server] [proxy port #] | ||
+ | ;mute-replay-warnings | ||
+ | ca ca.crt | ||
+ | cert traveller.crt | ||
+ | key traveller.key | ||
+ | ns-cert-type server | ||
+ | tls-auth ta.key 1 | ||
+ | ;cipher x | ||
+ | comp-lzo | ||
+ | verb 3 | ||
+ | ;mute 20</syntaxhighlight> |
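Review bot: the added block is opened with `<code>` but closed with `</syntaxhighlight>` (the `<code>client` and `;mute 20</syntaxhighlight>` lines), so the wiki will render the configuration as wikitext, turning the `;`-prefixed lines into definition-list entries and leaving the closing tag as literal text; open and close the block with a matching `<syntaxhighlight>` pair. Also, `;user nobody` and `;group nogroup` are left commented out, so the branch client keeps running as root after the tunnel comes up; with `persist-key` and `persist-tun` already set, both lines can be uncommented so that OpenVPN drops privileges once initialisation is done.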
Revision as of 19:27, 16 July 2012
Day 15/06/2012
Operating System
- Installation of the operating system (Ubuntu Server) on the Matriz (head office) and Filial (branch office) machines.
Day 20/06/2012
DNS
Installation
<syntaxhighlight>
apt-get install bind9 bind9utils
</syntaxhighlight>
Configuration
-named.conf.local-
- /etc/bind/named.conf.local
<syntaxhighlight>
zone "traveller.sj.ifsc.edu.br" {
type master;
file "/etc/bind/zones/matriz.zone";
};
// Reverse zone
zone "5.168.192.in-addr.arpa" {
type master;
file "/etc/bind/zones/rev.5.168.192.in-addr.arpa";
};
</syntaxhighlight>
The zones folder was created:
<syntaxhighlight>
mkdir /etc/bind/zones
</syntaxhighlight>
-matriz.zone-
- /etc/bind/zones/matriz.zone
<syntaxhighlight>
@ IN SOA ns1.traveller.sj.ifsc.edu.br. admin.ns1.traveller.sj.ifsc.edu.br. (
2012062001
28800
3600
604800
38400 )
NS ns1.traveller.sj.ifsc.edu.br.
MX 10 mail.traveller.sj.ifsc.edu.br.
IN A 192.168.5.1
$ORIGIN traveller.sj.ifsc.edu.br.
ns1 IN A 192.168.5.1
mail IN A 192.168.5.1
www IN A 192.168.5.1
</syntaxhighlight>
-rev.5.168.192.in-addr.arpa-
- /etc/bind/zones/rev.5.168.192.in-addr.arpa
<syntaxhighlight>
$ORIGIN 5.168.192.in-addr.arpa.
@ IN SOA ns1.traveller.sj.ifsc.edu.br. admin.ns1.traveller.sj.ifsc.edu.br. (
2012062001;
28800;
604800;
604800;
86400 )
IN NS ns1.traveller.sj.ifsc.edu.br.
1 IN PTR ns1.traveller.sj.ifsc.edu.br.
1 IN PTR mail.traveller.sj.ifsc.edu.br.
1 IN PTR www.traveller.sj.ifsc.edu.br.
</syntaxhighlight>
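The forward zone and the reverse zone above have to agree with each other (every A record should have a PTR and every PTR should point back at a name that resolves to that address), and BIND does not check that for you. The following is an added example, not part of the project wiki: a small Python checker that parses both zone files and reports the mismatches. The two zone texts inside it are constructed, modelled on the project's matriz.zone and rev.5.168.192.in-addr.arpa, with one extra host and one stale PTR added so that the check has something to report.

```python
"""Cross-check a BIND forward zone against its reverse zone.

Added example (not part of the project wiki). The zone texts are constructed,
modelled on the project's zones, with one extra host (ftp) and one stale PTR.
"""

# Constructed forward zone (ftp is an added host with no PTR)
FORWARD_ZONE = """\
$ORIGIN traveller.sj.ifsc.edu.br.
@       IN SOA ns1.traveller.sj.ifsc.edu.br. admin.ns1.traveller.sj.ifsc.edu.br. (
            2012062001 28800 3600 604800 38400 )
        NS  ns1.traveller.sj.ifsc.edu.br.
        MX  10 mail.traveller.sj.ifsc.edu.br.
        IN A 192.168.5.1
ns1     IN A 192.168.5.1
mail    IN A 192.168.5.1
www     IN A 192.168.5.1
ftp     IN A 192.168.5.2
"""

# Constructed reverse zone (the PTR for .2 is a stale entry)
REVERSE_ZONE = """\
$ORIGIN 5.168.192.in-addr.arpa.
@   IN SOA ns1.traveller.sj.ifsc.edu.br. admin.ns1.traveller.sj.ifsc.edu.br. (
        2012062001 28800 604800 604800 86400 )
    IN NS  ns1.traveller.sj.ifsc.edu.br.
1   IN PTR ns1.traveller.sj.ifsc.edu.br.
1   IN PTR mail.traveller.sj.ifsc.edu.br.
1   IN PTR www.traveller.sj.ifsc.edu.br.
2   IN PTR old.traveller.sj.ifsc.edu.br.   ; constructed stale entry
"""


def qualify(name, origin):
    """Turn a relative owner name into a fully qualified one."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text, origin):
    """Minimal master-file parser: returns [(owner, type, [rdata...])].

    Handles $ORIGIN, ';' comments, multi-line '( ... )' records and owner
    inheritance for lines that start with whitespace. TTLs and classes are skipped.
    """
    records, owner, pending = [], None, ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if pending:                        # inside a parenthesised record
            pending += " " + line.strip()
            if ")" not in line:
                continue
            line, pending = pending, ""
        elif "(" in line and ")" not in line:
            pending = line
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            continue
        fields = line.split()
        if not line[0].isspace():          # explicit owner name on this line
            owner = fields.pop(0)
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)                  # optional TTL and class
        rtype, rdata = fields[0].upper(), fields[1:]
        records.append((qualify(owner, origin), rtype, rdata))
    return records


def reverse_name_to_ip(name):
    """'1.5.168.192.in-addr.arpa.' -> '192.168.5.1'"""
    labels = name.rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError(f"not an IPv4 reverse name: {name}")
    return ".".join(reversed(labels[:-2]))


def check_consistency(forward_text, forward_origin, reverse_text, reverse_origin):
    """Return (A records without a PTR, PTR records without a matching A)."""
    a_records = {(owner, rdata[0])
                 for owner, rtype, rdata in parse_zone(forward_text, forward_origin)
                 if rtype == "A"}
    ptr_records = {(rdata[0], reverse_name_to_ip(owner))
                   for owner, rtype, rdata in parse_zone(reverse_text, reverse_origin)
                   if rtype == "PTR"}
    # Several PTRs for one address (as in the project's zone) are legal; what
    # matters is that each (name, address) pair appears on both sides.
    return sorted(a_records - ptr_records), sorted(ptr_records - a_records)


if __name__ == "__main__":
    missing, dangling = check_consistency(FORWARD_ZONE, "traveller.sj.ifsc.edu.br.",
                                          REVERSE_ZONE, "5.168.192.in-addr.arpa.")
    for name, ip in missing:
        print(f"A {name} -> {ip} has no PTR")
    for name, ip in dangling:
        print(f"PTR {ip} -> {name} has no matching A record")
```

Run against the project's real files by reading them from /etc/bind/zones and passing the zone names as the origins; the apex A record (the `@` line) shows up as missing a PTR in the project's data too, which is worth knowing before relying on reverse lookups in logs.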
-resolv.conf-
- /etc/resolv.conf
<syntaxhighlight>
nameserver 192.168.5.1
nameserver 8.8.8.8
domain traveller.sj.ifsc.edu.br
search traveller.sj.ifsc.edu.br
</syntaxhighlight>
DHCP
Installation
<syntaxhighlight>
apt-get install dhcp3-server
</syntaxhighlight>
Configuration
-dhcpd.conf-
- /etc/dhcp3/dhcpd.conf
<syntaxhighlight>
ddns-update-style none;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
# vlan5
subnet 192.168.1.0 netmask 255.255.255.192 {
option subnet-mask 255.255.255.192;
option broadcast-address 192.168.1.63;
option routers 192.168.1.2;
option domain-name-servers 192.168.1.2, 8.8.8.8, 8.8.4.4;
option domain-name "traveller.sj.ifsc.edu.br";
option netbios-name-servers 192.168.1.2;
range 192.168.1.3 192.168.1.62;
}
# vlan10
subnet 192.168.2.0 netmask 255.255.255.192 {
option subnet-mask 255.255.255.192;
option broadcast-address 192.168.2.63;
option routers 192.168.2.2;
option domain-name-servers 192.168.2.2, 8.8.8.8, 8.8.4.4;
option domain-name "traveller.sj.ifsc.edu.br";
option netbios-name-servers 192.168.2.2;
range 192.168.2.3 192.168.2.62;
}
# vlan15
subnet 192.168.3.0 netmask 255.255.255.192 {
option subnet-mask 255.255.255.192;
option broadcast-address 192.168.3.63;
option routers 192.168.3.2;
option domain-name-servers 192.168.3.2, 8.8.8.8, 8.8.4.4;
option domain-name "traveller.sj.ifsc.edu.br";
option netbios-name-servers 192.168.3.2;
range 192.168.3.3 192.168.3.62;
}
group {
use-host-decl-names on;
}
</syntaxhighlight>
Domain: traveller.sj.ifsc.edu.br
IP: 200.135.37.95/26
Default route: 200.135.37.126
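The three subnet blocks in dhcpd.conf repeat the same pattern, and a wrong broadcast address or a range that overlaps the router is easy to miss by eye. As an added example (not the project's code), the Python script below parses the subnet declarations of a dhcpd.conf and checks each one against the netmask it declares. The config text inside it is constructed: the first block mirrors the project's vlan5 subnet, the second has deliberate mistakes so that the output shows what is reported.

```python
"""Sanity-check the subnet declarations of an ISC dhcpd.conf.

Added example (not part of the project wiki). DHCPD_CONF is constructed: the
first block mirrors the project's vlan5 subnet, the second contains mistakes.
"""
import ipaddress
import re

DHCPD_CONF = """\
ddns-update-style none;
default-lease-time 600;
max-lease-time 7200;

# vlan5 (as on the project's server)
subnet 192.168.1.0 netmask 255.255.255.192 {
  option subnet-mask 255.255.255.192;
  option broadcast-address 192.168.1.63;
  option routers 192.168.1.2;
  option domain-name-servers 192.168.1.2, 8.8.8.8, 8.8.4.4;
  option domain-name "traveller.sj.ifsc.edu.br";
  range 192.168.1.3 192.168.1.62;
}

# vlan10 (constructed: wrong broadcast, range overlaps the router and leaves the /26)
subnet 192.168.2.0 netmask 255.255.255.192 {
  option subnet-mask 255.255.255.192;
  option broadcast-address 192.168.2.255;
  option routers 192.168.2.2;
  range 192.168.2.2 192.168.2.70;
}
"""

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_subnets(text):
    """Return [(IPv4Network, {parameter: [values]})] for each subnet block."""
    text = re.sub(r"#.*", "", text)           # drop comments
    subnets = []
    for net, mask, body in SUBNET_RE.findall(text):
        params = {}
        for stmt in body.split(";"):
            stmt = stmt.strip()
            if not stmt:
                continue
            if stmt.startswith("option "):
                stmt = stmt[len("option "):]
            key, _, value = stmt.partition(" ")
            params[key] = value.replace(",", " ").split()
        subnets.append((ipaddress.ip_network(f"{net}/{mask}", strict=False), params))
    return subnets


def check_subnet(network, params):
    """Return a list of human-readable findings for one subnet block."""
    findings = []
    mask = params.get("subnet-mask", [None])[0]
    if mask and mask != str(network.netmask):
        findings.append(f"subnet-mask {mask} does not match netmask {network.netmask}")
    bcast = params.get("broadcast-address", [None])[0]
    if bcast and bcast != str(network.broadcast_address):
        findings.append(f"broadcast-address should be {network.broadcast_address}")
    routers = [ipaddress.ip_address(r) for r in params.get("routers", [])]
    for r in routers:
        if r not in network:
            findings.append(f"router {r} is outside {network}")
    if "range" in params:
        lo, hi = (ipaddress.ip_address(x) for x in params["range"][:2])
        if lo not in network or hi not in network:
            findings.append(f"range {lo}-{hi} exceeds {network}")
        elif lo > hi:
            findings.append(f"range {lo}-{hi} is reversed")
        for r in routers:                     # a lease must never hand out the gateway address
            if lo <= r <= hi:
                findings.append(f"range {lo}-{hi} includes router {r}")
    return findings


def check_config(text):
    """Map each declared subnet to its findings (an empty list means clean)."""
    return {str(net): check_subnet(net, params) for net, params in parse_subnets(text)}


if __name__ == "__main__":
    for net, findings in check_config(DHCPD_CONF).items():
        print(net, "OK" if not findings else "; ".join(findings))
```

To run it on the live server, replace DHCPD_CONF with the contents of /etc/dhcp3/dhcpd.conf; the parser only looks inside `subnet { }` blocks, so the `group { }` block and the global options are ignored.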
Day 22/06/2012
Samba
Installation
<syntaxhighlight>
apt-get install samba
apt-get install smbfs
</syntaxhighlight>
Configuration
-smb.conf-
- /etc/samba/smb.conf
<syntaxhighlight>
[global]
workgroup = traveller
server string = SMB Server %v em %h
printcap name = cups
load printers = no
printcap cache time = 60
printing = cups
log file = /var/log/samba/%m.log
max log size = 50
hosts allow = 192.168.23. 127. 192.168.1.
map to guest = bad user
security = user
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
dns proxy = no
[homes]
comment = Arquivos do usuario %u em %h
browseable = no
writable = yes
public = no
</syntaxhighlight>
Day 26/06/2012
Boot-time configuration and network-test scripts written;
- Router configuration.
<syntaxhighlight>
#!/bin/bash
# Test the network: count the replies from the probe host
ping="8.8.8.8"
teste=$(ping -c 5 -W 2 "${ping}" 2>/dev/null | grep -o '[0-9]* received' | cut -d ' ' -f 1)
teste=${teste:-0}
if [ "${teste}" -gt 0 ]
then
    # The probe host answers: take the wireless link down
    ifconfig wlan0 down
else
    # No replies: bring wlan0 up with a static address and default route
    ifconfig wlan0 up
    ifconfig wlan0 192.168.5.1/24
    route add default gw 192.168.5.254
fi
</syntaxhighlight>
Day 28/06/2012
- Terminated the EXT. line on the patch panel;
- Installed the telephone exchange (PBX) with one trunk line and 3 extensions (all wiring leaving the exchange is permanently terminated on the patch panel);
3 telecom outlets were installed (all patch-panel ports in use were properly labelled and tested).
Day 29/06/2012
- AP configuration to authenticate via RADIUS.
FreeRadius
Installation
<syntaxhighlight>
apt-get install freeradius freeradius-mysql
apt-get install mysql-server
</syntaxhighlight>
Configuration
-Users-
- /etc/freeradius/users
<syntaxhighlight>
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
Framed-Protocol = SLIP
fgenius Cleartext-Password := "fgenius"
</syntaxhighlight>
-Hosts-
- /etc/hosts
<syntaxhighlight>
127.0.0.1 localhost
192.168.1.254 matriz
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
</syntaxhighlight>
- Configure MySQL to work with FreeRADIUS
<syntaxhighlight>
Log in to the MySQL server: mysql -u root -p
Create the database used for FreeRADIUS authentication: create database radius;
Check which tables exist in the radius database: use radius; show tables;
Leave MySQL: exit
Import the .sql file /etc/freeradius/sql/mysql/schema.sql into MySQL: mysql -u root -p radius < /etc/freeradius/sql/mysql/schema.sql
Log in to the MySQL server again: mysql -u root -p
Check which tables exist in the radius database now: use radius; show tables;
</syntaxhighlight>
-sql.conf-
- /etc/freeradius/sql.conf
<syntaxhighlight>
sql {
database = "mysql"
driver = "rlm_sql_${database}"
server = "localhost"
login = "radius"
password = "radpass"
radius_db = "radius"
acct_table1 = "radacct"
acct_table2 = "radacct"
postauth_table = "radpostauth"
authcheck_table = "radcheck"
authreply_table = "radreply"
groupcheck_table = "radgroupcheck"
groupreply_table = "radgroupreply"
usergroup_table = "radusergroup"
deletestalesessions = yes
sqltrace = no
sqltracefile = ${logdir}/sqltrace.sql
num_sql_socks = 5
connect_failure_retry_delay = 60
lifetime = 0
max_queries = 0
nas_table = "nas"
$INCLUDE sql/${database}/dialup.conf
</syntaxhighlight>
-radiusd.conf-
- /etc/freeradius/radiusd.conf
<syntaxhighlight>
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
user = freerad
group = freerad
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
type = auth
ipaddr = *
port = 0
}
listen {
ipaddr = *
port = 0
type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
$INCLUDE ${confdir}/modules/
$INCLUDE eap.conf
}
instantiate {
exec
expr
expiration
logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/
</syntaxhighlight>
-default-
- /etc/freeradius/sites-available/default
<syntaxhighlight>
authorize {
preprocess
chap
mschap
suffix
eap {
ok = return
}
unix
files
sql
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
eap
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
unix
radutmp
sql
attr_filter.accounting_response
}
session {
radutmp
sql
}
post-auth {
sql
exec
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
}
post-proxy {
eap
}
</syntaxhighlight>
-inner-tunnel-
- /etc/freeradius/sites-available/inner-tunnel
<syntaxhighlight>
server inner-tunnel {
authorize {
chap
mschap
unix
suffix
update control {
Proxy-To-Realm := LOCAL
}
eap {
ok = return
}
files
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
eap
}
session {
radutmp
}
post-auth {
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
}
post-proxy {
eap
}
}
</syntaxhighlight>
Day 03/07/2012
OpenVPN
Installation
- apt-get install openvpn bridge-utils
Configuration
vars
- /etc/openvpn/2.0/vars
<syntaxhighlight>
export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=1024
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="BR"
export KEY_PROVINCE="SJ"
export KEY_CITY="SaoJose"
export KEY_ORG="IFSC"
export KEY_EMAIL="root@traveller.sj.edu.br"
</syntaxhighlight>
server.conf
- /etc/openvpn/server.conf
<syntaxhighlight>
local 192.168.5.1
port 1194
;proto tcp
proto udp
dev tap0
;dev tun
up "/etc/openvpn/up.sh br0 tap0 1500"
down "/etc/openvpn/down.sh br0 tap0"
crl-verify crl.pem
;dev-node MyTap
ca ca.crt
cert servidor.crt
key servidor.key # This file should be kept secret
dh dh1024.pem
;server 192.168.5.0 255.255.255.0
ifconfig-pool-persist ipp.txt
server-bridge 192.168.5.1 255.255.255.0 192.168.5.2 192.168.5.10
;server-bridge
push "route 192.168.0.0 255.255.255.0" # LAN behind eth1; the network address must match the /24 mask
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
push "redirect-gateway def1"
push "dhcp-option DNS 200.135.37.95"
;push "dhcp-option DNS 208.67.220.220"
;client-to-client
;duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
comp-lzo
;max-clients 100
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
;log openvpn.log
;log-append openvpn.log
verb 3
;mute 20
</syntaxhighlight>
up.sh
- /etc/openvpn/up.sh
<syntaxhighlight>
#!/bin/sh
BR=$1
DEV=$2
MTU=$3
/sbin/ip link set $DEV up promisc on mtu $MTU
/usr/sbin/brctl addif $BR $DEV
</syntaxhighlight>
down.sh
- /etc/openvpn/down.sh
<syntaxhighlight>
#!/bin/sh
BR=$1
DEV=$2
/usr/sbin/brctl delif $BR $DEV
/sbin/ip link set $DEV down
</syntaxhighlight>
interfaces
- /etc/network/interfaces
<syntaxhighlight>
auto lo eth1 br0
iface lo inet loopback
iface br0 inet static
address 192.168.5.1
netmask 255.255.255.0
gateway 192.168.5.254
bridge_ports eth0
bridge_fd 9
bridge_hello 2
bridge_maxage 12
bridge_stp off
iface eth0 inet manual
up ip link set $IFACE up promisc on
down ip link set $IFACE down promisc off
iface eth1 inet static
address 192.168.0.2
netmask 255.255.255.0
</syntaxhighlight>
client.conf
- /usr/share/doc/openvpn/examples/sample-config-files/client.conf
<syntaxhighlight>
client
;dev tap
dev tun
;dev-node MyTap
;proto tcp
proto udp
remote my-server-1 1194
;remote my-server-2 1194
;remote-random
resolv-retry infinite
nobind
;user nobody
;group nogroup
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
;tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
;mute 20
</syntaxhighlight>
- While configuring OpenVPN on the client (branch office) we ran into a hard-disk problem. The disk had to be replaced and formatted, and GRUB installed and configured;
Day 05/07/2012
- Branch modem configuration
Branch Office Configuration
OpenVPN
client.conf
<syntaxhighlight>
client
dev tap0
;dev tun
;dev-node MyTap
;proto tcp
proto udp
remote 200.135.37.95 1194
;remote my-server-2 1194
;remote-random
resolv-retry infinite
nobind
;user nobody
;group nogroup
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca ca.crt
cert traveller.crt
key traveller.key
ns-cert-type server
tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
;mute 20
</syntaxhighlight>
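The branch client.conf has to match the server.conf from 03/07/2012 on several points: the device type (tap rather than tun, because the server is bridged), the protocol and port, compression, and the tls-auth key direction (0 on the server, 1 on the client, otherwise the server drops the handshake); it also needs `ns-cert-type server` so that a certificate issued to another client cannot pose as the server. As an added example (not from the wiki), the Python script below parses a server config and a client config and reports those mismatches. The three config texts inside it are constructed, modelled on the project's server.conf, the stock sample client.conf (dev tun, tls-auth commented out) and the branch client.conf.

```python
"""Check an OpenVPN client config against the server config it will connect to.

Added example (not part of the project wiki). The config texts are constructed,
modelled on the project's server.conf, the stock sample client.conf and the
branch-office client.conf.
"""
import shlex

SERVER_CONF = """\
local 192.168.5.1
port 1194
;proto tcp
proto udp
dev tap0
ca ca.crt
cert servidor.crt
key servidor.key # This file should be kept secret
dh dh1024.pem
server-bridge 192.168.5.1 255.255.255.0 192.168.5.2 192.168.5.10
push "redirect-gateway def1"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
"""

# Stock sample client: tun device and tls-auth commented out
SAMPLE_CLIENT_CONF = """\
client
;dev tap
dev tun
proto udp
remote my-server-1 1194
resolv-retry infinite
nobind
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
;tls-auth ta.key 1
comp-lzo
"""

# Branch-office client as configured on the project
FILIAL_CLIENT_CONF = """\
client
dev tap0
proto udp
remote 200.135.37.95 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert traveller.crt
key traveller.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
"""


def parse_openvpn(text):
    """Return {directive: [[args], ...]} from the active (uncommented) lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        parts = shlex.split(line, comments=True)   # drops a trailing '# ...' comment
        if parts:
            conf.setdefault(parts[0], []).append(parts[1:])
    return conf


def first_arg(conf, key, default=None):
    args = conf.get(key)
    return args[0][0] if args and args[0] else default


def dev_type(conf):
    """'tap0' -> 'tap', 'tun' -> 'tun'."""
    dev = first_arg(conf, "dev", "")
    return dev[:3] if dev[:3] in ("tap", "tun") else dev


def check_client(server_text, client_text):
    """Return a list of incompatibilities (an empty list means compatible)."""
    server, client = parse_openvpn(server_text), parse_openvpn(client_text)
    problems = []
    if dev_type(server) != dev_type(client):
        problems.append(f"dev mismatch: server {dev_type(server)}, client {dev_type(client)}")
    if first_arg(server, "proto", "udp") != first_arg(client, "proto", "udp"):
        problems.append("proto mismatch")
    sport = first_arg(server, "port", "1194")
    for remote in client.get("remote", []):
        rport = remote[1] if len(remote) > 1 else "1194"
        if rport != sport:
            problems.append(f"remote {remote[0]} uses port {rport}, server listens on {sport}")
    if ("comp-lzo" in server) != ("comp-lzo" in client):
        problems.append("comp-lzo enabled on only one side")
    s_ta, c_ta = server.get("tls-auth"), client.get("tls-auth")
    if s_ta and not c_ta:
        problems.append("server uses tls-auth but the client has none: its handshake will be dropped")
    elif s_ta and c_ta:
        sdir = s_ta[0][1] if len(s_ta[0]) > 1 else None
        cdir = c_ta[0][1] if len(c_ta[0]) > 1 else None
        # A key with no direction on either side is bidirectional and also valid
        if (sdir, cdir) != (None, None) and (sdir, cdir) != ("0", "1"):
            problems.append("tls-auth key direction must be 0 on the server and 1 on the client")
    if "ns-cert-type" not in client and "remote-cert-tls" not in client:
        problems.append("client does not check the server certificate role (ns-cert-type server / remote-cert-tls server)")
    return problems


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CLIENT_CONF), ("filial", FILIAL_CLIENT_CONF)):
        print(name, check_client(SERVER_CONF, text) or "compatible")
```

The sample client is reported twice (tun against a tap server, and no tls-auth), which is exactly why it had to be edited into the branch config above; the branch config passes every check.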