# # Shorewall -- /etc/shorewall/zones # # For information about this file, type "man shorewall-zones" # # The manpage is also online at # http://www.shorewall.net/manpages/shorewall-zones.html # ############################################################################### #ZONE TYPE OPTIONS IN OUT # OPTIONS OPTIONS fw firewall red ipv4 grn ipv4 tun ipv4
# # Shorewall -- /etc/shorewall/params # # Assign any variables that you need here. # # It is suggested that variable names begin with an upper case letter # to distinguish them from variables used internally within the # Shorewall programs # # Example: # # NET_IF=eth0 # NET_BCAST=130.252.100.255 # NET_OPTIONS=routefilter,norfc1918 # # Example (/etc/shorewall/interfaces record): # # net $NET_IF $NET_BCAST $NET_OPTIONS # # The result will be the same as if the record had been written # # net eth0 130.252.100.255 routefilter,norfc1918 # ############################################################################### IF_RED1=eth0 IF_GRN=eth1 NET_GRN=172.16.0.0/23 IF_TUN=tap+ #LAST LINE -- DO NOT REMOVE
# # Shorewall -- /etc/shorewall/interfaces # # For information about entries in this file, type "man shorewall-interfaces" # # The manpage is also online at # http://www.shorewall.net/manpages/shorewall-interfaces.html # ############################################################################### ?FORMAT 2 ############################################################################### #ZONE INTERFACE OPTIONS red $IF_RED1 dhcp,routeback,optional grn $IF_GRN dhcp,routeback,optional tun $IF_TUN dhcp,routeback,optional
############################################################################### # # Shorewall Version 5 -- /etc/shorewall/shorewall.conf # # For information about the settings in this file, type "man shorewall.conf" # # Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html ############################################################################### # STARTUPENABLED ############################################################################### STARTUP_ENABLED=Yes ############################################################################### # FIREWALL OPTIONS ############################################################################### BLACKLIST="ALL" CLAMPMSS=Yes IP_FORWARDING=Yes ################################################################################ # PACKETMARKLAYOUT ################################################################################ TC_BITS=14 PROVIDER_BITS=8 PROVIDER_OFFSET=16 MASK_BITS=16 ZONE_BITS=0
# # Shorewall -- /etc/shorewall/policy # # For information about entries in this file, type "man shorewall-policy" # # The manpage is also online at # http://www.shorewall.net/manpages/shorewall-policy.html # ############################################################################### #SOURCE DEST POLICY LOG LIMIT: CONNLIMIT: # LEVEL BURST MASK $FW all ACCEPT grn all ACCEPT red all DROP tun grn ACCEPT tun red REJECT tun $FW ACCEPT
# # Shorewall -- /etc/shorewall/masq # # For information about entries in this file, type "man shorewall-masq" # # The manpage is also online at # http://www.shorewall.net/manpages/shorewall-masq.html # ################################################################################################################################### #INTERFACE:DEST SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/ SWITCH ORIGINAL PROBABILITY # GROUP DEST $IF_RED1 $NET_GRN
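#!/bin/bash
# Interface up/down hook: add an "optional" interface to the running
# Shorewall (IPv4) and Shorewall6 (IPv6) rulesets when it comes up and
# remove it again when it goes down.
#
#   $1 - interface name (e.g. the tap device brought up by OpenVPN)
#   $2 - interface state; only "up" and "down" are acted on, any other
#        value is ignored so the hook can be attached to every event.
#
# Both shorewall and shorewall6 are always attempted: a failing IPv4 call
# must not skip the IPv6 one, so `set -e` is deliberately not used. The
# script's exit status is that of the last shorewall6 call (0 when the
# state is neither "up" nor "down").
IF=${1-}
STATUS=${2-}

# An empty interface name would make shorewall act on nothing useful;
# fail loudly instead of passing it on.
if [[ -z "$IF" ]]; then
  printf 'usage: %s <interface> up|down\n' "${0##*/}" >&2
  exit 2
fi

case "$STATUS" in
  up)
    shorewall enable "$IF"
    shorewall6 enable "$IF"
    ;;
  down)
    shorewall disable "$IF"
    shorewall6 disable "$IF"
    ;;
esac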
# Configuration file for dnsmasq. # # Format is one option per line, legal options are the same # as the long options legal on the command line. See # "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details. # If you want dnsmasq to listen for DHCP and DNS requests only on # specified interfaces (and the loopback) give the name of the # interface (eg eth0) here. # Repeat the line for more than one interface. interface=eth1 # Set the domain for dnsmasq. this is optional, but if it is set, it # does the following things. # 1) Allows DHCP hosts to have fully qualified domain names, as long # as the domain part matches this setting. # 2) Sets the "domain" DHCP option thereby potentially setting the # domain of all systems configured by DHCP # 3) Provides the domain part for "expand-hosts" domain=domain.local # This is an example of a DHCP range where the netmask is given. This # is needed for networks we reach the dnsmasq DHCP server via a relay # agent. If you don't know what a DHCP relay agent is, you probably # don't need to worry about this. dhcp-range=172.16.0.50,172.16.0.150,255.255.254.0,12h # Set the DHCP server to authoritative mode. In this mode it will barge in # and take over the lease for any client which broadcasts on the network, # whether it has a record of the lease or not. This avoids long timeouts # when a machine wakes up on a new network. DO NOT enable this if there's # the slightest chance that you might end up accidentally configuring a DHCP # server for your campus/company accidentally. The ISC server uses # the same option, and this URL provides more information: # http://www.isc.org/files/auth.html dhcp-authoritative
port 1194 proto udp topology subnet dev tap0 ca ./easy-rsa/keys/ca.crt cert ./easy-rsa/keys/server.crt key ./easy-rsa/keys/server.key dh ./easy-rsa/keys/dh1024.pem client-config-dir ./ccd/inter-lan/ client-to-client keepalive 10 120 tls-server tls-auth ./easy-rsa/keys/ta.key 0 cipher AES-256-OFB comp-lzo no auth SHA256 status /var/run/openvpn/inter-lan.status sndbuf 393216 rcvbuf 393216 push "sndbuf 393216" push "rcvbuf 393216" mode server push "topology subnet" ifconfig 172.16.3.1 255.255.255.128 ifconfig-pool 172.16.3.2 172.16.3.126 255.255.255.128 ifconfig-pool-persist /var/run/openvpn/inter-lan.db 3600 verb 1
push "comp-lzo no"
client port 1194 dev tap4 proto udp remote < > 1194 tls-client ns-cert-type server cipher AES-256-OFB auth SHA256 verb 1 comp-lzo no <ca> -----CERTIFICATE-CA----- </ca> <cert> -----CERTIFICATE----- </cert> <key> -----KEY----- </key> key-direction 1 <tls-auth> -----TLS----- </tls-auth>
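#!/bin/bash
# Generate per-client OpenVPN profiles: every template in ./templates/
# (relative to this script's directory) has its marker lines replaced by
# the CA certificate, the client's certificate and key, and the tls-auth
# key; the result goes to ../ovpn/<client>/<template>-<client>.ovpn.
#
# Usage: $0 <client-name> [-r]
#   $1 - client name; must match the easy-rsa cert/key base name under
#        /etc/openvpn/easy-rsa/keys (<name>.crt / <name>.key)
#   $2 - "-r": run ./build-key <client-name> first. As in the original
#        script this runs relative to the caller's working directory,
#        not the script's, so invoke it from the easy-rsa directory.
#
# The generated profiles embed the client's private key, so they are
# written with umask 077 (owner-only). The client name is validated
# before it is spliced into sed scripts and file paths.
set -euo pipefail

readonly KEYS=/etc/openvpn/easy-rsa/keys

# Print a message to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Replace every input line matching MARKER with the contents of FILE.
# Reads stdin, writes stdout. The caller guarantees FILE contains no
# newline, so it cannot terminate the sed `r` command early.
splice() {
  local marker=$1 file=$2
  sed -e "/$marker/{r $file" -e 'd}'
}

main() {
  local client=${1-} run_dir out_dir tpl name f
  [[ -n "$client" ]] || die "usage: ${0##*/} <client-name> [-r]"
  # Only plain names: no path separators, whitespace or leading dot, so
  # the name can neither traverse out of the keys/output directories nor
  # inject sed commands.
  [[ "$client" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]] \
    || die "invalid client name: $client"

  if [[ "${2-}" == "-r" ]]; then
    ./build-key "$client"
  fi

  # Work from the script's directory; templates and output are relative
  # to it. A script's cwd change does not affect the caller, so the
  # original's save/restore of the cwd is not needed.
  run_dir=$(dirname -- "$0")
  cd -- "$run_dir" || die "cannot cd to $run_dir"

  # Check all inputs before creating anything.
  for f in ca.crt ta.key "$client.crt" "$client.key"; do
    [[ -r "$KEYS/$f" ]] || die "missing or unreadable $KEYS/$f"
  done

  shopt -s nullglob
  local templates=(./templates/*.conf)
  (( ${#templates[@]} > 0 )) || die "no *.conf templates in $run_dir/templates"

  out_dir=../ovpn/$client
  umask 077   # profiles contain the private key: owner-only files and dir
  mkdir -p -- "$out_dir"

  for tpl in "${templates[@]}"; do
    name=$(basename -- "$tpl" .conf)
    splice '-----CERTIFICATE-CA-----' "$KEYS/ca.crt" < "$tpl" \
      | splice '-----CERTIFICATE-----' "$KEYS/$client.crt" \
      | splice '-----KEY-----' "$KEYS/$client.key" \
      | splice '-----TLS-----' "$KEYS/ta.key" \
      > "$out_dir/$name-$client.ovpn"
  done
}

main "$@"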
# , :), , DEFAULT
# Enable at boot and start the OpenVPN instance for one server config.
# "< conf conf>" is a placeholder left by the source page; presumably it
# is the base name of the .conf file under /etc/openvpn (e.g. the
# "inter-lan" name used in the status/db paths above) — confirm.
systemctl enable openvpn@< conf conf>.service && systemctl start openvpn@< conf conf>.service
# # Shorewall -- /etc/shorewall/rules # # For information on the settings in this file, type "man shorewall-rules" # # The manpage is also online at # http://www.shorewall.net/manpages/shorewall-rules.html # ###################################################################################################################################################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER # PORT(S) PORT(S) DEST LIMIT GROUP ?SECTION ALL ?SECTION ESTABLISHED ?SECTION RELATED ?SECTION INVALID ?SECTION UNTRACKED ?SECTION NEW # : /usr/share/shorewall/macro.OpenVPN # , /etc/shorewall, OpenVPN(ACCEPT) red $FW # , : #ACCEPT red $FW udp 1194
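# Seed /etc/quagga/ospfd.conf from the packaged sample, hand it to the
# quagga user, then enable and start ospfd. "quagga:" is the portable
# owner[:group] spelling; "quagga." is a GNU-only legacy form.
# NOTE(review): the saved config shown further down still carries
# `password zebra`; change the vty password in "configure terminal"
# before leaving the vty reachable.
cp -- /usr/share/doc/quagga-0.99.22.4/ospfd.conf.sample /etc/quagga/ospfd.conf \
  && chown quagga: /etc/quagga/ospfd.conf
systemctl enable ospfd.service && systemctl start ospfd.service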
# Secondary /32 host address on the interface (ifcfg IPADDR2/NETMASK2).
# It matches the `router-id 172.16.248.1` set in the ospfd configuration
# below, so the OSPF router-id stays reachable independently of the
# tunnel address.
IPADDR2=172.16.248.1
NETMASK2=255.255.255.255
telnet localhost ospfd # zebra ospfd# enable # ospfd# configure terminal # ospfd(config)# password <> # ospfd(config)# hostname < > # , ospfd(config)# log syslog # ospfd(config)# interface < tap0> # ospfd(config-if)# ip ospf network point-to-multipoint # tap ( , ) ospfd(config-if)# exit # ospfd(config)# router ospf # ospf ospfd(config-router)# router-id 172.16.248.1 # ospfd(config-router)# passive-interface default # OSPF ospfd(config-router)# no passive-interface < > # , ospf ( tap0) ospfd(config-router)# network 172.16.0.0/12 area 0.0.0.0 # , , , . /12 , ospfd(config-router)# write memory #
! ! Zebra configuration saved from vty ! 2016/01/05 14:20:08 ! hostname ospfd password zebra log stdout log syslog ! ! ! interface eth0 ! interface eth1 ! interface lo ! interface tap0 ip ospf network point-to-multipoint ip ospf cost 3 ! router ospf ospf router-id 172.16.248.1 passive-interface default no passive-interface tap0 network 172.16.0.0/12 area 0.0.0.0 ! line vty !
default via 192.168.10.1 dev eth0 proto static metric 100 172.16.0.0/23 dev eth1 proto kernel scope link src 172.16.0.1 metric 100 172.16.3.0/25 dev tap0 proto kernel scope link src 172.16.3.1 172.16.3.1 dev tap0 proto zebra 172.16.8.0/23 via 172.16.3.2 dev tap0 proto zebra metric 13 172.16.11.1 via 172.16.3.2 dev tap0 proto zebra metric 3 172.16.12.129 via 172.16.3.2 dev tap0 proto zebra metric 3 172.16.248.2 via 172.16.3.2 dev tap0 proto zebra metric 13 192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.37 metric 100 192.168.10.1 dev eth0 scope link src 192.168.10.37
Source: https://habr.com/ru/post/274639/