Comunidade Fedora Brasil :: View topic - Setting up a Linux network
Setting up a Linux network
arthuryuri (Newbie) - Registered: Apr 01, 2006 - Posts: 28
Posted: Wed Apr 05, 2006 1:06 pm    Subject: Setting up a Linux network

Here's the thing: I'd like to set up a Linux network with the following components: a D-Link dsl502GII ADSL modem with a 400 connection and a fixed IP, one machine that will be the firewall/proxy, another that will be the www server, another the e-mail server, and I'll also have an LTSP server, all running FC4.
1) how should I configure the modem;
2) what should the IP addressing of the network and of each piece of equipment look like;
3) firewall/proxy server;
4) www server;
5) e-mail server;
6) LTSP server;
My intention is to put together a complete manual (here on the forum) for anyone who wants to set up a Linux network. On the internet we only find articles that cover isolated parts and assume we're all at the same level!
dinho (User) - Registered: Mar 29, 2006 - Posts: 113
Posted: Wed Apr 05, 2006 5:26 pm

Man, it's kind of complicated because there's a lot to configure.

Let's go in parts.

Machine no. 1

You can set up the DNS service on it (since it uses little processing); in my opinion this machine can be www - dns - dhcp - ftp - firewall/proxy.

Put in two network cards.

One with the modem's IP (the IP received from your provider), named eth0.

Configure on it the IP, broadcast and DNS supplied by your provider; if it's DHCP you don't need to touch it.

The second network card will be eth1 - set

ip: 192.168.0.1 - 255.255.255.0 - broadcast = 255.255.254 - dns (IP of the DNS server), in this case 192.168.0.1

Then it's just a matter of configuring iptables to open up the resources:

iptables

#!/bin/sh
# VARIABLES

# LOCATION OF THE IPTABLES BINARY

IPTABLES="/sbin/iptables"

# DNS SERVER (UDP answers from these servers are accepted; 192.168.0.1 is this box's own LAN address)

DNS="192.168.0.1"

# TCP PORTS OPEN TOWARDS THE INTERNET (ftp, ssh, smtp, http, pop3)
# 3128 and 8080 (Squid) are deliberately NOT listed: TCP_ALLOW applies to the
# Internet interface, and the proxy must not be reachable from outside.  LAN
# clients are already covered by the INPUT ACCEPT policy.

TCP_ALLOW="21 22 25 80 110"

# UDP: I changed the port for security

UDP_ALLOW="500"

# INTERNET INTERFACE

INET_IFACE="eth0"

# LAN INTERFACE

LAN_IFACE="eth1"

# TO USE SSH

USE_SSH1="TRUE"
USE_OPENSSH="TRUE"

# INTERNAL NETWORK

INTERNAL_LAN="192.168.0.0/24"

AUTH_ALLOW=""
DENY_ALL=""

MAC_LAN=""
USE_MASQ="TRUE"
USE_SNAT=""
TCP_FW=""
UDP_FW=""

# ----------------------------------------------------------------------|

DROP="REJECT"
FILTER_CHAINS="INETIN INETOUT LDROP LREJECT TCPACCEPT UDPACCEPT"

# ----------------------------------------------------------------------|

# START!

echo "Loading firewall:"

# CONFIGURATION CHECK

echo -n "checking configuration...."
if [ "$USE_MASQ" = "TRUE" ] && [ "$USE_SNAT" != "" ] ; then
echo
echo "CONFIGURATION ERROR: USE_MASQ and USE_SNAT are both set; use one or the other!"
exit 1
fi
if [ "$INET_IFACE" = "$LAN_IFACE" ] ; then
if [ "$USE_MASQ" = "TRUE" ] || [ "$USE_SNAT" != "" ] ; then

echo
echo "CONFIGURATION ERROR: masquerading/SNAT needs separate Internet and LAN interfaces!"
exit 1
fi
fi
if ! [ -x "$IPTABLES" ] ; then
echo
echo "CONFIGURATION ERROR: iptables executable not found!"
exit 1
fi
echo "check ok"

# ENABLE ROUTING

echo 1 > /proc/sys/net/ipv4/ip_forward
echo "IP forwarding enabled..."

# ENABLE TCP SYN cookies

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo "TCP SYN cookies enabled..."

# LOADING KERNEL MODULES...

echo "loading modules..."

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_state
/sbin/modprobe ipt_MASQUERADE


echo "modules loaded successfully!"

# FLUSH

echo -n "Flush: "
${IPTABLES} -t filter -F INPUT
echo -n "INPUT "
${IPTABLES} -t filter -F OUTPUT
echo -n "OUTPUT1 "
${IPTABLES} -t filter -F FORWARD
echo -n "FORWARD "
${IPTABLES} -t nat -F PREROUTING
echo -n "PREROUTING1 "
${IPTABLES} -t nat -F OUTPUT
echo -n "OUTPUT2 "
${IPTABLES} -t nat -F POSTROUTING
echo -n "POSTROUTING "
${IPTABLES} -t mangle -F PREROUTING
echo -n "PREROUTING2 "
${IPTABLES} -t mangle -F OUTPUT
echo -n "OUTPUT3"
echo

# BLOCK MSN

echo -n "Blocking MSN: ok"

# Rules are matched top to bottom, so the exception for the one machine that
# may use MSN has to come BEFORE the subnet-wide REJECT; the other way round
# it never matches.  Note also that "-s 192.168.0.10/24" means the whole
# 192.168.0.0/24 network; a single host needs /32 (or no mask at all).
iptables -A FORWARD -s 192.168.0.10/32 -p tcp --dport 1863 -j ACCEPT
iptables -A FORWARD -s 192.168.0.10/32 -d loginnet.passport.com -j ACCEPT

# loginnet.passport.com is resolved once, when the rule is loaded; addresses
# the name maps to later are not covered.
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 1863 -j REJECT
iptables -A FORWARD -s 192.168.0.0/24 -d loginnet.passport.com -j REJECT
echo

echo -n "Opening specific ports for the LAN side, in and out:"
# These services are meant for the LAN, so they are bound to the LAN interface.
# Without "-i" they would also be open on the Internet side: the INPUT policy
# is ACCEPT and these rules run before the INETIN jump.
#DNS
iptables -A INPUT -i ${LAN_IFACE} -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i ${LAN_IFACE} -p udp --dport 53 -j ACCEPT

#VNC

iptables -A INPUT -i ${LAN_IFACE} -p tcp --dport 5901 -j ACCEPT
iptables -A INPUT -i ${LAN_IFACE} -p udp --dport 5901 -j ACCEPT

echo

echo -n "Port forward to an internal machine: ok"
iptables -t nat -A PREROUTING -i ${INET_IFACE} -p tcp --dport 2222 -j DNAT --to-dest 192.168.0.5
iptables -A FORWARD -p tcp -i ${INET_IFACE} --dport 2222 -d 192.168.0.5 -j ACCEPT

# I used 2222 to demonstrate how the rule works
echo

# CREATING NEW chains

echo -n "Creating chains: "
for chain in ${FILTER_CHAINS} ; do
${IPTABLES} -t filter -F ${chain} > /dev/null 2>&1
${IPTABLES} -t filter -X ${chain} > /dev/null 2>&1
${IPTABLES} -t filter -N ${chain}
echo -n "${chain} "
done
echo

# POLICIES

echo -n "Default policy: "

${IPTABLES} -t filter -P INPUT ACCEPT
echo -n "INPUT:ACCEPT "
${IPTABLES} -t filter -P OUTPUT ACCEPT
echo -n "OUTPUT:ACCEPT "
${IPTABLES} -t filter -P FORWARD DROP
echo -n "FORWARD:DROP "
echo

echo -n "Local traffic rules: "

for subnet in ${INTERNAL_LAN} ; do
${IPTABLES} -t filter -A FORWARD -s ${subnet} -j ACCEPT
${IPTABLES} -t filter -A FORWARD -d ${subnet} -j ACCEPT
echo -n "${subnet}:ACCEPT "
done
echo

#NAT

if [ "$USE_MASQ" = "TRUE" ] ; then
echo -n "Setting up NAT: "
if [ "$MAC_LAN" = "" ] ; then
for subnet in ${INTERNAL_LAN} ; do
${IPTABLES} -t nat -A POSTROUTING -s ${subnet} -o ${INET_IFACE} -j MASQUERADE
echo -n "${subnet}:MASQUERADE "
done
else
for address in ${MAC_LAN} ; do
${IPTABLES} -t nat -A POSTROUTING -m mac --mac-source ${address} -o ${INET_IFACE} -j MASQUERADE
echo -n "${address}:MASQUERADE "
done
fi
echo
elif [ "$USE_SNAT" != "" ] ; then

echo -n "Setting up NAT: "
if [ "$MAC_LAN" = "" ] ; then
for subnet in ${INTERNAL_LAN} ; do
${IPTABLES} -t nat -A POSTROUTING -s ${subnet} -o ${INET_IFACE} -j SNAT --to-source ${USE_SNAT}
echo -n "${subnet}:SNAT "
done
else
for address in ${MAC_LAN} ; do
${IPTABLES} -t nat -A POSTROUTING -m mac --mac-source ${address} -o ${INET_IFACE} -j SNAT --to-source ${USE_SNAT}
echo -n "${address}:SNAT "
done
fi
echo
fi

#TCP Port-Forwards

if [ "$TCP_FW" != "" ] ; then
echo -n "TCP Port Forwards: "
if [ "$USE_SNAT" != "" ] || [ "$USE_MASQ" = "TRUE" ] ; then
for rule in ${TCP_FW} ; do
ports=`echo $rule | sed 's/>.*//g'`
srcport=`echo $ports | sed 's/:.*//g'`
destport=`echo $ports | sed 's/.*://g'`
host=`echo $rule | sed 's/.*>//g'`
${IPTABLES} -t nat -A PREROUTING -p tcp -i ${INET_IFACE} --dport ${srcport} -j DNAT --to ${host}:${destport}
echo -n "${rule} "
done
else
for rule in ${TCP_FW} ; do
ports=`echo $rule | sed 's/>.*//g'`
srcport=`echo $ports | sed 's/:.*//g'`
destport=`echo $ports | sed 's/.*://g'`
host=`echo $rule | sed 's/.*>//g'`
${IPTABLES} -t nat -A PREROUTING -i ${INET_IFACE} -p tcp --dport ${srcport} -j REDIRECT --to ${host}:${destport}
echo -n "${rule} "
done
fi
echo
fi

#UDP Port Forwards
if [ "$UDP_FW" != "" ] ; then
echo -n "UDP Port Forwards: "
if [ "$USE_SNAT" != "" ] || [ "$USE_MASQ" = "TRUE" ] ; then
for rule in ${UDP_FW} ; do
# (two stray "iptables -A INPUT ... 80/443" lines that had been pasted into
# this loop, one of them glued onto the ports= assignment, are removed here;
# they broke the loop and are repeated in the TCPACCEPT section anyway)
ports=`echo $rule | sed 's/>.*//g'`
srcport=`echo $ports | sed 's/:.*//g'`
destport=`echo $ports | sed 's/.*://g'`
host=`echo $rule | sed 's/.*>//g'`
${IPTABLES} -t nat -A PREROUTING -p udp -i ${INET_IFACE} --dport ${srcport} -j DNAT --to ${host}:${destport}
echo -n "${rule} "
done
else
for rule in ${UDP_FW} ; do
ports=`echo $rule | sed 's/>.*//g'`
srcport=`echo $ports | sed 's/:.*//g'`
destport=`echo $ports | sed 's/.*://g'`
host=`echo $rule | sed 's/.*>//g'`
${IPTABLES} -t nat -A PREROUTING -i ${INET_IFACE} -p udp --dport ${srcport} -j REDIRECT --to ${host}:${destport}
echo -n "${rule} "
done
fi
echo
fi

# ===============================================
#
# ===============================================


#INET chains

echo -n "INET chains: "
${IPTABLES} -t filter -A INPUT -i ${INET_IFACE} -j INETIN
echo -n "INETIN "
${IPTABLES} -t filter -A OUTPUT -o ${INET_IFACE} -j INETOUT
echo -n "INETOUT "
echo

# LOG CHAINS

echo -n "LOG CHAINS: "

${IPTABLES} -t filter -A LDROP -p tcp -j LOG --log-level info --log-prefix "TCP Dropped "
${IPTABLES} -t filter -A LDROP -p udp -j LOG --log-level info --log-prefix "UDP Dropped "
${IPTABLES} -t filter -A LDROP -p icmp -j LOG --log-level info --log-prefix "ICMP Dropped "
${IPTABLES} -t filter -A LDROP -f -j LOG --log-level warning --log-prefix "FRAGMENT Dropped "
${IPTABLES} -t filter -A LDROP -j DROP
echo -n "LDROP "

#LREJECT

${IPTABLES} -t filter -A LREJECT -p tcp -j LOG --log-level info --log-prefix "TCP Rejected "
${IPTABLES} -t filter -A LREJECT -p udp -j LOG --log-level info --log-prefix "UDP Rejected "
${IPTABLES} -t filter -A LREJECT -p icmp -j LOG --log-level info --log-prefix "ICMP Rejected "
${IPTABLES} -t filter -A LREJECT -f -j LOG --log-level warning --log-prefix "FRAGMENT Rejected "
${IPTABLES} -t filter -A LREJECT -j REJECT
echo -n "LREJECT "

# NEW LINE
echo



echo -n "per-proto ACCEPT: "

# TCPACCEPT

# SYN flood (ANTI-ATTACK) rate limiting

# The two INPUT rules below open the web server ports on every interface,
# eth0 included, ahead of the INETIN checks.
iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 443 -j ACCEPT

${IPTABLES} -t filter -A TCPACCEPT -p tcp --syn -m limit --limit 2/s -j ACCEPT
${IPTABLES} -t filter -A TCPACCEPT -p tcp ! --syn -j ACCEPT

${IPTABLES} -t filter -A TCPACCEPT -j LOG --log-prefix "Mismatch in TCPACCEPT "
${IPTABLES} -t filter -A TCPACCEPT -j ${DROP}
echo -n "TCPACCEPT "

#UDPACCEPT

${IPTABLES} -t filter -A UDPACCEPT -p udp -j ACCEPT

${IPTABLES} -t filter -A UDPACCEPT -j LOG --log-prefix "Mismatch on UDPACCEPT "
${IPTABLES} -t filter -A UDPACCEPT -j ${DROP}
echo -n "UDPACCEPT "

#Done

echo

# -------------------------------------------------
# =================================================
# -------------------------------------------------


# DIRECT BLOCKS

if [ "$DENY_ALL" != "" ] ; then
echo -n "Denying hosts: "
for host in ${DENY_ALL} ; do
${IPTABLES} -t filter -A INETIN -s ${host} -j ${DROP}
echo -n "${host}:${DROP}"
done
echo
fi

# INVALID PACKETS

echo -n "${DROP}ing invalid packets..."
${IPTABLES} -t filter -A INETIN -m state --state INVALID -j ${DROP}
echo "done"



# ================================================================




#ALLOWS

echo -n "Flood limiting: "

${IPTABLES} -t filter -A INETIN -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
echo -n "ICMP-PING "
echo

echo -n "please wait..."
${IPTABLES} -t filter -A INETIN -p icmp ! --icmp-type echo-request -j ACCEPT
echo "done"

if [ "$TCP_ALLOW" != "" ] ; then
echo -n "TCP Input Allow: "
for port in ${TCP_ALLOW} ; do
if [ "0$port" = "021" ]; then
# active-mode FTP data connections arrive from the remote server's port 20
# ("=" rather than "==": this script runs under /bin/sh, not bash)
${IPTABLES} -t filter -A INETIN -p tcp --sport 20 --dport 1024:65535 ! --syn -j TCPACCEPT
fi
${IPTABLES} -t filter -A INETIN -p tcp --dport ${port} -j TCPACCEPT
echo -n "${port} "
done
echo
fi

if [ "$UDP_ALLOW" != "" ] ; then
echo -n "UDP Input Allow: "
for port in ${UDP_ALLOW} ; do
${IPTABLES} -t filter -A INETIN -p udp --dport ${port} -j UDPACCEPT
echo -n "${port} "
done
echo
fi

# Answers from the DNS servers listed in $DNS.  The original labelled this
# "zone transfers", but zone transfers run over TCP 53; this rule only admits
# UDP answers, which the ESTABLISHED,RELATED rule further down covers anyway.
if [ "$DNS" != "" ] ; then
echo -n "DNS replies: "
for server in ${DNS} ; do
${IPTABLES} -t filter -A INETIN -p udp -s ${server} --sport 53 -j UDPACCEPT
echo -n "${server} "
done
echo
fi

#SSH Rulesets

# Stateless rules from before connection tracking: they admit any non-SYN
# packet whose source port is 22 into the high ports, and the source port is
# chosen by the remote side.  The ESTABLISHED,RELATED rule below already
# handles the genuine return traffic, so these can be switched off by setting
# USE_SSH1="" and USE_OPENSSH="".
if [ "$USE_SSH1" = "TRUE" ] || [ "$USE_OPENSSH" = "TRUE" ]; then
echo -n "Accounting for SSH..."
if [ "$USE_SSH1" = "TRUE" ]; then #SSH1
${IPTABLES} -t filter -A INETIN -p tcp --sport 22 --dport 513:1023 ! --syn -j TCPACCEPT
echo -n "SSH1 "
fi
if [ "$USE_OPENSSH" = "TRUE" ] ; then #OpenSSH
${IPTABLES} -t filter -A INETIN -p tcp --sport 22 --dport 1024:65535 ! --syn -j TCPACCEPT
echo -n "OpenSSH "
fi
echo
fi

#AUTH(identd) host-based allows

if [ "$AUTH_ALLOW" != "" ] ; then
echo -n "AUTH accepts: "
for host in ${AUTH_ALLOW} ; do
${IPTABLES} -t filter -A INETIN -p tcp -s ${host} --dport 113 -j TCPACCEPT
echo -n "${host} "
done
echo
fi

echo -n "KEEPING EXISTING CONNECTIONS..."

${IPTABLES} -t filter -A INETIN -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "done"


echo -n "Setting up INET policies: "


${IPTABLES} -t filter -A INETIN -j ${DROP}
echo -n "INETIN:${DROP} "

${IPTABLES} -t filter -A INETOUT -j ACCEPT
echo -n "INETOUT:ACCEPT "
echo

###############################################################################

# ALLOW ONE MACHINE TO BROWSE WITHOUT GOING THROUGH THE PROXY
# (ACCEPT in the nat table ends NAT processing for that packet, so the
# REDIRECT below never sees it)

iptables -t nat -A PREROUTING -i ${LAN_IFACE} -s 192.168.0.10 -p tcp --dport 80 -j ACCEPT

###############################################################################

# STOP EVERY OTHER USER FROM BROWSING OUTSIDE THE PROXY
# Squid listens on 3128 (no http_port is set in the squid.conf later in this
# thread, and 3128 is the port the browsers are told to use), so redirect
# there; the original sent the traffic to 8080.  Squid must also be configured
# for transparent (interception) mode, otherwise it answers these redirected
# requests with an error page.

iptables -t nat -A PREROUTING -i ${LAN_IFACE} -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128

# The original also DNATed port 80 arriving on eth0 to Squid.  That would hand
# the public web server's traffic to the proxy and expose Squid to the
# Internet, so it is left disabled here.
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.0.1:3128

echo "firewall loaded!"
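The MSN rules in the script above show two traps that are easy to miss in a hand-written iptables script: rules are evaluated top to bottom, so an ACCEPT exception placed after a broader REJECT never fires, and "-s 192.168.0.10/24" is not one host but the entire 192.168.0.0/24 network. The following Python script is an added example, not code from the post. It parses a small subset of iptables syntax (only -A, -s, -p, --dport and -j, so the hostname-based "-d loginnet.passport.com" rules are left out), normalises the source the way iptables does, and reports rules that an earlier terminating rule in the same chain already shadows. The rule strings are constructed from the post; the "fixed" ordering is mine.

```python
import ipaddress
import shlex

# Constructed input: the two port-based MSN FORWARD rules from the post, in the
# order the script appends them.
POSTED_RULES = """
-A FORWARD -s 192.168.0.0/24 -p tcp --dport 1863 -j REJECT
-A FORWARD -s 192.168.0.10/24 -p tcp --dport 1863 -j ACCEPT
"""

# Same intent, with the single-host exception first and naming a single host.
FIXED_RULES = """
-A FORWARD -s 192.168.0.10/32 -p tcp --dport 1863 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -p tcp --dport 1863 -j REJECT
"""

# Targets that end evaluation of the chain for a matching packet.
TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def parse_rule(line):
    """Turn one 'iptables -A ...' rule into a dict of match fields.

    An unset field means "any".  The source is parsed with strict=False,
    which is what iptables does: 192.168.0.10/24 becomes 192.168.0.0/24.
    """
    rule = {"chain": None, "src": None, "proto": None, "dport": None, "target": None}
    toks = shlex.split(line)
    i = 0
    while i < len(toks):
        opt, val = toks[i], toks[i + 1]
        if opt == "-A":
            rule["chain"] = val
        elif opt == "-s":
            rule["src"] = ipaddress.ip_network(val, strict=False)
        elif opt == "-p":
            rule["proto"] = val
        elif opt == "--dport":
            rule["dport"] = int(val)
        elif opt == "-j":
            rule["target"] = val
        else:
            raise ValueError("unsupported option %r in %r" % (opt, line))
        i += 2
    return rule


def parse_rules(text):
    """Parse one rule per non-empty line."""
    return [parse_rule(l) for l in text.strip().splitlines() if l.strip()]


def covers(a, b):
    """True if every packet that matches rule b also matches rule a."""
    if a["src"] is not None and (b["src"] is None or not b["src"].subnet_of(a["src"])):
        return False
    if a["proto"] is not None and a["proto"] != b["proto"]:
        return False
    if a["dport"] is not None and a["dport"] != b["dport"]:
        return False
    return True


def shadowed(rules):
    """Return (j, i) pairs: rule j can never match because the earlier
    terminating rule i in the same chain already matches everything j would."""
    hits = []
    for j, later in enumerate(rules):
        for i in range(j):
            earlier = rules[i]
            if (earlier["chain"] == later["chain"]
                    and earlier["target"] in TERMINATING
                    and covers(earlier, later)):
                hits.append((j, i))
                break
    return hits


if __name__ == "__main__":
    for name, text in (("posted", POSTED_RULES), ("fixed", FIXED_RULES)):
        rules = parse_rules(text)
        hits = shadowed(rules)
        for j, i in hits:
            print("%s: rule %d (%s from %s) is shadowed by rule %d (%s)" % (
                name, j, rules[j]["target"], rules[j]["src"], i, rules[i]["target"]))
        if not hits:
            print("%s: no shadowed rules" % name)
```

The check is deliberately conservative: it only reports a rule when an earlier rule's match set is a strict superset on every modelled field, which is the case that can never be right. Overlapping but not nested rules (different ports, partially overlapping networks) are left alone, since their order may be intentional.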
dinho (User) - Registered: Mar 29, 2006 - Posts: 113
Posted: Wed Apr 05, 2006 5:37 pm

DNS

When you install it, it already comes configured to resolve names, so you don't need to touch it; if you're going to host sites it's more complicated because it involves named.conf and other files.


dhcp.conf

ddns-update-style none;
default-lease-time 21600;
max-lease-time 21600;

option subnet-mask 255.255.255.0;
option broadcast-address 192.168.0.255;
option routers 192.168.0.1;
option domain-name-servers 192.168.0.1;
option domain-name "seudominio.com.br";


subnet 192.168.0.0 netmask 255.255.255.0 {
    # Address pool handed out to clients.  The original had no range statement,
    # so dhcpd would not have leased any address; the bounds here are an
    # assumption, chosen to leave 192.168.0.1-99 free for the servers.
    range 192.168.0.100 192.168.0.200;
    use-host-decl-names on;
    option log-servers 192.168.0.1;
}

Install squid and configure squid.conf


Squid.conf


########### -----------------------------------------------------------------------------

hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

########### CACHE SIZE
########### -----------------------------------------------------------------------------

cache_mem 16 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 700 MB
minimum_object_size 1 KB
maximum_object_size_in_memory 4096 KB
cache_dir ufs /var/spool/squid 10000 16 256

ipcache_size 3600
ipcache_low 90
ipcache_high 95

########### -----------------------------------------------------------------------------

# Without an "auth_param basic program ..." line and a proxy_auth acl these
# three lines do nothing; they are harmless but do not enable authentication.
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

########### REFRESH
########### -----------------------------------------------------------------------------

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320


########### ACCESS CONTROL
########### -----------------------------------------------------------------------------

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 ########### http
acl Safe_ports port 21 ########### ftp
acl Safe_ports port 20 ########### ftp
acl Safe_ports port 443 563 ########### https, snews
acl Safe_ports port 70 ########### gopher
acl Safe_ports port 210 ########### wais
acl Safe_ports port 1025-65535 ########### unregistered ports
acl Safe_ports port 280 ########### http-mgmt
acl Safe_ports port 488 ########### gss-http
acl Safe_ports port 591 ########### filemaker
acl Safe_ports port 777 ########### multiling http
acl CONNECT method CONNECT


########### BLOCKING ACLS
########### -----------------------------------------------------------------------------

#acl bloquear urlpath_regex -i \.mp3$ \.wav$ \.zip$ \.pps$ \.mpg$ \.rar$ \.bat$ \.com$ \.pif$ \.scr$ \.reg$ \.ocx$
#http_access deny bloquear

########### IPS / MACHINE ACLS
########### -----------------------------------------------------------------------------

# The LAN clients that may use the proxy.  The original had 192.168.0.1, which
# is the proxy host itself, so every workstation would have got "access denied".
acl usuarios src 192.168.0.0/24



########### TIME-OF-DAY CONTROL (DISABLED)
########### -----------------------------------------------------------------------------


###########acl manha time MTWHF 08:00-12:00
###########acl almoco time MTWHF 12:00-13:00
###########acl finaldia time MTWHF 17:45-24:00
###########http_access allow usuarios manha
###########http_access allow usuarios almoco
###########http_access allow usuarios finaldia


########### SITE CONTROL PER USER
########### -----------------------------------------------------------------------------

acl regraconteudo urlpath_regex "/etc/squid/chaves"
http_access deny usuarios regraconteudo

# you have to create a file called chaves inside /etc/squid/ and put in it the keywords you want to block


#----------------------------------------------------------------------------------------

# blocks domains - same scheme of creating the file as described above (only the name is sites_bloqueados).

acl sites dstdom_regex "/etc/squid/sites_bloqueados"
http_access deny sites usuarios


########### BLOCKING MSN
########### -----------------------------------------------------------------------------

acl msn dstdomain loginnet.passport.com
http_access deny msn

acl msnmessenger url_regex -i gateway.dll

http_access deny msnmessenger

# (the original also had "http_access deny MSN"; acl names are case-sensitive
# and no acl named MSN is defined, so Squid refuses to start on that line)

acl webmsn dstdomain webmessenger.msn.com
http_access deny webmsn



########### BANDWIDTH CONTROL
########### -----------------------------------------------------------------------------

delay_pools 1
delay_class 1 3


delay_access 1 allow usuarios


delay_access 1 deny all
# class 3 pool: aggregate / per-network / per-host, in bytes per second
delay_parameters 1 64000/64000 -1/-1 16000/54000

# I set it to roughly 256 k per user (25k)


########### RULES
########### -----------------------------------------------------------------------------

# http_access is first-match, so these safety rules must come BEFORE the line
# that allows the LAN; in the original they came after it, which let any LAN
# user CONNECT to any port and reach the cache manager.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

########### USER CONTROL DENY / ALLOW
########### -----------------------------------------------------------------------------

http_access allow usuarios

# here you say that the user may use the proxy

http_access deny all
http_reply_access allow all
icp_access allow all


########### CACHE NAME AND LOCATION
########### -----------------------------------------------------------------------------

visible_hostname webserver

cache_access_log /var/log/squid/access.log

coredump_dir /var/cache/squid
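Squid evaluates http_access lines in order and stops at the first line whose ACLs all match, so the position of "http_access allow usuarios" decides whether the port and cache-manager checks ever run. The script below is an added example, not part of the post or of Squid. It models only the ACL types those lines need (src, port, method and the cache_object proto of the manager acl), assumes usuarios is the LAN 192.168.0.0/24, and evaluates a few constructed requests against the order the post used and against the order with the safety rules first.

```python
import ipaddress

# Constructed model of the ACLs from the squid.conf above that the http_access
# lines below refer to.  Port ACLs are (low, high) ranges.
ACLS = {
    "all":        ("src",    ["0.0.0.0/0"]),
    "localhost":  ("src",    ["127.0.0.1/32"]),
    "usuarios":   ("src",    ["192.168.0.0/24"]),   # assumption: the LAN
    "manager":    ("proto",  ["cache_object"]),
    "CONNECT":    ("method", ["CONNECT"]),
    "SSL_ports":  ("port",   [(443, 443), (563, 563)]),
    "Safe_ports": ("port",   [(80, 80), (21, 21), (20, 20), (443, 443), (563, 563),
                              (70, 70), (210, 210), (1025, 65535), (280, 280),
                              (488, 488), (591, 591), (777, 777)]),
}

# http_access lines in the order the post had them (only those using the ACLs
# modelled above) and with the safety rules moved ahead of the LAN allow.
POSTED_ORDER = [
    "allow usuarios",
    "allow manager localhost",
    "deny manager",
    "deny !Safe_ports",
    "deny CONNECT !SSL_ports",
    "deny all",
]
FIXED_ORDER = [
    "allow manager localhost",
    "deny manager",
    "deny !Safe_ports",
    "deny CONNECT !SSL_ports",
    "allow usuarios",
    "deny all",
]


def acl_matches(name, req):
    """Does the named ACL match this request?"""
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        return any(lo <= req["port"] <= hi for lo, hi in values)
    if kind == "method":
        return req["method"] in values
    if kind == "proto":
        return req["proto"] in values
    raise ValueError(kind)


def http_access(lines, req):
    """Squid's http_access semantics: the first line whose ACLs all match
    (a leading '!' negates one ACL) decides.  If no line matches, the result
    is the opposite of the last line's action."""
    action = None
    for line in lines:
        action, *acls = line.split()
        if all(acl_matches(a.lstrip("!"), req) != a.startswith("!") for a in acls):
            return action
    return "deny" if action == "allow" else "allow"


def request(src, port=80, method="GET", proto="http"):
    """Constructed request: client address, destination port, method, scheme."""
    return {"src": src, "port": port, "method": method, "proto": proto}


if __name__ == "__main__":
    for label, req in (("LAN CONNECT to port 25", request("192.168.0.10", 25, "CONNECT")),
                       ("LAN cache manager", request("192.168.0.10", proto="cache_object")),
                       ("LAN GET port 80", request("192.168.0.10"))):
        print("%-24s posted=%-5s fixed=%s" % (
            label, http_access(POSTED_ORDER, req), http_access(FIXED_ORDER, req)))
```

With the posted order the LAN can tunnel CONNECT to any port (an open relay for SMTP, for example) and read the cache manager; with the deny lines first those requests are refused while ordinary browsing from the LAN and CONNECT to 443 still work.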
dinho (User) - Registered: Mar 29, 2006 - Posts: 113
Posted: Wed Apr 05, 2006 5:42 pm

Remember that on the machines you have to set the proxy in the browser settings, which in this case is

IP: 192.168.0.1, port 3128

Well, if all went well your server now has the proxy on, is sharing the internet, resolving names, and has a firewall.


Well, I can't go on today because I have to leave, but tomorrow I'll continue this subject. Remember I'm assuming the user knows how to install the services on the machine.
jasonn (Administrator) - Registered: Oct 22, 2004 - Posts: 2143 - Location: Salvador - Bahia
Posted: Wed Apr 05, 2006 5:46 pm

Hehehehe, I'm speechless.
_________________
Cristiano Furtado dos Santos
Free Software Project Manager
Fedora Project Brazil Ambassador.
Personal page: http://jasonnfedora.eti.br
luciano (Moderator) - Registered: Sep 29, 2004 - Posts: 496 - Location: Belo Horizonte
Posted: Thu Apr 06, 2006 5:38 pm    Subject: wow!!!

Heck, now even I can set up a server like this after that step-by-step. Wow, congratulations Dinho, thanks, the community is proud of you....
That's the full service: beard, hair and moustache!!!
_________________
Now remember: if this post is resolved, edit the title and add the tag
[RESOLVIDO]
dinho (User) - Registered: Mar 29, 2006 - Posts: 113
Posted: Fri Apr 07, 2006 7:33 am

Thanks to everyone for the compliments. I'm new here on the forum, but I intend to contribute more and learn even more, because every case is different and there's always something to learn, and helping doesn't cost anything either. If people knew that you learn by helping, we'd have many more advances.


Cheers guys..... hugs to all....
arthuryuri (Newbie) - Registered: Apr 01, 2006 - Posts: 28
Posted: Fri Apr 07, 2006 8:29 am

dinho, it's really nice, I'm setting it up here!!! :)
dinho (User) - Registered: Mar 29, 2006 - Posts: 113
Posted: Fri Apr 07, 2006 8:55 am

If you need help, we're here!
dinho (User) - Registered: Mar 29, 2006 - Posts: 113
Posted: Fri Apr 07, 2006 12:29 pm

Continuing this topic, let's now configure pure-ftpd with MySQL. Why with MySQL? To increase the security of user access to the FTP, since there's no need to create local users on the server, and administration is much easier; you can even build a user administration interface in PHP with a web front end. Actually, I haven't built that yet because I'm hopeless at PHP, but I invite the PHP programmers to develop an interface that reads the pure-ftpd users from MySQL and produces an intuitive administration screen for lay (thick-headed) users. Help! Just kidding, folks.


vamos lah


1st - Install Pure-ftpd

Once again I'll assume the fellow has already installed it.

#MySQL - PhpMyAdmin

If you don't have it, here's the command.

For those who use apt-get:

apt-get install mysql-server mysql-client libmysqlclient12-dev phpmyadmin


For those who use yum:

yum install mysql-server mysql-client libmysqlclient12-dev phpmyadmin

Or get it through yumex, or download the package from the net.


Note: for the thick-headed who use a graphical interface, there's a little tool called yumex which is a great help; it's like an add/remove programs, only with yum's functionality, i.e. you type the name of the package you want and it lists it, then you just select and install.

#In mysql:

If you already have MySQL installed and have already configured root, great; if not, use this command after installing MySQL. I won't go into the MySQL installation because there are n variations.

mysqladmin -u root password suasenhacabeçudo

Now install pure-ftpd-mysql

apt-get install pure-ftpd-mysql

yum install pure-ftpd-mysql


Create the pure-ftpd group

groupadd -g 2001 ftpgroup
useradd -u 2001 -s /bin/false -d /bin/null -c "pureftpd" -g ftpgroup ftpuser

Note: it may give some errors because each distro is configured differently; mine said the group already existed, but I ignored the error and went on, and in the end everything worked. But since the famous component that every computer has, called the idiot-at-the-keyboard, causes problems, we always have some snag.

#In mysql
############################################

mysql -u root -p
CREATE DATABASE pureftpd;
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON pureftpd.* TO 'pureftpd'@'localhost' IDENTIFIED BY 'senhadoftp';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON pureftpd.* TO 'pureftpd'@'localhost.localdomain' IDENTIFIED BY 'senhadoftp';
FLUSH PRIVILEGES;


#############################################

If you want to copy and paste everything into the console, I think it works.


Creating the user table


#############################################


USE pureftpd;


#############################################

CREATE TABLE ftpd (
User varchar(16) NOT NULL default '',
status enum('0','1') NOT NULL default '0',
Password varchar(64) NOT NULL default '',
Uid varchar(11) NOT NULL default '-1',
Gid varchar(11) NOT NULL default '-1',
Dir varchar(128) NOT NULL default '',
ULBandwidth smallint(5) NOT NULL default '0',
DLBandwidth smallint(5) NOT NULL default '0',
comment tinytext NOT NULL,
ipaccess varchar(15) NOT NULL default '*',
QuotaSize smallint(5) NOT NULL default '0',
QuotaFiles int(11) NOT NULL default 0,
PRIMARY KEY (User),
UNIQUE KEY User (User)
) ENGINE=MyISAM;   -- ENGINE= is the portable form of the older TYPE=


#############################################

quit;


#############################################




Configure PureFTPd


#############################################



pure-ftpd.conf


############################################################
# #
# Configuration file for pure-ftpd wrappers #
# #
############################################################

# If you want to run Pure-FTPd with this configuration
# instead of command-line options, please run the
# following command :
#
# /usr/sbin/pure-config.pl /etc/pure-ftpd/pure-ftpd.conf
#
# Please don't forget to have a look at documentation at
# http://www.pureftpd.org/documentation.shtml for a complete list of
# options.

# Cage in every user in his home directory

ChrootEveryone yes



# If the previous option is set to "no", members of the following group
# won't be caged. Others will be. If you don't want chroot()ing anyone,
# just comment out ChrootEveryone and TrustedGID.

# TrustedGID 100



# Turn on compatibility hacks for broken clients

BrokenClientsCompatibility no



# Maximum number of simultaneous users

MaxClientsNumber 50



# Fork in background

Daemonize yes



# Maximum number of sim clients with the same IP address

MaxClientsPerIP 8



# If you want to log all client commands, set this to "yes".
# This directive can be duplicated to also log server responses.

VerboseLog no



# List dot-files even when the client doesn't send "-a".

DisplayDotFiles yes



# Don't allow authenticated users - have a public anonymous FTP only.

AnonymousOnly no



# Disallow anonymous connections. Only allow authenticated users.

NoAnonymous no



# Syslog facility (auth, authpriv, daemon, ftp, security, user, local*)
# The default facility is "ftp". "none" disables logging.

SyslogFacility ftp



# Display fortune cookies

# FortunesFile /usr/share/fortune/zippy



# Don't resolve host names in log files. Logs are less verbose, but
# it uses less bandwidth. Set this to "yes" on very busy servers or
# if you don't have a working DNS.

DontResolve yes



# Maximum idle time in minutes (default = 15 minutes)

MaxIdleTime 15



# LDAP configuration file (see README.LDAP)

# LDAPConfigFile /etc/pure-ftpd/pureftpd-ldap.conf



# MySQL configuration file (see README.MySQL)

MySQLConfigFile /etc/pure-ftpd/pureftpd-mysql.conf


# Postgres configuration file (see README.PGSQL)

# PGSQLConfigFile /etc/pure-ftpd/pureftpd-pgsql.conf


# PureDB user database (see README.Virtual-Users)

# PureDB /etc/pure-ftpd/pureftpd.pdb


# Path to pure-authd socket (see README.Authentication-Modules)

# ExtAuth /var/run/ftpd.sock



# If you want to enable PAM authentication, uncomment the following line

PAMAuthentication yes



# If you want simple Unix (/etc/passwd) authentication, uncomment this

# UnixAuthentication yes



# Please note that LDAPConfigFile, MySQLConfigFile, PAMAuthentication and
# UnixAuthentication can be used only once, but they can be combined
# together. For instance, if you use MySQLConfigFile, then UnixAuthentication,
# the SQL server will be asked. If the SQL authentication fails because the
# user wasn't found, another try # will be done with /etc/passwd and
# /etc/shadow. If the SQL authentication fails because the password was wrong,
# the authentication chain stops here. Authentication methods are chained in
# the order they are given.



# 'ls' recursion limits. The first argument is the maximum number of
# files to be displayed. The second one is the max subdirectories depth

LimitRecursion 7500 8



# Are anonymous users allowed to create new directories ?

AnonymousCanCreateDirs no



# If the system is more loaded than the following value,
# anonymous users aren't allowed to download.

MaxLoad 4



# Port range for passive connections replies. - for firewalling.

# PassivePortRange 30000 50000



# Force an IP address in PASV/EPSV/SPSV replies. - for NAT.
# Symbolic host names are also accepted for gateways with dynamic IP
# addresses.

# ForcePassiveIP 192.168.0.1



# Upload/download ratio for anonymous users.

# AnonymousRatio 1 10



# Upload/download ratio for all users.
# This directive superscedes the previous one.

# UserRatio 1 10



# Disallow downloading of files owned by "ftp", ie.
# files that were uploaded but not validated by a local admin.

AntiWarez yes



# IP address/port to listen to (default=all IP and port 21).

# Bind 127.0.0.1,21



# Maximum bandwidth for anonymous users in KB/s

# AnonymousBandwidth 8



# Maximum bandwidth for *all* users (including anonymous) in KB/s
# Use AnonymousBandwidth *or* UserBandwidth, both makes no sense.

# UserBandwidth 8



# File creation mask. <umask for files>:<umask for dirs> .
# 177:077 if you feel paranoid.

Umask 133:022



# Minimum UID for an authenticated user to log in.

MinUID 500



# Allow FXP transfers for authenticated users.

AllowUserFXP no



# Allow anonymous FXP for anonymous and non-anonymous users.

AllowAnonymousFXP no



# Users can't delete/write files beginning with a dot ('.')
# even if they own them. If TrustedGID is enabled, this group
# will have access to dot-files, though.

ProhibitDotFilesWrite no



# Prohibit *reading* of files beginning with a dot (.history, .ssh...)

ProhibitDotFilesRead no



# Never overwrite files. When a file whoose name already exist is uploaded,
# it get automatically renamed to file.1, file.2, file.3, ...

AutoRename no



# Disallow anonymous users to upload new files (no = upload is allowed)

AnonymousCantUpload yes



# Only connections to this specific IP address are allowed to be
# non-anonymous. You can use this directive to open several public IPs for
# anonymous FTP, and keep a private firewalled IP for remote administration.
# You can also only allow a non-routable local IP (like 10.x.x.x) to
# authenticate, and keep a public anon-only FTP server on another IP.

#TrustedIP 10.1.1.1



# If you want to add the PID to every logged line, uncomment the following
# line.

#LogPID yes



# Create an additional log file with transfers logged in a Apache-like format :
# fw.c9x.org - jedi [13/Dec/1975:19:36:39] "GET /ftp/linux.tar.bz2" 200 21809338
# This log file can then be processed by www traffic analyzers.

AltLog clf:/var/log/pureftpd.log



# Create an additional log file with transfers logged in a format optimized
# for statistic reports.

# AltLog stats:/var/log/pureftpd.log



# Create an additional log file with transfers logged in the standard W3C
# format (compatible with most commercial log analyzers)

# AltLog w3c:/var/log/pureftpd.log



# Disallow the CHMOD command. Users can't change perms of their files.

#NoChmod yes



# Allow users to resume and upload files, but *NOT* to delete them.

#KeepAllFiles yes



# Automatically create home directories if they are missing

#CreateHomeDir yes



# Enable virtual quotas. The first number is the max number of files.
# The second number is the max size in megabytes.
# So 1000:10 limits every user to 1000 files and 10 MB.

#Quota 1000:10



# If your pure-ftpd has been compiled with standalone support, you can change
# the location of the pid file. The default is /var/run/pure-ftpd.pid

#PIDFile /var/run/pure-ftpd.pid



# If your pure-ftpd has been compiled with pure-uploadscript support,
# this will make pure-ftpd write info about new uploads to
# /var/run/pure-ftpd.upload.pipe so pure-uploadscript can read it and
# spawn a script to handle the upload.

#CallUploadScript yes



# This option is useful with servers where anonymous upload is
# allowed. As /var/ftp is in /var, it saves some space and protects
# the log files. When the partition is more than X percent full,
# new uploads are disallowed.

MaxDiskUsage 99



# Set to 'yes' if you don't want your users to rename files.

#NoRename yes



# Be 'customer proof' : workaround against common customer mistakes like
# 'chmod 0 public_html', that are valid, but that could cause ignorant
# customers to lock their files, and then keep your technical support busy
# with silly issues. If you're sure all your users have some basic Unix
# knowledge, this feature is useless. If you're a hosting service, enable it.

CustomerProof yes



# Per-user concurrency limits. It will only work if the FTP server has
# been compiled with --with-peruserlimits (and this is the case on
# most binary distributions).
# The format is: <max sessions per user>:<max anonymous sessions>
# For instance, 3:20 means that the same authenticated user can have 3 active
# sessions max, and there are 20 anonymous sessions max.

# PerUserLimits 3:20



# When a file is uploaded and there is already a previous version of the file
# with the same name, the old file will neither get removed nor truncated.
# Upload will take place in a temporary file and once the upload is complete,
# the switch to the new version will be atomic. For instance, when a large PHP
# script is being uploaded, the web server will still serve the old version and
# immediately switch to the new one as soon as the full file has been
# transferred. This option is incompatible with virtual quotas.

# NoTruncate yes



# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
# including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

# TLS 1



# Listen only to IPv4 addresses in standalone mode (ie. disable IPv6)
# By default, both IPv4 and IPv6 are enabled.

# IPV4Only yes



# Listen only to IPv6 addresses in standalone mode (ie. disable IPv4)
# By default, both IPv4 and IPv6 are enabled.

# IPV6Only yes



# Do not use the /etc/ftpusers file to disable accounts. We're already
# using MinUID to block users with uid < 500
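Added example, not from the post: a small parser for the pure-ftpd.conf directive format above, plus an audit that flags settings based only on what the file's own comments say they mean (TLS unset means the documented default 0, ProhibitDotFilesRead no exposes .ssh and .history, FXP enabled, MinUID below 500). The SAMPLE_CONF excerpt is constructed from the post's values; treating a missing MinUID as 0 is an assumption.

```python
# Constructed pure-ftpd.conf excerpt with the directives and values the post
# shows; a real run would read /etc/pure-ftpd/pure-ftpd.conf instead.
SAMPLE_CONF = """\
# directive lines are "Name value"; '#' lines are comments
AntiWarez yes
Umask 133:022
MinUID 500
AllowUserFXP no
AllowAnonymousFXP no
ProhibitDotFilesRead no
AnonymousCantUpload yes
# TLS 1
"""

def parse_conf(text):
    """Directive name (lower-cased) -> value. Commented-out lines are skipped,
    so the '# TLS 1' line above leaves TLS unset, i.e. at its documented
    default of 0."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        conf[name.lower()] = value.strip()
    return conf

def audit(conf):
    """Return the directives needing attention, judged by what the config's
    own comments say each one means."""
    findings = []
    if conf.get("tls", "0") == "0":
        findings.append("TLS")                   # cleartext logins/transfers
    if conf.get("prohibitdotfilesread", "no") == "no":
        findings.append("ProhibitDotFilesRead")  # .ssh, .history readable
    if "yes" in (conf.get("allowuserfxp", "no"),
                 conf.get("allowanonymousfxp", "no")):
        findings.append("FXP")                   # server-to-server transfers
    # assumption: a missing MinUID is treated as 0 (no restriction at all)
    if int(conf.get("minuid", "0")) < 500:
        findings.append("MinUID")                # system accounts could log in
    return findings

if __name__ == "__main__":
    for name in audit(parse_conf(SAMPLE_CONF)):
        print("check", name)
```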



#############################################
#############################################
#############################################



pureftpd-mysql.conf

#############################################

This is the most important file, and the one that usually causes headaches if misconfigured.


#MYSQLSocket /tmp/mysql.sock

MYSQLSocket /var/run/mysqld/mysqld.sock
MYSQLServer localhost
MYSQLPort 3306
MYSQLUser pureftpd


# This is the password you set for the database user in MySQL.
MYSQLPassword senhadoftp


MYSQLDatabase pureftpd
# MYSQLCrypt: md5, cleartext, crypt() or password() - md5 is VERY RECOMMENDABLE over cleartext
MYSQLCrypt md5
MYSQLGetPW SELECT Password FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
MYSQLGetUID SELECT Uid FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
MYSQLGetGID SELECT Gid FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
MYSQLGetDir SELECT Dir FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
MySQLGetBandwidthUL SELECT ULBandwidth FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
MySQLGetBandwidthDL SELECT DLBandwidth FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
MySQLGetQTASZ SELECT QuotaSize FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
MySQLGetQTAFS SELECT QuotaFiles FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")


#############################################
#############################################
#############################################
check this file here


/etc/pure-ftpd/conf/ChrootEveryone

see if it contains yes on the first line

if not, add yes

same thing here: /etc/pure-ftpd/conf/CreateHomeDir

add yes on the first line of the file and save


#############################################

now restart mysql

service mysqld restart


#############################################


open mysql and

mysql -u root -p

USE pureftpd;

INSERT INTO `ftpd` (`User`, `status`, `Password`, `Uid`, `Gid`, `Dir`, `ULBandwidth`, `DLBandwidth`, `comment`, `ipaccess`, `QuotaSize`, `QuotaFiles`) VALUES ('seuusuario', '1', MD5('senhadousuario'), '2001', '2001', '/var/www/html/pastadousuario', '25', '25', '', '*', '50', '0');


remember that here, at the end of the statement, '25', '25', '', '*', '50',

means 25 K of download, then 25 K of upload, and 50 is the user's disk quota.

/var/www/html/pastadousuario
this is the folder of the user being created.


to add another user, just repeat the command and change the values


That's it; if everything went well, your FTP is now using MySQL as its user database, with bandwidth control and, most importantly, security.


Thanks, guys ..................
Any questions, we're here. Also, I don't think I forgot anything, but correct me if I'm wrong, folks, we're here to learn.
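Added example, not code from the post: the MySQL lookup that pureftpd-mysql.conf and the INSERT statement above set up, modelled offline with SQLite and the post's own query templates. It shows that \L and \R stand for the login and client IP, that the account must have status 1 and an ipaccess of * or one matching the client IP, and that with MySQLCrypt md5 the stored value is compared with MD5(password). The accounts "office" and "old" and the IP addresses are constructed.

```python
import hashlib
import hmac
import sqlite3

# Constructed stand-in for the pureftpd.ftpd table (SQLite, so it runs offline
# instead of MySQL); the columns are the ones the post's INSERT statement uses.
SCHEMA = """CREATE TABLE ftpd (User TEXT PRIMARY KEY, status TEXT, Password TEXT,
    Uid TEXT, Gid TEXT, Dir TEXT, ULBandwidth TEXT, DLBandwidth TEXT,
    comment TEXT, ipaccess TEXT, QuotaSize TEXT, QuotaFiles TEXT)"""

# WHERE clause shared by every MySQLGet* query: pure-ftpd puts the login in \L and the client IP in \R.
WHERE = 'FROM ftpd WHERE User="\\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\\R")'
COLUMNS = ["Password", "Uid", "Gid", "Dir", "ULBandwidth", "DLBandwidth",
           "QuotaSize", "QuotaFiles"]

def run_query(conn, column, login, remote_ip):
    """Run the MySQLGet<column> template; \\L and \\R are bound as parameters
    rather than spliced in, and "..." literals become '...' for SQLite."""
    sql = "SELECT %s %s" % (column, WHERE)
    sql = sql.replace('"\\L"', "?").replace('"\\R"', "?").replace('"', "'")
    row = conn.execute(sql, (login, remote_ip)).fetchone()
    return row[0] if row else None

def add_user(conn, user, password, uid, home, ul=25, dl=25, ipaccess="*",
             quota_mb=50, quota_files=0, status="1"):
    # Same row as the post's INSERT (Gid = Uid); MD5() is computed here because SQLite has none.
    conn.execute("INSERT INTO ftpd VALUES (?,?,?,?,?,?,?,?,?,?,?,?)",
                 (user, status, hashlib.md5(password.encode()).hexdigest(),
                  str(uid), str(uid), home, str(ul), str(dl), "", ipaccess,
                  str(quota_mb), str(quota_files)))

def authenticate(conn, login, password, remote_ip):
    """MySQLCrypt md5 in effect: enabled account, allowed from this IP, and
    MD5(password) equal to the stored hash. Returns the per-user settings or None."""
    stored = run_query(conn, "Password", login, remote_ip)
    if stored is None:
        return None
    if not hmac.compare_digest(stored, hashlib.md5(password.encode()).hexdigest()):
        return None
    return {col: run_query(conn, col, login, remote_ip) for col in COLUMNS[1:]}

def demo_db():
    # Constructed users: the post's placeholder, one locked to a single IP, one disabled.
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    add_user(conn, "seuusuario", "senhadousuario", 2001, "/var/www/html/pastadousuario")
    add_user(conn, "office", "s3cret", 2002, "/var/www/html/office", ipaccess="192.0.2.10")
    add_user(conn, "old", "gone", 2003, "/var/www/html/old", status="0")
    return conn
```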
wjoliveira
Newbie


Registered: Mar 25, 2006
Posts: 22
Location: Limeira - SP

Posted: Fri Apr 07, 2006 8:10 pm

dinho, I don't know if this belongs in this topic, but I wanted to ask a question...

In the case of a connection made through the modem.... what needs to change in that script of yours??

If I'm way off base, let me know
dinho
User


Registered: Mar 29, 2006
Posts: 113

Posted: Mon Apr 10, 2006 10:16 am

Man, you only need to change the internet IP in the firewall; that's why I wrote it with variables, to make it easier. And if you want to customize things, just add or remove the lines for each setting in the files.
wjoliveira
Newbie


Registered: Mar 25, 2006
Posts: 22
Location: Limeira - SP

Posted: Mon Apr 10, 2006 1:44 pm

Awesome, dinho,

now I got the thing working properly.

this script of yours turned out very easy to work with.

congratulations and thank you.
dinho
User


Registered: Mar 29, 2006
Posts: 113

Posted: Mon Apr 10, 2006 2:17 pm

To make it easier, take the firewall code, create a file, save it as firewall.sh and put it anywhere


then just type this in the console to run the firewall

e.g.: I put it in the etc directory

command in the console: . /etc/firewall.sh


this makes adapting it much easier, because you keep editing the file and running the command in the console, and the rules take effect right away


thanks, if you need anything we're here!
acedraz
Newbie


Registered: Aug 02, 2006
Posts: 1
Location: Salvador/BA

Posted: Tue Nov 27, 2007 4:48 pm

How do I limit bandwidth for P2P connections?