5. Preparing the Linux system

5.1 Compiling the kernel

Start with a clean installation of your Linux distribution. (I used RH 3.0.3 and the examples are based on that distribution.) The less software you have loaded, the fewer holes, back doors and/or bugs there will be to cause security problems on your system, so load only the minimum set of applications (a minimum installation).

Get a stable kernel. I used the Linux 2.0.14 kernel for my system. So this documentation is based on my own setup.

You will need to recompile the Linux kernel with the appropriate options. For this, look at the Kernel-HOWTO, Ethernet-HOWTO and NET-2 HOWTO if you have not done it before.

Below are the settings that I know work with make config.

  1. Under General setup
    1. Turn Networking Support ON
  2. Under Networking Options
    1. Turn Network firewalls ON
    2. Turn TCP/IP Networking ON
    3. Turn IP forwarding/gatewaying OFF (UNLESS you wish to use IP filtering)
    4. Turn IP Firewalling ON
    5. Turn IP firewall packet logging ON (this is not required but it is a good idea)
    6. Turn IP: masquerading OFF (I am not covering this subject here.)
    7. Turn IP: accounting ON
    8. Turn IP: tunneling OFF
    9. Turn IP: aliasing OFF
    10. Turn IP: PC/TCP compatibility mode OFF
    11. Turn IP: Reverse ARP OFF
    12. Turn Drop source routed frames ON
  3. Under Network device support
    1. Turn Network device support ON
    2. Turn Dummy net driver support ON
    3. Turn Ethernet (10 or 100Mbit) ON
    4. Select your network card

Now you can recompile and reinstall the kernel and reboot. The network card(s) should show up during the boot sequence. If not, go back to the other HOWTOs until they work.
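The following script is an added example and not part of this HOWTO: it checks a kernel .config against the settings listed above before you build, so a forgotten option is caught before the reboot. The CONFIG_* symbol names are my assumption of the 2.0-series names; confirm them against net/Config.in in your own tree.

```shell
# Added example (not from this HOWTO): compare a .config with the list above.
# CONFIG_* names are assumed 2.0-series symbols; check them in net/Config.in.
# "y" means ON and "n" means OFF.
REQUIRED='CONFIG_NET y
CONFIG_FIREWALL y
CONFIG_INET y
CONFIG_IP_FORWARD n
CONFIG_IP_FIREWALL y
CONFIG_IP_FIREWALL_VERBOSE y
CONFIG_IP_MASQUERADE n
CONFIG_IP_ACCT y
CONFIG_NET_IPIP n
CONFIG_IP_ALIAS n
CONFIG_INET_PCTCP n
CONFIG_INET_RARP n
CONFIG_IP_NOSR y
CONFIG_NETDEVICES y
CONFIG_DUMMY y
CONFIG_NET_ETHERNET y'
# config_state FILE SYMBOL: prints y, n ("# SYM is not set") or missing.
config_state() {
    if grep -q "^$2=y\$" "$1"; then echo y
    elif grep -q "^# $2 is not set\$" "$1"; then echo n
    else echo missing
    fi
}
# check_config FILE: prints one line per mismatch and returns 1 if there were
# any. A symbol that never appears counts as OFF only when OFF is wanted.
check_config() {
    bad=0
    while read -r sym want; do
        got=$(config_state "$1" "$sym")
        [ "$got" = missing ] && [ "$want" = n ] && got=n
        if [ "$got" != "$want" ]; then
            echo "$sym: want $want, got $got"
            bad=$((bad + 1))
        fi
    done <<EOF
$REQUIRED
EOF
    [ "$bad" -eq 0 ]
}
# Constructed .config fragments for a dry run: one as required, one with
# forwarding left on and the source-route option missing.
TMPD=$(mktemp -d)
echo "$REQUIRED" | sed -e 's/ y$/=y/' -e 's/^\(.*\) n$/# \1 is not set/' > "$TMPD/good.config"
sed -e 's/^# CONFIG_IP_FORWARD is not set/CONFIG_IP_FORWARD=y/' -e '/CONFIG_IP_NOSR/d' "$TMPD/good.config" > "$TMPD/bad.config"
check_config "$TMPD/good.config" && echo "good.config: matches the list above"
check_config "$TMPD/bad.config" || echo "bad.config: fix these in make config"
```

Run it against the real file with `check_config /usr/src/linux/.config` after `make config` and before `make zImage`.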

5.2 Configuring two network cards

If you have two network cards in your computer, you will probably need to add an append statement to the /etc/lilo.conf file describing the IRQs and addresses of both cards. The statement in my lilo.conf looks like this:

    append="ether=12,0x300,eth0 ether=15,0x340,eth1"

5.3 Configuring the Network Addresses

This is really the interesting part. Now you have some decisions to make. Since we do not want the Internet to have access to any part of our private network, we do not need to use real addresses. There is a set of Internet addresses that has been set aside for private networks. Since everyone needs more addresses, and since these addresses cannot cross into the Internet, they are a good choice.

These, 192.168.2.xxx, are set aside and we will use them in our example.

Your firewall will be a member of both networks, and so it will be able to pass data to and from your private network.

            199.1.2.10   __________    192.168.2.1
      _  __  _        \ |          | /           _______________
     | \/  \/ |        \| Firewall |/           |               |
    / Internet \--------|  System  |------------| Workstation/s |
    \_/\_/\_/\_/        |__________|            |_______________|

If you want to use a filtering firewall you can even use the above numbers. You will, however, need to use IP masquerading for this to happen. With this process the firewall will forward packets and translate them to "REAL" addresses for their journey across the Internet.

You will need to assign the real IP addresses to the network card on the outside (Internet) side, and assign 192.168.2.1 to the Ethernet card on the inside. This will be the IP address of the proxy/gateway. You can assign all the other machines inside the protected network some number from the 192.168.2.xxx range (192.168.2.2 to 192.168.2.254).

Since I use RH Linux (Hey guys, can you make me a copy for the plugs? ;-), to configure the network at boot time I added an ifcfg-eth1 file to the /etc/sysconfig/network-scripts directory. This file is read during boot to set up the network and the routing tables.

Here is what my ifcfg-eth1 looks like.

    #!/bin/sh
    #>>>Device type: ethernet
    #>>>Variable declarations:
    DEVICE=eth1
    IPADDR=192.168.2.1
    NETMASK=255.255.255.0
    NETWORK=192.168.2.0
    BROADCAST=192.168.2.255
    GATEWAY=199.1.2.10
    ONBOOT=yes
    #>>>End variable declarations

You can use these scripts to connect automatically via modem to your Internet provider. Look at the ipup-ppp script.

If you intend to use a modem for your Internet connection, the external IP address will be assigned to you by your ISP at connection time.
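As an added example (not from this HOWTO), the script below sanity-checks an ifcfg-ethN file like the one above before you reboot: it reads the KEY=VALUE lines itself rather than sourcing the file, verifies NETWORK and BROADCAST against IPADDR/NETMASK, and confirms the address lies in the 192.168.0.0/16 private block. The helper names are my own.

```shell
# Added example (not from this HOWTO): consistency check for an ifcfg file.
ip2int() {   # dotted quad -> integer
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {   # integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}
cfg_get() {  # cfg_get FILE KEY -> value of the first KEY= line, without sourcing
    sed -n "s/^$2=//p" "$1" | head -n 1
}
# check_ifcfg FILE: prints one line per inconsistency, returns 1 if any.
check_ifcfg() {
    ip=$(ip2int "$(cfg_get "$1" IPADDR)")
    mask=$(ip2int "$(cfg_get "$1" NETMASK)")
    net=$(ip2int "$(cfg_get "$1" NETWORK)")
    bcast=$(ip2int "$(cfg_get "$1" BROADCAST)")
    want_net=$(( ip & mask ))
    want_bcast=$(( want_net | (~mask & 0xFFFFFFFF) ))
    rc=0
    [ "$net" -eq "$want_net" ] || { echo "NETWORK should be $(int2ip "$want_net")"; rc=1; }
    [ "$bcast" -eq "$want_bcast" ] || { echo "BROADCAST should be $(int2ip "$want_bcast")"; rc=1; }
    # the private block this HOWTO uses is 192.168.0.0/16 (RFC 1918)
    [ $(( ip & 0xFFFF0000 )) -eq $(( (192 << 24) | (168 << 16) )) ] ||
        { echo "IPADDR $(int2ip "$ip") is not a 192.168.x.x private address"; rc=1; }
    return $rc
}
# Constructed copies for a dry run: the file shown above, and one with a
# netmask that does not match NETWORK/BROADCAST.
TMPD=$(mktemp -d)
cat > "$TMPD/ifcfg-eth1" <<'EOF'
DEVICE=eth1
IPADDR=192.168.2.1
NETMASK=255.255.255.0
NETWORK=192.168.2.0
BROADCAST=192.168.2.255
GATEWAY=199.1.2.10
ONBOOT=yes
EOF
sed 's/^NETMASK=.*/NETMASK=255.255.0.0/' "$TMPD/ifcfg-eth1" > "$TMPD/ifcfg-eth1.bad"
check_ifcfg "$TMPD/ifcfg-eth1" && echo "ifcfg-eth1: consistent"
check_ifcfg "$TMPD/ifcfg-eth1.bad" || echo "ifcfg-eth1.bad: fix before rebooting"
```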

5.4 Testing your network.

Start by checking ifconfig and route. If you have two network cards, your ifconfig should look something like this:

  #ifconfig
  lo        Link encap:Local Loopback
            inet addr:127.0.0.0  Bcast:127.255.255.255  Mask:255.0.0.0
            UP BROADCAST LOOPBACK RUNNING  MTU:3584  Metric:1
            RX packets:1620 errors:0 dropped:0 overruns:0
            TX packets:1620 errors:0 dropped:0 overruns:0

  eth0      Link encap:10Mbps Ethernet  HWaddr 00:00:09:85:AC:55
            inet addr:199.1.2.10 Bcast:199.1.2.255  Mask:255.255.255.0
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:0 errors:0 dropped:0 overruns:0
            TX packets:0 errors:0 dropped:0 overruns:0
            Interrupt:12 Base address:0x310

  eth1      Link encap:10Mbps Ethernet  HWaddr 00:00:09:80:1E:D7
            inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:0 errors:0 dropped:0 overruns:0
            TX packets:0 errors:0 dropped:0 overruns:0
            Interrupt:15 Base address:0x350

and the route table something like this:

  #route -n
  Kernel routing table
  Destination     Gateway         Genmask         Flags MSS    Window Use Iface
  199.1.2.0       *               255.255.255.0   U     1500   0       15 eth0
  192.168.2.0     *               255.255.255.0   U     1500   0        0 eth1
  127.0.0.0       *               255.0.0.0       U     3584   0        2 lo
  default         199.1.2.10      *               UG    1500   0       72 eth0

Note: 199.1.2.0 is the Internet side of this firewall and 192.168.2.0 is the private side.

Now try to ping the Internet from the firewall. I used to use nic.ddn.mil as a test point. It is a good test point, but it has proven to be less reliable than I had hoped. If it does not work the first time, try pinging a few other points that are not connected to your local network (LAN). If it still does not work, then PPP is not set up correctly. Reread the NET-2 HOWTO and try again.

Next, try to ping a host inside the protected network from the firewall. All the computers should be able to ping each other. If not, go to the NET-2 HOWTO again and work on your network some more.

Then, try to ping the external address of the firewall from inside the protected network. (Note: the address of the external side of the firewall is not any 192.168.2.xxx IP number.) If you can, then you have not turned off IP Forwarding. Make sure that this is what you want. If you leave it on, you can go straight to the "IP filtering setup (chapter 6)" section of this document.

Now, try to ping the Internet from behind the firewall using the same addresses that worked before (e.g. nic.ddn.mil). Again, if you have IP Forwarding turned off, this will not work. But if you have it turned on, it should.

If you have IP Forwarding turned on, use "REAL" (not 192.168.2.xxx) IP addresses for your private network. If you cannot ping the Internet but you can ping the Internet side of the firewall, check whether the next router up the line (towards the Internet) is routing packets to your private network's address. (Your ISP does this for you.)

If you have set the protected network to 192.168.2.xxx, then no packets can be routed to it at all. If you have gone ahead and already have IP masquerading turned on, this test should work.

Now your basic system is ready.

5.5 Securing the Firewall.

A firewall is no good if it is left wide open to attacks through unused services. A "bad guy" could gain access to the firewall and modify it to suit his own needs.

Start by turning off all unneeded services. Look at the /etc/inetd.conf file. This file controls what is called the "super server". It controls a group of server daemons and starts them when they are requested.

Definitely turn off netstat, systat, tftp, bootp, and finger. To turn off a service, put # as the first character of the line of each service you do not want. When you have done this, send a SIGHUP to the process by typing "kill -HUP <pid>", where <pid> is the process number of inetd. This will make inetd re-read its configuration file (inetd.conf) and restart.
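The script below is an added example, not part of this HOWTO: it comments out the services named above in a copy of inetd.conf and lists what is still enabled, so the change can be reviewed before it is installed and inetd is sent SIGHUP. The helper names are my own, the inetd.conf used is a constructed sample, and bootp is matched under both "bootp" and "bootps" (the name /etc/services uses for it).

```shell
# Added example (not from this HOWTO): disable services in a copy of inetd.conf.
# Service names to turn off; bootp appears as "bootps" in /etc/services.
DISABLE="netstat systat tftp bootp bootps finger"
# disable_services IN OUT: writes OUT = IN with every line whose first field
# (the service name) is in $DISABLE turned into a comment.
disable_services() {
    awk -v list="$DISABLE" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }   # keep comments and blanks
        ($1 in off) { print "#" $0; next }         # disable the named service
        { print }' "$1" > "$2"
}
# enabled_services FILE: prints the service names that are still active.
enabled_services() {
    awk '!/^[ \t]*#/ && NF > 0 { print $1 }' "$1"
}
# Constructed sample in inetd.conf format (service socket proto wait user server args).
TMPD=$(mktemp -d)
cat > "$TMPD/inetd.conf" <<'EOF'
# inetd.conf (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  root    /usr/sbin/tcpd  in.fingerd
systat  stream  tcp     nowait  guest   /usr/sbin/tcpd  /bin/ps -auwwx
netstat stream  tcp     nowait  guest   /usr/sbin/tcpd  /bin/netstat -f inet
tftp    dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd
bootps  dgram   udp     wait    root    /usr/sbin/tcpd  bootpd
EOF
disable_services "$TMPD/inetd.conf" "$TMPD/inetd.conf.new"
echo "still enabled:"; enabled_services "$TMPD/inetd.conf.new"
# To install for real (as root), copy the reviewed file into place and make
# inetd re-read it:  cp "$TMPD/inetd.conf.new" /etc/inetd.conf; kill -HUP "$(pidof inetd)"
```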
