Ir ao conteúdo
  • Cadastre-se
GeisonRDS

Configurar placas de rede em servidor Centos 7

Recommended Posts

Boa noite galera, precisei criar um servidor proxy utilizando um notebook Acer que é a única máquina disponível que possuo e estou com dificuldades em acesso a internet com os clientes wifi. O notebook é um Acer com 3gb de ram, processador core i3, 240gb de disco, placa de rede ethernet e uma placa de rede wifi usb.

A minha ideia era criar um servidor proxy que distribuiria a internet pela placa wifi usb, então instalei o Centos 7 conectei o cado do modem da mina operadora de internet no notebook e pluguei a placa wifi usb.

 

A placa ethernet que está plugada no modem da operadora ficou assim:

placa enp2s0f0

IP  192.168.2.1

 

A placa wifi usb configurei como access pint e ficou assim:

IP 192.168.1.1

Gateway 192.168.2.1

DNS 8.8.8.8

DNS 8.8.4.4

 

Depois de configurar as placas de rede instalei o squid, o dhcp e configurei o iptables, consigo conectar na rede wifi mas não tenho acesso a internet já fiz várias alterações no squid.conf, no script do iptables e não consigo acessar a internet, não tenho experiência em redes e acredito que possa ter cometido algum erro, já pesquisei em vários foruns e blogs e não consegui resolver o problema, abaixo está o script do firewall iptables e os arquivos de configuração do squid e do dhcp.

Agradeço a ajuda.

 

firewall iptables

#!/bin/bash

iniciar_firewall(){
echo "################################################"
echo "# SCRIPT FIREWALL - COMPARTILHAMENTO DE REDE   #"                                            
echo "################################################"

externa="enp2s0f0"
interna="wlp0s29u1u2"
rede_interna="192.168.1.0/24"

echo "Interface Rede Externa .......................... "$externa
echo "Interface Rede Interna .......................... "$interna
echo "Faixa de IP Rede Interna ........................ "$rede_interna

echo "Limpando Politicas .............................. [ OK ]" 
iptables -X
iptables -Z
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat
iptables -F -t filter
iptables -F -t mangle

echo "Aplicando nova politica ......................... [ OK ]"
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

echo "Ativa Modulos Basicos ........................... [ OK ]"
modprobe ip_tables
modprobe ip_conntrack
modprobe iptable_filter
modprobe iptable_mangle
modprobe iptable_nat
modprobe ipt_LOG
modprobe ipt_limit
modprobe ipt_state
modprobe ipt_REDIRECT
modprobe ipt_owner
modprobe ipt_REJECT
modprobe ipt_MASQUERADE
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

echo "Roteamento de Kernal ............................ [ OK ]"
echo 1 > /proc/sys/net/ipv4/ip_forward

echo "Compartilhar Internet ........................... [ OK ]"
iptables -t nat -A POSTROUTING -o $externa -j MASQUERADE

echo "Mantendo conexões estabelecidas ................. [ OK ]"
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT

echo "Logs de bloqueios ............................... [ OK ]"
iptables -A INPUT -j LOG
iptables -A OUTPUT -j LOG
iptables -A FORWARD -j LOG

echo "Regras DNAT para servidor WEB ................... [ OK ]"
iptables -t nat -A PREROUTING -i $externa -p tcp --dport 80 -j DNAT --to 192.168.1.1:80

#REGRAS FORWARD
echo "Permite ping pra Rede Externa ................... [ OK ]"
iptables -A FORWARD -i $interna -o $externa -p icmp -j ACCEPT

echo "Permite conexões da Rede Interna pra Externa .... [ OK ]"
iptables -A FORWARD -i $interna -o $externa -p tcp -m multiport --dports 80,443,3128,110,20,21,587,995,143,22,3389,25,5900,5100,3389 -j ACCEPT

echo "Regras cliente .................................. [ OK ]"
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT


echo "Regras servidor ................................. [ OK ]"
iptables -A INPUT -p tcp -i $interna --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -i $interna -m multiport --dports 3128,443,445,113,80,587,25,22,110,53,139,5900,5100,3389 -j ACCEPT
iptables -A INPUT -p udp -i $interna -m multiport --dports 53,110,67,68,137,113,443,138 -j ACCEPT 

echo "Redirecionamento de porta ....................... [ OK ]"
iptables -t nat -A PREROUTING -i $interna -p tcp --dport 80 -j REDIRECT --to-port 3128 

echo "Permite conexões loopback ....................... [ OK ]"
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

echo "##################### SEGURANÇA ########################"

echo "Segurança contra IP Spoofing .................... [ OK ]"
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
iptables -A INPUT -m state --state INVALID -j DROP

echo "Proteção contra alteração de rota ............... [ OK ]"
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

echo "Proteção contra alteração de caminho ............ [ OK ]"
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

echo "Proteção contra responses bogus ................. [ OK ]"
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

echo "Bloqueando traceroute ........................... [ OK ]"
iptables -A INPUT -p udp -s 0/0 -i $interna --dport 33435:33525 -j DROP

echo "Proteção para SYN flood ......................... [ OK ]"
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --syn -j DROP

echo "Negando portas invalidas (trojans, trinoo) ...... [ OK ]"
iptables -A INPUT -p tcp -i $externa -m multiport --dports 666,4000,6000,6006,16660,27444,27665,31335,34555,35555 -j DROP
iptables -A INPUT -p tcp -i $interna -m multiport --dports 1433,6670,6711,6712,6713,12345,12346,20034,31337,6000 -j DROP

echo "Proteção contra telnet .......................... [ OK ]"
iptables -A INPUT -p TCP -i $externa --dport telnet -j DROP

echo "Dropando pacotes TCP indesejaveis ............... [ OK ]"
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

echo "Proteção contra worms ........................... [ OK ]"
iptables -A FORWARD -p tcp --dport 135 -i $externa -j REJECT

echo "Proteção contra ICMP Broadcasting ............... [ OK ]"
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

echo "Proteção contra Port Scanners ocultos ........... [ OK ]"
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

echo "Proteção contra Ping da morte ................... [ OK ]"
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

echo "Proteção contra IP Spoofing ..................... [ OK ]"
iptables -A INPUT -s 172.16.0.0/12 -i $externa -j DROP
iptables -A INPUT -s 127.0.0.0/8 -i $externa -j DROP
iptables -A INPUT -s 10.0.0.0/8 -i $externa -j DROP
iptables -A INPUT -s 192.168.0.0/16 -i $externa -j DROP

echo "Bloqueando Pacotes Fragmentados.................. [ OK ]"
iptables -A INPUT -i $externa -f -j LOG --log-prefix "Pacote Fragmentado: "
iptables -A INPUT -i $externa -f -j DROP
iptables -A INPUT -i $interna -f -j LOG --log-prefix "Pacote Fragmentado: "
iptables -A INPUT -i $interna -f -j DROP

}
parar_firewall(){

echo "Parando Firewall ................................ [ OK ]"
iptables -X
iptables -F 
iptables -t nat -F
iptables -t filter -F
iptables -t mangle -F

echo "Liberando Politicas ............................. [ OK ]"
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

echo "Parando  ................................ [ OK ]"
echo 0 > /proc/sys/net/ipv4/ip_forward

echo "Firewall Desativado............................. [ OK ]"
}

case "$1" in
"start") iniciar_firewall ;;
"stop") parar_firewall ;;
"restart") parar_firewall; iniciar_firewall;;
*) echo "Use os parametros | start | stop | restart |"
esac

 

squid.conf


#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7	# RFC 4193 local private network range
acl localnet src fe80::/10	# RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
#http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128 transparent

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%	0
refresh_pattern .               0	20%     4320

 

dhcpd.conf


#
# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.example
#   see dhcpd.conf(5) man page
#

####Our basic DHCP example configuration

####Our Domain
option domain-name "fpv.local";

####The DNS servers for name resolution
option domain-name-servers 8.8.8.8;

####Our IP Lease time
default-lease-time 600;
max-lease-time 7200;

####Use this to enble / disable dynamic dns updates globally.
ddns-update-style none;

#### This DHCP server is the official DHCP server for the local network.
authoritative;

#### Use this to send dhcp log messages to a different log file (you also

#### have to hack syslog.conf to complete the redirection).
log-facility local7;

#### Our Subnet, IP address Pool and gateway/router
subnet 192.168.1.0 netmask 255.255.255.0 {
 range dynamic-bootp 192.168.1.10 192.168.1.253;
 option broadcast-address 192.168.1.255;
 option routers 192.168.1.254;
}

#### Use this to send dhcp log messages to a different log file (you also

#### have to hack syslog.conf to complete the redirection).
log-facility local7;

#### Our Subnet, IP address Pool and gateway/router
subnet 192.168.1.0 netmask 255.255.255.0 {
 range dynamic-bootp 192.168.1.10 192.168.1.253;
 option broadcast-address 192.168.1.255;
 option routers 192.168.1.254;
}

 

Compartilhar este post


Link para o post
Compartilhar em outros sites

Crie uma conta ou entre para comentar

Você precisar ser um membro para fazer um comentário

Criar uma conta

Crie uma nova conta em nossa comunidade. É fácil!

Crie uma nova conta

Entrar

Já tem uma conta? Faça o login.

Entrar agora





Sobre o Clube do Hardware

No ar desde 1996, o Clube do Hardware é uma das maiores, mais antigas e mais respeitadas publicações sobre tecnologia do Brasil. Leia mais

Direitos autorais

Não permitimos a cópia ou reprodução do conteúdo do nosso site, fórum, newsletters e redes sociais, mesmo citando-se a fonte. Leia mais

×