From f21d1473b78999fa2de7d4ce264b5aafe918848b Mon Sep 17 00:00:00 2001
From: SantaSpeen
Date: Thu, 21 Apr 2022 18:13:43 +0300
Subject: [PATCH] bugfix
---
configs/-opt-dns/db.172 | 8 ++--
configs/-opt-dns/db.192 | 8 ++--
configs/-opt-dns/skill39.db | 9 ++--
configs/config-all.sh | 91 +++++++++++++++++++++++++------------
configs/l-/l-fw.sh | 1 +
configs/l-/l-srv.sh | 29 +++++++++++-
configs/r-/out-cli.sh | 36 +++++++++++++++
configs/r-/r-cli.sh | 1 -
configs/r-/r-fw.sh | 2 +-
9 files changed, 140 insertions(+), 45 deletions(-)
create mode 100644 configs/r-/out-cli.sh
diff --git a/configs/-opt-dns/db.172 b/configs/-opt-dns/db.172
index a210ff7..b38e4aa 100644
--- a/configs/-opt-dns/db.172
+++ b/configs/-opt-dns/db.172
@@ -2,10 +2,10 @@ ; Configured by Maxim
 $TTL 604800
 @ IN SOA skill39.wsr. root.skill39.wsr. (
- 1, ; Serial
- 604800, ; Refresh
- 86400, ; Retry
- 2419200, ; Expire
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
 604800 ) ; Negative Cache TTL
 @ IN NS l-srv.skill39.wsr.
diff --git a/configs/-opt-dns/db.192 b/configs/-opt-dns/db.192
index b6b5659..85d9efe 100644
--- a/configs/-opt-dns/db.192
+++ b/configs/-opt-dns/db.192
@@ -2,10 +2,10 @@ ; Configured by Maxim
 $TTL 604800
 @ IN SOA skill39.wsr. root.skill39.wsr. (
- 1, ; Serial
- 604800, ; Refresh
- 86400, ; Retry
- 2419200, ; Expire
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
 604800 ) ; Negative Cache TTL
 @ IN NS l-srv.skill39.wsr.
diff --git a/configs/-opt-dns/skill39.db b/configs/-opt-dns/skill39.db
index 46cccae..7bf7300 100644
--- a/configs/-opt-dns/skill39.db
+++ b/configs/-opt-dns/skill39.db
@@ -2,10 +2,10 @@ ; Configured by Maxim
 $TTL 604800
 @ IN SOA l-srv.skill39.wsr. root.skill39.wsr. (
- 1, ; Serial
- 604800, ; Refresh
- 86400, ; Retry
- 2419200, ; Expire
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
 604800 ) ; Negative Cache TTL
 @ IN NS l-srv.skill39.wsr. 
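Review bot: The new SOA lines keep `+ 1 ; Serial` although the record set is being edited, and the same serial 1 remains in the db.192 and skill39.db hunks below. Secondaries only re-transfer when the primary's serial rises, and this commit adds slave copies of all three zones on r-srv in config-all.sh, so every edit to these files needs a bump, e.g. `+ 2022042101 ; Serial` in the YYYYMMDDnn convention. Removing the commas is the actual fix here: SOA fields are whitespace-separated, and `1,` is not a valid number for named.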
@@ -28,3 +28,4 @@ r-srv IN A 192.168.20.10
 r-rtr IN A 192.168.10.2
 r-cli IN A 192.168.100.100
 www IN CNAME r-fw
+
diff --git a/configs/config-all.sh b/configs/config-all.sh
index a1aa0ea..ae61758 100644
--- a/configs/config-all.sh
+++ b/configs/config-all.sh
@@ -88,12 +88,14 @@ firewall-cmd --permanent --zone=external --add-interface=ens160
 firewall-cmd --permanent --zone=trusted --add-interface=ens192
 firewall-cmd --permanent --zone=trusted --add-interface=ens224
 firewall-cmd --permanent --zone=trusted --add-interface=gre1
+firewall-cmd --permanent --zone=external --add-port=22/tcp
+firewall-cmd --permanent --zone=external --add-port=22/udp
+firewall-cmd --permanent --zone=external --add-forward-port=port=53:proto=tcp:toport=53:toaddr=192.168.20.10
 firewall-cmd --reload
 # firewall-cmd --permanent --zone=external --add-masquerade
 # firewall-cmd --permanent --zone=trusted --add-interface=tunnel
-# firewall-cmd --permanent --zone=external --add-forward-port=port=80:proto=tcp:toport=80:toaddr=192.168.20.10
 # firewall-cmd --permanent --zone=external --add-service=http
 # firewall-cmd --permanent --zone=external --add-service=https
 # firewall-cmd --permanent --zone=external --add-service=ssh
@@ -152,9 +154,9 @@ iptables -P INPUT ACCEPT
 iptables -P OUTPUT ACCEPT
 iptables -P FORWARD ACCEPT
-# iptables -t nat -A PREROUTING -i ens256 -p udp --dport 53 -j DNAT --to-destination 172.16.20.10
 iptables -t nat -A POSTROUTING -o ens256 -j MASQUERADE
-iptables -t nat -A PREROUTING -i ens256 -j DNAT --to-destination 172.16.20.10
+iptables -t nat -A PREROUTING -i ens160 -p udp --dport 53 -j DNAT --to-destination 172.16.20.10
+# iptables -t nat -A PREROUTING -i ens256 -j DNAT --to-destination 172.16.20.10
 echo "AllowUsers ssh_p root ssh_c" >> /etc/ssh/sshd_config 
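Review bot: `--add-port=22/udp` on the external zone opens a UDP port that sshd does not listen on (SSH is TCP only); drop that line, and since the commented `--add-service=ssh` a few lines below is the same thing as `--add-port=22/tcp`, only one of the two forms should survive. The forward to 192.168.20.10 covers only `proto=tcp`, while ordinary DNS queries use UDP, so external clients will not reach r-srv unless a matching `proto=udp` forward is added; if only zone transfers are meant, TCP alone is correct, but it then exposes whatever `allow-transfer` permits on r-srv to the external side. Whether external DNS exposure is intended at all deserves a one-line comment next to the forward, since the removed line shows a previous port-80 forward was abandoned.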
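Review bot: The new PREROUTING rule redirects only `-p udp --dport 53` on ens160 to 172.16.20.10, so DNS over TCP (responses above 512 bytes, AXFR) arriving on that interface is not forwarded; add the same rule with `-p tcp` if TCP service is intended, otherwise a comment stating that UDP-only is deliberate would help the next reader. With `iptables -P FORWARD ACCEPT` in the context lines above, nothing after the DNAT limits what reaches 172.16.20.10 from ens160. Nothing in the hunk persists the rule (no `iptables-save` or netfilter-persistent call), so it is presumably lost at reboot unless that happens elsewhere in the file.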
@@ -304,14 +306,17 @@ exit
 apt install bind9
 nano /etc/bind/named.conf.options
-# // /etc/bind/named.conf.options file
-# options {
-# directory "/var/cache/bind";
-# forwarders { 10.10.10.10; };
-# dnssec-validation no;
-# listen-on-v6 { none; };
-# recursion yes;
-# };
+// /etc/bind/named.conf.options file
+options {
+ directory "/var/cache/bind";
+ forwarders { 10.10.10.10; };
+ dnssec-validation no;
+ listen-on port 53 { any; };
+ listen-on-v6 { none; };
+ allow-transfer { any; };
+ allow-recursion { any; };
+ recursion yes;
+};
 mkdir /opt/dns
 cp /etc/bind/db.local /opt/dns/skill39.db
@@ -327,24 +332,23 @@ systemctl restart apparmor.service
 nano /etc/bind/named.conf.default-zones
-# zone "skill39.wsr" {
-# type master;
-# allow-transfer { any; };
-# allow-update { 172.16.50.2; };
-# recursion yes;
-# file "/opt/dns/skill39.db";
-# };
-# zone "16.172.in-addr.arpa" {
-# type master;
-# allow-transfer { any; };
-# allow-update { 172.16.50.2; };
-# file "/opt/dns/db.172";
-# };
-# zone "168.192.in-addr.arpa" {
-# type master;
-# allow-transfer { any; };
-# file "/opt/dns/db.192";
-# };
+zone "skill39.wsr" {
+ type master;
+ allow-transfer { any; };
+ allow-update { 172.16.50.2; };
+ file "/opt/dns/skill39.db";
+};
+zone "16.172.in-addr.arpa" {
+ type master;
+ allow-transfer { any; };
+ allow-update { 172.16.50.2; };
+ file "/opt/dns/db.172";
+};
+zone "168.192.in-addr.arpa" {
+ type master;
+ allow-transfer { any; };
+ file "/opt/dns/db.192";
+};
 nano /opt/dns/skill39.db
 # ( Файл находится в этой директории ) 
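Review bot: The options block now in plain text combines `listen-on port 53 { any; };`, `allow-recursion { any; };` and `allow-transfer { any; };`, i.e. a resolver that recurses for, and hands zone data to, any client; if the same options are applied on the host whose 53/tcp is forwarded from the external zone earlier in this file, that is an open resolver reachable from outside. Limit both to the lab networks, e.g. `allow-recursion { localhost; 172.16.0.0/16; 192.168.0.0/16; };` and `allow-transfer { none; };` at options level, with per-zone `allow-transfer` naming the secondary. These lines are also no longer comments in a `.sh` file: acceptable for a runbook that is read and pasted by hand, which the preceding `nano` line suggests, but `};` would be a bash syntax error if the file were ever executed, so a note at the top of the file saying it is not meant to be run would help.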
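Review bot: `allow-update { 172.16.50.2; };` on skill39.wsr and 16.172.in-addr.arpa grants dynamic updates on source address alone, so a spoofed or compromised 172.16.50.2 can rewrite any record in those zones. The standard mitigation is a TSIG key: a `key` statement in named.conf and `allow-update { key "UPDATE-KEY-NAME"; };` here (name is a placeholder). `allow-transfer { any; };` on all three zones lets any client dump them; with the slave zones added below for the 192.168.20.10 secondary, `allow-transfer { 192.168.20.10; };` is sufficient. Dropping `recursion yes;` from the zone statement is right, since it is not a zone-scope option.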
@@ -368,3 +372,32 @@ yum install bind
 mkdir /opt/dns
 chown named:named /opt/dns
+
+
+# R-SRV
+
+yum install bind
+
+nano /etc/bind/named.conf.default-zones
+
+mkdir /opt/dns; chown -R named:named /opt/dns
+touch /opt/dns/skill39.db; chown -R named:named /opt/dns/skill39.db
+touch /opt/dns/db.172; chown -R named:named /opt/dns/db.172
+touch /opt/dns/db.192; chown -R named:named /opt/dns/db.192
+
+zone "skill39.wsr" {
+ type slave;
+ masters { 172.16.20.10; };
+ file "/opt/dns/skill39.db";
+};
+zone "16.172.in-addr.arpa" {
+ type slave;
+ masters { 172.16.20.10; };
+ file "/opt/dns/db.172";
+};
+zone "168.192.in-addr.arpa" {
+ type slave;
+ masters { 172.16.20.10; };
+ file "/opt/dns/db.192";
+};
+
diff --git a/configs/l-/l-fw.sh b/configs/l-/l-fw.sh
index ff9cb1f..0285374 100644
--- a/configs/l-/l-fw.sh
+++ b/configs/l-/l-fw.sh
@@ -8,6 +8,7 @@ echo -e "# Work values\n172.16.20.10\tl-srv l-srv.skill39.wsr\n10.10.10.1\tl-fw
 echo -e "10.10.10.10\tisp" >> $H
 echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
 iptables -F
+iptables -t nat -F
 apt-cdrom add
 apt install frr iptables-persistent tcpdump ssh nfs-common network-manager curl lynx net-tools vim bind9utils cifs-utils -y
diff --git a/configs/l-/l-srv.sh b/configs/l-/l-srv.sh
index bdffbf5..6429337 100644
--- a/configs/l-/l-srv.sh
+++ b/configs/l-/l-srv.sh
@@ -10,7 +10,7 @@ echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
 iptables -F
 apt-cdrom add
-apt-get install tcpdump bind9 ssh nfs-common network-manager curl lynx net-tools vim bind9utils cifs-utils -y
+apt-get install tcpdump bind9 ssh nfs-common network-manager curl lynx net-tools vim bind9utils cifs-utils dnsutils -y
 sed -ie "s/^hosts:\t*/hosts:\t\tdns files [NOTFOUND=return] # old:/" /etc/nsswitch.conf
 SSHC="/etc/ssh/sshd_config" 
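Review bot: The R-SRV section pairs `yum install bind` with `nano /etc/bind/named.conf.default-zones`, which is the Debian bind9 layout; the CentOS package reads `/etc/named.conf` (conventionally with zones in `/etc/named.rfc1912.zones` or an `include`), so the slave zone statements as written would go into a file named never opens. Because these are slave zones, named must be able to write the `file` paths under `/opt/dns`: the `chown -R named:named` lines cover DAC, but with SELinux enforcing the directory also needs a writable context (e.g. `semanage fcontext -a -t named_cache_t '/opt/dns(/.*)?'` followed by `restorecon -Rv /opt/dns`); the commit switches to permissive only for out-cli, so r-srv's mode should be confirmed. The three `touch` + `chown -R` lines are redundant once the directory is owned by named, which creates the zone files itself on first transfer.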
@@ -18,10 +18,35 @@ cp $SSHC $SSHC.old
 sed -ie 's/#PermitRoot.*/PermitRootLogin yes/' $SSHC
 nmcli con del id ens192
-nmcli con add con-name ens192 ifname ens192 autoconnect yes type ethernet ip4 172.16.20.10/24 gw4 172.16.20.1
+nmcli con add con-name ens192 ifname ens192 autoconnect yes type ethernet ip4 "172.16.20.10/24" gw4 172.16.20.1
 nmcli con mod ens192 +ipv4.dns 172.16.20.10 +ipv4.dns 192.168.20.10 +ipv4.dns-search "skill39.wsr"
 nmcli con up ens192 ifname ens192
+NMCO="/etc/bind/named.conf.options"
+rm $NMCO; touch $NMCO; chown -R bind:bind $NMCO
+echo -e "// /etc/bind/named.conf.options file\noptions {\n\tdirectory \"/var/cache/bind\";\n\tforwarders { 10.10.10.10; };\n\tdnssec-validation no;\n\tlisten-on-v6 { none; };\n\trecursion yes;\n};" >> $NMCO
+
+mkdir /opt/dns
+cp /etc/bind/db.local /opt/dns/skill39.db
+cp /etc/bind/db.127 /opt/dns/db.172
+cp /etc/bind/db.127 /opt/dns/db.192
+chown -R bind:bind /opt/dns
+sed -ie "s/^}$/\n\n # skill39 zones\n \/opt\/dns\/** rw,\n}/" /etc/apparmor.d/usr.sbin.named
+
+echo -e "
+zone \"skill39.wsr\" {\n\ttype master;\n\tallow-transfer { any; };\n\tallow-update { 172.16.50.2; };\n\tfile \"/opt/dns/skill39.db\";\n};
+zone \"16.172.in-addr.arpa\" { \n\ttype master; \n\tallow-transfer { any; };\n\tallow-update { 172.16.50.2; };\n\tfile \"/opt/dns/db.172\";};
+zone \"168.192.in-addr.arpa\" {\n\ttype master; \n\tallow-transfer { any; }; \n\tfile \"/opt/dns/db.192\";\n};" >> /etc/bind/named.conf.default-zones
+
+nano /opt/dns/skill39.db
+# ( -opt-dns )
+
+nano /opt/dns/db.172
+# ( -opt-dns )
+
+nano /opt/dns/db.192
+# ( -opt-dns )
+
 systemctl disable chronyd ; systemctl stop chronyd
 shutdown -r 0
diff --git a/configs/r-/out-cli.sh b/configs/r-/out-cli.sh
new file mode 100644
index 0000000..81d90ab
--- /dev/null
+++ b/configs/r-/out-cli.sh 
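Review bot: `sed -ie "s/^}$/…/" /etc/apparmor.d/usr.sbin.named` is `-i` with backup suffix `e` (that is how GNU sed reads a joined `-ie`), so it leaves `/etc/apparmor.d/usr.sbin.namede` next to the real profile; apparmor parses every file in that directory, so the stale copy is loaded as a second profile for the same binary and the reload can be rejected as a duplicate. Write it as `sed -i -e "s/^}$/…/" /etc/apparmor.d/usr.sbin.named`; the same `-ie` spelling in out-cli.sh only produces harmless `*e` backups under /etc. The options file this hunk echoes into `$NMCO` lacks the `listen-on`/`allow-transfer`/`allow-recursion` lines that config-all.sh documents in this same commit; the script's version is the safer of the two, so the runbook should be brought in line with it rather than the other way round. Nothing here reloads apparmor or runs `named-checkconf` before `shutdown -r 0`, so a typo in the echoed zone block only surfaces after the reboot.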
@@ -0,0 +1,36 @@
+HS="/etc/hostname"
+sh -c "rm $HS"; touch $HS
+echo "OUT-CLI" >> $HS
+H="/etc/hosts"; rm $H; touch $H
+echo -e "# ${H} file.\n# Configured by Maxim\n\n" >> $H
+echo -e "# Default values\n127.0.0.1\tlocalhost\n::1\tip6-localhots ip6-loopback\nff02::1\tip6-allnodes\nff02::2\tip6-allrouters\n" >> $H
+echo -e "# Work values\n172.16.20.10\tl-srv l-srv.skill39.wsr\n10.10.10.1\tl-fw l-fw.skill39.wsr\n172.16.50.2\tl-rtr-a l-rtr-a.skill39.wsr\n172.16.55.2\tl-rtr-b l-rtr-b.skill39.wsr\n172.16.200.61\tl-cli-b l-cli-b.skill39.wsr\n20.20.20.5\tout-cli out-cli.skill39.wsr\n20.20.20.100\tr-fw r-fw.skill39.wsr\n192.168.20.10\tr-srv r-srv.skill39.wsr\n192.168.10.2\tr-rtr r-rtr.skill39.wsr\n192.168.100.100\tr-cli r-cli.skill39.wsr">> $H
+echo -e "20.20.20.10\tisp" >> $H
+echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
+setenforce 0
+sed -ie 's/SELINUX=enforcing /SELINUX=permissive/' /etc/selinux/config;
+systemctl stop firewalld && systemctl disable firewalld
+
+cd /media/; rm -rf *
+mkdir CentOS; mkdir cdrom
+cd /etc/
+mv yum.repos.d/ yum.repos.d-default/; mkdir yum.repos.d
+REPF="/etc/yum.repos.d/CentOS-Media.repo"
+touch $REPF
+echo -e "# ${REPF} file.\n# Configured by Maxim\n\n[c7-media]\nname=CentOS-$releasever - Media\nbaseurl=file:///media/CentOS/\n\t\tfile:///media/cdrom/\ngpgcheck=1\nenabled=1\ngpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7" >> $REPF
+mount -L "CentOS 7 x86_64" /media/CentOS; mount -L "CDROM" /media/cdrom
+
+yum install lynx vim net-tools dhclient bash-completion tcpdump curl nfs-utils cifs-utils sshpass bind-utils -y
+
+sed -ie "s/^hosts:\t*/hosts:\t\tdns files [NOTFOUND=return] # old:/" /etc/nsswitch.conf
+SSHC="/etc/ssh/sshd_config"
+cp $SSHC $SSHC.old
+sed -ie 's/#PermitRoot.*/PermitRootLogin yes/' $SSHC
+nmcli con del id ens32
+nmcli con add con-name ens32 ifname ens32 autoconnect yes type ethernet ip4 "20.20.20.5/24" gw4 20.20.20.5
+nmcli con mod ens32 +ipv4.dns 10.10.10.1 +ipv4.dns 20.20.20.100 +ipv4.dns-search "skill39.wsr" 
+nmcli con up ens32 ifname ens32
+
+systemctl disable chronyd ; systemctl stop chronyd
+shutdown -r 0
+
diff --git a/configs/r-/r-cli.sh b/configs/r-/r-cli.sh
index 3cb2ee2..aaaab42 100644
--- a/configs/r-/r-cli.sh
+++ b/configs/r-/r-cli.sh
@@ -27,7 +27,6 @@ sed -ie "s/^hosts:\t*/hosts:\t\tdns files [NOTFOUND=return] # old:/" /etc/nsswit
 SSHC="/etc/ssh/sshd_config"
 cp $SSHC $SSHC.old
 sed -ie 's/#PermitRoot.*/PermitRootLogin yes/' $SSHC
-
 nmcli con del id ens32
 nmcli con add con-name ens32 ifname ens32 autoconnect yes type ethernet ip4 192.168.100.100/24 gw4 192.168.100.1
 nmcli con mod ens32 +ipv4.dns 172.16.20.10 +ipv4.dns 192.168.20.10 +ipv4.dns-search "skill39.wsr"
diff --git a/configs/r-/r-fw.sh b/configs/r-/r-fw.sh
index 69b0987..8d71875 100644
--- a/configs/r-/r-fw.sh
+++ b/configs/r-/r-fw.sh
@@ -35,7 +35,7 @@ nmcli con del id gre1
 nmcli con add con-name ens192 ifname ens192 autoconnect yes type ethernet ip4 "192.168.10.1/30"
 nmcli con mod ens192 +ipv4.dns 172.16.20.10 +ipv4.dns 192.168.20.10 +ipv4.dns-search "skill39.wsr"
-nmcli con add con-name ens224 ifname ens224 autoconnect yes type ethernet ip4 "192.168.20.1/30"
+nmcli con add con-name ens224 ifname ens224 autoconnect yes type ethernet ip4 "192.168.20.1/24"
 nmcli con mod ens224 +ipv4.dns 172.16.20.10 +ipv4.dns 192.168.20.10 +ipv4.dns-search "skill39.wsr"
 nmcli con add con-name ens160 ifname ens160 autoconnect yes type ethernet ip4 "20.20.20.100/24" gw4 20.20.20.10
 nmcli con mod ens160 +ipv4.dns 172.16.20.10 +ipv4.dns 192.168.20.10 +ipv4.dns-search "skill39.wsr"
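Review bot: `sed -ie 's/SELINUX=enforcing /SELINUX=permissive/' /etc/selinux/config;` has a trailing space inside the match, so it never matches the line `SELINUX=enforcing` and the file is left unchanged; `setenforce 0` two lines earlier is runtime-only and is undone by the `shutdown -r 0` at the end of the hunk, so the host comes back enforcing (`s/^SELINUX=enforcing$/SELINUX=permissive/` is the intended pattern). `cd /media/; rm -rf *` runs the removal in whatever the current directory is when the `cd` fails; `cd /media/ && rm -rf -- ./*` or simply `rm -rf -- /media/*` avoids that. `ip4 "20.20.20.5/24" gw4 20.20.20.5` sets the gateway to the host's own address, and the `20.20.20.10\tisp` hosts entry written above suggests 20.20.20.10 was meant — confirm. `ip6-localhots` in the default hosts block is a typo for `ip6-localhost`.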