su
apt-get install sudo
nano /etc/sudoers
einfügen:
root ALL=(ALL:ALL) ALL
dede ALL=(ALL) NOPASSWD: ALL
(Zum Bearbeiten besser `visudo` verwenden, das die Syntax vor dem Speichern prüft; `NOPASSWD: ALL` gibt dede ohne Passwortabfrage volle root-Rechte.)
exit
sudo apt-get install ntp
cd
mkdir .ssh
cd .ssh
scp c2q:~/.ssh/*.pub .
cat *.pub >authorized_keys
rm *.pub
cd
nano .bashrc sudo nano /etc/motd |
sudo nano /etc/default/grub |
sudo update-grub |
sudo bash
apt-get install vlan
modprobe 8021q
vconfig add eth0 42
ifconfig eth0.42 up
ifconfig eth0.42 192.168.42.254 netmask 255.255.255.0
root@gw:/home/dede# route
Kernel-IP-Routentabelle
Ziel Router Genmask Flags Metric Ref Use Iface
default fritz.box 0.0.0.0 UG 0 0 0 eth0
192.168.42.0 * 255.255.255.0 U 0 0 0 eth0.42
192.168.178.0 * 255.255.255.0 U 0 0 0 eth0
root@gw:/home/dede# ifconfig
eth0 Link encap:Ethernet Hardware Adresse xx:xx:xx:xx:xx:xx
inet Adresse:192.168.178.78 Bcast:192.168.178.255 Maske:255.255.255.0
[...]
eth0.42 Link encap:Ethernet Hardware Adresse xx:xx:xx:xx:xx:xx
inet Adresse:192.168.42.254 Bcast:192.168.42.255 Maske:255.255.255.0
[...]
nano /etc/modules |
8021q |
nano /etc/network/interfaces |
auto eth0.42
iface eth0.42 inet static
    address 192.168.42.254
    netmask 255.255.255.0
    vlan-raw-device eth0
reboot |
ssh gw sudo bash |
apt-get install dnsmasq |
nano /etc/dnsmasq.conf |
interface=eth0.42
dhcp-range=eth0.42,192.168.42.50,192.168.42.250,12h
grep '^[^#]' /etc/dnsmasq.conf
(Muster in Anführungszeichen setzen, sonst wird `[^#]` von der Shell als Glob expandiert.)
nano /etc/dhcp/dhclient.conf |
prepend domain-name-servers 127.0.0.1;
dhcp-host=64:66:b3:f4:1d:5c, r43a, 192.168.42.50, 24h
dhcp-host=52:54:00:10:4a:88, vl42, 192.168.42.55, 12h
cat /var/lib/misc/dnsmasq.leases |
apt-get install openvpn |
cd /etc/openvpn/
scp dede@tunnel:/etc/openvpn/TrustedRoot.pem .
scp dede@tunnel:/etc/openvpn/hideme.conf .
scp dede@tunnel:/etc/openvpn/login.auth .
nano login.auth
apt-get install curl |
curl v4.ident.me;echo
service openvpn start
curl v4.ident.me;echo
root@gw:/etc/openvpn# route
Kernel-IP-Routentabelle
Ziel Router Genmask Flags Metric Ref Use Iface
default 10.3.56.195 0.0.0.0 UG 0 0 0 tun0
10.3.56.0 * 255.255.255.0 U 0 0 0 tun0
109.201.137.13 fritz.box 255.255.255.255 UGH 0 0 0 eth0
192.168.42.0 * 255.255.255.0 U 0 0 0 eth0.42
192.168.178.0 * 255.255.255.0 U 0 0 0 eth0
root@gw:/etc/openvpn# ifconfig
eth0 Link encap:Ethernet Hardware Adresse xx:xx:xx:xx:xx:xx
inet Adresse:192.168.178.78 Bcast:192.168.178.255 Maske:255.255.255.0
[...]
eth0.42 Link encap:Ethernet Hardware Adresse xx:xx:xx:xx:xx:xx
inet Adresse:192.168.42.254 Bcast:192.168.42.255 Maske:255.255.255.0
[...]
lo Link encap:Lokale Schleife
inet Adresse:127.0.0.1 Maske:255.0.0.0
[...]
tun0 Link encap:UNSPEC Hardware Adresse 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet Adresse:10.3.56.195 P-z-P:10.3.56.195 Maske:255.255.255.0
[...]
| IP-Adresse | Typ | Interface | VLAN | Funktion |
|---|---|---|---|---|
| 192.168.178.??? | dynamisch | eth0 | default | Verbindung zum restlichen LAN außerhalb von VLAN42. |
| 192.168.42.254 | statisch | eth0.42 | 42 | DHCP-Auslieferung an die OpenWrt-Router und deren Default-Gateway. |
| < wechselnd > | dynamisch | tun0 | default | OpenVPN-Tunnel ins Internet. |
nano /etc/sysctl.conf |
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
iptables -A FORWARD -s 192.168.42.0/24 -i eth0.42 -o eth0 -m conntrack --ctstate NEW -j REJECT
iptables -A FORWARD -s 192.168.42.0/24 -i eth0.42 -o tun0 -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables-save >/etc/iptables.up.rules
(Die erste Regel verwirft neue Verbindungen aus VLAN42, die direkt über eth0 – also am Tunnel vorbei – hinausgehen würden; die zweite lässt sie nur über tun0 zu, die dritte maskiert sie hinter der Tunneladresse.)
nano /etc/network/interfaces
einfügen:
allow-hotplug eth0
iface eth0 inet dhcp
post-up iptables-restore < /etc/iptables.up.rules |
root@gw:/etc/openvpn# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp
post-up iptables-restore < /etc/iptables.up.rules
auto eth0.42
iface eth0.42 inet static
address 192.168.42.254
netmask 255.255.255.0
vlan-raw-device eth0
apt-get install bandwidthd |
nano /etc/bandwidthd/bandwidthd.conf |
Start mit:
subnet 192.168.42.0/24
dev "eth0.42"
/etc/init.d/bandwidthd start |
apt-get install lighttpd
ln -s /var/lib/bandwidthd/htdocs /var/www/bandwidthd |
http://gw/bandwidthd/index.html
nano /etc/ssh/sshd_config |
Aktivieren mit
PermitRootLogin no
/etc/init.d/ssh restart |
ssh-keygen -t rsa
su dede
ssh-keygen -t rsa
exit
apt-get install fail2ban |
nano /etc/fail2ban/jail.conf |
Dort `bantime = 600` (Sperrdauer in Sekunden) oder im ssh-Abschnitt `maxretry` (Anzahl der erlaubten Logon-Fehlversuche bis zur Sperrung) an die eigenen Vorstellungen anpassen.
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
sudo tail -f /var/log/fail2ban.log |
apt-get install vsftpd
/etc/init.d/vsftpd stop
nano /etc/vsftpd.conf
anonymous_enable=NO
local_enable=YES
connect_from_port_20=NO
chroot_local_user=YES
userlist_deny=NO
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
adduser ftpuser --ingroup www-data --shell /bin/false --home /nfs@11w/ftphome --no-create-home
nano /etc/shells
/bin/false |
nano /etc/vsftpd.user_list |
ftpuser |
/etc/init.d/vsftpd start |
reboot |
Im zweiten Schritt wird ein neues VLAN mit der VID "42" und dem VLAN Name "VLAN42" angelegt.
Darin dann die Ports 09 und 10 diesem VLAN als "Untagged" zuweisen und die Ports 02 und 05 als "Tagged":
Somit verlassen alle IP-Pakete an den Ports 09 und 10 (die also Richtung OpenWrt-Router gehen) den Switch ohne VLAN-Tags.