Оглавление

НАСТРОЙКА СЕТИ

ISP:

apt-get install iptables

в /etc/sysctl.conf:

net.ipv4.ip_forward=1

терминал:

sysctl -p

скрипт nano /etc/iptables.sh:

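#!/bin/bash
# ISP: masquerade everything that leaves the upstream interface and persist the
# NAT table so that the post-up line in /etc/network/interfaces can restore it.
set -eu
readonly wan=ens33
readonly rules=/etc/iptables.rules

# -C checks whether an identical rule is already present, so re-running the
# script does not append (and then save) a duplicate MASQUERADE rule each time.
iptables -t nat -C POSTROUTING -o "$wan" -j MASQUERADE 2>/dev/null \
  || iptables -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
iptables-save > "$rules"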

в /etc/network/interfaces:

post-up iptables-restore < /etc/iptables.rules

терминал:

chmod 0740 /etc/iptables.sh
./iptables.sh
systemctl restart networking

НЕ ЗАБЫТЬ ПРОПИСАТЬ ШЛЮЗ ПО УМОЛЧАНИЮ (gateway)

повторить те же шаги (ip_forward и MASQUERADE) на роутерах, чтобы серверы за ними имели выход в сеть

2. Настройка локальных сетей

HQ-RTR:

apt-get install vlan
modprobe 8021q
lsmod | grep 8021q

в /etc/network/interfaces:

auto ens37
iface ens37 inet manual

auto ens37.100
iface ens37.100 inet static
address 192.168.100.1
netmask 255.255.255.240
vlan-raw-device ens37

auto ens37.200
iface ens37.200 inet static
address 192.168.200.1
netmask 255.255.255.240
vlan-raw-device ens37

auto ens37.999
iface ens37.999 inet static
address 192.168.99.1
netmask 255.255.255.248
vlan-raw-device ens37

HQ-SRV:

auto ens33
iface ens33 inet manual

auto ens33.100
iface ens33.100 inet static
address 192.168.100.2
netmask 255.255.255.240
gateway 192.168.100.1
vlan-raw-device ens33

HQ-CLI:

auto ens33
iface ens33 inet manual

auto ens33.200
iface ens33.200 inet dhcp
vlan-raw-device ens33

3. Настройка DHCP

HQ-RTR:

apt-get update
apt-get install -y vlan isc-dhcp-server

/etc/default/isc-dhcp-server:

INTERFACESv4="ens37.200"

/etc/dhcp/dhcpd.conf:

option domain-name "au-team.irpo";
option domain-name-servers 192.168.100.2;

subnet 192.168.200.0 netmask 255.255.255.224 {
range 192.168.200.10 192.168.200.30;
option domain-name-servers 192.168.100.2;
option routers 192.168.200.1;
option subnet-mask 255.255.255.224;
}

терминал:

systemctl restart isc-dhcp-server

HQ-CLI:

modprobe 8021q

/etc/network/interfaces:

auto ens33
iface ens33 inet manual

auto ens33.200
iface ens33.200 inet dhcp
vlan-raw-device ens33

терминал:

ifup ens33.200

4. Создание пользователей

useradd -m -u 2026 sshuser
echo "sshuser:P@ssw0rd" | chpasswd
visudo

visudo:

sshuser ALL=(ALL) NOPASSWD:ALL

5. Настройка SSH

apt-get install ssh

/etc/ssh/sshd_config:

Port 2026
AllowUsers sshuser
MaxAuthTries 2
Banner /etc/issue.net

терминал:

echo "Authorized access only" > /etc/issue.net
systemctl restart sshd

6. IP ТУННЕЛЬ

nano /etc/gre.tun

HQ-RTR:

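#!/bin/bash
# HQ-RTR end of the GRE tunnel to BR-RTR. The script is called from post-up, so
# it must be safe to run more than once. Plain GRE carries the payload
# unencrypted; the OSPF MD5 key only authenticates routing updates.
set -eu
readonly tun=gre1

# 'ip tunnel add' fails with "File exists" on a second run; create it only once.
if ! ip link show "$tun" >/dev/null 2>&1; then
  ip tunnel add "$tun" mode gre remote 172.16.2.2 local 172.16.1.2 ttl 255
fi
# 'replace' is idempotent where 'add' would fail if the address is already set.
ip addr replace 10.10.10.1/30 peer 10.10.10.2/30 dev "$tun"
ip link set "$tun" up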

BR-RTR:

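#!/bin/bash
# BR-RTR end of the GRE tunnel to HQ-RTR. The script is called from post-up, so
# it must be safe to run more than once. Plain GRE carries the payload
# unencrypted; the OSPF MD5 key only authenticates routing updates.
set -eu
readonly tun=gre1

# 'ip tunnel add' fails with "File exists" on a second run; create it only once.
if ! ip link show "$tun" >/dev/null 2>&1; then
  ip tunnel add "$tun" mode gre remote 172.16.1.2 local 172.16.2.2 ttl 255
fi
# 'replace' is idempotent where 'add' would fail if the address is already set.
ip addr replace 10.10.10.2/30 peer 10.10.10.1/30 dev "$tun"
ip link set "$tun" up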

терминал:

chmod 0740 /etc/gre.tun
/etc/gre.tun

в /etc/network/interfaces добавляем постап:

post-up /etc/gre.tun

7. Динамическая маршрутизация

HQ-RTR, BR-RTR:

apt-get install frr

/etc/frr/daemons:

ospfd=yes

терминал:

systemctl restart frr

HQ-RTR:

/etc/frr/frr.conf:

log syslog informational
no ipv6 forwarding
service integrated-vtysh-config
!
interface gre1
ip address 10.10.10.1/30
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 P@ssw0rd
!
router ospf
network 10.10.10.0/30 area 0.0.0.0
network 192.168.100.0/28 area 0.0.0.0
network 192.168.200.0/27 area 0.0.0.0
!
line vty
!

BR-RTR:

/etc/frr/frr.conf:

log syslog informational
no ipv6 forwarding
service integrated-vtysh-config
!
interface gre1
ip address 10.10.10.2/30
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 P@ssw0rd
!
router ospf
network 10.10.10.0/30 area 0.0.0.0
network 192.168.150.0/28 area 0.0.0.0
!
line vty
!

терминал:

systemctl restart frr
vtysh -c "show ip ospf nei"

Статус должен быть full

10. DNS

HQ-SRV:

apt-get install bind9 bind9utils

/etc/bind/named.conf.options:

options {
directory "/var/cache/bind";

forwarders {
8.8.8.8;
8.8.4.4;
};

recursion yes;
allow-query { any; };
listen-on { any; };
allow-recursion { any; };

dnssec-validation auto;
….
};

терминал:

mkdir /etc/bind/zones

nano /etc/bind/zones/db.au-team.irpo:

$TTL 86400
@ IN SOA hq-srv.au-team.irpo. root.au-team.irpo. (
2026022201 ; Serial
3600 ; Refresh
1800 ; Retry
604800 ; Expire
86400 ) ; Minimum TTL

@ IN NS hq-srv.au-team.irpo.

hq-srv IN A 192.168.100.2
hq-rtr IN A 192.168.100.1
hq-cli IN A 192.168.200.10
br-srv IN A 192.168.150.2
br-rtr IN A 192.168.150.1
docker IN A 172.16.1.1
web IN A 172.16.2.1

/etc/bind/named.conf.local:

zone "au-team.irpo" {
type master;
file "/etc/bind/zones/db.au-team.irpo";
};

zone "100.168.192.in-addr.arpa" {
type master;
file "/etc/bind/zones/db.192.168.100";
};

zone "200.168.192.in-addr.arpa" {
type master;
file "/etc/bind/zones/db.192.168.200";
};

/etc/bind/zones/db.192.168.100:

$TTL 86400
@ IN SOA hq-srv.au-team.irpo. root.au-team.irpo. (
2026022201
3600
1800 604800 86400 )

@ IN NS hq-srv.au-team.irpo.

1 IN PTR hq-rtr.au-team.irpo.
2 IN PTR hq-srv.au-team.irpo.

/etc/bind/zones/db.192.168.200:

$TTL 86400
@ IN SOA hq-srv.au-team.irpo. root.au-team.irpo. (
2026022201
3600
1800 604800 86400 )

@ IN NS hq-srv.au-team.irpo.

10 IN PTR hq-cli.au-team.irpo.

проверка конфигурации и применение:

named-checkconf
named-checkzone au-team.irpo /etc/bind/zones/db.au-team.irpo
named-checkzone 100.168.192.in-addr.arpa /etc/bind/zones/db.192.168.100
named-checkzone 200.168.192.in-addr.arpa /etc/bind/zones/db.192.168.200

systemctl restart bind9
systemctl enable bind9

на машинах в /etc/resolv.conf:

nameserver 192.168.100.2

Обратные записи (PTR, из IP в имя) заведены только для hq-rtr, hq-srv и hq-cli; для остальных имён есть только прямые записи (из имени в IP).

проверка DNS:

nslookup hq-srv.au-team.irpo
nslookup 192.168.100.2

11. Время

timedatectl set-timezone Europe/Moscow

МОДУЛЬ 2

1. контроллер домена

HQ-SRV:

apt-get install samba winbind krb5-config
rm /etc/samba/smb.conf
samba-tool domain provision

systemctl stop smbd nmbd winbind
systemctl disable smbd nmbd winbind
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl start samba-ad-dc

samba-tool group add hq

for ((i = 1; i <= 5; i++)); do
  # Five lab accounts hquser1..hquser5, each added to the "hq" group.
  samba-tool user create "hquser${i}" "P@ssw0rd"
  samba-tool group addmembers hq "hquser${i}"
done

HQ-CLI /etc/resolv.conf:

nameserver 192.168.150.2

терминал:

apt-get install realmd sssd adcli

realm discover au-team.irpo
realm join au-team.irpo -U administrator
pam-auth-update --enable mkhomedir
realm permit -g hq@au-team.irpo

visudo:

%hq@au-team.irpo ALL=(ALL) /usr/bin/cat, /usr/bin/grep, /usr/bin/id

2. RAID

добавляем 2 диска на HQ-SRV

reboot
lsblk

apt-get install -y mdadm

mdadm --create --verbose /dev/md0 --level=0 --raid-devices=2 /dev/sdb /dev/sdc
mdadm --detail --scan >> /etc/mdadm/mdadm.conf
cp /etc/mdadm/mdadm.conf /etc/mdadm.conf
update-initramfs -u

fdisk /dev/md0
# Нажать: n
# Нажать: w

mkfs.ext4 /dev/md0

mkdir /raid

В nano /etc/fstab:

/dev/md0 /raid ext4 defaults 0 0

терминал:

mount -a

проверки:

df -h | grep /raid
blkid /dev/md0

3. NFS

HQ-SRV:

apt-get install nfs-kernel-server
mkdir -p /raid/nfs
chown nobody:nogroup /raid/nfs
chmod 777 /raid/nfs

В nano /etc/exports:

/raid/nfs 192.168.200.10/27(rw,sync,no_subtree_check)

терминал:

exportfs -a

HQ-CLI:

apt-get install nfs-common
mkdir -p /mnt/nfs

В nano /etc/fstab:

192.168.100.2:/raid/nfs /mnt/nfs defaults 0 0

терминал:

mount -a

4. CHRONY

ISP:

apt-get install chrony

в nano /etc/chrony/chrony.conf (в конце):

#pool 2.debian.pool.ntp.org iburst
...
pool pool.ntp.org iburst
local stratum 5
allow 0.0.0.0/0

терминал:

systemctl restart chrony

HQ-SRV, HQ-CLI, BR-RTR, BR-SRV:

apt-get install chrony

в nano /etc/chrony/chrony.conf:

#pool 2.debian.pool.ntp.org iburst
...
server 172.16.1.1 iburst

терминал:

systemctl restart chrony
chronyc sources

5. ANSIBLE

BR-SRV:

apt-get install ansible sshpass
mkdir -p /etc/ansible

nano /etc/ansible/ansible.cfg:

[defaults]
inventory = /etc/ansible/hosts
host_key_checking = False

nano /etc/ansible/hosts:

[all:vars]
ansible_password=P@ssw0rd

[routers]
HQ-RTR ansible_host=192.168.100.1 ansible_user=net_admin
BR-RTR ansible_host=192.168.150.1 ansible_user=net_admin

[servers]
HQ-SRV ansible_host=192.168.100.2 ansible_user=sshuser

[clients]
HQ-CLI ansible_host=192.168.200.10 ansible_user=ansible

HQ-SRV, HQ-CLI, HQ-RTR, BR-RTR:

apt-get install openssh-server python3
ssh-keygen -A
systemctl restart ssh
reboot

BR-SRV:

ansible all -m ping

6. DOCKER

BR-SRV:

apt-get install docker.io docker-compose
mkdir -p /mnt/additional
mount /home/user/Загрузки/Additional.iso /mnt/additional

docker load -i /mnt/additional/docker/mariadb_latest.tar
docker load -i /mnt/additional/docker/site_latest.tar

mkdir -p /opt/testapp
cd /opt/testapp

nano docker-compose.yml:

version: '3.8'
services:
  testapp:
    image: site:latest
    container_name: testapp
    ports:
      - "8080:8000"
    depends_on:
      - db
    environment:
      - DB_HOST=db
      - DB_NAME=testdb
      - DB_TYPE=maria
      - DB_USER=test
      - DB_PASS=P@ssw0rd
      - SERVER_PORT=8080
    restart: unless-stopped

  db:
    image: mariadb:10.11
    container_name: db
    environment:
      MYSQL_ROOT_PASSWORD: P@ssw0rd
      MYSQL_DATABASE: testdb
      MYSQL_USER: test
      MYSQL_PASSWORD: P@ssw0rd
    volumes:
      - db_data:/var/lib/mysql
    restart: unless-stopped

volumes:
  db_data:

терминал:

docker-compose up -d
docker ps

7. APACHE2

HQ-SRV:

mkdir -p /mnt/additional
mount /dev/cdrom /mnt/additional

apt-get update
apt-get install -y apache2 mariadb-server php php-mysql

терминал:

mysql -e "CREATE DATABASE webdb;"
mysql -e "CREATE USER 'web'@'localhost' IDENTIFIED BY 'P@ssw0rd';"
mysql -e "GRANT ALL PRIVILEGES ON webdb.* TO 'web'@'localhost';"
mysql -e "FLUSH PRIVILEGES;"

mysql webdb < /mnt/additional/web/dump.sql

rm -f /var/www/html/index.html

cp /mnt/additional/web/index.php /var/www/html/
cp -r /mnt/additional/web/logo.png /var/www/html/

/var/www/html/index.php:

  • База данных (db_name или database): webdb
  • Пользователь (db_user или username): web
  • Пароль (db_pass или password): P@ssw0rd
  • Сервер (host): обычно localhost или 127.0.0.1.
systemctl restart apache2

8. ПРОБРОС ПОРТОВ

HQ-RTR:

В nano /etc/network/if-up.d/nat-rules:

#!/bin/bash
# Rebuild the NAT table on HQ-RTR: masquerade outbound traffic and publish the
# HQ-SRV services (web on 80, ssh on 2026) on the external address.
readonly wan=ens33
readonly lan=ens37.100
readonly lan_ip=192.168.100.1
readonly srv_ip=192.168.100.2

iptables -t nat -F
iptables -t nat -A POSTROUTING -o "$wan" -j MASQUERADE

# "external port:internal port" pairs published on the WAN address.
for map in 8080:80 2026:2026; do
  ext=${map%%:*}
  int=${map##*:}
  iptables -t nat -A PREROUTING -i "$wan" -p tcp --dport "$ext" -j DNAT --to "${srv_ip}:${int}"
  # SNAT to the router's LAN address so replies return via HQ-RTR; the server
  # therefore sees the router, not the original client, as the source address.
  iptables -t nat -A POSTROUTING -o "$lan" -p tcp --dport "$int" -j SNAT --to "$lan_ip"
done

BR-RTR:

#!/bin/bash
# Rebuild the NAT table on BR-RTR: masquerade outbound traffic and publish the
# BR-SRV services (container app on 8080, ssh on 2026) on the external address.
readonly wan=ens33
readonly lan=ens37
readonly lan_ip=192.168.150.1
readonly srv_ip=192.168.150.2

iptables -t nat -F
iptables -t nat -A POSTROUTING -o "$wan" -j MASQUERADE

# "external port:internal port" pairs published on the WAN address.
for map in 8080:8080 2026:2026; do
  ext=${map%%:*}
  int=${map##*:}
  iptables -t nat -A PREROUTING -i "$wan" -p tcp --dport "$ext" -j DNAT --to "${srv_ip}:${int}"
  # SNAT to the router's LAN address so replies return via BR-RTR; the server
  # therefore sees the router, not the original client, as the source address.
  iptables -t nat -A POSTROUTING -o "$lan" -p tcp --dport "$int" -j SNAT --to "$lan_ip"
done

применение:

chmod +x /etc/network/if-up.d/nat-rules
systemctl restart networking

9. NGINX

ISP:

apt-get install nginx

в nano /etc/nginx/sites-available/web:

server {
listen 80;
server_name web.au-team.irpo;

location / {
proxy_pass http://172.16.1.2:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}

в nano /etc/nginx/sites-available/docker:

server {
listen 80;
server_name docker.au-team.irpo;

location / {
proxy_pass http://172.16.2.2:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}

терминал:

ln -s /etc/nginx/sites-available/web /etc/nginx/sites-enabled/
ln -s /etc/nginx/sites-available/docker /etc/nginx/sites-enabled/
rm -f /etc/nginx/sites-enabled/default
nginx -t
systemctl restart nginx

10. АУТЕНТИФИКАЦИЯ

ISP:

apt-get install -y apache2-utils
htpasswd -b -c /etc/nginx/.htpasswd WEB P@ssw0rd

в nano /etc/nginx/sites-available/web:

location / {
# ....
auth_basic "Restricted Access";
auth_basic_user_file /etc/nginx/.htpasswd;
}

терминал:

nginx -t
systemctl restart nginx

МОДУЛЬ 3

6. RSYSLOG

HQ-SRV:

apt-get install rsyslog

nano /etc/rsyslog.conf:

module(load="imudp")
input(type="imudp" port="514")

в GLOBAL DIRECTIVES:

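# One log file per sending host under /opt/. HOSTNAME comes from the remote
# message, i.e. untrusted input, and is used to build a path: secpath-replace
# turns any "/" in it into "_" so a crafted hostname cannot escape /opt/.
# imudp on 514 accepts messages from any sender without authentication, so
# limit who can reach the port if the segment is not trusted.
$template RemoteLogs,"/opt/%HOSTNAME:::secpath-replace%/syslog.log"
# Messages that did not originate locally go to the per-host file and stop
# here, so they are not duplicated into the local /var/log files.
if ($fromhost-ip != '127.0.0.1') then {
*.* ?RemoteLogs
stop
}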

systemctl restart rsyslog

HQ-RTR, BR-RTR, BR-SRV:

apt-get install rsyslog
nano /etc/rsyslog.d/99-remote.conf

вписать:

*.warning @192.168.100.2:514

терминал:

systemctl restart rsyslog

ротация:

nano /etc/logrotate.d/rsyslog-remote:

/opt/*/*.log {
weekly
rotate 4
minsize 10M
compress
missingok
notifempty
create 0640 root root
sharedscripts
postrotate
/usr/lib/rsyslog/rsyslog-rotate
endscript
}

проверка

на клиентах вбиваем:

logger -p user.warning "TEST WARNING"

на HQ-SRV (должны создаться папки клиентов):

ls -l /opt/

ротация:

logrotate -f /etc/logrotate.d/rsyslog-remote

проверка на создание архивов:

ls -l /opt/hq-rtr
ls -l /opt/br-rtr
ls -l /opt/br-srv