
IP-ForwardingOnAltLinux

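# Preview excerpt: the rendered page repeats ISP steps 1.1-1.4 here, collapsed
# onto one line and cut off inside the last heredoc. Restored from the full
# versions in sections 1.1-1.4 below. Meant to be pasted interactively:
# `exec bash` replaces the current shell, so in a script nothing after it runs.
hostnamectl set-hostname isp.au-team.irpo
exec bash

# Interface towards HQ-RTR: static 172.16.1.1/28 (etcnet per-interface files).
mkdir -p /etc/net/ifaces/enp7s2
cat > /etc/net/ifaces/enp7s2/options <<'EOF'
TYPE=eth
BOOTPROTO=static
NM_CONTROLLED=no
DISABLED=no
ONBOOT=yes
CONFIG_IPV4=yes
EOF
cat > /etc/net/ifaces/enp7s2/ipv4address <<'EOF'
172.16.1.1/28
EOF

# Interface towards BR-RTR; the preview stopped here, its address is set in 1.4.
mkdir -p /etc/net/ifaces/enp7s3
cat > /etc/net/ifaces/enp7s3/options <<'EOF'
TYPE=eth
BOOTPROTO=static
NM_CONTROLLED=no
DISABLED=no
ONBOOT=yes
CONFIG_IPV4=yes
EOF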
Оглавление

Настройка ISP (провайдер)

1.1. Имя хоста

# ISP: set the node's FQDN.
hostnamectl set-hostname isp.au-team.irpo

# Replaces the current shell so the prompt shows the new name; in a script this
# would end execution here, so run these steps interactively.
exec bash

1.3. Интерфейс к HQ-RTR (enp7s2)

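# ISP, interface towards HQ-RTR (enp7s2): static 172.16.1.1/28 via etcnet.
# Heredoc delimiters are quoted so nothing inside is expanded, and the bodies
# carry no stray blank lines (the rendered page had inserted paragraph breaks
# inside them, which would have been written into the config files).
mkdir -p /etc/net/ifaces/enp7s2
cat > /etc/net/ifaces/enp7s2/options <<'EOF'
TYPE=eth
BOOTPROTO=static
NM_CONTROLLED=no
DISABLED=no
ONBOOT=yes
CONFIG_IPV4=yes
EOF
cat > /etc/net/ifaces/enp7s2/ipv4address <<'EOF'
172.16.1.1/28
EOF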

1.4. Интерфейс к BR-RTR (enp7s3)

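# ISP, interface towards BR-RTR (enp7s3): static 172.16.2.1/28 via etcnet.
# Quoted heredoc delimiters; no blank lines inside the bodies (the rendering
# had added some, and they would have ended up in the files).
mkdir -p /etc/net/ifaces/enp7s3
cat > /etc/net/ifaces/enp7s3/options <<'EOF'
TYPE=eth
BOOTPROTO=static
NM_CONTROLLED=no
DISABLED=no
ONBOOT=yes
CONFIG_IPV4=yes
EOF
cat > /etc/net/ifaces/enp7s3/ipv4address <<'EOF'
172.16.2.1/28
EOF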

1.5. Форвардинг и NAT

echo "net.ipv4.ip_forward = 1" >> /etc/net/sysctl.conf

sysctl -p /etc/net/sysctl.conf

apt-get update

apt-get install -y iptables

iptables -t nat -A POSTROUTING -s 172.16.1.0/28 -o enp7s1 -j MASQUERADE

iptables -t nat -A POSTROUTING -s 172.16.2.0/28 -o enp7s1 -j MASQUERADE

iptables -A FORWARD -s 172.16.1.0/28 -j ACCEPT

iptables -A FORWARD -d 172.16.1.0/28 -j ACCEPT

iptables -A FORWARD -s 172.16.2.0/28 -j ACCEPT

iptables -A FORWARD -d 172.16.2.0/28 -j ACCEPT

iptables-save > /etc/sysconfig/iptables

systemctl enable --now iptables

1.6. Перезапуск сети и проверка

# Apply the new etcnet interface files.
systemctl restart network

# Expect replies if the external gateway is working.
ping -c4 8.8.8.8

1.7. Часовой пояс

# Zone data package, then pin the system time zone to Moscow.
apt-get -y install tzdata
timedatectl set-timezone Europe/Moscow

Настройка HQ-RTR

2.1. Имя хоста

# HQ-RTR: set the node's FQDN.
hostnamectl set-hostname hq-rtr.au-team.irpo

# Replaces the current shell so the prompt shows the new name; in a script this
# would end execution here, so run these steps interactively.
exec bash

2.2. Интерфейс к ISP (enp7s1)

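# HQ-RTR, interface towards ISP (enp7s1): 172.16.1.2/28, default route via
# the ISP side 172.16.1.1. Quoted heredoc delimiters, no stray blank lines
# (the rendered page had inserted paragraph breaks inside the bodies).
mkdir -p /etc/net/ifaces/enp7s1
cat > /etc/net/ifaces/enp7s1/options <<'EOF'
TYPE=eth
BOOTPROTO=static
NM_CONTROLLED=no
DISABLED=no
ONBOOT=yes
CONFIG_IPV4=yes
EOF
cat > /etc/net/ifaces/enp7s1/ipv4address <<'EOF'
172.16.1.2/28
EOF
cat > /etc/net/ifaces/enp7s1/ipv4route <<'EOF'
default via 172.16.1.1
EOF

systemctl restart network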

После этого попробуйте: `ping 172.16.1.1`, затем `ping 8.8.8.8`.

2.3. Локальный интерфейс с VLAN (enp7s2)

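# HQ-RTR: enp7s2 carries tagged VLANs 100 (HQ-SRV), 200 (HQ-CLI) and 999
# (management); the parent interface itself gets no address.
# Two of the page's heredocs were collapsed onto one line (the `EOF` ended up
# on the same line as the content, so the heredoc never terminated); restored.
# The option is spelled CONFIG_IPV4 as everywhere else on this page — etcnet
# option names are shell variables and therefore case-sensitive.
modprobe 8021q

mkdir -p /etc/net/ifaces/enp7s2
cat > /etc/net/ifaces/enp7s2/options <<'EOF'
TYPE=eth
BOOTPROTO=static
CONFIG_IPV4=no
NM_CONTROLLED=no
DISABLED=no
ONBOOT=yes
EOF

# One sub-interface per VLAN: "<vid>:<address/prefix>".
for spec in 100:192.168.100.1/27 200:192.168.200.1/24 999:192.168.99.1/29; do
  vid=${spec%%:*}
  addr=${spec#*:}
  dir=/etc/net/ifaces/enp7s2.$vid
  mkdir -p "$dir"
  # Unquoted delimiter on purpose: $vid must expand.
  cat > "$dir/options" <<EOF
TYPE=vlan
HOST=enp7s2
VID=$vid
BOOTPROTO=static
NM_CONTROLLED=no
ONBOOT=yes
EOF
  printf '%s\n' "$addr" > "$dir/ipv4address"
done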

2.4. Форвардинг и NAT

echo "net.ipv4.ip_forward = 1" >> /etc/net/sysctl.conf (либо vim /etc/net/sysctl.conf

sysctl -p /etc/net/sysctl.conf

Временно пропишите рабочий публичный DNS:

echo "nameserver 8.8.8.8" > /etc/resolv.conf

apt-get update

apt-get install -y iptables

iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o enp7s1 -j MASQUERADE

iptables -A FORWARD -s 192.168.0.0/16 -j ACCEPT

iptables -A FORWARD -d 192.168.0.0/16 -j ACCEPT

iptables-save > /etc/sysconfig/iptables

systemctl enable --now iptables

2.6. Пользователь net_admin

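# HQ-RTR: local admin account with passwordless sudo, as the task requires.
mkdir -p /etc/sudoers.d
# Guarded so a re-run does not fail on an existing account.
id net_admin >/dev/null 2>&1 || useradd -m -s /bin/bash net_admin
# The password is fed through stdin rather than argv, so it is not visible in
# `ps`; it is still a fixed value and lands in shell history when pasted.
printf '%s\n' 'net_admin:P@ssw0rd' | chpasswd
# NOPASSWD: ALL is root-equivalent. Keep the 0440 mode and validate the file:
# a syntax error in sudoers.d can break sudo on the whole host.
echo "net_admin ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/net_admin
chmod 440 /etc/sudoers.d/net_admin
visudo -cf /etc/sudoers.d/net_admin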

2.7. DHCP-сервер для VLAN 200

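# HQ-RTR: ISC dhcpd serving VLAN 200 (HQ-CLI).
# The page's `–y` used an en dash, which apt-get would take for a package
# name; it has to be the ASCII `-y`.
apt-get update
apt-get install -y nano dhcp-server

# Written non-interactively (the page opens the file in nano).
cat > /etc/dhcp/dhcpd.conf <<'EOF'
ddns-update-style none;

subnet 192.168.200.0 netmask 255.255.255.0 {
  option routers 192.168.200.1;
  option subnet-mask 255.255.255.0;
  option nis-domain "au-team.irpo";
  option domain-name "au-team.irpo";
  option domain-name-servers 192.168.100.2;
  range dynamic-bootp 192.168.200.3 192.168.200.254;
  default-lease-time 21600;
  max-lease-time 43200;
}
EOF

# Syntax check first; a bad config otherwise leaves the service dead at boot.
dhcpd -t -cf /etc/dhcp/dhcpd.conf
# NOTE(review): dhcpd must listen on enp7s2.200; if the service on this host
# needs the interface pinned (e.g. DHCPDARGS in /etc/sysconfig/dhcpd), set it
# before enabling — confirm on the target.
systemctl enable --now dhcpd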

2.9. Часовой пояс

# Install the zone data, pin the system time zone to Moscow, show the result.
apt-get update
apt-get install -y tzdata
timedatectl set-timezone Europe/Moscow
timedatectl status

Настройка BR-RTR

3.1. Имя хоста

# BR-RTR: set the node's FQDN.
hostnamectl set-hostname br-rtr.au-team.irpo

# Replaces the current shell so the prompt shows the new name; in a script this
# would end execution here, so run these steps interactively.
exec bash

3.2. Интерфейс к ISP

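# BR-RTR, interface towards ISP (enp7s1): 172.16.2.2/28, default route via
# the ISP side 172.16.2.1. Quoted heredoc delimiters, no stray blank lines
# (the rendered page had inserted paragraph breaks inside the bodies).
mkdir -p /etc/net/ifaces/enp7s1
cat > /etc/net/ifaces/enp7s1/options <<'EOF'
TYPE=eth
BOOTPROTO=static
NM_CONTROLLED=no
DISABLED=no
ONBOOT=yes
CONFIG_IPV4=yes
EOF
cat > /etc/net/ifaces/enp7s1/ipv4address <<'EOF'
172.16.2.2/28
EOF
cat > /etc/net/ifaces/enp7s1/ipv4route <<'EOF'
default via 172.16.2.1
EOF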

3.3. Локальный интерфейс (BR-SRV)

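# BR-RTR, LAN interface towards BR-SRV (enp7s2): 192.168.3.1/29.
# Quoted heredoc delimiters, no stray blank lines in the bodies.
mkdir -p /etc/net/ifaces/enp7s2
cat > /etc/net/ifaces/enp7s2/options <<'EOF'
TYPE=eth
BOOTPROTO=static
NM_CONTROLLED=no
DISABLED=no
ONBOOT=yes
CONFIG_IPV4=yes
EOF
cat > /etc/net/ifaces/enp7s2/ipv4address <<'EOF'
192.168.3.1/29
EOF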

3.4. Форвардинг и NAT

echo "net.ipv4.ip_forward = 1" >> /etc/net/sysctl.conf

sysctl -p /etc/net/sysctl.conf

Временно пропишите рабочий публичный DNS:

echo "nameserver 8.8.8.8" > /etc/resolv.conf

apt-get update

apt-get install -y iptables

iptables -t nat -A POSTROUTING -s 192.168.3.0/29 -o enp7s1 -j MASQUERADE

iptables -A FORWARD -s 192.168.3.0/29 -j ACCEPT

iptables -A FORWARD -d 192.168.3.0/29 -j ACCEPT

iptables-save > /etc/sysconfig/iptables

systemctl enable --now iptables

3.5. Пользователь net_admin

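# BR-RTR: local admin account with passwordless sudo, as the task requires.
mkdir -p /etc/sudoers.d
# Guarded so a re-run does not fail on an existing account.
id net_admin >/dev/null 2>&1 || useradd -m -s /bin/bash net_admin
# Password via stdin, not argv (keeps it out of `ps`); it is still a fixed
# value and lands in shell history when pasted.
printf '%s\n' 'net_admin:P@ssw0rd' | chpasswd
# NOPASSWD: ALL is root-equivalent. Keep the 0440 mode and validate the file:
# a syntax error in sudoers.d can break sudo on the whole host.
echo "net_admin ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/net_admin
chmod 440 /etc/sudoers.d/net_admin
visudo -cf /etc/sudoers.d/net_admin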

3.7. Часовой пояс

# Install the zone data, pin the system time zone to Moscow, show the result.
apt-get update
apt-get install -y tzdata
timedatectl set-timezone Europe/Moscow
timedatectl status

Настройка HQ-SRV

4.1. Имя хоста

# HQ-SRV: set the node's FQDN.
hostnamectl set-hostname hq-srv.au-team.irpo

# Replaces the current shell so the prompt shows the new name; in a script this
# would end execution here, so run these steps interactively.
exec bash

4.2. Сеть (VLAN 100)

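# HQ-SRV: the NIC carries only tagged VLAN 100; the address, route and resolver
# live on enp7s1.100. Quoted heredoc delimiters, no stray blank lines.
# CONFIG_IPV4 is spelled as elsewhere on the page (etcnet options are shell
# variables, hence case-sensitive).
modprobe 8021q

mkdir -p /etc/net/ifaces/enp7s1 /etc/net/ifaces/enp7s1.100
cat > /etc/net/ifaces/enp7s1/options <<'EOF'
TYPE=eth
BOOTPROTO=static
CONFIG_IPV4=no
NM_CONTROLLED=no
DISABLED=no
ONBOOT=yes
EOF

cat > /etc/net/ifaces/enp7s1.100/options <<'EOF'
TYPE=vlan
HOST=enp7s1
VID=100
BOOTPROTO=static
NM_CONTROLLED=no
ONBOOT=yes
EOF
printf '%s\n' 192.168.100.2/27 > /etc/net/ifaces/enp7s1.100/ipv4address
printf '%s\n' 'default via 192.168.100.1' > /etc/net/ifaces/enp7s1.100/ipv4route
# Bootstrap resolver only; section 4.5 switches this file to 127.0.0.1 once
# the local dnsmasq is running.
printf '%s\n' 'nameserver 8.8.8.8' > /etc/net/ifaces/enp7s1.100/resolv.conf

systemctl restart network
ping -c 4 8.8.8.8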

4.3. Пользователь sshuser

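# HQ-SRV: sshuser with fixed UID 2026 and passwordless sudo, as the task requires.
# Guarded so a re-run does not fail on an existing account.
id sshuser >/dev/null 2>&1 || useradd -u 2026 -m -s /bin/bash sshuser
# Password via stdin, not argv (keeps it out of `ps`); still a fixed value that
# lands in shell history when pasted.
printf '%s\n' 'sshuser:P@ssw0rd' | chpasswd
# NOPASSWD: ALL is root-equivalent; keep the 0440 mode and validate the file,
# since a syntax error in sudoers.d can break sudo on the whole host.
mkdir -p /etc/sudoers.d
echo "sshuser ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/sshuser
chmod 440 /etc/sudoers.d/sshuser
visudo -cf /etc/sudoers.d/sshuser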

4.4. SSH-сервер (порт 2026, баннер, ограничения)

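# HQ-SRV: sshd on port 2026, only sshuser may log in (this also shuts root out
# of SSH — keep a console session open), 2 auth attempts, login banner.
apt-get update
apt-get install -y openssh-server

# Written non-interactively (the page edits the file in nano). sshd uses the
# first value it meets for an option, so an earlier *uncommented* Port,
# MaxAuthTries or Banner line in the stock file would win over these; the
# `sshd -T` line at the end prints the values actually in effect.
# The grep makes the append rerun-safe.
grep -qxF 'Port 2026' /etc/openssh/sshd_config || cat >> /etc/openssh/sshd_config <<'EOF'
Port 2026
AllowUsers sshuser
MaxAuthTries 2
Banner /etc/openssh/banner
EOF
echo "Authorized access only." > /etc/openssh/banner

systemctl enable --now sshd
# `enable --now` does not restart an sshd that was already running, so the new
# port would not be live; restart only after the config passes the syntax
# check — restarting into a broken config over SSH is a lockout.
sshd -t && systemctl restart sshd
sshd -T | grep -Ei '^(port|allowusers|maxauthtries|banner) '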

4.5. DNS-сервер

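# HQ-SRV: dnsmasq as the resolver for au-team.irpo, forwarding everything
# else to 8.8.8.8. The page's in-file comments had lost their leading `#`;
# dnsmasq would have rejected them as unknown options, so they are restored.
apt-get update
apt-get install -y dnsmasq

# Keep the packaged config once; a plain mv would clobber the backup on re-run.
[ -e /etc/dnsmasq.conf.backup ] || cp -a /etc/dnsmasq.conf /etc/dnsmasq.conf.backup

cat > /etc/dnsmasq.conf <<'EOF'
# Прослушивать только на внутреннем IP
listen-address=192.168.100.2
# With listen-address set and no interface= line, dnsmasq does not add the
# loopback address on its own; without this the "nameserver 127.0.0.1" and
# "nslookup ... 127.0.0.1" steps further down get no answer.
listen-address=127.0.0.1

# Вышестоящий DNS (публичный)
server=8.8.8.8

# Локальный домен
domain=au-team.irpo
expand-hosts

# Прямые и обратные записи согласно заданию

# HQ-RTR (IP в VLAN 100 - 192.168.100.1)
address=/hq-rtr.au-team.irpo/192.168.100.1
ptr-record=1.100.168.192.in-addr.arpa,hq-rtr.au-team.irpo

# BR-RTR (локальный адрес 192.168.3.1)
address=/br-rtr.au-team.irpo/192.168.3.1
ptr-record=1.3.168.192.in-addr.arpa,br-rtr.au-team.irpo

# HQ-SRV (свой собственный адрес)
address=/hq-srv.au-team.irpo/192.168.100.2
ptr-record=2.100.168.192.in-addr.arpa,hq-srv.au-team.irpo

# HQ-CLI (DHCP или статика, здесь укажем ожидаемый адрес 192.168.200.2)
# NOTE(review): the DHCP range in section 2.7 starts at 192.168.200.3, so a
# DHCP-configured HQ-CLI will not get .2 — add a reservation or fix the record.
address=/hq-cli.au-team.irpo/192.168.200.2
ptr-record=2.200.168.192.in-addr.arpa,hq-cli.au-team.irpo

# BR-SRV
address=/br-srv.au-team.irpo/192.168.3.2
ptr-record=2.3.168.192.in-addr.arpa,br-srv.au-team.irpo

# ISP интерфейс в сторону HQ-RTR (docker)
address=/docker.au-team.irpo/172.16.1.1
ptr-record=1.1.16.172.in-addr.arpa,docker.au-team.irpo

# ISP интерфейс в сторону BR-RTR (web)
address=/web.au-team.irpo/172.16.2.1
ptr-record=1.2.16.172.in-addr.arpa,web.au-team.irpo

# Дополнительные обратные зоны (если нужны)
EOF

# Parse check before the service picks the file up.
dnsmasq --test
systemctl enable --now dnsmasq
# `enable --now` leaves an already-running dnsmasq on the old config.
systemctl restart dnsmasq
systemctl status dnsmasq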

Настройте локальный DNS на самом HQ-SRV

echo "nameserver 127.0.0.1" > /etc/net/ifaces/enp7s1.100/resolv.conf

systemctl restart network

cat /etc/resolv.conf

Проверка работы DNS

Проверка A записей

# Forward (A) lookups against the local dnsmasq for a sample of the names.
for host in hq-cli hq-rtr docker; do
  nslookup "$host.au-team.irpo" 127.0.0.1
done

Проверка PTR записей (обратный запрос)

# Reverse (PTR) lookups; these use whatever /etc/resolv.conf now points at.
for addr in 192.168.100.1 172.16.1.1; do
  nslookup "$addr"
done

4.6. Часовой пояс

# Install the zone data, pin the system time zone to Moscow, show the result.
apt-get update
apt-get install -y tzdata
timedatectl set-timezone Europe/Moscow
timedatectl status

Настройка BR-SRV

5.1. Имя хоста

# BR-SRV: set the node's FQDN.
hostnamectl set-hostname br-srv.au-team.irpo

# Replaces the current shell so the prompt shows the new name; in a script this
# would end execution here, so run these steps interactively.
exec bash

5.2. Сеть

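# BR-SRV: single untagged NIC on the BR-RTR LAN, 192.168.3.2/29 via 192.168.3.1.
# Quoted heredoc delimiter; the rendered page had a blank line before EOF that
# would have been written into the options file.
mkdir -p /etc/net/ifaces/enp7s1
cat > /etc/net/ifaces/enp7s1/options <<'EOF'
TYPE=eth
BOOTPROTO=static
NM_CONTROLLED=no
DISABLED=no
ONBOOT=yes
CONFIG_IPV4=yes
EOF
printf '%s\n' 192.168.3.2/29 > /etc/net/ifaces/enp7s1/ipv4address
printf '%s\n' 'default via 192.168.3.1' > /etc/net/ifaces/enp7s1/ipv4route
# Public resolver; the HQ-SRV dnsmasq (192.168.100.2) is only reachable once
# the tunnel and routing from section 7 are up.
printf '%s\n' 'nameserver 8.8.8.8' > /etc/net/ifaces/enp7s1/resolv.conf

systemctl restart network
ping -c 4 8.8.8.8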

5.3. Пользователь sshuser

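# BR-SRV: sshuser with fixed UID 2026 and passwordless sudo, as the task requires.
# Guarded so a re-run does not fail on an existing account.
id sshuser >/dev/null 2>&1 || useradd -u 2026 -m -s /bin/bash sshuser
# Password via stdin, not argv (keeps it out of `ps`); still a fixed value that
# lands in shell history when pasted.
printf '%s\n' 'sshuser:P@ssw0rd' | chpasswd
# NOPASSWD: ALL is root-equivalent; keep the 0440 mode and validate the file,
# since a syntax error in sudoers.d can break sudo on the whole host.
mkdir -p /etc/sudoers.d
echo "sshuser ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/sshuser
chmod 440 /etc/sudoers.d/sshuser
visudo -cf /etc/sudoers.d/sshuser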

5.4. SSH-сервер

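# BR-SRV: sshd on port 2026, only sshuser may log in (this also shuts root out
# of SSH — keep a console session open), 2 auth attempts, login banner.
apt-get update
apt-get install -y openssh-server

# Written non-interactively (the page edits the file in nano). sshd uses the
# first value it meets for an option, so an earlier *uncommented* Port,
# MaxAuthTries or Banner line in the stock file would win over these; the
# `sshd -T` line at the end prints the values actually in effect.
# The grep makes the append rerun-safe.
grep -qxF 'Port 2026' /etc/openssh/sshd_config || cat >> /etc/openssh/sshd_config <<'EOF'
Port 2026
AllowUsers sshuser
MaxAuthTries 2
Banner /etc/openssh/banner
EOF
echo "Authorized access only." > /etc/openssh/banner

systemctl enable --now sshd
# `enable --now` does not restart an sshd that was already running, so the new
# port would not be live; restart only after the config passes the syntax
# check — restarting into a broken config over SSH is a lockout.
sshd -t && systemctl restart sshd
sshd -T | grep -Ei '^(port|allowusers|maxauthtries|banner) '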

5.5. Часовой пояс

# Install the zone data, pin the system time zone to Moscow, show the result.
apt-get update
apt-get install -y tzdata
timedatectl set-timezone Europe/Moscow
timedatectl status

Настройка HQ-CLI

6.1. Имя хоста

# HQ-CLI: set the node's FQDN.
hostnamectl set-hostname hq-cli.au-team.irpo

# Replaces the current shell so the prompt shows the new name; in a script this
# would end execution here, so run these steps interactively.
exec bash

6.2. Сеть через DHCP в VLAN 200

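# HQ-CLI: the NIC carries only tagged VLAN 200; enp7s1.200 takes its address
# from the HQ-RTR DHCP server (section 2.7). Quoted heredoc delimiters, no
# stray blank lines; CONFIG_IPV4 spelled as elsewhere on the page (etcnet
# options are shell variables, hence case-sensitive).
modprobe 8021q

mkdir -p /etc/net/ifaces/enp7s1 /etc/net/ifaces/enp7s1.200
cat > /etc/net/ifaces/enp7s1/options <<'EOF'
TYPE=eth
BOOTPROTO=static
CONFIG_IPV4=no
NM_CONTROLLED=no
DISABLED=no
ONBOOT=yes
EOF

cat > /etc/net/ifaces/enp7s1.200/options <<'EOF'
TYPE=vlan
HOST=enp7s1
VID=200
BOOTPROTO=dhcp
NM_CONTROLLED=no
ONBOOT=yes
EOF

systemctl restart network
# Expect a lease from 192.168.200.0/24 (the 2.7 pool is .3-.254).
ip a show enp7s1.200
ping -c 4 8.8.8.8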

6.3. Часовой пояс

# Install the zone data, pin the system time zone to Moscow, show the result.
apt-get update
apt-get install -y tzdata
timedatectl set-timezone Europe/Moscow
timedatectl status

GRE-туннель и OSPF

7.1. Настройка GRE на HQ-RTR

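# HQ-RTR side of the GRE tunnel to BR-RTR: outer endpoints are the ISP-facing
# addresses (172.16.1.2 -> 172.16.2.2), inner link 192.168.255.1/30.
# GRE carries no authentication or encryption of its own; the OSPF MD5 key in
# section 7.3 protects only the routing exchange, not the tunnelled traffic.
# Quoted heredoc delimiter, no stray blank lines in the body.
mkdir -p /etc/net/ifaces/gre1
cat > /etc/net/ifaces/gre1/options <<'EOF'
TYPE=iptun
TUNTYPE=gre
TUNLOCAL=172.16.1.2
TUNREMOTE=172.16.2.2
TUNTTL=64
BOOTPROTO=static
NM_CONTROLLED=no
ONBOOT=yes
EOF
printf '%s\n' 192.168.255.1/30 > /etc/net/ifaces/gre1/ipv4address

systemctl restart network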

7.2. Настройка GRE на BR-RTR

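# BR-RTR side of the GRE tunnel to HQ-RTR: outer endpoints 172.16.2.2 ->
# 172.16.1.2 (mirror of 7.1), inner link 192.168.255.2/30.
# GRE carries no authentication or encryption of its own; the OSPF MD5 key in
# section 7.3 protects only the routing exchange, not the tunnelled traffic.
# Quoted heredoc delimiter, no stray blank lines in the body.
mkdir -p /etc/net/ifaces/gre1
cat > /etc/net/ifaces/gre1/options <<'EOF'
TYPE=iptun
TUNTYPE=gre
TUNLOCAL=172.16.2.2
TUNREMOTE=172.16.1.2
TUNTTL=64
BOOTPROTO=static
NM_CONTROLLED=no
ONBOOT=yes
EOF
printf '%s\n' 192.168.255.2/30 > /etc/net/ifaces/gre1/ipv4address

systemctl restart network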

7.3. OSPF (FRR)

На HQ-RTR:

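# HQ-RTR: OSPF over the GRE tunnel with FRR. The page's config was collapsed
# onto one line and its heredoc never closed; restored in FRR's stanza layout.
apt-get install -y frr

# Turn the OSPF daemon on before the first start; frr reads this file at start-up.
sed -i 's/ospfd=no/ospfd=yes/' /etc/frr/daemons

# Quoted delimiter: nothing in the config is subject to shell expansion
# (a key containing `$` would otherwise be mangled).
cat > /etc/frr/frr.conf <<'EOF'
router ospf
 ospf router-id 1.1.1.1
 network 192.168.100.0/27 area 0
 network 192.168.200.0/24 area 0
 network 192.168.99.0/29 area 0
 network 192.168.255.0/30 area 0
!
interface gre1
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 P@ssw0rd
!
line vty
EOF
# NOTE(review): the FRR daemons usually run as an unprivileged user; if
# frr.conf was newly created here, confirm its owner/mode let them read it.
# The MD5 key sits in clear text, so the file must stay unreadable to others.

systemctl enable --now frr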

На BR-RTR:

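# BR-RTR: OSPF over the GRE tunnel with FRR, mirror of the HQ-RTR side.
# The page's config was collapsed onto one line and its heredoc never closed;
# restored in FRR's stanza layout.
apt-get install -y frr

# Turn the OSPF daemon on before the first start; frr reads this file at start-up.
sed -i 's/ospfd=no/ospfd=yes/' /etc/frr/daemons

# Quoted delimiter: nothing in the config is subject to shell expansion.
# The key must match the one configured on HQ-RTR (same key id and value).
cat > /etc/frr/frr.conf <<'EOF'
router ospf
 ospf router-id 2.2.2.2
 network 192.168.3.0/29 area 0
 network 192.168.255.0/30 area 0
!
interface gre1
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 P@ssw0rd
!
line vty
EOF
# NOTE(review): the FRR daemons usually run as an unprivileged user; if
# frr.conf was newly created here, confirm its owner/mode let them read it.
# The MD5 key sits in clear text, so the file must stay unreadable to others.

systemctl enable --now frr

# HQ-RTR should appear as a neighbour over gre1 once both sides are up.
vtysh -c "show ip ospf neighbor"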