Linux
, , 2015
. . .
, , , , .
, , . , () , - .
. - , .
, Linux. , . . () .
Linux. .
1.
(), .
TCP/IP, . . TCP/IP . - , , , .
(- ) , .
:
1. ,
2. .
() , , . , () . .
, ( , ..), , . . , . , . , (- , , ).
:
1. ( ),
2. (),
3. .
, , , .
, . : . . , , . . . , .
, . , , . . , , () ѻ.
:
1. ,
2. ( ).
, . , . , . .
, . . . . DoS-.
.
, , . :
1. ,
2. ,
3. .
, . . . DNS- ARP-, Novell NetWare SAP-.
. . . LOGOUT Novell NetWare.
. , .
. . DoS-.
:
1. ,
2. .
:
( ) ( ), .
(host) , .
(router) , .
(subnetwork) , , , . , . , .
.
, . , . . .
, . , , . , , .
ISO/OSI, :
1. ,
2. ,
3. ,
4. ,
5. ,
6. ,
7. .
(ISO) ISO 7498, (OSI), . , , 7- OSI. OSI . , ISO/OSI.
.
(sniffing) . , . , , . .
, . .
, .
. 1.1. : (sniffing) .
() , . , , , / .
. 1.2. .
. (.1.3).
. , , , , .
. 1.3. .
, , .
, , 2015
2.
, . , , , .
: 1) , ; 2) , .
, Debian. : Linux, Windows, Mac OS .
. 2.1. .
: eth0 , eth1 .
eth0, IP-, , DHCP- -. .
eth1 IP- 192.168.6.1 255.255.255.0.
.
root:
#sudo su
.
, /etc/network/interfaces nano. :
#nano /etc/network/interfaces
eth0, .
1. eth0 IP- DHCP :
auto eth0
iface eth0 inet dhcp
hwaddress ether 01:02:03:04:05:06
2. eth0 IP-, .
auto eth0
iface eth0 inet static
address A.A.A.A
netmask B.B.B.B
gateway C.C.C.C
dns-nameservers D.D.D.D E.E.E.E
hwaddress ether 01:02:03:04:05:06
X.X.X.X :
A.A.A.A () IP- ,
B.B.B.B ,
C.C.C.C , ,
D.D.D.D E.E.E.E IP- DNS-, .
hwaddress ether, eth0 MAC-. , , MAC-.
eth1, . IP-.
auto eth1
iface eth1 inet static
address 192.168.6.1
netmask 255.255.255.0
interfaces, , :
# /etc/network/interfaces for the lab gateway (chapter 2):
# eth0 = upstream/WAN side, eth1 = lab LAN side (192.168.6.0/24).
auto lo
iface lo inet loopback
# Upstream interface with a static configuration. A.A.A.A .. E.E.E.E are
# placeholders for the values the upstream network operator provides.
auto eth0
iface eth0 inet static
address A.A.A.A
netmask B.B.B.B
gateway C.C.C.C
dns-nameservers D.D.D.D E.E.E.E
# hwaddress ether overrides the NIC's factory MAC. 01:02:03:04:05:06 is only a
# sample: its first octet (01) has the group/multicast bit set, so Linux refuses
# to assign it; a real unicast MAC (even first octet) must be used here.
hwaddress ether 01:02:03:04:05:06
# LAN interface: static address that clients use as gateway, DNS and DHCP server.
auto eth1
iface eth1 inet static
address 192.168.6.1
netmask 255.255.255.0
(Ctrl+O), nano (Ctrl+X).
:
#/etc/init.d/networking restart
. .. DHCP-, IP- .
:
IP- 192.168.6.2
Mask ( ) 255.255.255.0
Gate () 192.168.6.1
DNS- ( ) 192.168.6.1
- :
#ping 192.168.6.1
.
.
dnsmasq, DNS , .
#apt-get install dnsmasq
,
#nslookup mail.ru
:
: UnKnown
Address: 192.168.6.1
: mail.ru
Addresses: 94.100.191.201
94.100.191.204
94.100.191.203
94.100.191.202
, , mail.ru, , .
.
:
#nano /etc/sysctl.conf
net.ipv4.ip_forward=1
# .
nano.
/etc/rc.local :
#nano /etc/rc.local
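# /etc/rc.local runs once at boot and, by default, ends with "exit 0".
# Anything placed after "exit 0" never executes, so the firewall rules
# must precede it.
# Flush the filter table (plain -F does not touch the nat table).
iptables -F
# Source-NAT everything leaving through eth0 (WAN) so LAN clients can reach outside.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Refuse WAN-to-WAN hairpin forwarding. Note: FORWARD keeps its default ACCEPT
# policy, so new connections arriving on eth0 for eth1 are still forwarded.
iptables -A FORWARD -i eth0 -o eth0 -j REJECT
exit 0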
eth0. , , eth0.
# Extended /etc/rc.local rule set (must be placed before "exit 0").
# Flush the filter table (plain -F does not touch the nat table).
iptables -F
# Source-NAT everything leaving through eth0 (WAN).
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Refuse WAN-to-WAN hairpin forwarding.
iptables -A FORWARD -i eth0 -o eth0 -j REJECT
# INPUT = traffic addressed to the gateway itself. Order matters: replies to
# the gateway's own connections (e.g. DNS) must be accepted before the eth0 DROP.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Nothing new from the WAN side may reach the gateway; everything from the LAN may.
iptables -A INPUT -i eth0 -j DROP
iptables -A INPUT -i eth1 -j ACCEPT
# Note: no policy is set for FORWARD, so its default ACCEPT still lets new
# connections arriving on eth0 be forwarded to eth1; only the hairpin case is refused.
, :
#reboot
- mail.ru .
, . . Switch ().
. 2.2. .
DHCP-, IP- . 192.168.6.2, 192.168.6.3, 192.168.6.4 ..
DHCP-, IP- , .
3. DHCP
. DHCP-.
DHCP (. Dynamic Host Configuration Protocol ) , IP- , TCP/IP. -. - DHCP, . , . . DHCP TCP/IP.
-.
root:
#sudo su
.
DHCP-:
#apt-get install isc-dhcp-server
.
, , 192.168.6.0/24. .. 254 .
DHCP-.
#nano /etc/default/isc-dhcp-server
INTERFACES. .. eth1, :
INTERFACES="eth1"
(Ctrl+O), nano (Ctrl+X).
DHCP :
#nano /etc/dhcp/dhcpd.conf
, , ( #) :
authoritative;
, , , .
default-lease-time 600;
max-lease-time 7200;
. IP- 192.168.6.10 192.168.6.254. 255.255.255.0 ( 24 bit). , DNS , IP- eth1 192.168.6.1.
, . 7 .
# Lab LAN scope, served on eth1 (INTERFACES="eth1" in /etc/default/isc-dhcp-server).
subnet 192.168.6.0 netmask 255.255.255.0 {
# Dynamic pool; .1 (gateway) and .2-.9 are left free for static hosts.
range 192.168.6.10 192.168.6.254;
# Clients use the gateway both as DNS server and as default route.
option domain-name-servers 192.168.6.1;
# example.org is a reserved documentation domain; replace with the lab's own.
option domain-name "example.org";
option routers 192.168.6.1;
option broadcast-address 192.168.6.255;
# 604800 s = 7 days; these override the global 600/7200 values set above.
default-lease-time 604800;
max-lease-time 604800;
}
(Ctrl+O), nano (Ctrl+X).
DHCP-
#/etc/init.d/isc-dhcp-server restart
, IP DHCP-. .
IP- , DHCP-. IP- MAC- .
:
#nano /etc/dhcp/dhcpd.conf
dhcpd.conf :
# Static reservation: the client with this MAC always receives 192.168.6.11.
host testhost {
# NOTE(review): "s8" is not a hexadecimal octet, so dhcpd will reject this file
# as written; use the client's real MAC (six hex octets, aa:bb:cc:dd:ee:ff).
hardware ethernet 00:01:8a:e3:s8:92;
# NOTE(review): .11 lies inside the dynamic pool (192.168.6.10-254) declared above;
# confirm dhcpd excludes it from dynamic allocation, or reserve an address below .10.
fixed-address 192.168.6.11;
}
, MAC- 00:01:8a:e3:s8:92 IP- 192.168.6.11.
, , (/), :
#nano /var/lib/dhcp/dhcpd.leases
, , 2015
4. - Privoxy
- ( . proxy , ) ( ) , . - - , . - . - . - .
- . :
1. HTTP, ;
2. ;
3. ;
4. ( );
5. - ( TCP/IP);
6. , , HTTP SOCKS- , ;
7. () .
, , , NAT, - , NAT ( , ).
Privoxy - - () , -, cookies, , , , (-).
:
1. , -;
2. .
. 4.1. - .
-.
Linux. Debian 7. -.
root. root:
#sudo su
.
privoxy :
#apt-get install privoxy
Privoxy, :
#rm /etc/privoxy/config
nano:
#nano /etc/privoxy/config
# /etc/privoxy/config (chapter 4): filtering HTTP proxy, no upstream forwarder.
confdir /etc/privoxy
logdir /var/log/privoxy
# Action and filter files, processed in the order listed.
actionsfile default.action
actionsfile user.action
filterfile default.filter
# Relative to logdir -> /var/log/privoxy/logfile
logfile logfile
# Log levels: 4096 = startup banner and warnings, 8192 = non-fatal errors.
debug 4096
debug 8192
user-manual /usr/share/doc/privoxy/user-manual
# Bind to the LAN address only; clients must use 192.168.6.1:8118.
listen-address 192.168.6.1:8118
# Filtering active.
toggle 1
# Clients may not switch filtering off or edit actions through the proxy's web interface.
enable-remote-toggle 0
enable-edit-actions 0
enable-remote-http-toggle 0
# Maximum KB buffered per response for filtering.
buffer-limit 4096
(Ctrl+O), nano (Ctrl+X).
.
, . nano /etc/apt/apt.conf :
#nano /etc/apt/apt.conf
// Send apt through Privoxy on the gateway.
// NOTE(review): the scheme in a proxy URL names the protocol spoken to the
// proxy; Privoxy is an HTTP proxy, so http://192.168.6.1:8118/ is normally
// used for the https and ftp entries as well (Privoxy has no FTP support) — confirm.
Acquire::http::proxy "http://192.168.6.1:8118/";
Acquire::https::proxy "https://192.168.6.1:8118/";
Acquire::ftp::proxy "ftp://192.168.6.1:8118/";
(Ctrl+O), nano (Ctrl+X).
. /etc/environment :
#nano /etc/environment
# Proxy variables for login sessions (pam_env reads this file at login).
# NOTE(review): the scheme names the protocol spoken to the proxy; Privoxy is
# an HTTP proxy, so http://192.168.6.1:8118/ is normally used for all three
# (and Privoxy does not proxy FTP at all) — confirm with the tools in use.
http_proxy="http://192.168.6.1:8118/"
https_proxy="https://192.168.6.1:8118/"
ftp_proxy="ftp://192.168.6.1:8118/"
(Ctrl+O), nano (Ctrl+X).
, - . .
, Privoxy. .
#nano /etc/iptables.up.rules
# iptables-restore format, loaded by "pre-up" in /etc/network/interfaces.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
# Default-deny for traffic generated on this host; only the exceptions below may leave.
:OUTPUT DROP [0:0]
-A OUTPUT -d 127.0.0.1/32 -j ACCEPT
# 192.168.6.1/24 is the whole 192.168.6.0/24 subnet (iptables masks the host bits): LAN traffic allowed.
-A OUTPUT -d 192.168.6.1/24 -j ACCEPT
# Only processes running as the privoxy user may talk to the outside, which
# forces local clients through the proxy. The owner match applies to locally
# generated packets only; forwarded traffic is unaffected.
# NOTE(review): dhclient renewals on eth0 and any other root/system traffic are
# also dropped by the OUTPUT policy — confirm lease renewal still works.
-A OUTPUT -m owner --uid-owner privoxy -j ACCEPT
COMMIT
(Ctrl+O), nano (Ctrl+X).
:
#nano /etc/network/interfaces
:
pre-up iptables-restore < /etc/iptables.up.rules
(Ctrl+O), nano (Ctrl+X).
interfaces, , :
# /etc/network/interfaces: eth0 = upstream (DHCP client), eth1 = lab LAN.
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1 inet static
address 192.168.6.1
netmask 255.255.255.0
# Load the firewall before eth1 comes up, so the OUTPUT DROP policy from
# /etc/iptables.up.rules is in place before the LAN interface is active.
pre-up iptables-restore < /etc/iptables.up.rules
.
#reboot
- 192.168.6.1:8118. 192.168.6.1 8118 , .
-:
1. -, ;
2. , ;
3. , .
-, . : . ?
, , 2015
5. Privoxy.
. - , URL-. - Privoxy, .
, , - , . ( ) , .
. - , , . -. , , , , .
. - , , . , . .
Privoxy .
root. root:
#sudo su
.
etc/privoxy/whitelist.action:
#nano /etc/privoxy/whitelist.action
.
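############################################################
# whitelist.action: block everything, then re-allow listed sites.
# Lines starting with "#" are comments; any other line outside a
# { } section is read by Privoxy as a URL pattern, so section
# markers must be comments. Wildcard patterns such as .*wiki*.*
# effectively match any domain whose name contains that text (any
# TLD), so this allow list is much broader than the site names
# suggest; prefer full host names (e.g. .wikipedia.org) where possible.
############################################################
# Blacklist
############################################################
{ +block }
/ # Block *all* URLs
############################################################
# Whitelist
############################################################
{ -block }
# ----- general -----
.*2ip.ru
.*akinator*.*
.*bing.com
.*canonical*.*
.*certifications*.*
.*fsdn*.* # for sourceforge
.*google*.*
.*habrahabr*.*
.*lurkmore*.*
.*mail.ru
.*mailru.su
.*narod*.*
.*opennet*.*
.*rambler*.*
.*sourceforge*.*
.*torproject*.*
.*wiki*.*
.*ya.ru
.*yandex*.*
.*yastatic*.* # for yandex
# ----- systems -----
.*centos*.*
.*debian*.*
.*fedora*.*
.*freebsd*.*
.*gentoo*.*
.*knoppix*.*
.*linux*.*
.*mandrake*.*
.*mandriva*.*
.*minix*.*
.*openbsd*.*
.*puppy*.*
.*redhat*.*
.*slackware*.*
.*slax*.*
.*solaris*.*
.*suse*.*
.*ubunt*.*
# ----- programs -----
.*apach*.*
.*comodo*.*
.*denwer.ru
.*mozilla*.*
.*nginx*.*
.*zilla*.*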
(Ctrl+O), nano (Ctrl+X).
. Privoxy /etc/privoxy/whitelist.action /etc/privoxy/config:
#nano /etc/privoxy/config
actionsfile whitelist.action
(Ctrl+O), nano (Ctrl+X).
Privoxy:
#service privoxy restart
, , , Privoxy .
, (). - ( ) -, . , , microsoft.com xakep.ru, .
, , , .
, DNS-.
DNS (. Domain Name System ) . IP- ( ).
, DNS , (IP) . , yandex.ru 213.180.204.11. , -, IP- DNS.
DNS- - , , - . , DNS-.
DNS .DNS.
DNS
77.88.8.8
77.88.8.1
77.88.8.88
77.88.8.2
77.88.8.7
77.88.8.3
.
, . . , . .DNS . .DNS , Sophos.
.
. . .DNS .
.
, , , . , - . . .DNS , . Virus Tracker.
.DNS : MetaCert DNS, Norton ConnectSafe, OpenDNS Premium DNS, Comodo Secure DNS.
6. - Privoxy Tor
, Tor . -, Tor.
. 6.1. Tor- .
Tor (. . The Onion Router) . -, , . , .
Tor , , , , TCP. . Tor , , , .
Tor , -. Tor , . Tor . Tor . Tor .
, :
1. Debian 7 , -;
2. .
-.
root. root:
#sudo su
.
(). /etc/apt/sources.list:
#nano /etc/apt/sources.list
# Tor Project's own Debian repository; the suite name must match the installed
# release (wheezy = Debian 7). Plain http is acceptable only because apt checks
# the repository signature with the key imported next — compare the full
# fingerprint shown there with the one published by the Tor Project before apt-key add.
deb http://deb.torproject.org/torproject.org wheezy main
(Ctrl+O), nano (Ctrl+X).
, wheezy Linux. Debian 7 Wheezy, wheezy. Linux - http://deb.torproject.org/torproject.org/.
, , Tor, Vidalia, Privoxy, :
#gpg --keyserver keys.gnupg.net --recv 886DDD89
#gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
#apt-get update
#apt-get install privoxy vidalia deb.torproject.org-keyring
Vidalia debian-tor. .
Privoxy:
#rm /etc/privoxy/config
Privoxy:
#nano /etc/privoxy/config
# /etc/privoxy/config (chapter 6): Privoxy filters, then hands every request to Tor.
# "/" = all URLs; 192.168.6.1:9050 = Tor's SocksPort; "." = no HTTP parent proxy.
# socks4a passes host names to Tor for resolution, so client DNS lookups do not
# leave the gateway outside Tor.
forward-socks4a / 192.168.6.1:9050 .
confdir /etc/privoxy
logdir /var/log/privoxy
# Action and filter files, processed in the order listed.
actionsfile default.action
actionsfile user.action
filterfile default.filter
# Relative to logdir -> /var/log/privoxy/logfile
logfile logfile
# Log levels: 4096 = startup banner and warnings, 8192 = non-fatal errors.
debug 4096
debug 8192
user-manual /usr/share/doc/privoxy/user-manual
# Bind to the LAN address only; clients must use 192.168.6.1:8118.
listen-address 192.168.6.1:8118
# Filtering active.
toggle 1
# Clients may not switch filtering off or edit actions through the proxy's web interface.
enable-remote-toggle 0
enable-edit-actions 0
enable-remote-http-toggle 0
# Maximum KB buffered per response for filtering.
buffer-limit 4096
(Ctrl+O), nano (Ctrl+X).
Tor:
#rm /etc/tor/torrc
Tor:
#nano /etc/tor/torrc
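# /etc/tor/torrc for the lab gateway: Tor acts as a SOCKS proxy for the LAN.
# Bind the SOCKS port to the LAN address rather than to all interfaces.
SocksPort 192.168.6.1:9050
# Restrict SOCKS clients to the lab subnet. Tor accepts any address that no
# SocksPolicy entry matches, so an accept line alone restricts nothing; the
# trailing reject makes the policy effective.
SocksPolicy accept 192.168.6.0/24
SocksPolicy reject *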
(Ctrl+O), nano (Ctrl+X).
-.
, . nano /etc/apt/apt.conf :
#nano /etc/apt/apt.conf
// Send apt through Privoxy (and hence Tor) on the gateway.
// NOTE(review): the scheme in a proxy URL names the protocol spoken to the
// proxy; Privoxy is an HTTP proxy, so http://192.168.6.1:8118/ is normally
// used for the https and ftp entries as well (Privoxy has no FTP support) — confirm.
Acquire::http::proxy "http://192.168.6.1:8118/";
Acquire::https::proxy "https://192.168.6.1:8118/";
Acquire::ftp::proxy "ftp://192.168.6.1:8118/";
(Ctrl+O), nano (Ctrl+X).
. /etc/environment :
#nano /etc/environment
# Proxy variables for login sessions (pam_env reads this file at login).
# NOTE(review): the scheme names the protocol spoken to the proxy; Privoxy is
# an HTTP proxy, so http://192.168.6.1:8118/ is normally used for all three
# (and Privoxy does not proxy FTP at all) — confirm with the tools in use.
http_proxy="http://192.168.6.1:8118/"
https_proxy="https://192.168.6.1:8118/"
ftp_proxy="ftp://192.168.6.1:8118/"
(Ctrl+O), nano (Ctrl+X).
, Tor. .
#nano /etc/iptables.up.rules
# iptables-restore format, loaded by "pre-up" in /etc/network/interfaces.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
# Default-deny for traffic generated on this host; only the exceptions below may leave.
:OUTPUT DROP [0:0]
-A OUTPUT -d 127.0.0.1/32 -j ACCEPT
# 192.168.6.1/24 is the whole 192.168.6.0/24 subnet (iptables masks the host bits).
# This also lets Privoxy reach Tor's SocksPort on 192.168.6.1:9050.
-A OUTPUT -d 192.168.6.1/24 -j ACCEPT
# Only the Tor daemon (user debian-tor) may talk to the outside, so every
# external connection from this host must go through Tor. The owner match
# applies to locally generated packets only; forwarded traffic is unaffected.
# NOTE(review): dhclient renewals on eth0 and other root/system traffic are
# also dropped by the OUTPUT policy — confirm lease renewal still works.
-A OUTPUT -m owner --uid-owner debian-tor -j ACCEPT
COMMIT
(Ctrl+O), nano (Ctrl+X).
:
#nano /etc/network/interfaces
:
pre-up iptables-restore < /etc/iptables.up.rules
(Ctrl+O), nano (Ctrl+X).
interfaces, , :
# /etc/network/interfaces: eth0 = upstream (DHCP client), eth1 = lab LAN.
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1 inet static
address 192.168.6.1
netmask 255.255.255.0
# Load the firewall before eth1 comes up, so the OUTPUT DROP policy from
# /etc/iptables.up.rules is in place before the LAN interface is active.
pre-up iptables-restore < /etc/iptables.up.rules
.
#reboot
- :
1) 192.168.6.1:8118 HTTP- Privoxy;
2) 192.168.6.1:9050 SOCKS- Tor.
- 8118 9050. -, 8118- 9050- . Tor. , Privoxy Tor. , Tor (parent proxy, forward proxy) Privoxy.
. 6.2. Privoxy Tor.
- , .. HTTP-, SOCKS.
, - Tor, - : , . , IPTables.
, , 2015
7.
() , . , , -: , (), (), (, , ) .
. 7.1. DMZ .
.
, : (WAN), (LAN), . , : , , . , ( ) .
.
, : , . . , , . , ; , , . .
. 7.2. DMZ .
, (. 7.3).
, :
1. Debian 7 , , 2 ;
2. ;
3. - IP- 192.168.6.22.
, 80- - . .
. 7.3. DMZ .
root:
#sudo su
.
-, /etc/rc.local.
#nano /etc/rc.local
:
# Gateway rule set in /etc/rc.local (must be placed before "exit 0").
# Flush the filter table (plain -F does not touch the nat table).
iptables -F
# Source-NAT everything leaving through eth0 (WAN).
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Refuse WAN-to-WAN hairpin forwarding.
iptables -A FORWARD -i eth0 -o eth0 -j REJECT
# INPUT = traffic addressed to the gateway itself. Order matters: replies to
# the gateway's own connections must be accepted before the eth0 DROP.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Nothing new from the WAN side may reach the gateway; everything from the LAN may.
iptables -A INPUT -i eth0 -j DROP
iptables -A INPUT -i eth1 -j ACCEPT
# Note: no policy is set for FORWARD, so its default ACCEPT still lets new
# connections arriving on eth0 be forwarded to eth1.
, 80- 192.168.6.22 :
# Publish the DMZ web server: rewrite TCP port 80 arriving on eth0 to
# 192.168.6.22, then allow the forwarded connection.
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 192.168.6.22:80
# NOTE(review): with the rule set above, FORWARD keeps its default ACCEPT policy
# and nothing drops new eth0->eth1 connections, so this ACCEPT changes nothing
# and the web server is not actually isolated. For the exception to matter,
# FORWARD needs a DROP policy plus ACCEPT rules for eth1->eth0 and for
# ESTABLISHED,RELATED traffic. The server also sits in the same 192.168.6.0/24
# as the clients, so it is not separated from the LAN either.
iptables -A FORWARD -i eth0 -d 192.168.6.22 -p tcp --dport 80 -j ACCEPT
(Ctrl+O), nano (Ctrl+X).
:
#reboot
eth0 80-. , 80 eth0, web- 192.168.6.22. , .
. , .. .
Linux.
. , : , ..
-, , .
nix-.
, , 2015
1. .. . . һ, ., 2009;
2. .. . Firewalls. . ʻ, ., 2008;
3. , . Cisco Secure PIX. , ., 2009;
4. .. . . ., 2008;
5. .. . . һ, ., 2009;
6. , 2008;
7. . . -, 2012;
8. .. . V.-.: ,2010. -640.
9. 9-19. .2007.
10. .. . . 2006. 12-13.
11. .. . .: , 2001. 112 .
12. .. .: ,2006. 94 .
13. : / .., .., .. : , 2003. 119 .
14. (. 13 2012 . -7-4/6@)
15. .. . -:,2012.-188.