13. Скрипты по пунктам (B3)

Модуль 1. Настройка сетевой инфраструктуры

В3

Модуль 1
------------------------------------------ISP------------------------------------------

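#!/bin/bash
# ISP: ALT Linux box acting as the upstream router for HQ-RTR (172.16.50.0/28
# on enp7s2) and BR-RTR (172.16.60.0/28 on enp7s3). enp7s1 is the uplink and
# is left as the image configured it.
#
# Run as root as a script. The original sequence had `exec bash` right after
# set-hostname; in a script that replaces the interpreter with an interactive
# shell and silently skips everything below it, so it is dropped here.
set -euo pipefail

# Package source: only the exam's local mirror is active.
# NOTE(review): the active lines carry no `[p10]` vendor-key tag, so apt does
# not verify package signatures for this repository. Acceptable only on the
# isolated exam network, never for a production host.
cat > /etc/apt/sources.list.d/alt.list <<'EOF'
# ftp.altlinux.org (ALT Linux, Moscow)

# ALT Platform 10
#rpm [p10] ftp://ftp.altlinux.org/pub/distributions/ALTLinux p10/branch/x86_64 classic gostcrypto
#rpm [p10] ftp://ftp.altlinux.org/pub/distributions/ALTLinux p10/branch/x86_64-i586 classic
#rpm [p10] ftp://ftp.altlinux.org/pub/distributions/ALTLinux p10/branch/noarch classic

#rpm [p10] http://ftp.altlinux.org/pub/distributions/ALTLinux p10/branch/x86_64 classic gostcrypto
#rpm [p10] http://ftp.altlinux.org/pub/distributions/ALTLinux p10/branch/x86_64-i586 classic
#rpm [p10] http://ftp.altlinux.org/pub/distributions/ALTLinux p10/branch/noarch classic

#rpm [p10] rsync://ftp.altlinux.org/ALTLinux p10/branch/x86_64 classic gostcrypto
#rpm [p10] rsync://ftp.altlinux.org/ALTLinux p10/branch/x86_64-i586 classic
#rpm [p10] rsync://ftp.altlinux.org/ALTLinux p10/branch/noarch classic

rpm http://10.0.50.50/sisa p10/x86_64 classic
rpm http://10.0.50.50/sisa p10/noarch classic
EOF

hostnamectl set-hostname isp

# Keep the legacy etcnet/sysconfig hostname in sync (idempotent).
if grep -q "^HOSTNAME=" /etc/sysconfig/network 2>/dev/null; then
    sed -i "s/^HOSTNAME=.*/HOSTNAME=isp/" /etc/sysconfig/network
else
    echo "HOSTNAME=isp" >> /etc/sysconfig/network
fi

# Static addressing for the two downstream links (etcnet layout).
# `mkdir -p` so a re-run does not abort on an existing interface directory.
for iface in enp7s2 enp7s3; do
    mkdir -p "/etc/net/ifaces/$iface"
    printf 'TYPE=eth\nBOOTPROTO=static\n' > "/etc/net/ifaces/$iface/options"
done
echo "172.16.50.1/28" > /etc/net/ifaces/enp7s2/ipv4address
echo "172.16.60.1/28" > /etc/net/ifaces/enp7s3/ipv4address

# Enable routing between the links; etcnet applies /etc/net/sysctl.conf when
# the network service restarts, so one restart covers addresses and sysctl.
if grep -q "^net.ipv4.ip_forward" /etc/net/sysctl.conf 2>/dev/null; then
    sed -i "s/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/" /etc/net/sysctl.conf
else
    echo "net.ipv4.ip_forward = 1" >> /etc/net/sysctl.conf
fi
systemctl restart network

apt-get update
apt-get install -y iptables tzdata

# Source NAT for both customer networks towards the uplink. Check with -C
# before -A so re-running the script does not stack duplicate rules.
for net in 172.16.50.0/28 172.16.60.0/28; do
    iptables -t nat -C POSTROUTING -s "$net" -o enp7s1 -j MASQUERADE 2>/dev/null \
        || iptables -t nat -A POSTROUTING -s "$net" -o enp7s1 -j MASQUERADE
done

# Overwrite (not append to) the persisted ruleset so it mirrors the live
# tables instead of accumulating a copy per run.
# NOTE(review): only the nat table is configured; the filter table stays at
# its ACCEPT defaults, so nothing here restricts traffic between the two
# customer links or towards the ISP host itself.
iptables-save > /etc/sysconfig/iptables
systemctl enable --now iptables

timedatectl set-timezone Asia/Yakutsk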

------------------------------------------HQ-RTR------------------------------------------

enable
configure terminal
hostname hq-rtr
ip domain-name au-team.irpo
write memory

interface vl113
ip nat inside 
ip address 192.168.113.1/27
exit
interface vl213
ip nat inside 
ip address 192.168.213.1/28
exit
interface vl813
ip nat inside 
ip address 192.168.13.1/29
exit
write memory

port te1
service-instance te1/vl113
encapsulation dot1q 113 exact                  
rewrite pop 1
connect ip interface vl113 
exit
service-instance te1/vl213
encapsulation dot1q 213 exact 
rewrite pop 1
connect ip interface vl213 
exit
service-instance te1/vl813
encapsulation dot1q 813 exact 
rewrite pop 1
connect ip interface vl813 
exit
exit
write memory

interface isp
ip nat outside                    
ip address 172.16.50.2/28
exit
ip route 0.0.0.0/0 172.16.50.1
port te0
service-instance te0/isp
encapsulation untagged 
connect ip interface isp 
exit
exit
write memory

username net_admin
password P@ssw0rd
role admin 
exit
write memory

interface tunnel.0
ip address 10.10.10.1/30
ip tunnel 172.16.50.2 172.16.60.2 mode gre
ip ospf authentication message-digest 
ip ospf message-digest-key 1 md5 P@ssw0rd
exit
write memory
 
router ospf 1
ospf router-id 10.10.10.1
passive-interface default 
no passive-interface tunnel.0 
network 10.10.10.0/30 area 0
network 192.168.113.0/27 area 0
network 192.168.213.0/28 area 0
network 192.168.13.0/29 area 0
exit
write memory

ip nat pool VLAN113 192.168.113.1-192.168.113.30
ip nat pool VLAN213 192.168.213.1-192.168.213.14
ip nat pool VLAN813 192.168.13.1-192.168.13.6
ip nat source dynamic inside-to-outside pool VLAN113 overload interface isp 
ip nat source dynamic inside-to-outside pool VLAN213 overload interface isp 
ip nat source dynamic inside-to-outside pool VLAN813 overload interface isp 
write memory

ip pool VLAN213 1
range 192.168.213.2-192.168.213.14
exit
exit
dhcp-server 1
pool VLAN213 1
mask 28
gateway 192.168.213.1
dns 192.168.113.2
domain-name au-team.irpo
exit
exit
interface vl213
dhcp-server 1
exit
write memory

ip name-server 192.168.213.2

ntp timezone utc+9
write memory

------------------------------------------BR-RTR------------------------------------------
enable 
configure terminal                   
hostname br-rtr
ip domain-name au-team.irpo
write memory

interface int1
ip nat inside 
ip address 192.168.0.1/28                 
exit
port te1
service-instance te1/int1
encapsulation untagged 
connect ip interface int1 
exit
exit
write memory

interface isp
ip nat outside 
ip address 172.16.60.2/28
exit
ip route 0.0.0.0/0 172.16.60.1
port te0
service-instance te0/isp
encapsulation untagged 
connect ip interface isp
exit
exit
write memory

username net_admin
password P@ssw0rd
role admin 
exit
write memory

interface tunnel.0
ip address 10.10.10.2/30
ip tunnel 172.16.60.2 172.16.50.2 mode gre
ip ospf authentication message-digest 
ip ospf message-digest-key 1 md5 P@ssw0rd 
exit
write memory

router ospf 1
ospf router-id 10.10.10.2
passive-interface default 
no passive-interface tunnel.0 
network 192.168.0.0/28 area 0
network 10.10.10.0/30 area 0
exit
write memory

ip nat pool BR-Net 192.168.0.1-192.168.0.14
ip nat source dynamic inside-to-outside pool BR-Net overload interface isp                 
write memory

ip name-server 192.168.0.2

ntp timezone utc+9
write memory

------------------------------------------HQ-SRV------------------------------------------
(не забудьте назначить VLAN-теги сетевым интерфейсам виртуальных машин, иначе HQ-SRV и HQ-CLI не увидят свой шлюз на HQ-RTR)

HQ-SRV — VLAN 113
HQ-CLI — VLAN 213



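#!/bin/bash
# HQ-SRV: ALT Linux server in VLAN 113 (192.168.113.2/27). Provides:
#   * SSH on port 2013 for the single account `sshuser` (banner, 2 auth tries)
#   * authoritative DNS for au-team.irpo plus the two reverse zones,
#     forwarding everything else to 10.0.0.1
#
# Run as root as a script. The original sequence had `exec bash` right after
# set-hostname; in a script that replaces the interpreter with an interactive
# shell and silently skips everything below it, so it is dropped here.
set -euo pipefail

SSHD_CONF=/etc/openssh/sshd_config
# named runs chrooted on ALT; /etc/bind and /var/lib/bind/etc refer to the
# same tree — paths below are kept as the original used them.
BIND_ETC=/var/lib/bind/etc
ZONE_DIR=$BIND_ETC/zone
# Passwordless sudo is what the task requires; it is a full root equivalent.
SUDO_RULE='sshuser ALL=(ALL:ALL) NOPASSWD: ALL'

# set_sshd_opt KEY VALUE — set KEY in sshd_config, replacing an existing
# (possibly commented-out) line or appending one when the key is absent.
# The original `sed` calls silently did nothing when the key was missing.
set_sshd_opt() {
    local key=$1 value=$2
    if grep -Eq "^#?${key} " "$SSHD_CONF"; then
        sed -i -E "s|^#?${key} .*|${key} ${value}|" "$SSHD_CONF"
    else
        printf '%s %s\n' "$key" "$value" >> "$SSHD_CONF"
    fi
}

# soa_header — $TTL/SOA/NS preamble shared by all three zones.
# Bump the serial whenever a record changes; a secondary (none today) would
# otherwise never refresh.
soa_header() {
    cat <<'EOF'
$TTL    1D
@       IN      SOA     au-team.irpo. root.au-team.irpo. (
                                2025062300      ; serial
                                12H             ; refresh
                                1H              ; retry
                                1W              ; expire
                                1H              ; ncache
                        )
        IN      NS      au-team.irpo.
EOF
}

# Package source: only the exam's local mirror is active.
# NOTE(review): the active lines carry no `[p10]` vendor-key tag, so apt does
# not verify package signatures for this repository. Acceptable only on the
# isolated exam network, never for a production host.
cat > /etc/apt/sources.list.d/alt.list <<'EOF'
# ftp.altlinux.org (ALT Linux, Moscow)

# ALT Platform 10
#rpm [p10] ftp://ftp.altlinux.org/pub/distributions/ALTLinux p10/branch/x86_64 classic gostcrypto
#rpm [p10] ftp://ftp.altlinux.org/pub/distributions/ALTLinux p10/branch/x86_64-i586 classic
#rpm [p10] ftp://ftp.altlinux.org/pub/distributions/ALTLinux p10/branch/noarch classic

#rpm [p10] http://ftp.altlinux.org/pub/distributions/ALTLinux p10/branch/x86_64 classic gostcrypto
#rpm [p10] http://ftp.altlinux.org/pub/distributions/ALTLinux p10/branch/x86_64-i586 classic
#rpm [p10] http://ftp.altlinux.org/pub/distributions/ALTLinux p10/branch/noarch classic

#rpm [p10] rsync://ftp.altlinux.org/ALTLinux p10/branch/x86_64 classic gostcrypto
#rpm [p10] rsync://ftp.altlinux.org/ALTLinux p10/branch/x86_64-i586 classic
#rpm [p10] rsync://ftp.altlinux.org/ALTLinux p10/branch/noarch classic

rpm http://10.0.50.50/sisa p10/x86_64 classic
rpm http://10.0.50.50/sisa p10/noarch classic
EOF

hostnamectl set-hostname hq-srv.au-team.irpo

# Keep the legacy etcnet/sysconfig hostname in sync (idempotent).
if grep -q "^HOSTNAME=" /etc/sysconfig/network 2>/dev/null; then
    sed -i "s/^HOSTNAME=.*/HOSTNAME=hq-srv.au-team.irpo/" /etc/sysconfig/network
else
    echo "HOSTNAME=hq-srv.au-team.irpo" >> /etc/sysconfig/network
fi

# Static address in VLAN 113; HQ-RTR is the gateway. The upstream resolver is
# used until the local named is up, then resolv.conf is switched to it below.
mkdir -p /etc/net/ifaces/enp7s1
echo "192.168.113.2/27" > /etc/net/ifaces/enp7s1/ipv4address
echo "default via 192.168.113.1" > /etc/net/ifaces/enp7s1/ipv4route
echo "nameserver 10.0.0.1" > /etc/net/ifaces/enp7s1/resolv.conf
printf 'TYPE=eth\nBOOTPROTO=static\n' > /etc/net/ifaces/enp7s1/options
systemctl restart network

# --- SSH account ---------------------------------------------------------
# -m creates the home directory; without it the account exists but a login
# has nowhere to land.
if ! id sshuser >/dev/null 2>&1; then
    useradd -m -u 2013 sshuser
fi
# Password is mandated by the task and therefore sits in this file in clear
# text; rotate it once grading is done.
printf '%s\n' "sshuser:P@ssw0rd" | chpasswd
if getent group wheel >/dev/null; then
    usermod -aG wheel sshuser
fi

# Validate the sudoers change with visudo on a copy before installing it:
# a syntax error written straight into /etc/sudoers disables sudo entirely.
if ! grep -qxF "$SUDO_RULE" /etc/sudoers; then
    tmp=$(mktemp)
    cat /etc/sudoers > "$tmp"
    printf '%s\n' "$SUDO_RULE" >> "$tmp"
    if ! visudo -cf "$tmp" >/dev/null; then
        echo "sudoers rule rejected by visudo; /etc/sudoers left untouched" >&2
        rm -f -- "$tmp"
        exit 1
    fi
    # Write through the existing inode so owner/mode of /etc/sudoers stay as is.
    cat "$tmp" > /etc/sudoers
    rm -f -- "$tmp"
fi

set_sshd_opt Port 2013
set_sshd_opt MaxAuthTries 2
set_sshd_opt Banner /etc/openssh/banner
set_sshd_opt AllowUsers sshuser
echo "Authorized access only" > /etc/openssh/banner
# Refuse to restart on a broken config: on a remote host that is a lockout.
sshd -t
systemctl restart sshd

# --- DNS (BIND) ----------------------------------------------------------
apt-get update
apt-get install -y bind bind-utils

# named options. Compared with the stock file, recursion is limited to the
# lab's RFC 1918 ranges instead of `any`, so the host cannot serve as an open
# resolver if it is ever reachable from outside. allow-query stays `any`
# because the server is authoritative for au-team.irpo. dnssec-validation is
# off because the upstream forwarder 10.0.0.1 is not known to serve signed
# answers — TODO confirm and enable if it does.
cat > "$BIND_ETC/options.conf" <<'EOF'
acl lab-nets { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; localhost; };

options {
    version "unknown";
    directory "/etc/bind/zone";
    dump-file "/var/run/named/named_dump.db";
    statistics-file "/var/run/named/named.stats";
    recursing-file "/var/run/named/named.recursing";
    secroots-file "/var/run/named/named.secroots";

    // disables the use of a PID file
    pid-file none;

    listen-on { 192.168.113.2; };
    #listen-on-v6 { none; };
    dnssec-validation no;

    recursion yes;
    allow-query { any; };
    allow-recursion { lab-nets; };

    // "first": ask 10.0.0.1, fall back to iterative resolution if it fails.
    forward first;
    forwarders { 10.0.0.1; };
};

logging {
    // default_debug only produces output when the debug level is non-zero;
    // uncomment the channel to keep that output in a file.
    // channel default_debug {
    //     file "/var/log/named/named.run" versions 10 size 20m;
    //     print-time yes;
    //     print-category yes;
    //     print-severity yes;
    //     severity dynamic;
    // };
};
EOF

# Zone declarations. This replaces ALT's stock rfc1912.conf (localhost zones),
# exactly as the original did.
cat > "$BIND_ETC/rfc1912.conf" <<'EOF'
zone "au-team.irpo" {
    type master;
    file "au-team.irpo";
};

zone "113.168.192.in-addr.arpa" {
    type master;
    file "113.168.192.in-addr.arpa";
};

zone "213.168.192.in-addr.arpa" {
    type master;
    file "213.168.192.in-addr.arpa";
};
EOF

# Forward zone. `docker` and `web` resolve to the ISP-side addresses as the
# task specifies; hq-rtr gets one A record per VLAN interface.
{
    soa_header
    cat <<'EOF'
        IN      A       192.168.113.2
hq-srv  IN      A       192.168.113.2
hq-cli  IN      A       192.168.213.2
hq-rtr  IN      A       192.168.113.1
hq-rtr  IN      A       192.168.213.1
hq-rtr  IN      A       192.168.13.1
docker  IN      A       172.16.50.1
web     IN      A       172.16.60.1
br-srv  IN      A       192.168.0.2
br-rtr  IN      A       192.168.0.1
EOF
} > "$ZONE_DIR/au-team.irpo"

{
    soa_header
    cat <<'EOF'
1       IN      PTR     hq-rtr.au-team.irpo.
2       IN      PTR     hq-srv.au-team.irpo.
EOF
} > "$ZONE_DIR/113.168.192.in-addr.arpa"

{
    soa_header
    cat <<'EOF'
1       IN      PTR     hq-rtr.au-team.irpo.
2       IN      PTR     hq-cli.au-team.irpo.
EOF
} > "$ZONE_DIR/213.168.192.in-addr.arpa"

# Fail here, not at service start, if the config or a zone is malformed.
named-checkconf
for zone in au-team.irpo 113.168.192.in-addr.arpa 213.168.192.in-addr.arpa; do
    named-checkzone "$zone" "$ZONE_DIR/$zone"
done

# Control-channel key. rndc-confgen prints a full rndc.conf; only its leading
# key block (first five lines) belongs in rndc.key. The secret must not be
# world-readable — a plain redirect would create it 0644 under the default
# umask — so ownership and mode are set explicitly.
rndc-confgen | sed -n '1,5p' > "$BIND_ETC/rndc.key"
chown root:named "$BIND_ETC/rndc.key"
chmod 0640 "$BIND_ETC/rndc.key"

chown -R root:named "$ZONE_DIR"/*

systemctl enable --now bind.service

# Now that named answers locally, point the host's own resolver at it.
printf 'search au-team.irpo\nnameserver 192.168.113.2\n' > /etc/net/ifaces/enp7s1/resolv.conf
systemctl restart network
systemctl restart bind

timedatectl set-timezone Asia/Yakutsk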

------------------------------------------BR-SRV------------------------------------------

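#!/bin/bash
# BR-SRV: ALT Linux server in the branch network (192.168.0.2/28) with SSH on
# port 2013 for the single account `sshuser` (banner, 2 auth tries).
#
# Run as root as a script. The original sequence had `exec bash` right after
# set-hostname; in a script that replaces the interpreter with an interactive
# shell and silently skips everything below it, so it is dropped here.
set -euo pipefail

SSHD_CONF=/etc/openssh/sshd_config
# Passwordless sudo is what the task requires; it is a full root equivalent.
SUDO_RULE='sshuser ALL=(ALL:ALL) NOPASSWD: ALL'

# set_sshd_opt KEY VALUE — set KEY in sshd_config, replacing an existing
# (possibly commented-out) line or appending one when the key is absent.
# The original `sed` calls silently did nothing when the key was missing.
set_sshd_opt() {
    local key=$1 value=$2
    if grep -Eq "^#?${key} " "$SSHD_CONF"; then
        sed -i -E "s|^#?${key} .*|${key} ${value}|" "$SSHD_CONF"
    else
        printf '%s %s\n' "$key" "$value" >> "$SSHD_CONF"
    fi
}

# Package source: only the exam's local mirror is active.
# NOTE(review): the active lines carry no `[p10]` vendor-key tag, so apt does
# not verify package signatures for this repository. Acceptable only on the
# isolated exam network, never for a production host.
cat > /etc/apt/sources.list.d/alt.list <<'EOF'
# ftp.altlinux.org (ALT Linux, Moscow)

# ALT Platform 10
#rpm [p10] ftp://ftp.altlinux.org/pub/distributions/ALTLinux p10/branch/x86_64 classic gostcrypto
#rpm [p10] ftp://ftp.altlinux.org/pub/distributions/ALTLinux p10/branch/x86_64-i586 classic
#rpm [p10] ftp://ftp.altlinux.org/pub/distributions/ALTLinux p10/branch/noarch classic

#rpm [p10] http://ftp.altlinux.org/pub/distributions/ALTLinux p10/branch/x86_64 classic gostcrypto
#rpm [p10] http://ftp.altlinux.org/pub/distributions/ALTLinux p10/branch/x86_64-i586 classic
#rpm [p10] http://ftp.altlinux.org/pub/distributions/ALTLinux p10/branch/noarch classic

#rpm [p10] rsync://ftp.altlinux.org/ALTLinux p10/branch/x86_64 classic gostcrypto
#rpm [p10] rsync://ftp.altlinux.org/ALTLinux p10/branch/x86_64-i586 classic
#rpm [p10] rsync://ftp.altlinux.org/ALTLinux p10/branch/noarch classic

rpm http://10.0.50.50/sisa p10/x86_64 classic
rpm http://10.0.50.50/sisa p10/noarch classic
EOF

hostnamectl set-hostname br-srv.au-team.irpo

# Keep the legacy etcnet/sysconfig hostname in sync (idempotent).
if grep -q "^HOSTNAME=" /etc/sysconfig/network 2>/dev/null; then
    sed -i "s/^HOSTNAME=.*/HOSTNAME=br-srv.au-team.irpo/" /etc/sysconfig/network
else
    echo "HOSTNAME=br-srv.au-team.irpo" >> /etc/sysconfig/network
fi

# Static address in the branch LAN; BR-RTR is the gateway.
mkdir -p /etc/net/ifaces/enp7s1
echo "192.168.0.2/28" > /etc/net/ifaces/enp7s1/ipv4address
echo "default via 192.168.0.1" > /etc/net/ifaces/enp7s1/ipv4route
echo "nameserver 10.0.0.1" > /etc/net/ifaces/enp7s1/resolv.conf
printf 'TYPE=eth\nBOOTPROTO=static\n' > /etc/net/ifaces/enp7s1/options
systemctl restart network

# --- SSH account ---------------------------------------------------------
# -m creates the home directory; without it the account exists but a login
# has nowhere to land.
if ! id sshuser >/dev/null 2>&1; then
    useradd -m -u 2013 sshuser
fi
# Password is mandated by the task and therefore sits in this file in clear
# text; rotate it once grading is done.
printf '%s\n' "sshuser:P@ssw0rd" | chpasswd
if getent group wheel >/dev/null; then
    usermod -aG wheel sshuser
fi

# Validate the sudoers change with visudo on a copy before installing it:
# a syntax error written straight into /etc/sudoers disables sudo entirely.
if ! grep -qxF "$SUDO_RULE" /etc/sudoers; then
    tmp=$(mktemp)
    cat /etc/sudoers > "$tmp"
    printf '%s\n' "$SUDO_RULE" >> "$tmp"
    if ! visudo -cf "$tmp" >/dev/null; then
        echo "sudoers rule rejected by visudo; /etc/sudoers left untouched" >&2
        rm -f -- "$tmp"
        exit 1
    fi
    # Write through the existing inode so owner/mode of /etc/sudoers stay as is.
    cat "$tmp" > /etc/sudoers
    rm -f -- "$tmp"
fi

set_sshd_opt Port 2013
set_sshd_opt MaxAuthTries 2
set_sshd_opt Banner /etc/openssh/banner
set_sshd_opt AllowUsers sshuser
echo "Authorized access only" > /etc/openssh/banner
# Refuse to restart on a broken config: on a remote host that is a lockout.
sshd -t
systemctl restart sshd

timedatectl set-timezone Asia/Yakutsk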

------------------------------------------HQ-CLI------------------------------------------

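#!/bin/bash
# HQ-CLI: ALT Linux client in VLAN 213. Address, gateway, DNS server and
# search domain all come from the DHCP server configured on HQ-RTR.
#
# Run as root as a script. The original sequence had `exec bash` right after
# set-hostname; in a script that replaces the interpreter with an interactive
# shell and silently skips everything below it, so it is dropped here.
set -euo pipefail

# Package source: only the exam's local mirror is active.
# NOTE(review): the active lines carry no `[p10]` vendor-key tag, so apt does
# not verify package signatures for this repository. Acceptable only on the
# isolated exam network, never for a production host.
cat > /etc/apt/sources.list.d/alt.list <<'EOF'
# ftp.altlinux.org (ALT Linux, Moscow)

# ALT Platform 10
#rpm [p10] ftp://ftp.altlinux.org/pub/distributions/ALTLinux p10/branch/x86_64 classic gostcrypto
#rpm [p10] ftp://ftp.altlinux.org/pub/distributions/ALTLinux p10/branch/x86_64-i586 classic
#rpm [p10] ftp://ftp.altlinux.org/pub/distributions/ALTLinux p10/branch/noarch classic

#rpm [p10] http://ftp.altlinux.org/pub/distributions/ALTLinux p10/branch/x86_64 classic gostcrypto
#rpm [p10] http://ftp.altlinux.org/pub/distributions/ALTLinux p10/branch/x86_64-i586 classic
#rpm [p10] http://ftp.altlinux.org/pub/distributions/ALTLinux p10/branch/noarch classic

#rpm [p10] rsync://ftp.altlinux.org/ALTLinux p10/branch/x86_64 classic gostcrypto
#rpm [p10] rsync://ftp.altlinux.org/ALTLinux p10/branch/x86_64-i586 classic
#rpm [p10] rsync://ftp.altlinux.org/ALTLinux p10/branch/noarch classic

rpm http://10.0.50.50/sisa p10/x86_64 classic
rpm http://10.0.50.50/sisa p10/noarch classic
EOF

hostnamectl set-hostname hq-cli.au-team.irpo

# Keep the legacy etcnet/sysconfig hostname in sync (idempotent).
if grep -q "^HOSTNAME=" /etc/sysconfig/network 2>/dev/null; then
    sed -i "s/^HOSTNAME=.*/HOSTNAME=hq-cli.au-team.irpo/" /etc/sysconfig/network
else
    echo "HOSTNAME=hq-cli.au-team.irpo" >> /etc/sysconfig/network
fi

# DHCP on the single NIC (etcnet layout). `mkdir -p` so a missing interface
# directory does not make the redirect fail.
mkdir -p /etc/net/ifaces/enp7s1
printf 'TYPE=eth\nBOOTPROTO=dhcp\n' > /etc/net/ifaces/enp7s1/options
systemctl restart network

timedatectl set-timezone Asia/Yakutsk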