— — — add repository
— —++—++ — install packages for building sams
/// — go to directory
//github.com/PavelVinogradov/sams2/archive/master.zip — download sams2
— — see catalogs
///-/ — go to the unpacked directory
///-// — editing the file will not work without this
— — getting ready for assembly
/ — getting ready for assembly
— important parameter
— install; now everything is installed
Remove generated installer files
//// — create your own config for
/ / — allow entry / /
= — this is the line of interest; temporarily enter credentials here
//IP_FQDN/sams2 — login
Database name
Database name
Database host
Database username — use
Password — the database root password
Create a user to access the database
username Database username
//// — edit the config
= — change the password to the one you created
///-// — go to the directory
///-// ///-// — make a copy for everyone
///-// /// — copy the startup script
/// — run
— or run it like this
— add to startup
Install the necessary packages
Allow packet forwarding between network interfaces by setting the // parameter in the file =
To keep things simple, turn off the native firewall for now; later, if desired, turn it back on
Check that by default everything is allowed and there are no rules
Set the default policy to block all incoming and outgoing packets (outgoing packets can be left allowed)
We can allow incoming ping and check it from the LAN
— — —
— — — — —
We can create an intermediate backup copy of the rules
Allow incoming and outgoing packets within existing connections
— — — —
Allow ping outside via host
— — —
For packets coming from the local network to work, I need to enable forwarding from it to the outside, or,
which is simpler in this case, a masquerade rule that replaces the source address of packets from the local network with the external address of the host
— — — / —
We can try to save the rules
In order to be able to resolve — requests, allow the traffic passing through (it works on two protocols, both of which must be allowed)
If you want to run your own server on the same machine, then step No. is performed instead of this step
– – – — – / –
But in order not to get up twice, it is better to make one rule for all the necessary protocols at once
Therefore, I remove the rule for
and create one rule for the many necessary protocols at once; the port numbers of the necessary protocols can be easily googled
As a possible option, consider port forwarding into the network: if we want, from the Internet (that is, by knocking on the external network card, in my case ), to reach some web server
which is located on the local network at the address and listens for requests on the port,
then we need to create a port forwarding rule and allow packets passing through that port
– — — — — — — —
If we have another web server in my LAN that uses the same port,
then we need to open some other port (in my example )
and forward connections to it to the required web server by port
We can try to save the rules with the command
In order to resolve requests on our server itself, you need to allow it to listen for these requests on
— — — — — / —
It is also necessary to allow all loopback traffic, as there are programs that use it:
traffic that does not leave our server but passes through its network interfaces
The server in this configuration will simply forward all requests through itself to the specified server
To do this, in its config you need to specify where to send the traffic, and which port and network card to listen on for requests,
and if we do not want it to try to resolve the request itself, tell it to forward the request immediately
All this is done by editing the file ///
In the current version, it tries to control the daemon, but it needs keys for this. They can be created with the command
— — //
The uncommented part of the output should be written to the file /// and the commented part to ///
Now you can restart the daemon and check how the server itself, and the machines on which it is specified as the server, resolve requests
I check the version with the command /// — and make a backup copy of the configuration file
The configuration file /// differs considerably from version to version, but the parameters in it are the same. In particular, we need to
allow access from it
specify the address of the local network card, the port, and the transparency option (in older versions it goes by a different name)
Restart to apply settings
Now the old forwarding and port rules should be removed from the rule set, for example
— — / — — — —
— — / — — — —
Then create a rule for receiving traffic on the listening port and rules for redirecting incoming requests to this port
— — — / — — — — —
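As an added worked example (my own script, not the notes' commands, which were lost in extraction), here is the rule set built up in the steps above: default deny, loopback and established traffic, ping from the LAN, masquerading, the LAN-to-Internet port list, publishing two internal web servers on different external ports, and finally the hand-over of LAN port 80 to the proxy just described. Interface names, addresses, the two web servers and the assumption that the host also answers DNS for the LAN are mine; the proxy port 3128 and the enp3s0/enp1s0 names come from the firewalld commands later on the page. Set IPT="echo iptables" to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not the notes' own commands): iptables rules for the two-card
# gateway built in the steps above, then the hand-over of LAN web traffic to a
# transparent squid. Interface names, addresses and web servers are assumptions.
IPT="${IPT:-iptables}"                  # set IPT="echo iptables" for a dry run
EXT_IF="${EXT_IF:-enp3s0}"              # Internet-facing card
LAN_IF="${LAN_IF:-enp1s0}"              # LAN card
LAN_NET="${LAN_NET:-192.168.100.0/24}"  # LAN subnet
WEB1="${WEB1:-192.168.100.10}"          # internal web server behind external port 80 (constructed)
WEB2="${WEB2:-192.168.100.11}"          # second web server, also on 80, reached via 8080 (constructed)
PROXY_PORT="${PROXY_PORT:-3128}"        # squid listening port
DIRECT_PORTS="${DIRECT_PORTS:-80,443}"  # tcp ports the LAN may reach directly

is_port() { case "$1" in ''|*[!0-9]*) return 1;; esac; [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; }

# Remove one port from a comma-separated list (used when 80 moves to the proxy)
without_port() { echo "$1" | tr ',' '\n' | grep -vx "$2" | paste -sd, -; }

# Empty, permissive state: "check that everything is allowed and there are no rules"
flush_rules() {
  $IPT -F; $IPT -t nat -F; $IPT -X
  $IPT -P INPUT ACCEPT; $IPT -P FORWARD ACCEPT; $IPT -P OUTPUT ACCEPT
}

# Default deny for incoming and forwarded packets; outgoing is left allowed
set_policies() { $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT; }

base_rules() {
  $IPT -A INPUT -i lo -j ACCEPT                                  # loopback traffic
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -i "$LAN_IF" -p icmp --icmp-type echo-request -j ACCEPT   # ping from LAN
  # masquerade: LAN source addresses are rewritten to the host's external address
  $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$EXT_IF" -j MASQUERADE
}

# LAN -> Internet for a comma-separated tcp port list; $1 is -A (add) or -D (delete)
lan_out_rule() {
  $IPT "$1" FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$LAN_NET" \
       -p tcp -m multiport --dports "$2" -j ACCEPT
}

# A service on this host that the LAN may use. Args: proto port
allow_lan_service() {
  $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p "$1" --dport "$2" -j ACCEPT
}

# Publish an internal server: DNAT the external port, then allow the forwarded flow.
# Args: ext_port int_ip int_port
forward_port() {
  if ! is_port "$1" || ! is_port "$3"; then
    echo "forward_port: bad port '$1'/'$3'" >&2; return 1
  fi
  $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$1" \
       -j DNAT --to-destination "$2:$3"
  $IPT -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -p tcp -d "$2" --dport "$3" \
       -m conntrack --ctstate NEW -j ACCEPT
}

# Phase 1: the plain NAT gateway
apply_gateway() {
  flush_rules; set_policies; base_rules
  lan_out_rule -A "$DIRECT_PORTS"
  allow_lan_service udp 53           # assumed: the host also answers DNS for the LAN
  allow_lan_service tcp 53
  forward_port 80 "$WEB1" 80
  forward_port 8080 "$WEB2" 80       # second server shares port 80, so use another external port
}

# Phase 2: replace the direct port-80 forward with a redirect into squid
apply_transparent_proxy() {
  lan_out_rule -D "$DIRECT_PORTS"                      # remove the old forwarding rule
  rest=$(without_port "$DIRECT_PORTS" 80)
  if [ -n "$rest" ]; then lan_out_rule -A "$rest"; fi  # keep the other direct ports
  allow_lan_service tcp "$PROXY_PORT"                  # squid's listening port
  $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
       -j REDIRECT --to-ports "$PROXY_PORT"
}

if [ "${APPLY_FIREWALL:-0}" = "1" ]; then
  apply_gateway
  if [ "${WITH_PROXY:-0}" = "1" ]; then apply_transparent_proxy; fi
fi
```

APPLY_FIREWALL=1 WITH_PROXY=1 sh gateway.sh applies both phases; run it with IPT="echo iptables" first to review the generated rules. Because FORWARD defaults to DROP, anything the LAN should reach directly has to be listed in DIRECT_PORTS, and once the proxy is in place port 80 is deliberately absent from that list, so web traffic cannot slip past squid.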
To work with you will have to rebuild
Include in the repository those that start with ///
Update the information about the repositories and install the necessary packages for the build
Create a directory for the assembly, go to it and download everything you need
Customize build settings
Build the package and install it, installing the unresolved dependencies
Create the necessary certificates
— — — — — — —
//// — /// —
Capture packets and allow them
firewall-cmd
References: Create multi-zone firewall configurations with Firewalld; Firewalld, installation and configuration, zones, NAT, port forwarding; Using ipset in the CentOS 7 built-in firewall; vpn pptp centos7
firewall-cmd --zone=public --remove-port=443/tcp --permanent
firewall-cmd --zone=public --remove-port=80/tcp --permanent
firewall-cmd --zone=public --remove-port=22/tcp --permanent
firewall-cmd --zone=public --remove-service=dhcpv6-client --permanent
firewall-cmd --zone=public --add-service=ssh --permanent
firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --add-service=https --permanent
firewall-cmd --zone=public --add-port=3128/tcp --permanent
firewall-cmd --reload
firewall-cmd --zone=public --list-ports
firewall-cmd --zone=public --list-services
firewall-cmd --zone=external --list-ports
firewall-cmd --zone=external --list-services
firewall-cmd --zone=external --change-interface=enp3s0 --permanent
firewall-cmd --zone=external --remove-service=ssh --permanent
firewall-cmd --get-active-zones
firewall-cmd --zone=external --list-services
firewall-cmd --list-all
firewall-cmd --get-services
systemctl restart firewalld
http://fliplinux.com/ip-cen.html whitelist
firewall-cmd --permanent --zone=public --add-source=192.168.100.0/24
firewall-cmd --permanent --zone=public --add-source=192.168.222.123/32
firewall-cmd --ipset=IP-servers --remove-entry=192.168.20.0/24 --permanent
firewall-cmd --ipset=IP-servers --get-entries
firewall-cmd --permanent --zone=public --add-rich-rule='rule source ipset="IP-servers" service name="ssh" accept'
firewall-cmd --permanent --zone=public --list-rich-rules
firewall-cmd --direct --permanent --add-rule ipv4 filter FORWARD 0 -i enp3s0 -o enp1s0 -j DROP
firewall-cmd --direct --permanent --add-rule ipv4 filter FORWARD 0 -i enp1s0 -o enp3s0 -j DROP
open Google Play
firewall-cmd --zone=public --add-port=5228/tcp --permanent
firewall-cmd --zone=external --add-port=5228/tcp --permanent
firewall-cmd --reload
systemctl restart firewalld
In /etc/sysconfig/network-scripts/, do not specify GATEWAY for the internal network card (the external card will be the gateway)
nano /etc/resolv.conf
# Generated by NetworkManager
search domain.office.local
nameserver 172.16.0.1   # (DNS on the internal card)
nameserver 172.16.0.3
nameserver xxx.xxx.xxx.xxx   # (DNS from the external network card, e.g. enp3s0)
systemctl restart NetworkManager.service
nslookup serv1.domain.office.local
yum -y install squid — install squid
systemctl start squid — run it
systemctl enable squid — enable autostart
squid -z — create the folder structure for the cache
another version of krb5.conf http://xgu.ru/wiki/Squid,_Kerberos_and_LDAP
net ads keytab flush — flush the keytab
net ads keytab create — create the keytab
net ads keytab add HTTP — add the HTTP principal for the proxy or web server
net ads keytab list — see what came out
Set permissions:
chown squid:squid /etc/myproxy123.keytab
chmod u+rwx,g+rx /etc/myproxy123.keytab
If you forgot the user's password, you can check it like this:
wbinfo -t
wbinfo -g
wbinfo -u
Is there an analogue of su for Windows
/usr/lib64/squid/basic_ldap_auth -b 'dc=domain,dc=office,dc=local'
Delete the received ticket with the command: kdestroy
kerberos_ldap_group: ERROR: Error while starting keytab scan : Key table file '/etc/krb5.keytab' not found
Fix: ln -s /etc/myproxy123.keytab /etc/krb5.keytab
For automatic authentication through Squid, you need to make the following changes: add the lines
KRB5_KTNAME=/etc/myproxy123.keytab
export KRB5_KTNAME
to the /etc/sysconfig/squid file, and disable the replay cache (to reduce load):
KRB5RCACHETYPE=none
export KRB5RCACHETYPE
add to /etc/squid/squid.conf
ext_kerberos_ldap_group_acl also works, but you need to set the ipv4 parameter
Configuring squid, or how not to buy a paid solution
children — the maximum number of helper processes that may be run; startup — the number of processes that are always running; idle — the maximum queue to a helper: when the specified number is exceeded, a new helper process is started
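An added example of a squid.conf fragment that ties the pieces above together (this is my own fragment, not the notes' configuration file, which is not on the page): Negotiate/Kerberos authentication with the helper process counts just described, an intercept port for the traffic that iptables redirects from the LAN, the squidGuard rewrite helper, and a LAN ACL. The proxy hostname, the keytab handed over via KRB5_KTNAME and port 3128 are the ones used on this page; the Kerberos realm DOMAIN.OFFICE.LOCAL, the LAN card address 192.168.100.1, the LAN subnet and the intercept port 3129 are assumptions. Squid cannot challenge a client for credentials on an intercepted connection, so the fragment authenticates only clients that are explicitly configured with the proxy and admits intercepted traffic by source network alone; keep that in mind when deciding which clients may go through the transparent path.

```conf
# Added example squid.conf fragment (assumed realm, addresses and ports; not the notes' own file)

# Explicit proxy port used by clients configured with myproxy123.domain.office.local:3128
http_port 3128
# Port for the traffic that iptables redirects from the LAN. Squid 3.1 and later call this
# mode "intercept"; older releases call it "transparent". Address is the LAN card (assumed).
http_port 192.168.100.1:3129 intercept name=intercepted

# Negotiate/Kerberos authentication. The keytab comes from KRB5_KTNAME in /etc/sysconfig/squid;
# -s names the service principal whose tickets the helper accepts.
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -s HTTP/myproxy123.domain.office.local@DOMAIN.OFFICE.LOCAL
# children = maximum helpers, startup = helpers started immediately, idle = spare helpers kept ready
auth_param negotiate children 20 startup 5 idle 1
auth_param negotiate keep_alive on

acl localnet src 192.168.100.0/24
acl auth proxy_auth REQUIRED
acl intercepted myportname intercepted

# Intercepted connections cannot be challenged for credentials, so they are admitted by
# source network only; explicitly configured clients must authenticate.
http_access allow localnet intercepted
http_access allow localnet auth
http_access deny all

# squidGuard URL filtering (as added later in the notes) and the cache created with "squid -z"
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
cache_dir ufs /var/spool/squid 2000 16 256
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
```

Check the result with squid -k parse before reloading; the access.log then shows the authenticated user name for explicit clients and a dash for intercepted ones, which is an easy way to see which path a given client is using.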
squid -k check
squid -k parse
squid -k reconfigure
systemctl restart squid
failed to open /var/run/squid.pid: No such file or directory
sudo killall -9 squid
systemctl start squid
Errors and logs:
1. access.log — records client requests;
2. store.log — records actions with the cache;
3. cache.log — records errors that occur while Squid is working.
tail -f /var/log/squid/cache.log
tail -f /var/log/squid/access.log
Clean up Squid:
grep cache_dir /etc/squid/squid.conf
service squid stop
rm -r /var/spool/squid/*
squid -z
service squid start
net.ipv4.ip_forward=0 — otherwise it will be possible to go around squid (set up routing and set "no proxy")
sudo sysctl -p
sudo sysctl --system
On client machines, the proxy server address must be specified in FQDN format (myproxy123.domain.office.local)
To disable the proxy:
$ unset http_proxy
$ unset https_proxy
$ unset ftp_proxy
yum install squidGuard
wget http://www.shallalist.de/Downloads/shallalist.tar.gz
tar -xvf shallalist.tar.gz
mkdir -p /var/squidGuard/BL/manual/
nano /var/squidGuard/BL/manual/domains
nano /var/squidGuard/BL/manual/urls
Copy the suspect directory from blacklists.tgz to the BL directory (otherwise it will give an error when converting to a database)
squidGuard -b -d -C all
chown -R squid:squid /var/squidGuard
chown root:squid /etc/squid/squidGuard.conf
chmod 0640 /etc/squid/squidGuard.conf
chown -R squid:squid /var/log/squidGuard
Add to /etc/squid/squid.conf: url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
Logs:
tail -f /var/log/messages
tail -f /var/log/squidGuard/squidGuard.log
squid -k rotate # clear logs
If it does not enforce the rules, then disable SELinux (check with sestatus):
temporarily: setenforce 0
permanently: edit /etc/selinux/config, replace #SELINUX=enforcing with SELINUX=disabled, then reboot
Changing entries in the domain and URL lists. Example: next to the domains.db file in the /var/lib/squiguard/db/webmail folder, create a domains.diff file. Enter one or several lines into it, one per entry: -google.com (meaning delete this domain from the database) or +google.com (meaning add this domain to the database). Then issue the commands:
$ squidGuard -u (update the databases from the diff files; in squidGuard's logs you can see how much was added/deleted)
$ squid -k reconfigure (reread the settings without restarting)
There is no need to delete the domains.diff file or delete entries from it. This file will come in handy during a global database update, and with repeated updates there is no duplication of records in the database.

