Разворачивание полноценного шлюза с анализатором веб-логов: DHCP + iptables + Squid + SAMS

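#!/bin/bash
#
# Turn a fresh Debian/Ubuntu host into a LAN gateway: DHCP + iptables NAT +
# transparent Squid proxy + SAMS2 web-log analyser.  Must be run as root.
#
# Every setting below can be overridden from the environment
# (e.g. `SAMSDB_PASS=... LAN_ADAPTER=eth0 bash <this script>`), so the
# database password does not have to be kept in this file.

LAN_ADAPTER="${LAN_ADAPTER:-p1p1}"      # interface facing the LAN
INET_ADAPTER="${INET_ADAPTER:-p4p1}"    # interface facing the internet
LOCAL_NET="${LOCAL_NET:-192.168.0}"     # first three octets of the LAN /24
LOCAL_IP="${LOCAL_IP:-192.168.0.1}"     # this host's LAN address (router, DNS and proxy for clients)
DHCP_RANGE="${DHCP_RANGE:-192.168.0.2 192.168.0.254}"   # first and last address of the DHCP pool
SAMSDB_PASS="${SAMSDB_PASS:-mypass}"    # SAMS MySQL password; 'mypass' is only a placeholder default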
 
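# ----------------------------------------------------

# Everything below edits /etc and installs packages: refuse to run as a
# non-root user.  Note the redirection is '2>/dev/null' - the form '&2>' would
# background the command instead of silencing its stderr.
if [ "$(id -u 2>/dev/null)" != "0" ]; then
  echo "Please, run this as root!"
  exit 1
fi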
 
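# Refresh the package index and bring the system up to date.
apt-get -q -y update
apt-get -q -y upgrade
apt-get -q -y dist-upgrade

# Required packages: build toolchain, Apache/MySQL/PHP stack, DNS, DHCP, Squid.
# Nothing further down works without them, so stop at the first failed install
# instead of carrying on and editing config files of packages that are absent.
apt-get -y install unzip make g++ libtool build-essential autoconf automake || exit 1
apt-get -y install apache2 apache2-doc apache2-utils mysql-server mysql-client libmysqlclient-dev || exit 1
apt-get -y install bind9 ssl-cert libpcre3 libpcre3-dev isc-dhcp-server squid || exit 1
apt-get -y install php5 php5-cli php5-common php5-dev php5-mcrypt php5-imagick php5-mysql php5-gd php5-ldap php-fpdf libapache2-mod-php5 || exit 1

# Optional: MySQL web front-end.  Best effort - a failure here is not fatal.
apt-get -y install phpmyadmin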
 
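# Apache: set a ServerName.  Append the directive only if none is present,
# rather than overwriting whatever happens to be on line 1 of apache2.conf.
grep -q '^ServerName' /etc/apache2/apache2.conf || echo 'ServerName localhost' >> /etc/apache2/apache2.conf
# To move Apache from port 80 to 8080 instead, uncomment:
# sed -i -e 's/80/8080/' /etc/apache2/ports.conf
# sed -i -e 's/80/8080/' /etc/apache2/sites-available/default

apache2ctl restart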
 
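# ---------------------------------------------------- Network setup

# Kernel: enable IPv4 forwarding for the gateway role.
# NOTE(review): rp_filter=0 switches reverse-path (anti-spoofing) filtering
# off on every interface; loose mode (2) is normally enough for a NAT gateway.
# Confirm that 0 is really required before keeping it.
cat >> /etc/sysctl.conf <<'EOF'

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
EOF
sysctl -p   # apply the new settings now rather than at the next reboot

# Static address on the LAN-facing interface.
cat >> /etc/network/interfaces <<EOF

auto $LAN_ADAPTER
iface $LAN_ADAPTER inet static
address $LOCAL_IP
netmask 255.255.255.0
EOF

# Firewall / NAT.  Default-deny forwarding, then allow only what the gateway
# needs: LAN -> anywhere, and replies coming back in on the internet side.
# Without the DROP policy the two FORWARD rules are decorative: any packet they
# do not match is still forwarded by the default ACCEPT policy.
iptables -P FORWARD DROP
# Redirect LAN web traffic into the local Squid (transparent proxy).
iptables -t nat -A PREROUTING -i "$LAN_ADAPTER" -p tcp --dport 80 -j DNAT --to-destination "$LOCAL_IP:3128"
iptables -t nat -A POSTROUTING -o "$INET_ADAPTER" -j MASQUERADE
iptables -A FORWARD -i "$LAN_ADAPTER" -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i "$INET_ADAPTER" -m state --state RELATED,ESTABLISHED -j ACCEPT

# Reload the saved rule set whenever an interface comes up.  Written with '>'
# (not '>>'): the file is a complete script and must not gain a second copy
# on re-run.
cat > /etc/network/if-up.d/00-iptables <<'EOF'
#!/bin/sh
iptables-restore < /etc/firewall.conf
EOF
chmod 755 /etc/network/if-up.d/00-iptables
iptables-save > /etc/firewall.conf
chmod 600 /etc/firewall.conf   # the rule set is root-only reading material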
 
# ---------------------------------------------------- DHCP

# Hand out addresses on the LAN /24; this host is the router and DNS server.
cat >> /etc/dhcp/dhcpd.conf <<EOF

subnet $LOCAL_NET.0 netmask 255.255.255.0 {
       option routers $LOCAL_IP;
       option subnet-mask 255.255.255.0;
       option domain-name-servers $LOCAL_IP;
       range $DHCP_RANGE;
}

EOF
# Tell the DHCP server which interface to serve on.
sed -i -e "s/INTERFACES=\"\"/INTERFACES=\"$LAN_ADAPTER\"/" /etc/default/isc-dhcp-server
 
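# ------------------------------------------------------ Squid

squid_conf=/etc/squid3/squid.conf
# Keep the packaged config as a backup and start from a comment-free copy of it.
mv "$squid_conf" "$squid_conf-old"
grep -v "^#" "$squid_conf-old" | sed -e '/^$/d' > "$squid_conf"
# Let the LAN through the proxy: a localnet ACL right after the localhost one,
# and the matching http_access line right after the localhost allow.
sed -i -e "/acl localhost/ aacl localnet src $LOCAL_NET.0/24" "$squid_conf"
sed -i -e '/http_access allow localhost/ ahttp_access allow localnet' "$squid_conf"
# Listen only on the LAN address and accept the DNAT'ed port-80 traffic.
# NOTE(review): 'transparent' is the Squid 3.0 spelling of this mode; Squid 3.1
# and later call it 'intercept' - check which one the installed version wants.
sed -i -e "s/http_port 3128/http_port $LOCAL_IP:3128 transparent/" "$squid_conf"
cat >> "$squid_conf" <<'EOF'

visible_hostname serv
always_direct allow all

access_log /var/log/squid3/access.log squid
cache_log /var/log/squid3/cache.log
pid_filename /var/run/squid3.pid

cache_dir ufs /var/spool/squid3 4096 32 512
coredump_dir /var/spool/squid3
maximum_object_size_in_memory 50 MB
maximum_object_size 50 MB
EOF

/etc/init.d/squid3 stop
squid3 -z   # create the cache_dir structure
# Presumably SAMS looks for the binary under its classic name 'squid'.  Only
# link it if nothing is installed under that name - never clobber a real file.
[ -e /usr/sbin/squid ] || ln -s /usr/sbin/squid3 /usr/sbin/squid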
 
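# ---------------------------------------------------- Download, build and install SAMS2

# Archive location and expected SHA-256 can be overridden from the environment.
# The checksum check is skipped while SAMS_SHA256 is empty.
sams_url="${SAMS_URL:-http://sams2.googlecode.com/files/sams-2.0.0-rc2.tar.bz2}"
sams_sha256="${SAMS_SHA256:-}"   # e.g. SAMS_SHA256=<expected-sha256-placeholder>
sams_archive="${sams_url##*/}"
sams_dir="${sams_archive%.tar.bz2}"

cd /usr/src || exit 1
# This is a plain-HTTP fetch of source that is compiled and installed as root:
# verify the archive against a known checksum whenever one is supplied.
wget -O "$sams_archive" -- "$sams_url" || exit 1
if [ -n "$sams_sha256" ]; then
  printf '%s  %s\n' "$sams_sha256" "$sams_archive" | sha256sum -c - || exit 1
fi
tar xvjf "$sams_archive"
cd "$sams_dir" || exit 1

make -f Makefile.cvs
./configure

# Pin the libtool install dir.  '|' is used as the s command delimiter because
# the replacement itself contains slashes; with '/' sed rejects the expression.
sed -i -e '6000s|absdir=.*|absdir="/usr/lib"|' libtool

make
make install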
 
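# ---------------------------------------------------- Configure SAMS2

sams_conf=/usr/local/etc/sams2.conf
# The password is spliced into a sed replacement: escape the characters sed
# gives meaning to there ('/', '&', '\') so that any value is written
# verbatim and no part of it is interpreted as a sed directive.
sams_pass_escaped=$(printf '%s' "$SAMSDB_PASS" | sed -e 's|[/&\\]|\\&|g')
sed -i -e 's/DB_USER=/DB_USER=sams/' "$sams_conf"
sed -i -e "s/DB_PASSWORD=/DB_PASSWORD=$sams_pass_escaped/" "$sams_conf"
# The Debian packages name everything squid3; point SAMS at those paths.
sed -i -e 's/squid/squid3/' "$sams_conf"
sed -i -e 's|SQUIDCACHEDIR=/usr/local/apache2|SQUIDCACHEDIR=/var/spool/squid3|' "$sams_conf"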
 
# ------------------------------------------------------------------------------------------------------

# Strip the AllowOverride directive from both SAMS Apache snippets.
for sams_apache_conf in /etc/apache2/conf.d/doc4sams2.conf /etc/apache2/conf.d/sams2.conf; do
  sed -i -e 's/AllowOverride.*/ /' "$sams_apache_conf"
done
 
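# Install the SysV init script for the SAMS daemon.  A quoted heredoc keeps
# every $VAR in the script literal, and '>' (not '>>') makes a re-run replace
# the script instead of appending a second copy to it.
cat > /etc/init.d/sams2 <<'EOF'
#!/bin/sh -e

### BEGIN INIT INFO
# Provides:             sams
# Required-Start:       $local_fs $network $time $remote_fs
# Required-Stop:
# Should-Start:         $named $mysql $squid
# Should-Stop:
# Default-Start:        2 3 4 5
# Default-Stop:         0 1 6
# Short-Description:    Starting sams daemon
# Description:          Squid Account Management System (SAMS)
#  Starting sams management daemon - sams2daemon
### END INIT INFO
#
# Author:       Pavel Vinogradov <Pavel.Vinogradov@nixdev.net>
#
# /etc/init.d/sams2: start and stop the sams daemon

# Install prefix: value of the first SAMSPATH= line in sams2.conf.
SAMSPATH=$(sed -n 's/^SAMSPATH=//p' /usr/local/etc/sams2.conf | head -n 1)
NAME="sams"
DAEMON=$SAMSPATH/bin/sams2daemon
LOCKFILE=/var/lock/samsd
PIDFILE=/var/run/sams2daemon.pid
RETVAL=0
SAMS_ENABLE=true
test -x "$DAEMON" || exit 0
# init-functions is a library to be sourced, not executed: test that it is
# readable (the file is normally not executable at all).
if [ -r /lib/lsb/init-functions ]; then
        . /lib/lsb/init-functions
else
        echo "E: /lib/lsb/init-functions not found, lsb-base (>= 3.0-6) needed"
        exit 1
fi

[ -r /etc/default/rcS ] && . /etc/default/rcS
case "$1" in
        start)
                if "$SAMS_ENABLE"; then
                        log_daemon_msg "Starting $NAME daemon" "$NAME"
                        if [ -s "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" >/dev/null 2>&1; then
                                log_progress_msg "apparently already running"
                                log_end_msg 0
                                exit 0
                        fi

                        # '|| RETVAL=$?' records a failure without letting
                        # 'sh -e' abort before log_end_msg can report it.
                        RETVAL=0
                        start-stop-daemon --start --quiet --background \
                                --pidfile "$PIDFILE" \
                                --exec "$DAEMON" || RETVAL=$?
                        [ "$RETVAL" -eq 0 ] && touch "$LOCKFILE"
                        log_end_msg "$RETVAL"
                else
                        [ "$VERBOSE" != no ] && log_warning_msg "$NAME daemon not enabled, not starting. Please read /usr/share/doc/sams2/README.Debian"
                fi
        ;;

        stop)
                if "$SAMS_ENABLE"; then
                        log_daemon_msg "Stopping $NAME daemon" "$NAME"
                        RETVAL=0
                        start-stop-daemon --stop --quiet --oknodo --pidfile "$PIDFILE" || RETVAL=$?
                        [ "$RETVAL" -eq 0 ] && rm -f "$LOCKFILE"
                        log_end_msg "$RETVAL"
                else
                        [ "$VERBOSE" != no ] && log_warning_msg "$NAME daemon not enabled, not stoping..."
                fi
        ;;

        restart|force-reload)
                /etc/init.d/sams2 stop
                /etc/init.d/sams2 start
        ;;

        *)
                echo "Usage: ${0##*/} {start|stop|restart}"
                RETVAL=1
        ;;
esac
exit "$RETVAL"
EOF

# An init script is executed by root at boot: it must be root-owned and not
# writable by anyone else, otherwise any local account could run code as root.
chown root:root /etc/init.d/sams2
chmod 755 /etc/init.d/sams2
update-rc.d sams2 start 99 2 3 4 5 . stop 1 0 1 6 .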
 
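# Hand the SAMS web tree to the web-server user, but never world-writable: a
# 777 web root lets any local account drop a PHP file that Apache then runs.
chown -R www-data:www-data /usr/local/share/sams2/
chmod -R u=rwX,g=rX,o=rX /usr/local/share/sams2
# sams2.conf carries DB_PASSWORD: readable by its owner/group (www-data) and
# by root only.
chown www-data:www-data /usr/local/etc/sams2.conf
chmod 640 /usr/local/etc/sams2.conf

/etc/init.d/apache2 restart
/etc/init.d/squid3 restart

exit 0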
