Outils pour utilisateurs
technique:referentiel:chd-stg2-ng
Différences
Ci-dessous, les différences entre deux révisions de la page.
| Les deux révisions précédentes Révision précédente Prochaine révision | Révision précédente | ||
|
technique:referentiel:chd-stg2-ng [2018/04/09 17:24] 127.0.0.1 modification externe |
technique:referentiel:chd-stg2-ng [2018/05/12 12:22] (Version actuelle) admin |
||
|---|---|---|---|
| Ligne 24: | Ligne 24: | ||
| update-grub | update-grub | ||
| - | apt install all-knowing-dns apache2 arping bind9 binutils borgbackup dnsutils fail2ban git gt5 htop iftop iotop iperf iperf3 mtr-tiny nmap ntp nullmailer psmisc rsync screen strace sysstat tcpdump tree unzip vim | + | apt install all-knowing-dns apache2 arping bind9 binutils borgbackup dnsutils fail2ban git gt5 htop iftop iotop iperf iperf3 libapache2-mod-php mtr-tiny nmap ntp nullmailer psmisc rsync screen strace sudo sysstat tcpdump tree unzip vim |
| </code> | </code> | ||
| Ligne 44: | Ligne 44: | ||
| # The primary network interface | # The primary network interface | ||
| auto eth0 | auto eth0 | ||
| - | iface eth0 inet static | ||
| - | address 172.16.0.253 | ||
| - | netmask 255.255.0.0 | ||
| - | gateway 172.16.0.254 | ||
| - | up sysctl -w net.ipv6.conf.$IFACE.accept_dad=0 | ||
| - | |||
| # Public adresses | # Public adresses | ||
| iface eth0 inet static | iface eth0 inet static | ||
| address 185.131.40.2 | address 185.131.40.2 | ||
| - | netmask 255.255.255.255 | + | netmask 255.255.255.0 |
| + | gateway 185.131.40.1 | ||
| + | # accept_dad=0 après que l'interface soit conifugrée en v4 mais avant | ||
| + | # qu'elle soit configurée en v6 (ça marche pas si on met ça en pre-up | ||
| + | # dans la section inet6) | ||
| + | up sysctl -w net.ipv6.conf.$IFACE.accept_dad=0 | ||
| + | # Allumer le firewall avant d econfigurer les IP publiques | ||
| + | up iptables-restore < /etc/network/iptables.conf | ||
| + | up ip6tables-restore < /etc/network/ip6tables.conf | ||
| iface eth0 inet6 static | iface eth0 inet6 static | ||
| Ligne 60: | Ligne 62: | ||
| up ip -6 r r default via fe80::31 dev $IFACE src 2a03:a0a0::2 | up ip -6 r r default via fe80::31 dev $IFACE src 2a03:a0a0::2 | ||
| + | # Admin network overlay | ||
| + | iface eth0 inet static | ||
| + | address 172.16.0.253 | ||
| + | netmask 255.255.0.0 | ||
| + | |||
| # ns3 all-knowing-dns - reverse DNS IPv6 | # ns3 all-knowing-dns - reverse DNS IPv6 | ||
| iface eth0 inet static | iface eth0 inet static | ||
| address 185.131.40.3 | address 185.131.40.3 | ||
| - | netmask 255.255.255.255 | + | netmask 255.255.255.0 |
| iface eth0 inet6 static | iface eth0 inet6 static | ||
| address 2a03:a0a0::3 | address 2a03:a0a0::3 | ||
| netmask 64 | netmask 64 | ||
| + | </file> | ||
| + | |||
| + | <file bash /etc/network/ip6tables.conf> | ||
| + | # Generated by ip6tables-save v1.6.0 on Sun Apr 22 17:12:21 2018 | ||
| + | *filter | ||
| + | :INPUT DROP [0:0] | ||
| + | :FORWARD ACCEPT [0:0] | ||
| + | :OUTPUT ACCEPT [0:0] | ||
| + | # Accepter tout le traffic local, tous les paquets ICMP et les connexions déjà établies | ||
| + | -A INPUT -i lo -j ACCEPT | ||
| + | -A INPUT -i eth0 -p ipv6-icmp -j ACCEPT | ||
| + | -A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED -j ACCEPT | ||
| + | # Accepter tous les paquets depuis les IP d'admin (en overlay sur le L2 public en aval de stg) | ||
| + | -A INPUT -s fe80::/16 -i eth0 -j ACCEPT | ||
| + | # Accepter SSH depuis partout | ||
| + | -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT | ||
| + | # Accepter les requêtes DNS depuis partout | ||
| + | -A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT | ||
| + | -A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT | ||
| + | # Accepter les requêtes web depuis partout | ||
| + | -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT | ||
| + | # Accepter le serveur Munin | ||
| + | #-A INPUT -s XXX -i eth0 -p tcp -m tcp --dport 4949 -j ACCEPT | ||
| + | # Accepter les connexions à AirControl 2 depuis certaines IP (pas open sur le net car pas secure) | ||
| + | #-A INPUT -s XXX -i eth0 -p tcp -m multiport --dports 443,9081 -j ACCEPT | ||
| + | -A INPUT -m limit --limit 5/min -j LOG --log-prefix "ipt6input: " --log-level 7 | ||
| + | COMMIT | ||
| + | # Completed on Sun Apr 22 17:12:21 2018 | ||
| + | </file> | ||
| + | <file bash /etc/network/iptables.conf> | ||
| + | # Generated by iptables-save v1.6.0 on Sun Apr 22 16:55:29 2018 | ||
| + | *filter | ||
| + | :INPUT DROP [0:0] | ||
| + | :FORWARD ACCEPT [0:0] | ||
| + | :OUTPUT ACCEPT [0:0] | ||
| + | # Accepter tout le traffic local, tous les paquets ICMP et les connexions déjà établies | ||
| + | -A INPUT -i lo -j ACCEPT | ||
| + | -A INPUT -i eth0 -p icmp -j ACCEPT | ||
| + | -A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED -j ACCEPT | ||
| + | # Accepter tous les paquets depuis les IP d'admin (en overlay sur le L2 public en aval de stg) | ||
| + | -A INPUT -s 172.16.0.0/12 -i eth0 -j ACCEPT | ||
| + | # Accepter SSH depuis partout | ||
| + | -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT | ||
| + | # Accepter les requêtes DNS depuis partout | ||
| + | -A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT | ||
| + | -A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT | ||
| + | # Accepter les requêtes web depuis partout | ||
| + | -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT | ||
| + | # Accepter le serveur Munin | ||
| + | -A INPUT -s 185.61.116.41/32 -i eth0 -p tcp -m tcp --dport 4949 -j ACCEPT | ||
| + | # Accepter les connexions à AirControl 2 depuis certaines IP (pas open sur le net car pas secure) | ||
| + | # 185.131.40.0/23 Adhérents CHD | ||
| + | # 86.71.33.140 aDSL lpouzenc | ||
| + | # 62.212.116.203 aDSL nerim cyril | ||
| + | # 109.190.62.22 aDSL ovh cyril | ||
| + | # 185.61.116.37 sortie vpn prosoluce | ||
| + | -A INPUT -s 185.131.40.0/23,86.71.33.140,62.212.116.203,109.190.62.22,185.61.116.37 -i eth0 -p tcp -m multiport --dports 443,9081 -j ACCEPT | ||
| + | -A INPUT -m limit --limit 5/min -j LOG --log-prefix "ipt4input: " --log-level 7 | ||
| + | COMMIT | ||
| + | # Completed on Sun Apr 22 16:55:29 2018 | ||
| </file> | </file> | ||
| Ligne 575: | Ligne 642: | ||
| <code> | <code> | ||
| + | cd /opt | ||
| wget https://dl.ubnt.com/aircontrol2/aircontrol-v2.1-180316-1259-unix64.bin | wget https://dl.ubnt.com/aircontrol2/aircontrol-v2.1-180316-1259-unix64.bin | ||
| chmod +x aircontrol-v2.1-180316-1259-unix64.bin | chmod +x aircontrol-v2.1-180316-1259-unix64.bin | ||
| Ligne 589: | Ligne 657: | ||
| * Compte super-utilisateur : ''admin'' / ***** | * Compte super-utilisateur : ''admin'' / ***** | ||
| * Compte invité : ''ubnt'' / ***** | * Compte invité : ''ubnt'' / ***** | ||
| + | |||
| + | Une fois le serveur démarré utiliser le client AirContorl 2 pour continuer la configuration (via le compte "admin") : | ||
| + | |||
| + | * Control panel > Server settings | ||
| + | * ServerName : chd-stg2 | ||
| + | * IP list (comma separated) : 172.16.0.253,185.131.40.2,2a03:a0a0::2 | ||
| + | * HTTPS port 443 | ||
| + | * Check for Beta/RC/GA airControl Update : décoché | ||
| + | * Control Panel > Firmwares | ||
| + | * Upload XM/XW/AF5 et WA | ||
| + | |||
| + | <file bash /opt/Ubiquiti/AirControl2/pgsql/data/pg_hba.conf> | ||
| + | # "local" is for Unix domain socket connections only | ||
| + | local all all ident | ||
| + | local all all md5 | ||
| + | # IPv4 local connections: | ||
| + | host all all 127.0.0.1/32 md5 | ||
| + | # IPv6 local connections: | ||
| + | host all all ::1/128 md5 | ||
| + | </file> | ||
| + | |||
| + | <file bash /root/ac2-database.sh> | ||
| + | #!/bin/sh | ||
| + | sudo -u postgres /opt/Ubiquiti/AirControl2/pgsql/bin/pg_dump ac2 | /root/pg-COPY-line-count.pl | ||
| + | </file> | ||
| + | |||
| + | <file perl /root/pg-COPY-line-count.pl> | ||
| + | #!/usr/bin/env perl | ||
| + | |||
| + | use strict; | ||
| + | use warnings; | ||
| + | |||
| + | my $t='(header)'; | ||
| + | my $l=0; | ||
| + | my $c=0; | ||
| + | |||
| + | while (<STDIN>) { | ||
| + | if ( $_ =~ /^COPY (.*) FROM stdin;$/ ) { | ||
| + | $a = int(($c / $l) + 0.5); | ||
| + | print "$t : $l lines (average : $a chars)\n"; | ||
| + | $t=$1; | ||
| + | $l=0; | ||
| + | $c=0; | ||
| + | } else { | ||
| + | $l=$l+1; | ||
| + | $c=$c+length($_); | ||
| + | } | ||
| + | } | ||
| + | $a = int(($c / $l) + 0.5); | ||
| + | print "$t : $l lines (average : $a chars)\n"; | ||
| + | </file> | ||
| + | |||
| + | <file bash /root/.netrc> | ||
| + | machine priv.chd.sx login api password XXXXXXXXXXX | ||
| + | </file> | ||
| + | |||
| + | <file bash /etc/cron.daily/etat_reseau> | ||
| + | #!/bin/sh | ||
| + | wget -O /var/www/html/etat_reseau/index.html https://priv.chd.sx/api/gen_etat_reseau.php | ||
| + | </file> | ||
| + | |||
| + | <code bash> | ||
| + | cd /root | ||
| + | mkdir git | ||
| + | cd git | ||
| + | git clone root@chd.sx:/var/git/chd_gestion | ||
| + | git clone root@chd.sx:/var/git/chd_openwrt | ||
| + | </code> | ||
| + | |||
| + | |||
| + | ===== OpenWRT / LEDE / mise à jour routeur ===== | ||
| + | <code bash> | ||
| + | cd ~/git/chd_openwrt/maj | ||
| + | cp config.default.php config.php | ||
| + | vim config.php | ||
| + | |||
| + | ln -s /root/git/chd_openwrt/build-openwrt.sh /usr/local/bin/ | ||
| + | ln -s /root/git/chd_openwrt/build-openwrt-dev.sh /usr/local/bin/ | ||
| + | |||
| + | chown www-data: /var/cache/build-openwrt* | ||
| + | apt install git-core build-essential libssl-dev libncurses5-dev zlib1g-dev unzip gawk subversion manpages-dev- | ||
| + | </code> | ||
| ===== TODO ===== | ===== TODO ===== | ||
| <code> | <code> | ||
| - | reinstall ssh://root@chd.sx/var/git/chd_openwrt.git | + | documenter le contenu de /var/www/html non git'é |
| configurer munin/multiping | configurer munin/multiping | ||
| netconsole config | netconsole config | ||
| - | apt remove --purge isc-dhcp-dhclient isc-dhcp-common | ||
| backup borg | backup borg | ||
| mailer + mail alert (smartmontools/logcheck ?) | mailer + mail alert (smartmontools/logcheck ?) | ||
| </code> | </code> | ||
technique/referentiel/chd-stg2-ng.1523287493.txt.gz · Dernière modification: 2018/04/09 17:24 par 127.0.0.1
Outils de la page
