Cah Pacitan Bloging

Kisah di akhir bulan agustus 2007, pulang kerja jam 18 sore gitu. Diminta bantuan ama temen tuk bantuin betulin komputer server proxnya dia yang tiba tiba hang mulu ya udah deh janjian abis magrib karena badan lelah baru deh abis isya aku caw sambil coba cari software proxy for windows.

Ampe di tempat wah ketemu dengan pc yang acak acakan karena dah di oprek dan yang bikin pousing lagi penuh dengan debu yang paling aku kurang sreg kalau orang jorok karena ane paling attention ke kebersihan bukankah kebersihan itu sebagian dari iman dan sehat yang pasti.

Sambil ngobrol tanya masalahnya knapa katanya blue screen  kalau  windows di nyalain  trus  windows  di install  lagi dan program proxynya di  install back  blue lagi wah  ketahuan sekarang  ternyata yang bikin blue itu program itu . Padahal tadinya  asumsinya  hardisk atau memory dan parahnya  temenku itu  langsung main beli hd  baru  gak dengerin advice aku sih.

Ya udah malam itu nego aku tawarkan pakai linux dia gak mau padahal linux bakalan stabil banget kalau tuk server internet gareway gitu.

Kepetusuan tetap di dia lah ….gimanapun ane just ikutin aza yang penting ada fullusnya h uehheheheee. 

Setelah sekian lama ngoprek gak ketemu, akhirnya ketemu juga masalah dengan perintah ini di iptables client akhirnya bisa browse ke semua internet gak kayak kemaren ke block kalau browshing ke email dan juga gak isa chatt.

iptables -F
iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp –dport 80 -j
REDIRECT –to 3128

and juga perlu di inget

echo "1" > /proc/sys/net/ipv4/ip_forward

thanks friends all 

Ada banyak cara untuk menghubungkan komputer klien ke internet,
Bisa pake iptables (Untuk Masquerade atau untuk transparent proxy)

Ini untuk masquerade …

#iptables -t nat -F

#iptables -t nat -A POSTROUTING -s 192.168.29.133/255.255.255.0
-o eth1 -j MASQUERADE
#iptables-save > /etc/sysconfig/iptables

Klu untuk Transparent proxy ..
#iptables -t nat -A PREROUTING -p tcp -m tcp –dport 80 -j
REDIRECT –to-ports 3128

echo "1" > /proc/sys/net/ipv4/ip_forward

service iptables save

# vi /etc/squid/squid.conf (Lokasi file Konfigurasi Squid)
/* Tambah Line */
httpd_accel_host [iphost]
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_user_host_header on

/* Tambah lagi di bagian acl nya */

acl client src 192.168.29.133
http_access allow client

/etc/shorewall/rules

#Aol accessACCEPT         
lan128     inet    tcp     1701,5190,5191,5192,5193,11523
   
# MSN MessengerACCEPT         
lan128     inet    tcp     1863
   
# Yahoo MessengerACCEPT         
lan128     inet    tcp     5050,5000,5001,5100ACCEPT         
lan128     inet    udp     5000:5010

http://lists.shorewall.net/pipermail/shorewall-users/
2004-May/012815.html

 

Scope

In the following files, the "PROTO" or "PROTOCOL" column may contain "ipp2p":

/etc/shorewall/tcrules

/etc/shorewall/accounting

/etc/shorewall/rules (Recommend that you place the rules in the ESTABLISHED section of that file).

When the PROTO or PROTOCOL column contains "ipp2p" then the DEST PORT(S) or PORT(S) column may contain a recognized ipp2p option; for a list of the options and their meaning, at a root prompt type:

iptables -m ipp2p –help

You must not include the leading "–" on the option; Shorewall will supply those characters for you. If you do not include an option then "ipp2p" is assumed (Shorewall will generate "-m ipp2p –ipp2p").

Example 2 in the ipp2p documentation recommends the following iptables rules:

Let’s examine the above rules more carefully.

The individual packets of a P2P data stream do not all carry tell-tale signs that are identifiable as being a particular P2P application. So simply asking the ipp2p match code to mark each individual packet isn’t enough because only those packets that carry these tell-tale signs will be marked. Fortunately, Netfilter provides a different type of mark — the Connection Mark which is associated with the entry in the conntrack table rather that with the individual packet. You can see connection mark values with the shorewall show connections command:

gateway:/etc/test# shorewall show connection

Connection marks are persistent — that is, once a connection mark is set it retains its value until the connection is terminated.

Netfilter provides features to:

The strategy employed in the above rules is to mark the connection of each P2P session with a mark value of 1. That way, each packet that is part of the session can be marked using the ‘Restore’ function and can be classified accordingly.

These are implemented in the /etc/shorewall/tcrules file as follows:

#MARK                SOURCE        DEST        PROTO        PORT(S)        CLIENT     USER    TEST
#                                                                          PORT(S)
RESTORE:P            -             -           tcp
CONTINUE:P           -             -           tcp          -              -          -       !0
1:P                  -             -           ipp2p        ipp2p
SAVE:P               -             -           tcp          -              -          -       1
1:12                 -             eth0        -            -              -          -       1
2:12                 -             eth1        -            -              -          -       1   

These rules do exactly the same thing as their counterparts described above.

One change that I recommend –do your marking in the FORWARD chain rather than in the PREROUTING chain:

#MARK                SOURCE        DEST        PROTO        PORT(S)        CLIENT     USER    TEST
#                                                                          PORT(S)
RESTORE:F            -             -           tcp
CONTINUE:F           -             -           tcp          -              -          -       !0
1:F                  -             -           ipp2p        ipp2p
SAVE:F               -             -           tcp          -              -          -       1
1:12                 -             eth0        -            -              -          -       1
2:12                 -             eth1        -            -              -          -       1   

Kemungkinan di /etc/shorewall/interface coba ganti yang net jadi dhcp bukan eth0…

kalau ndak lihat seperti ini

#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp
loc eth1 detect

Example

Example 1:

Suppose you have eth0 connected to a DSL modem and eth1 connected to your local network and that your local subnet is 192.168.1.0/24. The interface gets it’s IP address via DHCP from subnet 206.191.149.192/27. You have a DMZ with subnet 192.168.2.0/24 using eth2.

Your entries for this setup would look like:

#ZONE   INTERFACE  BROADCAST         OPTIONS 

net        eth0          206.191.149.223  dhcp 

loc         eth1          192.168.1.255      

dmz      eth2           192.168.2.255

Example 2:

The same configuration without specifying broadcast addresses is:

#ZONE   INTERFACE BROADCAST        OPTIONS 

net        eth0         detect                 dhcp 

loc         eth1         detect 

dmz       eth2         detect

Example 3:

You have a simple dial-in system with no ethernet connections.

#ZONE   INTERFACE BROADCAST        OPTIONS net        ppp0         -

FILES

/etc/shorewall/interfaces

Contoh 1
dalam 1 network dengan penggunaan bandwidth total tidak dibatasi terdapat beberapa komputer dengan
klasifikasi sebagai berikut

    * admin, server dengan bandwidth unlimited
    * staff dengan bandwidth 1,5 kbytes/sec, bila file yang diakses melebihi 64Kbte
    * umum dengan bandwidth 1 kbytes/sec, bila file yang diakses melebihi 32 Kbyte

acl all src 0.0.0.0/0.0.0.0
acl admin src 192.168.1.250/255.255.255.255
acl server src 192.168.1.251/255.255.255.255
acl umum src 192.168.1.0/255.255.255.0
acl staff src 192.168.1.1 192.168.1.111 192.168.1.2 192.168.1.4 192.168.1.71
   
delay_pools 3
   
delay_class 1 1
delay_parameters 1 -1/-1
delay_access 1 allow admin
delay_access 1 allow server
delay_access 1 deny all
   
delay_class  2 1
delay_parameters 2 1500/64000
delay_access 2 allow staf
delay_access 2 deny all
   
delay_class  3 1
delay_parameters 3 1000/32000
delay_access 3 allow umum
delay_access 3 deny all

Cara mencobanya paling mudah adalah dengan menggunakan donlot manajer semacam DAP,
GetRight maka akan terlihat bandwidth sudah dibatasi.
Contoh 2

Delay pools juga dapat digunakan untuk membatasi donlot file untuk extensi tertentu.
Gunakan ACL url_regex untuk mengatasi hal ini.
Contoh dibawah digunakan untuk membatasi donlot file multimedia hingga 1 kByte/sec.

acl multimedia url_regex -i \.mp3$ \.rm$ \.mpg$ \.mpeg$ \.avi$ \.dat$
delay_pools 1
delay_class 1 1
delay_parameters 1 1000/16000
delay_access 1 allow multimedia
delay_access 1 deny ALL

Contoh 3 dari forum.linux.or.id

bagaimana caranya membuat delay pools untuk membatasi download di siang hari untuk
15 klient sedangkan malam harinya lost asumsi jamnya ( 10:00 - 21:00)

acl LTIME time SMTWHFA 10:00-21:00
   
acl download url_regex -i ftp \.exe$ \.mp3$ \.mp4$ \.tar.gz$ \.gz$ \.tar.bz2$ \.rpm$ \.zip$ \.rar$
acl download url_regex -i \.avi$ \.mpg$ \.mpeg$ \.rm$ \.iso$ \.wav$ \.mov$ \.dat$ \.mpe$ \.mid$
acl download url_regex -i \.midi$ \.rmi$ \.wma$ \.wmv$ \.ogg$ \.ogm$ \.m1v$ \.mp2$ \.mpa$ \.wax$
acl download url_regex -i \.m3u$ \.asx$ \.wpl$ \.wmx$ \.dvr-ms$ \.snd$ \.au$ \.aif$ \.asf$ \.m2v$
acl download url_regex -i \.m2p$ \.ts$ \.tp$ \.trp$ \.div$ \.divx$ \.mod$ \.vob$ \.aob$ \.dts$
acl download url_regex -i \.ac3$ \.cda$ \.vro$ \.deb$
   
delay_pools 1
   
delay_class 1 1
delay_parameters 1 3000/3000
delay_access 1 allow download TIME
delay_access 1 deny all

Berikut ini contoh konfigurasi squid.conf yang sudah dilengkapi dengan bandwidth limitter.
http_port 8080
icp_port 3130
hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

cache_mem 64 MB

ipcache_size 1024
ipcache_low 90
ipcache_high 95

cache_dir ufs /usr/local/squid/cache 5000 16 256
cache_effective_user squid
cache_effective_group squid

cache_access_log /usr/local/squid/logs/access.log
cache_log /usr/local/squid/logs/cache.log
cache_store_log /usr/local/squid/logs/store.log

dns_nameservers 202.154.190.19

request_header_max_size 10 KB
request_body_max_size 1 MB

client_lifetime 1 day

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl uol src 202.154.191.0/24 192.168.10.0/24 90.7.1.0/24
acl kompdemo src 202.154.191.230/255.255.255.255
acl kantor 202.154.191.229/255.255.255.255
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow uol localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
icp_access allow uol localhost
http_access deny all
maximum_object_size 3000 KB
store_avg_object_size 50 KB

cache_mgr admin@ungaran-online.net
cache_effective_user squid
cache_effective_group squid

visible_hostname proxy.ungaran-online.net
og_icp_queries off
buffered_logs on
delay_pools 2

delay_class 1 1
delay_parameters 1 -1/-1
delay_access 1 allow uol
delay_access 1 allow localhost
delay_access 1 deny all

delay_class 2 1
delay_parameters 2 1500/64000
delay_access 2 allow kompdemo
delay_access 2 allow kantor
delay_access 2 deny all

 
step by step instalasi

1. Installing Squid
You can install Squid using Ports but you can’t play with configure options, so I’ll cover the steps to install from a tarball.

You can download the Squid source from http://www.squid-cache.org./ The lastest version is squid-2.4.STABLE6-src.tar.gz. Run the following commands as root.

# cd /path/to/tarball
# tar zxvf squid-2.4.STABLE6-src.tar.gz
# cd squid-2.4.STABLE6
# ./configure –enable-delay-pools –enable-ipf-transparent \
–enable-storeio=diskd,ufs –enable-storeio=diskd,ufs \
–disable-ident-lookups –enable-snmp –enable-removal-policies
# make all
# make install

The explaination of configure script options are below:
–enable-delay-pools - Enable delay pools to limit bandwidth usage.

You need to enable the option in order to use Squid to limit bandwith usage. It will give fair bandwith usage for everybody. In my case, I don’t want one person sucking all of the available bandwidth by downloading a big movie, causing others to suffer.

–enable-ipf-transparent - Enable Transparent Proxy support for systems using IP Filter network address redirection.

With this option, you don’t have to configure the client’s browser proxy setting. Also it is a good way to force the client to use the proxy everytime.

–enable-storeio=diskd,ufs - Enable diskd

Improve disk I/O performance. According to the Squid FAQ, if you enable diskd you can gain a 400% increase of perfomance. However, you would need to recompile the kernel because your operating system must support message queues and shared memory.

–enable-removal-policies - Build support for the list of removal policies.

By default, Squid uses LRU, but there are two better policies: GDSF and LFUDA. See the Squid config for a more detailed explanation.

–disable-ident-lookups - This allows you to remove code that performs Ident (RFC 931) lookups.

Not really important. By the way, if you do transparent proxy, ident lookups won’t work.

–enable-snmp

Optional: enable this and you can monitor Squid with mrtg or rrdtool. How to do this is outside of this article’s scope. Perhaps in my next one.

2. Edit Squid Configuration File /usr/local/squid/etc/squid.conf

# Need for transparent proxy
# You need to –enable-ipf-transparent
http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

# Physical memory / 3
cache_mem 128 MB
# Max out Squid I/O perfomance, 15 GB cache and use Squid special diskd but you need to recompile the kernel
# To use disk you need to –enable-storeio=diskd,ufs
# Reasonable values for Q1 and Q2 are 72 and 64, respectively.
# Q1 value must bigger Q2
cache_dir diskd /usr/local/squid/cache 15360 16 256 Q1=72 Q2=64

# You can use normal ufs instead
#cache_dir ufs /usr/local/squid/cache 15360 16 256

# I dont want to log anything
# The reason is to save some expensive I/O operation.
cache_access_log /dev/null
cache_store_log none
cache_log /dev/null

# Cache replacement policy
# The heap GDSF policy optimizes object-hit rate by keeping smaller popular
# objects in cache, so it has a better chance of getting a hit. It achieves a
# lower byte hit rate than LFUDA, though, since it evicts larger (possibly popular)
# objects.
# The heap LFUDA ( Least Frequently Used with Dynamic Aging ) policy keeps
# popular objects in cache regardless of their size and thus optimizes byte hit
# rate at the expense of hit rate since one large, popular object will prevent
# many smaller, slightly less popular objects from being cached.
# You need to –enable-removal-policies
cache_replacement_policy GDSF

# Standard Access List
# I have two subnets, one for student and another one for admin
# Modify this according to your network
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl outgoing src 192.168.10.2/255.255.255.255
acl student src 192.168.0.0/255.255.255.0
acl admin src 192.168.1.0/255.255.255.0
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager
http_access allow localhost
http_access allow outgoing
http_access allow student
http_access allow admin
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all

icp_access allow localhost
icp_access allow student
icp_access allow admin
icp_access deny all

# Avoid caching cgi scripts
acl QUERY urlpath_regex cgi-bin
no_cache deny QUERY

acl magic_words1 url_regex -i 192.168
acl magic_words2 url_regex -i ftp .exe .mp3 .vqf .tar.gz .gz .rpm .zip .rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav .mov

# Delay Pool
# For delay pool, you need to –enable-delay-pools
delay_pools 2

# I have ADSL 2Mbits line
# 2 mbits == 256 kbytes per second
# 256 KB/s, 5 KB/s
# It means 256 KB/s bandwith for the whole network, but 5 KB/s for each node, which is fair for everybody
delay_class 1 2
delay_parameters 1 256000/256000 5000/256000
delay_access 1 allow magic_words2
delay_access 1 allow student
delay_access 1 allow admin

# -1/-1 means that there are no limits for local traffic.
delay_class 2 2
delay_parameters 2 -1/-1 -1/-1
delay_access 2 allow magic_words1

# Cancel download if file is bigger than 1MB
reply_body_max_size 1024 KB

# snmp stuff
acl snmppublic snmp_community public
snmp_access allow snmppublic localhost
snmp_access deny all

# Change to your domain
# visible_hostname yourdomain.domain.com
# cache_mgr yourname@youremail.com

3. Create cache dir and create swap

# mkdir /usr/local/squid/cache
# chown nobody:nogroup cache
# /usr/local/squid/bin/squid -k parse
# /usr/local/squid/bin/squid -z

4. Configure transparent proxy with ipfilter
4.1 Edit /etc/rc.conf

# add these lines to enable ipfilter
ipfilter_enable="YES"
ipnat_enable="YES"
ipmon_enable="YES"
ipfs_enable="YES"

4.2 Edit /etc/ipnat.rules

# add this line
# I assume rl0 is your internal nic
# Redirect everything else to squid on port 3128
rdr rl0 0/0 port 80 -> 127.0.0.1 port 3128 tcp

5. Reconfigure kernel for squid diskd support
Consult the Freebsd Handbook for recompiling the kernel and add the following lines. Your kernel must have:

options SYSVMSG

You can set the parameters in the kernel as follows. This is just an example. Make sure the values are appropriate for your system:
options MSGMNB=8192 # max # of bytes in a queue
options MSGMNI=40 # number of message queue identifiers
options MSGSEG=512 # number of message segments per queue
options MSGSSZ=64 # size of a message segment
options MSGTQL=2048 # max messages in system

The following is the explanation of the kernel options from the Squid FAQ:

The messages between Squid and diskd are 32 bytes for 32-bit CPUs and 40 bytes for 64-bit CPUs. Thus, MSGSSZ should be 32 or greater. You may want to set it to a larger value, just to be safe.

We’ll have two queues for each cache_dir, one in each direction. So, MSGMNI needs to be at least two times the number of cache_dir’s.

I’ve found that 75 messages per queue is about the limit of decent performance. If each diskd message consists of just one segment (depending on your value of MSGSSZ), then MSGSEG should be greater than 75.

MSGMNB and MSGTQL affect how many messages can be in the queues at one time. Diskd messages shouldn’t be more than 40 bytes, but let’s use 64 bytes to be safe. MSGMNB should be at least 64*75. I recommend rounding up to the nearest power of two, or 8192.

MSGTQL should be at least 75 times the number of cache_dir’s that you’ll have.

Also you can tweak the kernel by commenting out unnecessary lines in the kernel config to gain extra perfomance. Then recompile the kernel.

6. Create start-up script /usr/local/etc/rc.d/squid.sh

#!/bin/sh

echo -n ‘ Squid ‘

case "$1" in
start)
/usr/local/squid/bin/squid -D
;;
stop)
/usr/local/squid/bin/squid -k shutdown
;;
restart)
/usr/local/squid/bin/squid -k reconfigure
;;
*)
echo "Usage: `basename $0` {start|stop|restart}"
;;
esac

7. All Done!
References

FreeBSD - http://www.freebsd.org/
Squid Web Proxy Cache - http://www.squid-cache.org/
Configuration Manual for Squid 2.4 Stable x - http://squid.visolve.com/
Linux Documentation Project - Bandwidth Limiting HOWTO - http://www.linuxdoc.org/
Do-It-Yourself Caching: Squid 2.3 - http://www.bsdtoday.com/2000/February/Tutorials28.html
IP Filter Based Firewalls HOWTO - http://www.obfuscation.org/ipf/ipf-howto.html

Andi Salimun
18 Jul 2002

 
Squid transparent proxy
Posted May 5, 2003
To set up squid as a transparent proxy using FreeBSD…

Install FreeBSD. Set up NAT or whatever, and install this machine as your gateway.

Log in as root.

Install squid from ports.

cd /usr/ports/www/squid && make install
Move cache directory to /tmp.

mkdir /tmp/squid
mv /usr/local/squid/cache /tmp/squid/cache
ln -s /tmp/squid/cache /usr/local/squid/
Set up a "squid" user account.

pw useradd squid -d /nonexistent -s /usr/bin/true
chown -R squid:squid /tmp/squid/cache /usr/local/squid/logs
Edit /usr/local/etc/squid/squid.conf

# diff squid.conf.default squid.conf
474a475
> cache_mem 48 MB
524a526
> maximum_object_size_in_memory 128 KB
670a673
> cache_dir ufs /usr/local/squid/cache 200 64 128
982a986
> #redirect_program /usr/local/libexec/adzap
1311a1316
> request_body_max_size 4 MB
1753c1758,1759
< #http_access allow our_networks
—
> acl our_networks src 10.129.0.0/16 199.60.150.0/24
> http_access allow our_networks
1937a1944
> cache_mgr YOUR@EMAIL.ADDRESS.HERE
1953a1961,1962
> cache_effective_user squid
> cache_effective_group squid
1963a1973
> visible_hostname YOUR.HOST.NAME.HERE
2051a2062,2063
> httpd_accel_host virtual
> httpd_accel_port 0
2080a2093
> httpd_accel_with_proxy on
2100a2114
> httpd_accel_uses_host_header on
2540a2555,2556
> header_access Via deny all
> header_access X-Forwarded-For deny all
Create the cache directories.

squid -z
Start squid.

/usr/local/etc/rc.d/squid.sh start
Enable firewall and transparent proxy support in kernel. Example using FreeBSD 4:

cd /usr/src/sys/i386/conf
cp -i GENERIC MYKERNEL
cat <<EOF >>MYKERNEL
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT # if you intend to use NAT
EOF
config MYKERNEL
cd ../../compile/MYKERNEL
make depend && make && make install && reboot
Make sure squid is listening on port 3128.

ps axw | grep squid
netstat -a -n | grep -w 3128
Redirect all HTTP traffic passing through the machine to squid.

echo firewall_type=/etc/firewall.local >>/etc/rc.conf
cat <<EOF >>/etc/firewall.local
fwd YOUR.IP.ADDR.HERE,3128 tcp from not me to any 80
EOF
Watch the log file as you load web pages.

tail -f /usr/local/squid/logs/access.log

sumber http://teamsupport.blogspot.com/2006/07/squidconf-dilengkapi-dengan-bandwidth.html

Konfigurasi Network Interface
Dalam Implementasi Router PC
Pada linux Redhat semua komunikasi jaringan terjadi antara interface (NIC) yang telah dikonfigurasi dan peralatan jaringan fisik yang terkoneksi dengan computer.

1. File Scrip Interface
File konfigurasi untuk antarmuka jaringan dan scrip untuk mengaktifkannya terdapat didalam direktori /etc/sysconfig/network-scripts. Secara default pada redhat didalam direktori ini dan direktori lainya terdapat tiga jenis file yaitu : file –file interface configuration, script-script interface control dan file –fole network function, bekerja bersama sama dengan sedemikian rupa hingga linux dapat menggunakan berbagai peralatan jaringan

• File Konfigurasi Interface

Adalah file yang sangat penting yang digunakan oleh redhat untuk konfigurasi jaringan. Pemahaman terhadap peran file – file ini didalam jaringan akan sangat bermanfaat pada waktu mengatur secare keleluruhan
File tersebut adalah
1. /etc/host untuk meresolve hostname yang tidak dapat diresolve dengan cara lain sebagai contoh ip localhost.
2. /etc/resolv.conf untuk menentukan IP address dari DNS server dan pencarian domain. Dan file ini dibaca pada saat boo.
3. /etc/sysconfig/network untuk menentukan informasi routing dalam host untuk semua antarmuka.
4. /etc/sysconfig/network-scripts/ifcfg<nama-interface> digunakan untuk file yang terdapat pada satu file.

 Intreface Ethernet
Satu lagi file antar muka yang cukup popular adalah ifcfg-eth0, yang menandai network interface card (NIC atau Ethernet Card) pertama yang tedapat pada system. Dalam system yang mempunyai Ethernet lebih dari satu maka akan menampilkan nomor nomor sesuai dengan jumlah NIC.
Berikut ini adalah contoh file ifcfg-eth0 untuk system yang menggunakan IP addresstetap

DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
NETWORK=192.168.0.0
NETMASK=255.255.255.0
IPADDR=192.168.0.254
USERCTL=no

Nilai – nilai yang ditulis didalam file konfigurasi interface dapat diubah sesuai dengan kebutuhan. Sehingga contoh file ifcfg-eth0 untuk antar muka yang menggunakan DHCP terlihat sedikit berbeda karena informasi IP address disediakan oleh DHCP sever:

DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes

Selain cara diatas anda bisa menggunakan tool GUI diantaranya adalah tool Network Configuration

Parameter yang ada dalam file configuration
1. BOOTPROTO=<protocol>, dimana <protocol> adalah sebagai berikut :

• none :tidak ada protocol boot time yang disediakan
• bootp : menggunakan protocol boop
• dhcp : menggunakan protocol boot DHCP

2. BROADCAST=<address>dimana <address>merupakan alamat broadcast.
3. DEVICE=<number> dimana <name> adalah nama peralatan fisik ( bukan dinamis seperti peralatan PPP yang dialokasikan oleh ISP dan berupa nama logis).
4. DNS{1,2}=<address>dimana <address> adalah nama alamat name server yang diletakan pada file /etc/resolv.conf jika direktif PEERDNS diset menjadi yes
5. IPADDR=<address> dimana <address> adalah alamat IP yang akan digunakan oleh Ethernet
6. NETMASK=<mask> diaman <mask> adalah nilai subnetmask
7. NETWORK=<address> dimana <address>adalah IP address jaringan
8. ONBOOT=<answer> dimana <answer> adalah salah satu dibawah ini :

• yes = peralatan ini aktif saat boot
• no = peralatan ini tidak diaktifkan pada saat boot

9. PEERDNS=<answer> dimana <answer> adalah nilai salah satu dibawah ini :

• yes = memodifikasi /etc/resolv.conf jika diaktifkan dns set. jika anda menggunakan dhcp maka yes merupakan defaultnya
• no = tidak memodifikasi /etc/resolv.conf

10. SRCADDR =<address> dimana <address> adalah source yang ditentukan untuk paket luar
11. USERTL=<answer> adalah <answer> adalah salah satu nilai berikut :

• yes = user non root diijinkan mengatur peralatan lain
• no = user non root tidak diijinkan mengatur perlatan

2. Praktek Jaringan Router static
1. Periksa peralatan dalam PC harus mempunyai 2 buah eth0 atau eth1 dan dapat berfungsi dengan baik.
2. Masuk keterminal dan masuk sebagi user root
3. Periksa apakah NIC dapat terbaca dan dapat menempilkan informasi dengan cars sebagai berikut :
#dmesg |grep eth

4. Dengan menggunakan teks editor yang ada lakukan pengesetan sebagai berikut :
# vi /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
NETWORK=192.168.0.0
NETMASK=255.255.255.0
IPADDR=192.168.0.254
USERCTL=no

Seting pula eth1
# vi /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
BOOTPROTO=none
ONBOOT=yes
NETWORK=10.252.0.0
NETMASK=255.255.255.0
IPADDR=10.252.0.254
USERCTL=no

Ket :
Jika sudah masuk ke vi / vim ingin mengedit tekan i lakukan pengeditan terhadap kedua file tersebut. Jika sudah dilakukan pengeditan simpan dan keluar dengan menekan Esc :wq

5. Aktifkan forward dengan megedit file scripts yang telah ada /etc/sysconfig/network sehingga dapat terdapat basis sebagai berikut :

FORWARD_IPV4=true
Jika tidak ada lakukan dibawah ini
6. Jika mau mengedit file yang telah ada /etc/sysctl.conf dan anda tinggal mengubah nilai false menjadi true.

net.ipv4.ipforward=1

7. Lakukan pengecekan apakah forward sudah berhasil atau belum dan nilainya harus 1.

#cat /proc/sys/net/ipv4/ip_forward

8. Jika belum lakukan restar terhadap konfigurasi tersebut

#/etc/init.d/network restart

9. Cek ulang apakah sudah berhasil atau belum
10. Selamat mencoba !!!!!!!!!!!!!!!!!!!!!!!!!

Sumber http://salinstm.wordpress.com/2007/05/02/belajar-router-static-dengan-redhat/

Jaringan speedy –> server gateway –> switch –> client  (masih rawan masalah keamanan kan?)

Dengan keterangan seumpamanya:
IP speddy 192.168.16.13 *masuk di eth0 server gateway* (nantinya akan di NAT) IP local yang akan aq buat untuk klien2nya (192.168.31.0/24 netmask 255.255.255.0)
IP server gateway aq buat (192.168.31.1) *di eth2*
Habis itu aq set di server gatewaynya biar bisa NAT dari IP yg dikasih spidi ke network local (192.168.31.0/24). Pertama yang aq lakuin memastikan terlebih dahulu ipforwarding pada linux sudah jalan (ini dibutuhkan untuk memforward IP dari segment local ke IP yg dikasih spidi)dengan perintah pada console linux (menu –> console):
#sudo sysctl –p
Tanda “#” menunjukkan anda login sebagai root.($ su).Akan tampil (kernel.printk = 4 4 1 7 net.ipv4.ip_forward = 1) bila sudah aktif.
cara ngaktifinnya, rubah script pada file sysctl.conf yang ada di /etc. caranya:
#gedit /etc/ sysctl.conf
Tambahkan baris script seperti ini: “net.ipv4.ip_forward = 1” tanpa tanda petik, lalu save. setelah itu coba jalankan perintah sudo sysctl –p lagi.
# sudo sysctl –p
dan keluar tampilan seperti ini.
kernel.printk = 4 4 1 7 net.ipv4.ip_forward = 1
selanjutnya menset NAT (pada iptable). perintahnya:
#sudo iptables -t nat -A POSTROUTING -s 192.168.31.0/24 -o eth0 -j SNAT –to-source 192.168.16.13
yang kira2 maksudnya begini, lemparkan semua ip dalam network 192.168.31.0/24 pada eth0 dengan metode postrouting dan dibuatkan static NAT menuju ke IP 192.168.16.13
lalu cek hasil pekerjaan dengan mengetikkan
#iptables -L -t nat
terus muncul seperti ini. target prot opt source destination SNAT O
O –192.168.31.0/24   anywhere   to:192.168.16.13
wah dah ada tuh static NAT nya.
sekarang setting di eth2 dengan ip 192.168.31.1
#ifconfig eth2 192.168.31.1 netmask 255.255.255.0
lalu saya set di client . ip addresnya 192.168.31.2 netmask 255.255.255.0 dengan gateway 192.168.31.1 netmask idem.

 

Sumber http://cilonk.blogspot.com/2007/06/mensharing-speedy-ke-klien.html