Раздача интернета через mpd и подсчетом трафика utm c pf
- Категория: FreeBSD
- Опубликовано 06.05.2014 12:55
- Автор: 1111
Имеем FreeBSD 7.3
Нужно установить и настроить
1. Utm5
-создание базы
-настройка utm5.cfg
-настройка dynashape.cfg
-настройка radius5.cfg
-настройка rfw5.cfg
-настройка web5.cfg
2. Устанавливаем MPD5
настраиваем /usr/local/etc/mpd5/mpd.conf
3. DNS BIND
-настройка /var/named/etc/namedb/named.conf
4. PF
-настройка /etc/pf.conf
Устанавливаем utm5
Для utm5 требуется, чтобы были установлены следующие пакеты:
openssl;
gettext;
libiconv;
libxslt;
libxml2;
rrdtool;
MySQL 5.0.x.
Ставим openssl
# Build the utm5 prerequisites from ports (MySQL is installed separately below).
cd /usr/ports/security/openssl
make install clean
cd /usr/ports/devel/gettext
make install clean
cd /usr/ports/converters/libiconv
make install clean
cd /usr/ports/textproc/libxslt
make install clean
cd /usr/ports/textproc/libxml2
make install clean
cd /usr/ports/databases/rrdtool
make install clean
Устанавливаем apache
cd /usr/ports/www/apache22
make config
ставим галочку напротив MySQL, включив его поддержку в сборку
make install
после удачной установки добавляем в /etc/rc.conf (ee /etc/rc.conf):
apache22_enable="YES"
hostname="ваше доменное имя"
перезагружаем систему и заходим на http://ваш домен или IP-адрес сервера;
если вы всё сделали правильно, должна появиться надпись «It works!»
# MySQL 5.0 server — the database backend required by utm5 (see the package list above).
cd /usr/ports/databases/mysql50-server
make install clean
После установки добавляем в /etc/rc.conf:
mysql_enable="YES"
Скачиваем utm5 с сайта производителя, закидываем на сервер и устанавливаем
pkg_add utm5-2.1.xxx.tgz
Создание базы данных
На UNIX системах следует создать базу данных и выполнить в SQL команды по созданию таблиц и вводу некоторых предопределенных значений, перечисленные в файле UTM5_MYSQL.sql (для MySQL) или UTM5_PG.sql (для PostgreSQL). В простейшем случае это достигается следующим образом.
Для MySQL (рекомендуется использовать кодировку UTF-8 по умолчанию, или указывать её при создании базы):
mysql -e "create database UTM5 DEFAULT CHARACTER SET=utf8;"
mysql UTM5 < UTM5_MYSQL.sql
Создание индексов
Для создания индексов баз данных на UNIX системах выполните в SQL команды из файла UTM5_indexes.sql, что в простейшем случае достигается следующим образом:
Для MySQL:
mysql -f UTM5 < UTM5_indexes.sql
Активация лицензионного ключа
Для активации лицензионного ключа необходимо выполнить команду (файл ключа выдаётся производителем):
mysql UTM5 < <файл_лицензионного_ключа.sql>
При создании индексов возможны некритические ошибки (например, попытки удаления объектов, которые уже были удалены); их можно игнорировать.
Если все предыдущие команды были выполнены успешно, запустите ядро биллинговой системы командой
/usr/local/etc/rc.d/utm5_core.sh start
Проверяем чего не хватает
ldd /netup/utm5/bin/utm5_core
Дальше рассматриваем ситуацию с уже работающей базой, заведёнными тарифами и пользователями на рабочем сервере и её перенос с помощью
скрипта от netup
/netup/utm5/bin/utm5_backup.sh
создаем backup базы и переносим как указано здесь
https://infoitcom.ru/index.php/freebsd/117-prenos-bazy-utm5-2-1-007-v-utm5-2-1-008
Так как у нас авторизация клиентов происходит на сервере посредством подключения к VPN-серверу, ставим mpd5
Устанавливаем mpd5
# PPTP/VPN server; clients authenticate through it against the utm5 RADIUS server.
cd /usr/ports/net/mpd5
make install clean
ee /etc/syslog.conf
*.* /var/log/mpd.log
(без селектора программы — строки вида `!имя`, под которым mpd пишет в syslog, — над этой строкой в файл попадут сообщения всех служб, а не только mpd)
touch /var/log/mpd.log
/etc/rc.d/syslogd reload
ee /etc/rc.conf
mpd_enable="YES"
/usr/local/etc/rc.d/mpd5 start
Создаем
touch /usr/local/etc/mpd5/mpd.conf
Редактируем
ee /usr/local/etc/mpd5/mpd.conf
startup:
# Management users. mpd's `set user` takes <name> <password> [class]:
# both lines define the same user "admin" with the password "password";
# the second presumably replaces the first, leaving "admin" with class
# "user" rather than "admin" — confirm which definition mpd keeps.
# NOTE(review): "password" is a placeholder-grade credential for a
# management interface; replace it before the web UI is reachable.
set user admin password admin
set user admin password user
# Web management UI bound to the LAN-side address 192.168.3.1:5066 (not
# loopback); auth is enabled, so it is protected only by the credentials above.
set web self 192.168.3.1 5066
set web enable auth
set web open
# Management console bound to loopback only.
set console self 127.0.0.1 5067
set console open
# NetFlow export to the local collector (utm5 traffic accounting);
# the bundle template below turns on netflow-in/netflow-out per interface.
set netflow peer 127.0.0.1 9996
default:
load pptp_server
pptp_server:
# Create bundle template
create bundle template B
set bundle disable compression
# NOTE(review): MPPE encryption is disabled, so PPTP client traffic crosses
# the access network in clear text; `radius_auth_mppe=enable` in radius5.cfg
# presumably has no effect unless encryption (and MS-CHAPv2) is enabled here.
set bundle disable encryption
set iface disable on-demand
set iface disable proxy-arp
# Drop sessions idle for 1800 s (30 min).
set iface idle 1800
set iface enable tcpmssfix
set iface enable netflow-in
set iface enable netflow-out
# Server-side address 1.1.1.1, client pool 1.0.0.0/16.
# NOTE(review): 1.1.1.1 and 1.0.0.0/16 are publicly routable space, not
# RFC 1918; unless this prefix is actually assigned to the operator, clients
# lose reachability to its real owners — confirm the intended pool.
set ipcp ranges 1.1.1.1/32 1.0.0.0/16
set ipcp yes vjcomp
# set ipcp dns 192.168.3.1
set ipcp dns 192.168.3.1
set ipcp nbns 192.168.3.1
# Create link template
create link template L pptp
set link action bundle B
set link enable peer-as-calling
set link disable multilink
set link yes acfcomp protocomp
# PAP and EAP are refused; CHAP is re-enabled on the next line. Which CHAP
# variants (MD5 / MS-CHAPv1 / MS-CHAPv2) this offers is not visible here —
# confirm, since MPPE key generation requires MS-CHAPv2.
set link no chap pap eap
set link enable chap
load radius
set link keep-alive 10 60
set link mtu 1500
set link mru 1500
# set pptp self 192.168.3.1,192.168.5.1
# set pptp self 192.168.3.1,192.168.3.1
set link enable incoming
radius:
# RADIUS server on loopback: <host> <shared-secret> <auth-port> <acct-port>.
# The shared secret is literally "password" (author's note: the RADIUS server
# password); it must match the NAS secret configured on the UTM5 side.
set radius server 127.0.0.1 password 1812 1813
set radius retries 3
set radius timeout 3
# NAS-IP-Address reported to the RADIUS server.
set radius me 127.0.0.1
set auth enable radius-auth
set auth disable internal
# RADIUS accounting is off; traffic accounting is done via NetFlow above.
set auth disable radius-acct
# Include the Message-Authenticator attribute in requests.
set radius enable message-authentic
Редактируем
ee /netup/utm5/radius5.cfg
##
## /netup/utm5/radius5.cfg
## UTM5 RADIUS server configuration file
##
## =============================================================================
## MAIN RADIUS SERVER PARAMETERS
## =============================================================================
## core_host
## Description: IP address of a host running the utm5_core
## Possible values: an IP address
## Required field.
## The core runs on this host, so the (unencrypted, see radius_ssl_type) link
## to it stays on loopback.
core_host=127.0.0.1
## core_port
## Description: UTM5 core listening port. Equal to stream_bind_port parameter
## in utm5.cfg.
## Possible values: an integer from 1 to 65534
## Required field.
core_port=12758
## radius_login
## Description: A system user login to access the UTM5 core.
## Possible values:
## Default value: radius
radius_login=radius
## radius_password
## Description: A system user password to access the UTM5 core.
## Possible values:
## Default value: radius
## Author's note: "the one given in mpd.conf".
## NOTE(review): this is the password of the UTM5 system user above, not
## necessarily the RADIUS shared secret that mpd.conf passes with
## `set radius server`; presumably the NAS secret is set in UTM_Admin — confirm.
radius_password=password
## radius_ssl_type
## Description: SSL connection type. If 'none' is set, the connection
## is unencrypted.
## Possible values: tls1, ssl3, none
## Default value: none
## Left at the default (none): acceptable only because core_host is loopback.
#radius_ssl_type=none
## radius_acct_host
## Description: IP address of the host receiving Accounting-Requests.
## Possible values: interface IP address or 0.0.0.0
## Default value: 0.0.0.0
## radius_acct_port
## Description: Port of the host receiving Accounting-Requests.
## Possible values: an integer from 1 to 65534
## Default value: 1813
## radius_auth_host
## Description: IP address of the host receiving Access-Requests.
## Possible values: interface IP address or 0.0.0.0
## Default value: 0.0.0.0
## Bound to loopback only; mpd (the only NAS) runs on the same host.
radius_auth_host=127.0.0.1
## radius_auth_port
## Description: Port of the host receiving Access-Requests.
## Possible values: an integer from 1 to 65534
## Default value: 1812
radius_auth_port=1812
## radius_auth_mppe
## Description: Enables MPPE 128 bit key generation used for authorization
## via MS-CHAP-v2 protocol.
## Possible values: enable
## Default value: the keys are not generated
## NOTE(review): only useful if the NAS negotiates MS-CHAPv2 and has
## encryption enabled; mpd.conf in this setup has `set bundle disable
## encryption` — confirm the two agree.
radius_auth_mppe=enable
## radius_auth_vap
## Description: If the value is set, authorization of blocked users, whose
## logins are set in IP traffic service link, is disallowed.
## Possible values: 1
## Default value: authorization is allowed
#radius_auth_vap=1
## radius_ippool_acct_timeout
## Description: A time interval during which the IP address is labeled as
## occupied after sending Access-Accept.
## Possible values: time in seconds
## Default value: 30
## radius_ippool_timeout
## Description: A time interval during which the IP address is labeled as
## occupied after receiving Accounting-Start.
## Possible values: time in seconds
## Default value: The address is labeled as occupied until coming of the
## Stop packet
## radius_auth_null
## Description: If enabled, the RADIUS server authorizes requests without
## User-Password(2) attribute, if the user's password, defined in the
## service link, is empty.
## Possible values: yes, enable
## Default value: authorization without a password is not performed
#radius_auth_null=yes
## radius_auth_h323_remote_address
## Description: If enabled, then telephone calls authentication is performed
## using h323-remote-address(9;23) attribute value, but not using
## User-Name(1) attribute. The attribute value is used as a login.
## Possible values: enable, on, yes
## Default value: replacement of login with h323-remote-address is not
## performed
## radius_nas_port_vpn
## Description: This parameter is checked against NAS-Port-Type(61) attribute
## value when connecting using the login specified in the IP traffic service
## link. Several values can be set.
## Possible values: a positive integer
## Default value: Checking against NAS-Port-Type for the IP traffic service
## link is not performed
## radius_nas_port_dialup
## Description: This parameter is checked against NAS-Port-Type(61) attribute
## value when connecting using the login specified in the Dial-up service
## link. Several values can be set.
## Possible values: a positive integer
## Default value: checking against NAS-Port-Type for the Dial-up service link
## is not performed
## radius_nas_port_tel
## Description: This parameter is checked against NAS-Port-Type(61) attribute
## value when connecting using the login specified in the Telephony service
## link. Several values can be set.
## Possible values: a positive integer
## Default value: checking against NAS-Port-Type for the Telephony service
## link is not performed
## radius_card_autoadd
## Description: If 'yes' is set, the automatic registration of users is
## enabled via the RADIUS server using prepaid cards. In this case in the
## Login field a user enters the card number and in the Password field - the
## PIN code. In case of the Telephony service, in the Login field it is
## entered the PIN code or its first part and the remainder is used as a
## password.
## Possible values: yes, on, enable
## Default value: automatic registration is not performed
## NOTE(review): with this on, anyone presenting a valid card number/PIN can
## self-register an account through RADIUS; confirm prepaid cards are in use
## here, otherwise leave it at the default.
radius_card_autoadd=yes
## send_xpgk_ep_number
## Description: If this option is enabled, for the Telephony service, when a
## user is being authorized, in Access-Accept it is transmitted the
## Cisco-AVPair(9;1) attribute with the value:
## xpgk-ep-number=.
## Possible values:
## Default value: telephone numbers are not transmitted in affirmative replies
## to authorization requests
## send_h323_ivr_in
## Description: If this option is enabled, for the Telephony service, when a
## user is being authorized, in Access-Accept it is transmitted the
## Cisco-AVPair(9;1) attribute with the value: h323-ivr-in=terminal-alias:
## .
## Possible values:
## Default value: telephone numbers are not transmitted in affirmative replies
## to authorization requests
## enable_fast_telephony
## Description: This option enables the rapid mechanism for determination of
## directions and zones when rating telephone calls. In this case templates
## for telephone directions must contain the digits from 0 to 9 and the
## symbols: ^ $ + )( |.
## Possible values: enable, yes
## Default value: the default mechanism for determination of zone/direction
## is used
## h323_origin_reject
## Description: Sets zero cost for Accounting-Requests in which the
## h323-call-origin(9;26) attribute equals the value of this parameter.
## Possible values:
## Default value: unset
#h323_origin_reject=originate {answer|callback|etc}
## interim_update_interval
## Description: Enables session control mechanism using Interim-Update
## packets. The value is transmitted in the Acct-Interim-Interval(85)
## attribute of the Access-Accept packet.
## Possible values: time in seconds, more than 61
## Default value: the default session closure control mechanism is used
## radius_default_session_timeout
## Description: A value of the Session-Timeout(27) attribute transmitted in
## Access-Accept for the IP traffic service link.
## Possible values: a positive integer
## Default value: 86400
## radius_callback_avpair_enable
## Description: Enables transmission of the Cisco-AVPair(9;1) attribute with
## the value lcp:callback-dialstring=
##
## ':'-symbol.
## Possible values:
## Default value: unset
## radius_acct_rewrite_login_answer
## Description: If the value of the h323-call-origin(9;26) attribute is
## 'originate', then setting this parameter enables replacing of the login
## with the value of the h323-remote-address(9;23) attribute when processing
## Accounting-Request packets.
## Possible values: enable, on, true
## Default value: unset
## radius_acct_rewrite_login_originate
## Description: If the value of the h323-call-origin(9;26) attribute is
## 'answer', then setting this parameter enables replacing of the login with
## the value of the h323-remote-address(9;23) attribute when processing
## Accounting-Request packets.
## Possible values: enable, on, true
## Default value: unset
## =============================================================================
## LOGGING (valid if logfile rotation is enabled)
## =============================================================================
## log_level
## Description: Logging level.
## Possible values: 0, 1, 2, 3
## Default value: 1
## log_file_main
## Description: Main logfile path.
## Possible values:
## Default value: STDERR
log_file_main=/netup/utm5/log/radius.log
## log_file_debug
## Description: Debug logfile path.
## Possible values:
## Default value: STDERR
## Debug output is sent to the same file as the main log.
log_file_debug=/netup/utm5/log/radius.log
## log_file_critical
## Description: Critical logfile path.
## Possible values:
## Default value: STDERR
## rotate_logs
## Description: Enables rotation of logfiles.
## Possible values: yes, on, enable
## Default value: rotation is disabled
rotate_logs=yes
## max_logfile_size
## Description: Maximum logfile size. When logfile size reaches this limit,
## a rotation is performed.
## Possible values: a size in bytes
## Default value: 10485760
## 16 MiB per file, 5 files kept below: ~80 MiB of RADIUS logs at most.
max_logfile_size=16777216
## max_logfile_count
## Description: Maximum number of logfiles to retain. Valid if logfile rotation
## is on.
## Default value: not limited
max_logfile_count=5
Переходим к настройке фаервола pf и rfw5.cfg
добавляем
ee /etc/rc.conf
pf_enable="YES"
вносим изменения в rfw5.cfg
##
## /netup/utm5/rfw5.cfg
## UTM5 RFW configuration file
##
## =============================================================================
## MAIN PARAMETERS
## =============================================================================
## rfw_name
## Description: Name of UTM5 rfw by which it is identified when connecting to
## the UTM5 core. The same value must be set in the 'Name' field in the list
## of firewalls in UTM_Admin.
## Possible values:
## Required field
rfw_name=bill
## core_host
## Description: IP address of the host running UTM5 core.
## Possible values:
## Required field
## The core runs on this host, so the (unencrypted, see rfw_ssl_type) link
## to it stays on loopback.
core_host=127.0.0.1
## core_port
## Description: Port where UTM5 core is listening to Stream.
## Possible values: an integer from 1 to 65534
## Required field
core_port=12758
## rfw_login
## Description: Login used to access to the UTM5 core.
## Required field.
## NOTE(review): "init" looks like the UTM5 administrative account; rfw only
## needs rights to receive firewall rules, so a dedicated system user would
## follow least privilege — confirm against UTM_Admin.
rfw_login=init
## rfw_password
## Description: Password used to access to the UTM5 core.
## Required field.
## Author's note: your password (for the rfw_login user above).
rfw_password=password
## firewall_type
## Description: Firewall type. Must conform with the 'Type' parameter of the
## firewall with the corresponding name.
## Possible values: local, cisco
## Default value: local
firewall_type=local
## rfw_ssl_type
## Description: SSL connection type. If 'none' is set, the connection is
## unencrypted.
## Possible values: tls1, ssl3, none
## Default value: none
## Unencrypted: acceptable only because core_host is loopback.
rfw_ssl_type=none
## =============================================================================
## PARAMETERS THAT ARE VALID WHEN firewall_type=local
## =============================================================================
## firewall_path
## Description: Path to the executable file that performs firewall management.
## Possible values:
## Required field
## pf is used here (pf_enable="YES" in rc.conf); the ipfw alternative is kept
## commented out. pfctl needs root, and sudo_path is unset, so utm5_rfw itself
## presumably runs with sufficient privilege — confirm.
firewall_path=/sbin/pfctl
#firewall_path=/sbin/ipfw
## sudo_path
## Description: Sudo program path.
## Possible values:
## Default value:
#sudo_path=/usr/bin/sudo
## dont_fork
## Description: If set, firewall rules are applied one-by-one. Recommended when
## using iptables.
## Possible values: yes, enable, true
## Default value:
#dont_fork=yes
## =============================================================================
## PARAMETERS THAT ARE VALID WHEN firewall_type=cisco
## =============================================================================
## cisco_ip
## Description: IP address the commands are sent to via rsh protocol.
## Possible values:
## Required field
#cisco_ip=10.0.0.1
## =============================================================================
## LOGGING
## =============================================================================
## log_level
## Description: Logging level.
## Possible values: 0, 1, 2, 3
## Default value: 1
## Maximum verbosity; useful while bringing the setup up, lower it afterwards
## (all three log streams below go to the same file).
log_level=3
## log_file_main
## Description: Main logfile path.
## Possible values:
## Default value: STDERR
log_file_main=/netup/utm5/log/rfw.log
## log_file_debug
## Description: Debug logfile path.
## Possible values:
## Default value: STDERR
log_file_debug=/netup/utm5/log/rfw.log
## log_file_critical
## Description: Critical logfile path.
## Possible values:
## Default value: STDERR
log_file_critical=/netup/utm5/log/rfw.log
## rotate_logs
## Description: Enables logfile rotation.
## Possible values: yes, on, enable
## Default value: disabled
## NOTE(review): rotation is left disabled here while log_level=3 writes to a
## single file with no size cap — rfw.log will grow without bound.
## max_logfile_count
## Description: Maximum number of logfiles to retain. Valid if logfile rotation
## is on.
## Possible values: a positive integer
## Default value: not limited
## max_logfile_size
## Description: Maximum logfile size. When logfile size reaches this limit, a
## rotation is performed. Valid if logfile rotation is on.
## Possible values:
## Default value: 10485760
## pid_file
## Description: PID file path.
## Possible values:
## Default value: /var/run/utm5_rfw.pid
## =============================================================================
## MISCELLANEOUS
## =============================================================================
## OBSOLETE. NOT RECOMMENDED TO USE
## Description and default values for these parameters are not provided.
## firewall_flush_cmd
## Possible values:
#firewall_flush_cmd=/usr/sbin/iptables -F
## core_timeout
## Possible values: 5
## NOTE(review): sync_flags is not described in this file's own reference;
## its meaning is not verifiable from here — confirm in the vendor docs.
sync_flags=enable:disable