Recently in *Nix Category
A dedicated programmer known as mmm123 on the hacki forum has released source and binary files that emulate the PIX 525. The boot log from a run of the binary release:
[root@dynamips pixemu_public2007-04-11_bin]# ./pixemu -net nic,vlan=1,macaddr=00:aa:00:00:02:01 -net tap,vlan=1,script=if1up -net nic,vlan=2,macaddr=00:aa:00:00:02:02 -net tap,vlan=2,script=if2up -serial stdio -m 128 FLASH
Could not open '/dev/kqemu' - QEMU acceleration layer not activated
Values read from ini file::
serial=12345678 (305419896)
image="pix"
key=0,0,0,0
image file read 18374703 bytes, @100000
128MB RAM
Total NICs found: 2
i82559 Ethernet at irq 11 MAC: 00aa.0000.0201
i82559 Ethernet at irq 9 MAC: 00aa.0000.0202
BIOS Flash=am29f400b @ 0xd8000
Could not determine the file system type. Data in the flash will be lost.
Initializing flashfs...
flashfs[7]: Checking block 0... checksum (61666 != 61425)
flashfs[7]: erasing block 0...done.
flashfs[7]: Checking block 1...block number was (0)
.
.
.
flashfs[7]: flashfs fsck took 3 seconds.
flashfs[7]: Initialization complete.
Need to burn loader....
Erasing sector 0...[OK]
Burning sector 0...[OK]
INFO: Unable to read firewall mode from flash
Writing default firewall mode (single) to flash
Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
This activation key is not valid, use default settings only
--------------------------------------------------------------------------
                .          .
                |          |
               |||        |||
           .|| ||.      .|| ||.
        .:||| | |||:..:||| | |||:.
           C i s c o  S y s t e m s
--------------------------------------------------------------------------
Cisco PIX Security Appliance Software Version 7.2(1)
Copyright (c) 1996-2006 by Cisco Systems, Inc.
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Type help or '?' for a list of available commands.
pixfirewall>
pixfirewall> en
Password:
pixfirewall# sh ver
Cisco PIX Security Appliance Software Version 7.2(1)
Compiled on Wed 31-May-06 14:45 by root
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"
pixfirewall up 52 secs
Hardware: PIX-525, 128 MB RAM, CPU Pentium II 1 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: Ext: Ethernet0 : address is 00aa.0000.0202, irq 9
1: Ext: Ethernet1 : address is 00aa.0000.0201, irq 11
The Running Activation Key is not valid, using default settings:
Licensed features for this platform:
Maximum Physical Interfaces : 6
Maximum VLANs : 25
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Disabled
VPN-3DES-AES : Disabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform has a Restricted (R) license.
It has to be run on a Linux system; whether it can be compiled under cygwin is not known yet -- the author thinks the chances are slim.
I'm sleepy; tomorrow, when I have time, I'll run it in a virtual machine. Mmm, this is one drool-worthy toy!
PPTP VPN client dial-up on Linux

This article covers an RPM-based install and setup; if you build from source you can skip the RPM parts.

Step one: give your Linux MPPE support

a. Dell's Matt Domsch has made an RPM package that supports DKMS (Dynamic Kernel Module Support). Download and install it:
# rpm --install dkms-2.0.5-1.noarch.rpm
b. Load the MPPE module support (first make sure the kernel source is installed on your Linux box):
# rpm --install kernel_ppp_mppe-0.0.5-2dkms.noarch.rpm
c. Test whether it worked:
# modprobe ppp-compress-18 && echo success

Step two: install the dial-up client

a. Install the ppp RPM package. This one is for Red Hat 9; RPMs for other Linux versions are at http://poptop.sourceforge.net, pick whichever fits your system. If there is none for your distribution, download the SRPM.
# rpm -ivh ppp-2.4.3-4.rhl9.i386.rpm
Note: install libpcap-0.7.2-1.i386.rpm first. On other distributions such as Trustix Linux you can remove the original libpcap, install libpcap-0.7.2-1.i386.rpm from the RH9 install CD, and then install ppp.
b. Install the pptp client:
# rpm --install pptp-1.6.0-1.i386.rpm

Step three: configuration

a. vi /etc/ppp/chap-secrets
#client server Password IP Address
test * 12345 *
test is the VPN username, 12345 the password.
b. vi /etc/ppp/options.pptp
Make sure the file contains require-mppe-128.
c. vi /etc/ppp/peers/pptp
Create the dial-up peer file:
pty "pptp a.b.c.d --nolaunchpppd"    # a.b.c.d is the VPN server address
name test                            # test is the VPN username
remotename PPTP
file /etc/ppp/options.pptp           # location of the options file
ipparam pptp
d. Dial
vi vpn.sh
#!/bin/sh
pppd call pptp logfd 2 nodetach
chmod 700 vpn.sh
Building a transparent proxy on Red Hat Linux 9 with iptables and squid

1. Installing and configuring squid

First, download the squid 2.5 stable release (STABLE version), squid-2.5.STABLE6.tar.gz, from www.squid-cache.org. With the source in hand, start building and configuring:
tar xzvf squid-2.5.STABLE6.tar.gz   # unpack the archive into the current directory
cd squid-2.5.STABLE6                # change into squid-2.5.STABLE6
vi src/dnsserver.c
Edit dnsserver.c, search for the string "if (32 == i)" and change 32 to "64". The point is to raise the maximum number of concurrent dnsserver child processes: the default maximum is 32, and with many machines behind the proxy DNS lookups slow down and drag page loads with them.
Build squid:
./configure --prefix=/usr/local/squid --enable-arp-acl \
    --enable-default-err-language="Simplify_Chinese" --enable-snmp \
    --enable-underscores --enable-ssl --enable-linux-netfilter --enable-icmp \
    --disable-internal-dns
The configure options one by one:
--prefix=/usr/local/squid --> install squid under /usr/local/squid
--enable-arp-acl --> enable Address Resolution Protocol (ARP) support, the protocol that maps IP addresses to MAC addresses; this lets squid control Internet access by MAC address, and it is the key option here
--enable-default-err-language="Simplify_Chinese" --> make Simplified Chinese the default language of the error pages
--enable-snmp --> enable squid's SNMP (Simple Network Management Protocol) support
--enable-underscores --> let squid accept URLs containing underscores; by default squid rejects URLs such as www.acx_cn.com
--enable-ssl --> enable SSL support
--enable-linux-netfilter --> enable linux-netfilter (iptables) support, though this one does not seem to matter much either way
--enable-icmp --> enable ICMP support
--disable-internal-dns --> disable squid's built-in DNS resolver
When configure finishes, run
make; make install
and squid is installed.
To set it up as a transparent gateway we need to edit squid's configuration file squid.conf:
cd /usr/local/squid/etc
vi squid.conf
Add the following four lines:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Also change dns_children 5 to dns_children 50, and change
redirect_children 5
to redirect_children 50                       # redirect is web page redirection
dns_nameservers 202.96.209.5 202.103.96.133   # add the DNS server addresses
Save and quit.
Next, start squid:
cd /usr/local/squid
chown -R nobody.nobody var        # make nobody the owner and group of /usr/local/squid/var so that squid has permission to create the cache directories in the next step
/usr/local/squid/sbin/squid -z    # create the cache directories
/usr/local/squid/sbin/squid -D
Then check the system's listening ports with netstat -ln. If the two lines below show up, squid is running; 3128 is squid's default listening port, unless you changed http_port 3128 in squid.conf.
tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:3130 0.0.0.0:*
2. Modifying iptables

Next, modify the iptables rules so that the box becomes a transparent gateway. Add one rule:
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128
This redirects packets arriving on eth1 (the internal network) with destination port 80 to local port 3128, squid's listening port, which gives us control over HTTP access and an access log of it.
Edit /etc/sysctl.conf and change net.ipv4.ip_forward=0 to net.ipv4.ip_forward=1, then save. This allows the Linux kernel to forward IP packets, that is, to let IP datagrams cross from one network interface to another; only then can the system act as a packet-filtering firewall.
With that, the squid+iptables transparent proxy setup is complete.
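The sysctl.conf edit is the step most often botched: the key may be absent, commented out, or written as "net.ipv4.ip_forward = 0" with spaces, and a REDIRECT rule on a box that does not forward is a silent outage for everyone behind it. The functions below are an added example (not from the original article) that set the key idempotently in a sysctl.conf-style file and let a deploy script verify it before adding the rule; the file path is passed in, so they can be tried on a copy first. Also worth keeping in mind: the rule only catches port 80, so HTTPS traffic bypasses squid and its access log entirely.

```sh
#!/bin/sh
# Added example (not from the original article): enable IP forwarding in a
# sysctl.conf-style file idempotently. Handles a key that is absent, commented
# out, or written with spaces around "=". The file path is a parameter so the
# functions can be exercised on a scratch copy instead of /etc/sysctl.conf.

# Escape the dots in a sysctl key so it can be used inside a sed regex.
_sysctl_key_re() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Print the effective value of KEY in FILE: the last uncommented assignment
# wins, which is how "sysctl -p" would apply it. Prints nothing if unset.
sysctl_conf_get() {
    key=$1; file=$2
    esc=$(_sysctl_key_re "$key")
    sed -n "s/^[[:space:]]*$esc[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$file" | tail -n 1
}

# Set KEY = VALUE in FILE: rewrite every active assignment of KEY, or append
# one if there is none. Commented-out lines are left untouched, so running
# this twice produces exactly one active assignment.
sysctl_conf_set() {
    key=$1; value=$2; file=$3
    esc=$(_sysctl_key_re "$key")
    if [ -n "$(sysctl_conf_get "$key" "$file")" ]; then
        sed "s/^[[:space:]]*$esc[[:space:]]*=.*/$key = $value/" "$file" > "$file.tmp" &&
            mv "$file.tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Return 0 when FILE enables forwarding, so a deploy script can refuse to
# install the PREROUTING REDIRECT rule on a host that will not route packets.
ip_forward_enabled_in() {
    [ "$(sysctl_conf_get net.ipv4.ip_forward "$1")" = 1 ]
}

# Usage on a scratch copy (constructed for the demonstration):
# cp /etc/sysctl.conf /tmp/sysctl.conf.test
# sysctl_conf_set net.ipv4.ip_forward 1 /tmp/sysctl.conf.test
# ip_forward_enabled_in /tmp/sysctl.conf.test && echo "forwarding enabled in file"
```

After editing the real file, `sysctl -p` applies it without a reboot; the check above only tells you what the file says, not what the running kernel does, so pair it with `cat /proc/sys/net/ipv4/ip_forward` on the live box.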
3. Access control

Finally, set up squid's ACLs (access control lists), i.e. who may reach the Internet and when.
vi /usr/local/squid/etc/squid.conf
The default denies all access:
http_access deny all
Now edit the ACLs. The ACL format is:
acl name type value1 value2 ...
For example:
# time control
acl working_time time MTWHF 7:00-11:00    # MTWHF means Monday to Friday (the initials of Monday ... Friday); 7:00-11:00 is the period from 7 to 11 in the morning
acl working_time time MTWHF 12:30-17:00   # the "time" part says this acl is of type time
# user control
# "acl name arp" means the acl is of type arp, i.e. control by MAC address. It can be followed by a MAC address such as 00:E0:4C:46:73:28, or by a text file with one MAC address per line.
acl FN-Advance arp '/usr/local/squid/etc/FN-Advance.txt'  # FN-Advance.txt lists the MAC addresses of the finance department machines cleared for Internet access
acl FN-Detail arp '/usr/local/squid/etc/FN-Detail.txt'    # FN-Detail.txt lists the MAC addresses of the other finance department staff machines
acl test arp 00:E0:4C:46:73:28            # the MAC address of test
http_access allow FN-Advance              # machines whose MAC is listed in FN-Advance get unrestricted Internet access
http_access deny working_time             # everyone else is blocked during working hours
http_access allow FN-Detail !working_time # everyone else may browse outside working hours
http_access deny all                      # deny everything else
Save and quit, then restart squid for the changes to take effect:
/usr/local/squid/sbin/squid -k reconfigure
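The arp ACLs above read MAC addresses from text files, one per line, and a malformed line (a dash-separated address pasted from a Windows ipconfig, a stray character) means that machine simply never matches, which for FN-Advance silently downgrades someone to the restricted schedule. The checker below is an added example, not part of the original article, that validates every file referenced by an acl ... arp '...' line in squid.conf before you run squid -k reconfigure. The file names used in it are constructed for the demonstration; it accepts upper- and lower-case hex and ignores blank and # lines.

```sh
#!/bin/sh
# Added example (not from the original article): sanity-check the MAC list
# files referenced by "acl NAME arp 'FILE'" entries in squid.conf, so that a
# bad entry is caught before "squid -k reconfigure" rather than discovered as
# an unexplained access failure. File and ACL names are constructed here.

# Return 0 if every non-blank, non-comment line of FILE is a MAC address of
# the form XX:XX:XX:XX:XX:XX (hex, either case; trailing spaces tolerated).
# Each offending line is printed, and 2 is returned if the file is unreadable.
validate_mac_file() {
    file=$1
    bad=0
    [ -r "$file" ] || { echo "cannot read $file"; return 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
        esac
        entry=$(printf '%s' "$line" | sed 's/[[:space:]]*$//')
        if ! printf '%s\n' "$entry" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; then
            echo "$file: bad MAC entry: $line"
            bad=1
        fi
    done < "$file"
    return $bad
}

# Extract every single-quoted path from "acl NAME arp '...'" lines in CONF
# and validate each. Returns 0 only if all referenced files are well-formed.
check_arp_acl_files() {
    conf=$1
    sed -n "s/^acl[[:space:]][[:space:]]*[^[:space:]][^[:space:]]*[[:space:]][[:space:]]*arp[[:space:]][[:space:]]*'\([^']*\)'.*/\1/p" "$conf" |
    while IFS= read -r f; do
        validate_mac_file "$f" || exit 1
    done
}

# Usage: run against the live config before reloading squid.
# check_arp_acl_files /usr/local/squid/etc/squid.conf && /usr/local/squid/sbin/squid -k reconfigure
```

The validator is deliberately stricter than squid itself: rejecting anything that is not exactly six colon-separated hex pairs is cheaper than debugging why one desktop is unexpectedly blocked (or unexpectedly unrestricted) during working hours.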
Client: Win2000 Pro/Server SP4, WinXP SP2
What the server needs:
www.kernel.org
kernel: linux-2.6.10.tar.bz2
http://www.polbox.com/h/hs001/
kernel_patch: linux-2.6.10-mppe-mppc-1.2.patch.gz
pppd: ppp-2.4.3.tar.gz
pppd_patch: ppp-2.4.3-mppe-mppc-1.1.patch.gz
pptpd: pptpd-1.2.3.tar.gz
For convenience, put them all in the same directory.
I don't like installing from RPMs, so everything here is built and installed from source.

1. Patch the kernel first
# tar xjvf linux-2.6.10.tar.bz2
# gunzip linux-2.6.10-mppe-mppc-1.2.patch.gz
# patch -p0 -i linux-2.6.10-mppe-mppc-1.2.patch
# ln -s linux-2.6.10 linux
# cd linux
# make menuconfig
Device Drivers -> Networking Support ->
Build "PPP support" into the kernel (or as a module):
PPP Support for async serial ports
PPP Support for sync tty ports
PPP Deflate compression
Microsoft PPP compression/encryption (MPPC/MPPE)
Cryptographic options
Build "Cryptographic API" into the kernel (or as a module), and make sure SHA1 and ARC4 support are selected:
SHA1 digest algorithm
ARC4 cipher algorithm
Save the configuration and exit.
Build the kernel:
make all modules modules_install install
Edit /etc/modprobe.conf (for a 2.4 kernel edit /etc/modules.conf instead).
Reboot into 2.6.10.
2. Install PPP
Before installing, run rpm -qa | grep ppp to see whether the RH9 stock ppp-2.4.1-10 is installed. If it is, remove it first with rpm -e; there may be dependencies, so remove those in order, e.g.
# rpm -e rp-pppoe-3.5-2
# rpm -e wvdial-1.53-9
# rpm -e ppp-2.4.1-10
# tar xzvf ppp-2.4.3.tar.gz
# gunzip ppp-2.4.3-mppe-mppc-1.1.patch.gz
# patch -p0 -i ppp-2.4.3-mppe-mppc-1.1.patch
# cd ppp-2.4.3
# ./configure
# make; make install

3. Install pptpd
# tar xzvf pptpd-1.2.3.tar.gz
# cd pptpd-1.2.3
# ./configure
# make; make install
The relevant configuration files:
/etc/pptpd.conf          # pptpd's main configuration file
/etc/ppp/options.pptpd   # VPN dial-up options
/etc/ppp/chap-secrets    # usernames and passwords
/etc/modules.conf        # module loading information (on a 2.6 kernel the equivalent file is /etc/modprobe.conf, see step 1)
vi /etc/pptpd.conf
ppp /usr/local/sbin/pppd          # path to pppd
option /etc/ppp/options.pptpd     # location of the options file
localip 192.168.1.3               # the server's own LAN address
remoteip 192.168.1.230-239        # addresses handed out to clients, here 192.168.1.230 through 192.168.1.239
You can also specify individual addresses or several ranges, separated by commas, e.g. 192.168.1.230-239,192.168.1.254
vi /etc/ppp/options.pptpd
name *
lock
mtu 1450
mru 1450
proxyarp
auth
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 3
lcp-echo-interval 5
deflate 0
# Handshake Auth Method - authentication protocol type
+chap
+mschap-v2
# Data Encryption Methods
mppe required,stateless
For further details see man pppd or man pptpd.
vi /etc/ppp/chap-secrets
#client server Password IP Address
test * 12345 *
Because the password is stored in clear text, it is best to tighten the file permissions: make root the owner and chmod 700.
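Since chap-secrets holds the VPN passwords in clear text (the client-side file in step three of the PPTP client section above has the same format and the same problem), here is an added example, not part of the original article, that checks the file's owner and mode and that every secret line has the four fields client, server, secret and IP. It uses GNU stat (Linux) and takes the expected owner as a parameter (root by default) so it can be exercised as an ordinary user. It enforces the chmod advice above; mode 600 is also accepted, since the file is never executed.

```sh
#!/bin/sh
# Added example (not from the original article): check a chap-secrets file
# before starting pppd/pptpd. Secrets are clear text, so the file must belong
# to the expected user with no group/other permission bits, and each secret
# line needs exactly four fields: client server secret IP.
# Assumes GNU stat (Linux). Secrets containing spaces (quoted in pppd syntax)
# are not handled by the field count below.

# Return 0 if FILE is owned by OWNER (default root) and its mode is 600, 700
# or 400; print the reason and return 1 otherwise, 2 if stat fails.
check_secrets_perms() {
    file=$1; owner=${2:-root}
    mode=$(stat -c '%a' "$file") || return 2
    actual_owner=$(stat -c '%U' "$file") || return 2
    if [ "$actual_owner" != "$owner" ]; then
        echo "$file: owner is $actual_owner, expected $owner"
        return 1
    fi
    case $mode in
        600|700|400) return 0 ;;
        *) echo "$file: mode is $mode, expected 600 or 700"; return 1 ;;
    esac
}

# Return 0 if every non-blank, non-comment line of FILE has four fields;
# print the line number and field count of each malformed entry.
check_secrets_format() {
    awk '
        /^[ \t]*(#|$)/ { next }
        NF != 4 { printf "%s: line %d has %d fields, expected 4\n", FILENAME, NR, NF; bad = 1 }
        END { exit bad }
    ' "$1"
}

# Combined check, suitable for a start-up script:
# check_chap_secrets /etc/ppp/chap-secrets && /usr/local/sbin/pptpd
check_chap_secrets() {
    check_secrets_format "$1" && check_secrets_perms "$1" "$2"
}
```

Running the combined check from whatever starts pptpd turns a misconfiguration that would otherwise sit unnoticed (a world-readable secrets file, a line that pppd cannot parse) into a refusal to start, which is the failure mode you want for a file full of credentials.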
vi /etc/modules.conf
alias char-major-108 ppp_generic
alias /dev/ppp ppp_generic
alias tty-ldisc-3 ppp_async
alias tty-ldisc-14 ppp_synctty
alias ppp-compress-18 ppp_mppe_mppc
alias ppp-compress-21 bsd_comp
alias ppp-compress-24 ppp_deflate
alias ppp-compress-26 ppp_deflate
Reboot:
# reboot
On my box the line alias ppp-compress-18 ppp_mppe_mppc did not seem to take effect, so I had to load the module by hand:
# modprobe ppp_mppe_mppc
Confirm the kernel support:
strings `which pppd` | grep -i mppe | wc --lines
30
##### 30 or more is fine #####
strings `which pppd` | grep -i mppc | wc --lines
7
##### must not be 0 #####
dmesg | grep MPPE
MPPE/MPPC encryption/compression module registered
Start pptpd:
# /usr/local/sbin/pptpd
Mar 17 23:07:32 localhost pptpd[4471]: MGR: Manager process started
Mar 17 23:07:32 localhost pptpd[4471]: MGR: Maximum of 10 connections available
Set up the client connection: under "Security" choose custom settings, as shown in the figure; what to pick depends on your settings in options.pptpd.
Mar 17 23:09:59 localhost pptpd[4473]: CTRL: Client 192.168.1.136 control connection started
Mar 17 23:09:59 localhost pptpd[4473]: CTRL: Starting call (launching pppd, opening GRE)
Mar 17 23:09:59 localhost pppd[4474]: pppd 2.4.3 started by root, uid 0
Mar 17 23:09:59 localhost pppd[4474]: Using interface ppp0
Mar 17 23:09:59 localhost pppd[4474]: Connect: ppp0 <--> /dev/pts/1
Mar 17 23:10:02 localhost pptpd[4473]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Mar 17 23:10:02 localhost pppd[4474]: MPPC/MPPE 128-bit stateless compression enabled
Mar 17 23:10:04 localhost pppd[4474]: found interface eth0 for proxy arp
Mar 17 23:10:04 localhost pppd[4474]: local IP address 192.168.1.3
Mar 17 23:10:04 localhost pppd[4474]: remote IP address 192.168.1.230
OK, it works.
