Marcelo Lopes Santana

Create USB partitions
# cfdisk /dev/sda# mkfs.ext3 /dev/sda1

Mount the sda1 partition where will be installed the basic dist.# mount -t ext3 /dev/sda1 /media/usb

Install the basic debian with debootstrap: # debootstrap etch /media/usb http://ftp.br.debian.org/debian

Copy your source.list :
# cp /etc/apt/sources.list /media/usb/etc/apt/

Install the grub in the /dev/sda:
# grub-install –recheck /dev/sda
…
(fd0) /dev/fd0
(hd0) /dev/hda
(hd1) /dev/sda

Copy your grub configurations:
# mkdir -p /media/usb/boot/grub
# cp /boot/grub/* /media/usb/boot/grub

Set up the grub boot:
# grub
grub> root (hd1,0) # define the first partition of the pen driver as root
grub> setup (hd1) # install the GRUB in the MBR
grub> quit

Change the roor dir to the USB:
# chroot /media/usb

All commands below are in the USB pen driver as root dir.
Update the list of the packages:
# aptitude update

Install the grub:
# aptitude install grub

Install the kernel image:
# aptitude install kernel-image
Create a symbolic link to the current kernel image?

You are attempting to install an initrd kernel image …
This will not work unless you have configured your boot x loader to use initrd. …
Do you want to abort now?

Update the grub and configure the menu.lst with the new kernel:
# update-grub

# vim /boot/grub/menu.lst
—
## ## End Default Options ##

title Debian GNU/Linux, kernel 2.6.18-4-686
root (hd0,0)
kernel /boot/vmlinuz-2.6.18-4-686 root=/dev/sda1 ro
initrd /boot/initrd.img-2.6.18-4-686
savedefault

title Debian GNU/Linux, kernel 2.6.18-4-686 (single-user mode)
root (hd0,0)
kernel /boot/vmlinuz-2.6.18-4-686 root=/dev/sda1 ro single
initrd /boot/initrd.img-2.6.18-4-686
savedefault

### END DEBIAN AUTOMAGIC KERNELS LIST
—

Set the fstab:
# vim /etc/fstab
—
# /etc/fstab: static file system information.
#
#
proc /proc proc defaults 0 0
/dev/sda1 / ext3 defaults,errors=remount-ro 0 1
/dev/sda2 none swap sw 0 0
—

Set the hostname:
# vim /etc/hostname
—
usb
—

Configure the network:
# vim /etc/network/interfaces
—
# Used by ifup(8) and ifdown(8). See the interfaces(5) manpage or
# /usr/share/doc/ifupdown/examples for more information.

auto eth0
iface eth0 inet dhcp
—

Configura all basic configurations:
# dpkg-reconfigure -a
1 - Do you want system wide readable home directories?
2 - Packages that use debconf for configuration share a common look and feel. You can select the type of user interface they use.
Interface to use: Dialog
3 - Debconf prioritizes the questions it asks you. Pick the lowest priority of question you want to see:
Ignore questions with a priority less than: high
4 - Should man and mandb be installed 'setuid man'? No
5 - Enable shadow passwords?

6 - Create users and password.

7 - Running 'tzconfig' to set this system's timezone.
Your current time zone is set to Unknown
Do you want to change that? [n]: y

choose your locale at the menu.
2
Manaus

Exit from USB:
ragner-desktop:/# exit

Umount the USB pen driver with the new dist:
ragner-desktop:/media/usb# cd

ragner-desktop:~# umount /media/usb
umount: /media/usb: device is busy

If occur the error above:
ragner-desktop:~# ps -ef | grep root
…
root 20007 1 0 08:48 ? 00:00:00 /usr/sbin/cron
…
ragner-desktop:~# kill -9 20007

ragner-desktop:~# umount /media/usb

Reboot our system:
# init 6

Set the BIOS to do the boot by the USB pen driver.

Autor: Ragner Magalhaes

http://ragnermagalhaes.blogspot.com/2007/05/installing-really-debian-linux-in-usb.html 

3G CLARO COM MODEM MD300

vim /etc/udev/rules.d/50-md300modem.rules
COLOQUE O CÓDIGO:
#
#ACTION!=”add”, GOTO=”3G_End”
#BUS==”usb”, SYSFS{idProduct}==”1000″, SYSFS{idVendor}==”0fd1″, PROGRAM=”/bin/sh -c ‘echo 3 > /sys/%p/device/bConfigurationValue’”
#LABEL=”3G_End”

ACTION!=”add”, GOTO=”3G_End”
BUS==”usb”, SYSFS{idProduct}==”d0cf”, SYSFS{idVendor}==”0fce”, NAME=”modem” PROGRAM=”/bin/sh -c ‘echo 3 > /sys/%p/device/bConfigurationValue’”
LABEL=”3G_End”

/etc/init.d/udev restart

edite o
/etc/wvdial.conf e coloque

[Dialer Defaults]
Init1 = ATZ
Init2 = AT+CFUN=1
Init3 = ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
Init4 = AT+CGDCONT=1,”IP”,”bandalarga.claro.com.br”
Modem Type = USB Modem
Baud = 460800
New PPPD = yes
Modem = /dev/ttyACM0
ISDN = 0
Phone = *99***1#
Password = claro
Username = claro

A linha Init2 = AT+CFUN=1 é faz com que o modem funcione corretamente, pois esse modem necessita que o rádio esteja habilitado para efetuar a conexão, sem ela o modem efetua o procedimento de conexão e a conexao cai logo em seguida. (thanks to leleobhz pela dica.. vc é meu heroi.)

Update 2: Substitua a linha:

Init2 = AT+CFUN=1 #(modo automático de busca por rede)

para Init2 = AT+CFUN=6 #( forçar conectar na rede 3G)

ou Init2 = AT+CFUN=5 #( forçar conectar na rede EDGE (rede 2.5G))

Depois é só conectar com qualquer discador: utilizando wvdial no konsole

Fonte: laudecioliveira.org
Mais informações:
http://laudecioliveira.org/blog/?p=70

Vale a pena dar uma olhada.. ou ouvida..

#Apaga a classe root.
 tc qdisc del root dev eth0

##Criação das classes em eth0
 tc qdisc add dev eth0 root handle 1: htb default 30

##Definicao das classes filhas
 tc class add dev eth0 parent 1: classid 1:1 htb rate 1000kbit ceil 1000kbit
 tc class add dev eth0 parent 1:1 classid 1:10 htb rate 700kbit ceil 1000kbit prio 1
 tc class add dev eth0 parent 1:1 classid 1:20 htb rate 200kbit ceil 1000kbit prio 2
 tc class add dev eth0 parent 1:1 classid 1:30 htb rate 100kbit ceil 1000kbit prio 3

##Otimiza a disputa das filas com sqf
 tc qdisc add dev eth0 parent 1:10 handle 10: sfq quantum 1514 perturb 10
 tc qdisc add dev eth0 parent 1:20 handle 20: sfq quantum 1514 perturb 10
 tc qdisc add dev eth0 parent 1:30 handle 30: sfq quantum 1514 perturb 10

#Marca pacotes
 iptables -t mangle -A PREROUTING -p tcp -m multiport –dport 443,25,110 -j MARK –set-mark 1
 iptables -t mangle -A PREROUTING -p tcp -m multiport –sport 443,25,110 -j MARK –set-mark 1

 iptables -t mangle -A PREROUTING -p icmp -d 189.84.20.51 -j MARK –set-mark 1
 iptables -t mangle -A PREROUTING -p icmp -s 189.84.20.51 -j MARK –set-mark 1
 iptables -t mangle -A PREROUTING -p udp -d 189.84.20.51 -j MARK –set-mark 1
 iptables -t mangle -A PREROUTING -p udp -s 189.84.20.51 -j MARK –set-mark 1
 iptables -t mangle -A PREROUTING -p tcp -d 189.84.20.51 -j MARK –set-mark 1
 iptables -t mangle -A PREROUTING -p tcp -s 189.84.20.51 -j MARK –set-mark 1

#Pacotes com tamanho até 60000 bytes em http na porta 80 tcp
 iptables -t mangle -A PREROUTING -p tcp -m tcp –dport 80 -m length –length 1:60000 -j MARK –set-mark 1
 iptables -t mangle -A PREROUTING -p tcp -m tcp –sport 80 -m length –length 1:60000 -j MARK –set-mark 1

#Pacotes icmp
 iptables -t mangle -A PREROUTING -p icmp -j MARK –set-mark 2
 iptables -t mangle -A PREROUTING -p udp -j MARK –set-mark 2

#Classifica os pacotes para caírem em suas respectivas classes criadas
 iptables -t mangle -A POSTROUTING -o eth0 -m mark –mark 1 -j CLASSIFY –set-class 1:10
 iptables -t mangle -A POSTROUTING -o eth0 -m mark –mark 2 -j CLASSIFY –set-class 1:20
 iptables -t mangle -A POSTROUTING -o eth0 -m mark –mark 3 -j CLASSIFY –set-class 1:30 [Ler o artigo completo →]

Imagine um cenário onde teremos uma interface de rede voltada para o roteador de saída(INTERNET) com o ip 192.168.100.2
eem eth1 para rede 192.168.254.0/24 em eth0 para rede local.
Segue um exemplode firewall para esta situação.

Módulos necessários:

iptable_nat
ip_tables
ipt_state
ip_conntrack
ip_conntrack_ftp
ipt_multiport
ip_nat_ftp
iptable_mangle
ipt_tos
ipt_limit
ipt_ttl
iptable_filter
ipt_MASQUERADE
ipt_LOG
#ipt_layer7
nf_nat
iptable_mangle
xt_string
ts_kmp
xt_MARK
xt_mark
xt_CONNMARK

######## SCRIPT DE FIREWALL #################

#!/bin/bash
################################ Limpa tables e seta variaveis do kernel ############################
echo "Iniciando firewall.."
echo "Limpando tabelas e setando variaveis do kernel.."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

### Variaveis ###
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 2 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 2 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/conf/eth0/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/eth1/accept_source_route

### Seta Politicas de privacidade ###
echo "Setando politicas de privacidade.."
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# Abre a interface de loopback.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

########################## SNAT - COMPARTILHAMENTO ########################
echo "Habilitando compartilhamento.."
iptables -t nat -A POSTROUTING -s 192.168.254.0/24 -j SNAT –to-source 192.168.100.2

–> ########################## Seta prioridades TOS ########################## echo "Dando prioridades TOS para portas e ips importantes.." PRIO="20 21 25 53 80 110 137 139 445 443 8046 20000" IPSPRIO="192.168.10.0/24 192.168.3.0/24" for i in $PRIO; do  echo " -Prioridade para porta $i tcp/udp"  iptables -t mangle -A PREROUTING -p tcp –dport $i -j TOS –set-tos 16  iptables -t mangle -A PREROUTING -p udp –dport $i -j TOS –set-tos 16  iptables -t mangle -A PREROUTING -p tcp –sport $i -j TOS –set-tos 16  iptables -t mangle -A PREROUTING -p udp –sport $i -j TOS –set-tos 16 done for i in $IPSPRIO; do   echo " -Dada prioridade para ip $i"   iptables -t mangle -A PREROUTING -s $i -j TOS –set-tos 16   iptables -t mangle -A PREROUTING -d $i -j TOS –set-tos 16   iptables -t mangle -A PREROUTING -p icmp -s $i -j TOS –set-tos 16   iptables -t mangle -A PREROUTING -p icmp -d $i -j TOS –set-tos 16 done ##################### Bloqueio de sites por string ################## echo "Fazendo bloqueio por palavras.." PALAVRAS="putaria putas gays playboy superiorpics" for i in $PALAVRAS; do   echo " -Bloqueio feito para a string $i"   iptables -t mangle -A FORWARD -p tcp –dport 80 -m string –string "$i" –algo kmp  -j DROP done ################### Libera serviços para este roteador ############# echo "Liberando portas de servicos a para esse roteador.." PORTSALLOW="53 80 123 8046 8081 8082 20000 4445 5550" for i in $PORTSALLOW; do   iptables -A INPUT -p tcp –dport $i -j ACCEPT   iptables -A INPUT -p udp –dport $i -j ACCEPT   iptables -A INPUT -p tcp –sport $i -j ACCEPT   iptables -A INPUT -p udp –sport $i -j ACCEPT done ############################### REDIRECIONAMENTO DE PORTAS ############### echo "Redirecionando portas da internet para micros da rede interna.." EXTIP="192.168.100.2"  iptables -A PREROUTING -t nat -i eth1 -p tcp -d $EXTIP –dport 8081 -j DNAT –to 192.168.10.5:80 iptables -A PREROUTING -t nat -i eth1 -m multiport -p tcp -d $EXTIP –dport 4550,5550,3650,3550,90 -j DNAT –to 192.168.254.31 iptables -A PREROUTING -t nat -i eth1 -m multiport -p udp -d $EXTIP –dport 4550,5550,3650,3550,90 -j DNAT –to 192.168.254.31 ######################Protege contra pacotes danificados e alguns ataques ## PROTECOES # —————————————————— # CONTRA TROJANS echo "Bloqueando contra trojans e logando pacotes.." iptables -N TROJAN iptables -A TROJAN -j LOG –log-prefix '** TROJANS E WORMS **' –log-level debug iptables -A FORWARD -p tcp –dport 666 -j TROJAN iptables -A FORWARD -p tcp –dport 4000 -j TROJAN iptables -A FORWARD -p tcp –dport 6000 -j TROJAN iptables -A FORWARD -p tcp –dport 6006 -j TROJAN iptables -A FORWARD -p tcp –dport 16660 -j TROJAN iptables -A FORWARD -p tcp –dport 135 -i eth1 -j TROJAN iptables -A FORWARD -p tcp –dport 137 -i eth1 -j TROJAN iptables -A FORWARD -p tcp –dport 139 -i eth1 -j TROJAN iptables -A FORWARD -p udp –dport 69 -i eth1 -j TROJAN iptables -A TROJAN -j DROP ####### #BLOQUEIA PING EM EXCESSO echo "Bloqueando ping flood.." iptables -A INPUT -p icmp –icmp-type echo-request -m limit –limit 1/s -j ACCEPT iptables -A INPUT -p icmp –icmp-type echo-request -j DROP # Libera pacotes tcp e udp de conexoes ja estabelecidas ou relacionadas iptables -A FORWARD -i eth1 -m state –state RELATED,ESTABLISHED -j ACCEPT iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT ### Bloqueia Tudo Que chega a esse roteador e bloqueia FORWARD para rede interna ####################### echo "Bloquando tudo que restou.." iptables -A INPUT -p tcp -j DROP iptables -A INPUT -p udp -j DROP iptables -A FORWARD -i eth1 -p tcp -j DROP iptables -A FORWARD -i eth1 -p udp -j DROP echo "Firewall iniciando!"

Caros grandes amigos colegas alunos irmãos,

  Segue o resumão dos comandos linux da matéria dada….

[Ler o artigo completo →]

Os administradores utilizam programas como Nagios, whatsup e derivados para monitorar a rede, vai aí uma dica de um programa bem parecido com o whatsup, nao tao completo mas bem prático como o whatsup e menos burocrático como o nagios.

Para quem quiser testar… vaí aí o tal do ceops 

–>                                                                   Requisitos - nmap > 2.54BETA30 - gtk >= 1.2.0 - gnome - gnome-xml >= 1.8.0 - glib >= 1.2.0 - glib-devel >= 1.2.0 - imlib >= 1.9.0 - imlib-devel >= 1.9.0 - libpthread - libgnome-devel - gnome-libs-devel - libpng-devel - esound-devel - gnomecanvas-devel - libxml-devel     Instalação no  Debian   # aptitude install sux   # aptitude install cheops-ng Como utilizar: Como root em modo grafico, cheops-agent & coloca o cheops-agent em background Para rodar o programa: Cheops-ng Site do projeto: http://cheops-ng.sourceforge.net/  

Desktop, a parte mais atrativa para usuários comuns, que adoram as firulas e os visuais mais irados de telas e aplicativos que chamam a atenção pela facilidade e gratuidade do uso. Com certeza, quando tratamos de visual, o Linux dá um show aparte, não quero nem comentar a respeito do MAC OS X leopard, simplesmente fantástico!

[Ler o artigo completo →]