Собираем полноценный роутер на основе Linux Debian. Ubuntu 10.10

   Итак нам понадобиться следующие пакеты: dhcp3-server (isc-dhcp-server), bind9. У меня более глубокая мысль, как реализовать дополнительный контроль над трафиком, потому я буду использовать еще и прокси сервера havp (проверка на вирусы http), squid (для ограничения доступа к интернет по паролю) и dansguardian.
   Начнем по порядку.

1. Общая настройка сети. Включаем шлюз. sudo gedit /etc/sysctl.conf  >>> редактируем строчку net.ipv4.ip_forward=1
2. Сразу ставим необходимые в дальнейшем пакеты: sudo apt-get install bind9 dhcp3-server squid3 sarg havp clamav dansguardian
3. Приступим к настройки службы DNS. Открываем файл настройки: sudo gedit /etc/bind/named.conf.options далее копируем следующий конфиг и сохраняем: 

options {

      directory "/var/cache/bind";

      listen-on port 53 {

            192.168.1.1;

      };

      forwarders {

              ДНС_СЕРВЕР_ПРОВАЙДЕРА_1;                #вписываем адреса DNS серверов

              ДНС_СЕРВЕР_ПРОВАЙДЕРА_2;                #можно и более 2-х указать

              };

      };

logging {

category lame-servers {null; };

category edns-disabled { null; };

};

     4. Запускаем DNS сервер. sudo /etc/init.d/bind9 start

     5. Правим sudo gedit /etc/resolv.conf таким образом чтобы все DNS запросы система пропускала через свой же DNS сервер: Удаляем все записи и вписываем свой DNS сервер:

nameserver 127.0.0.1

     6. Настроим squid с функцией прозрачного прокси.


http_port 3128 transparent
icp_port 0
cache_peer 127.0.0.1 parent 22 0 no-query no-digest no-netdb-exchange default
cache_peer_access 127.0.0.1 allow all
cache_access_log /var/spool/squid3/access.log
cache_log /var/spool/squid3/cache.log
cache_store_log /var/spool/squid3/store.log
cache_mgr l.tema@mail.ru
cache_mem 256 MB
cache_dir ufs /var/spool/squid3 2048 16 256
maximum_object_size 2 MB


acl loc src 127.0.0.1


acl pc1 arp 00:21:91:21:a6:xx
acl pda arp 00:13:e0:6f:24:xx


acl nogroup  src 192.168.1.10-192.168.1.20


acl Scan_HTTP proto HTTP
never_direct allow Scan_HTTP


http_access allow loc
http_access allow pc1
http_access allow pda
http_access allow nogroup
http_access deny all


delay_pools 4 #ВСЕ пулы, которые планируем использовать
delay_class 1 2
delay_class 2 2
delay_class 3 2
delay_class 4 2
delay_access 1 allow pc1
delay_access 1 deny all
delay_access 2 allow pda
delay_access 2 deny all
delay_access 3 allow nogroup
delay_access 3 deny all
delay_access 4 allow loc
delay_access 4 deny all
delay_parameters 1 12800000/12800000 1280000/1280000 # 1 Mb/s
delay_parameters 2 12800000/12800000 1280000/1280000
delay_parameters 3 128000/128000 64000/64000
delay_parameters 4 32000/32000 31000/31000


visible_hostname darvin.info-lan.me
error_directory /usr/share/squid3/errors/Russian-1251


   sudo /etc/init.d/squid3 reload/start/stop/restart

     7. Создаем файл с правилами NAT:

sudo gedit /etc/iptables.rules следующего содержания:

# Generated by iptables-save v1.3.6 on Tue May 6 21:15:27 2008

*nat

:PREROUTING ACCEPT [1521:139658]

:POSTROUTING ACCEPT [10:1372]

:OUTPUT ACCEPT [66:5753]

-A PREROUTING -d ! 192.168.1.0/255.255.255.0 -i wlan0 -p tcp -m multiport --dports 80,8080 -j DNAT --to-destination 192.168.1.1:3128

-A POSTROUTING -o eth0 -j MASQUERADE

COMMIT

    8. Чтобы эти правила загружались автоматически при подключении к сети, правим файл: sudo gedit /etc/network/interfaces добавляем строчку: pre-up iptables-restore /etc/iptables.rules

    9. Ещё нам нужен DHCP сервер. Конфиг sudo gedit /etc/dhcp3/dhcpd.conf

ddns-update-style none;
option domain-name "darvin.info-lan.me";
option domain-name-servers 192.168.1.1;
default-lease-time 42300;
max-lease-time 84600;
log-facility local7;
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.10 192.168.1.20;
option routers 192.168.1.1;
}
host pda { 
hardware ethernet 00:13:e0:6f:24:xx; 
fixed-address 192.168.1.99; 
}
host pc {
hardware ethernet 00:21:91:21:a6:xx;
fixed-address 192.168.1.98;
}

   Укажем сервису, с каким портом работать: sudo gedit /etc/default/dhcp3-server

INTERFACES="wlan0"

sudo /etc/init.d/dhcp3-server restart


В конце настроим анализ логов squid:
   sudo gedit /etc/sarg/sarg.conf



# sarg.conf
#
# TAG:  language 
# Available languages:
# Bulgarian_windows1251
# Catalan
# Czech
# Czech_UTF8
# Dutch
# English
# French
# German
# Greek
# Hungarian
# Indonesian
# Italian
# Japanese
# Latvian
# Polish
# Portuguese
# Romanian
# Russian_koi8
# Russian_UTF-8
# Russian_windows1251
# Serbian
# Slovak
# Spanish
# Turkish
#
language English


# TAG:  access_log file
#       Where is the access.log file
#       sarg -l file
#
access_log /var/spool/squid3/access.log


# TAG: graphs yes|no
# Use graphics where is possible.
#           graph_days_bytes_bar_color blue|green|yellow|orange|brown|red
#
graphs yes
graph_days_bytes_bar_color orange


# TAG:  graph_font
#       The full path to the TTF font file to use to create the graphs. It is required
#       if graphs is set to yes.
#
#graph_font /usr/share/fonts/truetype/ttf-dejavu/DejaVuSans.ttf


# TAG: title
# Especify the title for html page.
#
title "Squid User Access Reports"


# TAG: font_face
# Especify the font for html page.
#
font_face Tahoma,Verdana,Arial


# TAG: header_color
# Especify the header color
#
header_color darkblue


# TAG: header_bgcolor
# Especify the header bgcolor
#
header_bgcolor blanchedalmond


# TAG: font_size
# Especify the text font size
#
font_size 9px


# TAG: header_font_size
# Especify the header font size
#
#header_font_size 9px


# TAG: title_font_size
# Especify the title font size
#
#title_font_size 11px


# TAG: background_color
# TAG: background_color
# Html page background color
#
background_color white


# TAG: text_color
# Html page text color
#
text_color #000000


# TAG: text_bgcolor
# Html page text background color
#
text_bgcolor lavender


# TAG: title_color
# Html page title color
#
title_color green


# TAG: logo_image
# Html page logo.
#
#logo_image none


# TAG: logo_text
# Html page logo text.
#
#logo_text ""


# TAG: logo_text_color
# Html page logo texti color.
#
#logo_text_color #000000


# TAG: logo_image_size
# Html page logo image size. 
#       width height
#
#image_size 80 45


# TAG: background_image
# Html page background image
#
#background_image none


# TAG:  password
#       User password file used by Squid authentication scheme
#       If used, generate reports just for that users.
#
#password none


# TAG:  temporary_dir
#       Temporary directory name for work files
#       sarg -w dir
#
temporary_dir /tmp


# TAG:  output_dir
#       The reports will be saved in that directory
#       sarg -o dir
#
#output_dir /var/www/html/squid-reports
output_dir /var/www/sarg


# TAG:  output_email
#       Email address to send the reports. If you use this tag, no html reports will be generated.
#       sarg -e email
#
#output_email none


# TAG:  resolve_ip yes/no
#       Convert ip address to dns name
#       sarg -n
resolve_ip 


# TAG:  user_ip yes/no
#       Use Ip Address instead userid in reports.
#       sarg -p
user_ip no


# TAG:  topuser_sort_field field normal/reverse
#       Sort field for the Topuser Report.
#       Allowed fields: USER CONNECT BYTES TIME
#
topuser_sort_field BYTES reverse


# TAG:  user_sort_field field normal/reverse
#       Sort field for the User Report.
#       Allowed fields: SITE CONNECT BYTES TIME
#
user_sort_field BYTES reverse


# TAG:  exclude_users file
#       users within the file will be excluded from reports.
#       you can use indexonly to have only index.html file.
#
exclude_users /etc/sarg/exclude_users


# TAG:  exclude_hosts file
#       Hosts, domains or subnets will be excluded from reports.
#
#       Eg.: 192.168.10.10   - exclude ip address only
#            192.168.10.0/24 - exclude full C class
#            s1.acme.foo     - exclude hostname only
#            *.acme.foo      - exclude full domain name
#
exclude_hosts /etc/sarg/exclude_hosts


# TAG:  useragent_log file
#       useragent.log file patch to generate useragent report.
#
#useragent_log none


# TAG:  date_format
#       Date format in reports: e (European=dd/mm/yy), u (American=mm/dd/yy), w (Weekly=yy.ww)
#       
date_format u


# TAG:  per_user_limit file MB
#       Saves userid on file if download exceed n MB.
#       This option allow you to disable user access if user exceed a download limit.
#       
#per_user_limit none


# TAG: lastlog n
#      How many reports files must be keept in reports directory.
#      The oldest report file will be automatically removed.
#      0 - no limit.
#
lastlog 0


# TAG: remove_temp_files yes
#      Remove temporary files: geral, usuarios, top, periodo from root report directory.
#
remove_temp_files yes


# TAG: index yes|no|only
#      Generate the main index.html.
#      only - generate only the main index.html
#
index yes


# TAG: index_tree date|file
#      How to generate the index.
#
index_tree file


# TAG: overwrite_report yes|no
#      yes - if report date already exist then will be overwrited.
#       no - if report date already exist then will be renamed to filename.n, filename.n+1
#
overwrite_report yes


# TAG: records_without_userid ignore|ip|everybody
#      What can I do with records without user id (no authentication) in access.log file ?
#
#      ignore - This record will be ignored.
#          ip - Use ip address instead. (default)
#   everybody - Use "everybody" instead.
#
records_without_userid ip


# TAG: use_comma no|yes
#      Use comma instead point in reports.
#      Eg.: use_comma yes => 23,450,110
#           use_comma no  => 23.450.110
#
use_comma yes


# TAG: mail_utility mail|mailx
#      Mail command to use to send reports via SMTP
#
mail_utility mailx


# TAG: topsites_num n
#      How many sites in topsites report.
#
topsites_num 100


# TAG: topsites_sort_order CONNECT|BYTES A|D
#      Sort for topsites report, where A=Ascendent, D=Descendent
#
topsites_sort_order CONNECT D


# TAG: index_sort_order A/D
#      Sort for index.html, where A=Ascendent, D=Descendent
#
index_sort_order D


# TAG: exclude_codes file
#      Ignore records with these codes. Eg.: NONE/400
#
exclude_codes /etc/sarg/exclude_codes


# TAG: replace_index string
#      Replace "index.html" in the main index file with this string
#      If null "index.html" is used 
#
#replace_index


# TAG: max_elapsed milliseconds
#      If elapsed time is recorded in log is greater than max_elapsed use 0 for elapsed time.
#      Use 0 for no checking 
#
#max_elapsed 0
# 8 Hours
max_elapsed 28800000


# TAG: report_type type
#      What kind of reports to generate.
#      topusers            - users, sites, times, bytes, connects, links to accessed sites, etc
#      topsites   - site, connect and bytes report
#      sites_users   - users and sites report
#      users_sites   - accessed sites by the user report
#      date_time   - bytes used per day and hour report
#      denied   - denied sites with full URL report
#      auth_failures       - autentication failures report
#      site_user_time_date - sites, dates, times and bytes report
#      downloads           - downloads per user report
#
#      Eg.: report_type topsites denied 
#
#report_type topusers topsites sites_users users_sites date_time denied auth_failures site_user_time_date downloads
report_type topusers topsites sites_users users_sites date_time denied auth_failures site_user_time_date downloads


# TAG: usertab filename
#      You can change the "userid" or the "ip address" to be a real user name on the reports.
#      Table syntax:
# userid name   or   ip address name
#      Eg:
# SirIsaac Isaac Newton
# vinci Leonardo da Vinci
# 192.168.10.1 Karol Wojtyla
#      
#      Each line must be terminated with '\n'
#
usertab /etc/sarg/usertab


# TAG: long_url yes|no
#      If yes, the full url is showed in report.
#      If no, only the site will be showed
#
#      YES option generate very big sort files and reports.
#
long_url no


# TAG: date_time_by bytes|elap
#      Date/Time reports will use bytes or elapsed time?
#
date_time_by bytes


# TAG: charset name
#      ISO 8859 is a full series of 10 standardized multilingual single-byte coded (8bit)
#      graphic character sets for writing in alphabetic languages
#      You can use the following charsets:
# Latin1 - West European
# Latin2 - East European 
# Latin3 - South European 
# Latin4 - North European 
# Cyrillic 
# Arabic 
# Greek 
# Hebrew 
# Latin5 - Turkish 
# Latin6
# Windows-1251
# Japan
# Koi8-r
# UTF-8
#
charset Latin1


# TAG: user_invalid_char "&/"
#      Records that contain invalid characters in userid will be ignored by Sarg.
#
#user_invalid_char "&/"


# TAG: privacy yes|no
#      privacy_string "***.***.***.***"
#      privacy_string_color blue
#      In some countries the sysadm cannot see the visited sites by a restrictive law.
#      Using privacy yes the visited url will be changes by privacy_string and the link
#      will be removed from reports.
#
#privacy no
#privacy_string "***.***.***.***"
#privacy_string_color blue


# TAG: include_users "user1:user2:...:usern"
#      Reports will be generated only for listed users.
#
#include_users none


# TAG: exclude_string "string1:string2:...:stringn"
#      Records from access.log file that contain one of listed strings will be ignored.
#
#exclude_string none


# TAG: show_successful_message yes|no
#      Shows "Successful report generated on dir" at end of process.
#
show_successful_message no


# TAG: show_read_statistics yes|no
#      Shows some reading statistics.
#
show_read_statistics no


# TAG: topuser_fields
#      Which fields must be in Topuser report.
#
topuser_fields NUM DATE_TIME USERID CONNECT BYTES %BYTES IN-CACHE-OUT USED_TIME MILISEC %TIME TOTAL AVERAGE


# TAG: user_report_fields
#      Which fields must be in User report.
#
user_report_fields CONNECT BYTES %BYTES IN-CACHE-OUT USED_TIME MILISEC %TIME TOTAL AVERAGE


# TAG: bytes_in_sites_users_report yes|no
#      Bytes field must be in Site & Users Report ?
#
#bytes_in_sites_users_report no


# TAG: topuser_num n
#      How many users in topsites report. 0 = no limit
#
topuser_num 0


# TAG: datafile file
#      Save the report results in a file to populate some database
#
#datafile none


# TAG: datafile_delimiter ";"
#      ascii character to use as a field separator in datafile
#
#datafile_delimiter ";"


# TAG: datafile_fields all
#      Which data fields must be in datafile
#      user;date;time;url;connect;bytes;in_cache;out_cache;elapsed
#
#datafile_fields user;date;time;url;connect;bytes;in_cache;out_cache;elapsed


# TAG: datafile_url ip|name
#      Saves the URL as ip or name in datafile
#
#datafile ip


# TAG: weekdays
#      The weekdays to take account ( Sunday->0, Saturday->6 )
# Example:
#weekdays 1-3,5
# Default:
#weekdays 0-6


# TAG: hours
#      The hours to take account
# Example:
#hours 7-12,14,16,18-20
# Default:
#hours 0-23


# TAG: dansguardian_conf file
#      DansGuardian.conf file path
#      Generate reports from DansGuardian logs.
#      Use 'none' to disable it.
#      dansguardian_conf /usr/dansguardian/dansguardian.conf
#
#dansguardian_conf none


# TAG: dansguardian_ignore_date on|off
#      'on'  must use the record even the date range is different from the used in squid access.log file.
#      'off' must use the record only if the date range is in the irange used in squid access.log file.
#
#dansguardian_ignore_date off


# TAG: squidguard_conf file
#      path to squidGuard.conf file
#      Generate reports from SquidGuard logs.
#      Use 'none' to disable.
#      You can use sarg -L filename to use an alternate squidGuard log.
#      squidguard_conf /usr/local/squidGuard/squidGuard.conf
#
#squidguard_conf /etc/squid/squidGuard.conf


# TAG: squidguard_ignore_date on|off
#      Use 'on'  use the record even the date range is different from the used squid access.log file.
#      Use 'off' use the record only if the date range is in the used squid access.log file.
#
#squidguard_ignore_date off


# TAG: squidguard_log_format
#      Format string SquidGuard logs.
#      REJIK       #year#-#mon#-#day# #hour# #list#:#tmp# #ip# #user# #tmp#/#tmp#/#url#/#end#
#      SQUIDGUARD  #year#-#mon#-#day# #hour# #tmp#/#list#/#tmp#/#tmp#/#url#/#tmp# #ip#/#tmp# #user# #end#
#squidguard_log_format #year#-#mon#-#day# #hour# #tmp#/#list#/#tmp#/#tmp#/#url#/#tmp# #ip#/#tmp# #user# #end#


# TAG: show_sarg_info yes|no
#      shows sarg information and site path on each report bottom
#
#show_sarg_info yes


# TAG: show_sarg_logo yes|no
#      shows sarg logo
#
#show_sarg_logo yes


# TAG: parsed_output_log directory
#      Saves the processed log in a sarg format after parsing the squid log file.
#      This is a way to dump all of the data structures out, after parsing from 
#      the logs (presumably this data will be much smaller than the log files themselves),
#      and pull them back in for later processing and merging with data from previous logs.
#
#parsed_output_log none


# TAG: parsed_output_log_compress /bin/gzip|/usr/bin/bzip2|nocompress
#      Command to run to compress sarg parsed output log. It may contain
#      options (such as -f to overwrite existing target file). The name of
#      the file to compresse is provided at the end of this
#      command line. Don't forget to quote things appropriately.
#
#parsed_output_log_compress /bin/gzip


# TAG: displayed_values bytes|abbreviation
#      how the values will be displayed in reports.
#      eg. bytes   -  209.526
#          abbreviation -  210K
#
#displayed_values bytes


# Report limits
# TAG: authfail_report_limit n
# TAG: denied_report_limit n
# TAG: siteusers_report_limit n
# TAG: squidguard_report_limit n
# TAG: user_report_limit n
# TAG: dansguardian_report_limit n
# TAG: download_report_limit n
#      report limits (lines).
#      '0' no limit
#
#authfail_report_limit 10
#denied_report_limit 10
#siteusers_report_limit 0
#squidguard_report_limit 10
#dansguardian_report_limit 10
#user_report_limit 10
#user_report_limit 50


# TAG: www_document_root dir
#     Where is your Web DocumentRoot
#     Sarg will create sarg-php directory with some PHP modules:
#     - sarg-squidguard-block.php - add urls from user reports to squidGuard DB
#
#www_document_root /var/www/html


# TAG: block_it module_url
#     This tag allow you to pass urls from user reports to a cgi or php module,
#     to be blocked by some Squid acl
#
#     Eg.: block_it /sarg-php/sarg-block-it.php
#     sarg-block-it is a php that will append a url to a flat file.
#     You must change /var/www/html/sarg-php/sarg-block-it to point to your file
#     in $filename variable, and chown to a httpd owner.
#
#     sarg will pass http://module_url?url=url
#
#block_it none


# TAG: external_css_file path
#     This tag allow internal sarg css override.
#     Sarg use theses style classes:
#     .body body class
# .info sarg information class, align=center
# .title title class, align=center
# .header header class, align:left
# .header2 header class, align:right
# .header3 header class, align:right
# .text text class, align:left
# .data table text class, align:right
# .data2 table text class, align:right, border colors
# .link   link class
#
#     There is a sample in /usr/local/sarg/etc/css.tpl
#
#external_css_file none


# TAG: user_authentication yes|no
#     Allow user authentication in User Reports using .htaccess
#     Parameters:  
# AuthUserFile - where the user password file is
# AuthName - authentication realm. Eg "Members Only"
# AuthType - authenticaion type - basic
# Require - authorized users to see the report.
#                                          %u - user report
#
# user_authentication no
# AuthUserFile /usr/local/sarg/passwd
# AuthName "SARG, Restricted Access"
# AuthType Basic
# Require user admin %u


# TAG: download_suffix "suffix,suffix,...,suffix"
#    file suffix to be considered as "download" in Download report.
#    Use 'none' to disable.    
#
download_suffix "zip,arj,bzip,gz,ace,doc,iso,adt,bin,cab,com,dot,drv$,lha,lzh,mdb,mso,ppt,rtf,src,shs,sys,exe,dll,mp3,avi,mpg,mpeg"


# TAG: ulimit n
#    The maximum number of open file descriptors to avoid "Too many open files" error message.
#    You need to run sarg as root to use ulimit tag.
#    If you run sarg with a low privilege user, set to 'none' to disable ulimit
#
#ulimit 20000


# TAG: ntlm_user_format username|domainname+username
#      NTLM users format.
#
#ntlm_user_format domainname+username


# TAG: realtime_refresh_time num sec
#      How many time to auto refresh the realtime report
#      0 = disable
#
# realtime_refresh_time 3


# TAG: realtime_access_log_lines num
#      How many last lines to get from access.log file 
#
# realtime_access_log_lines 1000


# TAG: realtime_types: GET,PUT,CONNECT,ICP_QUERY,POST
#      Which records must be in realtime report.
#
# realtime_types GET,PUT,CONNECT  


# TAG: realtime_unauthenticated_records: ignore|show
#      What to do with unauthenticated records in realtime report.
#
# realtime_unauthenticated_records: show


# TAG: byte_cost value no_cost_limit
#      Cost per byte.
#      Eg. byte_cost 0.01 100000000
#           per byte cost      = 0.01
#           bytes with no cost = 100 Mb
#      0 = disable
#
# byte_cost 0.01 50000000


# TAG: squid24 on|off
#      Compatilibity with squid version <= 2.4 when using emulate_http_log on
#
# squid24 off