NAT (Network Address Translation)

Network Address Translation (NAT) adalah metode untuk menghubungkan lebih dari satu komputer ke Internet dengan berbagi satu alamat IP publik: router menulis ulang alamat sumber setiap paket yang keluar (di Linux disebut MASQUERADE) dan mengembalikan jawaban yang datang ke komputer asalnya. Skrip di bawah ini sekaligus berfungsi sebagai firewall untuk gateway tersebut.

NAT (Network Address Translation)

 

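#!/bin/sh
#
# NAT gateway / host firewall for a Linux box with two interfaces:
#   eth0 - uplink (Internet side)
#   eth1 - LAN side, 10.10.10.0/24 (the only LAN placement visible in the
#          original FORWARD rule; 192.168.x.y/24 and 10.100.100.0/24 are
#          accepted without an interface - see the note at the rule)
#
# Usage:  firewall.sh        load the rules
#         firewall.sh stop   flush everything and fall back to ACCEPT
#
# Only IPv4 (iptables) is handled here. If the box has IPv6 connectivity
# the same policy has to be applied with ip6tables, otherwise v6 is open.

IPT=/sbin/iptables

# Small wrappers instead of an unquoted "$INPUT ..." string expansion: every
# argument is passed through intact, and the curly quotes of the original
# (which /bin/sh does not treat as quotes) are gone. POSIX sh has no
# arrays, so functions are the portable equivalent.
input()   { "$IPT" -A INPUT "$@"; }
forward() { "$IPT" -A FORWARD "$@"; }
masq()    { "$IPT" -t nat -A POSTROUTING -j MASQUERADE "$@"; }

# --- cleaning up --------------------------------------------------------
# Flush both tables and open the policies first, so a re-run (or "stop")
# never leaves a DROP policy standing with half of the accept rules.
"$IPT" -F
"$IPT" -t nat -F
"$IPT" -P INPUT ACCEPT
"$IPT" -P FORWARD ACCEPT

if [ "$1" = "stop" ]; then
  echo "firewall reset"
  exit 0
fi

# --- default policy -----------------------------------------------------
"$IPT" -P INPUT DROP
"$IPT" -P FORWARD DROP
"$IPT" -P OUTPUT ACCEPT

# --- INPUT access -------------------------------------------------------
# Replies to connections this host started, for every protocol (the
# original matched TCP only and relied on source-port rules for UDP).
# "-m state" is kept for old kernels; on current systems
# "-m conntrack --ctstate" is the same match.
input -j ACCEPT -m state --state ESTABLISHED,RELATED

# Loopback: match on the lo interface. Matching only on -s 127.0.0.0/8
# would also accept packets with a forged loopback source arriving on eth0.
input -j ACCEPT -i lo

# Trusted internal networks. 10.10.10.0/24 is tied to eth1, which is where
# the FORWARD rule below expects it. The other two are accepted on any
# interface as in the original; add "-i <iface>" once it is known where
# they live, otherwise a packet from eth0 with a forged internal source
# address is accepted as well. 192.168.x.y/24 is a placeholder to fill in.
input -j ACCEPT -i eth1 -s 10.10.10.0/24
input -j ACCEPT -s 192.168.x.y/24
input -j ACCEPT -s 10.100.100.0/24

# Services offered to the world. Everything here is reachable from any
# address, so keep the list to what this host really serves; 13/37
# (daytime/time), 20/21 (FTP), 25 (SMTP) and 10000 (Webmin) in particular
# deserve a second look on an Internet-facing gateway.
input -j ACCEPT -p udp -m multiport --dport 13,37,53,123,631,3130
input -j ACCEPT -p tcp -m multiport --dport 13,20,21,22,25,37,53,80,123,443,631,10000

# The original also ACCEPTed every packet whose *source* port was in the
# service list (--sport 22,80,443,...). That is not a reply filter: a
# client chooses its own source port, so those rules turned the DROP policy
# into "allow anything sent from port 80". Return traffic is covered by
# the ESTABLISHED,RELATED rule above, so the --sport rules are dropped.

# --- FORWARD access -----------------------------------------------------
# Return traffic of NATed connections passes through FORWARD too; with the
# DROP policy above it needs an explicit accept, otherwise the LAN gets no
# replies (the original had no such rule).
forward -j ACCEPT -m state --state ESTABLISHED,RELATED

# Uncomment to force web traffic through the Squid proxy instead of NAT:
#forward -j DROP -o eth0 -s 10.10.10.0/24 -p tcp -m multiport --dport 80,443

forward -j ACCEPT -i eth1 -o eth0 -s 10.10.10.0/24

# --- MASQUERADE access --------------------------------------------------
# The first rule is a subset of the second; it is kept only so the
# counters for web traffic can be read separately.
masq -s 10.10.10.0/24 -o eth0 -p tcp -m multiport --dport 80,443
masq -s 10.10.10.0/24 -o eth0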

 

 

 

SQUID

 

a. Buka dan edit file /etc/squid/squid.conf

 

# Squid on the gateway: send Internet traffic to the upstream (parent)
# proxy, reach internal destinations directly, and accept clients only
# from the LAN.

#Default:
# none
#cache_peer proxy.lipi.go.id parent 3128 3130 no-query default login=PASS
# Parent proxy: HTTP on 3128, ICP on 3130. no-query = send no ICP queries,
# default = use this parent for everything that is not forced direct.
# login=PASS relays the client's own Proxy-Authorization header to the
# parent, so whatever credentials a browser sends leave this box towards
# proxy.lipi.go.id unchanged - acceptable on a trusted LAN, but worth
# knowing when those credentials show up in the parent's logs.
cache_peer proxy.lipi.go.id parent 3128 3130 no-query default login=PASS

# Our own domain is fetched directly. always_direct is evaluated before
# never_direct, so this wins over the catch-all below.
acl jakarta dstdomain puslit.lipi.go.id
always_direct allow jakarta

# Everything else goes through the parent, except the intranet range.
acl to_internet dst 0.0.0.0/0
acl lipi_intra dst 192.168.0.0/16
always_direct allow lipi_intra
never_direct allow to_internet

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# The LAN behind eth1. This allow must stay above the template's
# "http_access deny all" further down in squid.conf, otherwise it never
# matches.
acl dalam src 10.10.10.0/24
http_access allow dalam

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
http_access allow localhost

 

b. Hidupkan squid dengan perintah /etc/init.d/squid start

c. Cek konfigurasi dengan squid -k parse (memeriksa sintaks squid.conf), lalu coba akses sebuah situs dari komputer klien melalui proxy dan lihat /var/log/squid/access.log.

 

 

 

DNS (Domain Name System)

 

a. buka file /etc/bind/named.conf.options

 

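options {
	// Zone data lives here (the Debian default is /var/cache/bind).
	// The user named runs as must be able to read this directory.
	# directory "/var/cache/bind";
	directory "/etc/bind/zona-puslit";

	// If there is a firewall between you and nameservers you want
	// to talk to, you might need to uncomment the query-source
	// directive below. Previous versions of BIND always asked
	// questions using port 53, but BIND 8.1 and later use an unprivileged
	// port by default.
	//
	// Left commented out on purpose: pinning every outgoing query to
	// source port 53 removes the source-port randomisation that makes
	// cache poisoning of a resolver hard. The firewall on this gateway
	// already lets the replies in, so the pin buys nothing.
	// query-source address * port 53;

	// If your ISP provided one or more IP addresses for stable
	// nameservers, you probably want to use them as forwarders.
	// Uncomment the following block, and insert the addresses replacing
	// the all-0's placeholder.
	forwarders {
		192.168.0.2;
		192.168.0.10;
	};

	// Recursion only for this host and the internal networks. The gateway
	// firewall accepts port 53 from anywhere; without this restriction
	// the box is an open resolver usable for reflection attacks.
	// Adjust the list to the real internal ranges.
	allow-recursion { localhost; 10.10.10.0/24; 10.100.100.0/24; 192.168.0.0/16; };

	auth-nxdomain no; # conform to RFC1035
};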

 

 

b. buka file /etc/bind/named.conf.local

 

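//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

// The zone declarations for puslit.lipi.go.id (forward and reverse) are
// kept in their own file; it must exist before named is (re)started.
// Straight quotes are required - the curly quotes of the original are a
// syntax error for named.
include "/etc/bind/puslit.lipi.go.id";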

 

 

c. buat file /etc/bind/puslit.lipi.go.id (namanya harus sama dengan yang di-include pada named.conf.local di atas) dengan isi berikut:

 

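// Forward zone. Absolute file paths are used so the declaration does not
// depend on the "directory" option in named.conf.options.
// There is a single NS record in the zone data, so no secondary needs a
// zone transfer; refuse AXFR so the internal host map cannot be dumped
// by anyone who reaches port 53.
zone "puslit.lipi.go.id" {
	type master;
	file "/etc/bind/zona-puslit/puslit.lipi.go.id.data";
	allow-transfer { none; };
};

// Reverse zone for 192.168.x.0/24. The name is the first three octets
// reversed: the original said "x.168.168.in-addr.arpa", which never
// matches a 192.168.x.0 address. The file lives in zona-puslit like the
// forward zone (the original pointed at a zona-teori directory that is
// never created in these steps). "x" is a placeholder: fill in the real
// third octet in both places.
zone "x.168.192.in-addr.arpa" {
	type master;
	file "/etc/bind/zona-puslit/192.168.x.data";
	allow-transfer { none; };
};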

 

d. buat directory /etc/bind/zona-puslit

e. di dalam direktori /etc/bind/zona-puslit buat file 192.168.x.data (zona reverse; ganti x dengan oktet ketiga jaringan Anda):

 

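; Reverse zone for 192.168.x.0/24 (file 192.168.x.data).
; Every name on the right-hand side is fully qualified (trailing dot);
; without the dot BIND appends the current $ORIGIN and the record points
; at a name that does not exist.
$TTL 604800
@ IN SOA server.puslit.lipi.go.id. admin.puslit.lipi.go.id. (
	2007010303 ; Serial - increment on every edit
	604800     ; Refresh
	86400      ; Retry
	2419200    ; Expire
	604800 )   ; Negative Cache TTL
;
; NS must be a host name, never an IP address. The original
; "@ IN NS 192.168.x.x" is read as the domain name
; 192.168.x.x.x.168.192.in-addr.arpa. Use the server name that carries
; the A record in the forward zone.
@ IN NS server.puslit.lipi.go.id.

$ORIGIN x.168.192.in-addr.arpa.

2 PTR server.puslit.lipi.go.id.
; NOTE(review): the forward zone in this guide has no "web" record (it
; defines www, server, data and proxy on .2 and gateway on .1); check
; which side is right. The trailing dot was missing in the original.
3 PTR web.puslit.lipi.go.id.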

 

f. di dalam direktori /etc/bind/zona-puslit buat file puslit.lipi.go.id.data (zona forward):

 

;
; BIND data file for puslit.lipi.go.id (the original header still read
; "benk.org", a leftover from the file it was copied from).
;
; $TTL is in seconds unless a unit is given, so 1440 is 24 minutes; if a
; day was intended write 1D, as the SOA timers below already do.
$TTL 1440
@ IN SOA server.puslit.lipi.go.id. admin.puslit.lipi.go.id. (
2006120100 ; Serial - increment on every edit
3H ; Refresh
1H ; Retry
1D ; Expire
6H) ; Negative Cache TTL
;
; Sole name server; it has an A record below, which a name inside the
; zone needs.
@ IN NS server.puslit.lipi.go.id.

$ORIGIN puslit.lipi.go.id.
gateway IN A 192.168.x.1
@ IN A 192.168.x.2
www IN A 192.168.x.2
server IN A 192.168.x.2
data IN A 192.168.x.2
proxy IN A 192.168.x.2
; NOTE(review): the Apache virtual host in this guide uses
; ServerName intra.puslit.lipi.go.id, which has no A record here, and the
; reverse zone maps .3 to "web", which has no record here either.
; Reconcile both before relying on the names.

 

 

g. buka file /etc/resolv.conf

 

# Resolver configuration of the gateway itself: ask the local BIND first,
# then the same host by its LAN address (192.168.x.x is this server per
# /etc/hosts), then the upstream 192.168.0.10, which is also one of BIND's
# forwarders. "search" lets short names such as "data" resolve in the zone.
search puslit.lipi.go.id
nameserver 127.0.0.1
nameserver 192.168.x.x
nameserver 192.168.0.10

 

h. buka dan edit file /etc/hosts

 

# Static names for this host. With the usual "hosts: files dns" order in
# /etc/nsswitch.conf these are consulted before DNS, so the server still
# knows its own name while BIND is down.
127.0.0.1 localhost.localdomain localhost
192.168.x.x server.puslit.lipi.go.id server

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

 

i. hidupkan bind9 dengan perintah /etc/init.d/bind9 start

j. cek konfigurasi dengan named-checkconf dan named-checkzone puslit.lipi.go.id /etc/bind/zona-puslit/puslit.lipi.go.id.data, lalu uji dengan dig @127.0.0.1 www.puslit.lipi.go.id

 

 

 

 

VIRTUAL HOST

 

a. buat file /etc/apache2/sites-available/puslit.lipi.go.id

 

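# intra.puslit.lipi.go.id - internal web site served from /var/www.
# Name-based virtual host: the address:port must be identical to the
# NameVirtualHost line Apache loads, and the ServerName must resolve
# (the forward zone in this guide defines www/server/data/proxy but no
# "intra" record - add one, or use one of those names).
<VirtualHost 192.168.x.x:80>
    ServerAdmin admin@puslit.lipi.go.id
    ServerName intra.puslit.lipi.go.id
    DocumentRoot /var/www/
    # Nothing under the filesystem root is served unless a more specific
    # <Directory> below allows it (the original had no Deny here).
    <Directory />
        Options FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
    </Directory>
    <Directory /var/www/>
        # Indexes = directory listing when there is no index file;
        # turn it off once the site has real content.
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
        # Leftover from Debian's default site: sends / to the stock
        # start page in /var/www/apache2-default/. Remove it when the
        # intranet site gets its own index page.
        RedirectMatch ^/$ /apache2-default/
    </Directory>

    # System-wide CGI directory, reachable by every client of this vhost.
    # Drop the block if the intranet site runs no CGI programs.
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    # Both vhosts in this guide write to the same files; per-vhost logs
    # (e.g. /var/log/apache2/intra-access.log) make incident review easier.
    CustomLog /var/log/apache2/access.log combined
    # Do not append the Apache version to error pages. ServerTokens Prod
    # (server-wide, in apache2.conf) trims the Server: header the same way.
    ServerSignature Off
    Alias /icons/ "/usr/share/apache2/icons/"
    <Directory "/usr/share/apache2/icons">
        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    # Package documentation, loopback only.
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
    #Include /etc/squirrelmail/apache.conf
</VirtualHost>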

 

 

b. buat file /etc/apache2/sites-available/data.puslit.lipi.go.id

 

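# data.puslit.lipi.go.id - file share served straight out of /home/data.
# Name-based vhosts share the IP: whichever file sorts first in
# sites-enabled is also the default for requests without a matching Host
# header (e.g. a bare IP). If that is this one, anyone probing the address
# sees the share; put the intranet site first if that is not intended.
<VirtualHost 192.168.x.x:80>
    ServerAdmin admin@puslit.lipi.go.id
    ServerName data.puslit.lipi.go.id
    DocumentRoot /home/data/
    # Nothing under the filesystem root is served unless a more specific
    # <Directory> below allows it (the original had no Deny here).
    <Directory />
        Options FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
    </Directory>
    <Directory /home/data/>
        # Indexes: browsable listing, which is the point of a share.
        # SymLinksIfOwnerMatch instead of FollowSymLinks: a symlink
        # dropped into /home/data by a local user would otherwise expose
        # anything the web server user can read (other home directories,
        # /etc). Links are followed only when link and target share an
        # owner.
        Options Indexes SymLinksIfOwnerMatch MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
        # The Debian default site redirected / to /apache2-default/, which
        # does not exist under /home/data and would turn the share's front
        # page into a 404. Disabled so / shows the directory index.
        # RedirectMatch ^/$ /apache2-default/
    </Directory>

    # System-wide CGI directory. A file share has no use for executing
    # CGI programs; consider removing this block from this vhost.
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    # Shared with the intranet vhost; a separate access log
    # (e.g. /var/log/apache2/data-access.log) shows who fetched what
    # from the share without filtering by Host.
    CustomLog /var/log/apache2/access.log combined
    # Do not append the Apache version to error pages. ServerTokens Prod
    # (server-wide, in apache2.conf) trims the Server: header the same way.
    ServerSignature Off
    Alias /icons/ "/usr/share/apache2/icons/"
    <Directory "/usr/share/apache2/icons">
        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    # Package documentation, loopback only.
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
    #Include /etc/squirrelmail/apache.conf
</VirtualHost>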

 

c. Buat symlink di dalam direktori /etc/apache2/sites-enabled ke kedua file di atas (atau jalankan a2ensite puslit.lipi.go.id dan a2ensite data.puslit.lipi.go.id). Urutan nama file di sites-enabled menentukan virtual host mana yang menjadi default untuk permintaan tanpa Host yang cocok.

d. Tambahkan baris NameVirtualHost berikut ke file yang memang dibaca Apache, misalnya /etc/apache2/ports.conf atau sebuah file di /etc/apache2/conf.d/. Di Debian, apache2.conf hanya meng-include ports.conf, conf.d/, mods-enabled/ dan sites-enabled/, sehingga file bernama /etc/apache2/NameVirtualHost tidak akan dibaca kecuali di-Include secara eksplisit.

 

# Must be identical to the address:port of both <VirtualHost> blocks, and
# must sit in a file Apache actually includes (ports.conf or conf.d/ on
# Debian); a bare /etc/apache2/NameVirtualHost file is not read.
NameVirtualHost 192.168.x.x:80

 

e. Hidupkan apache2 dengan perintah /etc/init.d/apache2 start

f. Cek konfigurasi dengan apache2ctl configtest, lalu akses http://intra.puslit.lipi.go.id/ dan http://data.puslit.lipi.go.id/ dari komputer klien.
