Network Address Translation atau yang biasa disebut NAT
adalah metode untuk menghubungkan lebih dari satu komputer (jaringan lokal dengan alamat privat)
ke internet dengan berbagi satu alamat IP publik; pada Linux hal ini dilakukan oleh iptables (target MASQUERADE) dan membutuhkan IP forwarding yang aktif.
NAT (Network Address Translation)
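#!/bin/sh
# NAT gateway firewall.  eth1 = LAN side (10.10.10.0/24), eth0 = upstream/Internet.
#
# Usage:  ./nat.sh        load the rules
#         ./nat.sh stop   flush everything and leave all policies ACCEPT
#
# Review notes against the original listing:
#  * The curly quotes and en-dashes shown on the page ("...", --state) are
#    extraction artefacts; a shell needs plain ASCII " and --.
#  * The original accepted ANY packet whose *source* port was in a list
#    (multiport --sport 53,80,443,...).  A remote host chooses its own source
#    port, so that let anyone reach every listening service on the gateway.
#    Those rules are gone; reply traffic is admitted by connection tracking
#    (ESTABLISHED,RELATED for every protocol, not only TCP, so UDP DNS/NTP
#    replies are covered too).
#  * FORWARD had policy DROP and only a LAN->Internet rule, so replies to
#    NATed connections never made it back.  An ESTABLISHED,RELATED rule in
#    FORWARD fixes that.
#  * The loopback accept is bound to -i lo, so a spoofed 127.0.0.0/8 source
#    arriving on a real interface is not trusted.
#  * IP forwarding is switched on explicitly; NAT does nothing without it.

IPT=/sbin/iptables
LAN_IF=eth1
WAN_IF=eth0
LAN_NET=10.10.10.0/24

# small helpers instead of variables carrying a trailing space
input()   { $IPT -A INPUT "$@"; }
forward() { $IPT -A FORWARD "$@"; }
masq()    { $IPT -t nat -A POSTROUTING "$@" -j MASQUERADE; }

# cleaning up: flush rules and user chains in filter and nat, open policies
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

if [ "$1" = "stop" ]; then
  echo "firewall reset"
  exit 0
fi

# default policy: deny inbound and transit, allow what the gateway itself sends
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# required for any forwarding/NAT; the original script assumed it was already on
echo 1 > /proc/sys/net/ipv4/ip_forward

# INPUT access
# replies to connections the gateway or a tracked flow started (any protocol)
input -m state --state ESTABLISHED,RELATED -j ACCEPT
# loopback, and only on the loopback interface
input -i lo -j ACCEPT
# trusted internal networks.  192.168.x.y/24 is a placeholder from the page -
# iptables will reject it; replace it with the real intranet prefix.
input -s 192.168.x.y/24 -j ACCEPT
input -s "$LAN_NET" -j ACCEPT
input -s 10.100.100.0/24 -j ACCEPT
# Services offered by the gateway itself.  These match on EVERY interface,
# including the Internet side: 13/37 (daytime/time), 20/21 (FTP), 22 (SSH),
# 25 (SMTP), 53 (DNS), 80/443 (web), 123 (NTP), 631 (CUPS), 3130 (ICP),
# 10000 (Webmin).  Anything that is only meant for the LAN - CUPS and Webmin
# in particular - should get "-i $LAN_IF" on its own rule instead of this list.
input -p udp -m multiport --dport 13,37,53,123,631,3130 -j ACCEPT
input -p tcp -m multiport --dport 13,20,21,22,25,37,53,80,123,443,631,10000 -j ACCEPT

# FORWARD access
# return traffic for NATed flows (missing in the original, which with policy
# DROP discarded every reply coming back from eth0)
forward -m state --state ESTABLISHED,RELATED -j ACCEPT
# Optional: block direct web access from the LAN, presumably to force clients
# through the Squid proxy.  Must stay ABOVE the catch-all accept below.
#forward -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp -m multiport --dport 80,443 -j DROP
forward -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT

# MASQUERADE access
# The original had a second rule limited to tcp 80,443; it was fully covered
# by this catch-all that followed it, so only one rule is kept.
masq -s "$LAN_NET" -o "$WAN_IF"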
SQUID
a. Buka dan edit file /etc/squid/squid.conf
#Default:
# none
#cache_peer proxy.lipi.go.id parent 3128 3130 no-query default login=PASS
# Upstream (parent) proxy: HTTP on 3128, ICP on 3130, no ICP queries sent
# ("no-query"), used as the default next hop.  login=PASS hands whatever
# proxy credentials the client presented on to the parent, so the link to
# proxy.lipi.go.id must be a trusted path (presumably plain HTTP - confirm).
cache_peer proxy.lipi.go.id parent 3128 3130 no-query default login=PASS
# Requests for puslit.lipi.go.id (Jakarta) skip the parent and go direct.
acl jakarta dstdomain puslit.lipi.go.id
always_direct allow jakarta
acl to_internet dst 0.0.0.0/0
acl lipi_intra dst 192.168.0.0/16
# Intranet destinations go direct; everything else (to_internet matches all
# destinations) is forced through the parent.  Per Squid's documentation
# always_direct is consulted before never_direct, so the exceptions above
# still win - verify on your Squid version.
always_direct allow lipi_intra
never_direct allow to_internet
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Only the LAN behind the gateway may use the proxy.  Keep these allow lines
# ABOVE the final "http_access deny all" that the stock squid.conf ends with
# (not part of this excerpt); without that trailing deny the proxy is open
# to anyone who can reach port 3128.
acl dalam src 10.10.10.0/24
http_access allow dalam
# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
http_access allow localhost
b. Hidupkan squid dengan perintah /etc/init.d/squid start
c. Cek konfigurasi dengan `squid -k parse` (memeriksa sintaks squid.conf), lalu uji dari klien di 10.10.10.0/24 bahwa proxy bisa dipakai dan dari jaringan lain bahwa akses ditolak.
DNS (Domain Name Server)
a. buka file /etc/bind/named.conf.options
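options {
    // zone files live under /etc/bind/zona-puslit (Debian default is /var/cache/bind)
    # directory "/var/cache/bind";
    directory "/etc/bind/zona-puslit";

    // If there is a firewall between you and nameservers you want
    // to talk to, you might need to uncomment the query-source
    // directive below. Previous versions of BIND always asked
    // questions using port 53, but BIND 8.1 and later use an unprivileged
    // port by default.
    //
    // Review: the original listing had this line ACTIVE.  Pinning the
    // query source port to 53 removes source-port randomisation, which is
    // the main defence against cache-poisoning (forged-answer) attacks.
    // Leave it commented out; the iptables script on this page already lets
    // replies back in via its ESTABLISHED,RELATED rule, so no fixed port is
    // needed.
    // query-source address * port 53;

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.
    forwarders {
        192.168.0.2;
        192.168.0.10;
    };

    // Answer recursive queries only for our own hosts, so the server is not
    // an open resolver usable by outsiders for amplification attacks.
    // localnets = networks of this host's interfaces; 10.10.10.0/24 is the
    // LAN behind the gateway from the firewall/Squid sections.  Adjust to
    // your real client networks.
    allow-recursion { localhost; localnets; 10.10.10.0/24; };

    auth-nxdomain no; # conform to RFC1035
};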
b. buka file /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include “/etc/bind/zones.rfc1918″;
include “/etc/bind/puslit.lipi.go.id”;
c. buat file /etc/bind/puslit.lipi.go.id (nama file harus sama dengan baris include di atas) dengan isi:
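// Forward zone.  Only one NS (server) is published on this page, so nobody
// needs zone transfers; refusing AXFR keeps the internal host list private.
// Re-open it (allow-transfer { <secondary-ip>; };) if a secondary is added.
zone "puslit.lipi.go.id" {
    type master;
    file "/etc/bind/zona-puslit/puslit.lipi.go.id.data";
    allow-transfer { none; };
};

// Reverse zone for 192.168.x.0/24.  The original listing named it
// "x.168.168.in-addr.arpa" and pointed at /etc/bind/zona-teori/, which
// matches neither the $ORIGIN in the zone file (x.168.192.in-addr.arpa.)
// nor the directory (zona-puslit) created in the steps that follow.
zone "x.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/zona-puslit/192.168.x.data";
    allow-transfer { none; };
};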
d. buat directory /etc/bind/zona-puslit
e. di dalam direktori /etc/bind/zona-puslit, buat file 192.168.x.data (zona reverse) dengan isi:
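$TTL 604800
@ IN SOA server.puslit.lipi.go.id. admin.puslit.lipi.go.id. (
    2007010303 ; Serial - YYYYMMDDnn, must increase on every edit
    604800     ; Refresh
    86400      ; Retry
    2419200    ; Expire
    604800 )   ; Negative Cache TTL
;
; An NS record must name a host, never an IP address.  The original
; "@ IN NS 192.168.x.x" is a relative name (no trailing dot) and would
; expand to 192.168.x.x.x.168.192.in-addr.arpa.; named-checkzone flags it.
@ IN NS server.puslit.lipi.go.id.
$ORIGIN x.168.192.in-addr.arpa.
2 PTR server.puslit.lipi.go.id.
; Trailing dot restored: without it the target is relative to $ORIGIN and
; becomes web.puslit.lipi.go.id.x.168.192.in-addr.arpa.
; NOTE(review): the forward zone on this page defines no "web" name and
; no .3 address (it has www/server/data/proxy at .2) - confirm this host.
3 PTR web.puslit.lipi.go.id.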
f. di dalam direktori /etc/bind/zona-puslit, buat file puslit.lipi.go.id.data (zona forward) dengan isi:
;
; BIND data file for puslit.lipi.go.id
; (the original header still read "benk.org", a leftover from the template
; this file was copied from)
;
; $TTL is in seconds: 1440 s is 24 minutes.  Fine while testing; raise it
; (e.g. 86400) once the zone is stable.
$TTL 1440
@ IN SOA server.puslit.lipi.go.id. admin.puslit.lipi.go.id. (
2006120100 ; Serial - YYYYMMDDnn, must increase on every edit
3H ; Refresh
1H ; Retry
1D ; Expire - short; RFC 1912 suggests 2-4 weeks so any secondary survives an outage
6H) ; Negative Cache TTL
;
; single authoritative server, given as a hostname (never a bare IP)
@ IN NS server.puslit.lipi.go.id.
$ORIGIN puslit.lipi.go.id.
gateway IN A 192.168.x.1
; the zone apex, www, server, data and proxy all point at the same host (.2)
@ IN A 192.168.x.2
www IN A 192.168.x.2
server IN A 192.168.x.2
data IN A 192.168.x.2
; NOTE(review): the Apache virtual host on this page uses
; ServerName intra.puslit.lipi.go.id, but no "intra" record exists here -
; add "intra IN A 192.168.x.2" (or a CNAME) or that name will not resolve.
proxy IN A 192.168.x.2
g. buka file /etc/resolv.conf
search puslit.lipi.go.id
nameserver 127.0.0.1
nameserver 192.168.x.x
nameserver 192.168.0.10
h. buka dan edit file /etc/hosts
127.0.0.1 localhost.localdomain localhost
192.168.x.x server.puslit.lipi.go.id server
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
i. hidupkan bind9 dgn perintah /etc/init.d/bind9 start
j. cek konfigurasi: jalankan `named-checkconf` dan `named-checkzone puslit.lipi.go.id /etc/bind/zona-puslit/puslit.lipi.go.id.data` (lakukan juga untuk zona reverse) sebelum restart, lalu verifikasi dengan `dig @127.0.0.1 www.puslit.lipi.go.id` dan `dig @127.0.0.1 -x 192.168.x.2`.
VIRTUAL HOST
a. buat file /etc/apache2/sites-available/puslit.lipi.go.id
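# Intranet virtual host.  The angle-bracket container directives
# (VirtualHost / Directory) were stripped from the original listing; they are
# restored here from the Debian default site this file mirrors line for line.
# The address:port must match the NameVirtualHost line (192.168.x.x:80).
<VirtualHost 192.168.x.x:80>
    ServerAdmin admin@puslit.lipi.go.id
    # NOTE(review): the forward zone on this page has no "intra" A record
    # (only gateway, www, server, data, proxy) - add one or clients cannot
    # resolve this name.
    ServerName intra.puslit.lipi.go.id
    DocumentRoot /var/www/

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    <Directory /var/www/>
        # "Indexes" lets anyone list a directory that has no index file;
        # drop it if the document root is not meant to be browsable.
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
        # This directive allows us to have apache2's default start page
        # in /apache2-default/, but still have / go to the right place
        RedirectMatch ^/$ /apache2-default/
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog /var/log/apache2/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined

    # The original had "On", which appends the Apache version to every error
    # page - needless version disclosure.  (ServerTokens Prod in the main
    # config trims the Server: header the same way.)
    ServerSignature Off

    Alias /icons/ "/usr/share/apache2/icons/"
    <Directory "/usr/share/apache2/icons">
        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        # localhost only: /usr/share/doc reveals the installed package set
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

    #Include /etc/squirrelmail/apache.conf
</VirtualHost>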
b. buat file /etc/apache2/sites-available/data.puslit.lipi.go.id
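# "data" virtual host serving /home/data.  The angle-bracket container
# directives (VirtualHost / Directory) were stripped from the original
# listing; they are restored here from the Debian default site it mirrors.
# The address:port must match the NameVirtualHost line (192.168.x.x:80).
<VirtualHost 192.168.x.x:80>
    ServerAdmin admin@puslit.lipi.go.id
    ServerName data.puslit.lipi.go.id
    DocumentRoot /home/data/

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    <Directory /home/data/>
        # Indexes + allow from all = anyone who can reach port 80 can browse
        # the whole share.  If it is internal only, restrict it, e.g.
        #   Order deny,allow
        #   Deny from all
        #   Allow from 10.10.10.0/24
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
        # Leftover from the default site: unless /home/data/apache2-default/
        # exists, this redirect turns "/" into a 404.  Disabled so "/" shows
        # the share itself.
        #RedirectMatch ^/$ /apache2-default/
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog /var/log/apache2/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined

    # The original had "On", which appends the Apache version to every error
    # page - needless version disclosure.
    ServerSignature Off

    Alias /icons/ "/usr/share/apache2/icons/"
    <Directory "/usr/share/apache2/icons">
        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        # localhost only: /usr/share/doc reveals the installed package set
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

    #Include /etc/squirrelmail/apache.conf
</VirtualHost>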
c. Aktifkan kedua virtual host dengan membuat symlink di /etc/apache2/sites-enabled; pada Debian perintah `a2ensite puslit.lipi.go.id` dan `a2ensite data.puslit.lipi.go.id` melakukannya secara otomatis.
d. Tambahkan direktif NameVirtualHost di file yang memang dibaca Apache (pada Debian misalnya file di /etc/apache2/conf.d/ atau /etc/apache2/ports.conf); file /etc/apache2/NameVirtualHost yang berdiri sendiri tidak di-include oleh apache2.conf. Alamat dan port di sini harus sama persis dengan yang dipakai pada baris VirtualHost di kedua file di atas.
NameVirtualHost 192.168.x.x:80
e. Hidupkan apache2 dengan perintah /etc/init.d/apache2 start
f. Cek konfigurasi dengan `apache2ctl configtest` sebelum restart, lalu akses http://intra.puslit.lipi.go.id/ dan http://data.puslit.lipi.go.id/ dari klien untuk memastikan name-based virtual host bekerja (bukan keduanya jatuh ke site default).