
Kickstart Lanjutan untuk repo proxy

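# Tell anaconda we're doing a fresh install and not an upgrade
install
text
reboot
# Use the cdrom for the package install
cdrom
lang en_US.UTF-8
keyboard us
skipx
# You'll need a DHCP server on the network for the new install to be reachable via SSH
network --device eth0 --bootproto dhcp
# Root password. Keep only a SHA-512 crypt hash in this file, never the
# cleartext: kickstarts get copied around, served over HTTP and committed to
# repos. Generate the hash with `openssl passwd -6` (or `grub-crypt --sha-512`
# on RHEL 6) and paste it after --iscrypted. Until that is done the placeholder
# below is not a valid hash, so no password will log root in -- which is safer
# than a known cleartext value. Rotate the password once the install completes.
rootpw --iscrypted CHANGE_ME_SHA512_CRYPT_HASH
# Enable the stock firewall with SSH allowed at install time; the final
# ruleset for the running system is written in %post.
firewall --enabled --service=ssh
authconfig --enableshadow --passalgo=sha512
# Permissive rather than disabled: the policy is loaded and denials are logged
# to the audit log without blocking anything, and files are labeled at install,
# so the box can be moved to enforcing later without the full relabel a
# disabled->enforcing switch needs.
selinux --permissive
services --enabled=sshd,httpd,squid,qlproxy,iptables
timezone --utc Asia/Jakarta
# Storage: zerombr + clearpart --all wipe every attached disk, not just sda
# (--driveorder only affects where the bootloader goes). /boot + LVM below.
bootloader --location=mbr --driveorder=sda --append=" rhgb crashkernel=auto quiet"
zerombr
clearpart --all
part /boot --fstype ext4 --size=250
part pv.2 --size=5000 --grow
volgroup VolGroup00 --pesize=32768 pv.2
logvol / --fstype ext4 --name=LogVol00 --vgname=VolGroup00 --size=1024 --grow
logvol swap --fstype swap --name=LogVol01 --vgname=VolGroup00 --size=256 --grow --maxsize=512
# Extra package repo (squid/qlproxy) that the installer sees mounted at /mnt/source
repo --name="internet filter" --baseurl=file:///mnt/source --cost=100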
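# Log the post-install script: it is long and its failures are otherwise silent.
%post --log=/root/ks-post.log
# IPv4 forwarding. The echo only takes effect in the installer environment
# (%post runs chrooted during the install); the sysctl.conf edit is what the
# installed system picks up at boot.
echo 1 > /proc/sys/net/ipv4/ip_forward
/bin/sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
# Certificate database for ssl_crtd. The path must match the -s argument of
# sslcrtd_program in squid.conf (/var/spool/squid/squid_ssldb). Previously it
# was created as /var/spool/squid_ssldb -- a different directory, and one left
# root-owned because it sits outside the chown below.
/usr/lib/squid/ssl_crtd -c -s /var/spool/squid/squid_ssldb
chown -R squid:squid /var/spool/squid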
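# Regex list backing the "download" ACL in squid.conf. That ACL is defined there
# but not referenced by any http_access/delay_access line, so this list has no
# effect until it is used. Quoted delimiter: the regexes are written verbatim,
# with no shell expansion. Duplicate \.gz$ removed; \.tar\.gz$ escaped properly.
cat > /etc/squid/download << 'EOF_download'
\.mpg$
\.mpeg$
\.wmv$
\.avi$
\.iso$
\.rm$
\.wav$
\.mov$
\.dat$
\.mid$
\.mp3$
\.mp4$
\.tar\.gz$
\.gz$
\.rpm$
\.zip$
\.rar$
\.m3u$
\.asx$
\.wpl$
\.wmx$
\.dvr-ms$
\.snd$
\.au$
\.aif$
\.asf$
\.m2v$
\.ac3$
\.cda$
\.vro$
\.deb$
\.mkv$
EOF_download
# Source addresses exempt from rate limiting (delay pool 1 in squid.conf).
# One IP or CIDR per line; "#" lines are comments, so the list starts empty.
cat > /etc/squid/admin << 'EOF_admin'
#
EOF_admin
# Domains that are never SSL-bumped ("ssl_bump none broken_sites" in squid.conf)
cat > /etc/squid/broken_sites << 'EOF_broken'
.permatanet.com
.microsoft.com
.windowsupdate.com
.microsoftonline.com
EOF_broken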
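# squid.conf. Quoted heredoc delimiter so the config reaches disk verbatim
# (it contains "\" and "?" in regexes; a "$" would otherwise be expanded).
cat > /etc/squid/squid.conf << 'EOF_squid'
visible_hostname proxy32b
# Do not forward the client's address upstream; keep Via so proxy loops stay detectable
forwarded_for delete
via on
icp_port 0
pid_filename /var/run/squid.pid
# Never cache cgi-bin / query-string responses ("cache" is the current name of no_cache)
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
acl localnet src 192.168.0.0/16    # RFC1918 possible internal network
#
acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl Safe_ports port 8001-8003
acl CONNECT method CONNECT
#acl unrestricted_hosts src "/etc/squid/user/unrestricted"
#acl file_dilarang url_regex -i "/etc/squid/user/file_dilarang"
#
# Access policy. Squid stops at the first http_access line that matches, so
# order matters: port restrictions first as denies, then the cache manager,
# then the internal networks, and an explicit "deny all" closes the proxy to
# every other source. The previous order began with "allow CONNECT SSL_ports"
# and "allow Safe_ports", which granted ANY client able to reach port 8001 a
# working proxy to any safe port -- an open proxy.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access deny all
#
#acl whitelist dstdomain whitelist "/etc/squid/whitelist"
#always_direct allow whitelist
http_port 8001
#http_port 8002 intercept
#https_ports 8003 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/certificate/ipeka.org.private cert=/certificate/ipeka.org.cert
#
# SSL bump. These directives only act on a port opened with the ssl-bump flag;
# none is enabled above, so they are inert until the https_port line is restored.
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/spool/squid/squid_ssldb -M 4MB
sslcrtd_children 50
sslproxy_capath /certificate
# Trust store for verifying the upstream (origin) server's certificate. This
# must be a CA bundle; it previously pointed at the bumping CA's private key
# (/certificate/ipeka.org.private), which cannot verify anything -- presumably
# the reason verification was then switched off with "sslproxy_flags
# DONT_VERIFY_PEER" and "sslproxy_cert_error allow all". Both lines are removed:
# with them every bumped client accepted any upstream certificate, spoofed or
# expired, because the proxy re-signed whatever it received. Sites with
# genuinely broken certificates belong in /etc/squid/broken_sites instead.
sslproxy_cafile /etc/pki/tls/certs/ca-bundle.crt
acl broken_sites dstdomain "/etc/squid/broken_sites"
ssl_bump none broken_sites
#ssl_bump none localhost
always_direct allow all
ssl_bump server-first all
# ICAP content filter (qlproxy). bypass=1 is fail-open: if the ICAP service is
# down, traffic passes unfiltered. Use bypass=0 where filtering must be enforced.
icap_enable on
icap_preview_enable on
icap_preview_size 4096
icap_persistent_connections on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Client-Username
icap_service qlproxy1 reqmod_precache bypass=1 icap://127.0.0.1:1344/reqmod
icap_service qlproxy2 respmod_precache bypass=1 icap://127.0.0.1:1344/respmod
acl qlproxy_icap_edomains dstdomain "/etc/opt/quintolabs/qlproxy/squid/icap_exclusions_domains.conf"
acl qlproxy_icap_etypes rep_mime_type "/etc/opt/quintolabs/qlproxy/squid/icap_exclusions_contenttypes.conf"
#
adaptation_access qlproxy1 deny qlproxy_icap_edomains
adaptation_access qlproxy2 deny qlproxy_icap_edomains
adaptation_access qlproxy2 deny qlproxy_icap_etypes
adaptation_access qlproxy1 allow all
adaptation_access qlproxy2 allow all
#
cache_effective_user squid
cache_effective_group squid
cache_mem 10 MB
# Was given twice (32 KB, then 4 KB); squid keeps the last value, so 4 KB is kept here.
maximum_object_size_in_memory 4 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
offline_mode off
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid 1000 16 256
cache allow all
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
coredump_dir /var/spool/squid
#
# "download" is defined but not referenced below; it has no effect until used.
acl download url_regex -i "/etc/squid/download"
acl admin src "/etc/squid/admin"
#acl management src "/etc/squid/management"
acl staff src 192.168.0.0/16
#
# Rate limiting: pool 1 (admin hosts) is unlimited; pool 2 gives each staff
# host 32000 B/s with a 20 MB burst bucket, unlimited in aggregate.
delay_pools 2
delay_class 1 1
delay_parameters 1 -1/-1
delay_access 1 allow admin
#delay_access 1 allow admin management
delay_access 1 deny all
delay_class 2 2
delay_parameters 2 -1/-1 32000/20000000
delay_access 2 allow staff
delay_access 2 deny all
#
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
# Catch-all. The previous line had no min/percent/max, which squid rejects at parse time.
refresh_pattern .        0    20%    4320
EOF_squid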
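# Load mod_wsgi into httpd. The module itself must come from the package set --
# nothing in this kickstart installs it, so confirm the repo provides mod_wsgi.
# (A stray "#[Desktop Entry]" line that had crept into this file is dropped.)
cat > /etc/httpd/conf.d/wsgi.conf << 'EOF_load_WSGI'
LoadModule wsgi_module modules/mod_wsgi.so
WSGISocketPrefix /var/run/wsgi
EOF_load_WSGI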
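# Firewall rules in iptables-save format, written straight to
# /etc/sysconfig/iptables so the iptables service (enabled in the command
# section) restores them at boot, before the interfaces come up.
# This replaces the earlier scheme of a shell script appended to rc.local,
# which had several problems: it ran only after networking was already up; it
# flushed whatever the iptables service had loaded; it never set a DROP/REJECT
# default for INPUT, so every port stayed reachable and the ACCEPT lines
# changed nothing; "service iptables save" in %post snapshotted the installer's
# live ruleset rather than these rules; and the 8002 line contained a typo
# ("-j/sbin/ ACCEPT") that iptables rejected.
# Interface roles follow the original FORWARD rules: eth0 = LAN side,
# eth1 = upstream. Confirm this against the actual hardware before deploying.
cat > /etc/sysconfig/iptables << 'EOF_iptables'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
# Services reachable from the LAN side only: ssh, httpd (80/443), squid on 8001
# (8002/8003 are the intercept ports, still commented out in squid.conf), and
# 10000, which nothing visible in this kickstart configures -- confirm what
# listens there and drop the rule if nothing does.
-A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 8001 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 8002 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 8003 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# Forwarding: only DNS from the LAN to upstream; replies ride on ESTABLISHED,RELATED.
-A FORWARD -i eth0 -o eth1 -p tcp --dport 53 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p udp --dport 53 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF_iptables
# Root-only: the ruleset is the one file an attacker would most like to read or edit.
chmod 600 /etc/sysconfig/iptables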
%end
# Repeats the "reboot" already given in the command section, adding --eject.
# With pykickstart the later command overrides the earlier one, so this is the
# effective setting; if the parser in use is in doubt, fold --eject into the
# first reboot and drop this line.
reboot --eject
