Servidor slackware+nocat+squid

marvinoliveiras
(usa Slackware)

Enviado em 12/09/2012 - 15:58h

Boa tarde, estou aprendendo sobre linux e estou enfrentando um problema ao tentar configurar um servidor para compartilhamento de internet com proxy e autenticação através do uso do squid e do nocat, o problema é que acho que o nocat não está iniciando, já o inclui para iniciar na inicialização do SO usando o arquivo rc.nocat:

#!/bin/sh

NC=/usr/loca/nocat/gw

export PERL5LIB=$NC/lib:$PERL5LIB

export NOCAT=$NC/nocat.conf

case "$1" in

   start)

      echo "Starting the NoCat gateway ..."

      $NC/bin/gateway

      ;;

   stop)

      echo "Stopping the NoCat gateway ..."

      killall gateway 2>/dev/null

   restart)

      $0 stop

      sleep 1

      $0 start

      ;;

   *)

      echo "Usage: $0 {start|stop|restart}"

      exit 1

esac 

Quando digito o comando para iniciá-lo ele apresenta a sequinte mensagem: Usage: /etc/rc.d/rc.nocat {start|stop|restart}

tentei encontrar um arquivo de log que podesse me ajudar e não encontrei, estou seguindo esse tutorial:
http://www.vivaolinux.com.br/artigo/NoCatAuth-Construindo-um-firewall-gateway-autenticado?pagina=6

ele iniciou ou não??

renato_pacheco
(usa Debian)

Enviado em 12/09/2012 - 16:03h

Vc executou-o assim: /etc/rc.d/rc.nocat start?

marvinoliveiras
(usa Slackware)

Enviado em 12/09/2012 - 16:09h

exatamente Renato

renato_pacheco
(usa Debian)

Enviado em 12/09/2012 - 16:23h

Hum... se vc copiou corretamente o script, tem um erro: o caminho do executável pode estar errado. Veja q está escrito NC=/usr/loca/nocat/gw. Se este for o caminho, acredito q o certo seria NC=/usr/local/nocat/gw. Verifique se o executável está lá msm...

marvinoliveiras
(usa Slackware)

Enviado em 12/09/2012 - 16:29h

o conteúdo do diretório é esse:

bin/ htdocs/ lib/ nocat.conf pgp/

renato_pacheco
(usa Debian)

Enviado em 12/09/2012 - 16:48h

Então tá certo. Basta, então, adicionar o l q ficou faltando na linha.

marvinoliveiras
(usa Slackware)

Enviado em 12/09/2012 - 16:58h

em que parte???

marvinoliveiras
(usa Slackware)

Enviado em 12/09/2012 - 17:05h

já havia corrigido isso antes

renato_pacheco
(usa Debian)

Enviado em 12/09/2012 - 17:09h

Olhe se o executável existe (/usr/local/nocat/gw/bin/gateway). Execute-o na mão pra saber se roda direito.

marvinoliveiras
(usa Slackware)

Enviado em 12/09/2012 - 17:23h

me retornou esse erro:


/usr/local/nocat/gw/bin/gateway start

[2012-09-12 17:12:37] Resetting firewall.

[2012-09-12 17:12:37] Detected InternalDevice 'eth1'

[2012-09-12 17:12:37] Detected ExternalDevice 'eth0'

[2012-09-12 17:12:37] Detected LocalNetwork '192.168.1.0/255.255.255.0'

iptables v1.4.12.2:

The "nat" table is not intended for filtering, the use of DROP is therefore inhi                                             bited.





Try `iptables -h' or 'iptables --help' for more information.

iptables v1.4.12.2:

The "nat" table is not intended for filtering, the use of DROP is therefore inhi                                             bited.





Try `iptables -h' or 'iptables --help' for more information.

Bad argument `192.168.1.254'

Try `iptables -h' or 'iptables --help' for more information.

 

renato_pacheco
(usa Debian)

Enviado em 12/09/2012 - 17:28h

O q isso faz, afinal? Pelo q vi, ele registra algumas regras d iptables no sistema. Tem algum arquivo d config desse aplicativo?

marvinoliveiras
(usa Slackware)

Enviado em 12/09/2012 - 17:44h

esse aplicativo faz a função de mediar o tráfego da internet, deixando que só acessem pessoas logadas, inclusive ele possibilita o uso do squid transparente, acho que ele é usando até mesmo no Myauth.

o /usr/local/nocat/gw/nocat.conf

###### gateway.conf -- NoCatAuth Gateway Configuration.

#

# Format of this file is: <Directive> <Value>, one per

#   line. Trailing and leading whitespace is ignored. Any

#   line beginning with a punctuation character is assumed to

#   be a comment.



###### General settings.

#

# See the bottom of this file for options for logging to syslog.

#

# Log verbosity -- 0 is (almost) no logging. 10 is log

#   everything. 5 is probably a safe middle road.

#

Verbosity       10



##### Gateway application settings.

#

# GatewayName -- The name of this gateway, to be optionally displayed

#   on the splash and status pages. Any short string of text will do.

#

GatewayName	ServNet Camara



##

#

# GatewayMode -- Determines the mode of operation of the gateway. Possible

#   values are:

#   

#   Captive	- Allow authentication against an auth service. LEGACY.

#   Passive	- Like Captive, but YOU MUST USE THIS if your gateway 

#                   is behind a NAT. Will work anyway if not. *RECOMMENDED*.

#   Open	- Simply require a user to view a splash page and accept 

#		    a use agreement.

#

# If Captive or Passive Mode is set, you will need to have values set for

#   AuthServiceAddr, AuthServiceURL, and LogoutURL. You will want to leave a

#   short value for LoginTimeout (probably <600).

#

# If Open Mode is set, you will need to have values set for SplashForm,

#   HomePage, and possibly DocumentRoot (or provide an absolute path for

#   SplashForm).  Also, you will want to set a large value for LoginTimeout

#   (probably >3600).

#

GatewayMode	Passive



##

# GatewayLog -- Optional.  If unset, messages will go to STDERR.

#

GatewayLog	/usr/local/nocat/gw/nocat.log



##

# LoginTimeout - Number of seconds after a client's last

#   login/renewal to terminate their connection. Probably

#   don't want to set this to less than 60 or a lot of 

#   bandwidth is likely to get consumed by the client's

#   renewal attempts. Defaults to 300 seconds.

#

# For Captive Mode, you want to set this to something

#   fairly short (like 10 minutes) to prevent connection

#   spoofing

#

LoginTimeout	 86400



# For Open Mode portals, you probably want to comment out

#   the preceding and set LoginTimeout to 

#   something large (like 86400, for one notification

#   per day).

#

# LoginTimeout	86400



###### Open Portal settings.

#

##

# HomePage -- The authservice's notion of a default

#   redirect.

#

HomePage	http://www.camaradebarreiras.ba.gov.br



# DocumentRoot -- Where all of the application templates (including

#   SplashPage) are hiding. Can be different from Apache's DocumentRoot.

#

DocumentRoot	/usr/local/nocat/gw/htdocs



# SplashForm -- Form displayed to users on capture.

#

SplashForm	splash.html



# StatusForm -- Page displaying status of logged in users.

#

StatusForm	status.html





###### Active/Passive Portal settings.

#

##

# TrustedGroups - A list of groups registered with the auth server

#   that a user may claim membership in order to gain Member-class

#   access through this portal. The default magic value "Any" indicates

#   that a member of *any* group is granted member-class access from

#   this gateway..

#

# TrustedGroups	NoCat NYCWireless PersonalTelco

#

TrustedGroups Any



##

# Owners - Optional.  List all local "owner" class users here, separated 

#   by spaces.  Owners typically get full bandwidth, and unrestricted

#   access to all network resources.

#

# Owners rob@nocat.net schuyler@nocat.net



##

# AuthServiceAddr - Required, for captive mode. Must be set to the address of

#   your authentication service. You must use an IP address

#   if DNS resolution isn't available at gateway startup.

#

# AuthServiceAddr 208.201.239.21

#

AuthServiceAddr	192.168.1.254



##

# AuthServiceURL - HTTPS URL to the login script at the authservice. 

#

AuthServiceURL  https://$AuthServiceAddr/cgi-bin/login



##

# LogoutURL - HTTP URL to redirect user after logout.

#

LogoutURL	https://$AuthServiceAddr/logout.html



### Network Topology

#

# ExternalDevice - Required if and only if NoCatAuth can't figure it out

#   from looking at your routing tables and picking the interface

#   that carries the default route. Must be set to the interface

#   connected to the Internet. Usually 'eth0' or 'eth1'

#   under Linux, or maybe even 'ppp0' if you're running

#   PPP or PPPoE.

#

ExternalDevice	eth0



##

# InternalDevice - Required if and only if you have ethernet devices

#   on your gateway besides your wireless device and your 'Net connection.

#   Must be set to the interface connected to your local network, normally

#   your wireless card. In Linux, some wireless devices are named 'wvlan0'

#   or 'wlan0' rather than 'ethX'.

#

InternalDevice	eth1



##

# LocalNetwork - Required if and only if NoCatAuth can't figure out

#   the network address of your local (probably wireless) network,

#   given your InternalDevice(s). Must be set to the network

#   address and net mask of your internal network. You

#   can use the number of bits in the netmask (e.g. /16, /24, etc.)

#   or the full x.x.x.x specification.

#

# LocalNetwork	10.0.1.0/24



##

# DNSAddr - Optional. *If* you choose not to run DNS on your internal network,

#   specify the address(es) of one or more domain name server on the Internet

#   that wireless clients can use to get out. Should be the same DNS that your

#   DHCP server hands out. If left blank, NoCatAuth will presume that you

#   want to use whatever nameservers are listed in /etc/resolv.conf.

#

# DNSAddr 111.222.333.444



##

# AllowedWebHosts - Optional.  List any domains that you would like to

#   allow web access (TCP port 80 and 443) BEFORE logging in (this is the

#   pre-'skip' stage, so be careful about what you allow.)

#

# AllowedWebHosts	nocat.net



##

# RouteOnly - Required only if you DO NOT want your gateway to act as a NAT. 

#   Uncomment this only if you're running a strictly routed network, and

#   don't need the gateway to enable NAT for you.

#

# RouteOnly	1



##

# IgnoreMAC - Set this if and only if the NoCat gateway isn't directly

#   connected (or bridged at Layer 2) to your internal (usually wireless)

#   network. In that event, the gateway won't be able to match clients based

#   on MAC address, and will fall back to using IPs only. This is 

#   theoretically less secure, as IP addresses are usually easier to spoof

#   than MAC addresses, so don't use this unless you know what you're doing.

#

# IgnoreMAC	1



##

# MembersOnly - Optional.  Uncomment this if you want to disable public

#   access (i.e. unauthenticated 'skip' button access).  You'll also want to

#   point AuthServiceURL somewhere that doesn't include a skip button (like

#   at your own Auth server.)

#

# MembersOnly	1



##

# IncludePorts - Optional.  Specify TCP ports to allow access to when 

#   public class users login.  All others will be denied.

#

#   For a list of common services and their respective port numbers, see 

#   your /etc/services file. Depending on your firewall, you might even

#   be able to specify said services here, instead of using port numbers.

#

# IncludePorts    22 80 443



##

# ExcludePorts - Optional.  Specify TCP ports to denied access to when

#   public class users login.  All others will be allowed.

#

#   Note that you should use either IncludePorts or ExcludePorts, but not

#   both.  If neither is specified, access is granted to all ports to

#   public class users.

#

#   You should *always* exclude port 25, unless you want to run an portal

#   for wanton spam sending. Users should have their own way of sending

#   mail. It sucks, but that's the way it is. Comment this out *only if*

#   you're using IncludePorts instead.

#

# ExcludePorts 23 25 111

#

ExcludePorts    25



####### Syslog Options -- alter these only if you want NoCat to log to the

#        system log!

#

# Log Facility - syslog or internal.  Internal sends log messages

#    using the GatewayLog or STDERR if GatewayLog is unset.  Syslog

#    sends all messages to the system log.

#

# LogFacility	internal



##

# SyslogSocket - inet or unix.  Inet connects to an inet socket returned

#    by getsrvbyname().  Unix connects to a unix domain socket returned by 

#    _PATH_LOG in syslog.ph (typically /dev/log).  Defaults to unix.

#

# SyslogSocket unix



##

# SyslogOptions - Zero or more of the words pid, ndelay, cons, nowait

#    Defaults to "cons,pid". 

#

# SyslogOptions cons,pid



##

# SyslogPriority - The syslog class of message to use:  In decreasing importance,

#    the typical priorities are EMERG, ALERT, CRIT, ERR, WARNING, NOTICE, INFO, 

#    and DEBUG.  Defaults to INFO.

#

# SyslogPriority INFO



##

# SyslogFacility - The facility used to log messages.  Defaults to user.

# SyslogFacility user



##

# SyslogIdent - The ident of the program that is calling syslog.  This will

#    be prepended to every log entry made by NoCat.  Defaults to NoCat.

#

# SyslogIdent NoCat



###### Other Common Gateway Options. (stuff you probably won't have to change)

#

# ResetCmd, PermitCmd, DenyCmd -- Shell commands to reset,

#   open and close the firewall. You probably don't need to

#   change these.

#

# ResetCmd	initialize.fw

# PermitCmd	access.fw permit $MAC $IP $Class 

# DenyCmd	access.fw deny $MAC $IP $Class 



##

# GatewayPort - The TCP port to bind the gateway 

#   service to. 5280 is de-facto standard for NoCatAuth.

#   Change this only if you absolutely need to.

#

GatewayPort     5280



##

# PGPKeyPath -- The directory in which PGP keys are stored.

#   NoCat tries to find this in the pgp/ directory above

#   the bin/ parent directory. Set this only if you put it

#   somewhere that NoCat doesn't expect.

#

PGPKeyPath	/usr/local/nocat/gw/pgp



##

# MessageVerify -- Shell command to verify a PGP signed

#   message. The actual message is delivered to the

#   command's standard input. NoCat tries to find gpg

#   and gpgv in your path. Set these only if you need to find 

#   them elsewhere.

#

# GpgvPath	/usr/bin/gpgv

#

# MessageVerify	$GpgvPath --homedir=$PGPKeyPath 2>/dev/null



##

#

# IdleTimeout -- How often to check the ARP cache, in seconds,

#   for expiration of idle clients.

#

# MaxMissedARP -- How many times a client can be missing from

#   the ARP cache before we assume they've gone away, and log them

#   out. Set to 0 to disable logout based on ARP cache expiration.

# 

# MaxMissedARP	2

#

# IdleTimeout   300



### Fin!



 

o /usr/local/nocat/authserv/nocat.conf

###### authserv.conf -- NoCatAuth Authentication Service Configuration.

#

# Format of this file is: <Directive> <Value>, one per

#   line. Trailing and leading whitespace is ignored. Any

#   line beginning with a punctuation character is assumed to

#   be a comment.



###### General settings.

#

# Log verbosity -- 0 is (almost) no logging. 10 is log

#   everything. 5 is probably a safe middle road.

#

Verbosity       10



##

# PGPKeyPath -- The directory in which PGP keys are stored.

#   NoCat tries to find this in the pgp/ directory above

#   the bin/ parent directory. Set this only if you put it

#   somewhere that NoCat doesn't expect.

#

PGPKeyPath	/usr/local/nocat/authserv/pgp





###### Authservice-specific settings.

#

# HomePage -- The authservice's notion of a default

#   redirect.

#

HomePage	http://www.camaradebarreiras.ba.gov.br



# DocumentRoot -- Where all of the application templates (including

#   SplashPage) are hiding. Can be different from Apache's DocumentRoot.

#

DocumentRoot	/usr/local/nocat/authserv/htdocs



##### Authservice authentication source.

#

# DataSource -- specifies what to authenticate against.

#   Possible values are DBI, Passwd, LDAP, RADIUS, PAM, Samba, IMAP, NIS.

#

DataSource	DBI



##

# Auth service database settings.

#

# If you select DataSource DBI, then Database, DB_User, and DB_Password

#   are required.

#

# Database is a DBI-style data source specification.

#

# For postgres support:

# Database	dbi:Pg:dbname=nocat

#

# For mysql support:

Database	dbi:mysql:database=nocat

DB_User		root

DB_Passwd	MINHASENHA





## LDAP support. Requires Net::LDAP & IO::Socket::SSL to be installed from the CPAN.

#

# If you select DataSource LDAP, all of the following settings are required:

#

#    LDAP_Host - DNS name or IP Address of LDAP directory

#    LDAP_Base - the LDAP container for searching and creating users

#    LDAP_Admin_User - the fully distinguished name of the administrative user

#	NOTE: this user must be able to create users in the container specified above

#    LDAP_Admin_PW - the admin users password

#    LDAP_Hash_Passwords - Yes or No

#       - if passwords are to be MD5 hashed before being set in the directory

#    LDAP_Search_as_Admin - Yes or No

#       - "Yes" if all operations are to be done as the admin user, "No" if

#	    everything but creation should be done as anonymous

#    LDAP_Filter - Attribute name containing user's ID, email address 

#	or username.

#

# This version of LDAP.pm has been updated and tested against a Novell eDirectory

# LDAP server.  The login "unique ID" - the e-mail address - is stored as an

# attribute of the user, and the "name" provided by the user is used as the

# directory object name.

#

# Please send bug reports and patches.

#

# Still with this release, the admin tools don't fully work with LDAP support at

# the moment.

#

# LDAP_Host		ldap.mydomain.com

# LDAP_Base		ou=myContainer,o=universe

# LDAP_Admin_User	cn=LDAPAdmin,o=universe

# LDAP_Admin_PW		ldapAdminSecret

# LDAP_Hash_Passwords	Yes

# LDAP_Search_as_Admin	Yes

# LDAP_Filter		mail



## RADIUS support. Requires Authen::Radius to be installed from the CPAN.

#

# Right now, this support is totally experimental. Please send bug reports

# and patches. The admin tools don't fully work with RADIUS support at the moment.

#

# The RADIUS_Host may by in a number of different formats and is required:

#

#   RADIUS_Host radius.nocat.net

#   RADIUS_Host radius1.nocat.net,radius2.nocat.net,radius3.nocat.net

#   RADIUS_Host radius1.nocat.net:1645,radius2.nocat.net:1812,radius3.nocat.net

#

# The previous three examples are 1 host and multiple hosts (can be any number of

# hosts separated by a comma) and finally with ports provided after a colon.  (If

# no port number is supplied, it uses the Authen::Radius default of the radius 

# service in /etc/services or 1645.  Mixing entries with and without ports is 

# fine.)  These examples require a RADIUS_Secret in the format:

#

# RADIUS_Secret	sHHHH

#

# The other format is to use the RADIUS_Host with a secret after

# the hostname seperated by a * such as the examples below.  This 

# allows for different secrets on different hosts.

#

# RADIUS_Host radius1.nocat.net*secret1,radius2.nocat.net*secret2,radius3.nocat.net*secret3

#

# Alternatively, ports can also be used on any number of entries.  

# If the secret is not present, it uses the RADIUS_Secret.

#

# RADIUS_Host radius1.nocat.net:1645*secret1,radius2.nocat.net:1812,radius3.nocat.net*secret3

#

# RADIUS_TimeOut is optional and defaults to the Authen::Radius 

# default timeout.

#

# RADIUS_TimeOut 5

#

# Finally, RADIUS_Order controls the order in which RADIUS

# servers are used.  The acceptable values are "Ordered" 

# (the default) and Random (which will share the load 

# among the servers.

#

# RADIUS_Order Random

#     **** End RADIUS Configuration ****





## PAM support. Requires Authen::PAM to be installed from the CPAN.

#

# Make sure you have an /etc/pam.d/nocat or nocat line(s) in your /etc/pam.conf.

# See etc/pam.conf from this distribution for an example. The PAM_Service

# directive controls which PAM service NoCat attempts to authenticate against,

# but we don't recommend changing it unless you really know what you're doing

# with PAM. It defaults to "nocat". The admin tools don't work with PAM support

# at the moment.

#

# PAM_Service	nocat



## Samba support. Requires Authen::Smb to be installed from the CPAN.

#

# Samba_PDC and Samba_Domain are required. Samba_BDC is optional.

#

# Samba_Domain	MyWorkgroup

# Samba_PDC	MyPrimaryDomainController

# Samba_BDC	MyBackupDomainController



## IMAP support. Requires Net::IMAP::Simple to be installed from the CPAN.

#

# IMAP_Server is required. The admin tools don't work with this auth method.

#

# IMAP_Server	imap.yourdomain.net

# (or more likely:)

# IMAP_Server	localhost



## NIS support. Requires Net::NIS to be installed from the CPAN.

#

# The admin tools don't work with this auth source, surprise.

#

# DataSource NIS



## Alternately, you can use the Passwd data source. 

#

# UserFile	    /usr/local/nocat/authserv/etc/passwd

# GroupUserFile	    /usr/local/nocat/authserv/etc/group

# GroupAdminFile    /usr/local/nocat/authserv/etc/groupadm

#

# The format of these files is as follows:

#

# In UserFile, each line is of the form <username>:<password>, where the

#   password is an MD5 digest of the user's actual password.

#

# In GroupUserFile and GroupAuthFile, each line is of the form 

#   <group>:<user1>,<user2>,<user3>,...

#

# The UserFile may be updated with the bin/admintool script included in this

# distribution.



###### Auth service user table settings.

#

# UserTable names the table containing the user ID data.

#

# UserIDField names the column containing the ID that the

#    client uses to uniquely identifying themselves, i.e. their

#    e-mail address or username.

#

# UserPasswdField stores the user's MD5-hashed password.

#

# UserAuthField is deprecated and will go away.

#

UserTable	member

UserIDField	login

UserPasswdField pass

UserAuthField   status

UserStampField	created



GroupTable      network

GroupIDField    network

GroupAdminField admin



####### Auth service web application settings.

#

# MinPasswdLength -- Enforced minimum user password length.

#   Not much other checking is done on the user's p/w.

#

MinPasswdLength	6



# MessageSign -- shell command to sign an auth notification

#   with. The message to be signed is written to the

#   command's standard in, and the signed message is read

#   from standard out.

#

# GpgPath	/usr/bin/gpg

#

# MessageSign	$GpgPath --clearsign --homedir=$PGPKeyPath -o-



# LocalGateway -- If you run auth service on the same subnet 

#   (or host) as the gateway you need to specify the hostname 

#   of the gateway. Otherwise omit it.  (Requires Net::Netmask)

#

# LocalGateway    192.168.1.7



# Auth service template names. See the individual templates

#   for details on what each one does.

#

LoginForm	login.html

LoginOKForm	login_ok.html

FatalForm	fatal.html

ExpiredForm	expired.html

RenewForm	renew.html

PassiveRenewForm renew_pasv.html



RegisterForm	register.html

RegisterOKForm	register_ok.html

RegisterFields	name url description



UpdateForm	update.html

UpdateFields	url description



###### Auth service user messages. Should be self-explanatory.

#

LoginGreeting   Greetings! Welcome to the NoCat Network.

LoginMissing    Please fill in all fields!

LoginBadUser    That e-mail address is unknown. Please try again.

LoginBadPass	That e-mail and password do not match. Please try again.

LoginBadStatus  Sorry, you are not a registered co-op member.



RegisterGreeting    Welcome! Please enter the following information to register.

RegisterMissing	    Name, E-mail, and password fields must be filled in.

RegisterUserExists  Sorry, that e-mail address is already taken. Are you already registered?

RegisterBadUser	    The e-mail address provided appears to be invalid. Did you spell it correctly?

RegisterInvalidPass All passwords must be at least six characters long.

RegisterPassNoMatch The passwords you provided do not match. Please try again.

RegisterSuccess	    Congratulations, you have successfully registered.



UpdateGreeting	    Enter your E-mail and password to update your info.

UpdateBadUser	    That e-mail address is unknown. Please try again.

UpdateBadPass	    That e-mail and password do not match. Please try again.

UpdateInvalidPass   New passwords must be at least six characters long.

UpdatePassNoMatch   The new passwords you provided do not match. Please try again.

UpdateSuccess	    Congratulations, you have successfully updated your account.



###### Fin.