budiana

Debian Proxy Server for Mikrotik BIND9

Mar 29th, 2012
Install BIND9 as a local caching DNS server (also authoritative for the server's own FQDN)

apt-get -y install bind9 dnsutils

/etc/init.d/bind9 stop
  6.  
BIND server configuration

Adding the domain zone. To find the server's domain name, run: hostname -d

1. Edit /etc/bind/named.conf.local

Keep a copy of the original and start from an empty file:

cp /etc/bind/named.conf.local /etc/bind/named.conf.local_; rm /etc/bind/named.conf.local
touch /etc/bind/named.conf.local
nano /etc/bind/named.conf.local

Paste the configuration below, first replacing hade.war.net with the output of hostname -d (and 3.168.192.in-addr.arpa with the reversed form of your own /24 network):
  18.  
zone "hade.war.net" {
    type master;
    file "/etc/bind/db.hade.war.net";
};

zone "3.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/3.168.192.in-addr.arpa.rev";
};

include "/etc/bind/zones.rfc1918";

logging {
    category lame-servers { null; };
    category edns-disabled { null; };
};

Save file. Exit.
  37.  
2. Edit /etc/bind/zones.rfc1918 to remove the empty zone for the private block we use ourselves

nano /etc/bind/zones.rfc1918

Since I only use the 192.168.0.0/16 block, the line I delete is this one:

zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };

(BIND answers a query from the most specific matching zone, so the 3.168.192.in-addr.arpa zone above is served either way and the deletion is optional. What it changes is the rest of 192.168.0.0/16: with the empty zone gone, reverse lookups for those addresses are forwarded to the upstream resolvers instead of being answered locally with NXDOMAIN, which leaks internal addresses upstream.)
  45.  
3. Adding the upstream resolvers. Raptor Cache uses Google Public DNS, so the configuration looks like this:

nano /etc/bind/named.conf.options

options {
    directory "/var/cache/bind";

    // Forward every query this server is not authoritative for to the
    // resolvers listed below, and never fall back to iterating from the roots
    forward only;
    forwarders { 8.8.8.8; 8.8.4.4; };

    auth-nxdomain no; # conform to RFC1035
    // max-cache-size
    max-cache-size 30M;
    listen-on-v6 { any; };
    listen-on { 127.0.0.1; 192.168.3.1; };

    // Do not transfer the zone information to the secondary DNS
    allow-transfer { none; };

    // Do not reveal the BIND version
    version none;
};

Save file. Exit.

Three things to check in this block. The addresses in listen-on must belong to this machine: the zone file further down gives the server 192.168.3.2, so make sure the two agree. listen-on-v6 { any; } binds every IPv6 address the host has; use none or ::1 unless IPv6 clients really need the resolver. And there is no allow-recursion or allow-query restriction, so if port 53 is ever reachable from outside the LAN this is an open resolver that can be abused for DNS amplification; limit recursion to the loopback and LAN addresses with allow-recursion, and filter port 53 in the firewall as well.
  73.  
4. Edit resolv.conf

On Ubuntu 12.04 and later, where the resolvconf package is installed by default, there are two ways to do this:

1. If the server's IP is assigned by DHCP, edit /etc/resolvconf/resolv.conf.d/head and add these lines

search hade.war.net
nameserver 127.0.0.1
nameserver 8.8.8.8
nameserver 8.8.4.4

and delete these lines from /etc/network/interfaces
dns-nameservers IP_SERVER
dns-search hade.war.net

2. If you use a static IP, it is enough to edit this part of /etc/network/interfaces
dns-nameservers IP_SERVER
dns-search hade.war.net

changing it to (dns-nameservers takes all addresses on one line, separated by spaces)
dns-nameservers 127.0.0.1 8.8.8.8 8.8.4.4
dns-search hade.war.net

Keep 127.0.0.1 first: the local zones (hade.war.net and the reverse zone) are only known to the local BIND, so a lookup that falls through to 8.8.8.8 will not resolve those names.
  99.  
5. The zone files.

nano /etc/bind/db.hade.war.net

; BIND data file for hade.war.net
;
$TTL 3h
@ IN SOA ns1.hade.war.net. hostmaster.hade.war.net. (
        1  ; Serial - increase it on every change, or secondaries never pick up the new data
        3h ; Refresh after 3 hours
        1h ; Retry after 1 hour
        1w ; Expire after 1 week
        1h ) ; Negative caching TTL of 1 hour
;
@ IN NS ns1.hade.war.net.

hade.war.net. IN MX 10 mail.hade.war.net.
hade.war.net. IN A 192.168.3.2
ns1 IN A 192.168.3.2
ns2 IN A 192.168.3.1
www IN CNAME hade.war.net.
mail IN A 192.168.3.2
ftp IN CNAME hade.war.net.
; EOF

The second SOA field is the hostmaster mailbox written as a domain name: hostmaster.hade.war.net. stands for hostmaster@hade.war.net. The original page showed an obfuscated e-mail address in that position, so hostmaster.hade.war.net. is a placeholder here; put your own contact in the same dotted form (not with an @, which is not valid in that field).
  124.  
  125.  
nano /etc/bind/3.168.192.in-addr.arpa.rev

; BIND reverse data file for 3.168.192.in-addr.arpa
;
$TTL 604800
3.168.192.in-addr.arpa. IN SOA ns1.hade.war.net. hostmaster.hade.war.net. (
        1  ; Serial - increase it on every change
        3h ; Refresh after 3 hours
        1h ; Retry after 1 hour
        1w ; Expire after 1 week
        1h ) ; Negative caching TTL of 1 hour
;
3.168.192.in-addr.arpa. IN NS ns1.hade.war.net.
3.168.192.in-addr.arpa. IN NS ns2.hade.war.net.
2.3.168.192.in-addr.arpa. IN PTR hade.war.net.
; EOF

Two consistency points. ns2 is listed as a name server here but not in the forward zone; either add a matching NS record there or drop it here. Only 192.168.3.2 has a PTR; every host that gets an A record in the forward zone should get one here too, otherwise reverse lookups of those addresses fall through to the upstream resolvers.
  142.  
To find out whether the configuration contains errors, run BIND in the foreground with debug output:
/usr/sbin/named -g
(named-checkconf -z, from the same package, runs the same configuration and zone checks without starting a second daemon, which matters once named is already running.)
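The reverse zone above was typed by hand and already lags the forward zone (one PTR for six names). As an added example that is not part of the original page, the script below derives the PTR records of a /24 reverse zone from the forward zone's A records, so the two files cannot drift apart, and optionally hands the result to named-checkzone. It assumes the "<name> IN A <addr>" record form used above (no per-record TTL column); the embedded forward zone is constructed from the records on this page, and hostmaster.hade.war.net. and the serial 2012032901 are assumed values.

```shell
#!/bin/sh
# Added example, not from the original page: generate a /24 reverse zone from
# the A records of a forward zone so forward and reverse data stay in sync.
# Assumes "<name> IN A <addr>" records (no TTL column), as on this page.
set -eu

# Constructed sample forward zone mirroring the records shown on the page.
write_sample_zone() {
    cat > "$1" <<'EOF'
$TTL 3h
@ IN SOA ns1.hade.war.net. hostmaster.hade.war.net. (
        1 ; Serial
        3h ; Refresh
        1h ; Retry
        1w ; Expire
        1h ) ; Negative caching TTL
@ IN NS ns1.hade.war.net.
hade.war.net. IN MX 10 mail.hade.war.net.
hade.war.net. IN A 192.168.3.2
ns1 IN A 192.168.3.2
ns2 IN A 192.168.3.1
www IN CNAME hade.war.net.
mail IN A 192.168.3.2
ftp IN CNAME hade.war.net.
EOF
}

# gen_ptrs <forward-zone-file> <origin> <dotted /24 prefix>
# Prints one PTR per address in the prefix (first A record wins), e.g.
#   2.3.168.192.in-addr.arpa. IN PTR hade.war.net.
gen_ptrs() {
    awk -v origin="$2" -v prefix="$3" '
        { sub(/;.*/, "") }                        # drop comments, re-split fields
        $2 == "IN" && $3 == "A" && NF >= 4 {
            name = $1; ip = $4
            if (name == "@") name = origin "."
            else if (name !~ /\.$/) name = name "." origin "."   # relative -> FQDN
            if (index(ip, prefix ".") != 1) next  # address outside our /24
            if (ip in seen) next                  # one PTR per address
            seen[ip] = 1
            split(prefix, p, ".")
            rev = p[3] "." p[2] "." p[1]
            split(ip, o, ".")
            print o[4] "." rev ".in-addr.arpa. IN PTR " name
        }' "$1"
}

# gen_reverse_zone <forward-zone-file> <origin> <prefix> <serial>
# Emits a complete reverse zone. The serial is a parameter so the caller
# bumps it (e.g. YYYYMMDDnn) on every regeneration.
gen_reverse_zone() {
    n=$(echo "$3" | awk -F. '{ print $3 "." $2 "." $1 }')
    printf '; BIND reverse data file for %s.in-addr.arpa (generated)\n' "$n"
    printf '$TTL 604800\n'
    printf '%s.in-addr.arpa. IN SOA ns1.%s. hostmaster.%s. ( %s 3h 1h 1w 1h )\n' "$n" "$2" "$2" "$4"
    printf '%s.in-addr.arpa. IN NS ns1.%s.\n' "$n" "$2"
    gen_ptrs "$1" "$2" "$3"
}

# Stand-alone run: "sh thisfile.sh demo" prints the generated zone for the
# sample and, if bind9utils is installed, validates it with named-checkzone.
if [ "${1:-}" = "demo" ]; then
    fwd=$(mktemp); rev=$(mktemp)
    write_sample_zone "$fwd"
    gen_reverse_zone "$fwd" hade.war.net 192.168.3 2012032901 > "$rev"
    cat "$rev"
    command -v named-checkzone >/dev/null && named-checkzone 3.168.192.in-addr.arpa "$rev"
    rm -f "$fwd" "$rev"
fi
```

For the real files, point gen_reverse_zone at /etc/bind/db.hade.war.net and write its output to /etc/bind/3.168.192.in-addr.arpa.rev, then rndc reload. Once named is running, dig @127.0.0.1 -x 192.168.3.1 should return ns2.hade.war.net., which the hand-written zone above never answered.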
  145.  
Fixing this error
- general: error: managed-keys-zone ./IN: loading from master file managed-keys.bind failed: file not found

touch /var/cache/bind/managed-keys.bind
chown bind:bind /var/cache/bind/managed-keys.bind

(named writes this file into its working directory itself; the message appears on a first start before the file exists and is harmless as long as /var/cache/bind is writable by the bind user, which is what the two commands above make sure of.)
  151.  
Fixing this error
- none:0: open: /etc/bind/rndc.key: permission denied

Add this line to /etc/bind/named.conf
include "/etc/bind/rndc.key";

chown root:bind /etc/bind/rndc.key
chmod 640 /etc/bind/rndc.key

Error on port 953: add this, still in named.conf (after the include above, since it refers to the key defined in rndc.key, which must be named "rndc-key"):

controls {
    inet 127.0.0.1 port 953
    allow { 127.0.0.1; } keys { "rndc-key"; };
};

Create /etc/bind/rndc.conf with this content:

options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};

(rndc itself must also know the key. Either add include "/etc/bind/rndc.key"; to rndc.conf, or do not create rndc.conf at all, in which case rndc falls back to /etc/bind/rndc.key. With rndc.conf containing only the options block, rndc status fails because "rndc-key" is referenced but never defined.)
  176.  
  177.  
If it still doesn't work, you can re-create the key with rndc-confgen.

http://www.linuxquestions.org/questions/linux-networking-3/dns-rndc-service-errror-229950/

rndc-confgen > /etc/bind/rndc.conf

This generated the following rndc.conf:
-------------------------------------------
# Start of rndc.conf
key "rndc-key" {
    algorithm hmac-md5;
    secret "B2/eIUdqZzQxLES2EcnYBA==";
};

options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#     algorithm hmac-md5;
#     secret "B2/eIUdqZzQxLES2EcnYBA==";
# };
#
# controls {
#     inet 127.0.0.1 port 953
#     allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
----------------------------------------------------------------------------------

Two cautions about this output. The secret shown here is now public (it is on this page), and since it is the only thing protecting the control channel it must not be reused: generate your own. hmac-md5 is the weakest algorithm BIND accepts for this key; newer rndc-confgen takes -A hmac-sha256, and the key clause in named.conf must then declare the same algorithm. Both rndc.conf and rndc.key contain the secret, so keep them root:bind, mode 640.
  211.  
Check that rndc can reach named:

# rndc status
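The rndc-confgen output above uses hmac-md5 and a secret that is now public. As an added example that is not part of the original page, the following script generates a fresh control-channel key with hmac-sha256, writes it without ever leaving it world-readable, and prints the matching named.conf stanza. It uses only /dev/urandom and coreutils base64, so it does not need rndc-confgen; the path /etc/bind/rndc.key, the key name "rndc-key" and the group "bind" are the Debian defaults used elsewhere on this page, and the install mode at the bottom assumes it is run as root.

```shell
#!/bin/sh
# Added example, not from the original page: create an hmac-sha256 rndc key
# with safe permissions and emit the controls stanza that goes with it.
# Assumes Debian layout (/etc/bind, group "bind", key name "rndc-key").
set -eu

# make_rndc_key <key-file> [key-name] [algorithm]
# Writes:  key "<name>" { algorithm <alg>; secret "<base64>"; };
# The umask inside the subshell means the file is created 0600, so the secret
# is never readable by others, not even between creation and the chmod below.
make_rndc_key() {
    keyfile=$1; name=${2:-rndc-key}; alg=${3:-hmac-sha256}
    # 32 random bytes = the full key size for HMAC-SHA256 (44 chars of base64)
    secret=$(head -c 32 /dev/urandom | base64 | tr -d '\n')
    (
        umask 077
        printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' \
            "$name" "$alg" "$secret" > "$keyfile"
    )
    # named runs as user bind and must read the key; nobody else should.
    # chown only when root and the group exists, so the function is usable
    # unprivileged for testing.
    if [ "$(id -u)" -eq 0 ] && getent group bind >/dev/null; then
        chown root:bind "$keyfile"
    fi
    chmod 640 "$keyfile"
}

# controls_stanza <key-file> [key-name]
# Prints what goes into named.conf: include the key, then bind the control
# channel to loopback only and require that key for every command.
controls_stanza() {
    printf 'include "%s";\n\ncontrols {\n\tinet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "%s"; };\n};\n' \
        "$1" "${2:-rndc-key}"
}

# key_algorithm <key-file>  -> the algorithm declared in the file
key_algorithm() {
    sed -n 's/^[[:space:]]*algorithm[[:space:]]*\([^;]*\);.*/\1/p' "$1"
}

# key_secret_len <key-file> -> length of the base64 secret in the file
key_secret_len() {
    sed -n 's/^[[:space:]]*secret[[:space:]]*"\([^"]*\)";.*/\1/p' "$1" | tr -d '\n' | wc -c | tr -d ' '
}

# "sh thisfile.sh install" (as root) writes /etc/bind/rndc.key and prints the
# stanza to paste into named.conf.
if [ "${1:-}" = "install" ]; then
    make_rndc_key /etc/bind/rndc.key
    controls_stanza /etc/bind/rndc.key
fi
```

After installing the key, restart named and run rndc status; with no /etc/bind/rndc.conf present, rndc picks the key up from /etc/bind/rndc.key by itself, which is the simplest arrangement on Debian.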
  213.  
Let's restart BIND to activate our latest changes.

/etc/init.d/bind9 restart

Finally, let's test the new domain and DNS entries: dig @127.0.0.1 hade.war.net and dig @127.0.0.1 -x 192.168.3.2 should give answers that agree with each other, and a lookup of an external name should be answered through the forwarders.
  219.  
Tuning Up

# ulimit -HSn 65536

echo 65536 > /proc/sys/fs/file-max
echo "* soft nofile 65536" >> /etc/security/limits.conf
echo "* hard nofile 65536" >> /etc/security/limits.conf
echo "root soft nofile 65536" >> /etc/security/limits.conf
echo "root hard nofile 65536" >> /etc/security/limits.conf
echo "proxy soft nofile 65536" >> /etc/security/limits.conf
echo "proxy hard nofile 65536" >> /etc/security/limits.conf

(Run the echo >> lines once; rerunning them appends duplicate entries. The write to /proc/sys/fs/file-max is lost on reboot unless fs.file-max is also set in /etc/sysctl.conf.)

tune2fs -m 1.0 /dev/sda5
tune2fs -m 1.0 /dev/sda6
tune2fs -m 1.0 /dev/sda7

If you need to know your partition names, type the following:

df -T | awk '{print $1,$2,$NF}' | grep "^/dev"

tune2fs -o journal_data_writeback /dev/sda5
tune2fs -o journal_data_writeback /dev/sda6
tune2fs -o journal_data_writeback /dev/sda7

nano /etc/fstab
(each entry needs the device as its first field; the page left it out, so prepend the /dev/sdaN partition that is mounted at each cache directory)
/cache-1 ext4 noatime,barrier=0,nodiratime,relatime,errors=remount-ro,data=writeback 0 0
/cache-2 ext4 noatime,barrier=0,nodiratime,relatime,errors=remount-ro,data=writeback 0 0
/cache-3 ext4 noatime,barrier=0,nodiratime,relatime,errors=remount-ro,data=writeback 0 0

barrier=0 and data=writeback give up the write-ordering guarantees that keep the filesystem consistent after a crash or power loss. That is an acceptable trade only for these cache partitions, whose contents can be rebuilt with squid -z; never set them on the root or data filesystems. noatime already covers what relatime does, so listing both is harmless but redundant.

nano /etc/sysctl.conf
uncomment these lines (remove the leading #)
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.ip_forward=1

sysctl -w net.netfilter.nf_conntrack_udp_timeout=10

(sysctl -w changes the running kernel only; add the same key to /etc/sysctl.conf to keep it across reboots. A 10-second UDP conntrack timeout is fine for DNS but can drop late replies of slower UDP protocols.)
  257.  
apt-get -y install webmin squid squid-cgi squid-common squidclient calamaris

(webmin is not in Debian's own archive, so this line needs the Webmin repository added first or the package name dropped; the remaining packages install as written.)

chown -R proxy:proxy /cache-1
chown -R proxy:proxy /cache-2
chown -R proxy:proxy /cache-3

http://pastebin.com/vSnX8gQa

/etc/init.d/squid stop
squid -f /etc/squid/squid.conf -z && /etc/init.d/squid start
  268.  
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 3228 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 --dport 80 -j REDIRECT --to-ports 3228
iptables-save

Notes on these rules. The REDIRECT line on the original page was garbled (a stray -d with no address, and the -- option prefixes turned into dashes); the form above is the working one. The LAN here is 192.168.1.0/24 while the rest of the page uses 192.168.3.0/24; use whichever your clients are actually on. More importantly, with the INPUT policy left at ACCEPT the four ACCEPT rules restrict nothing: DNS and the proxy port stay reachable from every interface, which on a box with a public-facing side means an open resolver and an open proxy. Either set the INPUT policy to DROP after accepting loopback and ESTABLISHED,RELATED traffic, or end the chain with an explicit REJECT. Finally, iptables-save only prints the rules to stdout; redirect it to a file (for example /etc/iptables.rules) and restore that file at boot, otherwise the rules are gone after a reboot.
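As an added example that is not part of the original page, the script below expresses the same intent as the rules above (DNS and the proxy open to the LAN, web traffic transparently redirected) with a default-deny INPUT policy, so the ACCEPT rules actually limit exposure, and with the REDIRECT written correctly. The LAN, server address, proxy port and SSH port are parameters; the values in the test (192.168.3.0/24, 192.168.3.2, 3228) are assumptions taken from elsewhere on this page. Setting IPT=echo prints the rules instead of applying them, which is how the block can be reviewed or tested without root.

```shell
#!/bin/sh
# Added example, not from the original page: default-deny firewall for the
# DNS + transparent-proxy box. Set IPT=echo for a dry run; applying for real
# needs root. FORWARD is deliberately left alone because the page enables
# ip_forward; if this host routes for the LAN, add FORWARD rules separately.
set -eu
IPT=${IPT:-iptables}

# apply_firewall <lan-cidr> <server-ip> <proxy-port> [ssh-port]
apply_firewall() {
    lan=$1; me=$2; pport=$3; ssh=${4:-22}

    # Start from a clean slate in all three tables
    for t in filter nat mangle; do
        $IPT -t $t -F
        $IPT -t $t -X
    done

    # Default deny inbound; the box itself may initiate anything (BIND's
    # queries to the forwarders, the proxy's outbound fetches)
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, plus replies to connections we started
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Services offered to the LAN only: DNS (udp+tcp), local web, proxy port, SSH
    $IPT -A INPUT -s "$lan" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -s "$lan" -p tcp --dport 53 -j ACCEPT
    $IPT -A INPUT -s "$lan" -p tcp --dport 80 -j ACCEPT
    $IPT -A INPUT -s "$lan" -p tcp --dport "$pport" -j ACCEPT
    $IPT -A INPUT -s "$lan" -p tcp --dport "$ssh" -j ACCEPT

    # Transparent proxy: LAN web traffic goes to the local proxy port.
    # Traffic addressed to this server itself is excluded so its own web
    # service stays reachable directly and is not looped into the proxy.
    $IPT -t nat -A PREROUTING -s "$lan" ! -d "$me" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$pport"

    # Everything else inbound is logged (rate-limited) and dropped by policy
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

# rule_count <lan> <server-ip> <proxy-port> -> number of iptables calls a dry
# run emits; handy as a sanity check before applying on a remote box.
rule_count() {
    ( IPT=echo; apply_firewall "$@" ) | wc -l | tr -d ' '
}
```

After a dry run looks right, apply it as root, then persist with iptables-save > /etc/iptables.rules and an iptables-restore call from /etc/network/if-pre-up.d so the rules survive a reboot.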
  283.  
NOTE: for LUSCA
apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y && apt-get -y install squid squidclient squid-cgi gcc build-essential sharutils ccze libzip-dev automake1.9
cd /home
wget http://proxy-ku.googlecode.com/files/LUSCA_FMI.tar.gz && tar -xzvf LUSCA_FMI.tar.gz && cd LUSCA_FMI/ && make distclean
./configure --prefix=/usr --exec_prefix=/usr --bindir=/usr/sbin --sbindir=/usr/sbin --libexecdir=/usr/lib/squid --sysconfdir=/etc/squid --localstatedir=/var/spool/squid --datadir=/usr/share/squid --enable-http-gzip --enable-async-io=24 --with-aufs-threads=24 --with-pthreads --enable-storeio=aufs --enable-linux-netfilter --enable-arp-acl --enable-epoll --enable-removal-policies=heap --with-aio --with-dl --enable-snmp --enable-delay-pools --enable-htcp --enable-cache-digests --disable-unlinkd --enable-large-cache-files --with-large-files --enable-err-languages=English --enable-default-err-language=English --with-maxfd=65536
make
make install

(This builds, as root, a tarball fetched over plain HTTP from a third-party host with no checksum or signature to compare against, and installs it over the distribution's squid binaries in /usr/sbin. Treat it as untrusted code: record the SHA-256 of the file you actually downloaded, compare it with a value published by the author through a second channel if one exists, and keep a way back with apt-get install --reinstall squid.)

http://www.indowebster.com/download/files/squid_lusca_fmi

chmod +x /etc/init.d/squid && /etc/init.d/squid stop
chown proxy:proxy /cache && chmod 750 /cache
chown proxy:proxy /etc/squid/storeurl.pl && chmod 750 /etc/squid/storeurl.pl
/etc/init.d/squid stop
squid -f /etc/squid/squid.conf -z && /etc/init.d/squid restart

(The original used chmod 777 on both paths and was missing the && between chmod 777 /cache and the second chown, so that chown received the wrong arguments. Squid runs as user proxy, so proxy:proxy with mode 750 is sufficient; a world-writable cache directory and a world-writable helper script let any local user plant content or code that the proxy will serve or execute.)

apt-get install acpid