Lab: building a complete IPv6 network with: routers (Linux, Cisco); Ethernet links; DNS; DHCP; HTTP; transparent proxy; radvd; Samba; mail

From Romain RUDIGER's Wiki

Participants: Benoît FARRE, Romain RÜDIGER, Nicolas Turpault, Alexandre Germonneau, Julien Bonnec, Jonathan Pares, Mohamed Zeineddine, Sylvain David and Benjamin Poncelet.

Period: 12/08 (December 2008).

The network

This report presents every aspect of an IPv6 network that we designed.

You will first find a complete diagram of the network together with a description of it. Then comes a description of how each part of the network was built, with:

  • a description of what that part provides;
  • a description of how that part was set up:
    • script(s);
    • configuration file(s);
    • problems encountered, if any;
  • conclusion.

Network diagram

Network description

The network consists of two zones (zone 1: 192.168.11.0/24 and 2001:660:551:1::/64; zone 2: 192.168.22.0/24 and 2001:660:551:2::/64; the ::1 address of each IPv6 prefix is the zone's router). The machines of each zone are connected to a switch carrying two VLANs (one per zone).

The two zones are linked to each other by an Ethernet link between PC11 and PC12 that runs through two Cisco 2621 routers.

Both zones can browse the Internet (HTTP and HTTPS) through a transparent proxy installed on each zone's edge router (PC11 and PC12).

Both zones offer the basic services: DHCP, HTTP, Samba, mail, Jabber.

One could perfectly well imagine the two zones as two separate companies, with all the machines forming part of the public Internet. Public IP addresses would of course then have to be assigned to the zones.

Setup

Cisco 2621 router configuration

The Cisco routers run IPv4 only, because their IOS (12.2) is too old. An IPv6-in-IPv4 tunnel is therefore set up between the edge routers (PC11 and PC12); the Ciscos only forward the encapsulated IPv4 packets. As pasted below, both configurations still carry lab-grade credentials: a cleartext "enable password cisco" and a vty password "cisco" on both routers, "no service password-encryption" and "ip http server" on Zone1, and a type 7 (reversible) enable password on Zone2.

Cisco Zone1

version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Zone1
!
enable secret 5 $1$XShK$AAwtpZjbJEkh/w6Zqud9V.
enable password cisco
!
ip subnet-zero
!
interface FastEthernet0/0
 description Link to Zone1
 ip address 192.168.2.1 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Zone1 to Zone2
 ip address 10.0.0.2 255.255.255.252
 duplex auto
 speed auto
!
no ip classless
ip route 192.168.1.0 255.255.255.252 10.0.0.1
ip route 192.168.11.0 255.255.255.0 192.168.2.2
ip route 192.168.22.0 255.255.255.0 10.0.0.1
ip http server
ip pim bidir-enable
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password cisco
 login
!
end

Cisco Zone2

version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Zone2
!
enable password 7 14141B180F0B
!
ip subnet-zero
!
!
no ip domain-lookup
!
ip multicast auto-enable
!
!
!
interface FastEthernet0/0
 description Link to Zone2
 ip address 192.168.1.1 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Zone2 to Zone1
 ip address 10.0.0.1 255.255.255.252
 duplex auto
 speed auto
!
no ip classless
ip route 192.168.2.0 255.255.255.252 10.0.0.2
ip route 192.168.11.0 255.255.255.0 10.0.0.2
ip route 192.168.22.0 255.255.255.0 192.168.1.2
no ip http server
no ip pim bidir-enable
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password cisco
 login
!
end

Edge router configuration for zones 1 and 2 (Linux)

Zone1 router

Interfaces:

  • eth0: to the Polytech Internet proxy
inet 192.168.0.11/24
  • eth1: to Zone1
inet 192.168.11.254/24
  • eth2: to Cisco FastEthernet 0/0
inet 192.168.2.2/30
inet6 2001:660:551:1::1/64

The commands for the IPv4 configuration:

ip addr add 192.168.2.2/30 dev eth2
ip link set up eth2
ip ro add 192.168.2.0/30 dev eth2
ip ro add 192.168.1.0/30 via 192.168.2.1 dev eth2
ip ro add 192.168.22.0/24 via 192.168.2.1 dev eth2
ip addr add 192.168.11.254/24 dev eth1
ip link set up eth1
ip ro add 192.168.11.0/24 dev eth1

IPv6 tunnel

We create an IPv6-in-IPv4 tunnel. Despite its name, tun6to4 is a statically configured 6in4 tunnel (mode sit, IP protocol 41, fixed endpoints), not 6to4 with 2002::/16 addresses:

ip tunnel add tun6to4 mode sit ttl 100 remote 192.168.1.2 local 192.168.2.2
ip link set dev tun6to4 up
ip -6 a add 2001:660:551:91::1/64 dev tun6to4
ip route a 2001:660:551:2::/64 dev tun6to4

On the zone 2 side the tunnel has IPv4 address 192.168.1.2 and IPv6 address 2001:660:551:91::2 (this side is 192.168.2.2 and 2001:660:551:91::1). Nothing authenticates the tunnel: on reception the only check a sit tunnel with a fixed remote makes is that the outer IPv4 source matches that remote address.
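The tunnel above carries IPv6 packets inside IPv4 packets with protocol number 41. The following Python script is an added example, not part of the original report: it builds the outer packet that PC11 would send to PC12 for an IPv6 packet going from zone 1 to zone 2, using the endpoint addresses configured on this page, and a decapsulation function that applies the one admission check a sit tunnel with a fixed remote performs (outer source and destination must equal the tunnel's remote and local addresses). The inner IPv6 addresses and the 8-byte payload are constructed sample data; the IPv6 header has no extension headers, and the driver's other behaviour (PMTU handling, ICMP error relaying) is not modelled.

```python
"""6in4 encapsulation as performed by the tun6to4 (mode sit) tunnel above.

Added example, not part of the original report. Endpoint addresses are the
ones configured on this page (PC11 192.168.2.2, PC12 192.168.1.2); the inner
IPv6 addresses and the payload are constructed sample data.
"""
import ipaddress
import struct

IPPROTO_IPV6 = 41  # outer IPv4 protocol number for IPv6-in-IPv4 (RFC 4213)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 for a valid header)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6(src: str, dst: str, next_header: int, payload: bytes, hop_limit: int = 64) -> bytes:
    """Fixed 40-byte IPv6 header (no extension headers) followed by the payload."""
    head = struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
    return head + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def encapsulate_6in4(local: str, remote: str, inner: bytes, ttl: int = 100, ident: int = 0) -> bytes:
    """Wrap an IPv6 packet in an IPv4 header with protocol 41, as `mode sit` does.

    ttl=100 mirrors the `ttl 100` of the ip tunnel command above; DF is set.
    """
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), ident, 0x4000, ttl,
                       IPPROTO_IPV6, 0,
                       ipaddress.IPv4Address(local).packed,
                       ipaddress.IPv4Address(remote).packed)
    return head[:10] + struct.pack("!H", ipv4_checksum(head)) + head[12:] + inner


def decapsulate_6in4(packet: bytes, local: str, remote: str) -> bytes:
    """Return the inner IPv6 packet of a 6in4 packet addressed to this tunnel.

    Raises ValueError otherwise. The endpoint comparison is the only admission
    check a sit tunnel with a fixed `remote` makes: anyone who can send IPv4
    packets with a forged source of `remote` gets through it.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(packet):
        raise ValueError("not a well-formed IPv4 packet")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != IPPROTO_IPV6:
        raise ValueError("protocol %d is not 6in4" % proto)
    outer = (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)))
    if outer != (remote, local):
        raise ValueError("outer addresses %s do not match the tunnel endpoints" % (outer,))
    inner = packet[ihl:total_len]
    if not inner or inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    return inner


def accepted(packet: bytes, local: str, remote: str) -> bool:
    """True if decapsulate_6in4 accepts the packet for this tunnel."""
    try:
        decapsulate_6in4(packet, local, remote)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # PC11 (zone 1) -> PC12 (zone 2); next header 58 = ICMPv6, payload is dummy bytes
    inner = build_ipv6("2001:660:551:1::1", "2001:660:551:2::1", 58, bytes(8))
    wire = encapsulate_6in4("192.168.2.2", "192.168.1.2", inner)
    print("outer protocol %d, %d bytes on the wire" % (wire[9], len(wire)))
    print("accepted by PC12:", accepted(wire, local="192.168.1.2", remote="192.168.2.2"))
    # Same inner packet with a wrong outer source is refused; a forged
    # 192.168.2.2 source would be indistinguishable from the real one.
    print("from 10.9.9.9:", accepted(encapsulate_6in4("10.9.9.9", "192.168.1.2", inner),
                                     local="192.168.1.2", remote="192.168.2.2"))
```

Because the only check is the outer source address, any host on the IPv4 path between the two Cisco routers that can emit packets with source 192.168.2.2 can inject arbitrary IPv6 traffic into zone 2. At minimum, accept protocol 41 in the INPUT chain only from the expected peer address; if the tunnel has to be trusted, protect it with IPsec.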

Routes

IPv4 routes:

192.168.2.0/30 dev eth2  scope link
192.168.1.0/30 via 192.168.2.1 dev eth2
192.168.22.0/24 via 192.168.2.1 dev eth2
192.168.0.0/24 dev eth0  scope link
192.168.11.0/24 dev eth1  proto kernel  scope link  src 192.168.11.254
default via 192.168.0.253 dev eth0

IPv6 routes:

2001:660:551:1::/64 dev eth1  metric 256  expires 21334106sec mtu 1500 advmss 1440 hoplimit 4294967295
2001:660:551:2::/64 dev tun6to4  metric 1024  expires 21325815sec mtu 1480 advmss 1420 hoplimit 4294967295
2001:660:551:91::/64 via :: dev tun6to4  metric 256  expires 21325697sec mtu 1480 advmss 1420 hoplimit 4294967295
fe80::/64 dev eth2  metric 256  expires 21322611sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth1  metric 256  expires 21325564sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 via :: dev tun6to4  metric 256  expires 21325677sec mtu 1480 advmss 1420 hoplimit 4294967295
fe80::/64 dev eth0  metric 256  expires 21326298sec mtu 1500 advmss 1440 hoplimit 4294967295

Radvd

The radvd configuration file (AdvLinkMTU 1280 keeps the hosts' packets below the 1480-byte MTU of the sit tunnel, so nothing has to be fragmented on the way to zone 2):

  • /etc/radvd.conf
interface eth1
{
                AdvSendAdvert on;
                AdvLinkMTU 1280;
                MaxRtrAdvInterval 300;
                prefix 2001:660:551:1::/64
                {
                        AdvOnLink on;
                        AdvAutonomous on;
                        AdvRouterAddr on;
                };
};

Transparent proxy (HTTP/DNS)

Perl script by Rémi LEHN listening on TCP port 3130. No LocalAddr is given, so it binds every address: the REDIRECT rule below delivers intercepted connections to the router's own address on the zone interface, which means the port has to be kept unreachable from the other interfaces by the filter rules.

#!/usr/bin/perl
# Transparent HTTP proxy: receives the connections that iptables REDIRECTs
# to TCP port 3130, rebuilds an absolute URL from the Host header and
# forwards each request through the upstream (Polytech) proxy with LWP.
# Only plaintext HTTP can be handled: a TLS ClientHello redirected from
# port 443 is not an HTTP request and get_request() fails on it.
use strict;
use warnings;

use HTTP::Daemon;
use HTTP::Status;
use LWP::UserAgent;
use URI;

# One child per connection; let the kernel reap them (no zombies).
$SIG{CHLD} = 'IGNORE';

my $ua = LWP::UserAgent->new;
$ua->timeout(10);
# Upstream proxy, picked up by env_proxy.
$ENV{'http_proxy'} = 'http://172.19.1.12:3128/';
$ENV{'HTTP_PROXY'} = $ENV{'http_proxy'};
$ua->env_proxy;

# Binds every address: the REDIRECTed packets arrive for the router's own
# address on the zone interface, so a loopback-only bind would not work.
my $d = HTTP::Daemon->new(LocalPort => 3130, ReuseAddr => 1)
    or die "cannot listen on port 3130: $!";

print "Please contact me at: <URL:", $d->url, ">\n";

while (my $c = $d->accept) {
    my $pid = fork;
    if (!defined $pid) {
        # fork failed: the original code then served the client from the
        # parent and blocked the accept loop
        warn "fork failed: $!";
        $c->close;
        next;
    }
    if ($pid == 0) {
        while (my $req = $c->get_request) {
            # Intercepted requests carry a relative URI ("/path"); rebuild
            # the absolute URL from the Host header so LWP can send it.
            my $uri = URI->new($req->uri);
            unless (defined $uri->scheme) {
                my $host = $req->header('Host') || '';
                $req->uri('http://' . $host . $req->uri);
            }

            warn "--- Request: ---\n" . $req->as_string . "-----\n";

            my $res = $ua->request($req);

            warn "--- Response: --- " . $res->status_line . " ---\n\n";

            $c->send_response($res);
        }
        $c->close;
        exit(0);
    }
    # Parent: the child owns the connection now.
    $c->close;
    undef($c);
}

iptables rules. Three things to keep in mind when reading them: the OUTPUT rules only match packets generated by the router itself, so with FORWARD left at ACCEPT any traffic from the zones that is not caught by one of the MASQUERADE rules (only ports 53, 80, 443 and 3128) leaves eth0 with its private source address; the port 53 DNAT has no interface or destination match, so every DNS query crossing the router, including inter-zone queries and the forwarders configured between ns1.zone1.prive and ns1.zone2.prive further down, is rewritten to 172.19.0.4; and the redirect of port 443 to the Perl daemon cannot work, since the client starts a TLS handshake and the daemon only speaks plaintext HTTP.

# Generated by iptables-save v1.3.6 on Fri Dec 12 13:01:29 2008
*filter
:INPUT ACCEPT [24601:3758018]
:FORWARD ACCEPT [703:93642]
:OUTPUT ACCEPT [42842:18556631]
-A OUTPUT -s 192.168.11.0/255.255.255.0 -o eth0 -j DROP 
-A OUTPUT -s 192.168.22.0/255.255.255.0 -o eth0 -j DROP 
-A OUTPUT -s 192.168.1.0/255.255.255.252 -o eth0 -j DROP 
-A OUTPUT -s 192.168.2.0/255.255.255.252 -o eth0 -j DROP 
COMMIT
# Completed on Fri Dec 12 13:01:29 2008
# Generated by iptables-save v1.3.6 on Fri Dec 12 13:01:29 2008
*nat
:PREROUTING ACCEPT [290:40184]
:POSTROUTING ACCEPT [176:12497]
:OUTPUT ACCEPT [308:20117]
-A PREROUTING -p tcp -m tcp --dport 53 -m comment --comment "DNAT dns vers dns.polytech.univ-nantes.prive" -j DNAT --to-destination 172.19.0.4:53 
-A PREROUTING -p udp -m udp --dport 53 -m comment --comment "DNAT dns vers dns.polytech.univ-nantes.prive" -j DNAT --to-destination 172.19.0.4:53 
-A PREROUTING -p tcp -m multiport --dports 80,443 -m comment --comment "DNAT http/https vers proxy local (port tcp 3130)" -j REDIRECT --to-ports 3130 
-A POSTROUTING -o eth0 -p udp -m udp --dport 53 -j MASQUERADE 
-A POSTROUTING -o eth0 -p tcp -m tcp --dport 53 -j MASQUERADE 
-A POSTROUTING -o eth0 -p tcp -m tcp --dport 80 -j MASQUERADE 
-A POSTROUTING -o eth0 -p tcp -m tcp --dport 443 -j MASQUERADE 
-A POSTROUTING -o eth0 -p tcp -m tcp --dport 3128 -j MASQUERADE 
COMMIT

Zone2 router

Interfaces:

  • eth0: to Cisco FastEthernet 0/0
inet 192.168.1.2/30
  • eth1: to the Polytech Internet proxy
inet 192.168.0.116/24
  • eth2: to Zone2
inet 192.168.22.254/24 scope global eth2
inet6 2001:660:551:2::1/64 scope global

IPv6 tunnel

We create the IPv6-in-IPv4 tunnel, the mirror image of the one on the Zone1 router:

ip tunnel add tun6to4 mode sit ttl 100 remote 192.168.2.2 local 192.168.1.2
ip link set dev tun6to4 up
ip -6 a add 2001:660:551:91::2/64 dev tun6to4
ip route a 2001:660:551:1::/64 dev tun6to4

On the zone 2 side the tunnel has IPv4 address 192.168.1.2 and IPv6 address 2001:660:551:91::2.

Routes

IPv4 routes:

192.168.2.0/30 via 192.168.1.1 dev eth0
192.168.11.0/24 via 192.168.1.1 dev eth0
192.168.1.0/30 dev eth0  proto kernel  scope link  src 192.168.1.2
192.168.0.0/24 dev eth1  scope link
192.168.22.0/24 dev eth2  proto kernel  scope link  src 192.168.22.254
default via 192.168.0.253 dev eth1

IPv6 routes:

2001:660:551:1::/64 dev tun6to4  metric 1024  expires 21326138sec mtu 1480 advmss 1420 hoplimit 4294967295
2001:660:551:2::/64 dev eth2  metric 1024  expires 21326148sec mtu 1500 advmss 1440 hoplimit 4294967295
2001:660:551:91::/64 via :: dev tun6to4  metric 256  expires 21325960sec mtu 1480 advmss 1420 hoplimit 4294967295
fe80::/64 dev eth0  metric 256  expires 21324847sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth2  metric 256  expires 21325942sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 via :: dev tun6to4  metric 256  expires 21325960sec mtu 1480 advmss 1420 hoplimit 4294967295
fe80::/64 dev eth1  metric 256  expires 21326504sec mtu 1500 advmss 1440 hoplimit 4294967295

Radvd

Version: 1.1-1. The configuration:

interface eth2
{
   AdvSendAdvert on;
   prefix 2001:660:551:2::/64
   {
	   AdvOnLink on; 
	   AdvAutonomous on; 
	   AdvRouterAddr on; 
   };
};

Transparent proxy (HTTP/DNS)

See the Perl script of the Zone1 router. The iptables rules are the same as on Zone1, with eth1 as the uplink interface here:

# Generated by iptables-save v1.3.6 on Fri Dec 12 13:01:29 2008
*filter
:INPUT ACCEPT [24601:3758018]
:FORWARD ACCEPT [703:93642]
:OUTPUT ACCEPT [42842:18556631]
-A OUTPUT -s 192.168.11.0/255.255.255.0 -o eth1 -j DROP 
-A OUTPUT -s 192.168.22.0/255.255.255.0 -o eth1 -j DROP 
-A OUTPUT -s 192.168.1.0/255.255.255.252 -o eth1 -j DROP 
-A OUTPUT -s 192.168.2.0/255.255.255.252 -o eth1 -j DROP 
COMMIT
# Completed on Fri Dec 12 13:01:29 2008
# Generated by iptables-save v1.3.6 on Fri Dec 12 13:01:29 2008
*nat
:PREROUTING ACCEPT [290:40184]
:POSTROUTING ACCEPT [176:12497]
:OUTPUT ACCEPT [308:20117]
-A PREROUTING -p tcp -m tcp --dport 53 -m comment --comment "DNAT dns vers dns.polytech.univ-nantes.prive" -j DNAT --to-destination 172.19.0.4:53 
-A PREROUTING -p udp -m udp --dport 53 -m comment --comment "DNAT dns vers dns.polytech.univ-nantes.prive" -j DNAT --to-destination 172.19.0.4:53 
-A PREROUTING -p tcp -m multiport --dports 80,443 -m comment --comment "DNAT http/https vers proxy local (port tcp 3130)" -j REDIRECT --to-ports 3130 
-A POSTROUTING -o eth1 -p udp -m udp --dport 53 -j MASQUERADE 
-A POSTROUTING -o eth1 -p tcp -m tcp --dport 53 -j MASQUERADE 
-A POSTROUTING -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE 
-A POSTROUTING -o eth1 -p tcp -m tcp --dport 443 -j MASQUERADE 
-A POSTROUTING -o eth1 -p tcp -m tcp --dport 3128 -j MASQUERADE 
COMMIT
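Rather than checking the two rule sets above by eye, here is an added Python example (not from the original report) that parses the zone 1 iptables-save dump exactly as shown, flags nat PREROUTING DNAT/REDIRECT rules that carry no -i, -s or -d scoping, and reports a FORWARD chain left at ACCEPT while MASQUERADE covers only specific ports. The zone 2 dump differs only in using eth1 as the uplink and yields the same findings. The parser handles the iptables-save syntax used on this page; ONE_ARG is an assumption listing the options that take a value in these dumps and would need extending for other matches.

```python
"""Audit an iptables-save dump for unscoped interception rules.

Added example, not part of the original report. ZONE1_RULES is the zone 1
dump from this page, copied verbatim. ONE_ARG is an assumption: the options
that take a value in these dumps.
"""
import shlex

ZONE1_RULES = """\
*filter
:INPUT ACCEPT [24601:3758018]
:FORWARD ACCEPT [703:93642]
:OUTPUT ACCEPT [42842:18556631]
-A OUTPUT -s 192.168.11.0/255.255.255.0 -o eth0 -j DROP
-A OUTPUT -s 192.168.22.0/255.255.255.0 -o eth0 -j DROP
-A OUTPUT -s 192.168.1.0/255.255.255.252 -o eth0 -j DROP
-A OUTPUT -s 192.168.2.0/255.255.255.252 -o eth0 -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [290:40184]
:POSTROUTING ACCEPT [176:12497]
:OUTPUT ACCEPT [308:20117]
-A PREROUTING -p tcp -m tcp --dport 53 -m comment --comment "DNAT dns vers dns.polytech.univ-nantes.prive" -j DNAT --to-destination 172.19.0.4:53
-A PREROUTING -p udp -m udp --dport 53 -m comment --comment "DNAT dns vers dns.polytech.univ-nantes.prive" -j DNAT --to-destination 172.19.0.4:53
-A PREROUTING -p tcp -m multiport --dports 80,443 -m comment --comment "DNAT http/https vers proxy local (port tcp 3130)" -j REDIRECT --to-ports 3130
-A POSTROUTING -o eth0 -p udp -m udp --dport 53 -j MASQUERADE
-A POSTROUTING -o eth0 -p tcp -m tcp --dport 53 -j MASQUERADE
-A POSTROUTING -o eth0 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -o eth0 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -o eth0 -p tcp -m tcp --dport 3128 -j MASQUERADE
COMMIT
"""

ONE_ARG = {"-A", "-p", "-m", "-i", "-o", "-s", "-d", "-j", "--dport", "--dports",
           "--s-port", "--sport", "--comment", "--to-destination", "--to-ports", "--state"}
SCOPE = {"-i", "-s", "-d"}  # any of these limits where a PREROUTING rewrite applies


def parse_save(text):
    """Return {table: {"policy": {chain: policy}, "rules": [{option: value}]}}.

    A negated option is stored with a "!" prefix, e.g. {"!-d": "192.168.0.0/16"}.
    """
    tables, table = {}, None
    for line in (row.strip() for row in text.splitlines()):
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
        elif line.startswith("-A"):
            toks, opts, i = shlex.split(line), {}, 0
            while i < len(toks):
                key = toks[i]
                if key == "!":              # "! -d x" is stored under key "!-d"
                    key, i = "!" + toks[i + 1], i + 1
                if key.lstrip("!") in ONE_ARG:
                    opts[key], i = toks[i + 1], i + 2
                else:
                    opts[key], i = True, i + 1
            table["rules"].append(opts)
    return tables


def audit(text):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    tables = parse_save(text)
    nat = tables.get("nat", {"policy": {}, "rules": []})
    filt = tables.get("filter", {"policy": {}, "rules": []})
    findings = []
    for rule in nat["rules"]:
        if rule.get("-A") != "PREROUTING" or rule.get("-j") not in ("DNAT", "REDIRECT"):
            continue
        if not any(key.lstrip("!") in SCOPE for key in rule):
            ports = rule.get("--dport") or rule.get("--dports") or "any"
            findings.append("PREROUTING %s of %s/%s applies to every interface, source and "
                            "destination (scope it with -i, -s or ! -d)"
                            % (rule["-j"], rule.get("-p", "any"), ports))
    masq = sorted({"%s/%s" % (r.get("-p"), r.get("--dport")) for r in nat["rules"]
                   if r.get("-j") == "MASQUERADE" and "--dport" in r})
    if filt["policy"].get("FORWARD") == "ACCEPT" and masq:
        findings.append("FORWARD policy is ACCEPT but MASQUERADE only covers %s: other forwarded "
                        "traffic leaves the uplink with its private source address" % ", ".join(masq))
    return findings


if __name__ == "__main__":
    for finding in audit(ZONE1_RULES):
        print("-", finding)
```

Run against the dump above it reports the three unscoped PREROUTING rewrites and the FORWARD/MASQUERADE mismatch; adding `-i eth1 ! -d 192.168.0.0/16` to a PREROUTING rule makes that finding disappear.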

iptables/netfilter security

Here are a few iptables rules providing "basic" security on the Zone1 router (eth1 is the zone, eth2 the link to the Cisco, eth0 the Polytech uplink). The script:

#!/bin/sh
# Security configuration script for the Zone1 edge router

IPTABLES=iptables
# "World" interface: the link to the Cisco router and, beyond it, zone 2
EXT=eth2
# Local interface: the zone 1 LAN
LOCAL=eth1
LOCAL_IP=192.168.11.0/24
# Polytech interface (upstream proxy and DNS)
INTERNET=eth0

# Start from empty filter and nat tables so the script can be re-run
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F

# Default policy: DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# ICMP: rate-limit forwarded echo requests, accept the rest
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type echo-reply -j ACCEPT
$IPTABLES -A OUTPUT -p icmp -j ACCEPT
$IPTABLES -A INPUT -p icmp -j ACCEPT

# The original rules used "--state ! INVALID" (iptables 1.3.x negation syntax);
# NEW,ESTABLISHED,RELATED is the same set of states and works on every version.
OK="-m state --state NEW,ESTABLISHED,RELATED"

# Accept requests from World to Local only for these destination ports
$IPTABLES -A FORWARD -p tcp -i $EXT -o $LOCAL -d $LOCAL_IP --dport 53 $OK -j ACCEPT   # DNS over TCP
$IPTABLES -A FORWARD -p udp -i $EXT -o $LOCAL -d $LOCAL_IP --dport 53 $OK -j ACCEPT   # DNS over UDP (added: the original only allowed TCP, but queries use UDP)
$IPTABLES -A FORWARD -p tcp -i $EXT -o $LOCAL -d $LOCAL_IP -m multiport --destination-ports 25,993,143 $OK -j ACCEPT  # Mail (SMTP, IMAPS, IMAP)
$IPTABLES -A FORWARD -p tcp -i $EXT -o $LOCAL -d $LOCAL_IP --dport 80 $OK -j ACCEPT   # HTTP
$IPTABLES -A FORWARD -p tcp -i $EXT -o $LOCAL -d $LOCAL_IP --dport 139 $OK -j ACCEPT  # Samba
#$IPTABLES -A FORWARD -p udp -i $EXT -o $LOCAL -d $LOCAL_IP -m multiport --destination-ports 67,68 -j ACCEPT  # DHCP (kept disabled: it is UDP, and link-local anyway)
$IPTABLES -A FORWARD -p tcp -i $EXT -o $LOCAL -d $LOCAL_IP --dport 5222 $OK -j ACCEPT # Jabber
$IPTABLES -A FORWARD -p tcp -i $EXT -o $LOCAL -d $LOCAL_IP --dport 22 $OK -j ACCEPT   # SSH

# Accept requests from Local to World (the original called these "replies";
# replies are matched by the ESTABLISHED,RELATED rules further down)
$IPTABLES -A FORWARD -p tcp -i $LOCAL -o $EXT -s $LOCAL_IP --dport 53 $OK -j ACCEPT   # DNS over TCP
$IPTABLES -A FORWARD -p udp -i $LOCAL -o $EXT -s $LOCAL_IP --dport 53 $OK -j ACCEPT   # DNS over UDP (added)
$IPTABLES -A FORWARD -p tcp -i $LOCAL -o $EXT -s $LOCAL_IP -m multiport --destination-ports 25,993,143 $OK -j ACCEPT  # Mail
$IPTABLES -A FORWARD -p tcp -i $LOCAL -o $EXT -s $LOCAL_IP --dport 80 $OK -j ACCEPT   # HTTP
$IPTABLES -A FORWARD -p tcp -i $LOCAL -o $EXT -s $LOCAL_IP --dport 139 $OK -j ACCEPT  # Samba
$IPTABLES -A FORWARD -p tcp -i $LOCAL -o $EXT -s $LOCAL_IP --dport 5222 $OK -j ACCEPT # Jabber
$IPTABLES -A FORWARD -p tcp -i $LOCAL -o $EXT -s $LOCAL_IP -m multiport --destination-ports 20,21 $OK -j ACCEPT  # FTP
$IPTABLES -A FORWARD -p tcp -i $LOCAL -o $EXT -s $LOCAL_IP --dport 22 $OK -j ACCEPT   # SSH

# Replies to the connections accepted above
$IPTABLES -A FORWARD -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p udp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

# INPUT rules: SSH to this router only from the Zone2 edge router (PC12)
$IPTABLES -A INPUT -p tcp -i $EXT -s 192.168.1.2 --dport 22 $OK -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT  # replies to our outbound SSH

# OUTPUT rules
$IPTABLES -A OUTPUT -p tcp -o $EXT -d 192.168.1.2 --sport 22 $OK -j ACCEPT            # replies to PC12's SSH sessions
$IPTABLES -A OUTPUT -p tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT  # outbound SSH

# Added: the original script had no rules for the 6in4 tunnel, the transparent
# proxy or the DNS interception, so with DROP policies all three stopped working.
$IPTABLES -A INPUT -p 41 -i $EXT -s 192.168.1.2 -j ACCEPT                            # tun6to4: protocol 41 from PC12 only
$IPTABLES -A OUTPUT -p 41 -o $EXT -d 192.168.1.2 -j ACCEPT
$IPTABLES -A INPUT -p tcp -i $LOCAL -s $LOCAL_IP --dport 3130 $OK -j ACCEPT           # REDIRECTed HTTP reaches the local proxy
$IPTABLES -A OUTPUT -o $LOCAL -d $LOCAL_IP -m state --state ESTABLISHED,RELATED -j ACCEPT  # proxy answers to zone clients
$IPTABLES -A FORWARD -i $LOCAL -o $INTERNET -s $LOCAL_IP -p udp --dport 53 -j ACCEPT  # DNAT'ed DNS queries
$IPTABLES -A FORWARD -i $LOCAL -o $INTERNET -s $LOCAL_IP -p tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -i $INTERNET -o $LOCAL -d $LOCAL_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

# =================================================
#  blocking Agobot W32
# =================================================
# Ports the worm uses. FORWARD hits are logged; uncomment the INPUT/OUTPUT LOG
# lines to log those too. The Samba ACCEPT rules above come first in FORWARD,
# so port 139 towards $LOCAL_IP stays reachable there.
for port in 135 139 445 1025 2745 3127 6129; do
    #$IPTABLES -t filter -A INPUT -p tcp --dport $port -j LOG --log-level alert --log-prefix firewall_anobot_w32
    $IPTABLES -t filter -A INPUT -p tcp --dport $port -j DROP
    #$IPTABLES -t filter -A OUTPUT -p tcp --dport $port -j LOG --log-level alert --log-prefix firewall_anobot_w32
    $IPTABLES -t filter -A OUTPUT -p tcp --dport $port -j DROP
    $IPTABLES -t filter -A FORWARD -p tcp --dport $port -j LOG --log-level alert --log-prefix firewall_anobot_w32
    $IPTABLES -t filter -A FORWARD -p tcp --dport $port -j DROP
done

# Internet Stuff: the router's own traffic towards the Polytech side, plus the
# nat rules of the transparent proxy. The port 443 REDIRECT delivers TLS
# handshakes to a plaintext HTTP daemon, which cannot serve them, and the
# port 53 DNAT has no -i/-d scoping, so every DNS query crossing this router
# (inter-zone queries included) is sent to 172.19.0.4.
$IPTABLES -t filter -A OUTPUT -s 192.168.0.0/255.255.255.0 -o $INTERNET -j ACCEPT
$IPTABLES -t filter -A INPUT -d 192.168.0.11 -i $INTERNET -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp --dport 53 -m comment --comment "DNAT dns vers dns.polytech.univ-nantes.prive" -j DNAT --to-destination 172.19.0.4:53
$IPTABLES -t nat -A PREROUTING -p udp -m udp --dport 53 -m comment --comment "DNAT dns vers dns.polytech.univ-nantes.prive" -j DNAT --to-destination 172.19.0.4:53
$IPTABLES -t nat -A PREROUTING -p tcp -m multiport --dports 80,443 -m comment --comment "DNAT http/https vers proxy local (port tcp 3130)" -j REDIRECT --to-ports 3130
$IPTABLES -t nat -A POSTROUTING -o $INTERNET -p udp -m udp --dport 53 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $INTERNET -p tcp -m tcp --dport 53 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $INTERNET -p tcp -m tcp --dport 80 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $INTERNET -p tcp -m tcp --dport 443 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $INTERNET -p tcp -m tcp --dport 3128 -j MASQUERADE

Service configuration

DNS

Zone1

named.conf

include "/etc/bind/named.conf.options";

// prime the server with knowledge of the root servers
zone "." {
	type hint;
	file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
	type master;
	file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
	type master;
	file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
	type master;
	file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
	type master;
	file "/etc/bind/db.255";
};

zone "zone1.prive" {
	type master;
	notify yes;
	file "/etc/bind/db.zone1.prive";
	forwarders{};
};

zone "11.168.192.in-addr.arpa" {
	type master;
	file "/etc/bind/db.zone1.prive.inv";
	forwarders{};
};

named.conf.options

options {
	directory "/var/cache/bind";
forwarders {
	192.168.22.1;
	172.19.0.4;
};
	auth-nxdomain no;    # conform to RFC1035
	listen-on-v6 { any; };
};

db.zone1.prive

$TTL    604800
@ IN SOA ns1.zone1.prive. root.zone1.prive.  (
   200811082  ; Serial  -> serial number, to be incremented on every change
              ;            to this file. Slave servers use it to tell
              ;            whether they must refresh their copy. By
              ;            convention it is a date written backwards.
   604800     ; Refresh -> once this delay (in seconds) has elapsed the
              ;            slave contacts the master; if it cannot reach
              ;            it, it retries after the Retry delay, and once
              ;            the Expire delay has passed it considers the
              ;            zone unavailable.
   86400      ; Retry
   2419200    ; Expire
   604800 )   ; Minimum -> minimum cache lifetime in seconds (the
              ;            negative-cache TTL in BIND 9)

;** For the master
	NS	ns1.zone1.prive.		;name server
;**	NS	ns2.zone1.prive.		;slave name server
ns1	A	192.168.11.3                ;master name server
ns1	HINFO	"DNS master" "test ns1" ;info

;** The following lines map names to IP addresses
mail         A       192.168.11.5
routeur         A       192.168.11.254
www             A       192.168.11.8
www	AAAA	 2001:660:551:1:21b:21ff:fe0a:751a
@	MX	20 mail.zone1.prive.	;owner given explicitly: a record line starting with blank inherits the previous owner (here www)

db.zone1.prive.inv

$TTL    604800
@       IN      SOA     ns1.zone1.prive. root.zone1.prive.  (
	20081008
	604800
	86400
	2419200
	604800 )

	NS      ns1.zone1.prive.
;**	NS      ns2.zone1.prive.

254	PTR     routeur.zone1.prive.
3	PTR	ns1.zone1.prive.
;**5	PTR	ns2.zone1.prive.
8	PTR	www.zone1.prive.

Zone2

named.conf

include "/etc/bind/named.conf.options";
 
zone "zone2.prive" {
type master;
notify yes;
file "/etc/bind/db.zone2.prive";
	forwarders{};
};
				 
 zone "22.168.192.in-addr.arpa" {
       type master;
       notify yes;
       file "/etc/bind/db.zone2.prive.inv";
       forwarders{};
 };

named.conf.options

options{
   # allow-transfer { 192.168.22.2; };
   forwarders
   {
	192.168.11.3;
   };
   listen-on-v6 { any; };
};


db.zone2.prive

$TTL	604800
@	IN	SOA	ns1.zone2.prive. ns2.zone2.prive. (
		6		; Serial
		604800		; Refresh
		86400		; Retry
		2419200		; Expire
		604800 )	; Negative Cache TTL
;
 
	NS	ns1.zone2.prive.
	NS	ns2.zone2.prive.
 
ns1	A	192.168.22.1                  
ns1	HINFO	"NS ZONE2" "Debian Testing"  ;additional info
 
 
web	A	192.168.22.8
dhcp	A	192.168.22.6
mail	A	192.168.22.4
ns2	A	192.168.22.2
jabber	A	192.168.22.14
mailv6	AAAA	2001:660:551:2:21a:a0ff:fed9:d040
@	MX	20 mail.zone2.prive.	;owner given explicitly, otherwise the MX would belong to mailv6 (previous owner)

db.zone2.prive.inv

$TTL    604800
@ 	IN      SOA     ns1.zone2.prive. ns2.zone2.prive.  (
		20041122        
		604800        
		86400        
		2419200        
		604800 )      
 
	NS	ns1.zone2.prive.  
1	PTR	ns1.zone2.prive.
2	PTR     ns2.zone2.prive.
8	PTR	web.zone2.prive.
4	PTR	mail.zone2.prive.
6	PTR	dhcp.zone2.prive.
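Forward and reverse zones drift apart easily when kept by hand, as the files above show: zone 1 has an A record for mail with no PTR, and zone 2 has none for jabber. The following Python script is an added example, not part of the original report. It parses the db.zone1.prive and db.zone1.prive.inv files shown above (copied inline, comments trimmed, the MX owner written out as @) and reports A records without a matching PTR and PTRs without a matching A record. The parser covers only the master-file subset these files use ($TTL, a parenthesised SOA, ";" comments, optional class and TTL fields, and owner inheritance for lines that begin with whitespace, per RFC 1035 section 5.1) and handles IPv4 reverse zones only; the same function runs unchanged on the zone 2 files.

```python
"""Cross-check a forward zone's A records against its reverse (PTR) zone.

Added example, not part of the original lab report. FORWARD_ZONE1 and
REVERSE_ZONE1 are the zone 1 files from this page, copied inline.
"""
import ipaddress

FORWARD_ZONE1 = """\
$TTL    604800
@ IN SOA ns1.zone1.prive. root.zone1.prive.  (
   200811082  ; Serial
   604800     ; Refresh
   86400      ; Retry
   2419200    ; Expire
   604800 )   ; Minimum
\tNS\tns1.zone1.prive.
ns1\tA\t192.168.11.3
ns1\tHINFO\t"DNS master" "test ns1"
mail         A       192.168.11.5
routeur         A       192.168.11.254
www             A       192.168.11.8
www\tAAAA\t 2001:660:551:1:21b:21ff:fe0a:751a
@\tMX\t20 mail.zone1.prive.
"""

REVERSE_ZONE1 = """\
$TTL    604800
@       IN      SOA     ns1.zone1.prive. root.zone1.prive.  (
\t20081008
\t604800
\t86400
\t2419200
\t604800 )
\tNS      ns1.zone1.prive.
254\tPTR     routeur.zone1.prive.
3\tPTR\tns1.zone1.prive.
8\tPTR\twww.zone1.prive.
"""

RRTYPES = {"SOA", "NS", "A", "AAAA", "PTR", "MX", "HINFO", "CNAME", "TXT"}


def parse_zone(text, origin):
    """Return [(owner_fqdn, rrtype, rdata)] for one master-file fragment."""
    records, last_owner, depth = [], origin, 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()       # drop comments
        if depth:                                   # inside "( ... )", e.g. the SOA
            depth += line.count("(") - line.count(")")
            continue
        if not line.strip() or line.startswith("$"):
            continue
        fields = line.split()
        if raw[0] in " \t":                         # blank owner: inherit the previous one
            owner = last_owner
        else:
            owner = fields.pop(0)
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):
                owner = "%s.%s" % (owner, origin)
            last_owner = owner
        while fields and fields[0] not in RRTYPES:  # skip class and TTL tokens
            fields.pop(0)
        if not fields:
            continue
        rrtype, rdata = fields[0], " ".join(fields[1:])
        depth += rdata.count("(") - rdata.count(")")
        records.append((owner, rrtype, rdata))
    return records


def ptr_owner(ip):
    """Owner name of the PTR record for an IPv4 address, e.g. 5.11.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def check_consistency(fwd_text, fwd_origin, rev_text, rev_origin):
    """Return [(name, address, problem)]; an empty list means the zones agree."""
    a_records = {(o, r) for o, t, r in parse_zone(fwd_text, fwd_origin) if t == "A"}
    ptrs = {o: r for o, t, r in parse_zone(rev_text, rev_origin) if t == "PTR"}
    findings = []
    for name, ip in sorted(a_records):
        target = ptrs.get(ptr_owner(ip))
        if target is None:
            findings.append((name, ip, "no PTR record"))
        elif target != name:
            findings.append((name, ip, "PTR points to %s" % target))
    suffix = ".in-addr.arpa."
    for owner, target in sorted(ptrs.items()):
        if not owner.endswith(suffix):              # IPv4 reverse zones only
            continue
        ip = ".".join(reversed(owner[: -len(suffix)].split(".")))
        if (target, ip) not in a_records:
            findings.append((target, ip, "PTR without matching A record"))
    return findings


if __name__ == "__main__":
    for finding in check_consistency(FORWARD_ZONE1, "zone1.prive.",
                                     REVERSE_ZONE1, "11.168.192.in-addr.arpa."):
        print("%-22s %-16s %s" % finding)
```

On the zone 1 files it reports exactly one problem, mail.zone1.prive. (192.168.11.5) with no PTR; parse_zone also shows why the owner of the MX line matters: with a leading tab the record would have been attached to www.zone1.prive. rather than the apex.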

DHCP

Zone1

ip addr add 192.168.11.3/24 dev eth0
ip route add default via 192.168.11.254 dev eth0

resolv.conf

search zone1.prive
nameserver 192.168.11.3

dhcpd.conf

authoritative;

 option domain-name "zone1.prive";
 option domain-name-servers 192.168.11.3;
 option routers 192.168.11.254;

  default-lease-time 600;
  max-lease-time 7200;
  subnet 192.168.11.0 netmask 255.255.255.0 {
        range 192.168.11.100 192.168.11.150;
}

Zone2

ip addr add 192.168.22.6/24 dev eth0
ip route add default via 192.168.22.254 dev eth0

resolv.conf

search zone2.prive
nameserver 192.168.22.1

dhcpd.conf

authoritative;

 option domain-name "zone2.prive";
 option domain-name-servers 192.168.22.1, 192.168.22.2;
 option routers 192.168.22.254;

  default-lease-time 600;
  max-lease-time 7200;
  subnet 192.168.22.0 netmask 255.255.255.0 {
        range 192.168.22.100 192.168.22.150;
}

host ns1.zone2.prive  {
hardware ethernet 00:1a:a0:d9:d4:97;
fixed-address 192.168.22.1;
}

host web.zone2.prive  {
hardware ethernet 00:1a:a0:d9:d0:46;
fixed-address 192.168.22.8;
}

host ns2.zone2.prive  {
hardware ethernet 00:1a:a0:da:54:8e;
fixed-address 192.168.22.2;
}

host mail.zone2.prive {
hardware ethernet 00:1a:a0:d9:d0:40;
fixed-address 192.168.22.4;
}
host jabber.zone2.prive {
hardware ethernet 00:1a:a0:d9:d0:97;
fixed-address 192.168.22.14;
}

MAIL

We used Postfix (SMTP) and Courier-IMAP (IMAP). Neither TLS nor SASL authentication is enabled in the configurations below: relaying is controlled by mynetworks alone, and IMAP logins travel in the clear on port 143.

IPv6 mail configuration

Postfix configuration, /etc/postfix/main.cf

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no

smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=no
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache


myhostname = PC4
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = PC4
relayhost =
mynetworks = [2001:660:551:1::]/64 [::1]/128
inet_interfaces = [2001:660:551:1:21a:a0ff:fed9:d040] [::1]
mailbox_size_limit = 0
recipient_delimiter = +
inet_protocols = ipv6
smtp_bind_address6 = 2001:660:551:1:21a:a0ff:fed9:d040
home_mailbox=Maildir/

Courier IMAP configuration, /etc/courier/imapd

##VERSION: $Id: imapd.dist.in,v 1.38 2006/02/24 02:15:07 mrsam Exp $
#
# imapd created from imapd.dist by sysconftool
#
# Do not alter lines that begin with ##, they are used when upgrading
# this configuration.
#
#  Copyright 1998 - 2006 Double Precision, Inc.  See COPYING for
#  distribution information.
#
#  This configuration file sets various options for the Courier-IMAP server
#  when used with the couriertcpd server.
#  A lot of the stuff here is documented in the manual page for couriertcpd.
#
#  NOTE - do not use \ to split long variable contents on multiple lines.
#  This will break the default imapd.rc script, which parses this file.
#
##NAME: ADDRESS:0
#
#  Address to listen on, can be set to a single IP address.
#
# ADDRESS=127.0.0.1

ADDRESS=0

##NAME: PORT:1
#
#  Port numbers that connections are accepted on.  The default is 143,
#  the standard IMAP port.
#
#  Multiple port numbers can be separated by commas.  When multiple port
#  numbers are used it is possible to select a specific IP address for a
#  given port as "ip.port".  For example, "127.0.0.1.900,192.68.0.1.900"
#  accepts connections on port 900 on IP addresses 127.0.0.1 and 192.68.0.1
#  The previous ADDRESS setting is a default for ports that do not have
#  a specified IP address.

PORT=143

##NAME: AUTHSERVICE:0
#
#  It's possible to authenticate using a different 'service' parameter
#  depending on the connection's port.  This only works with authentication
#  modules that use the 'service' parameter, such as PAM.  Example:
#
#  AUTHSERVICE143=imap
#  AUTHSERVICE993=imaps

##NAME: MAXDAEMONS:0
#
#  Maximum number of IMAP servers started
#

MAXDAEMONS=40

##NAME: MAXPERIP:0
#
#  Maximum number of connections to accept from the same IP address

MAXPERIP=20

##NAME: PIDFILE:0
#
#  File where couriertcpd will save its process ID
#

PIDFILE=/var/run/courier/imapd.pid

##NAME: TCPDOPTS:0
#
# Miscellaneous couriertcpd options that shouldn't be changed.
#

TCPDOPTS="-nodnslookup -noidentlookup"

##NAME: LOGGEROPTS:0
#
# courierlogger(1) options.                                        
#

LOGGEROPTS="-name=imapd"

##NAME: DEFDOMAIN:0
#
# Optional default domain. If the username does not contain the         
# first character of DEFDOMAIN, then it is appended to the username.
# If DEFDOMAIN and DOMAINSEP are both set, then DEFDOMAIN is appended
# only if the username does not contain any character from DOMAINSEP.
# You can set different default domains based on the the interface IP
# address using the -access and -accesslocal options of couriertcpd(1).

#DEFDOMAIN="@example.com"

##NAME: IMAP_CAPABILITY:1
#
# IMAP_CAPABILITY specifies what most of the response should be to the
# CAPABILITY command.
#
# If you have properly configured Courier to use CRAM-MD5, CRAM-SHA1, or
# CRAM-SHA256 authentication (see INSTALL), set IMAP_CAPABILITY as follows:
#
# IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 AUTH=CRAM-SHA256 IDLE"
#

IPv4 mail configuration

Postfix configuration, /etc/postfix/main.cf

myhostname = mail.zone1.prive
inet_protocols = all
mail_spool_directory = /var/mail
inet_interfaces = 192.168.11.5 127.0.0.1 ::1
mydestination = $myhostname, localhost.$mydomain
mynetworks = 192.168.11.0/24
disable_dns_lookups = no
smtp_sasl_auth_enable = no
smtpd_sasl_auth_enable = no
smtpd_use_tls = no
smtp_use_tls = no

Courier IMAP configuration, /etc/courier/imapd: identical to the file shown for the IPv6 configuration above (ADDRESS=0, PORT=143).

Samba Zone1

#======================= Global Settings =======================

[global]

#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 1000

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
   syslog = 0

# Do something sensible when Samba crashes: mail the admin a backtrace
   panic action = /usr/share/samba/panic-action %d


####### Authentication #######

# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
# in the samba-doc package for details.
   security = user

# You may wish to use password encryption.  See the section on
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
   encrypt passwords = true

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.  
   passdb backend = tdbsam

   obey pam restrictions = yes

;   guest account = nobody
   invalid users = root

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
;   unix password sync = no

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .

   socket options = TCP_NODELAY


#======================= Share Definitions =======================

[homes]
   comment = Home Directories
   browseable = yes

# By default, the home directories are exported read-only. Change next
# parameter to 'yes' if you want to be able to write to them.
   writable = yes

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
   create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
   directory mask = 0700

# Restrict access to home directories 
# to the one of the authenticated user
# This might need tweaking when using external authentication schemes
   valid users = %S

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   public = no
   writable = no
   create mode = 0700

# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# Replace 'ntadmin' with the name of the group your admin users are
# members of.
;   write list = root, @ntadmin


# Share the Apache document root so the Zone1 web site can be updated over SMB.
# Only the Unix user 'silr' may connect. Files are created 0644 and directories
# 0755 so that httpd, which runs as a different user (see the Apache config
# below), can still read and traverse whatever is uploaded here.
[web]
   path = /etc/apache2/htdocs
   valid users = silr
   browseable = yes
   writeable = yes
   create mask = 0644
   directory mask = 0755

HTTP Zone1

#
# This is the main Apache HTTP server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.2> for detailed information.
# In particular, see 
# <URL:http://httpd.apache.org/docs/2.2/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.  
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "logs/foo_log"
# with ServerRoot set to "/etc/apache2" will be interpreted by the
# server as "/etc/apache2/logs/foo_log".

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path.  If you point
# ServerRoot at a non-local disk, be sure to point the LockFile directive
# at a local disk.  If you wish to share the same ServerRoot for multiple
# httpd daemons, you will need to change at least LockFile and PidFile.
#
ServerRoot "/etc/apache2"

#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to 
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80

#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#

<IfModule !mpm_netware_module>
<IfModule !mpm_winnt_module>
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.  
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User daemon
Group daemon

</IfModule>
</IfModule>

# 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition.  These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#

#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed.  This address appears on some server-generated pages, such
# as error documents.  e.g. admin@your-domain.com
#
ServerAdmin you@example.com

#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName www.example.com:80

#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/etc/apache2/htdocs"

#
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories). 
#
# First, we configure the "default" to be a very restrictive set of 
# features.  
#
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#

#
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "/etc/apache2/htdocs">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.2/mod/core.html#options
    # for more information.
    #
    Options Indexes FollowSymLinks

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    #
    AllowOverride None

    #
    # Controls who can get stuff from this server.
    #
    Order allow,deny
    Allow from all

</Directory>

#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>

#
# The following lines prevent .htaccess and .htpasswd files from being 
# viewed by Web clients. 
#
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>

#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog "logs/error_log"

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn

<IfModule log_config_module>
    #
    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).
    #
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    #
    # The location and format of the access logfile (Common Logfile Format).
    # If you do not define any access logfiles within a <VirtualHost>
    # container, they will be logged here.  Contrariwise, if you *do*
    # define per-<VirtualHost> access logfiles, transactions will be
    # logged therein and *not* in this file.
    #
    CustomLog "logs/access_log" common

    #
    # If you prefer a logfile with access, agent, and referer information
    # (Combined Logfile Format) you can use the following directive.
    #
    #CustomLog "logs/access_log" combined
</IfModule>

<IfModule alias_module>
    #
    # Redirect: Allows you to tell clients about documents that used to 
    # exist in your server's namespace, but do not anymore. The client 
    # will make a new request for the document at its new location.
    # Example:
    # Redirect permanent /foo http://www.example.com/bar

    #
    # Alias: Maps web paths into filesystem paths and is used to
    # access content that does not live under the DocumentRoot.
    # Example:
    # Alias /webpath /full/filesystem/path
    #
    # If you include a trailing / on /webpath then the server will
    # require it to be present in the URL.  You will also likely
    # need to provide a <Directory> section to allow access to
    # the filesystem path.

    #
    # ScriptAlias: This controls which directories contain server scripts. 
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the target directory are treated as applications and
    # run by the server when requested rather than as documents sent to the
    # client.  The same rules about trailing "/" apply to ScriptAlias
    # directives as to Alias.
    #
    ScriptAlias /cgi-bin/ "/etc/apache2/cgi-bin/"

</IfModule>

<IfModule cgid_module>
    #
    # ScriptSock: On threaded servers, designate the path to the UNIX
    # socket used to communicate with the CGI daemon of mod_cgid.
    #
    #Scriptsock logs/cgisock
</IfModule>

#
# "/etc/apache2/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/etc/apache2/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

#
# DefaultType: the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value.  If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
#
DefaultType text/plain

<IfModule mime_module>
    #
    # TypesConfig points to the file containing the list of mappings from
    # filename extension to MIME-type.
    #
    TypesConfig conf/mime.types

    #
    # AddType allows you to add to or override the MIME configuration
    # file specified in TypesConfig for specific file types.
    #
    #AddType application/x-gzip .tgz
    #
    # AddEncoding allows you to have certain browsers uncompress
    # information on the fly. Note: Not all browsers support this.
    #
    #AddEncoding x-compress .Z
    #AddEncoding x-gzip .gz .tgz
    #
    # If the AddEncoding directives above are commented-out, then you
    # probably should define those extensions to indicate media types:
    #
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz

    #
    # AddHandler allows you to map certain file extensions to "handlers":
    # actions unrelated to filetype. These can be either built into the server
    # or added with the Action directive (see below)
    #
    # To use CGI scripts outside of ScriptAliased directories:
    # (You will also need to add "ExecCGI" to the "Options" directive.)
    #
    #AddHandler cgi-script .cgi

    # For type maps (negotiated resources):
    #AddHandler type-map var

    #
    # Filters allow you to process content before it is sent to the client.
    #
    # To parse .shtml files for server-side includes (SSI):
    # (You will also need to add "Includes" to the "Options" directive.)
    #
    #AddType text/html .shtml
    #AddOutputFilter INCLUDES .shtml
</IfModule>

#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type.  The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
#MIMEMagicFile conf/magic

#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#

#
# EnableMMAP and EnableSendfile: On systems that support it, 
# memory-mapping or the sendfile syscall is used to deliver
# files.  This usually improves server performance, but must
# be turned off when serving from networked-mounted 
# filesystems or if support for these functions is otherwise
# broken on your system.
#
#EnableMMAP off
#EnableSendfile off

# Supplemental configuration
#
# The configuration files in the conf/extra/ directory can be 
# included to add extra features or to modify the default configuration of 
# the server, or you may simply copy their contents here and change as 
# necessary.

# Server-pool management (MPM specific)
#Include conf/extra/httpd-mpm.conf

# Multi-language error messages
#Include conf/extra/httpd-multilang-errordoc.conf

# Fancy directory listings
#Include conf/extra/httpd-autoindex.conf

# Language settings
#Include conf/extra/httpd-languages.conf

# User home directories
#Include conf/extra/httpd-userdir.conf

# Real-time info on requests and configuration
#Include conf/extra/httpd-info.conf

# Virtual hosts
#Include conf/extra/httpd-vhosts.conf

# Local access to the Apache HTTP Server Manual
#Include conf/extra/httpd-manual.conf

# Distributed authoring and versioning (WebDAV)
#Include conf/extra/httpd-dav.conf

# Various default settings
#Include conf/extra/httpd-default.conf

# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf
#
# Note: The following must be present to support
#       starting without SSL on platforms with no /dev/random equivalent
#       but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
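The [web] share in the Samba configuration above and the DocumentRoot in this Apache configuration describe the same directory, so a mistake in one file shows up as a broken web site or as uploads that httpd cannot read. The following script is an added example, not part of the lab report nor of Samba or Apache: it reads both files with awk, confirms that the share path is the DocumentRoot, that the create/directory masks leave new files readable and directories traversable by a different Unix user (httpd runs as daemon here, not as silr), and reports whether directory listings (Options Indexes) are enabled on that tree. It assumes the smb.conf ini layout and the Apache 2.2 httpd.conf layout shown on this page; file paths are parameters.

```sh
#!/bin/sh
# Added example (not from the lab report, Samba or Apache): cross-check the
# [web] SMB share against the Apache DocumentRoot. Assumes smb.conf "key = value"
# lines under [section] headers and an httpd.conf with one top-level DocumentRoot
# and <Directory "..."> blocks, as shown on this page.
set -eu

# Value of PARAM in share SECTION of an smb.conf, empty if unset.
# Usage: smb_share_param SMB_CONF SECTION PARAM
smb_share_param() {
    awk -v s="[$2]" -v p="$3" '
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
        line ~ /^[;#]/ { next }          # smb.conf comments start with ; or #
        line == s      { in_s = 1; next }
        line ~ /^\[/   { in_s = 0 }      # any other section header ends ours
        in_s {
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); sub(/[ \t]+$/, "", k)
            if (k == p) { v = substr(line, n + 1); sub(/^[ \t]+/, "", v); print v; exit }
        }' "$1"
}

# First uncommented value of a top-level DIRECTIVE in httpd.conf, quotes stripped.
# Usage: httpd_directive HTTPD_CONF DIRECTIVE
httpd_directive() {
    awk -v d="$2" '
        /^[ \t]*#/ { next }
        $1 == d { v = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", v); gsub(/"/, "", v); print v; exit }
    ' "$1"
}

# The Options line inside <Directory "PATH"> ... </Directory>, empty if none.
# Usage: httpd_dir_options HTTPD_CONF PATH
httpd_dir_options() {
    awk -v p="$2" '
        /^[ \t]*#/ { next }
        $1 == "<Directory"   { cur = $2; gsub(/["> ]/, "", cur) }
        $1 == "</Directory>" { cur = "" }
        cur == p && $1 == "Options" { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# Returns 0 when the share path is the DocumentRoot and uploaded files and
# directories will be readable/traversable by httpd's own Unix user.
# Indexes is only reported: it is a deliberate setting, not an error.
# Usage: check_web_share SMB_CONF HTTPD_CONF
check_web_share() {
    share=$(smb_share_param "$1" web path)
    mask=$(smb_share_param "$1" web "create mask")
    dmask=$(smb_share_param "$1" web "directory mask")
    mask=${mask:-0744}    # smb.conf(5) defaults when the parameter is absent
    dmask=${dmask:-0755}
    root=$(httpd_directive "$2" DocumentRoot)
    opts=$(httpd_dir_options "$2" "$root")
    rc=0
    if [ "$share" != "$root" ]; then
        echo "share path '$share' is not the DocumentRoot '$root'"; rc=1
    fi
    # The lowest octal digit holds the "other" bits; httpd runs as 'daemon',
    # not as the share user, so it needs r (4) on files and x (1) on directories.
    last=${mask#"${mask%?}"}
    case $last in
        4|5|6|7) ;;
        *) echo "create mask '$mask' leaves uploaded files unreadable by httpd"; rc=1 ;;
    esac
    last=${dmask#"${dmask%?}"}
    case $last in
        1|3|5|7) ;;
        *) echo "directory mask '$dmask' leaves new directories untraversable by httpd"; rc=1 ;;
    esac
    case " $opts " in
        *" Indexes "*) echo "note: Indexes is on for $root, directory listings are served" ;;
    esac
    return $rc
}

# Example run against the live files on a Zone1 router:
#   check_web_share /etc/samba/smb.conf /etc/apache2/httpd.conf
```

With the values on this page the check passes and prints only the Indexes note; lowering create mask to 0600 (the value the [homes] share uses) makes it fail, because files dropped by silr would then be invisible to the daemon user serving them.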

Jabber Zone2

We also set up an instant messaging server. The protocol used is XMPP (also known as Jabber), a set of open IETF standard protocols for instant messaging and presence and, more generally, a decentralised architecture for exchanging data. Jabber is also a near-real-time collaboration and multimedia exchange system through Jingle, of which VoIP (telephony over the Internet), video conferencing and file transfer are example applications.

Several implementations are available, such as ejabberd or Openfire. We chose to install ejabberd.


Installation steps

  1. Install the package (here for Debian and derivatives): apt-get install ejabberd
  2. Edit the configuration file /etc/ejabberd/ejabberd.cfg.
  3. Add the administrators who will manage the Jabber server. Edit the "Admin user" section so that it reads: {acl, admin, {user, "user_name", "the_domain"}}. We chose jonathan and jabber for user_name and the_domain respectively. Warning: ejabberd does not seem to accept upper-case domains!
  4. Define the domain served by the Jabber server. In the configuration file, replace the declaration {hosts, ["localhost"]} with {hosts, ["jabber"]}.
  5. Restart the service: /etc/init.d/ejabberd restart
  6. Create the admin account declared in the configuration file, either with an XMPP client or with the following command: ejabberdctl register user domain my_password, i.e.: ejabberdctl register jonathan jabber silr2k
  7. You can then log in to the web administration interface at http://name_or_ip_of_the_machine:5280/admin. The login must be the full JID (here jonathan@jabber) and the password is the one given when the account was created with ejabberdctl or the XMPP client.
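Steps 2 to 6 above as a re-runnable script. This is an added example, not part of the lab report: it assumes the ejabberd 2.x /etc/ejabberd/ejabberd.cfg format (Erlang terms, one per line, each ending in "."), the stock {hosts, ["localhost"]}. line, and that ejabberdctl and the init script are where the report uses them. Only the "apply" branch at the end touches the real system; the functions above it rewrite whatever file they are given, which is how they can be tried on a copy first. The domain is lower-cased before use because of the warning in step 3, and the admin password is read from the environment rather than typed on the command line, so it does not land in the shell history.

```sh
#!/bin/sh
# Added example (not from the lab report or ejabberd): apply the ejabberd.cfg
# edits of steps 3-4 with sed, then restart and register the admin (steps 5-6).
# Assumes the ejabberd 2.x Erlang-term config with the stock line
#   {hosts, ["localhost"]}.
set -eu

# ejabberd rejects upper-case domains (step 3), so normalise before use.
normalize_domain() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# Full JID needed to log in to http://host:5280/admin (step 7).
admin_jid() {
    printf '%s@%s' "$1" "$(normalize_domain "$2")"
}

# Rewrite the served host (step 4) and declare the admin ACL (step 3) in CFG.
# Usage: configure_ejabberd_cfg CFG USER DOMAIN
configure_ejabberd_cfg() {
    cfg=$1; user=$2; domain=$(normalize_domain "$3")
    # Keep a .bak copy: a syntax error here stops ejabberd from starting at all.
    sed -i.bak "s/^{hosts, \[\"localhost\"\]}\./{hosts, [\"$domain\"]}./" "$cfg"
    # Append the ACL only once so the script can be re-run safely.
    grep -q "^{acl, admin, {user, \"$user\", \"$domain\"}}\." "$cfg" ||
        printf '{acl, admin, {user, "%s", "%s"}}.\n' "$user" "$domain" >> "$cfg"
}

# Print the host currently declared in CFG (check it before restarting).
configured_host() {
    sed -n 's/^{hosts, \["\([^"]*\)"\]}\..*/\1/p' "$1"
}

# Usage (as root):  EJABBERD_ADMIN_PW=... ./ejabberd-setup.sh apply jonathan jabber
if [ "${1:-}" = "apply" ]; then
    configure_ejabberd_cfg /etc/ejabberd/ejabberd.cfg "$2" "$3"
    /etc/init.d/ejabberd restart
    # The password stays out of shell history this way, although ejabberdctl
    # itself still receives it as a command-line argument.
    ejabberdctl register "$2" "$(normalize_domain "$3")" "$EJABBERD_ADMIN_PW"
    echo "admin JID: $(admin_jid "$2" "$3")"
fi
```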

The basic installation is complete! The server can then be tuned as needed (adding users, for example) through the web administration interface. After that it behaves, of course, like the XMPP networks we already know.

Conclusion