Moo Trader IT Infrastructure

Publish Date: 1 Sep 2012

This written guide covers videos 3, 4 and 5 of my guide to a virtual trading infrastructure. There are five videos in the series. The playlist is here


Part 3
Video guide available here:

Steps to configure a CentOS router/firewall

Install CentOS 6.3 x64
Download the ISO from the CentOS site or a mirror (the links are not preserved on this page). I use CentOS-6.3-x86_64-bin-DVD1.iso; there's a torrent link there as well for a faster download.

Create VM
Create your VM as shown in the video in Part 3 here:

Boot VM and install CentOS


Check the MAC addresses you configured in vSphere Client and note which one belongs to the external network and which to the internal one (the MACs from my example are not preserved on this page). You will need them to tell the two adapters apart in the installer, and again later to check that eth0 and eth1 ended up on the right networks.

Configure each network card

Click Edit on the first adapter (the external one), fill in its settings, then click Apply.

Now edit the internal interface, then click Apply.

Click Close, then Next.

Click Write changes to disk.

Click Reboot.

Log in, shut the machine down and take a snapshot.


Power on, then connect via PuTTY.

Click Yes. This accepts and caches the server's SSH host key; for a VM you have just built yourself that is fine, but on any other box compare the fingerprint PuTTY shows with the one on the server's console first.


Check network interfaces are up and running


Update packages
yum update

This will update your packages to the latest version. If the kernel was updated, reboot before going on.

Check network settings


Make sure that your adapters are set up correctly, note down which is internal, external and DMZ/Wireless if you use a third.

Install download tool

yum install wget

Install rpmforge
Download the files: the rpmforge-release RPM and the DAG signing key (the URLs are not preserved on this page). RPMforge/RepoForge has since been abandoned; on a current system you would use EPEL instead, but the verification steps below are the same for any third-party repo.
wget
wget

Import the key

rpm --import RPM-GPG-KEY.dag.txt

Check the package. rpm -K verifies the digests and the GPG signature against the key you just imported; do not install if it reports NOT OK or MISSING KEYS.

rpm -K rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

Install the package. This is a 64-bit install, so use the x86_64 release package to match it.

rpm -ivh rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

Install nano editor

yum install nano

Check the repo is enabled

nano /etc/yum.repos.d/rpmforge.repo

Check that it reads enabled = 1 and, just as important, gpgcheck = 1 with gpgkey pointing at the key file: that is what makes yum refuse packages from this repo that are not signed by the DAG key. The URL values are not preserved on this page.

[rpmforge]
name = RHEL $releasever - - dag
baseurl = $basearch/rpmforge
mirrorlist =
#mirrorlist = file:///etc/yum.repos.d/mirrors-rpmforge
enabled = 1
protect = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
gpgcheck = 1
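The rpm -K step is the one that protects you from a tampered download, but its output is easy to misread: an unsigned package also prints OK (digests only), and a package whose key you forgot to import prints NOT OK (MISSING KEYS). The helper below is an added example, not part of the original guide; it classifies one line of rpm -K output and only then runs rpm -ivh. The sample lines in the test are constructed in the shape rpm prints on EL5/EL6 (DSA key "gpg OK", RSA key "pgp OK"). The same gate applies to the Shorewall and Webmin packages installed later in this guide.

```sh
#!/bin/sh
# Added example (not from the original guide): refuse to install an RPM
# unless `rpm -K` reports a verified signature, not merely good digests.

# rpm_k_verified LINE
#   LINE is one line of `rpm -K` output. Returns 0 only when the line shows
#   a passed digest check AND a passed gpg/pgp signature check.
rpm_k_verified() {
    case "$1" in
        *"NOT OK"*|*"MISSING KEYS"*|*NOKEY*) return 1 ;;  # failed or unverifiable
    esac
    case "$1" in
        *" OK"*) ;;                                       # digests passed
        *) return 1 ;;
    esac
    case "$1" in
        *gpg*|*GPG*|*pgp*|*PGP*) return 0 ;;              # a signature was actually checked
        *) return 1 ;;                                    # unsigned package: digests only
    esac
}

# install_verified PKG.rpm
#   Runs `rpm -K`, applies the check above, and installs only on success.
install_verified() {
    out=$(rpm -K "$1" 2>&1) || { echo "refusing to install $1: $out" >&2; return 1; }
    if rpm_k_verified "$out"; then
        rpm -ivh "$1"
    else
        echo "refusing to install $1: no verified signature ($out)" >&2
        return 1
    fi
}
```

Use it in place of the bare rpm -ivh, e.g. install_verified rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm; the same goes for the shorewall-core and shorewall RPMs.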


Part 4
Video guide available here:

Configure internal network interface

nano /etc/sysconfig/network-scripts/ifcfg-eth1

Edit the file so it looks like this. Your HWADDR and UUID will be different, and there may be other minor differences; the address values are not preserved on this page. Two things to check: a static interface also needs its mask (a NETMASK= or PREFIX= line), and the internal interface must not have a GATEWAY line, since the default route belongs to the external interface.
DEVICE="eth1"
BOOTPROTO="static"
ONBOOT=yes
TYPE="Ethernet"
UUID="2915807d-57a3-4c1b-a67e-96c3d10043f7"
HWADDR=00:0C:29:5B:2D:17
IPADDR=
DNS1=
DNS2=
DNS3=
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="eth1 internal"

Install Shorewall
Take a VMware snapshot
In case you mess this bit up

Install pre-requisites
Shorewall has some dependencies that are not resolved by the rpm package. You will need to install bc, perl and the perl-Digest-SHA1 package.
yum install bc perl perl-Digest-SHA1

Download the packages

Refer to the Shorewall download page for more info. You need the shorewall-core and shorewall RPMs (the URLs are not preserved on this page).
wget
wget

Download the key

Install the key

rpm --import shorewall.gpg.key

Install the core package

rpm -ivh shorewall-core-

Install the main package

rpm -ivh shorewall-

Check that shorewall is there

cd /etc/shorewall/
ls -lha

Make copies of the config files we're going to change, in case we need to revert and for future reference.
cp zones zones.orig
cp shorewall.conf shorewall.conf.orig
cp rules rules.orig
cp policy policy.orig
cp masq masq.orig
cp interfaces interfaces.orig

Configure the firewall

Edit the zones file
nano zones

This file may differ from my setup; refer to the documentation. You will probably use the two-interface configuration, so I will show you how to set that up. Here's my file:
# Shorewall version 4 - Zones File
#
# For information about this file, type "man shorewall-zones"
#
# The manpage is also online at
#
###############################################################################
#ZONE   TYPE        OPTIONS         IN OPTIONS      OUT OPTIONS
fw      firewall
net     ipv4
loc     ipv4

nano interfaces

Add the following lines. net is the external adapter and loc the internal one; the dhcp option on eth0 is there because the external address comes from DHCP. When you get to the dnsmasq section, add dhcp to the eth1 options as well: the shorewall-interfaces man page says the option is also needed on an interface served by a DHCP server running on the firewall.

#ZONE   INTERFACE   OPTIONS
net     eth0        dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
loc     eth1        tcpflags,nosmurfs,routefilter,logmartians

Configure policy
nano policy

Add these lines

#SOURCE     DEST    POLICY  LOG LEVEL
loc         net     ACCEPT
loc         $FW     ACCEPT
net         all     DROP    info
$FW         all     ACCEPT

Read it top down: the LAN may go out to the internet and may talk to the firewall itself; anything unsolicited from the internet is dropped and logged at level info; the firewall itself may talk to anything. The rest of this guide (SSH from the LAN, the proxy, DNS/DHCP, Webmin) relies on the loc to $FW ACCEPT line. It is wider than the Shorewall two-interface sample, which ends with an all all REJECT info catch-all and opens firewall services one rule at a time; tighten it that way once you know which ports you actually use.


Configure masquerading
nano masq

The masq line itself is not preserved on this page. Its two columns are INTERFACE (the external interface the traffic leaves through, eth0 here) and SOURCE (the hosts being masqueraded, which can be given as the internal interface or its subnet); the two-interface guide shows the exact line.

Edit shorewall.conf so that the firewall is enabled at startup

nano shorewall.conf

Change
STARTUP_ENABLED=No
To
STARTUP_ENABLED=Yes

For any other setup, look at the docs; they're pretty good. Configure your files as shown in the guide on that two-interface page.

Check your firewall config

shorewall check

You should get something like this, with no errors:

Checking...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Checking /etc/shorewall/zones...
Checking /etc/shorewall/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Checking /usr/share/shorewall/action.Drop for chain Drop...
Checking /usr/share/shorewall/action.Broadcast for chain Broadcast...
Checking /usr/share/shorewall/action.Invalid for chain Invalid...
Checking /usr/share/shorewall/action.NotSyn for chain NotSyn...
Checking /usr/share/shorewall/action.Reject for chain Reject...
Checking /etc/shorewall/policy...
Running /etc/shorewall/initdone...
Adding Anti-smurf Rules
Adding rules for DHCP
Checking TCP Flags filtering...
Checking Kernel Route Filtering...
Checking Martian Logging...
Checking Accept Source Routing...
Checking /etc/shorewall/tcrules...
Checking MAC Filtration -- Phase 1...
Checking /etc/shorewall/rules...
Checking /etc/shorewall/conntrack...
Checking MAC Filtration -- Phase 2...
Applying Policies...
Shorewall configuration verified
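shorewall check validates syntax, but it cannot know that eth0 and eth1 have been muddled up, which is the mistake most likely to leave you with a box that compiles cleanly and routes nothing. The lint below is an added example, not part of the guide or of Shorewall: it reads the zones, interfaces, policy and masq files and checks that they agree with each other. It assumes the guide's layout, net on the external adapter and loc on the internal one, and a masq file whose first line is "eth0 eth1" (NAT everything from eth1 out of eth0); the guide's own masq line is not preserved on this page, so that line is an assumption. The files in the test are constructed from the guide's zones, interfaces and policy.

```sh
#!/bin/sh
# Added example (not from the original guide): cross-check the Shorewall
# two-interface files for the errors `shorewall check` cannot see.

# strip comments and blank lines from a Shorewall config file
_sw_strip() { sed 's/#.*//' "$1" | awk 'NF > 0'; }

# lint_shorewall [DIR]   (DIR defaults to /etc/shorewall)
#   Prints findings; returns 0 if the files are consistent, 1 otherwise.
lint_shorewall() {
    d=${1:-/etc/shorewall}; rc=0
    for f in zones interfaces policy masq; do
        [ -r "$d/$f" ] || { echo "missing $d/$f"; return 1; }
    done
    zones=$(_sw_strip "$d/zones" | awk '{print $1}' | tr '\n' ' ')
    netif=''; locif=''
    # 1. every zone used in interfaces must be declared in zones; note the NICs
    for pair in $(_sw_strip "$d/interfaces" | awk '{print $1 ":" $2}'); do
        z=${pair%%:*}; i=${pair#*:}
        case " $zones " in
            *" $z "*) ;;
            *) echo "interfaces: zone '$z' is not declared in zones"; rc=1 ;;
        esac
        case "$z" in net) netif=$i ;; loc) locif=$i ;; esac
    done
    if [ -z "$netif" ] || [ -z "$locif" ]; then
        echo "interfaces: both net and loc must be bound to an interface"; return 1
    fi
    if [ "$netif" = "$locif" ]; then
        echo "interfaces: net and loc are on the same NIC ($netif)"; rc=1
    fi
    # 2. masq must NAT *out of* the net NIC; SOURCE may be the loc NIC or a subnet
    ext=$(_sw_strip "$d/masq" | awk 'NR == 1 {print $1}'); ext=${ext%%:*}
    src=$(_sw_strip "$d/masq" | awk 'NR == 1 {print $2}')
    if [ "$ext" != "$netif" ]; then
        echo "masq: NATs out of '$ext' but zone net is on '$netif' (interfaces swapped?)"; rc=1
    fi
    if [ "$src" = "$netif" ]; then
        echo "masq: SOURCE is the external NIC; it should be the LAN side"; rc=1
    fi
    # 3. policy must drop or reject unsolicited traffic from net
    n=$(_sw_strip "$d/policy" | awk '$1 == "net" && ($2 == "all" || $2 == "$FW") \
        && ($3 == "DROP" || $3 == "REJECT") { c++ } END { print c + 0 }')
    if [ "$n" -eq 0 ]; then
        echo "policy: no 'net all DROP' (or REJECT) line"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "Shorewall files in $d are consistent"
    return $rc
}
```

Run it as root with no argument to check the live /etc/shorewall before shorewall start; it only reads the files.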

Start your firewall for the first time

shorewall start

You should get this:

Compiling...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Compiling /usr/share/shorewall/action.Drop for chain Drop...
Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
Compiling /usr/share/shorewall/action.Invalid for chain Invalid...
Compiling /usr/share/shorewall/action.NotSyn for chain NotSyn...
Compiling /usr/share/shorewall/action.Reject for chain Reject...
Compiling /etc/shorewall/policy...
Running /etc/shorewall/initdone...
Adding Anti-smurf Rules
Adding rules for DHCP
Compiling TCP Flags filtering...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling Accept Source Routing...
Compiling /etc/shorewall/tcrules...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall/rules...
Compiling /etc/shorewall/conntrack...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Generating Rule Matrix...
Creating iptables-restore input...
Shorewall configuration compiled to /var/lib/shorewall/.start
Starting Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Processing /etc/shorewall/tcclear ...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Accept Source Routing...
Setting up Proxy ARP...
Preparing iptables-restore input...
Running /sbin/iptables-restore...
IPv4 Forwarding Enabled
Processing /etc/shorewall/start ...
Processing /etc/shorewall/started ...
done.

Test your connection at this stage: configure one of your machines to use your new firewall as its gateway. It should work.

If it doesn't, the likely culprits are ifcfg-eth0, ifcfg-eth1, or the internal and external interfaces muddled up. Check your /etc/shorewall/interfaces file, and check that the MAC addresses in the output of ifconfig match the network adapters you set up in the VMware vSphere client.
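One way to do that last check without eyeballing ifconfig, as an added example rather than anything from the guide: compare the HWADDR in each ifcfg-eth* file with the address the kernel reports in /sys/class/net, which on a VMware guest is the MAC you assigned in vSphere. Both directories are parameters so it can be run against copies; the defaults are the real locations on CentOS 6. In the test the eth1 MAC is the guide's (from ifcfg-eth1 above) and the eth0 MAC is constructed.

```sh
#!/bin/sh
# Added example (not from the original guide): verify that each ifcfg-ethN
# HWADDR matches the MAC the kernel actually sees on that interface.

# check_ifcfg_macs [SCRIPTS_DIR] [SYSNET_DIR]
#   defaults: /etc/sysconfig/network-scripts and /sys/class/net
#   Prints one line per interface:
#     <dev> OK <mac>
#     <dev> MISMATCH ifcfg=<mac in file> live=<mac on NIC>
#     <dev> NOHWADDR            (file has no HWADDR line)
#     <dev> MISSING             (kernel has no such interface)
#   Returns 0 only if every interface is OK.
check_ifcfg_macs() {
    scripts=${1:-/etc/sysconfig/network-scripts}
    sysnet=${2:-/sys/class/net}
    rc=0
    for f in "$scripts"/ifcfg-eth*; do
        [ -f "$f" ] || continue                  # no ifcfg-eth* files at all
        dev=${f##*/ifcfg-}
        # HWADDR=00:0C:29:... or HWADDR="00:0C:29:..."; normalise to lower case
        want=$(sed -n 's/^HWADDR=//p' "$f" | tr -d '"\r ' | tr 'A-F' 'a-f')
        if [ -z "$want" ]; then
            echo "$dev NOHWADDR"; rc=1; continue
        fi
        if [ ! -r "$sysnet/$dev/address" ]; then
            echo "$dev MISSING"; rc=1; continue   # ifcfg names a NIC the kernel does not have
        fi
        have=$(tr 'A-F' 'a-f' < "$sysnet/$dev/address")
        if [ "$want" = "$have" ]; then
            echo "$dev OK $have"
        else
            echo "$dev MISMATCH ifcfg=$want live=$have"; rc=1
        fi
    done
    return $rc
}
```

A MISMATCH on both interfaces with the two MACs swapped is the classic symptom of the external and internal adapters having been assigned the wrong way round.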

Take a snapshot
We will take a snapshot now before moving on to the caching proxy server installation.

Proxy server installation

yum install squid

Done. Back up the config file

cp /etc/squid/squid.conf /etc/squid/squid.conf.orig

Configure firewall to redirect local traffic to the proxy

nano /etc/shorewall/rules

The proxy server listens on port 3128 by default. Add these lines to the /etc/shorewall/rules file. The first lets the firewall itself fetch pages; the second redirects port 80 traffic from the LAN into squid (www is Shorewall's name for port 80).

#ACTION     SOURCE  DEST    PROTO   DEST PORT(S)
ACCEPT      $FW     net     tcp     www
REDIRECT    loc     3128    tcp     www

Configure squid
nano /etc/squid/squid.conf

Change the line
http_port 3128

to

http_port 3128 intercept

Only plain HTTP on port 80 is intercepted this way. HTTPS (port 443) is not touched by the REDIRECT rule and goes straight out under the loc to net ACCEPT policy, so neither squid nor the content filter you add later sees any of it.

Depending on what your local network range is, you will need to comment out the RFC1918 localnet lines that do not match it, so that only your own LAN is allowed to use the proxy. Mine looks like this (the address ranges are not preserved on this page):
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src
#acl localnet src             # RFC1918 possible internal network
#acl localnet src             # RFC1918 possible internal network
#acl localnet src fc00::/7    # RFC 4193 local private network range
#acl localnet src fe80::/10   # RFC 4291 link-local (directly plugged) machines

Restart shorewall and start squid

shorewall restart
service squid start

On your test machine, make sure you can still access the internet when it is pointed at this firewall as the gateway. All should be well. Squid can be configured in a variety of ways depending on your setup; I recommend you read the documentation, as the default options may not be optimal. You may want to change or add the following options:
cache_mem
maximum_object_size_in_memory
maximum_object_size

And others.

Enable autostart of shorewall and squid

To see what services begin at startup, type
chkconfig --list

It will look like this:

auditd          0:off 1:off 2:on  3:on  4:on  5:on  6:off
crond           0:off 1:off 2:on  3:on  4:on  5:on  6:off
ip6tables       0:off 1:off 2:on  3:on  4:on  5:on  6:off
iptables        0:off 1:off 2:on  3:on  4:on  5:on  6:off
lvm2-monitor    0:off 1:on  2:on  3:on  4:on  5:on  6:off
netconsole      0:off 1:off 2:off 3:off 4:off 5:off 6:off
netfs           0:off 1:off 2:off 3:on  4:on  5:on  6:off
network         0:off 1:off 2:on  3:on  4:on  5:on  6:off
postfix         0:off 1:off 2:on  3:on  4:on  5:on  6:off
rdisc           0:off 1:off 2:off 3:off 4:off 5:off 6:off
restorecond     0:off 1:off 2:off 3:off 4:off 5:off 6:off
rsyslog         0:off 1:off 2:on  3:on  4:on  5:on  6:off
saslauthd       0:off 1:off 2:off 3:off 4:off 5:off 6:off
shorewall       0:off 1:off 2:on  3:on  4:on  5:on  6:off
squid           0:off 1:off 2:off 3:off 4:off 5:off 6:off
sshd            0:off 1:off 2:on  3:on  4:on  5:on  6:off
udev-post       0:off 1:on  2:on  3:on  4:on  5:on  6:off

Shorewall should already be on in runlevels 2 to 5, but squid won't be.

chkconfig squid on

Squid will now start on boot. Note that the stock iptables service is still enabled alongside shorewall. Shorewall loads its own rule set, and a later service iptables restart (or stop) flushes it and leaves the box with whatever is in /etc/sysconfig/iptables, so once Shorewall is in charge it is safer to turn the iptables service off in chkconfig.

Take a snapshot
We will take a snapshot now before moving on to the content filter installation. If you don't want a content filter, you can skip this step. If you have kids on your network, you might want to install and configure this, or use an external filtering service as a content filter. I use both.

Install content filter

This step can be skipped if you dont want a content filter.
yum install dansguardian

Reconfigure firewall
You will need to point your firewall at DansGuardian now instead of squid. The flow becomes: client, then DansGuardian, then squid, then the internet. DansGuardian listens on port 8080, so we need to change the firewall.

nano /etc/shorewall/rules

Change the REDIRECT line from

REDIRECT    loc     3128    tcp     www

to

REDIRECT    loc     8080    tcp     www

Configure dansguardian
DansGuardian comes with a lot of config files and blacklist files. I'm not going into it in depth here; there's plenty of info on the internet about it. DansGuardian should work with the default config, but it is set up for a primary school and will be over-eager in blocking. Change the naughtiness level from 50 to a higher number; I use 150. Before we do that, let's copy our original files.
cp /etc/dansguardian/dansguardian.conf /etc/dansguardian/dansguardian.conf.orig
cp /etc/dansguardian/dansguardianf1.conf /etc/dansguardian/dansguardianf1.conf.orig

DansGuardian allows you to have different settings in the dansguardianf1, dansguardianf2 files, etc. I only use one, so let's edit dansguardianf1.conf
nano /etc/dansguardian/dansguardianf1.conf

Change the line

naughtynesslimit = 50

to

naughtynesslimit = 150

Yes, the DansGuardian developers can't spell. Start DansGuardian

service dansguardian start

Test your connection. Try a dodgy site; it should be blocked. There are various exception files which you can configure; have a look through and read the docs if you want to tune it to your needs. Two things to be aware of. DansGuardian forwards to squid as an ordinary proxy client (by default to 127.0.0.1 port 3128), so the intercept flag on squid's port is no longer needed for LAN traffic. And because the loc to $FW policy is ACCEPT, a LAN client that sets its browser proxy to the firewall's port 3128 goes straight to squid and skips the filter entirely; if that matters, restrict port 3128 to the firewall itself, for example by binding squid's http_port to 127.0.0.1, and remember that HTTPS is not filtered at all. Finally,
chkconfig dansguardian on

Take a snapshot
We will take a snapshot now before moving on to the DNS/DHCP installation.


DNS/DHCP Server config

You can use the industry-standard software for this, BIND9 and ISC DHCP, but they are quite large and tricky to set up. I use dnsmasq instead as it is easier for me to set up. You can use the heavier-weight ones if you like, but you don't need to for home/SOHO use.
yum install dnsmasq

IMPORTANT: Before starting this, make sure any other DHCP and DNS servers are stopped on your network. Competing DHCP servers on a network dont work very well.

DHCP is configured in the dnsmasq.conf file. If you want DHCP reservations, use the /etc/ethers file; it gives out the same IP address every time for the MAC address specified. For details on configuring dnsmasq, see its documentation. My config file looks like this:
# these options were copied from ClearOS config
bogus-priv
cache-size=5000
conf-dir=/etc/dnsmasq.d
dhcp-authoritative
dhcp-lease-max=1000
domain-needed
domain=localdomain
expand-hosts
no-negcache
strict-order
user=nobody

# For debugging purposes, log each DNS query as it passes through.
log-queries

# Log lots of extra information about DHCP transactions.
log-dhcp

Two things worth knowing. dhcp-authoritative tells dnsmasq to answer every DHCP request on the LAN as if it were the only server, which is why other DHCP servers must be stopped first. And this file does not restrict which interfaces dnsmasq listens on, so add interface=eth1 so that it only answers on the LAN side and cannot become an open resolver on eth0 if the firewall is ever stopped (dnsmasq adds loopback automatically when interface= is used). log-queries writes every DNS lookup on your network to syslog, which is noisy and is also a record of everyone's browsing, so turn it off once things work.

DHCP options are in /etc/dnsmasq.d/dhcp.conf. My file looks like this (the address values are not preserved on this page):

dhcp-option=eth1,1,
dhcp-option=eth1,3,
dhcp-option=eth1,6,,,
dhcp-option=eth1,15,localdomain
dhcp-option=eth1,28,
dhcp-range=eth1,,,12h
read-ethers

This file doesn't exist by default; you will need to create it.
option 1 is the netmask to give out
option 3 is the default gateway; set this to the firewall's internal address
option 6 is the DNS server(s) to give out
option 15 is the domain suffix
option 28 is the broadcast address
dhcp-range is the range of addresses dynamic leases are given from, with the lease time (12h here)
read-ethers tells dnsmasq to read the /etc/ethers file

My /etc/ethers file looks like this, one MAC address and its IP address per line (the addresses are not preserved on this page):
# see man ethers for syntax
00:1b:2f:d5:f6:78
00:0c:29:cd:6f:18

And so on for each MAC address on your network. I have about 25 lines in here.
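With twenty-odd reservations it is easy to list a MAC twice or to reserve an address that also lies inside the dynamic dhcp-range, and dnsmasq will not warn you about either. The check below is an added example, not from the guide; it takes the ethers file and the two ends of the dynamic range as parameters. The 192.168.1.x addresses in the test are assumed, since the guide's own addresses are not preserved on this page; the two MACs are the ones from the guide's ethers file.

```sh
#!/bin/sh
# Added example (not from the original guide): sanity-check /etc/ethers
# against the dynamic DHCP pool before handing it to dnsmasq.

# check_ethers FILE RANGE_START RANGE_END
#   Reports malformed lines, duplicate MACs, duplicate IPs, and reservations
#   that fall inside [RANGE_START, RANGE_END]. Returns 0 if clean, 1 otherwise.
check_ethers() {
    awk -v lo="$2" -v hi="$3" '
        # dotted quad -> integer; -1 if any octet is out of range
        function ip2n(s,    a) {
            split(s, a, ".")
            if (a[1] > 255 || a[2] > 255 || a[3] > 255 || a[4] > 255) return -1
            return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
        }
        BEGIN {
            h = "[0-9a-fA-F][0-9a-fA-F]"
            macre = "^" h ":" h ":" h ":" h ":" h ":" h "$"
            ipre = "^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$"
            nlo = ip2n(lo); nhi = ip2n(hi); rc = 0
        }
        {
            sub(/#.*/, "")                       # strip comments
            if (NF == 0) next
            if (NF != 2 || $1 !~ macre || $2 !~ ipre || ip2n($2) < 0) {
                print FILENAME ":" NR ": malformed: " $0; rc = 1; next
            }
            mac = tolower($1); ip = $2
            if (mac in macs) { print "duplicate MAC " mac " (lines " macs[mac] " and " NR ")"; rc = 1 }
            else macs[mac] = NR
            if (ip in ips) { print "duplicate IP " ip " (lines " ips[ip] " and " NR ")"; rc = 1 }
            else ips[ip] = NR
            n = ip2n(ip)
            if (n >= nlo && n <= nhi) {
                print "line " NR ": " ip " is inside the dynamic range " lo "-" hi; rc = 1
            }
        }
        END { exit rc }' "$1"
}
```

Run it with the first and last address of your dhcp-range, e.g. check_ethers /etc/ethers 192.168.1.100 192.168.1.199 for an assumed pool of .100 to .199; MACs are compared case-insensitively, since dnsmasq treats 00:1B:... and 00:1b:... as the same host.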

DNS setup
DNS names are read from the /etc/hosts file (expand-hosts above adds the domain to the short names). Make sure this is set up how you want. Mine looks like this, one host per line; the addresses are not preserved on this page:
localhost.localdomain localhost
carbon.localdomain carbon
hydrogen.localdomain hydrogen
helium.localdomain helium
lithium.localdomain lithium
beryllium.localdomain
boron.localdomain boron
nitrogen.localdomain nitrogen
oxygen.localdomain oxygen
flourine.localdomain flourine
neon.localdomain neon
magnesium.localdomain magnesium

Finally,
chkconfig dnsmasq on

Shut down your server and take another snapshot. Boot it up and test it with a client using DHCP. It should all work.


Part 5
Video guide available here:

Install the NTP service
yum install ntp

Backup the config file

cp /etc/ntp.conf /etc/ntp.conf.orig

At the top of the file add

tinker panic 0

This stops ntpd from exiting when it finds the clock more than 1000 seconds out, which can happen to a VM after a snapshot restore or a suspend; it is what VMware recommends for guests running ntpd.

In the server section you can add your preferred NTP servers near your location. Start the service,
service ntpd start

Start at boot
chkconfig ntpd on

Install Webmin
Documentation here

Add the webmin repo
nano /etc/yum.repos.d/webmin.repo

And add these lines (the baseurl and mirrorlist values are not preserved on this page). Add gpgcheck=1 as well, so yum verifies Webmin packages against the key you import in the next step rather than relying on the default in /etc/yum.conf.

[Webmin]
name=Webmin Distribution Neutral
#baseurl=
mirrorlist=
enabled=1

Download the key


Import the key

rpm --import jcameron-key.asc

Update the repos

yum update

Install the software
yum install webmin

When it's installed you should be able to access it at http://flourine.localdomain:10000/ (substitute your firewall's hostname). You will get a screen similar to this in your browser. Because the loc to $FW policy is ACCEPT, port 10000 is reachable from every host on the LAN; restrict it with a Shorewall rule or Webmin's own IP access control if you don't want that.
