Steps To Configure A CentOS Router

http://keymoo.
info/trading
Moo Trader IT Infrastructure

Publish Date: 1 Sep 2012 This written guide is for videos 3, 4, 5 of my guide for a virtual trading infrastructure. There are five videos in the series. The playlist is here http://www.youtube.com/playlist?list=PL0EE3D21CC70F0541
1|Page
http://keymoo.info/trading
Part 3
Video guide available here: http://youtu.be/iBqjabVnfY0
Steps to configure a CentOS router/firewall

Install CentOS 6.3 x64
Download the ISO from http://www.centos.org/ or http://mirror.centos.org/centos/6/isos/x86_64/ I use CentOS-6.3-x86_64-bin-DVD1.iso theres a torrent link there also for a faster download.
Create VM
Create your VM as shown in the video in Part 3 here:
2|Page
3|Page
4|Page
5|Page
6|Page
7|Page
8|Page
9|Page
10 | P a g e
11 | P a g e
Boot VM and install CentOS
12 | P a g e
13 | P a g e
14 | P a g e
15 | P a g e
16 | P a g e
http://keymoo.info/trading Check the MAC addresses you configured in vSphere Client. In my example The external network is
Internal network is
Configure each network card
Click Edit
17 | P a g e
18 | P a g e
19 | P a g e
Click Apply
20 | P a g e
http://keymoo.info/trading Now edit the internal interface
21 | P a g e
Click Apply
22 | P a g e
http://keymoo.info/trading Click Close, Next.
23 | P a g e
24 | P a g e
25 | P a g e
http://keymoo.info/trading Click Write changes to disk
26 | P a g e
27 | P a g e
28 | P a g e
29 | P a g e
http://keymoo.info/trading Click Reboot
30 | P a g e
Login, and shut down the machine and take a Snapshot.
31 | P a g e
32 | P a g e
Power on Connect via Putty http://www.putty.org/
Click Yes
33 | P a g e
Check network interfaces are up and running
34 | P a g e
Update packages
yum update
This will update your packages to the latest version
Check network settings

ifconfig
Make sure that your adapters are set up correctly, note down which is internal, external and DMZ/Wireless if you use a third.
Install download tool

yum install wget
Install rpmforge
Download the files
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.i686.rpm wget http://apt.sw.be/RPM-GPG-KEY.dag.txt
Import the key

rpm --import RPM-GPG-KEY.dag.txt
Check the package

rpm -K rpmforge-release-0.5.2-2.el6.rf.i686.rpm
Install the package

rpm -ivh rpmforge-release-0.5.2-2.el6.rf.i686.rpm
Install nano editor

yum install nano
Check the package is enabled

nano /etc/yum.repos.d/rpmforge.repo
check its enabled

[rpmforge] name = RHEL $releasever - RPMforge.net - dag baseurl = http://apt.sw.be/redhat/el6/en/$basearch/rpmforge mirrorlist = http://apt.sw.be/redhat/el6/en/mirrors-rpmforge #mirrorlist = file:///etc/yum.repos.d/mirrors-rpmforge enabled = 1 protect = 0
35 | P a g e
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag gpgcheck = 1
36 | P a g e
Part 4
Video guide available here: http://youtu.be/gRIYIDyXQQY
Configure internal network interface

nano /etc/sysconfig/network-scripts/ifcfg-eth1
edit the file so it looks like this. Your HWADDR and UUID will be different. There may be other minor differences.
DEVICE="eth1" BOOTPROTO="static" ONBOOT=yes TYPE="Ethernet" UUID="2915807d-57a3-4c1b-a67e-96c3d10043f7" HWADDR=00:0C:29:5B:2D:17 IPADDR=10.0.0.9 DNS1=10.0.0.6 DNS2=208.67.222.222 DNS3=208.67.220.220 IPV4_FAILURE_FATAL=yes IPV6INIT=no NAME="eth1 internal"
Install Shorewall
Take a VMware snapshot
In case you mess this bit up
Install pre-requisites
Shorewall has some dependencies that are not resolved by the rpm package. You will need to install bc, perl and the perl-Digest-SHA1 package.
yum install bc perl perl-Digest-SHA1
Download the packages

Refer to http://shorewall.net/download.htm for more info
wget http://www.invoca.ch/pub/packages/shorewall/RPMS/ils-5/noarch/shorewall-4.5.7.1-1.el5.noarch.rpm wget http://www.invoca.ch/pub/packages/shorewall/RPMS/ils-5/noarch/shorewall-core-4.5.7.11.el5.noarch.rpm
Download the key 37 | P a g e
wget https://lists.shorewall.net/shorewall.gpg.key
Install the key

rpm --import shorewall.gpg.key
Install the core package

rpm -ivh shorewall-core-4.5.7.1-1.el5.noarch.rpm
Install the main package

rpm -ivh shorewall-4.5.7.1-1.el5.noarch.rpm
Check that shorewall is there

cd /etc/shorewall/ ls lha
Make copies of the config files were going to change in case we need to revert, and for future reference.
cp zones zones.orig cp shorewall.conf shorewall.conf.orig cp rules rules.orig cp policy policy.orig cp masq masq.orig cp interfaces interfaces.orig
Configure the firewall

Edit the zones file
nano zones
This file may differ from my setup, refer to the documentation http://shorewall.net/GettingStarted.html You will probably use the two-interface configuration, so I will show you how to set that up. http://shorewall.net/two-interface.htm Heres my file
# Shorewall version 4 - Zones File # # For information about this file, type "man shorewall-zones" # # The manpage is also online at
38 | P a g e
# http://www.shorewall.net/manpages/shorewall-zones.html # ############################################################################### #ZONE # fw net loc firewall ipv4 ipv4 TYPE OPTIONS IN OPTIONS OUT OPTIONS
nano interfaces
Add the following lines

net loc eth0 eth1 dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0 tcpflags,nosmurfs,routefilter,logmartians
Configure policy
nano policy
Add these lines

loc net loc $FW net all $FW all ACCEPT DROP ACCEPT ACCEPT info
# THE FOLLOWING POLICY MUST BE LAST all all REJECT info
Configure masquerading
nano masq
Add
eth0 10.0.0.0/8
Edit shorewall.conf so that the firewall is enabled at startup

nano shorewall.conf
Change
STARTUP_ENABLED=No
39 | P a g e
http://keymoo.info/trading To
STARTUP_ENABLED=Yes
Any other setups, look at the docs, theyre pretty good. Configure your files as shown in the guide on that two-interface page.
Check your firewall config

shorewall check
Should get something like this with no errors

Checking... Processing /etc/shorewall/params ... Processing /etc/shorewall/shorewall.conf... Loading Modules... Checking /etc/shorewall/zones... Checking /etc/shorewall/interfaces... Determining Hosts in Zones... Locating Action Files... Checking /usr/share/shorewall/action.Drop for chain Drop... Checking /usr/share/shorewall/action.Broadcast for chain Broadcast... Checking /usr/share/shorewall/action.Invalid for chain Invalid... Checking /usr/share/shorewall/action.NotSyn for chain NotSyn... Checking /usr/share/shorewall/action.Reject for chain Reject... Checking /etc/shorewall/policy... Running /etc/shorewall/initdone... Adding Anti-smurf Rules Adding rules for DHCP Checking TCP Flags filtering... Checking Kernel Route Filtering... Checking Martian Logging... Checking Accept Source Routing... Checking /etc/shorewall/tcrules... Checking MAC Filtration -- Phase 1... Checking /etc/shorewall/rules... Checking /etc/shorewall/conntrack... Checking MAC Filtration -- Phase 2...
40 | P a g e
Applying Policies... Shorewall configuration verified
Start your firewall for the first time

shorewall start
Should get this:

Compiling... Processing /etc/shorewall/params ... Processing /etc/shorewall/shorewall.conf... Loading Modules... Compiling /etc/shorewall/zones... Compiling /etc/shorewall/interfaces... Determining Hosts in Zones... Locating Action Files... Compiling /usr/share/shorewall/action.Drop for chain Drop... Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast... Compiling /usr/share/shorewall/action.Invalid for chain Invalid... Compiling /usr/share/shorewall/action.NotSyn for chain NotSyn... Compiling /usr/share/shorewall/action.Reject for chain Reject... Compiling /etc/shorewall/policy... Running /etc/shorewall/initdone... Adding Anti-smurf Rules Adding rules for DHCP Compiling TCP Flags filtering... Compiling Kernel Route Filtering... Compiling Martian Logging... Compiling Accept Source Routing... Compiling /etc/shorewall/tcrules... Compiling MAC Filtration -- Phase 1... Compiling /etc/shorewall/rules... Compiling /etc/shorewall/conntrack... Compiling MAC Filtration -- Phase 2... Applying Policies... Generating Rule Matrix...
41 | P a g e
Creating iptables-restore input... Shorewall configuration compiled to /var/lib/shorewall/.start Starting Shorewall.... Initializing... Processing /etc/shorewall/init ... Processing /etc/shorewall/tcclear ... Setting up Route Filtering... Setting up Martian Logging... Setting up Accept Source Routing... Setting up Proxy ARP... Preparing iptables-restore input... Running /sbin/iptables-restore... IPv4 Forwarding Enabled Processing /etc/shorewall/start ... Processing /etc/shorewall/started ... done.
Test your connection at this stage and configure one of your machines to use your new firewall as the gateway. It should work.
Troubleshooting
If it doesnt, then it is likely either ifcfg-eth0, ifcfg-eth1 or you have muddled up your internal with external interfaces. Check your /etc/shorewall/interfaces file. Check the output of ifconfig matches the network interfaces you have set up in VMware vSphere client.
Take a snapshot
We will take a snapshot now before moving on to the caching proxy server installation.
Proxy server installation

yum install squid
Done! Backup config file

cp /etc/squid/squid.conf /etc/squid/squid.conf.orig
Configure firewall to redirect local traffic to the proxy

nano /etc/shorewall/rules
Proxy server by default listens on port 3128. Add these lines /etc/shorewall/rules file
42 | P a g e
ACCEPT REDIRECT $FW loc net 3128 tcp tcp www www
Configure squid
nano /etc/squid/squid.conf
Change line
http_port 3128
to
http_port 3128 intercept
Depending on what your local network range is, you will need to comment out some possible internal networks in squid.conf. Mine looks like this:
# Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing # should be allowed acl localnet src 10.0.0.0/8 #acl localnet src 172.16.0.0/12 # RFC1918 possible internal network # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network #acl localnet src fc00::/7 #acl localnet src fe80::/10 # RFC 4193 local private network range # RFC 4291 link-local (directly plugged) machines
Restart shorewall and start squid

shorewall restart service squid start
Test
In your test machine, make sure you can still access the internet when it is pointed to this firewall as the gateway. All should be well. Squid can be configured in a variety of ways depending on your setup. I recommend you read the documentation. The default config options may not be optimal. You may want to change or add the following options:
Cache_mem Maximum_object_size_in_memory Maximum_object_size
And others.
Enable autostart of shorewall and squid

To see what services begin at startup, type 43 | P a g e
Chkconfig
Will look like this:

auditd crond ip6tables iptables lvm2-monitor netconsole netfs network postfix rdisc restorecond rsyslog saslauthd shorewall squid sshd udev-post 0:off 0:off 0:off 0:off 0:off 0:off 0:off 0:off 0:off 0:off 0:off 0:off 0:off 0:off 0:off 0:off 0:off 1:off 1:off 1:off 1:off 1:on 1:off 1:off 1:off 1:off 1:off 1:off 1:off 1:off 1:off 1:off 1:off 1:on 2:on 2:on 2:on 2:on 2:on 2:off 2:off 2:on 2:on 2:off 2:off 2:on 2:off 2:on 2:off 2:on 2:on 3:on 3:on 3:on 3:on 3:on 3:off 3:on 3:on 3:on 3:off 3:off 3:on 3:off 3:on 3:off 3:on 3:on 4:on 4:on 4:on 4:on 4:on 4:off 4:on 4:on 4:on 4:off 4:off 4:on 4:off 4:on 4:off 4:on 4:on 5:on 5:on 5:on 5:on 5:on 5:off 5:on 5:on 5:on 5:off 5:off 5:on 5:off 5:on 5:off 5:on 5:on 6:off 6:off 6:off 6:off 6:off 6:off 6:off 6:off 6:off 6:off 6:off 6:off 6:off 6:off 6:off 6:off 6:off
Shorewall should already be configured, but squid wont be.

chkconfig squid on
Squid will now start on boot.
Take a snapshot
We will take a snapshot now before moving on to the content filter installation. If you dont want a content filter, then you can skip this step. If you have kids on your network, you might want to install and configure this, or use OpenDNS.org as a content filter. I use both.
Install content filter

This step can be skipped if you dont want a content filter.
yum install dansguardian
Reconfigure firewall
You will need to point your firewall to dansguardian now instead of squid. The flow is
internet->firewall->dansguardian->squid->client
44 | P a g e
http://keymoo.info/trading listens on port 8080, so we need to change the firewall.
dansguardian
nano /etc/shorewall/rules
Change
REDIRECT loc 3128 tcp www
To
REDIRECT loc 8080 tcp www
Configure dansguardian
Dansguardian comes with a lot of config files and blacklist files. Im not going into it in depth here, theres plenty of info on the internet about it. Dansguardian should work with the default config, but it is setup for a primary school and will be over-eager in blocking. Change the naughtiness level to from 50 to a higher number. I use 150. Before we do that, lets copy our original files.
cp /etc/dansguardian/dansguardian.conf /etc/dansguardian/dansguardian.conf.orig cp /etc/dansguardian/dansguardianf1.conf /etc/dansguardian/dansguardianf1.conf.orig
Dansguardian allows you to have different settings in the dansguardianf1, dansguardianf2 file, etc. I only use one, lets edit dansguardianf1.conf
nano /etc/dansguardian/dansguardianf1.conf
Change the line

Naughtynesslimit = 50
To
Naughtynesslimit = 150
Yes, the dansguardian developers cant spell. Start dansguardian

service dansguardian start
Test your connection. Try a dodgy site, it should be blocked. There are various exception files which you can configure, have a look through and read the docs if you want to tune it to your needs. Finally,
chkconfig dansguardian on
Take a snapshot
We will take a snapshot now before moving on to the DNS/DHCP installation.
45 | P a g e
DNS/DHCP Server config

You can use industry standard software for this, but they are quite large and tricky to set up. The main ones are BIND9, and ISC DHCP. I use dnsmasq instead as it is easier for me to set up. You can use the heavier weight ones if you like, but you dont need to for home/soho use.
yum install dnsmasq
IMPORTANT: Before starting this, make sure any other DHCP and DNS servers are stopped on your network. Competing DHCP servers on a network dont work very well.
DHCP
DHCP is configured using the dnsmasq.conf file. If you want to use DHCP reservations then use the /etc/ethers file. This will give out the same IP address every time for the MAC address specified. For info on configuring dnsmasq, go to http://www.thekelleys.org.uk/dnsmasq/doc.html My config file looks like this:
# these options were copied from ClearOS config bogus-priv cache-size=5000 conf-dir=/etc/dnsmasq.d dhcp-authoritative dhcp-lease-max=1000 domain-needed domain=localdomain expand-hosts no-negcache strict-order user=nobody
# For debugging purposes, log each DNS query as it passes through. log-queries
# Log lots of extra information about DHCP transactions. log-dhcp
DHCP options are in /etc/dnsmasq.d/dhcp.conf My file looks like this

dhcp-option=eth1,1,255.255.255.0 dhcp-option=eth1,3,10.0.0.9 dhcp-option=eth1,6,10.0.0.9,208.67.222.222,208.67.220.220
46 | P a g e
dhcp-option=eth1,15,localdomain dhcp-option=eth1,28,10.0.0.255 dhcp-range=eth1,10.0.0.100,10.0.0.254,12h read-ethers
This file doesnt exist by default, you will need to create it. option 1 is the netmask to give option 3 is the default gateway set this to 10.0.0.9 option 6 are the DNS servers to give out. option 15 is the domain suffix option 28 is the broadcast address dhcp-range is the range of ip addresses that dynamic IPs will be given out. Read-ethers tells dnsmasq to read the /etc/ethers file My /etc/ethers file looks like this
# see man ethers for syntax 00:1b:2f:d5:f6:78 10.0.0.2 00:0c:29:cd:6f:18 10.0.0.6
Etc for each MAC address on your network. I have about 25 lines in here.
DNS setup
The DNS is read from the /etc/hosts file. Make sure this is set up how you want. Mine looks like this:
127.0.0.1 10.0.0.6 localhost.localdomain localhost carbon.localdomain carbon
10.0.0.1 hydrogen.localdomain hydrogen 10.0.0.2 helium.localdomain helium 10.0.0.3 lithium.localdomain lithium 10.0.0.4 beryllium.localdomain 10.0.0.5 boron.localdomain boron 10.0.0.7 nitrogen.localdomain nitrogen 10.0.0.8 oxygen.localdomain oxygen 10.0.0.9 flourine.localdomain flourine 10.0.0.10 neon.localdomain neon 10.0.0.12 magnesium.localdomain magnesium
47 | P a g e
http://keymoo.info/trading Finally,
chkconfig dnsmasq on
Shut down your server and take another snapshot. Boot it up and test it with a client using DHCP. It should all work.
48 | P a g e
Part 5
Video guide available here: http://youtu.be/4EFnSJS5FWQ
NTP
Install the service
Yum install ntp
Backup the config file

cp /etc/ntp.conf /etc/ntp.conf.orig
A the top of the file add

tinker panic 0
In the server section you can add your preferred NTP servers near your location. Start the service,
service ntpd start
Start at boot
chkconfig ntpd on
Webmin
Documentation here http://www.webmin.com/rpm.html Add the webmin repo
nano /etc/yum.repos.d/webmin.repo
And add these lines

[Webmin] name=Webmin Distribution Neutral #baseurl=http://download.webmin.com/download/yum mirrorlist=http://download.webmin.com/download/yum/mirrorlist enabled=1
Download the key

wget http://www.webmin.com/jcameron-key.asc
Import the key

rpm --import jcameron-key.asc
Update the repos

yum update
Install the software 49 | P a g e
yum install webmin
When its installed you should be able to access it like so http://flourine.localdomain:10000/ You will get a screen similar to this in your browser
50 | P a g e

Steps To Configure A CentOS Router

Încărcat de

Informații document

Descriere originală:

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Steps To Configure A CentOS Router

Încărcat de

Drepturi de autor:

Formate disponibile

http://keymoo.

Moo Trader IT Infrastructure

Steps to configure a CentOS router/firewall

Boot VM and install CentOS

Configure each network card

http://keymoo.info/trading Now edit the internal interface

http://keymoo.info/trading Click Close, Next.

http://keymoo.info/trading Click Write changes to disk

http://keymoo.info/trading Click Reboot

Login, and shut down the machine and take a Snapshot.

Power on Connect via Putty http://www.putty.org/

Check network interfaces are up and running

This will update your packages to the latest version

Check network settings

Install download tool

Import the key

Check the package

Install the package

Install nano editor

Check the package is enabled

check its enabled

Configure internal network interface

Download the packages

Download the key 37 | P a g e

Install the key

Install the core package

Install the main package

Check that shorewall is there

Configure the firewall

Add the following lines

Add these lines

# THE FOLLOWING POLICY MUST BE LAST all all REJECT info

Edit shorewall.conf so that the firewall is enabled at startup

Check your firewall config

Should get something like this with no errors

Start your firewall for the first time

Should get this:

Proxy server installation

Done! Backup config file

Configure firewall to redirect local traffic to the proxy

Restart shorewall and start squid

Enable autostart of shorewall and squid

Will look like this:

Shorewall should already be configured, but squid wont be.

Squid will now start on boot.

Install content filter

http://keymoo.info/trading listens on port 8080, so we need to change the firewall.

Change the line

Yes, the dansguardian developers cant spell. Start dansguardian

DNS/DHCP Server config

# Log lots of extra information about DHCP transactions. log-dhcp

DHCP options are in /etc/dnsmasq.d/dhcp.conf My file looks like this

Backup the config file

A the top of the file add

And add these lines

Download the key

Import the key

Update the repos

Install the software 49 | P a g e

S-ar putea să vă placă și