
http://keymoo.info/trading

Moo Trader IT Infrastructure


Publish Date: 1 Sep 2012

This written guide covers videos 3, 4 and 5 of my guide to a virtual trading infrastructure. There are five videos in the series. The playlist is here: http://www.youtube.com/playlist?list=PL0EE3D21CC70F0541

1|Page

http://keymoo.info/trading

Part 3
Video guide available here: http://youtu.be/iBqjabVnfY0

Steps to configure a CentOS router/firewall


Install CentOS 6.3 x64
Download the ISO from http://www.centos.org/ or http://mirror.centos.org/centos/6/isos/x86_64/. I use CentOS-6.3-x86_64-bin-DVD1.iso; there's a torrent link there as well for a faster download.

Create VM
Create your VM as shown in the video in Part 3 here:


Boot VM and install CentOS

Check the MAC addresses you configured in vSphere Client. In my example the external network is

Internal network is

Configure each network card

Click Edit


Click Apply

Now edit the internal interface


Click Apply

Click Close, then Next.

Click Write changes to disk

Click Reboot


Log in, then shut down the machine and take a snapshot.


Power on and connect via PuTTY (http://www.putty.org/).

Click Yes


Check network interfaces are up and running


Update packages
yum update

This will update your packages to the latest versions.

Check network settings


ifconfig

Make sure that your adapters are set up correctly, and note down which is internal, which is external, and which is DMZ/wireless if you use a third.

Install download tool


yum install wget

Install rpmforge
Download the files
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.i686.rpm
wget http://apt.sw.be/RPM-GPG-KEY.dag.txt

Import the key


rpm --import RPM-GPG-KEY.dag.txt

Check the package


rpm -K rpmforge-release-0.5.2-2.el6.rf.i686.rpm

Install the package


rpm -ivh rpmforge-release-0.5.2-2.el6.rf.i686.rpm

Install nano editor


yum install nano

Check the package is enabled


nano /etc/yum.repos.d/rpmforge.repo

Check it's enabled:


[rpmforge]
name = RHEL $releasever - RPMforge.net - dag
baseurl = http://apt.sw.be/redhat/el6/en/$basearch/rpmforge
mirrorlist = http://apt.sw.be/redhat/el6/en/mirrors-rpmforge
#mirrorlist = file:///etc/yum.repos.d/mirrors-rpmforge
enabled = 1
protect = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
gpgcheck = 1


Part 4
Video guide available here: http://youtu.be/gRIYIDyXQQY

Configure internal network interface


nano /etc/sysconfig/network-scripts/ifcfg-eth1

Edit the file so it looks like this. Your HWADDR and UUID will be different, and there may be other minor differences.

DEVICE="eth1"
BOOTPROTO="static"
ONBOOT=yes
TYPE="Ethernet"
UUID="2915807d-57a3-4c1b-a67e-96c3d10043f7"
HWADDR=00:0C:29:5B:2D:17
IPADDR=10.0.0.9
DNS1=10.0.0.6
DNS2=208.67.222.222
DNS3=208.67.220.220
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="eth1 internal"

Install Shorewall
Take a VMware snapshot
In case you mess this bit up.

Install pre-requisites
Shorewall has some dependencies that are not resolved by the rpm package. You will need to install bc, perl and the perl-Digest-SHA1 package.
yum install bc perl perl-Digest-SHA1

Download the packages


Refer to http://shorewall.net/download.htm for more info.

wget http://www.invoca.ch/pub/packages/shorewall/RPMS/ils-5/noarch/shorewall-4.5.7.1-1.el5.noarch.rpm
wget http://www.invoca.ch/pub/packages/shorewall/RPMS/ils-5/noarch/shorewall-core-4.5.7.1-1.el5.noarch.rpm

Download the key

wget https://lists.shorewall.net/shorewall.gpg.key

Install the key


rpm --import shorewall.gpg.key

Install the core package


rpm -ivh shorewall-core-4.5.7.1-1.el5.noarch.rpm

Install the main package


rpm -ivh shorewall-4.5.7.1-1.el5.noarch.rpm

Check that shorewall is there


cd /etc/shorewall/
ls -lha

Make copies of the config files we're going to change, in case we need to revert and for future reference.

cp zones zones.orig
cp shorewall.conf shorewall.conf.orig
cp rules rules.orig
cp policy policy.orig
cp masq masq.orig
cp interfaces interfaces.orig

Configure the firewall


Edit the zones file
nano zones

This file may differ from my setup; refer to the documentation at http://shorewall.net/GettingStarted.html. You will probably use the two-interface configuration, so I will show you how to set that up: http://shorewall.net/two-interface.htm. Here's my file:
# Shorewall version 4 - Zones File
#
# For information about this file, type "man shorewall-zones"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-zones.html
#
###############################################################################
#ZONE   TYPE        OPTIONS         IN OPTIONS      OUT OPTIONS
fw      firewall
net     ipv4
loc     ipv4

nano interfaces

Add the following lines


net     eth0    dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
loc     eth1    tcpflags,nosmurfs,routefilter,logmartians

Configure policy
nano policy

Add these lines


#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
net     all     DROP    info
loc     $FW     ACCEPT
$FW     all     ACCEPT
# THE FOLLOWING POLICY MUST BE LAST
all     all     REJECT  info

Configure masquerading
nano masq

Add
eth0 10.0.0.0/8

Edit shorewall.conf so that the firewall is enabled at startup


nano shorewall.conf

Change
STARTUP_ENABLED=No

To
STARTUP_ENABLED=Yes

For any other setups, look at the docs; they're pretty good. Configure your files as shown in the guide on that two-interface page.
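`shorewall check` validates syntax, but it will not tell you that a zone is misspelled in one file or that something slipped in below the catch-all policy. The script below is an added example, not part of the original guide or of Shorewall itself: it reports zone names used in interfaces or policy that zones does not declare, and confirms that the last effective policy line is the "all all REJECT" the guide says must come last. The sample files are constructed inline so it runs offline; point the functions at /etc/shorewall to check a real box.

```shell
#!/bin/sh
# Added example, not part of the original guide: a sanity check for the three
# Shorewall files edited above. Sample files are constructed here (copies of
# the guide's own zones/interfaces/policy content) so the check runs offline.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
EOF
cat > "$WORK/interfaces" <<'EOF'
net     eth0    dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
loc     eth1    tcpflags,nosmurfs,routefilter,logmartians
EOF
cat > "$WORK/policy" <<'EOF'
loc     net     ACCEPT
net     all     DROP    info
loc     $FW     ACCEPT
$FW     all     ACCEPT
# THE FOLLOWING POLICY MUST BE LAST
all     all     REJECT  info
EOF

# Drop comments and blank lines, as Shorewall does when it reads its files.
strip() { sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"; }

# Print each zone named in interfaces or policy that zones does not declare.
# $FW (the firewall itself) and "all" are built-in names, so never reported.
undeclared_zones() {
    declared=$(strip "$1/zones" | awk '{print $1}')
    { strip "$1/interfaces" | awk '{print $1}'
      strip "$1/policy" | awk '{print $1; print $2}'; } |
        grep -v -e '^\$FW$' -e '^all$' | sort -u |
        while read -r zone; do
            echo "$declared" | grep -qxF "$zone" || echo "$zone"
        done
}

# Succeed only when the final effective policy entry is the catch-all.
last_policy_is_catchall() {
    strip "$1/policy" | tail -n 1 |
        awk '$1 == "all" && $2 == "all" && ($3 == "REJECT" || $3 == "DROP") { ok = 1 }
             END { exit ok ? 0 : 1 }'
}

undeclared_zones "$WORK"          # prints nothing for the files above
last_policy_is_catchall "$WORK" && echo "catch-all policy is last"
```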

Check your firewall config


shorewall check

You should get something like this, with no errors:


Checking...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Checking /etc/shorewall/zones...
Checking /etc/shorewall/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Checking /usr/share/shorewall/action.Drop for chain Drop...
Checking /usr/share/shorewall/action.Broadcast for chain Broadcast...
Checking /usr/share/shorewall/action.Invalid for chain Invalid...
Checking /usr/share/shorewall/action.NotSyn for chain NotSyn...
Checking /usr/share/shorewall/action.Reject for chain Reject...
Checking /etc/shorewall/policy...
Running /etc/shorewall/initdone...
Adding Anti-smurf Rules
Adding rules for DHCP
Checking TCP Flags filtering...
Checking Kernel Route Filtering...
Checking Martian Logging...
Checking Accept Source Routing...
Checking /etc/shorewall/tcrules...
Checking MAC Filtration -- Phase 1...
Checking /etc/shorewall/rules...
Checking /etc/shorewall/conntrack...
Checking MAC Filtration -- Phase 2...
Applying Policies...
Shorewall configuration verified

Start your firewall for the first time


shorewall start

You should get this:


Compiling...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Compiling /usr/share/shorewall/action.Drop for chain Drop...
Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
Compiling /usr/share/shorewall/action.Invalid for chain Invalid...
Compiling /usr/share/shorewall/action.NotSyn for chain NotSyn...
Compiling /usr/share/shorewall/action.Reject for chain Reject...
Compiling /etc/shorewall/policy...
Running /etc/shorewall/initdone...
Adding Anti-smurf Rules
Adding rules for DHCP
Compiling TCP Flags filtering...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling Accept Source Routing...
Compiling /etc/shorewall/tcrules...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall/rules...
Compiling /etc/shorewall/conntrack...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Generating Rule Matrix...
Creating iptables-restore input...
Shorewall configuration compiled to /var/lib/shorewall/.start
Starting Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Processing /etc/shorewall/tcclear ...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Accept Source Routing...
Setting up Proxy ARP...
Preparing iptables-restore input...
Running /sbin/iptables-restore...
IPv4 Forwarding Enabled
Processing /etc/shorewall/start ...
Processing /etc/shorewall/started ...
done.

Test your connection at this stage and configure one of your machines to use your new firewall as the gateway. It should work.

Troubleshooting
If it doesn't, then the problem is most likely in ifcfg-eth0 or ifcfg-eth1, or you have muddled up your internal and external interfaces. Check your /etc/shorewall/interfaces file, and check that the output of ifconfig matches the network interfaces you set up in the VMware vSphere client.

Take a snapshot
We will take a snapshot now before moving on to the caching proxy server installation.

Proxy server installation


yum install squid

Done! Back up the config file


cp /etc/squid/squid.conf /etc/squid/squid.conf.orig

Configure firewall to redirect local traffic to the proxy


nano /etc/shorewall/rules

The proxy server listens on port 3128 by default. Add these lines to the /etc/shorewall/rules file:

#ACTION    SOURCE   DEST    PROTO   DEST PORT(S)
ACCEPT     $FW      net     tcp     www
REDIRECT   loc      3128    tcp     www

Configure squid
nano /etc/squid/squid.conf

Change line
http_port 3128

to
http_port 3128 intercept

Depending on what your local network range is, you will need to comment out some possible internal networks in squid.conf. Mine looks like this:
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8       # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12   # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16  # RFC1918 possible internal network
#acl localnet src fc00::/7        # RFC 4193 local private network range
#acl localnet src fe80::/10       # RFC 4291 link-local (directly plugged) machines

Restart shorewall and start squid


shorewall restart
service squid start

Test
On your test machine, make sure you can still access the internet when it is pointed at this firewall as the gateway. All should be well. Squid can be configured in a variety of ways depending on your setup; I recommend you read the documentation, as the default config options may not be optimal. You may want to change or add the following options:

cache_mem
maximum_object_size_in_memory
maximum_object_size

and others.

Enable autostart of shorewall and squid


To see what services begin at startup, type

chkconfig

It will look like this:


auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
ip6tables       0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
lvm2-monitor    0:off   1:on    2:on    3:on    4:on    5:on    6:off
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
postfix         0:off   1:off   2:on    3:on    4:on    5:on    6:off
rdisc           0:off   1:off   2:off   3:off   4:off   5:off   6:off
restorecond     0:off   1:off   2:off   3:off   4:off   5:off   6:off
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
saslauthd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
shorewall       0:off   1:off   2:on    3:on    4:on    5:on    6:off
squid           0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
udev-post       0:off   1:on    2:on    3:on    4:on    5:on    6:off

Shorewall should already be configured to start on boot, but squid won't be.


chkconfig squid on

Squid will now start on boot.

Take a snapshot
We will take a snapshot now before moving on to the content filter installation. If you don't want a content filter, you can skip this step. If you have kids on your network, you might want to install and configure this, or use OpenDNS.org as a content filter. I use both.

Install content filter


This step can be skipped if you don't want a content filter.
yum install dansguardian

Reconfigure firewall
You will need to point your firewall at dansguardian now instead of squid. The flow is
internet->firewall->dansguardian->squid->client

dansguardian listens on port 8080, so we need to change the firewall.

nano /etc/shorewall/rules

Change
REDIRECT loc 3128 tcp www

To
REDIRECT loc 8080 tcp www

Configure dansguardian
Dansguardian comes with a lot of config files and blacklist files. I'm not going into it in depth here; there's plenty of info on the internet about it. Dansguardian should work with the default config, but it is set up for a primary school and will be over-eager in blocking. Change the naughtiness level from 50 to a higher number; I use 150. Before we do that, let's copy our original files.

cp /etc/dansguardian/dansguardian.conf /etc/dansguardian/dansguardian.conf.orig
cp /etc/dansguardian/dansguardianf1.conf /etc/dansguardian/dansguardianf1.conf.orig

Dansguardian allows you to have different settings in the dansguardianf1, dansguardianf2, etc. files. I only use one, so let's edit dansguardianf1.conf
nano /etc/dansguardian/dansguardianf1.conf

Change the line


naughtynesslimit = 50

To
naughtynesslimit = 150

Yes, the dansguardian developers can't spell. Start dansguardian


service dansguardian start

Test your connection. Try a dodgy site; it should be blocked. There are various exception files which you can configure; have a look through and read the docs if you want to tune it to your needs. Finally,
chkconfig dansguardian on

Take a snapshot
We will take a snapshot now before moving on to the DNS/DHCP installation.


DNS/DHCP Server config


You can use industry-standard software for this, but it is quite large and tricky to set up. The main ones are BIND9 and ISC DHCP. I use dnsmasq instead, as it is easier for me to set up. You can use the heavier-weight ones if you like, but you don't need to for home/SOHO use.
yum install dnsmasq

IMPORTANT: Before starting this, make sure any other DHCP and DNS servers on your network are stopped. Competing DHCP servers on a network don't work very well.

DHCP
DHCP is configured using the dnsmasq.conf file. If you want to use DHCP reservations, use the /etc/ethers file; this will give out the same IP address every time for the MAC address specified. For info on configuring dnsmasq, go to http://www.thekelleys.org.uk/dnsmasq/doc.html. My config file looks like this:

# these options were copied from ClearOS config
bogus-priv
cache-size=5000
conf-dir=/etc/dnsmasq.d
dhcp-authoritative
dhcp-lease-max=1000
domain-needed
domain=localdomain
expand-hosts
no-negcache
strict-order
user=nobody

# For debugging purposes, log each DNS query as it passes through. log-queries

# Log lots of extra information about DHCP transactions. log-dhcp

DHCP options are in /etc/dnsmasq.d/dhcp.conf. My file looks like this:


dhcp-option=eth1,1,255.255.255.0
dhcp-option=eth1,3,10.0.0.9
dhcp-option=eth1,6,10.0.0.9,208.67.222.222,208.67.220.220
dhcp-option=eth1,15,localdomain
dhcp-option=eth1,28,10.0.0.255
dhcp-range=eth1,10.0.0.100,10.0.0.254,12h
read-ethers

This file doesn't exist by default; you will need to create it.
option 1 is the netmask to give out
option 3 is the default gateway; set this to 10.0.0.9
option 6 is the list of DNS servers to give out
option 15 is the domain suffix
option 28 is the broadcast address
dhcp-range is the range of IP addresses from which dynamic IPs will be given out
read-ethers tells dnsmasq to read the /etc/ethers file

My /etc/ethers file looks like this:

# see man ethers for syntax
00:1b:2f:d5:f6:78 10.0.0.2
00:0c:29:cd:6f:18 10.0.0.6

And so on for each MAC address on your network. I have about 25 lines in here.

DNS setup
DNS is read from the /etc/hosts file. Make sure this is set up how you want. Mine looks like this:

127.0.0.1   localhost.localdomain localhost
10.0.0.6    carbon.localdomain carbon

10.0.0.1    hydrogen.localdomain hydrogen
10.0.0.2    helium.localdomain helium
10.0.0.3    lithium.localdomain lithium
10.0.0.4    beryllium.localdomain
10.0.0.5    boron.localdomain boron
10.0.0.7    nitrogen.localdomain nitrogen
10.0.0.8    oxygen.localdomain oxygen
10.0.0.9    flourine.localdomain flourine
10.0.0.10   neon.localdomain neon
10.0.0.12   magnesium.localdomain magnesium
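Two things go wrong easily with this dnsmasq layout: a reservation in /etc/ethers that sits inside dhcp-range can collide with a dynamic lease, and a reserved address with no /etc/hosts entry gets no name from DNS. The script below is an added example, not part of the original guide or of dnsmasq: it parses the dhcp.conf, ethers and hosts files described above and reports both problems. The sample files are constructed inline so it runs offline; the third ethers entry is a deliberate bad reservation.

```shell
#!/bin/sh
# Added example, not from the original guide: cross-check dnsmasq reservation
# files. Sample files are constructed here so the check runs offline.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/dhcp.conf" <<'EOF'
dhcp-option=eth1,3,10.0.0.9
dhcp-range=eth1,10.0.0.100,10.0.0.254,12h
read-ethers
EOF
cat > "$WORK/ethers" <<'EOF'
# see man ethers for syntax
00:1b:2f:d5:f6:78 10.0.0.2
00:0c:29:cd:6f:18 10.0.0.6
00:0c:29:aa:bb:cc 10.0.0.120
EOF
cat > "$WORK/hosts" <<'EOF'
127.0.0.1   localhost.localdomain localhost
10.0.0.2    helium.localdomain helium
10.0.0.6    carbon.localdomain carbon
EOF

# Dotted quad to integer, so addresses compare numerically.
ip2int() { echo "$1" | awk -F. '{ print $1*16777216 + $2*65536 + $3*256 + $4 }'; }

# Reservations from ethers (comments and blank lines removed) as "mac ip" lines.
reservations() { sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1/ethers"; }

# Print "mac ip" for every reservation that falls inside the dynamic dhcp-range.
reservations_in_range() {
    range=$(sed -n 's/^dhcp-range=[^,]*,\([^,]*\),\([^,]*\),.*/\1 \2/p' "$1/dhcp.conf")
    lo=$(ip2int "${range% *}"); hi=$(ip2int "${range#* }")
    reservations "$1" | while read -r mac ip; do
        n=$(ip2int "$ip")
        if [ "$n" -ge "$lo" ] && [ "$n" -le "$hi" ]; then echo "$mac $ip"; fi
    done
}

# Print every reserved address that has no entry in hosts (so no DNS name).
reservations_without_name() {
    reservations "$1" | while read -r mac ip; do
        awk -v ip="$ip" '$1 == ip { found = 1 } END { exit found ? 0 : 1 }' "$1/hosts" ||
            echo "$ip"
    done
}

reservations_in_range "$WORK"        # 00:0c:29:aa:bb:cc 10.0.0.120
reservations_without_name "$WORK"    # 10.0.0.120
```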

Finally,
chkconfig dnsmasq on

Shut down your server and take another snapshot. Boot it up and test it with a client using DHCP. It should all work.


Part 5
Video guide available here: http://youtu.be/4EFnSJS5FWQ

NTP
Install the service
yum install ntp

Backup the config file


cp /etc/ntp.conf /etc/ntp.conf.orig

At the top of the file add


tinker panic 0

In the server section you can add your preferred NTP servers near your location. Start the service:
service ntpd start

Start at boot
chkconfig ntpd on

Webmin
Documentation is here: http://www.webmin.com/rpm.html. Add the webmin repo:
nano /etc/yum.repos.d/webmin.repo

And add these lines


[Webmin]
name=Webmin Distribution Neutral
#baseurl=http://download.webmin.com/download/yum
mirrorlist=http://download.webmin.com/download/yum/mirrorlist
enabled=1

Download the key


wget http://www.webmin.com/jcameron-key.asc

Import the key


rpm --import jcameron-key.asc

Update the repos


yum update

Install the software
yum install webmin

When it's installed you should be able to access it like so: http://flourine.localdomain:10000/ You will get a screen similar to this in your browser:
