1|Page
http://keymoo.info/trading
Part 3
Video guide available here: http://youtu.be/iBqjabVnfY0
Create VM
Create your VM as shown in the video in Part 3 here:
Check the MAC addresses you configured in vSphere Client. In my example the external network is
Internal network is
Click Edit
Click Apply
Click Apply
Click Yes
Update packages
yum update
Make sure that your adapters are set up correctly, note down which is internal, external and DMZ/Wireless if you use a third.
Install rpmforge
Download the files
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.i686.rpm
wget http://apt.sw.be/RPM-GPG-KEY.dag.txt
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
gpgcheck = 1
Part 4
Video guide available here: http://youtu.be/gRIYIDyXQQY
Edit the file so it looks like this. Your HWADDR and UUID will be different, and there may be other minor differences.
DEVICE="eth1"
BOOTPROTO="static"
ONBOOT=yes
TYPE="Ethernet"
UUID="2915807d-57a3-4c1b-a67e-96c3d10043f7"
HWADDR=00:0C:29:5B:2D:17
IPADDR=10.0.0.9
DNS1=10.0.0.6
DNS2=208.67.222.222
DNS3=208.67.220.220
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="eth1 internal"
Install Shorewall
Take a VMware snapshot
In case you mess this bit up
Install pre-requisites
Shorewall has some dependencies that are not resolved by the rpm package. You will need to install bc, perl and the perl-Digest-SHA1 package.
yum install bc perl perl-Digest-SHA1
wget https://lists.shorewall.net/shorewall.gpg.key
Make copies of the config files we're going to change, in case we need to revert and for future reference.
cp zones zones.orig
cp shorewall.conf shorewall.conf.orig
cp rules rules.orig
cp policy policy.orig
cp masq masq.orig
cp interfaces interfaces.orig
This file may differ from my setup; refer to the documentation at http://shorewall.net/GettingStarted.html. You will probably use the two-interface configuration, so I will show you how to set that up: http://shorewall.net/two-interface.htm. Here's my file:
#
# Shorewall version 4 - Zones File
#
# For information about this file, type "man shorewall-zones"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-zones.html
#
###############################################################################
#ZONE   TYPE        OPTIONS     IN              OUT
#                               OPTIONS         OPTIONS
fw      firewall
net     ipv4
loc     ipv4
nano interfaces
Configure policy
nano policy
Configure masquerading
nano masq
Add
eth0 10.0.0.0/8
Change
STARTUP_ENABLED=No
To
STARTUP_ENABLED=Yes
For any other setup, look at the docs; they're pretty good. Configure your files as shown in the guide on that two-interface page.
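As an added example (not from this guide or from the Shorewall project), the POSIX shell script below stages the two-interface files just described in a scratch directory and checks that every zone named in interfaces, policy and rules is declared in zones. An undeclared zone is a common reason for the compile step to fail, and this lets you catch it before touching the live firewall. The staging directory, the eth0/eth1 naming and the 10.0.0.0/8 range are assumptions taken from this guide's own setup; nothing under /etc/shorewall is written.

```shell
#!/bin/sh
# Added example: stage a Shorewall two-interface config and cross-check zone names.
# Assumption: eth0 is external (net), eth1 is internal (loc), as in the guide.

write_shorewall_config() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
EOF
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        tcpflags,nosmurfs,routefilter,logmartians
EOF
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF
    cat > "$dir/masq" <<'EOF'
#INTERFACE  SOURCE
eth0        10.0.0.0/8
EOF
    cat > "$dir/rules" <<'EOF'
#ACTION     SOURCE  DEST    PROTO   DPORT
ACCEPT      $FW     net     tcp     www
REDIRECT    loc     3128    tcp     www
EOF
}

# Strip comments and blank lines from a Shorewall table file.
cfg_lines() { sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"; }

# First column of zones: the zone names the firewall actually knows about.
declared_zones() { cfg_lines "$1/zones" | awk '{ print $1 }'; }

# Print each zone referenced in interfaces/policy/rules that zones does not declare.
# "all" and "$FW" are Shorewall keywords, not zones; for REDIRECT the DEST column
# holds a port, so only its SOURCE column is a zone reference.
undeclared_zones() {
    dir="$1"
    zones=" $(declared_zones "$dir" | tr '\n' ' ') "
    {
        cfg_lines "$dir/interfaces" | awk '{ print $1 }'
        cfg_lines "$dir/policy"     | awk '{ print $1; print $2 }'
        cfg_lines "$dir/rules"      | awk '$1 == "REDIRECT" { print $2; next } { print $2; print $3 }'
    } | sort -u | while read -r z; do
        case "$z" in all|'$FW'|-) continue ;; esac
        case "$zones" in *" $z "*) ;; *) echo "$z" ;; esac
    done
}

# Returns 0 when every referenced zone is declared, 1 otherwise (names on stderr).
check_zone_refs() {
    missing=$(undeclared_zones "$1")
    if [ -n "$missing" ]; then
        echo "undeclared zones: $missing" >&2
        return 1
    fi
    return 0
}

# Usage (assumed scratch path):
#   write_shorewall_config /tmp/shorewall-stage && check_zone_refs /tmp/shorewall-stage
```

Once the staged files pass, copy them into /etc/shorewall and run shorewall check as the guide does; the check here only covers zone naming, not syntax in the OPTIONS columns.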
Applying Policies... Shorewall configuration verified
Creating iptables-restore input...
Shorewall configuration compiled to /var/lib/shorewall/.start
Starting Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Processing /etc/shorewall/tcclear ...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Accept Source Routing...
Setting up Proxy ARP...
Preparing iptables-restore input...
Running /sbin/iptables-restore...
IPv4 Forwarding Enabled
Processing /etc/shorewall/start ...
Processing /etc/shorewall/started ...
done.
Test your connection at this stage and configure one of your machines to use your new firewall as the gateway. It should work.
Troubleshooting
If it doesn't, the problem is likely in ifcfg-eth0 or ifcfg-eth1, or you have muddled up your internal and external interfaces. Check your /etc/shorewall/interfaces file, and check that the output of ifconfig matches the network interfaces you set up in the VMware vSphere client.
Take a snapshot
We will take a snapshot now before moving on to the caching proxy server installation.
The proxy server listens on port 3128 by default. Add these lines to the /etc/shorewall/rules file:
#ACTION     SOURCE  DEST    PROTO   DPORT
ACCEPT      $FW     net     tcp     www
REDIRECT    loc     3128    tcp     www
Configure squid
nano /etc/squid/squid.conf
Change line
http_port 3128
to
http_port 3128 intercept
Depending on what your local network range is, you will need to comment out some possible internal networks in squid.conf. Mine looks like this:
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8       # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12   # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16  # RFC1918 possible internal network
#acl localnet src fc00::/7        # RFC 4193 local private network range
#acl localnet src fe80::/10       # RFC 4291 link-local (directly plugged) machines
Test
In your test machine, make sure you can still access the internet when it is pointed to this firewall as the gateway. All should be well. Squid can be configured in a variety of ways depending on your setup. I recommend you read the documentation. The default config options may not be optimal. You may want to change or add the following options:
cache_mem
maximum_object_size_in_memory
maximum_object_size
And others.
Chkconfig
Take a snapshot
We will take a snapshot now before moving on to the content filter installation. If you don't want a content filter, you can skip this step. If you have kids on your network, you might want to install and configure this, or use OpenDNS.org as a content filter. I use both.
Reconfigure firewall
You will need to point your firewall to dansguardian now instead of squid. The flow is
internet->firewall->dansguardian->squid->client
dansguardian
nano /etc/shorewall/rules
Change
REDIRECT loc 3128 tcp www
To
REDIRECT loc 8080 tcp www
Configure dansguardian
Dansguardian comes with a lot of config files and blacklist files. I'm not going into it in depth here; there's plenty of info on the internet about it. Dansguardian should work with the default config, but it is set up for a primary school and will be over-eager in blocking. Change the naughtiness level from 50 to a higher number; I use 150. Before we do that, let's copy our original files.
cp /etc/dansguardian/dansguardian.conf /etc/dansguardian/dansguardian.conf.orig
cp /etc/dansguardian/dansguardianf1.conf /etc/dansguardian/dansguardianf1.conf.orig
Dansguardian allows you to have different settings in the dansguardianf1.conf, dansguardianf2.conf, etc. files. I only use one, so let's edit dansguardianf1.conf.
nano /etc/dansguardian/dansguardianf1.conf
Change
naughtynesslimit = 50
to
naughtynesslimit = 150
Test your connection. Try a dodgy site, it should be blocked. There are various exception files which you can configure, have a look through and read the docs if you want to tune it to your needs. Finally,
chkconfig dansguardian on
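The chain internet->firewall->dansguardian->squid->client only works when three numbers agree: the port the REDIRECT rule sends browsers to, the port DansGuardian listens on (filterport in dansguardian.conf), and the port DansGuardian forwards to (proxyport), which must be Squid's http_port with intercept set. As an added example, not part of this guide or of either project, the POSIX shell script below checks those against constructed copies of the three files; the scratch directory and the sample file contents are assumptions modelled on the settings edited above.

```shell
#!/bin/sh
# Added example: consistency check for the Shorewall -> DansGuardian -> Squid chain.
# The three files below are constructed samples, not the live configs.

make_chain_samples() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/rules" <<'EOF'
#ACTION     SOURCE  DEST    PROTO   DPORT
ACCEPT      $FW     net     tcp     www
REDIRECT    loc     8080    tcp     www
EOF
    cat > "$dir/squid.conf" <<'EOF'
http_port 3128 intercept
acl localnet src 10.0.0.0/8
EOF
    cat > "$dir/dansguardian.conf" <<'EOF'
# port DansGuardian listens on
filterport = 8080
# port of the upstream proxy (squid)
proxyport = 3128
EOF
}

# Port the loc zone's web traffic is redirected to (first REDIRECT loc rule).
redirect_port() {
    sed 's/#.*//' "$1" | awk '$1 == "REDIRECT" && $2 == "loc" { print $3; exit }'
}

# Port from the first http_port line in squid.conf.
squid_port() { awk '$1 == "http_port" { print $2; exit }' "$1"; }

# Value of a "key = value" setting in dansguardian.conf ($1 = key, $2 = file).
dg_setting() {
    sed 's/#.*//' "$2" | awk -F'=' -v key="$1" \
        '{ gsub(/[ \t]/, "", $1) } $1 == key { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Returns 0 when the chain is consistent; each mismatch is reported on stderr.
check_chain() {
    dir="$1"
    r=$(redirect_port "$dir/rules")
    f=$(dg_setting filterport "$dir/dansguardian.conf")
    p=$(dg_setting proxyport "$dir/dansguardian.conf")
    s=$(squid_port "$dir/squid.conf")
    rc=0
    [ "$r" = "$f" ] || { echo "REDIRECT port $r does not match filterport $f" >&2; rc=1; }
    [ "$p" = "$s" ] || { echo "proxyport $p does not match squid http_port $s" >&2; rc=1; }
    grep -q '^http_port .* intercept' "$dir/squid.conf" \
        || { echo "squid http_port is missing intercept" >&2; rc=1; }
    return $rc
}

# Usage (assumed scratch path):
#   make_chain_samples /tmp/proxy-chain && check_chain /tmp/proxy-chain
```

The most likely real-world failure is the one the guide fixes by hand: leaving the REDIRECT rule on 3128, which sends browsers straight to Squid and silently bypasses the filter; check_chain reports it as a filterport mismatch.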
Take a snapshot
We will take a snapshot now before moving on to the DNS/DHCP installation.
IMPORTANT: Before starting this, make sure any other DHCP and DNS servers on your network are stopped. Competing DHCP servers on a network don't work very well.
DHCP
DHCP is configured using the dnsmasq.conf file. If you want to use DHCP reservations, use the /etc/ethers file; this gives out the same IP address every time for the MAC address specified. For info on configuring dnsmasq, go to http://www.thekelleys.org.uk/dnsmasq/doc.html. My config file looks like this:
# these options were copied from ClearOS config
bogus-priv
cache-size=5000
conf-dir=/etc/dnsmasq.d
dhcp-authoritative
dhcp-lease-max=1000
domain-needed
domain=localdomain
expand-hosts
no-negcache
strict-order
user=nobody
# For debugging purposes, log each DNS query as it passes through. log-queries
dhcp-option=eth1,15,localdomain
dhcp-option=eth1,28,10.0.0.255
dhcp-range=eth1,10.0.0.100,10.0.0.254,12h
read-ethers
This file doesn't exist by default; you will need to create it.
Option 1 is the netmask to give out.
Option 3 is the default gateway; set this to 10.0.0.9.
Option 6 is the DNS servers to give out.
Option 15 is the domain suffix.
Option 28 is the broadcast address.
dhcp-range is the range from which dynamic IP addresses will be given out.
read-ethers tells dnsmasq to read the /etc/ethers file.
My /etc/ethers file looks like this:
# see man ethers for syntax
00:1b:2f:d5:f6:78 10.0.0.2
00:0c:29:cd:6f:18 10.0.0.6
And so on for each MAC address on your network. I have about 25 lines in here.
DNS setup
DNS is read from the /etc/hosts file. Make sure this is set up how you want. Mine looks like this:
127.0.0.1 localhost.localdomain localhost
10.0.0.6 carbon.localdomain carbon
10.0.0.1 hydrogen.localdomain hydrogen
10.0.0.2 helium.localdomain helium
10.0.0.3 lithium.localdomain lithium
10.0.0.4 beryllium.localdomain
10.0.0.5 boron.localdomain boron
10.0.0.7 nitrogen.localdomain nitrogen
10.0.0.8 oxygen.localdomain oxygen
10.0.0.9 flourine.localdomain flourine
10.0.0.10 neon.localdomain neon
10.0.0.12 magnesium.localdomain magnesium
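With the reservations in /etc/ethers and the names in /etc/hosts maintained by hand, two mistakes creep in easily: a reservation placed inside the dynamic dhcp-range (dnsmasq may then lease the same address to another client), and a reserved address with no hosts entry (the machine gets its IP but nobody can resolve it by name). As an added example that is not part of this guide, the POSIX shell script below runs those checks, plus a MAC syntax check, over constructed copies of both files; the scratch directory, the sample entries and the 10.0.0.100-254 pool bounds are assumptions modelled on the guide's own configuration.

```shell
#!/bin/sh
# Added example: sanity checks for dnsmasq's /etc/ethers reservations against
# /etc/hosts and the dynamic dhcp-range. The two files are constructed samples.

make_samples() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/ethers" <<'EOF'
# see man ethers for syntax
00:1b:2f:d5:f6:78 10.0.0.2
00:0c:29:cd:6f:18 10.0.0.6
00:0c:29:aa:bb:cc 10.0.0.150
EOF
    cat > "$dir/hosts" <<'EOF'
127.0.0.1 localhost.localdomain localhost
10.0.0.2 helium.localdomain helium
10.0.0.6 carbon.localdomain carbon
EOF
}

# Comment- and blank-line-free view of a file.
entries() { sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"; }

# Reservations whose last octet lies inside the dynamic pool LO..HI
# (assumption: one range inside a single /24, like dhcp-range=eth1,10.0.0.100,10.0.0.254).
pool_collisions() {
    entries "$1" | awk -v lo="$2" -v hi="$3" \
        '{ split($2, o, "."); if (o[4] + 0 >= lo && o[4] + 0 <= hi) print $2 }'
}

# Reserved addresses that have no line in the hosts file ($1 = ethers, $2 = hosts).
unnamed_reservations() {
    entries "$1" | awk -v hostsfile="$2" '
        BEGIN {
            while ((getline line < hostsfile) > 0) {
                sub(/#.*/, "", line)
                if (line ~ /^[0-9]/) { split(line, f); named[f[1]] = 1 }
            }
        }
        !($2 in named) { print $2 }'
}

# MAC addresses that are not six colon-separated hex pairs; dnsmasq ignores such lines,
# so the client silently falls back to a dynamic lease.
bad_macs() {
    entries "$1" | awk '{
        n = split($1, h, ":"); ok = (n == 6)
        for (i = 1; i <= n; i++) if (h[i] !~ /^[0-9a-fA-F][0-9a-fA-F]$/) ok = 0
        if (!ok) print $1
    }'
}

# Usage (assumed scratch path), each function prints the offending entries:
#   make_samples /tmp/dhcp-check
#   pool_collisions /tmp/dhcp-check/ethers 100 254
#   unnamed_reservations /tmp/dhcp-check/ethers /tmp/dhcp-check/hosts
#   bad_macs /tmp/dhcp-check/ethers
```

Run the same functions against the real /etc/ethers and /etc/hosts once the files are in place; an empty result from all three is what you want before chkconfig dnsmasq on.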
Finally,
chkconfig dnsmasq on
Shut down your server and take another snapshot. Boot it up and test it with a client using DHCP. It should all work.
Part 5
Video guide available here: http://youtu.be/4EFnSJS5FWQ
NTP
Install the service
yum install ntp
In the server section you can add your preferred NTP servers near your location. Start the service,
service ntpd start
Start at boot
chkconfig ntpd on
Webmin
Documentation here: http://www.webmin.com/rpm.html
Add the webmin repo
nano /etc/yum.repos.d/webmin.repo
yum install webmin
When it's installed you should be able to access it at http://flourine.localdomain:10000/ and you will get a screen similar to this in your browser: