kc0arf

Intro

In one of the Forums, the question was asked on how to set up a RedHat 9 server so that it manages network connectivity within the home and provides services to Windoze clients.

This tutorial will address how to set up a RedHat 9 Server that will firewall and provide services to a variety of clients. I'll also talk about Webmin and other services available in the RedHat / Fedora domain. I will also use Linux terms... a daemon serves the function of a Windoze Service.

This tutorial will assume you have worked with computers before, and have some exposure to Linux. The beginner should not attempt this, as much greater detail would be required to explain all of these steps. A beginner would be much better off with a book... I suggest the Yellow/Black Wiley books in the Unlimited series for RedHat 9, or Fedora Core.

Preparation

Decide what your computer is going to do. If it is strictly a firewall / DNS server, then the computer can be lightweight -- 128 MB RAM, 5 GB hard disk, 2 network cards. If you would like the box to do more, then plan accordingly. If it is going to be a network server, plus be used for workstation functions, then go for 512 MB RAM and 20 GB hard drive space. Plan with some room to grow.

(My particular box is 512 MB Ram Pentium III 550 MHz with 300 GB Hard drive).


Linux Installation

Before we get too deep, you should all be aware that RedHat 9 is no longer serviced by RedHat... any bugs that are found since last fall remain in the OS, unless privately patched outside of official RH sources. Consider going to Fedora Core 3. What we are doing here should work with Fedora, but as I have not upgraded myself yet, I may be in for some mystery.

First, prepare your hardware, and install RH / Fedora Linux. I personally choose Custom, and go through the options. Make sure you have IPTABLES selected, along with BIND (DNS) and WEBMIN. If you are going to be like me, select the other services too: Samba (Windoze networking), DHCPD (DHCP daemon), Netatalk (Macintosh networking), and Apache (web service). You will also be given the chance to partition your drives... I usually do them manually, and offer 1 GB for / (root), 3 GB for /home, 2.5 GB for /var, 1 GB for /tmp, 5 GB for /usr, and the balance for /backup. You will need to think of what scheme is best for your particular installation. I have a /backup because I write tar scripts to read off the other partitions and store them on /backup.

For the firewall question, I answer "medium", as I will be modifying it later. For the network questions, make selections fitting your environment, and write them down.

Install RH, and reboot a few times to ensure the system is stable and installed properly. Correct any mistakes, or any services that are not loading properly. Plug the cable modem into one ethernet card, and your local connection into a hub/switch. If you have a wireless device, or one of those things with a built-in firewall, do not plug this connection into that port.


FIREWALL Setup

There are a few ways of working with the firewall: some use WEBMIN, some are written by hand, and others can be found on these pages or elsewhere on the internet.

If you are going to use another firewall solution, skip the rest of this section.

First, you need to determine which ethernet device (ethX) is going to the internet, and which one to your local hub. Use the /sbin/ifconfig command to determine the status, and write that information down. Typically, the internet connection is DHCP, and the local interface has a static address.
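A small helper for this step, added here as an example and not part of the original post: it reads ifconfig output and sorts each interface into loopback, private (RFC 1918) or internet-facing by its address, so you can see at a glance which device belongs in INET_IFACE. The ifconfig text it works on is a constructed sample in the old "inet addr:" format that RedHat 9's ifconfig prints; 198.51.100.7 is a documentation address standing in for whatever your ISP handed out.

```shell
#!/bin/sh
# Added example, not from the original post: work out which interface faces
# the internet from "ifconfig" output by checking whether each address is a
# private (RFC 1918) or loopback range.
# SAMPLE_IFCONFIG holds a constructed sample; on a real box run
#   /sbin/ifconfig > /tmp/ifconfig.txt  and pass that file instead.

SAMPLE_IFCONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_IFCONFIG"' EXIT
cat >"$SAMPLE_IFCONFIG" <<'EOF'
eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:10.10.1.1  Bcast:10.255.255.255  Mask:255.0.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:66
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth2      Link encap:Ethernet  HWaddr 00:11:22:33:44:77
          inet addr:198.51.100.7  Bcast:198.51.100.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
EOF

# addr_role ADDRESS -> LOOPBACK, LAN (RFC 1918 ranges) or INTERNET
addr_role() {
    case "$1" in
        127.*) echo LOOPBACK ;;
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo LAN ;;
        *) echo INTERNET ;;
    esac
}

# classify_ifaces FILE -> one "iface address role" line per configured interface
classify_ifaces() {
    awk '
        /^[A-Za-z]/  { iface = $1 }                               # header line
        /inet addr:/ { sub(/.*inet addr:/, ""); print iface, $1 } # address line
    ' "$1" | while read -r iface addr; do
        echo "$iface $addr $(addr_role "$addr")"
    done
}

# inet_iface FILE -> the name to put in INET_IFACE (first internet-facing one)
inet_iface() {
    classify_ifaces "$1" | awk '$3 == "INTERNET" { print $1; exit }'
}

classify_ifaces "$SAMPLE_IFCONFIG"
echo "INET_IFACE=$(inet_iface "$SAMPLE_IFCONFIG")"
```

One caveat: some cable modems hand the PC a private address of their own (192.168.100.x is common), in which case every interface shows up as LAN and the notes you wrote down at install time are the only reliable guide.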

Next, go into /etc/init.d and copy the existing iptables files into a backup folder:

mkdir iptables.bak
mv iptables* iptables.bak/.

It will complain that it cannot move the directory into itself. :)

Here is a copy of my firewall code. I did not write it directly... it was pieced together from various sources on the internet. Note that my box has three network cards in it. Cut and paste this code into a file called /etc/init.d/iptables and modify it for your own use. The firewall code also contains the command to tell the Linux Kernel to utilize packet forwarding.

[christian@astro init.d]$ cat iptables
#!/bin/sh
#
# chkconfig: 2345 08 92
# description: Packet filter and NAT rules for this host (replaces the stock RH script)

#########################
##   THIS IS FOR ASTRO
#########################

###########
# Configuration options; these will speed you up getting this script to
# work with your own setup.
# Your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32-bit IP address, the same as netmask 255.255.255.0.

# ASTRO:  ETH2 is internet, ETH0 is 10.10,  ETH1 is 192.168, and AX is 172

#### LAN IP is internal
LAN_IP="10.10.1.1/8"
# The *_BCAST_ADDRESS ranges are written so that "-d" also matches the
# limited broadcast 255.255.255.255 that DHCP and NetBIOS clients send to.
LAN_BCAST_ADDRESS="255.0.0.0/8"
LAN_IFACE="eth0"

#### LAN2 IP is internal
LAN2_IP="192.168.1.1/24"
LAN2_BCAST_ADDRESS="255.255.255.0/24"
LAN2_IFACE="eth1"

#### LAN3 is the Packet Network
LAN3_IP="172.16.0.1/16"
LAN3_BCAST_ADDRESS="255.255.0.0/16"
LAN3_IFACE="ax0"

#### This is the loopback
LO_IFACE="lo"
LO_IP="127.0.0.1/8"

##### This is the connection to the cable modem
INET_IFACE="eth2"

# Define JarJar, the Citrix Box
# CITRIX_IP="10.10.1.22"

IPTABLES="/sbin/iptables"

##########
# Load all required IPTables modules
# Needed to initially load modules
/sbin/depmod -a

# Adds some iptables targets like LOG, REJECT and MASQUERADE.
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE

# Support for owner matching
# /sbin/modprobe ipt_owner

# Support for connection tracking of FTP and IRC.
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc

##########
# Start from a clean slate, so that running the script a second time does
# not append every rule again or fail with "Chain already exists".
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
$IPTABLES -t nat -X

# Enable ip_forward; this is critical since it is turned off by default in Linux.
echo "1" > /proc/sys/net/ipv4/ip_forward

# Dynamic IP users:
# echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Enable simple IP Forwarding and Network Address Translation
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

########
# SECTION ONE
# Bad TCP packets we don't want
$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
########

########
# SECTION TWO
# Accept the packets we actually want to forward
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $LAN2_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $LAN3_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Adjustments for 2003 Server.  Only reachable from the outside if a DNAT
# rule in PREROUTING sends traffic to it (see the Citrix example below).
$IPTABLES -A FORWARD -p tcp --dport 3389 -j ACCEPT

# Citrix Modifications.  A sample of how to forward and log them.
# First Log, then go
# $IPTABLES -A FORWARD -j LOG -p tcp --syn --dport 1494 --log-level DEBUG --log-prefix "Sec2 Citrix Attach"
# $IPTABLES -A FORWARD -j ACCEPT -p tcp --syn --dport 1494
# $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "Sec2: IPT  packet died: "
######

##### Set default policies for the INPUT, FORWARD and OUTPUT chains
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

##### Create separate chains for ICMP, TCP and UDP to traverse
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpin_packets

##### The allowed chain for TCP connections (defined here, not used below;
##### send a port here with "-j allowed" instead of "-j ACCEPT" if you want
##### only proper SYN-opened connections through)
$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

# ICMP rules (echo reply, destination unreachable, redirect, time exceeded;
# echo requests from the internet are not answered)
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#########
# THE ACTUAL INCOMING FIREWALL, SORTED BY PORT NUMBER
#########

# ftp switch
# Default not to allow external FTP
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j DROP

# SSH Switch
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j ACCEPT

# For Telnet: default not to allow external Telnet
# $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 23 -j ACCEPT

# Mail configures
# $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j LOG
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j ACCEPT

# For DNS  (External because I serve my Grandma)
# Queries arrive on destination port 53.  Replies to our own lookups are
# already let in by the ESTABLISHED,RELATED rule at the end of INPUT, and
# accepting on source port 53 alone would let in any packet that claims it.
$IPTABLES -A udpin_packets -p UDP -s 0/0 --dport 53 -j ACCEPT
# Uncomment if you need zone transfers or answers larger than 512 bytes:
# $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 53 -j ACCEPT

# Drop BootP/DHCP packets from the internet.  I do not serve others.
# (DHCP is UDP; the default DROP policy would catch this anyway.)
$IPTABLES -A udpin_packets -p UDP -s 0/0 --dport 67 -j DROP

# For Webpages
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j ACCEPT

# For POP3 (External so that I can check email outside).  POP3 is TCP only.
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 110 -j ACCEPT

# ident
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j DROP

# NTP replies (source port 123) come back through the ESTABLISHED,RELATED
# rule, so no source-port rule is needed here.

# For SSL (Secure Web).  HTTPS is TCP only.
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 443 -j ACCEPT


## Explicit drops of Samba ports
## I do not allow ANY Microsoft activity from the outside.
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 139 -j DROP
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 445 -j DROP
$IPTABLES -A udpin_packets -p UDP -s 0/0 --dport 139 -j DROP
$IPTABLES -A udpin_packets -p UDP -s 0/0 --dport 445 -j DROP

# Microsoft SQL 1434 bug Jan 27, 2003
$IPTABLES -A udpin_packets -p UDP -s 0/0 --dport 1434 -j DROP

# For appletalk on internet
# $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 548 -j ACCEPT


###############
# PREROUTING chain.

# Do some checks for obviously spoofed IPs
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 172.16.0.0/12 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 127.0.0.1/8 -j DROP

# Area added by Christian for Citrix box
# $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE --dport 6200 -j DNAT --to-destination $CITRIX_IP:1494
# $IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE --dport 6200 -j DNAT --to-destination $CITRIX_IP:1494

#####
# SECTION 5
# INPUT chain

# Take care of bad TCP packets that we don't want: a "new" connection
# that does not start with SYN is dropped.
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Rules for incoming packets from the internet
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpin_packets

####
# SECTION 7
# Rules for special networks not part of the Internet

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADDRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN2_IFACE -d $LAN2_BCAST_ADDRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN3_IFACE -d $LAN3_BCAST_ADDRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN2_IFACE -d $LAN2_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN3_IFACE -d $LAN3_IP -j ACCEPT

# Need this one for sendmail to work on internal email setups.
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

# Replies to connections this box opened to the internet
$IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

####
# SECTION 8
# OUTPUT chain
#
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP

# Rule Test to drop Microsoft packets outbound from server.
# Want to stop Samba Advertising
$IPTABLES -A OUTPUT -p TCP -o $INET_IFACE --dport 139 -j DROP
$IPTABLES -A OUTPUT -p TCP -o $INET_IFACE --dport 445 -j DROP
$IPTABLES -A OUTPUT -p TCP -o $INET_IFACE --dport 32875 -j DROP
$IPTABLES -A OUTPUT -p UDP -o $INET_IFACE --source-port 32875 -j DROP
$IPTABLES -A OUTPUT -p UDP -o $INET_IFACE --dport 137 -j DROP

# Stop the Microsoft packets on the 10.x network
# $IPTABLES -A OUTPUT -p UDP -o $LAN_IFACE --dport 139 -j DROP
# $IPTABLES -A OUTPUT -p UDP -o $LAN_IFACE --dport 137 -j DROP

# Stop the Microsoft packets on the LO
$IPTABLES -A OUTPUT -p UDP -o $LO_IFACE --dport 137 -j DROP
$IPTABLES -A OUTPUT -p UDP -o $LO_IFACE --dport 139 -j DROP

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN2_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN3_IP -j ACCEPT

$IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT

The above code will need to be modified for your own personal use. If you do not need some of the ports that I have opened, be sure to -j DROP them. Also note that each one of those commands should be on one line. EVERY command starts with $IPTABLES once the variables are defined... so watch out for weird word-wraps.
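Before loading a hand-edited script like this one it is worth reading it back as text and checking three things: which ports the internet-facing chain actually ACCEPTs (compare that list with what you meant to expose), whether any rule lost its -j target in a word-wrap (iptables loads such a rule silently, but it only counts packets and never accepts or drops), and whether any ACCEPT is keyed on --source-port alone (any packet can set its source port, so such a rule is a hole rather than a service rule). The audit below is an added example, not part of the original post; it needs neither root nor iptables, and the rules it reads are a constructed excerpt that includes both of those mistakes on purpose.

```shell
#!/bin/sh
# Added example, not from the original post: audit a hand-written iptables
# script as text before loading it. SAMPLE_RULES is a constructed excerpt;
# on a real box pass /etc/init.d/iptables to the functions instead.

SAMPLE_RULES=$(mktemp)
trap 'rm -f "$SAMPLE_RULES"' EXIT
cat >"$SAMPLE_RULES" <<'EOF'
IPTABLES="/sbin/iptables"
$IPTABLES -A FORWARD -p tcp --dport 3389
$IPTABLES -A FORWARD -j ACCEPT -p tcp --dport 3389
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j DROP
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j ACCEPT
# $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 23 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j ACCEPT
$IPTABLES -A udpin_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 110 -j ACCEPT
$IPTABLES -A udpin_packets -p UDP -s 0/0 --source-port 110 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 443 -j ACCEPT
EOF

# active_rules FILE -> the script minus comment lines
active_rules() { grep -v '^[[:space:]]*#' "$1"; }

# open_tcp_ports FILE -> TCP ports the internet-facing tcp_packets chain
# ACCEPTs, sorted, on one line
open_tcp_ports() {
    active_rules "$1" | grep -- '-A tcp_packets' | grep -- '-j ACCEPT' \
        | sed -n 's/.*--dport \([0-9][0-9]*\).*/\1/p' \
        | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# untargeted_rules FILE -> "-A" rules that carry no "-j" target
untargeted_rules() { active_rules "$1" | grep -- '-A ' | grep -v -- '-j '; }

# sport_only_accepts FILE -> ACCEPT rules matched on --source-port/--sport
# with no --dport, i.e. accepted on a value the sender chooses
sport_only_accepts() {
    active_rules "$1" | grep -- '-j ACCEPT' \
        | grep -E -- '--(source-port|sport) ' | grep -v -- '--dport '
}

# count -> number of lines on stdin (grep -c has no leading spaces, unlike wc)
count() { grep -c ''; }

# report [FILE] -> the three checks, human readable
report() {
    f="${1:-$SAMPLE_RULES}"
    echo "TCP ports accepted from the internet: $(open_tcp_ports "$f")"
    echo "Rules without a -j target:"
    untargeted_rules "$f"
    echo "ACCEPTs matched only on source port:"
    sport_only_accepts "$f"
}

report "$SAMPLE_RULES"
```

Run it against your own file with `sh audit.sh` after changing the `report` call, or source the file and call `report /etc/init.d/iptables`; anything listed under the last two headings wants fixing before the next reboot loads the script.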


Un-Firewall

The following batch file will reset the firewall, so that all interfaces are "wide-open".

[christian@astro init.d]$ cat iptables_flush
#!/bin/bash
#
# This is the flusher program for iptables.
#

# Configurations
IPTABLES="/sbin/iptables"


$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

# Reset the default NAT policies

$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

# Flush all the rules in the filter and nat tables

$IPTABLES -F
$IPTABLES -t nat -F

# Erase all changes that are not defaulted at all

$IPTABLES -X
$IPTABLES -t nat -X

# END

Reboot your computer a few times, and make sure that the networking works from the Linux box to the outside world. Open a few web pages. Check your email. If something doesn't work, test it again after running iptables_flush. If it works then, your firewall is blocking something. It may take a few swipes to get it all working perfectly.


DNS Installation

Once your firewall is established, you can work to provide DNS services to your computer. I did this using webmin.

Open up a browser on your linux workstation, and point to http://localhost:10000

You should see a login box. Log in as root with the root password. Once inside Webmin, click on the Servers button and find the BIND DNS Server. Create yourself a Master Zone, and then within it define your Address, Mail Server, and Name Server records. If you need step-by-step instructions, search the web for them. Be sure to hit the "Apply Changes" button at the bottom of the page to restart the daemon, and when you are done with all of the DNS configuration, tap "Apply Changes" on the main DNS page as well.


Samba Daemon

You can use WEBMIN and/or SWAT to configure Samba, the Windoze filesharing and printing service. Samba supports both workgroup and domain configurations, and while I am not sure it will make a great Domain Controller, it does well as a member server in my environment, and permissions flow rather smoothly, as long as the passwords remain synchronized.


Apache Daemon

WEBMIN may be used to configure your Apache webserver environment. I have used Apache to make some of my websites SSL only; other people that I know have used it to create and manage multi-homed addressing information. This tool works really well if you want to customize access control on your Apache directories.


Netatalk Daemon

Unfortunately, Netatalk is not configurable from WEBMIN. There is an older module out there for it, but the new Netatalk (3.x) has many new options that Webmin will not understand. Best to work with the online documentation at sourceforge concerning netatalk configuration.


DHCPD Daemon

DHCPD is a DHCP server, and is configurable from WEBMIN. Use this if you would like to configure your computer to serve other workstations on the network. Be sure to click the "Network Interface" button on the main screen, and DO NOT serve to addresses on the internet. Your ISP may give you a lot of grief if you incorrectly configure this setup. You could cause a lot of problems. Only serve on your internal network.


WU-FTP or ProFTPD Daemon?

WU-FTP is the older Washington University FTP Daemon that has some security concerns; it is no longer installed by default. ProFTP is the new FTP Daemon installed, and it works well.

I create Linux workstations internally, however, and like to build them from the network interface (not all have CD-ROMs, so I make the boot disk and install using the FTP method. I have the .iso disks extracted locally, and they all install quickly from the network via FTP without me needing to insert the next disk). I found out that ProFTPD doesn't like RH installs using this method, so I have returned to WU-FTP, which works fine. I firewall FTP out from the outside network, so others cannot connect to me.


Conclusion

Hopefully, this gives our readers ideas on how to install, and configure their RH / Fedora network servers. While not exhaustive on the instructions (hey, I could write a book on it ya know!), it was my goal to inform the reader on what can be done, and where to go to look for configuration settings.

If any of you have questions on what I have written, please submit a question to the Linux forums; do not add questions to this topic post.

If you have corrections, please add them below, and we can correct the post!

Enjoy the new year!

Christian

REV 0: Jan 1, 2005
