Requirements
A server with 2 Ethernet cards
We then configure the 2 Ethernet cards such that one card sits within your LAN while the other is configured with your internet gateway. In my set up, Eth 0 is on my LAN while Eth 1 connects directly to the internet. You can use the Network Configuration Tool (GNOME):
System->Administration->Network
Eth 0 will use the router as its DNS and Gateway
Eth 1 will use the internet router's DNS and Gateway
Make sure that the BIND DNS server and Squid are installed. You can install them by running the following command as root:
# yum install bind squid
We then configure the Squid proxy as follows (root privileges: su):
# service servicename status
The above command checks the status of a service.
The Squid configuration file can be edited with the following command, using the gedit editor:
# gedit /etc/squid/squid.conf
Back up the Squid configuration file with the following command. Keep this file as your failsafe in case you mess up your configuration:
# cp /etc/squid/squid.conf /etc/squid/squid.conf.bak
The backup is restored with the following command:
# cp /etc/squid/squid.conf.bak /etc/squid/squid.conf
Confirm that the IP addresses in the following section of the Squid configuration file are right:
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl lan src 192.168.32.0/19 10.0.0.0/16
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
The bolded section above (the lan ACL) holds the addresses of your internet router's network and those of your switch LAN (in case they are different; it can also have a single source).
To start squid service:
# service squid start
or to restart the squid service:
# service squid restart
That's all for Squid.
Now for the BIND DNS resolver.
Start the BIND service if it's not running (on Red Hat systems the service is called named):
# service named start
# gedit /etc/named.conf
In gedit, copy the above file to a new file. Do not edit the file you opened; make all changes in the new file. After making your changes, save the new file as /etc/named.conf.
//
// named.caching-nameserver.conf
//
// Provided by Red Hat caching-nameserver package to configure the
// ISC BIND named(8) DNS server as a caching only nameserver
// (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// DO NOT EDIT THIS FILE - use system-config-bind or an editor
// to create named.conf - edits to this file will be lost on
// caching-nameserver package upgrade.
//
options {
    listen-on port 53 { 127.0.0.1; 10.0.0.1; 192.168.32.2; 192.168.32.250; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { localhost; 192.168.32.0/19; 10.0.0.0/16; 192.168.32.250; };
    recursion yes;
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
view "lan" {
    match-clients { localhost; 10.0.0.0/16; 192.168.32.0/19; }; // our network
    recursion yes;
    zone "domain" {
        type master;
        file "master.local.domain";
    };
    zone "." IN {
        type hint;
        file "named.ca";
    };
    include "/etc/named.rfc1912.zones";
};
Changes should be made in the bolded areas (the address lists in listen-on, allow-query and match-clients, and your zone name).
Restart the BIND service:
# service named restart
That's all for the BIND server.
Now to the most important area, iptables.
List the nat table; the other tables are mangle (used for bridging) and the default filter table, which you can easily configure via the GUI:
# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Redirect all incoming HTTP traffic (TCP port 80) arriving on eth0, the LAN interface, to the Squid proxy on port 3128:
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
Source-NAT all outgoing traffic leaving via eth1 to the internet:
# iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.32.2
# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:http redir ports 3128

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  anywhere             anywhere            to:192.168.32.2

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Additional info about invalid rules
To edit (delete) invalid rules in your iptables, first list the rules on the specific chain. The filter table's FORWARD chain contains an invalid rule that rejects all forwarded traffic:
# iptables -t filter -L FORWARD
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
Delete the rule; usage: table, chain, rule number (filter, FORWARD, 1):
# iptables -t filter -D FORWARD 1
Check the iptables settings for the nat table again, as shown above.
Restart the iptables service:
# service iptables restart
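As an added example that is not part of the original post, the following shell script audits saved iptables listings for the two NAT rules above and finds the number of the REJECT rule to delete from FORWARD; it is worth running after the restart, because on Red Hat systems the restart reloads /etc/sysconfig/iptables and any rule not written there with service iptables save disappears. The listings inside the script are constructed samples, and the FORWARD sample deliberately has a rule ahead of the REJECT to show that the number is not always 1.

```shell
#!/bin/sh
# Added example, not from the original post: audits saved `iptables -L` output
# for the post's transparent-proxy rules; the listings below are constructed.

# Constructed sample: `iptables -t nat -L` after both NAT rules are in place.
NAT_LISTING='Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 3128
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- anywhere anywhere to:192.168.32.2
Chain OUTPUT (policy ACCEPT)
target prot opt source destination'

# Constructed sample: `iptables -t filter -L FORWARD`; unlike the post, a rule
# precedes the default REJECT, so the number to delete is 2, not 1.
FORWARD_LISTING='Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited'

# Succeeds if PREROUTING redirects port 80 (http) to the given Squid port.
has_redirect() {   # $1 = nat listing, $2 = squid port
    printf '%s\n' "$1" | awk -v port="$2" '
        /^Chain / { chain = $2 }
        chain == "PREROUTING" && $1 == "REDIRECT" && /dpt:http/ && $NF == port { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Succeeds if POSTROUTING source-NATs to the given address.
has_snat() {       # $1 = nat listing, $2 = SNAT address
    printf '%s\n' "$1" | awk -v want="to:$2" '
        /^Chain / { chain = $2 }
        chain == "POSTROUTING" && $1 == "SNAT" && $NF == want { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Prints the 1-based number of the first REJECT rule in a one-chain listing,
# i.e. the N for `iptables -t filter -D FORWARD N`; fails if there is none.
reject_rule_number() {  # $1 = listing of a single chain
    printf '%s\n' "$1" | awk '
        NR <= 2 { next }                       # skip "Chain ..." and header
        $1 == "REJECT" { print NR - 2; ok = 1; exit }
        END { exit ok ? 0 : 1 }'
}

has_redirect "$NAT_LISTING" 3128 && echo "PREROUTING: port 80 redirected to Squid on 3128"
has_snat "$NAT_LISTING" 192.168.32.2 && echo "POSTROUTING: SNAT to 192.168.32.2 present"
n=$(reject_rule_number "$FORWARD_LISTING") && echo "FORWARD: REJECT is rule $n, delete with: iptables -t filter -D FORWARD $n"
```

On a live system, feed the functions the output of the same iptables -L commands (for example, has_snat "$(iptables -t nat -L)" 192.168.32.2) instead of the constructed listings.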
For easier configuration of all the above, use the Webmin tool.
Monitoring your LAN traffic
These tools let you monitor traffic and keep logs. IPTraf offers live monitoring, while ntop lets you monitor various things like:
- sites visited
- network load
- network flow
To install them:
IPTraf
# yum install iptraf
To run:
# iptraf
Ntop
To install:
# yum install ntop
To configure:
# ntop
To start the service:
# service ntop start
To use, open:
http://localhost:3000
(username: admin; password: the one you configured)
Enjoy your networking.