Friday, July 24, 2009

Configuring your network with Fedora Linux DNS/Squid Transparent Proxy

This is a guide for setting up your network using Fedora Linux as a DNS/proxy server. This guide assumes that you have a router/switch that acts as a DHCP router.
Requirements
A server with 2 Ethernet cards

We then configure the two Ethernet cards so that one card sits on your LAN while the other is configured with your internet gateway. In my setup, eth0 is on my LAN while eth1 connects directly to the internet. You can use the Network Configuration Tool (GNOME):
System->Administration->Network
eth0 will use the router as its DNS and gateway
eth1 will use the internet router's DNS and gateway

Make sure that the BIND DNS server and Squid are installed. You can install them (as root) by running the command
# yum install bind squid

We then configure the Squid proxy as follows (root privileges: su):
# service servicename status
The above command checks the status of a service (replace servicename with the service you want to check).
The Squid configuration file can be edited with the following command, using the gedit editor:
# gedit /etc/squid/squid.conf

Back up the Squid configuration file with the following command. Keep this file as your failsafe in case you mess up your configuration:
# cp /etc/squid/squid.conf /etc/squid/squid.conf.bak

The backup is restored with the following command:
# cp /etc/squid/squid.conf.bak /etc/squid/squid.conf

Confirm that the IP addresses are correct in the following section of the Squid configuration file:

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl lan src 192.168.32.0/19 10.0.0.0/16
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
The acl lan src line above is where you put the address of your internet router's network and that of your switch LAN (in case they are different; it can also hold a single network).
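To see what this ACL block actually decides, here is an added Python example (not code from the post) that parses the acl lines above and evaluates requests the way Squid does; the http_access ordering it uses is assumed to be the stock Fedora one, since the post does not show those lines.

```python
import ipaddress

# Constructed sample: the src/port/method acl lines from the squid.conf section above.
SQUID_ACLS = """
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl lan src 192.168.32.0/19 10.0.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
"""
# The post shows no http_access lines; this is the stock Fedora ordering, assumed here
# so that the lan acl actually grants access. Squid stops at the first matching line.
HTTP_ACCESS = [("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"]),
               ("allow", ["lan"]), ("deny", ["all"])]

def parse_acls(text):
    """Map acl name -> (type, values); repeated names merge, as Squid does."""
    acls = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[0] == "acl":
            acls.setdefault(fields[1], (fields[2], []))[1].extend(fields[3:])
    return acls

def acl_matches(acls, name, req):
    kind, values = acls[name]
    if kind in ("src", "dst"):
        # ip_network accepts both CIDR and dotted-mask (127.0.0.1/255.255.255.255) forms.
        return any(ipaddress.ip_address(req[kind]) in ipaddress.ip_network(v, strict=False)
                   for v in values)
    if kind == "port":
        # Port acls may be single ports or lo-hi ranges.
        return any(int(r[0]) <= req["port"] <= int(r[-1]) for r in (v.split("-") for v in values))
    if kind == "method":
        return req["method"] in values
    return False

def http_access(acls, req):
    """Return 'allow' or 'deny' for a request dict with src, port and method keys."""
    for verdict, terms in HTTP_ACCESS:
        # A term matches when its acl matches, or, for a "!" term, when it does not.
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return verdict
    return "deny"

ACLS = parse_acls(SQUID_ACLS)
```

An acl line by itself grants nothing until an http_access line references it, and for the iptables REDIRECT rule later in this post to be accepted by Squid, the http_port line in squid.conf must also carry the transparent option.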
To start the Squid service:
# service squid start
or to restart the Squid service:
# service squid restart

That's all for Squid.
Now for the BIND DNS resolver.

Start the BIND service (named) if it's not running:
# service named start
# gedit /etc/named.conf
In gedit, copy the contents of the file above into a new file. Do not edit the file you opened; make all changes in the new file. After making your changes, save the new file as /etc/named.conf.
//
// named.caching-nameserver.conf
//
// Provided by Red Hat caching-nameserver package to configure the
// ISC BIND named(8) DNS server as a caching only nameserver
// (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// DO NOT EDIT THIS FILE - use system-config-bind or an editor
// to create named.conf - edits to this file will be lost on
// caching-nameserver package upgrade.
//

options {
listen-on port 53 { 127.0.0.1; 10.0.0.1; 192.168.32.2; 192.168.32.250;};
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; 192.168.32.0/19; 10.0.0.0/16; 192.168.32.250;};
recursion yes;
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

view "lan" {
match-clients { localhost; 10.0.0.0/16; 192.168.32.0/19;}; // our network
recursion yes;
zone "domain" {
type master;
file "master.local.domain";
};

zone "." IN {
type hint;
file "named.ca";
};

include "/etc/named.rfc1912.zones";
};
Make your changes in the parts that are specific to your network: the listen-on addresses, the allow-query and match-clients networks, and the zone name and file.
Restart the BIND service:
# service named restart


That's all for the BIND server.

Now to the most important area: the iptables rules.
List the nat table; the other tables are mangle (used for bridging) and the default filter table, which you can easily configure via the GUI.
# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Redirect HTTP traffic (TCP port 80) arriving on eth0 to the Squid proxy on port 3128:
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Source-NAT all outgoing traffic to the internet leaving on eth1:
# iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.32.2

# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 3128

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- anywhere anywhere to:192.168.32.2

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


Additional info about invalid rules

To edit (delete) invalid rules in your iptables:


An invalid rule on the iptables filter FORWARD chain. List the rules on that specific chain (FORWARD):
# iptables -t filter -L FORWARD
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Delete the rule; usage: table, chain, rule number (filter, FORWARD, 1):
# iptables -t filter -D FORWARD 1

Check the iptables settings for the nat table as shown in the previous section above.
Restart the iptables service:
# service iptables restart
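As an added check (not from the post), this Python example parses the nat and FORWARD listings shown in this section and reports whether the REDIRECT and SNAT rules are in place and whether the stock REJECT rule is still blocking forwarded traffic; the listings are pasted in as constructed sample input so it runs offline.

```python
import re

# Constructed sample input: the `iptables -t nat -L` and `iptables -t filter -L FORWARD`
# listings from this post, pasted here so the check runs without root or iptables.
NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 3128

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- anywhere anywhere to:192.168.32.2

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
"""
FORWARD_LISTING = """\
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
"""

def parse_chains(listing):
    """Return {chain: [rule fields]} from `iptables -L` output (name-resolved, as on the page)."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+) \(policy \w+\)", line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current and line.strip() and not line.startswith("target "):
            chains[current].append(line.split())
    return chains

def audit(nat_listing, forward_listing):
    """Findings that mean the transparent-proxy gateway is not doing its job."""
    nat, flt = parse_chains(nat_listing), parse_chains(forward_listing)
    findings = []
    if not any(r[0] == "REDIRECT" and r[-2:] == ["ports", "3128"]
               for r in nat.get("PREROUTING", [])):
        findings.append("nat PREROUTING: no REDIRECT to 3128, HTTP bypasses Squid")
    if not any(r[0] == "SNAT" for r in nat.get("POSTROUTING", [])):
        findings.append("nat POSTROUTING: no SNAT, LAN clients cannot reach the internet")
    # Forwarded (SNATed) packets traverse the filter FORWARD chain; a REJECT there is the
    # "invalid rule" deleted above, since it blocks all LAN traffic not redirected into Squid.
    for num, r in enumerate(flt.get("FORWARD", []), start=1):
        if r[0] == "REJECT":
            findings.append("filter FORWARD rule %d REJECTs forwarded traffic: "
                            "delete it with: iptables -t filter -D FORWARD %d" % (num, num))
    return findings
```

The SNAT rule only carries traffic once forwarding is enabled (net.ipv4.ip_forward = 1), which no listing shows. Rules added at the command line are lost on service iptables restart unless written to /etc/sysconfig/iptables first with service iptables save.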


For easier configuration of all of the above, use the Webmin tool.

Monitoring your LAN traffic


These tools enable you to monitor traffic and give you logs. IPTraf offers live monitoring, while ntop enables you to monitor various things like:

  • sites visited
  • network load
  • network flow


To install them:
IPTraf
# yum install iptraf
To run:
# iptraf

ntop
To install:
# yum install ntop
To configure:
# ntop
+ to exit
To start the service:
# service ntop start
To use:
http://localhost:3000
(username admin; password: the one you configured)

Enjoy your networking.
