CONFIGURATION MANUAL
Note:
This procedure was carried out with the following setup:
• Ubuntu 10.04 server edition (the latest as of this writing)
• dhcp3-server
• squid3
• iptables
• two (2) networking cards
This procedure assumes that your first NIC (eth0) is connected to the WAN and that the
second NIC (eth1) is connected to your LAN.
1. Configure your NICs. You should be modifying the /etc/network/interfaces
configuration file.
• eth0 and eth1 should be enabled across reboots
• eth0 and eth1 IP addresses will be configured manually (static)
• the address of eth0 will be the address given by your ISP
• the address of eth1 will be your private network's address and will also be the address
of your squid proxy server
vim /etc/network/interfaces
auto lo eth0 eth1
iface lo inet loopback
# add an "iface eth0 inet static" and an "iface eth1 inet static" stanza with the addresses described above
<Esc><Shift> :wq!
2. sysctl is an interface that allows you to make changes to a running Linux kernel.
With /etc/sysctl.conf you can configure various Linux and system settings such as:
• Limit network-transmitted configuration for IPv4
• Limit network-transmitted configuration for IPv6
• Turn on execshield protection
• Protect against the common 'SYN flood attack'
• Turn on source IP address verification
• Prevent a cracker from using a spoofing attack against the IP address of the
server
• Log several types of suspicious packets such as spoofed packets, source-routed
packets and redirects
Modify /etc/sysctl.conf to enable packet forwarding on your Linux box.
vim /etc/sysctl.conf
Locate and uncomment (remove #) the line that says: (To edit, press ( i ) or <Insert>
)
#net.ipv4.ip_forward=1
The change takes effect after you restart the Linux box. To enable forwarding
immediately, execute the following command:
sysctl -w net.ipv4.ip_forward=1
3. Next, add the iptables NAT rule (MASQUERADE) so that LAN traffic is NATed as it leaves eth0. Execute the command:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
4. You need to restart the networking service of Linux for the changes to take effect.
Enter the following command:
/etc/init.d/networking restart
5. Check that the new IP address configuration was applied by entering the command:
ifconfig -a
You should see the IP addresses you specified for the two NICs.
1. Install DHCP server and other necessary files on your Ubuntu Linux box.
2. Configure your DHCP server. You will need to specify which interface the DHCP
server will listen on. We use eth1 since this is the interface for our private LAN.
Edit the /etc/default/dhcp3-server configuration file:
vim /etc/default/dhcp3-server
INTERFACES="eth1"
3. We must specify the settings that our DHCP server needs to allocate dynamic
addresses. This is done in the /etc/dhcp3/dhcpd.conf file. Edit this file and enter
the settings for your LAN.
4. Configure the workstations to obtain their IP addresses dynamically. Make sure that
each workstation receives an address within the network you set up on your
Linux box.
vi /etc/squid3/squid.conf
Add the necessary modifications for cache, acl and web filtering. (To edit, press ( i )
or <Insert> )
# APPEND THIS AT THE ACL SECTION
acl localnet src 192.168.0.0/16
acl badsites dstdomain "/etc/squid3/badsites.acl"
# AT THE "INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS" SECTION, INSERT THESE LINES
# (the deny must come before the allow: squid applies the first http_access line that matches)
http_access deny badsites
http_access allow localnet
Create your badsites.acl file that will be used to filter web sites.
vim /etc/squid3/badsites.acl
Enter the websites that are prohibited. (To edit, press ( i ) or <Insert> ).
.facebook.com
.friendster.com
.youtube.com
Save and exit the file. ( <Esc><Shift> :wq! )
Create another file that will contain our new iptables rules, which force all connections
to port 80 to be redirected to the squid proxy server listening on port 3128.
vim /home/sysadmin/fw_policy.sh
And it should contain the following entries (To edit, press ( i ) or <Insert> ).
#!/bin/bash
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Alternatively, call the script from /etc/rc.local so that it runs at boot. This file contains bash commands which
are run after the run-level specific commands whenever the system is booted; add the line before the
final exit 0 with which the file ends.
vim /etc/rc.local
/home/sysadmin/fw_policy.sh
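The fw_policy.sh shown above only contains the MASQUERADE rule; the following is an added example (not the manual's own script) of a complete policy for the layout described here (eth0 = WAN, eth1 = LAN, squid on port 3128), including the port-80 redirection the text asks for and a FORWARD policy that keeps WAN hosts from reaching the LAN through the router. The LAN network (192.168.0.0/16, matching the localnet acl) and the DRY_RUN switch are assumptions.

```shell
#!/bin/bash
# Added example, not the manual's own script: a complete fw_policy.sh for the
# layout above (eth0 = WAN, eth1 = LAN, squid listening on 3128). The LAN
# network and the DRY_RUN switch are assumptions. Make it executable with
# chmod +x before pointing /etc/rc.local at it.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/16}   # matches the "localnet" acl in squid.conf
PROXY_PORT=${PROXY_PORT:-3128}

# With DRY_RUN=1 the commands are printed instead of executed (for review).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

fw_policy() {
    # Packet forwarding does not survive a reboot unless sysctl.conf was edited,
    # so set it here as well.
    run sysctl -w net.ipv4.ip_forward=1
    # Flush the chains this script owns so re-running it does not duplicate rules.
    run iptables -t nat -F PREROUTING
    run iptables -t nat -F POSTROUTING
    run iptables -F FORWARD
    # NAT: masquerade LAN traffic leaving the WAN interface (the manual's rule).
    run iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    # Transparent proxy: LAN clients' HTTP (port 80) traffic is redirected to squid
    # on this box instead of going out directly.
    run iptables -t nat -A PREROUTING -i "$LAN" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"
    # Forwarding policy: only LAN -> WAN and the replies to it; everything else is
    # dropped, so hosts on the WAN cannot reach the LAN through the router.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

case "${1:-}" in
    apply) fw_policy ;;
    show)  DRY_RUN=1 fw_policy ;;
    *)     echo "usage: $0 apply|show" >&2 ;;
esac
```

The redirection only works if squid's listening port is marked for interception in squid.conf (http_port 3128 transparent for the squid 3.0 release that Ubuntu 10.04 ships; intercept in 3.1 and later), otherwise squid rejects the redirected requests.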