OpenVPN Server
yum -y install openvpn
http://openvpn.net/index.php/open-source/documentation/howto.html
locate server.conf
cp /usr/share/doc/openvpn-2.2.0/sample-config-files/server.conf /etc/openvpn/
vim /etc/openvpn/server.conf
local 10.10.5.20 --> IP address the server listens on
port 1194 --> Port the OpenVPN service binds to
Note:- If port 1194 is blocked in certain countries you can use another port to connect through, e.g. 110
proto udp --> Default protocol
dev tun --> Virtual (tunnel) interface of the VPN server
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0 --> Defines the address range (subnet) handed out to VPN clients
ifconfig-pool-persist ipp.txt --> Creates /etc/openvpn/ipp.txt, which records the real IP each client connects from and the private VPN address it was given
push "route 192.168.20.0 255.255.255.0" --> Pushes this route to the clients; it makes the clients send their default-gateway (WAN) traffic through the VPN server
#openssl dhparam -out dh1024.pem 1024 --> To create the dh1024.pem file
status openvpn-status.log --> Creates /etc/openvpn/openvpn-status.log, which shows the current connections on the VPN server
log openvpn.log --> Creates /etc/openvpn/openvpn.log, which holds the logs of the VPN server
Create the server certificate and keys.
#cd /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0
#chmod +x *
#vim vars --> Edit this file to reflect your details in the certificate, as follows
export KEY_COUNTRY="EG"
export KEY_PROVINCE="ALEX"
export KEY_CITY="ALEX"
export KEY_ORG="lab101"
export KEY_EMAIL="ahmed@linux.or
#source ./vars
# ./clean-all
# ./build-ca --> Accept the default settings (pre-filled from the vars step above)
Note: the ./clean-all step removes all keys previously created inside the keys folder.
#ls keys/
ca.crt ca.key index.txt serial
Build Server Key
#./build-key-server server --> "Data Base Updated" means the certificate has been created successfully.
Build Client Key
#./build-key slave-vm --> Creates keys for the host named slave-vm so it can connect to the VPN server.
Note:- You can use ./build-key-pass instead to force the client to supply a password in order to connect to the server.
# ./build-key shady --> Creates keys for the host named shady so it can connect to the VPN server.
# ./build-dh
# vim /etc/openvpn/server.conf
ca /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/keys/ca.crt
cert /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/keys/server.crt
key /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/keys/server.key
dh /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/keys/dh1024.pem
/etc/init.d/openvpn restart
netstat -antlpu |grep 1194
Clients Configuration.
#yum install openvpn
#yum --nogpg -y install openvpn
# cp /usr/share/doc/openvpn-2.2.0/sample-config-files/client.conf /etc/openvpn/
#vim /etc/openvpn/client.conf
client
dev tun
proto udp --> Must match the server's proto ("udp" or "tcp")
remote 10.10.5.20 1194 --> Server IP and port; the port must also match the server's
ca ca.crt       |
cert client.crt | Copy the client's credentials from the server and reference them here
key client.key  |
i.e
ca /etc/openvpn/ca.crt
cert /etc/openvpn/slave-vm.crt
key /etc/openvpn/slave-vm.key
On the server, copy the CA certificate plus that client's key and certificate to every client that wants to connect to the VPN.
cd /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/keys
scp ca.crt slave-vm.key slave-vm.crt 10.10.5.133:/etc/openvpn
--To connect from client to server do,
openvpn --config /etc/openvpn/client.conf
When you see this message, the client is connected to the VPN server.
Initialization Sequence Completed
Add new client,
---
cd /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/
source ./vars
./build-key-pass shady
On client client.conf
ca /etc/openvpn/ca.crt
cert /etc/openvpn/shady.crt
key /etc/openvpn/shady.key
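Before restarting the service it is worth checking that the client and server configurations agree and that the secret key files are present and not readable by other users. The script below is an added example, not part of the OpenVPN HOWTO or of the original notes; the function names and the constructed server.conf/client.conf pair written to a temporary directory are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the original notes: check a server.conf/client.conf
# pair before restarting OpenVPN. File names and addresses below are constructed.

# ovpn_get FILE DIRECTIVE -> first value of DIRECTIVE (comments and blanks skipped)
ovpn_get() {
  awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# ovpn_check_pair SERVER_CONF CLIENT_CONF
# Prints one line per problem and returns 1 if any; returns 0 when proto and
# port agree, every ca/cert/key/dh file exists, and key files are mode 600.
ovpn_check_pair() {
  srv=$1; cli=$2; rc=0
  sproto=$(ovpn_get "$srv" proto); cproto=$(ovpn_get "$cli" proto)
  sport=$(ovpn_get "$srv" port)
  cport=$(awk '$1 == "remote" { print $3; exit }' "$cli")   # remote HOST PORT
  [ "$sproto" = "$cproto" ] || { echo "proto mismatch: server=$sproto client=$cproto"; rc=1; }
  [ "$sport" = "$cport" ] || { echo "port mismatch: server=$sport client=$cport"; rc=1; }
  for f in "$srv" "$cli"; do
    for d in ca cert key dh; do
      p=$(ovpn_get "$f" "$d")
      [ -n "$p" ] || continue
      case $p in /*) ;; *) p=$(dirname "$f")/$p ;; esac   # relative to the conf dir
      if [ ! -r "$p" ]; then
        echo "$f: $d file $p missing"; rc=1
      elif [ "$d" = key ] && [ "$(ls -l "$p" | cut -c5-10)" != "------" ]; then
        echo "$p: private key is readable by group/others (chmod 600 it)"; rc=1
      fi
    done
  done
  return $rc
}

# --- constructed demo data (empty placeholder cert/key files) ---
demo=$(mktemp -d)
for f in ca.crt server.crt dh1024.pem slave-vm.crt server.key slave-vm.key; do : > "$demo/$f"; done
chmod 600 "$demo/server.key" "$demo/slave-vm.key"
cat > "$demo/server.conf" <<'EOF'
local 10.10.5.20
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
EOF
cat > "$demo/client.conf" <<'EOF'
client
dev tun
proto udp
remote 10.10.5.20 1194
ca ca.crt
cert slave-vm.crt
key slave-vm.key
EOF
# a deliberately broken client config: wrong proto, wrong port, missing cert
sed -e 's/^proto udp/proto tcp/' -e 's/ 1194$/ 110/' -e 's/slave-vm.crt/shady.crt/' \
  "$demo/client.conf" > "$demo/bad-client.conf"

ovpn_check_pair "$demo/server.conf" "$demo/client.conf" && echo "client.conf: OK"
ovpn_check_pair "$demo/server.conf" "$demo/bad-client.conf" || echo "bad-client.conf: problems found"
```

Run it on the real files as `ovpn_check_pair /etc/openvpn/server.conf /etc/openvpn/client.conf` on a host that has both; the permission check is the one that catches a key copied over with scp and left at 644.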
Iptables
Iptables important options
-L List the rules currently active.
-D Delete a rule from the active rules.
-A Append a new rule at the bottom of the currently active rules.
-I Insert a rule as the first rule, above the currently active rules (or at position N with -I CHAIN N).
-t Define the table you are working on (filter is the default).
-F Flush all currently active rules (they come back after a restart, from the saved file).
-p Protocol (tcp, udp, icmp, ...)
-s Source (IP address)
-j Target
i.e
#iptables -L -t nat
#iptables -F INPUT --> Flushes the active rules of the INPUT chain
#iptables -t nat -F --> Flushes the active rules of all chains in the nat table
#iptables -L -n --> Numeric list (no name resolution)
#/etc/init.d/iptables stop --> Flushes all rules in all chains
#/etc/init.d/iptables save --> Overwrites the start-up file /etc/sysconfig/iptables with all currently active rules (new and old)
##################################### Input Chain #####################################
#iptables -I INPUT -p icmp -s 10.10.5.20 -j DROP --> Drop ICMP coming from 10.10.5.20
Note:- iptables loads its rules at start-up from /etc/sysconfig/iptables
Iptables consists of 3 tables and each table consists of 3 chains
1-Filter Table
1-a Input --> Incoming Traffic
1-b Output --> Outgoing Traffic
1-c Forward --> Traffic Pass Through (Host Act As Router)
2-Nat Table
2-a Prerouting --> Redirect Incoming Traffic (i.e Internet) To Certain host or port
2-b Postrouting --> Redirect Outgoing Traffic (i.e Request access to net from hosts)
2-c Output
Iptables Important Targets
1- ACCEPT --> Accept Traffic
2- REJECT --> Reject Traffic With Error Message
3- DROP --> Drop Traffic With No Error Message
4- LOG --> Logs Traffic in /var/log/messages
i.e
#iptables -I INPUT -p TCP --dport 80 -j LOG
#iptables -I INPUT -p UDP --dport 111 -j LOG
#iptables -I INPUT -p TCP --dport 80 -j LOG
#iptables -I INPUT -p ICMP -j LOG
Rules Order (First Match Wins)
#iptables -I INPUT -p icmp -s 10.10.5.90 -j ACCEPT --> First Rule
#iptables -I INPUT 2 -p icmp -s 10.10.5.0/24 -j REJECT --> Second Rule
#iptables -A INPUT -p icmp -s 10.10.5.190 -j DROP --> Last rule because of (-A) option
Note:- With (-I) option you can determine the order of the rule
#iptables -L -n --line-numbers --> Echo each rule number
#iptables -L -v --> Echo packet and byte counter (how many packets are matched the rule and its size)
Note:- Packet and byte counters help to detect infected hosts: apply an ACCEPT rule per host and watch the counters (infected hosts usually send heavy traffic through the gateway)
#iptables -D INPUT -p icmp -s 10.10.5.190 -j DROP
#iptables -D INPUT 30 --> Delete rule number 30 in INPUT chain
#iptables -R INPUT 29 -p icmp -s 10.10.5.155 -j ACCEPT --> Replace rule number 29 in INPUT chain with -p icmp -s 10.10.5.155 -j ACCEPT
##################################### Output Chain #####################################
#iptables -I OUTPUT -p tcp --dport 80 -j REJECT --> REJECT any outgoing HTTP (port 80) traffic
#iptables -I OUTPUT -p tcp --dport 80 -d yahoo.com -j REJECT --> To REJECT traffic outgoing to yahoo domain
##################################### Forward Chain ####################################
(Gateway Configuration)
#echo 1 > /proc/sys/net/ipv4/ip_forward --> To enable IP forward
Note:- If you have 2 interfaces (internal/external) enable ip_forward to allow traffic to pass from one interface to the other
#iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE --> enable masquerading (NAT device)
Note:- MASQUERADING enables the host to act as a router for the hosts behind it
#########################################################################################
#iptables -P INPUT DROP --> To change the default policy for a chain (ACCEPT/DROP)
#iptables -I INPUT -m mac --mac-source 00:1A:1F:B3:23:90 -j REJECT --> REJECT by MAC address
To Accept Certain Hosts With MAC and Reject Any Other Host
#iptables -I INPUT -m mac --mac-source 00:1A:1F:B3:23:90 -j ACCEPT
#iptables -I INPUT -m mac --mac-source 00:1A:1F:B3:23:20 -j ACCEPT
#iptables -A INPUT -j REJECT --> appended with -A so it is evaluated after the ACCEPT rules (with -I it would land first and reject everything)
To Accept Traffic from host with Certain IP and MAC
#iptables -I INPUT -s 10.10.5.130 -m mac --mac-source 08:00:27:49:AF:12 -j ACCEPT
#iptables -A INPUT -j DROP --> appended, for the same reason
Note:- If the host changes its IP or MAC its traffic will be dropped
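Because first match wins, the choice between -I and -A for the catch-all decides whether an allow-list like the one above works at all. The script below is an added example, not from the original notes: it replays a list of iptables -I/-A commands and prints the chain order the kernel would end up with, without touching the kernel, using the MAC allow-list rules from this section as input. The names `resolve_order` and `first_target` are chosen here.

```shell
#!/bin/sh
# Added example, not from the original notes: resolve the order iptables will
# end up with after a series of -I / -A commands, without touching the kernel.
# Useful for spotting the classic mistake of inserting the catch-all rule with -I.

# resolve_order CHAIN  (iptables commands on stdin, one per line)
# Prints "N: rule" for CHAIN in final evaluation order (first match wins).
resolve_order() {
  awk -v c="$1" '
    {
      sub(/^#? *iptables +/, "")               # allow the pasted "#iptables ..." form
      op = $1; ch = $2; start = 3; pos = 1
      if (op == "-I") {
        if ($3 ~ /^[0-9]+$/) { pos = $3; start = 4 }   # -I CHAIN N ...
      } else if (op != "-A") next
      if (ch != c) next
      rule = ""
      for (i = start; i <= NF; i++) rule = rule (rule == "" ? "" : " ") $i
      n++
      if (op == "-A") { r[n] = rule; next }
      for (i = n; i > pos; i--) r[i] = r[i-1]  # shift down, insert at pos
      r[pos] = rule
    }
    END { for (i = 1; i <= n; i++) print i ": " r[i] }'
}

# first_target CHAIN: the target of the rule evaluated first
first_target() {
  resolve_order "$1" | awk 'NR == 1 { print $NF; exit }'
}

# The MAC allow-list as typed with -I for every rule: the REJECT inserted last
# lands at the top, so nothing is ever ACCEPTed.
BROKEN='iptables -I INPUT -m mac --mac-source 00:1A:1F:B3:23:90 -j ACCEPT
iptables -I INPUT -m mac --mac-source 00:1A:1F:B3:23:20 -j ACCEPT
iptables -I INPUT -j REJECT'

# Same intent, catch-all appended with -A so the ACCEPT rules are checked first.
FIXED='iptables -I INPUT -m mac --mac-source 00:1A:1F:B3:23:90 -j ACCEPT
iptables -I INPUT -m mac --mac-source 00:1A:1F:B3:23:20 -j ACCEPT
iptables -A INPUT -j REJECT'

# The "Rules Order" example from these notes, with a positional -I INPUT 2.
ORDERED='iptables -I INPUT -p icmp -s 10.10.5.90 -j ACCEPT
iptables -I INPUT 2 -p icmp -s 10.10.5.0/24 -j REJECT
iptables -A INPUT -p icmp -s 10.10.5.190 -j DROP'

echo "broken:";  printf '%s\n' "$BROKEN"  | resolve_order INPUT
echo "fixed:";   printf '%s\n' "$FIXED"   | resolve_order INPUT
echo "ordered:"; printf '%s\n' "$ORDERED" | resolve_order INPUT
```

Paste the commands of a whole script into `resolve_order INPUT` before running them as root; the same check is what `iptables -L -n --line-numbers` shows after the fact, but this version costs nothing if the order is wrong.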
More Iptables Options
-p (TCP, UDP, ICMP) --dport/--sport (80, 22, 21, 53)
-s Source Address (IP Address)
-d Destination Address (IP Address)
#iptables -I INPUT -p tcp --dport 80 -d www.yahoo.com -j ACCEPT
#iptables -I FORWARD -p tcp --dport 80 -d www.yahoo.com -s 10.10.5.132 -j REJECT
##################################### NAT Table ####################################
#iptables -t nat -L
POSTROUTING --> MASQUERADE / SNAT (rewrites the source of outgoing traffic)
PREROUTING --> port forwarding (DNAT / REDIRECT for incoming traffic)
eth0 --> WAN connection
eth1 --> LAN connection
#iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE --> Enable NAT
#iptables -t nat -I POSTROUTING -s 10.10.5.0/24 -o eth0 -j MASQUERADE
#iptables -t nat -I POSTROUTING -s 10.10.5.90 -o eth0 -j MASQUERADE
iptables -t nat -I POSTROUTING -o eth2 -j MASQUERADE
iptables -t nat -I POSTROUTING -o eth1 -j MASQUERADE
#iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to 10.10.5.23 --> traffic from host will be spoofed as 10.10.5.23 (Man In The Middle)
PREROUTING
DNAT
#iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to 1000 --> Incoming traffic to port 80 is redirected to local port 1000
#iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to 1000 --> -i determines which interface the incoming traffic must arrive on
Transparent proxy (the squid.conf line plus the NAT rules):
http_port 10.10.5.20:8080 transparent
echo 1 > /proc/sys/net/ipv4/ip_forward
#iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
#iptables -t nat -i eth0 -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
#iptables -t nat -i eth0 -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
#iptables -t nat -i eth0 -I PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.5:3128
#iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.10.5.99:1000
#iptables -t nat -i eth1 -I PREROUTING -p tcp --dport 80 -j DNAT --to 10.10.5.23:3128
#iptables -t nat -i eth1 -I PREROUTING -p tcp --dport 80 -j DNAT --to 10.10.5.23:8080
#iptables -t nat -I PREROUTING -i eth0 -d 10.10.5.99 -p tcp --dport 80 -j REDIRECT --to-ports 1000
#iptables -t nat -I PREROUTING -p tcp -d 10.10.5.99 --dport 80 -j DNAT --to 10.10.5.99:1000
Note:- Use REDIRECT to redirect traffic to another port on the same server (it only takes a port);
use DNAT to redirect traffic to another server (it takes IP:port)
i.e
#iptables -t nat -i eth0 -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
#iptables -t nat -i eth0 -I PREROUTING -p tcp --dport 80 -j DNAT --to 10.10.5.23:3128
Note:- If you don't know the interface name use eth+ (matches any interface whose name starts with eth)
##iptables Limits Module with icmp
#iptables -I INPUT -p icmp -m limit --limit 2/s -j ACCEPT | Accept ICMP at an average rate of 2 packets per second (the limit module's default burst is 5)
#iptables -I INPUT 2 -p icmp -j DROP |Second rule must be DROP, so anything above the limit is dropped
#iptables -I INPUT -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT --> --icmp-type restricts the rule to one ICMP type ("echo-request", i.e. ping)
##iptables Limits Module with http
#iptables -I INPUT -p tcp --dport 80 -m limit --limit 2/s -j ACCEPT --> Accept HTTP packets at an average rate of 2 per second
#iptables -I INPUT 2 -p tcp --dport 80 -j DROP --> Second rule must be DROP
##Stateful and stateless firewalls
TCP Connection "3-Way Handshake"
1- "New Packet" = SYN packet "HOST"
2- SYN+ACK "SERVER"
3- ACK "HOST"
NOW you have an established connection
##Connection Types
NEW --> New packets, i.e. sending the "SYN" packet
RELATED --> Related packets, i.e. receiving "SYN+ACK" from the server
ESTABLISHED --> Packets belonging to a connection that has already seen traffic in both directions
INVALID --> Packets that belong to no known connection; considered as an attack
A stateful firewall tracks all these connection states, which puts a heavy load on the router, while a stateless firewall doesn't track connections at all
Note:- A stateful firewall doesn't permit packets of an INVALID connection to pass, whereas a stateless firewall will permit these packets
##To close all incoming packets
#iptables -I INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT --> allow only packets belonging to ESTABLISHED and RELATED connections (new inbound connections fall through to the catch-all)
##To allow incoming from some protocols
#iptables -I INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -I INPUT 2 -p tcp --dport 80 -j ACCEPT | To pass the HTTP and VNC ports through
#iptables -I INPUT 3 -p tcp --dport 9500 -j ACCEPT | the stateful firewall
#iptables -A INPUT -j DROP = #iptables -A INPUT -m state --state NEW,INVALID -j DROP --> the catch-all goes last; placed at position 2 it would shadow the port rules (first match wins)
##Saving and Restoring Active Rules
#iptables-save > /etc/iptables.rules
#iptables-restore < /etc/iptables.rules
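An added example, not from the original notes, of a complete stateful ruleset written in the format iptables-save produces and iptables-restore reads, together with a lint that checks the points made above (DROP policy, the ESTABLISHED,RELATED rule before any port rule, catch-all last). The function names, the WAN/LAN parameters and the set of ports opened (22 from the LAN only, 80, udp/1194 for OpenVPN) are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the original notes: generate a stateful
# INPUT/FORWARD/NAT ruleset in iptables-save format (what iptables-restore
# reads) and lint it before loading. Interface and subnet are parameters;
# the ports opened (22 from the LAN, 80, udp/1194) are an assumed policy.

# build_ruleset WAN_IF LAN_NET  -> ruleset on stdout
build_ruleset() {
  wan=$1; lan=$2
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT
-A INPUT -p tcp --dport 22 -s $lan -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p udp --dport 1194 -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT-DROP: "
-A INPUT -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $lan -o $wan -j ACCEPT
-A FORWARD -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $lan -o $wan -j MASQUERADE
COMMIT
EOF
}

# check_ruleset  (ruleset on stdin) -> 0 if the INPUT chain is sane, 1 + messages otherwise:
#   * default policy is DROP
#   * the ESTABLISHED,RELATED accept comes before any port-opening rule
#   * the last rule is a DROP/REJECT catch-all (first match wins, so nothing after it runs)
check_ruleset() {
  awk '
    $1 == ":INPUT" && $2 != "DROP" { print "INPUT policy is " $2 ", expected DROP"; bad = 1 }
    $1 == "-A" && $2 == "INPUT"    { n++; rule[n] = $0 }
    END {
      for (i = 1; i <= n; i++) {
        if (!est  && rule[i] ~ /ESTABLISHED,RELATED/) est = i
        if (!port && rule[i] ~ /--dport/) port = i
      }
      if (port && (!est || est > port)) { print "ESTABLISHED,RELATED rule must precede port rules"; bad = 1 }
      if (n == 0 || rule[n] !~ /-j (DROP|REJECT)$/) { print "INPUT must end with a DROP/REJECT catch-all"; bad = 1 }
      exit bad
    }'
}

build_ruleset eth0 10.10.5.0/24 | check_ruleset && echo "ruleset OK"
# To load (as root): build_ruleset eth0 10.10.5.0/24 > /etc/iptables.rules && iptables-restore < /etc/iptables.rules
```

The LOG rule just before the final DROP is what makes the dropped traffic visible in /var/log/messages, which is the cheapest form of detection a gateway like this can offer; run `iptables-restore` only after `check_ruleset` has passed.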
##Create New Chain
#iptables -N new-chain --> To add new chain
#iptables -I new-chain -p tcp --dport 80 -j ACCEPT
#iptables -A INPUT -j new-chain | To make the INPUT and FORWARD chains jump to the rules in
#iptables -A FORWARD -j new-chain | "new-chain"
#iptables -X new-chain --> To delete chain
RedHat Firewall tools
system-config-securitylevel GUI
system-config-securitylevel-tui CLI
DNS Server
BIND DNS server, port 53 TCP and UDP
DNS queries use UDP by default; TCP is used if UDP fails
TCP port 53 is used by default between the master server and its slaves to transfer zones and DNS data, but if it is blocked by iptables it uses UDP.
--Caching Only Name Server--
yum install caching-nameserver --> To install the cache only name server.
/etc/init.d/named start
/etc/named.caching-nameserver.conf --> Default config file for the cache only name server on RedHat systems.
dig @127.0.0.1
/var/named/named.ca --> The root DNS file which contains the root servers IP addresses and names.
http://www.internic.net/zones/named.root
dig @8.8.8.8 www.yahoo.com --> Use @ to specify the DNS server which you want to query through.
dig +trace www.yahoo.com --> Display details about how the query took place.
--Resource Records RR
A Internet Address "ip address"
PTR Pointer record "Reverse lookup"
NS Name server authoritative for the domain.
MX Mail exchangers for the domain.
SOA Start of authority.
dig yahoo.com NS --> To query the name servers authorized for the domain.
dig yahoo.com MX --> To query the mail servers"Mail Exchanger" authorized for the domain.
dig yahoo.com SOA --> To query the start of authority for a domain.
nslookup www.yahoo.com
host or dig --> alternatives to nslookup for the same lookup
--Configure DNS bind master server "Authoritative DNS server"--
#vim /etc/named.conf --> Main config file on RedHat systems.
#rpm -e bind-chroot --> To remove the chroot package and run named without chroot
#locate named.conf
#/usr/share/doc/bind-9.3.6/sample/etc/named.conf
#vim /etc/named.conf and add the following directives
directory "/var/named" --> This directive defines where the DNS zone databases live
zone "linux.org" {
type master;
allow-transfer { 10.10.5.90; 10.10.5.23; };
file "linux.org.db";
};
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch18_:_Configuring_DNS
#cp /var/named/localdomain.zone /var/named/linux.org.db
#chown named.named -R /var/named/
#vim /var/named/linux.org.db
$TTL 86400
@       IN SOA ns1.linux.org. hostmaster.linux.org. (
                42 ; serial (d. adams)
                3H ; refresh
                15M ; retry
                1W ; expiry
                1D ) ; minimum
        IN NS ns1.linux.org.
        IN NS ns2.linux.org.
        IN NS ns3.linux.org.
ns1.linux.org.   IN A 10.10.5.20
ns2.linux.org.   IN A 10.10.5.90
ns3.linux.org.   IN A 10.10.5.23
www              IN A 10.10.5.20
ftp              IN A 10.10.5.29
mail.linux.org.  IN A 10.10.5.20
mail2.linux.org. IN A 10.10.5.23
linux.org.       IN MX 10 mail.linux.org.
linux.org.       IN MX 15 mail2.linux.org.
#dig @10.10.5.20 linux.org MX
--Configure a slave DNS bind server--
#vim /etc/hosts
10.10.5.90 ns2.linux.org
#su -
OR
#vim /etc/sysconfig/network --> Controls IPv4/IPv6 networking on start-up and assigns the host's name.
NETWORKING=yes
HOSTNAME=ns2.linux.org
Note:- On Debian systems to assign a name to your host edit /etc/HOSTNAME
--CHROOT environment--
To enable the chroot environment on RedHat systems
#yum install bind-chroot
#vim /etc/named.conf
vim /etc/sysconfig/named --> To enable or disable the chroot environment on RedHat
ROOTDIR=/var/named/chroot --> chroot is enabled; all zone files must be under /var/named/chroot
#ROOTDIR=/var/named/chroot --> chroot is disabled (line commented out); all zone files must be under /var/named
On slave server's /etc/named.conf
#vim /var/named/chroot/etc/named.conf
options
{
query-source port 53;
query-source-v6 port 53;
directory "/var/named"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
};
zone "linux.org" {
type slave;
masters { 10.10.5.20; };
file "slaves/linux.org.slave.db";
};
On the master DNS server add allow-transfer { 10.10.5.90; }; to the zone in /etc/named.conf
Restart the service on the master and the slave
#ls /var/named/chroot/var/named/slaves/ --> On slave
linux.org.slave.db
#vim /var/named/chroot/var/named/slaves/linux.org.slave.db
#iptables -I INPUT -p tcp --dport 53 -j ACCEPT
#iptables -I INPUT -p udp --dport 53 -j ACCEPT
#dig @10.10.5.90 lab101.linux.org
To update or add resource records on all DNS servers (master and slaves):
on the master server's zone database, increase the serial number, e.g.
vim /var/named/linux.org.db
44 ; serial (d. adams)
-----------------------------------------------------------------------------------
dns round robin load balance
www 100 IN A 10.10.5.101
www 100 IN A 10.10.5.102
www 100 IN A 10.10.5.103
------------
http://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-bind-zone.html
-------------------------
numerical value incremented every time the zone file is altered to indicate it is time for named to reload the zone.
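Two helpers for the steps above, added here as an example rather than taken from the original notes: bump the SOA serial of a zone file in place, and check that every NS target named in the zone has an A record in it (catching a typo such as ns1.linux1.org. in place of ns1.linux.org., which leaves the name server without an address in the zone). The zone text is constructed for the demo, the origin is passed explicitly, and the function names are chosen here.

```shell
#!/bin/sh
# Added example, not from the original notes: bump the SOA serial of a zone file
# and check that every NS target has an A record in the zone.
# The zone text below is constructed for the demo (with a deliberate glue typo).

# zone_serial ZONEFILE -> current serial (first number on the "; serial" line)
zone_serial() {
  awk '/; *serial/ { print $1; exit }' "$1"
}

# bump_serial ZONEFILE -> rewrites the file with serial+1, prints the new value
bump_serial() {
  awk '/; *serial/ && !done { sub(/[0-9]+/, $1 + 1); done = 1 } { print }' "$1" > "$1.tmp" \
    && mv "$1.tmp" "$1" && zone_serial "$1"
}

# check_ns_glue ZONEFILE ORIGIN -> 0 if every NS target has an A record in the zone
check_ns_glue() {
  awk -v origin="$2" '
    /^[[:space:]]*;/ || NF == 0 { next }
    {
      for (i = 1; i <= NF; i++) {
        if ($i == "NS") ns[$(i+1)] = 1
        if ($i == "A" && i > 1 && $1 != "IN") {      # owner name is field 1 when present
          name = $1
          if (name == "@") name = origin "."
          else if (name !~ /\.$/) name = name "." origin "."
          a[name] = 1
        }
      }
    }
    END {
      for (n in ns) if (!(n in a)) { print "NS " n " has no A record in the zone"; bad = 1 }
      exit bad
    }' "$1"
}

demo=$(mktemp -d)
cat > "$demo/linux.org.db" <<'EOF'
$TTL 86400
@       IN SOA ns1.linux.org. hostmaster.linux.org. (
                42 ; serial
                3H ; refresh
                15M ; retry
                1W ; expiry
                1D ) ; minimum
        IN NS ns1.linux.org.
        IN NS ns2.linux.org.
ns1.linux1.org. IN A 10.10.5.20
ns2.linux.org.  IN A 10.10.5.90
www     IN A 10.10.5.20
EOF

check_ns_glue "$demo/linux.org.db" linux.org || echo "fix the glue before reloading"
sed 's/ns1\.linux1\.org\./ns1.linux.org./' "$demo/linux.org.db" > "$demo/fixed.db" \
  && mv "$demo/fixed.db" "$demo/linux.org.db"
check_ns_glue "$demo/linux.org.db" linux.org && echo "glue OK"
echo "serial: $(zone_serial "$demo/linux.org.db") -> $(bump_serial "$demo/linux.org.db")"
```

On the real master the sequence is `check_ns_glue /var/named/linux.org.db linux.org && bump_serial /var/named/linux.org.db` followed by the named restart; the slaves only pull the new zone when the serial has gone up, so forgetting the bump is the usual reason a record change never reaches them.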
###Squid Server###
squidGuard
www.opendns.com
#vim /etc/squid/squid.conf --> Default config file
Note:- You can use webmin to configure the proxy
MS-ISA: Microsoft cache server, default port 8080
Squid default port 3128
Edit->Preferences->Advanced->Settings->Manual Proxy Configuration --> To configure Firefox to use the proxy
#/etc/init.d/squid restart
#vim /var/log/messages
#vim /var/log/squid/cache.log --> Main squid cache log file
#vim /etc/hosts
Note:- Make sure that /etc/hosts contains the line of
127.0.0.1 localhost.localdomain localhost
init_cache_dir /var/spool/squid --> Creates the cache directories on the hard disk when Squid starts for the first time.
/var/spool/squid --> Default cache directory on the server's hard disk.
visible_hostname localhost --> Defines the hostname of the cache server statically.
#vim /etc/squid/squid.conf
acl mylan src 10.10.5.0/24 --> Use an acl to define a subnet
http_access allow localhost mylan --> Define which subnets may use the proxy
acl working_hours time 09:00-12:29 --> Define an acl for the access time
http_access allow mylan working_hours --> Allow access to mylan only during those times
acl blocked dstdomain .yahoo.com .youtube.com .google.com --> Block certain domains
http_access deny blocked
acl blocked_url url_regex music games --> Block URLs containing certain words
http_access deny blocked_url
http_access deny all --> Deny everything else, i.e. any host from any other subnet
acl Safe_ports port 80 # http --> acl to allow port 80
acl Safe_ports port 21 # ftp --> acl to allow port 21
http_access deny !Safe_ports --> Deny all ports except Safe_ports
http_port 10.10.5.23:8080 --> Define the IP and port Squid listens on.
cache_mem 800 MB --> Define how much RAM Squid will use for in-memory objects.
cache_dir ufs /var/spool/squid 100 16 256 --> Squid will use only 100 MB on disk.
cache_dir ufs /var/spool/squid 10000 16 256 --> The size on the hard disk Squid will use; in this sample 10000 MB.
To integrate Squid with OpenLDAP add these 3 lines to squid.conf:
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=hellscream,dc=info" -f "uid=%s" -h 10.10.5.23
acl ldapauth proxy_auth REQUIRED
http_access allow ldapauth
To Enable Transparent Proxy
http_port 10.10.5.20:8080 transparent
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -i eth0 -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -i eth0 -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.10.5.23:3128
Note:- This redirects all port 80 traffic to port 8080 (automatically); then all traffic on port 8080 (on 10.10.5.20) is redirected to port 3128 (the proxy) on 10.10.5.23
------------------------
visible_hostname linux --> Defines the hostname of the cache server statically.
--------
cache_mgr root@yahoo.com --> Defines the admin e-mail address shown on the error pages users see.
#vim /var/log/squid/access.log --> Logs every request to the Squid cache together with the client's IP address.
TCP_MISS/200 --> Not found in the cache.
TCP_HIT/200 --> Found in the cache.
TCP_REFRESH_HIT/ --> Only part of the object was found in the cache; the rest was not
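To turn the access.log result codes above into something actionable, here is an added example (not from the original notes) that counts hits, misses and ACL denials over constructed log lines in Squid's native access.log format, and lists clients that repeatedly run into deny rules such as the blocked-domain acl above. The function names are chosen here and the sample lines are made up.

```shell
#!/bin/sh
# Added example, not from the original notes: summarise a Squid access.log by
# result code and flag clients that keep hitting denied ACLs. The log lines are
# constructed in Squid's native format:
#   time elapsed client code/status bytes method URL ident hierarchy/host type
SAMPLE_LOG='1300000001.123 45 10.10.5.101 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1300000002.456 3 10.10.5.102 TCP_HIT/200 5120 GET http://www.example.com/index.html - NONE/- text/html
1300000003.789 12 10.10.5.103 TCP_DENIED/403 1500 GET http://www.youtube.com/ - NONE/- text/html
1300000004.012 40 10.10.5.101 TCP_REFRESH_HIT/200 8000 GET http://www.example.com/logo.png - DIRECT/93.184.216.34 image/png
1300000005.345 9 10.10.5.103 TCP_DENIED/403 1500 GET http://www.yahoo.com/ - NONE/- text/html
1300000006.678 30 10.10.5.102 TCP_MISS/200 2100 GET http://www.example.com/about.html - DIRECT/93.184.216.34 text/html'

# squid_cache_stats < access.log -> "hits misses denied hit_ratio_percent"
# *HIT* codes (TCP_HIT, TCP_REFRESH_HIT, TCP_MEM_HIT, ...) count as hits;
# TCP_DENIED is an ACL refusal and is counted separately, not as a miss.
squid_cache_stats() {
  awk '
    { split($4, c, "/")
      if (c[1] == "TCP_DENIED") d++
      else if (c[1] ~ /HIT/) h++
      else m++ }
    END { served = h + m; pct = served ? int(100 * h / served) : 0
          printf "%d %d %d %d\n", h, m, d, pct }'
}

# squid_denied_clients [MIN] < access.log -> "client count" for clients with >= MIN denials (default 2)
squid_denied_clients() {
  awk -v min="${1:-2}" '
    $4 ~ /^TCP_DENIED\// { n[$3]++ }
    END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }' | sort
}

printf '%s\n' "$SAMPLE_LOG" | squid_cache_stats      # 2 2 2 50
printf '%s\n' "$SAMPLE_LOG" | squid_denied_clients   # 10.10.5.103 2
```

On a live proxy run `squid_cache_stats < /var/log/squid/access.log` to see whether cache_dir and cache_mem are sized sensibly, and `squid_denied_clients 20 < /var/log/squid/access.log` from a cron job to spot a host that keeps asking for blocked sites, which is worth a look before it turns into a malware cleanup.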
To Install Sarg
#yum -y install sarg
#cat /etc/httpd/conf.d/sarg.conf
/var/log/squid/access.log --> Sarg get info. from this log file
#ls /var/www/sarg/
#http://127.0.0.1/sarg/
#cat /etc/cron.daily/sarg
sarg
### Squid Authentication ### Using htpasswd command
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5 --> Defines the number of users who can log in simultaneously
auth_param basic realm Squid proxy-caching web server --> Title shown to the user in the login prompt
auth_param basic credentialsttl 2 hours --> You'll be asked to supply credentials again every 2 hours
auth_param basic casesensitive off --> Usernames are matched case-insensitively
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
-----------------------------------
/etc/squid/passwd
htpasswd -c /etc/squid/passwd test --> create user name & passwd for authenticated users
-c is used only at first time to create /etc/squid/passwd file
===========bandwidth limit============
acl timess time 13:59-23:59
acl times time 00:01-11:59
delay_pools 2 # two limits in the proxy: morning & night --> Number of pools (one per limit: 150000 and 5000 bytes/s); declare it once, before the pool definitions
delay_class 2 2 --> first "2" is the pool number, second "2" is the class: class 2 gives each user its own 150000 bytes/s, class 1 would share 150000 bytes/s among all users
delay_parameters 2 -1/-1 150000/150000 # about 150 KB/s per user --> (-1/-1) means no aggregate limit, so each user gets 150000 bytes/s whatever the number of users
delay_access 2 allow all timess
delay_class 1 2
delay_parameters 1 -1/-1 5000/5000 # about 5 KB/s per user
delay_access 1 allow all times
http_access allow all
###Squid Delay Pools examples
24 hours static bandwidth limit.
--------------------
Shared bandwidth among users. Delay class 1
------
delay_pools 1
delay_class 1 1
delay_parameters 1 5000/5000 # about 5 KB/s shared by everyone
delay_access 1 allow all
----------------------------------------
24 hours static bandwidth limit.
--------
Per-user bandwidth limit. Delay class 2
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 15000/15000 # about 15 KB/s per user
delay_access 1 allow all
http_access allow all
HTB-tools --> Quality of Service tool
tc command --> traffic control (rate limiting) command
master shaper --> limits connections
The Wonder Shaper
yum -y install openvpn
http://openvpn.net/index.php/open-source/documentation/howto.html
locate server.conf
cp /usr/share/doc/openvpn-2.2.0/sample-config-files/server.conf /etc/openvpn/
vim /etc/openvpn/server.conf
local 10.10.5.20 --> IP Server
port 1194 --> Port to which openVPN service will bind to
Note:- If port 1194 is closed in certain countries you can use another port to connect
through i.e 110
proto udp --> Default protocol
dev tun --> Virtual interface or VPN server
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0 --> Determine rang of the VPN
ifconfig-pool-persist ipp.txt --> This option will create /etc/openvpn/ipp.txt file and it has statistics about what real IP clients connecting from and there private ip addresses.
push "route 192.168.20.0 255.255.255.0" --> This option will cause VPN clients to redirect it's default gateway to VPN server to redirect all WAN traffic through the VPN srever.
#openssl dhparam -out dh1024.pem 1024 --> To create certificate
status openvpn-status.log --> Create a new file /etc/openvpn/openvpn-status.log that
show the current connections on the VPN server.
log openvpn.log --> Create a new file /etc/openvpn/openvpn.log that shows the logs of the
VPN server.
Create the server certificate and keys.
#cd /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0
#chmod +x *
#vim vars --> Edit this file to refelect you details in the certificate as follow
export KEY_COUNTRY="EG"
export KEY_PROVINCE="ALEX"
export KEY_CITY="ALEX"
export KEY_ORG="lab101"
export KEY_EMAIL="ahmed@linux.or
#source ./vars
# ./clean-all
# ./build-ca --> Accept defaut setting "Pre-determined in vim vars step"
Note: ./clean-all step cleans all keys previously ceated inside folder keys.
#ls keys/
ca.crt ca.key index.txt serial
Build Server Key
#./build-key-server server--> "Data Base Updated" means the certificate has been created
successfully.
Build Client Key
#./build-key slave-vm --> This step will create keys for host named slave-vm so it can
connect to the VPN server.
Note:- You can use ./build-key-pass --> To force client to supply passwd in order to
connect to the server.
# ./build-key shady --> This step will create keys for host named shady so it can
connect to the VPN server.
# ./build-dh
# vim /etc/openvpn/server.conf
ca /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/keys/ca.crt
cert /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/keys/server.crt
key /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/keys/server.key
dh /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/keys/dh1024.pem
/etc/init.d/openvpn restart
netstat -antlpu |grep 1194
Clients Configuration.
#yum install openvpn
#yum --nogpg -y install openvpn
# cp /usr/share/doc/openvpn-2.2.0/sample-config-files/client.conf /etc/openvpn/
#vim /etc/openvpn/client.conf
client
dev tun
proto udp --> Must be defined as the server "udp or tcp"
remote 10.10.5.20 1194 --> Must also be defined as server port
ca ca.crt |
cert client.crt | Copy client creditials from the server and add them here
key client.key |
i.e
ca /etc/openvpn/ca.crt
cert /etc/openvpn/slave-vm.crt
key /etc/openvpn/slave-vm.key
On the server copy the keys and certificate of the server to every client wants to conenct to VPN.
cd /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/keys
scp ca.crt slave-vm.key slave-vm.crt 10.10.5.133:/etc/openvpn
--To connect from client to server do,
openvpn --config /etc/openvpn/client.conf
When it gives you this messages you could connect to VPN server.
Initialization Sequence Completed
Add new client,
---
cd /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/
source ./vars
./build-key-pass
On client client.conf
ca /etc/openvpn/ca.crt
cert /etc/openvpn/shady.crt
key /etc/openvpn/shady.key
Iptables
Iptables important options
-L List the rules currently active.
-D Remove rule from the active rules.
-A Append new rule at the bottom of the iptables rules currently active.
-I Insert a rule as the first rule above the currently active rules.
-t Define table which you are working on
-F Flush all rules currently active but it will return after restart
-p Port name (ssh, icmp, ftp, ...)
-s Source (IP
-j Target
i.e
#iptable -L -t nat
#iptable -F INPUT --> Flushes the INPUT chain active rules
#iptable -F nat --> Flushes the NAT chain active rules
#iptable -L -n --> Numeric list
#/etc/init.d/iptables stop --> Flushes all rules in all chains
#/etc/init.d/iptables save --> Overwrite all currently active rules (new/old) in start up file /etc/sysconfig/iptables
##################################### Iutput Chain #####################################
#iptables -I INPUT -p icmp -s 10.10.5.20 -j DROP -->
Note iptables load its rules at start up from /etc/sysconfig/iptables
Iptables Consist of 3 tables and each table consist of 3 chains
1-Filter Table
1-a Input --> Incoming Traffic
1-b Output --> Outgoing Traffic
1-c Forward --> Traffic Pass Through (Host Act As Router)
2-Nat Table
2-a Prerouting --> Redirect Incoming Traffic (i.e Internet) To Certain host or port
2-b Postrouting --> Redirect Outgoing Traffic (i.e Request access to net from hosts)
2-c Output
Iptables Important Targets
1- ACCEPT --> Accept Traffic
2- REJECT --> Reject Traffic With Error Message
3- DROP --> Drop Traffic With No Error Message
4- LOG --> Logs Traffic in /var/log/messages
i.e
#iptables -I INPUT -p TCP --dport 80 -j LOG
#iptables -I INPUT -p UDP --dport 111 -j LOG
#iptables -I INPUT -p TCP --dport 80 -j LOG
#iptables -I INPUT -p ICMP -j LOG
Rules Order (First Match Wins)
#iptables -I INPUT -p icmp -s 10.10.5.90 -j ACCEPT --> First Rule
#iptables -I INPUT 2 -p icmp -s 10.10.5.0/24 -j REJECT --> Second Rule
#iptables -A INPUT -p icmp -s 10.10.5.190 -j DROP --> Last rule because of (-A) option
Note:- With (-I) option you can determine the order of the rule
#iptables -L -n --line-numbers --> Echo each rule number
#iptables -L -v --> Echo packet and byte counter (how many packets are matched the rule and its size)
Note:- Packet and byte counters are helpful to detect infected hosts by applying accept rule for each host (infected hosts always send heavy traffic on the gateway)
#iptables -D INPUT -p icmp -s 10.10.5.190 -j DROP
#iptables -D INPUT 30 --> Delete rule number 30 in INPUT chain
#iptables -R INPUT 29 -p icmp -s 10.10.5.155 -j ACCEPT --> Replace rule number 29 in INPUT chain with -p icmp -s 10.10.5.155 -j ACCEPT
##################################### Output Chain #####################################
#iptables -I OUTPUT -p tcp --dport 80 -j REJECT --> REJECT any outgoing traffic
#iptables -I OUTPUT -p tcp --dport 80 -d yahoo.com -j REJECT --> To REJECT traffic outgoing to yahoo domain
##################################### Forward Chain ####################################
(Gateway Configuration)
#echo 1 > /proc/sys/net/ipv4/ip_forward --> To enable IP forward
Note:- If you have 2 interfaces (Internal/External) use ip_forward to allow each interface
to communicate with each other
#iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE --> enable masquerading NAT device
Note:- MASQUERADING enbales host to act as a router
#########################################################################################
#iptables -P INPUT DROP --> To change the default policy for a chain (REJECT/ACCEPT)
#iptables -I INPUT -m mac --mac-source 00:1A:1F:B3:23:90 -j REJECT --> REJECT using mac
To Accept Certain Hosts With MAC and Reject Any Other Host
#iptables -I INPUT -m mac --mac-source 00:1A:1F:B3:23:90 -j ACCEPT
#iptables -I INPUT -m mac --mac-source 00:1A:1F:B3:23:20 -j ACCEPT
#iptables -I INPUT j REJECT
To Accept Traffic from host with Certain IP and MAC
#iptables -I INPUT -s 10.10.5.130 -m mac --mac-source 08:00:27:49:AF:12 -j ACCEPT
#iptables -I INPUT j DROP
Note:- If the host changes his IP or MAC traffic will be droped
More Iptables Options
-p (TCP, UDP, ICMP) --dport/--sport (80, 22, 21, 53)
-s Source Address (IP Address)
-d Destination Address (IP Address)
#iptables -I INPUT -p tcp --dport 80 -d www.yahoo.com -j ACCEPT
#iptables -I FORWARD -p tcp --dport 80 -d www.yahoo.com -s 10.10.5.132 -j REJECT
##################################### NAT Table ####################################
#iptables -t nat -L
POSTROUTING MASQUERADE
PREROUTING port forwarding
eth0 WAN Connection
eth1 LAN Connection
#iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE --> Enable NAT
#iptables -t nat -I POSTROUTING -s 10.10.5.0/24 -o eth0 -j MASQUERADE
#iptables -t nat -I POSTROUTING -s 10.10.5.90 -o eth0 -j MASQUERADE
iptables -t nat -I POSTROUTING -o eth2 -j MASQUERADE
iptables -t nat -I POSTROUTING -o eth1 -j MASQUERADE
#iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to 10.10.5.23 --> traffic from host will be spoofed as 10.10.5.23 (Man In The Middle)
PREROUTING
DNAT
#iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to 1000 --> Redirect incoming traffic to port 80 will be directed to port 1000
#iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to 1000 --> To Determine which interface incoming traffic will pass through
http_port 10.10.5.20:8080 transparent --> (in squid.conf)
echo 1 > /proc/sys/net/ipv4/ip_forward
#iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
#iptables -t nat -i eth0 -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
#iptables -t nat -i eth0 -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
#iptables -t nat -i eth0 -I PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.5:3128
#iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 10.10.5.99:1000
#iptables -t nat -i eth1 -I PREROUTING -p tcp --dport 80 -j DNAT --to 10.10.5.23:3128
#iptables -t nat -i eth1 -I PREROUTING -p tcp --dport 80 -j DNAT --to 10.10.5.23:8080
#iptables -t nat -I PREROUTING -i eth0 -d 10.10.5.99 -p tcp --dport 80 -j REDIRECT --to-port 1000
#iptables -t nat -I PREROUTING -p tcp -d 10.10.5.99 --dport 80 -j DNAT --to 10.10.5.99:1000
Note:- Use -j REDIRECT (--to-port) to redirect traffic to another port on the same server; REDIRECT takes only a port, never an address
Use -j DNAT (--to ip:port) to redirect traffic to another server
i.e
#iptables -t nat -i eth0 -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
#iptables -t nat -i eth0 -I PREROUTING -p tcp --dport 80 -j DNAT --to 10.10.5.23:3128
Note:- If you don't know the interface name use eth+
##iptables Limits Module with icmp
#iptables -I INPUT -p icmp -m limit --limit 2/s -j ACCEPT | Accept ICMP at an average rate of 2 packets per second (limit module), whatever the number of sending hosts
#iptables -I INPUT 2 -p icmp -j DROP | Second rule must be DROP, so anything above the rate is dropped
#iptables -I INPUT -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT --> To determine the type of icmp "echo-request"
##iptables Limits Module with http
#iptables -I INPUT -p tcp --dport 80 -m limit --limit 2/s -j ACCEPT --> Accept HTTP at an average rate of 2 packets per second
#iptables -I INPUT 2 -p tcp --dport 80 -j DROP --> Second rule must be DROP
##Stateful and stateless firewalls
TCP Connection "3-way handshake"
1- "New Packet" = SYN packet "HOST"
2- SYN+ACK "SERVER"
3- ACK "HOST"
NOW you have an established connection
##Connection Types
NEW --> New packets i.e Sending "SYN" Packet
RELATED --> Related packets i.e Receiving "SYN+ACK" from server
ESTABLISHED --> Packets belonging to a connection the firewall has already seen traffic for in both directions
INVALID --> Considered as attack
A stateful firewall monitors all these connection types, which puts a heavy load on the router, while a stateless firewall doesn't track connections at all
Note:- A stateful firewall doesn't permit packets belonging to an invalid connection to pass; a stateless firewall will permit these types of packets
##To close all incoming packets
#iptables -I INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT --> allow only packets belonging to ESTABLISHED and RELATED connections
##To allow incoming from some protocols
#iptables -I INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -I INPUT 3 -p tcp --dport 80 -j ACCEPT | to pass the HTTP and VNC ports through the
#iptables -I INPUT 4 -p tcp --dport 9500 -j ACCEPT | stateful firewall
#iptables -I INPUT 2 -j DROP = #iptables -I INPUT 2 -m state --state NEW,INVALID -j DROP
Note:- Rules are matched in order, so the DROP must end up after the port ACCEPTs or they are never reached; verify the final order with iptables -L INPUT -n --line-numbers
##Saving and Restoring Active Rules
#iptables-save > /etc/iptables.rules
#iptables-restore < /etc/iptables.rules
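The stateful baseline above (ESTABLISHED,RELATED first, NEW only on chosen ports, masquerading on the WAN side, an optional DNAT port forward) is easiest to keep in the same text format that iptables-save writes and iptables-restore reads, so the whole ruleset can be reviewed before it is loaded. The script below is an added example, not part of the original notes; the interface names (eth0 as WAN, eth1 as LAN), the 10.10.5.0/24 subnet and the forward target are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: emit the stateful firewall +
# NAT baseline in iptables-save format so it can be reviewed as text and
# loaded with `iptables-restore`. Nothing here needs root to generate.
# Assumptions (not from the page): WAN=eth0, LAN=eth1, LAN net 10.10.5.0/24,
# the optional port-forward target is a constructed ip:port.

# gen_ruleset WAN_IF LAN_IF LAN_NET "TCP_PORTS" [FORWARD_TO ip:port]
gen_ruleset() {
    wan=$1; lan=$2; net=$3; ports=$4; fwd=$5
    # filter table: default DROP, conntrack rules first, then explicit opens
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT
EOF
    # one NEW-state accept per listed service port
    for p in $ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $net -j ACCEPT
EOF
    if [ -n "$fwd" ]; then
        # a DNATed packet still crosses FORWARD, so it needs an explicit accept
        printf '%s\n' "-A FORWARD -i $wan -p tcp -d ${fwd%:*} --dport ${fwd#*:} -m state --state NEW -j ACCEPT"
    fi
    # nat table: masquerade the LAN behind the WAN address, optional DNAT
    cat <<EOF
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $net -o $wan -j MASQUERADE
EOF
    if [ -n "$fwd" ]; then
        printf '%s\n' "-A PREROUTING -i $wan -p tcp --dport 80 -j DNAT --to-destination $fwd"
    fi
    echo COMMIT
}

# count_rules RULESET_TEXT -> number of -A lines, a quick sanity figure
count_rules() {
    printf '%s\n' "$1" | grep -c '^-A '
}

# usage (as root): gen_ruleset eth0 eth1 10.10.5.0/24 "22 80" > /etc/iptables.rules
#                  iptables-restore --test < /etc/iptables.rules && iptables-restore < /etc/iptables.rules
```

Generating the file and loading it with iptables-restore replaces the whole table atomically, so the order problem of inserting rules one by one with -I does not arise; `iptables-restore --test` parses the file without committing it.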
##Create New Chain
#iptables -N new-chain --> To add new chain
#iptables -I new-chain -p tcp --dport 80 -j ACCEPT
#iptables -A INPUT -j new-chain | To force the INPUT and FORWARD chains to read the rules in
#iptables -A FORWARD -j new-chain | "new-chain"
#iptables -X new-chain --> To delete chain
RedHat Firewall tools
system-config-securitylevel GUI
system-config-securitylevel-tui CLI
DNS Server
BIND DNS server port 53 TCP-UDP
DNS queries use UDP by default and fall back to TCP if UDP fails
TCP port 53 is used by default between the master server and its slaves to transfer zones and DNS data, but if it is blocked by iptables it uses UDP.
--Caching Only Name Server--
yum install caching-nameserver --> To install the cache only name server.
/etc/init.d/named start
/etc/named.caching-nameserver.conf --> Default config file for the cache only name server on RedHat systems.
dig @127.0.0.1
/var/named/named.ca --> The root DNS file which contains the root servers IP addresses and names.
http://www.internic.net/zones/named.root
dig @8.8.8.8 www.yahoo.com --> Use @ to specify the DNS server which you want to query through.
dig +trace www.yahoo.com --> Display details about how the query took place.
--Resource Records RR
A Internet Address "ip address"
PTR Pointer record "Reverse lookup"
NS Name server authoritative for the domain.
MX Mail exchangers for the domain.
SOA Start of authority.
dig yahoo.com NS --> To query the name servers authorized for the domain.
dig yahoo.com MX --> To query the mail servers"Mail Exchanger" authorized for the domain.
dig yahoo.com SOA --> To query the start of authority for a domain.
nslookup www.yahoo.com
host or dig
--Configure DNS bind master server "Authoritative DNS server"--
#vim /etc/named.conf --> Main config file on RedHat systems.
#rpm -e bind-chroot --> To remove chroot pkg to work without chroot
#locate named.conf
#/usr/share/doc/bind-9.3.6/sample/etc/named.conf
#vim /etc/named.conf and add the following directives
directory "/var/named" --> This directive define the place of the DNS DBs
zone "linux.org" {
type master;
allow-transfer { 10.10.5.90; 10.10.5.23; };
file "linux.org.db";
};
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch18_:_Configuring_DNS
#cp /var/named/localdomain.zone /var/named/linux.org.db
#chown named.named -R /var/named/
#vim /var/named/linux.org.db
$TTL 86400
@       IN SOA ns1.linux.org. hostmaster.linux.org. (
                42      ; serial (d. adams)
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum
        IN NS ns1.linux.org.
        IN NS ns2.linux.org.
        IN NS ns3.linux.org.
ns1.linux.org.  IN A 10.10.5.20
ns2.linux.org.  IN A 10.10.5.90
ns3.linux.org.  IN A 10.10.5.23
www             IN A 10.10.5.20
ftp             IN A 10.10.5.29
mail.linux.org. IN A 10.10.5.20
mail2.linux.org. IN A 10.10.5.23
linux.org.      IN MX 10 mail.linux.org.
linux.org.      IN MX 15 mail2.linux.org.
Note:- The NS lines must start with whitespace so they inherit the owner name of the previous record (@, the zone itself); a record starting in column 0 is read as a new owner name.
#dig @10.10.5.20 linux.org MX
--Configure a slave DNS bind server--
#vim /etc/hosts
10.10.5.90 ns2.linux.org
#su -
OR
#vim /etc/sysconfig/network --> To control the networking of ipv4 and ipv6 on startup and to assign a name to your host.
NETWORKING=yes
HOSTNAME=ns2.linux.org
Note:- On Debian systems to assign a name to your host edit /etc/HOSTNAME
--CHROOT environment--
To enable the chroot environment on RedHat systems
#yum install bind-chroot
#vim /etc/named.conf
vim /etc/sysconfig/named --> To enable or disable the chroot environment on RedHat
ROOTDIR=/var/named/chroot --> This means chroot is enabled; all zone files should be under /var/named/chroot
#ROOTDIR=/var/named/chroot --> This means chroot is disabled; all zone files should be under /var/named
On slave server's /etc/named.conf
#vim /var/named/chroot/etc/named.conf
options
{
query-source port 53;
query-source-v6 port 53;
directory "/var/named"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
};
zone "linux.org" {
type slave;
masters { 10.10.5.20; };
file "slaves/linux.org.slave.db";
};
On Master DNS server add allow-transfer { 10.10.5.90; }; to /etc/named.conf
Restart the service on the master and slave
#ls /var/named/chroot/var/named/slaves/ --> On slave
linux.org.slave.db
#vim /var/named/chroot/var/named/slaves/linux.org.slave.db
#iptables -I INPUT -p tcp --dport 53 -j ACCEPT
#iptables -I INPUT -p udp --dport 53 -j ACCEPT
#dig @10.10.5.90 lab101.linux.org
To update or add new records or resource records to all DNS servers masters and slaves
On the master server's zone data base increase the serial number value like
vim /var/named/linux.org.db
44 ; serial (d. adams)
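The step slaves actually key on is the serial: a slave only transfers the zone again when the master's serial is higher than the one it holds, so an edit without a serial bump is silently never propagated. The helper below is an added example, not part of the original notes; it works on the "; serial" comment layout of the sample zone above, takes the zone file path as an argument, and runs named-checkzone only if it happens to be installed.

```shell
#!/bin/sh
# Added example, not from the original notes: bump the SOA serial of a BIND
# zone file so slaves notice the change. Keys on the "; serial" comment
# used in the sample zone above; indentation of the line is preserved.

# get_serial ZONEFILE -> prints the current serial
get_serial() {
    awk '/; *serial/ { if (match($0, /[0-9]+/)) print substr($0, RSTART, RLENGTH); exit }' "$1"
}

# bump_serial ZONEFILE -> increments the serial in place and prints the new value
bump_serial() {
    zf=$1
    tmp="$zf.tmp.$$"
    awk '
        !done && /; *serial/ {
            if (match($0, /[0-9]+/)) {
                n = substr($0, RSTART, RLENGTH) + 1
                $0 = substr($0, 1, RSTART - 1) n substr($0, RSTART + RLENGTH)
            }
            done = 1
        }
        { print }
    ' "$zf" > "$tmp" && mv "$tmp" "$zf"
    get_serial "$zf"
}

# check_zone ORIGIN ZONEFILE -> syntax-check with named-checkzone when installed
check_zone() {
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone -q "$1" "$2"
    else
        echo "named-checkzone not installed, skipping syntax check" >&2
    fi
}

# usage: bump_serial /var/named/linux.org.db && check_zone linux.org /var/named/linux.org.db
#        then rndc reload (or restart named) on the master
```

Plain incrementing matches the sample zone's "42"; if a zone uses the YYYYMMDDnn convention the same function still works, since it only adds one to whatever number it finds.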
-----------------------------------------------------------------------------------
dns round robin load balance
www 100 IN A 10.10.5.101
www 100 IN A 10.10.5.102
www 100 IN A 10.10.5.103
------------
http://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-bind-zone.html
-------------------------
###Squid Server###
squidGuard
www.opendns.com
#vim /etc/squid/squid.conf --> Default config file
Note:- You can use webmin to configure proxy
MS-ISA Microsoft cache server. Default port 8080
Squid default port 3128
Edit->Preferences->Advanced->Settings->Manual Proxy Configuration --> To configure Firefox to use the proxy
#/etc/init.d/squid restart
#vim /var/log/messages
#vim /var/log/squid/cache.log --> Main squid cache log file
#vim /etc/hosts
Note:- Make sure that /etc/hosts contains the line of
127.0.0.1 localhost.localdomain localhost
init_cache_dir /var/spool/squid --> Creates the cache directories on the hard disk the first time Squid starts (squid -z does the same by hand).
/var/spool/squid --> Default cache directory on the server's hard disk.
visible_hostname localhost --> Defines the hostname of the cache server statically.
#vim /etc/squid/squid.conf
acl mylan src 10.10.5.0/24 --> Use acl to define a certain subnet
http_access allow localhost mylan --> Define which subnet can login and use proxy
acl working_hours time 09:00-12:29 --> Define acl for access time
http_access allow mylan working_hours --> To allow access to mylan In certain times
acl blocked dstdomain .yahoo.com .youtube.com .google.com --> Block certain domains
http_access deny blocked
acl blocked_url url_regex music games --> block certain words in the url
http_access deny blocked_url
http_access deny all --> Deny all to deny any host from any other subnet
acl Safe_ports port 80 # http --> acl to allow port 80
acl Safe_ports port 21 # ftp --> acl to allow port 21
http_access deny !Safe_ports --> Deny all except Safe_ports
http_port 10.10.5.23:8080 --> Define the IP and port the squid will listen on.
cache_mem 800 MB --> Define how much RAM Squid will use.
cache_dir ufs /var/spool/squid 100 16 256 --> The squid will use only 100MB.
cache_dir ufs /var/spool/squid 10000 16 256 --> The size on the hard disk the Squid will use. In the sample it will use 10000MB.
To integrate Squid with OpenLDAP add these 3 lines to squid.conf
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=hellscream,dc=info" -f "uid=%s" -h 10.10.5.23
acl ldapauth proxy_auth REQUIRED
http_access allow ldapauth
To Enable Transparent Proxy
http_port 10.10.5.20:8080 transparent
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -i eth0 -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -i eth0 -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.10.5.23:3128
Note:- This will redirect all traffic on port 80 to port 8080 (Automatically) then all traffic on port 8080 (On 10.10.5.20) will be redirected to port 3128 (Proxy) on 10.10.5.23
------------------------
visible_hostname linux --> Defines the hostname of the cache server statically.
--------
cache_mgr root@yahoo.com --> Defines the admin email address shown on the error pages users see.
#vim /var/log/squid/access.log--> Logs access to squid cache and clients IP addresses.
TCP_MISS/200 --> Not found on the cache.
TCP_HIT/200 --> Found on the cache.
TCP_REFRESH_HIT/ --> Only part found on cache and the other part not found
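Those result codes are the first field worth reading in access.log: the HIT/MISS split tells you whether the cache is earning its disk, and TCP_DENIED per client tells you who keeps running into the acl policy. The functions below are an added example, not part of the original notes; the log lines written by sample_log are constructed in Squid's native format (time, elapsed ms, client, code/status, bytes, method, URL, user, hierarchy, type) and the addresses in them are made up.

```shell
#!/bin/sh
# Added example, not from the original notes: summarise a Squid access.log
# by result code and by client. sample_log writes constructed lines in the
# native log format so the functions can be tried without a real proxy.

# sample_log FILE -> writes constructed access.log lines
sample_log() {
    cat > "$1" <<'EOF'
1300000000.123     45 10.10.5.101 TCP_MISS/200 5432 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1300000001.456     12 10.10.5.101 TCP_HIT/200 5432 GET http://www.example.com/ - NONE/- text/html
1300000002.789     30 10.10.5.102 TCP_DENIED/403 1200 GET http://www.blocked.example/ - NONE/- text/html
1300000003.000     20 10.10.5.103 TCP_REFRESH_HIT/200 800 GET http://www.example.com/a.png - DIRECT/93.184.216.34 image/png
1300000004.000     25 10.10.5.102 TCP_DENIED/403 1200 GET http://www.blocked.example/x - NONE/- text/html
1300000005.000     90 10.10.5.103 TCP_MISS/200 9000 GET http://www.example.org/ - DIRECT/93.184.216.34 text/html
EOF
}

# hit_ratio LOGFILE -> integer percentage of served requests that were cache
# hits (TCP_HIT, TCP_MEM_HIT, TCP_REFRESH_HIT, ...); denied requests are
# excluded because they were never served
hit_ratio() {
    awk '{ split($4, c, "/"); code = c[1] }
         code ~ /_HIT$/  { hit++ }
         code ~ /_MISS$/ { miss++ }
         END { if (hit + miss == 0) print 0; else print int(100 * hit / (hit + miss)) }' "$1"
}

# denied_by_client LOGFILE -> "client count" lines, most denials first
denied_by_client() {
    awk '$4 ~ /^TCP_DENIED/ { d[$3]++ } END { for (c in d) print c, d[c] }' "$1" | sort -k2,2nr
}

# top_clients LOGFILE -> bytes per client, largest first
top_clients() {
    awk '{ b[$3] += $5 } END { for (c in b) print c, b[c] }' "$1" | sort -k2,2nr
}

# usage on a real proxy: hit_ratio /var/log/squid/access.log
#                        denied_by_client /var/log/squid/access.log | head
```

On a live server the same three functions run directly against /var/log/squid/access.log; a client that tops denied_by_client every day is either misconfigured or probing the acl list, and is worth a look either way.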
To Install Sarg
#yum -y install sarg
#cat /etc/httpd/conf.d/sarg.conf
/var/log/squid/access.log --> Sarg get info. from this log file
#ls /var/www/sarg/
#http://127.0.0.1/sarg/
#cat /etc/cron.daily/sarg
sarg
### Squid Authentication ### Using htpasswd command
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5 --> Defines the number of users who can login simultaneously
auth_param basic realm Squid proxy-caching web server --> Title echoed to the user
auth_param basic credentialsttl 2 hours --> You'll be asked to supply credentials every 2h
auth_param basic casesensitive off --> Ignore the case of usernames
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
-----------------------------------
/etc/squid/passwd
htpasswd -c /etc/squid/passwd test --> create user name & passwd for authenticated users
-c is used only at first time to create /etc/squid/passwd file
===========bandwidth limit============
acl timess time 13:59-23:59
acl times time 00:01-11:59
delay_pools 2 --> Number of limits 150000 and 5000
delay_class 2 2 --> the first "2" is the pool number, the second "2" is the class: class 2 means each user gets 150000, class 1 means 150000 in total for all users
delay_parameters 2 -1/-1 150000/150000 # 15 KB for download --> (-1/-1) to apply 150k to all users what ever the number of users
delay_access 2 allow all timess
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 5000/5000
delay_access 1 allow all times
http_access allow all
###Squid Delay Pools examples
24 hours static bandwidth limit.
--------------------
Shared bandwidth among users. Delay class 1
------
delay_pools 1 # two limits in proxy: morning & night
delay_class 1 1
delay_parameters 1 5000/5000 # 15KB for download
delay_access 1 allow all
----------------------------------------
24 hours static bandwidth limit.
--------
per user bandwidth limit. Delay class 2
delay_class 1 2
delay_parameters 1 -1/-1 15000/15000
delay_access 1 allow all
http_access allow all
HTB-tools --> Quality Of Service tool
tc command --> limit command
master shapper --> limit connection
The Wonder Shaper