Firewall Install

From INIwiki

Debian Etch on 512+ MB CF

1. Install from netinstall image

1a. Disk partition:

20 MB for Swap
remaining as /

2. From the install options choose

web server
dns server

3. Allow grub loader to install

Packages Install

4. Install additional packages:

apt-get install openssh-server shorewall squid dansguardian rsync dhcp3-server bind9 atop nload iptraf sudo -y

4a. Optional Installs:

apt-get install vim nmap ntpdate -y

4b. Edit the vim defaults to enable syntax colours:

vi /etc/vim/vimrc
    Uncomment "syntax on"

4c. Use vim for editing files (i.e. tell crontab that you want to use vim as your editor):

EDITOR=vi
export EDITOR

4d. Set the time from an NTP server, e.g.:

ntpdate -b clock.redhat.com
ntpdate -b 0.debian.pool.ntp.org

or

ntpdate -b pool.ntp.org

Post install size reduction options:

5. Remove the documentation from the root file system

rm -rf /usr/doc
rm -rf /usr/info
rm -rf /usr/man
rm -rf /usr/games
rm -rf /usr/share/doc
rm -rf /usr/share/doc-base
rm -rf /usr/share/info
rm -rf /usr/share/man
rm -rf /usr/share/man-db

6. Two others that can be trimmed or removed entirely are /usr/share/locale and /usr/share/zoneinfo:

rm -rf /usr/share/locale
rm -rf /usr/share/zoneinfo
  • /usr/share/locale -- locale data, so that users can see the system in their own languages
  • /usr/share/zoneinfo -- time zone data for showing local time and converting between zones; not needed if the box stays in a single timezone

Networking

7. Determine which network interface you are using:

mii-tool

7a. Configure interface bridging if needed:

apt-get install bridge-utils -y
mkdir /scripts
cat > /scripts/bridge.sh
#!/bin/sh
# Bring up the LAN ports, join them into bridge br0, give the bridge the LAN address and start the firewall
/sbin/ifconfig eth1 up
/sbin/ifconfig eth2 up
/sbin/ifconfig eth3 up
/usr/sbin/brctl addbr br0
/usr/sbin/brctl addif br0 eth1
/usr/sbin/brctl addif br0 eth2
/usr/sbin/brctl addif br0 eth3
/sbin/ifconfig br0 192.168.0.1 netmask 255.255.255.0
/sbin/shorewall start
(Now hit Control-D to end cat input)
  • edit the IP range as needed
chmod 755 /scripts/bridge.sh    - 755 rather than 777: the script runs as root at boot, so no other user should be able to change it
ln -s /scripts/bridge.sh /etc/rc3.d/S10br0
ln -s /scripts/bridge.sh /etc/rc2.d/S10br0   - based on your current run level (Debian boots into run level 2 by default); link rather than copy so both run levels start the same script

Verify setup is correct:

/scripts/bridge.sh
ifconfig
  • Look for the interface br0 (at the top)
  • Ignore the shorewall error at this time

Reload the bind service for later use:

/etc/init.d/bind reload  -- use for the standard bind service
/etc/init.d/bind9 reload -- use for the bind9 service

DHCPD

Upgrade to the dhcp3 server if you plan on using PXE options (the following assumes dhcp3 is installed):

apt-get install dhcp3-server

Remove the old dhcpd server if necessary:

apt-get remove dhcpd
rm -rf /etc/dhcpd
rm -rf /etc/dhcpd.*
rm -rf /var/lib/dhcp/dhcpd.leases

Overwrite the existing configuration with the following (make a backup first):

mv /etc/dhcp3/dhcpd.conf /etc/dhcp3/dhcpd.conf.org
cat > /etc/dhcp3/dhcpd.conf
subnet 192.168.0.0 netmask 255.255.255.0 {
       range 192.168.0.100 192.168.0.199;
       option subnet-mask 255.255.255.0;
       option domain-name "inisec.com";
       option domain-name-servers 192.168.0.1;
       option broadcast-address 192.168.0.255;
       option routers 192.168.0.1;
}
group {
       option subnet-mask 255.255.255.0;
       option domain-name "inisec.com";
       use-host-decl-names on;
       option domain-name-servers 192.168.0.1;
       option broadcast-address 192.168.0.255;
       option routers 192.168.0.1;
       max-lease-time 10080;
       default-lease-time 7200;
       authoritative;
}

# Sample to set static ip for MAC address
#host mac {
#       hardware ethernet 00:11:24:76:8b:a2;
#       fixed-address 192.168.0.118;
#       }
(Now hit Control-D to end cat input)
  • vi /etc/dhcp3/dhcpd.conf and edit the file as needed (IP ranges, hostname etc.)

Edit /etc/default/dhcp3-server (the defaults file of the dhcp3 package; /etc/default/dhcp belongs to the old dhcp package) and tell the server which interface to listen on:

vi /etc/default/dhcp3-server
Modify INTERFACES="" to
INTERFACES="br0"   for bridged interfaces
or
INTERFACES="eth1"  set the eth port to your LAN interface

Restart the DHCPD service:

/etc/init.d/dhcp3-server restart
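
The commented "host" sample above pins an address to a MAC. As an added example (not from this wiki), the helper below builds such a stanza and refuses entries that would collide with the dynamic pool; the 192.168.0.0/24 LAN and the range 100-199 are taken from the dhcpd.conf above, the function names are assumed.

```shell
#!/bin/sh
# Hypothetical helper, not from the wiki: emit a dhcpd "host" stanza for a
# static lease and refuse entries that would collide with the dynamic pool
# declared above ("range 192.168.0.100 192.168.0.199" in 192.168.0.0/24).

POOL_START=100   # assumption: last octet of the range start in dhcpd.conf above
POOL_END=199     # assumption: last octet of the range end in dhcpd.conf above

# ip_last_octet IP: print the host part of a 192.168.0.x address, fail otherwise
ip_last_octet() {
    case "$1" in 192.168.0.*) ;; *) return 1 ;; esac
    oct=${1##*.}
    case "$oct" in ''|*[!0-9]*) return 1 ;; esac
    [ "$oct" -ge 1 ] && [ "$oct" -le 254 ] || return 1
    echo "$oct"
}

# valid_mac MAC: true for six colon-separated hex pairs, the form dhcpd expects
valid_mac() {
    echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# dhcp_host_block NAME MAC IP: print the stanza, or fail (exit 1) when the MAC
# is malformed, the IP is outside the LAN, or the IP sits inside the pool.
# ISC's advice is to keep fixed addresses out of dynamic ranges, otherwise a
# dynamic client can end up holding the address reserved for the host.
dhcp_host_block() {
    name=$1; mac=$2; ip=$3
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    oct=$(ip_last_octet "$ip") || { echo "not a LAN address: $ip" >&2; return 1; }
    if [ "$oct" -ge "$POOL_START" ] && [ "$oct" -le "$POOL_END" ]; then
        echo "$ip is inside the dynamic range; pick an address outside it" >&2
        return 1
    fi
    printf 'host %s {\n\thardware ethernet %s;\n\tfixed-address %s;\n}\n' \
        "$name" "$mac" "$ip"
}

# Constructed usage: a printer pinned below the pool, appended to the config
# dhcp_host_block printer 00:11:24:76:8b:a2 192.168.0.50 >> /etc/dhcp3/dhcpd.conf
```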

Bind (DNS)

Linux/Bind (dns)


Shorewall

Edit /etc/default/shorewall so that Shorewall starts at boot. Do this only IF NOT BRIDGING INTERFACES, since the bridge script started Shorewall itself:

vi /etc/default/shorewall
Modify startup=0 to startup=1

cd /etc/shorewall

zones

cat > /etc/shorewall/zones
# Example zones:
#
#    You have a three interface firewall with internet, local and DMZ interfaces.
#
#       #ZONE   DISPLAY         COMMENTS
#       net     Internet        The big bad Internet
#       loc     Local           Local Network
#       dmz     DMZ             Demilitarized zone.
#
#ZONE                   DISPLAY         COMMENTS
net                     Internet
loc                     Local
tun                     vpn
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

(Now hit Control-D to end cat input)

policy

cat > /etc/shorewall/policy
###############################################################################
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
loc             all             ACCEPT
tun             $FW             ACCEPT
tun             loc             ACCEPT
$FW             all             ACCEPT
net             all             DROP
all             all             REJECT
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
 
(Now hit Control-D to end cat input)

masq - set to your WAN interface

cat > /etc/shorewall/masq
###############################################################################
#INTERFACE              SUBNET          ADDRESS         PROTO   PORT(S) IPSEC
eth0
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
 
(Now hit Control-D to end cat input)

interfaces - modify as needed if not bridging

cat > /etc/shorewall/interfaces
##############################################################################
#ZONE    INTERFACE      BROADCAST       OPTIONS
net     eth0            detect
#loc    eth1            detect #not bridged
loc     br0             detect #for bridged
tun     tun0
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

(Now hit Control-D to end cat input)

rules

cat > /etc/shorewall/rules
#ACTION         SOURCE                  DEST            PROTO   DEST            SOURCE          ORIGINAL        RATE            USER/
#                                                               PORT            PORT(S)         DEST            LIMIT           GROUP
#############################################################################################################################
REDIRECT        loc:!192.168.0.31       8080            tcp     www             -               !192.168.0.1    -               -               #By Pass DG
#REDIRECT       loc                     8080            tcp     www             -               !192.168.0.1    -               -

REDIRECT        loc                     8080            tcp     www
ACCEPT          all                     $FW             tcp     22              -               -               -               -               #SSH
### OpenVPN ###
ACCEPT          all                     $FW             tcp     1194
ACCEPT          all                     $FW             udp     1194
#--- END OpenVPN ---
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

(Now hit Control-D to end cat input)
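
As an added example (not from this wiki or from the Shorewall project), the script below lints the zones, policy, interfaces and masq files written above for the slips that would open the firewall: a zone used but never declared, a missing "net all DROP" or catch-all "all all REJECT", a blanket ACCEPT from net, or a masq entry that is not the WAN interface. The function names are assumed and the sample files are constructed copies of the layout above; Shorewall's own "shorewall check" remains the real validator.

```shell
#!/bin/sh
# Hypothetical checker, not part of the wiki or of Shorewall: read the zones,
# policy, interfaces and masq files from one directory and catch the slips that
# turn this net/loc/tun layout into an open firewall. "shorewall check" is the
# real validator; this only adds the layout checks described in the lead-in.

# zones_in DIR: zone names declared in zones (first column, comments stripped)
zones_in() {
    sed 's/#.*//' "$1/zones" | awk 'NF { print $1 }'
}

# check_shorewall DIR: 0 when every check passes, 1 otherwise (reasons on stderr)
check_shorewall() {
    dir=$1; rc=0
    known=" \$FW all $(zones_in "$dir" | tr '\n' ' ')"
    # every zone named in policy or interfaces must exist in zones ($FW and all are built in)
    for z in $(sed 's/#.*//' "$dir/policy" "$dir/interfaces" | awk 'NF { print $1 }') \
             $(sed 's/#.*//' "$dir/policy" | awk 'NF { print $2 }'); do
        case "$known" in *" $z "*) ;; *) echo "undeclared zone: $z" >&2; rc=1 ;; esac
    done
    pol=$(sed 's/#.*//' "$dir/policy" | awk 'NF')
    # the catch-all REJECT must be last, net must be dropped and never accepted by policy
    echo "$pol" | tail -n 1 | grep -Eq '^all[[:space:]]+all[[:space:]]+REJECT' \
        || { echo "policy: last entry must be 'all all REJECT'" >&2; rc=1; }
    echo "$pol" | grep -Eq '^net[[:space:]]+all[[:space:]]+DROP' \
        || { echo "policy: missing 'net all DROP'" >&2; rc=1; }
    if echo "$pol" | grep -Eq '^net[[:space:]]+[^[:space:]]+[[:space:]]+ACCEPT'; then
        echo "policy: a blanket ACCEPT from net" >&2; rc=1
    fi
    # the interface in zone net is the WAN side and must be the one listed in masq
    wan=$(sed 's/#.*//' "$dir/interfaces" | awk '$1 == "net" { print $2; exit }')
    [ -n "$wan" ] || { echo "interfaces: no interface assigned to zone net" >&2; rc=1; }
    sed 's/#.*//' "$dir/masq" | awk 'NF { print $1 }' | grep -qx -- "$wan" \
        || { echo "masq: WAN interface '$wan' is not the masqueraded one" >&2; rc=1; }
    return $rc
}

# make_sample DIR: constructed copies of the four files with the layout above
make_sample() {
    mkdir -p "$1"
    printf 'net Internet\nloc Local\ntun vpn\n' > "$1/zones"
    printf 'loc all ACCEPT\ntun $FW ACCEPT\ntun loc ACCEPT\n$FW all ACCEPT\nnet all DROP\nall all REJECT\n' > "$1/policy"
    printf 'net eth0 detect\nloc br0 detect\ntun tun0\n' > "$1/interfaces"
    printf 'eth0\n' > "$1/masq"
}
```

Run it against the live files with check_shorewall /etc/shorewall after every edit; a non-zero exit means one of the checks above failed.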

Squid

Backup original squid file /etc/squid/squid.conf

mv /etc/squid/squid.conf /etc/squid/squid.conf.org

Replace everything with the following (the visible_hostname line, second to last, must be changed to your hostname):

cat > /etc/squid/squid.conf
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
cache_mem 10 MB
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access allow all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid
http_port 3128 transparent
always_direct allow all
access_log /var/log/squid/access.log squid
visible_hostname fw.inisec.com 
# redirect_program /usr/bin/adzapper.wrapper

(Now hit Control-D to end cat input)

Build the squid cache structure (the cache lives under /var/spool/squid, which the coredump_dir line above also points at; the Debian package normally creates it, so this only makes sure it exists and is owned by the proxy user):

mkdir -p /var/spool/squid
chmod -R 750 /var/spool/squid
chown -R proxy:proxy /var/spool/squid

Restart Squid

/etc/init.d/squid restart

ClamAV

Install ClamAV (the scanner plus the clamd daemon):

apt-get install clamav clamav-daemon -y

Update the virus database:

freshclam

Check that clamd is alive (it answers PONG on its control socket; adjust the socket path to the LocalSocket setting in clamd.conf):

apt-get install socat
echo PING | socat - UNIX-CONNECT:/tmp/clamd

Ad Killing Programs

Adzapper

http://adzapper.sourceforge.net/

Install with apt:

apt-get install adzapper

Enable it in your squid.conf by uncommenting the redirect_program line at the end of the file written above, or append it:

echo "redirect_program /usr/bin/adzapper.wrapper" >> /etc/squid/squid.conf

Create the update file

cat > /scripts/update-zapper
#!/bin/sh
#
# UNTESTED sample script to update the zapper script from the master copy on
# my web page.  - Cameron Simpson <cs@zip.com.au> 21jun1999
#
# "wget" can be obtained from:
#       http://sunsite.auc.dk/wget/
#

masterurl=http://adzapper.sourceforge.net/scripts/squid_redirect
zapper=/usr/bin/adzapper                ## hack to suit your site
pidfile=/var/run/squid.pid              ## hack to suit, again

tmp=/tmp/newzapper$$
if wget -q --cache=off -O $tmp "$masterurl"
then
   [ ! -s "$tmp" ] \
   || cmp -s "$tmp" "$zapper" \
   || ( cat "$tmp" >"$zapper" || exit 1
        [ -s "$pidfile" ] && kill -1 `cat "$pidfile"`
      )
fi
rm -f "$tmp"

exit 0

(Now hit Control-D to end cat input)

Set to executable

chmod 755 /scripts/update-zapper    - 755 rather than 777: cron runs this script as root, so it must not be world-writable

Schedule updates

crontab -e

0 5 * * 1       /scripts/update-zapper > /dev/null

Privoxy

http://www.privoxy.org/

Dansguardian

Coming Soon

Additional Steps

NOT NECESSARY: add a DansGuardian bypass page (Dansguardian Bypass)

Open VPN

Reference their site for now: http://openvpn.net/howto.html (internal link: Open VPN)

PXE Boot Server

PXE Server

Redirect your terminal to the serial port

Console_to_Serial

Redirect Logs to MySQL

Apache example: Log_Apache_to_MySQL

Install Nagios System Monitor

Nagios

Install Webmin

Webmin Install

References:

Size Reduction: http://www.linuxdevices.com/articles/AT4540125636.html
Hardware: http://shopping.hacom.net/catalog/
Hardware: http://axiomtek.industrialpartner.com/human-machine-interface/na-0042a.htm
Old Install Notes: http://dom.inisec.com/inisec/faq.nsf/cb98d9015fdb124387256f8c0029437c/4a4df79a1f35a9ab87256fe9000cc06a?OpenDocument
BIND Setup: http://www.debian.org/doc/manuals/network-administrator/ch-bind.html
BIND chrooted Setup: http://people.debian.org/~pzn/howto/chroot-bind.sh.txt
ClamAV Info: http://www.clamav.net/support/faq
PXE Information: http://www.debian-administration.org/articles/478
