Linux Gateway Notes

This gateway connects to the private trusted network via one ethernet interface and to the Internet via a separate ethernet interface.  The firewall allows restricted services to the Internet by TCP port, such as smtp, http, etc.   The server freely provides a wide spectrum of services to the private network, such as DNS, DHCP/DDNS, email SMTP and POP/IMAP, NIS/NFS, private web pages as well as public web access.  There are some links below to example config files.  Some examples are not available for security reasons; other examples have been sanitized.  These notes are for overall configuration with selected hints.  Please see the web pages and man pages for more complete documentation.
  1. ifconfig - network configuration
  2. named - Domain Name System (DNS)
  3. dhcpd - Dynamic Host Configuration Protocol update, private Dynamic DNS
  4. noip - Internet domain name, public Dynamic DNS
  5. iptables - NAT firewall
  6. email - postfix SMTP, POP, IMAP
  7. NIS - Network Information Service
  8. httpd - Apache Virtual Hosts
  9. SSL - Secure Sockets Layer
  10. ntpd - Network Time Protocol
  11. tripwire
files to modify/configure (ifup requires a fix):
    /etc/sysconfig/network
    /etc/sysconfig/network-scripts/ifcfg-eth0
    /etc/sysconfig/network-scripts/ifcfg-eth1
    /sbin/ifup
    /etc/named.conf
    /etc/rndc.conf
    /etc/rndc.key
    /var/named/*
    /etc/dhcpd.conf
    /etc/rc.d/init.d/dhcpd
    /var/state/dhcp/dhcpd.leases
    /etc/sysconfig/dhcpd
    /usr/local/bin/noip
    /usr/local/lib/no-ip.conf
    /etc/rc.d/init.d/noip
    /etc/rc.d/init.d/firewall
    /etc/postfix/main.cf
    /var/yp/Makefile
    /etc/httpd/conf/httpd.conf

1. ifconfig - network configuration

gateway/router server configuration

/etc/sysconfig/network
NETWORKING=yes
HOSTNAME=www.yourdomain
DOMAIN=yourdomain
NISDOMAIN=yourdomain
LAN_IF=eth0     # private-side trusted local network
INET_IF=eth1    # wild-side untrusted internet

/etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
BROADCAST=192.168.0.255
IPADDR=192.168.0.1
NETMASK=255.255.255.0
NETWORK=192.168.0.0
ONBOOT=yes

/etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
BOOTPROTO=dhcp
DHCPCDARGS=-R
DHCP_HOSTNAME=www
ONBOOT=yes

Assign Private Network Addresses to the Internal LAN
ifconfig eth0 192.168.0.1 broadcast 192.168.0.255 netmask 255.255.255.0

K > System > Network Configuration > Devices > eth0 > Edit > Ethernet Device > Protocols > TCP/IP > Edit
    Manual IP Address Settings
        Address: 192.168.0.1
        Subnet Mask: 255.255.255.0
        Default Gateway Address:

edit /sbin/ifup # so that DHCPCDARGS is appended to the dhcpcd command line every time and the -R option is not lost

client configuration

/etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=dhcp
DHCPCDARGS=-D
DHCP_HOSTNAME=yourhostname
ONBOOT=yes

edit /sbin/ifup # so that DHCPCDARGS is appended to the dhcpcd command line every time and the -D option is not lost

2. named - Domain Name System (DNS)

http://www.linuxdoc.org/HOWTO/DNS-HOWTO.html -
http://www.muine.org/~hoang/dns.html -

/etc/named.conf
/etc/rndc.conf
/etc/rndc.key
/etc/resolv.conf
/var/named/

service named start
chkconfig named on

/etc/resolv.conf
domain yourdomain
nameserver 127.0.0.1
search yourdomain

Test
dig -x 127.0.0.1
dig host.domain
tail -f /var/log/messages
echo "known secret text message" | mmencode
dnssec-keygen -a hmac-md5 -b 512 -n HOST rndckey
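The two key lines above (mmencode, dnssec-keygen) produce the shared secret that /etc/rndc.key, /etc/named.conf and /etc/rndc.conf must all agree on. The script below is an added example, not part of these notes: it draws the secret from /dev/urandom through base64 (coreutils) instead of mmencode, keeps the hmac-md5 algorithm of the dnssec-keygen line, and writes the three fragments with the key file unreadable to group and world. The output directory and key name are parameters so the result can be inspected somewhere other than /etc first.

```shell
#!/bin/sh
# Added example, not part of the original notes: build the rndc key files
# that the mmencode / dnssec-keygen lines above produce by hand.  The secret
# comes from /dev/urandom via base64 (coreutils) instead of mmencode; the
# algorithm is the hmac-md5 of the dnssec-keygen line.  DIR is a parameter so
# the result can be inspected somewhere other than /etc first.
make_rndc_key() {
    dir=$1
    name=${2:-rndckey}
    old_umask=$(umask)
    umask 077                       # the secret must not be group/world readable
    mkdir -p "$dir"
    # 48 random bytes encode to exactly 64 base64 characters (one line).
    secret=$(head -c 48 /dev/urandom | base64 | tr -d '\n')

    # rndc.key: the one file both named and rndc include.
    cat > "$dir/rndc.key" <<EOF
key "$name" {
    algorithm hmac-md5;
    secret "$secret";
};
EOF

    # Fragment for named.conf: load the key and accept rndc only from loopback.
    cat > "$dir/named.conf.rndc" <<EOF
include "/etc/rndc.key";
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "$name"; };
};
EOF

    # Fragment for rndc.conf: same key, same loopback server.
    cat > "$dir/rndc.conf" <<EOF
include "/etc/rndc.key";
options {
    default-server 127.0.0.1;
    default-key "$name";
};
EOF
    umask "$old_umask"
}

# Sanity check before restarting named: key file is private, and named.conf
# and rndc.conf refer to the key name that rndc.key actually defines.
check_rndc_key() {
    dir=$1
    [ "$(ls -l "$dir/rndc.key" | cut -c1-10)" = "-rw-------" ] || return 1
    name=$(sed -n 's/^key "\([^"]*\)".*/\1/p' "$dir/rndc.key")
    [ -n "$name" ] || return 1
    grep -q "keys { \"$name\"; }" "$dir/named.conf.rndc" || return 1
    grep -q "default-key \"$name\"" "$dir/rndc.conf" || return 1
}
```

Run it as make_rndc_key /tmp/rndc-test, check with check_rndc_key /tmp/rndc-test, then move rndc.key to /etc/rndc.key and paste the two fragments into /etc/named.conf and /etc/rndc.conf. If named runs as an unprivileged user rather than root (an assumption about your setup), the key file needs to be readable by that user's group, e.g. root:named mode 0640, but never world readable; the controls stanza restricts rndc to the loopback address, so the key is never usable from the network.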

3. dhcpd - Dynamic Host Configuration Protocol update, private Dynamic DNS

http://www.isc.org/products/DHCP/ -
http://www.isc.org/products/DHCP/dhcp-v3.html - update with DDNS, RH7.2 dhcpd does not have DDNS
http://www.linuxdoc.org/HOWTO/Net-HOWTO/x1444.html -

/etc/rc.d/init.d/dhcpd
route add -host 255.255.255.255 dev eth0 # add this to your dhcpd init script

/etc/dhcpd.conf
subnet 192.168.0.0 netmask 255.255.255.0 {
        range 192.168.0.20 192.168.0.254;
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.0.255;
        option routers 192.168.0.1;
        option domain-name-servers 192.168.0.1;
        option domain-name "yourdomain";
}

/etc/sysconfig/dhcpd
# Command line options here
DHCPDARGS=eth0

> /var/state/dhcp/dhcpd.leases
chkconfig dhcpd on
service dhcpd start
tail /var/log/messages

Debug
dhcpd -d -f eth0

4. noip - Internet Domain Name - public Dynamic DNS

http://www.no-ip.com/ - recommended - free if you use their top level domains, $24.95 for the No-IP+ service to be DNS for your own domain.

/etc/rc.d/init.d/noip
chkconfig noip on
service noip start

For your own domain name, register with one of the domain name registry services, then edit your DNS entry there to point at the DNS servers for no-ip.com -- see the documentation on the No-IP+ service at www.no-ip.com for details.
http://www.register.com/ - a recommended domain name registry service

http://www.jpsdomain.org/linux/linux.html -
ftp://angus.ind.wpi.edu/pub/packages/isc/dhcp/ -
http://www.technopagan.org/dynamic/ -
http://gnudip2.sourceforge.net/ -

5. iptables - NAT firewall

Kernel configuration

http://www.knowplace.org/netfilter/kernelconfig.html -
make xconfig
Networking Options
y    Network packet filtering (replaces ipchains)
    IP: Netfilter Configuration
    m    IP tables support
    m    * - compile modules for Netfilter options except ipchains and ipfwadm

Mourani, Securing and Optimizing Linux, OpenNA.com
https://www.openna.com/catalog/product_info.php?products_id=30

There's also Oskar Andreasson's tutorial on iptables, which unfortunately is incomplete:

http://www.boingworld.com/workshops/linux/iptables-tutorial/
http://www.linuxguruz.org/iptables/

http://www.knowplace.org/netfilter/reference.html
http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html#RC.FIREWALL-2.4.X
http://www.linas.org/linux/load.html
http://www.linux-firewall-tools.com/linux/ -

6. email - postfix smtp, imap/pop

postfix - email SMTP

Postfix - http://www.postfix.org/
/etc/postfix/main.cf
chkconfig sendmail on
service sendmail start

POP/IMAP - email access

edit /etc/rc.d/init.d/firewall # allow specific TCP port services via multiport
chkconfig ipop2 on
chkconfig ipop3 on
chkconfig imap on
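Section 5 above lists only the kernel options and reading for the NAT firewall, and the line above says to allow the POP/IMAP ports via multiport; neither shows the rules themselves. The script below is an added example in the shape of an /etc/rc.d/init.d/firewall for this gateway and is not the author's script. It takes the interface names and private subnet from section 1; the list of TCP ports open to the Internet (25, 80, 443) is an assumed example, and POP/IMAP stay reachable from the private side only because the whole LAN interface is accepted. Setting IPT=echo prints the rules instead of loading them, which is how the dry-run action and the check at the end work.

```shell
#!/bin/sh
# Added example, not the author's /etc/rc.d/init.d/firewall: a minimal NAT
# firewall in the shape these notes describe (section 1 interfaces, section 5
# NAT, section 6 multiport).  Interface names and the private subnet come from
# section 1; the public port list is an assumed example (smtp, http, https).
# Set IPT=echo to print the rules instead of loading them.
IPT=${IPT:-/sbin/iptables}
LAN_IF=${LAN_IF:-eth0}                  # private-side trusted local network
INET_IF=${INET_IF:-eth1}                # wild-side untrusted internet
LAN_NET=${LAN_NET:-192.168.0.0/24}
PUBLIC_TCP=${PUBLIC_TCP:-25,80,443}     # assumed: the only TCP services open to the Internet

firewall_rules() {
    # Flush everything and default to deny; only the rules below let traffic in.
    $IPT -F
    $IPT -t nat -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback and the trusted private side are wide open (DNS, DHCP, NIS,
    # SMTP, POP/IMAP and the private web pages are all served to the LAN).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -j ACCEPT

    # Anti-spoofing: packets claiming a private source address must not arrive
    # on the Internet interface.
    $IPT -A INPUT -i "$INET_IF" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$INET_IF" -s "$LAN_NET" -j DROP

    # From the Internet: replies to connections we started, plus the listed
    # TCP services only.  One multiport rule replaces one rule per port.
    $IPT -A INPUT -i "$INET_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$INET_IF" -p tcp -m multiport --dports "$PUBLIC_TCP" \
         -m state --state NEW -j ACCEPT
    # Log what the Internet side drops, rate limited so syslog is not flooded.
    $IPT -A INPUT -i "$INET_IF" -m limit --limit 5/minute -j LOG --log-prefix "fw-drop: "

    # Forwarding: the LAN may go out; the Internet may only answer.
    $IPT -A FORWARD -i "$LAN_IF" -o "$INET_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$INET_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # NAT: hide the private addresses behind the Internet interface's address.
    $IPT -t nat -A POSTROUTING -o "$INET_IF" -j MASQUERADE
}

firewall_open() {
    # Stop: flush and accept everything (the gateway is then unprotected).
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
}

case "${1:-}" in
    start)   echo 1 > /proc/sys/net/ipv4/ip_forward; firewall_rules ;;
    stop)    firewall_open ;;
    dry-run) (IPT=echo; firewall_rules) ;;
    "")      ;;                         # no action: only define the functions
    *)       echo "Usage: $0 {start|stop|dry-run}" >&2; exit 1 ;;
esac
```

Run ./firewall dry-run first and read the rules, then ./firewall start and confirm from an outside host that only the listed ports answer while the LAN still reaches everything. The LOG rule is what makes tail -f /var/log/messages useful for seeing what the Internet side is being refused.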

7. NIS - Network Information Service

http://www.linux.org/docs/ldp/howto/NIS-HOWTO/index.html -

/etc/sysconfig/network # make sure to set the correct nisdomain name on all clients!
NISDOMAIN=mynisdomainname

ypserv

cd /var/yp
edit securenets # add your private net
edit Makefile
make
chkconfig ypserv on
service ypserv start

ypbind

edit /etc/yp.conf # substitute your settings for HOSTNAME or NISDOMAIN
On server:
ypserver HOSTNAME
On clients:
domain NISDOMAIN broadcast
chkconfig ypbind on
service ypbind start

8. httpd - Apache VirtualHost

/etc/httpd/conf/httpd.conf # private network has a separate VirtualHost
<VirtualHost *>
DocumentRoot "/var/www/public/html"
ServerName www.nobell.org
ScriptAlias /cgi-bin/ "/var/www/public/cgi-bin/"
ErrorLog logs/public-error_log
CustomLog logs/public-access_log combined
<Directory "/var/www/public/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
<IfModule mod_userdir.c>
    UserDir public_html
</IfModule>
</VirtualHost>

Make sure to define something similar for <VirtualHost _default_:443> if you permit TCP port https through the firewall.

chkconfig httpd on
service httpd restart

webbot - web walker that can be used to check (local-only) links and HTML, and to map out a web site.
linklint - fast html link checker, works for remote links.
    linklint -help_all
    linklint -doc linkdoc -host host.domain /@ -http # replace host.domain with site to test
    linklint -doc linkdoc @@linkdoc/remote.txt
    more linkdoc/urllog.txt # test results for remote links

9. SSL - Secure Sockets Layer

http://www.linuxdoc.org/HOWTO/SSL-RedHat-HOWTO-3.html -
http://www.redhat.com/docs/manuals/linux/RHL-7.2-Manual/custom-guide/s1-installation-selfsigned.html -

cd /etc/httpd/conf
rm ssl.key/server.key
rm ssl.crt/server.crt
/usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key
chmod go-rwx /etc/httpd/conf/ssl.key/server.key
make testcert
service httpd restart
[https shows the Self-Signed Certificate, but IMAP still seems to be picking up a default certificate]
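The steps above generate the key by hand and leave the certificate to make testcert, which prompts interactively; the IMAP observation shows why it pays to check which certificate each service actually presents. The script below is an added example, not the notes' own commands: it does what make testcert does, non-interactively, locks the key down the same way as the chmod line above, verifies that key and certificate belong together, and prints the certificate a live port hands out so https and IMAP can be compared. Paths and the CN are parameters, and the key is 2048 bits rather than the 1024 of the genrsa line, a choice for today rather than the page's.

```shell
#!/bin/sh
# Added example, not the notes' own commands: what "make testcert" does, done
# explicitly and non-interactively, plus two checks for the certificate
# mismatch noted above.  Paths and the CN are parameters; the key is 2048 bits
# rather than the 1024 of the genrsa line (a choice for today, not the page's).
make_selfsigned() {
    keyfile=$1; certfile=$2; cn=$3; days=${4:-365}
    old_umask=$(umask)
    umask 077                       # key is created unreadable to group/world
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=$cn" -keyout "$keyfile" -out "$certfile" 2>/dev/null || return 1
    umask "$old_umask"
    chmod go-rwx "$keyfile"         # same as the chmod in the notes
    chmod 644 "$certfile"           # the certificate itself is public
}

# Subject line of a certificate file (format differs slightly between openssl versions).
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Does this key belong to this certificate?  Compares the public keys, which
# works for any key type on any openssl from 1.0 on.
key_matches_cert() {
    a=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    b=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Which certificate does a live service present?  Compare https (443) with
# imaps (993) or pop3s (995) to see whether IMAP is still using a default cert.
served_cert() {
    host=$1; port=$2
    echo | openssl s_client -connect "$host:$port" 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}
```

Typical use: make_selfsigned /etc/httpd/conf/ssl.key/server.key /etc/httpd/conf/ssl.crt/server.crt www.yourdomain, then service httpd restart and served_cert localhost 443 against served_cert localhost 993; if the subjects differ, the IMAP daemon is reading a certificate file of its own, and key_matches_cert tells you whether the file you meant to install is consistent before you point the daemon at it.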

10. ntpd - Network Time Protocol

http://www.eecis.udel.edu/~ntp/ -

edit /etc/ntpd.conf # recommend adding 3 stratum-2 servers
chkconfig ntpd on
service ntpd start

11. tripwire

http://www.tripwire.org/
man tripwire
man twfiles
/etc/tripwire/
/etc/tripwire/twinstall.sh*

NoBell Home - gjm - last update 4/13/2002