****************************************************************************
************** Building a Secure Subnet Gateway Server *********************
************ using UBUNTU Linux (v8.04 Server - "Hardy Heron") *************
****************************************************************************

Author: Ken Zahorec
2008-06-05

****************************************************************************

Abstract:

This document provides information on setting up a secure, centralized
gateway server for small business or home use.

Intended Audience:

It is assumed that the reader has at least limited skills in installing and
setting up a Linux system. If this is the first time you have tried to use
Linux, then it would be a good idea to first learn how to install and set up
a Linux workstation before setting up a server.

License:

Copyright (c) 2008 Kenneth W. Zahorec

Permission is granted to copy, distribute and/or modify this document under
the terms of the GNU Free Documentation License, Version 1.2 or any later
version published by the Free Software Foundation; with no Invariant
Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the
license is included in the section entitled "GNU Free Documentation
License". http://www.gnu.org/licenses/fdl.txt

This document is free for public use; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your
option) any later version.

This information is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
more details. http://www.gnu.org/copyleft/gpl.html

*****************************************************************************

Resources:

Documentation: CD available with the UBUNTU Linux product.

The Canonical Ubuntu website.
This is where you can download the latest versions of the Ubuntu server or
Ubuntu workstation software.
http://www.ubuntu.com/

The Ubuntu Forums site. A wealth of community expertise and others learning
Ubuntu and Linux.
http://ubuntuforums.org/

The unofficial UBUNTU guide maintained by the University of Latvia:
http://ubuntuguide.org/wiki/Ubuntu:Gutsy

Linux documentation on the Internet:
http://www.tldp.org/
http://www.linux.org/

To help validate the system firewall:
http://grc.com/ (Shields Up - Test Shields, Probe Ports)

General topics that will be covered in this document:
- Ubuntu Linux installation and use
- Linux run levels and run-level controls (/etc/rc.d/.)
- Some basic TCP/IP networking
- Good system debugging and problem solving skills

Required Hardware:
1. Generally any PC that UBUNTU Linux can be installed on, such as an x86
   Pentium or Athlon system. A higher end machine, of course, is always
   better.
2. Two network interfaces are required in gatekeeper.
3. A multi-port network switch or a network hub.
4. An assortment of properly terminated network cables.
5. Connection to a cable modem or DSL modem. In other words, you must be
   able to physically connect to the Internet.

The directory structure in the tar file (gatekeeper_UBUNTU_x.xx.tar)
contains config files for the main IP gateway server (called gatekeeper)
that provides the following:
1. LAN gateway to the WWW via cable modem (i.e. Roadrunner).
2. Caching domain name service (DNS) using bind for the internal network.
3. Dynamic Host Configuration Protocol (DHCP) services for the internal
   network.
4. Samba Windows-type file services for the internal network running on the
   local subnet. A Windows style SMB workgroup called "ZGROUP.NET" provides
   user specific shares and public shares as needed on gatekeeper.
5. Samba print share provides a centralized print facility for the local
   subnet. This allows Windows or Linux workstations to access a printer
   attached to gatekeeper.
6.
   Custom iptables firewall configuration to protect the gateway box and the
   internal network. Provides flexible configuration support for various
   services such as NAT, VPN, IP forwarding (either direction), SSH, HTTP,
   and FTP.
7. Automated simple network configuration support for workstations. Add or
   remove workstations as desired. Allow a workstation to have a DNS name
   which can be resolved across the internal subnet.
8. Automated backup service which performs backups to media on a programmed
   schedule, such as every morning at 2:00 AM.

The gateway PC hostname is "gatekeeper". Gatekeeper ethernet interfaces are
arranged and identified as follows:
eth0 - Interface to the external network, which is the Internet
eth1 - Interface to the internal subnet (LAN)

**********************************************************************
********** General process for setting up the gatekeeper *************

Make sure all hardware is installed and that the system is in good working
order. General information for each step is provided below.

**** Step 1: Installing Ubuntu

Install the UBUNTU distribution on the target system (gatekeeper) as
described below:

Boot the system using the UBUNTU installation CD or Live CD. Select
"Workstation" for the installation type. Workstation will provide the GNOME
graphical desktop and a reasonable arrangement of partitions on the hard
drive. Feel free to experiment with partitions; however, the defaults
should work just fine.

You can install the workstation or server edition of Ubuntu. Either one
will work perfectly well as a server. If you choose to install the server
edition you can add the graphical desktop to it using the command:

    sudo apt-get install ubuntu-desktop

Ubuntu server installation is normally accomplished using an installation
CD which boots directly to the install program. If you choose to install
the workstation version of Ubuntu, then you normally start with a Live CD
which boots to a fully operational desktop.
From there you choose to install onto the system.

During the installation process you will provide the host name. The name to
use in this case is gatekeeper. Of course you can use another name if you'd
like.

During installation you will be asked to provide the name of an account. At
this point provide an administrative account called "administrator", or
perhaps another account name that you would like to use for administrative
purposes. The account name "myadmin" will be used in this document to refer
to the administrative account on the server. You will perform all
administrative tasks under the myadmin account. Later, after installation
has completed, you can add individual user accounts as necessary to provide
server based resources to the network workstations.

**** Step 2: Upgrading the Ubuntu Software Stack

apt-get is used to update UBUNTU, and you can use Synaptic (a front-end to
apt-get) to gather additional applications (packages) beyond what is
installed by default from the distribution CD. Once you have the basic
UBUNTU Linux installed from CD you will then want to install the necessary
updates by issuing the commands:

    sudo apt-get update
    sudo apt-get upgrade

**** Step 3: Adding Additional Software Packages

Synaptic is used to add or remove software application packages from the
system. Synaptic is a graphical front end for apt-get. It provides a simple
point and click interface for selecting software packages that you wish to
install. Ubuntu may not have all of the packages installed by default. Some
packages may need to be added. Make sure that the following packages are
installed:

bind9        - The DNS server which resolves IP host names.
samba        - The SMB/CIFS samba server which provides Windows type file
               shares.
dhcp3-server - The Dynamic Host Configuration Protocol server which
               automatically configures IP settings for internal
               workstations.
iptables     - IP filtering configuration tool for the Linux kernel.

**** Step 4: Configuring Networking for ISP

Once the system has all the necessary software installed, reboot it, then
bring it up and login as myadmin. Your Internet-side network card should
have already been set up during installation.

Select "System - Administration - Network" to configure Network Devices. In
the "Connections" tab, you should see two Wired connections. They should
both be enabled with a check mark in their corresponding checkbox.

(primary adapter on ISP side)
The card interface is set up to use DHCP for networks that provide this.
For example, the RoadRunner network with cable modem provides a DHCP server
on TCP/IP. You will see "Wired connection (eth0)" for this interface. If
you have DSL you will see a PPPoE connection instead, which may be labelled
PPP0. Configuring the network for DSL will require that you run the Point
to Point Protocol over Ethernet (PPPoE) configuration command. I have not
done this with Ubuntu lately, but the command to set the primary interface
up for DSL should be:

    sudo pppoeconf

(secondary adapter on LAN or subnet side)
Set the IP address to static 192.168.2.1 with a subnet mask of
255.255.255.0. You will normally see "Wired Connection (eth1)" for this
interface. If you have PPPoE, then it will be eth0. This interface is set
up with a static IP address and subnet mask.

In the "General" tab you should see the following. Adjust accordingly.
Host Name: gatekeeper
Domain Name: zgroup.net

In the "DNS" tab you should see the server IP addresses for your ISP DNS
servers. DNS server entries will be filled in automatically by the DHCP
client when the network is started and the DHCP information is passed to
the host from your ISP.

Select the "Hosts" tab. Leave the entry for "127.0.0.1
localhost.localdomain localhost" in place. Do not remove this entry. Leave
the ipv6 entries in place.
For information only - DNS resolution for the LAN at gatekeeper

Gatekeeper's domain for hostname resolution will reside in the Internet
Service Provider's domain. This will prevent gatekeeper from being able to
resolve hostnames on the local subnet. If name resolution from gatekeeper
to the internal subnet is needed, then you can add internal-subnet domain
hostnames in the "Hosts" tab (see above). If you attempt to modify the
resolver configuration (/etc/resolv.conf) you will find that gatekeeper's
DHCP client will overwrite it the next time you connect to the ISP using
DHCP. Although this can be prevented, it would also prevent any changes
from the ISP from being deployed. So to summarize, if you need to resolve
host names from gatekeeper to LAN workstations, then you will have to use
the hosts definitions to do this.

**** Step 5: Enabling and Disabling Network Connections

Note: Security

If you are concerned about unprotected exposure to the Internet while
setting up gatekeeper, you can delay bringing up eth0 until after the
firewall script is in place. This would mean that you would not allow eth0
to activate when the computer starts. Change the eth0 setting accordingly
and don't try to start it up until you at least have the rc.iptables
firewall executed. Alternatively, you could set up gatekeeper behind a
firewall to prevent any unprotected exposure to the Internet while setting
gatekeeper up. This, of course, will require additional resources which may
not be available.

An easy way to take down a network interface is to use the ifdown command.
For the primary ethernet adapter you can use the command 'sudo ifdown
eth0'. To bring the primary ethernet adapter up you can use 'sudo ifup
eth0'.

To check the general network configuration and network adapter statistics
you can use the following: 'sudo ifconfig'

**** Step 6: Network Sanity Checks

Determining which interface is eth0?
If eth0 (ISP side) does not initialize, then switch the ISP cable modem to
the other network adapter. Try to bring up the network again for the eth0
interface (as root... "/sbin/ifup eth0"). It should come up. Recheck the
interface status (/sbin/ifconfig).

Checkpoint... Sanity check gatekeeper's ISP connection and Internet name
resolution:

You should be able to ping outside DNS names at this time. Try pinging
yahoo.com or google.com (ping google.com). If the ping times out, you need
to review your steps and resolve the problem. Do not continue with
additional configuration until you can successfully connect to your ISP and
resolve host names on external domains with the ping test.

Once the exterior interface "eth0" is established and working properly,
make sure to take it down if you are not setting it up behind a firewall.
Leaving it up might present a threat to your system from the outside. You
can take it down until you have the firewall in place (as root...
"/sbin/ifdown eth0"). Furthermore, if you will be shutting down the system
without completing the full setup of the system, go ahead into network
configuration and set the external interface to not automatically start
(remove checkmark).

**** Step 7: Connecting Gatekeeper to the LAN

Connect the secondary eth1 interface adapter to the network hub or switch
that will serve the internal subnet.

**** Step 8: Configuring the Services

As root, copy the configuration and script files provided on the media
(using sudo) into the system at the same relative positions those files
currently exist. In all cases, files with names ending in ".original" are
not needed. These were included in the package to show differences from
the original files.
You will need to cover the following items:

/etc/bind/* (all files and directories)
/etc/dhcp3/* (all files and directories)
/etc/default/dhcp3-server
/etc/samba/smb.conf
/etc/arno-iptables-firewall/* (all files and directories)
/etc/init.d/arno-iptables-firewall
/etc/logrotate.d/backup
/root/bin/backup

Follow the instructions in the backup script (/root/bin/backup) for
creating a crontab entry for nightly backups, and also follow the
instructions in the same script for setting up log rotation of the
backup.log file.

Make certain that the private zone directory for Bind allows access for
the group "bind". This is the user group that the bind executable "named"
is run under. It must have access to this directory. If you copy the config
files from another filesystem, you may not get this set up correctly--so
you must adjust it manually. If "bind" group access to this directory is
not set up correctly, then local name resolution will not work while name
resolution to outside (Internet) addresses will work. The following command
should do the trick:

    chgrp -R bind /etc/bind/private_zone

The listing line for the private_zone directory (ls -l /etc/bind) should
look like this:

    drwxr-xr--  2 root bind 4096 2005-10-20 00:12 private_zone

Create the samba logon share as indicated in the samba configuration file
(/etc/samba/smb.conf). As root create /tmp/smblogon and provide access
rights of 744 (chmod 744 /tmp/smblogon).

Create the network public share directory as indicated in the samba
configuration file (/etc/samba/smb.conf). As root, create the directory
/home/public/. This is a read-only share available to all users by
attaching to the smb share /public on gatekeeper.

Review the rc.firewall script config file (/etc/iptables-firewall.conf).
You will have to edit a couple of addresses, such as the DNS server IP
address(es). You can get the DNS server IP address from /etc/resolv.conf
or by looking at the network configuration for eth0. Do not enable the
DHCP_BOOTP setting.
It is used for enabling DHCP service on the external interface "eth0". Our
DHCP server on gatekeeper will be providing service on the internal
interface "eth1" and requires no specific setting in the
iptables-firewall.conf file.

Start the firewall script:

    sudo /etc/rc.d/init.d/arno-iptables-firewall start

You should see progress text that indicates the various iptables entries
as they are inserted by the script.

Create a symbolic link to start the rc.iptables firewall script in
runlevel 2:

    /etc/rc2.d/S19arno-iptables-firewall

(this must be a symbolic link pointing to ../arno-iptables-firewall)

You can pass the firewall script a "start" or "stop" on the command line to
enable or disable it.

You can check to see if the firewall is active by listing the iptables
configuration as root with "/sbin/iptables -L". The output should dump
information on the kernel packet management policy set up by the
rc.iptables script. If it just indicates "ACCEPT" for the INPUT, FORWARD,
and OUTPUT chains, then the script has not been run or it has been
disabled. Make sure the script has been run.

At this point you should have the filtering in place that is established by
the arno-iptables-firewall script. You should have protected access to the
Internet using gatekeeper. Your external interface "eth0" should be
activated automatically when the system is brought up.

The next few steps add support for the workstations that will be connected
to gatekeeper on the internal subnet.

Create accounts on gatekeeper:

Create accounts on gatekeeper for any users that will need to have shares
available on gatekeeper. Users that do not require personal shares on
gatekeeper will not need to have accounts on this server. Users that do not
have accounts will still have access to public file shares, print resources
(via pcguest) and gateway services to the Internet. The account names (and
passwords) should match the account name and password used for login to
their Windows workstation.
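As an added illustration of what the two-interface gateway firewall set up above has to do, here is a minimal ruleset written for this document; it is not the arno-iptables-firewall script or its configuration. It assumes eth0 toward the ISP, eth1 toward the 192.168.2.0/24 LAN from Step 4, and that only LAN hosts may reach the DNS, DHCP, Samba and SSH services on gatekeeper; fw_policy_ok is the "iptables -L" check from above turned into a function.

```shell
#!/bin/sh
# Added example: a minimal two-interface gateway ruleset in the spirit of the
# firewall this guide installs. It is NOT the arno-iptables-firewall script.
# Assumptions: eth0 faces the ISP, eth1 faces the 192.168.2.0/24 LAN (Step 4),
# and only LAN hosts may reach DNS, DHCP, Samba and SSH on gatekeeper.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.2.0/24}
IPT=${IPT:-/sbin/iptables}   # set IPT=echo to preview the rules without applying them

# Print the rules as commands, one per line, so they can be reviewed or piped to sh.
# Default policies are set to DROP before the flush so nothing slips in meanwhile.
fw_rules() {
    cat <<EOF
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -F
$IPT -t nat -F
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
$IPT -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 53 -j ACCEPT
$IPT -A INPUT -i $LAN_IF -p udp --sport 68 --dport 67 -j ACCEPT
$IPT -A INPUT -i $LAN_IF -s $LAN_NET -p udp -m multiport --dports 137,138 -j ACCEPT
$IPT -A INPUT -i $LAN_IF -s $LAN_NET -p tcp -m multiport --dports 139,445 -j ACCEPT
$IPT -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
$IPT -A INPUT -i $WAN_IF -m limit --limit 10/min -j LOG --log-prefix "FW-DROP-IN: "
$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
$IPT -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Apply the rules (needs root) and turn on forwarding between eth1 and eth0.
fw_start() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    fw_rules | sh -e
}

# Read "iptables -L" output on stdin and succeed only when INPUT and FORWARD
# default to DROP: an all-ACCEPT listing means the script never ran.
fw_policy_ok() {
    awk '/^Chain INPUT /   { if ($0 ~ /policy DROP/) i = 1 }
         /^Chain FORWARD / { if ($0 ~ /policy DROP/) f = 1 }
         END { exit !(i && f) }'
}

case "${1:-}" in
    start) fw_start ;;
    show)  fw_rules ;;
    check) $IPT -L -n | fw_policy_ok && echo "firewall active" || echo "firewall NOT active" ;;
esac
```

Run it as "./gwfw.sh show" to review the rules, "sudo ./gwfw.sh start" to apply them, and "sudo ./gwfw.sh check" to confirm the default policies are really DROP.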
This will prevent the server from challenging them when they try to access
their shares on gatekeeper.

Create Samba accounts:

Any new smb accounts created must already be user accounts on the system.
Login as root or su to root and run the smbpasswd program to add these
users into the samba database. Again, this is only for users that require
access to personal shares on gatekeeper. Include their Windows password or
the password that they would like to use to attach to their private
gatekeeper home share.

Connect a workstation to the hub or switch. Bring up the workstation. If
it's a Windows workstation, then set up the networking to use DHCP. Set the
workstation up for user login and join the workgroup ZGROUP.NET. You should
be able to browse the network and see gatekeeper along with gatekeeper's
printer share. Set up a printer queue for this printer on the workstation.
Test access to the Internet, printer and various other services that might
be used (AIM, HTTP, FTP, etc.). Everything should be working.

The following configuration items are optional. They allow you to specify
an IP address for each workstation. The IP address will be based on the MAC
(hardware) address of the workstation LAN adapter. Additionally you can
establish a DNS name for each workstation. For example, you would be able
to ping a named host, such as "ping fred1". Without local DNS host name
resolution you might have to resort to something like "ping 192.168.1.55"
instead.

Setting up local DNS service to fixed IP based on MAC address

You may want to provide DNS name resolution for the internal network. You
can assign specific names to each workstation attached to the network. To
do this you can fix the IP address DHCP provides to the workstation based
on the MAC address associated with the network adapter on the workstation.
Check the system log file (/var/log/system). Inspect it to pull the MAC
address for the workstation when the DHCP server assigns it.
Alternatively, you could get the MAC address of the workstation by running
a local utility on the workstation like "ifconfig" (Linux), "ipconfig /all"
(Windows), or "winipcfg" (Windows).

Use the MAC address in the DHCP server file (dhcpd.conf) to assign a
specific IP to the host. Use the specific IP in the private_zone named
configuration files to associate the host name to the IP address. Make sure
to set up both the forward and reverse lookup private_zone files with the
new host information.

Use the DHCP server to assign the workstation hostname

Additionally you can have the DHCP server assign the hostname to Linux
workstations when they are provided their network configuration. The
advantage of this is that workstation hostnames are defined centrally at
the server. To do this you must address two items:

1. You will need to set the workstation up to accept a host name. This can
   be done in the network settings for Linux workstations.
2. You will need to use the "host-name" option in the configuration file
   for the DHCP server (dhcpd.conf). Refer to the dhcpd.conf file in the
   gatekeeper configuration files provided.

Setting up the samba server on gatekeeper:

Use "System Settings - Administration - Printing" to set up a local printer
on gatekeeper. The local printer will be shared using samba. There should
be an entry in the samba config file (/etc/samba/smb.conf) for the printer
share. The samba configuration file provided will make the alias provided
in the printcap file available to workstations on the samba guest account.
This network printer can be installed and accessed from the Windows or
Linux workstations.

Take a look at the samba configuration file (/etc/samba/smb.conf) and
adjust the shares to include the printer and any other public or private
shares you might want to make available to the workgroup, to specific
members of the workgroup, or to the general guest.
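Returning to the per-workstation DHCP and DNS entries described above (fixed address by MAC, the "host-name" option, and the forward and reverse private_zone records), here is an added helper written for this document, not one of the package's configuration files. It emits the three pieces of text for one workstation and refuses malformed input; it assumes the zgroup.net domain and the 192.168.2.0/24 LAN from Step 4, and the zone file names in its output are placeholders for your own private_zone files.

```shell
#!/bin/sh
# Added example (not one of the package's configuration files): produce the
# dhcpd.conf host block and the forward/reverse private_zone records for one
# workstation from its name, MAC address and chosen IP. Assumed values: the
# zgroup.net domain and the 192.168.2.0/24 LAN from Step 4; the zone file
# names printed below are placeholders for your own private_zone files.
DOMAIN=${DOMAIN:-zgroup.net}

# Validate the MAC (six hex pairs) and the dotted IPv4 address before emitting
# anything, so a typo does not silently break dhcpd.conf or the zone files.
valid_mac() {
    echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}
valid_ip() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    ( IFS=.; set -- $1; for o in "$@"; do [ "$o" -le 255 ] || exit 1; done )
}

# dhcpd.conf host block: fixed address keyed by MAC, plus host-name so Linux
# workstations that accept it take their name from the server.
dhcp_host() {   # name mac ip
    printf 'host %s {\n    hardware ethernet %s;\n    fixed-address %s;\n    option host-name "%s";\n}\n' \
        "$1" "$2" "$3" "$1"
}

# Forward zone record (name -> address), relative to the zone origin.
forward_record() {   # name ip
    printf '%-16s IN A    %s\n' "$1" "$2"
}

# Reverse zone record (last octet -> FQDN); the trailing dot is required.
reverse_record() {   # name ip
    printf '%-16s IN PTR  %s.%s.\n' "${2##*.}" "$1" "$DOMAIN"
}

# Emit all three records, labelled with the file each one belongs in.
host_entries() {   # name mac ip
    valid_mac "$2" || { echo "bad MAC address: $2" >&2; return 1; }
    valid_ip  "$3" || { echo "bad IP address: $3" >&2; return 1; }
    echo "# --> /etc/dhcp3/dhcpd.conf"
    dhcp_host "$1" "$2" "$3"
    echo "# --> /etc/bind/private_zone/<forward zone file for $DOMAIN>"
    forward_record "$1" "$3"
    echo "# --> /etc/bind/private_zone/<reverse zone file for 2.168.192.in-addr.arpa>"
    reverse_record "$1" "$3"
}

# Usage: ./mkhost.sh fred1 00:11:22:33:44:55 192.168.2.55  (constructed sample values)
if [ $# -eq 3 ]; then
    host_entries "$@"
fi
```

After pasting the records in, bump the SOA serial in each zone file and check it with named-checkzone (shipped with bind9) before reloading bind9 and restarting dhcp3-server.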
You can get help for the samba config file using the manual page "man
smb.conf" or other sources on the Internet or in books. Adjust the samba
configuration as required and restart the samba server after any changes
are made (/etc/rc.d/init.d/smb restart). Check the shares by browsing the
network neighborhood on the workstation. Make sure to re-boot the Windows
workstation and try again. Windows does some strange things with
networking, so a reboot test for the workstation is highly recommended. :)

IMPORTANT NOTE: email, web surfing, instant messaging, ftp, etc...

If you plan to use the gatekeeper for general or non-administrative
purposes, make sure to avoid using the root account. For security and
safety, any use that is not related to system administration should take
place from within a normal user account.

Add more workstations as needed. If you want to resolve the name of the
workstation through DNS then do the following:

Get the MAC address of the new workstation. You can get the MAC address by
inspecting /var/log/messages for the IP address auto-assigned by the DHCP
daemon. The entry will list the MAC address of the interface that was
granted the IP address.

Set the workstation IP address in the dhcpd configuration file.

Insert the new workstation host IP and name into the private_zone
configuration for named (both the forward and reverse lookup tables).

Once you have everything working, make sure to copy all of the customized
scripts, config files, and documentation (like this document) to a floppy
to capture your work and make it available for future reference or for
disaster recovery.

Linux or UNIX workstations - attaching to NT style shares on gatekeeper.

mount.cifs is used to mount NT style server disk shares into the local
filesystem under Linux/UNIX. In the directory user_scripts/ you will find
smb_net.
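Here is an added script in the style of smb_net, written for this document (it is not the package's user_scripts/smb_net): it mounts a share at ~/mnt/<share>_on_<server> with -m and removes the mount point again with -u, and it takes the share password from a mode-600 credentials file rather than the command line, so the password does not show up in the process list or the shell history. The server, share and workgroup defaults are placeholders to edit.

```shell
#!/bin/sh
# Added example in the style of the smb_net helper (not the package's own
# user_scripts/smb_net). Mounts //SERVER/SHARE at ~/mnt/<share>_on_<server>
# with -m and unmounts it with -u. mount.cifs reads the username and password
# from a credentials file that must be mode 600, so the password never appears
# on the command line. Assumed defaults below are placeholders to edit.
SERVER=${SERVER:-gatekeeper}
SHARE=${SHARE:-public}
WORKGROUP=${WORKGROUP:-ZGROUP.NET}
CREDS=${CREDS:-$HOME/.smbcreds_$SERVER}   # two lines: username=... and password=...

# Logical mount point name, as in the original helper: ~/mnt/share_on_server
mountpoint_for() {   # share server -> path
    echo "$HOME/mnt/${1}_on_${2}"
}

# Refuse a credentials file that is missing or readable by other users.
creds_ok() {   # file
    [ -f "$1" ] || return 1
    [ "$(stat -c %a "$1")" = "600" ]
}

mount_share() {
    mp=$(mountpoint_for "$SHARE" "$SERVER")
    creds_ok "$CREDS" || { echo "credentials file $CREDS missing or not mode 600" >&2; return 1; }
    mkdir -p "$mp" || return 1
    # uid/gid make the mounted files belong to the invoking user, not root.
    sudo mount.cifs "//$SERVER/$SHARE" "$mp" \
        -o "credentials=$CREDS,domain=$WORKGROUP,uid=$(id -u),gid=$(id -g)" \
        || { rmdir "$mp"; return 1; }
    echo "mounted //$SERVER/$SHARE on $mp"
}

unmount_share() {
    mp=$(mountpoint_for "$SHARE" "$SERVER")
    sudo umount "$mp" && rmdir "$mp" && echo "unmounted $mp"
}

case "${1:-}" in
    -m) mount_share ;;
    -u) unmount_share ;;
    "") ;;
    *)  echo "usage: $0 -m | -u" >&2 ;;
esac
```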
smb_net is a file that can be script-included in a bash script to allow easy
and convenient access to smb shares, such as those that may be available on
a Windows server or a Linux server running samba. There are two example
scripts that include (use) the smb_net functionality (public, public_admin,
and gatekeeper). Simply copy one of these off to another name and edit in
your particular server, share, and Domain/workgroup settings. This script
will create a logically named mount point (~/mnt/sharename_on_servername/)
on your Linux/UNIX workstation when run with the -m option. It will also
remove this mount point when you use the same script for unmounting the
share (scriptname -u).

Although this script would normally be used by a Linux workstation, it
could also be used on gatekeeper to attach to shares available on internal
hosts. Keep in mind that gatekeeper's DNS domain will be driven by the ISP
DHCP service. That is to say, gatekeeper will not use gatekeeper's BIND
config data (local DNS zone) to resolve DNS names when operating on
gatekeeper. You will have to add internal hostname-IP address information
into /etc/hosts on gatekeeper to resolve internal subnet hostnames from
gatekeeper.

You should spend some time testing the system to make sure that everything
is working as desired. Afterwards you can sit back and enjoy your new
server.

A special thank you...

I would be remiss for not thanking the good folks who support Debian, the
Free Software Foundation, Canonical (creators of Ubuntu) and the many
individuals who have worked to provide high quality software--under the
friendly terms of the GPL. A truly amazing system indeed!

-end-