Config DNS server, webserver, mail server, iptable firewall

HANOI UNIVERSITY OF SCIENCE AND TECHNOLOGY
School of Information and Communication Technology
=========*=========
FINAL PROJECT REPORT
ITSS Linux System and Network Management
Instructor : Msc.Banh Thi Quynh Mai
Class : ICT 56
Group : Season1418
− Dao Duc Cuong 20111201
− Nguyen Hai Nam 20111884
− Le Anh Tien 20112311
− Hoang Minh Tuan 20112418
Project Report
ITSS Linux System and Network Management
Prerequisite setup and installation :
• Server machine : GNU/Linux CentOS 6.5, host name : server1.season1418.vn
• Client machine : GNU/Linux CentOS 6.5, hostname : client.season1418.vn
• Server machine has 2 NICs. One for Internet connection, one for local network
• Create a NetworkManager profile for each NIC of the server machine.
• Client machine has 1 NIC for local network.
1. Setup DHCP server:
− On the server machine :
eth1 is for the Internet connection, 10.0.3.0/24 (changed to the outer network 192.168.56.0/24 in
part 5 Firewall)
eth2 is for the local network 192.168.50.0/24
− On the client machine :
eth2 is for the local network 192.168.50.0/24
− On the server machine, install the dhcp package (it provides the dhcpd daemon) :
$ sudo yum install dhcp
− Edit the file : /etc/sysconfig/network-scripts/ifcfg-eth2
DEVICE=eth2
BOOTPROTO=none
# ONBOOT must be yes: with "no", "service network restart" leaves eth2 down and
# dhcpd refuses to start because no interface carries the configured subnet
ONBOOT=yes
NETWORK=192.168.50.0
NETMASK=255.255.255.0
IPADDR=192.168.50.1
DNS1=192.168.50.1
# the default route belongs to eth1 (the Internet NIC), not to the LAN side
DEFROUTE=no
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
− To make the DHCP service running on eth2 interface, edit : /etc/sysconfig/dhcpd
DHCPDARGS=eth2
− We describe the local network: router address, DNS server address, subnet and the range of client
addresses. Edit the file : /etc/dhcp/dhcpd.conf
ddns-update-style none;
authoritative;
log-facility local7;
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.50.255;
option routers 192.168.50.1;
option domain-name-servers 192.168.50.1;
subnet 192.168.50.0 netmask 255.255.255.0 {
range 192.168.50.100 192.168.50.200;
}
− Restart dhcpd service to make these changes effective :
$ sudo service dhcpd restart
− To see which clients have obtained an address from the DHCP server, read the lease database:
$ less /var/lib/dhcpd/dhcpd.leases

− On the client machine, eth2 is for the local network.
− Set the following value in /etc/sysconfig/network-scripts/ifcfg-eth2 so that the client obtains its
address from the DHCP server :
BOOTPROTO=dhcp
− Restart network service :
$ sudo service network restart
− On the client ping the server to check network :
$ ping 192.168.50.1
Local network has the DHCP server at 192.168.50.1, client addresses range from
192.168.50.100 to 192.168.50.200.
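As an added example (not part of the original report), the following shell function summarises the lease database the step above points at. dhcpd appends a new `lease` record on every renewal and never rewrites the old ones, so grepping the file shows stale entries as well; the function keeps only the last record per address and only those whose binding state is active. The sample lease text is constructed for the example, not copied from the project's server.

```sh
#!/bin/sh
# Constructed sample of /var/lib/dhcpd/dhcpd.leases for this example
# (two records for .100 because the client renewed once; .101 was released).
SAMPLE_LEASES='lease 192.168.50.100 {
  starts 4 2014/05/15 08:00:00;
  ends 4 2014/05/15 08:10:00;
  binding state active;
  hardware ethernet 08:00:27:aa:bb:cc;
  client-hostname "client";
}
lease 192.168.50.101 {
  starts 4 2014/05/15 07:00:00;
  ends 4 2014/05/15 07:10:00;
  binding state free;
  hardware ethernet 08:00:27:dd:ee:ff;
}
lease 192.168.50.100 {
  starts 4 2014/05/15 08:10:00;
  ends 4 2014/05/15 08:20:00;
  binding state active;
  hardware ethernet 08:00:27:aa:bb:cc;
  client-hostname "client";
}'

# active_leases FILE
# Prints "IP MAC HOSTNAME" (HOSTNAME is "-" when the client sent none) for
# every address whose most recent record is active. A later record for the
# same IP overrides an earlier one, which is how dhcpd itself reads the file.
active_leases() {
  awk '
    /^lease /           { ip = $2; mac = "-"; host = "-"; state = "" }
    /hardware ethernet/ { mac = $3; sub(/;$/, "", mac) }
    /client-hostname/   { host = $2; gsub(/[";]/, "", host) }
    /binding state/     { state = $3; sub(/;$/, "", state) }
    /^}/                { if (state == "active") act[ip] = mac " " host; else delete act[ip] }
    END { for (ip in act) print ip, act[ip] }
  ' "$1" | sort
}

# Usage on the DHCP server:  active_leases /var/lib/dhcpd/dhcpd.leases
```

With the sample above the function prints a single line for 192.168.50.100; the released .101 lease and the superseded first record for .100 are dropped.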

2. Setup DNS server:
− On the server, install the bind package and its tools (not "bind*": that glob also pulls in
bind-chroot, which moves the configuration under /var/named/chroot and breaks the paths used below) :
$ yum install bind bind-utils
− The DNS server listens for queries on port 53. If it is not authoritative for the queried domain, it
forwards the request to the Google DNS server at 8.8.8.8. It is authoritative for 5 domains only:
season1418.vn, season1418.com, season1418.org, season1418.net and season1418.tk. Because it also
recurses, recursion is restricted to the local network; with allow-query { any; } and recursion open
to everyone, the server would be an open resolver as soon as it is reachable on eth1. The
dnssec-lookaside and ISC DLV lines are the CentOS 6 defaults; ISC shut the DLV registry down in
2017, so they should be removed on any current BIND. Edit file : /etc/named.conf
options {
    listen-on port 53 { 192.168.50.1; }; # master dns, LAN side only
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    forwarders { 8.8.8.8; }; # forward to Google DNS
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };
    recursion yes;
    // answer recursive queries for the LAN only; "any" here makes an open resolver
    allow-recursion { 127.0.0.1; 192.168.50.0/24; };
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "season1418.vn" IN{
type master;
file "forward.season1418";
allow-update { none; };
};
zone "season1418.com" IN{
type master;
file "fw.season1418.com";
allow-update { none; };
};
zone "season1418.org" IN{
type master;
file "fw.season1418.org";
allow-update { none; };
};

zone "season1418.net" IN{
type master;
file "fw.season1418.net";
allow-update { none; };
};
zone "season1418.tk" IN{
type master;
file "fw.season1418.tk";
allow-update { none; };
};
zone "50.168.192.in-addr.arpa" IN{
type master;
file "reverse.season1418";
allow-update { none; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
− Create 5 forward zone files and 1 reverse zone file in the /var/named/ directory. The four files
fw.season1418.com, fw.season1418.org, fw.season1418.net and fw.season1418.tk are almost the
same except for their IP address. The file forward.season1418 has some extra records since
season1418.vn is the main domain of this configuration. The reverse zone file maps an IP address back
to a domain name. Note that the client's A record is only right while DHCP happens to hand out
192.168.50.100; either pin the client's address with a host block (fixed-address) in dhcpd.conf or
leave the client out of the zone.
− File: /var/named/forward.season1418
$TTL 86400
@ IN SOA server1.season1418.vn. root.season1418.vn. (
2011071001 ;Serial
3600 ;Refresh
1800 ;Retry
604800 ;Expire
86400 ;Minimum TTL
)
@ IN NS server1.season1418.vn.
; the zone apex points at the server only, not at the client's DHCP address
@ IN A 192.168.50.1
@ IN MX 10 mail.season1418.vn.
server1 IN A 192.168.50.1
client IN A 192.168.50.100
mail IN A 192.168.50.1
; www is the name the web server answers to (part 4)
www IN A 192.168.50.1
− The reverse zone file : /var/named/reverse.season1418. Only NS and PTR records belong here; A and
MX records in a reverse zone would name hosts under 50.168.192.in-addr.arpa and are never used.
Several PTRs for one address (1 and 12 below) are legal, but most software only looks at the first
one returned, so prefer a single canonical name per address.
$TTL 86400
@ IN SOA server1.season1418.vn. root.season1418.vn. (
2011071001 ;Serial
3600 ;Refresh
1800 ;Retry
604800 ;Expire
86400 ;Minimum TTL
)
@ IN NS server1.season1418.vn.
1 IN PTR server1.season1418.vn.
1 IN PTR mail.season1418.vn.
100 IN PTR client.season1418.vn.
10 IN PTR season1418.com.
11 IN PTR season1418.org.
12 IN PTR season1418.net.
12 IN PTR season1418.tk.

− Forward zone file for the other domains : /var/named/fw.season1418.com. The same layout is used for
fw.season1418.org (192.168.50.11), fw.season1418.net and fw.season1418.tk (both 192.168.50.12, the
name-based virtual hosts of part 4). The SOA MNAME field names the primary name server,
server1.season1418.vn, the owner name @ is written explicitly, and a www record is added because the
web server answers to www.season1418.com:
$TTL 86400
@ IN SOA server1.season1418.vn. root.season1418.com. (
2011071010 ;Serial
3600 ;Refresh
1800 ;Retry
604800 ;Expire
86400 ;Minimum TTL
)
@ IN NS server1.season1418.vn.
@ IN A 192.168.50.10
www IN A 192.168.50.10
− Start the DNS service :
$ sudo service named start
− Allow DNS queries on port 53 through iptables. The CentOS 6 default ruleset ends the INPUT chain with
a REJECT rule, so rules appended with -A land behind it and never match; insert them with -I instead
(or edit /etc/sysconfig/iptables directly). Stopping the iptables service "for now" also works, but it
leaves the server unprotected on eth1, the Internet-facing NIC.
$ sudo iptables -I INPUT -p udp -m state --state NEW --dport 53 -j ACCEPT
$ sudo iptables -I INPUT -p tcp -m state --state NEW --dport 53 -j ACCEPT
− Save the running rules, because a restart reloads /etc/sysconfig/iptables and discards anything
added at the command line :
$ sudo service iptables save
$ sudo service iptables restart
− Edit /etc/resolv.conf on the server to use our DNS server (the client receives the same address from
DHCP through option domain-name-servers, and DHCP rewrites the client's resolv.conf anyway):
nameserver 192.168.50.1
− In /etc/named.conf, the line forwarders { 8.8.8.8; }; makes this local DNS server look up records it
is not authoritative for on the Internet through the other NIC, eth1.
− Test the DNS server (the third query exercises the reverse zone) :
$ nslookup season1418.vn
$ nslookup server1.season1418.vn
$ nslookup 192.168.50.1
$ ping client.season1418.vn
$ ping google.com
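Because the reverse zone is written by hand it drifts from the forward zones easily: the PTR records for 192.168.50.10, .11 and .12 point at names that live in the other zone files, and the client's address is only right while DHCP happens to hand out .100. The following shell function, added here as an example and not part of the report, cross-checks a forward zone against the reverse zone: every A record must have a PTR for its address, and every PTR must name something that has an A record for that address. The two zone texts are constructed for the example and mirror the forward.season1418 and reverse.season1418 files above.

```sh
#!/bin/sh
# Constructed copies of the two zone files above, embedded so the check runs
# without a BIND installation.
SAMPLE_FWD='$TTL 86400
@ IN SOA server1.season1418.vn. root.season1418.vn. (
2011071001 ;Serial
3600 ;Refresh
1800 ;Retry
604800 ;Expire
86400 ;Minimum TTL
)
@ IN NS server1.season1418.vn.
@ IN A 192.168.50.1
@ IN MX 10 mail.season1418.vn.
server1 IN A 192.168.50.1
client IN A 192.168.50.100
mail IN A 192.168.50.1
www IN A 192.168.50.1'

SAMPLE_REV='$TTL 86400
@ IN SOA server1.season1418.vn. root.season1418.vn. (
2011071001 ;Serial
3600 ;Refresh
1800 ;Retry
604800 ;Expire
86400 ;Minimum TTL
)
@ IN NS server1.season1418.vn.
1 IN PTR server1.season1418.vn.
1 IN PTR mail.season1418.vn.
100 IN PTR client.season1418.vn.
10 IN PTR season1418.com.
11 IN PTR season1418.org.
12 IN PTR season1418.net.
12 IN PTR season1418.tk.'

# check_zones FORWARD_FILE REVERSE_FILE ORIGIN PREFIX
# ORIGIN is the forward zone name without a trailing dot (season1418.vn),
# PREFIX the first three octets covered by the /24 reverse zone (192.168.50).
# Prints one line per inconsistency and nothing when the zones agree.
check_zones() {
  awk -v origin="$3" -v prefix="$4" '
    # First file: collect "IP -> names" from A records, expanding relative owners.
    FNR == NR {
      if ($2 == "IN" && $3 == "A") {
        n = $1
        if (n == "@") n = origin; else if (n !~ /\.$/) n = n "." origin
        sub(/\.$/, "", n)
        a[$4] = a[$4] " " n
      }
      next
    }
    # Second file: every PTR target must own an A record for that address.
    $2 == "IN" && $3 == "PTR" {
      ip = prefix "." $1; n = $4; sub(/\.$/, "", n)
      p[ip] = 1
      names = (ip in a) ? a[ip] : ""
      if (index(" " names " ", " " n " ") == 0)
        print "PTR " ip " -> " n " has no matching A record"
    }
    # Every address with an A record must have a PTR.
    END {
      for (ip in a) if (!(ip in p)) print "no PTR for " ip " (" a[ip] " )"
    }
  ' "$1" "$2" | sort
}

# Usage on the server:
#   check_zones /var/named/forward.season1418 /var/named/reverse.season1418 season1418.vn 192.168.50
```

On the sample zones the check reports the four PTRs for .10, .11 and .12, whose targets are defined in the other forward files rather than in forward.season1418; run it once per forward zone, or merge the A records first, to see only genuine drift.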
3. Setup Mail server
− Install the postfix package :
$ yum install postfix
− Install the SMTP AUTH packages :
$ yum install openssl cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain
− Create the TLS certificate (needed for the STARTTLS settings below; 2048-bit RSA, since 1024-bit
keys are below current minimums). smtpd.crt is self-signed with its own key, so cacert.pem is a
separate CA that does not vouch for it; clients will warn about the certificate unless they trust it
explicitly :
$ mkdir /etc/postfix/ssl
$ cd /etc/postfix/ssl
$ openssl genrsa -des3 -out smtpd.key 2048
$ chmod 600 smtpd.key
$ openssl req -new -key smtpd.key -out smtpd.csr
$ openssl x509 -req -days 365 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
$ openssl rsa -in smtpd.key -out smtpd.key.unencrypted
$ mv -f smtpd.key.unencrypted smtpd.key
$ openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 365
− Edit file : /etc/postfix/main.cf
# myhostname must be the name the MX record points at (mail.season1418.vn)
myhostname = mail.season1418.vn
mydomain = season1418.vn
myorigin = $mydomain
home_mailbox = mail/
# an explicit mynetworks overrides mynetworks_style, so the style line is inert
mynetworks = 192.168.50.0/24
mynetworks_style = subnet
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
# offer AUTH only inside TLS; with "no", passwords are accepted over plaintext SMTP
# (requires the certificate created above)
smtpd_tls_auth_only = yes
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
− To send mail to the Internet we relay through a registered mail server (e.g. Google's), so a Google
Mail account is needed as the relay account. Suppose our email address is , our relay mail account
is , and the recipient would see the sender as main@season1418 . Add the following lines
(a smtp_tls_policy_maps entry would need a /etc/postfix/tls_policy map that is never created here, and
a missing map makes Postfix defer all mail, so a global security level is used instead) :
relayhost = [smtp.gmail.com]:587
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_auth_enable = yes
# require TLS towards the relay so the Gmail password never leaves in clear
smtp_tls_security_level = encrypt
− Edit file : /etc/postfix/sasl_passwd. It holds the Google Mail address and password, so no other
user may read it (chmod 400). The lookup key must be the relayhost value exactly as written above.
Google accounts now need an app password (or OAuth) for SMTP logins rather than the normal account
password; both values below are placeholders :
[smtp.gmail.com]:587 your-address@gmail.com:your-app-password
− Apply postfix rule :
$ sudo chown root:root /etc/postfix/sasl_passwd
$ sudo chmod 400 /etc/postfix/sasl_passwd
$ sudo postmap /etc/postfix/sasl_passwd
− Add the following lines to /etc/postfix/master.cf to offer SMTP over TLS on port 465 (smtps);
smtpd_tls_wrappermode is what makes that port speak TLS from the first byte :
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_sender=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o broken_sasl_auth_clients=yes
− Edit iptables to allow connections to port 25 (and 465 for smtps). SMTP is TCP only, so no udp rule
is needed; insert the rules ahead of the default REJECT and save them :
$ sudo iptables -I INPUT -p tcp -m state --state NEW --dport 25 -j ACCEPT
$ sudo iptables -I INPUT -p tcp -m state --state NEW --dport 465 -j ACCEPT
$ sudo service iptables save
− Restart the postfix and saslauthd services :
$ sudo service postfix restart
$ sudo service saslauthd restart
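To verify the SMTP AUTH setup from the client, a practitioner opens a STARTTLS session by hand and sends AUTH PLAIN with the SASL token, which is the base64 encoding of a NUL byte, the user name, another NUL byte and the password. The helper below, an added example rather than code from the report, builds that token, runs the manual session through openssl s_client, and checks that the sasl_passwd file from the relay step is readable by its owner only. The user name and password values are placeholders.

```sh
#!/bin/sh
# auth_plain_token USER PASSWORD
# Builds the SASL PLAIN initial response: base64("\0" USER "\0" PASSWORD).
# The authorization identity is left empty, as ordinary mail clients do.
auth_plain_token() {
  printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# secret_file_ok FILE
# Returns 0 when FILE is readable by its owner only (mode 0600 or 0400),
# which sasl_passwd needs because it holds the relay password in clear.
secret_file_ok() {
  mode=$(ls -ld "$1" | cut -c2-10)
  case "$mode" in
    rw-------|r--------) return 0 ;;
    *) return 1 ;;
  esac
}

# smtp_auth_test HOST USER PASSWORD
# Manual SMTP dialogue over STARTTLS on port 25; prints the server's replies.
# A "235 2.7.0 Authentication successful" line means SASL works end to end.
# Needs the live server, so it is not part of the example's self-test.
smtp_auth_test() {
  token=$(auth_plain_token "$2" "$3")
  {
    sleep 1; printf 'EHLO client.season1418.vn\r\n'
    sleep 1; printf 'AUTH PLAIN %s\r\n' "$token"
    sleep 1; printf 'QUIT\r\n'
  } | openssl s_client -quiet -starttls smtp -connect "$1:25" 2>/dev/null
}

# Usage from the client:  smtp_auth_test mail.season1418.vn user password
#                         secret_file_ok /etc/postfix/sasl_passwd && echo "permissions ok"
```

If the server replies "503 5.5.1 Error: authentication not enabled" on the plain port 25 session, smtpd_tls_auth_only is doing its job and AUTH is only offered after STARTTLS, which the -starttls smtp option negotiates before the EHLO above is sent.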
4. Setup Web server
Since Apache Web Server is so popular, in this report we will use it as a web service running on our server.
− On the server, install httpd package :
$ yum install httpd
• Name-based virtual hosts: ( season1418.net, season1418.tk )
− Create a directory for each virtual host :
$ sudo mkdir -p /var/www/season1418.net/public_html
$ sudo mkdir -p /var/www/season1418.tk/public_html
− Change the owner to the main user :
$ sudo chown -R user:user /var/www/season1418.net/public_html
$ sudo chown -R user:user /var/www/season1418.tk/public_html
− Change permission :
$ sudo chmod 755 /var/www
− Create an index for each website: /var/www/season1418.xxx/public_html/index.html
• IP-based virtual hosts: ( season1418.com, season1418.org )
− Create the same directory layout for season1418.com, season1418.org and the main domain
season1418.vn (DocumentRoot /var/www/season1418.xxx/public_html, owned by the main user).
− We reuse the eth2 NIC for the extra IP addresses by adding alias interfaces :
$ cd /etc/sysconfig/network-scripts
$ cp ifcfg-eth2 ifcfg-eth2:0
$ cp ifcfg-eth2 ifcfg-eth2:1
$ cp ifcfg-eth2 ifcfg-eth2:2
− Change DEVICE and IPADDR to the proper values in each of the three files. For example, in
/etc/sysconfig/network-scripts/ifcfg-eth2:0
DEVICE=eth2:0
BOOTPROTO=static
ONBOOT=yes
NETWORK=192.168.50.0
NETMASK=255.255.255.0
IPADDR=192.168.50.10
HWADDR=08:00:27:32:DF:C2
DNS1=192.168.50.1
# no GATEWAY here: 192.168.50.1 is this host, and the default route stays on eth1
DEFROUTE=no
IPV4_FAILURE_FATAL=yes
− HWADDR must stay the same as in ifcfg-eth2 and BOOTPROTO must be static, since the websites need
fixed IP addresses. Do the same for ifcfg-eth2:1 and ifcfg-eth2:2 with IPADDR=192.168.50.11 and
IPADDR=192.168.50.12 respectively.
• In summary:
− Main domain : www.season1418.vn 192.168.50.1:80 ( eth2 )
− IP-based hosting :
www.season1418.com 192.168.50.10:80 ( eth2:0 )
www.season1418.org 192.168.50.11:80 ( eth2:1 )
− Name-based hosting :
www.season1418.net 192.168.50.12:80 ( eth2:2 )
www.season1418.tk 192.168.50.12:80 ( eth2:2 )
− Edit file : /etc/httpd/conf/httpd.conf. Address-based directives are written with IP addresses rather
than host names: Apache resolves a name in NameVirtualHost or <VirtualHost> only once at startup, and a
DNS failure then silently merges or drops hosts. NameVirtualHost is only needed on the address that
serves more than one name (192.168.50.12). The ServerAdmin addresses are not given in this report; the
directive is optional and is left out. A single Alias for /~vn already covers /~vn/dir.
####################################
###### IP-based & main domain ######
####################################
Listen 192.168.50.1:80
Listen 192.168.50.10:80
Listen 192.168.50.11:80
<VirtualHost 192.168.50.1:80>
    DocumentRoot /var/www/season1418.vn/public_html
    ServerName www.season1418.vn
    ServerAlias season1418.vn
    ErrorLog /var/www/season1418.vn/error.log
    CustomLog /var/www/season1418.vn/requests.log common
    Alias /~vn /var/www/season1418.vn/public_html/uservn
    <Directory "/var/www/season1418.vn/public_html/uservn">
        # Indexes serves a directory listing wherever no index.html exists and
        # FollowSymLinks follows links out of the DocumentRoot; keep them only if
        # browsing the personal directory is intended
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
<VirtualHost 192.168.50.10:80>
    DocumentRoot /var/www/season1418.com/public_html
    ServerName www.season1418.com
    ServerAlias season1418.com
    ErrorLog /var/www/season1418.com/error.log
    CustomLog /var/www/season1418.com/requests.log common
</VirtualHost>
<VirtualHost 192.168.50.11:80>
    DocumentRoot /var/www/season1418.org/public_html
    ServerName www.season1418.org
    ServerAlias season1418.org
    ErrorLog /var/www/season1418.org/error.log
    CustomLog /var/www/season1418.org/requests.log common
</VirtualHost>
####################################
########### Name-based ###############
####################################
Listen 192.168.50.12:80
NameVirtualHost 192.168.50.12:80
<VirtualHost 192.168.50.12:80>
    DocumentRoot /var/www/season1418.net/public_html
    ServerName www.season1418.net
    ServerAlias season1418.net
    ErrorLog /var/www/season1418.net/error.log
    CustomLog /var/www/season1418.net/requests.log common
</VirtualHost>
<VirtualHost 192.168.50.12:80>
    DocumentRoot /var/www/season1418.tk/public_html
    ServerName www.season1418.tk
    ServerAlias season1418.tk
    ErrorLog /var/www/season1418.tk/error.log
    CustomLog /var/www/season1418.tk/requests.log common
</VirtualHost>
− To set up a personal web page and personal directory on a website we use the Alias keyword inside the
<VirtualHost> </VirtualHost> block of that website. One Alias is enough: /~vn maps every path below it,
so /~vn/dir needs no Alias of its own. The <Directory> block grants access to the aliased directory and
sets its options :
<VirtualHost 192.168.50.1:80>
. . .
Alias /~vn /var/www/season1418.vn/public_html/uservn
<Directory "/var/www/season1418.vn/public_html/uservn">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
. . .
</VirtualHost>
− To view the personal web page, go to:
www.season1418.vn/~vn
www.season1418.vn/~vn/dir
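Options Indexes FollowSymLinks in the personal-directory block means any directory under it without an index.html is served as a listing, and a symlink planted there can expose files outside the DocumentRoot. The following shell functions are an added example rather than part of the report: the first scans an httpd.conf for <Directory> blocks that enable Indexes or FollowSymLinks (without the safer SymLinksIfOwnerMatch) so they can be reviewed before the server goes live; the second checks that a virtual host answers to a given name by sending a Host header, which is how a client selects between the name-based hosts on 192.168.50.12. The sample configuration is constructed from the vhost definitions above.

```sh
#!/bin/sh
# Constructed excerpt of /etc/httpd/conf/httpd.conf for the example; the
# second <Directory> shows the hardened form of the same options.
SAMPLE_HTTPD_CONF='<VirtualHost 192.168.50.1:80>
    DocumentRoot /var/www/season1418.vn/public_html
    ServerName www.season1418.vn
    Alias /~vn /var/www/season1418.vn/public_html/uservn
    <Directory "/var/www/season1418.vn/public_html/uservn">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
    </Directory>
</VirtualHost>
<Directory "/var/www/season1418.net/public_html">
    Options -Indexes +SymLinksIfOwnerMatch
    AllowOverride None
</Directory>'

# risky_directory_options CONF
# Prints "PATH OPTION" for every <Directory> whose Options line turns on
# Indexes, or FollowSymLinks (which ignores symlink ownership).
risky_directory_options() {
  awk '
    /^[ \t]*<Directory/ {
      d = $2; gsub(/[">]/, "", d); inblock = 1; next
    }
    inblock && /^[ \t]*Options/ {
      for (i = 2; i <= NF; i++) {
        if ($i == "Indexes" || $i == "+Indexes") print d, "Indexes"
        if ($i == "FollowSymLinks" || $i == "+FollowSymLinks") print d, "FollowSymLinks"
      }
    }
    /^[ \t]*<\/Directory>/ { inblock = 0 }
  ' "$1"
}

# vhost_status IP HOSTNAME
# Requests "/" from the server at IP while claiming HOSTNAME and prints the
# HTTP status code. For the name-based hosts on 192.168.50.12 both names
# should return 200 and serve different index pages. Needs the live server.
vhost_status() {
  curl -s -o /dev/null -w '%{http_code}\n' -H "Host: $2" "http://$1/"
}

# Usage:  risky_directory_options /etc/httpd/conf/httpd.conf
#         vhost_status 192.168.50.12 www.season1418.tk
```

On the sample the scanner reports the uservn directory twice (Indexes and FollowSymLinks) and stays silent on the hardened block.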
5. Firewall:
On GNU/Linux, iptables is the default firewall. In this part we use it to handle traffic going into or
out of a network.
We will allow or block the client client.season1418.vn inside our local network from connecting to
another computer outside the network (or the Internet). The firewall is configured on the server machine
that already runs the DHCP and DNS services; server1.season1418.vn forwards all the client's requests and
masquerades them behind its own eth1 address.
Before adding rules, enable forwarding and load the NAT module (the echo only lasts until reboot; set
net.ipv4.ip_forward = 1 in /etc/sysctl.conf to keep it) :
$ echo 1 > /proc/sys/net/ipv4/ip_forward
$ modprobe iptable_nat
Then add the base rules :
$ iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
$ iptables -t filter -A FORWARD -i eth2 -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$ iptables -t filter -A FORWARD -i eth1 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
Two points matter here. iptables stops at the first matching rule, so an unconditional
"iptables -A FORWARD -i eth2 -j ACCEPT" placed in front of these would shadow every REJECT added later.
And the rule for eth1 accepts only ESTABLISHED,RELATED: accepting NEW there would let hosts on the
outer network open connections into the local network through the router.
• To allow TCP packets on the default SSH port 22:
$ sudo iptables -A FORWARD -p tcp --dport ssh -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT
$ sudo iptables -A OUTPUT -p tcp --dport ssh -j ACCEPT
• To block TCP web traffic. Blocking rules are inserted at the top (-I) so that they come before the
ACCEPT rules above; appended with -A they would never be reached :
$ sudo iptables -I FORWARD -p tcp --dport 80 -j REJECT
$ sudo iptables -I INPUT -p tcp --dport 80 -j REJECT
$ sudo iptables -I OUTPUT -p tcp --dport 80 -j REJECT
• To block FTP connections :
$ sudo iptables -I FORWARD -p tcp --dport 20:21 -j REJECT
$ sudo iptables -I INPUT -p tcp --dport 20:21 -j REJECT
$ sudo iptables -I OUTPUT -p tcp --dport 20:21 -j REJECT
• To block any incoming, outgoing or forwarded traffic on any port, protocol and interface. Appended
last, these act as the default deny after the ACCEPT rules; note that the OUTPUT rule also stops the
server's own DNS forwarding and mail relaying unless those are accepted first :
$ sudo iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
$ sudo iptables -A OUTPUT -j REJECT --reject-with icmp-host-prohibited
$ sudo iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
• To block TCP packets that enter on eth2 (local network) and leave on eth1 towards 192.168.56.2
(outer network) with a source port between 1024 and 65535 and destination port 8080 or 443. A list of
ports needs the multiport match; -s 0/0 matches every source and can be left out :
$ sudo iptables -I FORWARD -i eth2 -o eth1 -d 192.168.56.2 -p tcp --sport 1024:65535 -m multiport --dports 8080,443 -j REJECT
• To block ICMP echo-request and echo-reply packets. The first pair stops this machine from pinging out
(and from receiving the replies); the second pair stops other machines from pinging it :
$ sudo iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP
$ sudo iptables -A INPUT -p icmp --icmp-type echo-reply -j DROP
$ sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
$ sudo iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP
• Some other INPUT and OUTPUT rules:
$ iptables -A INPUT -p tcp --dport 80 -j ACCEPT
$ iptables -A INPUT -p tcp --dport 443 -j ACCEPT
$ iptables -A INPUT -p tcp --dport 25 -j DROP
$ iptables -A OUTPUT -p tcp --dport 110 -j REJECT
$ iptables -A OUTPUT -p tcp --dport 143 -j REJECT
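iptables evaluates a chain top to bottom and stops at the first match, so the order in which the commands above are typed decides what they do: a REJECT for port 80 appended after an ACCEPT for everything from eth2 never fires. The following shell function, an added example and not part of the report, produces the whole ruleset in iptables-restore format with the blocked ports placed ahead of the general LAN-to-Internet ACCEPT, and with nothing but replies accepted from the outer interface. Interface names and the blocked-port list are parameters; the DHCP, DNS, SSH, SMTP and HTTP ports opened on the LAN side are assumed from the services set up in parts 1 to 4.

```sh
#!/bin/sh
# gen_ruleset WAN_IF LAN_IF BLOCKED_PORTS
# Prints an iptables-restore file. BLOCKED_PORTS is a multiport list such as
# "80,20:21" (TCP) that LAN clients may not reach on the Internet; pass ""
# to block nothing. Write the output to /etc/sysconfig/iptables and run
# "service iptables restart" to apply it on CentOS 6.
gen_ruleset() {
  wan=$1; lan=$2; blocked=$3
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -p udp -m multiport --dports 67,53 -j ACCEPT
-A INPUT -i $lan -p tcp -m multiport --dports 53,22,25,465,80 -j ACCEPT
-A INPUT -i $wan -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
  # Blocked destinations go first so the broad ACCEPT below cannot shadow them.
  if [ -n "$blocked" ]; then
    printf -- '-A FORWARD -i %s -o %s -p tcp -m multiport --dports %s -j REJECT --reject-with icmp-host-prohibited\n' "$lan" "$wan" "$blocked"
  fi
  # Only the LAN may open new connections through the router; the WAN side
  # gets ESTABLISHED,RELATED (above) and nothing else.
  cat <<EOF
-A FORWARD -i $lan -o $wan -m state --state NEW -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# rule_position RULESET PATTERN
# Line number of the first rule containing PATTERN (fixed string), empty if none;
# used to confirm that a REJECT really precedes the ACCEPT it must override.
rule_position() {
  printf '%s\n' "$1" | grep -n -F -- "$2" | head -n 1 | cut -d: -f1
}

# Usage:  gen_ruleset eth1 eth2 "80,20:21" > /etc/sysconfig/iptables
#         iptables-restore --test < /etc/sysconfig/iptables && service iptables restart
```

The generated file replaces the hand-typed sequence above; with the ports written into one REJECT line there is nothing left to get out of order on the next edit.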
6. Note:
− On the server, if the NetworkManager service is used, create a separate profile for each of the 2 NICs
so that configuring the network does not turn into chaos. Each profile holds the information of its NIC.
− If one of these services cannot be started, look at its log; where the log lives depends on the service.
A common way to find out is the man page. Just run
$ man service-name
− If one of these services cannot be stopped, run $ ps aux | grep service-name, find the service's
process ID (the second column) and run $ kill process-id (use kill -9 only as a last resort: SI GKILL
gives the daemon no chance to flush its lease file or mail queue).
− If virtualization software like VirtualBox or VMware is used, the server machine should have one (1)
NIC configured as Internal Network (VirtualBox) or LAN Segment/Host-only (VMware), and the other one (2)
should be NAT (preferable) or Bridged mode. The client machine is attached to the same network as NIC (1)
of the server machine.
− For part 5 (Firewall), a virtual network connected to eth1 of the server can be created in several
ways. In VirtualBox, 'NAT Network' puts all clients on one shared network; 'NAT' gives each client its
own separate network; 'Host-only' is like 'NAT Network' except that the host machine running VirtualBox
can also reach the network. For example, we connect eth1 to a Host-only network to block/allow
connections between the host computer and the client inside the local network.
− Some useful commands for handling iptables:
$ iptables -F ( flush all rules in the filter table )
$ iptables -F OUTPUT ( flush all OUTPUT rules )
$ iptables-save > save-file ( back up rules )
$ iptables-restore < save-file ( recover rules )
