Project: your company, a small business, has recently moved into a new building with Internet access but no DHCP service and no budget to purchase a firewall to protect your network. You have 100 computers and 10 servers, plus a couple of printers and network devices to connect to your LAN. Your task as network administrator is to implement a DHCP server and a firewall router, but to your surprise you have neither access to the router nor any money to spend on a dedicated appliance. So what are your options? Of course, you go the open source way. In this guide we’ll see how best to accomplish this task.
Solution:
In this lab session, you’ll learn how to set up a virtual network on VMware (you may also use other virtualization products such as MS Virtual PC, Linux Xen, or VirtualBox from Sun). Next you will learn how to install and configure Linux CentOS5 (VM1) with two NIC adapters. On the Linux VM1, I’ll show you how to install and configure a DHCP server and the Firestarter firewall. You’ll also learn how to install and configure a second Linux CentOS5 machine (VM2) to use for testing your firewalled network’s connectivity to the public network (Internet). Finally you’ll have an opportunity to do the hands-on home assignment labs to test what you have learned in this lesson. Once you’re done with this lab session you should have gained the experience and capability to plan, design, implement and deploy a simple but secure Home/SMB office network infrastructure.
Assumptions:
It’s assumed that you have a good understanding of the Linux operating system and its working environment. It’s also assumed that you know how to install and configure Linux CentOS5; if not, go ahead and pop over to scribd.com and check out a good howto entitled “Install Guide Linux CentOS5 Server v1.1” to get you started.
Introduction
Figure 1 shows our setup for the pilot lab test session of our private Home/SMB LAN, which we have configured using VMware with two NIC adapters attached to VMnet2. eth0 is attached to the public side of the network and receives its IP address from DHCP. eth1 is configured with a static IP address and is also the NIC to which the DHCP server is bound; it feeds dynamic IP addresses to the devices located within the private LAN via the VMnet2 virtual switch. Machine 1 is running Linux CentOS5, which we’ll use to install the DHCP server and the firewall.
© April 2007, Kefa Rabah, Global Open Versity, Vancouver Canada
Fig. 1 (diagram): Internet; Virtual NIC eth0 (public side) and Virtual NIC eth1 (private LAN, 192.168.0.0/24)
Note: once you’re done with pilot testing and all is working great then you can migrate your setup
to your production environment.
Why is it important to have the latest version? In IT security best practice, as with any other software that you're going to run on your server, it's critically important that you have the very latest version of this 'daemon' (the Linux lingo for programs that run on the server without intervention) on your system. It's also very important to shut off any services that you’re not using.
6. This will create a directory called "DHCP 4.1.0p1" (in our case). Change into the newly created directory and run the following command as root:
# ./configure
7. If there are no errors you may run the following commands (as root) to build and install the software. You may be prompted for the root password; if you typed it in correctly, the new DHCP server will be installed onto your system.
Note: If you come across any errors when running the above commands, you are likely missing some library or other required files on your system.
8. Good. Now that you have the latest DHCP server it's time to configure it properly for your environment.
9. That is, before launching the DHCP server, copy the file "server/dhcpd.conf" from the build directory into your "/etc" directory:
# cp server/dhcpd.conf /etc/
Note 1: For the DNS server, you can use OpenDNS for all your public DNS needs; it's free and allows for content filtering.
Note 2: It’s very important that you make sure that you set the domain name properly, identify your
set of DNS servers by name, and define the subnet range for which you want to provide services via
DHCP.
Syntax: OK
Note: If the configuration check reports errors, you'll find them listed in /var/log/messages; correct them, otherwise the changes will not take effect.
ifconfig
2. You should then see something similar to "HWaddr 0A:CD:9E:05:AD:D7". The MAC address for that NIC adapter would be "0A:CD:9E:05:AD:D7".
3. If you are running Windows XP/Vista/7/2k3/2k8 you can find out the MAC address by clicking Start --> Run, typing "cmd" and hitting "Enter" to access the DOS prompt, and then typing:
ipconfig /all
4. You should then see "Physical Address" and the MAC address listed. Note: Windows might list the MAC address with hyphens (-) instead of colons (:); if so, just replace them with colons when entering the address into your "dhcpd.conf" file (e.g. change "0A-CD-9E-05-AD-D7" to "0A:CD:9E:05:AD:D7").
5. Once you've found the MAC address you can add the following entry to the bottom of your "dhcpd.conf" file:
DEVICE=eth1
BOOTPROTO=static
ONBOOT=yes
IPADDR=192.168.0.1
NETMASK=255.255.255.0
GATEWAY=<leave empty>
Note: You'll need to edit at least the GATEWAY IP; that's just the IP of my eth0 interface, so change it to whatever your eth0 IP is, which you can find out by running:
# ifconfig eth0
It should say something like: "eth0 inet addr:192.168.1.107", that's the one you want.
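As an added example (not part of the original lab manual), the script below writes a dhcpd.conf of the kind Note 2 describes for the 192.168.0.0/24 LAN behind eth1 and normalises the MAC address collected in steps 2 to 5 from the Windows hyphen form before it goes into the host entry. The pool range, lease times, the domain name "lab.example" and the hostname "winxp-client" are assumptions; the resolver addresses are OpenDNS's published public ones.

```shell
#!/bin/sh
# Added example, not from the lab manual: generate a dhcpd.conf
# for the 192.168.0.0/24 LAN behind eth1 and convert the MAC
# address gathered with ifconfig/ipconfig into dhcpd's colon form.
# Pool range, lease times, domain and hostname are assumptions;
# 208.67.222.222 and 208.67.220.220 are OpenDNS's public resolvers.
OUT=${1:-$(mktemp)}

# Windows prints "0A-CD-9E-05-AD-D7"; dhcpd wants "0A:CD:9E:05:AD:D7".
# Reject anything that is not six hex pairs so a typo never lands in the config.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr 'abcdef-' 'ABCDEF:')
    hh='[0-9A-F][0-9A-F]'
    case "$mac" in
        $hh:$hh:$hh:$hh:$hh:$hh) printf '%s\n' "$mac" ;;
        *) printf 'bad MAC address: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Emit the configuration: domain name and DNS servers (Note 2), one
# subnet with a dynamic pool and the 192.168.0.1 router from
# ifcfg-eth1, plus a fixed address for the client identified by MAC.
gen_dhcpd_conf() {
    host_name=$1
    host_mac=$(normalize_mac "$2") || return 1
    host_ip=$3
    cat <<EOF
ddns-update-style none;
authoritative;
option domain-name "lab.example";
option domain-name-servers 208.67.222.222, 208.67.220.220;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.100 192.168.0.200;
    option routers 192.168.0.1;
    option broadcast-address 192.168.0.255;
}
host $host_name {
    hardware ethernet $host_mac;
    fixed-address $host_ip;
}
EOF
}

# Write the file and, if ISC dhcpd is installed, parse it in test
# mode (-t) before it is copied over /etc/dhcpd.conf.
main() {
    gen_dhcpd_conf winxp-client 0A-CD-9E-05-AD-D7 192.168.0.250 > "$OUT"
    echo "wrote $OUT"
    if command -v dhcpd >/dev/null 2>&1; then dhcpd -t -cf "$OUT"
    else echo "dhcpd not installed here; skipping syntax check"; fi
}
main
```

The fixed address 192.168.0.250 matches the WinXP client used in the connectivity tests later in this guide.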
6. Next you have to tell your computer to listen for the telltale DHCP request coming across the private network. When a client computer or network device within your internal network goes looking for a DHCP address, it sends out a broadcast to anyone that'll listen, addressed to 255.255.255.255, so you have to tell your DHCP server to listen for that address:
10. Once your test machine, the internal PC (server07), is up and running, fire up a new Terminal window and issue the following command (see Fig. 2):
# ipconfig /all
Fig.2
11. Next issue the PING command to test connectivity with the rest of the NIC adapters, as shown in Fig. 2, by pinging our main server's Internet NIC adapter eth1, IP address 192.168.1.107, as shown in Fig. 3.
Fig.3
12. Now, from the main firewall Linux server, again issue the PING command to test connectivity with the rest of the NIC adapters, as shown in Fig. 4, by pinging the external Internet-facing eth0 adapter and our WinXP client on the internal network with IP address 192.168.0.250.
In the next section I will show you how to set up your firewall to block more things than we've done in this install guide, to keep your internal computers safe.
Firewalls are one of the core components of a network security implementation. Several vendors market
firewall solutions catering to all levels of the marketplace: from home users protecting one PC to data
center solutions safeguarding vital enterprise information. Firewalls can be stand-alone hardware
solutions, such as firewall appliances by Cisco, Nokia, and Sonicwall. Vendors such as Checkpoint,
McAfee, and Symantec have also developed proprietary software firewall solutions for home and business
markets.
Apart from the differences between hardware and software firewalls, there are also differences in the way firewalls function that separate one solution from another. In this guide, we’ll concentrate only on the Home/SMB type of network configuration with a very limited or no budget to cater for exotic firewall infrastructure. However, with the open source Linux operating system you have a lot of choices for protection, and for this lab session we are going to use the Firestarter firewall.
To understand Firestarter or any other firewall, let's take a look at a very common scenario for a small business. We need to provide Internet access to all computers in the network and yet we want them all to be protected from outside access. The best access is transparent: the user behind the firewall doesn't feel the presence of the firewall when accessing the Internet, while external access is blocked except where specifically allowed. Firestarter shines in such a setup. You can set up this configuration in less than 5 minutes. And the best part of all is that the client machines need nothing more than a simple configuration during setup in which you specify that the IP address and related information will be provided by DHCP; most likely this is already the default for your Linux distribution.
Firestarter is conveniently available in RPM package format for RPM-enabled Linux distributions such as Fedora Core, SuSE and Mandrake. In this section you will learn how to install Firestarter and set up a basic desktop firewall on a Linux CentOS5 server.
In most cases, Firestarter is packaged for many of the leading Linux distributions. Using a pre-compiled
package ensures that the program will integrate properly with your distribution of choice. For platforms for
which a binary package does not yet exist and for experienced users, Firestarter can also be compiled
from source.
1. Hop over to the Firestarter website and download the latest package, which at the time of writing this lab manual was "FireStarter-1.0.3-1.i386".
2. Once you have downloaded the Firestarter RPM specific to your distribution, open a terminal and
change to the directory where you downloaded the RPM to.
3. To install the Firestarter package, issue the following command:
4. Next, launch Firestarter using the Applications -> System Tools and then select Firestarter, as
shown in Fig. 5.
Fig. 5
5. As you can see from Fig. 6, instead of an intimidating interface, Firestarter uses a simple wizard to
take new users through the steps necessary for configuring the firewall. Click the Forward button.
Fig. 6
6. The first step is to identify which network interface the firewall will listen to as shown in Fig. 7. This is
usually the primary network interface of the machine which is connected to the Internet, in our case
"Virtual Machine 1 (Linux Firewall)", see Fig. 1. Click the Forward button.
Fig. 7
7. Next comes the part where the user is asked to choose whether this machine is also used for sharing the Internet connection. If so, select the secondary network interface of the machine, the one connected to the rest of the internal network. Next select Enable DHCP for local network so that your internal network devices receive IP addresses dynamically, and then click Create new DHCP configuration, as shown in Fig. 8.
Fig. 8
8. That’s it, you’re done with the initial configuration. The firewall is ready to be deployed. Select Start firewall now, and then click Save to complete the installation, as shown in Fig. 9.
Fig. 9
9. Next you will see the Firewall status window, as shown in Fig. 10. This is where you can see current
statistics about your newly created firewall and also tweak the rules even more if you so desire.
Fig. 10
10. Recall that in Fig. 11, we had used Firestarter to reconfigure our internal DHCP server. Now check and verify the current DHCP configuration using your favorite text editor, or issue the following command: "gedit /etc/dhcpd.conf". Figure 11 shows the current "dhcpd.conf" file content.
Fig. 11
11. You’re now done with the installation and configuration of Firestarter.
Note: The functions can be invoked by appending them as parameters to the script. For example,
on a Red Hat Mandrake distribution you can start the firewall by issuing the command:
# /etc/init.d/Firestarter start
Note: Most distributions also include tools, like chkconfig, to manage the service scripts. These
tools allow you to change the boot priority and many other parameters of the services.
13. Now let’s do some testing and then use Firestarter to monitor the activity, as shown in Fig. 12. Go ahead, fire up your browser and go to any website as desired.
Fig. 12
Note 1: You can click the “Active connection” link to view what kinds of connections are
underway within your network, as shown in Fig. 13.
Fig. 13
That is, the Active Connections listing allows you to monitor every active connection made to and from your machine/network. In both the Active Connections section and the Events tab you can right-click an entry and take action. For instance, in the Active Connections section you can right-click an entry and look up the hostname of that entry. In the Events tab you can do more. If you right-click an entry in the Events tab you can do the following:
Note 2: By default, the Firestarter firewall is fairly restrictive, but if, for example, you want to create a rule so that only your employees, and in particular road warriors, are able to remotely access this machine, then you can add a policy to whitelist your employees’ IP addresses.
14. To do this, click the Policy tab, then click Add Rule and add rules as desired, as shown in Fig. 14. When done click Apply Policy and you’re done.
Fig. 14
15. As you might have realized by now, Firestarter is a very simple and easy to use utility to configure and manage the iptables firewall, both for the novice and the experienced user, and a great tool for a Home/SMB that doesn’t have extra money to spend on deploying an expensive network security device. Firestarter makes the often daunting task of creating a firewall for a Linux machine simple. If you have ever dealt with iptables you will understand when I say this is a huge relief for not-so-experienced users or network administrators who do not want to take the time to learn the underlying technology, which in the case of Linux can be very scary and nightmarish.
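As an added example rather than Firestarter's own output, the script below spells out the iptables policy that the wizard's choices in steps 6 and 7 (eth0 public, eth1 shared with DHCP enabled) amount to, so the rules Firestarter manages for you can be read and checked. Interface names and the 192.168.0.0/24 LAN follow Fig. 1; the DHCP rule is deliberately not limited to the LAN subnet, because a client asking for a lease has no address yet.

```shell
#!/bin/sh
# Added example, not Firestarter's own generated rules: a minimal iptables
# policy equivalent to what the wizard sets up for Fig. 1 (eth0 public, eth1
# on the 192.168.0.0/24 LAN served by our dhcpd). Without arguments it only
# lists the commands; "apply" as root loads them.
EXT=eth0
INT=eth1
LAN=192.168.0.0/24

# One command per line so the policy can be reviewed before it is loaded.
# Inbound on eth0 is default-deny; only replies to connections we started come
# back. The DHCP rule cannot be limited to $LAN: a client asking for a lease
# has no address yet and sends from 0.0.0.0 to the 255.255.255.255 broadcast.
firewall_commands() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $INT -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A INPUT -i $INT -s $LAN -p icmp -j ACCEPT
iptables -A FORWARD -i $INT -o $EXT -s $LAN -j ACCEPT
iptables -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXT -s $LAN -j MASQUERADE
EOF
}

# Self-check run before applying: the number of rules that ACCEPT new traffic
# arriving on the public interface must be zero.
count_public_accepts() {
    firewall_commands | grep -c -- "-A INPUT -i $EXT .*-j ACCEPT" || true
}

# Load the policy, echoing each command; stops at the first failure.
apply_firewall() {
    [ "$(id -u)" -eq 0 ] || { echo "apply requires root" >&2; return 1; }
    [ "$(count_public_accepts)" -eq 0 ] || { echo "refusing: public ACCEPT rule" >&2; return 1; }
    firewall_commands | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd" || exit 1
    done
}

case "${1:-list}" in
    apply) apply_firewall ;;
    *)     firewall_commands ;;
esac
```

With this policy in place, the ping test from the WinXP host to VM2 later in this guide fails as expected (FORWARD defaults to DROP), while VM2 can still reach eth1 and the Internet.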
1. From Virtual Machine 2 (Internal PC), Fig. 1, open a Terminal window and issue the ping test to the WinXP host machine; you should have connectivity without any problem.
2. Now from the WinXP machine issue the ping test again, this time to VM2 (Internal PC), see Fig. 1. If your firewall is working correctly, you should not be able to ping VM2 from outside our private LAN. You should see "Request time out" or "Network unreachable".
3. Next test that you can access the Internet from within the internal network, from WinXP, using the PING command, as shown in Fig. 15.
Fig. 15
4. Again from WinXP, verify that your internal devices can access websites on the public Internet. To do this, fire up your favorite browser and access any website as desired, e.g. www.google.com, as shown in Fig. 16.
Fig. 16
5. From the Firestarter status window, you can monitor the connections to verify that someone from the internal network is indeed accessing the Google Search page, as shown in Fig. 17.
Fig. 17
6. Also, from the Linux OS status window, you should see the Firestarter status icon change from the normal running icon, Fig. 18(a), to a warning icon, Fig. 18(b), warning you which LAN system’s IP address is trying to access the network, as shown in Fig. 18(c).
7. You’re done with this lab session, Installing and configuring DHCP server and Firestarter firewall.
8. Enjoy
Fig. 19
6. Once the installation is completed, click Start -> Programs -> Nmap -> Nmap – Zenmap GUI
7. Next, enter the Internet-facing IP address "192.168.1.107", i.e., that of NIC adapter eth0, and then click Scan, as shown in Fig. 20.
Note: As can be observed from Fig. 21 above, NMAP confirms the firewall is filtering traffic sent to the
public IP address on eth0.
Step 2: Install Nmap on Linux Firewall Server inside the Internal Network
You’re done with the NMAP installation and with using it to test our Firestarter firewall.
The final, more realistic network infrastructure should look like the one shown in Fig. 20.
Fig. 20
(Diagram; only the labels survive: Internet, Business Partners Access, Public IP address, Internet Wi-Fi, DMZ Network, Switch 1, FTP Server, Web Server, 192.168.0.0/24, Linux box 1 (Firestarter Firewall), Linux box 2 (Firestarter Firewall), Switch 2, Switch 3, Private LAN 192.168.10.0/24, Messaging Server, RHE5 Samba Server, Server: Win2k8 AD, Dbase, Linux Internal Wi-Fi, Win7, Win-Vista, WinXP, Mac OSX, Terminal, Switch 7 - Rm 300, SSO Access to Network Resources.)
Note: Add network devices to switches 3 & 4 or any other part of the network as desired.
Note: Figure 12 above shows a schematic but more realistic network infrastructure to work with for your hands-on lab assignment. Feel free to re-configure the network design to suit your taste and aspirations.
Stay tuned as I am continuously updating this lab session manual with more goodies!
Contact us today:
Email: info@globalopenversity.org
URL: www.globalopenversity.org
1. Install Ubuntu 10.04 LTS (Lucid Lynx) ensure it’s updated with the latest patches and bug fixes.
2. Install and configure OpenNebula Cloud Computing with two nodes.
3. Install and configure VMs with image for installing cloud applications
-----------------------------------------------
Kefa Rabah is the Founder of Global Technology Solutions Institute. Kefa is knowledgeable in several fields of Science & Technology, Information Security Compliance and Project Management, and Renewable Energy Systems. He is also the founder of Global Open Versity, a place to enhance your education and career goals using the latest innovations and technologies.