Introduction 1
Part 6: Troubleshooting 25
Introduction
Shorewall is a high-level tool for configuring Netfilter. You describe your firewall/gateway
requirements using entries in a set of configuration files. Shorewall reads those configuration files and, with
the help of the iptables utility, configures Netfilter to match your requirements. Shorewall can be
used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux
system. Shorewall does not use Netfilter's ipchains compatibility mode and can thus take advantage of
Netfilter's connection state tracking capabilities.
CentOS is a community-supported, free and open source operating system based on Red Hat Enterprise
Linux. It exists to provide a free enterprise-class computing platform and strives to maintain 100% binary
compatibility with its upstream distribution. CentOS stands for "Community ENTerprise Operating
System". CentOS is the perfect server for people who need enterprise-class operating system stability
without the cost of certification and support, and the pocket-burning baggage that comes with proprietary
software. And the beauty is that CentOS is free.
Webmin is a web-based GUI for system administration of Linux/UNIX. Using any modern web
browser, you can set up user accounts, Apache, DNS, file sharing and much more. Webmin removes the
need to manually edit UNIX configuration files like /etc/passwd, and lets you manage a system from
the console or remotely with ease. Here we'll use Webmin mainly to configure the Shorewall firewall.
Lockdown server: we also need to lock down our firewall server to secure our application servers against
cyber-criminals and malware. For this we'll use Clamd. Clamd, which comes integrated with ClamAV and
Clamav-db, fits the bill for our task. It's a multi-threaded daemon that uses libclamav to scan files for
viruses. The daemon listens for incoming connections on a Unix and/or TCP socket and scans files or
directories on demand for viruses. The daemon is fully configurable via the clamd.conf file; it reads its
configuration from /etc/clamd.conf. Clam AntiVirus (ClamAV) is an open source (GPL) anti-virus
toolkit for UNIX, designed especially for e-mail scanning on mail gateways. It provides a number of utilities
including a flexible and scalable multi-threaded daemon, a command line scanner and an advanced tool for
automatic database updates. The core of the package is an anti-virus engine available in the form of a shared
library.
Assumptions:
It's assumed that you have a good understanding of the Linux operating system and its working environment.
It's also assumed that you know how to install and configure Linux CentOS5; if not, go ahead and pop over
to scribd.com and check out a good howto entitled "Install Guide Linux CentOS5 Server v1.1" to get you
started.
© April 2007, Kefa Rabah, Global Open Versity, Vancouver Canada
Solution:
In this lab session, you'll learn how to set up a virtual network on VMware (you may also use any other
virtual machine platform such as MS VirtualPC, Linux Xen, or VirtualBox from Oracle). Next, it's assumed that you
know how to install and configure Linux CentOS5 (VM1) with three NIC adapters. On the Linux VM1, I'll
show you how to install and configure a DHCP server and the Shorewall firewall. I'll show you how to use
Webmin to ease the pain of configuring the Shorewall firewall. You'll also learn how to configure two more
virtual machines (VMs), either Linux distros or any OS of your choice, to use for testing your firewalled network
connectivity from the LAN and DMZ to the public network (Internet). Finally, you'll have an opportunity to do some
hands-on lab assignments to test what you have learned in this lab session. Once you're done with this
lab session you should have gained the experience and capability to plan, design, implement
and deploy a secure private network or Home/SMB office network infrastructure.
Note: once you're done with the hands-on training, build a pilot test lab for prototype testing; once
all is working great, you can migrate your setup to your production environment.
Why is it important to have the latest version? In IT security best practice, as with any other software
that you're going to run on your server, it's critically important that you have the very latest version of this
'daemon' (the Linux lingo for programs that run on the server without intervention) on your system. It's
also very important to shut off any services that you're not using.
Installation
1. Head over to the Internet Software Consortium and download the latest version of the
DHCP server. As I write this, it's at version "dhcp-4.1.0p1.tar.gz".
2. Once you've downloaded it, move the file to your favorite location (/usr/local/src for this guide)
and unpack it by running the following command:
# tar -zxvf dhcp-*.tar.gz
3. This will create a directory called "dhcp-4.1.0p1" (in our case). Change into the newly created
directory and run the following command as root:
# ./configure
4. If there are no errors you may run the following commands (as root):
to build and install the software. You may be prompted for the root password, then, if you typed it in
correctly, the new DHCP server will be installed onto your system.
Note: If you come across any errors when running the above commands, you are likely missing some
library files or other required files on your system.
5. Good. Now that you have the latest DHCP server, it's time to configure it properly for your environment.
6. That is, before launching the DHCP server, copy the file "server/dhcpd.conf" from the build
directory into your "/etc" directory:
# cp server/dhcpd.conf /etc/
7. Finally, it's time to edit the configuration file to match your system configuration. Here's what the
"/etc/dhcpd.conf" file looks like:
Note 1: For the DNS server, you can use OpenDNS for all your public DNS needs; it's free and
allows for content filtering. For a production server, remember to use a public IP address.
Note 2: It's very important that you make sure that you set the domain name properly, identify your
set of DNS servers by name, and define the subnet range for which you want to provide services via
DHCP.
Note: When checking the configuration for errors, you'll find any errors listed in
/var/log/messages. The changes take effect once the DHCP server is restarted.
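As an added example (not the document's own file), here is a minimal /etc/dhcpd.conf for the gateway's LAN side that covers the three items in Note 2: the domain name, the DNS servers and the subnet range. The 192.168.10.0/24 addressing, the example.lab domain, the eth1 interface and the printer's MAC address are assumed values; the two resolver addresses are OpenDNS's public resolvers.

```conf
# Added example, not the guide's own /etc/dhcpd.conf. Addresses, domain and
# interface layout are assumed; adjust them to your lab network.
ddns-update-style none;
authoritative;                      # this is the only DHCP server on the LAN

option domain-name "example.lab";
# OpenDNS public resolvers (Note 1); use your own servers in production
option domain-name-servers 208.67.222.222, 208.67.220.220;

default-lease-time 600;             # 10 minutes
max-lease-time 7200;                # 2 hours

# LAN segment behind eth1 of the gateway (assumed interface layout)
subnet 192.168.10.0 netmask 255.255.255.0 {
    range 192.168.10.100 192.168.10.200;   # pool handed out to clients
    option routers 192.168.10.1;           # the gateway's LAN address
    option broadcast-address 192.168.10.255;
}

# Fixed address for a known host, matched on its MAC (constructed value)
host lab-printer {
    hardware ethernet 00:11:22:33:44:55;
    fixed-address 192.168.10.50;
}
```

Before restarting the daemon, `dhcpd -t -cf /etc/dhcpd.conf` checks the file for syntax errors and reports them on the terminal rather than only in /var/log/messages.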
6. To do this, use your favorite text editor and edit the file as follows:
# vi /etc/shorewall/shorewall.conf
7. Change the STARTUP_ENABLED setting to:
STARTUP_ENABLED=Yes
8. Also ensure that IP forwarding is enabled; the setting should read "IP_FORWARDING=On".
9. Save and exit (in vi, hit [ESC] and then ':wq').
In this section I walk through a step-by-step procedure for configuring the Shorewall firewall using
Webmin as the interface instead of editing files from the console. It is assumed that you already have a
server in basic configuration with Webmin. After installing and configuring Webmin you can log in
using the URL http://localhost:10000 or http://yourdomain:10000.
1. Now you see the first screen of the Webmin admin interface.
2. Here you can select the topics for different tasks, such as Webmin administration, different server
administration tasks, etc.
3. Scroll down and click Networking, then click the Shorewall Firewall link to access the Shorewall
configuration screen, as shown in Fig. 1:
In the next section we’ll expand on the different options for configuring Shorewall Firewall.
The full document has moved to Docstoc.com. You can access and download it from here:
http://www.docstoc.com/docs/50346510/Build-and-Deploy-Secure-Shorewall-Firewall-Protected-Network
-----------------------------------------------
Kefa Rabah is the Founder of Global Technology Solutions Institute. Kefa is knowledgeable in several
fields of Science & Technology, Information Security Compliance and Project Management, and
Renewable Energy Systems. He is also the founder of Global Open Versity, a place to enhance your
education and career goals using the latest innovations and technologies.