July 10, 2001



The first server, which we refer to as the gateway in this setup, is the machine that is connected to the Internet. It provides Internet connectivity to users on the LAN through the second server, and also protects the LAN from attacks and compromises originating on the Internet.

The gateway machine will not provide any user accounts; the only accounts on it will be administrative ones. This further increases the security of the server by removing the possibility of local-user attacks and compromises.

The gateway machine is connected via a NIC-to-NIC network cable to the second server, which we refer to as the Intranet server. At no time will any of the LAN users access the gateway server directly. All services are accessed through the Intranet server.

The gateway machine will be used for the following:

  • Masquerade/Firewall: Block all access to the machine from the Internet and open only selected ports for services like mail and secure remote logins. Masquerade all other connections to the Internet.

  • Mail server: The machine will be the point of entry for any mail traffic going in or out of the LAN. The Intranet machine will use this machine as a mail relay.

  • Connect to the Internet: The way services will work on this machine will mainly depend on the type of connectivity to the Internet. This machine has two network connections, one to the Intranet box using an Ethernet cable and the other to the Internet, which may be through a leased line, a cable modem, DSL or using dial-up connectivity like ISDN or normal analog telephone line. The point of difference is whether the machine has a static IP address on the Internet or gets a dynamic IP address whenever the Internet connection comes up.

Disable unnecessary services

The gateway box should run the bare minimum of services, so that there are as few ways as possible to reach the machine. Stop every service that is not needed. Run ntsysv and keep only the following services enabled; enable any other service only if it is absolutely necessary.

The required services on the machine are anacron, atd, crond, network, sendmail, sshd, and syslog.

Put up the firewall

The term firewall is used for a machine that applies access restrictions to the network connections which pass through it. In our setup, we have two layers of firewall: one running on the gateway box, which lets only mail and secure logins come in from the Internet and allows masqueraded traffic and mail traffic to go out from the Intranet box to the Internet, and a second layer running on the Intranet box.

Enable IP forwarding

For any traffic to be forwarded out from this machine, IP forwarding needs to be enabled. Open the file /etc/sysctl.conf and change the line which says
net.ipv4.ip_forward = 0
to
net.ipv4.ip_forward = 1
The setting takes effect at the next boot, or immediately if you run sysctl -p.
Firewall rules

We'll put the firewall rules on the gateway box using ipchains. To run these rules every time the machine starts, put the following in the file /etc/rc.d/rc.firewall (the #!/bin/sh line must be the first line of the file).
#!/bin/sh
# ------------------------------------------------------------------
# /etc/rc.d/rc.firewall: ipchains rules for the gateway box
modprobe ipchains
Intranet_box="192.168.0.2"
gateway_internal_ip="192.168.0.1"
# Name of the interface used to connect to the Internet
# Change this to ppp0 if you are on dial-up
internet_interface="eth0"
# Extract the IP address assigned to the Internet interface
# (needed on dial-up, where the address changes with every connection)
internet_ip=`/sbin/ifconfig $internet_interface | grep 'inet addr' | tr -s " " | cut -d" " -f3 | cut -d":" -f2 | cut -d" " -f1`
# Flush firewall rules
/sbin/ipchains -F
# Default policy of DENY for the forward chain
/sbin/ipchains -P forward DENY
# Block ssh sessions from the Internet
# Comment out these two lines if you want to allow ssh
/sbin/ipchains -A input -p tcp -d $internet_ip 22 -j REJECT
/sbin/ipchains -A input -p udp -d $internet_ip 22 -j REJECT
# Block NetBIOS ports
/sbin/ipchains -A forward -p tcp -s 0/0 -d 0/0 137 -j REJECT
/sbin/ipchains -A forward -p udp -s 0/0 -d 0/0 137 -j REJECT
/sbin/ipchains -A forward -p tcp -s 0/0 -d 0/0 138 -j REJECT
/sbin/ipchains -A forward -p udp -s 0/0 -d 0/0 138 -j REJECT
/sbin/ipchains -A forward -p tcp -s 0/0 -d 0/0 139 -j REJECT
/sbin/ipchains -A forward -p udp -s 0/0 -d 0/0 139 -j REJECT
# Fully masquerade the Intranet machine
/sbin/ipchains -A forward -s $Intranet_box -j MASQ
# ------------------------------------------------------------------
Make this file executable using
chmod +x /etc/rc.d/rc.firewall
Call this file from /etc/rc.d/rc.local by adding the following line to it.
/etc/rc.d/rc.firewall

The ipchains rules in this file are doing the following things:

  • Blocking SSH to the gateway machine from the Internet
  • Blocking any NetBIOS packets to go through the machine
  • Masquerading all the packets coming from the Intranet box so that the internal traffic can go through to the Internet.

You can add your own blocking rules similar to the ones mentioned in the rc.firewall file.
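The address extraction in rc.firewall silently yields an empty $internet_ip when the Internet interface is down (as ppp0 is before the first dial), and the ssh rules are then installed with a blank host. The following script is an added example, not from the original article: it parses ifconfig-style output with a single sed expression and prints the ipchains commands for review instead of running them, refusing to emit anything when no address is known. The ifconfig samples are constructed.

```shell
#!/bin/sh
# Added example (not from the original article). Helpers for the gateway's
# rc.firewall: iface_ip replaces the grep/cut chain, and gen_rules prints
# the ipchains commands so they can be reviewed before they are applied.
# Assumes the 2.2-era ifconfig output format and the article's addresses.

# iface_ip: read ifconfig-style output on stdin, print its IPv4 address.
# Returns 1 and prints nothing when there is no "inet addr:" line, which is
# what ifconfig shows for ppp0 before the link has come up.
iface_ip() {
    sed -n 's/^[[:space:]]*inet addr:\([0-9.]*\).*/\1/p' | head -n 1 | grep .
}

# gen_rules INTERNET_IP INTRANET_BOX: print the article's rule set (ssh is
# TCP only, so the UDP port 22 line is left out). With an empty address the
# original script would install rules with a blank host field; this refuses
# to emit anything at all instead.
gen_rules() {
    ip="$1"; intranet="$2"
    if [ -z "$ip" ]; then
        echo "gen_rules: Internet address unknown, no rules generated" >&2
        return 1
    fi
    echo "/sbin/ipchains -F"
    echo "/sbin/ipchains -P forward DENY"
    # ssh is refused on the Internet address only; the LAN side stays open
    echo "/sbin/ipchains -A input -p tcp -d $ip 22 -j REJECT"
    for port in 137 138 139; do            # NetBIOS, never forwarded
        for proto in tcp udp; do
            echo "/sbin/ipchains -A forward -p $proto -s 0/0 -d 0/0 $port -j REJECT"
        done
    done
    echo "/sbin/ipchains -A forward -s $intranet -j MASQ"
}

# Constructed sample of 'ifconfig eth0' for an interface that is up.
SAMPLE_UP='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:202.4.186.141  Bcast:202.4.186.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Constructed sample of 'ifconfig ppp0' before dialing: no inet line at all.
SAMPLE_DOWN='ppp0      Link encap:Point-to-Point Protocol
          POINTOPOINT NOARP MULTICAST  MTU:1500  Metric:1'

# Small wrappers: address from a sample string, and number of rules emitted.
ip_of_sample() { printf '%s\n' "$1" | iface_ip; }
rule_count() { gen_rules "$1" "$2" | wc -l | tr -d ' '; }

# Usage: on the live gateway the sample would be "$(/sbin/ifconfig ppp0)".
gen_rules "$(ip_of_sample "$SAMPLE_UP")" 192.168.0.2
```

Piping the output into sh applies the rules; running the script on its own shows exactly what would be installed.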

Configuring the mail server

All internal mail will be handled by the Intranet box itself, but for all outbound mail traffic the scenario will be something like this.

When a user sends mail from inside to someone outside the domain, the mail will travel from the user to the Intranet box to the gateway box to the Internet. For an incoming mail, the mail will come from the Internet to the gateway box to the Intranet box and then to the user. There is a difference in the way the gateway machine will handle mail if it has a static IP or a dynamic IP on the Internet.

Scenario 1: Dynamic IP address

If the box doesn't have a static IP address, you'll need to hire space from a hosting provider, which would accept all mail meant for our domain pcqlinux.com and store it in a multi-drop POP3 account. Whenever the gateway box goes online, all mail can be downloaded from this POP3 mailbox and distributed to the local user accounts using the following route.
Sender > Hosting account > Gateway box > Intranet box
for example, on hotmail.com > mail.pcqlinux.com > gateway.pcqlinux.com > Intranet.pcqlinux.com

Scenario 2: Static IP address

If the box does have a static IP on the Internet, all mail can come directly to the gateway box and get delivered immediately to the user accounts on the Intranet box using the following route.
Sender > Gateway box > Intranet box
for example, on hotmail.com > gateway.pcqlinux.com > Intranet.pcqlinux.com

Let’s first configure sendmail for these two cases.

Configuring sendmail

We’ll use the m4 macros to generate sendmail’s sendmail.cf file. It’s much easier than manually making changes to the sendmail.cf file.

There are two sets of macros that we need to use for the setup: one for the dial-up setup and one for the dedicated connectivity setup. After putting these macros in sendmail.mc, we'll generate the new sendmail.cf file for our setup.
Let's go through the various sendmail.mc macros we need to add. Open the file /etc/mail/sendmail.mc and make the following changes to it.

The gateway machine will be used as the outgoing mail server, or smart host, by the Intranet box. So we need to ensure that when we are on dial-up connectivity, sendmail does not deliver mail immediately but queues it as expensive mail for future delivery.

For this, we need two macros.
define(`confCON_EXPENSIVE', `True')
define(`SMTP_MAILER_FLAGS', `e')

Please note that you can add these to the set of define entries in sendmail.mc. You don’t need to add this if the gateway machine is on a dedicated link to the Internet.

If we are on dial-up, we can use the ISP's SMTP server to push out any external mail from our network. For that, we need to define a smart host. We use bgl.vsnl.net.in as the smart host, so the macro we need to define will look like:
define(`SMART_HOST', `bgl.vsnl.net.in')

Change bgl.vsnl.net.in to the smart host of your ISP.

You cannot substitute an IP address for the hostname directly. If you need to specify the IP of your smart host here, you need to enclose it in square brackets, like this
define(`SMART_HOST', `[202.4.186.140]')

However, we don’t need this if the gateway machine is on dedicated connectivity as the machine can directly connect to the recipient’s mail server and deliver mail.

The gateway machine is not online all the time if it's on a dial-up, yet sendmail will try to do DNS lookups every time it processes any mail. To change this behavior, we need to add the following to sendmail.mc.
define(`confBIND_OPTS', `-DNSRCH -DEFNAMES')

As per our setup, all mail traffic for the domain pcqlinux.com should be sent to the Intranet machine. Hence we need to tell sendmail to use the Intranet machine as a central mail server. Add this to sendmail.mc for this.
define(`MAIL_HUB', `Intranet')

By default sendmail is configured to listen on the 'lo' interface only. We'll change this behavior in order to accept connections from the Intranet box. Add this to sendmail.mc for this.
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
DAEMON_OPTIONS(`Port=smtp,Addr=192.168.0.1, Name=MTA')

If your gateway has a static IP address, insert another line with the IP of the Internet interface, so that sendmail can accept incoming mail directly from the Internet. For example, if the static IP of the gateway box on the Internet is 202.4.186.140, the entries would look like:
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
DAEMON_OPTIONS(`Port=smtp,Addr=192.168.0.1, Name=MTA')
DAEMON_OPTIONS(`Port=smtp,Addr=202.4.186.140, Name=MTA')

Apply the appropriate changes to this file according to your setup. That is, if you are on a dial-up, apply all the changes mentioned above to the sendmail.mc file, otherwise skip the ones which are mentioned to be only for dial-up connectivity.
Now we need to generate the new sendmail.cf file. Run
m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
This will overwrite the current sendmail.cf with our version.

Open /etc/mail/local-host-names. Put your domain name on a line by itself for which you want to accept mail. In our case, this is
pcqlinux.com
Sendmail by default won’t allow relaying mail through it. So, open the file /etc/mail/access and put a line which says
192.168.0.2 RELAY
This tells sendmail to RELAY any mails coming from the Intranet box.

For proper mail delivery to happen, you’ll need entries in the /etc/hosts file and a domain name server. Open the file /etc/hosts and ensure that you have the following entries in it.
127.0.0.1 localhost.localdomain localhost
192.168.0.1 gateway.pcqlinux.com gateway
192.168.0.2 Intranet.pcqlinux.com Intranet

Also ensure that you have a proper DNS entry in /etc/resolv.conf. For instance, if your DNS servers are 202.54.1.30 and 202.54.1.18, resolv.conf will contain
nameserver 202.54.1.30
nameserver 202.54.1.18

This sets up sendmail to handle all your outgoing mail and the internal mail traffic. However, we still need to set up the machine to be able to get mail from outside.
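As an added check that is not part of the original article, the following script audits the two relay-related settings just described on constructed copies of /etc/mail/access and sendmail.mc: every RELAY entry must be the Intranet box, and every DAEMON_OPTIONS line must bind an explicit address. The sample file contents are constructed; the allowed relay address is the article's 192.168.0.2.

```shell
#!/bin/sh
# Added example, not from the original article: a pre-flight check of the
# gateway's relay settings, run on constructed copies of /etc/mail/access
# and sendmail.mc rather than the live files. Assumes the article's setup:
# only the Intranet box (192.168.0.2) may relay, and each DAEMON_OPTIONS
# line names the address it binds (lo, the LAN side, or the static IP).

# relay_violations FILE ALLOWED: print RELAY keys in an access file that
# are not in the space-separated ALLOWED list. Returns 1 if any were found.
relay_violations() {
    access="$1"; allowed=" $2 "; bad=0
    while read -r key value; do
        case "$key" in ''|'#'*) continue ;; esac   # skip blanks and comments
        [ "$value" = "RELAY" ] || continue
        case "$allowed" in
            *" $key "*) ;;                        # expected entry
            *) echo "unexpected RELAY entry: $key"; bad=1 ;;
        esac
    done < "$access"
    return $bad
}

# wildcard_listeners FILE: print DAEMON_OPTIONS lines that bind every
# address (no Addr=, or Addr=0.0.0.0); on the gateway such a listener is
# reachable over the Internet link as well. Returns 1 if any were found.
wildcard_listeners() {
    awk '/^DAEMON_OPTIONS/ && (!/Addr=/ || /Addr=0\.0\.0\.0/) { print; bad = 1 }
         END { exit bad }' "$1"
}

# make_samples DIR: write the constructed sample files used below (a correct
# access file, one with an over-broad RELAY key, and a sendmail.mc with one
# listener lacking Addr=).
make_samples() {
    dir="$1"
    printf '# constructed sample: only the Intranet box relays\n192.168.0.2\tRELAY\n' \
        > "$dir/access.good"
    printf '192.168.0.2\tRELAY\n192.168\tRELAY\n' > "$dir/access.broad"
    {
        echo "DAEMON_OPTIONS(\`Port=smtp,Addr=127.0.0.1, Name=MTA')"
        echo "DAEMON_OPTIONS(\`Port=smtp,Addr=192.168.0.1, Name=MTA')"
        echo "DAEMON_OPTIONS(\`Port=smtp, Name=MTA')"
    } > "$dir/sendmail.mc.bad"
}

# Run both checks on the samples; a real run would point them at
# /etc/mail/access and /etc/mail/sendmail.mc instead.
audit_mail() {
    dir=$(mktemp -d) && make_samples "$dir"
    relay_violations "$dir/access.good" "192.168.0.2"  && echo "access.good: ok"
    relay_violations "$dir/access.broad" "192.168.0.2" || echo "access.broad: FAIL"
    wildcard_listeners "$dir/sendmail.mc.bad"          || echo "sendmail.mc.bad: FAIL"
    rm -rf "$dir"
}
audit_mail
```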

You can now restart the machine once so that we can proceed further.

Getting mail from the Internet

If the gateway machine is put up with a static IP, the simplest thing will be to accept mail directly on the gateway machine. This can be done by specifying the gateway machine as the primary mail exchanger (MX) for the domain pcqlinux.com. See the article on configuring DNS (page 118) for this. Typically, you'll need an entry like
IN MX 10 gateway.pcqlinux.com.
in your DNS files. Any external mail server trying to deliver mail for the domain pcqlinux.com will then connect directly to the gateway.pcqlinux.com machine through the Internet link and deliver mail. The gateway box will then pass the mail to the Intranet box, as specified in the sendmail configuration.

Most ISPs, however, be it dial-up service providers, cable ISPs or DSL, don't provide static IP addresses to their customers. To put up the gateway machine with this kind of connectivity, the domain pcqlinux.com will need to be hosted with a Web hosting provider and all mail meant for this domain redirected to a POP3 account, either on the same hosting server or any other POP3 account. For the purpose of this setup, we used a POP3 account on bgl.vsnl.net.in.

This mail then needs to be fetched and distributed among the local users. For this, we'll use a program called fetchmail. Fetchmail reads its configuration from a file called .fetchmailrc. We used bgl.vsnl.net.in as the incoming mail server with the user pcqlinux and password testpassword. Replace these with the entries specific to your setup.

Create .fetchmailrc in /root on the gateway machine with the following in it.
poll bgl.vsnl.net.in with protocol pop3 localdomains pcqlinux.com
user pcqlinux with password testpassword is * here smtphost 192.168.0.2
This instructs fetchmail to get all mail meant for the user pcqlinux from the server bgl.vsnl.net.in and pass it on to the Intranet box for final delivery. The IP address of the Intranet box as visible to the gateway machine is 192.168.0.2. The localdomains keyword tells fetchmail that addresses in pcqlinux.com are local, so that it can work out the intended recipient of each message in the multi-drop mailbox from its headers.
Save this file and change the file permissions to 600, so that only root can read the password, using
chmod 600 .fetchmailrc

Now whenever the gateway box connects to the Internet, fetchmail will have to be called so that mail from bgl.vsnl.net.in can be fetched. When the dial-up link comes up we need to do the following.

  • Set up the firewall with the IP address assigned on dial-up.
  • Instruct sendmail to process the mails stored in the queue.
  • Invoke fetchmail to get all the mails for our domain.

To do this, we write a script called 'now-online' which contains the following.
#!/bin/sh
# /etc/ppp/now-online: run when the dial-up link comes up
# Re-run the firewall script so the rules pick up the new ppp0 address
/etc/rc.d/rc.firewall
# Process the sendmail queue every five minutes while we are online
/usr/sbin/sendmail -q5m
# Fetch all mail (-a), flush old messages (-F), poll every 300 s in
# daemon mode (-d) and log all activity (-L)
fetchmail -a -F -d 300 -L /var/log/fetchmail.log

Make this file executable by writing

chmod +x /etc/ppp/now-online
To execute this script when the link comes up, we need to call it from /etc/ppp/ip-up.local. So, you need to create the ip-up.local file and make it executable. Assuming that this script lies in /etc/ppp/now-online, open the file /etc/ppp/ip-up.local and put this at the end of the file.
/etc/ppp/now-online
Make the file ip-up.local executable with
chmod +x /etc/ppp/ip-up.local

The sendmail line asks sendmail to process the mail queue every five minutes (by default, sendmail is configured to process the queue once an hour). The fetchmail line puts fetchmail in daemon mode, so that it fetches mail every five minutes and logs all activity to the file /var/log/fetchmail.log.
Similarly, when the connection gets disconnected we need to do the following.

  • Stop fetchmail from trying to fetch mail
  • Change the queue-processing time for sendmail so that it does not try to deliver mail very often when we are not online

We can write a similar script called 'now-offline'.
#!/bin/sh
# /etc/ppp/now-offline: run when the dial-up link goes down
# Tell the running fetchmail daemon to exit
fetchmail --quit
# Start a queue runner with the default one-hour interval. Note that the
# five-minute runner started by now-online keeps running until it is killed;
# this line only adds a slower one.
/usr/sbin/sendmail -q1h
Make this file executable using
chmod +x /etc/ppp/now-offline
Open /etc/ppp/ip-down.local and put a reference to this script at the end of the file, just as we called now-online from ip-up.local. Make ip-down.local executable with
chmod +x /etc/ppp/ip-down.local

Connecting to the Internet

Throughout this article, we took into consideration the two ways of connecting the gateway machine to the Internet. One is a dedicated connection, which allows the machine to be on the Internet with a static IP address and the other can be a dial-up or a cable connection which gives the machine a dynamic IP address.
Dynamic IP address (Cable or dial-up ppp)

Dial-up connection

There are a number of tools available for dialing out using a modem and connecting to the Internet. Since we do not have X on the gateway box, we’ll use a tool called wvdial. This is an intelligent PPP dialer, which means that it dials a modem and starts PPP in order to connect to the Internet. It is something like a chat program, except that it uses heuristics to guess how to dial and log into the ISP’s server rather than forcing you to write a login script.
Wvdial needs a configuration file, /etc/wvdial.conf, which contains the number to dial, username, password, and anything else you want to supply to it. It comes with a configuration tool which you can use to generate a basic wvdial.conf file.
Make sure that a modem is connected to a working serial port on the gateway machine and then run the following
wvdialconf /etc/wvdial.conf

This would search for a modem on the serial ports and generate a basic wvdial.conf file, which will look something like
[Dialer Defaults]

Modem = /dev/ttyS0
Baud = 115200
Init1 = ATZ
Init2 = ATQ0 V1 E1 S0=0 &C1 &D2 S11=55 +FCLASS=0
; Phone =
; Username =
; Password =
Uncomment the last three lines and supply the three required things. It should then look like
[Dialer Defaults]
Modem = /dev/ttyS0
Baud = 115200
Init1 = ATZ
Init2 = ATQ0 V1 E1 S0=0 &C1 &D2 S11=55 +FCLASS=0
Phone = 172226
Username = pcqlinux@bgl
Password = testpassword
Change the permissions on the file to 600 so that only root can read the file.
chmod 600 /etc/wvdial.conf
Make sure that the firewall script /etc/rc.d/rc.firewall names the dial-up interface, that is, that it contains the following line.
internet_interface="ppp0"
You can now dial to the Internet by just executing wvdial.

Cable connection

Cable ISPs currently provide connectivity in two ways: using cable modem technology or via coaxial cable using Ethernet. In both cases, the end connectivity is to a RJ45 connector to the first Ethernet adapter on your gateway machine.

IP addresses are dished out by cable ISPs to clients dynamically. You'll need to use the linuxconf program to set the first network adapter (eth0) on your gateway server to obtain an IP address using DHCP.
Start linuxconf and go to Config > Networking > Client tasks > Host name > IP network devices. Then set:
Host name + domain: gateway.pcqlinux.com
Adapter 1:
[X] Enabled
Config Mode: ( ) Manual (o) Dhcp ( ) Bootp
Quit from linuxconf.
Restart the network interface using the command
service network restart
for the changes to take effect. Your cable link should now be functional.

DSL line

The CD has a set of programs to configure a DSL line. There is a command line and a GUI version of this program. We’ll use the command-line script since we don’t have X on the gateway machine.

Execute the command ‘adsl-setup’ to start the configuration of your DSL line. The program asks for a few rudimentary parameters like default login, Ethernet interface (select eth0), and whether you want the line to stay up continuously or would like it to come up on demand. If you choose the latter option, specify the demand value. Also needed is information about your DNS server and your password. Options are available for setting up a firewall from this script, but we recommend against using this option at this moment. Instead, refer to the section above on setting up a firewall for this. You’ll also be asked whether you want to start the connection at boot time, and you can choose what you like.

The script writes the values you have chosen into the file /etc/ppp/pppoe.conf. At the end of the configuration you should have a file that looks something like this.
DEVICE=""
BOOT="no"
ETH="eth0"
USER="test"
PASS="abc"
DEMAND=0
USEPEERDNS=no
DNS1="1.2.3.4"
CONNECT_TIMEOUT="60"
CONNECT_POLL="6"
PING="."
SYNCHRONOUS="no"
CLAMPMSS="1412"
LCP_INTERVAL="20"
LCP_FAILURE="3"
PPPOE_TIMEOUT="80"
FIREWALL=NONE
PPPOE_EXTRA=""
CF_BASE=`basename $CONFIG`
PIDFILE="/var/run/$CF_BASE-adsl.pid"
DEVICE=ppp0
BOOT=no
Execute the command adsl-start to bring up the DSL link. Your DSL link should now be usable.
Static IP on a dedicated connection (no dial-up)

Leased line

A typical leased line will comprise a local loop from the telecom authority running between your premises and that of your ISP. The line will comprise a two-wire or four-wire circuit terminated on a leased-line modem at each end. The leased line is attached to a router to which your LAN is connected. A bunch of IP addresses are assigned to leased line subscribers by their ISPs. (We assume that your leased line is already set up; discussing its setup is outside the scope of this article.)
Use Linuxconf to configure your first Ethernet adapter with one of the addresses assigned to you by your ISP. Enter the ISP’s DNS server’s IP address for DNS lookups. Configure the IP address of the Ethernet interface of the router as gateway.
Quit Linuxconf. Execute ‘service network restart’ to apply the changes made.

Linuxconf will write the changes into two files. The first of these, /etc/sysconfig/network, will look like this.

NETWORKING=yes
HOSTNAME="pcqlinux"
GATEWAY="202.4.186.140"
GATEWAYDEV="eth0"
FORWARD_IPV4="no"
The second, /etc/sysconfig/network-scripts/ifcfg-eth0, will look something like this.
DEVICE="eth0"
BOOTPROTO="none"
ONBOOT="yes"
IPADDR="202.4.186.141"
NETMASK="255.255.255.0"
IPXNETNUM_802_2=""
IPXPRIMARY_802_2="no"
IPXACTIVE_802_2="no"
IPXNETNUM_802_3=""
IPXPRIMARY_802_3="no"
IPXACTIVE_802_3="no"
IPXNETNUM_ETHERII=""
IPXPRIMARY_ETHERII="no"
IPXACTIVE_ETHERII="no"
IPXNETNUM_SNAP=""
IPXPRIMARY_SNAP="no"
IPXACTIVE_SNAP="no"

Your gateway machine should now be able to ping the router's interfaces and access content on the Internet across the leased line. Since linuxconf writes FORWARD_IPV4="no", also confirm after the restart that /proc/sys/net/ipv4/ip_forward still reads 1; if it does not, re-apply the setting from /etc/sysctl.conf with sysctl -p.

That was certainly a long list of changes that we made to the machine to customize it to work for our setup. Take a break, have some coffee and then head on to the next article on configuring your Intranet box.

Vaibhav Sharma is a network consultant and Avinash Shenoy is manager (network operations) with Exocore Consulting.
