steps to configure a centos router

Upload: pedro-alejandro-gutierrez-lopez

Post on 04-Apr-2018


  • 7/29/2019 Steps to Configure a CentOS Router

    1/50

    http://keymoo.info/trading

    1 | P a g e

    Moo Trader IT Infrastructure

    Publish Date: 1 Sep 2012

    This written guide is for videos 3, 4, 5 of my guide for a virtual trading infrastructure. There are five

    videos in the series.

    The playlist is here: http://www.youtube.com/playlist?list=PL0EE3D21CC70F0541


    Part 3

    Video guide available here: http://youtu.be/iBqjabVnfY0

    Steps to configure a CentOS router/firewall

    Install CentOS 6.3 x64

    Download the ISO from http://www.centos.org/ or http://mirror.centos.org/centos/6/isos/x86_64/

    I use CentOS-6.3-x86_64-bin-DVD1.iso; there's a torrent link there also for a faster download.

    Create VM

    Create your VM as shown in the video in Part 3 here: http://youtu.be/iBqjabVnfY0

    Boot VM and install CentOS


    Check the MAC addresses you configured in vSphere Client. In my example The external network is

    Internal network is

    Configure each network card

    Click Edit


    Click Apply


    Now edit the internal interface


    Click Apply


    Click Close, Next.


    Click Write changes to disk


    Click Reboot


    Login, and shut down the machine and take a Snapshot.


    Power on

    Connect via PuTTY (http://www.putty.org/)

    Click Yes


    Check network interfaces are up and running


    Update packages

    yum update

    This will update your packages to the latest version

    Check network settings

    ifconfig

    Make sure that your adapters are set up correctly, note down which is internal, external and

    DMZ/Wireless if you use a third.

    Install download tool

    yum install wget

    Install rpmforge

    Download the files

    wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.i686.rpm

    wget http://apt.sw.be/RPM-GPG-KEY.dag.txt

    Import the key

    rpm --import RPM-GPG-KEY.dag.txt

    Check the package

    rpm -K rpmforge-release-0.5.2-2.el6.rf.i686.rpm

    Install the package

    rpm -ivh rpmforge-release-0.5.2-2.el6.rf.i686.rpm

    Install nano editor

    yum install nano

    Check the package is enabled

    nano /etc/yum.repos.d/rpmforge.repo

    Check it's enabled

    [rpmforge]

    name = RHEL $releasever - RPMforge.net - dag

    baseurl = http://apt.sw.be/redhat/el6/en/$basearch/rpmforge

    mirrorlist = http://apt.sw.be/redhat/el6/en/mirrors-rpmforge

    #mirrorlist = file:///etc/yum.repos.d/mirrors-rpmforge

    enabled = 1

    protect = 0


    gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag

    gpgcheck = 1


    Part 4

    Video guide available here: http://youtu.be/gRIYIDyXQQY

    Configure internal network interface

    nano /etc/sysconfig/network-scripts/ifcfg-eth1

    Edit the file so it looks like this. Your HWADDR and UUID will be different. There may be other minor differences.

    DEVICE="eth1"

    BOOTPROTO="static"

    ONBOOT=yes

    TYPE="Ethernet"

    UUID="2915807d-57a3-4c1b-a67e-96c3d10043f7"

    HWADDR=00:0C:29:5B:2D:17

    IPADDR=10.0.0.9

    DNS1=10.0.0.6

    DNS2=208.67.222.222

    DNS3=208.67.220.220

    IPV4_FAILURE_FATAL=yes

    IPV6INIT=no

    NAME="eth1 internal"

    Install Shorewall

    Take a VMware snapshot

    In case you mess this bit up

    Install pre-requisites

    Shorewall has some dependencies that are not resolved by the rpm package. You will need to install

    bc, perl and the perl-Digest-SHA1 package.

    yum install bc perl perl-Digest-SHA1

    Download the packages

    Refer to http://shorewall.net/download.htm for more info

    wget http://www.invoca.ch/pub/packages/shorewall/RPMS/ils-5/noarch/shorewall-4.5.7.1-1.el5.noarch.rpm

    wget http://www.invoca.ch/pub/packages/shorewall/RPMS/ils-5/noarch/shorewall-core-4.5.7.1-1.el5.noarch.rpm

    Download the key


    wget https://lists.shorewall.net/shorewall.gpg.key

    Install the key

    rpm --import shorewall.gpg.key

    Install the core package

    rpm -ivh shorewall-core-4.5.7.1-1.el5.noarch.rpm

    Install the main package

    rpm -ivh shorewall-4.5.7.1-1.el5.noarch.rpm
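The guide runs rpm -K on the rpmforge package but installs the two Shorewall packages without that check, and rpm -K also ends in "OK" for a package that carries no signature at all. The following is an added example, not part of the original guide, that installs a package only when rpm -K reports a verified signature; the function names are hypothetical and the sample output lines are constructed, with their format assumed to match what rpm prints.

```sh
#!/bin/sh
# Added example: gate `rpm -ivh` on the result of `rpm -K`.
#
# sig_status classifies one line of `rpm -K` output:
#   signed   - digests and a GPG/PGP signature verified
#   unsigned - digests verified, but the package carries no signature
#   bad      - a digest or signature check failed (includes a missing key)
#   unknown  - output not recognised
sig_status() {
    result="${1#*: }"                 # drop the leading "<file>: "
    case "$result" in
        *"NOT OK"*) echo bad ;;
        *OK)
            case " $result " in
                # Older rpm lists each verified item in lower case;
                # newer rpm prints "digests signatures OK" (assumed formats).
                *" gpg "*|*" pgp "*|*" signatures "*) echo signed ;;
                *) echo unsigned ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# install_if_signed FILE.rpm
# Runs the same two commands as the guide, but refuses to install unless the
# signature verified against a key already imported with `rpm --import`.
install_if_signed() {
    pkg="$1"
    status=$(sig_status "$(rpm -K "$pkg" 2>&1 | head -n 1)")
    if [ "$status" = "signed" ]; then
        rpm -ivh "$pkg"
    else
        echo "refusing to install $pkg: signature status is '$status'" >&2
        return 1
    fi
}

# Constructed sample lines (not captured from a real system), one per outcome.
for line in \
    "shorewall-core-4.5.7.1-1.el5.noarch.rpm: (sha1) dsa sha1 md5 gpg OK" \
    "shorewall-core-4.5.7.1-1.el5.noarch.rpm: sha1 md5 OK" \
    "shorewall-core-4.5.7.1-1.el5.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK"
do
    printf '%-8s <- %s\n' "$(sig_status "$line")" "$line"
done
```

On the router itself the call would be `install_if_signed shorewall-core-4.5.7.1-1.el5.noarch.rpm`, run after `rpm --import shorewall.gpg.key`.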

    Check that shorewall is there

    cd /etc/shorewall/

    ls -lha

    Make copies of the config files we're going to change in case we need to revert, and for future reference.

    cp zones zones.orig

    cp shorewall.conf shorewall.conf.orig

    cp rules rules.orig

    cp policy policy.orig

    cp masq masq.orig

    cp interfaces interfaces.orig

    Configure the firewall

    Edit the zones file

    nano zones

    This file may differ from my setup, refer to the documentation

    http://shorewall.net/GettingStarted.html

    You will probably use the two-interface configuration, so I will show you how to set that up.

    http://shorewall.net/two-interface.htm

    Here's my file

    # Shorewall version 4 - Zones File

    #

    # For information about this file, type "man shorewall-zones"

    #

    # The manpage is also online at


    # http://www.shorewall.net/manpages/shorewall-zones.html

    #

    ###############################################################################

    #ZONE   TYPE        OPTIONS     IN          OUT
    #                               OPTIONS     OPTIONS
    fw      firewall
    net     ipv4
    loc     ipv4

    nano interfaces

    Add the following lines

    net eth0 dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0

    loc eth1 tcpflags,nosmurfs,routefilter,logmartians

    Configure policy

    nano policy

    Add these lines

    loc net ACCEPT

    net all DROP info

    loc $FW ACCEPT

    $FW all ACCEPT

    # THE FOLLOWING POLICY MUST BE LAST

    all all REJECT info
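Shorewall reads the policy file top to bottom and applies the first entry whose source and destination match, which is why the catch-all has to come last. The following added example (not part of the original guide) evaluates the policy entries above the same way and lists entries that an earlier line makes unreachable. It assumes the firewall zone is named fw as in the zones file, models only the policy file (the rules file is consulted first and is out of scope), and uses a hypothetical dmz zone and a constructed misordered file for contrast.

```sh
#!/bin/sh
# Added example: first-match evaluation of /etc/shorewall/policy.

# The policy entries from the guide, embedded so the example runs offline.
GUIDE_POLICY='loc net ACCEPT
net all DROP info
loc $FW ACCEPT
$FW all ACCEPT
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info'

# Constructed bad ordering: the catch-all has been moved to the top.
MISORDERED_POLICY='all all REJECT info
loc net ACCEPT
net all DROP info'

# policy_for SRC DST [POLICY_TEXT]
# Prints the policy of the first entry matching SRC -> DST, or NONE.
policy_for() {
    printf '%s\n' "${3:-$GUIDE_POLICY}" | awk -v s="$1" -v d="$2" '
        /^[ \t]*#/ || NF < 3 { next }          # skip comments and blank lines
        {
            src = ($1 == "$FW") ? "fw" : $1    # $FW names the firewall zone
            dst = ($2 == "$FW") ? "fw" : $2
            if ((src == s || src == "all") && (dst == d || dst == "all")) {
                print $3; found = 1; exit
            }
        }
        END { if (!found) print "NONE" }'
}

# shadowed_entries [POLICY_TEXT]
# Prints "SRC DST" for every entry that can never be reached because an
# earlier entry already matches every pair it covers.
shadowed_entries() {
    printf '%s\n' "${1:-$GUIDE_POLICY}" | awk '
        /^[ \t]*#/ || NF < 3 { next }
        {
            for (i = 1; i <= n; i++)
                if ((S[i] == $1 || S[i] == "all") && (D[i] == $2 || D[i] == "all")) {
                    print $1, $2
                    break
                }
            n++; S[n] = $1; D[n] = $2
        }'
}

# Walk the zone pairs of the two-interface setup plus the hypothetical dmz.
for pair in "loc net" "net fw" "net loc" "loc fw" "fw net" "dmz net"; do
    set -- $pair
    printf '%-4s -> %-4s %s\n' "$1" "$2" "$(policy_for "$1" "$2")"
done

echo "Unreachable entries when the catch-all comes first:"
shadowed_entries "$MISORDERED_POLICY"
```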

    Configure masquerading

    nano masq

    Add

    eth0 10.0.0.0/8

    Edit shorewall.conf so that the firewall is enabled at startup

    nano shorewall.conf

    Change

    STARTUP_ENABLED=No


    To

    STARTUP_ENABLED=Yes

    For any other setups, look at the docs; they're pretty good. Configure your files as shown in the guide on that two-interface page.

    Check your firewall config

    shorewall check

    You should get something like this, with no errors:

    Checking...

    Processing /etc/shorewall/params ...

    Processing /etc/shorewall/shorewall.conf...

    Loading Modules...

    Checking /etc/shorewall/zones...

    Checking /etc/shorewall/interfaces...

    Determining Hosts in Zones...

    Locating Action Files...

    Checking /usr/share/shorewall/action.Drop for chain Drop...

    Checking /usr/share/shorewall/action.Broadcast for chain Broadcast...

    Checking /usr/share/shorewall/action.Invalid for chain Invalid...

    Checking /usr/share/shorewall/action.NotSyn for chain NotSyn...

    Checking /usr/share/shorewall/action.Reject for chain Reject...

    Checking /etc/shorewall/policy...

    Running /etc/shorewall/initdone...

    Adding Anti-smurf Rules

    Adding rules for DHCP

    Checking TCP Flags filtering...

    Checking Kernel Route Filtering...

    Checking Martian Logging...

    Checking Accept Source Routing...

    Checking /etc/shorewall/tcrules...

    Checking MAC Filtration -- Phase 1...

    Checking /etc/shorewall/rules...

    Checking /etc/shorewall/conntrack...

    Checking MAC Filtration -- Phase 2...


    Applying Policies...

    Shorewall configuration verified

    Start your firewall for the first time

    shorewall start

    You should get this:

    Compiling...

    Processing /etc/shorewall/params ...

    Processing /etc/shorewall/shorewall.conf...

    Loading Modules...

    Compiling /etc/shorewall/zones...

    Compiling /etc/shorewall/interfaces...

    Determining Hosts in Zones...

    Locating Action Files...

    Compiling /usr/share/shorewall/action.Drop for chain Drop...

    Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...

    Compiling /usr/share/shorewall/action.Invalid for chain Invalid...

    Compiling /usr/share/shorewall/action.NotSyn for chain NotSyn...

    Compiling /usr/share/shorewall/action.Reject for chain Reject...

    Compiling /etc/shorewall/policy...

    Running /etc/shorewall/initdone...

    Adding Anti-smurf Rules

    Adding rules for DHCP

    Compiling TCP Flags filtering...

    Compiling Kernel Route Filtering...

    Compiling Martian Logging...

    Compiling Accept Source Routing...

    Compiling /etc/shorewall/tcrules...

    Compiling MAC Filtration -- Phase 1...

    Compiling /etc/shorewall/rules...

    Compiling /etc/shorewall/conntrack...

    Compiling MAC Filtration -- Phase 2...

    Applying Policies...

    Generating Rule Matrix...


    Creating iptables-restore input...

    Shorewall configuration compiled to /var/lib/shorewall/.start

    Starting Shorewall....

    Initializing...

    Processing /etc/shorewall/init ...

    Processing /etc/shorewall/tcclear ...

    Setting up Route Filtering...

    Setting up Martian Logging...

    Setting up Accept Source Routing...

    Setting up Proxy ARP...

    Preparing iptables-restore input...

    Running /sbin/iptables-restore...

    IPv4 Forwarding Enabled

    Processing /etc/shorewall/start ...

    Processing /etc/shorewall/started ...

    done.

    Test your connection at this stage and configure one of your machines to use your new firewall as

    the gateway. It should work.

    Troubleshooting

    If it doesn't, then the problem is likely in either ifcfg-eth0 or ifcfg-eth1, or you have muddled up your internal and external interfaces. Check your /etc/shorewall/interfaces file. Check that the output of ifconfig matches the network interfaces you have set up in VMware vSphere client.

    Take a snapshot

    We will take a snapshot now before moving on to the caching proxy server installation.

    Proxy server installation

    yum install squid

    Done!

    Backup config file

    cp /etc/squid/squid.conf /etc/squid/squid.conf.orig

    Configure firewall to redirect local traffic to the proxy

    nano /etc/shorewall/rules

    The proxy server listens on port 3128 by default. Add these lines to the /etc/shorewall/rules file


    ACCEPT $FW net tcp www

    REDIRECT loc 3128 tcp www

    Configure squid

    nano /etc/squid/squid.conf

    Change line

    http_port 3128

    to

    http_port 3128 intercept

    Depending on what your local network range is, you will need to comment out some possible

    internal networks in squid.conf. Mine looks like this:

    # Example rule allowing access from your local networks.

    # Adapt to list your (internal) IP networks from where browsing

    # should be allowed

    acl localnet src 10.0.0.0/8 # RFC1918 possible internal network

    #acl localnet src 172.16.0.0/12 # RFC1918 possible internal network

    #acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

    #acl localnet src fc00::/7 # RFC 4193 local private network range

    #acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

    Restart shorewall and start squid

    shorewall restart

    service squid start

    Test

    In your test machine, make sure you can still access the internet when it is pointed to this firewall as

    the gateway. All should be well. Squid can be configured in a variety of ways depending on your

    setup. I recommend you read the documentation. The default config options may not be optimal.

    You may want to change or add the following options:

    cache_mem

    maximum_object_size_in_memory

    maximum_object_size

    And others.

    Enable autostart of shorewall and squid

    To see what services begin at startup, type


    chkconfig

    It will look like this:

    auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off

    crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off

    ip6tables 0:off 1:off 2:on 3:on 4:on 5:on 6:off

    iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off

    lvm2-monitor 0:off 1:on 2:on 3:on 4:on 5:on 6:off

    netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off

    netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off

    network 0:off 1:off 2:on 3:on 4:on 5:on 6:off

    postfix 0:off 1:off 2:on 3:on 4:on 5:on 6:off

    rdisc 0:off 1:off 2:off 3:off 4:off 5:off 6:off

    restorecond 0:off 1:off 2:off 3:off 4:off 5:off 6:off

    rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off

    saslauthd 0:off 1:off 2:off 3:off 4:off 5:off 6:off

    shorewall 0:off 1:off 2:on 3:on 4:on 5:on 6:off

    squid 0:off 1:off 2:off 3:off 4:off 5:off 6:off

    sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off

    udev-post 0:off 1:on 2:on 3:on 4:on 5:on 6:off

    Shorewall should already be configured, but squid won't be.

    chkconfig squid on

    Squid will now start on boot.

    Take a snapshot

    We will take a snapshot now before moving on to the content filter installation. If you don't want a content filter, then you can skip this step. If you have kids on your network, you might want to install and configure this, or use OpenDNS.org as a content filter. I use both.

    Install content filter

    This step can be skipped if you don't want a content filter.

    yum install dansguardian

    Reconfigure firewall

    You will need to point your firewall to dansguardian now instead of squid. The flow is

    internet->firewall->dansguardian->squid->client


    dansguardian listens on port 8080, so we need to change the firewall.

    nano /etc/shorewall/rules

    Change

    REDIRECT loc 3128 tcp www

    To

    REDIRECT loc 8080 tcp www

    Configure dansguardian

    Dansguardian comes with a lot of config files and blacklist files. I'm not going into it in depth here; there's plenty of info on the internet about it. Dansguardian should work with the default config, but it is set up for a primary school and will be over-eager in blocking. Change the naughtiness level from 50 to a higher number. I use 150. Before we do that, let's copy our original files.

    cp /etc/dansguardian/dansguardian.conf /etc/dansguardian/dansguardian.conf.orig

    cp /etc/dansguardian/dansguardianf1.conf /etc/dansguardian/dansguardianf1.conf.orig

    Dansguardian allows you to have different settings in the dansguardianf1, dansguardianf2 files, etc. I only use one, so let's edit dansguardianf1.conf

    nano /etc/dansguardian/dansguardianf1.conf

    Change the line

    naughtynesslimit = 50

    To

    naughtynesslimit = 150

    Yes, the dansguardian developers can't spell. Start dansguardian

    service dansguardian start

    Test your connection. Try a dodgy site, it should be blocked. There are various exception files which

    you can configure, have a look through and read the docs if you want to tune it to your needs.

    Finally,

    chkconfig dansguardian on

    Take a snapshot

    We will take a snapshot now before moving on to the DNS/DHCP installation.


    DNS/DHCP Server config

    You can use industry standard software for this, but they are quite large and tricky to set up. The main ones are BIND9 and ISC DHCP. I use dnsmasq instead as it is easier for me to set up. You can use the heavier weight ones if you like, but you don't need to for home/SOHO use.

    yum install dnsmasq

    IMPORTANT: Before starting this, make sure any other DHCP and DNS servers are stopped on your network. Competing DHCP servers on a network don't work very well.

    DHCP

    DHCP is configured using the dnsmasq.conf file. If you want to use DHCP reservations then use the

    /etc/ethers file. This will give out the same IP address every time for the MAC address specified. For

    info on configuring dnsmasq, go to http://www.thekelleys.org.uk/dnsmasq/doc.html

    My config file looks like this:

    # these options were copied from ClearOS config

    bogus-priv

    cache-size=5000

    conf-dir=/etc/dnsmasq.d

    dhcp-authoritative

    dhcp-lease-max=1000

    domain-needed

    domain=localdomain

    expand-hosts

    no-negcache

    strict-order

    user=nobody

    # For debugging purposes, log each DNS query as it passes through.

    log-queries

    # Log lots of extra information about DHCP transactions.

    log-dhcp

    DHCP options are in /etc/dnsmasq.d/dhcp.conf. My file looks like this:

    dhcp-option=eth1,1,255.255.255.0

    dhcp-option=eth1,3,10.0.0.9

    dhcp-option=eth1,6,10.0.0.9,208.67.222.222,208.67.220.220


    dhcp-option=eth1,15,localdomain

    dhcp-option=eth1,28,10.0.0.255

    dhcp-range=eth1,10.0.0.100,10.0.0.254,12h

    read-ethers

    This file doesn't exist by default; you will need to create it.

    option 1 is the netmask to give out

    option 3 is the default gateway; set this to 10.0.0.9

    option 6 is the list of DNS servers to give out

    option 15 is the domain suffix

    option 28 is the broadcast address

    dhcp-range is the range of IP addresses from which dynamic IPs will be given out

    read-ethers tells dnsmasq to read the /etc/ethers file

    My /etc/ethers file looks like this

    # see man ethers for syntax

    00:1b:2f:d5:f6:78 10.0.0.2

    00:0c:29:cd:6f:18 10.0.0.6

    Etc for each MAC address on your network. I have about 25 lines in here.

    DNS setup

    The DNS is read from the /etc/hosts file. Make sure this is set up how you want. Mine looks like this:

    127.0.0.1 localhost.localdomain localhost

    10.0.0.6 carbon.localdomain carbon

    10.0.0.1 hydrogen.localdomain hydrogen

    10.0.0.2 helium.localdomain helium

    10.0.0.3 lithium.localdomain lithium

    10.0.0.4 beryllium.localdomain

    10.0.0.5 boron.localdomain boron

    10.0.0.7 nitrogen.localdomain nitrogen

    10.0.0.8 oxygen.localdomain oxygen

    10.0.0.9 flourine.localdomain flourine

    10.0.0.10 neon.localdomain neon

    10.0.0.12 magnesium.localdomain magnesium


    Finally,

    chkconfig dnsmasq on

    Shut down your server and take another snapshot. Boot it up and test it with a client using DHCP. It

    should all work.


    Part 5

    Video guide available here: http://youtu.be/4EFnSJS5FWQ

    NTP

    Install the service

    yum install ntp

    Backup the config file

    cp /etc/ntp.conf /etc/ntp.conf.orig

    At the top of the file add

    tinker panic 0

    In the server section you can add your preferred NTP servers near your location. Start the service,

    service ntpd start

    Start at boot

    chkconfig ntpd on

    Webmin

    Documentation here: http://www.webmin.com/rpm.html

    Add the webmin repo

    nano /etc/yum.repos.d/webmin.repo

    And add these lines

    [Webmin]

    name=Webmin Distribution Neutral

    #baseurl=http://download.webmin.com/download/yum

    mirrorlist=http://download.webmin.com/download/yum/mirrorlist

    enabled=1

    Download the key

    wget http://www.webmin.com/jcameron-key.asc

    Import the key

    rpm --import jcameron-key.asc

    Update the repos

    yum update

    Install the software


    yum install webmin

    When it's installed you should be able to access it like so

    http://flourine.localdomain:10000/

    You will get a screen similar to this in your browser
