Linux How To/Tutorial

Squid Transparent Proxy Configuration

2008-03-27T01:04:00.000-07:00

Squid Transparent Proxy Configuration

1. Your first step will be to modify your squid.conf to create a transparent proxy.

Prior to version 2.6: In older versions of Squid, transparent proxy was achieved through the use of the httpd_accel options which were originally developed for http acceleration. In these cases, the configuration syntax would be as follows:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Version 2.6 and Beyond: Newer versions of Squid simply require you to add the word "transparent" to the default "http_port 3128" statement. In this example, Squid not only listens on TCP port 3128 for proxy connections, but will also do so in transparent mode.

http_port 3128 transparent

2. Edit the iptables to deal with the connection
# Firewall created by jepoy
*nat
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j SNAT --to 203.189.11.73
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT

# Generated by iptables-save v1.3.0 on Tue Oct 11 20:53:45 2005
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -d 0/0 -m state --state NEW -p tcp -m multiport --dport smtp,pop3,imap,6301,443,5100,
13,554,1101,8080,5900,5901,5902 -o eth0 -i eth1 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -d 0/0 -m state --state NEW -p icmp -o eth0 -i eth1 -j ACCEPT

-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT

Squid with Password Authentication

2008-03-27T01:01:00.000-07:00

Password Authentication Using NCSA

You can configure Squid to prompt users for a username and password.
Squid comes with a program called ncsa_auth that reads any NCSA-compliant encrypted password file.
You can use the htpasswd program that comes installed with Apache to create your passwords.

1) Create the password file. The name of the password file should be /etc/squid/squid_passwd

[root@jepoy tmp]# touch /etc/squid/squid_passwd
[root@jepoytmp]# chmod o+r /etc/squid/squid_passwd

2) Use the htpasswd program to add users to the password file.
You can add users at anytime without having to restart Squid. In this case, you add a username called www:

[root@jepoy tmp]# htpasswd /etc/squid/squid_passwd www
New password:
Re-type new password:
Adding password for user www
[root@jepoy tmp]#

3) Find your ncsa_auth file using the locate command.

[root@jepoy tmp]# locate ncsa_auth
/usr/lib/squid/ncsa_auth
[root@jepoy tmp]#

4) Edit squid.conf; here's an example:

#
# Add this to the auth_param section of squid.conf
#
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd

#
# Add this to the bottom of the ACL section of squid.conf
#
acl ncsa_users proxy_auth REQUIRED

#
# Add this at the top of the http_access section of squid.conf
#
http_access allow ncsa_users

5) This requires password authentication and allows access only during business hours. Once again, the order of the statements is important:

#
# Add this to the auth_param section of squid.conf
#
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd

#
# Add this to the bottom of the ACL section of squid.conf
#
acl ncsa_users proxy_auth REQUIRED
acl business_hours time M T W H F 9:00-17:00

#
# Add this at the top of the http_access section of squid.conf
#
http_access allow ncsa_users business_hours

6. Remember to restart Squid for the changes to take effect.
service squid restart

Squid - Restricting Access to specific Web sites

2008-03-27T00:51:00.000-07:00

Restricting Access to specific Web sites

Squid is also capable of reading files containing lists of web sites and/or domains for use in ACLs.

Create a file under /etc/squid: /usr/local/etc/allowed-sites.squid
http://howtonixnux.blogspot.com
http://jeffersonbriones.blogspot.com

Create a file under /etc/squid: /usr/local/etc/restricted-sites.squid
www.porn.com
illegal.com
www.xxx.com

These can then be used to always block the restricted sites and permit the allowed sites during working hours.
This can be illustrated by expanding our previous example slightly.

#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.0.0/24
acl business_hours time M T W H F 9:00-17:00
acl GoodSites dstdomain "/etc/squid/allowed-sites.squid"
acl BadSites dstdomain "/etc/squid/restricted-sites.squid"

#
# Add this at the top of the http_access section of squid.conf
#
http_access deny BadSites
http_access allow home_network business_hours GoodSites

Squid ACL

2008-03-27T00:40:00.000-07:00

Squid ACL

ACLs have many options to restrict access based on source ip address, destination ip address, source domain, and destination domain. This is done by:

 acl src w.x.y.z/a.b.c.d   # ACL based on source ip address
acl dst w.x.y.z/a.b.c.d   # ACL based on destination ip address
acl srcdomain foo.com   # ACL based on source domain
acl dstdomain foo.com   # ACL based on destination domain

To use this to restrict access to your Squid proxy to only those hosts you wish - ie, local hosts, use the following directive format:

 acl localnet src 192.168.0.0/255.255.255.0
http_access allow localnet
http_access deny all

Restricting Web Access By IP Address

You can create an access control list that restricts Web access to users on certain networks. In this case, it's an ACL that defines a home network of 192.168.1.0.

#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.0.0/255.255.255.0

You also have to add a corresponding http_access statement that allows traffic that matches the ACL:

#
# Add this at the top of the http_access section of squid.conf
#
http_access allow home_network

To restrict access to the Squid proxy via the time, use the format:

acl aclname time [day-abbrevs] [h1:m1-h2:m2] day-abbrevs: S - Sunday M - Monday T - Tuesday W - Wednesday H - Thursday F - Friday A - Saturday

Example 1: Allow only business hour access from the home network, while always restricting access to host 192.168.1.20.
#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.0.0/24
acl business_hours time M T W H F 9:00-17:00
acl resticthost src 192.168.0.20

#
# Add this at the top of the http_access section of squid.conf
#
http_access deny restricthost
http_access allow home_network business_hours


Example 2: Allow morning only.
#
# Add this to the bottom of the ACL section of squid.conf
#
acl mornings time 08:00-12:00

#
# Add this at the top of the http_access section of squid.conf
#
http_access allow mornings

IPTABLES using multiport

2008-03-27T00:34:00.000-07:00

Specifying Multiple Ports with `multiport`

The multiport module allows one to specify a number of different ports in one rule. This allows for fewer rules and easier maintenance of iptables configuration files. For example, if we wanted to allow global access to the SMTP, HTTP, HTTPS and SSH ports on our server we would normally use something like the following:

-A INPUT -i eth0 -p tcp -m state --state NEW --dport ssh   -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport smtp  -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport http  -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport https -j ACCEPT

Example1:

-A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports ssh,smtp,http,https -j ACCEPT

Example2:

-A FORWARD -s 192.168.0.0/24 -d 0/0 -m state --state NEW -p tcp -m multiport --dport smtp,pop3,imap,6301,443,5100,13,554,1101,8080,5900,5901,5902 -o eth0 -i eth1 -j ACCEPT

It must be used in conjunction with either -p tcp or -p udp and only up to 15 ports may be specified. The supported options are:

--sports port[,port,port...]
matches source port(s)
--dports port[,port,port...]
matches destination port(s)
--ports port[,port,port...]
matches both source and destination port(s)

mport^* is another similar extension that also allows you to specify port ranges, e.g. --dport 22,80,110,25, 6000:6010.

IPTABLES Scenario 2.1 - Transparent Proxy

2008-03-26T23:08:00.000-07:00

Example2

In this example, we will share the internet with allowed ports on the LAN side. With the use of transparent proxy, port 80 is redirected to port 3128

#NAT Table

*nat

:OUTPUT ACCEPT [0:0]

:POSTROUTING ACCEPT [0:0]

:PREROUTING ACCEPT [0:0]

-A POSTROUTING -o eth0 -j SNAT --to 203.189.11.73

-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

COMMIT

# Completed on Tue Oct 11 20:53:45 2005

# Generated by iptables-save v1.3.0 on Tue Oct 11 20:53:45 2005

*filter

:FORWARD DROP [0:0]

:INPUT DROP [0:0]

:OUTPUT ACCEPT [0:0]

-A FORWARD -m state --state INVALID -j DROP

-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

-A FORWARD -s 192.168.0.0/24 -d 0/0 -m state --state NEW -p tcp -m multiport --dport smtp,pop3,imap,6301,443,5100,13,554,1101,8080,5

900,5901,5902 -o eth0 -i eth1 -j ACCEPT

-A FORWARD -s 192.168.0.0/24 -d 0/0 -m state --state NEW -p icmp -o eth0 -i eth1 -j ACCEPT

-A INPUT -i lo -j ACCEPT

-A INPUT -m state --state INVALID -j DROP

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# SSS Access from outside

-A INPUT -s 203.189.xxx.5 -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

# Application Access from LAN

-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT

-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p tcp -m state --state NEW -m tcp --dport 1101 -j ACCEPT

-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p tcp -m state --state NEW -m tcp --dport 631 -j ACCEPT

-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p tcp -m state --state NEW -m tcp --dport 554 -j ACCEPT

-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT

-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT

-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT

-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT

-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT

-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT

-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p icmp -m state --state NEW -m icmp -j ACCEPT

-A OUTPUT -o lo -j ACCEPT

-A OUTPUT -m state --state INVALID -j DROP

-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Logging

-A INPUT -j LOG

-A OUTPUT -j LOG

-A FORWARD -j LOG

COMMIT

# Completed on Tue Oct 11 20:53:45 2005

IPTABLES Scenario 2 - Internet Sharing

2008-03-26T23:00:00.000-07:00

Scenario 2: Internet Sharing

Example1

In this example, we will configure the machine to share internet connection.

eth0 – public connection with ip address 10.20.30.4

eth1 – LAN with network address 192.168.0.0/24

/etc/sysconfig/iptables

# NAT Table for ICS

*nat

# set up IP forwarding and nat

-A POSTROUTING -o eth0 -j SNAT --to 10.20.30.4

COMMIT

#Filter Table

*filter

:INPUT DROP [0:0]

:FORWARD DROP [0:0]

:OUTPUT DROP [0:0]

# allow local loopback connections

-A INPUT -i lo -j ACCEPT

# drop INVALID connections

-A INPUT -m state --state INVALID -j DROP

-A OUTPUT -m state --state INVALID -j DROP

-A FORWARD -m state --state INVALID -j DROP

# allow all established and related

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow connections to my ISP's DNS servers

-A OUTPUT -d 10.10.10.10 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT

-A OUTPUT -d 10.10.10.11 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT

-A FORWARD -d 10.10.10.10 -m state --state NEW -p udp --dport 53 -i eth1 -o eth0 -j ACCEPT

-A FORWARD -d 10.10.10.11 -m state --state NEW -p udp --dport 53 -i eth1 -o eth0 -j ACCEPT

# allow outgoing connections to web servers

-A OUTPUT -d 0/0 -m state --state NEW -p tcp -m multiport --dport http,https -o eth0 -j ACCEPT

-A FORWARD -d 0/0 -m state --state NEW -p tcp -m multiport --dport http,https -o eth0 -i eth1 -j ACCEPT

# allow outgoing mail connections to my ISP's SMTP and POP3 server only

-A OUTPUT -d mail.my-isp.com -m state --state NEW -p tcp -m multiport --dport smtp,pop3 -o eth0 -j ACCEPT

-A FORWARD -d mail.my-isp.com -m state --state NEW -p tcp -m multiport --dport smtp,pop3 -o eth0 -j ACCEPT

# log all other attempted out going connections

-A OUTPUT -o eth0 -j LOG

-A FORWARD -j LOG

# default is to DROP out-going connections

COMMIT

Notes:

$ echo 1 > /proc/sys/net/ipv4/ip_forward
You can place this line in the iptables startup scripts (usually /etc/rc.d/init.d/iptables) or, preferably, in the /etc/rc.d/rc.local script which is the last script executed during startup.

What if you are using a dynamic IP? Simply change line 43 to:
-A POSTROUTING -o eth0 -j MASQUERADE

IPTABLES Scenario 1.1

2008-03-26T22:18:00.000-07:00

Here is another example configuration. This is a mail server with allowed services.
Services: remote ssh 22, smtp 25 and pop3 110, http 80, dns 53 and icmp.

/etc/sysconfig/iptables

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# allow local loopback connections
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# drop INVALID connections
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP

# allow all established and related
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#SSH Port (22)
-A INPUT -s 203.189.xxx.15 -m state --state NEW -p tcp --dport 22 -i eth1 -j ACCEPT
-A INPUT -s 203.189.xxx.5 -m state --state NEW -p tcp --dport 22 -i eth1 -j ACCEPT

#Mail Ports 110 and 25
-A INPUT -s 0/0 -m state --state NEW -p tcp --dport 110 -i eth1 -j ACCEPT
-A INPUT -s 0/0 -m state --state NEW -p tcp --dport 25 -i eth1 -j ACCEPT

#Browsing,DNS for RBL and ClamAV Update
-A INPUT -s 0/0 -m state --state NEW -p tcp --dport 80 -i eth1 -j ACCEPT
-A INPUT -s 0/0 -m state --state NEW -p udp --dport 53 -i eth1 -j ACCEPT

#ICMP
-A INPUT -s 203.189.xxx.15 -m state --state NEW -p icmp -i eth1 -j ACCEPT
-A INPUT -s 203.189.xxx.5 -m state --state NEW -p icmp -i eth1 -j ACCEPT

# log all other attempted out going connections
#-A INPUT -i eth0 -j LOG
#-A OUTPUT -o eth0 -j LOG
# default is to DROP all incoming and outgoing connections
COMMIT

IPTABLES Scenario 1

2008-03-26T20:36:00.001-07:00

Scenario 1: Standard Machine

A good practice in firewall is to allow the needed ports/connections then drop all. In that order you can monitor the OPEN ports/connections.

/etc/sysconfig/firewall

*filter

:INPUT DROP [0:0]

:FORWARD DROP [0:0]

:OUTPUT DROP [0:0]

# Loopback connections

-A INPUT -i lo -j ACCEPT

# Drop ALL INVALID Connections

-A INPUT -m state --state INVALID -j DROP

-A OUTPUT -m state --state INVALID -j DROP

-A FORWARD -m state --state INVALID -j DROP

# Allow all established and related connections

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# OUTPUT CHAIN HERE

# allow connections to my ISP's DNS servers

# Primary DNS 10.9.8.7, Secondary DNS 10.9.8.6

# DNS port is 53

-A OUTPUT -d 10.9.8.7 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT

-A OUTPUT -d 10.9.8.6 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT

# allow outgoing connections to web servers

# Destination is ANY

# http is port 80, https is port 443

-A OUTPUT -d 0/0 -m state --state NEW -p tcp --dport http -o eth0 -j ACCEPT

-A OUTPUT –d 0/0-m state --state NEW -p tcp --dport https -o eth0 -j ACCEPT

# allow outgoing mail connections to my ISP's SMTP and POP3 server only

# Mail Server is 10.10.10.40

-A OUTPUT -d 10.10.10.40 -m state --state NEW -p tcp --dport smtp -o eth0 -j ACCEPT

-A OUTPUT -d 10.10.10.40 -m state --state NEW -p tcp --dport pop3 -o eth0 -j ACCEPT

# log all other attempted out going connections

-A OUTPUT -o eth0 -j LOG

# default is to DROP out-going connections

COMMIT

Starting with IPTABLES

2008-03-26T20:34:00.000-07:00

Linux Firewall using IPTABLES

What is IPTABLES?

· Iptables is a generic table structure for the definition of rulesets

· iptables is Linux's firewall which has been a part of the kernel since version 2.4

What can I do with netfilter/iptables?

· build internet firewalls based on stateless and stateful packet filtering

· use NAT and masquerading for sharing internet access if you don't have enough public IP addresses

· use NAT to implement transparent proxies

The Rules of the Game…

· iptables makes decisions on what to do with a packet based on rules

· A rule specifies the criteria necessary for a packet to match it

· A decision is known as a target and it can be a user-defined chain (not covered in this article) or one of the following:

Things to remember… DECISION

ACCEPT Allow the packet through the firewall.

DROP Drops the packet; the packet is not allowed through the firewall

TABLES

There are three default tables which the packets may traverse; we are only concerned with one of these right now: the filter table. This is the default table and contains three chains: the filter table

(filter table)

OUTPUT                          For packets generated by and leaving your machine

INPUT                              Any packets coming into your mahine

FORWARD                     For packets being routed through your machine

The two other tables available by default are the nat table and the mangle table. This will be discussed on advance topic.

STATES

This means that we can create rules not only based on IPs and ports but also on whether a packet exists in any of the following states:

NEW The packet is trying to start a new connection.

ESTABLISHED A connection that has seen packets travel in both directions

RELATED A packet that is starting a new connection but is related to an

existing connection

INVALID This packet is associated with no known connection. These packets

should be dropped.

Creating and Saving the RULES

Rules can be appended to the chains directly by using the iptables command.

Example: To add a new rule to allow new connections to a web server running on your computer from anywhere we would execute the following:

$ iptables -A INPUT -s 0/0 -d 10.10.10.10 -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT

where:

-s (or --src or --source) and -d (or --dst or --destination)

0/0 is shorthand for 0.0.0.0/0.0.0.0 meaning that the source can be ANY IP address.

10.10.10.10 is the IP Address our your machine or the destination address

-m state --state NEW

matches only packets that have a status of NEW. This can be anyone

of or a comma separated list of the four possible states.

-p tcp

apply this rule to packets using the TCP protocol only. This can be

anyone of tcp, udp, icmp or all (default). The exclamation mark can

be used to invert the match.

--dport 80 (or --destination-port)

matches a packet trying to connect to port 80. The exclamation mark

can be used to invert this match also. A range of ports can be

given in the format begin:end.

-i eth0 (or --in-interface eth0)

name of an interface via which a packet is going to be received.

Possible interfaces on your computer can be found using the command

'ifconfig'. In this example your computer is connected to

the Internet through the first (or only) ethernet card.

-j ACCEPT

the target. In this case, if the incoming packet is creating a new

TCP connection from anywhere to port 80 on your computer through

the first ethernet card, we will allow it through.

Breaking the Manual Creation

File: /etc/sysconfig/iptables

The essential elements of an iptables file

1 # Firewall configuration

2 *filter

3 :INPUT [0:0]

4 :FORWARD [0:0]

5 :OUTPUT [0:0]

6 # your rules here

7 COMMIT

Line 1 Comment

Line 2 this file tells iptables that the following rules apply to the filter table.

Line 3, 4, 5 define the default targets for the three chains. We place our rules after these and before COMMIT

Line 6 comment about your rules

Line 7 Commit, end of the file

Each packet traverses the rules of the appropriate chain from the first to the last. If a packet matches a rule then it stops

traversing the chain at that rule and its fate is decided by that rule's target. If the packet does not match any rule then its

fate is the default target of its chain.

Skeleton …

Using this skeleton, you can easily create your rules and adjust as you need it.

# Start of the file

*filter

:INPUT DROP [0:0]

:FORWARD DROP [0:0]

:OUTPUT ACCEPT [0:0]

# allow local loopback connections

-A INPUT -i lo -j ACCEPT

# drop INVALID connections

-A INPUT -m state --state INVALID -j DROP

-A OUTPUT -m state --state INVALID -j DROP

-A FORWARD -m state --state INVALID -j DROP

# allow all established and related

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# add your rules here before the COMMIT

COMMIT

Scenario 1: Standard Machine

A good practice in firewall is to allow the needed ports/connections then drop all. In that order you can monitor the OPEN ports/connections.

/etc/sysconfig/firewall

*filter

:INPUT DROP [0:0]

:FORWARD DROP [0:0]

:OUTPUT DROP [0:0]

# Loopback connections

-A INPUT -i lo -j ACCEPT

# Drop ALL INVALID Connections

-A INPUT -m state --state INVALID -j DROP

-A OUTPUT -m state --state INVALID -j DROP

-A FORWARD -m state --state INVALID -j DROP

# Allow all established and related connections

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# OUTPUT CHAIN HERE

# allow connections to my ISP's DNS servers

# Primary DNS 10.9.8.7, Secondary DNS 10.9.8.6

# DNS port is 53

-A OUTPUT -d 10.9.8.7 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT

-A OUTPUT -d 10.9.8.6 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT

# allow outgoing connections to web servers

# Destination is ANY

# http is port 80, https is port 443

-A OUTPUT -d 0/0 -m state --state NEW -p tcp --dport http -o eth0 -j ACCEPT

-A OUTPUT –d 0/0-m state --state NEW -p tcp --dport https -o eth0 -j ACCEPT

# allow outgoing mail connections to my ISP's SMTP and POP3 server only

# Mail Server is 10.10.10.40

-A OUTPUT -d 10.10.10.40 -m state --state NEW -p tcp --dport smtp -o eth0 -j ACCEPT

-A OUTPUT -d 10.10.10.40 -m state --state NEW -p tcp --dport pop3 -o eth0 -j ACCEPT

# log all other attempted out going connections

-A OUTPUT -o eth0 -j LOG

# default is to DROP out-going connections

COMMIT

How To: MYSQL Server

2008-03-23T19:49:00.000-07:00

MYSQL Installation

1. Installation

[root@proxy conf]# yum install mysql mysql-devel mysql-server

Setting up Install Process

Setting up repositories

Reading repository metadata in from local files

Parsing package install arguments

Resolving Dependencies

--> Populating transaction set with selected packages. Please wait.

---> Downloading header for mysql-devel to pack into transaction set.

mysql-devel-4.1.20-3.RHEL 100% |=========================| 25 kB 00:00

---> Package mysql-devel.i386 0:4.1.20-3.RHEL4.1.el4_6.1 set to be updated

---> Package mysql-server.i386 0:4.1.20-3.RHEL4.1.el4_6.1 set to be updated

---> Package mysql.i386 0:4.1.20-3.RHEL4.1.el4_6.1 set to be updated

--> Running transaction check

--> Processing Dependency: openssl-devel for package: mysql-devel

--> Processing Dependency: perl-DBD-MySQL for package: mysql-server

--> Restarting Dependency Resolution with new changes.

--> Populating transaction set with selected packages. Please wait.

---> Downloading header for openssl-devel to pack into transaction set.

openssl-devel-0.9.7a-43.1 100% |=========================| 126 kB 00:06

---> Package openssl-devel.i586 0:0.9.7a-43.17.el4_6.1 set to be updated

---> Package perl-DBD-MySQL.i386 0:2.9004-3.1.centos4 set to be updated

--> Running transaction check

--> Processing Dependency: zlib-devel for package: openssl-devel

--> Processing Dependency: krb5-devel for package: openssl-devel

--> Restarting Dependency Resolution with new changes.

--> Populating transaction set with selected packages. Please wait.

---> Downloading header for krb5-devel to pack into transaction set.

krb5-devel-1.3.4-54.el4_6 100% |=========================| 40 kB 00:00

---> Package krb5-devel.i386 0:1.3.4-54.el4_6.1 set to be updated

---> Downloading header for zlib-devel to pack into transaction set.

zlib-devel-1.2.1.2-1.2.i3 100% |=========================| 6.2 kB 00:00

---> Package zlib-devel.i386 0:1.2.1.2-1.2 set to be updated

--> Running transaction check

--> Processing Dependency: krb5-libs = 1.3.4-54.el4_6.1 for package: krb5-devel

--> Processing Dependency: e2fsprogs-devel for package: krb5-devel

--> Restarting Dependency Resolution with new changes.

--> Populating transaction set with selected packages. Please wait.

---> Downloading header for e2fsprogs-devel to pack into transaction set.

e2fsprogs-devel-1.35-12.1 100% |=========================| 20 kB 00:00

---> Package e2fsprogs-devel.i386 0:1.35-12.11.el4_6.1 set to be updated

---> Downloading header for krb5-libs to pack into transaction set.

krb5-libs-1.3.4-54.el4_6. 100% |=========================| 33 kB 00:00

---> Package krb5-libs.i386 0:1.3.4-54.el4_6.1 set to be updated

--> Running transaction check

--> Processing Dependency: krb5-libs = 1.3.4-54 for package: krb5-workstation

--> Restarting Dependency Resolution with new changes.

--> Populating transaction set with selected packages. Please wait.

---> Downloading header for krb5-workstation to pack into transaction set.

krb5-workstation-1.3.4-54 100% |=========================| 41 kB 00:01

---> Package krb5-workstation.i386 0:1.3.4-54.el4_6.1 set to be updated

--> Running transaction check

Dependencies Resolved

=============================================================================

Package Arch Version Repository Size

=============================================================================

Installing:

mysql i386 4.1.20-3.RHEL4.1.el4_6.1 update 2.9 M

mysql-devel i386 4.1.20-3.RHEL4.1.el4_6.1 update 2.1 M

mysql-server i386 4.1.20-3.RHEL4.1.el4_6.1 update 9.8 M

Installing for dependencies:

e2fsprogs-devel i386 1.35-12.11.el4_6.1 update 487 k

krb5-devel i386 1.3.4-54.el4_6.1 update 824 k

openssl-devel i586 0.9.7a-43.17.el4_6.1 base 1.6 M

perl-DBD-MySQL i386 2.9004-3.1.centos4 base 111 k

zlib-devel i386 1.2.1.2-1.2 base 89 k

Updating for dependencies:

krb5-libs i386 1.3.4-54.el4_6.1 update 484 k

krb5-workstation i386 1.3.4-54.el4_6.1 update 824 k

Transaction Summary

=============================================================================

Install 8 Package(s)

Update 2 Package(s)

Remove 0 Package(s)

Total download size: 19 M

Is this ok [y/N]:y

Downloading Packages:

(1/7): mysql-devel-4.1.20 100% |=========================| 2.1 MB 00:42

(2/7): krb5-devel-1.3.4-5 100% |=========================| 824 kB 00:19

(3/7): e2fsprogs-devel-1. 100% |=========================| 487 kB 00:08

(4/7): krb5-workstation-1 100% |=========================| 824 kB 00:13

(5/7): openssl-devel-0.9. 100% |=========================| 1.6 MB 00:29

(6/7): zlib-devel-1.2.1.2 100% |=========================| 89 kB 00:02

(7/7): krb5-libs-1.3.4-54 100% |=========================| 484 kB 00:18

Running Transaction Test

Finished Transaction Test

Transaction Test Succeeded

Running Transaction

Updating : krb5-libs ####################### [ 1/12]

Installing: mysql ####################### [ 2/12]

Installing: perl-DBD-MySQL ####################### [ 3/12]

Installing: zlib-devel ####################### [ 4/12]

Installing: e2fsprogs-devel ####################### [ 5/12]

Installing: krb5-devel ####################### [ 6/12]

Installing: openssl-devel ####################### [ 7/12]

Installing: mysql-devel ####################### [ 8/12]

Updating : krb5-workstation ####################### [ 9/12]

Installing: mysql-server ####################### [10/12]

Cleanup : krb5-workstation ####################### [11/12]

Cleanup : krb5-libs ####################### [12/12]

Installed: mysql.i386 0:4.1.20-3.RHEL4.1.el4_6.1 mysql-devel.i386 0:4.1.20-3.RHEL4.1.el4_6.1 mysql-server.i386 0:4.1.20-3.RHEL4.1.el4_6.1

Dependency Installed: e2fsprogs-devel.i386 0:1.35-12.11.el4_6.1 krb5-devel.i386 0:1.3.4-54.el4_6.1 openssl-devel.i586 0:0.9.7a-43.17.el4_6.1 perl-DBD-MySQL.i386 0:2.9004-3.1.centos4 zlib-devel.i386 0:1.2.1.2-1.2

Dependency Updated: krb5-libs.i386 0:1.3.4-54.el4_6.1 krb5-workstation.i386 0:1.3.4-54.el4_6.1

Complete!

2. Check the installation.

a. If its properly installed.

[root@proxy ~]# rpm -qa|grep mysql

mysql-4.1.20-3.RHEL4.1.el4_6.1

mysql-devel-4.1.20-3.RHEL4.1.el4_6.1

mysql-server-4.1.20-3.RHEL4.1.el4_6.1

b. Start/Stop/Restart the service.

[root@proxy /]# service mysqld start

Starting MySQL: [ OK ]

[root@proxy /]# service mysqld stop

[root@proxy /]# service mysqld restart

c. Checking at boot time.

[root@proxy /]# /sbin/chkconfig mysqld on

[root@proxy /]# /sbin/chkconfig --list mysqld

mysqld 0:off 1:off 2:on 3:on 4:on 5:on 6:off

d. Check if its listening on the port

[root@azcomm ~]# netstat -tap |grep mysql

tcp 0 0 *:mysql *:* LISTEN 4443/mysqld

3. Configure your password

a. Creating a MySQL "root" Account

[root@machine etc]# mysqladmin -u root password 12345678

b. Accessing The MySQL Command Line

[root@machine etc]# mysql -u root -p

Enter password:

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 4 to server version: 4.1.20

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>

mysql> show databases;

+----------+

| Database |

+----------+

| mysql |

| test |

+----------+

2 rows in set (0.00 sec)

c. Create a sample db.

mysql> create database jepoy;

Query OK, 1 row affected (0.00 sec)

mysql> show databases;

+----------+

| Database |

+----------+

| jepoy |

| mysql |

| test |

+----------+

3 rows in set (0.01 sec)

d. Granting Privileges to Users

sql> grant all privileges on database.* to username@"servername" identified by 'password';

sql> grant all privileges on salesdb.* to mysqluser@"localhost" identified by 'mypass';

sql> flush privileges;

How To: PHP Installation

2008-03-23T19:31:00.001-07:00

PHP Installation

1. Install php

[root@proxy ~]# yum install php

Setting up Install Process

Setting up repositories

updates-released 100% |=========================| 951 B 00:00

extras 100% |=========================| 1.1 kB 00:00

base 100% |=========================| 1.1 kB 00:00

Reading repository metadata in from local files

Parsing package install arguments

Resolving Dependencies

--> Populating transaction set with selected packages. Please wait.

---> Downloading header for php to pack into transaction set.

php-5.0.4-10.5.i386.rpm 100% |=========================| 18 kB 00:01

---> Package php.i386 0:5.0.4-10.5 set to be updated

--> Running transaction check

--> Processing Dependency: php = 5.0.4-10 for package: php-ldap

--> Processing Dependency: php = 5.0.4-10 for package: php-pear

--> Restarting Dependency Resolution with new changes.

--> Populating transaction set with selected packages. Please wait.

---> Downloading header for php-pear to pack into transaction set.

php-pear-5.0.4-10.5.i386. 100% |=========================| 35 kB 00:01

---> Package php-pear.i386 0:5.0.4-10.5 set to be updated

---> Downloading header for php-ldap to pack into transaction set.

php-ldap-5.0.4-10.5.i386. 100% |=========================| 13 kB 00:00

---> Package php-ldap.i386 0:5.0.4-10.5 set to be updated

--> Running transaction check

Dependencies Resolved

=============================================================================

Package Arch Version Repository Size

=============================================================================

Updating:

php i386 5.0.4-10.5 updates-released 2.3 M

Updating for dependencies:

php-ldap i386 5.0.4-10.5 updates-released 28 k

php-pear i386 5.0.4-10.5 updates-released 371 k

Transaction Summary

=============================================================================

Install 0 Package(s)

Update 3 Package(s)

Remove 0 Package(s)

Total download size: 2.7 M

Is this ok [y/N]:

Downloading Packages:

(1/3): php-pear-5.0.4-10. 100% |=========================| 371 kB 00:58

(2/3): php-ldap-5.0.4-10. 100% |=========================| 28 kB 00:01

(3/3): php-5.0.4-10.5.i38 100% |=========================| 2.3 MB 01:35

Running Transaction Test

Finished Transaction Test

Transaction Test Succeeded

Running Transaction

Updating : php ######################### [1/6]

Updating : php-pear ######################### [2/6]

Updating : php-ldap ######################### [3/6]

Cleanup : php-pear ######################### [4/6]

Cleanup : php-ldap ######################### [5/6]

Cleanup : php ######################### [6/6]

Updated: php.i386 0:5.0.4-10.5

Dependency Updated: php-ldap.i386 0:5.0.4-10.5 php-pear.i386 0:5.0.4-10.5

Complete!

2. Checking the installation

a. [root@proxy ~]# rpm -qa|grep php

php-ldap-5.0.4-10.5

php-pear-5.0.4-10.5

php-5.0.4-10.5

3. Put this php file on /var/www/html, name it index.php to test.

http://www.php.net/phpinfo

How To: Apache Web Server

2008-02-05T19:07:00.000-08:00

How To Web Server

1. Install Apache

[root@proxy /]# yum install httpd

Setting up Install Process

Setting up repositories

updates-released 100% |=========================| 951 B 00:00

extras 100% |=========================| 1.1 kB 00:00

base 100% |=========================| 1.1 kB 00:00

Reading repository metadata in from local files

Parsing package install arguments

Resolving Dependencies

--> Populating transaction set with selected packages. Please wait.

---> Downloading header for httpd to pack into transaction set.

httpd-2.0.54-10.4.i386.rp 100% |=========================| 74 kB 00:02

---> Package httpd.i386 0:2.0.54-10.4 set to be updated

--> Running transaction check

--> Processing Dependency: httpd = 2.0.54-10 for package: mod_ssl

--> Processing Dependency: httpd = 2.0.54-10 for package: httpd-manual

--> Restarting Dependency Resolution with new changes.

--> Populating transaction set with selected packages. Please wait.

---> Downloading header for mod_ssl to pack into transaction set.

mod_ssl-2.0.54-10.4.i386. 100% |=========================| 23 kB 00:01

---> Package mod_ssl.i386 1:2.0.54-10.4 set to be updated

---> Downloading header for httpd-manual to pack into transaction set.

httpd-manual-2.0.54-10.4. 100% |=========================| 114 kB 00:03

---> Package httpd-manual.i386 0:2.0.54-10.4 set to be updated

--> Running transaction check

Dependencies Resolved

=============================================================================

Package Arch Version Repository Size

=============================================================================

Updating:

httpd i386 2.0.54-10.4 updates-released 947 k

Updating for dependencies:

httpd-manual i386 2.0.54-10.4 updates-released 1.7 M

mod_ssl i386 1:2.0.54-10.4 updates-released 94 k

Transaction Summary

=============================================================================

Install 0 Package(s)

Update 3 Package(s)

Remove 0 Package(s)

Total download size: 2.7 M

Is this ok [y/N]: y

Downloading Packages:

(1/3): mod_ssl-2.0.54-10. 100% |=========================| 94 kB 00:03

http://download.fedoraproject.org/pub/fedora/linux/core/updates/4/i386/httpd-manual-2.0.54-10.4.i386.rpm: [Errno 4] IOError: [Errno ftp error] timed out

Trying other mirror.

(2/3): httpd-manual-2.0.5 100% |=========================| 1.7 MB 01:00

(3/3): httpd-2.0.54-10.4. 100% |=========================| 947 kB 00:33

Running Transaction Test

Finished Transaction Test

Transaction Test Succeeded

Running Transaction

Updating : httpd ######################### [1/6]

Updating : mod_ssl ######################### [2/6]

Updating : httpd-manual ######################### [3/6]

Cleanup : mod_ssl ######################### [4/6]

Cleanup : httpd-manual ######################### [5/6]

Cleanup : httpd ######################### [6/6]

Updated: httpd.i386 0:2.0.54-10.4

Dependency Updated: httpd-manual.i386 0:2.0.54-10.4 mod_ssl.i386 1:2.0.54-10.4

Complete!

2. Check the installation.

a. If its properly installed.

[root@proxy /]# rpm -qa|grep httpd

system-config-httpd-1.3.2-2

httpd-2.0.54-10.4

httpd-manual-2.0.54-10.4

b. Start/Stop/Restart the service.

[root@proxy /]# service httpd start

[root@proxy /]# service httpd stop

[root@proxy /]# service httpd restart

c. Checking at boot time.

[root@proxy /]# /sbin/chkconfig httpd on

[root@proxy /]# /sbin/chkconfig --list httpd

httpd 0:off 1:off 2:off 3:on 4:on 5:on 6:off

3. Check the config files.

The Apache configuration file is: /etc/httpd/conf/httpd.conf

Web pages are served from the directory as configured by the DocumentRoot directive. The default directory location is:

Red Hat 7.x-9, Fedora Core, Red Hat Enterprise 4, CentOS 4: /var/www/html/

4. Common configuration options

a. ServerRoot – used for specifying the base directory of the Web server.

ServerRoot "/etc/httpd"

b. ServerAdmin – email address that is included in error messages

ServerAdmin root@example.com

c. ServerName – hostname and port the server uses

ServerName www.example.com:80

d. DocumentRoot – primary directory of the Web server.

DocumentRoot "/var/www/html"

e. Listen – this the port where server listens for requests.

Listen 203.189.11.73:80

e. Users/Groups – tell which user/group will anser requests

User apache

Group apache

f. LoadModule – used for loading modules into apache’s running config

LoadModule cgi_module modules/mod_cgi.so

LoadModule cgi_module modules/mod_ssl.so

g. ErrorLog – location of the errors

ErrorLog logs/error_log

5. Try your site by going to your browser.

http://localhost or http://ip-address

How To: VSFTP Server

2008-02-04T22:39:00.000-08:00

How To Install and Configure VSFTP Server

1. Install VSFTPD service

[root@proxy /]# yum install vsftpd

Setting up Install Process

Setting up repositories

updates-released 100% |=========================| 951 B 00:00

Content-Length: 345

Date: Tue, 05 Feb 2008 01:32:49 GMT

Server: lighttpd/1.4.18

Trying other mirror.

http://ftp.lug.ro/fedora/linux/extras/4/i386/repodata/repomd.xml: [Errno 4] IOError: HTTP Error 404: Date: Tue, 05 Feb 2008 01:32:51 GMT

Server: Apache/2.0.54 (Debian GNU/Linux) PHP/4.3.10-22

Vary: accept-language,accept-charset

Accept-Ranges: bytes

Transfer-Encoding: chunked

Content-Type: text/html; charset=iso-8859-1

Content-Language: en

Trying other mirror.

extras 100% |=========================| 1.1 kB 00:00

base 100% |=========================| 1.1 kB 00:00

Reading repository metadata in from local files

Parsing package install arguments

Resolving Dependencies

--> Populating transaction set with selected packages. Please wait.

---> Downloading header for vsftpd to pack into transaction set.

vsftpd-2.0.3-1.i386.rpm 100% |=========================| 14 kB 00:00

---> Package vsftpd.i386 0:2.0.3-1 set to be updated

--> Running transaction check

Dependencies Resolved

=============================================================================

Package Arch Version Repository Size

=============================================================================

Installing:

vsftpd i386 2.0.3-1 base 123 k

Transaction Summary

=============================================================================

Install 1 Package(s)

Update 0 Package(s)

Remove 0 Package(s)

Total download size: 123 k

Is this ok [y/N]:y

Downloading Packages:

(1/1): vsftpd-2.0.3-1.i38 100% |=========================| 123 kB 00:04

Running Transaction Test

Finished Transaction Test

Transaction Test Succeeded

Running Transaction

Installing: vsftpd ######################### [1/1]

Installed: vsftpd.i386 0:2.0.3-1

Complete!

2. Check the service

# rpm –qa|grep vsftpd

# chkconfig –list vsftpd

# chkconfig vsftpd on

3. Check the config files

etc/vsftpd/vsftpd.conf

[root@proxy vsftpd]# more vsftpd.conf

# Example config file /etc/vsftpd/vsftpd.conf

# The default compiled in settings are fairly paranoid. This sample file

# loosens things up a bit, to make the ftp daemon more usable.

# Please see vsftpd.conf.5 for all compiled in defaults.

# READ THIS: This example file is NOT an exhaustive list of vsftpd options.

# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's

# capabilities.

# Allow anonymous FTP? (Beware - allowed by default if you comment this out).

anonymous_enable=YES

# Uncomment this to allow local users to log in.

local_enable=YES

# Uncomment this to enable any form of FTP write command.

write_enable=YES

# Default umask for local users is 077. You may wish to change this to 022,

# if your users expect that (022 is used by most other ftpd's)

local_umask=022

# Uncomment this to allow the anonymous FTP user to upload files. This only

# has an effect if the above global write enable is activated. Also, you will

# obviously need to create a directory writable by the FTP user.

#anon_upload_enable=YES

# Uncomment this if you want the anonymous FTP user to be able to create

# new directories.

#anon_mkdir_write_enable=YES

# Activate directory messages - messages given to remote users when they

# go into a certain directory.

dirmessage_enable=YES

# Activate logging of uploads/downloads.

xferlog_enable=YES

# Make sure PORT transfer connections originate from port 20 (ftp-data).

connect_from_port_20=YES

# If you want, you can arrange for uploaded anonymous files to be owned by

# a different user. Note! Using "root" for uploaded files is not

# recommended!

#chown_uploads=YES

#chown_username=whoever

# You may override where the log file goes if you like. The default is shown

# below.

#xferlog_file=/var/log/vsftpd.log

# If you want, you can have your log file in standard ftpd xferlog format

xferlog_std_format=YES

# You may change the default value for timing out an idle session.

#idle_session_timeout=600

# You may change the default value for timing out a data connection.

#data_connection_timeout=120

# It is recommended that you define on your system a unique user which the

# ftp server can use as a totally isolated and unprivileged user.

#nopriv_user=ftpsecure

# Enable this and the server will recognise asynchronous ABOR requests. Not

# recommended for security (the code is non-trivial). Not enabling it,

# however, may confuse older FTP clients.

#async_abor_enable=YES

# By default the server will pretend to allow ASCII mode but in fact ignore

# the request. Turn on the below options to have the server actually do ASCII

# mangling on files when in ASCII mode.

# Beware that turning on ascii_download_enable enables malicious remote parties

# to consume your I/O resources, by issuing the command "SIZE /big/file" in

# ASCII mode.

# These ASCII options are split into upload and download because you may wish

# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),

# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be

# on the client anyway..

#ascii_upload_enable=YES

#ascii_download_enable=YES

# You may fully customise the login banner string:

#ftpd_banner=Welcome to blah FTP service.

# You may specify a file of disallowed anonymous e-mail addresses. Apparently

# useful for combatting certain DoS attacks.

#deny_email_enable=YES

# (default follows)

#banned_email_file=/etc/vsftpd/banned_emails

# You may specify an explicit list of local users to chroot() to their home

# directory. If chroot_local_user is YES, then this list becomes a list of

# users to NOT chroot().

#chroot_list_enable=YES

# (default follows)

#chroot_list_file=/etc/vsftpd/chroot_list

# You may activate the "-R" option to the builtin ls. This is disabled by

# default to avoid remote users being able to cause excessive I/O on large

# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume

# the presence of the "-R" option, so there is a strong case for enabling it.

#ls_recurse_enable=YES

pam_service_name=vsftpd

userlist_enable=YES

#enable for standalone mode

listen=YES

tcp_wrappers=YES

4. Anonymous download FTP server configuration: /etc/vsftpd/vsftpd.conf

The basic config is already set to anonymous download, no upload generally.

anonymous_enable=YES

in case you use passive and behind a firewall

pasv_min_port=6000

pasv_max_port=6001

5. Creating FTP site for users.

/etc/vsftpd/vsftd.conf

anonymous_enable=NO # This will disable anonymous login

chroot_local_user=YES # Security purposes, jail users

6. Checking the logs

/etc/vsftpd/vsftpd.conf

xferlog_file=/var/log/vsftpd.log # uncomment this to put your logs on /var/log/vsftpd.log

#xferlog_std_format=YES # comment this to have a readable log format

[root@proxy log]# tail -f vsftpd.log

Tue Feb 5 03:35:32 2008 [pid 9651] CONNECT: Client "203.189.11.5"

Tue Feb 5 03:35:33 2008 [pid 9650] [user1] OK LOGIN: Client "203.189.xxx.5"

Tue Feb 5 03:35:47 2008 [pid 9652] [user1] OK DELETE: Client "203.189.xxx.5", "/YServer.txt"

Tue Feb 5 03:36:02 2008 [pid 9652] [user1] OK UPLOAD: Client "203.189.xxx.5", "/boot.ini", 211 bytes, 13.03Kbyte/se

7. For passive configuration, this will limit the connection.

pasv_min_port=6000

pasv_max_port=6001

-A INPUT -s 203.189.xxx.0/255.255.255.0 -i eth0 -p tcp -m state --state NEW -m tcp --dport 6000 -j ACCEPT

-A INPUT -s 203.189.xxx.0/255.255.255.0 -i eth0 -p tcp -m state --state NEW -m tcp --dport 6001 -j ACCEPT

8. Common FTP Commands

?	to request help or information about the FTP commands
ascii	to set the mode of file transfer to ASCII (this is the default and transmits seven bits per character)
binary	to set the mode of file transfer to binary (the binary mode transmits all eight bits per byte and thus provides less chance of a transmission error and must be used to transmit files other than ASCII files)
bye	to exit the FTP environment (same as quit)
cd	to change directory on the remote machine
close	to terminate a connection with another computer
	close brubeck	closes the current FTP connection with brubeck, but still leaves you within the FTP environment.
delete	to delete (remove) a file in the current remote directory (same as rm in UNIX)
get	to copy one file from the remote machine to the local machine
	get ABC DEF	copies file ABC in the current remote directory to (or on top of) a file named DEF in your current local directory.
	get ABC	copies file ABC in the current remote directory to (or on top of) a file with the same name, ABC, in your current local directory.
help	to request a list of all available FTP commands
lcd	to change directory on your local machine (same as UNIX cd)
ls	to list the names of the files in the current remote directory
mkdir	to make a new directory within the current remote directory
mget	to copy multiple files from the remote machine to the local machine; you are prompted for a y/n answer before transferring each file
	mget *	copies all the files in the current remote directory to your current local directory, using the same filenames. Notice the use of the wild card character, *.
mput	to copy multiple files from the local machine to the remote machine; you are prompted for a y/n answer before transferring each file
open	to open a connection with another computer
	open brubeck	opens a new FTP connection with brubeck; you must enter a username and password for a brubeck account (unless it is to be an anonymous connection).
put	to copy one file from the local machine to the remote machine
pwd	to find out the pathname of the current directory on the remote machine
quit	to exit the FTP environment (same as bye)
rmdir	to to remove (delete) a directory in the current remote directory

Checking DHCP Logs

2008-01-14T22:06:00.000-08:00

1. Edit dhcpd.conf and add this line
log-facility local7;

2. Edit syslog.conf and append
local7.* /var/log/dhcpd.log

[root@proxy etc]# more syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron

# Save boot messages also to boot.log
local7.* /var/log/boot.log
local7.* /var/log/dhcpd.log

3. Check the logs by performing a tail command.
[root@proxy log]# tail -f dhcpd.log
Jan 15 13:49:59 proxy dhcpd: DHCPACK on 192.168.0.23 to 00:80:ad:01:7e:12 (programming) via eth1
Jan 15 13:54:45 proxy dhcpd: DHCPINFORM from 192.168.0.13 via eth1: not authoritative for subnet 192.168.0.0
Jan 15 13:54:48 proxy dhcpd: DHCPINFORM from 192.168.0.13 via eth1: not authoritative for subnet 192.168.0.0
Jan 15 13:58:29 proxy dhcpd: DHCPINFORM from 192.168.0.15 via eth1: not authoritative for subnet 192.168.0.0
Jan 15 13:58:32 proxy dhcpd: DHCPINFORM from 192.168.0.15 via eth1: not authoritative for subnet 192.168.0.0
Jan 15 14:09:22 proxy dhcpd: Unable to add forward map from mach1.jepoy.net to 192.168.0.10: timed out
Jan 15 14:09:22 proxy dhcpd: DHCPREQUEST for 192.168.0.10 from 00:40:05:6d:7c:a2 via eth1
Jan 15 14:09:22 proxy dhcpd: DHCPACK on 192.168.0.10 to 00:40:05:6d:7c:a2 via eth1

How To: Squid

2007-12-18T05:19:00.001-08:00

Installation and configuration of the Squid Caching service

1. Installation
[root@proxy squid]# yum install squid
Setting up Install Process
Setting up repositories
updates-released 100% |=========================| 951 B 00:00
extras 100% |=========================| 1.1 kB 00:00
base 100% |=========================| 1.1 kB 00:00
Reading repository metadata in from local files

[root@proxy squid]# rpm -qa|grep squid
squid-2.5.STABLE9-7

2. Check the service if its succssfully installed
[root@proxy squid]# chkconfig --list squid
squid 0:off 1:off 2:off 3:on 4:on 5:on 6:off

3. Edit the configuration file, /etc/squid/squid.conf

#This port can be used for transparent proxy together with iptables
http_port 3128
# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

# OPTIONS FOR TUNING THE CACHE
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

# ACCESS LIST
acl all src 0.0.0.0/0.0.0.0
acl deny_url url_regex "/etc/squid/acl/deny_url"
# Block files for certain time
acl largefiles url_regex -i \.exe$ \.mp3$ \.avi$ \.mpeg$ \.ogg$
#Default open ports
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Networks Using the PROXY
acl private-net src 192.168.0.0/24
acl public-net src 20.18.11.0/24, 20.18.12.0/24

# Delay pools 80Kbps per station
delay_pools 1
delay_class 1 2
delay_parameters 1 100000/100000 10000/10000
delay_access 1 allow private-net

# ACL for time
acl gypmshift time 22:01-23:59
acl gyamshift time 00:01-05:59
acl amshift time M T W H F 06:00-12:00
acl lunchbreak time 12:01-12:59
acl pmshift time M T W H F 13:00-22:00

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

# And finally deny all other access to this proxy
http_access allow localhost
http_access deny deny_url

#http_access deny block_download
http_access deny amshift largefiles
http_access allow lunchbreak largefiles
http_access deny pmshift largefiles

#http_access allow pmshift largefiles
http_access allow gyamshift largefiles
http_access allow gypmshift largefiles
http_access allowprivate-net
http_access allow public-net
http_access deny all

# and finally allow by default
http_reply_access allow all
icp_access allow all

cache_mgr jepoy
visible_hostname calamares

#########################
# FOR TRANSPARENT PROXY #
#########################
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

#for logs /var/spool/squid
logfile_rotate 3

4. For every changes on the squid.conf file, restart the squid and check the logs for errors.
[root@proxy squid]# /sbin/service squid restart
Stopping squid: ................[ OK ]
Starting squid: ..[ OK ]

How To: DNS Server

2007-12-18T05:16:00.000-08:00

Installation and Configuration of Caching DNS service

1. Install the needed software, for this document we will use bind.
[root@proxy log]# yum install bind
Setting up Install Process
Setting up repositories
updates-released 100% |=========================| 951 B 00:00
Setting up repositories
updates-released 100% |=========================| 951 B 00:00
extras 100% |=========================| 1.1 kB 00:00
base 100% |=========================| 1.1 kB 00:00
Reading repository metadata in from local files
Installed Packages
Name : bind
Arch : i386
Version: 9.3.1
Release: 4
Size : 1.4 M
Repo : installed
Summary: A DNS (Domain Name System) server.

2. Edit the config files based on your network.

[root@proxy etc]# more named.conf
//
// named.conf for Red Hat caching-nameserver
//
acl pmsi-net { 127.0.0.1; localhost;
192.168.0/24;
20.18.10.0/24;
};

logging {
channel query_logging {
file "/var/log/querylog" versions 3 size 100M;
print-time yes; // timestamp log entries
print-severity yes;
};
channel activity_log {
file "/var/log/activity_log" versions 3 size 100M;
print-time yes;
print-severity yes;
};
category resolver { query_logging; };
category queries { query_logging; };
category xfer-in { activity_log; };
category xfer-out { activity_log; };
category notify { activity_log; };
category security { activity_log; };
category update-security { activity_log; };
category network { null; };
category lame-servers { null; };
};

options {
forwarders { 208.67.xxx.222; 208.67.xxx.220; };
directory "/var/named";
allow-recursion { pmsi-net; };
allow-query { pmsi-net; };
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
};

//
// a caching only nameserver config
//
controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." IN {
type hint;
file "named.ca";
};

zone "localdomain" IN {
type master;
file "localdomain.zone";
allow-update { none; };
};

zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.ip6.local";
allow-update { none; };
};

zone "255.in-addr.arpa" IN {
type master;
file "named.broadcast";
allow-update { none; };
};

zone "0.in-addr.arpa" IN {
type master;
file "named.zero";
allow-update { none; };
};

include "/etc/rndc.key";

3. After editing the conf file, restart the service.
[root@proxy log]# /sbin/service named restart
Stopping named: [ OK ]
Starting named: [ OK ]

Installing IPTABLES

2007-12-17T19:28:00.000-08:00

Install IPTABLES for NAT/Firewall/Transparent Proxy

1. Install the iptables.
[root@proxy log]# yum install iptables
Setting up repositories
updates-released 100% |=========================| 951 B 00:00
extras 100% |=========================| 1.1 kB 00:04
base 100% |=========================| 1.1 kB 00:00
Reading repository metadata in from local files
Installed Packages
Name : iptables
Arch : i386
Version: 1.3.0
Release: 2
Size : 393 k
Repo : installed
Summary: Tools for managing Linux kernel packet filtering capabilities.

2. Check the installation.
[root@proxy log]# rpm -qa|grep iptables

3. Start at boot time.
[root@proxy log]# chkconfig iptables on

4. Configure /etc/sysconfig/iptables file
# Firewall created by jepoy habang inaantok... bbzzzz......
# eth0 - public
# eth1 - private
*nat
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j SNAT --to 203.189.x.x
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

COMMIT
# Completed on Tue Oct 11 20:53:45 2005
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]

#Forward Chain
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

#allow port
-A FORWARD -s 192.168.0.0/24 -d 0/0 -m state --state NEW -p tcp -m multiport --dport smtp,pop3,imap,6301,443,5100,13,554,1101,8080 -o eth0 -i eth1 -j ACCEPT
#allow network to use icmp
-A FORWARD -s 192.168.0.0/24 -d 0/0 -m state --state NEW -p icmp -o eth0 -i eth1 -j ACCEPT

#Input Chain
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#allow public address to use Squid port 3128
-A INPUT -s 203.189.x.0/255.255.255.0 -i eth0 -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT

# Allow public for DNS ACCESS
-A INPUT -s 203.189.x.0/255.255.255.0 -i eth0 -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT

# SSH Access
-A INPUT -s 203.189.x.5 -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

# Application Access
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p tcp -m state --state NEW -m tcp --dport 1101 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p tcp -m state --state NEW -m tcp --dport 631 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p tcp -m state --state NEW -m tcp --dport 554 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p icmp -m state --state NEW -m icmp -j ACCEPT

-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Logging
-A INPUT -j LOG
-A OUTPUT -j LOG
-A FORWARD -j LOG
COMMIT

3. Restart the service for every changes made.
[root@proxy /]# /sbin/service iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter nat [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]

Configuring the DHCP Server

2007-12-17T18:25:00.000-08:00

Installation and configuration of your DHCP service

1. Installation of the service
[root@proxy docadmin]# yum install dhcp
Setting up Install Process
Setting up repositories
updates-released 100% |=========================| 951 B 00:00
ddns-update-style interim;
ignore client-updates;

2. Check the install process
[root@proxy docadmin]# ps -ef|grep dhcp
root 2941 1 0 Sep06 ? 00:00:40 /usr/sbin/dhcpd
root 18191 18163 0 11:06 pts/1 00:00:00 grep dhcp

[root@proxy docadmin]# /sbin/chkconfig --list dhcpd
dhcpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off

3. Configuring the dhcp config file
Settings:
Gateway of the clients: 192.168.0.1
Domain Name: jepoy.net
Range: 192.168.0.10 to 192.168.0.50

/etc/dhcpd.conf

ddns-update-style interim;
ignore client-updates;

subnet 192.168.0.0 netmask 255.255.255.0 {

# --- default gateway
option routers 192.168.0.1;
option subnet-mask 255.255.255.0;

option nis-domain "jepoy.net";
option domain-name "jepoy.net";
option domain-name-servers 192.168.0.1;
option time-offset -18000; # Eastern Standard Time
range dynamic-bootp 192.168.0.10 192.168.0.50;
default-lease-time 21600;
max-lease-time 43200;

# we want the nameserver to appear at a fixed address
host ns {next-server calamares.server.net;
# hardware ethernet 12:34:56:78:AB:CD;
fixed-address 192.168.0.1;
}
}

4. Start the service
[root@proxy etc]# /sbin/service dhcpd restart
Internet Systems Consortium DHCP Server V3.0.2
Copyright 2004 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Shutting down dhcpd: [ OK ]
Starting dhcpd: [ OK ]

Linux How To/Tutorial

Squid Transparent Proxy Configuration

Squid with Password Authentication

Squid - Restricting Access to specific Web sites

Squid ACL

IPTABLES using multiport

Specifying Multiple Ports with multiport

IPTABLES Scenario 2.1 - Transparent Proxy

IPTABLES Scenario 2 - Internet Sharing

IPTABLES Scenario 1.1

IPTABLES Scenario 1

Starting with IPTABLES

Linux Firewall using IPTABLES

What is IPTABLES?

· Iptables is a generic table structure for the definition of rulesets

· iptables is Linux's firewall which has been a part of the kernel since version 2.4

What can I do with netfilter/iptables?

· build internet firewalls based on stateless and stateful packet filtering

· use NAT and masquerading for sharing internet access if you don't have enough public IP addresses

· use NAT to implement transparent proxies

The Rules of the Game…

· iptables makes decisions on what to do with a packet based on rules

· A rule specifies the criteria necessary for a packet to match it

· A decision is known as a target and it can be a user-defined chain (not covered in this article) or one of the following:

Things to remember… DECISION

ACCEPT Allow the packet through the firewall.

DROP Drops the packet; the packet is not allowed through the firewall

TABLES

The two other tables available by default are the nat table and the mangle table. This will be discussed on advance topic.

STATES

This means that we can create rules not only based on IPs and ports but also on whether a packet exists in any of the following states:

NEW The packet is trying to start a new connection.

ESTABLISHED A connection that has seen packets travel in both directions

RELATED A packet that is starting a new connection but is related to an

existing connection

INVALID This packet is associated with no known connection. These packets

should be dropped.

Creating and Saving the RULES

Rules can be appended to the chains directly by using the iptables command.

Example: To add a new rule to allow new connections to a web server running on your computer from anywhere we would execute the following:

$ iptables -A INPUT -s 0/0 -d 10.10.10.10 -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT

where:

-s (or --src or --source) and -d (or --dst or --destination)

0/0 is shorthand for 0.0.0.0/0.0.0.0 meaning that the source can be ANY IP address.

10.10.10.10 is the IP Address our your machine or the destination address

-m state --state NEW

matches only packets that have a status of NEW. This can be anyone

of or a comma separated list of the four possible states.

-p tcp

apply this rule to packets using the TCP protocol only. This can be

anyone of tcp, udp, icmp or all (default). The exclamation mark can

be used to invert the match.

--dport 80 (or --destination-port)

matches a packet trying to connect to port 80. The exclamation mark

can be used to invert this match also. A range of ports can be

given in the format begin:end.

-i eth0 (or --in-interface eth0)

name of an interface via which a packet is going to be received.

Possible interfaces on your computer can be found using the command

'ifconfig'. In this example your computer is connected to

the Internet through the first (or only) ethernet card.

-j ACCEPT

the target. In this case, if the incoming packet is creating a new

TCP connection from anywhere to port 80 on your computer through

the first ethernet card, we will allow it through.

Breaking the Manual Creation

File: /etc/sysconfig/iptables

The essential elements of an iptables file

1 # Firewall configuration

2 *filter

3 :INPUT [0:0]

4 :FORWARD [0:0]

5 :OUTPUT [0:0]

6 # your rules here

7 COMMIT

Line 1 Comment

Line 2 this file tells iptables that the following rules apply to the filter table.

Line 3, 4, 5 define the default targets for the three chains. We place our rules after these and before COMMIT

Line 6 comment about your rules

Line 7 Commit, end of the file

Specifying Multiple Ports with `multiport`