[CentOS] CentOS as an internet gateway

Thu Mar 31 00:44:33 UTC 2005
ryanag at zoominternet.net <ryanag at zoominternet.net>

I would add the below:

-Recommend using CentOS 4.0
-Use squid rpm, no tar (this is for new users I'm guessing).
-Recommend using etherape and iptraf (available as rpms) for a graphical
overview of traffic. http://etherape.sourceforge.net/
-Recommend the use of chkrootkit, and TCP Wrappers (at the least put 
ALL: ALL EXCEPT PARANOID in /etc/hosts.allow) to protect servers.
-Provide some information about how to protect the whole network from 
spyware with the /etc/hosts file (a nice side benefit from doing DNS
proxy). http://www.mvps.org/winhelp2002/hosts.htm
-A *huge* disclaimer on running squid on a machine with a public 
-Consider using webmin to manage this outside a GUI.
-fwlogwatch can parse log files nicely. http://fwlogwatch.inside-

Biggest issue I have with your setup:

-I wouldn't use Guard Dog as the GUI setup - it is very nice, but 
inflexible and not really meant for what you are doing.
Try kmyfirewall instead if you want a GUI for iptables. It offers near 
complete control of iptables functions. 
If you can get along with using webmin, try shorewall.

*If* this is going to be in a bigger than SOHO (+ 30 PC) network, go
with shorewall.

Just my $.02, good luck with the site, it'll help a lot of people. :-)

On Wednesday 30 March 2005 13:27, Seth Bardash wrote:
> To the list:
> HOW-TO on DNS + DHCP + SQUID + Firewall + Router
> Since this seems to be a recurring topic:
> Thought you might be interested in a working set up of
> DNS + DHCP + SQUID + Firewall + Router machine that took
> quite an effort to get working but now runs flawlessly.
> Don't get discouraged. This takes some time to set up
> correctly but once you get through it - it works great!
> Remember: tcpdump is your friend!!!!
> Anyone having a network internally that needs these
> features should continue reading:
> We set up a new firewall based on CentOS 3.3. (3.4 should work fine)
> We needed it to serve many protocols internally.
> The specifications for it are:
> NOT Microsoft based
> (We are a MS Partner with all the software but I wanted something
> MS virus proof)
> KDE Graphical Firewall Control
> External Internet LAN Port x 1
> Internal Networks x 2 (more can be added) -> we used 192.168.0.X and
> 192.168.1.X
> DNS Name Caching Server - internal and external, forward and reverse
> lookups DHCP Server that does ddns-update internally
> Squid Server
> IP Masqerading
> Routing between all networks
> Hardware:
> OLD P3-800 Based System (Only non AMD system we run)
> 3 x Intel Pro 100 NIC's (We have a big box of these)
> 40GB IDE Disk
> CDROM Drive
> Floppy
> Standard PC Case with extra cooling and 400 w ps.
> This hardware is overkill as it never runs above 30% load.
> Any machine supported by Centos with > 600 MHz CPU and 512M Memory 
> do.
> Software:
> Centos 3.3 Full Install (Lessens the chance of missing packages)
> Guarddog Firewall RPM for Centos
> (http://centos.hughesjr.com/3/guarddog/RPMS/)
> Guidedog router/masqerader RPM for RH9 (works fine)
> Squid source tar ball.
> First install Centos and set it for a KDE graphical boot up.
>  Turn off all services not used
>  Leave Iptables on but turn off IP6tables
> Then Install Guarddog
> Then install Guidedog
> Configure both of the above - read the instructions for these 
>                             - questions for these should go to the 
> or his mail forum
>                             - Make sure to enable DHCP for eth1 and 
> BUT NOT eth0 (external LAN NIC)
> Make sure you can see the internet from the inside LANs with the 
> set to use static IPs.
> NEXT ---
> Please read the instructions on how to set up DHCP and bind(DNS) here:
> http://integratedsolutions.org/downloads/DHCP-DDNS.txt
> Read this multiple times and make sure you understand it!
> Cut and paste can be an enemy. Be careful which editor you use
> This set up allows us to have any number of machines on our internal
> network automagically connected to each other and the internet with 
all the
> IP information coming from our firewall / router / masquerader / squid
> server.
> It works for forward and reverse DNS internally for Windows and linux
> clients and servers.
> It also speeds up client internet traffic by caching most outside 
> Install squid per the INSTALL in the src tar ball and
> add a startup entry to either chkconfig or rc.local.
> We set it to use 5 GB of disk cache and start
> automatically at boot time. We used the standard proxy port.
> We configured squid using webmin and this works fine.
> We added Webmin just to see how well it works:
> It can break DNS and DHCP easily if you are not careful but it was 
> getting squid working.
> Read up on syslogd and change the config file (or use webmin) to 
> logs every day and keep 7 to 14 old logs for back checking purposes. 
> will limit log size and make it easier to find any problems.
> Your milage mary vary.
> Standard software disclaimer applies.
> If this is helpful drop me an email so I know.
> If this needs work drop me an email with specifics.
> We will be adding a knowledgebase to our website with complete 
> for this in the next few weeks.
> Best
> Seth Bardash
> Integrated Solutions and Systems
> seth at integratedsolutions.org
> 719-495-5866
> Failure can not cope with perseverance!