[CentOS] CentOS as an internet gateway

Thu Mar 31 00:44:33 UTC 2005
ryanag at zoominternet.net <ryanag at zoominternet.net>

I would add the below:

-Recommend using CentOS 4.0
-Use squid rpm, no tar (this is for new users I'm guessing).
-Recommend using etherape and iptraf (available as rpms) for a graphical
overview of traffic. http://etherape.sourceforge.net/
-Recommend the use of chkrootkit, and TCP Wrappers (at the least put 
ALL: ALL EXCEPT PARANOID in /etc/hosts.allow) to protect servers.
-Provide some information about how to protect the whole network from 
spyware with the /etc/hosts file (a nice side benefit from doing DNS
proxy). http://www.mvps.org/winhelp2002/hosts.htm
-A *huge* disclaimer on running squid on a machine with a public 
interface.
-Consider using webmin to manage this outside a GUI.
-fwlogwatch can parse log files nicely. http://fwlogwatch.inside-security.de/



Biggest issue I have with your setup:

-I wouldn't use Guarddog as the GUI setup - it is very nice, but 
inflexible and not really meant for what you are doing.
Try kmyfirewall instead if you want a GUI for iptables. It offers near 
complete control of iptables functions. 
If you can get along with using webmin, try shorewall.

*If* this is going to be in a bigger than SOHO (+ 30 PC) network, go
with shorewall.


Just my $.02, good luck with the site, it'll help a lot of people. :-)


On Wednesday 30 March 2005 13:27, Seth Bardash wrote:
> To the list:
>
> HOW-TO on DNS + DHCP + SQUID + Firewall + Router
>
> Since this seems to be a recurring topic:
>
> Thought you might be interested in a working set up of
> DNS + DHCP + SQUID + Firewall + Router machine that took
> quite an effort to get working but now runs flawlessly.
>
> Don't get discouraged. This takes some time to set up
> correctly but once you get through it - it works great!
>
> Remember: tcpdump is your friend!!!!
>
> Anyone having a network internally that needs these
> features should continue reading:
>
> We set up a new firewall based on CentOS 3.3. (3.4 should work fine)
>
> We needed it to serve many protocols internally.
>
> The specifications for it are:
>
> NOT Microsoft based
> (We are a MS Partner with all the software but I wanted something that was
> MS virus proof)
>
> KDE Graphical Firewall Control
> External Internet LAN Port x 1
> Internal Networks x 2 (more can be added) -> we used 192.168.0.X and
> 192.168.1.X
> DNS Name Caching Server - internal and external, forward and reverse
> lookups DHCP Server that does ddns-update internally
> Squid Server
> IP Masquerading
> Routing between all networks
>
> Hardware:
>
> OLD P3-800 Based System (Only non AMD system we run)
> 3 x Intel Pro 100 NICs (We have a big box of these)
> 1GB SDRAM
> 40GB IDE Disk
> CDROM Drive
> Floppy
> Standard PC Case with extra cooling and 400 w ps.
>
> This hardware is overkill as it never runs above 30% load.
> Any machine supported by CentOS with > 600 MHz CPU and 512M Memory should
> do.
>
> Software:
>
> CentOS 3.3 Full Install (Lessens the chance of missing packages)
>
> Guarddog Firewall RPM for CentOS
> (http://centos.hughesjr.com/3/guarddog/RPMS/)
> Guidedog router/masquerader RPM for RH9 (works fine)
> (http://www.simonzone.com/software/guidedog/guidedog-1.0.0-1_rh9.i386.rpm)
>
> Squid source tar ball.
>
> First install CentOS and set it for a KDE graphical boot up.
>  Turn off all services not used
>  Leave Iptables on but turn off IP6tables
>
> Then Install Guarddog
> Then install Guidedog
> Configure both of the above - read the instructions for these carefully.
>                             - questions for these should go to the writer
> or his mail forum
>                             - Make sure to enable DHCP for eth1 and eth2
> BUT NOT eth0 (external LAN NIC)
>
> Make sure you can see the internet from the inside LANs with the clients
> set to use static IPs.
>
> NEXT ---
>
> Please read the instructions on how to set up DHCP and bind(DNS) here:
>
> http://integratedsolutions.org/downloads/DHCP-DDNS.txt
>
> Read this multiple times and make sure you understand it!
>
> Cut and paste can be an enemy. Be careful which editor you use
>
>
> This set up allows us to have any number of machines on our internal
> network automagically connected to each other and the internet with all the
> IP information coming from our firewall / router / masquerader / squid
> server.
>
> It works for forward and reverse DNS internally for Windows and linux
> clients and servers.
>
> It also speeds up client internet traffic by caching most outside pages.
>
> Install squid per the INSTALL in the src tar ball and
> add a startup entry to either chkconfig or rc.local.
> We set it to use 5 GB of disk cache and start
> automatically at boot time. We used the standard proxy port.
>
> We configured squid using webmin and this works fine.
>
> We added Webmin just to see how well it works:
> It can break DNS and DHCP easily if you are not careful but it was helpful
> getting squid working.
>
> Read up on syslogd and change the config file (or use webmin) to rotate
> logs every day and keep 7 to 14 old logs for back checking purposes. This
> will limit log size and make it easier to find any problems.
>
> Your mileage may vary.
>
> Standard software disclaimer applies.
>
> If this is helpful drop me an email so I know.
>
> If this needs work drop me an email with specifics.
>
> We will be adding a knowledgebase to our website with complete instructions
> for this in the next few weeks.
>
> Best
>
> Seth Bardash
>
> Integrated Solutions and Systems
>
> seth at integratedsolutions.org
>
> 719-495-5866
>
> Failure can not cope with perseverance!
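The reply above recommends fwlogwatch for reading the firewall's logs, and the original post stresses daily log rotation so problems are easy to find. As an added example (not code from either poster, and not fwlogwatch itself), here is a small Python parser for the lines the netfilter LOG target writes through syslog, producing the kind of summary a log watcher gives a gateway admin: hits per source address, hits per destination port, and sources that touched several different ports. The log lines are constructed for this example; the "DROP" log prefix and the hostname "gw" are assumptions, and the addresses come from the RFC 5737 documentation ranges.

```python
"""Summarise netfilter LOG lines (as written by syslog) the way a firewall
log watcher does. Added example with constructed data; not part of the
original mailing-list post and not fwlogwatch's code."""
from collections import Counter, defaultdict

# Constructed sample log: five kernel LOG entries with an assumed "DROP" prefix
# and hostname "gw", plus one unrelated sshd line the parser must skip.
SAMPLE_LOG = """\
Mar 31 00:12:01 gw kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12345 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 31 00:12:02 gw kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12346 DF PROTO=TCP SPT=43211 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 31 00:12:03 gw kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12347 DF PROTO=TCP SPT=43212 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 31 00:12:05 gw kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=198.51.100.2 LEN=78 TOS=0x00 PREC=0x00 TTL=115 ID=3 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 31 00:12:09 gw kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=777 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 31 00:12:10 gw sshd[1234]: Accepted publickey for admin from 192.168.0.10 port 52000 ssh2
"""


def parse_line(line):
    """Parse one syslog line carrying a netfilter LOG entry.

    Returns a dict of KEY=VALUE fields (SRC, DST, PROTO, DPT, ...), plus
    'ts', 'host', 'prefix' (the --log-prefix text before IN=) and 'flags'
    (bare tokens such as DF or SYN). Returns None for non-netfilter lines.
    """
    try:
        head, body = line.split(" kernel: ", 1)
    except ValueError:
        return None  # not a kernel message, e.g. an sshd line
    start = body.find("IN=")
    if start < 0:
        return None  # a kernel message, but not from the LOG target
    parts = head.split()
    fields = {
        "ts": " ".join(parts[:3]),
        "host": parts[3] if len(parts) > 3 else "",
        "prefix": body[:start].strip(),
        "flags": [],
    }
    for tok in body[start:].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value  # for UDP, the second LEN= (UDP length) wins
        else:
            fields["flags"].append(tok)
    return fields


def summarize(lines, scan_threshold=3):
    """Aggregate parsed LOG entries into per-source and per-port counts.

    A source that hit at least `scan_threshold` distinct destination ports
    is reported under 'scanners' so an admin can look at it first.
    """
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    by_src = Counter(e["SRC"] for e in events if "SRC" in e)
    by_dpt = Counter((e.get("PROTO"), e["DPT"]) for e in events if "DPT" in e)
    ports_per_src = defaultdict(set)
    for e in events:
        if "SRC" in e and "DPT" in e:
            ports_per_src[e["SRC"]].add(e["DPT"])
    scanners = sorted(s for s, ports in ports_per_src.items()
                      if len(ports) >= scan_threshold)
    return {"events": len(events), "by_src": by_src,
            "by_dpt": by_dpt, "scanners": scanners}


def report(summary):
    """Render the summary as plain text, one section per table."""
    out = ["%d firewall log entries" % summary["events"], "", "By source:"]
    for src, n in summary["by_src"].most_common():
        out.append("  %-16s %d" % (src, n))
    out += ["", "By destination port:"]
    for (proto, dpt), n in summary["by_dpt"].most_common():
        out.append("  %s/%-6s %d" % (proto, dpt, n))
    if summary["scanners"]:
        out += ["", "Sources hitting several ports: " + ", ".join(summary["scanners"])]
    return "\n".join(out)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG.splitlines())))
```

To run it against a real gateway, feed it the lines of the rotated log that receives the kernel facility (`/var/log/messages` on a default CentOS 3 install) instead of `SAMPLE_LOG`; the prefix text is whatever the rules' `--log-prefix` sets, so filter on `prefix` rather than assuming "DROP".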