Set Up Ubuntu-Server 6.06 LTS As A Firewall/Gateway For Your Small Business Environment - Page 8

Submitted by tycho (Contact Author) (Forums) on Wed, 2006-12-06 16:20.

Now you have to send each real user a welcome message; this creates the initial Maildir structure in their home directories that they need in order to log in to their accounts. You can use Webmin's Postfix module for this. There is no need to send anything to their aliases. You may wish to use an external email account to send those welcome messages; however, you'll have to open port 25 in your firewall first to do so, as shown on this page of the tutorial.

Note that you'll have to send a message to every new user added after this initial setup too, of course. 

Your Webmail Server is located at https://your.domain/webmail (first send those messages!)

Munin is at http://your.domain/munin

Webmin is at https://your.domain:10000

If you haven't set any domains, use https://192.168.1.1/webmail etc.

Check that you can log in to your webmail and actually send and receive mail within your local network. If you're satisfied, open port 25 on your firewall for incoming tcp traffic (postfix) and port 6277 for incoming udp traffic (dcc). You may wish to make your webmail server available to your users from the outside world. Open port 443 for incoming tcp traffic as well (apache ssl). Opening port 993 is also a good idea for incoming tcp connections, as it facilitates imaps.

My /etc/shorewall/rules now looks like this (just to begin with: all firewall settings shown in this article are only meant to get you up and running; you might want to adjust them once you are done!):

#############################################################################################################
#ACTION SOURCE DEST PROTO DEST  SOURCE  ORIGINAL RATE  USER/
#                         PORT  PORT(S) DEST     LIMIT GROUP
ACCEPT net $FW tcp 25
ACCEPT net $FW tcp 443
ACCEPT net $FW tcp 993
ACCEPT net $FW udp 6277
#
# Accept DNS connections from the firewall to the network
#
DNS/ACCEPT $FW net
ACCEPT $FW net all
ACCEPT $FW loc all
ACCEPT loc $FW all
#
# Accept SSH connections from the local network for administration
#
SSH/ACCEPT loc $FW
#
# Allow Ping from the local network
#
Ping/ACCEPT loc $FW
#
# Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping/REJECT net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Restart the firewall:

/etc/init.d/shorewall restart

Next do:

/var/dcc/libexec/updatedcc

Now we configure your VPN Server.

Edit /etc/pptpd.conf. It should look like this now:

###############################################################################
# $Id: pptpd.conf 4255 2004-10-03 18:44:00Z rene $
#
# Sample Poptop configuration file /etc/pptpd.conf
#
# Changes are effective when pptpd is restarted.
###############################################################################

# TAG: ppp
# Path to the pppd program, default '/usr/sbin/pppd' on Linux
#
#ppp /usr/sbin/pppd

# TAG: option
# Specifies the location of the PPP options file.
# By default PPP looks in '/etc/ppp/options'
#
option /etc/ppp/pptpd-options

# TAG: debug
# Turns on (more) debugging to syslog
#
#debug

# TAG: stimeout
# Specifies timeout (in seconds) on starting ctrl connection
#
# stimeout 10

# TAG: noipparam
# Suppress the passing of the client's IP address to PPP, which is
# done by default otherwise.
#
#noipparam

# TAG: logwtmp
# Use wtmp(5) to record client connections and disconnections.
#
logwtmp

# TAG: bcrelay <if>
# Turns on broadcast relay to clients from interface <if>
#
#bcrelay eth1

# TAG: localip
# TAG: remoteip
# Specifies the local and remote IP address ranges.
#
# Any addresses work as long as the local machine takes care of the
# routing. But if you want to use MS-Windows networking, you should
# use IP addresses out of the LAN address space and use the proxyarp
# option in the pppd options file, or run bcrelay.
#
# You can specify single IP addresses separated by commas or you can
# specify ranges, or both. For example:
#
# 192.168.0.234,192.168.0.245-249,192.168.0.254
#
# IMPORTANT RESTRICTIONS:
#
# 1. No spaces are permitted between commas or within addresses.
#
# 2. If you give more IP addresses than MAX_CONNECTIONS, it will
# start at the beginning of the list and go until it gets
# MAX_CONNECTIONS IPs. Others will be ignored.
#
# 3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
# you must type 234-238 if you mean this.
#
# 4. If you give a single localIP, that's ok - all local IPs will
# be set to the given one. You MUST still give at least one remote
# IP for each simultaneous client.
#
# (Recommended)
localip 192.168.1.1
remoteip 192.168.1.10-30
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245

Next edit /etc/ppp/options. It should look like this:

asyncmap 0
noauth
lock
hide-password
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
noipx

Edit /etc/ppp/pptpd-options. It should look like this:

###############################################################################
# $Id: pptpd-options 4643 2006-11-06 18:42:43Z rene $
#
# Sample Poptop PPP options file /etc/ppp/pptpd-options
# Options used by PPP when a connection arrives from a client.
# This file is pointed to by /etc/pptpd.conf option keyword.
# Changes are effective on the next connection. See "man pppd".
#
# You are expected to change this file to suit your system. As
# packaged, it requires PPP 2.4.2 and the kernel MPPE module.
###############################################################################


# Authentication

# Name of the local system for authentication purposes
# (must match the second field in /etc/ppp/chap-secrets entries)
name pptp-vpn

# Optional: domain name to use for authentication
# domain mydomain.net

# Strip the domain prefix from the username before authentication.
# (applies if you use pppd with chapms-strip-domain patch)
#chapms-strip-domain


# Encryption
# Debian: on systems with a kernel built with the package
# kernel-patch-mppe >= 2.4.2 and using ppp >= 2.4.2, ...
# {{{
refuse-pap
refuse-chap
refuse-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
require-mppe-128
# }}}




# Network and Routing

# If pppd is acting as a server for Microsoft Windows clients, this
# option allows pppd to supply one or two DNS (Domain Name Server)
# addresses to the clients. The first instance of this option
# specifies the primary DNS address; the second instance (if given)
# specifies the secondary DNS address.
# Attention! This information may not be taken into account by a Windows
# client. See KB311218 in Microsoft's knowledge base for more information.
#ms-dns 10.0.0.1
ms-dns 192.168.0.1

# If pppd is acting as a server for Microsoft Windows or "Samba"
# clients, this option allows pppd to supply one or two WINS (Windows
# Internet Name Services) server addresses to the clients. The first
# instance of this option specifies the primary WINS address; the
# second instance (if given) specifies the secondary WINS address.
#ms-wins 10.0.0.3
ms-wins 192.168.0.1

# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system. This will have the effect of making the peer appear to other
# systems to be on the local ethernet.
# (you do not need this if your PPTP server is responsible for routing
# packets to the clients -- James Cameron)
proxyarp

# Debian: do not replace the default route
nodefaultroute


# Logging

# Enable connection debugging facilities.
# (see your syslog configuration for where pppd sends to)
#debug

# Print out all the option values which have been set.
# (often requested by mailing list to verify options)
#dump


# Miscellaneous

# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
# access.
lock

# Disable BSD-Compress compression
nobsdcomp
auth

Next, edit /etc/ppp/chap-secrets. It should look like this:

# Secrets for authentication using CHAP
# client	server	secret			IP addresses
user  pptp-vpn  abcdefg  "*"

Now do:

/etc/init.d/pptpd restart

You should now be able to set up a VPN connection to your new server from inside your firewall as "user" with password "abcdefg" (without the quotes). Change this initial username and password and add some users, if you like. You may have to reboot some machines to make it work.
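The pptpd-options and chap-secrets edits above are the whole security of this tunnel: everything except MS-CHAPv2 is refused and 128-bit MPPE is required, and the initial secret is a placeholder you are told to change. The POSIX shell script below is an added example (not from the tutorial, and not part of Poptop or pppd) that re-checks both files for exactly those points, so a later edit cannot silently re-enable PAP/CHAP, drop MPPE, or leave "abcdefg" in place. The two options files and the chap-secrets text inside it are constructed samples; point the functions at `cat /etc/ppp/pptpd-options` and `cat /etc/ppp/chap-secrets` to audit the real ones.

```shell
#!/bin/sh
# Added example, not from the tutorial and not part of Poptop or pppd: check
# that a pptpd-options file still carries the authentication and encryption
# lines required above (PAP/CHAP/MSCHAPv1 refused, MS-CHAPv2 plus 128-bit
# MPPE required), and that chap-secrets no longer holds the tutorial's
# placeholder password. All inputs below are constructed samples.

# Effective (uncommented) lines of the hardened file shown above.
SAMPLE_OPTIONS='name pptp-vpn
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 192.168.0.1
proxyarp
nodefaultroute
lock
nobsdcomp
auth'

# The same file after a careless edit: CHAP is no longer refused and MPPE
# has been commented out, so a tunnel could come up unencrypted.
WEAK_OPTIONS='name pptp-vpn
refuse-pap
refuse-mschap
require-mschap-v2
#require-mppe-128
auth'

REQUIRED_OPTIONS='refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128 auth'

# Print each required option that is absent as an active line; prints
# nothing when the file passes. Comments and surrounding whitespace are
# stripped first so "#require-mppe-128" does not count as present.
missing_pptpd_options() {
    active=$(printf '%s\n' "$1" | sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' | grep -v '^$' || true)
    for opt in $REQUIRED_OPTIONS; do
        printf '%s\n' "$active" | grep -qx "$opt" || printf '%s\n' "$opt"
    done
}

# Exit status 0 when nothing is missing, 1 otherwise.
pptpd_options_ok() {
    [ -z "$(missing_pptpd_options "$1")" ]
}

# Constructed chap-secrets: "user" still has the password from the tutorial.
SAMPLE_SECRETS='# client server secret IP addresses
user pptp-vpn abcdefg "*"
alice pptp-vpn Example-0nly-Secret "*"'

# Print the client names whose secret is still the placeholder "abcdefg".
placeholder_secret_users() {
    printf '%s\n' "$1" | awk '!/^[ \t]*#/ && NF >= 3 && $3 == "abcdefg" { print $1 }'
}

# Stand-alone run: report what the weak file lacks and who still has the
# placeholder secret.
missing_pptpd_options "$WEAK_OPTIONS"
placeholder_secret_users "$SAMPLE_SECRETS"
```

Run against the live files, a non-empty result from either function is the cue to fix the file before restarting pptpd, since pppd applies pptpd-options on the next connection.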

Now open your firewall for incoming vpn connections. To do this, set your /etc/shorewall/rules as shown.

My /etc/shorewall/rules at this time:

#############################################################################################################
#ACTION SOURCE DEST PROTO DEST  SOURCE  ORIGINAL RATE  USER/
#                         PORT  PORT(S) DEST     LIMIT GROUP
ACCEPT net $FW tcp 25
ACCEPT net $FW tcp 443
ACCEPT net $FW tcp 993
ACCEPT net $FW udp 6277
DNAT net fw:192.168.1.1 tcp 1723
DNAT net fw:192.168.1.1 47
#
# Accept DNS connections from the firewall to the network
#
DNS/ACCEPT $FW net
ACCEPT $FW net all
ACCEPT $FW loc all
ACCEPT loc $FW all
#
# Accept SSH connections from the local network for administration
#
SSH/ACCEPT loc $FW
#
# Allow Ping from the local network
#
Ping/ACCEPT loc $FW
#
# Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping/REJECT net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

To complete this step, do:

/etc/init.d/shorewall restart
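Both versions of /etc/shorewall/rules on this page grow by adding lines that admit traffic from the net zone (tcp 25, 443, 993, udp 6277, and now the DNAT entries for tcp 1723 and IP protocol 47, which is GRE, the carrier for the PPTP tunnel). The POSIX shell/awk helper below is an added example (not from the tutorial and not a Shorewall tool) that lists exactly those net-facing ACCEPT/DNAT rules so you can review what each edit exposes before restarting the firewall. The rules text inside it is a constructed sample in the column layout used above, and the script assumes that layout (ACTION SOURCE DEST PROTO DEST-PORT); feed it `cat /etc/shorewall/rules` to check the real file.

```shell
#!/bin/sh
# Added example, not from the HowtoForge tutorial and not a Shorewall tool:
# list every rule in a Shorewall rules file that admits traffic from the
# untrusted "net" zone, so the exposed surface can be reviewed after each
# edit. Assumes the column layout used on this page:
#   ACTION  SOURCE  DEST  PROTO  DEST-PORT ...

# Constructed sample in that layout (mirrors the rules above; $FW is literal
# text here because the string is single-quoted).
SAMPLE_RULES='#ACTION SOURCE DEST PROTO DEST
ACCEPT net $FW tcp 25
ACCEPT net $FW tcp 443
ACCEPT net $FW tcp 993
ACCEPT net $FW udp 6277
DNAT net fw:192.168.1.1 tcp 1723
DNAT net fw:192.168.1.1 47
DNS/ACCEPT $FW net
SSH/ACCEPT loc $FW
Ping/REJECT net $FW
ACCEPT loc $FW all
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE'

# Print "ACTION PROTO PORT" for each rule whose SOURCE is the net zone and
# whose action lets traffic through (ACCEPT or DNAT, including macro forms
# such as SSH/ACCEPT). Comments, blank lines and REJECT/DROP rules are skipped.
net_exposed_rules() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF == 0 { next }
        $2 != "net" { next }
        $1 !~ /(^|\/)(ACCEPT|DNAT)$/ { next }
        {
            proto = $4; port = $5
            # A bare number in the PROTO column opens a whole IP protocol;
            # 47 is GRE, which carries the PPTP tunnel (tcp/1723 is control).
            if (proto == "47") proto = "gre"
            if (port == "") port = "-"
            print $1, proto, port
        }'
}

# Number of net-facing ACCEPT/DNAT rules; a quick regression check
# ("did this edit open more than I intended?").
net_exposed_count() {
    net_exposed_rules "$1" | wc -l | tr -d ' '
}

# Stand-alone run: show the exposed rules of the sample.
net_exposed_rules "$SAMPLE_RULES"
```

Comparing `net_exposed_count` before and after an edit is the cheapest way to notice an unintended extra opening; the full listing is what you compare against the services you actually meant to publish (Postfix, Apache SSL, IMAPS, DCC, PPTP).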

So now your customers will be able to do their (computer network related) job at home as well.

Note that this only makes sense when your server has a reliable broadband connection to the internet, which in The Netherlands is the de facto standard, even for very tiny offices and most home addresses. In this respect we are way ahead of the rest of the world.

Now edit your /etc/MailScanner/spam.assassin.prefs.conf and add the following lines at the bottom:

score RCVD_IN_SORBS_WEB 10
score RCVD_IN_WHOIS_INVALID 10
score RCVD_IN_WHOIS_BOGONS 10
score RCVD_IN_NJABL_PROXY 10
score RCVD_IN_DSBL 10
score RCVD_IN_XBL 10
score RCVD_IN_BL_SPAMCOP_NET 10
score RCVD_IN_SORBS_DUL 10
score SARE_LWSYMFMT 3
score SARE_MLB_Stock4 3
score SARE_BAYES_5x8 3
score SARE_BAYES_6x8 3
score URIBL_SC_SURBL 10
score URIBL_WS_SURBL 10
score URIBL_PH_SURBL 10
score URIBL_OB_SURBL 10
score URIBL_AB_SURBL 10
score URIBL_JP_SURBL 10
score URIBL_SBL 10
score ALL_TRUSTED 0

Now clean your /root directory. That's where all the downloads went.

Samba is installed. As every setup of Samba is unique, I can't help you out here. Don't know how to do it? This is a good starting point.

To complete all of this, do:

/etc/init.d/mailscanner restart

Now watch the spam reports in the headers of incoming mail (but make sure your users agree to this, as you will otherwise be violating postal and maybe other laws) to tune the scores from the last edit (and add some) until it works the way you like. False negatives, and even more so false positives, should draw your attention. When you are done you may wish to send most spam, if not all, to /dev/null.
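Tuning the score overrides above by eyeballing headers one message at a time is slow; what you actually want is a tally of which rules fire, and how often, across a batch of mail. The POSIX shell/awk script below is an added example (not from the tutorial, and not a MailScanner or SpamAssassin tool) that produces that tally from spam-check headers. The three headers inside it are constructed samples, and the layout it parses ("score=N, required M, RULE score, RULE score, ...") is an assumption about MailScanner's SpamCheck header; adjust the field handling if your installation formats it differently.

```shell
#!/bin/sh
# Added example, not from the tutorial and not a MailScanner or SpamAssassin
# tool: tally which SpamAssassin rules fire across the spam-check headers of
# incoming mail, so you can see which of the score overrides above actually
# bite and where false positives come from. The header layout assumed here,
#   X-...-MailScanner-SpamCheck: <verdict>, SpamAssassin (score=N, required M,
#                                RULE score, RULE score, ...)
# is an assumption about MailScanner's output; adjust the field parsing if
# your installation formats it differently.

# Constructed sample: spam-check headers from three messages.
SAMPLE_HEADERS='X-Example-MailScanner-SpamCheck: spam, SpamAssassin (score=21.5, required 5, RCVD_IN_XBL 10.00, URIBL_SC_SURBL 10.00, HTML_MESSAGE 0.00)
X-Example-MailScanner-SpamCheck: not spam, SpamAssassin (score=-2.6, required 5, ALL_TRUSTED 0.00, BAYES_00 -2.60)
X-Example-MailScanner-SpamCheck: spam, SpamAssassin (score=13.1, required 5, RCVD_IN_XBL 10.00, SARE_MLB_Stock4 3.00)'

# Print "count RULE" pairs, most frequent first (ties ordered by rule name).
rule_hit_counts() {
    printf '%s\n' "$1" | awk -F'[(),]' '
        /SpamCheck:/ {
            for (i = 1; i <= NF; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", $i)
                # Rule entries look like "NAME score"; "score=..." and
                # "required N" do not match this shape and are ignored.
                if ($i ~ /^[A-Za-z][A-Za-z0-9_]* -?[0-9]+\.[0-9]+$/) {
                    split($i, parts, " ")
                    hits[parts[1]]++
                }
            }
        }
        END { for (r in hits) print hits[r], r }' | sort -k1,1nr -k2,2
}

# Number of messages on which one named rule fired (0 if it never did).
rule_hits() {
    rule_hit_counts "$1" | awk -v r="$2" '$2 == r { print $1; found = 1 } END { if (!found) print 0 }'
}

# Stand-alone run: show the tally for the sample headers.
rule_hit_counts "$SAMPLE_HEADERS"
```

To use it on real mail, pipe the SpamCheck lines out of a mailbox (for example with `grep -h 'MailScanner-SpamCheck:'` over the spy account's Maildir files) into the first argument. A rule such as ALL_TRUSTED showing up on most messages is the kind of signal that tells you a score override, or the trusted-networks setting behind it, needs another look.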

Make this spy job easy: create a special account to which you send a copy of all mail handled by your server. Let's assume you create this user and call it "spy" (without quotes) and that you have given spy a line in /etc/postfix/virtual (like "spy@yourdomain.com    spy", without quotes). Next do:

postmap /etc/postfix/virtual

Now send spy a welcome message, as a rule of thumb, and check that spy's account is fully operational. Next do:

postconf -e 'always_bcc = spy' 

DONE!


Submitted by buhcia (registered user) on Wed, 2007-06-06 14:18.

This work is very helpful, but for novice it can be added (Page 8, before words

"To complete this step, do:

/etc/init.d/shorewall restart")

because if I establish VPN connection then I get new zone. I added:

To add in file /etc/shorewall/policy before the last line:

##### Added for support VPN connections

vpn loc ACCEPT

vpn $FW ACCEPT

loc vpn ACCEPT

$FW vpn ACCEPT

To add in file /etc/shorewall/zones before the last line:

vpn ipv4

To add in file /etc/shorewall/interfaces before the last line:

vpn ppp0

It was necessary to my system to allow VPN connections from Internet.

Sorry for dumb question, but why in /etc/shorewall/rules exists a line

DNAT   net   fw:192.168.1.1 47

I can't find the protocol 47 anywhere

Sincerely yours, buhcia2006 dog yandex dot ru

Submitted by undertaker (registered user) on Mon, 2006-12-18 00:46.

a lot of lines in policy file.. i'm using simpler version.. is this any less secure??

$FW    all    ACCEPT
loc    all    ACCEPT
all    all    DROP    info