Set Up Ubuntu-Server 6.10 As A Firewall/Gateway For Your Small Business Environment - Page 10

Submitted by tycho on Sat, 2006-11-18 22:20.

Now edit /etc/default/mailscanner. It should look like this:

# This sets how many days files will remain in the "quarantine" area before
# being automatically removed.
#
q_days=7
#
# This sets how much the priority of the mailscanner daemon should be
# reduced by (i.e. "nice -X").  Since it is a batch oriented task,
# it can easily give up some CPU cycles to more interactive
# tasks.
#
run_nice=5
#
# Uncomment this line once MailScanner has been fully configured.
#
run_mailscanner=1

Next edit /etc/courier/imapd-ssl and change the following:

TLS_CERTFILE=/etc/apache2/ssl/apache.pem

Now do the same with your /etc/courier/pop3d-ssl.

Next do:

shutdown -r now

and wait until it is up again.

Now send each real user a welcome message. Delivering that first message creates the Maildir structure in their home directories, which Courier needs before they can log in to their accounts. You can use Webmin's Postfix module for this.

No need to send anything to their aliases.
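The HowTo creates each user's Maildir by delivering a welcome message. As an added example (not part of the original article or of Courier), the script below pre-creates the same Maildir layout (Maildir/cur, new, tmp) directly, with mode 0700 so other local users cannot read the mailbox. The definition of a "real" user (UID 1000 or higher, login shell not nologin/false) and the sample passwd data in the usage note are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the HowTo: pre-create the Maildir that Courier
# IMAP/POP expects, instead of relying on a welcome message to create it.
# "Real" users come from a passwd-format file: UID >= 1000 and a login shell
# that is not nologin/false (threshold and shell test are assumptions here).
# Usage (as root, so the chown applies): make_maildirs /etc/passwd /home

# Print the login names of real users found in a passwd-format file.
real_users() {
    awk -F: '$3 >= 1000 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Create <homeroot>/<user>/Maildir/{cur,new,tmp} for every real user.
# Prints the number of Maildirs created; existing ones are left untouched.
make_maildirs() {
    passwd_file=$1
    homeroot=$2
    created=0
    for u in $(real_users "$passwd_file"); do
        md="$homeroot/$u/Maildir"
        if [ -d "$md" ]; then
            continue
        fi
        mkdir -p "$md/cur" "$md/new" "$md/tmp"
        # Mail is private: owner-only access on the whole tree.
        chmod 700 "$md" "$md/cur" "$md/new" "$md/tmp"
        # Only root can hand the tree to its owner; report instead of failing
        # when the account does not exist on this host (e.g. a test run).
        if [ "$(id -u)" -eq 0 ]; then
            chown -R "$u:" "$md" 2>/dev/null \
                || echo "warning: could not chown $md to $u" >&2
        fi
        created=$((created + 1))
    done
    echo "$created"
}
```

Run it once after creating the accounts; a second run reports 0 because every Maildir already exists, so it is safe to re-run after adding users.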

Your webmail server is at https://your.domain/webmail (send those welcome messages first!).

Munin is at http://your.domain/munin

Webmin is at https://your.domain:10000

If you haven't set any domains, use https://192.168.1.1/webmail etc.

Check that you can log in to your webmail and actually send and receive mail within your local network.

If you're satisfied, open port 25 on your firewall for incoming TCP traffic (Postfix) and port 6277 for incoming UDP traffic (DCC).

You may wish to make your webmail server available to your users from the outside world. In that case, open port 443 (Apache SSL) for incoming TCP traffic as well. Opening TCP port 993 is also a good idea, as it allows IMAPS connections.

My /etc/shorewall/rules now looks like this. (Just to begin with: all firewall settings shown in this article are only meant to get you up and running; you may want to adjust them once you are done!)

#############################################################################################################
#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/
#							PORT	PORT(S)		DEST		LIMIT		GROUP
#
#	Accept SMTP, HTTPS and DCC from the net to the firewall
#
ACCEPT	net	$FW	tcp	25
ACCEPT	net	$FW	tcp	443
ACCEPT	net	$FW	udp	6277
#
#	Accept DNS connections from the firewall to the network
#
DNS/ACCEPT	$FW		net
#
#	Accept SSH connections from the local network for administration
#
SSH/ACCEPT	loc		$FW
#
#	Allow Ping from the local network
#
Ping/ACCEPT	loc		$FW
#
# Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping/REJECT	net		$FW
ACCEPT		$FW		loc		icmp
ACCEPT		$FW		net		icmp
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Restart the firewall:

/etc/init.d/shorewall restart

Next do:

/var/dcc/libexec/updatedcc

Now we configure your VPN Server.

Edit /etc/pptpd.conf. It should look like this now:

###############################################################################
# $Id: pptpd.conf 4255 2004-10-03 18:44:00Z rene $
#
# Sample Poptop configuration file /etc/pptpd.conf
#
# Changes are effective when pptpd is restarted.
###############################################################################
# TAG: ppp
#	Path to the pppd program, default '/usr/sbin/pppd' on Linux
#
#ppp /usr/sbin/pppd
# TAG: option
#	Specifies the location of the PPP options file.
#	By default PPP looks in '/etc/ppp/options'
#
option	/etc/ppp/options.pptpd
# TAG: debug
#	Turns on (more) debugging to syslog
#
#debug
# TAG: stimeout
#	Specifies timeout (in seconds) on starting ctrl connection
#
# stimeout 10
# TAG: noipparam
#       Suppress the passing of the client's IP address to PPP, which is
#       done by default otherwise.
#
#noipparam
# TAG: logwtmp
#	Use wtmp(5) to record client connections and disconnections.
#
# logwtmp        ## comment this out!! broken deb package!!
# TAG: bcrelay 
#	Turns on broadcast relay to clients from interface 
#
#bcrelay eth1
# TAG: localip
# TAG: remoteip
#	Specifies the local and remote IP address ranges.
#
#       Any addresses work as long as the local machine takes care of the
#       routing.  But if you want to use MS-Windows networking, you should
#       use IP addresses out of the LAN address space and use the proxyarp
#       option in the pppd options file, or run bcrelay.
#
#	You can specify single IP addresses separated by commas or you can
#	specify ranges, or both. For example:
#
#		192.168.0.234,192.168.0.245-249,192.168.0.254
#
#	IMPORTANT RESTRICTIONS:
#
#	1. No spaces are permitted between commas or within addresses.
#
#	2. If you give more IP addresses than MAX_CONNECTIONS, it will
#	   start at the beginning of the list and go until it gets 
#	   MAX_CONNECTIONS IPs. Others will be ignored.
#
#	3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
#	   you must type 234-238 if you mean this.
#
#	4. If you give a single localIP, that's ok - all local IPs will
#	   be set to the given one. You MUST still give at least one remote
#	   IP for each simultaneous client.
#
# (Recommended)
localip	192.168.1.1
remoteip	192.168.1.90-99
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245
speed	115200
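The pptpd.conf comments above list the rules for localip/remoteip values: no spaces, no shortened range ends such as 234-8, and one remote address per simultaneous client. The shell functions below are an added example (not from the HowTo or from Poptop) that expand such a value into the addresses it actually grants and reject the malformed forms, so you can see how many VPN clients a line like "remoteip 192.168.1.90-99" will serve before restarting pptpd.

```shell
#!/bin/sh
# Added example, not part of the HowTo: expand a pptpd "localip"/"remoteip"
# value into individual addresses, enforcing the restrictions quoted in the
# pptpd.conf comments (no spaces, a.b.c.d or a.b.c.d-e items, range end not
# below its start). Prints one address per line; returns 1 with a message on
# stderr for invalid input.

# Return 0 if $1 is a decimal number in 0..255.
octet_ok() {
    case $1 in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$1" -le 255 ]
}

# Return 0 if $1 is exactly three valid octets, e.g. 192.168.1
prefix_ok() {
    saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$saved_ifs
    [ $# -eq 3 ] || return 1
    for o; do
        octet_ok "$o" || return 1
    done
}

expand_remoteip() {
    list=$1
    case $list in
        *[[:space:]]*)
            echo "error: no spaces are permitted in '$list'" >&2
            return 1 ;;
    esac
    saved_ifs=$IFS
    IFS=,
    set -- $list
    IFS=$saved_ifs
    for item; do
        prefix=${item%.*}              # a.b.c
        last=${item##*.}               # d or d-e
        case $last in
            *-*) start=${last%%-*}; end=${last#*-} ;;
            *)   start=$last; end=$last ;;
        esac
        if [ "$prefix" = "$item" ] || ! prefix_ok "$prefix" \
           || ! octet_ok "$start" || ! octet_ok "$end"; then
            echo "error: '$item' is not an a.b.c.d address or a.b.c.d-e range" >&2
            return 1
        fi
        # "234-8" reads as end 8 < start 234: the shortcut pptpd forbids.
        if [ "$end" -lt "$start" ]; then
            echo "error: '$item': range end below start (write 234-238, not 234-8)" >&2
            return 1
        fi
        i=$start
        while [ "$i" -le "$end" ]; do
            echo "$prefix.$i"
            i=$((i + 1))
        done
    done
}

# Number of simultaneous VPN clients a remoteip value can serve (one address each).
count_remoteip() {
    expand_remoteip "$1" | awk 'END { print NR }'
}
```

With the value used in this article, count_remoteip 192.168.1.90-99 reports 10, so at most ten clients can be connected at once; a larger office needs a longer range, and every address must be kept out of the DHCP pool used on the LAN.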

Next edit /etc/ppp/options. It should look like this:

lock

Now do:

touch /etc/ppp/options.pptpd

Now edit /etc/ppp/options.pptpd. It should look like this:

lock
ms-dns 192.168.1.1
ms-wins 192.168.1.1
domain your.domain.here
debug
name pptp-vpn
auth
proxyarp
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
chapms-strip-domain
lcp-echo-failure 10
lcp-echo-interval 30
nobsdcomp

Next, edit /etc/ppp/chap-secrets. It should look like this:

# Secrets for authentication using CHAP
# client	server	secret			IP addresses
user  pptp-vpn  abcdefg  "*"

Now do:

/etc/init.d/pptpd restart

You should now be able to set up a VPN connection from inside your firewall as "user" with password "abcdefg" (without the quotes). Change this initial username and password and add some users if you like. You may have to reboot some machines to make it work.
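Before port 1723 is opened to the net, it is worth checking that /etc/ppp/chap-secrets is readable by root only (it holds the VPN passwords in clear text) and that the placeholder login from this page is gone. The functions below are an added example, not part of the HowTo or of pppd; the 12-character minimum length is an assumption chosen for the example, not a pppd requirement, and the sample file in the test is constructed.

```shell
#!/bin/sh
# Added example, not part of the HowTo: sanity checks for /etc/ppp/chap-secrets
# before pptpd is reachable from the net. The file holds clear-text passwords,
# so it must be mode 0600, and the tutorial's placeholder (user / abcdefg) must
# not survive into production. The 12-character minimum is an assumption.

# Return 0 if the file is readable and writable by its owner only (-rw-------).
check_chap_mode() {
    perms=$(ls -ld "$1" | cut -c1-10)
    [ "$perms" = "-rw-------" ]
}

# Print one finding per line for placeholder or short secrets; return 1 if any.
# Columns are: client server secret IP-addresses (quotes are kept as typed).
check_chap_entries() {
    findings=0
    while read -r client server secret addrs; do
        case $client in
            '' | \#*) continue ;;        # blank line or comment
        esac
        if [ "$client" = user ] && [ "$secret" = abcdefg ]; then
            echo "$client: still uses the tutorial's placeholder password"
            findings=$((findings + 1))
        elif [ "${#secret}" -lt 12 ]; then
            echo "$client: secret is only ${#secret} characters long"
            findings=$((findings + 1))
        fi
    done < "$1"
    [ "$findings" -eq 0 ]
}

# Generate a 24-character alphanumeric secret from the kernel RNG, for use in
# the third column when replacing the placeholder.
new_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24
}

# Run every check; exit status 0 means nothing was found.
audit_chap_secrets() {
    rc=0
    check_chap_mode "$1" || { echo "$1: mode is not 0600"; rc=1; }
    check_chap_entries "$1" || rc=1
    return $rc
}
```

Run audit_chap_secrets /etc/ppp/chap-secrets as root; fix any finding with chmod 600 and by replacing the secret with the output of new_secret, then restart pptpd as shown above.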

Now open your firewall for vpn connections. To do this, set your /etc/shorewall/rules as shown.

My /etc/shorewall/rules at this time:

#############################################################################################################
#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/
#							PORT	PORT(S)		DEST		LIMIT		GROUP
#
#	Accept SMTP, HTTPS, IMAPS and DCC from the net to the firewall
#
ACCEPT	net	$FW	tcp	25
ACCEPT	net	$FW	tcp	443
ACCEPT	net	$FW	tcp	993
ACCEPT	net	$FW	udp	6277
#
#	PPTP: control connection (tcp 1723) and GRE (protocol 47) to the VPN server
#
DNAT	net	loc:192.168.1.1	tcp	1723
DNAT	net	loc:192.168.1.1	47
#
#	Accept DNS connections from the firewall to the network
#
DNS/ACCEPT	$FW		net
#
#	Accept SSH connections from the local network for administration
#
SSH/ACCEPT	loc		$FW
#
#	Allow Ping from the local network
#
Ping/ACCEPT	loc		$FW
#
# Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
#

To complete this step, do:

/etc/init.d/shorewall restart
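Both rules listings on this page are meant to admit exactly the ports the text names from the net zone: 25/tcp, 443/tcp, 6277/udp, later also 993/tcp, 1723/tcp and GRE (protocol 47). As an added example (not part of the HowTo or of Shorewall), the functions below summarise what a rules file actually admits from "net" and flag anything outside an allow-list, so the file can be reviewed before the restart. Only the columns this article uses (ACTION SOURCE DEST PROTO DEST-PORT) are read; the rules file in the test is constructed and deliberately contains one extra line.

```shell
#!/bin/sh
# Added example, not part of the HowTo: list what a Shorewall rules file admits
# from the "net" zone and compare it with the intended allow-list. Reads the
# columns ACTION SOURCE DEST PROTO DEST-PORT; macro actions such as Ping/REJECT
# or SSH/ACCEPT are split on "/" and judged by their verb.

# Print "VERB DEST PROTO PORT" for every ACCEPT or DNAT rule whose source is net.
list_net_exposure() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        $2 == "net" {
            split($1, a, "/")                    # "Ping/REJECT" -> verb REJECT
            verb  = (a[2] == "") ? a[1] : a[2]
            proto = ($4 == "") ? "all" : $4
            port  = ($5 == "") ? "-" : $5
            if (verb == "ACCEPT" || verb == "DNAT")
                printf "%s %s %s %s\n", verb, $3, proto, port
        }
    ' "$1"
}

# Print the net-facing rules that are not in the allow-list given as further
# arguments (tcp/25, udp/6277, or a bare protocol number such as 47 for GRE).
# Returns 0 when nothing unexpected is admitted.
unexpected_exposure() {
    file=$1
    shift
    allowed=" $* "
    out=$(list_net_exposure "$file" | while read -r verb dest proto port; do
        if [ "$port" = "-" ]; then key=$proto; else key="$proto/$port"; fi
        case $allowed in
            *" $key "*) ;;
            *) echo "$verb $dest $key" ;;
        esac
    done)
    if [ -z "$out" ]; then
        return 0
    fi
    printf '%s\n' "$out"
    return 1
}
```

A typical check before restarting is: unexpected_exposure /etc/shorewall/rules tcp/25 tcp/443 tcp/993 udp/6277 tcp/1723 47. It prints nothing and returns 0 when the file matches the intended list; any line it does print is a rule that admits traffic from the internet which the plan did not call for.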

So now your customers will be able to do their job at home as well.

Note that this only makes sense when your server has a reliable broadband connection to the internet, which in The Netherlands is the de facto standard, even for very tiny offices and most home addresses. In this respect we are way ahead of the rest of the world.

Submitted by buhcia (registered user) on Fri, 2007-06-08 09:38.

Sorry, I was not understandable and chose the wrong place to comment.

A. When I wrote /etc/shorewall/rules exactly as written here (page 10, up to the words "To complete this step, do: /etc/init.d/shorewall restart"), I couldn't establish a connection to my VPN server.

I had to add a new zone "vpn" in the following way. In /etc/shorewall/interfaces, before the last line:

vpn ppp0

In /etc/shorewall/zones, before the last line:

vpn ipv4

In /etc/shorewall/policy, before the last line:

##### for VPN
vpn	loc	ACCEPT
vpn	$FW	ACCEPT
loc	vpn	ACCEPT
$FW	vpn	ACCEPT

And modify in /etc/shorewall/rules the line:

DNAT net loc:192.168.1.1 tcp 1723

to the line:

DNAT net $FW:192.168.1.1 tcp 1723

After all that, the connection to the VPN server started working properly.

B. When I wrote in /etc/shorewall/rules, before the other rules:

LOG:warning:L2    net     loc:192.168.1.1    47

I found nothing in kern.log.

So I wonder, is protocol 47 necessary here in /etc/shorewall/rules?

I hope my comments help you to improve your brilliant HowTo.