How To Install And Configure Dansguardian With Multi-Group Filtering And Squid With NTLM Auth On Debian Etch
This how-to describes how to install and configure Dansguardian with multi-group filtering, Squid with NTLM auth, ipmasq, and dnsmasq to provide a full internet gateway solution for small to medium sized networks. This how-to requires two NICs in order to preform firewalling and transparent proxying.
Install Debian Etch with the base system only.
Configure the base system
This how-to assumes you have the following configured:
eth0 with a static or dynamic IP as the external NIC and eth1 with the static address of 192.168.1.1/24 as the internal NIC
The base system install does not install SSH so we will do that now.
apt-get install ssh openssh-server
Now that SSH is installed you can finish the rest of this how-to
from within an SSH session if you wish.
ClamAV in Etch has a bug in that when you start Dansguardian it takes a long time to load. We are going to set Apt to get a newer version of ClamAV from Debian Backports to avoid this.
Edit and add the following line to your /etc/apt/sources.lst:
deb http://download.webmin.com/download/repository sarge contrib deb http://www.backports.org/debian etch-backports main contrib non-free
Adding the following info in /etc/apt/preferences tells Apt to only get ClamAV from backports.org.
Note: If a newer version then "0.91.2" of ClamAV comes out for Etch that fixes the bug then you may not have to preform this step.
Edit /etc/apt/preferences and enter the following:
Package: clamav Pin: release a=etch-backports Pin-Priority: 999 Package: clamav-base Pin: release a=etch-backports Pin-Priority: 999 Package: clamav-freshclam Pin: release a=etch-backports Pin-Priority: 999 Package: libclamav2 Pin: release a=etch-backports Pin-Priority: 999
Update Apt, install some software, and configure Kerberos...
apt-get install debian-backports-keyring
apt-get install dnsmasq webmin squid dansguardian samba winbind krb5-user libcompress-zlib-perl resolvconf ntp ntpdate
You will be asked the following questions:
Note: The answers to these questions are case sensitive. You must answer them as in the example below.
Please specify the workgroup you want this server to appear to be in when queried by clients. <-- EXAMPLEDOMAIN
Modify smb.conf to use WINS settings from DHCP? <-- No
Kerberos servers for your realm: <-- domaincontroller.EXAMPLEDOMAIN.LOCAL
Administrative server for your Kerberos realm: <-- domaincontroller.EXAMPLEDOMAIN.LOCAL
And again some more questions.
Default Kerberos version 5 realm: <-- EXAMPLEDOMAIN.LOCAL
Does DNS contain pointers to your realm's Kerberos Servers? <-- Yes
Configure resolvconf and dnsmasq
Many internet connections are dynamic and because of this it can cause Kerberos to fail when the DNS servers are updated by pppd or dhcp. We installed resolvconf earlier which will help us solve the problem.
Edit /etc/resolvconf/resolv.conf.d/head and add search exampledomain.local to line 3.
DNSmasq is a small dns forwarder and dhcp server which integrates into resolvconf
We need to verify that we have the right name servers in /var/run/dnsmasq/resolv.conf
Edit it to look like the example below.
nameserver <IP of domain controller> nameserver <IP of primary ISP DNS server> nameserver <IP of secondary ISP DNS server>
DNSmasq's config file needs to be modified for best preformance and security. Edit /etc/dnsmasq.conf make the nessisary changes listed below.
nano -c /etc/dnsmasq.conf
Uncomment lines 14 and 16
Uncomment line 71 and add eth0 to the end of the line.
Currently dnsmasq's DHCP feature is disabled but if you would like to use this feature then I would suggest starting at line 100 as the DHCP options start there. There are also some advanced options for DNS starting on line 307, such as configuring MX records and the like. Many more options are available but are beyond the scope of this how-to.
Set the domain controller as the time server
nano -c /etc/ntp.conf
Comment out lines 19 through 22 of /etc/ntp.conf and insert the following on line 23:
server domaincontroller.exampledomain.local iburst
Configure Samba and join the domain
First make a copy of your /etc/samba/smb.conf and then edit it.
cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
nano -c /etc/samba/smb.conf
Enter on line 53 interfaces = 192.168.1.1/255.255.255.0.
Uncomment line 59.
Uncomment line 91 and change to security = ads.
Uncomment lines 204 and 205.
Add the following lines before line 217:
winbind trusted domains only = yes realm = EXAMPLEDOMAIN.LOCAL winbind cache time = 3600
Restart samba, winbind and synchronize the time with the domain controller.
net time set -S domaincontroller
Now join the domain
net ads join -U Administrator
If all went well you should be able to run the following with success.
The output should be "checking the trust secret via RPC calls succeeded"
This should list all users in the domain.
This should list all of the groups in the domain.