Set Up Ubuntu-Server 6.06 LTS As A Firewall/Gateway For Your Small Business Environment
Includes: Shorewall, NAT, Caching NameServer, DHCP Server, VPN Server, Webmin, Munin, Apache (SSL enabled), Squirrelmail, Postfix setup with virtual domains, courier imap imaps pop3 pop3s, sasl authentication for road warriors, MailScanner as a wrapper for SpamAssassin, Razor, ClamAV, etc. Samba installed, not configured.
Needs very little maintenance and is extendable beyond your wildest imagination. All depending on the hardware used, of course.
This is just a COPY&PASTE howto. For more info use the net. I did... However, contributions and suggestions are allways welcome! I know this can be done better, so feel free.
I should have based this tuto on 6.06 LTS right away, because of the LTS. Sorry for that. Due to some minor but important changes needed to make this work with Ubuntu 6.06 LTS, I wrote it again.
If anyone of you can find the time to add a good install and config for snort AND snortsam, including a comprehensive control pannel, I would be grateful.
Scope: creating a firewall/(mail)gateway for a small network (say 10 to 15 users or so on a PIII 450MHz, 512 MB ram and two identical network interface cards, broadband connection, fully featured, for a business environment. Better specs of your hardware (notably the amount of ram) will improve the performance of your server significantly. The specs mentioned ar a bare minimum for not so demanding customers, yust to indicate that if you really want, it can be done indeed (need to do some tweaking afterwards though).
Expected audience: (beginning) sysop.
This tuto leads towards a solid 'ready to go' sytem. The fun part, I think, (tweaking and tuning etc.) starts when you are done. You may wish to inspect your logs to find clues as to where the tuning should start. Munin might tell you a lot as well.
Have Fun!
First, do a clean install using Ubuntu-Server 6.06 LTS. During installation, proper settings for eth0 will be detected automatically. If this fails, change your network cables and try again. There is a very small chance that your ISP does not run a DHCP server (never seen that happen), or it just might be down (seen that quite a few times, also they may screw up their DNS every now and then), in which case you are on your one, best to wait till they are done fixing it. So we start out with a DHCP assigned address for eth0. This is just an easy way to figure out which NIC is actually eth0. If you already know which is which you better start out with a static address for eth0. If your ISP isn't crappy, you have the proper settings for it.
Now proceed and accept all defaults (but you may want to do your own partitioning), don't install LAMP.
Now login as the new user you just created and do:
sudo passwd
Now enter your password again. Next enter the new password for user "root" and confirm. So we dropped the nasty sudo experience (bit strange on a server, isn’t it?) Now logout and login again as root with the new root password.
Using vim (or your favorite editor) edit /etc/apt/sources.list. Comment out the cd repository. Next add "universe" (without the quotes) to all lines that aren't commented out and uncomment the backport repositorys. Save the file.
Edit /etc/network/interfaces and add the following at the bottom:
auto eth1 iface eth1 inet static address 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255 network 192.168.1.0
Note that the rest of this tuto assumes that you actually make the settings for eth1 as shown.
My full/etc/network/interfaces looks like this:
# This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). # The loopback network interface auto lo iface lo inet loopback # The primary network interface auto eth0 iface eth0 inet dhcp auto eth1 iface eth1 inet static address 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255 network 192.168.1.0
As you can see my eth0 gets its settings using DHCP.
Save the file. Next do:
apt-get update
apt-get install openssh-server
apt-get upgrade
During the upgrade process a new kernel image is installed. So next do:
reboot
The rest of this you can do from your workstation, either linux or the other one (must have putty), so you can actually copy and paste. Just login to 192.168.1.1 as root and get on with it.
Make sure that the network settings of your workstation match the settings of your server's eth1
If you are confused here, first configure and start your DHCP server as shown in this article, and let your workstation detect proper settings automatically.