Set Up Ubuntu-Server 6.10 As A Firewall/Gateway For Your Small Business Environment - Page 10
Now edit /etc/default/mailscanner. It should look like this:
# This sets how many days files will remain in the "quarantine" area before
# being automatically removed.
#
q_days=7
#
# This sets how much the priority of the mailscanner daemon should be
# reduced by (i.e. "nice -X"). Since it is a batch oriented task,
# there it can easily give up some CPU cycles to more interactive
# tasks.
#
run_nice=5
#
# Uncomment this line once MailScanner has been fully configured.
#
run_mailscanner=1
Next edit /etc/courier/imapd-ssl and change the following:
TLS_CERTFILE=/etc/apache2/ssl/apache.pem
Now do the same with your /etc/courier/pop3d-ssl.
Next do:
shutdown -r now
and wait until it is up again.
Now you have to send each real user a welcome message; this creates the Maildir structure in their home directories, which must exist before they can log in to their accounts. You can use Webmin's Postfix module for this.
No need to send anything to their aliases.
Your webmail server is located at https://your.domain/webmail (send those welcome messages first!).
Munin is at http://your.domain/munin
Webmin is at https://your.domain:10000
If you haven't set any domains, use https://192.168.1.1/webmail etc.
Check that you can log in to your webmail and actually send and receive mail within your local network.
If you're satisfied, open port 25 (Postfix/SMTP) on your firewall for incoming TCP traffic and port 6277 (DCC) for incoming UDP traffic.
You may wish to make your webmail server available to your users from the outside world.
Open port 443 (Apache SSL) for incoming TCP traffic as well. Opening TCP port 993 is also a good idea, as it allows IMAPS connections.
My /etc/shorewall/rules now looks like this (just to begin with: all firewall settings shown in this article are only meant to get you up and running; you might want to adjust them once you are done!):
#############################################################################################################
#ACTION    SOURCE    DEST    PROTO    DEST    SOURCE    ORIGINAL    RATE    USER/
#                                     PORT    PORT(S)   DEST        LIMIT   GROUP
#
#       Accept DNS connections from the firewall to the network
#
ACCEPT        net    $FW    tcp    25
ACCEPT        net    $FW    tcp    443
ACCEPT        net    $FW    udp    6277
DNS/ACCEPT    $FW    net
#
#       Accept SSH connections from the local network for administration
#
SSH/ACCEPT    loc    $FW
#
#       Allow Ping from the local network
#
Ping/ACCEPT   loc    $FW
#
#       Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping/REJECT   net    $FW
ACCEPT        $FW    loc    icmp
ACCEPT        $FW    net    icmp
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Restart the firewall:
/etc/init.d/shorewall restart
Next do:
/var/dcc/libexec/updatedcc
Now we configure your VPN Server.
Edit /etc/pptpd.conf. It should look like this now:
###############################################################################
# $Id: pptpd.conf 4255 2004-10-03 18:44:00Z rene $
#
# Sample Poptop configuration file /etc/pptpd.conf
#
# Changes are effective when pptpd is restarted.
###############################################################################

# TAG: ppp
#       Path to the pppd program, default '/usr/sbin/pppd' on Linux
#
#ppp /usr/sbin/pppd

# TAG: option
#       Specifies the location of the PPP options file.
#       By default PPP looks in '/etc/ppp/options'
#
option /etc/ppp/options.pptpd

# TAG: debug
#       Turns on (more) debugging to syslog
#
#debug

# TAG: stimeout
#       Specifies timeout (in seconds) on starting ctrl connection
#
# stimeout 10

# TAG: noipparam
#       Suppress the passing of the client's IP address to PPP, which is
#       done by default otherwise.
#
#noipparam

# TAG: logwtmp
#       Use wtmp(5) to record client connections and disconnections.
#
# logwtmp    ## comment this out!! broken deb package!!

# TAG: bcrelay
#       Turns on broadcast relay to clients from interface
#
#bcrelay eth1

# TAG: localip
# TAG: remoteip
#       Specifies the local and remote IP address ranges.
#
#       Any addresses work as long as the local machine takes care of the
#       routing. But if you want to use MS-Windows networking, you should
#       use IP addresses out of the LAN address space and use the proxyarp
#       option in the pppd options file, or run bcrelay.
#
#       You can specify single IP addresses separated by commas or you can
#       specify ranges, or both. For example:
#
#               192.168.0.234,192.168.0.245-249,192.168.0.254
#
#       IMPORTANT RESTRICTIONS:
#
#       1. No spaces are permitted between commas or within addresses.
#
#       2. If you give more IP addresses than MAX_CONNECTIONS, it will
#          start at the beginning of the list and go until it gets
#          MAX_CONNECTIONS IPs. Others will be ignored.
#
#       3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
#          you must type 234-238 if you mean this.
#
#       4. If you give a single localIP, that's ok - all local IPs will
#          be set to the given one. You MUST still give at least one remote
#          IP for each simultaneous client.
#
# (Recommended)
localip 192.168.1.1
remoteip 192.168.1.90-99
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245
speed 115200
Next edit /etc/ppp/options. It should look like this:
lock
Now do:
touch /etc/ppp/options.pptpd
Now edit /etc/ppp/options.pptpd. It should look like this:
lock
ms-dns 192.168.1.1
ms-wins 192.168.1.1
domain your.domain.here
debug
name pptp-vpn
auth
proxyarp
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
chapms-strip-domain
lcp-echo-failure 10
lcp-echo-interval 30
nobsdcomp
Next, edit /etc/ppp/chap-secrets. It should look like this:
# Secrets for authentication using CHAP
# client        server          secret          IP addresses
user            pptp-vpn        abcdefg         "*"
Now do:
/etc/init.d/pptpd restart
You should now be able to set up a VPN connection from inside your firewall as "user" with password "abcdefg" (without the quotes). Change this initial username and password and add some users, if you like. You may have to reboot some machines to make it work.
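Before the VPN is opened to the outside world it is worth checking that the pppd settings above really took effect. The script below is an added example, not part of the original article: it audits an options.pptpd file for the lines that refuse PAP, CHAP and MS-CHAPv1 and require MS-CHAPv2 with 128-bit MPPE, and checks that chap-secrets, which holds passwords in clear text, is readable by root only. The function names and the sample files it writes are constructed for this example; point the functions at /etc/ppp/options.pptpd and /etc/ppp/chap-secrets to audit the real files.

```shell
#!/bin/sh
# Added example (not from the original article): audit pppd/pptpd settings.
# Functions take file paths as arguments so they run against the constructed
# samples below as well as against /etc/ppp/options.pptpd and /etc/ppp/chap-secrets.

# Options that must appear, uncommented, in options.pptpd.
REQUIRED_PPP_OPTIONS="refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128"

# audit_ppp_options FILE
# Prints "missing: <option>" for each required option that is absent or
# commented out; returns 0 only when all of them are present.
audit_ppp_options() {
    file="$1"
    missing=0
    for opt in $REQUIRED_PPP_OPTIONS; do
        # The option must start a line (after optional whitespace) and be a
        # whole word, so "#refuse-pap" or "require-mschap" do not count.
        if ! grep -qE "^[[:space:]]*$opt([[:space:]]|\$)" "$file"; then
            echo "missing: $opt"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# audit_chap_secrets FILE
# Returns 0 when the file is not readable by group or others (mode 600 or
# stricter); otherwise prints the fix and returns 1.
audit_chap_secrets() {
    file="$1"
    # GNU stat prints the octal mode with -c %a, BSD stat with -f %Lp.
    mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    mode=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/')   # keep the last three digits
    group=$(printf '%s' "$mode" | cut -c2)
    other=$(printf '%s' "$mode" | cut -c3)
    if [ "$group" != "0" ] || [ "$other" != "0" ]; then
        echo "$file has mode $mode; run: chmod 600 $file"
        return 1
    fi
    return 0
}

# make_samples: writes constructed sample files (not the article's files)
# into a temporary directory and prints the directory name.
make_samples() {
    dir=$(mktemp -d)
    # Hardened options, as listed in the article.
    printf '%s\n' lock 'ms-dns 192.168.1.1' 'name pptp-vpn' auth proxyarp \
        refuse-pap refuse-chap refuse-mschap require-mschap-v2 \
        require-mppe-128 chapms-strip-domain > "$dir/options.good"
    # Weak variant: refuse-pap commented out and MPPE not required.
    printf '%s\n' lock 'name pptp-vpn' auth '#refuse-pap' refuse-chap \
        refuse-mschap require-mschap-v2 > "$dir/options.weak"
    # chap-secrets with the article's initial user, deliberately world-readable.
    printf '# client\tserver\tsecret\tIP addresses\nuser\tpptp-vpn\tabcdefg\t"*"\n' \
        > "$dir/chap-secrets"
    chmod 644 "$dir/chap-secrets"
    echo "$dir"
}

# run_demo: stand-alone demonstration against the constructed samples.
run_demo() {
    dir=$(make_samples)
    echo "== options.good";            audit_ppp_options "$dir/options.good" && echo "ok"
    echo "== options.weak";            audit_ppp_options "$dir/options.weak" || echo "FAIL"
    echo "== chap-secrets, mode 644";  audit_chap_secrets "$dir/chap-secrets" || echo "FAIL"
    chmod 600 "$dir/chap-secrets"
    echo "== chap-secrets, mode 600";  audit_chap_secrets "$dir/chap-secrets" && echo "ok"
    rm -rf "$dir"
    return 0
}
run_demo
```

Running it on the real files is a matter of `audit_ppp_options /etc/ppp/options.pptpd && audit_chap_secrets /etc/ppp/chap-secrets`; a non-zero exit means something from the list above is missing or the secrets file is readable by other local users.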
Now open your firewall for vpn connections. To do this, set your /etc/shorewall/rules as shown.
My /etc/shorewall/rules at this time:
#############################################################################################################
#ACTION    SOURCE    DEST               PROTO    DEST    SOURCE    ORIGINAL    RATE    USER/
#                                                PORT    PORT(S)   DEST        LIMIT   GROUP
#
#       Accept DNS connections from the firewall to the network
#
ACCEPT        net    $FW                tcp    25
ACCEPT        net    $FW                tcp    443
ACCEPT        net    $FW                tcp    993
ACCEPT        net    $FW                udp    6277
DNAT          net    loc:192.168.1.1    tcp    1723
DNAT          net    loc:192.168.1.1    47
DNS/ACCEPT    $FW    net
#
#       Accept SSH connections from the local network for administration
#
SSH/ACCEPT    loc    $FW
#
#       Allow Ping from the local network
#
Ping/ACCEPT   loc    $FW
#
#       Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
#
To complete this step, do:
/etc/init.d/shorewall restart
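Both rules files on this page (the first one opening 25, 443 and 6277/udp, and this one adding 993, 1723 and GRE) are easy to get wrong by one column, and shorewall will happily load a rule that exposes more than intended. The script below is an added example, not part of the original article or of shorewall itself: it lists every ACCEPT or DNAT rule whose SOURCE is the "net" zone so the result can be compared with the ports you meant to open before running the restart. It understands only the plain rule form used on this page (ACTION SOURCE DEST PROTO DEST-PORT) and skips macro actions such as Ping/REJECT; the function names and the sample rules file it writes are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article): summarise what an
# /etc/shorewall/rules file lets in from the "net" zone.

# exposed_from_net FILE
# Prints one line per ACCEPT or DNAT rule whose SOURCE is "net":
#   "ACTION proto/port -> destination"
# Protocol 47 is GRE, the tunnel protocol PPTP uses next to TCP 1723.
exposed_from_net() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }        # comment and blank lines
        $2 != "net"           { next }        # only rules from the internet zone
        $1 == "ACCEPT" || $1 == "DNAT" {
            proto = ($4 == "") ? "any" : $4    # column 4: PROTO
            port  = ($5 == "") ? "-"   : $5    # column 5: DEST PORT(S)
            printf "%s %s/%s -> %s\n", $1, proto, port, $3
        }
    ' "$1"
}

# count_exposed FILE: number of rules exposed_from_net reports.
count_exposed() {
    exposed_from_net "$1" | wc -l | tr -d ' '
}

# write_sample_rules FILE: constructed sample (not the article's own file)
# mirroring the second rules file on this page.
write_sample_rules() {
    cat > "$1" <<'EOF'
#ACTION     SOURCE  DEST             PROTO  DEST   SOURCE   ORIGINAL  RATE   USER/
#                                           PORT   PORT(S)  DEST      LIMIT  GROUP
ACCEPT      net     $FW              tcp    25
ACCEPT      net     $FW              tcp    443
ACCEPT      net     $FW              tcp    993
ACCEPT      net     $FW              udp    6277
DNAT        net     loc:192.168.1.1  tcp    1723
DNAT        net     loc:192.168.1.1  47
DNS/ACCEPT  $FW     net
SSH/ACCEPT  loc     $FW
Ping/ACCEPT loc     $FW
Ping/REJECT net     $FW
ACCEPT      $FW     loc              icmp
ACCEPT      $FW     net              icmp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
EOF
}

# run_demo: stand-alone run against the constructed sample.
run_demo() {
    f=$(mktemp)
    write_sample_rules "$f"
    exposed_from_net "$f"
    echo "rules exposed to net: $(count_exposed "$f")"
    rm -f "$f"
}
run_demo
```

Against the real file, `exposed_from_net /etc/shorewall/rules` should print exactly six lines for the configuration above: four ACCEPT lines to $FW (tcp/25, tcp/443, tcp/993, udp/6277) and two DNAT lines to loc:192.168.1.1 (tcp/1723 and protocol 47). Anything else in that output is a rule you did not intend to add on this page.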
So now your customers will be able to do their job at home as well.
Note, that this only makes sense when your server has a reliable broadband connection to the internet, which in The Netherlands is the defacto standard, even for very tiny offices and most home addresses. In this respect we are way ahead of the rest of the world.