2 sleepless nights and a lot of pain later, this is how I spent my Friday.


This howto goes over how to set up a router/gateway on a home or small business network that will filter content through tinyproxy and Dan’s Guardian. The awesome thing about this setup is that you can run it on any old piece of crap PC in your garage or house. A 486 will effectively run this for a household, and an older Pentium-class machine will do for a small business network. This howto was written specifically for CentOS 4.x; however, you can use the same instructions to do this on a RedHat ES 4.x server or any CentOS 5.x or RedHat ES 5.x server. The only change that would need to be made for a newer version is getting the updated rpms for the distro from a repository such as http://dag.wieers.com/rpm
About my system:
MotherBoard: Asrock K7S41GX
Processor: Socket A (Socket 462) AMD Sempron(tm) 2800+
Ram: 2x 333 ddr1 512 MB for a total of 1gb
Drives: 2x 250.0 GB drives 1x 500GB drive 1x dvdrw drive
Network: 2x 100mbps network adapters
Getting the router/gateway up and running
Step 1. Setting up an extra network interface (if you have already done this move to step 2)
If you have just installed a new network interface you will need to get the system to properly see the device. Use lspci or cat /etc/sysconfig/hwconf and look for the new device and if it is not listed do a service kudzu restart and follow the prompts if necessary. Once you have positively identified that it is detecting in the system, you can add the device by creating this file
/etc/sysconfig/network-scripts/ifcfg-eth1
This file can then be formatted as shown below:
# cat /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
BOOTPROTO=STATIC
ONBOOT=yes
TYPE=Ethernet
IPADDR=10.0.0.1
NETMASK=255.255.255.0
The network information is what I am going to use for this setup. You can adjust this to be any subnet value you wish – to get this up and running restart networking with
# service network restart
Step 2. Installing and configuring the dhcp server
We first need to get the dhcp server package installed. We can do this by issuing the following command:
# yum -y install dhcp
This will install the package we need to run the dhcp server. It will not start without modification of a few files. We will go over these files below:
The main configuration file for the dhcp server is /etc/dhcpd.conf – I have posted an example of mine below that can easily be adapted for your network:
# cat /etc/dhcpd.conf
ddns-update-style interim;
ignore client-updates;
subnet 10.0.0.0 netmask 255.255.255.0 {
# --- default gateway
option routers 10.0.0.1;
option subnet-mask 255.255.255.0;
option nis-domain "larmeir.com";
option domain-name "larmeir.com";
option domain-name-servers 10.0.0.1;
option time-offset -18000; # Eastern Standard Time
# option ntp-servers 10.0.0.1;
# option netbios-name-servers 10.0.0.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
# option netbios-node-type 2;
range dynamic-bootp 10.0.0.100 10.0.0.254;
default-lease-time 21600;
max-lease-time 43200;
# we want the nameserver to appear at a fixed address
host ns {
next-server home.larmeir.com;
hardware ethernet 12:34:56:78:AB:CD;
fixed-address 10.0.0.1;
}
}
Once we have this file configured we will need to set the device that will host the dhcp service. The file that controls this is /etc/sysconfig/dhcpd
Below is an example of mine:
# cat /etc/sysconfig/dhcpd
# Command line options here
DHCPDARGS=eth1
Step 3. Modifying sysctl and iptables
In order to get requests from the dhcp network forwarded through the correct adapter, sysctl and iptables have to be configured to do this. To enable ipv4 forwarding issue the following command:
# echo 1 > /proc/sys/net/ipv4/ip_forward
Then to get iptables routing the requests properly issue the following commands:
# /sbin/iptables -P FORWARD ACCEPT
# /sbin/iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE
# service iptables save
If everything went right you should now have a functioning dhcp server. To get everything running we need to do the following commands:
# chkconfig dhcpd on
# service network restart
# service dhcpd restart
In my above example dhcpd.conf I specified an internal DNS server, but if you don’t want to run one you can easily point this to your ISP’s dns resolvers. If you do wish to host your dns, let’s move on to the next step.
Step 4. Setting up a basic DNS server.
This part is easy, just do the following commands:
# yum -y install bind
# chkconfig named on
# service named start
No configuration is needed here unless you have specific requirements.
Step 5. Installing TinyProxy
This part is very easy as well. For larger networks squid is more appropriate but for a small office or home network tinyproxy is highly effective. To get TinyProxy installed you will need to get it from a 3rd party repo. I am hosting the rpm on this site for CentOS 4.x for convenience. To get this rolling perform the commands below:
# wget http://larmeir.com/downloads/centos4/tinyproxy-1.6.4-1.of.el4.i386.rpm
# rpm -ivh tinyproxy-1.6.4-1.of.el4.i386.rpm
# chkconfig tinyproxy on
Now we need to set up the configuration file for tinyproxy in /etc/tinyproxy/tinyproxy.conf with the following directives:
User root
Group root
Port 3128
ViaProxyName "tinyproxy"
Once this has been set you can start up tinyproxy with the command below:
# service tinyproxy start
Step 6. Setting up Dan’s Guardian.
To get dansguardian we need to obtain this from the Dag repositories. To do this follow the commands below:
# rpm -Uhv http://apt.sw.be/redhat/el4/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el4.rf.i386.rpm
# yum update
# yum install dansguardian
# chkconfig dansguardian on
Then we need to modify the /etc/dansguardian/dansguardian.conf file and make sure the following directives are set:
# the port that DansGuardian listens to.
filterport = 8080
# the ip of the proxy (default is the loopback - i.e. this server)
proxyip = 127.0.0.1
# the port DansGuardian connects to proxy on
proxyport = 3128
Finally we need to start dansguardian with the following command:
# service dansguardian start
And set up iptables to route all requests through the Dan’s Guardian filter:
# /sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
# service iptables save
This will now force all connections on the dhcp network through the Dan’s Guardian filter. Now, just to make sure everything is working let’s restart everything:
# service network restart
# service dhcpd restart
# service tinyproxy restart
# service dansguardian restart
If you receive no errors you now have a gateway with dhcp, dns, a transparent proxy and content filtering. Give yourself a pat on the back. You can easily test the filter by going to Google and typing in a banned keyword such as sex. For more information on everything used in this article check out these links:
TinyProxy https://www.banu.com/tinyproxy/
Dans Guardian: http://dansguardian.org/
dhcpd http://en.wikipedia.org/wiki/Dhcpd
CentOS http://www.centos.org/
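A check for the rules built in steps 3 and 6, as an added example that is not part of the original howto: it reads `iptables-save` output and reports whether web traffic from the LAN interface is redirected to the filter port, whether any rule keeps LAN clients off the proxy's own port, and what the FORWARD policy is. The sample ruleset is constructed from the commands above; `sample_ruleset` and `audit_gateway` are names made up for this example.

```shell
#!/bin/sh
# Constructed sample: roughly what `iptables-save` prints after this howto's rules.
sample_ruleset() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Usage: iptables-save | audit_gateway LAN_IF FILTER_PORT PROXY_PORT
audit_gateway() {
    awk -v lan="$1" -v fport="$2" -v pport="$3" '
        /^\*/ { table = substr($0, 2) }                 # "*nat", "*filter"
        table == "filter" && /^:FORWARD / { fwd = $2 }  # default FORWARD policy
        # Port 80 arriving on the LAN interface must be redirected to the filter.
        table == "nat" && /^-A PREROUTING/ && /-j REDIRECT/ &&
            $0 ~ ("-i " lan " ") && /--dport 80 / &&
            $0 ~ ("--to-ports " fport "$") { redir = 1 }
        # Is there an INPUT rule that blocks LAN access to the upstream proxy port?
        table == "filter" && /^-A INPUT/ && /-j (DROP|REJECT)/ &&
            $0 ~ ("-i " lan " ") && $0 ~ ("--dport " pport " ") { guarded = 1 }
        END {
            print (redir ? "ok" : "FAIL") " http-redirect"
            print (guarded ? "ok" : "WARN") " proxy-port-guard"
            print (fwd == "DROP" ? "ok" : "WARN") " forward-policy=" fwd
        }'
}

sample_ruleset | audit_gateway eth1 8080 3128
```

On the gateway itself, run `iptables-save | audit_gateway eth1 8080 3128` as root. A WARN on proxy-port-guard means the ruleset leaves that restriction to tinyproxy's own Allow/Listen settings, and a WARN on the forward policy is a reminder that only TCP port 80 is sent through the filter.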
Not much to say here, but worth posting none-the-less.

I was in the mood for a blonde lager today. This Heineken 24 oz. can hit the spot.
“By three methods we may learn wisdom: First, by reflection, which is noblest; Second, by imitation, which is easiest; and third by experience, which is the bitterest.”
I wrote a howto a while back on how to set up Windows Vista with an ipv6 tunnel to tunnelbroker.net – this post can be found here: http://larmeir.com/?p=354. To follow up on this, I host a Debian etch 5.0 server in my office that I use for troubleshooting network connections and as a backup system for my webserver. Below is how I set up the ipv6 tunnel:
# ip tunnel add he-ipv6 mode sit remote my.tunnel.broker.ip local 192.168.1.8 ttl 255
# ip link set he-ipv6 up
# ip addr add 2001:470:1f0e:4ee::2/64 dev he-ipv6
# ip route add ::/0 dev he-ipv6
# ip -f inet6 addr
Also, don’t forget to check that the ipv6 kernel module is loaded:
~# lsmod | grep ipv6
ipv6 235364 31 sit
If not then load it:
# modprobe ipv6
then test it
~# ping6 -c4 ipv6.google.com
PING ipv6.google.com(vx-in-x68.google.com) 56 data bytes
64 bytes from vx-in-x68.google.com: icmp_seq=1 ttl=56 time=116 ms
64 bytes from vx-in-x68.google.com: icmp_seq=2 ttl=56 time=117 ms
64 bytes from vx-in-x68.google.com: icmp_seq=3 ttl=56 time=116 ms
64 bytes from vx-in-x68.google.com: icmp_seq=4 ttl=56 time=116 ms
--- ipv6.google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3011ms
rtt min/avg/max/mdev = 116.301/116.750/117.440/0.429 ms
Hopefully this will help someone with Debian when trying to get an ipv6 tunnel set up.

What in the heck has this world come to? A student in Utah was forced to remove his kilt as his teacher said it could be misconstrued as “cross-dressing” – I can’t help but find this ridiculous. Well, apparently principal Longshanks has to apologize to the student. You can read the whole story here: http://www.myfoxdfw.com/dpp/news/weird/dpg_School_Makes_Student_Change_out_of_Kilt_SAB_05172009_2492726
You normally do not think of Texas as being a place for earthquakes; well, yesterday we had a 3.3 magnitude quake near Fort Worth. You can read more about this here: http://neic.usgs.gov/neis/last_event_states/states_texas.html – The USGS details are below:

| Magnitude | 3.3 |
|---|---|
| Date-Time | |
| Location | 32.80N 97.09W |
| Depth | 5.0 kilometers |
| Region | NORTHERN TEXAS |
| Distances | 15 km (10 miles) ESE of Watauga, Texas 25 km (15 miles) ENE of Fort Worth, Texas 25 km (15 miles) W of Dallas, Texas 285 km (180 miles) NNE of AUSTIN, Texas |
| Location Uncertainty | Error estimate: horizontal +/- 9.0 km; depth fixed by location program |
| Parameters | Nst=11, Nph=11, Dmin=44.4 km, Rmss=0.86 sec, Erho=9.0 km, Erzz=0 km, Gp=92.8 degrees |
| Source | USGS NEIC (WDCS-D) |
| Event ID | usgsba |

Working in the technology industry, I hear a lot of people asking about how to monitor their bandwidth accurately. Most people (especially shared hosters, game server admins, etc.) will use their control panels to monitor their bandwidth and this often leads to inaccurate results. In this article we will go over setting up a basic mrtg bandwidth graph that can be monitored from a webpage on your server to help you keep track of your bandwidth usage. I have written the below howto as a guide to your installation on a RedHat ES 5.x or CentOS 5.x system. The link http://www.cyberciti.biz/nixcraft/linux/docs/uniqlinuxfeatures/mrtg/ was used as a guide regarding the snmpd.conf so if you have any doubts please check it out.
The best way to watch your own bandwidth is with iptables or snmp; however, in this article we are covering snmp only. If you want to have a better technical understanding of snmp you can read more about the snmp protocol here: http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol
Let’s get started
My server environment: cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.3 (Tikanga)
Our goals: Set up snmp and mrtg and have it monitor the bandwidth in 5 minute intervals, publishing to a webpage.
Setting up snmp:
First we have to get snmp and its utilities installed. To do this we will use yum
yum -y install net-snmp-utils net-snmp
Now we will make sure that snmpd starts at boot time:
chkconfig --add snmpd
chkconfig snmpd on
We can then verify that it is properly setup by issuing this command:
# chkconfig --list | grep snmpd
snmpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Start the snmpd daemon up:
/etc/init.d/snmpd start or service snmpd start
Make sure it is up and listening:
# netstat -anp | grep snmpd | grep LISTEN
tcp 0 0 127.0.0.1:199 0.0.0.0:* LISTEN 24465/snmpd
Configuring snmpd.conf:
The snmpd.conf is found at /etc/snmp/snmpd.conf – there are a million options here but we will only modify what is necessary to get this working.
We will go section by section:
First find this area and adjust it accordingly with your network address information – make sure to leave localhost as is – and for the network part, add your network’s CIDR notation (you can get this from your dedicated server provider if you are not sure):
####
# First, map the community name "public" into a "security name"
# sec.name source community
#com2sec notConfigUser default public
com2sec local localhost public
com2sec mynetwork 10.0.0.200/30 public
####
Next, find this area and adjust it exactly as shown below:
####
# Second, map the security name into a group name:
# groupName securityModel securityName
group MyRWGroup v1 local
group MyRWGroup v2c local
group MyRWGroup usm local
group MyROGroup v1 mynetwork
group MyROGroup v2c mynetwork
group MyROGroup usm mynetwork
####
Then, move on to the next section and configure it exactly as shown below:
# Make at least snmpwalk -v 1 localhost -c public system fast again.
# name incl/excl subtree mask(optional)
#view systemview included .1.3.6.1.2.1.1
#view systemview included .1.3.6.1.2.1.25.1.1
view all included .1
Now modify this section exactly as shown below:
####
# Finally, grant the group read-only access to the systemview view.
# group context sec.model sec.level prefix read write notif
#access notConfigGroup "" any noauth exact systemview none none
access MyROGroup "" any noauth exact all none none
access MyRWGroup "" any noauth exact all all none
Find this section and modify it as you would like:
###############################################################################
# System contact information
#
# It is also possible to set the sysContact and sysLocation system
# variables through the snmpd.conf file:
syslocation www.elitepowerhost.com
syscontact Dustin Larmeir <dustin@larmer.com>
There is a great article on how to configure this that served as a point of reference for me that can be found here: http://www.cyberciti.biz/nixcraft/linux/docs/uniqlinuxfeatures/mrtg/mrtg_config_step_3.php
Now we need to restart the snmpd daemon:
/etc/init.d/snmpd restart or service snmpd restart
And now we need to test it:
# snmpwalk -v 1 -c public localhost IP-MIB::ipAdEntIfIndex
IP-MIB::ipAdEntIfIndex.10.8.118.194 = INTEGER: 2
When executing the snmpwalk command this should show all of your network addresses – if this returns them that means snmp is monitoring correctly. Note how the 10.x.x.x address was returned.
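To see what the com2sec, group, view and access lines above add up to, the following added example (not part of the original howto) joins them into one line per source and flags the default community string, write access and a whole-tree view. The sample input is constructed from the settings shown above; the function names are made up for this example.

```shell
#!/bin/sh
# Constructed sample: the access-control lines this howto puts in snmpd.conf.
sample_snmpd_conf() {
cat <<'EOF'
#com2sec notConfigUser default public
com2sec local     localhost     public
com2sec mynetwork 10.0.0.200/30 public
group MyRWGroup v1  local
group MyRWGroup v2c local
group MyROGroup v1  mynetwork
group MyROGroup v2c mynetwork
view all included .1
access MyROGroup "" any noauth exact all none none
access MyRWGroup "" any noauth exact all all  none
EOF
}

# Join com2sec -> group -> access -> view into one line per source address.
snmp_effective_access() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }                  # comments, blank lines
        $1 == "com2sec" { src[$2] = $3; comm[$2] = $4 } # secname -> source, community
        $1 == "group"   { grp[$4] = $2 }                # secname -> group
        $1 == "view" && $3 == "included" { tree[$2] = $4 }
        $1 == "access"  { rd[$2] = $7; wr[$2] = $8 }    # group -> read/write view
        END {
            tree["none"] = "-"
            for (s in src) {
                g = grp[s]
                printf "%s community=%s group=%s read=%s(%s) write=%s(%s)\n",
                    src[s], comm[s], g, rd[g], tree[rd[g]], wr[g], tree[wr[g]]
            }
        }' "$@" | sort
}

# Flag the settings worth a second look before snmpd faces a network.
snmp_findings() {
    snmp_effective_access "$@" | awk '
        /community=public /  { print "default-community " $1 }
        $5 !~ /^write=none/  { print "write-enabled " $1 }
        $4 ~ /\(\.1\)$/      { print "whole-tree-readable " $1 }
    '
}

sample_snmpd_conf | snmp_effective_access
sample_snmpd_conf | snmp_findings
```

Run it against the real file with `snmp_findings /etc/snmp/snmpd.conf`.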
Installing mrtg
Use yum to install the mrtg package
yum -y install mrtg
Assuming your htdocs directory is in /var/www/html – you would create a location to place the mrtg graphs:
mkdir -p /var/www/html/mymrtg/
Now you will setup the config for mrtg:
cfgmaker --global 'WorkDir: /var/www/html/mymrtg' --output /etc/mrtg/mymrtg.cfg public@my.fqdn.com
Note, it is best to use your FQDN but you can use localhost as well. The FQDN is much cleaner though.
Making the mrtg index file:
indexmaker --output=/var/www/html/mymrtg/index.html /etc/mrtg/mymrtg.cfg
Making sure all the image files are where they should be:
cp -av /var/www/html/mrtg/*.png /var/www/html/mymrtg/
Testing it out:
env LANG=C /usr/bin/mrtg /etc/mrtg/mymrtg.cfg
Now browse to your vhost.com/mrtg and you should see your graphs!
Setting the graphs up as a cron job:
run crontab -e
and put this in the file:
*/5 * * * * env LANG=C mrtg /etc/mrtg/mymrtg.cfg --logging /var/log/graphing.log
This will generate your graphs every 5 minutes and log it for you.
This should be all you need to monitor your own bandwidth graphs. There are many different options you can modify with this system, so researching into it further would be worth your time! I’ll write a howto on Debian soon.