
Setting up an Internet gateway for a small office: CentOS, iptables, NAT, transparent Squid, SARG

Gone are the days when our office had two computers and a four-port DSL modem with a 2 Mbit Internet link was enough. Now the office has five workstations and one server for developer tasks.

With everyone plugged into a switch behind an off-the-shelf TP-Link router, a single large download would stall the Internet for the whole office. We decided to build our own Internet gateway with a traffic shaper, DNS, DHCP, a proxy and per-user statistics (Squid + SARG).

A dual-core Pentium with 4 GB RAM and a minimal CentOS 6.4 install was chosen as the server.
So, let's proceed to configuring our future Internet gateway.

The task is to configure:
Internet access via NAT (iptables) with traffic shaping (HTB), DHCP, DNS, httpd, nginx and SARG.

Step one: installing the basic software

Add the necessary repositories (RPMforge, EPEL, Remi):

```sh
rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt
rpm -ivh http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
rpm --import https://fedoraproject.org/static/0608B895.txt
rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm --import http://rpms.famillecollet.com/RPM-GPG-KEY-remi
rpm -ivh http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
```

Two of the three signing keys are fetched over plain HTTP, so nothing stops someone on the path from handing you a different key. Before installing packages from these repositories, list the imported keys with `rpm -q gpg-pubkey` and compare their IDs with the ones the projects publish.

Clear the YUM cache:

```sh
yum clean all
```

Install the build toolchain:

```sh
yum -y groupinstall "Development tools"
```

Install the other utilities we will need:

```sh
yum -y install git mc htop lftp unzip zlib zlib-devel openssl openssl-devel patch libtool re2c bison fprintd-pam subversion sshfs curlftpfs
```


Step two: installing nginx

nginx 1.4.2 is built from source with three third-party modules. Two things to know before running this: `--with-pcre=/usr/src/pcre-8.33` points at the PCRE source tree that is only downloaded in step three, so unpack it first or configure will fail; and both `wget --no-check-certificate` and the unauthenticated `git://` clone pull code with no integrity check at all, so fetch over https where you can and compare checksums where the projects publish them.

```sh
useradd nginx -s /bin/false -M -U
mkdir /var/run/nginx/ && chown -R nginx:nginx /var/run/nginx/
mkdir /var/log/nginx/ && chown -R nginx:nginx /var/log/nginx/

cd /usr/src
wget http://nginx.org/download/nginx-1.4.2.tar.gz
tar xvzf nginx-1.4.2.tar.gz
cd nginx-1.4.2

# Third-party modules
git clone https://github.com/yaoweibin/nginx_tcp_proxy_module.git
git clone git://github.com/mikewest/nginx-static-etags.git
patch -p1 < nginx_tcp_proxy_module/tcp.patch
wget -O release-1.6.29.5-beta.zip https://github.com/pagespeed/ngx_pagespeed/archive/release-1.6.29.5-beta.zip
unzip release-1.6.29.5-beta.zip
cd ngx_pagespeed-release-1.6.29.5-beta/
wget --no-check-certificate -O 1.6.29.5.tar.gz https://dl.google.com/dl/page-speed/psol/1.6.29.5.tar.gz
tar -xzvf 1.6.29.5.tar.gz
cd /usr/src/nginx-1.4.2

./configure \
  --prefix=/server/nginx \
  --user=nginx --group=nginx \
  --error-log-path=/var/log/nginx/error_log \
  --pid-path=/var/run/nginx/nginx.pid \
  --lock-path=/var/lock/subsys/nginx \
  --add-module=nginx-static-etags \
  --add-module=nginx_tcp_proxy_module \
  --add-module=ngx_pagespeed-release-1.6.29.5-beta \
  --with-pcre=/usr/src/pcre-8.33 \
  --with-ipv6 \
  --with-http_realip_module \
  --with-http_stub_status_module \
  --with-http_gzip_static_module \
  --without-http_geo_module \
  --without-http_ssi_module \
  --without-http_empty_gif_module \
  --without-http_browser_module \
  --without-mail_pop3_module \
  --without-mail_imap_module \
  --without-mail_smtp_module \
  --without-http_memcached_module \
  --without-http_scgi_module \
  --without-http_uwsgi_module \
  --without-http_fastcgi_module \
  --http-fastcgi-temp-path= \
  --http-uwsgi-temp-path=
make
make install

# Remove the sample configs we will not use and create the include directory
cd /server/nginx/conf/ && rm -f fastcgi.conf fastcgi.conf.default fastcgi_params fastcgi_params.default \
  koi-utf koi-win mime.types.default nginx.conf.default scgi_params scgi_params.default \
  uwsgi_params uwsgi_params.default win-utf
mkdir /server/nginx/conf/conf.d/
```

Create the nginx.conf file:

```sh
touch /server/nginx/conf/nginx.conf
```

Contents of nginx.conf. The default vhost on the LAN address exposes nginx's own status page and proxies Apache's status page from the loopback-only httpd; the `allow`/`deny` pair restricts both to requests from the gateway itself, so nothing on the LAN can read them directly.

```nginx
worker_processes 8;    # usually set to the number of CPU cores

events {
    worker_connections 25000;
    use epoll;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile      on;
    tcp_nopush    on;

    gzip on;
    gzip_min_length 1000;
    gzip_proxied any;
    gzip_types text/plain text/xml application/xml application/x-javascript text/javascript text/css text/json;
    gzip_comp_level 8;

    client_max_body_size 20M;

    # Default vhost on the LAN address: status pages, readable only from the gateway itself
    server {
        listen 192.168.5.1:80 default_server;
        stub_status on;
        location = /apache-stats {
            proxy_pass http://127.0.0.1:80;
        }
        allow 192.168.5.1;
        deny  all;
    }

    # Real sites (sarg.loc etc.) live in their own files
    include conf.d/*.conf;
}
```

Init script:

```sh
touch /etc/init.d/nginx
chmod +x /etc/init.d/nginx
```

with the following content. The `chkconfig: - 58 74` header registers no default runlevels, so after creating it run `chkconfig --add nginx && chkconfig nginx on` to have nginx start at boot.

```sh
#!/bin/bash
# chkconfig: - 58 74
# description: nginx web server

# Source function library.
. /etc/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

if [ -f /etc/sysconfig/nginx ]; then
    . /etc/sysconfig/nginx
fi

RETVAL=0
prog="nginx"
nginx=/server/nginx/sbin/nginx
pidfile=/var/run/nginx/nginx.pid
lockfile=/var/lock/subsys/nginx

start() {
    # Check that networking is up.
    [ "$NETWORKING" = "no" ] && exit 1
    echo -n $"Starting $prog: "
    daemon $nginx $OPTIONS
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch $lockfile
    return $RETVAL
}

stop() {
    echo -n $"Shutting down $prog: "
    # The pid file is not at the default /var/run/nginx.pid, so pass it explicitly
    killproc -p $pidfile $nginx
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f $lockfile
    return $RETVAL
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status -p $pidfile $nginx
        RETVAL=$?
        ;;
    restart|reload)
        stop
        start
        RETVAL=$?
        ;;
    condrestart)
        if [ -f $lockfile ]; then
            stop
            start
            RETVAL=$?
        fi
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|condrestart|status}"
        RETVAL=3
esac
exit $RETVAL
```


Step three: installing httpd

Apache needs APR, APR-util and PCRE; we build them from source into /server/misc so httpd does not depend on the distribution's versions.

Install APR:

```sh
cd /usr/src
wget http://apache.ip-connect.vn.ua//apr/apr-1.5.0.tar.gz
tar xvzf apr-1.5.0.tar.gz
cd apr-1.5.0
./configure --prefix=/server/misc/apr
make
make install
```

Install APR-util:

```sh
yum -y install openldap-devel nss nss-devel
cd /usr/src
wget http://apache.ip-connect.vn.ua//apr/apr-util-1.5.3.tar.gz
tar xvzf apr-util-1.5.3.tar.gz
cd apr-util-1.5.3
./configure --prefix=/server/misc/apr-util --with-apr=/server/misc/apr --with-crypto --with-ldap
make
make install
```

Install PCRE (the nginx configure in step two also expects this source tree at /usr/src/pcre-8.33):

```sh
cd /usr/src
wget http://ftp.exim.llorien.org/pcre/pcre-8.33.tar.gz
tar xvzf pcre-8.33.tar.gz
cd pcre-8.33
./configure --prefix=/server/misc/pcre
make
make install
```

Install Apache with mpm-itk. Two corrections to the original command sequence: `./buildconf` must point at the APR and APR-util sources actually unpacked above (the original named apr-1.4.8 and apr-util-1.5.2, which are not there), and the install tree is left owned by root. httpd starts as root and drops to the apache user; that user only needs to write to /var/run/httpd and /var/log/httpd, which are already chowned for it. Making all of /server/httpd apache-owned, as the original did, would let a compromised worker (or, with mpm-itk, any vhost user) rewrite the binaries and configuration.

```sh
useradd apache -s /bin/false -M -U
mkdir /var/run/httpd/ && chown -R apache:apache /var/run/httpd/
mkdir /var/log/httpd/ && chown -R apache:apache /var/log/httpd/

cd /usr/src
wget http://mpm-itk.sesse.net/mpm-itk-2.4.4-04.tar.gz
tar xvzf mpm-itk-2.4.4-04.tar.gz
wget http://archive.apache.org/dist/httpd/httpd-2.4.6.tar.gz
tar xvzf httpd-2.4.6.tar.gz
cd httpd-2.4.6

# mpm-itk needs this hook in the core before it can be built as a module
patch -p1 < /usr/src/mpm-itk-2.4.4-04/patches/r1389339-pre-htaccess-hook.diff

./buildconf --with-apr=/usr/src/apr-1.5.0 --with-apr-util=/usr/src/apr-util-1.5.3
# mod_status is wanted (ExtendedStatus and /apache-stats below), so --disable-status is not passed
./configure --prefix=/server/httpd \
  --with-mpm=prefork \
  --with-apr=/server/misc/apr \
  --with-apr-util=/server/misc/apr-util \
  --with-pcre=/server/misc/pcre \
  --disable-version \
  --enable-rewrite=static \
  --enable-realip=static \
  --enable-mods-static="authn_file mime authn_core authz_host authz_groupfile authz_user authz_core access_compat auth_basic reqtimeout filter log_config env headers setenvif unixd dir alias realip status info"
make
make install

# Build mpm-itk as a loadable module against the installed httpd
cd /usr/src/mpm-itk-2.4.4-04
./configure --with-apxs=/server/httpd/bin/apxs
make
make install

mkdir -p /server/httpd/conf/conf.d/sites/
rm -rf /server/httpd/man /server/httpd/manual /server/httpd/icons /server/httpd/cgi-bin \
       /server/httpd/logs /server/httpd/conf/extra /server/httpd/conf/original
mkdir /var/www
chown root:root /var/www
# Binaries and configuration stay root-owned; apache only writes to /var/run/httpd and /var/log/httpd
chown -R root:root /server/httpd
```

Bring httpd.conf to the following state (replace {HOSTNAME} with the gateway's name). httpd listens on the loopback only; nginx sits in front of it on the LAN address, which is why mod_remoteip is told to trust X-Forwarded-For from 127.0.0.1.

```apacheconf
ServerRoot "/server/httpd"
# Only nginx on the same box talks to httpd
Listen 127.0.0.1:80

LoadModule mpm_itk_module modules/mpm_itk.so
LoadModule remoteip_module modules/mod_remoteip.so

<IfModule unixd_module>
    User apache
    Group apache
</IfModule>

ServerAdmin webmaster@{HOSTNAME}
ServerName {HOSTNAME}

<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>

<Files ".ht*">
    Require all denied
</Files>

ErrorLog "/var/log/httpd/error_log"
LogLevel warn
PidFile /var/run/httpd/httpd.pid

<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    CustomLog "/var/log/httpd/access_log" common
    #CustomLog "/var/log/httpd/logs/access_log" combined
</IfModule>

<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/server/httpd/cgi-bin/"
</IfModule>

<Directory "/server/httpd/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule mime_module>
    TypesConfig conf/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
</IfModule>

<IfModule prefork.c>
    StartServers          6
    MinSpareServers       5
    MaxSpareServers      10
    ServerLimit         256
    MaxClients          256
    MaxRequestsPerChild 10000
</IfModule>

# A later ServerName overrides the one above; keep whichever you want
ServerName 127.0.0.1

IncludeOptional conf/conf.d/*.conf
IncludeOptional conf/conf.d/sites/*.conf

# Timeout: the number of seconds before receives and sends time out.
Timeout 60
# KeepAlive: whether to allow persistent connections (more than one request
# per connection). Set to "Off" to deactivate.
KeepAlive On
# MaxKeepAliveRequests: the maximum number of requests to allow during a
# persistent connection. Set to 0 to allow an unlimited amount.
MaxKeepAliveRequests 100
# KeepAliveTimeout: seconds to wait for the next request from the same
# client on the same connection.
KeepAliveTimeout 5
# ServerTokens: Full | OS | Minor | Minimal | Major | Prod, where Full conveys
# the most information and Prod the least.
ServerTokens Prod
UseCanonicalName Off
AccessFileName .htaccess
ServerSignature Off
HostnameLookups Off
ExtendedStatus On

<IfModule reqtimeout_module>
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>

# Requests come through nginx on 127.0.0.1; take the real client address from X-Forwarded-For
<IfModule remoteip_module>
    RemoteIPHeader X-Forwarded-For
    RemoteIPInternalProxy 127.0.0.1
</IfModule>
```

Create the init script:

```sh
touch /etc/init.d/httpd
chmod +x /etc/init.d/httpd
```

with the following content (the stock CentOS httpd script with the paths changed to /server/httpd; register it with `chkconfig --add httpd && chkconfig httpd on`):

```sh
#!/bin/bash
#
# httpd        Startup script for the Apache HTTP Server
#
# chkconfig: - 85 15
# description: The Apache HTTP Server is an efficient and extensible \
#              server implementing the current HTTP standards.
# processname: httpd
# config: /server/httpd/conf/httpd.conf
# pidfile: /var/run/httpd/httpd.pid
#
### BEGIN INIT INFO
# Provides: httpd
# Required-Start: $local_fs $remote_fs $network $named
# Required-Stop: $local_fs $remote_fs $network
# Should-Start: distcache
# Short-Description: start and stop Apache HTTP Server
# Description: The Apache HTTP Server is an extensible server
#  implementing the current HTTP standards.
### END INIT INFO

# Source function library.
. /etc/rc.d/init.d/functions

# Start httpd in the C locale by default.
HTTPD_LANG="C"

# This will prevent initlog from swallowing up a pass-phrase prompt if
# mod_ssl needs a pass-phrase from the user.
INITLOG_ARGS=""

# Path to the apachectl script, server binary, and short-form for messages.
apachectl=/server/httpd/bin/apachectl
httpd=/server/httpd/bin/httpd
prog=httpd
pidfile=/var/run/httpd/httpd.pid
lockfile=/var/lock/subsys/httpd
RETVAL=0
STOP_TIMEOUT=10

# The semantics of these two functions differ from the way apachectl does
# things -- attempting to start while running is a failure, and shutdown
# when not running is also a failure. So we just do it the way init scripts
# are expected to behave here.
start() {
    echo -n $"Starting $prog: "
    LANG=$HTTPD_LANG daemon --pidfile=${pidfile} $httpd $OPTIONS
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && touch ${lockfile}
    return $RETVAL
}

# When stopping httpd, a delay (of default 10 seconds) is required
# before SIGKILLing the httpd parent; this gives enough time for the
# httpd parent to SIGKILL any errant children.
stop() {
    echo -n $"Stopping $prog: "
    killproc -p ${pidfile} -d ${STOP_TIMEOUT} $httpd
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && rm -f ${lockfile} ${pidfile}
}

reload() {
    echo -n $"Reloading $prog: "
    if ! LANG=$HTTPD_LANG $httpd $OPTIONS -t >&/dev/null; then
        RETVAL=6
        echo $"not reloading due to configuration syntax error"
        failure $"not reloading $httpd due to configuration syntax error"
    else
        # Force LSB behaviour from killproc
        LSB=1 killproc -p ${pidfile} $httpd -HUP
        RETVAL=$?
        if [ $RETVAL -eq 7 ]; then
            failure $"httpd shutdown"
        fi
    fi
    echo
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status -p ${pidfile} $httpd
        RETVAL=$?
        ;;
    restart)
        stop
        start
        ;;
    condrestart|try-restart)
        if status -p ${pidfile} $httpd >&/dev/null; then
            stop
            start
        fi
        ;;
    force-reload|reload)
        reload
        ;;
    graceful|help|configtest|fullstatus)
        $apachectl $@
        RETVAL=$?
        ;;
    *)
        echo $"Usage: $prog {start|stop|restart|condrestart|try-restart|force-reload|reload|status|fullstatus|graceful|help|configtest}"
        RETVAL=2
esac

exit $RETVAL
```


Step four: sharing the Internet connection

The server has two network interfaces:
eth0 - Internet from the provider
eth1 - our local network

Create the file /iptables with the following contents. One important fix over the original script: `iptables -F` flushes the rules but leaves the chain policies at ACCEPT, so without explicit `-P INPUT DROP` and `-P FORWARD DROP` the rule that admits new connections only from non-eth0 interfaces blocks nothing, and Squid, dnsmasq and sshd are reachable from the provider side.

```sh
#!/bin/sh
PATH=/usr/sbin:/sbin:/bin:/usr/bin

# Flush all rules and user-defined chains
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Default-deny for traffic to and through the gateway; -F does not change policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections to the gateway itself (DNS, DHCP, Squid, SSH, web) only from the LAN side
iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT

# Forward LAN -> Internet, and the replies back
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# NAT for the office
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Transparent proxy: hand all LAN HTTP to Squid on the gateway
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.5.1:3128

echo 1 > /proc/sys/net/ipv4/ip_forward
```

Make it executable and run it:

```sh
chmod +x /iptables
/iptables
```

Nothing re-applies these rules at boot: call the script from /etc/rc.local (or run `service iptables save` once the rules are loaded) and put `net.ipv4.ip_forward = 1` in /etc/sysctl.conf, otherwise a reboot leaves the office without NAT.
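A tighter version of the same firewall, added here as an example (it is not the article's script): instead of accepting any new connection from the LAN side it opens only the ports the office services use, uses REDIRECT rather than DNAT for the transparent proxy, and skips interception for requests aimed at the gateway's own vhosts. Interfaces, addresses and the Squid port are the article's; that SSH on port 22 should be reachable from the LAN only, the `DRY_RUN` preview mode and the variable names are my assumptions. The DHCP rule deliberately carries no `-s` match, because a DHCPDISCOVER arrives with source 0.0.0.0 and would otherwise be dropped.

```shell
#!/bin/sh
# Added example: hardened replacement for the article's /iptables script.
# eth0 = provider side, eth1 = LAN 192.168.5.0/24, gateway 192.168.5.1,
# Squid on 3128 (from the article). SSH-from-LAN-only is an assumption.
PATH=/usr/sbin:/sbin:$PATH
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.5.0/24}
GW_IP=${GW_IP:-192.168.5.1}
SQUID_PORT=${SQUID_PORT:-3128}

# Every rule goes through ipt(); with DRY_RUN set the rule set is printed
# instead of applied, so it can be reviewed before locking yourself out.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    ipt -F
    ipt -t nat -F
    ipt -t mangle -F
    ipt -X
    # Policies are not touched by -F; default-deny INPUT and FORWARD.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DHCPDISCOVER comes from 0.0.0.0, so this rule must not filter on -s.
    ipt -A INPUT -i "$LAN" -p udp --dport 67 -j ACCEPT
    # dnsmasq, sshd, the web server and Squid: LAN side, LAN addresses only.
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp -m multiport --dports 22,53,80,"$SQUID_PORT" -j ACCEPT
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -p icmp -j ACCEPT
    # No rule for new connections on $WAN: the DROP policy handles them.

    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    # Transparent proxy: REDIRECT keeps the original destination for Squid,
    # and requests for the gateway itself (sarg.loc) go straight to nginx.
    ipt -t nat -A PREROUTING -i "$LAN" -s "$LAN_NET" -p tcp --dport 80 ! -d "$GW_IP" \
        -j REDIRECT --to-ports "$SQUID_PORT"
}

enable_forwarding() {
    if [ -n "$DRY_RUN" ]; then
        echo "sysctl -w net.ipv4.ip_forward=1"
    else
        sysctl -w net.ipv4.ip_forward=1
    fi
}

# Print the complete rule set without touching the kernel.
preview_rules() {
    ( DRY_RUN=1; apply_rules; enable_forwarding )
}

case "${1:-preview}" in
    apply)   apply_rules && enable_forwarding ;;
    preview) preview_rules ;;
    *)       echo "usage: $0 {apply|preview}" >&2; exit 2 ;;
esac
```

Run it with no arguments to see the rules, and with `apply` (as root) to load them; as with the article's script, persist the result with `service iptables save` and set `net.ipv4.ip_forward = 1` in /etc/sysctl.conf.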

Edit the LAN interface configuration:

```sh
mcedit /etc/sysconfig/network-scripts/ifcfg-eth1
```

```ini
DEVICE=eth1
HWADDR=00:0E:0C:73:E4:F9
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=static
IPADDR=192.168.5.1
NETMASK=255.255.255.0
GATEWAY=192.168.1.106
NETWORK=192.168.5.0
```

GATEWAY is the default route for the whole machine, so it must be the address of the upstream router that eth0 talks to. The original text describes it as "the IP of the eth0 interface"; a default route pointing at the machine's own address does not work, and the cleaner place for the setting is ifcfg-eth0 or /etc/sysconfig/network rather than the LAN interface.

Restart networking:

```sh
service network restart
```


Step five: setting up dhcpd

Install it with yum (the CentOS 6 package is called dhcp, not dhcpd):

```sh
yum -y install dhcp
```

Bind the daemon to the LAN interface in /etc/sysconfig/dhcpd. The original put `DHCPARGS="eth1"; INTERFACES="eth1";` inside dhcpd.conf, but those are not dhcpd.conf statements and the daemon refuses to start on them; the interface list belongs here:

```sh
DHCPDARGS=eth1
```

Configure:

```sh
mcedit /etc/dhcp/dhcpd.conf
```

```conf
ddns-update-style none;
ignore client-updates;

subnet 192.168.5.0 netmask 255.255.255.0 {
    range 192.168.5.100 192.168.5.200;
    option routers 192.168.5.1;
    option subnet-mask 255.255.255.0;
    option domain-name "loc";          # no leading dot, or clients build names like host..loc
    option domain-name-servers 192.168.5.1;
    option time-offset -18000;
    default-lease-time 21600;
    max-lease-time 43200;
}

# Fixed addresses for the office machines
host astraPC1 { hardware ethernet 00:21:91:91:11:42; fixed-address 192.168.5.6; }
host astraPC2 { hardware ethernet D0:27:88:43:7E:AE; fixed-address 192.168.5.7; }
host astraPC3 { hardware ethernet D0:27:88:43:7F:0E; fixed-address 192.168.5.8; }
host astraPC4 { hardware ethernet 90:2B:34:BB:15:F2; fixed-address 192.168.5.9; }
host astraPC5 { hardware ethernet 90:2B:34:BA:E1:55; fixed-address 192.168.5.10; }
```

Then `chkconfig dhcpd on && service dhcpd start`.


The clients are told to use the gateway's address as their DNS server, so the gateway needs a resolver. Something simple is enough here; I chose dnsmasq.

Step six: configuring the DNS server

```sh
yum -y install dnsmasq
```

DHCP is already handled by dhcpd and none of dnsmasq's other features are needed, so the config enables only what is required. `bind-interfaces` is added to the original: by default dnsmasq binds the wildcard address and merely filters queries from other interfaces, whereas with it the socket exists on eth1 only, so nothing answers on the provider side even if the firewall is misconfigured.

```conf
# Serve the LAN interface only, and bind to it explicitly
interface=eth1
bind-interfaces
# DHCP is dhcpd's job
no-dhcp-interface=eth1
port=53
# Answers from /etc/hosts are localised to the querying interface's subnet
localise-queries
# Query all upstream servers in parallel (only matters with more than one server=)
all-servers
# Flush the cache on reload
clear-on-reload
# Upstream DNS
server=192.168.1.1
```


In /etc/hosts a couple of names were needed for the local network:

```
192.168.5.1 sarg.loc
192.168.5.1 mysql.loc
```

SARG is the report generator for Squid's logs (step eight).

Step seven: installing squid

```sh
yum -y install squid
```

The configuration file is brought to the following state. One change from the original: the stock `localnet` ACL covered all of 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, and the last of those also contains the provider-side segment eth0 sits on (192.168.1.x), so only the firewall stood between that segment and an open proxy. Here `localnet` is just the office subnet.

```conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl lan src 192.168.5.1/32          # the gateway itself
acl localnet src 192.168.5.0/24     # our LAN only; the stock RFC1918 ranges would also admit the eth0 segment

acl SSL_ports port 443
acl Safe_ports port 80              # http
acl Safe_ports port 21              # ftp
acl Safe_ports port 443             # https
acl Safe_ports port 70              # gopher
acl Safe_ports port 210             # wais
acl Safe_ports port 1025-65535      # unregistered ports
acl Safe_ports port 280             # http-mgmt
acl Safe_ports port 488             # gss-http
acl Safe_ports port 591             # filemaker
acl Safe_ports port 777             # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access allow lan
http_access deny all

# Transparent interception port (iptables sends LAN port-80 traffic here)
http_port 3128 transparent

hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

# Do not reveal the proxy, or the clients' addresses, to origin servers
forwarded_for off
request_header_access From deny all
request_header_access Server deny all
request_header_access Link deny all
request_header_access X-Forwarded-For deny all
request_header_access Via deny all
request_header_access Cache-Control deny all
visible_hostname myhost.com
```


Step eight: installing SARG

```sh
yum -y install sarg
```

The defaults are fine for a small office; the only thing that had to change was the directory the reports are written to. The EPEL package installs its configuration as /etc/sarg/sarg.conf (/usr/local/etc/sarg.conf, named in the original, is where a build from source puts it):

```sh
mcedit /etc/sarg/sarg.conf
```

```conf
output_dir /var/www/sarg/public_html/sarg.loc
```

Add a daily cron job so statistics accumulate every day, and serve output_dir from a sarg.loc vhost in conf.d. Reports are generated by running:

```sh
sarg
```
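Before waiting for SARG's first daily report it is worth checking two things straight from Squid's access.log: that the transparent interception is catching the LAN (entries from 192.168.5.x appear at all) and which machine is the downloader the office complained about. The following is an added example, not the article's or SARG's code. The log lines are constructed; field positions follow Squid's native access.log format (timestamp, elapsed, client, action/code, bytes, method, URL), with one line showing the `deny CONNECT !SSL_ports` rule from the config above refusing a CONNECT to port 8443.

```shell
#!/bin/sh
# Added example: per-client summary of Squid's native access.log.
# Fields: $1 time  $2 elapsed  $3 client  $4 action/code  $5 bytes  $6 method  $7 URL ...

# Constructed sample log; 192.168.5.6 is the bulk downloader, 192.168.5.8
# tried a CONNECT to a non-SSL port and was denied by the Squid config.
SAMPLE_LOG='1385000000.123    250 192.168.5.6 TCP_MISS/200 15432 GET http://example.com/index.html - DIRECT/93.184.216.34 text/html
1385000001.456     80 192.168.5.7 TCP_HIT/200 2048 GET http://example.com/logo.png - NONE/- image/png
1385000002.789   1200 192.168.5.6 TCP_MISS/200 1048576 GET http://example.org/big.iso - DIRECT/93.184.216.34 application/octet-stream
1385000003.012     30 192.168.5.8 TCP_DENIED/403 3600 CONNECT 203.0.113.5:8443 - HIER_NONE/- text/html
1385000004.345    500 192.168.5.7 TCP_MISS/200 512000 GET http://example.net/video.mp4 - DIRECT/192.0.2.10 video/mp4'

# "client bytes requests" per client, heaviest first.
top_clients() {
    awk '{ bytes[$3] += $5; reqs[$3]++ }
         END { for (c in bytes) printf "%s %d %d\n", c, bytes[c], reqs[c] }' "$1" |
        sort -k2,2nr
}

# Total bytes for one client (0 if it never appears).
bytes_for() {
    awk -v c="$1" '$3 == c { s += $5 } END { print s + 0 }' "$2"
}

# Clients whose total exceeds a byte threshold: the "someone started downloading" case.
heavy_clients() {
    top_clients "$1" | awk -v t="$2" '$2 > t { print $1 }'
}

# Requests Squid refused, per client. Repeated denials mean a misconfigured
# client or someone probing the proxy's ACLs.
denied_by_client() {
    awk '$4 ~ /^TCP_DENIED/ { d[$3]++ }
         END { for (c in d) printf "%s %d\n", c, d[c] }' "$1" | sort
}

# Demo on the constructed sample; pass a real log path as $1 to analyse it instead.
log=${1:-}
if [ -z "$log" ]; then
    log=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$log"
    cleanup=$log
fi
echo "== bytes and requests per client"; top_clients "$log"
echo "== over 1 MB"; heavy_clients "$log" 1000000
echo "== denied requests"; denied_by_client "$log"
[ -n "${cleanup:-}" ] && rm -f "$cleanup"
```

With the real file (`/var/log/squid/access.log` on CentOS) the threshold for `heavy_clients` is whatever makes sense for a 6 Mbit link; the point is that a client appearing with a large byte total in a short window is exactly the one the HTB shaper in step nine is meant to tame.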


Step nine: setting up HTB

htb.init is a shell wrapper around tc that builds the HTB class tree from small files in /etc/sysconfig/htb (the original command had a stray second `wget` in it):

```sh
wget -O /etc/init.d/htb 'http://downloads.sourceforge.net/project/htbinit/HTB.init/0.8.5/htb.init-v0.8.5?use_mirror=citylan'
chmod +x /etc/init.d/htb
mkdir -p /etc/sysconfig/htb
```

Shaper settings depend on your needs. In our case the starting data were:
Channel width: 6 Mbit/s
Users: 5
Note: users rarely download large files and mostly browse.

Create the files:

```sh
cd /etc/sysconfig/htb
touch eth1 eth1-2.root
touch eth1-2:06.astraPC1 eth1-2:07.astraPC2 eth1-2:08.astraPC3 eth1-2:09.astraPC4 eth1-2:10.astraPC5
```


eth1 is the root file for the interface. R2Q controls the shaper's quantum accuracy; DEFAULT=0 means traffic that matches no class is left unshaped.

```conf
R2Q=20
DEFAULT=0
```

eth1-2.root sets the limits for the whole tree, i.e. the 6 Mbit link:

```conf
RATE=6Mbit
CEIL=6Mbit
```

eth1-2:06.astraPC1 is the file for one machine. For convenience the file extension is the host's name and the class id after "2:" is the last octet of its IP address (htb.init reads the id as a hex number, so it only has to be unique). A bare address in RULE matches the destination, and because the shaper sits on eth1's egress this caps what each workstation can download: 1 Mbit guaranteed, up to about 3 Mbit when the link is otherwise idle, with an SFQ leaf so one bulk transfer does not starve that machine's other connections.

```conf
BURST=100kb
RATE=1024Kbit
CEIL=3064Kbit
LEAF=sfq
PRIO=1
RULE=192.168.5.6
```


The remaining files are made by analogy.
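Rather than writing the per-host files by hand, they can be generated from the fixed-address reservations in dhcpd.conf from step five, which keeps the shaper classes and the DHCP leases in sync when a machine is added. This is an added example, not part of the article or of htb.init. It uses the article's values for eth1, eth1-2.root and the per-host RATE/CEIL/BURST as defaults; the function names, the output directory argument (so it can be dry-run into a temporary directory before copying to /etc/sysconfig/htb) and the embedded sample configuration are my own. Hosts without a fixed-address are skipped, since a dynamic lease cannot be tied to a class.

```shell
#!/bin/sh
# Added example: generate htb.init class files from dhcpd.conf host blocks.
# Usage: gen_htb_files <dhcpd.conf> <output-dir>; with no arguments, run a demo.

# Print "name ip" for every host block that has a fixed-address.
# Records are split on "}" so one-line and multi-line host blocks both work.
list_fixed_hosts() {
    awk 'BEGIN { RS = "}" }
         /host[ \t\n]+[A-Za-z0-9_.-]+[ \t\n]*\{/ {
             name = ""; ip = ""
             n = split($0, w, /[ \t\n;{]+/)
             for (i = 1; i <= n; i++) {
                 if (w[i] == "host") name = w[i+1]
                 if (w[i] == "fixed-address") ip = w[i+1]
             }
             if (name != "" && ip != "") print name, ip
         }' "$1"
}

# Write eth1, eth1-2.root and one eth1-2:NN.<name> file per reserved host
# into $2; prints the number of per-host class files present afterwards.
gen_htb_files() {
    conf=$1; out=$2
    rate=${RATE:-1024Kbit}; ceil=${CEIL:-3064Kbit}; burst=${BURST:-100kb}
    mkdir -p "$out"
    printf 'R2Q=20\nDEFAULT=0\n' > "$out/eth1"
    printf 'RATE=6Mbit\nCEIL=6Mbit\n' > "$out/eth1-2.root"
    list_fixed_hosts "$conf" | while read -r name ip; do
        oct=${ip##*.}
        # Class id = zero-padded last octet, as in the article. htb.init
        # treats it as hex, which is fine: it only needs to be unique.
        f=$(printf '%s/eth1-2:%02d.%s' "$out" "$oct" "$name")
        # A bare address in RULE is a destination match: shaping on eth1 egress
        # limits what this host downloads.
        printf 'BURST=%s\nRATE=%s\nCEIL=%s\nLEAF=sfq\nPRIO=1\nRULE=%s\n' \
            "$burst" "$rate" "$ceil" "$ip" > "$f"
    done
    ls "$out" | grep -c '^eth1-2:[0-9]*\.' || true
}

# Constructed sample: two reserved hosts from the article and one without a fixed address.
SAMPLE_CONF='host astraPC1 { hardware ethernet 00:21:91:91:11:42; fixed-address 192.168.5.6; }
host astraPC2 { hardware ethernet D0:27:88:43:7E:AE; fixed-address 192.168.5.7; }
host printer  { hardware ethernet 00:11:22:33:44:55; }'

demo() {
    d=$(mktemp -d)
    printf '%s\n' "$SAMPLE_CONF" > "$d/dhcpd.conf"
    echo "class files written: $(gen_htb_files "$d/dhcpd.conf" "$d/htb")"
    for f in "$d"/htb/*; do echo "== ${f##*/}"; cat "$f"; done
    rm -rf "$d"
}

if [ $# -eq 0 ]; then demo; else gen_htb_files "$1" "${2:-/etc/sysconfig/htb}"; fi
```

After generating into /etc/sysconfig/htb, `service htb compile` shows the tc commands htb.init will issue and `service htb start` applies them; `tc -s class show dev eth1` then shows per-class byte counters, which is the quickest way to confirm that each workstation's traffic is landing in its own class.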

Source: https://habr.com/ru/post/205460/

