Comments are welcome. If this gets moved I apologize for putting it in the wrong place.
Purpose of server: RED/GREEN ROUTER for SOHO or PARENTAL CONTROL
Block known bad URLs/IPs, i.e. porn, malware, ads, others
Block good URLs/IPs if desired by the OWNER
Scan mail protocols in and out for viruses; if one is found outbound, log it and mail the MASTER
POSSIBILITY??? scan all protocols in and out for viruses
inbound: block and log
outbound: block, log and mail the MASTER
It is a server build log and possibly a step-by-step assist for new users.
Version of ubuntu server 10.04
Hardware
Gateway Pentium 4
2 network cards
Use of server: RED/GREEN ROUTER FIREWALL that blocks the site list from shalla plus my own list. General use would be for SOHO or parental control.
Install Ubuntu Server 10.04; pick eth0 as the DHCP-provided RED "OUTBOUND" NIC
installer step by step
pick language...pick it again???...country...no...country for kb...kb layout...eth0(as RED)...name it...timezone...HDD choice(i used guided-use entire disk)...user...proxy if needed(not for RED GREEN ROUTER!!!)...updates(i picked auto)...LAMP,openssh, mail server ...sqlpassword...grub...done
then
login as user/pass created in install
run following
sudo passwd ....
exit
login as root
apt-get update ... works? great, move on
vim /etc/network/interfaces ... add
auto eth1
iface eth1 inet static
address 192.168.5.1
netmask 255.255.255.0
broadcast 192.168.5.255
network 192.168.5.0
...
/etc/init.d/networking restart
... putty from a statically configured device connected to the eth1(GREEN) nic should now work ...
now let's get and configure dnsmasq and dhcp
apt-get install dnsmasq dhcp3-server
vim /etc/default/dhcp3-server
change line
interfaces=""
to
interfaces="eth1"
...
a good idea for reading later and reference
https://help.ubuntu.com/community/dhcp3-server
cp /etc/dhcp3/dhcpd.conf /etc/dhcp3/dhcpd.conf.back
then create your own.
rm /etc/dhcp3/dhcpd.conf
vim /etc/dhcp3/dhcpd.conf
add ...
# Sample /etc/dhcpd.conf
# (add your comments here)
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.5.255;
option routers 192.168.5.1;
option domain-name-servers 192.168.5.1;
option domain-name "whatev.local";
subnet 192.168.5.0 netmask 255.255.255.0 {
range 192.168.5.100 192.168.5.199;
#wireless range handed out by the WAP connected to the switch (kept out of the pool above)
#192.168.5.200 192.168.5.250
}
...
/etc/init.d/dhcp3-server restart
/etc/init.d/networking restart
... dhcp should now work
... now to configure shorewall
apt-get install shorewall
... a good reference is
https://help.ubuntu.com/community/ShorewallBasics
http://www.howtoforge.com/ubuntu6.10_firewall_gateway
...
cp /usr/share/doc/shorewall/examples/two-interfaces/* /etc/shorewall/
vim /etc/shorewall/shorewall.conf
... change line
IP_FORWARDING=Keep
... to
IP_FORWARDING=On
...
vim /etc/default/shorewall
... change line
startup=0
... to
startup=1
...
vim /etc/shorewall/policy
... looks like the following
#
# Shorewall version 4.0 - Sample Policy File for two-interface configuration.
# Copyright (C) 2006 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-policy"
###############################################################################
#SOURCE   DEST    POLICY   LOG LEVEL   LIMIT:BURST
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# on your firewall, change the loc to net policy to REJECT info.
loc       net     ACCEPT
loc       $FW     ACCEPT
loc       all     REJECT   info
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.
$FW       net     ACCEPT
$FW       loc     ACCEPT
$FW       all     REJECT   info
#
# Policies for traffic originating from the Internet zone (net)
#
net       $FW     DROP     info
net       loc     DROP     info
net       all     DROP     info
# THE FOLLOWING POLICY MUST BE LAST
all       all     REJECT   info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
...
/etc/init.d/shorewall start
... you should now be able to surf the net
... good time to reboot and check dependencies and startup options
... a good tool for checking the path out: traceroute
apt-get install traceroute
I will post now and see if any comments come in. At this point I have a working firewall that has been tested for inbound block and outbound allow. My next steps are to configure a proxy; then I want to be able to block URLs and IPs, reverse and forward, so that users cannot enter e.g. www.facebook.com or 69.63.189.34.
I have tried squid and have been successful at blocking with a working malware list found at
some references I have found at this point:
http://www.digriz.org.uk/dns-malware-blacklisting
http://www.shallalist.de/
http://malware.hiperlinks.com.br/
However, squid will not reverse-lookup an IP address and block it if it is found to be a BAD/blocked URL.
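Since this box is already the LAN's DNS (dnsmasq, handed out via option domain-name-servers) and its firewall (shorewall), one way to cover both the hostname and the bare-IP case without squid is to turn a shalla-style "domains" list into dnsmasq address= lines for the hostnames and shorewall loc->net DROP rules for the IP entries. The script below is an added example, not from the original post or from shalla/shorewall; the blocklist is a constructed sample, and the output file formats assumed are dnsmasq's address=/domain/ip and the shorewall rules file columns ACTION SOURCE DEST.

```python
import ipaddress

# Constructed sample in the one-entry-per-line layout of a shalla "domains"
# file; real lists mix hostnames with bare IPs and occasionally subnets.
SAMPLE_DOMAINS = """\
# constructed sample, not a real list
bad.example
tracker.example.net
203.0.113.7
198.51.100.0/24
"""

def parse_domains(text):
    """Split a domains-style list into (hostnames, ip networks)."""
    hosts, nets = set(), set()
    for line in text.splitlines():
        line = line.strip().lower()
        if not line or line.startswith("#"):
            continue
        try:
            nets.add(ipaddress.ip_network(line, strict=False))
        except ValueError:
            hosts.add(line.lstrip("."))
    return hosts, nets

def dnsmasq_conf(hosts):
    """Lines for /etc/dnsmasq.d/blocklist.conf: one address= line per host;
    dnsmasq applies it to the host and every name under it."""
    return ["address=/{}/0.0.0.0".format(h) for h in sorted(hosts)]

def shorewall_rules(nets):
    """Lines to append above the LAST LINE marker of /etc/shorewall/rules:
    ACTION SOURCE DEST, dropping and logging LAN traffic to each listed range."""
    out = []
    for n in sorted(nets, key=str):
        addr = str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
        out.append("DROP:info\tloc\tnet:{}".format(addr))
    return out

def is_blocked(target, hosts, nets):
    """Offline check of what the generated config would do to a hostname
    (exact or subdomain match) or an IP (contained in a listed network)."""
    target = target.strip().lower()
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        labels = target.split(".")
        return any(".".join(labels[i:]) in hosts for i in range(len(labels)))
    return any(addr in n for n in nets)
```

DNS-side blocking only works for clients that actually use 192.168.5.1 as resolver, so the shorewall rules are what make the IP side stick; re-run the generator whenever the list is refreshed and restart dnsmasq and shorewall afterwards.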