Install CentOS 7.6 and Configure it as a Firewall Gateway Router

From a networker’s perspective there is so much you can do with Linux, so many servers and free tools to play with. Linux can be a server, a gateway router, a proxy, a transparent bridge, you name it, and using virtualization I have the flexibility to test things from my laptop workstation.

The idea for this lab was taken from my Winter 2015 Final Exam; it is a great project that I know you will love. I have updated it to work with CentOS7.

Lab Instructions:

//*******************************************\\
    CentOS7 Linux Router and Server 
\\*******************************************//
====================
 Install Linux       – 2pts
====================
A. Use the CentOS7 minimal install x86_64 iso image file. You can download it here: http://centos.org/

B. Using Virtualbox create a new virtual machine: Choose “I will install the operating system later.”
      – Settings: Linux, RedHat 64 bit, Disk Size minimum 12Gb, Memory 1 to 2Gb 
      – Choose Settings: set the CD-ROM to boot directly from the CentOS-7 iso image file, 
      – Choose Settings: set the network adapter to bridged mode

C. Click finish and then Start which will boot the virtual machine to the iso image file. Install CentOS-7.5 (the latest version)

D. Important settings:

   – Name your Centos localhost hostname <centos.yourname.local>
   – set the root password <yourchoice>
   – create a user account and password
   – set the location timezone
   – accept all other default settings  

E. Login to CentOS7 as root and take a screenshot logged into your CentOS7 Virtual Machine (save screenshot)

======================================
 Add and Configure 2 Network Adapters  – 2pts
======================================

1. Starting with CentOS-7 minimal install and virtual machine network interface in bridged mode

2. # ip addr    //have you picked up an ip address from the network DHCP server? If not, try:

   # ifdown enp0s3
   # ifup enp0s3
   
3. Next, you will manually edit/configure the ifcfg-enp0s3 network adapter configuration file: 

   # cd /etc/sysconfig/network-scripts
   # ls
   # vi ifcfg-enp0s3

     – using vi press “i” for insert mode
     – to save press “esc”, then type a “:”, then “wq” to write quit
     – make sure the configuration has the following items you do not need to delete any other items:

    DEVICE=enp0s3
    HWADDR=<mac-address>  //adding this is optional, see network adapter advanced settings in Virtualbox for the virtual NIC mac address
    TYPE=Ethernet
    ONBOOT=yes
    NM_CONTROLLED=no  //**this is the only line we need to add
    BOOTPROTO=dhcp   

   # ifup enp0s3
        
   – if needed
   # ifdown enp0s3
   # service network restart

4. Once you are online install the following tools:

   # yum install nano
   # yum install vim
   # yum install wget
   # yum install openssh
   # yum install iptables-services
   # yum install net-tools
   # yum install bridge-utils

5. Now that enp0s3 is working and you are connected online it is time to shut down your system
   and install a second network interface card. 

   # shutdown -h now

   – edit your virtual machine’s Settings: 
   – Settings: select Network > select Adapter 2: 
     – Activate Network Adapter: checkmarked,
     – Attached to: Internal Network, 
     – Name: vlan
     – Advanced > Promiscuous Mode: Allow all
     –   ”     > cable connected: checkmarked

6. Start Centos7 and check to see if CentOS7 recognizes the new network adapter:

   # ifconfig -a |less
 
   – if enp0s8 shows up, then go to step 7.
   – if enp0s8 doesn’t show up, then shutdown CentOS, go back to virtual machine settings
   – deactivate the network adapter 2 and then re-enable it.
   – if enp0s8 still doesn’t show up, then go to step 7 anyway and try and force it to see it.

7. Copy ifcfg-enp0s3 to ifcfg-enp0s8 to create a configuration file for enp0s8:

   # cp /etc/sysconfig/network-scripts/ifcfg-enp0s3 /etc/sysconfig/network-scripts/ifcfg-enp0s8

8. Edit ifcfg-enp0s8

   # nano /etc/sysconfig/network-scripts/ifcfg-enp0s8

    DEVICE=enp0s8
    HWADDR=<mac-address>  //see network adapter advanced settings
    TYPE=Ethernet
    IPADDR=172.16.1.1
    NETMASK=255.255.255.0
    ONBOOT=yes
    NM_CONTROLLED=no
    BOOTPROTO=none   

   # ifup enp0s8
    
   – if needed
   # ifdown enp0s8
   # service network restart

9. Take a screenshot showing your active enp0s3 and enp0s8 interfaces. 

   # ifconfig -a |less     //take screenshot
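Before running ifup on a new ifcfg file it is worth checking it for the mistakes these steps invite: a file copied from ifcfg-enp0s3 whose DEVICE line was never changed, NM_CONTROLLED left unset, ONBOOT not yes, or a static (BOOTPROTO=none) file with no NETMASK. The script below is an added example and not part of the lab; the two ifcfg files it writes into a temporary directory are constructed for the demonstration (one half-edited copy, one matching the enp0s8 configuration above).

```shell
#!/bin/sh
# Sanity-check an ifcfg-<iface> file before ifup. Added example, not lab code.

# Last value of KEY in an ifcfg file, with quotes and trailing blanks removed.
ifcfg_value() {          # $1 = file, $2 = key
  sed -n "s/^$2=//p" "$1" | tail -n 1 | sed 's/[[:space:]]*$//' | tr -d '"'
}

# Print one PROBLEM line per defect and finish with "problems: N".
check_ifcfg() {          # $1 = path to ifcfg-<iface>
  f=$1; n=0
  want=${f##*/}; want=${want#ifcfg-}    # interface name implied by the file name
  dev=$(ifcfg_value "$f" DEVICE)
  onboot=$(ifcfg_value "$f" ONBOOT)
  nm=$(ifcfg_value "$f" NM_CONTROLLED)
  proto=$(ifcfg_value "$f" BOOTPROTO)

  if [ "$dev" != "$want" ]; then
    echo "PROBLEM: DEVICE=$dev but the file is ifcfg-$want (edit DEVICE after copying)"; n=$((n + 1))
  fi
  if [ "$onboot" != "yes" ]; then
    echo "PROBLEM: ONBOOT=$onboot; the interface will not come up at boot"; n=$((n + 1))
  fi
  if [ "$nm" != "no" ]; then
    echo "PROBLEM: NM_CONTROLLED=$nm; NetworkManager may override this file"; n=$((n + 1))
  fi
  case $proto in
    dhcp) ;;
    none|static)                        # static address: both values are required
      if [ -z "$(ifcfg_value "$f" IPADDR)" ] || [ -z "$(ifcfg_value "$f" NETMASK)" ]; then
        echo "PROBLEM: BOOTPROTO=$proto needs IPADDR and NETMASK"; n=$((n + 1))
      fi ;;
    *) echo "PROBLEM: BOOTPROTO=$proto is not dhcp or none"; n=$((n + 1)) ;;
  esac
  echo "problems: $n"
}

# Constructed samples (not real files): a copy of ifcfg-enp0s3 that was only
# partly edited, and the corrected static configuration for enp0s8.
make_samples() {         # $1 = directory to populate
  mkdir -p "$1/good"
  cat > "$1/ifcfg-enp0s8" <<'EOF'
DEVICE=enp0s3
TYPE=Ethernet
IPADDR=172.16.1.1
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=none
EOF
  cat > "$1/good/ifcfg-enp0s8" <<'EOF'
DEVICE=enp0s8
TYPE=Ethernet
IPADDR=172.16.1.1
NETMASK=255.255.255.0
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=none
EOF
}

dir=$(mktemp -d)
make_samples "$dir"
check_ifcfg "$dir/ifcfg-enp0s8"        # half-edited copy: prints "problems: 2"
check_ifcfg "$dir/good/ifcfg-enp0s8"   # corrected file: prints "problems: 0"
rm -rf "$dir"
```

To check a real file on the server, call check_ifcfg /etc/sysconfig/network-scripts/ifcfg-enp0s8 before the ifup in step 8; each PROBLEM line names the key to fix.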

=========================================================
 Install Apache Webserver and reach it from your Windows computer  – 2pts
=========================================================

1. # yum install httpd        //install apache web server
    # systemctl start httpd    //start the apache web server
    # systemctl enable httpd    //set it to run on startup

   # nano /var/www/html/index.html    //create and edit a simple index.html homepage 
    
    <html>
    <head><title>Welcome to my “Your Name” Homepage Final</title>
    </head>
    <body> 
         Hello this is my webserver homepage!
    </body>
    </html>

2. In this lab we will use the older iptables service instead of the newer nftables (firewalld). You will need to shut down the nftables (firewalld) firewall in order to reach the Apache webserver

   # systemctl stop firewalld
   # systemctl disable firewalld

3. Using your host computer (not CentOS7) open a web browser, and browse to your CentOS7 web server’s enp0s3 ip address

4. Take a screenshot of your Apache web server homepage from the Web Browser


=====================================
Install and configure a DHCP server  – 2pts
=====================================

1. # yum install dhcp    //install dhcp server
   # systemctl start dhcpd     //the dhcpd service should fail because it has not been configured yet
   # systemctl enable dhcpd    //set it to run on startup

2. Configure the dhcp server

   # cd /etc/dhcp/
   # ls
   # nano /etc/dhcp/dhcpd.conf

    subnet 172.16.1.0 netmask 255.255.255.0 {
        range 172.16.1.100 172.16.1.150;
        option domain-name-servers 8.8.4.4, 4.4.2.2;
        option routers 172.16.1.1;
        option broadcast-address 172.16.1.255;
    }

3. # service dhcpd restart 
    
    Note: if it fails the dhcpd.conf file has errors that need to be fixed, 
          or your enp0s8 interface is not enabled with the correct ip address 

4. From another virtual machine (Linux Mint VM) with the virtual network adapter set to Internal Network (name: vlan) try picking up an ip address from the CentOS7 DHCP server by setting the local area connection to automatically pick up an IP address (DHCP client)

5. Take a screenshot showing a successful dhcp address lease on a virtual machine using the same Internal Network as the CentOS7 Server. Open a command prompt and issue an ipconfig, or from the Centos Server use the following command to check for dhcp leases:

   # cat /var/lib/dhcpd/dhcpd.leases 
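The leases file dhcpd writes is append-only: every change to a binding adds a new lease record, so the cat output above shows superseded records alongside current ones. The script below is an added example, not part of the lab; it keeps only the last record per address and prints the ones whose binding state is active. The leases text embedded in it is constructed for the example, not captured from a real server.

```shell
#!/bin/sh
# List active leases from a dhcpd.leases file. Added example, not lab code.

# Constructed sample of /var/lib/dhcpd/dhcpd.leases: 172.16.1.100 has an old
# released record followed by a newer active one, .101 is active, .102 is free.
SAMPLE_LEASES='lease 172.16.1.100 {
  starts 3 2019/02/06 18:00:00;
  ends 3 2019/02/06 18:10:00;
  binding state free;
  hardware ethernet 08:00:27:aa:bb:01;
}
lease 172.16.1.100 {
  starts 3 2019/02/06 19:00:00;
  ends 3 2019/02/06 19:10:00;
  cltt 3 2019/02/06 19:00:00;
  binding state active;
  next binding state free;
  rewind binding state free;
  hardware ethernet 08:00:27:aa:bb:02;
  client-hostname "mint-vm";
}
lease 172.16.1.101 {
  starts 3 2019/02/06 19:02:00;
  ends 3 2019/02/06 19:12:00;
  binding state active;
  next binding state free;
  hardware ethernet 08:00:27:aa:bb:03;
}
lease 172.16.1.102 {
  starts 3 2019/02/06 17:00:00;
  ends 3 2019/02/06 17:10:00;
  binding state free;
  hardware ethernet 08:00:27:aa:bb:04;
}
'

# Print "ip mac hostname ends" for each address whose latest record is active.
active_leases() {        # $1 = path to dhcpd.leases
  awk '
    /^lease / { ip = $2; state = ""; mac = "-"; host = "-"; ends = "-" }
    $1 == "binding" && $2 == "state" { state = $3; sub(/;$/, "", state) }   # skips "next"/"rewind" lines
    $1 == "hardware" && $2 == "ethernet" { mac = $3; sub(/;$/, "", mac) }
    $1 == "client-hostname" { host = $2; gsub(/[";]/, "", host) }
    $1 == "ends" { ends = ($2 == "never;") ? "never" : $3 " " $4; sub(/;$/, "", ends) }
    /^}/ {                                   # end of record: later records win
      if (!(ip in seen)) { seen[ip] = 1; order[++n] = ip }
      st[ip] = state; mc[ip] = mac; hn[ip] = host; en[ip] = ends
    }
    END {
      for (i = 1; i <= n; i++) {
        ip = order[i]
        if (st[ip] == "active") printf "%s %s %s %s\n", ip, mc[ip], hn[ip], en[ip]
      }
    }' "$1"
}

tmp=$(mktemp)
printf '%s' "$SAMPLE_LEASES" > "$tmp"
echo "active leases (ip mac hostname ends):"
active_leases "$tmp"
rm -f "$tmp"
```

Point active_leases at /var/lib/dhcpd/dhcpd.leases on the server to see which clients currently hold an address. A record is reported on its binding state, not its ends time, so an expired lease stays listed until dhcpd writes a new record for it.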


=================================================
 SSH into your server from Windows using PuTTY  – 2pts
=================================================

1. Install the Windows PuTTY client to your Windows computer

2. In Centos check to see if sshd is already started; if not, start it 
    
   # service sshd status
   # service sshd start

3. If you did not create a user account when you installed CentOS7 then you will want one:

   # adduser <username>
   # passwd <username>
    <enter a password of your choice>
    <re-enter the password>

4. In Windows open PuTTY, put in the ip address of CentOS (enp0s3), click Open and enter your username and password.

5. Take a screenshot of your successful SSH connection.


===============================
 IP Forwarding and Iptables     – 2pts 
===============================

1. Turn on routing in the kernel by setting net.ipv4.ip_forward = 1 

   # sysctl -w net.ipv4.ip_forward=1

   – to make the setting survive a reboot add the setting to the sysctl.conf file

   # nano /etc/sysctl.conf 
   
   –  add the following line, save and quit
   net.ipv4.ip_forward = 1         
      
2. Load the new sysctl settings

   # sysctl -p

3. Configure iptables firewall rules and nat by creating a firewall script to load the configuration commands

   # cd /usr/local/bin
   # touch firewall_script
   # chmod 700 firewall_script
   # nano firewall_script

4. Below is the firewall_script line by line:

#!/bin/bash
# Basic firewall script

# Define variables
ipt="/sbin/iptables"
int_intf=enp0s8
ext_intf=enp0s3

# Flush all active rules and delete all custom chains
$ipt -F
$ipt -t nat -F
$ipt -t mangle -F
$ipt -X
$ipt -t nat -X
$ipt -t mangle -X

# Set default policies
$ipt -P INPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -P OUTPUT ACCEPT
$ipt -t nat -P OUTPUT ACCEPT
$ipt -t nat -P PREROUTING ACCEPT
$ipt -t nat -P POSTROUTING ACCEPT
$ipt -t mangle -P PREROUTING ACCEPT
$ipt -t mangle -P POSTROUTING ACCEPT

# This line is necessary for the loopback interface
# and internal socket-based services to work correctly
$ipt -A INPUT -i lo -j ACCEPT

# Enable IP masquerading (NAT)
$ipt -t nat -A POSTROUTING -o $ext_intf -j MASQUERADE

# Allow outside connections to servers
$ipt -A INPUT -p tcp --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
$ipt -A INPUT -p tcp --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT

# Enable unrestricted outgoing traffic, incoming traffic
# is restricted to locally-initiated sessions only
$ipt -A INPUT -i $ext_intf -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A INPUT -i $int_intf -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $ext_intf -o $int_intf -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $int_intf -o $ext_intf -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Accept important ICMP messages
$ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

# Reject connection attempts not initiated from inside the LAN
$ipt -A INPUT -p tcp --syn -j DROP

# Send LAN web requests to Squid, 
# the line below is commented out at first until Squid is installed and configured 
#$ipt -t nat -A PREROUTING -i $int_intf -p tcp --dport 80 -j DNAT --to 172.16.1.1:3128

5. Start iptables then run your script to configure iptables 

   # service iptables start
   # ./firewall_script        //if errors exist fix script, save, and run script again        

6. Take a screenshot of your firewall script and another of your firewall running successfully    

   # service iptables status
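Two things about the script above are worth noticing when you read the status output. With -P FORWARD ACCEPT, any routed packet that neither FORWARD rule matches is still forwarded, and with -P INPUT ACCEPT the final --syn drop only covers TCP, so new UDP datagrams arriving on enp0s3 are accepted by policy. In this lab the 172.16.1.0/24 LAN behind the router is a private range that the Internet does not route to, so the assignment works as written; the script below is an added example, not part of the lab, that reads an iptables-save style dump and flags those defaults so you can see them. The dump embedded in it is a constructed rendering of what firewall_script loads (rules as iptables-save prints them, with ICMP types and --syn expanded), not a capture from a live system.

```shell
#!/bin/sh
# Audit an iptables-save style dump for weak defaults. Added example, not lab code.

# Constructed dump of the rules firewall_script loads (not captured from a system).
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o enp0s3 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i enp0s3 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i enp0s8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp0s3 -o enp0s8 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp0s8 -o enp0s3 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
COMMIT
'

# Print the policy and rule lines of one table (filter, nat, ...) from a dump.
table_rules() {          # $1 = dump file, $2 = table name
  awk -v t="*$2" '$0 == t {f = 1; next} /^COMMIT/ {f = 0} f' "$1"
}

# Print one FINDING line per weak default and end with "findings: N".
audit_rules() {          # $1 = dump file, $2 = external intf, $3 = internal intf
  file=$1; ext=$2; int=$3; n=0
  filter=$(table_rules "$file" filter)
  nat=$(table_rules "$file" nat)

  if printf '%s\n' "$filter" | grep -q '^:FORWARD ACCEPT'; then
    echo "FINDING: FORWARD policy is ACCEPT; routed packets no FORWARD rule matches (e.g. new connections arriving on $ext bound for $int) are passed. Use -P FORWARD DROP and keep only the two stateful rules"
    n=$((n + 1))
  fi
  if printf '%s\n' "$filter" | grep -q '^:INPUT ACCEPT' &&
     ! printf '%s\n' "$filter" | grep -Eq "^-A INPUT -i $ext -j (DROP|REJECT)"; then
    echo "FINDING: INPUT policy is ACCEPT with no catch-all drop for $ext; only TCP SYNs are dropped, so new UDP datagrams from outside reach any listening UDP service. Add a final -A INPUT -i $ext -j DROP"
    n=$((n + 1))
  fi
  if printf '%s\n' "$filter" | grep -Eq "^-A INPUT -i $ext .*--state [A-Z,]*NEW"; then
    echo "FINDING: a rule accepts NEW connections arriving on $ext"
    n=$((n + 1))
  fi
  if ! printf '%s\n' "$nat" | grep -q -- "^-A POSTROUTING -o $ext -j MASQUERADE"; then
    echo "FINDING: no MASQUERADE rule for $ext; LAN clients will not be NATed"
    n=$((n + 1))
  fi
  if ! printf '%s\n' "$filter" | grep -q -- '^-A INPUT -i lo -j ACCEPT'; then
    echo "FINDING: loopback traffic is not explicitly accepted"
    n=$((n + 1))
  fi
  echo "findings: $n"
}

tmp=$(mktemp)
printf '%s' "$SAMPLE_RULES" > "$tmp"
audit_rules "$tmp" enp0s3 enp0s8         # prints two FINDING lines, then "findings: 2"
rm -f "$tmp"
```

On the live router the same check runs as iptables-save > /tmp/rules.txt followed by audit_rules /tmp/rules.txt enp0s3 enp0s8. Both findings disappear once the FORWARD policy is DROP and a final drop for enp0s3 closes the INPUT chain; the lab's own rules already cover the traffic those changes would otherwise block.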


===============================
 Install and configure Squid    – 2pts
===============================

1. Install Squid 

   # yum install squid
   # systemctl start squid
   # systemctl enable squid

   # nano /etc/squid/squid.conf

    //since this is now a transparent proxy, on line 62 edit the following line to read
    http_port 3128 intercept

   # systemctl restart squid   //or reload

2. Open up your WindowsXP Pro client, behind your Centos Server (LAN Segment VLAN10) and open a browser to test to see if Squid is intercepting web requests

   # tail -f /var/log/squid/access.log

3. Take a screenshot of the Squid access log 


==========================================
 Install and configure squidGuard    – extra credit 2pts
==========================================

1. Install squidGuard, you need the epel repositories
    
   # yum install epel-release
   # yum install squidGuard

2. Configure Squid to use squidGuard:

   # nano -c /etc/squid/squid.conf

   // add the following line around line 26:
   url_rewrite_program /usr/bin/squidGuard

   # systemctl restart squid

3. Make a blacklists directory in squidGuard

   # mkdir /var/squidGuard/blacklists

   //download a publicly available blacklist file to /usr/local/bin using wget or you could do a testdomains page instead of a full blacklist
   
   # cd /usr/local/bin
   # wget http://www.shallalist.de/Downloads/shallalist.tar.gz
    
   //extract the compressed blacklist file, then copy the folder named “gamble” to the blacklists folder
   //the file extracts into a folder named “BL” and within that folder are the blacklist categories

   # tar -xvf shallalist.tar.gz
   # ls
   # cd BL
   # cp -R gamble /var/squidGuard/blacklists     

4. Configure squidGuard:

   # nano -c /etc/squid/squidGuard.conf
    
//edit the squidGuard.conf file starting at line 33 with the following changes:
//comment out the user line shown below in the “src admin” block with a “#” 
//comment out all the lines in the “dest adult” block with a “#” in front of each line 

src admin {
        ip              1.2.3.4 1.2.3.5
#       user            root foo bar     //don’t forget to comment this out
        within          workhours
}

#dest adult {
#   domainlist blacklists/…
#   urllist blacklists/…
#   expressionlist blacklists/…
#   redirect        http://admin…
#}

dest gamble {                     //add this dest gamble block
    domainlist    gamble/domains        //…add
    urllist        gamble/urls        //…add
}                        //…add

acl {
    admin {
        pass any
    }

    foo-clients within workhours {
#        pass good !in-addr !adult any    //comment out this line with a “#”
    } else {
        pass any
    }

    bar-clients {
        pass local none
    }

    default {                
        pass !gamble any            //change this line to “pass !gamble any” (the name of the dest block above)
        rewrite dmz
        redirect http://172.16.1.1/blocked.html    //change to redirect to your own blocked webpage
    }
}

5. Add draftkings.com to your gambling blacklist (or any other domains you want to block) 

   # nano -c /var/squidGuard/blacklists/gamble/domains
 
   // add a line at the top of domains for draftkings.com (you can add more test domains to block also)

6. Compile the squidGuard database files, then chown the entire blacklists folder and files

   # squidGuard -b -d -C all
   # chown squid:squid -R /var/squidGuard/blacklists

7. Reload Squid

   # systemctl restart squid

8. Go to the Linux Mint or Windows virtual machine on the internal network vlan10
   and open a browser to test to see if Squid is using squidGuard to block unsavory websites.
   If you cannot web browse to a gambling domain listed in the gamble/domains file then squidGuard is working.

   // while the LAN client browses, run an ongoing tail of the Squid access log on the CentOS server:   # tail -f /var/log/squid/access.log

9. Create a blocked.html file by copying your index.html file

   # cp /var/www/html/index.html /var/www/html/blocked.html
    
10. Edit the blocked.html file content to read, “You are blocked!”

   # nano /var/www/html/blocked.html

   //you should now see your blocked.html page every time squidGuard blocks a web site or domain

11. Take a screenshot of a successful blocked page result from the virtual machine client (Mint or Win) on the internal network (vlan)
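Watching tail -f scroll by is fine for a screenshot, but to see what the intercepting proxy is actually doing per client it helps to summarize the log. The two functions below are an added example, not part of the lab or of Squid: they parse Squid's native access.log format (timestamp, elapsed ms, client IP, result/status, bytes, method, URL, ident, hierarchy/peer, content type) and report per-client request counts, fetches of the blocked page, and the hosts requested most. The log lines embedded in the script are constructed. It assumes the client follows squidGuard's redirect through the same intercepting proxy, so the fetch of http://172.16.1.1/blocked.html itself appears in the log; that is how blocks are counted here.

```shell
#!/bin/sh
# Summarize Squid's native access.log. Added example, not lab code.

# Constructed log lines for the example, not a real capture (203.0.113.x and
# 198.51.100.x are documentation addresses standing in for origin servers).
SAMPLE_LOG='1549489200.123    120 172.16.1.100 TCP_MISS/200 4521 GET http://example.com/ - HIER_DIRECT/203.0.113.10 text/html
1549489201.001     80 172.16.1.100 TCP_MISS/200 1980 GET http://example.com/style.css - HIER_DIRECT/203.0.113.10 text/css
1549489205.456      2 172.16.1.100 TCP_MISS/302 310 GET http://draftkings.com/ - HIER_NONE/- text/html
1549489205.789     10 172.16.1.100 TCP_MISS/200 220 GET http://172.16.1.1/blocked.html - HIER_DIRECT/172.16.1.1 text/html
1549489230.000    500 172.16.1.101 TCP_MISS/404 530 GET http://example.com/missing - HIER_DIRECT/203.0.113.10 text/html
1549489231.000     60 172.16.1.101 TCP_MISS/200 8800 GET http://centos.org/ - HIER_DIRECT/198.51.100.20 text/html
'

# Per client: total requests, fetches of the blocked page, and 4xx/5xx answers.
access_summary() {       # $1 = access.log path, $2 = URL of the blocked page
  awk -v blocked="$2" '
    NF >= 7 {
      total[$3]++
      if ($7 == blocked) blocks[$3]++
      split($4, c, "/")                      # c[2] is the HTTP status code
      if (c[2] >= 400) errors[$3]++
    }
    END {
      for (ip in total)
        printf "%s requests=%d blocked_page=%d errors=%d\n", ip, total[ip], blocks[ip] + 0, errors[ip] + 0
    }' "$1" | sort
}

# Hosts requested, most frequent first, one "count host" line each.
top_hosts() {            # $1 = access.log path
  awk '
    NF >= 7 {
      u = $7; sub(/^[A-Za-z]+:\/\//, "", u)  # drop the scheme
      split(u, p, "/"); u = p[1]             # keep host[:port]
      sub(/:.*$/, "", u)                     # drop the port (CONNECT host:443)
      h[u]++
    }
    END { for (x in h) printf "%d %s\n", h[x], x }' "$1" | sort -rn
}

tmp=$(mktemp)
printf '%s' "$SAMPLE_LOG" > "$tmp"
access_summary "$tmp" http://172.16.1.1/blocked.html
top_hosts "$tmp"
rm -f "$tmp"
```

On the server, access_summary /var/log/squid/access.log http://172.16.1.1/blocked.html shows which LAN clients hit the block page and how often, and top_hosts /var/log/squid/access.log is a quick way to confirm that the domains you added to gamble/domains are the ones being requested.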

Video Walkthrough


Configuring NAT basics for the CCNA with Packet Tracer

NAT Basics Overview

NAT, or network address translation, is an important part of the CCENT and CCNA certification exams. When NAT is implemented it allows a router to translate the source IPv4 address in the packet header as the packet crosses the router, changing the source address in the packet from one address to another. This makes the sending computer’s message appear as if it is coming from another computer’s address. When you masquerade the origin of a computer’s IPv4 address on a network in this way it is known as a NAT firewall.

NAT basics lab topology using Packet Tracer

Network address translation is a primary reason that IPv4 addressing has survived and is still in use today. The creation of NAT along with private IPv4 address ranges like 192.168.0.0 to 192.168.255.255, 172.16.0.0 to 172.31.255.255, and 10.0.0.0 to 10.255.255.255 has allowed for the conservation of publicly routable IPv4 addresses. One of the results of NAT’s ability to translate public addresses at the router to private IPv4 addresses is that the advent of IPv6 addressing has essentially been delayed.

Configuring NAT

For the CCENT and the CCNA certifications you need to know how NAT works and how to configure it on a Cisco router. In the following Packet Tracer exercise and accompanying video tutorials, I demonstrate four different ways of configuring NAT.

  • Static NAT translation
  • Port forwarding static NAT translation
  • NAT overload translation
  • Dynamic NAT translation using a NAT Pool

Download

Download the Packet Tracer 6.3 activity here: NAT_practice_activity

NAT Basics Lab – Video Tutorials


Multiarea OSPF for the CCNA

Multiarea OSPF Overview

Multiarea OSPF is used in large or enterprise networks where there are so many routers that having every router communicate every link in its link state database with every other router in the network, even for a small change, becomes taxing on the network. In this type of situation you don’t need every router, let’s say there are 30 or more routers, running the shortest path first algorithm if an interface is momentarily shut down.

The solution is to use multiarea OSPF instead of single-area OSPF where every network is in Area 0. In multiarea OSPF you still have to have a backbone area named Area 0, but you can add additional networks in other areas. The result is that routers will only share their entire link state databases with routers in their own area, and other areas will be configured to receive only summary information from the area. This way, when there is a change in the network the SPF algorithm will only need to run on routers in the affected area.

I created a Packet Tracer lab activity that goes with a video tutorial series. Watch all of the videos in order below, while you follow along with the downloadable Packet Tracer activity here: multi-area-ospf-begin

Multiarea OSPF Video Tutorial

How to Install Ruby on Windows

Don’t.

Seriously, just don’t.


Ruby support on Windows just isn’t very good. If you absolutely need to get Ruby running on Windows, use RubyInstaller. You’ll be able to get a basic Ruby installation going, but support for all of Ruby’s various Gems (“gems” are code libraries in Ruby-land) is going to be spotty (gems that require native extensions, in particular).

But what it really comes down to is that I don’t think it’s feasible to develop in Ruby in Windows. And I say that as a long-time professional Ruby developer.

So, what are your alternatives? One, you could get a Mac. Now, I realize, given the cost of Macs and all, that’s not really a viable option for most people. But, I think it’s good to understand that most (I’d say at least 80%) of Ruby developers use Macs, and that, as a result, a lot of the tooling in the Ruby ecosystem is best supported on MacOS.

The other, more reasonable option, is to run some variety of Linux (I’d suggest Ubuntu) in a virtual machine on your Windows box using something like VirtualBox. I know of people that do this, and it seems to work reasonably well. And it’s sure a heck of a lot better than trying to install Ruby on Windows 😉

How to Create a WIM System Image Using WindowsAIK and WindowsPE

WIM System Image File Overview

A system image is a single file that contains the entire operating system and all of the files, programs, and settings of an installed computer system. Network administrators use system images to deploy the Windows 7 operating system to many computers in a Windows network. Besides deploying operating systems across a large network, a system image is also a useful backup tool for re-imaging corrupted systems. A Windows 7 system image file is called a WIM file; it has a .wim file extension. A WIM file can be created in such a way (generalized) that it can be deployed to any computer, independent of the particular hardware or drivers.

In this tutorial, I attempt to simplify the process of creating a Windows system image or WIM file, into easy to understand, step-by-step instructions. I hope you find the tutorial helpful and the process interesting! I have also added video tutorials showing how to do the entire process using a VMware Windows 7 virtual machine as the reference computer.

The tools you will need:

  • The Reference Computer – A computer with Windows 7 installed. This is the source computer that the image file will be created from. In my example, I used a fresh install of Windows 7 on an extra computer, then I ran updates, installed a couple programs, changed the desktop and the homepage, and took a screenshot (see below). Important! The first time you do this, I do not recommend using the Windows 7 home computer that you use on a daily basis, as the reference computer. This process will involve a generalizing of the system (sysprep) which will strip it of drivers, as well as the System ID. Though everything will be put back to normal, I do not recommend using a machine that you rely on the first time you do this exercise. I am also in the process of showing how this entire lab can be done using virtual machines.

    Screenshot (wim-reference-computer): This is a screenshot of the system I am going to image.

  • The Technician Computer – In my case running Windows 7. This is the computer with Windows AIK installed.
  • A USB flash drive or CD – To hold your bootable WinPE image.
  • A USB external drive or flash drive – To store your WIM system image files (Note: a WIM file can be as large as the hard drive you’re imaging)
  • Windows Automated Installation Kit (Windows AIK) – Used to create and maintain Windows system images or WIM files. Windows AIK is a free download from Microsoft that you will need to burn to DVD and then install. Windows AIK includes the following tools:
    • Windows PE – The Windows preinstallation environment is a thin version
      of Windows 7 based on the Windows 7 kernel. Windows PE is like a Windows
      7 Boot Disk. It can be used to fix Windows 7 installations.
    • Windows SIM – Windows System Image Manager creates ‘answer files’ that are used to automate the Windows installation (This is optional, I do not use this tool in this tutorial).
    • SysPrep Tool – The System Preparation Tool is used to generalize the system image for installation by removing specific computer system information. (The SysPrep tool is included in Windows 7)
    • ImageX – Command line tool that creates the image file. In this tutorial, we will copy the ImageX.exe file to the root of the USB WindowsPE boot drive, for easy access.

Initial Steps

In this tutorial you want to pay close attention to the syntax of the commands (eg. the spaces between words or characters)

  1. Set up the ‘Reference Computer’ with Windows 7. This is the computer I will use to create my “golden image” (see above recommendations).
  2. Download the Windows Automated Installation Kit for Windows 7 iso file. You can download it here: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=696dd665-9f76-4177-a811-39c26d3b3b34&displaylang=en. Once you have it downloaded you will need to burn it to a DVD. Now install WindowAIK from the DVD (If it does not start by itself run the StartCD.exe file located on the DVD)
  3. For good online instructions I recommend going to TechNet.Microsoft.com. This is my starting point for this tutorial: http://technet.microsoft.com/en-us/library/dd349343(WS.10).aspx

Create a Windows PE Boot Disk (USB Flash Drive or CD)

  1. Next, you need to make a Windows pre-installation environment, Windows PE boot disk. You can do this on a CD-ROM or a USB flash drive, I show both ways in the steps below . You can also find more information on how to create WindowsPE boot disks at the Microsoft TechNet website: http://technet.microsoft.com/en-us/library/dd744530(WS.10).aspx. I have also included a video tutorial on how to create a WindowsPE boot CD below.
  2. On your technician computer (computer with AIK installed), click Start > All Programs > Microsoft Windows AIK, right-click Deployment Tools Command Prompt, and then select Run as administrator.
  3. At the command prompt, run the Copype.cmd script. The script requires two additional parameters: hardware architecture and destination location.
    copype.cmd <arch> <destination>
    <arch> can be x86, amd64, or ia64 and <destination> is a path to local directory. For example, I typed in the following command:
    copype.cmd x86 c:\winpe_x86 (the directory winpe_x86 will be created by the command)
  4. Next, run the following command to copy and rename the winpe.wim file:
    copy c:\winpe_x86\winpe.wim c:\winpe_x86\ISO\sources\boot.wim
  5. Add ImageX.exe to your WinPE image (optional but recommended). Type the following command:
    copy c:\<the path to WindowsAIK>\tools\x86\imagex.exe c:\winpe_x86\iso\
    On my computer, I installed AIK directly to the c: drive in a folder named “WindowsAIK” instead of the “Program Files” folder so my command looked like this:
    copy c:\WindowsAIK\tools\x86\imagex.exe c:\winpe_x86\iso\
  6. Now you need to decide if you want to prepare a USB flash drive or a CD for accepting WindowsPE. If you want to prepare for burning a CD, you can skip to step 9, otherwise continue on. Now you need to prepare your USB Flash Drive. Insert your flash drive. Open a command prompt and type in the following command:
    diskpart (opens the diskpartition command line utility)
    When you see the prompt “DISKPART>” type in the following command to verify which disk is your USB Flash Drive:
    list disk (you should see a listing of disks based on size)
    Type in the following commands (Important: this assumes your USB drive was listed as “Disk 1”; you don’t want to format the wrong disk)
    select disk 1
    clean
    create partition primary
    select partition 1
    active
    format quick fs=fat32
    assign
    exit

    Now your USB flash drive should be formatted with fat32.
  7. Copy the iso directory in your c:\winpe_x86 folder to your Flash drive. Type in the following commands:
    xcopy C:\winpe_x86\iso\*.* /e F:\
    the above command assumes your f: drive is your USB drive, else adjust accordingly
  8. Congratulations! You just created your Windows PE Boot Flash Drive. Now you need to capture a generalized image for deployment.
  9. If you would like to burn WindowsPE to a CD instead of a USB thumb drive, the following command will copy all of the files necessary to create a WindowsPE boot disc into an ISO image file. Then you can burn the image file to a CD to create a bootable WindowsPE CD. In the command below the ISO image file that you will want to burn is winpex86.iso
    Oscdimg -n -bC:\winpe_x86\Etfsboot.com C:\winpe_x86\ISO C:\winpe_x86\winpex86.iso
  10. Now burn the ISO image file winpex86.iso to a CD as a bootable image disc and you are finished! You can find more information on how to do it from the Microsoft Technet site here: http://technet.microsoft.com/en-us/library/dd799303%28v=ws.10%29.aspx
  11. Congratulations! You just created your Windows PE Boot CD. Now you need to capture a generalized image for deployment.

How to Create a WindowsPE boot cd using Windows AIK

Generalize your Windows 7 Reference Computer with SysPrep

  1. Generalize your image with the SysPrep utility.
  2. On the reference computer, click Start > All Programs > Accessories, right-click Command Prompt and run it as administrator, which opens the command prompt in administrative mode. Type in the following command to run sysprep:
    c:\windows\system32\sysprep\sysprep.exe
  3. In the sysprep dialogue box choose the OOBE, generalize, and shutdown options and click “ok”.
  4. Sysprep will prepare your system for imaging by stripping it of hardware specific settings and will then shutdown.

Generalize the reference system using the SysPrep utility

Capture an Image for Deployment (Generalized Golden Image) with ImageX

  1. Now that you have generalized your Windows 7 Reference System you need to boot the reference computer to your WindowsPE Boot Disk (USB or CD). If you are doing the lab on a VMware virtual machine you can configure the virtual CD/DVD drive to boot directly to the WindowsPE .iso file. You will still need to tell the virtual machine to boot the CD/DVD drive by quickly clicking inside the VM as it boots and hitting the escape key on the keyboard in order to get to the boot menu. Working from a physical computer, you need to press the F12 key while starting the computer in order to bring up a one-time boot menu, and set the computer to boot to the CD/DVD or USB flash drive instead of the hard drive.
    Note: If you boot to the hard drive instead of your WindowsPE USB then your computer will begin the Windows setup procedure and load pnp drivers, and you will need to do sysprep all over again to generalize your system.
  2. In the WinPE command prompt run diskpartition by typing in the command: diskpart (and hitting enter)
  3. Type in the following command: list disk (to see your recognized disks)
    I showed 3 hard disk drives listed:
    disk0 = my hard drive
    disk1 = my USB flash drive
    disk2 = my larger external USB drive where I plan on saving my image file
  4. Type in the command: exit to exit disk partition
  5. Now I recommend figuring out which disks are under which drive letters. You can do this by executing the following commands:
    c:\ (switching to the c drive I found “Volume in drive C is System reserved”)
    d:\ (switching to the d drive I found the files and folders of a WindowsOS, i.e Program Files, Users, Windows, autoexec.bat, etc.)
    e:\ (depending on whether you are using a WindowsPE CD or a USB boot drive, switching to the e:\ drive you may find the contents of the WindowsPE drive or a “The device is not ready” message)
    f:\ (under the f drive I found the WindowsPE drive and the imagex.exe file)
    g:\ (under the g drive I found my USB external hard drive where I am going to store my image file)
  6. Once you know where imagex.exe is located (USB WinPE drive) you can run it on your generalized Win7 drive and save the image an external storage device. My final command to create the image and save it to an external hard drive was:
    f:\imagex /capture d:\ g:\my-windows-image.wim “myImage” (make sure you put the quotation marks)
    Explanation of command above: after using the cd and dir commands to search around the disks and directories I found the imagex.exe file in the F:\ drive. The separate pieces of the command are as follows:
    f:\imagex (is where imagex.exe was located)
    /capture (the argument that tells imagex to capture the image)
    d:\ (location of the drive with the generalized Windows 7 OS)
    g:\my-windows-image.wim “myImage” (location of drive to save the image file (in this case an external USB drive), the file name to give it, and a label name)
  7. Now check to see if the image successfully copied to your external USB drive. You should see a .wim file. If you did, congratulations, you now have an image file of your entire Windows 7 operating system, which includes installed programs, documents, and configurations! You can now install that image on a different computer, the same computer, or you could open that image file with the Windows AIK program and mount the image like an external hard drive. A mounted wim file can be browsed, edited or added to.

Capture the WIM from WindowsPE, using ImageX

Installing/Deploying your WIM Image to a Computer or Network with ImageX

  1. Now that you have your image file you can install it to another computer using ImageX!
  2. Boot a computer to your USB WindowsPE boot drive.
  3. Attach the USB external drive with your wim file.
  4. Format the drive using Diskpartition. After typing diskpart you will need to search the drives to verify which letters correspond with which drives. Here are the commands:
    diskpart (starts Disk Partition)
    list disk (lists the mounted disks, note which one is which by comparing sizes)
    select disk 0 (select the disk that corresponds with your hard drive where you want to install your image)
    clean
    create partition primary
    select partition 1
    active
    format quick fs=ntfs label=OS
    (Important: NTFS not fat32, label is optional)
    assign letter=C (Important: you want it to be the C drive)
    exit
    Now run the command to apply the image to the hard drive:
    f:\imagex.exe /apply e:\my-windows-image.wim 1 c:\
    Explanation:
    /apply (apply instead of capture)
    e:\my-windows-image.wim 1 (Important: the 1 is the index of the first wim. Each wim can have multiple versions)
    c:\ (where you will install the wim)
    Once the image is done you can try restarting and seeing if the system boots normally. If it doesn’t you will need to set up the boot configuration location. In WindowsPE type the following commands:
    c: (to switch to the c drive)
    cd windows\system32
    dir bcd* (list all the files beginning with bcd)
    bcdedit.exe (looks for boot files)
    bcdboot c:\windows /s c: (sets the system boot directory)
  5. Restart your computer and go to Windows setup mode. You will need to add a new user in setup mode which you can delete later. Log off and log back into your original user account and you should see all your programs, documents and settings! Image is restored!

Welcome to CCNA 1

Cisco CCNA 1 Introduction

The Cisco CCNA certification is the most well known computer networking certification in the industry. I recommend a Cisco CCNA Routing and Switching course of study, and the Cisco Academy curriculum in particular, for anyone who wants to learn about computer networking. It is the best foundation for learning about network communication protocols, network addressing including IPv4 and IPv6, subnetting, routing, switching, VLANs and more!

I have taught the Cisco CCNA curriculum as a Cisco Academy instructor for over 14 years. The Cisco Academy offers 4 courses that together map to the Cisco CCNA certification exam. The current exam is the 200-120 CCNA, which has a stronger emphasis on IPv6. All of the students who sign up for a class through the college will be automatically enrolled in the Cisco Academy, and all Cisco Academy students will have access to the online curriculum as well as the latest version of Packet Tracer. Packet Tracer is a program for creating simulated networked environments, complete with functioning routers, switches, and endpoint hosts.

Most of all, the Cisco Academy releases regular version updates to its CCNA Routing and Switching curriculum, and the recently updated curriculum coincides with the new 200-125 CCNA Routing and Switching exam. The new curriculum covers new exam topics such as IPv6, VTP, LLDP, eBGP, PPPoE, QoS, SNMPv3, NTP, DMVPN, SPAN, SDN, virtualization and cloud computing.

CCNA 1 – Course Materials

As a Cisco Networking Academy student, you have access to all of the course materials through the Academy website learning management system, including the complete text, the Packet Tracer network simulator, interactive activities, multiple choice exams, and plenty of labs with complete step-by-step instructions. If you prefer a paper copy of the text you can purchase it online from Cisco Press or Amazon. Make sure you order a current version of the text. Here is a link to the text at Cisco Press and the ISBN number:

Introduction to Networks Companion Guide: Print ISBN: 978-1-58713-316-9, eBook: ISBN: 978-0-13347-544-9

Introduction to Networks | Cisco CCNA | Cisco Press

Class Availability

  • Where can I enroll in a class?
    I recommend looking for the Cisco Academy nearest you. That way, you take an in-person class and get to work on physical equipment in the classroom environment. I also teach the Cisco CCNA through Central Oregon Community College. The CCNA 1 class begins in the Fall quarter, with CCNA2 and CCNA3/4 following in the Winter and Spring respectively. Sign up for a class! You can even attend remotely online. Look for new student registration information at http://www.cocc.edu.
  • Where can I do my labs?
    Some labs are done in class, some labs are done at home using Packet Tracer, and some labs are done remotely by connecting to the CIS Department Netlab+ server.
  • What if I am an online student and can’t come to the lab?
    If you are an online student, I recommend that you log in to Blackboard and attend class online using the Blackboard Collaborate video conference tool. The class is always available through video conference, and each class is recorded for downloading or streaming at a later date.
  • How do I turn in assignments?
    Students take exams online through the Cisco Netacad website and learning management system. Lab work and homework are turned in through Blackboard or the Netacad website.
  • How are assignments graded?
    I grade on a point system. Every week you have the opportunity to earn points from chapter exams and chapter labs. At the end of the class there is a cumulative multiple choice final exam as well as a hands-on lab final.

Install and Configure Squid in Ubuntu

Squid in Ubuntu Overview

A proxy server is a very useful tool for a network. It is commonly used to protect the network from attack, to filter nefarious web content and pages requested by local users, and to speed up the delivery of web pages and web content by caching (storing) commonly requested pages, documents, and media. Proxy servers are typically deployed on private local area networks to filter, protect and cache content requested by users on that network; this is called a “proxy” or “transparent proxy.” Proxy servers can also be deployed on the remote side, “in front of” destination web servers, in order to protect those servers by filtering requests, speeding up web page delivery, and caching frequently requested files; this is called a “reverse proxy.”

Types of Proxy Servers

Proxy Server: The web browser on the client is configured to point to the proxy server’s IP address. The client can bypass the proxy server by removing or altering the proxy address configuration. An administrator could prevent this by creating a GPO in Active Directory that blocks access to the web browser settings. A proxy server can also function as a caching server.

Transparent Proxy Server: The router sends all traffic on defined ports to the transparent proxy server; this way clients cannot bypass the proxy server. A transparent proxy server can also function as a caching server.

Reverse Proxy Server (Caching): The reverse proxy server or cache server is placed in front of, or prior to, the web server in order to speed up delivery of frequently requested pages and to protect the web server by creating a layer of separation and redundancy.

diagram of proxy server scenarios

Squid is one of the most popular and widely used proxy servers in the world. It is free to download, easy to install, and it can be run on any distribution of Linux. Here are the steps to install and configure Squid on an Ubuntu distribution of Linux.

Steps to install and configure Squid

Open a terminal, and type in the following commands to install Squid

sudo apt-get update
sudo apt-get install squid squid-common

Ways to start and stop Squid

sudo service squid start (stop|restart|status)
sudo /usr/sbin/squid (launch program directly)
sudo pkill -9 squid

Navigate to the Squid folder to find the squid.conf configuration file

cd /etc/squid
ls (you should see the squid.conf file)

Create a backup of the squid.conf file

sudo cp squid.conf squid.conf.bak

For testing purposes, open Firefox and set it to send web requests to the Squid proxy server (you will need to know your IP address):

ifconfig (write down your inet address e.g. 192.168.1.100)
 

Open Firefox

Edit > Preferences, Advanced > Network Tab > Connection-Settings:

Manual Proxy Configuration:

HTTP Proxy: your IP address or loopback address 127.0.0.1,    Port: 3128
   Click Ok and Close

Now if you try to go to a website like Google you should see an “ERROR – Access Denied” message from Squid (see the bottom line of the error page). This means that Squid is working and is actively denying the traffic.

Now we need to configure Squid to allow web traffic through the proxy server. Open squid.conf in your favorite text editor like gedit, nano, or vi

sudo nano squid.conf

or

sudo gedit squid.conf & (If gedit does not open from the terminal you can open it as root user)
sudo su
gedit squid.conf &

To switch out of root user

su your-username (if you are the root user the prompt is a "#"; this switches you back to your own user account privileges)

If you chose to open squid.conf with gedit, turn on line numbering (Edit > Preferences > View > Display Line Numbers)

Change the name of your Squid proxy server: around line 3399, change

#    TAG: visible_hostname

to

 visible_hostname YourNameProxyServer  

You can configure access rules for your Squid proxy server (lines 331 to 831 are for access control). Notice that on lines 606 to 630 the local networks and usable ports (services) are defined. Active configuration lines are the lines that are not commented out, i.e. they do not start with a # sign.

To re-enable web access uncomment line 676

#http_access allow localnet

to

http_access allow localnet

To verify the Web is now working, save your changes to the squid.conf file and restart your Squid server.

sudo service squid restart

Now refresh your Firefox web browser and your homepage should be visible.

Now we can practice writing a custom ACL (access list) in the squid.conf file to block specific domains and websites. Write the custom ACL at the end of the acl lines, around line 631. Squid evaluates http_access lines from the top down and the first matching line wins, so the deny line must come before the http_access allow localnet line you uncommented above. From an empty line, write the following lines to test domain blocking:

acl blocked_websites dstdomain .msn.com .yahoo.com
http_access deny blocked_websites

Now restart your Squid server, and test to see if Squid denies access to your blocked domains/websites in Firefox.
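Why the placement of the custom ACL matters is easy to see by replaying Squid's rules in a few lines of code. The following is an added example, not code from this page or from the Squid project: it models the two Squid behaviours the tutorial relies on, the dstdomain leading-dot matching rule and first-match evaluation of http_access lines, using the blocked_websites and localnet ACLs from the tutorial. The rule orderings GOOD_ORDER and BAD_ORDER and the client addresses are constructed for the example.

```python
"""Toy model of how Squid evaluates http_access lines for dstdomain ACLs.

Added example: this is not code from the original page or from the Squid
project. It re-implements two Squid behaviours that decide whether the
blocked_websites ACL in the tutorial actually takes effect:

  * a dstdomain value with a leading dot (".msn.com") matches that
    domain and every subdomain; a value without the dot matches only
    that exact host;
  * http_access lines are checked top to bottom and the first line whose
    ACL matches decides, so "deny blocked_websites" has to be placed
    before "allow localnet" or it is never reached.

The rule lists GOOD_ORDER and BAD_ORDER are constructed for the example.
"""
import ipaddress

# ACL table: name -> (type, values). Only the two ACL types the tutorial
# uses are modelled: src (client network) and dstdomain (requested host).
ACLS = {
    "localnet": ("src", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
    "blocked_websites": ("dstdomain", [".msn.com", ".yahoo.com"]),
    "all": ("src", ["0.0.0.0/0"]),
}

# Placement from the tutorial: the custom deny sits before "allow localnet".
GOOD_ORDER = [("deny", "blocked_websites"), ("allow", "localnet"), ("deny", "all")]
# Same three lines with the deny placed after the allow (a common mistake).
BAD_ORDER = [("allow", "localnet"), ("deny", "blocked_websites"), ("deny", "all")]


def domain_matches(pattern: str, host: str) -> bool:
    """Squid dstdomain semantics: leading dot = the domain plus its subdomains."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_matches(acl, client_ip: str, host: str) -> bool:
    """Does one ACL match this request?"""
    kind, values = acl
    if kind == "dstdomain":
        return any(domain_matches(v, host) for v in values)
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    raise ValueError(f"unsupported ACL type: {kind}")


def http_access(rules, client_ip: str, host: str) -> str:
    """Return "allow" or "deny" using first-match evaluation.

    Squid's documented fallback when no line matches is the opposite of
    the last line's action, which is why configurations end with "deny all".
    """
    for action, acl_name in rules:
        if acl_matches(ACLS[acl_name], client_ip, host):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    for order_name, rules in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        for client, host in (("192.168.1.50", "www.msn.com"),
                             ("192.168.1.50", "www.google.com"),
                             ("203.0.113.5", "www.google.com")):
            print(f"{order_name}: {client} -> {host}: {http_access(rules, client, host)}")
```

Running it shows that with GOOD_ORDER a LAN client is denied www.msn.com and allowed www.google.com, while with BAD_ORDER the same client reaches www.msn.com because allow localnet matched first; a client outside the LAN is denied either way by the final deny all.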

Video Tutorials

In this series of videos, I go through the same process outlined above to install and configure a Squid proxy server in Ubuntu.

In part 1, I install Squid in Ubuntu, start and stop it, back up the configuration file, and configure Firefox to use Squid as a proxy server

In part 2, I discuss editing the configuration file

In part 3, I write a custom ACL in the squid.conf file

Turn a Raspberry Pi into a Web Filter Proxy with SquidGuard

Turn a Raspberry Pi into a Web Filter Proxy with SquidGuard Overview

Most routers for the home don’t do a very good job of filtering objectionable web content. One possible solution is to turn a Raspberry Pi into a proxy web filter that can protect users on your home network. In this lab, I turn a Raspberry Pi running the Raspbian Linux operating system into a robust web proxy that filters objectionable web sites. To turn the Raspberry Pi into a web proxy I install and configure Squid and SquidGuard, and then I download and configure a blacklist file which is available for personal use under a Creative Commons license. This lab focuses on turning the Raspberry Pi into a standalone proxy server that can be reached by changing the network clients’ web browser proxy settings, or by configuring the router to direct web traffic to the proxy server. In a follow-up lab, you could configure the Raspberry Pi as a transparent inline proxy server.

Step-by-step instructions

First, I recommend updating your repositories, then installing the program locate and updating its index/database of file locations. This will help you if you need to search for the file paths to the Squid and SquidGuard configuration files. After installing Squid and SquidGuard, run the sudo updatedb command again so that the newly installed files are indexed and searchable with locate.

$ sudo apt-get update
$ sudo apt-get install locate
$ sudo updatedb

1. Install Squid, start it, and set it to start on boot

$ sudo apt-get install squid3
$ sudo update-rc.d squid3 enable

Use netstat to check whether Squid is listening on port 3128; using ps, notice that one of the Squid processes runs as the user and group proxy:proxy

$ sudo netstat -antp |grep squid
$ sudo ps -aux |grep squid

2. Edit the Squid configuration file and then reload Squid. Notice that I run updatedb and then use locate to find the location of the squid.conf file

$ sudo updatedb
$ sudo locate squid.conf
$ sudo nano -c /etc/squid3/squid.conf

On lines 1038 to 1040, uncomment the lines that start with #acl localnet src … (in nano, use the Ctrl+W keys to search for, and jump to, specific lines in the configuration file)

acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16

on line 1209 uncomment the line #http_access allow localnet

http_access allow localnet

on line 1613 make sure http_port 3128 is uncommented:

http_port 3128

save and quit.

$ sudo service squid3 reload

or

$ sudo service squid3 restart

3. Now that Squid is running you can test it from another computer on the network by changing the settings in Firefox or Chrome to point to the Squid web proxy on the Raspberry Pi. In Firefox, go to File > Options > Advanced > Network tab > Connection Settings > Manual proxy configuration

and set it to: <the ip address of the computer/RPi running squid>:3128

*Note: To test the Squid proxy server from another computer you will need to make sure that the proxy server’s firewall is not blocking outside requests. Depending on your distribution, the Linux firewalld or iptables firewall can be actively blocking outside requests, so you will need to add a rule to allow requests on port 3128. On the Raspbian operating system there should be no firewall activated by default, but just in case, you can turn off the iptables firewall using the following command:

$ sudo service iptables stop

4. You can monitor the access log to see it working

$ sudo tail -f /var/log/squid3/access.log

Now browse the web in Firefox, or the web browser of your choice, to see whether you receive web pages through the Squid proxy. If you can successfully reach websites, the Squid proxy is working correctly and allowing web requests. Look at the output of Squid’s access.log file to see the requests reaching Squid (issue the tail command shown above).
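Watching tail -f scroll by is fine for a first test, but when checking that a block policy is actually enforced it helps to parse the log. The following added example (not code from this page or from the Squid project) reads Squid's default native access.log format, counts TCP_DENIED entries per client and per destination host, and flags any request to a domain on the block list that Squid nevertheless served. It assumes the domains are blocked by a Squid http_access deny rule, as in the Ubuntu section above, which Squid records as TCP_DENIED; a SquidGuard redirect is not a Squid denial and is not counted here. The log lines, client addresses and IP addresses in SAMPLE_LOG are constructed for the example.

```python
"""Summarise a Squid access.log and flag requests that slipped past a
domain block policy.

Added example, not code from the original page or from the Squid
project. It parses Squid's default ("native") log format, which has
these whitespace-separated fields:

  timestamp elapsed_ms client result/status bytes method url user hierarchy type

The sample lines below are constructed for the example (203.0.113.0/24
is a documentation range, not a real server).
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample log: three denials from two clients, and one request
# to a yahoo.com host that was NOT denied (a policy gap worth noticing).
SAMPLE_LOG = """\
1543000001.123    145 192.168.1.50 TCP_MISS/200 5123 GET http://www.example.com/ - HIER_DIRECT/203.0.113.10 text/html
1543000002.456      0 192.168.1.50 TCP_DENIED/403 3963 GET http://www.msn.com/ - HIER_NONE/- text/html
1543000003.789     12 192.168.1.77 TCP_DENIED/403 3963 GET http://yahoo.com/news - HIER_NONE/- text/html
1543000004.111    300 192.168.1.77 TCP_MISS/200 12000 CONNECT www.example.org:443 - HIER_DIRECT/203.0.113.20 -
1543000005.222      0 192.168.1.50 TCP_DENIED/403 3963 GET http://mail.yahoo.com/ - HIER_NONE/- text/html
1543000006.333    210 192.168.1.90 TCP_MISS/200 8800 GET http://news.yahoo.com/ - HIER_DIRECT/203.0.113.30 text/html
"""

# Domains the tutorial blocks with "acl blocked_websites dstdomain ...".
BLOCKED_DOMAINS = [".msn.com", ".yahoo.com"]


def host_of(url: str) -> str:
    """Extract the destination host from the URL field.

    CONNECT requests log "host:port" with no scheme, so urlsplit would
    misread the host as a scheme; handle that form by hand.
    """
    if "://" not in url:
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def parse_line(line: str):
    """Return a dict for one native-format log line, or None if malformed."""
    parts = line.split()
    if len(parts) < 7:
        return None
    ts, elapsed, client, result, size, method, url = parts[:7]
    code, _, status = result.partition("/")
    try:
        return {
            "ts": float(ts),
            "elapsed_ms": int(elapsed),
            "client": client,
            "code": code,
            "status": int(status),
            "bytes": int(size),
            "method": method,
            "url": url,
            "host": host_of(url),
        }
    except ValueError:
        return None


def in_blocked_domain(host: str, patterns=BLOCKED_DOMAINS) -> bool:
    """Squid dstdomain rule: ".yahoo.com" matches yahoo.com and its subdomains."""
    for pattern in patterns:
        base = pattern.lstrip(".")
        if host == base or host.endswith("." + base):
            return True
    return False


def analyse(log_text: str) -> dict:
    """Count denials per client and host, and list requests to a blocked
    domain that Squid nevertheless served (policy gaps)."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    denied = [e for e in entries if e["code"] == "TCP_DENIED"]
    gaps = [e for e in entries
            if in_blocked_domain(e["host"]) and e["code"] != "TCP_DENIED"]
    return {
        "total": len(entries),
        "denied": len(denied),
        "denied_by_client": Counter(e["client"] for e in denied),
        "denied_hosts": Counter(e["host"] for e in denied),
        "policy_gaps": [(e["client"], e["host"]) for e in gaps],
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print(f"{report['denied']} of {report['total']} requests denied")
    for client, n in report["denied_by_client"].most_common():
        print(f"  {client}: {n} denied")
    for client, host in report["policy_gaps"]:
        print(f"  GAP: {client} reached {host} despite the block list")
```

To run it against the live log from the tutorial, pass the file contents instead of the sample: analyse(open("/var/log/squid3/access.log").read()). The policy_gaps list is the useful part for a defender: a non-empty list after a restart usually means the deny rule is placed after an allow, or the dstdomain pattern is missing its leading dot.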

5. With Squid working you can now install SquidGuard

$ sudo apt-get install squidGuard

6. Now that SquidGuard is installed, you will want to download a blacklist of websites and domains that you can block with SquidGuard. You can find more information on SquidGuard, and on where to find blacklists, at http://squidguard.org. A great resource is located at http://dsi.ut-capitole.fr/blacklists/, which has an extensive blacklists.tar.gz file under a “creative commons” license. The website http://www.shallalist.de has a similar downloadable blacklist with similar license terms. You will find links to other commercial blacklist sites as well. For this lab, I recommend downloading the shallalist.tar.gz file from http://www.shallalist.de. You can download it from the command line using wget or from the GUI using a web browser. Download the blacklist file to your Downloads or home folder, but before you install a full blacklist, let’s create a testdomains file with test domains for SquidGuard to practice blocking:

$ cd /var/lib/squidguard/db
$ sudo nano testdomains

Type in three lines of text to add some test domains to block:

yahoo.com
msn.com
whatever-you-want-to-block.com

save and exit.

7. Now edit the squidGuard.conf file to configure it to work with the testdomains file. You may want to back up the squidGuard.conf file before making changes.

$ cd /etc/squidguard
$ sudo cp squidGuard.conf squidGuard.conf.bak
$ sudo nano -c /etc/squidguard/squidGuard.conf

In the config file, add the dest test block and change the default acl (its pass and redirect lines) as shown below. Be careful in your edits; incorrect syntax will cause squidGuard to fail. The beginning of the text file has been omitted.

#dest adult {
#   domainlist        BL/porn/domains
#   urllist        BL/porn/urls
#   expressionlist    BL/adult/expressions
#   redirect http://admin.foo.bar.de/cgi/blocked?clientaddr=%a+clientname=%n+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u
#}

dest test {
domainlist testdomains
}

acl {
admin {
pass any
}

foo-clients within workhours {
#           pass good !in-addr !adult any
} else {
pass any
}

bar-clients {
pass local none
}

default {
pass !test any
redirect http://127.0.0.1/blocked.html
}
}

Save and exit

8. Now install the Apache2 webserver and create a blocked.html page using nano

$ sudo apt-get install apache2
$ cd /var/www/html
$ sudo nano blocked.html

<html>
<head>
<title>Blocked!</title>
</head>
<body>
<h1>You have been blocked by Raspberry Pi administrator!</h1>
</body>
</html>

Save and exit

9. Now you need to compile the SquidGuard blacklists.

$ sudo squidGuard -C all

10. Now give Squid3 ownership or access to some of the squidguard files and directories:

$ sudo chown -R proxy:proxy /var/lib/squidguard/db
$ sudo chown -R proxy:proxy /var/log/squidguard
$ sudo chown -R proxy:proxy /usr/bin/squidGuard

11. Edit the squid.conf file and then reload Squid

$ sudo nano -c /etc/squid3/squid.conf

Add the following line to the squid.conf file around line 4168:

url_rewrite_program /usr/bin/squidGuard

$ sudo service squid3 reload

12. Now open the Firefox browser on another computer and test whether the domains listed in the testdomains file from step 6 are successfully blocked. Domains not listed in the testdomains file should be allowed. In other words, from another computer whose web browser is configured with the Raspberry Pi’s IP address and port number 3128 as its proxy, try browsing to msn.com or one of the other domains listed in the testdomains file that you created in step 6.

13. If you were successful at blocking the testdomains, then it’s time to extract and decompress the shallalist.tar.gz file that you downloaded in step 6. When you extract shallalist.tar.gz it will extract into a folder titled BL. You will then copy BL to the squidguard db folder:

$ cd ~/Downloads
$ tar -xzf shallalist.tar.gz
$ ls
$ sudo cp BL -R /var/lib/squidguard/db
$ cd /var/lib/squidguard/db

Now recursively change permissions on the BL blacklists folder so you can list the various blacklist categories that you may wish to activate. You will need to know the paths of the category folders and files that you want to compile for SquidGuard:

$ sudo chmod -R 755 /var/lib/squidguard/db/BL
$ sudo chown -R proxy:proxy /var/lib/squidguard/db/BL
$ ls /var/lib/squidguard/db/BL

14. Now you can edit the squidGuard.conf file to configure it to begin blocking undesirable content

$ sudo nano -c /etc/squidguard/squidGuard.conf

In the config file, change the lines shown below. Be careful in your edits; incorrect syntax will cause squidGuard to fail. You will need to add a dest gamble block as well as changing the paths to the content you intend to block. Notice that under dest gamble I set the domainlist and urllist paths to match the content and paths in the BL folder, and that the default acl now passes !gamble as well as !test.

<… previous lines in the squidGuard configuration file are omitted>
#dest adult {
#   domainlist        BL/porn/domains
#   urllist        BL/porn/urls
#   expressionlist    BL/adult/expressions
#   redirect http://admin.foo.bar.de/cgi/blocked?clientaddr=%a+clientname=%n+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u
#}

dest test {
domainlist testdomains
}

dest gamble {
domainlist     BL/gamble/domains
urllist             BL/gamble/urls
}

acl {
admin {
pass any
}

foo-clients within workhours {
#          pass good !in-addr !adult any
} else {
pass any
}

bar-clients {
pass local none
}

default {
pass !gamble !test any
redirect http://127.0.0.1/blocked.html
}
}

Save and exit

15. Now recompile the SquidGuard blacklists, which will create new squidGuard blacklist database files. Then change ownership of the files in the db folder to proxy:

$ sudo squidGuard -C all
$ sudo chown -R proxy:proxy /var/lib/squidguard/db

16. Reload Squid and then use Firefox from another computer to test whether Squid and SquidGuard are blocking websites with known adult content. You may want to execute this test privately, or with most of the web browser dragged off screen … just in case it doesn’t work!

$ sudo service squid3 reload
$ sudo service squid3 status