Configuring NAT basics for the CCNA with Packet Tracer

NAT Basics Overview

NAT, or network address translation, is an important part of the CCENT and CCNA certifications. NAT allows a router to translate the source IPv4 address in the packet header as the packet crosses the router, replacing the source address in the packet with another address. This makes the sending computer's traffic appear to come from another computer's address. This type of address masquerading is known as a NAT firewall.

NAT basics lab topology using Packet Tracer

NAT is the primary reason that IPv4 addressing has survived and is still in use today. The creation of NAT, along with the private IPv4 address ranges 192.168.0.0 to 192.168.255.255, 172.16.0.0 to 172.31.255.255, and 10.0.0.0 to 10.255.255.255, has allowed publicly routable IPv4 addresses to be conserved. One result of NAT's ability to translate between private and public IPv4 addresses at the router is that the advent of IPv6 addressing has essentially been delayed.

Configuring NAT

For the CCENT and the CCNA certifications you need to know how NAT works and how to configure it on a Cisco router. In the following Packet Tracer exercise and accompanying video tutorials, I demonstrate four different ways of configuring NAT.

  • Static NAT translation
  • Port forwarding static NAT translation
  • NAT overload translation
  • Dynamic NAT translation using a NAT Pool
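The four styles listed above all come down to one translation table on the router. The following Python simulation is an added example, not part of the Packet Tracer activity or its videos: it models how the router rewrites the source of an outbound packet (static mapping, a dynamic pool address, or a shared address plus a unique port for overload), how it reverses the translation on the return packet, and why an inbound packet with no table entry is dropped, which is the "NAT firewall" effect. The NatRouter class, its method names and every address are constructed for this example (RFC 1918 ranges inside, the RFC 5737 documentation ranges 203.0.113.0/24 and 198.51.100.0/24 outside); a real router keeps pool and overload translations in separate statements, and this model simply falls back from one to the other.

```python
"""Simulation of the four NAT styles: static, port-forwarding static, dynamic
(pool) and overload (PAT).  Added example, not part of the Packet Tracer
activity; every address is a constructed sample."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# The private ranges the text lists: only packets sourced from these get translated.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Holds the translation table a router builds as inside hosts send traffic."""

    def __init__(self, inside_global: str, pool=(), overload: bool = True, pat_start: int = 1024):
        self.inside_global = inside_global  # router's own public address, shared by PAT
        self.free_pool = list(pool)         # dynamic NAT: public addresses handed out one per host
        self.overload = overload
        self.next_port = pat_start
        self.static = {}     # inside local ip -> inside global ip
        self.forward = {}    # (global ip, global port) -> (local ip, local port)
        self.dynamic = {}    # inside local ip -> pool address currently assigned to it
        self.pat_out = {}    # (local ip, local port) -> global port
        self.pat_in = {}     # global port -> (local ip, local port)

    def add_static(self, inside_local: str, inside_global: str) -> None:
        self.static[inside_local] = inside_global

    def add_port_forward(self, global_port: int, inside_local: str, local_port: int) -> None:
        self.forward[(self.inside_global, global_port)] = (inside_local, local_port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the source of a packet leaving the inside network.
        Returns None when no translation is available (the packet is dropped)."""
        if not is_private(pkt.src_ip):
            return pkt                                   # not an inside address: forward unchanged
        if pkt.src_ip in self.static:                    # 1. static NAT: fixed one-to-one mapping
            return replace(pkt, src_ip=self.static[pkt.src_ip])
        if pkt.src_ip not in self.dynamic and self.free_pool:
            self.dynamic[pkt.src_ip] = self.free_pool.pop(0)   # 2. dynamic NAT: take a pool address
        if pkt.src_ip in self.dynamic:
            return replace(pkt, src_ip=self.dynamic[pkt.src_ip])
        if not self.overload:
            return None                                  # pool exhausted and no overload: dropped
        key = (pkt.src_ip, pkt.src_port)                 # 3. overload (PAT): one address, unique port
        if key not in self.pat_out:
            while (self.inside_global, self.next_port) in self.forward:
                self.next_port += 1                      # never hand out a port reserved for forwarding
            self.pat_out[key] = self.next_port
            self.pat_in[self.next_port] = key
            self.next_port += 1
        return replace(pkt, src_ip=self.inside_global, src_port=self.pat_out[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse the translation for a packet arriving from outside.
        Returns None when the table has no entry for it (the packet is dropped)."""
        for local, glob in list(self.static.items()) + list(self.dynamic.items()):
            if pkt.dst_ip == glob:
                return replace(pkt, dst_ip=local)
        if (pkt.dst_ip, pkt.dst_port) in self.forward:   # 4. port forwarding: static NAT with a port
            local_ip, local_port = self.forward[(pkt.dst_ip, pkt.dst_port)]
            return replace(pkt, dst_ip=local_ip, dst_port=local_port)
        if pkt.dst_ip == self.inside_global and pkt.dst_port in self.pat_in:
            local_ip, local_port = self.pat_in[pkt.dst_port]
            return replace(pkt, dst_ip=local_ip, dst_port=local_port)
        return None   # unsolicited inbound traffic matches nothing: the "NAT firewall" effect


if __name__ == "__main__":
    r = NatRouter("203.0.113.1", pool=["203.0.113.20"])
    r.add_static("192.168.1.10", "203.0.113.10")
    r.add_port_forward(8080, "192.168.1.20", 80)
    for p in (Packet("192.168.1.50", 51000, "198.51.100.7", 80),
              Packet("192.168.1.51", 52000, "198.51.100.7", 80)):
        print(p, "->", r.outbound(p))
    print(r.inbound(Packet("198.51.100.7", 80, "203.0.113.1", 4000)))   # None: dropped
```

Run it and compare the two outbound packets: the first inside host takes the only pool address and keeps its source port, the second host is translated to the router's own address with a port from the PAT range, and a packet from outside aimed at a port nobody has opened is returned as None.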

Download

Download the Packet Tracer Activity here: NAT_practice_activity

NAT Basics Lab – Video Tutorials

Videos to be published on YouTube and available here on Sunday 4/30

Multiarea OSPF for the CCNA

Multiarea OSPF Overview

Multiarea OSPF is used in large or enterprise networks with so many routers that having every router flood every link in its link state database to every other router, even for a small change, becomes taxing on the network. In that situation you don't want every router, say 30 or more of them, running the shortest path first algorithm because one interface was momentarily shut down.

The solution is to use multiarea OSPF instead of single area OSPF, where every network is in Area 0. In multiarea OSPF you still have to have a backbone area named Area 0, but you can add additional networks in other areas. The result is that routers only share their entire link state databases with routers in their own area, and other areas are configured to receive only summary information from that area. This way, when there is a change in the network, the SPF algorithm only needs to run on the routers in the affected area.

I created a Packet Tracer lab activity that goes with a video tutorial series. Watch all of the videos in order below, while you follow along with the downloadable Packet Tracer activity here: multi-area-ospf-begin

Multiarea OSPF Video Tutorial

How to Install Ruby on Windows

Don’t.

Seriously, just don’t.


Ruby support on Windows just isn't very good. If you absolutely need to get Ruby running on Windows, use RubyInstaller. You'll be able to get a basic Ruby installation going, but support for all of Ruby's various gems ("gems" are code libraries in Ruby-land) is going to be spotty (gems that require native extensions, in particular).

But what it really comes down to is that I don’t think it’s feasible to develop in Ruby in Windows. And I say that as a long-time professional Ruby developer.

So, what are your alternatives? One, you could get a Mac. Now, I realize, given the cost of Macs and all, that’s not really a viable option for most people. But, I think it’s good to understand that most (I’d say at least 80%) of Ruby developers use Macs, and that, as a result, a lot of the tooling in the Ruby ecosystem is best supported on MacOS.

The other, more reasonable option is to run some variety of Linux (I'd suggest Ubuntu) in a virtual machine on your Windows box using something like VirtualBox. I know of people who do this, and it seems to work reasonably well. And it's sure a heck of a lot better than trying to install Ruby on Windows 😉

How to Create a WIM System Image Using WindowsAIK and WindowsPE

WIM System Image File Overview

A system image is a single file that contains the entire operating system and all of the files, programs, and settings of an installed computer system. Network administrators use system images to deploy the Windows 7 operating system to many computers in a Windows network. Besides deploying operating systems across a large network, a system image is also a useful backup tool for re-imaging corrupted systems. A Windows 7 system image file is called a WIM file and has a .wim file extension. A WIM file can be created in such a way (generalized) that it can be deployed to any computer, independent of the particular hardware or drivers.

In this tutorial, I attempt to simplify the process of creating a Windows system image or WIM file, into easy to understand, step-by-step instructions. I hope you find the tutorial helpful and the process interesting! I have also added video tutorials showing how to do the entire process using a VMware Windows 7 virtual machine as the reference computer.

The tools you will need:

  • The Reference Computer – A computer with Windows 7 installed. This is the source computer that the image file will be created from. In my example, I used a fresh install of Windows 7 on an extra computer, then I ran updates, installed a couple programs, changed the desktop and the homepage, and took a screenshot (see below). Important! The first time you do this, I do not recommend using the Windows 7 home computer that you use on a daily basis, as the reference computer. This process will involve a generalizing of the system (sysprep) which will strip it of drivers, as well as the System ID. Though everything will be put back to normal, I do not recommend using a machine that you rely on the first time you do this exercise. I am also in the process of showing how this entire lab can be done using virtual machines.

    wim-reference-computer
    This is a screenshot of the system I am going to image.

  • The Technician Computer – In my case running Windows 7. This is the computer with Windows AIK installed.
  • A USB flash drive or CD – To hold your bootable WinPE image.
  • A USB external drive or flash drive – To store your WIM system image files (Note: a WIM file can be as large as the hard drive you're imaging)
  • Windows Automated Installation Kit (Windows AIK) – Used to create and maintain Windows system images or WIM files. Windows AIK is a free download from Microsoft that you will need to burn to DVD and then install. Windows AIK includes the following tools:
    • Windows PE – The Windows preinstallation environment is a thin version of Windows 7 based on the Windows 7 kernel. Windows PE is like a Windows 7 Boot Disk. It can be used to fix Windows 7 installations.
    • Windows SIM – Windows System Image Manager creates ‘answer files’ that are used to automate the Windows installation (This is optional, I do not use this tool in this tutorial).
    • SysPrep Tool – The System Preparation Tool is used to generalize the system image for installation by removing specific computer system information. (The SysPrep tool is included in Windows 7)
    • ImageX – Command line tool that creates the image file. In this tutorial, we will copy the ImageX.exe file to the root of the USB WindowsPE boot drive, for easy access.

Initial Steps

In this tutorial you want to pay close attention to the syntax of the commands (e.g. the spaces between words or characters).

  1. Set up the ‘Reference Computer’ with Windows 7. This is the computer I will use to create my “golden image” (see the recommendations above).
  2. Download the Windows Automated Installation Kit for Windows 7 iso file. You can download it here: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=696dd665-9f76-4177-a811-39c26d3b3b34&displaylang=en. Once you have it downloaded you will need to burn it to a DVD. Now install Windows AIK from the DVD (if it does not start by itself, run the StartCD.exe file located on the DVD).
  3. For good online instructions I recommend going to TechNet.Microsoft.com. This is my starting point for this tutorial: http://technet.microsoft.com/en-us/library/dd349343(WS.10).aspx

Create a Windows PE Boot Disk (USB Flash Drive or CD)

  1. Next, you need to make a Windows pre-installation environment (Windows PE) boot disk. You can do this on a CD-ROM or a USB flash drive; I show both ways in the steps below. You can also find more information on how to create WindowsPE boot disks at the Microsoft TechNet website: http://technet.microsoft.com/en-us/library/dd744530(WS.10).aspx. I have also included a video tutorial on how to create a WindowsPE boot CD below.
  2. On your technician computer (the computer with AIK installed), click Start > All Programs > Microsoft Windows AIK, right-click Deployment Tools Command Prompt, and then select Run as administrator.
  3. At the command prompt, run the Copype.cmd script. The script requires two additional parameters: hardware architecture and destination location.
    copype.cmd <arch> <destination>
    <arch> can be x86, amd64, or ia64 and <destination> is a path to local directory. For example, I typed in the following command:
    copype.cmd x86 c:\winpe_x86 (the directory winpe_x86 will be created by the command)
  4. Next, run the following command to copy and rename the winpe.wim file:
    copy c:\winpe_x86\winpe.wim c:\winpe_x86\ISO\sources\boot.wim
  5. Add ImageX.exe to your WinPE image (optional but recommended). Type the following command:
    copy c:\<the path to WindowsAIK>\tools\x86\imagex.exe c:\winpe_x86\iso\
    On my computer, I installed AIK directly to the c: drive in a folder named “WindowsAIK” instead of the “Program Files” folder so my command looked like this:
    copy c:\WindowsAIK\tools\x86\imagex.exe c:\winpe_x86\iso\
  6. Now you need to decide if you want to prepare a USB flash drive or a CD for accepting WindowsPE. If you want to prepare for burning a CD, you can skip to step 9, otherwise continue on. Now you need to prepare your USB Flash Drive. Insert your flash drive. Open a command prompt and type in the following command:
    diskpart (opens the diskpartition command line utility)
    When you see the prompt “DISKPART>” type in the following command to verify which disk is your USB Flash Drive:
    list disk (you should see a listing of disks based on size)
    Type in the following commands (Important: this assumes your USB drive was listed as “Disk 1” you don’t want to format the wrong disk)
    select disk 1
    clean
    create partition primary
    select partition 1
    active
    format quick fs=fat32
    assign
    exit

    Now your USB flash drive should be formatted with fat32.
  7. Copy the iso directory in your c:\winpe_x86 folder to your Flash drive. Type in the following commands:
    xcopy C:\winpe_x86\iso\*.* /e F:\
    the above command assumes your f: drive is your USB drive, else adjust accordingly
  8. Congratulations! You just created your Windows PE Boot Flash Drive. Now you need to capture a generalized image for deployment.
  9. If you would like to burn WindowsPE to a CD instead of a USB thumb drive, the following command will copy all of the files necessary to create a WindowsPE boot disc into an ISO image file. Then you can burn the image file to a CD to create a bootable WindowsPE CD. In the command below the ISO image file that you will want to burn is winpex86.iso
    Oscdimg -n -bC:\winpe_x86\Etfsboot.com C:\winpe_x86\ISO C:\winpe_x86\winpex86.iso
  10. Now burn the ISO image file winpex86.iso to a CD as a bootable image disc and you are finished! You can find more information on how to do it from the Microsoft TechNet site here: http://technet.microsoft.com/en-us/library/dd799303%28v=ws.10%29.aspx
  11. Congratulations! You just created your Windows PE Boot CD. Now you need to capture a generalized image for deployment.

How to Create a WindowsPE boot cd using Windows AIK

Generalize your Windows 7 Reference Computer with SysPrep

  1. Generalize your image with the SysPrep utility.
  2. On the reference computer, click Start > All Programs > Accessories, right-click Command Prompt and choose Run as administrator to open the command prompt in administrative mode. Type in the following command to run sysprep:
    c:\windows\system32\sysprep\sysprep.exe
  3. In the sysprep dialogue box choose the OOBE, generalize, and shutdown options and click “ok”.
  4. Sysprep will prepare your system for imaging by stripping it of hardware specific settings and will then shutdown.

Generalize the reference system using the SysPrep utility

Capture an Image for Deployment (Generalized Golden Image) with ImageX

  1. Now that you have generalized your Windows 7 Reference System you need to boot the reference computer to your WindowsPE Boot Disk (USB or CD). If you are doing the lab on a VMware virtual machine you can configure the virtual CD/DVD drive to boot directly to the WindowsPE .iso file. You will still need to tell the virtual machine to boot the CD/DVD drive by quickly clicking inside the VM as it boots and hitting the escape key on the keyboard in order to get to the boot menu. Working from a physical computer, you need to press the F12 key while starting the computer in order to bring up a one-time boot menu, and set the computer to boot to the CD/DVD or USB flash drive instead of the hard drive.
    Note: If you boot to the hard drive instead of your WindowsPE USB then your computer will begin the Windows setup procedure and load pnp drivers, and you will need to do sysprep all over again to generalize your system.
  2. In the WinPE command prompt run diskpartition by typing in the command: diskpart (and hitting enter)
  3. Type in the following command: list disk (to see your recognized disks)
    I had 3 disks listed:
    disk 0 = my hard drive
    disk 1 = my USB flash drive
    disk 2 = my larger external USB drive where I plan on saving my image file
  4. Type in the command: exit to exit disk partition
  5. Now I recommend figuring out which disks are under which drive letters. You can do this by executing the following commands:
    c: (switching to the c drive I found “Volume in drive C is System Reserved”)
    d: (switching to the d drive I found the files and folders of a Windows OS, i.e. Program Files, Users, Windows, autoexec.bat, etc.)
    e: (depending on whether you are using a WindowsPE CD or a USB boot drive, switching to the e: drive you may find the contents of the WindowsPE drive or a “The device is not ready” message)
    f: (under the f drive I found the WindowsPE drive and the imagex.exe file)
    g: (under the g drive I found my USB external hard drive where I am going to store my image file)
  6. Once you know where imagex.exe is located (the USB WinPE drive) you can run it against your generalized Win7 drive and save the image to an external storage device. My final command to create the image and save it to an external hard drive was:
    f:\imagex /capture d:\ g:\my-windows-image.wim “myImage” (make sure you put the quotation marks)
    Explanation of the command above: after using the cd and dir commands to search around the disks and directories, I found the imagex.exe file on the F:\ drive. The separate pieces of the command are as follows:
    f:\imagex (is where imagex.exe was located)
    /capture (the argument that tells imagex to capture the image)
    d:\ (location of the drive with the generalized Windows 7 OS)
    g:\my-windows-image.wim “myImage” (location of drive to save the image file (in this case an external USB drive), the file name to give it, and a label name)
  7. Now check to see if the image successfully copied to your external USB drive. You should see a .wim file. If you did, congratulations, you now have an image file of your entire Windows 7 operating system, which includes installed programs, documents, and configurations! You can now install that image on a different computer or the same computer, or you could open that image file with the Windows AIK program and mount the image like an external hard drive. A mounted wim file can be browsed, edited or added to.

Capture the WIM from WindowsPE, using ImageX

Installing/Deploying your WIM Image to a Computer or Network with ImageX

  1. Now that you have your image file you can install it to another computer using ImageX!
  2. Boot a computer to your USB WindowsPE boot drive.
  3. Attach the USB external drive with your wim file.
  4. Format the drive using Diskpartition. After typing diskpart you will need to search the drives to verify which letters correspond with which drives. Here are the commands:
    diskpart (starts Disk Partition)
    list disk (lists the mounted disks, note which one is which by comparing sizes)
    select disk 0 (select the disk that corresponds with your hard drive where you want to install your image)
    clean
    create partition primary
    select partition 1
    active
    format quick fs=ntfs label=OS
    (Important: NTFS not fat32, label is optional)
    assign letter=C (Important: you want it to be the C drive)
    exit
    Now run the command to apply the image to the hard drive:
    f:\imagex.exe /apply e:\my-windows-image.wim 1 c:\
    Explanation:
    /apply (apply instead of capture)
    e:\my-windows-image.wim 1 (Important: the 1 is the index of the image inside the .wim file. A single .wim file can hold multiple images, each with its own index)
    c:\ (where you will install the wim)
    Once the image is done you can try restarting and seeing if the system boots normally. If it doesn’t you will need to set up the boot configuration location. In WindowsPE type the following commands:
    c: (to switch to the c drive)
    cd windows\system32
    dir bcd* (list all the files beginning with bcd)
    bcdedit.exe (looks for boot files)
    bcdboot c:\windows /s c: (creates the boot files and sets the system boot directory)
  5. Restart your computer and go to Windows setup mode. You will need to add a new user in setup mode which you can delete later. Log off and log back into your original user account and you should see all your programs, documents and settings! Image is restored!

Welcome to CCNA 1

Cisco CCNA 1 Introduction

The Cisco CCNA certification is the most well known computer networking certification in the industry. I recommend a Cisco CCNA Routing and Switching course of study, the Cisco Academy curriculum in particular, for anyone who wants to learn about computer networking. It is the best foundation for learning about network communication protocols, network addressing including IPv4 and IPv6, subnetting, routing, switching, VLANs and more!

I have taught the Cisco CCNA curriculum, as a Cisco Academy instructor for over 14 years. The Cisco Academy offers 4 courses that together map to the Cisco CCNA certification exam. The current exam is the 200-120 CCNA which has a stronger emphasis on IPv6. All of the students that sign up for a class through the college will be automatically enrolled in the Cisco Academy, and all Cisco Academy students will have access to online curriculum as well as the latest version of Packet Tracer. Packet Tracer is a program for creating simulated networked environments, complete with functioning routers, switches, and endpoint hosts.

Most of all, the Cisco Academy releases regular version updates to their CCNA Routing and Switching curriculum and the recently updated curriculum coincides with the new 200-125, CCNA Routing and Switching exam. The new curriculum covers new exam topics such as, IPv6, VTP, LLDP, eBGP, PPPoE, QoS, SNMPv3, NTP, DMVPN, SPAN, SDN, virtualization and Cloud computing.

CCNA 1 – Course Materials

As a Cisco Networking Academy student, all of the course materials are available to you through the Academy website's learning management system, including the complete text, the Packet Tracer network simulator, interactive activities, multiple choice exams, and plenty of labs with complete step-by-step instructions. If you prefer a paper copy of the text you can purchase it online from Cisco Press or Amazon. Make sure you order a current version of the text. Here is a link to the text at Cisco Press and the ISBN number:

Introduction to Networks Companion Guide: Print ISBN: 978-1-58713-316-9, eBook: ISBN: 978-0-13347-544-9

Introduction to Networks | Cisco CCNA | Cisco Press

Class Availability

  • Where can I enroll in a class?
    I recommend looking for the Cisco Academy nearest you. That way, you take an in-person class and get to work on physical equipment within the classroom environment. Finally, I teach the Cisco CCNA through Central Oregon Community College. The CCNA 1 class begins in the Fall quarter with CCNA 2 and CCNA 3/4 following in the Winter and Spring respectively. Sign up for a class! You can even attend remotely online. Look for new student registration information at http://www.cocc.edu.
  • Where can I do my labs?
    Some labs are done in class, some labs are done at home using Packet Tracer, and some labs are done remotely by connecting to the CIS Department Netlab+ server.
  • I am an online student, and I can’t come to the lab?
    If you are an online student, I recommend that you login to Blackboard and attend class online using the Blackboard Collaborate video conference tool. The class is always available through video conference and each class is recorded for downloading or streaming at a later date.
  • How do I turn in assignments?
    Students take exams online through the Cisco Netacad website and learning management system. Labwork and homework is turned in through Blackboard or the Netacad website.
  • How are assignments graded?
    I grade on a point system. Every week you have the opportunity to earn points from chapter exams and chapter labs. At the end of the class there is a cumulative multiple choice final exam as well as a hands-on lab final.

Install and Configure Squid in Ubuntu

Squid in Ubuntu Overview

A proxy server is a very useful tool for a network. It is commonly used in computer networks to protect the network from attack, to filter nefarious web content and pages requested by local users, and to speed up the delivery of web pages and web content by caching (storing) commonly requested web pages, documents, and media. Proxy servers are typically implemented on private, local area networks to filter, protect and cache content requested by users on that network; this is called a “proxy” or “transparent proxy.” Proxy servers can also be implemented on the remote side, “in front of” the destination web servers, in order to protect those servers by filtering requests, speeding up web page delivery, and caching frequently requested files; this is called a “reverse proxy.”

Types of Proxy Servers

Proxy Server: The web browser on the client is configured to point to the proxy server's IP address. The client can bypass the proxy server by removing or altering the proxy address configuration. An administrator could prevent this by creating a GPO in Active Directory that blocks access to the web browser settings. A proxy server can also function as a caching server.
Transparent Proxy Server: The router sends all traffic on defined ports to the transparent proxy server, so clients cannot bypass the proxy server. A transparent proxy server can also function as a caching server.
Reverse Proxy Server (Caching): The reverse proxy server or cache server is placed in front of, or prior to, the web server in order to speed up delivery of frequently requested pages and to protect the web server by creating a layer of separation and redundancy.

diagram of proxy server scenarios

Squid is one of the most popular and most used proxy servers in the world. It is free to download, easy to install and it can be implemented on any distribution of Linux. Here are the steps to install and configure Squid on an Ubuntu distribution of Linux.

Steps to install and configure Squid

Open a terminal, and type in the following commands to install Squid

sudo apt-get update
sudo apt-get install squid squid-common

Ways to start and stop Squid

sudo service squid start (stop|restart|status)
sudo /usr/sbin/squid (launch program directly)
sudo pkill -9 squid

Navigate to the Squid folder to find the squid.conf configuration file

cd /etc/squid
ls (you should see the squid.conf file)

Create a backup of the squid.conf file

sudo cp squid.conf squid.conf.bak

For testing purposes open Firefox and set it to send web requests to the Squid Proxy Server (You will need to know your ip address)

ifconfig (write down your inet address e.g. 192.168.1.100)

Open Firefox

Edit > Preferences, Advanced > Network Tab > Connection-Settings:

Manual Proxy Configuration:

HTTP Proxy: your IP address or loopback address 127.0.0.1,    Port: 3128
   Click Ok and Close

Now if you try to go to a website like Google you should see an “ERROR: Access Denied” message from Squid (see the bottom line of the page). This means that Squid is working and is actively denying the traffic.

Now we need to configure Squid to allow web traffic through the proxy server. Open squid.conf in your favorite text editor like gedit, nano, or vi

sudo nano squid.conf

or

sudo gedit squid.conf & (If gedit does not open from the terminal you can open it as root user)
sudo su
gedit squid.conf &

To switch out of root user

su your-username (if you are the root user the prompt is a "#"; this switches you back to your own user account privileges)

If you chose to open squid.conf with gedit, turn on line numbering (Edit > Preferences > View > Display Line Numbers)

Change the name of your Squid Proxy Server: around line 3399, change

#    TAG: visible_hostname

to

 visible_hostname YourNameProxyServer  

You can configure access rules for your Squid proxy server (lines 331 to 831 are for Access Control). Notice that on lines 606 to 630 the local networks and usable ports (services) are defined. Active configuration lines, are the lines that are not commented out, i.e. they do not start with  a # sign.

To re-enable web access uncomment line 676

#http_access allow localnet

to

http_access allow localnet

To verify the Web is now working, save your changes to the squid.conf file and restart your Squid server.

sudo service squid restart

Now refresh your Firefox web browser and your homepage should be visible.

Now we can practice writing a custom ACL (access list) in the squid.conf file to block specific domains and websites. We can write our custom ACL at the end of the acl lines around line 631. From an empty line write the following lines to test domain blocking.

acl blocked_websites dstdomain .msn.com .yahoo.com
http_access deny blocked_websites

Now restart your Squid server, and test to see if Squid denies access to your blocked domains/websites in Firefox.
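What Squid does with those acl and http_access lines is simple but easy to get backwards: it walks the http_access lines in file order, the first line whose ACLs all match decides, and if no line matches the request gets the opposite of the last line's action. That is why the custom deny above goes in the acl section, before http_access allow localnet: placed after it, local clients would already be allowed. The following Python evaluator is an added example, not Squid's own code, that models exactly those rules for the two ACL types the lab uses (src and dstdomain); SAMPLE_CONF is a constructed fragment of the active lines left after the edits above, and the function names are this example's own.

```python
"""Evaluate Squid http_access rules the way Squid does: the first http_access
line whose ACLs all match decides; if nothing matches, the result is the
opposite of the last line.  Added example, not Squid's own code."""
import ipaddress

# Constructed sample: the active (uncommented) lines left after the edits above.
SAMPLE_CONF = """\
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl blocked_websites dstdomain .msn.com .yahoo.com
http_access deny blocked_websites
http_access allow localnet
http_access deny all
"""


def parse_conf(text):
    """Return ({acl name: [(type, value), ...]}, [(action, [acl names]), ...])."""
    acls = {"all": [("src", "0.0.0.0/0")]}   # 'all' is built in since Squid 3.2; older versions define it
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # a line starting with # is inactive, as the text says
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, kind, *values = parts[1:]
            acls.setdefault(name, []).extend((kind, v) for v in values)
        elif parts[0] == "http_access":
            action, *names = parts[1:]
            rules.append((action, names))
    return acls, rules


def acl_matches(entries, client_ip, host):
    """Only the two ACL types used in this lab are modelled: src and dstdomain."""
    addr = ipaddress.ip_address(client_ip)
    for kind, value in entries:
        if kind == "src" and addr in ipaddress.ip_network(value, strict=False):
            return True
        if kind == "dstdomain":
            if value.startswith("."):          # .msn.com matches msn.com and every subdomain
                if host == value[1:] or host.endswith(value):
                    return True
            elif host == value:                # without the leading dot only that exact host matches
                return True
    return False


def decide(acls, rules, client_ip, host):
    """Return 'allow' or 'deny' for a request from client_ip to host."""
    if not rules:
        return "deny"                          # no http_access lines at all: Squid denies
    for action, names in rules:
        matched = True
        for name in names:                     # several ACLs on one line are ANDed, '!' negates
            negate = name.startswith("!")
            entries = acls.get(name.lstrip("!"))
            if entries is None:
                raise ValueError(f"undefined acl {name!r}")
            if acl_matches(entries, client_ip, host) == negate:
                matched = False
                break
        if matched:
            return action                      # first line whose ACLs all match wins
    last = rules[-1][0]
    return "deny" if last == "allow" else "allow"   # nothing matched: opposite of the last line


if __name__ == "__main__":
    acls, rules = parse_conf(SAMPLE_CONF)
    for ip, host in (("192.168.1.100", "www.google.com"),
                     ("192.168.1.100", "www.yahoo.com"),
                     ("203.0.113.5", "www.google.com")):
        print(ip, host, decide(acls, rules, ip, host))
```

The "opposite of the last line" rule is the reason squid.conf ships with http_access deny all at the end of the access section: with it in place, anything you forgot to allow is denied, rather than silently allowed because the last line you happened to write was a deny.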

Video Tutorials

In this series of videos, I go through the same process outlined above to install and configure a Squid proxy server in Ubuntu.

In part 1, I install Squid in Ubuntu, start and stop it, back up the configuration file, and configure Firefox to use Squid as a proxy server

In part 2, I discuss editing the configuration file

In part 3, I write a custom ACL in the squid.conf file

Turn a Raspberry Pi into a Web Filter Proxy with SquidGuard

Turn a Raspberry Pi into a Web Filter Proxy with SquidGuard Overview

Most routers for the home don’t do a very good job at filtering objectionable web content. One possible solution is to turn a Raspberry Pi into a proxy web filter that can protect users on your home network. In this lab, I turn a Raspberry Pi running the Raspbian Linux operating system into a robust web proxy that filters objectionable web sites. In order to turn the Raspberry Pi into a web proxy I install and configure Squid and SquidGuard, and then I download and configure a blacklist file which is available for personal use through a creative commons license. This lab focuses on turning the Raspberry Pi into a standalone proxy server that can be reached by changing the network clients web browser proxy settings, or by configuring the router to direct web traffic to the proxy server. In a follow up lab, you could configure the Raspberry Pi as a transparent inline proxy server.

Step-by-step instructions

First, I recommend updating your repositories, then installing the program locate and updating its index of file locations. This will help if you need to search for the paths to the Squid and SquidGuard configuration files. After installing Squid and SquidGuard, run the sudo updatedb command again so that the newly installed files are indexed and searchable with locate.

$ sudo apt-get update
$ sudo apt-get install locate
$ sudo updatedb

1. Install Squid, start it, and set it to start on boot

$ sudo apt-get install squid3
$ sudo update-rc.d squid3 enable

Use netstat to check that Squid is listening on port 3128; in the ps output, notice that Squid's worker process runs as the user and group proxy:proxy

$ sudo netstat -antp | grep squid
$ sudo ps aux | grep squid

2. Edit the Squid configuration file and then reload Squid. Notice, that I run updatedb and then use locate to find the location of the squid.conf file

$ sudo updatedb
$ sudo locate squid.conf
$ sudo nano -c /etc/squid3/squid.conf

On lines 1038 to 1040, uncomment the lines that start with #acl localnet src … (in nano, use the Ctrl+W keys to search for, and jump to, specific lines in the configuration file)

acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16

on line 1209 uncomment the line #http_access allow localnet

http_access allow localnet

on line 1613 make sure http_port 3128 is uncommented:

http_port 3128

save and quit.

$ sudo service squid3 reload

or

$ sudo service squid3 restart

3. Now that Squid is running you can test it from another computer on the network by going to another computer and changing the settings in Firefox or Chrome to point to the Squid web proxy on the Raspberry Pi. Open Firefox and go to File > Options > advanced > network tab > connection settings > manual proxy configuration

and set it to: <the ip address of the computer/RPi running squid>:3128

*Note: In order to test the Squid proxy server from another computer you will need to make sure that the proxy server’s firewall is not blocking outside requests. Depending on your distribution the Linux firewalld or iptables firewall can be actively blocking outside requests. You will need to add a rule to allow requests on port 3128. On the Raspbian operating system by default there should be no firewall activated, but just in case, you can turn off the iptables firewall using the following command:

$ sudo service iptables stop

4. You can monitor the access log to see it working

$ sudo tail -f /var/log/squid3/access.log

Now browse the web in Firefox, or the web browser of your choice to see if you are able to receive webpages through the Squid proxy. If you are able to successfully reach websites, then the Squid proxy is working correctly and allowing web requests. Look to the output of Squid’s access.log file to see the requests reaching Squid (issue the tail command shown above)

5. With Squid working you can now install SquidGuard

$ sudo apt-get install squidGuard

6. Now that SquidGuard is installed, you will want to download a blacklist of websites and domains for SquidGuard to block. You can find more information on SquidGuard, and on where to find blacklists, at http://squidguard.org. A great resource is http://dsi.ut-capitole.fr/blacklists/, which has an extensive blacklists.tar.gz file under a Creative Commons license. The website http://www.shallalist.de has a similar downloadable blacklist with similar license terms. You will find links to other commercial blacklist sites as well. For this lab, I recommend downloading the shallalist.tar.gz file from http://www.shallalist.de. You can download it from the command line using wget or from the GUI using a web browser. Download the blacklist file to your Downloads or home folder, but before you install a full blacklist, let's create a testdomains file with a few test domains for SquidGuard to practice blocking:

$ cd /var/lib/squidguard/db
$ sudo nano testdomains

Type in three lines of text to add some test domains to block:

yahoo.com
msn.com
whatever-you-want-to-block.com

Save and exit.

7. Now edit the squidGuard.conf file to configure it to work with the testdomains file. You may want to back up the squidGuard.conf file before making changes.

$ cd /etc/squidguard
$ sudo cp squidGuard.conf squidGuard.conf.bak
$ sudo nano -c /etc/squidguard/squidGuard.conf

In the config file, add the dest test block and the changed default acl shown below. Be careful in your edits: incorrect syntax will cause squidGuard to fail. The beginning of the text file has been omitted.

#dest adult {
#   domainlist        BL/porn/domains
#   urllist           BL/porn/urls
#   expressionlist    BL/adult/expressions
#   redirect http://admin.foo.bar.de/cgi/blocked?clientaddr=%a+clientname=%n+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u
#}

dest test {
    domainlist testdomains
}

acl {
    admin {
        pass any
    }

    foo-clients within workhours {
#       pass good !in-addr !adult any
    } else {
        pass any
    }

    bar-clients {
        pass local none
    }

    default {
        pass !test any
        redirect http://127.0.0.1/blocked.html
    }
}

Save and exit

8. Now install the Apache2 webserver and create a blocked.html page using nano

$ sudo apt-get install apache2
$ cd /var/www/html
$ sudo nano blocked.html

<html>
<head>
<title>Blocked!</title>
</head>
<body>
<h1>You have been blocked by Raspberry Pi administrator!</h1>
</body>
</html>

Save and exit

9. Now you need to compile the SquidGuard blacklists.

$ sudo squidGuard -C all

10. Now give Squid3 ownership or access to some of the squidguard files and directories:

$ sudo chown -R proxy:proxy /var/lib/squidguard/db
$ sudo chown -R proxy:proxy /var/log/squidguard
$ sudo chown -R proxy:proxy /usr/bin/squidGuard

11. Edit the squid.conf file and then reload Squid

$ sudo nano -c /etc/squid3/squid.conf

Add the following line to the squid.conf file around line 4168:

url_rewrite_program /usr/bin/squidGuard

$ sudo service squid3 reload

12. Now open the Firefox browser from another computer and test to see if the domains listed in the testdomains file in step 6 are successfully blocked. Domains not listed in the testdomains file should be allowed. In other words, from another computer whose web browser is configured with the proxy settings of the Raspberry Pi’s IP address and port number 3128, try browsing to msn.com or one of the other domains listed in the testdomains file that you created in step 6.

13. If you were successful at blocking the testdomains then it’s time to extract and decompress the shallalist.tar.gz file that you downloaded in step 6. When you extract shallalist.tar.gz it will extract into a folder titled BL. You will then copy BL to the squidguard db folder.

$ cd ~/Downloads
$ tar -xzf shallalist.tar.gz
$ ls
$ sudo cp -R BL /var/lib/squidguard/db
$ cd /var/lib/squidguard/db

Now recursively change permissions on the BL blacklists folder so you can list the various blacklist categories that you may wish to activate. You will need to know the path names of the categories, folders and files that you will want to compile to work with SquidGuard.

$ sudo chmod -R 755 /var/lib/squidguard/db/BL
$ sudo chown -R proxy:proxy /var/lib/squidguard/db/BL
$ ls /var/lib/squidguard/db/BL

14. Now you can edit the squidGuard.conf file to configure it to begin blocking undesirable content

$ sudo nano -c /etc/squidguard/squidGuard.conf

In the config file, change the lines shown below. Be careful in your edits: incorrect syntax will cause squidGuard to fail. You will need to add a dest gamble block as well as change the paths to the content you intend to block. Notice under dest gamble that I change the paths under domainlist and urllist to match the content and paths in the BL folder, and that !gamble is added to the pass line of the default acl.

<… previous lines in the squidGuard configuration file are omitted>
#dest adult {
#   domainlist        BL/porn/domains
#   urllist           BL/porn/urls
#   expressionlist    BL/adult/expressions
#   redirect http://admin.foo.bar.de/cgi/blocked?clientaddr=%a+clientname=%n+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u
#}

dest test {
    domainlist testdomains
}

dest gamble {
    domainlist     BL/gamble/domains
    urllist        BL/gamble/urls
}

acl {
    admin {
        pass any
    }

    foo-clients within workhours {
#       pass good !in-addr !adult any
    } else {
        pass any
    }

    bar-clients {
        pass local none
    }

    default {
        pass !gamble !test any
        redirect http://127.0.0.1/blocked.html
    }
}

Save and exit
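To check the lists from steps 6 and 14 without a browser, here is an added Python script (not the lab's own code) that approximates squidGuard's matching: a domainlist entry matches that domain and all of its subdomains, a urllist entry is a host/path prefix, and the tokens of a pass line are evaluated left to right. The dest contents, casino.example and games.example are constructed stand-ins for the real db files.

```python
"""Offline check of a squidGuard pass/block decision for a URL.

Added example, not part of the original lab: it approximates how a
squidGuard domainlist (a listed domain matches itself and every
subdomain) and urllist (prefix match on host/path) feed an acl line
such as `pass !gamble !test any`. The dest lists are constructed
in-line so the script runs without squidGuard or the BL archive.
"""
from urllib.parse import urlsplit

# Constructed stand-ins for db/testdomains (step 6) and BL/gamble/* (step 14)
DESTS = {
    "test": {"domains": ["yahoo.com", "msn.com", "whatever-you-want-to-block.com"],
             "urls": []},
    "gamble": {"domains": ["casino.example"],
               "urls": ["games.example/poker"]},
}

def _host_and_path(url):
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower(), parts.path or "/"

def matches_dest(url, dest):
    """True if the URL hits the dest's domainlist or urllist."""
    host, path = _host_and_path(url)
    if any(host == d or host.endswith("." + d) for d in dest["domains"]):
        return True
    return any((host + path).startswith(u) for u in dest["urls"])

def decide(url, pass_rule, dests=DESTS):
    """Walk the pass tokens left to right; the first one that matches wins.
    `!name` blocks on a hit, `name` allows on a hit, `any`/`none` always hit."""
    tokens = pass_rule.split()
    if tokens and tokens[0] == "pass":           # accept the line as written
        tokens = tokens[1:]
    for token in tokens:
        if token == "any":
            return "allow"
        if token == "none":
            return "block"
        name = token.lstrip("!")
        if name not in dests:
            raise ValueError(f"acl references undefined dest '{name}'")
        if matches_dest(url, dests[name]):
            return "block" if token.startswith("!") else "allow"
    return "block"   # nothing passed it, so squidGuard redirects

if __name__ == "__main__":
    for u in ("http://www.msn.com/news", "http://notmsn.com/", "games.example/poker/room"):
        print(f"{u:32} -> {decide(u, 'pass !gamble !test any')}")
```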

15. Now you need to recompile the SquidGuard blacklists which will create new squidGuard blacklist database files. Then change ownership of the files in the db folder to proxy

$ sudo squidGuard -C all
$ sudo chown -R proxy:proxy /var/lib/squidguard/db

16. Reload Squid and then use Firefox from another computer to test to see if Squid and SquidGuard are blocking websites with known adult content. You may want to execute this test privately or with the majority of the web browser dragged off screen … just in case it doesn’t work!

$ sudo service squid3 reload
$ sudo service squid3 status

Install OpenVPN in a Centos 7 Virtual Machine - Page 3

OpenVPN Lab continued from Page 2

Build the client keys using easy-rsa
=============================

You can build separate client keys for each client you wish to allow to connect to your server.

25. Navigate to the easy-rsa directory and build your client keys.

   cd /etc/openvpn/easy-rsa
   source ./vars
   ./build-key myclient


Copy the client keys to the client’s computer
=====================================

26. Change directories to the keys folder and verify your client keys. You should see files named myclient.crt and myclient.key.

   cd /etc/openvpn/easy-rsa/keys
   ls

27. Copy the files ca.crt, myclient.crt, and myclient.key to the remote client computer using a flash drive, by emailing the files, or using an SSH/SCP client like FileZilla. To copy the files using FileZilla you may first need to copy the files to a folder like Documents that does not require root access and then change the file permissions on myclient.key so that group and public have read access. The client computer used to connect to the OpenVPN server can be a computer running Windows, Linux, or OSX.

   cp ca.crt myclient.crt myclient.key /home/student/Documents
   cd /home/student/Documents
   ls -l
   chmod 644 myclient.key

Now from a remote computer you can use a program like FileZilla to copy the files from the server.

Create the client OpenVPN configuration file used to connect to the server
=============================================================

28. Using a text editor like nano in Linux or notepad in Windows create the text file myclient.ovpn and place it in the same directory as the ca.crt, myclient.crt, and myclient.key files that you copied from the Centos 7 server.

   nano myclient.ovpn

Add the following lines:

client
dev tun
proto udp
remote <centos server ip address> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca ca.crt
cert myclient.crt
key myclient.key

auth-user-pass
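As an added alternative to copying four files in step 27 (not part of the original lab), the Python script below builds one myclient.ovpn with the CA certificate, client certificate and key inlined, which OpenVPN supports through <ca>, <cert> and <key> blocks, so myclient.key never has to be made world-readable with chmod 644. The easy-rsa key directory, the output path and the 203.0.113.10 server address are assumptions.

```python
"""Single-file OpenVPN client profile with the certificates inlined.

Added example, not part of the original lab: OpenVPN reads <ca>, <cert>
and <key> blocks embedded in the .ovpn, so the client gets one file and
the private key is never chmod 644'd just to copy it off the server.
"""
import os
import stat

CLIENT_DIRECTIVES = """client
dev tun
proto udp
remote {server} 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
auth-user-pass
"""

def extract_pem(text):
    """Keep only the -----BEGIN ... -----END block: easy-rsa .crt files
    carry a human-readable certificate dump above the PEM."""
    lines = text.splitlines()
    begin = [i for i, l in enumerate(lines) if l.startswith("-----BEGIN")]
    end = [i for i, l in enumerate(lines) if l.startswith("-----END")]
    if not begin or not end:
        raise ValueError("no PEM block found")
    return "\n".join(lines[begin[0]:end[0] + 1])

def build_inline_profile(server, ca_pem, cert_pem, key_pem):
    """Return the .ovpn text with ca, cert and key embedded in that order."""
    body = CLIENT_DIRECTIVES.format(server=server)
    for tag, pem in (("ca", ca_pem), ("cert", cert_pem), ("key", key_pem)):
        body += f"<{tag}>\n{extract_pem(pem)}\n</{tag}>\n"
    return body

def write_profile(path, text):
    """Write the profile owner read/write only (0600); it holds the private key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    return stat.S_IMODE(os.stat(path).st_mode)

if __name__ == "__main__":
    keys = "/etc/openvpn/easy-rsa/keys"   # assumed easy-rsa 2 layout from the lab
    pems = [open(f"{keys}/{n}").read() for n in ("ca.crt", "myclient.crt", "myclient.key")]
    write_profile("/root/myclient.ovpn", build_inline_profile("203.0.113.10", *pems))
```

Copy the resulting file to the client with scp or FileZilla as a user that can read it, and keep it 0600 on the client too.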

On the server, enable Centos 7 to forward packets through its network interfaces
==================================================================

29. Use sysctl to allow IP packet forwarding. Add the following line to the sysctl.conf file

   nano /etc/sysctl.conf
   edit -> net.ipv4.ip_forward = 1

   sysctl -p

Enable the OpenVPN pam authentication module to add user authentication
==============================================================

30. Using the OpenVPN auth-pam module the OpenVPN server can authenticate using the Linux system users. To do this you will need to create a PAM service file:

   touch /etc/pam.d/openvpn
   nano /etc/pam.d/openvpn

then add the following two lines:

   auth    required    pam_unix.so    shadow    nodelay
   account required    pam_unix.so

31. Add the following line to the end of the OpenVPN server.conf file

   nano /etc/openvpn/server.conf

   plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

On the server, add and uncomment two lines in the OpenVPN server.conf file
=============================================================== 

32. In server.conf add a line to push a route to the server’s inside LAN network and uncomment a line to allow client-to-client communication between tunneled users.

   cd /etc/openvpn
   nano server.conf

add/uncomment the following two lines:

   push "route 192.168.10.0 255.255.255.0"
   client-to-client

Ctrl+x, type y and press enter to save.

33. Now restart the OpenVPN server

   systemctl stop openvpn@server.service
   systemctl start openvpn@server.service
   systemctl status openvpn@server.service


Connect to the OpenVPN Server from a client computer
===============================================

34. With root access use the following command to connect to the server from a Linux host. Notice that in the example command below the path to the myclient.ovpn file is the current directory; if the ovpn config file is in a different directory you will need to provide the path. You may need to install openvpn and easy-rsa if openvpn is not already installed on your Linux client.

   openvpn myclient.ovpn   

OpenVPN is now running in that terminal window. To close the OpenVPN connection press Ctrl+c; to continue working while it stays connected, open a new terminal window. You can also close OpenVPN and the tunnel connection using the pkill program.

   pkill openvpn

35. In a new terminal window examine your tunnel interface using ifconfig. You should see a tun0 interface with a 10.8.0.0 range IP address.

   ifconfig

36. Test to see if you can ping the router’s tunnel interface at 10.8.0.1, as well as communicate with the inside LAN network at 192.168.10.1.

   ping 10.8.0.1
ping 192.168.10.1

37. To connect to the OpenVPN server from a Windows client computer you will need to download and install the OpenVPN client program from http://openvpn.net. You will find the Windows client installer at the website under community downloads. After installing the OpenVPN client for Windows you will need to copy the ca.crt, myclient.crt, myclient.key, and myclient.ovpn files to the C:\Program Files (x86)\OpenVPN\config\ folder, or if you installed the 64-bit version of the OpenVPN client the location will be C:\Program Files\OpenVPN\config\.

38. Now start the Windows OpenVPN client. It will launch into the System Tray. You will right click the OpenVPN icon in the System Tray, choose the config file and select Connect.

Start > Programs > OpenVPN GUI
Right click the OpenVPN icon in the system tray, and select Connect.

Configure the iptables firewall to allow OpenVPN connections
===================================================

Earlier in the lab, I shut down the iptables firewall with the intention of turning it back on after configuring it to allow OpenVPN connections.

39. to be posted soon…

Video Tutorial