Install OpenVPN in a Centos 7 Virtual Machine -Page 2

OpenVPN Lab continued from Page 1

Install the EPEL Repositories
========================

To install OpenVPN you will need the EPEL repositories

13. Using yum install EPEL

yum install epel-release

Disable firewalld and use iptables
===========================

14. Centos 7 has the new firewalld dynamic firewall daemon installed by default. Firewalld has many new updated and advanced features that you would want in a firewall, however if you are more familiar with the iptables firewall service you can disable firewalld and use iptables. The following commands assume root access through su.

   systemctl stop firewalld
systemctl disable firewalld

   yum install iptables-services   //iptables should already be installed, if not then type y to install.

systemctl enable iptables
systemctl start iptables
systemctl status iptables
systemctl stop iptables

Stop iptables with the intention of configuring it later in the lab.
Install and Configure the OpenVPN Server
===================================

15. Install OpenVPN server

yum install openvpn

16. Copy the sample OpenVPN server configuration file to the /etc/openvpn folder

   cd /usr/share/doc/openvpn-2.3.6/sample/sample-config-files/
ls
cp /usr/share/doc/openvpn-2.3.6/sample/sample-config-files/server.conf /etc/openvpn

17. Edit the OpenVPN server.conf file

   cd /etc/openvpn
nano server.conf

edit -> uncomment the following lines and change the DNS server addresses
push “redirect-gateway def1 bypass-dhcp”
push “dhcp-option DNS 8.8.8.8”
push “dhcp-option DNS 8.8.4.4”
user nobody
group nobody

Install Easy-RSA to create certificate of authority, server certificates, and keys
================================================================

18. Install easy-rsa to handle encryption, certificates, and keys

   yum install easy-rsa
mkdir -p /etc/openvpn/easy-rsa/keys
cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa

19. Change the variables file in the easy-rsa folder

   nano /etc/openvpn/easy-rsa/vars

edit -> change the following lines (the following settings are just my example settings)
export KEY_COUNTRY=”US”
export KEY_PROVINCE=”OR”
export KEY_CITY=”Portland”
export KEY_ORG=”danscourses”
export KEY_EMAIL=”webadmin@danscentos-s2.danscourses.com”
export KEY_OU=”danscourses”

20. Build your security your server security certificates and keys. You will accept the default settings.

   cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca
./build-key-server $( hostname )
./build-dh

21. Copy your server certificates and keys to the openvpn folder

   cd /etc/openvpn/easy-rsa/keys
cp ca.crt danscentos-s2.crt danscentos-s2.key dh2048.pem /etc/openvpn

Start the OpenVPN Server
=====================

22. Restore SE Linux security context and create symbolic link for systemd

   restorecon -Rv /etc/openvpn
ln -s /lib/systemd/system/openvpn\@.service /etc/systemd/system/multi-user.target.wants/openvpn\@server.service

23. Edit the OpenVPN server.conf file and change the names of the server certificate and server key, to match the certificates and keys that you created. Save the file and exit.

   cd /etc/openvpn
nano server.conf

in server.conf change the following lines:
cert server.crt
key server.key    # This file should be kept secret

replace the word “server” with your server’s hostname which should be the name of your server certificate and key files:
cert danscentos-s2.crt
key danscentos-s2.key    # This file should be kept secret

24. Start the OpenVPN server

   systemctl -f enable openvpn@server.service
systemctl start openvpn@server.service
systemctl status openvpn@server.service

 

Video Tutorial

 

 

Click here to go to Part 3

 

Install OpenVPN in a Centos 7 Virtual Machine -Page 3

OpenVPN Lab continued from Page 2

Build the client keys using easy-rsa
=============================

You can build separate client keys for each client you wish to allow to connect to your server.

25. Navigate to the easy-rsa directory and build your client keys.

   cd /etc/openvpn/easy-rsa
source ./vars
./build-key myclient


Copy the client keys to the client’s computer
=====================================

26. Change directories to the keys folder and verify your client keys. You should see files named myclient.crt and myclient.key

   cd /etc/openvpn/easy-rsa/keys
ls

27. Copy the files ca.crt, myclient.crt, and myclient.key to the remote client computer using a flash drive, emailing the files or using an SSH/SCP client like Filezilla. To copy the files using Filezilla you will may first need to copy the files to a folder like Documents that does not require root access and then change the file permissions on myclient.key so that group and public have read access. The client computer used to connect to the OpenVPN server can be a computer running Windows, Linux, or OSX.

   cp ca.crt myclient.crt myclient.key /home/student/Documents
cd /home/student/Documents
ls -l
chmod 644 myclient.key   

Now from a remote computer you can use a program like Filezilla to copy the files from the server.

 

Create the client OpenVPN configuration file used to connect to the server
=============================================================

28. Using a text editor like nano in Linux or notepad in Windows create the text file myclient.ovpn and place it in the same directory as the ca.crt, myclient.crt, and myclient.key files that you copied from the Centos 7 server.

   nano myclient.ovpn

add the following lines.:

client
dev tun
proto udp
remote <centos server ip address> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca ca.crt
cert myclient.crt
key myclient.key

auth-user-pass

 

On the server, enable Centos 7 to forward packets through its network interfaces
==================================================================

29. Use sysctl to allow IP packet forwarding. Add the following line to the sysctl.conf file

   nano /etc/sysctl.conf
  edit -> net.ipv4.ip_forward = 1

   sysctl -p

 

 

Enable the OpenVPN pam authentication module to add user authentication
==============================================================

30. Using the OpenVPN auth-pam module the OpenVPN server can authenticate using the Linux system users. To do this you will need to create a PAM service file:

   touch /etc/pam.d/openvpn
nano /etc/pam.d/openvpn

then add the following two lines:
auth    required    pam_unix.so    shadow    nodelay
account required    pam_unix.so

31. Add the following line to the end of the OpenVPN server.conf file

   nano /etc/openvpn/server.conf

    plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

On the server, add and uncomment two lines in the OpenVPN server.conf file
=============================================================== 

32. In server.conf add a line to push a route to the server’s inside LAN network and uncomment a line to allow client to client communication between tunneled users

   cd /etc/openvpn
nano server.conf

add/uncomment the following two lines:

push “route 192.168.10.0 255.255.255.0”
            client-to-client                                      

Ctrl+x, type y and press enter to save.
33. Now restart the OpenVPN server

   systemctl stop openvpn@server.service
systemctl start openvpn@server.service
systemctl status openvpn@server.service

 

Connect the the OpenVPN Server from a client computer
===============================================

34. With root access use the following command to connect to the server from a Linux host. Notice, in the example command below the path to the myclient.ovpn file is the current directory. If the ovpn config file is in a different directory you will need to provide the path. You may need to install openvpn and easy-rsa if openvpn is not already installedon your linux client.

   openvpn myclient.ovpn   

OpenVPN is now running in that terminal window, to close the OpenVPN connection press Ctrl+c, or to continue working you will need to open a new terminal window. You can also close OpenVPN and the tunnel connection using the pkill program.

   pkill openvpn

35. In a new terminal window examine your tunnel interface using ifconfig. You should see a tun0 interface with a 10.8.0.0 range IP address.

   ifconfig

36. Test to see if you can ping the router’s tunnel interface at 10.8.0.1, as well communicate to the inside LAN network at 192.168.10.1

   ping 10.8.0.1
ping 192.168.10.1

37. To connect to the OpenVPN server from a Windows client computer you will need to download and install the openvpn client program from http://openvpn.net. You will find the the windows client installer at the website under community downloads. After installing the OpenVPN client for Windows you will need to copy the ca.crt, myclient.crt, myclient.key, and myclient.ovpn files to the C:\Programs and Files (x86)\OpenVPN\config\ folder, or if you installed the 64bit version of the OpenVPN client the location will be C:\Programs and Files\OpenVPN\config\.

38. Now start the Windows OpenVPN client. It will launch into the System Tray. You will right click the OpenVPN icon in the System Tray, choose the config file and select Connect.

Start > Programs > OpenVPN GUI
Right click the OpenVPN icon in the system stray, and select Connect.

 

Configure the iptables firewall to allow OpenVPN connections
===================================================

Earlier in the lab, I shutdown the iptables firewall with the intention of turning it back, after configuring it to allow OpenVPN connections.

39. to be posted soon…

 

Video Tutorial

 

 

<– Click here to go to Part 2

 

 

Install OpenVPN in a Centos 7 Virtual Machine -Page 1

Install OpenVPN Overview

OpenVPN is an incredible tool for creating securely encrypted, remote network-to-network and client-to-network tunneled connections. You can think of it like this, if you have an OpenVPN connection to a network, then you have a secure connection to that network and all the resources on that network, like printers, file servers, other host computers, etc.. To set it up, you need to install an OpenVPN access server on one computer, and then on a separate computer, install an OpenVPN client for connecting to the server remotely. The goal of the lab is to install and configure an OpenVPN server, and then from a second computer, open a tunnel to the server using an OpenVPN client. To do this, you will first need to install Centos 7 (64bit) in a VMware Player virtual machine. Since this is a test case scenario, during the Centos 7 installation, I recommend installing the Gnome Desktop instead of the default, minimal install. When creating the virtual machine with VMware Player you will need to add an additional virtual network interface (NIC) to your virtual machine. After creating the virtual machine, edit the virtual machine settings, add a second network adapter, then change it from Bridged mode to LAN Segment mode. You will need to create/add a LAN Segment, name it VLAN10, and then configure the network adapter to the LAN Segment (VLAN10) setting. The virtual machine will have two network adapters, the first in Bridged Mode, and the second in LAN Segment mode (VLAN10).

Install Centos in a VM

Start up your VMware Centos 7 virtual machine, run through the installation, install the Gnome desktop environment, create a student account as well as a root password. After the install, start Centos and login. At the desktop, go to Applications and open a terminal window. In the terminal issue an ifconfig command to verify the presence of the two network adapters, they will probably show up as eno16777736 and eno33554960. If the second network adapter did not appear after issuing the ifconfig command then shutdown Centos, edit the virtual machine settings in VMware Player, remove and then re-add the second network adapter, until the second network adapter registers as present from within Centos.

   

The diagram below represents a network hosted from a single computer using virtual machines. The single physical host computer is the laptop represented by the laptop icon and the black rectangular outline. The virtual machines are running inside the laptop using VMware Player, VMware Workstation, or Virtualbox. Notice the Centos 7 Server has two Ethernet network adapters. The bridged mode network adapter places the Centos 7 eth0 interface on the network just like any other physical computer. Notice that by configuring eth0 with a DHCP client it will obtain an IP address just like the laptop. The eth1 network adapter is in LAN Segment mode which will allow it to communicate with any other virtual machines that are similarly configured with an identical LAN Segment network adapter. In this scenario, if the the Interior Client virtual machine wishes to connect to the internet, it will need to go through the Centos 7 Server, making the Centos 7 Server a transparent proxy or gateway for any virtual machines on the LAN Segment. With 8Gb of RAM and a quad core processor on the host computer it is possible to run two virtual machines simultaneously.

Lab Steps

Change the server’s hostname
=========================
1. Get root super-user access using su. Everything in this exercise is done with root access.

   su

2. Change localhost.localdomain to a server name of your choice (eg. danscentos-s2)

   nano /etc/hostname

3. Add your new hostname to the file (eg. 127.0.0.1 danscentos-s2 localhost localhost.localdomain …)

   nano /etc/hosts

Change the Network Interfaces to eth0 and eth1
=======================================
For some strange reason the network interfaces show up as: eno16777736 and eno33554960. Thanks to some great websites, I was able to find a fix.

4. In the following file search for the line “GRUB_CMDLINE_LINUX” and append the following: net.ifnames=0 biosdevname=0
note: make sure to append the text within the ending quotation mark as such: net.ifnames=0 biosdevname=0″

   nano /etc/default/grub

   grub2-mkconfig -o /boot/grub2/grub.cfg

   reboot

5. After rebooting, use su for root access. Enter the hostname command to verify your new hostname. Do an ifconfig and you should see the following network interfaces: eth0, eth1, and Lo. If not go back to step 4 an try again.

Configure the Network Interfaces
===========================

6. To configure the network interfaces we need the network-scripts directory

   cd /etc/sysconfig/network-scripts/

7. Rename the ifcfg-en016777736 file to ifcfg-eth0 then do an ls command to verify

   mv /etc/sysconfig/network-scripts/ifcfg-eno16777736 /etc/sysconfig/network-scripts/ifcfg-eth0

8. Copy the ifcfg-eth0 file to ifcfg-eth1 so now you have a config file for each network interface. Do an ls command to verify

   cp /etc/sysconfig/network-scripts/ifcfg-eth0 ifcfg-eth1

9. Edit the ifcfg-eth1 file {loadposition adposition6}

    nano ifcfg-eth1

//change the contents of ifcfg-eth1 to the following, exit and save:

TYPE=”Ethernet”
DEVICE=”eth1″
BOOTPROTO=”static”
IPADDR=”192.168.10.1″
NETMASK=”255.255.255.0″
IPV4_FAILURE_FATAL=”no”
IPV6INIT=”yes”
IPV6_AUTOCONF=”yes”
IPV6_DEFROUTE=”yes”
IPV6_PEERDNS=”yes”
IPV6_PEERROUTES=”yes”
IPV6_FAILURE_FATAL=”no”
NAME=”eth1″
ONBOOT=”yes”

10. Edit the ifcfg-eth0 file

    nano ifcfg-eth0

//change the contents of ifcfg-eth0 to the following, exit and save:

TYPE=”Ethernet”
DEVICE=”eth0″
BOOTPROTO=”dhcp”
DEFROUTE=”yes”
PEERDNS=”yes”
PEERROUTES=”yes”
IPV4_FAILURE_FATAL=”no”
IPV6INIT=”yes”
IPV6_AUTOCONF=”yes”
IPV6_DEFROUTE=”yes”
IPV6_PEERDNS=”yes”
IPV6_PEERROUTES=”yes”
IPV6_FAILURE_FATAL=”no”
NAME=”eth0″
ONBOOT=”yes”

Remove the Network Manager
=========================

11. Since this is a server, I recommend removing the Network Manager and relying on manual network configurations instead

    systemctl stop NetworkManager
systemctl disable NetworkManager
service network restart

12. Reboot, then login and verify network connectivity and internet access. You should see that eth0 received an IP address through DHCP and that eth1 has the IP address 192.168.10.1. If not, then re-edit your ifcfg-eth0 and ifcfg-eth1 configuration files.

    reboot
ifconfig
ping yahoo.com

Note: you can manually bring a network interfaces up or down with the following commands
   ifconfig eth0 down
ifconfig eth0 up
   ifconfig eth1 down
ifconfig eth1 up

 

Video Tutorials

 

 

 

Click here to go to Part 2

How to Install WordPress in CentOS Linux

Installing WordPress in CentOS Linux Overview

WordPress is a PHP based framework for creating database driven websites. WordPress is referred to as a content management system or CMS. WordPress is free to download and install, and is the most popular CMS today, specializing in creating online blogs.

A WordPress site is created by downloading the WordPress packaged files and extracting them into a folder on a webserver. Often time the server is a Linux operating system and an Apache webserver. The server also needs PHP and MySQL installed. Having phpMyAdmin also installed is recommended.

The instructions below walk through the process of installing and configuring WordPress on a CentOS Linux webserver.

Installation Instructions

1. Open a Bash terminal and elevate to root privileges

$ su –
#

2. Using Yum install the MySQL server, PHP, and the Apache webserver.

# yum install mysql-server php httpd

3. You will need to install additional repositories in CentOS, in order to access to necessary software packages that are not available in the default repositories. Install the Extra Packages for Enterprise Linux (EPEL), the epel-release for the current version of Enterprise Linux (EL6). You can find it at the following website: http://fedoraproject.org/wiki/EPEL. A direct link to the RPM is in the command below.  Eventually the link will be outdated and need to be replaced.

# yum install http://ftp.osuosl.org/pub/fedora-epel/6/i386/epel-release-6-8.noarch.rpm

4. Next install PhpMyAdmin. Start the MySQL server, and then initialize the server. When you run the mysql_secure_installation you will be prompted for the MySQL root user password. By default, there is no root user password, so press the enter key for none. Next you will be prompted to create a root user password for MySQL. For security reasons, it is a good idea to change the MySQL root user password. Enter Yes for all other default settings.{loadposition adposition6}

# yum install phpMyAdmin
# service mysqld start
# mysql_secure_installation

5. Next start the Apache webserver.

# service httpd start

6. These commands will make sure that the services will start on system boot.

# chkconfig httpd on
# chkconfig mysqld on

7. Next install WordPress
# yum install wordpress

8. If you cat the WordPress configuration file, the first line of output shows that the web alias to WordPress is: /wordpress. This means that the address to reach WordPress is http://localhost/wordpress. Open Firefox and go to http://localhost/wordpress, and you will get a 404 Not Found page. Restart the Apache webserver and refresh the browser window and you will see that WordPress is found, but there is a Error establishing a database connection message. This is due to the fact that you have not yet created a MySQL database, and database user and password.

# cat /etc/httpd/conf.d/wordpress.conf
#
service httpd reload

 

 


9. Go to http://localhost/phpMyAdmin and login with your MySQL root user password. Click on Databases and create a database for your WordPress site.  Next click on Users and create a new MySQL user and password. Now that you have a database and a user you need to give your new MySQL user complete access permissions to the newly created database. Click on Users to refresh the user list. Locate your new user in the user list and click on Edit Privileges. Scroll down to Database-specific privileges and under Add privileges on the following database drop-down menu, select your new database. Now select Check all for privileges and scroll down to click the accept button.

10. Using Vim or Nano, edit the WordPress configuration file to add the useraccount, password, and database name information to the file. Save and exit. Now the WordPress configuration file has the information it needs to access the MySQL database. In Vim, press the i key to get to insert mode, use the arrow keys to move the cursor to the text that you want to edit, edit the file and then press the escape key and then :wq to save and quit.

# vim /etc/wordpress/wp-config.php

11. Now open Firefox and enter the following address http://localhost/wordpress in the address bar. Enter the necessary information in the WordPress installation page to initialize the WordPress site, and populate the database with the tables and information that WordPress needs to run.

12. Start exploring, adding content, and editing your new WordPress website!

 

Route, NAT, and Transparent Proxy, with CentOS Linux – Part 2

CentOS Routing and Proxy Cont.

In the previous article, I covered installing CentOS server and converting it to a router, address translator, and transparent proxy. I also covered installing a DHCP server to serve IP addresses to the interior local network. The entire process was recorded in a series of video tutorials (see previous article) and posted to YouTube.

Now that we have configured the iptables forwarding rules, manually configured our interfaces with IP addresses, as well as the default gateway and our DNS nameservers we need to save our configurations. We also need to cover installing BIND and having our CentOS server function as a DNS server as well.


Saving your iptables configuration

You can use terminal line commands to make changes to iptables which will instantly effect the linux firewall. This is similar to the difference between a Cisco router’s startup-config file and its running-config in RAM. Changes to the running-config take effect immediately but are not permanent unless saved to the startup-config. This is a similar scenario with iptables. If you have made changes to iptables using iptables terminal commands, it will directly effect the Linux firewall, but the changes will not be permanent unless they are saved to the iptables configuration file.

There are different approaches to making changes to iptables: the approach we have been using so far is to make the changes to the iptables directly, using terminal commands; another approach is to save a test iptables configuration file and then load it, to test it out. Since we have been using the first approach we need to save our configuration to a file and then replace the default iptables configuration file. Before you replace the default file it is a good idea to create a backup. This command will take the current running iptables configuration which we have manipulated and altered, and save it to a .conf text file. You can save it to the root home folder.
iptables-save > iptables.conf

Now cat your saved iptables.conf file to look it over.
cat iptables.conf

The first command listed below makes a backup of the original default iptables configuration file, and the second command replaces the iptables configuration file with the current configuration, that was just saved as iptables.conf. Now, if the computer needs to be restarted the new configuration will be maintained.
cp /etc/sysconfig/iptables /etc/sysconfig/iptables.bak
mv iptables.conf /etc/sysconfig/iptables

{loadposition adposition6}You may decide that it is smarter and safer to make changes to the Linux iptables firewall indirectly, by editing a test iptables.conf file before testing it out on the actively running iptables firewall. In this way, you make all your changes to the iptables.conf file and then load it to memory, instead of using iptables terminal commands to experiment with your running configuration and possibly compromise your security or disrupt your network users. With the following commands you save the current iptables to an iptables.conf text file, then edit it with a text editor, then restore it to a running state in active memory. The iptables-restore command is a beneficial command because it loads the edited config file to the running iptables without disrupting the service and potentially dropping the running network host connections.
iptables-save > iptables.conf
nano iptables.conf (edit the iptables.conf configuration file)
iptables-restore < iptables.conf  (load the edited iptables.conf file to the running iptables) 
mv iptables.conf /etc/sysconfig/iptables
(replace the iptables configuration file with the edited version)

Note: For a demonstration of this tutorial, see the video below: Use CentOS Linux for Routing, Proxy, NAT, DHCP – Part 7
Saving manual network interface configurations

A regular desktop installation of CentOS Server comes with the Network Manager program. Network Manager is a graphical management tool used to manage and configure network interfaces in an easy way. It was personally recommended to me to not use the Network Manager, but instead manually configure my network interfaces, meaning Ethernet ports with IP addressing, subnet masks, default gateway address, and DNS servers. Like with iptables, you can manually configure your network interfaces using terminal line commands, but if you restart the server your configurations will not be saved. In order to configure your network interfaces in a manner that will persist, you need to configure the network interface configuration files or scripts.
ls /etc/sysconfig/network-scripts/

You should see configuration files named ifcfg-eth0, ifcfg-lo, or some other variant of ifcfg-<name> where <name> refers to the network interface name. To inspect the interface configuration you can output the text of the config file using cat
cat ls /etc/sysconfig/network-scripts/ifcfg-eth0

You will see some output like the following:
DEVICE=”eth0″
NM_CONTROLLED=”yes”
ONBOOT=”no”
TYPE=Ethernet
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no

This information tells us that Network Manager is managing the interface, the interface is not activated by default when the system boots up, and that the system is using DHCP to acquire an IP address. In order to manually configure the network interface you will need to change these settings and add some additional settings as well. Before you change the settings of the interfaces it is a good idea to create backup configuration files.
cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.bak
cp /etc/sysconfig/network-scripts/ifcfg-eth1 /etc/sysconfig/network-scripts/ifcfg-eth1.bak

Now you can configure your interfaces by altering the configuration files in a text editor like Vim or Nano
nano /etc/sysconfig/network-scripts/ifcfg-eth0

{loadposition adposition7}Now alter and add the necessary settings and IP addressing for your outside interface. In my eth0 example below, I am on the 192.168.2.0/24 network using a static IP address of 192.168.2.98, a twenty four bit subnet mask, and a gateway located at 192.168.2.1. Changes are displayed in red:
DEVICE=”eth0″
NM_CONTROLLED=“no”
ONBOOT=“yes”
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
IPADDR=192.168.2.98  <whatever IP address your outside interface needs to be set at>
NETMASK=255.255.255.0
GATEWAY=192.168.2.1

IPV4_FAILURE_FATAL=yes
IPV6INIT=no
<addtional entries not listed>

Save the interface configuration file and exit.

On the inside network interface (in my case eth1), I used the following settings:
DEVICE=”eth1″
HWADDR=”00:0C:29:12:AE:75″
NM_CONTROLLED=“no”
ONBOOT=“yes”
IPADDR=192.168.111.1  //the IP address for your inside interface. I chose “.1” since I am the gateway for the inside network
NETMASK=255.255.255.0

Save the interface configuration file and exit. Now you can issue the following commands to verify your interface configurations and your default route
ifconfig
route

Note: For a demonstration of this tutorial, see the video below: Use CentOS Linux for Routing, Proxy, NAT, DHCP – Part 8


Manual Configuration of Network Interfaces for Trunking and VLANs

At the time of writing this article, the network manager in CentOS does not allow you to configure a network interface with subinterfaces, VLANs, and trunking. In order to configure a single network interface to function as multiple subinterfaces which allow VLANS over a trunked link you need to manually configure your network interface configuration file.

In the following scenario suppose you have one network interface eth0 and you want your router to function as a transparent proxy and a router separating an interior network from an exterior network. In the image below you can see how this would logically be arranged in the logical topology, you have the 192.168.111.0/24 network on the interior LAN side, and the 192.168.11.0/24 network on the exterior facing WAN side, of course 192.168.11.0/24 is also in a private network address range, but it is on the side of the CentOS server that is closest to the internet. However, in reality you happen to be physically limited by having only one network interface (eth0) and will therefore need to convert the one interface into multiple subinterfaces with VLANs for a trunked link (Physical Topology).

 

Looking at the physical topology in the diagram above, the CentOS server has transformed a single network interface eth0 into eth0.11 and eth0.111 for VLAN11 and VLAN111 respectively. From there the server is connected to the switch which has been configured as a trunk to allow VLAN11 and VLAN111.

Here are the commands and configuration settings needed to configure the CentOS server to fit with the scenario depicted in the diagram above. The first step is to back up your default or current network interface configuration file. THen copy the configuration file and rename it for both of the subinterface VLANs:
cp /etc/sysconfig/network-scripts/eth0 /etc/sysconfig/network-scripts/eth0.bak
cp /etc/sysconfig/network-scripts/eth0 /etc/sysconfig/network-scripts/eth0.11
cp /etc/sysconfig/network-scripts/eth0 /etc/sysconfig/network-scripts/eth0.111

Now you will need to edit all three of your configuration files ifcfg-eth0, ifcfg-eth0.11 and ifcfg-eth0.111 in turn with a text editor like vi, vim, or nano. In configuring ifcfg-eth0 you will only need to make sure that the interface is activated on startup, and that the interface is not managed by the network manager:
vim /etc/sysconfig/network-scripts/ifcfg-eth0

  DEVICE=”eth0″
NM_CONTROLLED=“no”
ONBOOT=“yes”
TYPE=Ethernet

For the inside interface, the LAN side of the router (in the diagram VLAN111 eth0.111), you will mainly need to change the interface name, the ipaddress, netmask, add a VLAN setting. The default gateway and DNS settings will be configured on the outside facing interface.
vim /etc/sysconfig/network-scripts/ifcfg-eth0.111

DEVICE=”eth0.111″
HWADDR=”00:0C:29:12:AE:75″
NM_CONTROLLED=“no”
ONBOOT=“yes”
IPADDR=192.168.111.1  //the IP address for your inside interface. I chose “.1” since I am the gateway for the inside network
NETMASK=255.255.255.0
VLAN=”yes”

For the outside facing interface, the WAN side of the router (in the diagram VLAN11 eth0.11), you will mainly need to change the interface name, the ipaddress, netmask, add a VLAN setting and add the default gateway and DNS settings.
vim /etc/sysconfig/network-scripts/ifcfg-eth0.11

 DEVICE=”eth0.11″
NM_CONTROLLED=”no”
ONBOOT=”yes”
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
IPADDR=192.168.11.100  <whatever IP address your outside interface needs to be set at>
NETMASK=255.255.255.0
GATEWAY=192.168.11.1
DNS=127.0.0.1  <if your CentOS server will not be running DNS services, use your normal DNS server address instead>

Note: For a demonstration of this tutorial, see the video below: Use CentOS Linux for Routing, Proxy, NAT, DHCP – Part 9



Video Tutorials

 In part 7, I demonstrate how to save your iptables configuration and make it permanent

In part 8, I manually configure and save the Ethernet network interfaces, IP addresses and gateway address

In part 9, I manually configure a single network interface to be multiple subinterfaces in order to support VLANs and trunking 

Route, NAT, and Transparent Proxy, with CentOS Linux

Overview

It is useful to protect your network, by filtering web requests and other types of traffic, a proxy server is designed to do this. You can create a Linux proxy server using Squid and SquidGuard, and configure network settings on your user’s browsers to access the proxy server which will then apply rules that will filter the requests. However, that can be bypassed by the host computer.

A stronger alternative is to create a transparent proxy server and configure your router to forward all web related requests to the proxy server, that way your network hosts are forced to go through the transparent proxy. A potential problem with that scenario is that you need to have a fairly decent router, which can forward interior traffic on a specified port, to the proxy server on the local area network. A third alternative is to make your transparent proxy server also handle routing, NAT, DHCP, and DNS. It would seem like that would be a huge undertaking, but it can actually be done fairly quickly, using a computer and a distribution of Linux.

transparentproxy-routing-nat

Lab Outline

To create a Linux proxy server that also functions as a router and more, it is recommended to use a server distribution of Linux like CentOS Linux, which is the freely distributed server equivalent to RedHat Enterprise Linux. Along with Debian ,CentOS is one the most popular server distributions of Linux available. For this lab, we download and burn CentOS 6.2, i386 (32bit) or x86_64 (64bit), ISO DVDs Parts 1 and 2. Pick a CentOS 6.2 mirror with Direct DVD downloads and download the DVD iso files, to burn as installation DVDs.

Once you have the CentOS installation DVD iso files downloaded and burned to DVD you need to install the operating system to a computer. You can choose to install to an actual computer or to a virtual computer (virtual machine). In order to do this lab from home, and if you do not have a lot of extra computers lying around, I recommend doing the whole project virtually through the use of virtual machines. For a virtualization platform, I recommend downloading either VMware Player or Virtualbox.

If you decide to follow along with the video tutorials and set up a CentOS server virtual machine and convert it into a router, remember that the IP addressing scheme will need to be modified to work with your personal network. Just because my wireless network uses a 192.168.2.0 /24 local addressing scheme does not mean that yours does also, in fact your network most likely uses a different scheme like 192.168.1.0 /24.

Network diagram of a CentOS proxy server and router using virtual machines

transparentproxy-routing-nat_in-a-virtual-environment

In the lab at the college we installed CentOS to actual physical
computers. Normally, I recommend using computers with two network
interface cards (NICs) installed, but the computers we had available to
us had only one network interface card (NIC). This posed a challenge
since the traffic would need to flow through the computers, from one
network to another, implying the need for two network interface cards.
We fixed this problem by configuring VLANs, and assigning IP addresses
to subinterfaces on the computer’s single NIC. We then connected to a
switchport configured for trunking with the same VLANs as we created on the
computer.

Network diagram of a CentOS proxy server-router implementation using a lab computer with only one network interface card (NIC) and a switch configured with VLANs and trunks

proxy-routing-nat_in-physical-env-w-single-nic

Lab Steps Overview (virtualized machines or physical machines)

a. Understand the benefits of a transparent proxy and a Linux server that can also route, NAT, etc. Plan and diagram your lab. See video tutorial part 1 below.

b. Download CentOS installation ISO files, i386 or x86_64, DVDs. See Lab Outline above and video tutorial part 2 below.

c. To do this lab on a physical computers you will need one computer for the CentOS server, preferably with two NICs, but one is okay too, and another computer for a test LAN host.

To do this lab virtually using a virtual platform like VMware or Virtualbox, first create a new virtual machine for the the Linux operating system. You will probably need to choose RedHat Enterprise 32 bit or 64 bit and walk through all the settings. At the end, configure your virtual CD/DVD to boot to the CentOS installation ISO file that you downloaded. Make sure to add or enable to virtual network interfaces (NICs). Set the first NIC to Bridged Networking mode and the second NIC to NAT mode (then once it is saved change it to again to LAN segment mode), in Virtualbox save the second NIC to Interior Network mode. See video tutorial part 2 below.

d. Configure network addressing on your server’s two network interfaces as well as your test host’s network addressing. See video tutorial part 3 below.

e. Configure routing and NATing using iptables on your server. See video tutorial part 4 below.

f. Install and configure Squid as a transparent proxy server. Configure iptables to port-forward web traffic to the server on port 3128 (Squid). See video tutorial part 5 below.

g. Secure your server by configuring iptables to accept and reject specific types of traffic. Install and configure DHCP server on your CentOS server in order to hand out IP addresses on your local network. See video tutorial part 6 below.

Lab Command Steps

Here is a list of the commands used in this lab project:

1. If you are working in my lab or have a computer with only one network card (NIC) jump to step 2. If you are using a virtual or physical computer with two NICs (e.g. eth0 and eth1) you will  need to configure each NIC with the command below, then jump to step 6. You can dynamically receive an IP address through DHCP coming from your router/gateway on eth0, click on the network manager in the upper right of the task bar and click “auto ethernet” or just click on “eth0” to activate DHCP. Then you will need to manually configure the second NIC using an ifconfig command from the terminal (e.g. ifconfig eth1 192.168.111.1) you will need to have root access to do this. After you have activated DHCP on eth0 and manually configured eth1 use the ifconfig command to check your interface ip addresses to see that you have an address for eth0 and eth1. You are now ready to jump to step 6.
su –
ifconfig eth1 192.168.111.1
ifconfig

2. If you are working in my lab or you have a computer with only one network interface card (NIC), you will need to configure trunking and two VLANs (e.g. 110, 111) on the CentOS Linux server (for students with a physical computer with only one NIC)
vconfig add eth0 110 (in my college lab we use VLAN110 for the 192.168.11.x network)
vconfig add eth0 111 

vconfig rem eth0 111 (removes a VLAN trunk)

3. To configure sub-interfaces in
order to assign an IP address to each VLAN, in our classroom lab we use
VLAN110 for the 192.168.11.0 network.
ifconfig eth0.110 192.168.11.xxx
ifconfig eth0.111 192.168.111.xxx 

4. To configure a default gateway/route
route add default gw 192.168.11.1

5. To configure DNS servers
echo “nameserver 4.2.2.2” > /etc/resolv.conf
echo “nameserver 8.8.8.8” >> /etc/resolv.conf

6. To add kernel support for IP forwarding (routing) we set a flag with the following command
sysctl -w net.ipv4.ip_forward=1

7. To set up NATing we can configure the iptables NAT table for masquerading.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE  (assuming eth0 is the outside interface)
or
iptables -t nat -A POSTROUTING -o eth0.110 -j MASQUERADE  (assuming the eth0.110 sub-interface is the outside interface)

8. To install the Squid proxy server
yum install squid
cd /etc/squid/squid.conf

9. Edit the the squid.conf file and change the following line to enable transparent proxy mode:
http_port 3128
to
http_port 3128 intercept

10. Issuing one of the following commands will restart the Squid service or reload the configuration file
service squid restart
service squid reload

11. Add an entry to iptables NAT table to port-forward inbound traffic on the inside interface (LAN side) to the Squid server on port 3128 (assuming eth1 is the inside interface with the IP address 192.168.11.1)

iptables -t nat -A PREROUTING -i eth1 -p tcp –dport 80 -j DNAT –to (cont.) 192.168.111.1:3128

12. To get routing and forwarding to work correctly you will also need to remove some statements from the iptables tables that reject traffic. The following lines will remove reject statements from the filter INPUT iptable chain and the FORWARD iptable chain.
iptables -t filter -D INPUT -j REJECT –reject-with icmp-host-prohibited
iptables -t filter -D FORWARD -j REJECT –reject-with icmp-host-prohibited

From first glance, it seems that there is a rule in the iptables INPUT chain (third line) that accepts any protocol from any source to any destination. The following statement would delete the third line of the filter table INPUT chain, the “accept any anywhere anywhere” line: <iptables -t filter -D INPUT 3> but do not use it, because as it turns out, that particular line has information that does not appear in the output of an <iptables -L> command. Try using the following command and then compare it to the results of the <iptables -L> command:
iptables-save

You can see that the third line (-A INPUT -i lo -j ACCEPT) is actually accepting all input on the loopback (lo) interface, and since it is only the loopback interface (i.e. 127.0.0.1) it is not a problem in the iptables, indiscriminately accepting all input on the outside interface. So to clarify, in the following three line commands (see below), the first command show the current iptables rules, the second command removes line 3 (-A INPUT -i lo -j ACCEPT) which is the line that ACCEPTs packets on the loopback interface, filter table, INPUT chain. Finally, the third line below replaces it. To learn how to do this I referred the man pages for iptables <man iptables>.
iptables-save
iptables -t filter -D INPUT 3
iptables -t filter -I INPUT 3 -i lo -j ACCEPT

13. Now you can look at your iptables, default filter table, and nat table, using the following commands
iptables -L -t filter
iptables -L -t nat

14. Now you can add (append) to the iptable filter table with the following commands, to accept input on port 3128 for Squid, and reject all other types of traffic
iptables -t filter -A INPUT -p tcp –dport 3128 -j ACCEPT
iptables -t filter -A INPUT -j REJECT –reject-with icmp-host-prohibited
iptables -L -t filter

iptables 

15. The following commands and instructions are used to install and configure a DHCP server in CentOS. You will need elevate to root access, run updates, then install:
su –
yum install updates
yum install dhcp

16. You should see that the DHCP server fails on starting up, this is because we have not configured it yet. To configure the DHCP server we need to edit the dhcpd.conf file located in /etc/dhcp.
cd /etc/dhcp
ls

17. You should see a file called dhcpd.conf . You will want to edit the file in a text editor like Vim or Nano.
vim /etc/dhcp/dhcpd.conf
or
nano /etc/dhcp/dhcpd.conf

Here is a screenshot of my dhcpd.conf file after I edited it in Vim. The cat command is used to output the file to the terminal for viewing. The lines that begin with # are comments and not active configurations. You could duplicate what you see in my configuration file below, replacing every line that has 192.168.11.x ip addressing with your own network number, like 192.168.1.x, etc.:
cat /etc/dhcp/dhcpd.conf

dhcp-centos

IPtables Overview

The iptables consists of four separate tables: filter, nat, mangle, and raw. Each table has a set of rules or chains.

filter – the filter table is the default table not specified by the -t argument. The filter table has three chains: INPUT for traffic destined for a local socket, FORWARD for packets being routed through the server, and OUTPUT for packets generated locally on the machine

nat – the nat table is consulted when new connections are generated. The nat table has three chains: PREROUTING, OUTPUT, and POSTROUTING

mangle – the mangle table is used for specialized packet alteration. The mangle table has the following chains: PREROUTING, POSTROUTING, INPUT, FORWARD, and OUTPUT.

raw – the raw table is used for configuring exemptions from connection tracking.

Video Tutorials

In part 1, I outline creating a Linux proxy server and router and I diagram the network

In part 2, I create the VMware virtual machine with two NICs and install CentOS

In part 3, I configure network addressing on the CentOS server and a Fedora client

In part 4, I review network addressing, how to do the lab if the server has only one network interface.
I also set up routing and NATing on the CentOS server

In part 5, I install Squid on the CentOS server and configure it to be a transparent proxy.
I configure the iptables NAT table, to portforward all local web traffic to the CentOS server on port 3128. 

In part 6, I continue to configure iptables and I install and configure DHCP server on the CentOS server.