Practical OnLine Services Incubator - eEmployment

Transcription

Practical OnLine Services Incubator - eEmployment
PROJECT: RO/03/B/P/PP175006
TITLE: New
Forms of Learning & Basic Skills
for Advanced, inclusive Lifelong eVET in
Internet Generated Occupations
Laboratory Instructions
&
Incubator Guide
ON-LINE SERVICES
YEAR 2006
BUCHAREST
On-Line Services Incubator
On-Line Services Incubator – How becoming an Internet Service Provider
On-Line Internet Connection
Ethernet Network
Wireless Internet
Web Server (HTML + ASP + PHP + MYSQL)
1
Laboratory Instructions for On-Line Services
(Incubator Guide)
Parent institution: UE-B, Bucharest, Romania,
22 Franceza St., Postal Code 030104
Authors:
1. Ciprian-Antoniade Alexandru, Member of Teaching Staff,
Fax: + 4021 315 77 30; e-mail: alexcipro@yahoo.com
2. Cristian-Teodor Păun, Member of Teaching Staff,
Fax: + 4021 315 77 30; e-mail: cristianpaun@ieee.net
Accessible for consultations daily from 9.00 to 11.00.
CONTENT OF THE ON-LINE SERVICES INCUBATOR GUIDE
1. Hardware Description of Laboratory
2. Internet Service Provider (ISP) – basic hardware architecture
2.1. External Internet connection
2.2. Server – hardware
2.3. Installing a Switch
2.4. Cable and UTP connector (RJ 45)
2.5. External modem for dial-up and remote administration
2.6. Wireless ISP
3. Installing Fedora Core 4 Server
3.1. Getting started
3.2. Installing Fedora Core 4
4. Configuring the Fedora Core 4 Server
4.1. Add the second network device
4.2. Verify the Ethernet configuration
4.3. IP forward
4.4. Configure the squid proxy server
4.5. Set-up your clients computer
5. Testing the network
5.1. Testing the network interface
5.2. Testing the other computer
6. Firewall
6.1. Introduction In Firewall
6.2. Firewall’s Services
6.3. Firewall In Linux Operating Systems
6.4. Firewall In Windows Operating Systems
6.4.1. Introduction In Windows Environment
6.4.2. Using Windows Firewall
6.4.2.1 Example In Windows XP
6.5. Testing Firewall Rules
6.6. Discussions And Conclusions
7. Library with important software package
2
1. On-Line Services Incubator - Hardware description
External Modem
for Dial-Up and
remote
administration
ADSL Modem
2.1. PC
Office
1. Server (Linux)
- Router
- FireWall
- Web
- Mail server
- MySQL
3. Multifunctional Printer
(Print, Scan, Copy, Fax)
2.3. PC
WireLess
UPS
PCI Net Card WireLess
Access Point
WireLess
SWITCH
Laptop or other wireless
devices.
4. PDA - WireLess
2. Internet Service Provider (ISP) – basic hardware architecture
To become an ISP you need an external Internet connection for the server. Second component is a Server connected to
the internet. With this steps you have the Internet in your server and from now on it must be distribute to other people.
Distributing the Internet is possible with a simple switch or hub with a adequate number of ports (one for every
computer from the network). Of course, from the switch we need some UTP – CAT5 cable, and with an important
condition: between 2 points must be maxim 100 meters.
The basic schema, with elements, for an ISP is:
External Internet
Server
Network
The basic hardware architecture for an Internet Service Provider is:
external Internet connection (ADSL, Wireless, Optical Fibre)
server – hardware
server – software (Open source solution or commercial solutions)
switch
cable (UTP)
external modem (for dial-up clients or for remote administration)
wireless (antenna or access-point for wireless clients)
3
Clients Computers
External Internet connection:
- ADSL (modem)
- Wireless (antenna)
- Optical Fiber
Server (Linux)
- Router
- FireWall
- Web
- Mail server
- MySQL
FTP and HTTP
Clients
Switch
Dial-up Clients
Modem extern
pentru Dial-Up
Wireless PC Clients
Access Point
WireLess
Wireless devices:
Laptops, PDAs,
Tablet PCs.
2.1.
External Internet connection
The external Internet connection is necessary to be a trust source for the Internet. This means a very good quality
of connection. Exists a lot of Internet connection witch are stable for a short period of time.
The main characteristics you have to be careful are:
the speed
the connection gap
the time of interventions in case of line fail (1 hour, 1 day, a.o.)
The speed of the connection could be significant diverse. Some company offer the Internet speed in share with
other clients, such as “share 256kbps”. This strategy is in general cheaper but with problems, because with the
time passing, the number of clients grow and also the Internet traffic. Consequence: your share from the
connection is in continuous degreasing.
Second characteristics is also important because your clients pay to you for non-stop internet connection. If you
don’t have a stable connection and the gap (the connection interrupting) is happening, for example once per day,
even for a very short period the clients run away.
Because nothing is perfect on this world, the connection failure is possible. In this unhappy case is imperious
necessary to have possibility to call, non-stop, a technical specialists from the company from you have the external
Internet. Also the interventions time must be as quickly as possible.
4
The are three possibilities, most used, for an external Internet connection:
ADSL with a modem of the line (Fig.1.1),
Wireless solution, with an antenna (Fig.1.2),
Optical Fiber (Fig.1.3).
Sure, the most recommended solution is the optical fiber. The connection speed is good, is most stable and the
possibilities for enlarge the Internet band is very easy.
Fig. 1.1 – ADSL modem
2.2.
Fig. 1.2 – Wireless Antenna
Fig. 1.3 - Optical Fiber
Mediaconvertor
Server - hardware
In different situations the configuration of the server could be specific to the purpose. Always were you read
documentation the hardware requirement is given at the minimum level.
Our recommendation is to use a middle way. In this days is not such expensive to have a good computer.
Hardware configuration
Description (your server or computer)
Amount of memory (RAM)
256 MB
Size of hard drive
20 GB with 7.200 or 10.000 speed/min.
Type of mouse
USB
Type of video card
ATI or nVidia with 64MB Ram, but is possible to
have on board video
Display monitor (resolution)
1024 x 800
Installed network interface (Type)
1 piece - PCI 10/100mbps or
onboard 10/100/1000mbps
1 piece - PCI 10/100mbps
Ports
Serial and Parallel port
For a good functionality of the server is strongly recommended to buy an UPS unit.
This unit protect your server for disturbance in electrical power supply. Is better to have an UPS with serial
connector and proper software for installing with Linux, but a simple one is good for beginners.
Fig. 1.4. The eIncubator Server
Fig. 1.5. The PCI Network card adapter 10/100
mbps
5
1. First network adapter.
In this picture onboard 10/100/1000 mbps.
2. This adapter is connected to the 11mbps wireless antenna (in
our example, but it could be connected to other type of external
Internet).
3. IP’s for this card is given by the company from you have the
external Internet. (in our example 141.85.130.103, but don’t
put this IP to your network card)
It’s possible to have more than one
network adapter on the server. The reason
is to have more separate network.
Each network adapter goes in separate
switch. With this method the networks
could be separate administrated.
The second network adapter connected to the switch.
In this example is a PCI adapter with local IP (192.168.0.1)
Fig. 1.6 Network adapter installed into the server
2.3.
Installing a Switch
For an ISP developed for small building or neighborhoods computer is sufficient a simple switch with adequate
number of ports (8, 16, 24, 32).
Keep in mind that you’ll need at least 2 ports for connection with the server and another switch, in case your
network expansion. In the same time in the exploitation of the equipment, it’s possible to broke down some ports
from the switch. The main cause is from the wire defection or, much rare, from the computer client damage.
Note: When you buy a switch is better to think in the perspective. For instance: for the moment let’s say that you
have 5 clients and would be enough to have a 8 ports switch. When 2 more clients comes you have to buy other
switch. So, for this example I’ll buy maybe a 16 ports switch or even witch 24 ports. Sure, if you know that all
your possible clients will be 12 is not necessary to have a more 16 ports switch.
Fig. 1.7. The simple switch with 16 ports (front side)
6
Fig. 1.8. The simple switch with 16 ports (back side)
Now, connect a cable from your server to the switch and plug the switch in the power supply.
Connecting the computer to your network is very easy, just connect a cable to the switch and to the computer.
SERVER
less than 100 meters
The network over 100 meters
If the computer that you want to connect is over 100 m far from the switch you can add another switch (maybe a
little one with fewer ports) between the main switch and the computer. (see the next diagram).
SERVER
over 100 meters
less than
100 m
2.4.
less than
100 m
less than
100 m
Cable and UTP connector (RJ 45)
For connecting the computer to the switch we need: 2 (two) RJ 45 connector, a proper length CAT 5 cable and a
special pliers for CAT 5 cable connection.
Fig. 1.9.
RJ 45 connector
Fig. 1.10.
CAT 5 cable
Fig. 1.11.
special pliers or CAT 5 connection
7
Steps for putting a RJ 45 connector on the cable.
Step 1. First we need a cable with the proper length from the switch to the computer, and are possible 2 common
situation:
a) when the length could easy determined (the computer is near by the switch or the way between the switch
and computer is straight and free for obstacle. In this situation will cut the necessary cable and then connect the
RJ 45.
b) when we could not determine the exact length (maybe we need to pass by the wall) and in this case is better
to connect the RJ45 at one end, then to rope pull to the next end of the cable. When the cable is in the right
position then cut and pass to the next step.
Step 2. Cut carefully the plastic protection with the pliers. The removed part of the
protection must by xx millimeters with ±
1 millimeter. The wires from the interior of the cable must not be cut and not even their
individual plastic protection.
Step 3. Put this 8 wire in the next order, from the left to right:
- white – orange
- orange
- white – green
- blue
- white – blue
- green
- white – brown
- brown
Step 4. Cut the ends of the eight wires to be in line, all
eight.
Step 5. Hold tight the wires and introduce slowly into
the RJ45 connector, holding the RJ45 with the metallic
side up (like in the picture).
The wires must enter each one into the special canal
from the interior of the connector.
When you push the cable, the wires must maintain the
established order form the previous step.
8
Step 6. Push hard for the wires to reach the ends of the canals from the
connector.
The cable must be lock like in the picture.
Step 7. Introduce the connector, holding the cable
in position, into the pliers.
Step 8. Clench hard the pliers, even with both
hands.
Now the connector should be ready.
Respecting this eight steps and applying to the both end of the cable, the connection between switch and computer
must be fine.
If the connection doesn’t work check again the color order form the step 3.
If a connector is bad cut the cable to the entrance of the connector, throw away, and put another connector.
For an practical example you can see the movie from the web address:
http://www.eemployment.ro/movies/cable-connection.avi
2.5.
External modem for dial-up and remote administration
The most common configuration for dial-up network of Internet is: a server with a network interface for a fast
Internet connection and more modems. The modems could be internal or external, limits coming from number of
PCI connection and serial ports which are on server. Is better to avoid the internal software modem which don’t
offer a hardware serial port because the drivers from manufacturer are difficult to install on the server.
9
Personal computer offer between 1 to 4 serial ports, that mean a limited number of users. For extend the number of
serial ports you can use the specialized interface (example: Cyclades interface can deliver over 30 ports) or change
the phone system (the digital phone line could reach from 2 to 30 phone connection on the same ISDN port).
Any method you will use the principle is the same, so in our example we use an external modem connected to the
server on serial port.
Dial-up connection work on the server with an external modem.
Firstly we must have a phone line connection.
Second step is to connect the external modem on serial port from server. We have possibility to connect on 9 pin
serial port (COM1) or 25 pin serial port (COM2) depend on hardware configuration and on availability of the
ports.
Power supply from
AC/DC adapter
The phone line
The 25 pin serial port
(for COM 2)
The 9 pin serial port
(for COM 1)
External modem
9 pin Serial port from
the back of computer
Server
If your computer doesn’t have the serial port (COM1 or COM2) you must buy a external modem with USB
connection. In general is not recommended because it’s possible to have compatibility problem with Linux.
Note: on newer computer will have only one serial ports, with 9 pins. From this point of view, at the section
“hardware configuration” we recommend to buy a server with at least one serial port and a mouse on USB. If you
buy a serial mouse and the server have just a serial port, then you don’t have any port available for the external
modem.
10
2.6.
Wireless ISP
For distribute the Internet wireless most easily is to have an wireless access point.
The access point will be connected:
directly to the network adapter from server (with 192.168.0.1 IP);
to the already installed switch (in case your final network will be wireless and non-wireless).
For more information about using and configuring a wireless connection it’s strongly recommended to see the
dedicated lesson, also present in respective package.
Antenna
Wireless access point
UTP connection,
directly from the
sever or to the switch
Power supply from
AC/DA adapter
Note: Wireless network could be very vulnerable to the intruders. For this reason is better to configure the wireless
equipment with password access and/or with encrypted data transmission.
3. Installing Fedora Core 4 Server
Becoming an ISP in our time is very easy because we have a lot of instruments around us.
Regarding the software which make your hardware work like a server for distribution of Internet to the potential clients
we present bellow the Fedora Core 4. [2.10]
Fedora Core 4 is a complete operating system produced by the Fedora Project sponsored by Red Hat, Inc. [2.11]
Fedora is based on the Linux kernel and is an open source project developed by a worldwide community of software
developers.
Linux, the kernel of a free operating system, is developed by Linus Benedict Torvalds and released to the world in
1991. [2.1]
Torvalds decide to distribute Linux under a free software license named the GNU General Public License (GPL).
[2.12]
We choose to propose to you using of open source operating systems from the following main reasons:
in the last 10 years this operating system grow continuously until overpass 50% from the Internet Servers
offer to you an excellent opportunity regarding starting investment in a business, because is free for very
low cost
you can install on how many computers do you want, but in the term of GNU licenses
in the last 3-4 years the graphical interface was very strong developed and become a special friendly to
use by a larger variety of users
by installing Fedora Core 4 you have also a lot of software for writing, office possibilities, multimedia,
graphical application and also good and powerfully instruments for programming
you have possibilities to use Fedora Core 4 as Server platform for your Internet business or as Desktop
version for your personal computer
11
Linux is stable, scalable, fast and secure
can use very old computer like Intel-based 486 with even 8Mb of RAM (see bellow our
recommendations)
Also, exists many other Open Source [2.13] operating systems which you can use for your Internet server, like
Mandrake, FreeBSD, Slackware, Debian and other.
3.1.
Getting started
Hardware Requirements
For install Fedora Core 4 we recommend to use the hardware configuration described on Part 1, on the present
lesson. Also, the Fedora Core 4 could be install on older computer with minimum 200MHz Pentium CPUs,
750MB hard drive space and 64MB RAM for using Fedora without a graphical interface. [2.1]
Before installation is good to have a list with your minimum configuration, so make a list like bellow:
Hardware configuration
Amount of memory (RAM)
Size of hard drive
Type of mouse
Type of video card
Display monitor (maximum resolution)
Installed network interface (Type)
Description (your server or computer)
128 MB (i.e.)
10 GB (i.e.)
USB (i.e.)
ATI Rage 9200 128MB RAM (i.e.)
1024 x 800 (i.e.)
RTL 8139 (i.e.)
Note: If you have a particular (brand or special) PC model or laptop is better to check if support Linux.
If you research is not concluded, read the Linux Hardware HOWTO on:
http://www.tldp.org/HOWTO/Hardware-HOWTO/
Fedora Core 4 installation software CD’s
You can download the CD’s for free from:
http://download.fedora.redhat.com/pub/fedora/linux/core/4/i386/iso/
On that link you will find four files, which are ISO images of four CD’s :
FC4-i386-disc1.iso
FC4-i386-disc2.iso
FC4-i386-disc3.iso
FC4-i386-disc4.iso
Note: Above downloaded Fedora software is compatible with Intel-based PCs. If you have other kind of computer
is better to consult the RedHat documentation to see if you can download the specific software.
After burning all of them on CD put a label on each and you can install the Fedora Core 4.
If you don’t have a large band of Internet to download the 4th CDs you can ask for help from Internet Café places.
A third solution is to obtain the software from specialized software newspaper or pc’s magazine.
Other solution is to buy the Fedora Core 4 directly from RedHat (http://www.redhat.com/fedora/).
Hard drive preparation
The installation permit to have more that one operating system on your hard drive. Anyway we recommend to
install only the Fedora Core 4 on your server because, the server will run 24 hours per day, delivering Internet to
your clients and is not necessary to have other operating systems on it.
If you plan to install the Fedora Core 4 also on your personal computer or maybe on your laptop may be consider
to have more operating systems on the same hard drive.
12
For both options you have to partition the hard drive. This operation could be done before or during installation.
Linux use for hard drive the device name:
/dev/hda for recognize the first (master) IDE hard drive on channel 0,
/dev/hdb for the second (slave) IDE hard drive on channel 0,
/dev/hdc for the third (master) IDE hard drive on channel 1,
/dev/hdd for the forth (second) IDE hard drive on channel 1.
3.2.
Installing Fedora Core 4
We choose to install Fedora from CD-ROM. There are other way to install, but not necessary for your starting
business: DOS; Network file systems (NFS); File Transfer Protocol (FTP); Hypertext Transport Protocol (HTTP);
Directly from the Internet; From a hard drive partition; or from preinstalled media (by transfer the image from a
hard to another).
IMPORTANT: For install Fedora form the CD-ROM, firstly set-up from BIOS to boot computer from CD drive.
Starting installation: Insert the first CD into CD-ROM and restart the computer for booting from CD.
After booting you should have on your screen
the next image:
Strike the Enter key to run installation.
Next image is for testing your installation
CDs. It’s more an assurance to don’t start the
installation and form different reasons one of
the 4th CDs is not working.
If you are not sure of quality of your recorded
CDs maybe it’s better to do the test and for
that you choose <OK>.
In our installation we choose <Skip>,
considering that the CDs are OK.
13
Next image is a “welcome” one.
Just go to the next with the
<Next> button in the right-down
corner.
Now, you have to make a
language selection.
Our recommendation is to choose
English (English) even if you are
not a native English language.
The reason is simple: the Internet
is almost entirely a English
language land and it’s better to
become familiar with that
language.
For “Keyboard Configuration”
we also use <U.S. English> , but
that’s depend of your specific
keyboard connected to your
computer.
So, pick-up one from the list and
click on <Next> button.
14
From this point is actually start
the installation.
Because our interest is to become
an Internet Service Provider we
install the <Server> type.
Then click on <Next> button.
The partition strategy of your hard
drive is “an art” for an
experienced Linux administrator.
From this point of view, form
now on you’ll heard a lot of
versions from different people.
Considering our intention, is not
necessary to have much trouble.
So, simply we recommend to
make <Automatically partion>
then <Next> button.
In the future keep in mind to
make separate partition for user
data, because those could be more
important that the systems itself.
(the system could be repaired or
reinstalled, but the data are lost
forever.
An warning window will be
displayed for loosing all data on
your hard drive.
If your hard drive is new and
empty or you know that are not
important data on it, proceed with
<Yes> button.
In other case choose <No> and
the installation will stop.
15
Like in the preview window, you
are informed and also ask to make
a choice.
Into
the
spirit
on
our
recommendation to install only
Fedora Core 4 on your server
system, click on <Remove all
partitions on this system> option
and then <Next> button.
In other case is better to make the
right choice for not loosing data.
Warning: maybe your image from
your display is a little different
about the “Device name”, depend
on your hardware configuration.
Specially regarding size of your
hard drive. In our example we
have a 4GB size hard drive.
IMPORTANT: We are not
responsible for data lost if you are
not use an empty or a new hard
drive.
Is very dangerous to work on the
drive with already stored data on
it. Even an experienced person
could make terrible mistake. If
you still want to work on the hard
drive with data on it, at least,
firstly, make a safe copy on other
media storage (hard drive, CD,
DVD, tape, a.o.).
Another warning message and the
<Yes> button choice.
An information window showing
results of your previous choice.
Click <Next> button.
Warning: maybe your image from
your display is a little different
about the “Device name”, depend
on your hardware configuration.
16
Again click <Next> button.
Warning: maybe your image from
your display is a little different
about the “Device name”, depend
on your hardware configuration.
Installation program find one
network interface on computer.
For configuring manually this
interface click on <Edit> button.
Otherwise the Fedora will be
installed
with
DHCP
and
automatically allocate the IP.
In the by-screen you unchecked
the check box <configure using
DHCP> and complete the <IP
Address> with: 192.168.0.1.
Also
the
<Netmask>:
255.255.255.0
like
in
the
presented example.
If the Fedora finds more than one
network adapter is possible to be
asked to configure the second
device. In that case, the device
name eth0 will be first adapter
activated when Fedora starts.
After
installation
we
can
reconfigure the network device
with a graphical tool: systemconfig-network
17
You can configure the hostname
entering a name like our example:
ldv.ueb.ro but not identical.
The IP necessary for Gateway and
Primary and eventual Secondary
DNS is given to you to your
external Internet company from
where you have the connection.
We configure the <Gateway>:
141.85.128.6 and the <Primary
DNS> with 141.85.128.1 (please
complete with your own data).
Because we want to install a
server configuration we check all
the check box from the screen
<Firewall Configuration> and
<Enable firewall>.
It is true that for becoming
Internet Service Provider you
don’t need <Web Server> or
<Mail Server>, but will help you
to understood more futures of the
Fedora Core 4.
If you don’t have much Internet
clients maybe, in the future you
want to host some small web
pages on the same server. (is not
recommended to have the web
server on the same server, but for
a started and small company with
few clients it’s helpful from
expenses point of view).
When you will have sufficient financial stability, dedicated servers are much important. (web server, mail server,
gateway). Anyway the Linux it is recognized like a stable server and from our previous experience up to 10
small and medium web pages could be hosted and also use the same computer like gateway.
18
On the <Time Zone Selection>
screen you have to select your
<Location>.
We select <Europe/Bucharest>,
but you can select anything you
want according to your country.
Setting the root password is
important for the security of your
system.
The “root” is the administrator for
the entire server and have access
to all resources.
So, the password for root is highly
desired by any possible intruders.
The root password:
must be as much as long, that
you can remember it,
with different characters,
even different sentence,
alternate
letters
with
numbers,
not containing your name or
initial.
Example: dh64rEv08nseR
From now on we start to select the
necessary package for the Fedora
Core 4.
Firstly we select the check box
<KDE
(K
Desktop
Environment)>, then click on
<Details> button.
19
From administrative point of view
select third item <kdeadminAdministrative tools for KDE>.
Then click on <OK> button.
Scroll down the screen and select:
<Editors> ,
<Engineering and Scientific> ,
<Graphical Internet> ,
<Text-based Internet> and click
on <Details> button from
<Graphical Internet>.
On “Graphical Internet” screen
select:
<kdewebdev
–
WEB
Development package for the K
Desktop Environment> and
<thunderbird
–
Mozilla
Thunderbird
mail/newsgroup
client>, then
click on <OK> button.
20
Returned on <Package Group
Selection> screen click on
<Details> from <Text-based
Internet> .
On <Text-based Internet> details
screen select <lynx – A text-based
Web browser>, then <OK>.
Scroll
down
and
select
<Office/Productivity> item, then
<Details>.
Now, select <kdepim – PIM
(Personal Information Manager)
for KDE> item, then <OK>.
21
Select :
<Sound and Video> ,
<Authoring and Publishing> ,
<Graphics> and <Details> from
<Graphics>.
On “Details for Graphics” screen
select <kdegraphics – K Desktop
Environment – Graphics
Applications> item, then <OK>.
A little bit lower select <Server
Configuration
Tools>,
then
<Details>.
22
Select first two items: <systemconfig-bind> and <system-configboot>, then <OK>.
Select <Web Server> item, then
<Details>.
On “Web Server” screen select:
<mod_auth_mysql>, scroll down.
<php-mysql> and
<php-odbc>, then <OK>.
23
Select <Mail
<Details>.
Server>,
then
Select <postfix> and
<squirrelmail>, then <OK>.
Select items:
<Windows File Server> ,
<DNS Name Server> ,
<FTP server>
24
Scroll down and select <MySQL
Database> , then <Details>.
Select:
<mod_auth_mysql> and
<php-mysql> items, then <OK>.
Select <News Server> and
<Network Servers> , then
<Details>.
25
Select <dhcp> and <vnc-server>,
then <OK>.
If you want, select a different
<Language Support>, then
<Details>. Selecting a language
support doesn’t mean that you
renounce to English, but you’ll
have possibility to have other
Language.
In out example we select
<Romanian Support>, but you
select anything you want
according, maybe, with your natal
language.
26
Select <Administrative Tools>,
then <Details>.
Select <system-config-kickstart>,
then <OK>.
Select <System Tools>, then
<Details>.
27
On “System Tools” screen select:
- <iptraf> , <mc> and <mrtg>
items, then scroll down, and select
also:
<uucp> and <vnc>, then <OK>.
Now, your Packages selection is
ready, then click <Next>.
The installation software will
verify what is necessary for
installing Fedora Core 4 conform
your selected packages.
28
This is an information screen so,
click <Next>.
Again, an information screen,
where is written that are necessary
all 4 CDs for installing the system
and the packages selected.
If you have all four CDs ready
click on <Continue> button,
otherwise click <Reboot>.
After all this operations, the Fedora Core 4 start installation and you have to wait between 30 to 90 minutes to
perform all jobs (depending your hardware performance).
During the installation other information will be displayed and everything must go on smoothly. If something is
wrong try to see what is the error message and fix the problem. Maybe you must restart from beginning the all
installation, but not before check the hardware compatibility describe in the beginning of the lesson-part 1.
When the installation will end you’ll be asked to restart computer and after restarting are running post-installation
operation. All processes will end with login screen presented bellow.
Tips:
change the root password monthly;
don’t write the password on computer, on keyboard or something like that (we see that often at the
beginners).
29
4. Configuring the Fedora Core 4 Server
To configure the Fedora Core 4 Server to deliver Internet from your location to other computer we need a second
network interface. The first network interface you are already configure previous in this lesson, part 2.
Place your network interface on a free slot of PCI and the power on the computer.
Your new interface will recognized automatically all what you have to do is to configure it.
Follow the next steps, after you are login as root from starting your computer.
4.1.
Add the second network device
Add the second network device.
Firstly we have to add the device into your systems.
For that, start from the main, clicking the red hat on the leftdown corner, menu item <System Settings>, than menu item
“Network”.
On the screen “Network Configuration”, select from left-up
corner the <New> button.
In the next screen select <Ethernet connection>, then
<Forward> button.
Most probable this screen will show two “Ethernet card”, but
surely the name of it are different. We have, on our computer
form OnLine Service Laboratory, two Ethernet card from
Realtek Semiconductor Co., the RTL-8139 model. This is not
important, because not the model counts, but the functioning.
You must select the “Ethernet card” with the name different
from eth0. In our screen the device name is: “dev2729” and
maybe at your computer is “eth1”. So, select the second
Ethernet card then the <Forward> button.
30
Now, we need the IP address and gateway address given by
the Internet Service Provider which deliver to you the Internet.
Introduce to the text Address the IP address, to <Subnet
mask>: 255.255.255.0 and to <Default gateway address> the
correspondent IP.
Please we careful to do not introduce our IPs from the
laboratory.
Click on <Forward>.
This is just an information screen and click on <Apply>
button.
The Network device is added to your list, but is not active. For
that click on <Activate> button.
A confirmation screen
where you select <Yes>
button.
Next is an information
screen. Just <OK>.
31
4.2.
Verify the Ethernet configuration
Verify the Ethernet configuration
It’s recommended to verify the
settings that you just made with
some text editor. One easy way is to
open from graphical mode a
console. Right-click somewhere on
the desktop and select <Konsole>
item.
The screen is like the next one. Start
a small program with the command:
# mc then <Enter> key from
keyboard
The program Midnight Commander
starts and change the directory with
the command:
# cd
/etc/sysconfig/networkin
g /devices
On the screen are two files:
ifcfg-eth0 and ifcfgeth1
We edit each one step by step with
the Edit, pressing the <F4> from
keyboard. Start with: ifcfgeth0.
Look just for the DEVICE keyword.
This must have the eth0 value. If is
not change it and check IPADDR
keyword
with
the
value
192.168.0.1, NETMASK with
255.255.255.0
value
and
NETWORK with 192.168.0.0.
Don’t change other values.
After you are finished press <F2>
from the keyboard for saving the
modification, then <Enter> key for
the <SAVE> option.
32
Pass to the next file: ifcfg-eth1, and
check again:
DEVICE=eth1
IPADDR=<your IPADDR given by
your Internet Service Provider>
NOT the 141.85.130.103 IP
because this is from authors
example.
NETMASK=255.255.255.0
GATEWAY=<your Gateway address
given by your Internet Service
Provider>
NOT
the
141.85.130.6 IP because this is
from authors example
Don’t change other values.
After you are finished press <F2>
from the keyboard for saving the
modification, then <Enter> key for
the <SAVE> option.
Restarting computer
For all this changes should have effect you can restart some services or more simply is to restart your computer.
Please restart the computer from then Fedora menu not from computer button.
4.3.
IP forward
IP forward
After booting you should start again
the Konsole with right-click on the
desktop and choosing Konsole. Then
give the command:
# mc
then <Enter> key from
keyboard
Change the directory with the
command.
# cd /etc/rc.d
from keyboard
then <Enter> key
Now you have on screen three files and the one you are that is interesting is: rc.local. Select it and edit with
<F4> key.
Add this:
/sbin/route del –net 169.254.0.0 netmask 255.255.0.0 dev eth1
and
/bin/echo 1> /proc/sys/net/ipv4/ip_forward
Don’t change other values.
After you are finished press <F2> from the keyboard for saving the modification, then <Enter> key for the
<SAVE> option.
33
4.4.
Configure the squid proxy server
Configure the squid proxy
server.
Change again the directory with the
command.
# cd /etc/squid then <Enter>
key from keyboard
Find and select the squid.conf
file, then edit with <F4> key.
Now we have to change some
configuration into this file which is
big enough to find something a little
bit difficult. But, with a patience,
look after the section “INSERT
YOUR RULE(S) HERE TO
ALLOW ACCESS FROM YOUR
CLIENTS”, like in the next image.
Uncomment
the
row
acl
our_networks by deleting the “#”
sign from the beginning of the row.
Also, change the IP class after the
src with your class which is:
192.168.0.0/24.
Uncomment the next row and your
screen should look like the next
image.
Don’t change other values.
After you are finished press <F2> from the keyboard for saving the modification, then <Enter> key for the
<SAVE> option.
We finish to configuring all stuff and exit from Midnight Commander with <F10> key and confirm with then
<Enter>. Close the Konsole with combination Ctrl+D or with exit command follow by <Enter>.
34
Starting the squid and snmpd
services
From the red hat menu:
Select <System Settings>, then
<Server Settings>, than <Services>
item.
Scroll the list from left side of the
screen until find snmpd, select it,
check the right check box and select
the <Start> button from up-left
screen.
The same operation with the squid
item with three row bellow.
After that, save the settings with
<Save> button from up-middle
screen, then close the window.
Now, your server is ready.
Plug in the cable from your Internet Service Provider into the first network interface and the second network adapter
into the switch from where you delivered the Internet to the clients.
Success !
4.5.
Set-up your clients computer
Your computer clients must be configured in two places.
Each your client must have an unique IP delivered by you. The interval of the IP number is between 192.168.0.2 and
192.168.0.255, mean from 2 to 255. We recommend to keep for your possible future use couple IP number or to begin
even from 192.168.0.10.
Firstly the network adapter (interface) on your clients computer must be configured with:
IP address: 192.168.0.xxx, but be careful, do not give the 192.168.0.1 IP because is your server address
Subnet mask: 255.255.255.0
Default gateway: 192.168.0.1
The second configuration is about the proxy server from the web browser.
Address of the proxy is: 192.168.0.1 and the port is: 3128.
5. Testing the network
The necessary command to test the network is ping. This command is described detailed in other lesson from this
eEmployment package.
5.1.
Test the network interface
First test is to your two network interfaces.
Open the Konsole and do the command:
# ping 192.168.0.1 <Enter> key
then the second interface:
# ping <your gateway IP introduced during the configuration on your Fedora Core
4 Server> <Enter> key
35
5.2.
Test the other computer
After you have the cable connected between switch and the computer and made all the configuration described in the
previous section you can make a test.
The test can be made bidirectional.
Once from computer to the server with the command:
# ping 192.168.0.1 <Enter> key
Then, from server to the computer:
# ping 192.168.0.xxx <Enter> (i.e. 192.168.0.10)
6. Firewall
6.1.
Introduction In Firewall
Definition: a firewall is a system that is used to prevent malicious access from “outside” to the computers from
“inside”.
This is the simplest definition of a firewall. From the beginning, you see that the firewall is created to make the
difference between „inside” and „outside”. What do we mean by the “inside”? A single computer or a small size
computer network or more computers linked together in a LAN. And, what is the „outside”? Simple, this may be
viewed as the rest of the world or more commonly known as the INTERNET, an unprotected network, a world of free
data interchange. This system monitors the network activities and filters incoming data packages and outgoing
packages as well.
In a more sophisticated wording, the firewall system implements the rules the machines abide by while interchanging
data on the network. Firewall is vital mechanism that grants permission to pass the data entities through the network or
not. In order to be effective, the firewall must be the single place where all data packages must arrive, in a pipelined
manner. These packages can be accepted and forwarded, or dropped. All dropped packages disappear, the attackers
receive no answer and the server is not loaded with extra-tasks.
In other words, we can say the firewall is the connection point between our network (the „inside”) and the others (the
Internet).
In each network a security policy is established and through the firewall this is put at work.
In the following section, you will discover the security rules and you will able to implement your own security
policies.
There are a few rules in internetworking connectivity.
The first rule is to write down everything you do. If you establish a new rule, write down what it is, when you apply it,
what is its purpose, and how you test the effects of the rule.
Always start your work by setting simple and general rules. Test the effects of these rules. If the results are
satisfactory, then you can get to the next step and set a new security rule.
Set security rules only if they are strictly necessary. If you have a ”big tree” of security rules you can’t see the fruits!
Don’t block your traffic with a new rule! Save and write down the last good functional situation on your machine. Set
up the new rule and after that test it. If possible, test it thoroughly. If this last modification is good, make a log about
what you do and keep it updated.
Use a book with records on your daily activities in this field.
Review your records from time to time and notice if there exist mismatches between how you desire the computers of
your LAN to work and the real situation.
It is better to know when something is working well, some users don’t see it, and they try to improve the situation. I’m
talking about your colleagues eager to “help you out”. This is another subject and it may be defined as “internal
security”: within an organization or working group there should be only one entity in charge of and accountable for
security issues.
If you don’t have or you can’t implement a single firewall for your network, it is recommend to implement firewall
rules on each machine of the LAN.
36
Understanding the difference between firewall and security
In this moment, you can make the difference between the firewall system and security system. The firewall implements
part of the security rules especially those which are focused on network traffic. The rules implemented in firewall
mechanism are set for a long time period and are invisible to internal and, especially, external network users.
This lesson shows how to protect your computers in the internetworking environment. Any computer must be linked to
the others computers but any time you must know how to avoid being the victim of hacker’s activities or to avoid the
deadly attacks of the crashers. After taking this lesson you will be able to implement and set up your own firewall.
You must know that a “hacker” is a creative person, like a dreamer in art but his art is in computer land. A “cracker” is
not a very nice person. His target is always to destroy. In the last time, we can see the new generation of pseudocrackers. Young persons without real cracker’s skills but they have a lot of tools with may automatic destroy the
security system on your computer.
6.2.
Firewall’s services
Fig.2.1 Using “firewall” with routing function or a separate “router”
In modern network the role of an elementary firewall can be played by a router, witch filters packets of network (at the
transport and network levels from OSI model). More perfect firewall can be implemented in gateway, witch operate at
application layer of OSI model and can provide filtering of information.
From the figure 2.1 you must understand that the firewall should be placed between the protected network of an
organization and the external network that could be hostile. All traffic between the two networks is carried through the
firewall. From this point you must know that all protected networks have incorporated firewall.
Is possible to have different situations gave by difference between the communication protocol. So, in out network we
can use SPC/IPX protocol and the external network using TCP/IP protocol. In this situation we have an asymmetric
firewall that is working like relay. In one of his side accepts packets in SPX/IPX format and after receiving packet strip
it by the application, transport, network information layer from ISO/OSI model and take only the information. After
this, packed information back, again, with application, transport, network information layer for TCP/IP protocol. We
can say that are two group of function for a firewall:
- filtering of information passing through the firewall;
- mediating at implementing of internetworking actions.
Depending on the firewall type, these functions can be performed up to different stage. Simple firewalls are oriented to
execute only one of these functions. Like a little conclusion, we may say that a completed and accurate control require
a complex firewall must be able to analyze and use the following items:
- information on connection (that could be information from all layers of ISO/OSI model that are implemented,
if is possible from all seven layers);
- history of connection (it must store the information about the last connection);
- status of application level (information collected from other application. For example, the user authentication
for current moment can be given the rights of access through a firewall only for authorized sorts of tools.);
- aggregating all items.
A device similar to a firewall can also be used for protection of an individual computer. In this case, we have an
installed firewall on protected computer. We shall see this in Windows environment.
Protecting your computer
The first step in protecting a computer is to identify the tasks to be executed on the machine and the persons that have
the right to launch programs on this computer. At the appropriate moment, we will learn about computer users and
their specific access rights by their membership in specified groups.
37
So, one must understand the grouping polices that are implemented in the kernel of the operating system. You must
know that the policies and rules designed to protect your computer are similar to those implemented on any other
computer. On the other hand, these rules are different in Microsoft environment and Open Source/Linux environment.
The firewall is a special mechanism which is strictly dependent on the operating system. If you want to link a computer
to other computer/computers you must activate the firewall rules. You must choose the right rules to protect the
activities on those computers.
Separating computers of your LAN from the INTERNET
The most important service provided by a firewall mechanism is to separate the computer from the outside world. In
any moment, the firewall receives messages from the net device and makes fast decisions on forwarding or dropping
them. So, behind the closed door we can hear what is happening outdoors and if the message is acceptable the firewall
will open the door. Also, if a message tries to go out without the permission to travel on the net the firewall won’t open
the door, and if it is correctly set up you will always know all about the unauthorized penetrations in either direction.
2.2a Any computer must have it’s own 2.2b A LAN must have a dedicated computer called “server” where are
firewall system when this is connect to implemented the “firewall” system with specific security rules
INTERNET
You can understand an internetworking situation regarding figure 2.3.
Fig.2.3 This is a little part of the internetworking world (including INTERNET)
38
6.3.
Firewall in Linux operating systems
In Linux, the firewall rules are not set up from the very beginning as it happens with Windows XP. You must
activate some daemons that protect your computer. If you connect your computer to the INTERNET without setting up
your own firewall rules is likely you will leave the doors of your own house wide open and have a little trip to Monte Carlo
forgetting anybody and everything. Of course, after coming back you will probably have to purchase a new house. But you
know why? Because you’ll find all the doors closed, somebody else will be living there and that intruder won’t leave his
new propriety.
So, we must draw a line of defense between us and the unknown. Starting from this point, we will view the
firewall as a bastion of defense which is really important for protecting your system.
Passwords are an important and the first instrument in security on any system. From the beginning you met and
discover the passwords. Any really import task on the computer ask a password from you. Any time, when the system give
you the possibility to setup a password you must use it.
The password must be selected with care and must be “new words” like in the next exmple:
The PASSWORD
How to remember it?!
MoCh10Y!
My old Car have 10 year !
MiMNgASiBL%!
Mary is My New girlfriend And She is Blonde 100%!
Certainly you may be more creative and use secret sentences (probably longer), nobody know what is in your
mind.
To change the password of a user “Lily” you can use the next syntax:
cristi@mpt cristi> passwd lily <enter>
…
After this the system will ask from Lily to introduce her password twice (second time for confirmation). You can
force Lily to change the password time to time, e.g. 4 days. So, tape the next sentence:
cristi@mpt cristi> chage –W 4 lily
#
Next time when Lily logon to the system, it will prompt her:
Warning: your password will expire in 4 days
If Lily will operate on the system until 2005, on 30 June, is better to specify this like in the next example:
#
cristi@mpt cristi> change –M 20 –W 5 E 30/06/2005 <enter>
#
In these conditions, Lily must change the password in 20 days and her password also expires on 30 June, 2005.
Supplementary, the system will prompt Lily with 5 days earlier to change her password.
The password will be stored in a “shadow” file where only the “root user” has access. For a cracker is important to
have a copy of your password, so don’t leave the password files in public places. In case you use the shadow file (e.g.
/etc/shadow) and the password file will be display like:
#
cristi@mpt cristi> more /etc/passwd<enter>
root:x:0:0:root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
.
.
.
lily:x:450:150:Liliana Ionescu:/home/lily:/bin/sh
.
To learn more about these commands you can use man and the name of command you need (e.g. man change
<enter>).
Other important way to protect your computer is to use the filtering mechanism. The most important filtering
mechanism is the firewall system and the proxy servers. The following section explains very simple how to use the firewall
mechanism.
IPFWADM
In Linux 2.0.x you will work with ipfwadm systems, IP firewall administration tool. If you have an older
computer, do not throw it away. With Linux 2.0.x kernel you can put it to good use.
The configuration options you will need to set for the 2.0-series kernel are:
CONFIG_EXPERIMENTAL=y
CONFIG_FIREWALL=y
39
CONFIG_IP_FIREWALL=y
CONFIG_IP_FIREWALL_CHAINS=y
IPCHAIN
You need a kernel which has the new IP firewall chains in it, like Linux 2.1.x or Linux 2.2.x kernels. You can tell
if the kernel you are running right now has this facility installed by looking for the file `/proc/net/ip_fwchains'. If it exists,
you're in. If not, you need to “make” a kernel that has IP firewall chains. First, download the source of the kernel you want.
If you have a kernel numbered 2.1.102 or higher, you won't need to patch it (it's in the mainstream kernel now). Otherwise,
apply the patch from the web page listed above, and set the configuration as detailed below. If you don't know how to do
it, don't panic -- read the Kernel-HOWTO.
For the 2.1 or 2.2 series kernels:
CONFIG_FIREWALL=y
CONFIG_IP_FIREWALL=y
The tool ipchains talks to the kernel and tells it what packets to filter. Unless you are a programmer, or overly
curious, this is how you will control the packet filtering. The ipchains tool inserts and deletes rules from the kernel's packet
filtering section. This means that whatever you set up, it will be lost upon reboot and for that reason you must select the
option “Making Rules Permanent”, and they are restored the next time Linux is booted.
Ipchains replaces ipfwadm, which was used for the old IP Firewall code.
This contains a shell script called ipfwadm-wrapper which allows you to do packet filtering as it was done before.
You probably shouldn't use this script unless you want a quick way of upgrading a system which uses ipfwadm.
It is important to make your own rules permanent and set them up in the firewall system. Your current firewall
setup is stored in the kernel, and thus will be lost on reboot. We recommend using the “ipchains-save” and “ipchainsrestore” scripts to make your rules permanent. To do this, set up your rules, then run (as root):
cristi@mpt cristi> ipchains-save > /etc/ipchains.rules
#
Create a script like the following (with any text editor like “vi”):
#! /bin/sh
# Script to control packet filtering.
# If no rules, do nothing.
[ -f /etc/ipchains.rules ] || exit 0
case "$1" in
start)
echo -n "Turning on packet filtering:"
/sbin/ipchains-restore < /etc/ipchains.rules || exit 1
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "."
;;
stop)
echo -n "Turning off packet filtering:"
echo 0 > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -F
/sbin/ipchains -X
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -P forward ACCEPT
echo "."
;;
*)
echo "Usage: /etc/init.d/packetfilter {start|stop}"
exit 1
;;
exit 0
Make sure this is run early in the booting procedure.
40
IPTABLES
Netfilter and iptables are the building blocks of a framework inside the Linux 2.4.x and 2.6.x kernel. This
framework enables packet filtering, network address [and port] translation (NAT or NATP) and other packet mangling.
Netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the
network stack. A registered callback function is then called back for every packet that traverses the respective hook within
the network stack.
Iptables is a generic table structure for the definition of rule sets. Each rule within an IP table consists of a number
of classifiers (iptables matches) and one connected action (iptables target).
Netfilter, iptables and the connection tracking as well as the NAT subsystem build together the whole framework.
The most important features that are implemented with iptables are:
•
packet filtering for IPv4 and IPv6
•
all kinds of network address and port translation (NAT/NAPT)
•
flexible and extensible infrastructure with multiple layers of API's for 3rd party extensions
By using the iptables facilities you can:
•
build internet firewalls packet filtering.
•
use NAT and masquerading for sharing internet access if you don't have enough public IP addresses.
•
use NAT to implement transparent proxies.
•
aid the tc and iproute2 systems used to build sophisticated QoS and policy routers.
•
do further packet manipulation (mangling) like altering the TOS/DSCP/ECN bits of the IP header.
Iptables program is newer like ipchain or ipfwadm programs. So, we shall show exactly how to setup iptables. The
common application that you shall meet is to connect (and necessary to protect) a local network to INTERNET (other
network). See the figure 1 to understand the situation. If you don’t have enough public IP address you shall use private IP
address (e.g. 192.168.0.0,192.168.0.31 and so on). For solve this situation you shall make a translation of IP addresses from
the private address to public IP address or from the public to private.
First step for make forwarding the messages between your LAN and INTERNET is to modify the line in
“/etc/sysctl.conf” file:
cristi@mpt cristi> vi /etc/sysctl.conf<enter>
# Kernel sysctl configuration file for Mandrakelinux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding [HERE IS THE LINE WHERE YOU MUST CHANGE]
net.ipv4.ip_forward = 0
# Disables IP dynaddr
net.ipv4.ip_dynaddr = 0
# Disable ECN
net.ipv4.tcp_ecn = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Controls the System Request debugging functionality of the kernel
#kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
# If you set this variable to 1 then cd tray will close automatically when the
# cd drive is being accessed. Setting this to 1 is not advised as it has been
# known to cause problems when supermount is enabled.
dev.cdrom.autoclose=0
# removed to fix some digital extraction problems
# dev.cdrom.check_media=1
# to be able to eject via the device eject button (magicdev)
dev.cdrom.lock=0
net.ipv4.icmp_ignore_bogus_error_responses=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_echo_ignore_all=0
net.ipv4.conf.all.log_martians=1
41
kernel.sysrq=1
.
Find the line where “net.ipv4.ip_forward=0” and change “zero” with “one” like “net.ipv4.ip_forward=1”. Save
your changing (with <ctrl>+: and wq write and quit file.) Now the system is able to forwarding packets. To active your
iptables firewall is necessary to:
#
# cristi@mpt cristi> /etc/init.d/iptables start<enter>
.
If you save your rules in “/etc/sysconfig/iptables” file any time your system starts also the firewall will be active.
In this lesson we don’t explain all the rules but we shall give you a very good example that you can use it. The
understanding of this example is a second step to really protect your computers. In this example is implemented the
situation from the figure 1.
Fig.3.1 This is an example how a LAN is connected to the INTERNET and the firewall filtering all traffic
cristi@mpt cristi> vi /etc/sysconfig/iptables<enter>
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Fig.3.2 IPTABLES file made by the operation system FEDORA core 3 from the beging…
42
So, in figure 3.2 is presented an automatic iptabes made by system. In figure 3.3 is presented other style of iptables
and you can compare these two files. In practice, is better to have your own “style”. You must understand the real situation
of the network and build step by step this file.
# every lines that have “#” character in first position is a comment for understand or an explanation
# every lines that do not have “#“ character in first position is a command and must be included in iptable file
# in this example you must have in mind figure 3.1
#our policies is to DROP any massage
#
iptables –P INPUT DROP
iptables –P OUTPUT DROP
iptables –P FORWARD DROP
#
# in this moment all the traffic is blocked. No traffic. No packet comes and no packet goes!
# Let open a little bit the “filtering pipe”
# First step defines a chain for accepted TCP packets
#
iptables –N ok
iptables –A ok –p TCP --syn -j ACCEPT
iptables –A ok –p TCP –m state --state ESTABLISHED,RELATED –j ACCEPT
iptables –A ok –p TCP –j DROP
#
# is accepted only TCP packets in the connections already established and related or “syn” packets
# is time to setup the chain of the firewall: INPUT, OUTPUT, FORWARD and POSTROUTING
# second step in setting up the INPUT chain
#
iptables -A INPUT -p ALL -i eth0 192.168.0.1/8 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1-j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 123.45.54.213 -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -d 192.168.0.255 -j ACCEPT
#
# with above lines is accepted the traffic initiated by local interface, inside or outside Ethernet interfaces and broadcasting
# but is necessary to establish what is doing with the traffic coming from INTERNET
# so, the firewall will accept only the TCP traffic already established and related connections made by user of your
network
#
iptables -A INPUT -p ALL –m state --state ESTABLISHED,RELATED -d 123.45.54.213 -j ACCEPT
#
# third step: establish the rules for TCP packets
#
iptables -A INPUT -p TCP -i eth1 -s 0/0 --destination-port 21 -j ok
iptables -A INPUT -p TCP -i eth1 -s 0/0 --destination-port 22 -j ok
iptables -A INPUT -p TCP -i eth1 -s 0/0 --destination-port 80 -j ok
iptables -A INPUT -p TCP -i eth1 -s 0/0 --destination-port 110 -j ok
#
#the accepted port are standard for web application about you already know
#
iptables -A INPUT -p UDP -i eth1 -s 0/0 --destination-port 53 -j ACCEPT
iptables -A INPUT -p UDP -i eth1 -s 0/0 --destination-port 531 -j ACCEPT
iptables -A INPUT -p UDP -i eth1 -s 0/0 --destination-port 2053 -j ACCEPT
iptables -A INPUT -p UDP -i eth1 -s 0/0 --destination-port 32323 -j ACCEPT
#
# the firewall accept the standard port 53 and other 3 port for specificated application (e.g DanteHD listen and accept
# connection on 32323 port)
#foreth step: ICMP rules
#
iptables -A INPUT -p ICMP -i eth1 -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p ICMP -i eth1 -s 0/0 -- icmp-type 10 -j ACCEPT
#
# fivith step: FORWARDing rules
# is important to make packets to move through the firewall
#
43
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
#sixth step is to open the OUTPUT chain
#
iptables -A OUTPUT -p ALL -s 127.0.0.1-j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 123.45.54.213 -j ACCEPT
#
#the last step is to make routing inside of your network and translate the external address to internal address
#this process is POSTROUTING chain.
#
iptables -t NAT -A POSTROUTING -o eth1 -j SNAT –to-source 123.45.54.213
Figure 3.3 IPTABLES file with a personal style of firewall rules
In this example is used SNAT (Source Network Address Translation) because is present a static IP address for
connection with INTERNET. If the firewall is a client of other network where is used a dynamic protocol to give the
addresses is necessary to use MASQUERADE table.
# IP address by DHCP server
#
iptables -t NAT -A POSTROUTING -o eth1 -j MASQUERADE
#
Is possible to have other computer where is offered the INTERNET services like Web, FTP or DNS, not the same
computer where the packets are filtered. In this case is necessary to specify the address of the server:
iptables -t NAT -A PREROUTING -p tcp -d 198.168.0.1 -dport 80 -j DNAT --to-destination 192.168.0.3
For using a intermediary firewall (filtering options on squid, samba and other servers) is necessary to prevent
sending the packets to firewall directly and its must be redirect to this special servers by the port destination:
iptables -t NAT -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
It possible to observe in this moment that protection of the network is an important task but it consumes a lot of
time. The art is to use limited number of lines in the filtering process but to keep safety of the system.
6.4.
Firewall in Windows operating system
6.4.1. Introduction in Windows environment
The firewall rules included in the versions of Windows operating system were implemented and improved along
the different stages of operating system’s evolution. As an example, “Windows Firewall” is a replacement of the Internet
Connection Firewall (ICF) from the previous versions of Windows XP.
The firewall system is an important component of the operating system that works like a host-based firewall that
provides the following facilities:
discards unsolicited incoming traffic
provides a level of protection for computers against malicious users or programs
In order to provide a better protection for computers connected to a network (such as the Internet or a LAN which
can be either a little home network or a larger organization network). Windows XP with Service Pack 2 (SP2) enables
Windows Firewall on all network connections by default. In the figure 1, “Network Connections”, three different network
connections that have activated firewall rules are shown. As mentioned above, this setting is by default. This is signaled to
the user by the lock in the right upper corner of each icon. The lock disappears as soon as the firewall rules are de-activated
by the user. We urge the readers not to try this at home. Beware that by de-activating the firewall rules for a connection in
the picture below, de-activation of the firewall rules for all the other connections will take place as well. As a result, you
would place your system at risk.
44
Figure 1. Network connection
Network administrators can use the Windows Firewall INF file (Netfw.inf) to modify default settings either while
installing the operating system or after installation. In this lesson, we describe the best way of using the Windows Firewall
INF file.
6.4.2. Using Windows Firewall
6.4.2.1.
EXAMPLE: Setup Firewall in Windows XP
In Windows XP SP2 (Service Pack 2, that is available on Microsoft web site and you may download from
http://www.microsoft.com/download if is not installed on your computer), there are many new features for Windows
Firewall, including the following:
Enabled by default for all the connections of the computer
New global configuration options that apply to all connections
New set of dialog boxes for local configuration
New operating mode
Startup security
Excepted traffic can be specified by scope
Excepted traffic can be specified by application filename
Built-in support for Internet Protocol version 6 (IPv6) traffic
New configuration options with Group Policy
In the left part of the previous figure you can see a column with a few “Network Task”, from where you may
select “Change Windows Firewall Setting” (from the third position of this column). You thumbnail with a red wall in front
of the globe that suggest “the firewall options”. If you click on this it will be display on your screen a windows with the
active title “Windows Firewall” (see figure 2).
45
Figure 2. “Windows Firewall” the point from where start the firewall to be set up
From this point you can configure the firewall on your machine. Also, you can find the “Windows Firewall”
starting from “Control Panel’, where you must see in the bottom of the specific windows the same thumbnail like in the
figure 3.
Figure 2. “Control Panel” window frame
Also, if you are setting up a local network connection like in the figure 5a you may select the “Advanced” tag (see
fig. 5b) and start from there to setup your firewall rules.
46
(a) All connections on your system
(b) Start to set up a firewall for a selected connection
Figure 5. Setting up your network connections
You must select the “Advanced” tab (from the top of the left picture, fig.5a) and the figure from the right side
(fig.5b) will be display on your screen from where you may select “Settings…” to protect your computer with the firewall
facilities included in the operating system.
The settings for ICF in Windows XP with SP1 and Windows XP with no service packs installed consist of a single
checkbox (the Protect my computer and network by limiting or preventing access to this computer from the Internet check
box on the Advanced tab of the properties of a connection) and a Settings button from which you can configure excepted
traffic, logging settings, and allowed ICMP traffic.
The Windows Firewall dialog box (fig.6) contains three tabs:
• General
• Exceptions
• Advanced
The General tab with its default settings is shown in the following figure 6.
•
•
•
From the General tab, you may select the following:
On (recommended). Select to enable Windows Firewall for all of the network connections that are selected on the
Advanced tab. Windows Firewall is enabled to allow only solicited and excepted incoming traffic. Excepted
traffic is configured on the Exceptions tab. Notice that the default setting for Windows Firewall is On
(recommended) for all the connections of a computer running Windows XP with SP2 and for newly created
connections. This can impact the communications of programs or services that rely on unsolicited incoming
traffic. In this case, you must identify those programs that are no longer working and add them or their traffic as
excepted traffic. Many programs, such as Internet browsers and email clients (such as Outlook Express), do not
rely on unsolicited incoming traffic and operate properly with Windows Firewall enabled
Don’t allow exceptions. Click to allow only solicited incoming traffic. Excepted incoming traffic is not allowed.
The settings on the Exceptions tab are ignored and all of the network connections are protected, regardless of the
settings on the Advanced tab.
Off (not recommended). Select to disable Windows Firewall. This is not recommended, especially for network
connections that are directly accessible from the Internet, unless you are already using a third-party host firewall
product.
47
Figure 6. General settings of Windows Firewall
If you are using Group Policy to configure Windows Firewall for computers running Windows XP with SP2, the
Group Policy settings you configure might not allow local configuration. In this case, the options on the General tab and the
other tabs might be grayed out and unavailable, even when you log on with an account that is a member of the local
Administrators group (a local administrator). Group Policy-based Windows Firewall settings allow you to configure a
domain profile (a set of Windows Firewall settings that are applied when you are attached to a network that contains
domain controllers) and standard profile (a set of Windows Firewall settings that are applied when you are attached to a
network that does not contain domain controllers, such as the Internet). You can determine which profile is in effect from
the text in the lower part of the General tab. If the text displayed is “Windows Firewall is using your domain settings,” the
domain profile is in effect. If the text displayed is “Windows Firewall is using your non-domain settings,” the standard
profile is in effect.
The configuration dialog boxes only display the Windows Firewall settings of the currently applied profile. To
view the settings of the profile that are not currently applied, use netsh firewall show commands. To change the settings of
the profile that are not currently applied, use netsh firewall set commands. The Exceptions tab with its default settings is
shown in the following figure 7.
48
Figure 7. The Exceptions tab of Windows Firewall
From the Exceptions tab, you can enable or disable an existing program (an application or service) or port or
maintain the list of programs and ports that define excepted traffic. The excepted traffic is not allowed when the Don’t
allow exceptions option is selected on the General tab.
With Windows XP with SP1 and Windows XP with no service packs installed, you could define the excepted
traffic only in terms of Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports. With Windows XP
with SP2, you can define excepted traffic in terms of TCP and UDP ports or by the file name of a program (an application
or service). This configuration flexibility makes it easier to configure excepted traffic when the TCP or UDP ports of the
program are not known or are dynamically determined when the program is started as is showed in next figure:
There are a set of pre-defined programs, which include:
• File and Print Sharing
• Remote Assistance (enabled by default)
• Remote Desktop
• UPnP framework
These predefined exceptions can be disabled, but not deleted. If allowed by Group Policy, you can create
additional exceptions based on specifying a program name by clicking “Add Program…” and exceptions based on
specifying a TCP or UDP port by clicking “Add Port…” When you click “Add Program…”, the Add Program dialog box
is displayed from which you can select a program or browse for a program’s file name. An example is shown in the figure 8
(a).
49
(b) Add a new port in your firewall rules
(a) Adding a new program in firewall rules
(b) Allowing a new port in firewall rules
Figure 8. Changing the scope in firewall
When you click Add Port, the Add a Port dialog box is displayed, from which you can configure a TCP or UDP
port. An example is shown in the figure 8 (b). In this case the station from your network shall know to connect to a server
(where running an application DanteHD) to the port 32323. Other station could not to connect to specified port because
these “don’t know” it. Certainly, it is possible to exist a malicious activity in the network and somebody try to scan the port
and find that 32323 is an active port but he could not connect any way to the DanteHD server if he is not a client of the
server. He shall try to use UDP protocol but on this port only TCP is allowed.
The new Windows Firewall allows you to specify the scope of excepted traffic. The scope defines the portion of
the network from which the excepted traffic is allowed to originate. You may define the scope for any program or selected
port clicking on “Change Scope”. On the screen it will be display windows with the title “Change Scope”. An example is
shown in the figure 9.
•
•
Figure 9. New rule for excepted traffic
You have three options when defining the scope for a program or a port:
Any computer (including those on the Internet). That option will allow network traffic from any IPv4 or IPv6
address. You must know that this setting might make your computer vulnerable to attacks from malicious users or
programs from the Internet.
My network (subnet) only. That option will allow network traffic from IPv4 or IPv6 addresses that are directly
reachable by your computer. Windows Firewall determines whether the source IPv4 or IPv6 address of the
incoming packet is directly reachable by querying the IPv4 and IPv6 routing tables. The set of addresses
considered directly reachable depends on the contents of your IPv4 and IPv6 routing tables. For example, for a
computer that is only directly connected to a private home network, the set of directly reachable unique casting
addresses is confined to those that match the IPv4 network ID of the private subnet. If the network connection is
configured with an IPv4 address of 192.168.0.21 with a subnet mask of 255.255.255.0, the configured excepted
50
•
traffic is only allowed from IPv4 addresses in the range 192.168.0.0 to 192.168.0.255. As another example, for a
computer that is directly connected to both a private home network and the Internet through a cable modem, the
set of directly reachable unique casting addresses are those that match either the network ID of the private subnet
or the cable modem provider subnet. For example, if the private network connection is configured with an IPv4
address of 192.168.0.1 and a subnet mask of 255.255.255.0 and the cable modem connection is configured with an
IPv4 address of 84.247.80.1 and a subnet mask of 255.255.255.0, the configured excepted traffic received by
either network connection is allowed from IPv4 addresses in the ranges from 192.168.0.0 to 192.168.0.255 and
from 84.247.80.0 to 84.247.80.255.
Custom list. You can specify one or more IPv4 addresses or IPv4 address ranges separated by commas. This IPv4
address ranges typically correspond to subnets. You cannot specify a custom list for IPv6 traffic.
Before enabling any exception, carefully consider whether the exception is needed at all. Every enabled exception
exposes your computer to attack, regardless of the scope. There is no way to guarantee invulnerability once the exception is
enabled.
When you configure and enable an exception, you are instructing the Windows Firewall to allow specific
unsolicited incoming traffic sent from the specified scope: from any address, from a directly reachable address, or from a
custom list. For any scope, enabling an exception makes the computer vulnerable to attacks based on incoming unsolicited
traffic from computers that are assigned the allowed addresses and from malicious computers that spoof traffic. There is no
way to prevent spoofed attacks from the Internet on connections assigned public IPv4 addresses, except to disable the
exception. Therefore, you should very carefully consider and properly configure the scope of each Windows Firewall
exception to minimize the associated exposure.
Once the program or port is added, it is disabled by default in the Programs and Services list.
All of the programs or services enabled from the Exceptions tab are enabled for all of the connections that are
selected on the Advanced tab. The Advanced tab is shown in the following figure 10.
•
•
•
•
Fig.10 All settings for a network conection
The Advanced tab contains the following sections:
Network Connection Settings
Security Logging
ICMP
Default Settings
51
In Network Connection Settings, you can:
o Specify the set of interfaces on which Windows Firewall is enabled. To enable, select the check box next
to the network connection name. You can see in the previous figure all the network connections are
selected. To disable, clear the check box. By default, all of the network connections have Windows
Firewall enabled and our recommendation is to keep it enable. If a network connection does not appear in
this list, then it is not a standard networking connection.
o Configure advanced settings of an individual network connection by clicking the network connection
name, and then clicking Settings, like you see in the previous figure.
Fig.11 Allowed services on your computer
If you clear all of the check boxes in the Network Connection Settings, then Windows Firewall is not protecting
your computer, regardless of whether you have selected On (recommended) on the General tab, because Windows don’t
have any network connection to apply firewall rules.
Fig.12 Setup the active port and protocol on the machine
52
The settings in Network Connection Settings are ignored if you have selected “Don’t allow” exceptions on the
“General” tab, in which case all interfaces are protected. When you click Settings, the Advanced Settings dialog box is
displayed, as shown in the figure 10.
From the Advanced Settings dialog box, you can configure specific services from the Services tab (by TCP or
UDP port only) or enable specific types of ICMP traffic from the ICMP tab. These two tabs are equivalent to the settings
tabs for ICF configuration in Windows XP with SP1 and Windows XP with no service packs installed.
In “Security Logging”, click Settings to specify the configuration of Windows Firewall logging in the Log
Settings dialog box, as shown in the following figure 12.
Fig.12 Setup your “login security” file
From the Log Settings dialog box, you can configure whether to log discarded (dropped) packets or successful
connections by selections in the up left corner the option desired. Also, you can specify a name and a location for the log
file for example “my_firewall.log” like in fig.12. Note that by default this option is set to Systemroot\pfirewall.log. You
must know that you can specify maximum size of login file.
In ICMP, click Settings to specify the types of ICMP traffic that are allowed in the ICMP dialog box, as shown in
the following figure 13.
(a)
(b)
Fig.13 ICMP option from Advanced tag from Windows Firewall!
53
From the ICMP dialog box, you can enable and disable the types of incoming ICMP messages that Windows
Firewall allows for all the connections selected on the Advanced tab. ICMP messages are used for diagnostics, reporting
error conditions, and configuration. By default, no ICMP messages in the list are allowed for the protection of computer
(see 13 a).
A common step in troubleshooting connectivity problems is to use the Ping tool to ping the address of the
computer to which you are trying to connect. When you ping, you send an ICMP Echo message and get an ICMP Echo
Reply message in response. By default, Windows Firewall does not allow incoming ICMP Echo messages and therefore the
computer cannot send an ICMP Echo Reply in response. To configure Windows Firewall to allow the incoming ICMP
Echo message, you must enable the Allow incoming echo request setting like in fig.13b.
If you are not sure what did you do in the firewall rules for more security is better to click on “Restore Defaults”.
You will reset Windows Firewall back to its originally installed state. When you click Restore Defaults, you are prompted
to verify your decision before Windows Firewall settings are changed.
Applications can use Windows Firewall application programming interface (API) function calls to automatically
add exceptions. When an application make exception from Windows Firewall rules and it attempts to listen on TCP or UDP
ports, Windows Firewall prompts you with a Windows Security Alert dialog box. You can choose one of the following:
• Keep Blocking Adds the application to the exceptions list but in a Disabled state so that the ports are not
opened. Unsolicited incoming traffic for the application is blocked unless the local administrator
specifically enables the exception on the Exceptions tab. By adding the application to the exceptions list,
Windows Firewall does not prompt the user every time the application is run.
• Unblock Adds the application to the exceptions list but in an Enabled state so that the ports are opened.
• Ask Me Later Block unsolicited incoming traffic for the application and do not add it to the exceptions
list. The local administrator will be prompted again the next time the application is run.
To determine the path of the application from the Windows Security Alert dialog box, place the mouse pointer
over the name or description of the application. The displayed tool tip text indicates the path to the application. If the user is
not a local administrator, the Windows Security Alert dialog box informs the user that the traffic is being blocked, and to
contact their network administrator for more information.
54
Fig.14 Windows prompt you when the Windows Firewall is OFF
6.5.
TESTING FIREWALL RULES
You must generate enough situations for testing the functions of the firewall. This situation must test only the
functions that are “accepted” from you’re your security point of view. You must “close” from the beginning all the access
ways to your computer or network. After this we will start to give rights or rules for access. A strong firewall system will
give all information you need to protect the network. Keep separately the password file or other vital information in shadow
file. Change the password time to time. The life period of a password you must feel how time is needed. If you have any
doubt change the password, ports of the services, block the traffic and so in.
6.6.
DISCUSSIONS AND CONCLUSIONS
In this section we will discus the balance flexibility and costs. We put in mirror what means to use Microsoft with
understanding of Open Source products.
We can implement firewall rules that protect our network that minimize the risk to be attack from outside area.
These mechanisms filter all the packets that pass through it. The filtering policies are established to compare the source and
the destination of the messages, the used ports and protocols. The firewall system is invisible for the network users, so they
don’t detect it presence or it activities. The computer on is implemented the firewall mechanism is named „router” and this
manage the routing mechanism, too. The firewall filters all incoming and outgoing packets.
Application Level Firewall. When we thing to these type of firewall we must implement proxy-servers. Proxyserver can authentificate and monitories at a high level the network connections. All our communications are perform by
proxy-servers.
55
7. Library with important software package
Fedora core 3
Fedora core 4
Mandrake
Slackware
RedHat Linux 7.2
MySQL for Windows
Administrative MySQL for Windows.
Administrative MySQL for Linux.
56