======Gateway functionality on CentOS 7======
This wiki page describes a gateway installation that functions as HTTP proxy, time server, DNS forwarder and HTML5 RDP/SSH/VNC gateway. The gateway will NOT route between its two interfaces.
=====Minimal=====
====Installation====
Do a minimal installation of CentOS 7. I am using a VM in this example.
yum install open-vm-tools
====Configuration====
useradd -g users -c "Herwarth Heitmann" -m -d /home/herwarth herwarth
passwd herwarth
In /etc/ssh/sshd_config, disable direct root logins:
PermitRootLogin no
systemctl restart sshd
systemctl disable kdump
Give the new user sudo rights (add the line to /etc/sudoers with visudo):
herwarth ALL=(ALL) ALL
===Network settings===
NetworkManager cannot handle firewalld zones properly, so after configuring the network with nmtui, edit the interface files by hand (NM_CONTROLLED=no) and disable NetworkManager:
/etc/sysconfig/network-scripts/ifcfg-ens192:
TYPE=Ethernet
NM_CONTROLLED=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
IPV6_AUTOCONF=no
IPV6_DEFROUTE=no
IPV6_FAILURE_FATAL=no
NAME=ens192
UUID=19975f59-4ac8-4c86-b3eb-aa8107ec4408
ONBOOT=yes
IPADDR0=172.16.3.102
PREFIX0=24
HWADDR=00:0C:29:EC:43:BB
ZONE=local
/etc/sysconfig/network-scripts/ifcfg-ens224:
TYPE=Ethernet
NM_CONTROLLED=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=no
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=ens224
UUID=aa0c6edb-9b36-424c-b331-d7989db83218
ONBOOT=yes
IPADDR0=10.108.108.5
PREFIX0=24
HWADDR=00:0C:29:EC:43:C5
ZONE=zorgnet
/etc/sysconfig/network:
# Created by anaconda
NOZEROCONF=yes
GATEWAY=172.16.3.1
DNS1=208.67.222.222
DNS2=208.67.220.220
DOMAIN=lz.local
=====MSMTP=====
We want to send mail through an external mail server rather than running an internal one. This is for reporting only, so no incoming mail is required.
====Installation====
yum remove postfix
yum install msmtp mailx
====Configuration====
/etc/msmtprc:
account default
tls on
tls_trust_file /etc/pki/tls/certs/ca-bundle.crt
auth on
host mail.helux.nl
port 587
user noreply@helux.nl
from noreply@helux.nl
password
chmod 644 /etc/msmtprc
Note that with mode 644 the password in /etc/msmtprc is readable by every local user; 600 is enough when, as here, only root's cron jobs send mail.
default: noreply@helux.nl
ln -s /bin/msmtp /sbin/sendmail
=====ARCCONF=====
This is for monitoring the hardware health of the RAID controller.
====Installation====
Download the necessary software [[https://www.adaptec.com/en-us/speed/raid/storage_manager/cim_vmware_v7_31_18856_zip.php]]
Unzip it; only the following file is needed: remote-arcconf-7.31-18856.x86_64.bin
chmod 755 remote-arcconf-7.31-18856.x86_64.bin
./remote-arcconf-7.31-18856.x86_64.bin
====Configuration====
/usr/local/bin/arctest_status.sh (the path used in the cron line quoted inside the script):
#!/bin/bash
export ARCCONF_PATH=/usr/RemoteArcconf/
DATE=$(date +"%F (%H:%M:%Sh)")
RAID=/var/tmp/aac_check_$(date +"%F_%H-%M-%Sh").txt
RAIDSTATUSFILE=/var/tmp/aac_status.txt
ARCCONF=/usr/RemoteArcconf/arcconf
RECIPIENT="herwarth@helux.nl herwarth@heitmann.nl"
# full controller report; every status field below is grepped from this file
$ARCCONF getconfig 1 al > $RAID
CTRLSTAT=$(grep 'Controller Status' $RAID| cut -d\: -f2 | cut -d' ' -f2)
## Optimal
echo "Adaptec Status $DATE :" >$RAIDSTATUSFILE
echo "----------------------------------------" >>$RAIDSTATUSFILE
echo "Controller status : $CTRLSTAT" >>$RAIDSTATUSFILE
CTRLBATINFO=$(grep -A 2 'Controller Battery' $RAID|grep 'Status'| cut -d\: -f2)
CTRTEMP=$(grep 'Temperature' $RAID| awk '{print $7}' | sed -e 's/^.*(\(.*\)),*/\1/')
CTRTEMPERATURE=$(grep 'Temperature' $RAID)
## Normal
echo "Battery status: $CTRLBATINFO" >>$RAIDSTATUSFILE
echo "$CTRTEMPERATURE" >>$RAIDSTATUSFILE
LOGICSTAT=$(grep 'Status of logical device' $RAID| cut -d\: -f2 | cut -d' ' -f2)
## Optimal
echo "Status of logical device : $LOGICSTAT" >>$RAIDSTATUSFILE
LOGICSTR=$(grep 'Failed stripes' $RAID| cut -d\: -f2 | cut -d' ' -f2)
## No
echo "Failed stripes : $LOGICSTR" >>$RAIDSTATUSFILE
# number of drives
DRIVESNO=$(grep -B 1 -A 1 'Device is a Hard' $RAID | grep -c 'Device #')
echo "Devices found : $DRIVESNO" >>$RAIDSTATUSFILE
if [ "$CTRLSTAT" = "Optimal" ] ; then
# when everything is OK, send the status message on Wednesday and Saturday (Wed / Sat) at 02.00 hrs; the script itself runs from CRON every hour (15 * * * * /usr/local/bin/arctest_status.sh >/dev/null )
# if you don't want to get emails when nothing is wrong, leave out this block (if ... fi)
# this should be all in 1 line
if ( [ "$(date +"%H")" = "02" ] && [ "$(date +"%a")" = "Wed" ] ) || ( [ "$(date +"%H")" = "02" ] && [ "$(date +"%a")" = "Sat" ] ) ; then
i="0"
while [ $i -lt "$DRIVESNO" ] ; do
CURDRIVE=DRIVE$i
# this should be all in 1 line; the \b word boundary stops "Device #1" from also matching "Device #10" and up
echo "$CURDRIVE : $(grep -A 2 "Device #$i\b" $RAID | grep 'State' | cut -d\: -f2 | cut -d' ' -f2)" >>$RAIDSTATUSFILE
i=$((i+1))
done
# this should be all in 1 line
mail -s "Adaptec RAID status $DATE " $RECIPIENT < $RAIDSTATUSFILE
fi
rm -f $RAID
else
## SENDTHEMAIL: anything other than Optimal, including an empty value when arcconf itself fails, raises the alarm
cat $RAID >>$RAIDSTATUSFILE
# this should be all in 1 line
mail -s "RAID FAILURE - Adaptec RAID error $DATE !" $RECIPIENT < $RAIDSTATUSFILE
fi
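To check the parsing and alert logic before trusting the cron job, here is an added test harness (not part of the original page) that runs the same grep/cut extraction over a constructed arcconf-style report; the field wording is an assumption modelled on arcconf output, and the health check goes a step beyond the script by also checking the logical device, stripes and each drive.

```shell
#!/bin/sh
# Added example, not from the original page: runs the status script's grep/cut
# extraction over a constructed arcconf-style report, so the alert logic can be
# exercised without a controller. The report text is constructed; its field
# wording is an assumption modelled on "arcconf getconfig 1 al" output.
# Write a constructed report to a temp file and print its name.
# $1 = controller and logical device status, $2 = state of the second drive
sample_report() {
    f=$(mktemp /tmp/aac_sample.XXXXXX)
    cat >"$f" <<EOF
   Controller Status                        : $1
   Status of logical device                 : $1
   Failed stripes                           : No
   Device #0
      Device is a Hard drive
      State                                 : Online
   Device #1
      Device is a Hard drive
      State                                 : $2
EOF
    echo "$f"
}
# Value part of the first "<label> : <value>" line in report $1 matching $2
raid_field() { grep "$2" "$1" | head -n 1 | cut -d: -f2 | cut -d' ' -f2; }
# Number of physical drives, counted the same way as the status script does
raid_drive_count() { grep -B 1 -A 1 'Device is a Hard' "$1" | grep -c 'Device #'; }
# State of drive $2; \b stops "Device #1" from also matching "Device #10"
raid_drive_state() {
    grep -A 2 "Device #$2\b" "$1" | grep 'State' | cut -d: -f2 | cut -d' ' -f2
}
# 0 only when controller and logical device are Optimal, no stripes failed
# and every drive is Online. The status script alarms on the controller
# status alone; an empty field (unreadable report) fails here as it does there.
raid_health() {
    [ "$(raid_field "$1" 'Controller Status')" = "Optimal" ] || return 1
    [ "$(raid_field "$1" 'Status of logical device')" = "Optimal" ] || return 1
    [ "$(raid_field "$1" 'Failed stripes')" = "No" ] || return 1
    n=$(raid_drive_count "$1"); i=0
    while [ "$i" -lt "$n" ]; do
        [ "$(raid_drive_state "$1" "$i")" = "Online" ] || return 1
        i=$((i + 1))
    done
    return 0
}
```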
=====DHCP server=====
====Installation====
yum install dhcp
====Configuration====
/etc/dhcp/dhcpd.conf:
# DHCP Server Configuration file.
# see /usr/share/doc/dhcp*/dhcpd.conf.example
# see dhcpd.conf(5) man page
#
# option definitions common to all supported networks...
option domain-name "lz.zorgnet";
option domain-name-servers 10.108.108.15;
option local-proxy-config code 252 = text;
default-lease-time 86400;
max-lease-time 172800;
authoritative;
subnet 10.108.108.0 netmask 255.255.255.0 {
range dynamic-bootp 10.108.108.151 10.108.108.200;
option broadcast-address 10.108.108.255;
option routers 10.108.108.254;
option local-proxy-config "http://10.108.108.5/proxy.pac";
}
host admin1 {
hardware ethernet 00:0c:29:c9:ee:dc;
fixed-address 10.108.108.151;
}
systemctl start dhcpd
systemctl enable dhcpd
=====Squid=====
====Installation====
yum install squid
====Configuration====
/etc/squid/squid.conf, only the changed lines are shown (the proxy binds to all interfaces, so the firewalld rules below are what keep it reachable from the zorgnet zone only):
.
visible_hostname gateway.lz.local
http_port 0.0.0.0:3128
.
# allow only the zorgnet subnet (adapted from the default RFC1918 localnet lines)
acl localnet src 10.108.108.0/24 # RFC1918 possible internal network
.
# enable a 1024 MB disk cache
cache_dir ufs /var/spool/squid 1024 16 256
.
# Prefer IPv4 answers over IPv6
dns_v4_first on
.
systemctl enable squid
systemctl start squid
On a Windows client, set the proxy server in Internet Explorer while logged in as the Administrator user, then import that setting into WinHTTP from a command prompt:
netsh winhttp import proxy source=ie
Or use a proxy.pac file, served from /var/www/html (the DHCP option 252 above points clients at it):
function FindProxyForURL(url, host) {
    // If the requested website is hosted within the internal network, send direct.
    if (isPlainHostName(host) ||
        shExpMatch(host, "10.*") ||
        shExpMatch(host, "127.*") ||
        shExpMatch(host, "0.0.0.0"))
        return "DIRECT";
    else
        return "PROXY 10.108.108.5:3128";
}
cd /var/www/html
ln -s proxy.pac wpad.dat
=====Guacamole=====
This is the HTML5 RDP/SSH/VNC gateway application using Tomcat and Apache as reverse-proxy.
====Installation====
rpm -ivh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
yum install guacd libguac-client-rdp libguac-client-vnc libguac-client-ssh guacamole
echo "export GUACAMOLE_HOME=/etc/guacamole" > /etc/profile.d/guacamole.sh
echo "setenv GUACAMOLE_HOME /etc/guacamole" > /etc/profile.d/guacamole.csh
====Configuration====
Create md5 passwords for users:
echo -n 'password' | md5sum
Then define the users and their connections in /etc/guacamole/user-mapping.xml (USERNAME and MD5HASH are placeholders; the hashes are unsalted MD5, so the file must not be world-readable):
<user-mapping>
    <authorize username="USERNAME" password="MD5HASH" encoding="md5">
        <connection name="rdp">
            <protocol>rdp</protocol>
            <param name="hostname">10.108.108.201</param>
        </connection>
        <connection name="ssh">
            <protocol>ssh</protocol>
            <param name="hostname">10.108.108.15</param>
        </connection>
    </authorize>
</user-mapping>
systemctl restart guacd
systemctl restart tomcat
systemctl enable guacd
systemctl enable tomcat
=====Apache reverse-proxy=====
====Installation====
yum install httpd mod_ssl mod_proxy mod_proxy_html
setsebool -P httpd_can_network_connect 1
====Configuration====
Two virtual hosts, e.g. in a file under /etc/httpd/conf.d/: plain HTTP serving the PAC file from /var/www/html, and HTTPS reverse-proxied to Guacamole on Tomcat. localhost.crt is the self-signed certificate generated at install time; replace it with a properly issued one for production use.
<VirtualHost *:80>
    ServerAdmin webmaster@helux.nl
    <Directory "/var/www/html">
        AllowOverride All
        Options MultiViews FollowSymlinks SymLinksIfOwnerMatch IncludesNoExec
        Options -Indexes
        Order allow,deny
        Allow from all
    </Directory>
    AddType application/x-ns-proxy-autoconfig pac
    AddType application/x-ns-proxy-autoconfig dat
    ErrorLog /var/log/httpd/default-error.log
    CustomLog /var/log/httpd/default-access.log common
</VirtualHost>
<VirtualHost *:443>
    ServerAdmin webmaster@helux.nl
    SSLEngine On
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    <Location />
        Order allow,deny
        Allow from all
        ProxyPass http://localhost:8080/guacamole/ max=20 flushpackets=on
        ProxyPassReverse http://localhost:8080/guacamole/
        ProxyPassReverseCookiePath /guacamole/ /
    </Location>
    ErrorLog /var/log/httpd/guacd-error.log
    CustomLog /var/log/httpd/guacd-access.log common
</VirtualHost>
systemctl restart httpd
systemctl enable httpd
=====DNS forwarder=====
====Installation====
yum install bind bind-libs bind-utils
====Configuration====
/etc/named.conf, changed lines only:
options {
.
.
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
allow-query { any; };
forwarders { 208.67.222.222; 208.67.220.220; };
.
.
};
With allow-query { any; } the firewalld rules below (dns opened only in the zorgnet zone) are all that stops this box from being an open resolver on the outside interface; restricting allow-query to 10.108.108.0/24 as well is safer.
systemctl enable named
systemctl restart named
=====NTP server=====
====Installation====
yum install chrony
====Configuration====
/etc/chrony.conf:
# Allow NTP client access from local network.
#allow 192.168/16
allow 10.108.108.0/24
# Listen for commands only on localhost.
#bindcmdaddress 127.0.0.1
#bindcmdaddress ::1
systemctl enable chronyd
systemctl restart chronyd
=====Firewall configuration=====
====Remove all default rules====
firewall-cmd --permanent --zone=home --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=home --remove-service=ipp-client
firewall-cmd --permanent --zone=home --remove-service=mdns
firewall-cmd --permanent --zone=home --remove-service=samba-client
firewall-cmd --permanent --zone=home --remove-service=ssh
firewall-cmd --permanent --zone=internal --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=internal --remove-service=ipp-client
firewall-cmd --permanent --zone=internal --remove-service=mdns
firewall-cmd --permanent --zone=internal --remove-service=samba-client
firewall-cmd --permanent --zone=internal --remove-service=ssh
firewall-cmd --permanent --zone=work --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=work --remove-service=ipp-client
firewall-cmd --permanent --zone=work --remove-service=ssh
firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=public --remove-service=ssh
firewall-cmd --permanent --zone=external --remove-masquerade
firewall-cmd --permanent --zone=external --remove-service=ssh
firewall-cmd --permanent --zone=dmz --remove-service=ssh
====Create new zones====
firewall-cmd --permanent --new-zone=zorgnet
====Add subnets to zones====
firewall-cmd --permanent --zone=public --add-source=0.0.0.0/0
firewall-cmd --permanent --zone=public --add-source=::/0
firewall-cmd --permanent --zone=zorgnet --add-source=10.108.108.0/24
====Create additional services====
Create an additional firewalld service named squid (short description "Squid proxy") that opens the proxy port 3128/tcp from squid.conf, so it can be enabled per zone below.
====Enable services on zones====
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --permanent --zone=public --add-service=ssh
firewall-cmd --permanent --zone=zorgnet --add-service=ssh
firewall-cmd --permanent --zone=zorgnet --add-service=ntp
firewall-cmd --permanent --zone=zorgnet --add-service=http
firewall-cmd --permanent --zone=zorgnet --add-service=https
firewall-cmd --permanent --zone=zorgnet --add-service=dns
firewall-cmd --permanent --zone=zorgnet --add-service=squid
firewall-cmd --permanent --zone=zorgnet --add-service=dhcp
====Set default zone====
firewall-cmd --set-default-zone=public
systemctl enable firewalld
=====Fail2ban=====
yum install -y fail2ban fail2ban-systemd
yum update -y selinux-policy*
Configure fail2ban; we decide to ban through firewalld, which CentOS 7 ships and enables by default.
Put the following lines in /etc/fail2ban/jail.d/sshd.local:
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
maxretry = 5
bantime = 86400
systemctl enable fail2ban
systemctl start fail2ban
{{tag>centos}}