This wiki describes a gateway installation that functions as HTTP proxy, time server, DNS forwarder and HTML5 RDP/SSH/VNC gateway. The gateway will NOT route between the two interfaces.
Do a minimal installation of CentOS 7. I am using a VM in this example.
yum install open-vm-tools
useradd -g users -c "Herwarth Heitmann" -m -d /home/herwarth herwarth
passwd herwarth
In /etc/ssh/sshd_config:
PermitRootLogin no
systemctl restart sshd
systemctl disable kdump
Add to /etc/sudoers (with visudo):
herwarth ALL=(ALL) ALL
NetworkManager cannot handle firewalld zones properly, so after configuring the network with nmtui, edit the ifcfg files by hand and take the interfaces out of NetworkManager's control (NM_CONTROLLED=no):
/etc/sysconfig/network-scripts/ifcfg-ens192
TYPE=Ethernet
NM_CONTROLLED=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
IPV6_AUTOCONF=no
IPV6_DEFROUTE=no
IPV6_FAILURE_FATAL=no
NAME=ens192
UUID=19975f59-4ac8-4c86-b3eb-aa8107ec4408
ONBOOT=yes
IPADDR0=172.16.3.102
PREFIX0=24
HWADDR=00:0C:29:EC:43:BB
ZONE=local
/etc/sysconfig/network-scripts/ifcfg-ens224
TYPE=Ethernet
NM_CONTROLLED=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=no
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=ens224
UUID=aa0c6edb-9b36-424c-b331-d7989db83218
ONBOOT=yes
IPADDR0=10.108.108.5
PREFIX0=24
HWADDR=00:0C:29:EC:43:C5
ZONE=zorgnet
/etc/sysconfig/network
# Created by anaconda
NOZEROCONF=yes
GATEWAY=172.16.3.1
DNS1=208.67.222.222
DNS2=208.67.220.220
DOMAIN=lz.local
We want to send mail through a mail server on the outside instead of running an internal one. This is for reporting only, so no incoming mail is required.
yum remove postfix
yum install msmtp mailx
account default
tls on
tls_trust_file /etc/pki/tls/certs/ca-bundle.crt
auth on
host mail.helux.nl
port 587
user noreply@helux.nl
from noreply@helux.nl
password <PASSWORD>
chmod 644 /etc/msmtprc
default: noreply@helux.nl
ln -s /bin/msmtp /sbin/sendmail
This is for monitoring the hardware health of the RAID controller.
Download the necessary software from https://www.adaptec.com/en-us/speed/raid/storage_manager/cim_vmware_v7_31_18856_zip.php and unzip it. Only the following file is needed: remote-arcconf-7.31-18856.x86_64.bin
chmod 755 remote-arcconf-7.31-18856.x86_64.bin
./remote-arcconf-7.31-18856.x86_64.bin
#!/bin/bash
# Adaptec RAID health check, run hourly from cron:
#   15 * * * * /usr/local/bin/arctest_status.sh >/dev/null
export ARCCONF_PATH=/usr/RemoteArcconf/
DATE=$(date +"%F (%H:%M:%Sh)")
RAID=/var/tmp/aac_check_$(date +"%F_%H-%M-%Sh").txt
RAIDSTATUSFILE=/var/tmp/aac_status.txt
ARCCONF=/usr/RemoteArcconf/arcconf
# two addresses, deliberately unquoted below so mail gets both
RECIPIENT="herwarth@helux.nl herwarth@heitmann.nl"

# dump the full configuration of controller 1
"$ARCCONF" getconfig 1 al > "$RAID"

# expected: Optimal
CTRLSTAT=$(grep 'Controller Status' "$RAID" | cut -d: -f2 | cut -d' ' -f2)
echo "Adaptec Status $DATE :" > "$RAIDSTATUSFILE"
echo "----------------------------------------" >> "$RAIDSTATUSFILE"
echo "Controller status : $CTRLSTAT" >> "$RAIDSTATUSFILE"

# expected: Normal
CTRLBATINFO=$(grep -A 2 'Controller Battery' "$RAID" | grep 'Status' | cut -d: -f2)
CTRTEMPERATURE=$(grep 'Temperature' "$RAID")
echo "Battery status: $CTRLBATINFO" >> "$RAIDSTATUSFILE"
echo "$CTRTEMPERATURE" >> "$RAIDSTATUSFILE"

# expected: Optimal
LOGICSTAT=$(grep 'Status of logical device' "$RAID" | cut -d: -f2 | cut -d' ' -f2)
echo "Status of logical device : $LOGICSTAT" >> "$RAIDSTATUSFILE"

# expected: No
LOGICSTR=$(grep 'Failed stripes' "$RAID" | cut -d: -f2 | cut -d' ' -f2)
echo "Failed stripes : $LOGICSTR" >> "$RAIDSTATUSFILE"

# number of drives
DRIVESNO=$(grep -B 1 -A 1 'Device is a Hard' "$RAID" | grep -c 'Device #')
echo "Devices found : $DRIVESNO" >> "$RAIDSTATUSFILE"

if [ "$CTRLSTAT" = "Optimal" ] ; then
    # when everything is OK, send the status message only on Wednesday and
    # Saturday at 02:00 (the script itself runs every hour from cron).
    # If you don't want mail when nothing is wrong, drop this inner if ... fi
    if ( [ "$(date +"%H")" = "02" ] && [ "$(date +"%a")" = "Wed" ] ) || \
       ( [ "$(date +"%H")" = "02" ] && [ "$(date +"%a")" = "Sat" ] ) ; then
        i=0
        while [ "$i" -lt "$DRIVESNO" ] ; do
            CURDRIVE="DRIVE$i"
            echo "$CURDRIVE : $(grep -A 2 "Device #$i" "$RAID" | grep 'State' | cut -d: -f2 | cut -d' ' -f2)" >> "$RAIDSTATUSFILE"
            i=$((i + 1))
        done
        mail -s "Adaptec RAID status $DATE " $RECIPIENT < "$RAIDSTATUSFILE"
    fi
    rm -f "$RAID"
else
    ## SENDTHEMAIL: any controller status other than Optimal is a failure
    cat "$RAID" >> "$RAIDSTATUSFILE"
    mail -s "RAID FAILURE - Adaptec RAID error $DATE !" $RECIPIENT < "$RAIDSTATUSFILE"
fi
yum install dhcp
# DHCP Server Configuration file.
# see /usr/share/doc/dhcp*/dhcpd.conf.example
# see dhcpd.conf(5) man page
#
# option definitions common to all supported networks...
option domain-name "lz.zorgnet";
option domain-name-servers 10.108.108.15;
option local-proxy-config code 252 = text;
default-lease-time 86400;
max-lease-time 172800;
authoritative;
subnet 10.108.108.0 netmask 255.255.255.0 {
    range dynamic-bootp 10.108.108.151 10.108.108.200;
    option broadcast-address 10.108.108.255;
    option routers 10.108.108.254;
    option local-proxy-config "http://10.108.108.5/proxy.pac";
}
host admin1 {
    hardware ethernet 00:0c:29:c9:ee:dc;
    fixed-address 10.108.108.151;
}
systemctl start dhcpd
systemctl enable dhcpd
yum install squid
In /etc/squid/squid.conf:
.
visible_hostname gateway.lz.local
http_port 0.0.0.0:3128
.
# enable only this one (adapt to the zorgnet subnet)
acl localnet src 10.108.108.0/24 # RFC1918 possible internal network
.
# enable a 1024MB cache
cache_dir ufs /var/spool/squid 1024 16 256
.
# Disable IPv6
dns_v4_first on
.
systemctl enable squid
systemctl start squid
On the Windows client, log in as the Administrator user and set the proxy server in IE. Then run the following in a command prompt so that WinHTTP (used by system services) picks up the same proxy settings:
netsh winhttp import proxy source=ie
Or use a proxy.pac file:
function FindProxyForURL(url, host) {
    // If the requested website is hosted within the internal network, send direct.
    if (isPlainHostName(host) ||
        shExpMatch(host, "10.*") ||
        shExpMatch(host, "127.*") ||
        shExpMatch(host, "0.0.0.0"))
        return "DIRECT";
    else
        return "PROXY 10.108.108.5:3128";
}
Save it as /var/www/html/proxy.pac and link it so WPAD clients also find it as wpad.dat:
cd /var/www/html
ln -s proxy.pac wpad.dat
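The PAC file above is the only thing that decides which client traffic bypasses the proxy, and it is rarely tested before it is deployed. The harness below is an added example, not part of the original wiki: it implements the two PAC helpers the browser normally provides (isPlainHostName and shExpMatch), runs the page's FindProxyForURL unchanged over a constructed list of hosts, and exposes one caveat of the glob patterns. Everything besides FindProxyForURL is assumed for the example.

```javascript
// Added example: offline harness for the proxy.pac logic (run with node).

// PAC helper: true when the host has no dots (an unqualified name).
function isPlainHostName(host) {
  return host.indexOf('.') === -1;
}

// PAC helper: shell-style glob match ('*' and '?'), anchored at both ends.
function shExpMatch(str, shexp) {
  const re = '^' + shexp.replace(/[.+^${}()|[\]\\]/g, '\\$&')
                        .replace(/\*/g, '.*')
                        .replace(/\?/g, '.') + '$';
  return new RegExp(re).test(str);
}

// The FindProxyForURL from the page, unchanged.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) ||
      shExpMatch(host, "10.*") ||
      shExpMatch(host, "127.*") ||
      shExpMatch(host, "0.0.0.0"))
    return "DIRECT";
  else
    return "PROXY 10.108.108.5:3128";
}

// Run the PAC function over a list of hosts; returns host -> decision.
function evaluate(hosts) {
  const out = {};
  for (const h of hosts) out[h] = FindProxyForURL("http://" + h + "/", h);
  return out;
}

// Constructed sample hosts, one per branch, plus a caveat case: "10.*" is a
// string glob, not a network test, so a DNS name whose first label is "10"
// (10.example.com) is also sent DIRECT and never reaches the proxy.
const SAMPLE_HOSTS = [
  "nas",              // plain name        -> DIRECT
  "10.108.108.15",    // zorgnet address   -> DIRECT
  "127.0.0.1",        // loopback          -> DIRECT
  "www.example.com",  // public site       -> PROXY
  "10.example.com",   // caveat: matches "10.*" -> DIRECT
  "192.168.1.10",     // not listed        -> PROXY
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(evaluate(SAMPLE_HOSTS));
}
```

Because the gateway does not route between its interfaces, a host wrongly sent DIRECT simply becomes unreachable from the zorgnet side, which is the symptom to look for when a client reports a site "not loading".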
This is the HTML5 RDP/SSH/VNC gateway application using Tomcat and Apache as reverse-proxy.
rpm -ivh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
yum install guacd libguac-client-rdp libguac-client-vnc libguac-client-ssh guacamole
echo "export GUACAMOLE_HOME=/etc/guacamole" > /etc/profile.d/guacamole.sh
echo "setenv GUACAMOLE_HOME /etc/guacamole" > /etc/profile.d/guacamole.csh
Create MD5 password hashes for the users in /etc/guacamole/user-mapping.xml:
echo -n 'password' | md5sum
<user-mapping>
    <authorize
        username="herwarth"
        password="ae17a12b89597e7539a9900ed5da9489"
        encoding="md5">
        <connection name="RDP: admin1">
            <protocol>rdp</protocol>
            <param name="hostname">10.108.108.201</param>
        </connection>
        <connection name="SSH: nas">
            <protocol>ssh</protocol>
            <param name="hostname">10.108.108.15</param>
        </connection>
    </authorize>
</user-mapping>
systemctl restart guacd
systemctl restart tomcat
systemctl enable guacd
systemctl enable tomcat
yum install httpd mod_ssl mod_proxy mod_proxy_html
setsebool -P httpd_can_network_connect 1
<VirtualHost *:80>
    ServerAdmin webmaster@helux.nl
    <Directory "/var/www/html">
        AllowOverride All
        Options MultiViews FollowSymlinks SymLinksIfOwnerMatch IncludesNoExec
        Options -Indexes
        Order allow,deny
        Allow from all
    </Directory>
    <Files "proxy.pac">
        AddType application/x-ns-proxy-autoconfig pac
    </Files>
    <Files "wpad.dat">
        AddType application/x-ns-proxy-autoconfig dat
    </Files>
    ErrorLog /var/log/httpd/default-error.log
    CustomLog /var/log/httpd/default-access.log common
</VirtualHost>
<VirtualHost *:443>
    ServerAdmin webmaster@helux.nl
    SSLEngine On
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    <Location />
        Order allow,deny
        Allow from all
        ProxyPass http://localhost:8080/guacamole/ max=20 flushpackets=on
        ProxyPassReverse http://localhost:8080/guacamole/
        ProxyPassReverseCookiePath /guacamole/ /
    </Location>
    ErrorLog /var/log/httpd/guacd-error.log
    CustomLog /var/log/httpd/guacd-access.log common
</VirtualHost>
systemctl restart httpd
systemctl enable httpd
yum install bind bind-libs bind-utils
In /etc/named.conf:
options {
    .
    .
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };
    allow-query { any; };
    forwarders { 208.67.222.222; 208.67.220.220; };
    .
    .
}
systemctl enable named
systemctl restart named
yum install chrony
In /etc/chrony.conf:
# Allow NTP client access from local network.
#allow 192.168/16
allow 10.108.108.0/24

# Listen for commands only on localhost.
#bindcmdaddress 127.0.0.1
#bindcmdaddress ::1
systemctl enable chronyd
systemctl restart chronyd
Strip the services we do not offer from the built-in zones:
firewall-cmd --permanent --zone=home --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=home --remove-service=ipp-client
firewall-cmd --permanent --zone=home --remove-service=mdns
firewall-cmd --permanent --zone=home --remove-service=samba-client
firewall-cmd --permanent --zone=home --remove-service=ssh
firewall-cmd --permanent --zone=internal --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=internal --remove-service=ipp-client
firewall-cmd --permanent --zone=internal --remove-service=mdns
firewall-cmd --permanent --zone=internal --remove-service=samba-client
firewall-cmd --permanent --zone=internal --remove-service=ssh
firewall-cmd --permanent --zone=work --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=work --remove-service=ipp-client
firewall-cmd --permanent --zone=work --remove-service=ssh
firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=public --remove-service=ssh
firewall-cmd --permanent --zone=external --remove-masquerade
firewall-cmd --permanent --zone=external --remove-service=ssh
firewall-cmd --permanent --zone=dmz --remove-service=ssh
Create the zorgnet zone and bind the sources:
firewall-cmd --permanent --new-zone=zorgnet
firewall-cmd --permanent --zone=public --add-source=0.0.0.0/0
firewall-cmd --permanent --zone=public --add-source=::/0
firewall-cmd --permanent --zone=zorgnet --add-source=10.108.108.0/24
Define a squid service for firewalld (save as /etc/firewalld/services/squid.xml):
<?xml version="1.0" encoding="utf-8"?>
<service>
    <short>squid</short>
    <description>Squid proxy</description>
    <port protocol="tcp" port="3128"/>
</service>
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --permanent --zone=public --add-service=ssh
firewall-cmd --permanent --zone=zorgnet --add-service=ssh
firewall-cmd --permanent --zone=zorgnet --add-service=ntp
firewall-cmd --permanent --zone=zorgnet --add-service=http
firewall-cmd --permanent --zone=zorgnet --add-service=https
firewall-cmd --permanent --zone=zorgnet --add-service=dns
firewall-cmd --permanent --zone=zorgnet --add-service=squid
firewall-cmd --permanent --zone=zorgnet --add-service=dhcp
firewall-cmd --set-default-zone=public
systemctl enable firewalld
yum install -y fail2ban fail2ban-systemd
yum update -y selinux-policy*
Configure fail2ban to ban through FirewallD, which is the default firewall in CentOS 7. Put the following lines in /etc/fail2ban/jail.d/sshd.local:
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
maxretry = 5
bantime = 86400
systemctl enable fail2ban
systemctl start fail2ban