User Tools

Site Tools

Trace: nas_centos7 gateway_centos_7
gateway_centos_7

This is an old revision of the document!

Table of Contents

Gateway functionality on CentOS 7

This wiki describes a gateway installaion to function as HTTP-proxy, time-server, DNS-forwarder, HTML5 RDP/SSH/VNC gateway. The gateway will NOT route between the two interfaces.

Minimal

Installation

Do a minimal installation of CentOS 7. I am using a VM in this example. 

yum install open-vm-tools

Configuration

useradd -g users -c "Herwarth Heitmann" -m -d /home/herwarth herwarth
passwd herwarth
/etc/ssh/sshd_config
PermitRootLogin no
systemctl restart sshd
/etc/sudoers.d/users
herwarth ALL=(ALL) ALL

Network settings

network manager cannot handle zones properly so after configuring the network with nmtui, edit the files and disable network manager:

/etc/sysconfig/network-scripts/ifcfg-ens192
TYPE=Ethernet
NM_CONTROLLED=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
IPV6_AUTOCONF=no
IPV6_DEFROUTE=no
IPV6_FAILURE_FATAL=no
NAME=ens192
UUID=19975f59-4ac8-4c86-b3eb-aa8107ec4408
ONBOOT=yes
IPADDR0=172.16.3.102
PREFIX0=24
HWADDR=00:0C:29:EC:43:BB
ZONE=local
/etc/sysconfig/network-scripts/ifcfg-ens224
TYPE=Ethernet
NM_CONTROLLED=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=no
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=ens224
UUID=aa0c6edb-9b36-424c-b331-d7989db83218
ONBOOT=yes
IPADDR0=10.0.0.2
PREFIX0=24
HWADDR=00:0C:29:EC:43:C5
ZONE=zorgnet
/etc/sysconfig/network
# Created by anaconda
NOZEROCONF=yes
GATEWAY=172.16.3.1
DNS1=208.67.222.222
DNS2=208.67.220.220
DOMAIN=lz.local

Squid

Installation

yum install squid

Configuration

/etc/squid/squid.conf
.
visible_hostname gateway.lz.local
http_port 3128
.
#enable only (adapt to zorgnet subnet)
acl localnet src 10.0.0.0/24     # RFC1918 possible internal network
.
#enable 1024MB cache-size
cache_dir ufs /var/spool/squid 1024 16 256
.
systemctl enable squid
systemctl start squid

On the Windows client set the proxy server as the Administrator user in IE. After that run command-box with the following command: 

netsh winhttp import proxy source=ie

Guacamole

This is the HTML5 RDP/SSH/VNC gateway application using Tomcat and Apache as reverse-proxy.

Installation

rpm -ivh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
yum install guacd libguac-client-rdp libguac-client-vnc libguac-client-ssh guacamole
echo "export GUACAMOLE_HOME=/etc/guacamole" > /etc/profile.d/guacamole.sh
echo "setenv GUACAMOLE_HOME /etc/guacamole" > /etc/profile.d/guacamole.csh

Configuration

Create md5 passwords for users: 

echo -n 'password' | md5sum
/etc/guacamole/user-mapping.xml
<user-mapping>
  <authorize
    username="herwarth"
    password="ae17a12b89597e7539a9900ed5da9489"
    encoding="md5">
    <connection name="RDP: desktop1">
      <protocol>rdp</protocol>
      <param name="hostname">10.0.0.200</param>
    </connection>
    <connection name="SSH: nas">
      <protocol>ssh</protocol>
      <param name="hostname">10.0.0.3</param>
    </connection>
  </authorize>
</user-mapping>
systemctl restart guacd
systemctl restart tomcat
systemctl enable guacd
systemctl enable tomcat

Apache reverse-proxy

Installation

yum install httpd mod_ssl mod_proxy mod_proxy_html
setsebool -P httpd_can_network_connect 1

Configuration

/etc/httpd/conf.d/guacamolo.conf
<VirtualHost *:80>
    ServerAdmin webmaster@helux.nl

    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]

    ErrorLog /var/log/httpd/guacd-error.log
    CustomLog /var/log/httpd/guacd-access.log common
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin webmaster@helux.nl

    SSLEngine On
    SSLCertificateFile    /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

    <Location />
        Order allow,deny
        Allow from all
        ProxyPass http://localhost:8080/guacamole/ max=20 flushpackets=on
        ProxyPassReverse http://localhost:8080/guacamole/
        ProxyPassReverseCookiePath /guacamole/ /
    </Location>

    ErrorLog /var/log/httpd/guacd-error.log
    CustomLog /var/log/httpd/guacd-access.log common
</VirtualHost>
systemctl restart http
systemctl enable http

DNS forwarder

Installation

yum install bind bind-libs bind-utils

Configuration

/etc/named.conf
options {
.
.
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
allow-query     { any; };
forwarders { 208.67.222.222; 208.67.220.220; };
.
.
}
systemctl enable named
systemctl restart named

NTP server

Installation

yum install chrony

Configuration

/etc/chronyd.conf
# Allow NTP client access from local network.
#allow 192.168/16
allow 10.0.0.0/8

# Listen for commands only on localhost.
#bindcmdaddress 127.0.0.1
#bindcmdaddress ::1
systemctl enable chronyd
systemctl restart chronyd

Firewall configuration

Remove all default rules

firewall-cmd --permanent --zone=home --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=home --remove-service=ipp-client
firewall-cmd --permanent --zone=home --remove-service=mdns
firewall-cmd --permanent --zone=home --remove-service=samba-client
firewall-cmd --permanent --zone=home --remove-service=ssh
firewall-cmd --permanent --zone=internal --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=internal --remove-service=ipp-client
firewall-cmd --permanent --zone=internal --remove-service=mdns
firewall-cmd --permanent --zone=internal --remove-service=samba-client
firewall-cmd --permanent --zone=internal --remove-service=ssh
firewall-cmd --permanent --zone=work --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=work --remove-service=ipp-client
firewall-cmd --permanent --zone=work --remove-service=ssh
firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=public --remove-service=ssh
firewall-cmd --permanent --zone=external --remove-masquerade
firewall-cmd --permanent --zone=external --remove-service=ssh
firewall-cmd --permanent --zone=dmz --remove-service=ssh

Create new zones

firewall-cmd --permanent --new-zone=local
firewall-cmd --permanent --new-zone=zorgnet

Add subnets to zones

firewall-cmd --permanent --zone=public --add-source=0.0.0.0/0
firewall-cmd --permanent --zone=public --add-source=::/0
firewall-cmd --permanent --zone=local --add-source=172.16.3.0/24
firewall-cmd --permanent --zone=zorgnet --add-source=10.0.0.0/24

Create additional services

/etc/firewalld/services/squid.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>squid</short>
  <description>Squid proxy</description>
  <port protocol="tcp" port="3128"/>
</service>

Enable services on zones

firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --permanent --zone=local --add-service=ssh
firewall-cmd --permanent --zone=local --add-service=http
firewall-cmd --permanent --zone=local --add-service=https
firewall-cmd --permanent --zone=zorgnet --add-service=ssh
firewall-cmd --permanent --zone=zorgnet --add-service=ntp
firewall-cmd --permanent --zone=zorgnet --add-service=http
firewall-cmd --permanent --zone=zorgnet --add-service=https
firewall-cmd --permanent --zone=zorgnet --add-service=dns
firewall-cmd --permanent --zone=zorgnet --add-service=squid

Set default zone

firewall-cmd --set-default-zone=local
systemctl enable firewalld
gateway_centos_7.1427450528.txt.gz · Last modified: by herwarth

Page Tools

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki