

Gateway functionality on CentOS 7

This wiki page describes a gateway installation that functions as HTTP proxy, time server, DNS forwarder and HTML5 RDP/SSH/VNC gateway. The gateway will NOT route between the two interfaces.

Minimal

Installation

Do a minimal installation of CentOS 7. I am using a VM in this example.

yum install open-vm-tools

Configuration

useradd -g users -c "Herwarth Heitmann" -m -d /home/herwarth herwarth
passwd herwarth
/etc/ssh/sshd_config
PermitRootLogin no
systemctl restart sshd
systemctl disable kdump
/etc/sudoers.d/users
herwarth ALL=(ALL) ALL

Network settings

NetworkManager cannot handle firewalld zones properly, so after configuring the network with nmtui, edit the interface files as shown below (NM_CONTROLLED=no, ZONE=...) and disable NetworkManager:

/etc/sysconfig/network-scripts/ifcfg-ens192
TYPE=Ethernet
NM_CONTROLLED=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
IPV6_AUTOCONF=no
IPV6_DEFROUTE=no
IPV6_FAILURE_FATAL=no
NAME=ens192
UUID=19975f59-4ac8-4c86-b3eb-aa8107ec4408
ONBOOT=yes
IPADDR0=172.16.3.102
PREFIX0=24
HWADDR=00:0C:29:EC:43:BB
ZONE=local
/etc/sysconfig/network-scripts/ifcfg-ens224
TYPE=Ethernet
NM_CONTROLLED=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=no
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=ens224
UUID=aa0c6edb-9b36-424c-b331-d7989db83218
ONBOOT=yes
IPADDR0=10.0.0.2
PREFIX0=24
HWADDR=00:0C:29:EC:43:C5
ZONE=zorgnet
/etc/sysconfig/network
# Created by anaconda
NOZEROCONF=yes
GATEWAY=172.16.3.1
DNS1=208.67.222.222
DNS2=208.67.220.220
DOMAIN=lz.local

DHCP server

Installation

yum install dhcp

Configuration

/etc/dhcp/dhcpd.conf
# DHCP Server Configuration file.
# see /usr/share/doc/dhcp*/dhcpd.conf.example
# see dhcpd.conf(5) man page
#
# option definitions common to all supported networks...
# specify domain name
option domain-name "lz.zorgnet";
# specify name server's hostname or IP address
option domain-name-servers 10.108.108.15;
# default lease time
default-lease-time 600;
# max lease time
max-lease-time 7200;
# this DHCP server to be declared valid
authoritative;
# specify network address and subnet mask
subnet 10.108.108.0 netmask 255.255.255.0 {
# specify the range of lease IP address
range dynamic-bootp 10.108.108.151 10.108.108.200;
# specify broadcast address
option broadcast-address 10.108.108.255;
# specify default gateway
option routers 10.108.108.254;
}

Squid

Installation

yum install squid

Configuration

/etc/squid/squid.conf
.
visible_hostname gateway.lz.local
http_port 3128
.
#enable only (adapt to zorgnet subnet)
acl localnet src 10.0.0.0/24     # RFC1918 possible internal network
.
#enable 1024MB cache-size
cache_dir ufs /var/spool/squid 1024 16 256
.
systemctl enable squid
systemctl start squid

On the Windows client, set the proxy server in Internet Explorer while logged in as the Administrator user. After that, run the following command from a command prompt so that the WinHTTP proxy used by system components picks up the IE settings:

netsh winhttp import proxy source=ie

Guacamole

This is the HTML5 RDP/SSH/VNC gateway application using Tomcat and Apache as reverse-proxy.

Installation

rpm -ivh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
yum install guacd libguac-client-rdp libguac-client-vnc libguac-client-ssh guacamole
echo "export GUACAMOLE_HOME=/etc/guacamole" > /etc/profile.d/guacamole.sh
echo "setenv GUACAMOLE_HOME /etc/guacamole" > /etc/profile.d/guacamole.csh

Configuration

Create MD5 password hashes for the users (the hex digest is what goes into the password attribute below):

echo -n 'password' | md5sum
/etc/guacamole/user-mapping.xml
<user-mapping>
  <authorize
    username="herwarth"
    password="ae17a12b89597e7539a9900ed5da9489"
    encoding="md5">
    <connection name="RDP: desktop1">
      <protocol>rdp</protocol>
      <param name="hostname">10.0.0.200</param>
    </connection>
    <connection name="SSH: nas">
      <protocol>ssh</protocol>
      <param name="hostname">10.0.0.3</param>
    </connection>
  </authorize>
</user-mapping>
systemctl restart guacd
systemctl restart tomcat
systemctl enable guacd
systemctl enable tomcat
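
As an added check that is not part of this wiki page or of Guacamole itself, the following Python snippet reproduces what the user-mapping lookup does: it hashes a cleartext password the same way `echo -n 'password' | md5sum` does and resolves the connections a user is allowed to open. The sample mapping is constructed to mirror the file above (its hash is md5 of the word "password"); only the md5 and plain encodings are handled.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample in the same shape as /etc/guacamole/user-mapping.xml above.
# The password attribute is md5("password"), i.e. the output of: echo -n 'password' | md5sum
SAMPLE_MAPPING = """<user-mapping>
  <authorize username="herwarth"
             password="5f4dcc3b5aa765d61d8327deb882cf99"
             encoding="md5">
    <connection name="RDP: desktop1">
      <protocol>rdp</protocol>
      <param name="hostname">10.0.0.200</param>
    </connection>
    <connection name="SSH: nas">
      <protocol>ssh</protocol>
      <param name="hostname">10.0.0.3</param>
    </connection>
  </authorize>
</user-mapping>
"""


def md5_hex(password: str) -> str:
    """Same digest as `echo -n 'password' | md5sum` (no trailing newline is hashed)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def authorize(mapping_xml: str, username: str, password: str):
    """Return [(connection name, protocol, hostname), ...] for a matching user,
    or None when the credentials match no <authorize> entry."""
    root = ET.fromstring(mapping_xml)
    for auth in root.findall("authorize"):
        if auth.get("username") != username:
            continue
        stored = auth.get("password", "")
        if auth.get("encoding", "plain") == "md5":
            ok = hmac.compare_digest(stored.lower(), md5_hex(password))
        else:  # encoding="plain": the attribute holds the cleartext password
            ok = hmac.compare_digest(stored, password)
        if not ok:
            continue
        conns = []
        for conn in auth.findall("connection"):
            host = conn.find("param[@name='hostname']")
            conns.append((conn.get("name"), conn.findtext("protocol"),
                          host.text if host is not None else None))
        return conns
    return None
```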

Apache reverse-proxy

Installation

yum install httpd mod_ssl mod_proxy mod_proxy_html
setsebool -P httpd_can_network_connect 1

Configuration

/etc/httpd/conf.d/guacamole.conf
<VirtualHost *:80>
    ServerAdmin webmaster@helux.nl

    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]

    ErrorLog /var/log/httpd/guacd-error.log
    CustomLog /var/log/httpd/guacd-access.log common
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin webmaster@helux.nl

    SSLEngine On
    SSLCertificateFile    /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

    <Location />
        Order allow,deny
        Allow from all
        ProxyPass http://localhost:8080/guacamole/ max=20 flushpackets=on
        ProxyPassReverse http://localhost:8080/guacamole/
        ProxyPassReverseCookiePath /guacamole/ /
    </Location>

    ErrorLog /var/log/httpd/guacd-error.log
    CustomLog /var/log/httpd/guacd-access.log common
</VirtualHost>
systemctl restart httpd
systemctl enable httpd

DNS forwarder

Installation

yum install bind bind-libs bind-utils

Configuration

/etc/named.conf
options {
.
.
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
allow-query     { any; };
forwarders { 208.67.222.222; 208.67.220.220; };
.
.
}
systemctl enable named
systemctl restart named

NTP server

Installation

yum install chrony

Configuration

/etc/chrony.conf
# Allow NTP client access from local network.
#allow 192.168/16
allow 10.0.0.0/8

# Listen for commands only on localhost.
#bindcmdaddress 127.0.0.1
#bindcmdaddress ::1
systemctl enable chronyd
systemctl restart chronyd

Firewall configuration

Remove all default rules

firewall-cmd --permanent --zone=home --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=home --remove-service=ipp-client
firewall-cmd --permanent --zone=home --remove-service=mdns
firewall-cmd --permanent --zone=home --remove-service=samba-client
firewall-cmd --permanent --zone=home --remove-service=ssh
firewall-cmd --permanent --zone=internal --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=internal --remove-service=ipp-client
firewall-cmd --permanent --zone=internal --remove-service=mdns
firewall-cmd --permanent --zone=internal --remove-service=samba-client
firewall-cmd --permanent --zone=internal --remove-service=ssh
firewall-cmd --permanent --zone=work --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=work --remove-service=ipp-client
firewall-cmd --permanent --zone=work --remove-service=ssh
firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=public --remove-service=ssh
firewall-cmd --permanent --zone=external --remove-masquerade
firewall-cmd --permanent --zone=external --remove-service=ssh
firewall-cmd --permanent --zone=dmz --remove-service=ssh

Create new zones

firewall-cmd --permanent --new-zone=local
firewall-cmd --permanent --new-zone=zorgnet

Add subnets to zones

firewall-cmd --permanent --zone=public --add-source=0.0.0.0/0
firewall-cmd --permanent --zone=public --add-source=::/0
firewall-cmd --permanent --zone=local --add-source=172.16.3.0/24
firewall-cmd --permanent --zone=zorgnet --add-source=10.0.0.0/24

Create additional services

/etc/firewalld/services/squid.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>squid</short>
  <description>Squid proxy</description>
  <port protocol="tcp" port="3128"/>
</service>

Enable services on zones

firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --permanent --zone=local --add-service=ssh
firewall-cmd --permanent --zone=local --add-service=http
firewall-cmd --permanent --zone=local --add-service=https
firewall-cmd --permanent --zone=zorgnet --add-service=ssh
firewall-cmd --permanent --zone=zorgnet --add-service=ntp
firewall-cmd --permanent --zone=zorgnet --add-service=http
firewall-cmd --permanent --zone=zorgnet --add-service=https
firewall-cmd --permanent --zone=zorgnet --add-service=dns
firewall-cmd --permanent --zone=zorgnet --add-service=squid

Set default zone

firewall-cmd --set-default-zone=local
systemctl enable firewalld
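
As an added review helper (not part of this wiki page or of firewalld), the Python snippet below turns a list of the firewall-cmd lines from this section into a per-zone table of sources and services, and reports which services sit in a zone whose source covers every address. The command list is a constructed subset of the commands above.

```python
import shlex
from collections import defaultdict

# Constructed sample: a subset of the firewall-cmd lines from the section above
FIREWALL_CMDS = """
firewall-cmd --permanent --zone=public --remove-service=ssh
firewall-cmd --permanent --new-zone=local
firewall-cmd --permanent --new-zone=zorgnet
firewall-cmd --permanent --zone=public --add-source=0.0.0.0/0
firewall-cmd --permanent --zone=public --add-source=::/0
firewall-cmd --permanent --zone=local --add-source=172.16.3.0/24
firewall-cmd --permanent --zone=zorgnet --add-source=10.0.0.0/24
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --permanent --zone=local --add-service=ssh
firewall-cmd --permanent --zone=zorgnet --add-service=ssh
firewall-cmd --permanent --zone=zorgnet --add-service=dns
firewall-cmd --permanent --zone=zorgnet --add-service=squid
"""

ANY_SOURCE = {"0.0.0.0/0", "::/0"}


def summarize(cmd_text: str) -> dict:
    """Build {zone: {"sources": set, "services": set}} from firewall-cmd lines."""
    zones = defaultdict(lambda: {"sources": set(), "services": set()})
    for line in cmd_text.splitlines():
        args = shlex.split(line)
        if not args or args[0] != "firewall-cmd":
            continue
        # "--key=value" options only; flags like --permanent carry no value
        opts = dict(a[2:].split("=", 1) for a in args[1:] if a.startswith("--") and "=" in a)
        if "new-zone" in opts:
            zones[opts["new-zone"]]  # register the zone even if nothing is added yet
        zone = opts.get("zone")
        if zone is None:
            continue
        for key, field, op in (("add-source", "sources", "add"),
                               ("remove-source", "sources", "discard"),
                               ("add-service", "services", "add"),
                               ("remove-service", "services", "discard")):
            if key in opts:
                getattr(zones[zone][field], op)(opts[key])
    return dict(zones)


def exposed_to_any(zones: dict) -> dict:
    """Services in zones whose sources cover every address (0.0.0.0/0 or ::/0)."""
    return {z: sorted(d["services"]) for z, d in zones.items() if d["sources"] & ANY_SOURCE}
```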
gateway_centos_7.1427480519.txt.gz · Last modified: by herwarth