This wiki describes a gateway installation that functions as HTTP proxy, time server, DNS forwarder and HTML5 RDP/SSH/VNC gateway. The gateway will NOT route between the two interfaces.
Do a minimal installation of CentOS 7. I am using a VM in this example.
# Guest agent for the VMware VM used in this example; not needed on bare metal.
yum install open-vm-tools
# Create the day-to-day admin account with a home directory, then set its password
# interactively (root SSH login is switched off further down, so this is the login account).
useradd --gid users --comment "Herwarth Heitmann" --create-home --home-dir /home/herwarth herwarth
passwd herwarth
# Presumably /etc/ssh/sshd_config: refuse direct root logins over SSH; administer
# through the sudo-capable user instead so every privileged action is attributable.
PermitRootLogin no
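# Validate the edited sshd_config before restarting: a syntax error would otherwise leave
# sshd down and lock remote sessions out. 'sshd -t' exits non-zero when the file does not parse.
sshd -t || exit 1
systemctl restart sshd
# Crash-dump capture is of no use on this gateway; keep it from starting at boot.
systemctl disable kdump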
# /etc/sudoers entry (add it with visudo so a syntax error cannot disable sudo):
# full sudo rights for the admin account; no NOPASSWD, so the user's password is still asked.
herwarth ALL=(ALL) ALL
NetworkManager cannot handle the ifcfg ZONE= setting properly, so after configuring the network with nmtui, edit the files by hand and disable NetworkManager:
# Presumably /etc/sysconfig/network-scripts/ifcfg-ens192: the "local" side (172.16.3.0/24).
# NM_CONTROLLED=no hands the interface to the legacy network service; ZONE=local binds it
# to the firewalld zone created further down. UUID and HWADDR are host-specific — replace them.
TYPE=Ethernet
NM_CONTROLLED=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
# IPv6 is fully off on this side.
IPV6INIT=no
IPV6_AUTOCONF=no
IPV6_DEFROUTE=no
IPV6_FAILURE_FATAL=no
NAME=ens192
UUID=19975f59-4ac8-4c86-b3eb-aa8107ec4408
ONBOOT=yes
IPADDR0=172.16.3.102
PREFIX0=24
HWADDR=00:0C:29:EC:43:BB
ZONE=local
# Presumably /etc/sysconfig/network-scripts/ifcfg-ens224: the "zorgnet" side (10.108.108.0/24),
# the network that is served DHCP, DNS, NTP and the proxy. ZONE=zorgnet binds it to that
# firewalld zone. UUID and HWADDR are host-specific — replace them.
TYPE=Ethernet
NM_CONTROLLED=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
# NOTE(review): IPv6 is initialised with IPV6_DEFROUTE=yes but no static IPv6 address is
# configured here and autoconf is off — confirm this is intended.
IPV6INIT=yes
IPV6_AUTOCONF=no
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=ens224
UUID=aa0c6edb-9b36-424c-b331-d7989db83218
ONBOOT=yes
IPADDR0=10.108.108.5
PREFIX0=24
HWADDR=00:0C:29:EC:43:C5
ZONE=zorgnet
# Created by anaconda
# Presumably /etc/sysconfig/network. The default gateway sits on the "local" side (172.16.3.1);
# the resolvers are the same OpenDNS pair the BIND forwarder below points at. DOMAIN only
# affects this host's own search list — DHCP clients receive lz.zorgnet from dhcpd.conf.
NOZEROCONF=yes
GATEWAY=172.16.3.1
DNS1=208.67.222.222
DNS2=208.67.220.220
DOMAIN=lz.local
We want to be able to send mail through an external mail server rather than an internal one. This is for reporting only, so no incoming mail is required.
# Replace the local MTA with msmtp, a submission-only client: it does not listen for
# incoming mail, so nothing is exposed on port 25. mailx provides the mail(1) command.
yum remove postfix
yum install msmtp mailx
# /etc/msmtprc (system-wide): the submission account used for reports.
# The password is stored in clear text, so the file must not be readable by other local
# users; msmtp's passwordeval option can fetch it from a command (e.g. a root-only file) instead.
account default
# TLS is required (STARTTLS by default on port 587) and the server certificate is verified
# against the system CA bundle — without tls_trust_file msmtp would not verify it.
tls on
tls_trust_file /etc/pki/tls/certs/ca-bundle.crt
auth on
host mail.helux.nl
port 587
user noreply@helux.nl
from noreply@helux.nl
password <PASSWORD>
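# /etc/msmtprc holds the SMTP password, so it must not be readable by every local user;
# the original 644 made it world-readable. 600 is right when only root (cron reports) sends
# mail; if unprivileged users must send as well, use a dedicated group with 640 instead.
chown root:root /etc/msmtprc
chmod 600 /etc/msmtprc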
# NOTE(review): looks like msmtp's aliases file — every otherwise unmapped local recipient
# (root, cron) is rewritten to this address; confirm the file is referenced by an
# "aliases" entry in /etc/msmtprc.
default: noreply@helux.nl
# Let programs that expect a sendmail binary (cron, mailx) hand mail to msmtp.
# A plain ln -s fails if /sbin/sendmail still exists, which is fine here: postfix was removed above.
ln -s /bin/msmtp /sbin/sendmail
# ISC DHCP server; it serves the zorgnet side only (see the subnet declaration below).
yum install dhcp
# DHCP Server Configuration file.
# see /usr/share/doc/dhcp*/dhcpd.conf.example
# see dhcpd.conf(5) man page
#
# Only the zorgnet network (10.108.108.0/24) is declared; there is no subnet for the local side.
# option definitions common to all supported networks...
# specify domain name
option domain-name "lz.zorgnet";
# specify name server's hostname or IP address
# NOTE(review): clients are sent to 10.108.108.15 (the host the Guacamole config calls "nas"),
# not to the BIND forwarder installed on this gateway — confirm that is intended.
option domain-name-servers 10.108.108.15;
# default lease time
default-lease-time 86400;
# max lease time
max-lease-time 172800;
# this DHCP server to be declared valid
# (authoritative: answer with DHCPNAK when a client asks for a lease this server does not know)
authoritative;
# specify network address and subnet mask
subnet 10.108.108.0 netmask 255.255.255.0 {
  # specify the range of lease IP address
  # dynamic-bootp also hands dynamic leases to BOOTP clients; use plain "range" if only DHCP clients exist.
  range dynamic-bootp 10.108.108.151 10.108.108.200;
  # specify broadcast address
  option broadcast-address 10.108.108.255;
  # specify default gateway
  # NOTE(review): the router handed out is .254, not this host (.5) — this gateway does not
  # route between its interfaces, so .254 must be the real router on zorgnet.
  option routers 10.108.108.254;
}
# Make dhcpd start at boot and bring it up now.
systemctl enable dhcpd
systemctl start dhcpd
# Caching HTTP proxy for the zorgnet clients (port 3128, opened for that zone only below).
yum install squid
# /etc/squid/squid.conf — only the lines changed from the stock file are shown ('.' marks elided sections).
.
visible_hostname gateway.lz.local
http_port 3128
.
#enable only (adapt to zorgnet subnet)
# Keep only the localnet acl that matches zorgnet so the proxy serves no other RFC1918 range;
# firewalld additionally limits port 3128 to the zorgnet zone.
acl localnet src 10.108.108.0/24 # RFC1918 possible internal network
.
#enable 1024MB cache-size
# ufs cache of 1024 MB under /var/spool/squid with 16 first-level and 256 second-level directories.
cache_dir ufs /var/spool/squid 1024 16 256
.
# Enable squid for boot, then start it so the cache directories get initialised.
for unit in enable start; do
  systemctl "$unit" squid
done
On the Windows client, set the proxy server in Internet Explorer while logged in as the Administrator user. After that, open a command prompt and run the following command:
REM Copy the proxy that was set in Internet Explorer into the WinHTTP settings, which
REM system services (e.g. Windows Update) use instead of the per-user IE settings.
netsh winhttp import proxy source=ie
This is the HTML5 RDP/SSH/VNC gateway application (Guacamole), running on Tomcat with Apache as reverse proxy.
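# Enable EPEL through the signed epel-release package in CentOS extras instead of fetching an
# unsigned, unversioned RPM over plain http (rpm -ivh only warns when the signing key is unknown).
# Everything installed afterwards is then GPG-checked by yum.
yum install epel-release
# Guacamole daemon, the RDP/VNC/SSH protocol plugins and the Tomcat web application.
yum install guacd libguac-client-rdp libguac-client-vnc libguac-client-ssh guacamole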
# Point GUACAMOLE_HOME at the config directory for sh-style and csh-style login shells.
printf 'export GUACAMOLE_HOME=/etc/guacamole\n' > /etc/profile.d/guacamole.sh
printf 'setenv GUACAMOLE_HOME /etc/guacamole\n' > /etc/profile.d/guacamole.csh
Create MD5 password hashes for the users:
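# Hash a password for user-mapping.xml (encoding="md5" expects the hex digest of the bare password).
# Read it without echo so it ends up neither in the shell history nor in the process list,
# and strip md5sum's trailing " -" so only the hex digest is printed.
# Guacamole's md5 encoding is unsalted, so the hash alone offers little protection:
# keep user-mapping.xml readable by the tomcat service account only.
IFS= read -r -s -p 'Password: ' guac_password
printf '\n' >&2
printf '%s' "$guac_password" | md5sum | cut -d ' ' -f 1
unset guac_password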
<!-- user-mapping.xml (under GUACAMOLE_HOME): local users and the connections they may open.
     The password is an unsalted MD5 digest (encoding="md5"), which is cheap to brute-force, so
     restrict the file to the tomcat service account. The connections carry only a hostname;
     the target's own credentials are asked for at connect time. -->
<user-mapping>
  <authorize
    username="herwarth"
    password="ae17a12b89597e7539a9900ed5da9489"
    encoding="md5">
    <connection name="RDP: admin1">
      <protocol>rdp</protocol>
      <param name="hostname">10.108.108.201</param>
    </connection>
    <connection name="SSH: nas">
      <protocol>ssh</protocol>
      <param name="hostname">10.108.108.15</param>
    </connection>
  </authorize>
</user-mapping>
# Restart both services so they pick up the new user-mapping.xml, then enable them for boot.
for unit in guacd tomcat; do
  systemctl restart "$unit"
done
for unit in guacd tomcat; do
  systemctl enable "$unit"
done
# Apache with TLS and reverse-proxy modules. The SELinux boolean lets httpd open outbound
# connections (needed to reach Tomcat on 8080); -P makes the change persistent across reboots.
yum install httpd mod_ssl mod_proxy mod_proxy_html
setsebool -P httpd_can_network_connect on
# Apache vhost pair (file name under /etc/httpd/conf.d/ not given on the page).
# Port 80 exists only to redirect to https; Guacamole is served by the 443 vhost below.
<VirtualHost *:80>
  ServerAdmin webmaster@helux.nl
  RewriteEngine On
  # Permanent redirect of every request to the same host over https.
  RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
  ErrorLog /var/log/httpd/guacd-error.log
  CustomLog /var/log/httpd/guacd-access.log common
</VirtualHost>
<VirtualHost *:443>
  ServerAdmin webmaster@helux.nl
  SSLEngine On
  # NOTE(review): localhost.crt/.key are the self-signed pair mod_ssl generates at install time;
  # replace them with a certificate the clients trust before exposing this host. No SSLProtocol /
  # SSLCipherSuite is set here, so the defaults from mod_ssl's ssl.conf apply.
  SSLCertificateFile /etc/pki/tls/certs/localhost.crt
  SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
  <Location />
    # httpd 2.2-style access control (works on 2.4 through mod_access_compat;
    # "Require all granted" is the 2.4 form). Access is open to every source that
    # reaches the port — the firewalld zones decide who that is.
    Order allow,deny
    Allow from all
    # Serve the Tomcat webapp at the site root; flushpackets=on keeps the tunnel
    # responses streaming instead of buffered.
    ProxyPass http://localhost:8080/guacamole/ max=20 flushpackets=on
    ProxyPassReverse http://localhost:8080/guacamole/
    # Rewrite the session cookie path so the browser sends it for / rather than /guacamole/.
    ProxyPassReverseCookiePath /guacamole/ /
    # NOTE(review): no WebSocket proxying is configured; whether the packaged Guacamole
    # version needs a ws:// ProxyPass for its WebSocket tunnel cannot be told from this page.
  </Location>
  ErrorLog /var/log/httpd/guacd-error.log
  CustomLog /var/log/httpd/guacd-access.log common
</VirtualHost>
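# The unit is named httpd — there is no http.service, so the original restart/enable
# failed and the vhost above never went live. Check the configuration first so a broken
# vhost cannot take the gateway down on restart.
apachectl configtest || exit 1
systemctl enable httpd
systemctl restart httpd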
# BIND, used purely as a forwarding resolver for zorgnet (forwarders set below).
yum install bind bind-libs bind-utils
// /etc/named.conf, options block — only the changed lines are shown ('.' marks elided lines).
options {
.
.
  // Listen on every address of both interfaces instead of loopback only.
  listen-on port 53 { any; };
  listen-on-v6 port 53 { any; };
  // NOTE(review): allow-query { any; } makes this an open resolver for whoever can reach
  // port 53. firewalld limits the dns service to the zorgnet zone, but restricting this to
  // { localhost; 10.108.108.0/24; } keeps it closed even if the firewall is changed later.
  allow-query { any; };
  // Forward to the OpenDNS resolvers (the same pair as DNS1/DNS2 in the network file).
  // Without "forward only;" named falls back to its own recursion when they do not answer.
  forwarders { 208.67.222.222; 208.67.220.220; };
.
.
}
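# Check the edited named.conf before restarting, so a typo cannot leave zorgnet without DNS
# (named-checkconf exits non-zero on a parse error); then enable named for boot and restart it.
named-checkconf || exit 1
systemctl enable named
systemctl restart named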
# chrony as NTP client and as time server for zorgnet (firewalld opens ntp for that zone).
yum install chrony
# /etc/chrony.conf — only the changed lines are shown. "allow" decides which clients
# may query this server; everything else keeps the stock defaults.
# Allow NTP client access from local network.
#allow 192.168/16
allow 10.108.108.0/24
# Listen for commands only on localhost.
# NOTE(review): both bindcmdaddress lines are commented out, so this file no longer pins
# chronyc's command socket to loopback; re-enable them unless remote chronyc access is
# intended (the firewall configuration on this page does not open the command port either way).
#bindcmdaddress 127.0.0.1
#bindcmdaddress ::1
# Enable chronyd for boot and restart it so the new allow list is read.
for unit in enable restart; do
  systemctl "$unit" chronyd
done
# Strip the stock zones of every service this gateway does not offer — ssh in particular, so it
# is only reachable from the zones that re-add it below. All changes are --permanent and take
# effect on the next reload.
for zone in home internal; do
  for svc in dhcpv6-client ipp-client mdns samba-client ssh; do
    firewall-cmd --permanent --zone="$zone" --remove-service="$svc"
  done
done
for svc in dhcpv6-client ipp-client ssh; do
  firewall-cmd --permanent --zone=work --remove-service="$svc"
done
for svc in dhcpv6-client ssh; do
  firewall-cmd --permanent --zone=public --remove-service="$svc"
done
# "external" would masquerade traffic; this host must not route between its networks.
firewall-cmd --permanent --zone=external --remove-masquerade
firewall-cmd --permanent --zone=external --remove-service=ssh
firewall-cmd --permanent --zone=dmz --remove-service=ssh
# One zone per interface, matched by the ZONE= setting in the ifcfg files.
firewall-cmd --permanent --new-zone=local
firewall-cmd --permanent --new-zone=zorgnet
# NOTE(review): public gets catch-all sources. Whether the /24 sources of local and zorgnet
# take precedence over 0.0.0.0/0 depends on firewalld's source-matching order — verify with
# 'firewall-cmd --get-active-zones' and a connection from each network after the reload.
firewall-cmd --permanent --zone=public --add-source=0.0.0.0/0
firewall-cmd --permanent --zone=public --add-source=::/0
firewall-cmd --permanent --zone=local --add-source=172.16.3.0/24
firewall-cmd --permanent --zone=zorgnet --add-source=10.108.108.0/24
<?xml version="1.0" encoding="utf-8"?>
<!-- Custom firewalld service for the proxy port. Save it as squid.xml under
     /etc/firewalld/services/ so that "- -add-service=squid" below resolves; it opens 3128/tcp only. -->
<service>
  <short>squid</short>
  <description>Squid proxy</description>
  <port protocol="tcp" port="3128"/>
</service>
# Services per zone. public (catch-all sources) gets only the web front end — deliberately
# no ssh. local gets ssh and the web front end; zorgnet additionally gets everything this
# gateway serves to the inside network.
for svc in http https; do
  firewall-cmd --permanent --zone=public --add-service="$svc"
done
for svc in ssh http https; do
  firewall-cmd --permanent --zone=local --add-service="$svc"
done
for svc in ssh ntp http https dns squid dhcp; do
  firewall-cmd --permanent --zone=zorgnet --add-service="$svc"
done
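# Anything not matched by a source or interface zone lands in "local". --set-default-zone
# applies immediately, but every --permanent change above (and the new squid service file)
# is only loaded by a reload, which the original omitted; enable firewalld for boot and
# reload so the ruleset is active now rather than after the next restart.
firewall-cmd --set-default-zone=local
systemctl enable firewalld
firewall-cmd --reload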