Syed Jahanzaib Personnel Blog to Share Knowledge !

October 7, 2010

ZAiB Secure Firewall & DHCP Process for personnel reference

Filed under: Linux Related — Syed Jahanzaib / Pinochio~:) @ 8:15 AM

#!/bin/sh
echo "Starting ZAIB's Secure Firewall . . ."
#set -x
IPT="/sbin/iptables"
DHCP_SERVER="10.0.8.1"
# The MAC/IP binding list is named by the FINAL_FILE= line of the file "path"
FILE=`cat path | awk '/FINAL_FILE/' | cut -d"=" -f2`
LOOPBACK="lo"

# Flush all rules and delete user chains in the filter, nat and mangle tables
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X

# Open policies while the rules are being loaded; tightened again at the end
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ALLOW LOOPBACK
$IPT -A INPUT -i $LOOPBACK -j ACCEPT
$IPT -A OUTPUT -o $LOOPBACK -j ACCEPT

# ALLOW WAN (eth2)
$IPT -A INPUT -i eth2 -j ACCEPT
$IPT -A FORWARD -i eth2 -j ACCEPT

# ALLOW PPTPD (TEST FLIGHT): TCP 1723 for control, protocol 47 (GRE) for the tunnel
#$IPT -I INPUT -p tcp --dport 1723 -j ACCEPT
#$IPT -I OUTPUT -p tcp --dport 1723 -j ACCEPT
#$IPT -I INPUT -p 47 -j ACCEPT
#$IPT -I OUTPUT -p 47 -j ACCEPT
#$IPT -A INPUT -i ppp+ -p all -s 0/0 -d 0/0 -j ACCEPT
#$IPT -A FORWARD -i ppp+ -p all -s 0/0 -d 0/0 -j ACCEPT

# ALLOW DHCP (server replies from port 67 to the broadcast address on port 68)
$IPT -A INPUT -p udp -s $DHCP_SERVER --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT
$IPT -A OUTPUT -p udp -s 255.255.255.255 --sport 68 -d $DHCP_SERVER --dport 67 -j ACCEPT

# DANGER PORTS WILL BE DROPPED (telnet, NTP, MS RPC, NetBIOS)
for i in 23 123 135 137 138; do
$IPT -A INPUT -p tcp -s 0/0 -d 0/0 --dport $i -j DROP
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport $i -j DROP
$IPT -A INPUT -p udp -s 0/0 -d 0/0 --dport $i -j DROP
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport $i -j DROP
done

#ICMP REPLY LIMITING
# Note: -m limit matches packets *within* the rate, so these rules drop up to
# 60 large echo-requests per second; anything above that rate falls through
# to the rules below.
$IPT -A INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 60/s -m length --length 100:65500 -j DROP
$IPT -A FORWARD -p icmp -m icmp --icmp-type echo-request -m limit --limit 60/s -m length --length 100:65500 -j DROP

# Mark traffic from each known MAC/IP pair; the list holds one "MAC IP" pair per line
cat $FILE | while read MACS
do
IP=`echo $MACS | awk '{print $2}'`
MAC=`echo $MACS | awk '{print $1}'`
#arp -i br0 -s $IP $MAC
#arp -i eth0 -s $IP $MAC
#arp -i eth1 -s $IP $MAC
$IPT -t mangle -A PREROUTING -s $IP -m mac --mac-source $MAC -j MARK --set-mark 1
done

# SECURENAT SCRIPT START
$IPT -A FORWARD -m state --state NEW -p tcp \
-d 10.0.0.1 --dport 53 -j ACCEPT
$IPT -A FORWARD -p udp -d 10.0.0.1 --dport 53 -j ACCEPT
$IPT -A FORWARD -p udp -d 10.0.0.1 --sport 53 -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state NEW -i eth0 -j ACCEPT

#Allow WAN Interface for web site hosting
#for i in 80 10000 1234; do
#$IPT -A INPUT -p tcp -i eth2 --dport $i -j ACCEPT
#$IPT -A FORWARD -p tcp -i eth2 --dport $i -j ACCEPT
#done

# Allow marked packets only; everything unmarked is dropped
$IPT -A INPUT -m mark --mark 1 -j ACCEPT
$IPT -A FORWARD -m mark --mark 1 -j ACCEPT
$IPT -A INPUT -m mark ! --mark 1 -j DROP
$IPT -A FORWARD -m mark ! --mark 1 -j DROP

# Default-deny now that the accept rules are in place
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
echo "ZAiB Secure Firewall & DHCP Process Complete."

Linux Backup Script (Personnel) just for reference.

Filed under: Linux Related — Syed Jahanzaib / Pinochio~:) @ 8:07 AM

#!/bin/sh
############################################
# AACABLE.NETWORK Backup Program v1.0 #
############################################

echo -e " Backing up Data of GW.aacablenet.org . . . "
# mount server4 d drive (local helper script)
# Directory for copying files
/usr/sbin/server4d
# remove the previous archive before copying
rm -fr /firewall/aacable/firewall.tar
cp -vr /firewall/aacable/* /mnt/server4/backup/mac/firewall/aacable/ --reply=yes
cp -vr /usr/local/mrtg-2/bin/* /mnt/server4/backup/mac/firewall/aacable/mrtgbackup --reply=yes
cp -vr /etc/httpd/conf/httpd.conf /mnt/server4/backup/mac/firewall/aacable/ --reply=yes
cp -vr /etc/samba/smb.conf /mnt/server4/backup/mac/firewall/aacable/ --reply=yes
cp -vr /var/named/chroot/var/named/aacablenet.org.hosts /mnt/server4/backup/mac/firewall/aacable/ --reply=yes
cp -vr /etc/mail/sendmail.cf /mnt/server4/backup/mac/firewall/aacable/ --reply=yes
cp -vr /etc/mail/sendmail.mc /mnt/server4/backup/mac/firewall/aacable/ --reply=yes

# tar / zip All Directories . . .
cd /firewall/aacable
tar zcvf /firewall/aacable/firewall.tar /firewall/ /usr/local/mrtg-2/bin /etc/httpd/conf/httpd.conf /etc/mail/sendmail.cf /etc/mail/access /etc/samba/smb.conf /etc/named.conf /var/named/chroot/var/named/aacablenet.org.hosts /mnt/server4/backup/mac/firewall/aacable/macbackup/
# Email to johny_reico@yahoo.com :d
# gzip -v9 /firewall/aacable/firewall.tar
mutt -s "Daily Backup of gw.aacablenet.org" -a /firewall/aacable/firewall.tar johny_reico@yahoo.com < /firewall/aacable/dobackup
rm -fr /firewall/aacable/firewall.tar
echo "Backup & email Done"

howto install simple DHCP server in Ubuntu

Filed under: Linux Related — Syed Jahanzaib / Pinochio~:) @ 8:03 AM

This is a custom made configuration guide on howto install simple DHCP server in Ubuntu. I hope it will help you guys.

How to Install and Configure DHCP Server in Ubuntu Server

Install DHCP server in ubuntu

# apt-get install dhcp3-server

This will complete the installation.

Configuring DHCP server

If you have two network cards in your Ubuntu server you need to select which interface the DHCP server should listen on. By default it listens on eth0.

You can change this by editing /etc/default/dhcp3-server file

# nano /etc/default/dhcp3-server

Find this line

INTERFACES="eth0"

Replace with the following line

INTERFACES="eth1"

Save and exit. (This step is optional.)

+++++++++++++++++++++++++++++++++++++++++++++++++++

Now, to set up the DHCP parameters, edit the /etc/dhcp3/dhcpd.conf file using the following command

# nano /etc/dhcp3/dhcpd.conf

Using address pool method:

You need to change the following sections in /etc/dhcp3/dhcpd.conf file

default-lease-time 900;

max-lease-time 7200;

option subnet-mask 255.255.255.0;

option broadcast-address 192.168.1.255;

option routers 192.168.1.254;

option domain-name-servers 192.168.1.1, 192.168.1.2;

option domain-name "yourdomainname.com";

subnet 192.168.1.0 netmask 255.255.255.0 {

range 192.168.1.20 192.168.1.250;

}

Save and exit the file

Now you need to restart DHCP server using the following command

# service dhcp3-server restart

DHCP server ready to serve, Alhamdolillah.

This will result in the DHCP server giving a client an IP address from the range 192.168.1.20-192.168.1.250. It will lease an IP address for 600 seconds if the client doesn't ask for a specific time frame. Otherwise the maximum (allowed) lease will be 7200 seconds. The server will also "advise" the client that it should use 255.255.255.0 as its subnet mask, 192.168.1.255 as its broadcast address, 192.168.1.254 as the router/gateway and 192.168.1.1 and 192.168.1.2 as its primary and secondary DNS servers.

+++++++++++++++++++++++++++++++++++++++++++++++++++

Using MAC address method:

With this method you can reserve a fixed IP address for some or all of the machines.
In the following example I am using fixed IP addresses for PC1, PC2, printer1 and printer2.

default-lease-time 600;

max-lease-time 7200;

option subnet-mask 255.255.255.0;

option broadcast-address 192.168.1.255;

option routers 192.168.1.254;

option domain-name-servers 192.168.1.1, 192.168.1.2;

option domain-name "yourdomainname.com";

subnet 192.168.1.0 netmask 255.255.255.0 {

range 192.168.1.10 192.168.1.200;

}

host PC1 {

hardware ethernet 00:1b:63:ef:db:54;

fixed-address 192.168.1.20;

}

host PC2 {

hardware ethernet 00:0a:95:b4:d4:b0;

fixed-address 192.168.1.21;

}

host printer1 {

hardware ethernet 00:16:cb:aa:2a:cd;

fixed-address 192.168.1.22;

}

host printer2 {

hardware ethernet 00:0a:95:f5:8f:b3;

fixed-address 192.168.1.23;

}

Now, again, you need to restart the DHCP server using the following command

# service dhcp3-server restart

This time DHCP will give PC1, PC2, printer1 and printer2 the same IP every time they request one from the DHCP server. Other PCs or devices will get dynamic IPs.
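The firewall script above marks traffic per MAC/IP pair and this post reserves addresses per MAC, so the two lists should agree. As an added example (not code from the original posts), the script below derives both the mangle MARK rules and the matching dhcpd host stanzas from one "MAC IP" list, validating each line instead of passing it unquoted to iptables as the firewall loop does; the sample bindings and the host naming scheme are constructed.

```shell
#!/bin/sh
# Added example: one MAC/IP binding list drives both the firewall's mangle
# MARK rules and the dhcpd host reservations. Format is "MAC IP" per line,
# as the firewall loop expects. Hosts and addresses below are constructed.
BINDINGS='00:1b:63:ef:db:54 192.168.1.20
00:0a:95:b4:d4:b0 192.168.1.21
badmac 192.168.1.22
00:16:cb:aa:2a:cd 300.1.1.1'

# Return 0 only if $1 is a colon-separated MAC and $2 a valid dotted-quad IPv4.
valid_pair() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf '%s\n' "$2" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for oct in $(printf '%s\n' "$2" | tr . ' '); do
        [ "$oct" -le 255 ] || return 1
    done
}

# Print (not execute) one mangle rule per valid pair so the set can be
# reviewed before loading; malformed lines are reported on stderr and skipped.
mark_rules() {
    printf '%s\n' "$BINDINGS" | while read -r mac ip; do
        if valid_pair "$mac" "$ip"; then
            printf 'iptables -t mangle -A PREROUTING -s %s -m mac --mac-source %s -j MARK --set-mark 1\n' "$ip" "$mac"
        else
            printf 'skipping malformed binding: %s %s\n' "$mac" "$ip" >&2
        fi
    done
}

# Print a dhcpd.conf host stanza per valid pair; the host name is derived
# from the MAC (hypothetical naming scheme).
dhcp_hosts() {
    printf '%s\n' "$BINDINGS" | while read -r mac ip; do
        valid_pair "$mac" "$ip" || continue
        name="host_$(printf '%s' "$mac" | tr -d :)"
        printf 'host %s {\n    hardware ethernet %s;\n    fixed-address %s;\n}\n' "$name" "$mac" "$ip"
    done
}

# Count of bindings that passed validation, for a sanity check before
# the old rule set is flushed.
count_valid() { mark_rules 2>/dev/null | wc -l | tr -d ' '; }
```

Pipe `mark_rules` into `sh` only after reviewing its output, and append `dhcp_hosts` output to dhcpd.conf before restarting the server.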

Regards,
SYED JAHANZAIB

Network Engineer
LG – New Allied Electronics Industries (Pvt) Ltd.
Web: http://www.nae.com.pk
LinkedIn: http://pk.linkedin.com/pub/syed-jahanzaib/24/3b/407

And your Lord is advising you:
فَاسْتَبِقُواْ الْخَيْرَاتِ (So race towards good deeds)
Run towards good deeds

From: speedzonenetwork@hotmail.com
To: aacable@hotmail.com
Subject: Support For Linux Server On Ubuntu
Date: Thu, 7 Oct 2010 03:10:16 -0400

Sir,

Please send me a Linux server tutorial on Ubuntu.

Sincerely,

Fahad Khan

How To Install Squid in Ubuntu Linux

Filed under: Linux Related — Syed Jahanzaib / Pinochio~:) @ 7:40 AM

++++++++++++++++++++++++++++++++++++

How To Install Squid in Ubuntu Linux

1. Install & Configure Squid

First login as root.

a) Then install squid:

apt-get install squid

b) configure:

* gedit /etc/squid/squid.conf
o change the squid port: from http_port 3128 to http_port 8080

o find the http_access section, uncomment the following 2 lines and add your own networks (for example 192.168.0.0/24):

acl our_networks src 192.168.0.0/24
http_access allow our_networks

o set the hostname in the visible_hostname section; the default shown there is "# none", so just add:

visible_hostname localhost # or any other valid hostname

c) restart squid:

service squid restart

Configure Squid as Transparent Proxy (Squid version >= 2.6)

* gedit /etc/squid/squid.conf

o change from http_port 3128 to:
http_port 3128 transparent

o add line:
always_direct allow all

* add this line to iptables:

o iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -d ! 192.168.0.0/255.255.0.0 -j REDIRECT --to-port 3128

+ -i eth0 : adjust to the interface where it will be listening
+ -d ! 192.168.0.0/255.255.0.0 : excludes traffic destined for this address range from the redirect to the proxy

* save the new iptables (iptables-save prints the rule set to stdout, so redirect it to a file to keep it):
iptables-save

++++++++++++++++++++++++++++++++++++
