Practical OnLine Services Incubator - eEmployment

PROJECT: RO/03/B/P/PP175006
TITLE: New Forms of Learning & Basic Skills for Advanced, inclusive Lifelong eVET in Internet Generated Occupations
Laboratory Instructions & Incubator Guide
ON-LINE SERVICES
YEAR 2006
BUCHAREST
On-Line Services Incubator
On-Line Services Incubator – How to become an Internet Service Provider
On-Line Internet Connection
Ethernet Network
Wireless Internet
Web Server (HTML + ASP + PHP + MYSQL)
Laboratory Instructions for On-Line Services
(Incubator Guide)
Parent institution: UE-B, Bucharest, Romania,
22 Franceza St., Postal Code 030104
Authors:
1. Ciprian-Antoniade Alexandru, Member of Teaching Staff,
Fax: + 4021 315 77 30; e-mail: [email protected]
2. Cristian-Teodor Păun, Member of Teaching Staff,
Fax: + 4021 315 77 30; e-mail: [email protected]
Accessible for consultations daily from 9.00 to 11.00.
CONTENT OF THE ON-LINE SERVICES INCUBATOR GUIDE
1. Hardware Description of Laboratory
2. Internet Service Provider (ISP) – basic hardware architecture
2.1. External Internet connection
2.2. Server – hardware
2.3. Installing a Switch
2.4. Cable and UTP connector (RJ 45)
2.5. External modem for dial-up and remote administration
2.6. Wireless ISP
3. Installing Fedora Core 4 Server
3.1. Getting started
3.2. Installing Fedora Core 4
4. Configuring the Fedora Core 4 Server
4.1. Add the second network device
4.2. Verify the Ethernet configuration
4.3. IP forward
4.4. Configure the squid proxy server
4.5. Set-up your clients computer
5. Testing the network
5.1. Testing the network interface
5.2. Testing the other computer
6. Firewall
6.1. Introduction In Firewall
6.2. Firewall’s Services
6.3. Firewall In Linux Operating Systems
6.4. Firewall In Windows Operating Systems
6.4.1. Introduction In Windows Environment
6.4.2. Using Windows Firewall
6.4.2.1 Example In Windows XP
6.5. Testing Firewall Rules
6.6. Discussions And Conclusions
7. Library with important software package
1. On-Line Services Incubator - Hardware description
[Diagram: laboratory hardware layout]
- External modem for dial-up and remote administration
- ADSL modem
- 1. Server (Linux): router, firewall, web, mail server, MySQL
- 2.1. PC Office
- 2.3. PC Wireless (PCI wireless network card)
- 3. Multifunctional printer (print, scan, copy, fax)
- 4. PDA - wireless
- UPS
- Wireless access point
- Switch
- Laptop or other wireless devices
2. Internet Service Provider (ISP) – basic hardware architecture
To become an ISP you need an external Internet connection for the server. The second component is a server connected to the Internet. With these steps you have the Internet on your server, and from now on it must be distributed to other people.
Distributing the Internet is possible with a simple switch or hub with an adequate number of ports (one for every computer in the network). Of course, from the switch we need some UTP CAT 5 cable, with one important condition: between two points there must be a maximum of 100 meters.
The basic schema, with elements, for an ISP is:
External Internet -> Server -> Network
The basic hardware architecture for an Internet Service Provider is:
- external Internet connection (ADSL, wireless, optical fibre)
- server – hardware
- server – software (open source or commercial solutions)
- switch
- cable (UTP)
- external modem (for dial-up clients or for remote administration)
- wireless (antenna or access point for wireless clients)
[Diagram: ISP architecture]
- External Internet connection: ADSL (modem), wireless (antenna), optical fiber
- Server (Linux): router, firewall, web, mail server, MySQL
- Switch -> client computers (FTP and HTTP clients)
- External modem for dial-up -> dial-up clients
- Wireless access point -> wireless PC clients and wireless devices (laptops, PDAs, tablet PCs)
2.1. External Internet connection
The external Internet connection must be a trusted source for the Internet. This means a very good quality of connection. There are many Internet connections which are stable only for a short period of time.
The main characteristics you have to be careful about are:
- the speed
- the connection gaps
- the intervention time in case of line failure (1 hour, 1 day, etc.)
The speed of the connection can differ significantly. Some companies offer the Internet speed shared with other clients, such as "shared 256 kbps". This strategy is in general cheaper but brings problems, because as time passes the number of clients grows and so does the Internet traffic. Consequence: your share of the connection is continuously decreasing.
The second characteristic is also important because your clients pay you for a non-stop Internet connection. If you don't have a stable connection and gaps (connection interruptions) happen, for example once per day, even for a very short period, the clients will run away.
Because nothing is perfect in this world, connection failure is possible. In this unhappy case it is imperative to be able to call, non-stop, a technical specialist from the company from which you have the external Internet. Also the intervention time must be as short as possible.
There are three most-used possibilities for an external Internet connection:
- ADSL with a line modem (Fig. 1.1),
- a wireless solution, with an antenna (Fig. 1.2),
- optical fiber (Fig. 1.3).
Surely the most recommended solution is optical fiber. The connection speed is good, it is the most stable, and enlarging the Internet bandwidth is very easy.
Fig. 1.1 – ADSL modem
Fig. 1.2 – Wireless antenna
Fig. 1.3 – Optical fiber media converter
2.2. Server - hardware
In different situations the configuration of the server could be specific to its purpose. Wherever you read documentation, the hardware requirement is given at the minimum level.
Our recommendation is to take a middle way. These days it is not that expensive to have a good computer.
Hardware configuration | Description (your server or computer)
Amount of memory (RAM) | 256 MB
Size of hard drive | 20 GB at 7,200 or 10,000 rpm
Type of mouse | USB
Type of video card | ATI or nVidia with 64 MB RAM, but onboard video is also possible
Display monitor (resolution) | 1024 x 800
Installed network interface (type) | 1 piece - PCI 10/100 Mbps or onboard 10/100/1000 Mbps; 1 piece - PCI 10/100 Mbps
Ports | serial and parallel port
For good functionality of the server it is strongly recommended to buy a UPS unit. This unit protects your server from disturbances in the electrical power supply. It is better to have a UPS with a serial connector and proper software for installing with Linux, but a simple one is good for beginners.
Fig. 1.4. The eIncubator server
Fig. 1.5. The PCI network card adapter 10/100 Mbps
1. First network adapter. In this picture, onboard 10/100/1000 Mbps.
2. This adapter is connected to the 11 Mbps wireless antenna (in our example, but it could be connected to another type of external Internet).
3. The IP for this card is given by the company from which you have the external Internet (in our example 141.85.130.103, but don't put this IP on your network card).
It is possible to have more than one network adapter on the server. The reason is to have more separate networks. Each network adapter goes into a separate switch. With this method the networks can be administered separately.
The second network adapter is connected to the switch. In this example it is a PCI adapter with the local IP 192.168.0.1.
Fig. 1.6 Network adapter installed in the server
2.3. Installing a switch
For an ISP developed for a small building or neighborhood, a simple switch with an adequate number of ports (8, 16, 24, 32) is sufficient.
Keep in mind that you'll need at least 2 ports for the connection with the server and with another switch, in case your network expands. Over the lifetime of the equipment it is also possible for some ports of the switch to break down. The main cause is a wire defect or, much more rarely, damage from the client computer.
Note: When you buy a switch it is better to think ahead. For instance: for the moment let's say that you have 5 clients and an 8-port switch would be enough. When 2 more clients come you have to buy another switch. So, for this example I'd buy maybe a 16-port switch or even one with 24 ports. Of course, if you know that all your possible clients will be 12, it is not necessary to have more than a 16-port switch.
Fig. 1.7. The simple switch with 16 ports (front side)
Fig. 1.8. The simple switch with 16 ports (back side)
Now, connect a cable from your server to the switch and plug the switch into the power supply.
Connecting a computer to your network is very easy: just connect a cable to the switch and to the computer.
[Diagram: server -> switch -> computer, cable less than 100 meters]
The network over 100 meters
If the computer that you want to connect is over 100 m from the switch, you can add another switch (maybe a little one with fewer ports) between the main switch and the computer (see the next diagram).
[Diagram: server -> main switch -> second switch -> computer; total distance over 100 meters, but each cable segment less than 100 m]
2.4. Cable and UTP connector (RJ 45)
For connecting the computer to the switch we need: 2 (two) RJ 45 connectors, a proper length of CAT 5 cable and special pliers (crimping tool) for CAT 5 cable connection.
Fig. 1.9. RJ 45 connector
Fig. 1.10. CAT 5 cable
Fig. 1.11. Special pliers for CAT 5 connection
Steps for putting an RJ 45 connector on the cable.
Step 1. First we need a cable of the proper length from the switch to the computer; there are 2 common situations:
a) when the length can be easily determined (the computer is near the switch, or the way between the switch and the computer is straight and free of obstacles). In this situation we cut the necessary cable and then connect the RJ 45.
b) when we cannot determine the exact length (maybe we need to pass through a wall); in this case it is better to connect the RJ 45 at one end, then pull the cable with a rope to the other end. When the cable is in the right position, cut it and pass to the next step.
Step 2. Cut the plastic protection carefully with the pliers. The removed part of the protection must be xx millimeters ± 1 millimeter. The wires inside the cable must not be cut, and neither must their individual plastic protection.
Step 3. Put these 8 wires in the following order, from left to right:
- white – orange
- orange
- white – green
- blue
- white – blue
- green
- white – brown
- brown
Step 4. Cut the ends of the eight wires so that all eight are in line.
Step 5. Hold the wires tight and introduce them slowly into the RJ 45 connector, holding the RJ 45 with the metallic side up (like in the picture). Each wire must enter its own channel inside the connector. When you push the cable, the wires must maintain the order established in the previous step.
Step 6. Push hard so that the wires reach the ends of the channels in the connector. The cable must be locked like in the picture.
Step 7. Introduce the connector, holding the cable in position, into the pliers.
Step 8. Clench the pliers hard, even with both hands.
Now the connector should be ready.
By respecting these eight steps and applying them to both ends of the cable, the connection between switch and computer should be fine.
If the connection doesn't work, check the color order from step 3 again.
If a connector is bad, cut the cable at the entrance of the connector, throw it away, and put on another connector.
For a practical example you can see the movie at the web address:
http://www.eemployment.ro/movies/cable-connection.avi
2.5. External modem for dial-up and remote administration
The most common configuration for a dial-up Internet network is: a server with a network interface for a fast Internet connection and several modems. The modems can be internal or external, the limit coming from the number of PCI slots and serial ports on the server. It is better to avoid internal software modems which don't offer a hardware serial port, because the manufacturer's drivers are difficult to install on the server.
Personal computers offer between 1 and 4 serial ports, which means a limited number of users. To extend the number of serial ports you can use a specialized interface (example: a Cyclades interface can deliver over 30 ports) or change the phone system (a digital phone line can carry from 2 to 30 phone connections on the same ISDN port).
Whatever method you use, the principle is the same, so in our example we use an external modem connected to the server on a serial port.
Dial-up connection working on the server with an external modem.
Firstly we must have a phone line connection.
The second step is to connect the external modem to a serial port on the server. We can connect to the 9-pin serial port (COM1) or the 25-pin serial port (COM2), depending on the hardware configuration and on the availability of the ports.
[Diagram: external modem with power supply from AC/DC adapter, phone line, 25-pin serial port (for COM 2) and 9-pin serial port (for COM 1); 9-pin serial port on the back of the server]
If your computer doesn't have a serial port (COM1 or COM2) you must buy an external modem with a USB connection. In general this is not recommended, because it is possible to have compatibility problems with Linux.
Note: newer computers have only one serial port, with 9 pins. From this point of view, in the section "hardware configuration" we recommend buying a server with at least one serial port and a USB mouse. If you buy a serial mouse and the server has just one serial port, then you don't have any port available for the external modem.
2.6. Wireless ISP
The easiest way to distribute the Internet wirelessly is to have a wireless access point.
The access point will be connected:
- directly to the network adapter of the server (with the 192.168.0.1 IP);
- to the already installed switch (in case your final network will be both wireless and non-wireless).
For more information about using and configuring a wireless connection it is strongly recommended to see the dedicated lesson, also present in the respective package.
[Diagram: wireless access point with antenna, UTP connection directly from the server or to the switch, power supply from AC/DC adapter]
Note: A wireless network can be very vulnerable to intruders. For this reason it is better to configure the wireless equipment with password access and/or with encrypted data transmission.
3. Installing Fedora Core 4 Server
Becoming an ISP in our time is very easy because we have a lot of instruments around us.
Regarding the software which makes your hardware work like a server for distributing the Internet to potential clients, we present below Fedora Core 4. [2.10]
Fedora Core 4 is a complete operating system produced by the Fedora Project, sponsored by Red Hat, Inc. [2.11]
Fedora is based on the Linux kernel and is an open source project developed by a worldwide community of software developers.
Linux, the kernel of a free operating system, was developed by Linus Benedict Torvalds and released to the world in 1991. [2.1]
Torvalds decided to distribute Linux under a free software license named the GNU General Public License (GPL). [2.12]
We propose that you use an open source operating system for the following main reasons:
- in the last 10 years this operating system has grown continuously until surpassing 50% of Internet servers
- it offers you an excellent opportunity regarding the starting investment in a business, because it is free or available at very low cost
- you can install it on as many computers as you want, within the terms of the GNU license
- in the last 3-4 years the graphical interface was developed very strongly and became especially friendly to use for a larger variety of users
- by installing Fedora Core 4 you also have a lot of software for writing, office work, multimedia, graphical applications and also good and powerful instruments for programming
- you can use Fedora Core 4 as a server platform for your Internet business or as a desktop version for your personal computer
- Linux is stable, scalable, fast and secure
- it can use very old computers like Intel-based 486 with even 8 MB of RAM (see below our recommendations)
Also, there are many other Open Source [2.13] operating systems which you can use for your Internet server, like Mandrake, FreeBSD, Slackware, Debian and others.
3.1. Getting started
Hardware requirements
To install Fedora Core 4 we recommend using the hardware configuration described in Part 1 of the present lesson. Fedora Core 4 can also be installed on older computers with a minimum of a 200 MHz Pentium CPU, 750 MB hard drive space and 64 MB RAM, for using Fedora without a graphical interface. [2.1]
Before installation it is good to have a list of your minimum configuration, so make a list like the one below:
Hardware configuration | Description (your server or computer)
Amount of memory (RAM) | 128 MB (e.g.)
Size of hard drive | 10 GB (e.g.)
Type of mouse | USB (e.g.)
Type of video card | ATI Rage 9200 128 MB RAM (e.g.)
Display monitor (maximum resolution) | 1024 x 800 (e.g.)
Installed network interface (type) | RTL 8139 (e.g.)
Note: If you have a particular (brand or special) PC model or laptop, it is better to check if it supports Linux. If your research is not conclusive, read the Linux Hardware HOWTO at:
http://www.tldp.org/HOWTO/Hardware-HOWTO/
Fedora Core 4 installation software CDs
You can download the CDs for free from:
http://download.fedora.redhat.com/pub/fedora/linux/core/4/i386/iso/
At that link you will find four files, which are ISO images of four CDs:
FC4-i386-disc1.iso
FC4-i386-disc2.iso
FC4-i386-disc3.iso
FC4-i386-disc4.iso
Note: The Fedora software downloaded above is compatible with Intel-based PCs. If you have another kind of computer it is better to consult the Red Hat documentation to see if you can download the specific software.
After burning all of them to CD, put a label on each and you can install Fedora Core 4.
If you don't have enough Internet bandwidth to download the 4 CDs you can ask for help from Internet café places. A third solution is to obtain the software from a specialized software newspaper or PC magazine. Another solution is to buy Fedora Core 4 directly from Red Hat (http://www.redhat.com/fedora/).
Hard drive preparation
The installation permits having more than one operating system on your hard drive. Anyway, we recommend installing only Fedora Core 4 on your server because the server will run 24 hours per day, delivering Internet to your clients, and it is not necessary to have other operating systems on it.
If you plan to install Fedora Core 4 also on your personal computer or maybe on your laptop, you may consider having more operating systems on the same hard drive.
For both options you have to partition the hard drive. This operation can be done before or during installation.
Linux uses the following device names for hard drives:
/dev/hda for the first (master) IDE hard drive on channel 0,
/dev/hdb for the second (slave) IDE hard drive on channel 0,
/dev/hdc for the third (master) IDE hard drive on channel 1,
/dev/hdd for the fourth (slave) IDE hard drive on channel 1.
3.2. Installing Fedora Core 4
We chose to install Fedora from CD-ROM. There are other ways to install, but they are not necessary for your starting business: DOS; Network File System (NFS); File Transfer Protocol (FTP); Hypertext Transfer Protocol (HTTP); directly from the Internet; from a hard drive partition; or from preinstalled media (by transferring the image from one hard drive to another).
IMPORTANT: To install Fedora from the CD-ROM, first set up the BIOS to boot the computer from the CD drive.
Starting installation: Insert the first CD into the CD-ROM and restart the computer to boot from CD.
After booting you should have the following image on your screen. Strike the Enter key to run the installation.
The next image is for testing your installation CDs. It is more of an assurance not to start the installation when, for different reasons, one of the 4 CDs is not working. If you are not sure of the quality of your recorded CDs, maybe it is better to do the test, and for that you choose <OK>. In our installation we choose <Skip>, considering that the CDs are OK.
The next image is a "welcome" one. Just go on with the <Next> button in the lower right corner.
Now you have to make a language selection. Our recommendation is to choose English (English) even if you are not a native English speaker. The reason is simple: the Internet is almost entirely an English language land and it is better to become familiar with that language.
For "Keyboard Configuration" we also use <U.S. English>, but that depends on the specific keyboard connected to your computer. So, pick one from the list and click on the <Next> button.
From this point the installation actually starts. Because our interest is to become an Internet Service Provider, we install the <Server> type. Then click on the <Next> button.
The partition strategy of your hard drive is "an art" for an experienced Linux administrator. From this point of view, from now on you'll hear a lot of versions from different people. Considering our intention, it is not necessary to have much trouble. So, we simply recommend <Automatically partition>, then the <Next> button.
In the future keep in mind to make a separate partition for user data, because that could be more important than the system itself (the system can be repaired or reinstalled, but lost data is lost forever).
A warning window will be displayed about losing all data on your hard drive. If your hard drive is new and empty, or you know that there is no important data on it, proceed with the <Yes> button. Otherwise choose <No> and the installation will stop.
Like in the previous window, you are informed and also asked to make a choice. In the spirit of our recommendation to install only Fedora Core 4 on your server system, click on the <Remove all partitions on this system> option and then the <Next> button. Otherwise it is better to make the right choice so as not to lose data.
Warning: maybe the image on your display is a little different regarding the "Device name", depending on your hardware configuration, especially regarding the size of your hard drive. In our example we have a 4 GB hard drive.
IMPORTANT: We are not responsible for data loss if you do not use an empty or new hard drive. It is very dangerous to work on a drive with data already stored on it. Even an experienced person can make a terrible mistake. If you still want to work on a hard drive with data on it, at least first make a safe copy on other storage media (hard drive, CD, DVD, tape, etc.).
Another warning message and the <Yes> button choice.
An information window showing the results of your previous choice. Click the <Next> button.
Warning: maybe the image on your display is a little different regarding the "Device name", depending on your hardware configuration.
Again click the <Next> button.
Warning: maybe the image on your display is a little different regarding the "Device name", depending on your hardware configuration.
The installation program finds one network interface on the computer. To configure this interface manually, click on the <Edit> button. Otherwise Fedora will be installed with DHCP and allocate the IP automatically.
In the sub-screen, uncheck the check box <Configure using DHCP> and fill in the <IP Address> with 192.168.0.1. Also the <Netmask>: 255.255.255.0, like in the presented example.
If Fedora finds more than one network adapter you may be asked to configure the second device. In that case, the device name eth0 will be the first adapter activated when Fedora starts.
After installation we can reconfigure the network device with a graphical tool: system-config-network
You can configure the hostname by entering a name like our example, ldv.ueb.ro, but not identical.
The IPs necessary for the Gateway and the Primary and eventual Secondary DNS are given to you by the external Internet company from which you have the connection. We configure the <Gateway>: 141.85.128.6 and the <Primary DNS> with 141.85.128.1 (please fill in your own data).
Because we want to install a server configuration, we check all the check boxes on the <Firewall Configuration> screen and <Enable firewall>.
It is true that for becoming an Internet Service Provider you don't need <Web Server> or <Mail Server>, but they will help you to understand more features of Fedora Core 4. If you don't have many Internet clients, maybe in the future you'll want to host some small web pages on the same server (it is not recommended to have the web server on the same server, but for a starting, small company with few clients it is helpful from the expenses point of view).
When you have sufficient financial stability, dedicated servers are much more important (web server, mail server, gateway). Anyway, Linux is recognized as a stable server, and from our previous experience up to 10 small and medium web pages can be hosted while also using the same computer as gateway.
On the <Time Zone Selection> screen you have to select your <Location>. We select <Europe/Bucharest>, but you can select anything you want according to your country.
Setting the root password is important for the security of your system. The "root" is the administrator for the entire server and has access to all resources. So, the password for root is highly desired by any possible intruder.
The root password:
- must be as long as you can still remember it,
- with different characters, even a different sentence,
- alternate letters with numbers,
- not containing your name or initials.
Example: dh64rEv08nseR
From now on we start to select the necessary packages for Fedora Core 4.
First we select the check box <KDE (K Desktop Environment)>, then click on the <Details> button.
From the administrative point of view select the third item, <kdeadmin - Administrative tools for KDE>. Then click on the <OK> button.
Scroll down the screen and select: <Editors>, <Engineering and Scientific>, <Graphical Internet>, <Text-based Internet> and click on the <Details> button from <Graphical Internet>.
On the "Graphical Internet" screen select: <kdewebdev – WEB Development package for the K Desktop Environment> and <thunderbird – Mozilla Thunderbird mail/newsgroup client>, then click on the <OK> button.
Back on the <Package Group Selection> screen click on <Details> from <Text-based Internet>. On the <Text-based Internet> details screen select <lynx – A text-based Web browser>, then <OK>.
Scroll down and select the <Office/Productivity> item, then <Details>. Now, select the <kdepim – PIM (Personal Information Manager) for KDE> item, then <OK>.
Select: <Sound and Video>, <Authoring and Publishing>, <Graphics> and <Details> from <Graphics>. On the "Details for Graphics" screen select the <kdegraphics – K Desktop Environment – Graphics Applications> item, then <OK>.
A little bit lower select <Server Configuration Tools>, then <Details>.
Select the first two items, <system-config-bind> and <system-config-boot>, then <OK>.
Select the <Web Server> item, then <Details>. On the "Web Server" screen select <mod_auth_mysql>, scroll down, then <php-mysql> and <php-odbc>, then <OK>.
Select <Mail Server>, then <Details>. Select <postfix> and <squirrelmail>, then <OK>.
Select the items: <Windows File Server>, <DNS Name Server>, <FTP server>.
Scroll down and select <MySQL Database>, then <Details>. Select the <mod_auth_mysql> and <php-mysql> items, then <OK>.
Select <News Server> and <Network Servers>, then <Details>.
Select <dhcp> and <vnc-server>, then <OK>.
If you want, select a different <Language Support>, then <Details>. Selecting a language support doesn't mean that you renounce English, but you'll have the possibility to have another language. In our example we select <Romanian Support>, but you select anything you want according to, maybe, your native language.
Select <Administrative Tools>, then <Details>. Select <system-config-kickstart>, then <OK>.
Select <System Tools>, then <Details>. On the "System Tools" screen select the <iptraf>, <mc> and <mrtg> items, then scroll down and select also <uucp> and <vnc>, then <OK>.
Now your package selection is ready, so click <Next>. The installation software will verify what is necessary for installing Fedora Core 4 according to your selected packages.
This is an information screen, so click <Next>.
Again, an information screen, where it is written that all 4 CDs are necessary for installing the system and the selected packages. If you have all four CDs ready click on the <Continue> button, otherwise click <Reboot>.
After all these operations, Fedora Core 4 starts the installation and you have to wait between 30 and 90 minutes for all jobs to be performed (depending on your hardware performance).
During the installation other information will be displayed and everything should go on smoothly. If something is wrong, try to see what the error message is and fix the problem. Maybe you must restart the whole installation from the beginning, but not before checking the hardware compatibility described at the beginning of the lesson, part 1.
When the installation ends you'll be asked to restart the computer, and after restarting the post-installation operations run. All processes end with the login screen presented below.
Tips:
- change the root password monthly;
- don't write the password on the computer, on the keyboard or somewhere like that (we see that often with beginners).
4. Configuring the Fedora Core 4 Server
To configure the Fedora Core 4 server to deliver Internet from your location to other computers we need a second network interface. The first network interface you have already configured previously in this lesson, part 2.
Place your network interface in a free PCI slot and power on the computer. Your new interface will be recognized automatically; all you have to do is configure it.
Follow the next steps after you have logged in as root on starting your computer.
4.1. Add the second network device
First we have to add the device into your system. For that, start from the main menu, clicking the red hat in the lower left corner, menu item <System Settings>, then menu item "Network".
On the "Network Configuration" screen, select the <New> button in the upper left corner.
In the next screen select <Ethernet connection>, then the <Forward> button.
Most probably this screen will show two "Ethernet cards", but surely their names are different. We have, on our computer from the OnLine Service Laboratory, two Ethernet cards from Realtek Semiconductor Co., the RTL-8139 model. This is not important, because it is not the model that counts, but the functioning.
You must select the "Ethernet card" with the name different from eth0. In our screen the device name is "dev2729" and maybe on your computer it is "eth1". So, select the second Ethernet card, then the <Forward> button.
Now we need the IP address and gateway address given by the Internet Service Provider which delivers the Internet to you. Enter in the Address text box the IP address, in <Subnet mask>: 255.255.255.0 and in <Default gateway address> the corresponding IP.
Please be careful not to enter our IPs from the laboratory.
Click on <Forward>.
This is just an information screen; click on the <Apply> button.
The network device is added to your list, but is not active. For that click on the <Activate> button.
A confirmation screen, where you select the <Yes> button.
Next is an information screen. Just <OK>.
4.2. Verify the Ethernet configuration
It is recommended to verify the settings that you just made with some text editor. One easy way is to open a console from graphical mode. Right-click somewhere on the desktop and select the <Konsole> item.
The screen is like the next one. Start a small program with the command:
# mc
then the <Enter> key from the keyboard.
The program Midnight Commander starts; change the directory with the command:
# cd /etc/sysconfig/networking/devices
On the screen are two files: ifcfg-eth0 and ifcfg-eth1.
We edit each one step by step with Edit, pressing <F4> on the keyboard. Start with ifcfg-eth0.
Look just for the DEVICE keyword. This must have the eth0 value. If not, change it, and check the IPADDR keyword with the value 192.168.0.1, NETMASK with the value 255.255.255.0 and NETWORK with 192.168.0.0. Don't change other values.
After you have finished press <F2> on the keyboard to save the modification, then the <Enter> key for the <SAVE> option.
Pass to the next file, ifcfg-eth1, and check again:
DEVICE=eth1
IPADDR=<your IPADDR given by your Internet Service Provider>
NOT the 141.85.130.103 IP, because this is from the authors’ example.
NETMASK=255.255.255.0
GATEWAY=<your Gateway address given by your Internet Service Provider>
NOT the 141.85.130.6 IP, because this is from the authors’ example.
Don’t change other values.
After you have finished, press <F2> to save the modification, then the <Enter> key for the <SAVE> option.
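A small check for the two files edited above, added here as an example (it is not part of the manual): it reads DEVICE, IPADDR and NETMASK from an ifcfg file, recomputes NETWORK from IPADDR and NETMASK and compares it with the stored value. The two ifcfg files it writes are constructed samples; the second reuses the authors' example address 141.85.130.103 and the device name dev2729 to show what a mismatch looks like.

```shell
#!/bin/sh
# Added example, not the manual's own script: check an ifcfg-* file for the
# values section 4.2 tells you to verify. NETWORK is recomputed from IPADDR and
# NETMASK instead of being trusted, so a typo in any of the three is caught.

# Print the value of KEY in an ifcfg file (last assignment wins, quotes stripped).
ifcfg_get() {  # $1 = file, $2 = key
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Bitwise AND of two dotted quads: the network address for an IP and a mask.
ip_and_mask() {  # $1 = ip, $2 = mask
    old_ifs=$IFS; IFS=.
    set -- $1 $2              # eight octets: four of the ip, four of the mask
    IFS=$old_ifs
    echo "$(( $1 & $5 )).$(( $2 & $6 )).$(( $3 & $7 )).$(( $4 & $8 ))"
}

# Compare DEVICE/IPADDR/NETMASK with the expected values and NETWORK (if set)
# with the computed one. Prints OK or one line per mismatch; returns 1 on any.
check_ifcfg() {  # $1 = file, $2 = device, $3 = ip, $4 = mask
    rc=0
    dev=$(ifcfg_get "$1" DEVICE); ip=$(ifcfg_get "$1" IPADDR)
    mask=$(ifcfg_get "$1" NETMASK); net=$(ifcfg_get "$1" NETWORK)
    [ "$dev" = "$2" ]  || { echo "DEVICE is '$dev', expected $2"; rc=1; }
    [ "$ip" = "$3" ]   || { echo "IPADDR is '$ip', expected $3"; rc=1; }
    [ "$mask" = "$4" ] || { echo "NETMASK is '$mask', expected $4"; rc=1; }
    if is_ipv4 "$ip" && is_ipv4 "$mask"; then
        want=$(ip_and_mask "$ip" "$mask")
        if [ -n "$net" ] && [ "$net" != "$want" ]; then
            echo "NETWORK is '$net', but IPADDR & NETMASK gives $want"; rc=1
        fi
    else
        echo "IPADDR or NETMASK is not a dotted quad"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo OK
    return "$rc"
}

# Constructed sample files (not copied from any machine) to exercise the check.
write_samples() {  # $1 = directory
    cat > "$1/ifcfg-eth0" <<'EOF'
DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.0.1
NETMASK=255.255.255.0
NETWORK=192.168.0.0
BROADCAST=192.168.0.255
ONBOOT=yes
EOF
    # Deliberately wrong: the device still carries the auto-generated name and
    # NETWORK does not match IPADDR & NETMASK.
    cat > "$1/ifcfg-eth1" <<'EOF'
DEVICE=dev2729
BOOTPROTO=static
IPADDR=141.85.130.103
NETMASK=255.255.255.0
NETWORK=141.85.0.0
GATEWAY=141.85.130.6
ONBOOT=yes
EOF
}

# Stand-alone run over the two constructed files.
dir=$(mktemp -d); write_samples "$dir"
check_ifcfg "$dir/ifcfg-eth0" eth0 192.168.0.1 255.255.255.0 || true
check_ifcfg "$dir/ifcfg-eth1" eth1 141.85.130.103 255.255.255.0 || true
rm -r "$dir"
```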
Restarting the computer
For all these changes to take effect you can restart some services, or, more simply, restart your computer.
Please restart the computer from the Fedora menu, not from the computer’s power button.
4.3. IP forward
After booting, start the Konsole again by right-clicking on the desktop and choosing Konsole. Then give the command:
# mc
then the <Enter> key.
Change the directory with the command:
# cd /etc/rc.d
then the <Enter> key.
Now you have three files on screen, and the one of interest is rc.local. Select it and edit it with the <F4> key.
Add these two lines:
/sbin/route del -net 169.254.0.0 netmask 255.255.0.0 dev eth1
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
(Note the space between 1 and >: written as “1>” the shell treats it as a redirection of standard output and writes an empty line into ip_forward instead of the value 1.)
Don’t change other values.
After you have finished, press <F2> to save the modification, then the <Enter> key for the <SAVE> option.
4.4. Configure the squid proxy server
Change the directory again with the command:
# cd /etc/squid
then the <Enter> key.
Find and select the squid.conf file, then edit it with the <F4> key.
Now we have to change some configuration in this file, which is big enough that finding something is a little difficult. But, with patience, look for the section “INSERT YOUR RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS”, as in the next image.
Uncomment the row acl our_networks by deleting the “#” sign from the beginning of the row. Also, change the IP class after src to your class, which is 192.168.0.0/24.
Uncomment the next row, and your screen should look like the next image.
Don’t change other values.
After you have finished, press <F2> to save the modification, then the <Enter> key for the <SAVE> option.
We have finished configuring everything; exit Midnight Commander with the <F10> key and confirm with <Enter>. Close the Konsole with the combination Ctrl+D or with the exit command followed by <Enter>.
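As an added check (not part of the manual), the following script verifies the two edits of section 4.4 in a squid.conf. It assumes the stock file layout, where the row after the acl is http_access allow our_networks and the section ends with http_access deny all, and that clients use port 3128 as in section 4.5; the three configuration files it writes are constructed samples.

```shell
#!/bin/sh
# Added example, not the manual's own script: verify the squid.conf edits of
# section 4.4 plus one thing the manual leaves implicit: squid evaluates
# http_access lines in order, so "allow our_networks" must come BEFORE the
# "deny all" line that the stock file ends with, or clients stay denied.

# Print the uncommented lines of a squid.conf with whitespace normalised.
active_lines() {  # $1 = file
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]\{1,\}/ /g' "$1" | grep -v '^$' || true
}

# Check the ACL for the client network. Prints OK or the problems; returns 1 on problems.
check_squid_acl() {  # $1 = squid.conf path, $2 = expected client network (CIDR)
    rc=0
    lines=$(active_lines "$1")
    acl_src=$(echo "$lines" | sed -n 's/^acl our_networks src //p' | head -n 1)
    if [ -z "$acl_src" ]; then
        echo "acl our_networks is missing or still commented out"; rc=1
    elif [ "$acl_src" != "$2" ]; then
        echo "acl our_networks src is '$acl_src', expected $2"; rc=1
    fi
    allow_no=$(echo "$lines" | grep -n '^http_access allow our_networks$' | head -n 1 | cut -d: -f1)
    deny_no=$(echo "$lines" | grep -n '^http_access deny all$' | head -n 1 | cut -d: -f1)
    if [ -z "$allow_no" ]; then
        echo "http_access allow our_networks is missing or still commented out"; rc=1
    elif [ -n "$deny_no" ] && [ "$allow_no" -gt "$deny_no" ]; then
        echo "http_access allow our_networks comes after 'http_access deny all', so clients are still denied"; rc=1
    fi
    # http_port defaults to 3128 when the line is commented out.
    port=$(echo "$lines" | sed -n 's/^http_port //p' | head -n 1)
    [ "${port:-3128}" = "3128" ] || { echo "http_port is $port, but clients are told to use 3128"; rc=1; }
    [ "$rc" -eq 0 ] && echo OK
    return "$rc"
}

# Constructed samples that imitate the relevant block of squid.conf.
write_squid_samples() {  # $1 = directory
    # As shipped: both rows commented out.
    cat > "$1/squid.conf.stock" <<'EOF'
# INSERT YOUR RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
# And finally deny all other access to this proxy
http_access deny all
#http_port 3128
EOF
    # Edited as section 4.4 describes.
    cat > "$1/squid.conf.ok" <<'EOF'
# INSERT YOUR RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
acl our_networks src 192.168.0.0/24
http_access allow our_networks
# And finally deny all other access to this proxy
http_access deny all
http_port 3128
EOF
    # Wrong place: the allow row was added below "deny all" and never matches.
    cat > "$1/squid.conf.late" <<'EOF'
acl our_networks src 192.168.0.0/24
http_access deny all
http_access allow our_networks
EOF
}

# Stand-alone run over the three constructed files.
dir=$(mktemp -d); write_squid_samples "$dir"
for f in stock ok late; do
    echo "squid.conf.$f:"; check_squid_acl "$dir/squid.conf.$f" 192.168.0.0/24 || true
done
rm -r "$dir"
```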
Starting the squid and snmpd services
From the red hat menu select <System Settings>, then <Server Settings>, then the <Services> item.
Scroll the list on the left side of the screen until you find snmpd, select it, check the check box on the right and select the <Start> button in the upper-left of the screen.
Do the same with the squid item, three rows below.
After that, save the settings with the <Save> button in the upper-middle of the screen, then close the window.
Now your server is ready.
Plug the cable from your Internet Service Provider into the first network interface, and the second network adapter into the switch from which you deliver the Internet to the clients.
Success!
4.5. Set up your clients’ computers
Your client computers must be configured in two places.
Each client must have a unique IP delivered by you. The interval of IP numbers is between 192.168.0.2 and 192.168.0.255, meaning from 2 to 255. We recommend keeping a couple of IP numbers for possible future use, or even starting from 192.168.0.10.
Firstly, the network adapter (interface) on your client computers must be configured with:
IP address: 192.168.0.xxx, but be careful, do not give the 192.168.0.1 IP because it is your server address
Subnet mask: 255.255.255.0
Default gateway: 192.168.0.1
The second configuration is the proxy server in the web browser.
The address of the proxy is 192.168.0.1 and the port is 3128.
5. Testing the network
The command needed to test the network is ping. This command is described in detail in another lesson from this eEmployment package.
5.1. Test the network interface
The first test is of your two network interfaces.
Open the Konsole and give the command:
# ping 192.168.0.1 <Enter> key
then the second interface:
# ping <your gateway IP entered during the configuration of your Fedora Core 4 Server> <Enter> key
5.2. Test the other computer
After you have the cable connected between the switch and the computer and have made all the configuration described in the previous section, you can make a test.
The test can be made in both directions.
Once from the computer to the server with the command:
# ping 192.168.0.1 <Enter> key
Then, from the server to the computer:
# ping 192.168.0.xxx <Enter> (e.g. 192.168.0.10)
6. Firewall
6.1. Introduction to firewalls
Definition: a firewall is a system used to prevent malicious access from “outside” to the computers “inside”.
This is the simplest definition of a firewall. From the beginning you see that the firewall is created to make the difference between “inside” and “outside”. What do we mean by “inside”? A single computer, a small computer network, or more computers linked together in a LAN. And what is “outside”? Simply, this may be viewed as the rest of the world, more commonly known as the INTERNET, an unprotected network, a world of free data interchange. The firewall system monitors the network activity and filters incoming data packets as well as outgoing packets.
In more sophisticated wording, the firewall system implements the rules the machines abide by while interchanging data on the network. The firewall is the vital mechanism that grants or denies permission for data entities to pass through the network. In order to be effective, the firewall must be the single place where all data packets arrive, in a pipelined manner. These packets can be accepted and forwarded, or dropped. Dropped packets disappear: the attackers receive no answer and the server is not loaded with extra tasks.
In other words, we can say the firewall is the connection point between our network (the “inside”) and the others (the Internet).
In each network a security policy is established, and through the firewall it is put to work.
In the following section you will discover the security rules and you will be able to implement your own security policies.
There are a few rules in internetworking connectivity.
The first rule is to write down everything you do. If you establish a new rule, write down what it is, when you apply it, what its purpose is, and how you test the effects of the rule.
Always start your work by setting simple and general rules. Test the effects of these rules. If the results are satisfactory, then you can go to the next step and set a new security rule.
Set security rules only if they are strictly necessary. If you have a “big tree” of security rules you can’t see the fruits!
Don’t block your traffic with a new rule! Save and write down the last good working configuration of your machine. Set up the new rule and after that test it. If possible, test it thoroughly. If this last modification is good, make a log of what you did and keep it updated.
Use a book to record your daily activities in this field.
Review your records from time to time and notice whether there are mismatches between how you want the computers of your LAN to work and the real situation.
It is better to know when something is working well; some users don’t see it, and they try to improve the situation. I’m talking about your colleagues eager to “help you out”. This is another subject and it may be defined as “internal security”: within an organization or working group there should be only one entity in charge of and accountable for security issues.
If you don’t have or can’t implement a single firewall for your network, it is recommended to implement firewall rules on each machine of the LAN.
Understanding the difference between firewall and security
At this moment you can make the difference between the firewall system and the security system. The firewall implements part of the security rules, especially those focused on network traffic. The rules implemented in the firewall mechanism are set for a long time period and are invisible to internal and, especially, external network users.
This lesson shows how to protect your computers in the internetworking environment. Any computer must be linked to other computers, but at any time you must know how to avoid being the victim of hackers’ activities or the deadly attacks of the crackers. After taking this lesson you will be able to implement and set up your own firewall.
You must know that a “hacker” is a creative person, like a dreamer in art, but his art is in computer land. A “cracker” is not a very nice person; his target is always to destroy. Lately we can see a new generation of pseudo-crackers: young persons without real crackers’ skills, but with a lot of tools that may automatically destroy the security of your computer.
6.2. Firewall’s services
Fig.2.1 Using a “firewall” with routing function or a separate “router”
In a modern network the role of an elementary firewall can be played by a router, which filters network packets (at the transport and network layers of the OSI model). A more complete firewall can be implemented in a gateway, which operates at the application layer of the OSI model and can filter information.
From figure 2.1 you must understand that the firewall should be placed between the protected network of an organization and the external network, which could be hostile. All traffic between the two networks is carried through the firewall. From this point on you must know that all protected networks have a firewall incorporated.
Different situations are possible because of differences between communication protocols. So, in our network we can use the SPX/IPX protocol while the external network uses TCP/IP. In this situation we have an asymmetric firewall that works like a relay. On one side it accepts packets in SPX/IPX format; after receiving a packet it strips the application, transport and network layer information of the ISO/OSI model and takes only the payload. After this, it packs the information back again with application, transport and network layer information for the TCP/IP protocol. We can say that there are two groups of functions for a firewall:
- filtering the information passing through the firewall;
- mediating the implementation of internetworking actions.
Depending on the firewall type, these functions can be performed to different degrees. Simple firewalls are oriented to execute only one of these functions. As a little conclusion, we may say that complete and accurate control requires a complex firewall that must be able to analyze and use the following items:
- information on the connection (this could be information from all layers of the ISO/OSI model that are implemented, if possible from all seven layers);
- history of the connection (it must store information about the previous connections);
- status at the application level (information collected from other applications; for example, the user authenticated at the current moment can be given the rights of access through a firewall only for authorized sorts of tools);
- aggregating all items.
A device similar to a firewall can also be used for the protection of an individual computer. In this case we have a firewall installed on the protected computer. We shall see this in the Windows environment.
Protecting your computer
The first step in protecting a computer is to identify the tasks to be executed on the machine and the persons who have the right to launch programs on this computer. At the appropriate moment we will learn about computer users and their specific access rights given by their membership in specified groups.
So, one must understand the grouping policies that are implemented in the kernel of the operating system. You must know that the policies and rules designed to protect your computer are similar to those implemented on any other computer. On the other hand, these rules are different in the Microsoft environment and in the Open Source/Linux environment.
The firewall is a special mechanism which is strictly dependent on the operating system. If you want to link a computer to other computers you must activate the firewall rules. You must choose the right rules to protect the activities on those computers.
Separating the computers of your LAN from the INTERNET
The most important service provided by a firewall mechanism is to separate the computer from the outside world. At any moment, the firewall receives messages from the network device and makes fast decisions on forwarding or dropping them. So, behind the closed door we can hear what is happening outdoors, and if the message is acceptable the firewall will open the door. Also, if a message tries to go out without permission to travel on the net, the firewall won’t open the door, and if it is correctly set up you will always know all about the unauthorized penetration attempts in either direction.
Fig.2.2a Any computer must have its own firewall system when it is connected to the INTERNET
Fig.2.2b A LAN must have a dedicated computer called “server” where the “firewall” system with specific security rules is implemented
You can understand an internetworking situation by looking at figure 2.3.
Fig.2.3 This is a little part of the internetworking world (including the INTERNET)
6.3. Firewall in Linux operating systems
In Linux, the firewall rules are not set up from the very beginning as happens with Windows XP. You must activate some daemons that protect your computer. If you connect your computer to the INTERNET without setting up your own firewall rules, it is as if you left the doors of your own house wide open and took a little trip to Monte Carlo, forgetting everybody and everything. Of course, after coming back you will probably have to purchase a new house. Do you know why? Because you’ll find all the doors closed, somebody else will be living there, and that intruder won’t leave his new property.
So, we must draw a line of defense between us and the unknown. Starting from this point, we will view the firewall as a bastion of defense which is really important for protecting your system.
Passwords are an important and the first instrument of security on any system. From the beginning you have met and discovered passwords. Any really important task on the computer asks you for a password. Any time the system gives you the possibility to set up a password, you must use it.
The password must be selected with care and must be a “new word”, as in the next examples:
The PASSWORD      How to remember it?!
MoCh10Y!          My old Car have 10 year !
MiMNgASiBL%!      Mary is My New girlfriend And She is Blonde 100%!
Certainly you may be more creative and use secret sentences (probably longer); nobody knows what is in your mind.
To change the password of a user “Lily” you can use the next syntax:
cristi@mpt cristi> passwd lily <enter>
…
After this the system will ask Lily to enter her password twice (the second time for confirmation). You can force Lily to change the password from time to time, e.g. 4 days. So, type the next sentence:
cristi@mpt cristi> chage -W 4 lily
Next time Lily logs on to the system, it will prompt her:
Warning: your password will expire in 4 days
If Lily will operate on the system until 30 June 2005, it is better to specify this as in the next example:
cristi@mpt cristi> chage -M 20 -W 5 -E 30/06/2005 lily <enter>
In these conditions, Lily must change the password every 20 days and her password also expires on 30 June 2005. Additionally, the system will prompt Lily 5 days earlier to change her password.
The passwords are stored in a “shadow” file to which only the “root user” has access. For a cracker it is important to have a copy of your passwords, so don’t leave the password files in public places. If you use the shadow file (e.g. /etc/shadow), the password file will be displayed like this:
cristi@mpt cristi> more /etc/passwd <enter>
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
.
.
.
lily:x:450:150:Liliana Ionescu:/home/lily:/bin/sh
.
To learn more about these commands you can use man and the name of the command you need (e.g. man chage <enter>).
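To see what the chage options above actually store, here is an added example (not from the manual): it builds a shadow line for Lily with the values -M 20 -W 5 -E 30/06/2005 and a last password change on 2005-06-01 (a constructed line with a dummy hash), and reproduces the decision login makes from the ageing fields. The date-to-days helper is my own, written without date(1) so the script behaves the same on any system.

```shell
#!/bin/sh
# Added example, not part of the manual: the ageing fields that chage -M, -W
# and -E write into /etc/shadow, and what login concludes from them.

# Days since 1970-01-01 for a YYYY-MM-DD date (days-from-civil algorithm,
# proleptic Gregorian calendar, years after 0 only).
days_from_civil() {  # $1 = YYYY-MM-DD
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    m=${m#0}; d=${d#0}                       # "08" would be read as octal
    [ "$m" -le 2 ] && y=$((y - 1))           # the year starts in March here
    era=$(( y / 400 ))
    yoe=$(( y - era * 400 ))
    doy=$(( (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# Fields of a shadow line: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg and expire are days since 1970-01-01; an empty field means "not set".
shadow_field() { echo "$1" | cut -d: -f"$2"; }

# What login would conclude for this shadow line on day $2 (days since epoch):
#   "account expired"   the -E date has been reached (checked first, as login does)
#   "password expired"  more than -M days have passed since the last change
#   "warn N"            N days left and N <= the -W value
#   "ok N"              N days left ("ok -" when no maximum is set)
password_status() {  # $1 = shadow line, $2 = today in days
    lastchg=$(shadow_field "$1" 3); maxd=$(shadow_field "$1" 5)
    warn=$(shadow_field "$1" 6);    expire=$(shadow_field "$1" 8)
    if [ -n "$expire" ] && [ "$2" -ge "$expire" ]; then
        echo "account expired"; return 0
    fi
    if [ -z "$maxd" ] || [ "$maxd" -lt 0 ] || [ "$maxd" -ge 99999 ]; then
        echo "ok -"; return 0
    fi
    left=$(( lastchg + maxd - $2 ))
    if [ "$left" -lt 0 ]; then
        echo "password expired"
    elif [ -n "$warn" ] && [ "$left" -le "$warn" ]; then
        echo "warn $left"
    else
        echo "ok $left"
    fi
}

# Constructed sample: last change 2005-06-01 and chage -M 20 -W 5 -E 30/06/2005.
sample_shadow_line() {
    lastchg=$(days_from_civil 2005-06-01)
    expire=$(days_from_civil 2005-06-30)
    echo "lily:"'$1$dummy$notarealhash'":$lastchg:0:20:5::$expire:"
}

# Stand-alone run: what Lily sees on a few days of June 2005.
for day in 2005-06-02 2005-06-17 2005-06-25 2005-06-30; do
    echo "$day: $(password_status "$(sample_shadow_line)" "$(days_from_civil "$day")")"
done
```

On 2005-06-17 the output is "warn 4", the situation behind the manual's "Warning: your password will expire in 4 days".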
Another important way to protect your computer is to use filtering mechanisms. The most important filtering mechanisms are the firewall system and the proxy servers. The following section explains very simply how to use the firewall mechanism.
IPFWADM
In Linux 2.0.x you will work with ipfwadm, the IP firewall administration tool. If you have an older computer, do not throw it away. With a Linux 2.0.x kernel you can put it to good use.
The configuration options you will need to set for the 2.0-series kernel are:
CONFIG_EXPERIMENTAL=y
CONFIG_FIREWALL=y
CONFIG_IP_FIREWALL=y
CONFIG_IP_FIREWALL_CHAINS=y
IPCHAINS
You need a kernel which has the new IP firewall chains in it, like the Linux 2.1.x or Linux 2.2.x kernels. You can tell if the kernel you are running right now has this facility by looking for the file `/proc/net/ip_fwchains'. If it exists, you're in. If not, you need to “make” a kernel that has IP firewall chains. First, download the source of the kernel you want. If you have a kernel numbered 2.1.102 or higher, you won't need to patch it (it's in the mainstream kernel now). Otherwise, apply the patch from the web page listed above, and set the configuration as detailed below. If you don't know how to do it, don't panic -- read the Kernel-HOWTO.
For the 2.1 or 2.2 series kernels:
CONFIG_FIREWALL=y
CONFIG_IP_FIREWALL=y
The tool ipchains talks to the kernel and tells it what packets to filter. Unless you are a programmer, or overly curious, this is how you will control the packet filtering. The ipchains tool inserts and deletes rules in the kernel's packet filtering section. This means that whatever you set up will be lost upon reboot; for that reason you must follow the option “Making Rules Permanent”, so that the rules are restored the next time Linux is booted.
Ipchains replaces ipfwadm, which was used for the old IP Firewall code.
The package contains a shell script called ipfwadm-wrapper which allows you to do packet filtering as it was done before. You probably shouldn't use this script unless you want a quick way of upgrading a system which uses ipfwadm.
It is important to make your own rules permanent and set them up in the firewall system. Your current firewall setup is stored in the kernel, and thus will be lost on reboot. We recommend using the “ipchains-save” and “ipchains-restore” scripts to make your rules permanent. To do this, set up your rules, then run (as root):
cristi@mpt cristi> ipchains-save > /etc/ipchains.rules
Create a script like the following (with any text editor like “vi”):
#! /bin/sh
# Script to control packet filtering.

# If no rules, do nothing.
[ -f /etc/ipchains.rules ] || exit 0

case "$1" in
    start)
        echo -n "Turning on packet filtering:"
        /sbin/ipchains-restore < /etc/ipchains.rules || exit 1
        echo 1 > /proc/sys/net/ipv4/ip_forward
        echo "."
        ;;
    stop)
        echo -n "Turning off packet filtering:"
        echo 0 > /proc/sys/net/ipv4/ip_forward
        /sbin/ipchains -F
        /sbin/ipchains -X
        /sbin/ipchains -P input ACCEPT
        /sbin/ipchains -P output ACCEPT
        /sbin/ipchains -P forward ACCEPT
        echo "."
        ;;
    *)
        echo "Usage: /etc/init.d/packetfilter {start|stop}"
        exit 1
        ;;
esac
exit 0
Make sure this is run early in the booting procedure.
IPTABLES
Netfilter and iptables are the building blocks of a framework inside the Linux 2.4.x and 2.6.x kernels. This framework enables packet filtering, network address [and port] translation (NAT or NAPT) and other packet mangling.
Netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that traverses the respective hook within the network stack.
Iptables is a generic table structure for the definition of rule sets. Each rule within an IP table consists of a number of classifiers (iptables matches) and one connected action (iptables target).
Netfilter, iptables and the connection tracking as well as the NAT subsystem together build the whole framework.
The most important features that are implemented with iptables are:
• packet filtering for IPv4 and IPv6
• all kinds of network address and port translation (NAT/NAPT)
• flexible and extensible infrastructure with multiple layers of APIs for 3rd party extensions
By using the iptables facilities you can:
• build Internet firewalls based on packet filtering;
• use NAT and masquerading for sharing Internet access if you don't have enough public IP addresses;
• use NAT to implement transparent proxies;
• aid the tc and iproute2 systems used to build sophisticated QoS and policy routers;
• do further packet manipulation (mangling) like altering the TOS/DSCP/ECN bits of the IP header.
The iptables program is newer than the ipchains or ipfwadm programs, so we shall show exactly how to set up iptables. The common application you will meet is to connect (and necessarily to protect) a local network to the INTERNET (another network). See figure 1 to understand the situation. If you don’t have enough public IP addresses you will use private IP addresses (e.g. 192.168.0.0, 192.168.0.31 and so on). To solve this situation you must make a translation of IP addresses from the private addresses to the public IP address and from the public one to the private ones.
The first step to forward messages between your LAN and the INTERNET is to modify a line in the “/etc/sysctl.conf” file:
cristi@mpt cristi> vi /etc/sysctl.conf<enter>
# Kernel sysctl configuration file for Mandrakelinux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding [HERE IS THE LINE WHERE YOU MUST CHANGE]
net.ipv4.ip_forward = 0
# Disables IP dynaddr
net.ipv4.ip_dynaddr = 0
# Disable ECN
net.ipv4.tcp_ecn = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Controls the System Request debugging functionality of the kernel
#kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
# If you set this variable to 1 then cd tray will close automatically when the
# cd drive is being accessed. Setting this to 1 is not advised as it has been
# known to cause problems when supermount is enabled.
dev.cdrom.autoclose=0
# removed to fix some digital extraction problems
# dev.cdrom.check_media=1
# to be able to eject via the device eject button (magicdev)
dev.cdrom.lock=0
net.ipv4.icmp_ignore_bogus_error_responses=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_echo_ignore_all=0
net.ipv4.conf.all.log_martians=1
kernel.sysrq=1
.
Find the line “net.ipv4.ip_forward = 0” and change the “zero” to “one”, like “net.ipv4.ip_forward = 1”. Save your change (with <ctrl>+: and wq, write and quit the file). Now the system is able to forward packets. To activate your iptables firewall it is necessary to run:
cristi@mpt cristi> /etc/init.d/iptables start<enter>
If you save your rules in the “/etc/sysconfig/iptables” file, any time your system starts the firewall will also be active.
In this lesson we don’t explain all the rules, but we shall give you a very good example that you can use. Understanding this example is a second step to really protecting your computers. This example implements the situation from figure 1.
Fig.3.1 This is an example of how a LAN is connected to the INTERNET with the firewall filtering all traffic
cristi@mpt cristi> vi /etc/sysconfig/iptables<enter>
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Fig.3.2 IPTABLES file made by the operating system Fedora Core 3 from the beginning…
So, figure 3.2 presents an automatic iptables file made by the system. Figure 3.3 presents another style of iptables file, and you can compare these two files. In practice it is better to have your own “style”. You must understand the real situation of the network and build this file step by step.
# every line that has the “#” character in first position is a comment, for understanding or explanation
# every line that does not have the “#” character in first position is a command and must be included in the iptables file
# in this example you must have in mind figure 3.1
# our policy is to DROP any message
#
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#
# at this moment all the traffic is blocked. No traffic. No packet comes and no packet goes!
# Let us open the “filtering pipe” a little bit
# First step: define a chain for accepted TCP packets
#
iptables -N ok
iptables -A ok -p TCP --syn -j ACCEPT
iptables -A ok -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A ok -p TCP -j DROP
#
# only TCP packets of connections already established or related, and “syn” packets, are accepted
# it is time to set up the chains of the firewall: INPUT, OUTPUT, FORWARD and POSTROUTING
# second step: setting up the INPUT chain
#
iptables -A INPUT -p ALL -i eth0 -s 192.168.0.1/8 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 123.45.54.213 -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -d 192.168.0.255 -j ACCEPT
#
# note: a source address needs the -s option, and 192.168.0.1/8 matches the whole 192.0.0.0/8 range,
# while the laboratory LAN is only 192.168.0.0/24
# with the above lines the traffic initiated by the local interface, the inside or outside Ethernet interfaces and broadcasts is accepted
# but it is necessary to establish what to do with the traffic coming from the INTERNET
# so, the firewall will accept only the TCP traffic of already established and related connections made by the users of your network
#
iptables -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -d 123.45.54.213 -j ACCEPT
#
# third step: establish the rules for TCP packets
#
iptables -A INPUT -p TCP -i eth1 -s 0/0 --destination-port 21 -j ok
iptables -A INPUT -p TCP -i eth1 -s 0/0 --destination-port 22 -j ok
iptables -A INPUT -p TCP -i eth1 -s 0/0 --destination-port 80 -j ok
iptables -A INPUT -p TCP -i eth1 -s 0/0 --destination-port 110 -j ok
#
# the accepted ports are the standard ones for web applications that you already know
#
iptables -A INPUT -p UDP -i eth1 -s 0/0 --destination-port 53 -j ACCEPT
iptables -A INPUT -p UDP -i eth1 -s 0/0 --destination-port 531 -j ACCEPT
iptables -A INPUT -p UDP -i eth1 -s 0/0 --destination-port 2053 -j ACCEPT
iptables -A INPUT -p UDP -i eth1 -s 0/0 --destination-port 32323 -j ACCEPT
#
# the firewall accepts the standard port 53 and 3 other ports for specific applications (e.g. DanteHD listens and accepts
# connections on port 32323)
# fourth step: ICMP rules
#
iptables -A INPUT -p ICMP -i eth1 -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p ICMP -i eth1 -s 0/0 --icmp-type 10 -j ACCEPT
#
# fifth step: FORWARDing rules
# it is important to make packets move through the firewall
#
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# sixth step is to open the OUTPUT chain
#
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 123.45.54.213 -j ACCEPT
#
# the last step is to do the routing for your network and translate the internal addresses to the external address
# this process is the POSTROUTING chain of the nat table
#
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 123.45.54.213
Figure 3.3 IPTABLES file with a personal style of firewall rules
In this example SNAT (Source Network Address Translation) is used because a static IP address is present for the connection with the INTERNET. If the firewall is a client of another network where a dynamic protocol gives the addresses, it is necessary to use the MASQUERADE target:
# IP address given by a DHCP server
#
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
#
It is possible to have another computer offering the INTERNET services like Web, FTP or DNS, not the same computer where the packets are filtered. In this case it is necessary to specify the address of the server:
iptables -t nat -A PREROUTING -p tcp -d 198.168.0.1 --dport 80 -j DNAT --to-destination 192.168.0.3
For using an intermediary firewall (filtering options on squid, samba and other servers) it is necessary to prevent sending the packets directly to the firewall; they must be redirected to these special servers by the destination port:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
It is possible to observe at this moment that the protection of the network is an important task, but it consumes a lot of time. The art is to use a limited number of lines in the filtering process but to keep the system safe.
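The listing of Fig. 3.3 is a sequence of iptables commands, while the /etc/sysconfig/iptables file mentioned above is read by iptables-restore in the format of Fig. 3.2. As an added example, not the manual's own file, the script below generates the same kind of policy (DROP policies, the ok chain, per-port openings, SNAT or MASQUERADE) in that format from variables; the defaults eth0/eth1, 192.168.0.0/24 and 123.45.54.213 are the manual's example values and must be replaced with your own, and the port lists are reduced to the TCP services and DNS of Fig. 3.3. It also checks that every -j target names a declared chain, the most common reason a pasted file is rejected.

```shell
#!/bin/sh
# Added example, not the manual's own listing: the Fig. 3.3 policy as an
# iptables-restore file built from a few variables, so the rules can be kept in
# /etc/sysconfig/iptables (loaded by "/etc/init.d/iptables start") instead of
# being typed as commands and lost at the next reboot.
# Defaults are the manual's example values; override them from the environment.

LAN_IF=${LAN_IF:-eth0}                  # towards the clients
WAN_IF=${WAN_IF:-eth1}                  # towards the Internet Service Provider
LAN_NET=${LAN_NET:-192.168.0.0/24}
LAN_IP=${LAN_IP:-192.168.0.1}           # the server's own LAN address
WAN_IP=${WAN_IP:-123.45.54.213}         # public address used in Fig. 3.3
TCP_PORTS=${TCP_PORTS:-"21 22 80 110"}  # services reachable from outside
UDP_PORTS=${UDP_PORTS:-53}

# filter table: everything DROPped by default, then the openings of Fig. 3.3.
# In this format there is no leading "iptables", the table name is lower case
# and every option uses plain ASCII hyphens; each of these breaks a pasted file.
filter_table() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:ok - [0:0]
-A ok -p tcp --syn -j ACCEPT
-A ok -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A ok -p tcp -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -d $WAN_IP -j ACCEPT
EOF
    for p in $TCP_PORTS; do echo "-A INPUT -p tcp -i $WAN_IF --dport $p -j ok"; done
    for p in $UDP_PORTS; do echo "-A INPUT -p udp -i $WAN_IF --dport $p -j ACCEPT"; done
    cat <<EOF
-A INPUT -p icmp -i $WAN_IF --icmp-type echo-request -j ACCEPT
-A FORWARD -i $LAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s $LAN_IP -j ACCEPT
-A OUTPUT -s $WAN_IP -j ACCEPT
COMMIT
EOF
}

# nat table: SNAT to the fixed public address (Fig. 3.3) or MASQUERADE when the
# ISP assigns the address by DHCP (the manual's second variant).
nat_table() {  # $1 = static | dhcp
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
EOF
    if [ "$1" = dhcp ]; then
        echo "-A POSTROUTING -o $WAN_IF -j MASQUERADE"
    else
        echo "-A POSTROUTING -o $WAN_IF -j SNAT --to-source $WAN_IP"
    fi
    echo COMMIT
}

# The complete file. Usage: ruleset [static|dhcp] > /etc/sysconfig/iptables
ruleset() { filter_table; nat_table "${1:-static}"; }

# Self-check before loading: every "-j <target>" must be a built-in target or a
# chain declared with ":<name>" in the same table, otherwise iptables-restore
# aborts with "No chain/target/match by that name". Prints the missing names.
undefined_targets() {  # reads a ruleset on stdin
    awk '/^\*/ { split("", chains) }
         /^:/  { sub(/^:/, ""); sub(/ .*/, ""); chains[$0] = 1; next }
         /^-A/ { for (i = 1; i < NF; i++)
                   if ($i == "-j" && !($(i+1) in chains) &&
                       $(i+1) !~ /^(ACCEPT|DROP|REJECT|RETURN|SNAT|DNAT|MASQUERADE|REDIRECT|LOG)$/)
                       print $(i+1) }'
}

# Stand-alone run: print the file and report undefined targets (none expected).
ruleset
missing=$(ruleset | undefined_targets)
[ -z "$missing" ] && echo "# self-check: all targets defined" || echo "# undefined: $missing"
```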
6.4. Firewall in Windows operating systems
6.4.1. Introduction to the Windows environment
The firewall rules included in the versions of the Windows operating system were implemented and improved along the different stages of the operating system’s evolution. As an example, “Windows Firewall” is a replacement for the Internet Connection Firewall (ICF) of the previous versions of Windows XP.
The firewall system is an important component of the operating system that works like a host-based firewall and provides the following facilities:
- discards unsolicited incoming traffic
- provides a level of protection for computers against malicious users or programs
In order to provide better protection for computers connected to a network (such as the Internet or a LAN, which can be either a little home network or a larger organization network), Windows XP with Service Pack 2 (SP2) enables Windows Firewall on all network connections by default. In figure 1, “Network Connections”, three different network connections that have firewall rules activated are shown. As mentioned above, this setting is the default. This is signaled to the user by the lock in the upper-right corner of each icon. The lock disappears as soon as the firewall rules are de-activated by the user. We urge the readers not to try this at home. Beware that by de-activating the firewall rules for a connection in the picture below, de-activation of the firewall rules for all the other connections will take place as well. As a result, you would place your system at risk.
Figure 1. Network connection
Network administrators can use the Windows Firewall INF file (Netfw.inf) to modify default settings either while installing the operating system or after installation. In this lesson we describe the best way of using the Windows Firewall INF file.
6.4.2. Using Windows Firewall
6.4.2.1. EXAMPLE: Setting up the firewall in Windows XP
In Windows XP SP2 (Service Pack 2, which is available on the Microsoft web site and can be downloaded from
http://www.microsoft.com/download if it is not already installed on your computer), Windows Firewall has many new
features, including the following:
Enabled by default for all the connections of the computer
New global configuration options that apply to all connections
New set of dialog boxes for local configuration
New operating mode
Startup security
Excepted traffic can be specified by scope
Excepted traffic can be specified by application filename
Built-in support for Internet Protocol version 6 (IPv6) traffic
New configuration options with Group Policy
In the left part of the previous figure you can see a column of “Network Tasks”, from which you may
select “Change Windows Firewall Settings” (the third entry in this column). Its thumbnail, a red wall in front
of a globe, suggests “the firewall options”. If you click on it, a window with the
title “Windows Firewall” is displayed on your screen (see figure 2).
Figure 2. “Windows Firewall”, the starting point for setting up the firewall
From this point you can configure the firewall on your machine. You can also reach “Windows Firewall”
from the “Control Panel”, where the same thumbnail appears at the bottom of the window, as in
figure 3.
Figure 3. “Control Panel” window frame
Also, if you are setting up a local network connection as in figure 5a, you may select the “Advanced” tab (see
fig. 5b) and start setting up your firewall rules from there.
(a) All connections on your system
(b) Start to set up a firewall for a selected connection
Figure 5. Setting up your network connections
Select the “Advanced” tab (at the top of the left picture, fig. 5a); the dialog on the right side
(fig. 5b) is then displayed on your screen, from which you may select “Settings…” to protect your computer with the firewall
facilities included in the operating system.
The settings for ICF in Windows XP with SP1 and Windows XP with no service packs installed consist of a single
checkbox (the Protect my computer and network by limiting or preventing access to this computer from the Internet check
box on the Advanced tab of the properties of a connection) and a Settings button from which you can configure excepted
traffic, logging settings, and allowed ICMP traffic.
The Windows Firewall dialog box (fig.6) contains three tabs:
• General
• Exceptions
• Advanced
The General tab with its default settings is shown in the following figure 6.
From the General tab, you may select the following:
• On (recommended). Select to enable Windows Firewall for all of the network connections that are selected on the
Advanced tab. Windows Firewall is enabled to allow only solicited and excepted incoming traffic. Excepted
traffic is configured on the Exceptions tab. Notice that the default setting for Windows Firewall is On
(recommended) for all the connections of a computer running Windows XP with SP2 and for newly created
connections. This can impact the communications of programs or services that rely on unsolicited incoming
traffic. In this case, you must identify those programs that are no longer working and add them or their traffic as
excepted traffic. Many programs, such as Internet browsers and email clients (such as Outlook Express), do not
rely on unsolicited incoming traffic and operate properly with Windows Firewall enabled.
• Don’t allow exceptions. Click to allow only solicited incoming traffic. Excepted incoming traffic is not allowed.
The settings on the Exceptions tab are ignored and all of the network connections are protected, regardless of the
settings on the Advanced tab.
• Off (not recommended). Select to disable Windows Firewall. This is not recommended, especially for network
connections that are directly accessible from the Internet, unless you are already using a third-party host firewall
product.
Figure 6. General settings of Windows Firewall
If you are using Group Policy to configure Windows Firewall for computers running Windows XP with SP2, the
Group Policy settings you configure might not allow local configuration. In this case, the options on the General tab and the
other tabs might be grayed out and unavailable, even when you log on with an account that is a member of the local
Administrators group (a local administrator). Group Policy-based Windows Firewall settings allow you to configure a
domain profile (a set of Windows Firewall settings that are applied when you are attached to a network that contains
domain controllers) and a standard profile (a set of Windows Firewall settings that are applied when you are attached to a
network that does not contain domain controllers, such as the Internet). You can determine which profile is in effect from
the text in the lower part of the General tab. If the text displayed is “Windows Firewall is using your domain settings,” the
domain profile is in effect. If the text displayed is “Windows Firewall is using your non-domain settings,” the standard
profile is in effect.
The configuration dialog boxes only display the Windows Firewall settings of the currently applied profile. To
view the settings of the profile that are not currently applied, use netsh firewall show commands. To change the settings of
the profile that are not currently applied, use netsh firewall set commands. The Exceptions tab with its default settings is
shown in the following figure 7.
Figure 7. The Exceptions tab of Windows Firewall
From the Exceptions tab, you can enable or disable an existing program (an application or service) or port or
maintain the list of programs and ports that define excepted traffic. The excepted traffic is not allowed when the Don’t
allow exceptions option is selected on the General tab.
With Windows XP with SP1 and Windows XP with no service packs installed, you could define the excepted
traffic only in terms of Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports. With Windows XP
with SP2, you can define excepted traffic in terms of TCP and UDP ports or by the file name of a program (an application
or service). This configuration flexibility makes it easier to configure excepted traffic when the TCP or UDP ports of the
program are not known or are dynamically determined when the program is started, as shown in the next figure.
There is a set of predefined programs, which includes:
• File and Print Sharing
• Remote Assistance (enabled by default)
• Remote Desktop
• UPnP framework
These predefined exceptions can be disabled, but not deleted. If allowed by Group Policy, you can create
additional exceptions based on specifying a program name by clicking “Add Program…” and exceptions based on
specifying a TCP or UDP port by clicking “Add Port…” When you click “Add Program…”, the Add Program dialog box
is displayed, from which you can select a program or browse for a program’s file name. An example is shown in figure 8
(a).
(a) Adding a new program in firewall rules
(b) Allowing a new port in firewall rules
Figure 8. Changing the scope in firewall
When you click Add Port, the Add a Port dialog box is displayed, from which you can configure a TCP or UDP
port. An example is shown in figure 8 (b). In this case the stations on your network know to connect to a server
(running the application DanteHD) on port 32323. Other stations cannot connect to the specified port because
they “do not know” it. Certainly, there may be malicious activity on the network: somebody may scan the ports
and find that 32323 is an open port, but they still cannot use the DanteHD server unless they are a client of the
server. They might try the UDP protocol, but on this port only TCP is allowed.
The new Windows Firewall allows you to specify the scope of excepted traffic. The scope defines the portion of
the network from which the excepted traffic is allowed to originate. You may define the scope for any program or selected
port by clicking “Change Scope”; a window with the title “Change Scope” is then displayed on the screen. An example is
shown in figure 9.
Figure 9. New rule for excepted traffic
You have three options when defining the scope for a program or a port:
• Any computer (including those on the Internet). This option allows network traffic from any IPv4 or IPv6
address. You must know that this setting might make your computer vulnerable to attacks from malicious users or
programs from the Internet.
• My network (subnet) only. This option allows network traffic from IPv4 or IPv6 addresses that are directly
reachable by your computer. Windows Firewall determines whether the source IPv4 or IPv6 address of the
incoming packet is directly reachable by querying the IPv4 and IPv6 routing tables. The set of addresses
considered directly reachable depends on the contents of your IPv4 and IPv6 routing tables. For example, for a
computer that is only directly connected to a private home network, the set of directly reachable unicast
addresses is confined to those that match the IPv4 network ID of the private subnet. If the network connection is
configured with an IPv4 address of 192.168.0.21 with a subnet mask of 255.255.255.0, the configured excepted
traffic is only allowed from IPv4 addresses in the range 192.168.0.0 to 192.168.0.255. As another example, for a
computer that is directly connected to both a private home network and the Internet through a cable modem, the
set of directly reachable unicast addresses is those that match either the network ID of the private subnet
or the cable modem provider subnet. For example, if the private network connection is configured with an IPv4
address of 192.168.0.1 and a subnet mask of 255.255.255.0 and the cable modem connection is configured with an
IPv4 address of 84.247.80.1 and a subnet mask of 255.255.255.0, the configured excepted traffic received by
either network connection is allowed from IPv4 addresses in the ranges from 192.168.0.0 to 192.168.0.255 and
from 84.247.80.0 to 84.247.80.255.
• Custom list. You can specify one or more IPv4 addresses or IPv4 address ranges separated by commas. These IPv4
address ranges typically correspond to subnets. You cannot specify a custom list for IPv6 traffic.
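The three scopes above, modeled as an added example that is not part of the original guide: it reproduces the decision Windows Firewall makes for an incoming packet that matches an enabled exception, using the guide's own addresses. The list of interface addresses standing in for the routing tables and the address or address/mask syntax of the custom list are assumptions made for this example.

```python
"""Model of the three Windows Firewall (XP SP2) exception scopes.

Added example, not from the original guide. The interface list that stands
in for the IPv4/IPv6 routing tables and the custom-list syntax (address or
address/mask, comma separated) are assumptions made for this example.
"""
import ipaddress

# Scope names as they appear in the "Change Scope" dialog
ANY = "any"          # Any computer (including those on the Internet)
SUBNET = "subnet"    # My network (subnet) only
CUSTOM = "custom"    # Custom list (IPv4 only)


def directly_reachable(interfaces):
    """Return the networks a host treats as directly reachable.

    'interfaces' is a list of "address/mask" strings, one per configured
    connection (constructed input standing in for the routing tables).
    """
    return [ipaddress.ip_interface(i).network for i in interfaces]


def parse_custom_list(text):
    """Parse the comma-separated custom list; IPv4 only, as in the dialog."""
    nets = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        net = ipaddress.ip_network(item, strict=False)
        if net.version != 4:
            raise ValueError("custom lists cannot contain IPv6: %s" % item)
        nets.append(net)
    return nets


def scope_allows(scope, src_ip, interfaces=(), custom_list=""):
    """Decide whether an enabled exception admits traffic from src_ip."""
    src = ipaddress.ip_address(src_ip)
    if scope == ANY:
        return True                      # every IPv4/IPv6 source is allowed
    if scope == SUBNET:
        # allowed only if the source lies on a directly reachable network;
        # 'in' is False when the address and network families differ
        return any(src in net for net in directly_reachable(interfaces))
    if scope == CUSTOM:
        if src.version != 4:
            return False                 # no custom scope exists for IPv6
        return any(src in net for net in parse_custom_list(custom_list))
    raise ValueError("unknown scope: %s" % scope)
```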
Before enabling any exception, carefully consider whether the exception is needed at all. Every enabled exception
exposes your computer to attack, regardless of the scope. There is no way to guarantee invulnerability once the exception is
enabled.
When you configure and enable an exception, you are instructing the Windows Firewall to allow specific
unsolicited incoming traffic sent from the specified scope: from any address, from a directly reachable address, or from a
custom list. For any scope, enabling an exception makes the computer vulnerable to attacks based on incoming unsolicited
traffic from computers that are assigned the allowed addresses and from malicious computers that spoof traffic. There is no
way to prevent spoofed attacks from the Internet on connections assigned public IPv4 addresses, except to disable the
exception. Therefore, you should very carefully consider and properly configure the scope of each Windows Firewall
exception to minimize the associated exposure.
Once the program or port is added, it is disabled by default in the Programs and Services list.
All of the programs or services enabled from the Exceptions tab are enabled for all of the connections that are
selected on the Advanced tab. The Advanced tab is shown in the following figure 10.
Fig.10 All settings for a network connection
The Advanced tab contains the following sections:
• Network Connection Settings
• Security Logging
• ICMP
• Default Settings
In Network Connection Settings, you can:
o Specify the set of interfaces on which Windows Firewall is enabled. To enable, select the check box next
to the network connection name. You can see in the previous figure that all the network connections are
selected. To disable, clear the check box. By default, all of the network connections have Windows
Firewall enabled, and our recommendation is to keep it enabled. If a network connection does not appear in
this list, then it is not a standard networking connection.
o Configure advanced settings of an individual network connection by clicking the network connection
name, and then clicking Settings, as you see in the previous figure.
Fig.11 Allowed services on your computer
If you clear all of the check boxes in the Network Connection Settings, then Windows Firewall is not protecting
your computer, regardless of whether you have selected On (recommended) on the General tab, because Windows has
no network connection on which to apply the firewall rules.
Fig.12 Setup the active port and protocol on the machine
The settings in Network Connection Settings are ignored if you have selected “Don’t allow exceptions” on the
“General” tab, in which case all interfaces are protected. When you click Settings, the Advanced Settings dialog box is
displayed, as shown in figure 10.
From the Advanced Settings dialog box, you can configure specific services from the Services tab (by TCP or
UDP port only) or enable specific types of ICMP traffic from the ICMP tab. These two tabs are equivalent to the settings
tabs for ICF configuration in Windows XP with SP1 and Windows XP with no service packs installed.
In “Security Logging”, click Settings to specify the configuration of Windows Firewall logging in the Log
Settings dialog box, as shown in the following figure 12.
Fig.12 Set up your security logging file
From the Log Settings dialog box, you can configure whether to log discarded (dropped) packets or successful
connections by selecting the desired option in the upper-left corner. You can also specify a name and a location for the log
file, for example “my_firewall.log” as in fig.12. Note that by default this option is set to Systemroot\pfirewall.log. You
can also specify the maximum size of the log file.
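A small reader for the log file configured above, as an added example that is not part of the original guide: it summarizes the dropped inbound packets per source and flags sources that probed several ports, the scanning activity the guide warns about. The log lines are constructed for this example and follow the “#Fields:” header layout of the XP SP2 log file; the OPEN records and the thresholds are assumptions made here.

```python
"""Summarise a Windows Firewall log (pfirewall.log).

Added example, not from the original guide. SAMPLE_LOG is constructed for
this example in the '#Fields:' layout written at the top of the XP SP2 log.
"""
from collections import defaultdict

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2006-05-10 14:02:11 OPEN TCP 192.168.0.33 192.168.0.21 1045 32323 - - - - - - - - -
2006-05-10 14:02:40 DROP TCP 84.247.80.9 192.168.0.21 3301 135 48 S 1872345 0 65535 - - - RECEIVE
2006-05-10 14:02:40 DROP TCP 84.247.80.9 192.168.0.21 3302 139 48 S 1872346 0 65535 - - - RECEIVE
2006-05-10 14:02:41 DROP TCP 84.247.80.9 192.168.0.21 3303 445 48 S 1872347 0 65535 - - - RECEIVE
2006-05-10 14:02:41 DROP TCP 84.247.80.9 192.168.0.21 3304 32323 48 S 1872348 0 65535 - - - RECEIVE
2006-05-10 14:02:41 DROP UDP 84.247.80.9 192.168.0.21 3305 32323 28 - - - - - - - RECEIVE
2006-05-10 14:05:02 DROP ICMP 192.168.0.50 192.168.0.21 - - 60 - - - - 8 0 - RECEIVE
2006-05-10 14:06:30 OPEN TCP 192.168.0.21 192.168.0.1 1046 80 - - - - - - - - -
"""


def parse_log(text):
    """Yield one dict per record, keyed by the names in the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue            # headerless or malformed line: skip, do not guess
        yield dict(zip(fields, parts))


def dropped_inbound_by_source(text):
    """Map source IP -> sorted distinct (protocol, dst-port) pairs dropped on receive."""
    hits = defaultdict(set)
    for rec in parse_log(text):
        if rec["action"] == "DROP" and rec["path"] == "RECEIVE":
            hits[rec["src-ip"]].add((rec["protocol"], rec["dst-port"]))
    return {ip: sorted(pairs) for ip, pairs in hits.items()}


def probable_scanners(text, min_ports=3):
    """Sources whose dropped packets touched at least min_ports distinct ports."""
    return sorted(ip for ip, pairs in dropped_inbound_by_source(text).items()
                  if len({port for _, port in pairs}) >= min_ports)
```

The dropped ICMP type 8 record is an echo request, which the default settings discard as described in the ICMP section below.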
In ICMP, click Settings to specify the types of ICMP traffic that are allowed in the ICMP dialog box, as shown in
the following figure 13.
(a) Default ICMP settings, with no message types allowed
(b) “Allow incoming echo request” enabled
Fig.13 ICMP options from the Advanced tab of Windows Firewall
From the ICMP dialog box, you can enable and disable the types of incoming ICMP messages that Windows
Firewall allows for all the connections selected on the Advanced tab. ICMP messages are used for diagnostics, reporting
error conditions, and configuration. By default, no ICMP messages in the list are allowed, to protect the computer
(see fig. 13a).
A common step in troubleshooting connectivity problems is to use the Ping tool to ping the address of the
computer to which you are trying to connect. When you ping, you send an ICMP Echo message and get an ICMP Echo
Reply message in response. By default, Windows Firewall does not allow incoming ICMP Echo messages and therefore the
computer cannot send an ICMP Echo Reply in response. To configure Windows Firewall to allow the incoming ICMP
Echo message, you must enable the Allow incoming echo request setting like in fig.13b.
If you are not sure what you have changed in the firewall rules, it is safer to click “Restore Defaults”.
This resets Windows Firewall to its originally installed state. When you click Restore Defaults, you are prompted
to confirm your decision before the Windows Firewall settings are changed.
Applications can use Windows Firewall application programming interface (API) function calls to add exceptions
automatically. When an application that has no exception in the Windows Firewall rules attempts to listen on TCP or UDP
ports, Windows Firewall prompts you with a Windows Security Alert dialog box. You can choose one of the following:
• Keep Blocking Adds the application to the exceptions list but in a Disabled state so that the ports are not
opened. Unsolicited incoming traffic for the application is blocked unless the local administrator
specifically enables the exception on the Exceptions tab. By adding the application to the exceptions list,
Windows Firewall does not prompt the user every time the application is run.
• Unblock Adds the application to the exceptions list but in an Enabled state so that the ports are opened.
• Ask Me Later Block unsolicited incoming traffic for the application and do not add it to the exceptions
list. The local administrator will be prompted again the next time the application is run.
To determine the path of the application from the Windows Security Alert dialog box, place the mouse pointer
over the name or description of the application. The displayed tool tip text indicates the path to the application. If the user is
not a local administrator, the Windows Security Alert dialog box informs the user that the traffic is being blocked, and to
contact their network administrator for more information.
Fig.14 Windows prompts you when Windows Firewall is OFF
6.5. TESTING FIREWALL RULES
You must generate enough situations to test the functions of the firewall. These situations must test only the
functions that are “accepted” from your security point of view. From the beginning, you must “close” all the access
paths to your computer or network; after this you start to grant rights or rules for access. A strong firewall system will
give you all the information you need to protect the network. Keep the password file or other vital information separately, in a
shadow file. Change the passwords from time to time; how long a password should live is something you must judge yourself. If
you have any doubt, change the passwords and the ports of the services, block the traffic, and so on.
6.6. DISCUSSIONS AND CONCLUSIONS
In this section we discuss the balance between flexibility and costs. We mirror what it means to use Microsoft
products against an understanding of Open Source products.
We can implement firewall rules that protect our network and minimize the risk of being attacked from outside.
These mechanisms filter all the packets that pass through them. The filtering policies are established by comparing the source and
the destination of the messages and the ports and protocols used. The firewall system is invisible to the network users, so they
do not detect its presence or its activities. The computer on which the firewall mechanism is implemented is called a “router”, and it
manages the routing mechanism too. The firewall filters all incoming and outgoing packets.
Application Level Firewall. When we consider this type of firewall we must implement proxy servers. A proxy server can
authenticate and monitor the network connections at a high level. All our communications are performed by
proxy servers.
7. Library with important software package
Fedora Core 3
Fedora Core 4
Mandrake
Slackware
RedHat Linux 7.2
MySQL for Windows
Administrative MySQL for Windows
Administrative MySQL for Linux