Dustin Larmeir's tech blog.
Archive for June, 2009

2 wisdom teeth removed and a root canal on a Friday afternoon.
Jun 19th
2 sleepless nights and a lot of pain later, this is how I spent my Friday.

How to set up a home router/gateway with tinyproxy and dansguardian on CentOS or RedHat Enterprise Linux.
Jun 13th
This howto goes over how to set up a router/gateway on a home or small business network that will filter content through tinyproxy and Dan’s Guardian. The awesome thing about this setup is that you can run it on any old piece of crap PC in your garage or house. A 486 will effectively run this for a household, and an older Pentium-class machine will do for a small business network. This howto was written specifically for CentOS 4.x; however, you can use the same instructions on a RedHat ES 4.x server or any CentOS 5.x or RedHat ES 5.x server. The only change needed for a newer version is getting the updated rpms for the distro from a repository such as http://dag.wieers.com/rpm
About my system:
MotherBoard: Asrock K7S41GX
Processor: Socket A (Socket 462) AMD Sempron(tm) 2800+
Ram: 2x 333 ddr1 512 MB for a total of 1gb
Drives: 2x 250.0 GB drives 1x 500GB drive 1x dvdrw drive
Network: 2x 100mbps network adapters
Getting the router/gateway up and running
Step 1. Setting up an extra network interface (if you have already done this, move to step 2)
If you have just installed a new network interface, you will need to get the system to properly see the device. Use lspci or cat /etc/sysconfig/hwconf and look for the new device; if it is not listed, do a service kudzu restart and follow the prompts if necessary. Once you have positively identified that the system detects it, you can add the device by creating this file:
/etc/sysconfig/network-scripts/ifcfg-eth1
This file can then be formatted as shown below:
# cat /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
BOOTPROTO=STATIC
ONBOOT=yes
TYPE=Ethernet
IPADDR=10.0.0.1
NETMASK=255.255.255.0
The addresses above are what I am going to use for this setup; you can adjust them to any subnet you wish. To get this up and running, restart networking with:
# service network restart
Step2. Installing and configuring the dhcp server
We first need to get the dhcp server package installed. We can do this by issuing the following command:
# yum -y install dhcp
This will install the package we need to run the dhcp server. The server will not start without modification of a few files. We will go over these files below:
The main configuration file for the dhcp server is /etc/dhcpd.conf. I have posted an example of mine below that can easily be adapted for your network:
# cat /etc/dhcpd.conf
ddns-update-style interim;
ignore client-updates;
subnet 10.0.0.0 netmask 255.255.255.0 {
    # --- default gateway
    option routers 10.0.0.1;
    option subnet-mask 255.255.255.0;
    option nis-domain "larmeir.com";
    option domain-name "larmeir.com";
    option domain-name-servers 10.0.0.1;
    option time-offset -18000; # Eastern Standard Time
    # option ntp-servers 10.0.0.1;
    # option netbios-name-servers 10.0.0.1;
    # --- Selects point-to-point node (default is hybrid). Don't change this unless
    # -- you understand Netbios very well
    # option netbios-node-type 2;
    range dynamic-bootp 10.0.0.100 10.0.0.254;
    default-lease-time 21600;
    max-lease-time 43200;
    # we want the nameserver to appear at a fixed address
    host ns {
        next-server home.larmeir.com;
        hardware ethernet 12:34:56:78:AB:CD;
        fixed-address 10.0.0.1;
    }
}
Once we have this file configured we will need to set the device that will host the dhcp service. The file that controls this is /etc/sysconfig/dhcpd
Below is an example of mine:
# cat /etc/sysconfig/dhcpd
# Command line options here
DHCPDARGS=eth1
Step 3. Modifying sysctl and iptables
In order to get requests from the dhcp network forwarded through the correct adapter, sysctl and iptables have to be configured. To enable IPv4 forwarding, issue the following command:
# echo 1 > /proc/sys/net/ipv4/ip_forward
Then, to get iptables routing the requests properly, issue the following commands:
# /sbin/iptables -P FORWARD ACCEPT
# /sbin/iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE
# service iptables save
If everything went right you should now have a functioning dhcp server. To get everything running, run the following commands:
# chkconfig dhcpd on
# service network restart
# service dhcpd restart
In my above example dhcpd.conf I specified an internal DNS server, but if you don’t want to run one you can easily point this to your ISP’s DNS resolvers. If you do wish to host your DNS, let’s move on to the next step.
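The check below is an added example, not part of the original post. It reports two gaps in the state Step 3 leaves behind: the echo into /proc does not survive a reboot unless net.ipv4.ip_forward = 1 is also set in /etc/sysctl.conf, and a FORWARD policy of ACCEPT with no rules forwards packets in either direction. The function names, sample files and tighter ruleset are constructed for illustration and assume no other filter rules are loaded.

```shell
#!/bin/sh
# Added example: check the Step 3 forwarding setup for two gaps.

# Succeed when the sysctl.conf-style file $1 enables forwarding at boot.
forward_persisted() {
    awk -F= '{ gsub(/[[:space:]]/, "") }
        $1 == "net.ipv4.ip_forward" { v = $2 }
        END { exit (v == "1" ? 0 : 1) }' "$1"
}

# Print the filter-table FORWARD policy found in iptables-save dump $1.
forward_policy() {
    awk '/^\*/ { t = $1 }
        t == "*filter" && $1 == ":FORWARD" { print $2 }' "$1"
}

# Print how many filter-table FORWARD rules the dump $1 contains.
forward_rules() {
    awk '/^\*/ { t = $1 }
        t == "*filter" && $1 == "-A" && $2 == "FORWARD" { n++ }
        END { print n + 0 }' "$1"
}

# Print one finding per line; print nothing when both checks pass.
audit_forwarding() {  # $1 = sysctl.conf, $2 = iptables-save dump
    forward_persisted "$1" ||
        echo "net.ipv4.ip_forward is not 1 in sysctl.conf; lost at reboot"
    if [ "$(forward_policy "$2")" = "ACCEPT" ] &&
       [ "$(forward_rules "$2")" -eq 0 ]; then
        echo "FORWARD policy ACCEPT with no rules; any routed packet passes"
    fi
    return 0
}

# Constructed samples: the state Step 3 leaves behind, then a tighter one.
FWD=$(mktemp -d)
echo 'net.ipv4.ip_forward = 0' > "$FWD/sysctl.article"
echo 'net.ipv4.ip_forward = 1' > "$FWD/sysctl.tight"
printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]' \
    '-A POSTROUTING -o eth0 -j MASQUERADE' 'COMMIT' \
    '*filter' ':FORWARD ACCEPT [0:0]' 'COMMIT' > "$FWD/rules.article"
printf '%s\n' '*filter' ':FORWARD DROP [0:0]' \
    '-A FORWARD -i eth1 -o eth0 -j ACCEPT' \
    '-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT' \
    'COMMIT' > "$FWD/rules.tight"

audit_forwarding "$FWD/sysctl.article" "$FWD/rules.article"
audit_forwarding "$FWD/sysctl.tight" "$FWD/rules.tight"
```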
Step 4. Setting up a basic DNS server.
This part is easy, just run the following commands:
# yum -y install bind
# chkconfig named on
# service named start
No configuration is needed here unless you have specific requirements.
Step 5. Installing TinyProxy
This part is very easy as well. For larger networks squid is more appropriate, but for a small office or home network tinyproxy is highly effective. To get TinyProxy installed you will need to get it from a 3rd party repo. I am hosting the rpm on this site for CentOS 4.x for convenience. To get this rolling, perform the commands below:
# wget http://larmeir.com/downloads/centos4/tinyproxy-1.6.4-1.of.el4.i386.rpm
# rpm -ivh tinyproxy-1.6.4-1.of.el4.i386.rpm
# chkconfig tinyproxy on
Now we need to set the following directives in the tinyproxy configuration file, /etc/tinyproxy/tinyproxy.conf:
User root
Group root
Port 3128
ViaProxyName "tinyproxy"
Once this has been set you can start up tiny proxy with the command below:
# service tinyproxy start
Step 6. Setting up Dan’s Guardian.
To get dansguardian we need to obtain it from the Dag repositories. To do this, follow the commands below:
# rpm -Uhv http://apt.sw.be/redhat/el4/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el4.rf.i386.rpm
# yum update
# yum install dansguardian
# chkconfig dansguardian on
Then we need to modify the /etc/dansguardian/dansguardian.conf file and make sure the following directives are set:
# the port that DansGuardian listens to.
filterport = 8080
# the ip of the proxy (default is the loopback - i.e. this server)
proxyip = 127.0.0.1
# the port DansGuardian connects to proxy on
proxyport = 3128
Finally we need to start dansguardian with the following command:
# service dansguardian start
And set up iptables to route all requests through the Dan’s Guardian filter:
# /sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
# service iptables save
This will now force all HTTP (port 80) connections on the dhcp network through the Dan’s Guardian filter. Now, just to make sure everything is working, let’s restart everything:
# service network restart
# service dhcpd restart
# service tinyproxy restart
# service dansguardian restart
If you receive no errors, you now have a gateway with dhcp, dns, a transparent proxy and content filtering. Give yourself a pat on the back. You can easily test the filter by going to Google and typing in a banned keyword such as sex. For more information on everything used in this article, check out these links:
TinyProxy https://www.banu.com/tinyproxy/
Dans Guardian: http://dansguardian.org/
dhcpd http://en.wikipedia.org/wiki/Dhcpd
CentOS http://www.centos.org/
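An added example (not from the original post) that audits the Step 5 and Step 6 settings: with the directives shown there, tinyproxy runs as root and listens on every interface, so port 3128 can be reached without passing through DansGuardian. The function names, the sample files and the tightened values (User nobody, Listen 127.0.0.1, Allow 127.0.0.1, filterip = 10.0.0.1) are assumptions for this setup, not settings from the article.

```shell
#!/bin/sh
# Added example: audit the proxy settings from Steps 5 and 6.

# tinyproxy.conf holds "Directive value" lines; print the last value set.
tp_get() {  # $1 = file, $2 = directive
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1" | tr -d '"'
}

# dansguardian.conf holds "key = value" lines; print the last value set.
dg_get() {  # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Print one finding per line; print nothing when every check passes.
audit_proxy() {  # $1 = tinyproxy.conf, $2 = dansguardian.conf
    [ "$(tp_get "$1" User)" = "root" ] &&
        echo "tinyproxy: User root (port 3128 needs no root privileges)"
    [ "$(tp_get "$1" Listen)" = "127.0.0.1" ] ||
        echo "tinyproxy: no Listen 127.0.0.1 (3128 reachable past the filter)"
    grep -Eq '^[[:space:]]*Allow[[:space:]]+127\.0\.0\.1' "$1" ||
        echo "tinyproxy: no Allow 127.0.0.1 (any client may connect)"
    [ "$(dg_get "$2" proxyip)" = "127.0.0.1" ] ||
        echo "dansguardian: proxyip is not 127.0.0.1"
    [ "$(dg_get "$2" filterip)" = "10.0.0.1" ] ||
        echo "dansguardian: filterip not pinned to LAN address 10.0.0.1"
    return 0
}

# Constructed sample files: the article's settings, then a tightened variant.
SAMPLES=$(mktemp -d)
printf '%s\n' 'User root' 'Group root' 'Port 3128' \
    'ViaProxyName "tinyproxy"' > "$SAMPLES/tinyproxy.article"
printf '%s\n' 'filterport = 8080' 'proxyip = 127.0.0.1' \
    'proxyport = 3128' > "$SAMPLES/dansguardian.article"
printf '%s\n' 'User nobody' 'Group nobody' 'Port 3128' 'Listen 127.0.0.1' \
    'Allow 127.0.0.1' 'ViaProxyName "tinyproxy"' > "$SAMPLES/tinyproxy.tight"
printf '%s\n' 'filterip = 10.0.0.1' 'filterport = 8080' 'proxyip = 127.0.0.1' \
    'proxyport = 3128' > "$SAMPLES/dansguardian.tight"

echo "== settings as in the article =="
audit_proxy "$SAMPLES/tinyproxy.article" "$SAMPLES/dansguardian.article"
echo "== tightened settings =="
audit_proxy "$SAMPLES/tinyproxy.tight" "$SAMPLES/dansguardian.tight"
```

The REDIRECT rule from Step 6 still reaches DansGuardian when filterip is 10.0.0.1, because REDIRECT rewrites the destination to the primary address of the incoming interface (eth1).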
Heineken rocks
Jun 2nd

I was in the mood for a blonde lager today. This Heineken 24oz. can hit the spot.
A great quote from Confucius
Jun 2nd
“By three methods we may learn wisdom: First, by reflection, which is noblest; Second, by imitation, which is easiest; and third by experience, which is the bitterest.”