II. Basic Setup
7. Linux Basic Install (fw-01, fw-02, fw-console)
Install 3 Linux servers (CentOS 5.4). More information on:
7.1 With kickstart:
Put the kickstart config files (available on the end of this document) on a web server.
Boot from a CentOS 5.4 iso. Wait for the first screen:
[F1-Main] [F2-Options] [F3-General] [F4-Kernel] [F5-Rescue]
boot:
Then write:
You will be asked whether to re-write the partition table (answer yes), for your keyboard type, the root password and the timezone. Everything else is answered by the .cfg file.
Do the same thing for fw-02 and fw-console.
7.2 Without kickstart:
If you don't want to use the kickstart .cfg, just install CentOS selecting:
Server and customize now
Set:
  Applications
    Editors
    Text-internet
  Servers
    Mail-server
  Base System
    Base
    System Tools
      Net-snmp-utils
      Iptraf
      Ntp
      Sysstat
8. Linux post-install Setup (fw-01, fw-02, fw-console)
Do some "post install" configuration to improve host security (see the CIS benchmarks at http://www.cisecurity.org).
Customize ntp, syslog, sendmail, ssh and snmp.
Create the fwadmin user.
8.1 Copy the config files (available at the end of this document) (/etc/hosts, /etc/hosts.allow, /etc/snmp/snmpd.conf, /etc/ssh/sshd_config, /etc/ssh/ssh_config, /etc/ntp.conf, /etc/ntp/ntpservers) to fw-01, fw-02 and fw-console.
8.2 Run the commands below on each host as root user:
# patch the system (internet connectivity is needed)
yum update -y
#disable IPv6
cp -p /etc/sysconfig/network /tmp/network.$$
cat /tmp/network.$$|sed s/NETWORKING_IPV6=yes/NETWORKING_IPV6=no/g>/etc/sysconfig/network
# no graphical is needed
cp -p /etc/inittab /tmp/inittab.$$
cat /tmp/inittab.$$|sed s/id:5:initdefault:/id:3:initdefault:/g >/etc/inittab
# give the news account a non-login shell
cp -p /etc/passwd /etc/passwd.BKP
sed s=news:x:9:13:news:/etc/news:=news:x:9:13:news_x:/etc/news:/sbin/nologin=g /etc/passwd.BKP > /etc/passwd
#disable unnecessary services
rpm -ev system-config-network-tui firstboot-tui
for srv in `chkconfig --list | awk '{print $1}'|sed s/://g|sort -u`
do
chkconfig --level 35 $srv off
done
#enable necessary services
for srv in acpid anacron atd crond firstboot haldaemon iptables irqbalance kudzu lm_sensors messagebus microcode_ctl network ntpd psacct readahead_early readahead_later sendmail snmpd sshd syslog sysstat
do
chkconfig --level 35 $srv on
done
#complement network config
for a in `ls /etc/sysconfig/network-scripts/ifcfg-eth[0-9]`
do
echo -e "#ETHTOOL_OPTS=\"speed 1000 duplex full\"">> $a
echo -e "#ETHTOOL_OPTS=\"speed 100 duplex full autoneg off\"">> $a
done
#protect some files
chmod o-rwx /root
chmod og-rw /etc/crontab /etc/sysctl.conf
rm /etc/at.deny /etc/cron.deny
echo -e "root" > /etc/cron.allow
echo -e "root" > /etc/at.allow
echo -e "#\nALL:\tALL\n#" >/etc/hosts.deny
chmod 400 /etc/cron.allow /etc/at.allow
chmod 444 /etc/hosts.allow /etc/hosts.deny
ln -s /dev/null /etc/hosts.equiv
ln -s /dev/null /etc/shosts.equiv
ln -s /dev/null /root/.shosts
ln -s /dev/null /root/.rhosts
echo -e "\n(Authorized Only)\n" > /etc/issue
echo -e "\n(Authorized Only)\n" > /etc/issue.net
echo -e "\n(Authorized Only)\n" > /etc/motd
#create FWbuilder home
mkdir /opt/FWbuilder /opt/FWbuilder/home /opt/FWbuilder/home/.ssh
echo -e "fwadmin:x:2001:fwadmin" >> /etc/group
# -p expects an already hashed password; the plain-text value below matches
# nothing, so the account cannot log in by password until 8.3 sets a real one
useradd \
-c "fwadmin" \
-d /opt/FWbuilder/home \
-g 2001 \
-u 2001 \
-p FirstPassword \
-m \
fwadmin
chown -R fwadmin:fwadmin /opt/FWbuilder
chmod 700 /opt/FWbuilder/home/.ssh/
echo y | grpck
>/var/log/local0.log
>/var/log/local1.log
>/var/log/local2.log
>/var/log/local3.log
>/var/log/local4.log
>/var/log/local5.log
>/var/log/local6.log
# all mails to fw-console
echo "fwadmin@fw-console">/root/.forward
chmod 444 /root/.forward
8.3 Set user “fwadmin” password:
passwd fwadmin
8.4 Add these lines at the end of /etc/sysctl.conf
# Security
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
#net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Performance tuning
net.core.rmem_default=4194304
net.core.wmem_default=4194304
net.core.rmem_max=4194304
net.core.wmem_max=4194304
#net.ipv4.tcp_rmem = 4096 87380 16777216
#net.ipv4.tcp_wmem = 4096 65536 16777216
#net.core.netdev_max_backlog = 2500
#net.ipv4.tcp_no_metrics_save = 1
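The post-install steps in 8.2 and the sysctl lines in 8.4 are easy to get half-applied (a forgotten chmod, a symlink that was never made, a sysctl key set twice). The following audit function is an added example, not part of the original document: it re-checks the state those two sections are meant to leave behind. It reads the files under a root directory you pass in (the live "/" when the argument is empty, or a copied tree), prints one FAIL line per problem and returns the number of failures. The set of sysctl keys it checks and the expected modes are taken from 8.2 and 8.4 themselves.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the post-install state
# that sections 8.2 and 8.4 produce. ROOT is the directory the /etc and /root
# trees are read from: "" (the default) on the live host, or a copied tree.
# Prints one FAIL line per problem; returns the number of failures.

audit_hardening() {
    root="${1:-}"
    failures=0

    fail() { echo "FAIL: $1"; failures=$((failures + 1)); }

    # 8.2: cron/at allow lists are root-only, hosts.allow/hosts.deny read-only
    for spec in "$root/etc/cron.allow:400" "$root/etc/at.allow:400" \
                "$root/etc/hosts.allow:444" "$root/etc/hosts.deny:444"; do
        f="${spec%:*}"; want="${spec##*:}"
        if [ ! -e "$f" ]; then
            fail "$f missing"
        elif [ "$(stat -c %a "$f")" != "$want" ]; then
            fail "$f mode is $(stat -c %a "$f"), want $want"
        fi
    done

    # 8.2: hosts.deny must carry the default "ALL: ALL" rule
    grep -q '^ALL:[[:space:]]*ALL' "$root/etc/hosts.deny" 2>/dev/null \
        || fail "$root/etc/hosts.deny has no ALL: ALL rule"

    # 8.2: rhosts-style trust files neutralised as symlinks to /dev/null
    for f in "$root/etc/hosts.equiv" "$root/etc/shosts.equiv" \
             "$root/root/.rhosts" "$root/root/.shosts"; do
        [ "$(readlink "$f" 2>/dev/null)" = "/dev/null" ] \
            || fail "$f is not a symlink to /dev/null"
    done

    # 8.2: IPv6 off, no graphical runlevel
    grep -q '^NETWORKING_IPV6=no' "$root/etc/sysconfig/network" 2>/dev/null \
        || fail "IPv6 still enabled in $root/etc/sysconfig/network"
    grep -q '^id:3:initdefault:' "$root/etc/inittab" 2>/dev/null \
        || fail "default runlevel in $root/etc/inittab is not 3"

    # 8.4: the kernel settings that matter most on a firewall host. The last
    # assignment of a key in sysctl.conf wins, so only the last one is read.
    for kv in net.ipv4.ip_forward=0 net.ipv4.tcp_syncookies=1 \
              net.ipv4.icmp_echo_ignore_broadcasts=1 \
              net.ipv4.conf.all.rp_filter=1 \
              net.ipv4.conf.all.accept_source_route=0 \
              net.ipv4.conf.all.accept_redirects=0 \
              net.ipv4.conf.all.send_redirects=0; do
        key="${kv%=*}"; want="${kv#*=}"
        keyre=$(printf '%s\n' "$key" | sed 's/\./\\./g')
        got=$(sed -n "s/^[[:space:]]*$keyre[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" \
                  "$root/etc/sysctl.conf" 2>/dev/null | tail -n 1)
        [ "$got" = "$want" ] || fail "sysctl $key is '${got:-unset}', want $want"
    done

    return "$failures"
}

# Usage on a node:  audit_hardening                   (live system)
#                   audit_hardening /mnt/fw-01-root   (a copied tree)
```

Run it once after 8.2 and 8.4 and again after 8.6's reboot: a non-zero return means one of the steps did not stick, and the FAIL lines name the file to revisit.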
8.5 Configure speed and duplex for each eth.
To avoid some interface errors, set the speed and duplex configuration for each interface. In /etc/sysconfig/network-scripts/ifcfg-eth?, uncomment the appropriate line (fast or gigabit Ethernet).
*If you are using a Cisco switch, here is a configuration example:
For a gigabit access port:
enable
conf t
interface GigabitEthernet 1/0/2
description FW-01 eth0
switchport access vlan 100
speed 1000
duplex full
spanning-tree portfast
end
wr
For a fast access port:
enable
conf t
interface FastEthernet 0/2
description FW-01 eth0
switchport mode trunk
speed 100
duplex full
spanning-tree portfast trunk
end
wr
8.6 “Reboot” the systems
reboot
*At this point, to access the three boxes you need to be on PC-01 and log in as the fwadmin user, then (if you need more privileges) "su - root". To change this behaviour you need to modify /etc/hosts.allow and /etc/ssh/sshd_config.
9. fw-console setup
The fwadmin user on fw-console needs ssh access to fw-01 and fw-02 without being asked for a password.
fw-console will accept syslogd messages.
fwbuilder is needed on fw-console.
Logrotate will be customized to compress logs and keep them for 30 days.
9.1 ssh keys
Login on fw-console as fwadmin user
Generate ssh keys for user fwadmin and copy the public key to the nodes (fw-01 and fw-02).
# the piped newlines accept the default key file name and set an empty passphrase
echo -e "\n\n\n\n" | ssh-keygen -b 1024 -t dsa
scp -p .ssh/id_dsa.pub fw-01:.ssh/authorized_keys
scp -p .ssh/id_dsa.pub fw-02:.ssh/authorized_keys
Answer "yes" when asked to continue, and enter the password of user fwadmin on the remote host.
ssh fw-01 "chmod 400 .ssh/authorized_keys"
ssh fw-02 "chmod 400 .ssh/authorized_keys"
*This way you can copy and apply firewall rules from the fwbuilder GUI securely without typing passwords.
9.2 syslogd
Login on fw-console as root user
Copy the config files (/etc/logrotate.d/syslog, /etc/syslog.conf, /etc/sysconfig/syslog) (available at the end of this document) to fw-console as root user.
*This enables fw-console to receive syslog messages from the fw-nodes and to "rotate" /var/log/messages daily, compressing it and keeping the last 30 days of logs.
9.3 fwbuilder
Login on fw-console as root user
If you are using x86_64, you need to install these dependencies first:
yum install net-snmp-tools.i386 libxml2.i386 libxslt.i386
Download and install fwbuilder.
*When I wrote this document fwbuilder 4 was under development. There were new builds almost every day. You can find it on http://www.fwbuilder.org/nightly_builds/fwbuilder-4.0/. When it has passed to the stable state, you will find it on http://www.fwbuilder.org/rpm/stable/.
mkdir /sw
cd /sw
wget http://www.fwbuilder.org/nightly_builds/fwbuilder-4.0/build-2558/fwbuilder-4.0.0-b2558.el5.i386.rpm
# libfwbuilder-4.0.0-b2558.el5.i386.rpm must be downloaded from the same build directory as well
rpm -Uvh fwbuilder-4.0.0-b2558.el5.i386.rpm libfwbuilder-4.0.0-b2558.el5.i386.rpm
9.4 fw database
Login on fw-console as fwadmin user
Copy /opt/FWbuilder/fw-db.fwb (available on the end of this document) to fw-console
chown fwadmin:fwadmin /opt/FWbuilder/fw-db.fwb
9.5 Sendmail
Login on fw-console as root user
Configure fw-console to accept mails from the firewall nodes (fw-01 and fw-02)
cp -p /etc/mail/sendmail.cf /tmp/sendmail.$$
# listen on all addresses (comment out the loopback-only DaemonPortOptions line) and set Dj to this host's name
cat /tmp/sendmail.$$|sed s/O\ DaemonPortOptions=Port=smtp,Addr=127.0.0.1,\ Name=MTA/\#O\ DaemonPortOptions=Port=smtp,Addr=127.0.0.1,\ Name=MTA/g|sed s/\#Dj\$w.Foo.COM/Dj`hostname`/g>/etc/mail/sendmail.cf
echo -e "`hostname`\nlocalhost" >> /etc/mail/local-host-names
# accept relaying from the two firewall nodes
echo -e "fw-01\nfw-02" >> /etc/mail/relay-domains
9.6 Re-boot
reboot
10. fw-nodes setup ( fw-01 and fw-02 )
fw-01 and fw-02 will send syslog messages to fw-console (consolidated log management)
Logrotate will be customized to compress logs and keep them for 30 days.
Heartbeat will be installed to manage resources (the virtual IPs).
Conntrack-tools will be installed to replicate the conntrack tables.
10.1 syslogd
Login on each wall (fw-01 and fw-02) as root user
Copy the config files (/etc/logrotate.d/syslog, /etc/syslog.conf) (available at the end of this document) to fw-01 and fw-02
*This enables the fw-nodes to send syslog messages to fw-console and to "rotate" /var/log/messages daily, compressing it and keeping the last 30 days of logs.
10.2 heartbeat
Login on each wall (fw-01 and fw-02) as root user
Install heartbeat.
yum install heartbeat -y
yum install heartbeat -y
*I don't know why, but you need to do it 2 times.
*You can also install from the CD/rpms. You will need heartbeat-2.1.3-3.el5.centos heartbeat-stonith-2.1.3-3.el5.centos heartbeat-pils-2.1.3-3.el5.centos from CentOS/extras.
Copy the config files (available at the end of this document) (/etc/ha.d/ha.cf, /etc/ha.d/haresources, /etc/ha.d/authkeys, /etc/ha.d/logd.cf). The ha.cf is different on fw-01 and fw-02 because I prefer to use unicast. There are 3 paths for heartbeats to avoid "split brain".
/etc/ha.d/authkeys is the same on the 2 nodes. It holds the key that authenticates the heartbeat packets between the 2 nodes.
/etc/ha.d/ha.cf is different on each node. Both have the same time-out values; each lists the IP addresses and interfaces of the other node to send heartbeat packets to. At least two interfaces sending heartbeat packets are recommended. This example uses 3: a dedicated one and 2 internal LANs.
/etc/ha.d/haresources is the same on the 2 nodes. It has the hostname of the "master" node and the "virtual" IP address for each network. This example uses vIPs for the inside, outside and dmz networks. You must use the hostname exactly as shown by "uname -n" on node-1.
Secure config files
chmod 644 /etc/ha.d/ha.cf /etc/ha.d/haresources /etc/ha.d/logd.cf
chmod 600 /etc/ha.d/authkeys
ln -s /etc/ha.d/logd.cf /etc
Activate heartbeat at startup
chkconfig --add heartbeat
chkconfig --level 35 heartbeat on
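The three heartbeat files described above are shipped at the end of the document; to make concrete which parts differ per node and which are shared, here is an added example (not the post's own files) that writes a set of them for one node. It assumes the interface layout visible in the 11.3 output (eth0 192.168.100.0/24, eth1 200.201.202.0/28, eth2 192.168.150.0/24, eth3 192.168.255.0/24 as the dedicated heartbeat link, .10 as the VIP on the three networks that get one), and the timer values, udpport, logd settings and the shared secret are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the config files the post ships at its end: write the
# heartbeat files that section 10.2 describes for one node. Timers, udpport,
# the interface/network layout and the secret are assumptions of this example.

write_heartbeat_config() {
    dir="$1"         # where to write (normally /etc/ha.d)
    peer_octet="$2"  # last octet of the OTHER node's addresses: 12 on fw-01, 11 on fw-02
    secret="$3"      # shared authkeys secret; must be identical on both nodes

    mkdir -p "$dir"

    # ha.cf is the per-node file: three unicast heartbeat paths to the peer
    # (dedicated eth3 link plus the two internal LANs), as 10.2 prescribes.
    # auto_failback on matches the 11.5 test, where the VIPs return to fw-01.
    cat > "$dir/ha.cf" <<EOF
use_logd yes
keepalive 2
deadtime 30
warntime 10
initdead 120
udpport 694
ucast eth3 192.168.255.$peer_octet
ucast eth0 192.168.100.$peer_octet
ucast eth2 192.168.150.$peer_octet
auto_failback on
node fw-01
node fw-02
EOF

    # haresources is identical on both nodes: master hostname (exactly as
    # "uname -n" prints it) followed by the VIP for each network
    cat > "$dir/haresources" <<EOF
fw-01 IPaddr::192.168.100.10/24/eth0 IPaddr::200.201.202.10/28/eth1 IPaddr::192.168.150.10/24/eth2
EOF

    # authkeys is identical on both nodes and authenticates every heartbeat packet
    cat > "$dir/authkeys" <<EOF
auth 1
1 sha1 $secret
EOF

    # logd.cf: where the heartbeat log daemon sends its messages
    cat > "$dir/logd.cf" <<EOF
logfacility local0
EOF

    # same permissions as 10.2: the secret is readable by root only
    chmod 644 "$dir/ha.cf" "$dir/haresources" "$dir/logd.cf"
    chmod 600 "$dir/authkeys"
}

# On fw-01:  write_heartbeat_config /etc/ha.d 12 "$SECRET"
# On fw-02:  write_heartbeat_config /etc/ha.d 11 "$SECRET"
```

The only per-node input is the peer's address octet, which is exactly why the post says ha.cf differs between fw-01 and fw-02 while haresources and authkeys are copied unchanged; if the two nodes ever disagree on the haresources line or the secret, heartbeat logs authentication failures in /var/log/ha-log, the file 11.3 tells you to read.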
10.3 conntrack-tools
Login on each wall (fw-01 and fw-02) as root user
Download and install conntrack-tools.
mkdir /sw
cd /sw
rpm -Uvh conntrack-tools-0.9.11-dm2.i386.rpm libnetfilter_conntrack-0.0.99-1.dm.i386.rpm libnfnetlink-0.0.41-1.dm.i386.rpm
Copy the config files (available at the end of this document) (/etc/conntrackd/conntrackd.conf, /etc/conntrackd/conntrackd.init, /etc/conntrackd/primary-backup.sh). conntrackd.conf is different on fw-01 and fw-02.
/etc/conntrackd/conntrackd.conf is different on each node. It has the local IP address on the sync network and all IPs that exist on the local interfaces, plus the virtual IPs managed by heartbeat.
Activate conntrackd at startup:
chmod 555 /etc/conntrackd/conntrackd.init
chmod 555 /etc/conntrackd/primary-backup.sh
ln -s /etc/conntrackd/conntrackd.init /etc/init.d/conntrackd.init
ln -s /etc/conntrackd/primary-backup.sh /etc/init.d/primary-backup.sh
ln -s /etc/init.d/conntrackd.init /etc/rc3.d/S75conntrackd.init
ln -s /etc/init.d/conntrackd.init /etc/rc5.d/S75conntrackd.init
10.4 fwbuilder
Login on each wall (fw-01 and fw-02) as root user
Activate the firewall policies at startup:
cd /etc/rc3.d
ln -s ../init.d/firewall S10firewall
ln -s ../init.d/firewall S11firewall
cd /etc/rc5.d
ln -s ../init.d/firewall S10firewall
ln -s ../init.d/firewall S11firewall
Give the fwadmin user permission to run the firewall script as root.
echo -e "Host_Alias FIREWALLS = fw-01,fw-02,fw-console,localhost" >>/etc/sudoers
echo -e "Defaults:%fwadmin !lecture" >>/etc/sudoers
Only on fw-01:
ln -s /opt/FWbuilder/fw-01.fw /etc/init.d/firewall
echo -e "%fwadmin FIREWALLS = NOPASSWD:/opt/FWbuilder/fw-01.fw" >>/etc/sudoers
Only on fw-02:
ln -s /opt/FWbuilder/fw-02.fw /etc/init.d/firewall
echo -e "%fwadmin FIREWALLS = NOPASSWD:/opt/FWbuilder/fw-02.fw" >>/etc/sudoers
# check the syntax of /etc/sudoers afterwards with visudo -c
*This way you can apply firewall rules from fwbuilder GUI on fw-console.
10.5 Sendmail
Login on each wall (fw-01 and fw-02) as root user
Redirect all locally generated mail to the fwadmin user on fw-console
echo "fwadmin@fw-console">/opt/FWbuilder/home/.forward
chmod 444 /opt/FWbuilder/home/.forward
chown fwadmin:fwadmin /opt/FWbuilder/home/.forward
cp -p /etc/mail/sendmail.cf /tmp/sendmail.$$
# set Dj to this host's name and use fw-console as the smart host (DS)
cat /tmp/sendmail.$$|sed s/\#Dj\$w.Foo.COM/Dj`hostname`/g|sed s/^DS/DSfw-console/g>/etc/mail/sendmail.cf
echo -e "`hostname`\nlocalhost" >> /etc/mail/local-host-names
*a dns server must be "up & running" for sendmail to work correctly.
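The sendmail.cf edits in 9.5 (fw-console) and 10.5 (fw-01 and fw-02) are one-shot sed pipelines with unquoted shell escapes, which are easy to mistype and overwrite the live file directly. As an added example, not the post's own commands, here are the same three edits as shell functions with quoted sed expressions that write to a separate output file, plus an idempotent helper for local-host-names and relay-domains. The sample sendmail.cf excerpt is constructed and contains only the three lines the edits touch.

```shell
#!/bin/sh
# Added example, not the post's own commands: the sendmail.cf edits of 9.5
# (fw-console) and 10.5 (fw-01/fw-02) as shell functions with quoted sed
# expressions, writing to a separate file so the live one is never half-written.
# sample_sendmail_cf() is a constructed excerpt with just the three lines the
# edits touch; a real sendmail.cf is far longer.

sample_sendmail_cf() {
    cat <<'EOF'
# "Smart" relay host (may be null)
DS

# my official domain name
#Dj$w.Foo.COM

# SMTP daemon options
O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA
EOF
}

# 9.5, fw-console: stop restricting the SMTP listener to 127.0.0.1 (comment
# the line out, so sendmail listens on every address) and set Dj, the
# canonical host name, to this host.
configure_console_sendmail() {   # args: input output hostname
    sed -e 's/^O DaemonPortOptions=Port=smtp,Addr=127\.0\.0\.1, Name=MTA$/#&/' \
        -e 's/^#Dj\$w\.Foo\.COM$/Dj'"$3"'/' "$1" > "$2"
}

# 10.5, fw-01 and fw-02: set Dj and point DS (the smart host all outbound
# mail is handed to) at fw-console. The listener stays loopback-only: the
# nodes only send. The whole DS line is replaced, so this also works when
# a smart host is already set.
configure_node_sendmail() {      # args: input output hostname smarthost
    sed -e 's/^#Dj\$w\.Foo\.COM$/Dj'"$3"'/' \
        -e 's/^DS.*$/DS'"$4"'/' "$1" > "$2"
}

# Append names to local-host-names / relay-domains without duplicating
# entries when the step is re-run.
add_names() {                    # args: file name...
    f="$1"; shift
    for n in "$@"; do
        grep -qx "$n" "$f" 2>/dev/null || echo "$n" >> "$f"
    done
}

# Usage on fw-console (as root):
#   configure_console_sendmail /etc/mail/sendmail.cf /etc/mail/sendmail.cf.new "$(hostname)"
#   mv /etc/mail/sendmail.cf.new /etc/mail/sendmail.cf
#   add_names /etc/mail/local-host-names "$(hostname)" localhost
#   add_names /etc/mail/relay-domains fw-01 fw-02
# Usage on fw-01 / fw-02 (as root):
#   configure_node_sendmail /etc/mail/sendmail.cf /etc/mail/sendmail.cf.new "$(hostname)" fw-console
#   mv /etc/mail/sendmail.cf.new /etc/mail/sendmail.cf
```

Writing to a .new file and renaming it afterwards means a typo in the sed leaves the running configuration untouched; relay-domains is the list of hosts fw-console will relay for, so keeping it to exactly fw-01 and fw-02 is what stops the console from becoming an open relay on the inside network.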
10.6 Re-boot
reboot
11. Check that everything is OK so far.
11.1 Connectivity
Login as fwadmin on fw-01
Do a “ping” test against all IPs of fw-02
ping 192.168.100.12
ping 192.168.150.12
ping 192.168.255.12
ping 200.201.202.12
If it doesn't work:
Problem with network config, cables or switches
See /etc/sysconfig/network-scripts/ifcfg-eth* on fw-01 and fw-02
Check your cables
Check your switch config
11.2 Syslog messages from nodes to console
Login as fwadmin on fw-01
Send a message to syslog
logger TestFromFW01
Login on fw-console as root
Search “TestFromFW01” on messages
grep "TestFromFW01" /var/log/messages
You will find a line with the IP address of fw-01 and the message
Feb 14 21:24:01 192.168.100.11 logger: TestFromFW01
Feb 14 21:25:23 192.168.100.12 logger: TestFromFW02
If it doesn't work:
Problem with the syslogd config
fw-01 doesn't send messages to fw-console
fw-console doesn't accept the message
See /etc/syslog.conf /etc/sysconfig/syslog on fw-01 and fw-console
See /var/log/messages on fw-console
Do the same on fw-02
11.3 ssh keys, IPs and routes for fw-01
Login as fwadmin on fw-console
ssh fw-01 "/sbin/ifconfig|grep addr ; netstat -rn"
Expected results:
No password will be necessary
The “banner” “(Authorized Only)” will be displayed
Information about fw-01 interfaces will be displayed
MAC, IP and broadcast address and netmask of all physical and virtual interfaces
Information about routes will be displayed
Default gateway has to be 200.201.202.1
(Authorized Only)
eth0 Link encap:Ethernet HWaddr 00:16:36:5C:9A:6E
inet addr:192.168.100.11 Bcast:192.168.100.255 Ma
inet6 addr: fe80::216:36ff:fe5c:9a6e/64 Scope:Link
eth0:0 Link encap:Ethernet HWaddr 00:16:36:5C:9A:6E
inet addr:192.168.100.10 Bcast:192.168.100.255 Ma
eth1 Link encap:Ethernet HWaddr 00:16:36:3A:27:03
inet addr:200.201.202.11 Bcast:200.201.202.15 Mas
inet6 addr: fe80::216:36ff:fe3a:2703/64 Scope:Link
eth1:0 Link encap:Ethernet HWaddr 00:16:36:3A:27:03
inet addr:200.201.202.10 Bcast:200.201.202.15 Mas
eth2 Link encap:Ethernet HWaddr 00:16:36:09:AF:DF
inet addr:192.168.150.11 Bcast:192.168.150.255 Ma
inet6 addr: fe80::216:36ff:fe09:afdf/64 Scope:Link
eth2:0 Link encap:Ethernet HWaddr 00:16:36:09:AF:DF
inet addr:192.168.150.10 Bcast:192.168.150.255 Ma
eth3 Link encap:Ethernet HWaddr 00:16:36:74:2C:88
inet addr:192.168.255.11 Bcast:192.168.255.255 Ma
inet6 addr: fe80::216:36ff:fe74:2c88/64 Scope:Link
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
200.201.202.0 0.0.0.0 255.255.255.240 U 0 0 0 eth1
192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.150.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
192.168.255.0 0.0.0.0 255.255.255.0 U 0 0 0 eth3
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth3
0.0.0.0 200.201.202.1 0.0.0.0 UG 0 0 0 eth1
If it doesn't work:
If a password is asked for:
Problem with the ssh keys
See /opt/FWbuilder/home/.ssh/authorized_keys on fw-01
If any physical IP doesn't appear:
Problem with the network config
See /etc/sysconfig/network-scripts/ifcfg-eth* on fw-01
If any virtual IP doesn't appear:
Problem with the heartbeat config
See /etc/ha.d/ha.cf, /etc/ha.d/haresources, /etc/ha.d/authkeys on fw-01
See /var/log/ha-log on fw-01
See /var/log/messages on fw-console
If the default gateway doesn't appear or is incorrect:
Problem with the network config
See /etc/sysconfig/network and /etc/sysconfig/network-scripts/ifcfg-eth1 on fw-01
Do the same on fw-02 (*the virtual IPs will not appear here)
11.4 heartbeat fail-over
Login as fwadmin on fw-02
Power off fw-01
Wait 30 seconds
/sbin/ifconfig|grep addr
*now the virtual IPs have to be on fw-02
Expected results:
Information about fw-02 interfaces will be displayed
MAC address, IP address, netmask, broadcast address of all physical and virtual interfaces
Information about routes will be displayed
Default gateway has to be 200.201.202.1
eth0 Link encap:Ethernet HWaddr 00:16:36:2D:04:F2
inet addr:192.168.100.12 Bcast:192.168.100.255 Mask:255.255.255.0
inet6 addr: fe80::216:36ff:fe2d:4f2/64 Scope:Link
eth0:0 Link encap:Ethernet HWaddr 00:16:36:2D:04:F2
inet addr:192.168.100.10 Bcast:192.168.100.255 Mask:255.255.255.0
eth1 Link encap:Ethernet HWaddr 00:16:36:05:1F:77
inet addr:200.201.202.12 Bcast:200.201.202.15 Mask:255.255.255.240
inet6 addr: fe80::216:36ff:fe05:1f77/64 Scope:Link
eth1:0 Link encap:Ethernet HWaddr 00:16:36:05:1F:77
inet addr:200.201.202.10 Bcast:200.201.202.15 Mask:255.255.255.240
eth2 Link encap:Ethernet HWaddr 00:16:36:7D:CC:84
inet addr:192.168.150.12 Bcast:192.168.150.255 Mask:255.255.255.0
inet6 addr: fe80::216:36ff:fe7d:cc84/64 Scope:Link
eth2:0 Link encap:Ethernet HWaddr 00:16:36:7D:CC:84
inet addr:192.168.150.10 Bcast:192.168.150.255 Mask:255.255.255.0
eth3 Link encap:Ethernet HWaddr 00:16:36:14:94:8F
inet addr:192.168.255.12 Bcast:192.168.255.255 Mask:255.255.255.0
inet6 addr: fe80::216:36ff:fe14:948f/64 Scope:Link
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
If it doesn't work:
If any virtual IP doesn't appear:
Problem with the heartbeat config
See /etc/ha.d/ha.cf, /etc/ha.d/haresources, /etc/ha.d/authkeys, /var/log/ha-log on fw-02
See /var/log/messages on fw-console
11.5 heartbeat fail-back
Power on fw-01
Login as fwadmin on fw-01
Wait 30 seconds
/sbin/ifconfig|grep addr
*now the virtual IPs have to come back to fw-01
If it doesn't work:
Problem with the heartbeat config
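The checks in 11.3, 11.4 and 11.5 all come down to reading "ifconfig | grep addr" (and in 11.3 "netstat -rn") by eye and deciding whether the right addresses are there. The following is an added example, not part of the original post: two small functions that make the same decision from a saved copy of that output, so the fail-over and fail-back tests can be repeated without re-reading the listing each time. The sample_* functions are constructed excerpts shaped like the outputs shown in 11.3 and 11.4, with the same addresses.

```shell
#!/bin/sh
# Added example, not part of the original post: checks for the 11.3, 11.4
# and 11.5 tests, run against the saved output of
#   ssh fw-0N "/sbin/ifconfig|grep addr ; netstat -rn" > /tmp/fw-0N.txt
# The sample_* functions are constructed excerpts shaped like the outputs
# shown in 11.3 and 11.4 (same addresses; not captured from a real host).

# Print present/MISSING for each address; return how many are missing.
# Works for the VIPs (11.3-11.5) and for the physical IPs alike. The
# trailing blank in "inet addr:IP " keeps 192.168.100.1 from matching
# 192.168.100.10.
missing_addrs() {                # args: file addr...
    out="$1"; shift
    missing=0
    for ip in "$@"; do
        if grep -qF "inet addr:$ip " "$out"; then
            echo "present: $ip"
        else
            echo "MISSING: $ip"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Print the default gateway from the netstat -rn part (destination 0.0.0.0
# with a G flag); prints nothing when there is none.
default_gateway() {              # args: file
    awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $2 }' "$1"
}

# fw-01 as master: physical .11 addresses plus the .10 VIPs on eth0:0 etc.
sample_fw01() {
    cat <<'EOF'
eth0      Link encap:Ethernet  HWaddr 00:16:36:5C:9A:6E
          inet addr:192.168.100.11  Bcast:192.168.100.255  Mask:255.255.255.0
eth0:0    Link encap:Ethernet  HWaddr 00:16:36:5C:9A:6E
          inet addr:192.168.100.10  Bcast:192.168.100.255  Mask:255.255.255.0
eth1      Link encap:Ethernet  HWaddr 00:16:36:3A:27:03
          inet addr:200.201.202.11  Bcast:200.201.202.15  Mask:255.255.255.240
eth1:0    Link encap:Ethernet  HWaddr 00:16:36:3A:27:03
          inet addr:200.201.202.10  Bcast:200.201.202.15  Mask:255.255.255.240
eth2      Link encap:Ethernet  HWaddr 00:16:36:09:AF:DF
          inet addr:192.168.150.11  Bcast:192.168.150.255  Mask:255.255.255.0
eth2:0    Link encap:Ethernet  HWaddr 00:16:36:09:AF:DF
          inet addr:192.168.150.10  Bcast:192.168.150.255  Mask:255.255.255.0
eth3      Link encap:Ethernet  HWaddr 00:16:36:74:2C:88
          inet addr:192.168.255.11  Bcast:192.168.255.255  Mask:255.255.255.0
          inet addr:127.0.0.1  Mask:255.0.0.0
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
200.201.202.0   0.0.0.0         255.255.255.240 U         0 0          0 eth1
192.168.100.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         200.201.202.1   0.0.0.0         UG        0 0          0 eth1
EOF
}

# fw-02 while fw-01 is up: physical .12 addresses only, no VIPs, no routes saved
sample_fw02_standby() {
    cat <<'EOF'
eth0      Link encap:Ethernet  HWaddr 00:16:36:2D:04:F2
          inet addr:192.168.100.12  Bcast:192.168.100.255  Mask:255.255.255.0
eth1      Link encap:Ethernet  HWaddr 00:16:36:05:1F:77
          inet addr:200.201.202.12  Bcast:200.201.202.15  Mask:255.255.255.240
eth2      Link encap:Ethernet  HWaddr 00:16:36:7D:CC:84
          inet addr:192.168.150.12  Bcast:192.168.150.255  Mask:255.255.255.0
EOF
}

# Usage for 11.4: after powering off fw-01 and waiting 30 seconds,
#   ssh fw-02 "/sbin/ifconfig|grep addr" > /tmp/fw-02.txt
#   missing_addrs /tmp/fw-02.txt 192.168.100.10 200.201.202.10 192.168.150.10
# must return 0; for 11.5 the same call against fw-01 must return 0 again.
```

A non-zero return from missing_addrs against the node that should be holding the VIPs is the "Problem with heartbeat config" case above; a wrong or empty default_gateway result on fw-01 is the ifcfg-eth1 / /etc/sysconfig/network case from 11.3.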
11.6 conntrackd
Login as root on fw-01 and fw-02
# let the backup accept mid-stream TCP packets whose window it has not tracked, which is the situation right after a fail-over
echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
conntrack -L
you will see the same conntrack entries on both nodes
If it doesn't work:
conntrackd config problem
See /var/log/conntrackd.log on fw-01 and fw-02
See /var/log/messages on fw-console
11.7 All together
Login as fwadmin on fw-console
ping an outside host
ping gw-01
Power off fw-01
Your ping will continue working (you may lose 1 or 2 packets)
Wait 60 seconds
Power on fw-01
Your ping will continue working (you may lose 1 or 2 packets)
Wait 120 seconds
If it doesn't work:
Something is wrong with heartbeat
Open an ssh (or telnet) connection to an outside host (like gw-01)
Power off fw-01
Your connection will continue working
Wait 60 seconds
Power on fw-01
Your connection will continue working
Wait 120 seconds
If it doesn't work: