Chinaunix首页 | 论坛 | 博客
  • 博客访问: 103643911
  • 博文数量: 19283
  • 博客积分: 9968
  • 博客等级: 上将
  • 技术积分: 196062
  • 用 户 组: 普通用户
  • 注册时间: 2007-02-07 14:28
文章分类

全部博文(19283)

文章存档

2011年(1)

2009年(125)

2008年(19094)

2007年(63)

分类: LINUX

2008-05-02 18:33:31

文章分类:

Includes: Shorewall, NAT, Caching NameServer, DHCP Server, VPN Server, Webmin, Munin, Apache (SSL enabled), Squirrelmail, Postfix setup with virtual domains, courier imap imaps pop3 pop3s, sasl authentication for road warriors, MailScanner as a wrapper for SpamAssassin, Razor, ClamAv, etc. Samba installed, not configured.

Needs very little maintenance and is extendable beyond your wildest imagination. All depending on the hardware used, of course.

This is a COPY&PASTE howto. For info use the net. I did... However, contributions and suggestions are allways welcome! I know this can be done better, so feel free.

If anyone of you can find the time to add a good install and config for snort AND snortsam, including a comprehensive controll panel, I would be very greathfull.

Scope: creating a firewall/(mail)gateway for a small network (say 10 to 15 users or so on a PIII 450MHz, 512 MB ram and two identical network interface cards, broadband connection, fully featured, for a bussines environment. Better specs of your hardware (notably the amount of ram) will improve the performance of your server significantly. The specs mentioned ar a bare minimum for not so demanding customers, yust to indicate that if you really want, it can be done indeed (need to do some tweaking afterwards though).

Expected audience: (beginning) sysop.

This tuto leads towards a solid 'ready to go' sytem. The fun part, I think, (tweaking and tuning etc.) starts when you are done. You may wish to inspect your logs to find clues as to where the tuning should start. Munin might tell you a lot as well.

Have Fun!

First, do a clean install using Ubuntu-Server 6.10. During installation, proper settings for eth0 will be detected automatically. If this fails, change your network cables and try again. There is a very small chance that your ISP does not run a DHCP server (never seen that happen), or it just might be down (seen that quite a few times, also they may screw up their DNS every now and then), in which case you are on your one, best to wait till they are done fixing it.

So we start out with a DHCP assigned address for eth0. This is just an easy way to figure out which NIC is actually eth0. If you already know which is which you better start out with a static address for eth0. If your ISP isn't crappy, you have the proper settings for it.

Now proceed and accept all defaults (but you may want to do your own partitioning) At the end of the process you will be asked if you want to install extra packages. Select "LAMP" and finish.

Now login as the new user you just made and do:

sudo passwd

Now enter your password again. Next enter the new password for user "root" and confirm. So we dropped the nasty sudo experience (bit strange on a server, isn’t it?) Now logout and login again as root with the new root password.

Do:

apt-get install vim

Using vim (or your favorite editor) edit /etc/apt/sources.list Comment out the cd repository. Next add "universe" (without the quotes) to all lines that aren't commented out. Save the file.

Now do:

apt-get update

apt-get install openssh-server

Edit /etc/network/interfaces and add the following at the bottom:

auto eth1
iface eth1 inet static
 address  192.168.1.1
 netmask         255.255.255.0
 broadcast 192.168.1.255
 network  192.168.1.0

Note that the rest of this tuto assumes that you actually make the settings for eth1 as shown.

My full/etc/network/interfaces looks like this:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1 inet static
 address  192.168.1.1
 netmask  255.255.255.0
 broadcast 192.168.1.255
 network  192.168.1.0

As you can see my eth0 gets its settings using DHCP.

Save the file. Next do:

/etc/init.d/networking restart

You can do the rest of this tuto from your workstation, either linux or the other one (must have putty), so you can actually copy and paste. Just login to 192.168.1.1 as root and get on with it.

Make sure that the network settings of your workstation match the settings of your server's eth1

If you are confused here, first configure and start your DHCP server as shown in this article (page 9), and let your workstation detect the proper settings automatically.

Now do:

apt-get install libnet-ssleay-perl libauthen-pam-perl libio-pty-perl shorewall dnsmasq

wget

"surfnet" is the dutch server. Change that to "heanet"(for Ireland), "belnet"(for Belgium), "mesh" (for Germany) and so on.

dpkg -i webmin_1.300_all.deb

cp /usr/share/doc/shorewall/examples/two-interfaces/* /etc/shorewall/

cd /etc/shorewall

gunzip interfaces.gz masq.gz rules.gz policy.gz

Now open your browser and login to webmin at as root with your root password and, using webmin's shorewall module, change the policy's and rules of your firewall as needed (for now, I only set the policy file to the example as shown, you may copy and paste my policy file for starters, if you don't like webmin).

Also set in /etc/shorewall.conf  the line "IP_FORWARDING=Keep"  to  "IP_FORWARDING=On" (without quotes) and enable the firewall in /etc/default/shorewall.

My /etc/shorewall/policy  now looks like this:

###############################################################################
#SOURCE  DEST  POLICY  LOG LEVEL LIMIT:BURST
#
# Note about policies and logging:
# This file contains an explicit policy for every combination of
# zones defined in this sample.  This is solely for the purpose of
# providing more specific messages in the logs.  This is not
# necessary for correct operation of the firewall, but greatly
# assists in diagnosing problems.
#
#
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# on your firewall, change the loc to net policy to REJECT info.
loc  net  ACCEPT
loc $FW ACCEPT
loc  all  REJECT  info
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.
$FW net ACCEPT
$FW loc ACCEPT
$FW  all  REJECT  info
#
# Policies for traffic originating from the Internet zone (net)
#
net  $FW  DROP  info
net  loc  DROP  info
net  all  DROP  info
# THE FOLLOWING POLICY MUST BE LAST
all  all  REJECT  info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Next do:

/etc/init.d/shorewall start

You should be able now to surf the net.

DO NOT PROCEED UNTILL YOU SUCCEED IN SURFING THE NET.  SINCE THIS IS YOUR FRAMEWORK. IT HAS TO BE OK.

So now we need some packages. Do (all in one line!):

apt-get install postfix postfix-doc courier-authlib-mysql courier-pop courier-pop-ssl courier-imap courier-imap-ssl libsasl2-modules-sql sasl2-bin libpam-mysql build-essential dpkg-dev fakeroot debhelper libdb4.2-dev libgdbm-dev libldap2-dev libpcre3-dev libmysqlclient12-dev libssl-dev libsasl2-dev postgresql-dev po-debconf dpatch zoo unzip arj rdate fetchmail unzip zip ncftp libarchive-zip-perl zlib1g-dev libpopt-dev nmap lynx fileutils curl mail-audit-tools libwww-perl imagemagick squirrelmail squirrelmail-locales munin munin-node ntp samba spamassassin razor pyzor unzoo spamc libio-string-perl libnet-ident-perl libio-socket-ssl-perl libapache2-mod-php4 libapache2-mod-perl2 php4 php4-cli php4-common php4-curl php4-dev php4-domxml php4-gd php4-imap php4-ldap php4-mcal php4-mhash php4-mysql php4-odbc php4-pear php4-xslt curl libwww-perl php-pear mailscanner mailx libzzip-dev libgmp3c2 libgmp3-dev dhcp3-server pptpd

Accept all defaults.

Now do:

mysqladmin -u root password yourrootsqlpassword ##USE A REAL PASSWORD HERE!

Now configure Apache and Squirrelmail.

/usr/sbin/squirrelmail-configure

Set it to courier (option D) and make ik otherwise as you like it. Don't forget to enable some plugins and to set a default language if desired. Also I suggest to set this:

$show_contain_subfolders_option = true;

My/etc/squirrelmail/config.php now looks like this:
(Just my current config. Don't copy this, use it as a reference.)


/**
* SquirrelMail Configuration File
* Created using the configure script, conf.pl
*/

global $version;
$config_version = '1.4.0';
$config_use_color = 2;

$org_name = "Lürsen";
$org_logo = SM_PATH . 'images/sm_logo.png';
$org_logo_width = '564';
$org_logo_height = '261';
$org_title = "Lürsen";
$signout_page = '';
$frame_top = '_top';

$provider_uri = '';

$provider_name = 'SquirrelMail';

$motd = "";

$squirrelmail_default_language = 'nl_NL';
$default_charset = 'iso-8859-1';
$lossy_encoding = false;

$domain = 'lursen.net';
$imapServerAddress = 'localhost';
$imapPort = 143;
$useSendmail = false;
$smtpServerAddress = 'localhost';
$smtpPort = 25;
$sendmail_path = '/usr/sbin/sendmail';
$sendmail_args = '-i -t';
$pop_before_smtp = false;
$imap_server_type = 'courier';
$invert_time = false;
$optional_delimiter = '.';
$encode_header_key = '';

$default_folder_prefix = 'INBOX.';
$trash_folder = 'Trash';
$sent_folder = 'Sent';
$draft_folder = 'Drafts';
$default_move_to_trash = true;
$default_move_to_sent = true;
$default_save_as_draft = true;
$show_prefix_option = false;
$list_special_folders_first = true;
$use_special_folder_color = true;
$auto_expunge = true;
$default_sub_of_inbox = false;
$show_contain_subfolders_option = true;
$default_unseen_notify = 2;
$default_unseen_type = 1;
$auto_create_special = true;
$delete_folder = true;
$noselect_fix_enable = false;

$data_dir = '/var/lib/squirrelmail/data/';
$attachment_dir = '/var/spool/squirrelmail/attach/';
$dir_hash_level = 0;
$default_left_size = '150';
$force_username_lowercase = false;
$default_use_priority = true;
$hide_sm_attributions = false;
$default_use_mdn = true;
$edit_identity = true;
$edit_name = true;
$hide_auth_header = false;
$allow_thread_sort = false;
$allow_server_sort = false;
$allow_charset_search = true;
$uid_support = true;

$plugins[0] = 'abook_take';
$plugins[1] = 'delete_move_next';
$plugins[2] = 'calendar';
$plugins[3] = 'filters';
$plugins[4] = 'message_details';
$plugins[5] = 'mail_fetch';
$plugins[6] = 'newmail';

$theme_css = '';
$theme_default = 0;
$theme[0]['PATH'] = SM_PATH . 'themes/default_theme.php';
$theme[0]['NAME'] = 'Default';
$theme[1]['PATH'] = SM_PATH . 'themes/plain_blue_theme.php';
$theme[1]['NAME'] = 'Plain Blue';
$theme[2]['PATH'] = SM_PATH . 'themes/sandstorm_theme.php';
$theme[2]['NAME'] = 'Sand Storm';
$theme[3]['PATH'] = SM_PATH . 'themes/deepocean_theme.php';
$theme[3]['NAME'] = 'Deep Ocean';
$theme[4]['PATH'] = SM_PATH . 'themes/slashdot_theme.php';
$theme[4]['NAME'] = 'Slashdot';
$theme[5]['PATH'] = SM_PATH . 'themes/purple_theme.php';
$theme[5]['NAME'] = 'Purple';
$theme[6]['PATH'] = SM_PATH . 'themes/forest_theme.php';
$theme[6]['NAME'] = 'Forest';
$theme[7]['PATH'] = SM_PATH . 'themes/ice_theme.php';
$theme[7]['NAME'] = 'Ice';
$theme[8]['PATH'] = SM_PATH . 'themes/seaspray_theme.php';
$theme[8]['NAME'] = 'Sea Spray';
$theme[9]['PATH'] = SM_PATH . 'themes/bluesteel_theme.php';
$theme[9]['NAME'] = 'Blue Steel';
$theme[10]['PATH'] = SM_PATH . 'themes/dark_grey_theme.php';
$theme[10]['NAME'] = 'Dark Grey';
$theme[11]['PATH'] = SM_PATH . 'themes/high_contrast_theme.php';
$theme[11]['NAME'] = 'High Contrast';
$theme[12]['PATH'] = SM_PATH . 'themes/black_bean_burrito_theme.php';
$theme[12]['NAME'] = 'Black Bean Burrito';
$theme[13]['PATH'] = SM_PATH . 'themes/servery_theme.php';
$theme[13]['NAME'] = 'Servery';
$theme[14]['PATH'] = SM_PATH . 'themes/maize_theme.php';
$theme[14]['NAME'] = 'Maize';
$theme[15]['PATH'] = SM_PATH . 'themes/bluesnews_theme.php';
$theme[15]['NAME'] = 'BluesNews';
$theme[16]['PATH'] = SM_PATH . 'themes/deepocean2_theme.php';
$theme[16]['NAME'] = 'Deep Ocean 2';
$theme[17]['PATH'] = SM_PATH . 'themes/blue_grey_theme.php';
$theme[17]['NAME'] = 'Blue Grey';
$theme[18]['PATH'] = SM_PATH . 'themes/dompie_theme.php';
$theme[18]['NAME'] = 'Dompie';
$theme[19]['PATH'] = SM_PATH . 'themes/methodical_theme.php';
$theme[19]['NAME'] = 'Methodical';
$theme[20]['PATH'] = SM_PATH . 'themes/greenhouse_effect.php';
$theme[20]['NAME'] = 'Greenhouse Effect (Changes)';
$theme[21]['PATH'] = SM_PATH . 'themes/in_the_pink.php';
$theme[21]['NAME'] = 'In The Pink (Changes)';
$theme[22]['PATH'] = SM_PATH . 'themes/kind_of_blue.php';
$theme[22]['NAME'] = 'Kind of Blue (Changes)';
$theme[23]['PATH'] = SM_PATH . 'themes/monostochastic.php';
$theme[23]['NAME'] = 'Monostochastic (Changes)';
$theme[24]['PATH'] = SM_PATH . 'themes/shades_of_grey.php';
$theme[24]['NAME'] = 'Shades of Grey (Changes)';
$theme[25]['PATH'] = SM_PATH . 'themes/spice_of_life.php';
$theme[25]['NAME'] = 'Spice of Life (Changes)';
$theme[26]['PATH'] = SM_PATH . 'themes/spice_of_life_lite.php';
$theme[26]['NAME'] = 'Spice of Life - Lite (Changes)';
$theme[27]['PATH'] = SM_PATH . 'themes/spice_of_life_dark.php';
$theme[27]['NAME'] = 'Spice of Life - Dark (Changes)';
$theme[28]['PATH'] = SM_PATH . 'themes/christmas.php';
$theme[28]['NAME'] = 'Holiday - Christmas';
$theme[29]['PATH'] = SM_PATH . 'themes/darkness.php';
$theme[29]['NAME'] = 'Darkness (Changes)';
$theme[30]['PATH'] = SM_PATH . 'themes/random.php';
$theme[30]['NAME'] = 'Random (Changes every login)';
$theme[31]['PATH'] = SM_PATH . 'themes/midnight.php';
$theme[31]['NAME'] = 'Midnight';
$theme[32]['PATH'] = SM_PATH . 'themes/alien_glow.php';
$theme[32]['NAME'] = 'Alien Glow';
$theme[33]['PATH'] = SM_PATH . 'themes/dark_green.php';
$theme[33]['NAME'] = 'Dark Green';
$theme[34]['PATH'] = SM_PATH . 'themes/penguin.php';
$theme[34]['NAME'] = 'Penguin';
$theme[35]['PATH'] = SM_PATH . 'themes/minimal_bw.php';
$theme[35]['NAME'] = 'Minimal BW';
$theme[36]['PATH'] = SM_PATH . 'themes/redmond.php';
$theme[36]['NAME'] = 'Redmond';
$theme[37]['PATH'] = SM_PATH . 'themes/netstyle_theme.php';
$theme[37]['NAME'] = 'Net Style';
$theme[38]['PATH'] = SM_PATH . 'themes/silver_steel_theme.php';
$theme[38]['NAME'] = 'Silver Steel';
$theme[39]['PATH'] = SM_PATH . 'themes/simple_green_theme.php';
$theme[39]['NAME'] = 'Simple Green';
$theme[40]['PATH'] = SM_PATH . 'themes/wood_theme.php';
$theme[40]['NAME'] = 'Wood';
$theme[41]['PATH'] = SM_PATH . 'themes/bluesome.php';
$theme[41]['NAME'] = 'Bluesome';
$theme[42]['PATH'] = SM_PATH . 'themes/simple_green2.php';
$theme[42]['NAME'] = 'Simple Green 2';
$theme[43]['PATH'] = SM_PATH . 'themes/simple_purple.php';
$theme[43]['NAME'] = 'Simple Purple';
$theme[44]['PATH'] = SM_PATH . 'themes/autumn.php';
$theme[44]['NAME'] = 'Autumn';
$theme[45]['PATH'] = SM_PATH . 'themes/autumn2.php';
$theme[45]['NAME'] = 'Autumn 2';
$theme[46]['PATH'] = SM_PATH . 'themes/blue_on_blue.php';
$theme[46]['NAME'] = 'Blue on Blue';
$theme[47]['PATH'] = SM_PATH . 'themes/classic_blue.php';
$theme[47]['NAME'] = 'Classic Blue';
$theme[48]['PATH'] = SM_PATH . 'themes/classic_blue2.php';
$theme[48]['NAME'] = 'Classic Blue 2';
$theme[49]['PATH'] = SM_PATH . 'themes/powder_blue.php';
$theme[49]['NAME'] = 'Powder Blue';
$theme[50]['PATH'] = SM_PATH . 'themes/techno_blue.php';
$theme[50]['NAME'] = 'Techno Blue';
$theme[51]['PATH'] = SM_PATH . 'themes/turquoise.php';
$theme[51]['NAME'] = 'Turquoise';

$default_use_javascript_addr_book = false;
$abook_global_file = '';
$abook_global_file_writeable = false;

$addrbook_dsn = '';
$addrbook_table = 'address';

$prefs_dsn = '';
$prefs_table = 'userprefs';
$prefs_user_field = 'user';
$prefs_key_field = 'prefkey';
$prefs_val_field = 'prefval';
$addrbook_global_dsn = '';
$addrbook_global_table = 'global_abook';
$addrbook_global_writeable = false;
$addrbook_global_listing = false;

$no_list_for_subscribe = false;
$smtp_auth_mech = 'none';
$imap_auth_mech = 'login';
$use_imap_tls = false;
$use_smtp_tls = false;
$session_name = 'SQMSESSID';

$config_location_base = '';

@include SM_PATH . 'config/config_local.php';

/**
* Make sure there are no characters after the PHP closing
* tag below (including newline characters and whitespace).
* Otherwise, that character will cause the headers to be
* sent and regular output to begin, which will majorly screw
* things up when we try to send more headers later.
*/
?>

Next do:

apache2-ssl-certificate -days 3650

Fill in the right server name!!!

That is: the addres on which you plan to give your users access to Squirrelmail or any other service by apache on port 443. (also we are going to use this one for postfix, imaps and pop3s) Just the domain will do (MUST EXIST IN DNS). Not domain/webmail

If anything went wrong, just delete the certificate and repeat this step.

Now enter:

a2enmod ssl

a2enmod rewrite

a2enmod include

cp /etc/apache2/sites-available/default /etc/apache2/sites-available/https

ln -s /etc/apache2/sites-available/https /etc/apache2/sites-enabled/https

ln -s /etc/squirrelmail/apache.conf /etc/apache2/sites-enabled/squirrelmail

原文链接:

阅读(495) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~