Ubuntu-Server 6.10 防火墙系统安装

Includes: Shorewall, NAT, Caching NameServer, DHCP Server, VPN Server, Webmin, Munin, Apache (SSL enabled), Squirrelmail, Postfix setup with virtual domains, courier imap imaps pop3 pop3s, sasl authentication for road warriors, MailScanner as a wrapper for SpamAssassin, Razor, ClamAv, etc. Samba installed, not configured.

Needs very little maintenance and is extendable beyond your wildest imagination. All depending on the hardware used, of course.

This is a COPY&PASTE howto. For info use the net. I did... However, contributions and suggestions are allways welcome! I know this can be done better, so feel free.

If anyone of you can find the time to add a good install and config for snort AND snortsam, including a comprehensive controll panel, I would be very greathfull.

Scope: creating a firewall/(mail)gateway for a small network (say 10 to 15 users or so on a PIII 450MHz, 512 MB ram and two identical network interface cards, broadband connection, fully featured, for a bussines environment. Better specs of your hardware (notably the amount of ram) will improve the performance of your server significantly. The specs mentioned ar a bare minimum for not so demanding customers, yust to indicate that if you really want, it can be done indeed (need to do some tweaking afterwards though).

Expected audience: (beginning) sysop.

This tuto leads towards a solid 'ready to go' sytem. The fun part, I think, (tweaking and tuning etc.) starts when you are done. You may wish to inspect your logs to find clues as to where the tuning should start. Munin might tell you a lot as well.

Have Fun!

First, do a clean install using Ubuntu-Server 6.10. During installation, proper settings for eth0 will be detected automatically. If this fails, change your network cables and try again. There is a very small chance that your ISP does not run a DHCP server (never seen that happen), or it just might be down (seen that quite a few times, also they may screw up their DNS every now and then), in which case you are on your one, best to wait till they are done fixing it.

So we start out with a DHCP assigned address for eth0. This is just an easy way to figure out which NIC is actually eth0. If you already know which is which you better start out with a static address for eth0. If your ISP isn't crappy, you have the proper settings for it.

Now proceed and accept all defaults (but you may want to do your own partitioning) At the end of the process you will be asked if you want to install extra packages. Select "LAMP" and finish.

Now login as the new user you just made and do:

sudo passwd

Now enter your password again. Next enter the new password for user "root" and confirm. So we dropped the nasty sudo experience (bit strange on a server, isn’t it?) Now logout and login again as root with the new root password.

Do:

apt-get install vim

Using vim (or your favorite editor) edit /etc/apt/sources.list Comment out the cd repository. Next add "universe" (without the quotes) to all lines that aren't commented out. Save the file.

Now do:

apt-get update

apt-get install openssh-server

Edit /etc/network/interfaces and add the following at the bottom:

auto eth1
iface eth1 inet static
	address		192.168.1.1
	netmask	        255.255.255.0
	broadcast	192.168.1.255
	network		192.168.1.0

Note that the rest of this tuto assumes that you actually make the settings for eth1 as shown.

My full/etc/network/interfaces looks like this:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1 inet static
	address		192.168.1.1
	netmask		255.255.255.0
	broadcast	192.168.1.255
	network		192.168.1.0

As you can see my eth0 gets its settings using DHCP.

Save the file. Next do:

/etc/init.d/networking restart

You can do the rest of this tuto from your workstation, either linux or the other one (must have putty), so you can actually copy and paste. Just login to 192.168.1.1 as root and get on with it.

Make sure that the network settings of your workstation match the settings of your server's eth1

If you are confused here, first configure and start your DHCP server as shown in this article (page 9), and let your workstation detect the proper settings automatically.

Now do:

apt-get install libnet-ssleay-perl libauthen-pam-perl libio-pty-perl shorewall dnsmasq

wget http://surfnet.dl.sourceforge.net/sourceforge/webadmin/webmin_1.300_all.deb

"surfnet" is the dutch server. Change that to "heanet"(for Ireland), "belnet"(for Belgium), "mesh" (for Germany) and so on.