Installing Firewall
Nik Okuntseff, Windows 2000 Security Programming


With the installation of the isolated 2-node Windows 2000 network done, it is time to install the firewall system. It should provide Internet connectivity for the Windows 2000 systems, as well as a means to transfer files between the production network and the Windows 2000 network (through Samba running on the firewall machine). Keep in mind that this makes the firewall host itself reachable from both networks, so every service it runs is exposed to the production side as well as to the isolated one.

Installing the firewall system

  • Back up old data if necessary. This installation procedure formats the entire hard disk on the system. All data there will be lost.
  • Have the hardware ready. Notice that a system with 2 network cards is required now. Insert both network cards into the system and make sure it powers on and boots.
  • Configure the system so that it boots from a CD-ROM. On my system I needed to use the Delete key to enter the BIOS setup screen, then go to the Boot page, and change the First Boot Device entry to be ATAPI CD-ROM Drive. On other systems with a different BIOS you might need to change the boot sequence entry to start from CD-ROM, for example: CDROM,C,A.
  • Boot the system with Red Hat Linux 7.0 CD 1 inserted into the drive. Installation choices:

    Language - default.
    Keyboard - default.
    Install type - server (this is not the default).
    Automatic Partitioning - default (automatically partition and REMOVE DATA).
    Network Configuration - NOT DEFAULT.

    For eth0 select "Configure using DHCP" and "Activate on boot".
    For eth1 select "Activate on boot". Use IP address: 192.168.2.1, Netmask: 255.255.255.0, Network: 192.168.2.0, and Broadcast: 192.168.2.255.

    Configure time as desired. I used Pacific Time - West British Columbia. UTC offset -08. US Pacific. Use Daylight Saving time.
    Account Configuration - type in password for root. You may also introduce other accounts at this point. I introduced niko.
    Package Group Selection - default. Only Web Server is selected.
    Create a boot disk when asked. Provide a formatted floppy disk for that; formatting it on an NT or Windows 2000 machine is fine.

  • Establish eth0 connectivity with the production network. Connect the network cable, reboot the system, and make sure eth0 starts okay. Notice that there might be some confusion here as to which physical network card the kernel has named eth0; compare the hardware (MAC) address shown by ifconfig with the one printed on the card. Resolving this might require a few reboots or swapping the cables.
  • If the above worked for you then you are fine. There might be problems, though. For example, I could not get a DHCP connection to the production network at my place of employment (the DHCP server was timing out). However, the same setup process succeeded at my home via an ADSL connection to an ISP. If you find yourself in the same situation (can't get DHCP working) there is another thing to try, and that is a fixed IP address for eth0. Use a fixed IP address, an appropriate network mask, gateway and DNS entries that apply to you. For example, it may look like this: IP 10.1.3.2, Netmask 255.255.0.0, Network 10.1.0.0, Broadcast 10.1.255.255, Hostname NikLinux, Gateway 10.1.1.3, Primary DNS 10.1.2.6, Secondary and Tertiary DNS entries empty. The important thing here is getting the eth0 interface working properly.
  • Edit the file /etc/sysconfig/network so that its HOSTNAME line carries the correct hostname. Instead of localhost.localdomain I use something like 00-50-04-75-bc-3f.bconnected.net at home and NikLinux at work. The funny beginning 00-50-04-75-bc-3f here is the hardware address of the network card used for eth0, which is how my ISP names hosts. A detailed discussion of such a setup is out of the scope of this book.
  • Reboot the system and make sure the hostname is set up correctly. To check hostname type: hostname
  • Check system functionality by trying to use the lynx browser. You can try to visit any available web site, for example, lynx www.intel.com (Control-C to exit). If you see lynx browser working properly it means that name resolution works and connectivity to the Internet is established.
  • httpd (the local Apache web server, installed because the Server install type selects the Web Server package group) will probably fail to start on the new system with a message that it cannot determine the local host name, because the hostname you just set does not resolve to an address. This is okay for now. Since nothing in this setup needs a web server on the firewall, the safest fix is simply to disable the httpd service with chkconfig so that it does not start at boot. If you do want it, add the hostname to /etc/hosts or set the ServerName directive; refer to the Apache documentation for details.

Connecting the firewall to the internal network

  • The next step is connecting the firewall system to the internal network through a hub. The goal here is to connect all cables as necessary and make sure every machine can ping every other. For example, the domain controller should be able to ping the firewall's internal address (192.168.2.1) and the firewall should be able to ping the domain controller.

Setting up IP Masquerading

  • Add the following three lines to the file /etc/rc.d/rc.local:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    ipchains -P forward DENY
    ipchains -A forward -j MASQ -s 192.168.2.0/24 -d 0.0.0.0/0

    The rc.local script is executed at the end of the boot sequence. The first line (echo 1 > ...) writes a 1 into the pseudo-file /proc/sys/net/ipv4/ip_forward, which turns on IP forwarding (routing between eth0 and eth1). The second line sets the default policy of the forward chain to DENY, so nothing is routed between the two interfaces unless a rule allows it. The third line allows exactly one thing: packets from the 192.168.2.0/24 network to any destination, which are masqueraded, that is, rewritten to carry the firewall's eth0 address so that replies come back to the firewall and are handed to the internal host that sent the request. Note what these lines do not do: the input and output chains keep their default ACCEPT policy, so the firewall host itself still accepts any connection from the production network. This is network address translation, not packet filtering. Reboot the system and examine the file /proc/sys/net/ipv4/ip_forward (cat it). It must now contain 1 instead of 0.

  • For all internal systems on the 192.168.2.0 network configure the default gateway for TCP/IP to be 192.168.2.1 (meaning the firewall machine is the gateway). Also configure DNS server entries as desired. One DNS server (Preferred DNS server) is probably enough. The DNS servers may live outside the 192.168.2.0 network; what matters is that the internal hosts' queries reach them through the masquerading firewall and the answers come back. Try them from the firewall machine first using nslookup. If names resolve fine, make the change on one of the internal machines and see whether nslookup works from there. Finally, try browsing the Internet from the internal machine. If everything works, duplicate the settings to the other internal machines.
  • Syntax is important in the additions to rc.local. For example, I made a mistake, typing in echo > 1 /proc/sys/net/ipv4/ip_forward instead of echo 1 > /proc/sys/net/ipv4/ip_forward. I then wasted the remainder of the day trying to figure out why IP forwarding did not work. If things go wrong, try executing the above commands from the command line (as root) to see whether that gets you any further.
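  • The three rc.local lines give you masquerading but no filtering: the input chain still accepts everything, so every service on the firewall host (Samba once it is installed, the Apache server that came with the Server install type) is reachable from the production side, and nothing stops packets with forged 192.168.2.x source addresses arriving on eth0. The script below is an added example for the same ipchains/2.2 kernel setup; it is not a script from the book. It assumes eth0 faces the production network or Internet, eth1 faces the 192.168.2.0/24 network, and it takes the resolver addresses from /etc/resolv.conf unless DNS_SERVERS is set. The DRY_RUN switch and the show argument are conveniences of this script, not ipchains features.

```shell
#!/bin/sh
# /etc/rc.d/rc.firewall : call from rc.local as   /etc/rc.d/rc.firewall start
# Added example for the ipchains (2.2 kernel) setup described above; not the book's script.
# Assumptions: EXT_IF faces the production network / Internet, INT_IF faces the
# isolated Windows 2000 network, and the firewall itself is 192.168.2.1 on INT_IF.
EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
INT_NET=${INT_NET:-192.168.2.0/24}
# Resolvers used by the firewall and the internal hosts; defaults to /etc/resolv.conf.
DNS_SERVERS=${DNS_SERVERS:-$(awk '/^nameserver/ { print $2 }' /etc/resolv.conf 2>/dev/null)}

# run: execute an ipchains command, or print it when DRY_RUN is set so the rule
# set can be reviewed on any machine before it is applied (this script's own switch).
run() {
    if [ -n "$DRY_RUN" ]; then echo "ipchains $*"; else ipchains "$@"; fi
}
# knob: write a kernel /proc setting, with the same dry-run behaviour.
knob() {
    if [ -n "$DRY_RUN" ]; then echo "echo $2 > $1"; else echo "$2" > "$1"; fi
}

apply_rules() {
    knob /proc/sys/net/ipv4/ip_forward 1            # route between the two interfaces
    knob /proc/sys/net/ipv4/ip_always_defrag 1      # masquerading must see whole packets
    knob /proc/sys/net/ipv4/conf/all/rp_filter 1    # kernel-side source address check

    run -F                         # start from an empty rule set (safe to re-run)
    run -P input DENY              # the host accepts nothing it is not told to
    run -P forward DENY            # nothing is routed unless explicitly allowed
    run -P output ACCEPT

    run -A input -i lo -j ACCEPT
    # Anti-spoofing: internal or loopback source addresses never arrive from outside.
    run -A input -i "$EXT_IF" -s "$INT_NET" -j DENY -l
    run -A input -i "$EXT_IF" -s 127.0.0.0/8 -j DENY -l
    # The isolated network is trusted to talk to the firewall itself (Samba, ping).
    run -A input -i "$INT_IF" -s "$INT_NET" -j ACCEPT
    # From outside, accept replies only. ipchains keeps no connection state, so a
    # reply is approximated as: a TCP packet without SYN (! -y), a DNS answer from one
    # of the configured resolvers, a DHCP lease reply for eth0, or an ICMP message.
    run -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    for ns in $DNS_SERVERS; do
        run -A input -i "$EXT_IF" -p udp -s "$ns" 53 -j ACCEPT
    done
    run -A input -i "$EXT_IF" -p udp -s 0.0.0.0/0 67 -d 0.0.0.0/0 68 -j ACCEPT
    run -A input -i "$EXT_IF" -p icmp -j ACCEPT
    # Add explicit ACCEPT rules here for any service that must be reachable from the
    # production side (for example the Samba share). Everything else is dropped and logged.
    run -A input -i "$EXT_IF" -j DENY -l

    # Forwarding: the book's rule, internal hosts out to anywhere, masqueraded behind
    # the firewall's eth0 address. Replies to masqueraded connections are de-masqueraded
    # by the kernel before routing and never traverse the forward chain.
    run -A forward -s "$INT_NET" -d 0.0.0.0/0 -j MASQ
}

case "${1:-}" in
    start) apply_rules ;;
    show)  DRY_RUN=1; apply_rules ;;
    *)     echo "usage: $0 start|show" >&2 ;;
esac
```

    Run it with show first and read the printed rules before running it with start. If you administer the firewall over the network from the production side, add an ACCEPT rule for that service before the final DENY, or you will lock yourself out. Active-mode FTP from the internal hosts additionally needs the ip_masq_ftp module loaded.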

Setting up the Samba server

  • Once Internet browsing from the internal network is working, it's time to set up the Samba server. Samba makes configured Linux directories visible as shares on Microsoft Windows networks, so you can move files between Windows and Linux with Windows drag and drop. If the Samba server runs on the firewall machine, its shares can be reached from both the external and the internal network, which is what makes it useful for moving files between the two. It also means the share is an entry point from the production network into the firewall host, so restrict who can use it.
  • The Samba packages are not installed by the installation process described above. Two RPM packages are required: samba-common-2.0.7-21ssl.i386.rpm and samba-2.0.7-21ssl.i386.rpm. Both RPMs are on Red Hat Linux 7.0 CD 1 under the RedHat/RPMS directory. To install them, mount the CD, change to that directory, then use the rpm commands:

    mount /dev/cdrom /mnt/cdrom
    cd /mnt/cdrom/RedHat/RPMS
    rpm -i samba-common-2.0.7-21ssl.i386.rpm
    rpm -i samba-2.0.7-21ssl.i386.rpm

  • The Samba package comes with a default /etc/samba/smb.conf configuration file. Rename it to keep it as a reference:

    cd /etc/samba
    mv smb.conf smb.conf.orig

  • Introduce a new smb.conf with the following in it:
    #============= Global Settings ===========================
    [global]
       workgroup = MYRESEARCH
       netbios name = NIKLINUX
       server string = Samba Server
       log file = /var/log/samba/%m.log
       max log size = 50
       security = user
       encrypt passwords = yes
          
    #============== Share Definitions ========================
    [tmp]
       comment = Temporary Files
       path = /tmp
       read only = no
       public = yes
    
    #============== End of File ==============================
    

    Some comments on the settings above.
    workgroup is the workgroup or NT domain name under which this Samba server announces itself in the browse list. With security = user Samba does not join the domain; it authenticates users against its own smbpasswd file.
    netbios name defines the name of the machine. You should see a machine named NIKLINUX in the Network Neighborhood of the MYRESEARCH domain, assuming everything is working correctly.
    security = user together with encrypt passwords = yes is required for Windows NT (SP3 and later) and Windows 2000 clients, which send hashed rather than plaintext passwords.
    The remainder of the file defines a file share. public = yes is a synonym for guest ok = yes, so anyone who can reach the server's SMB port can read and write /tmp without a password, and read only = no makes the share writable. On a host that sits on both networks that is a lot of exposure; for anything beyond a first test, set public = no and limit the share to named users, and limit client addresses with hosts allow. Modify this as required or introduce other file shares.

  • Add Samba users (at least one: yourself). Each Samba user needs a matching Unix account on the firewall (niko was created during installation). To add a user to the Samba server type (as root):

    smbpasswd -a username

    For example, when adding niko:

    smbpasswd -a niko

    The system should ask for a password, and then for a confirmation. If successful, the smbpasswd file (next to smb.conf in /etc/samba) now contains the LM and NT password hashes for niko. Those hashes are as good as the password for SMB authentication, so the file must stay readable by root only.

  • Start the two Samba daemons (smbd serves the files, nmbd provides NetBIOS name service and browsing) by typing:

    smbd -D; nmbd -D

  • To observe Samba in operation, go to a Windows NT or Windows 2000 machine logged on with the same user name and password you registered with smbpasswd, then use Windows Explorer to browse the firewall machine. Copy some files into the tmp share and verify on the firewall that they arrive in /tmp, owned by that user.
  • To make the Samba server start at boot, add the following lines to /etc/rc.d/rc.local (alternatively, the samba RPM installs an init script, /etc/rc.d/init.d/smb, which starts the same two daemons and can be enabled with chkconfig):

    # This is what Nik added to start SAMBA server
    echo "Nik code: Starting SAMBA Server:"
    smbd -D; nmbd -D

    Make sure Samba starts properly at boot. Reboot the machine and try accessing the shares. If you change smb.conf later, the running daemons can be told to re-read it with HUP (this reloads the configuration; it does not restart the processes, so to restart them fully kill them and start them again):

    killall -HUP nmbd
    killall -HUP smbd

  • If everything works out as planned you should be able to browse the tmp share on the firewall machine from the internal network (MYRESEARCH); the machine simply appears as another member of the domain's browse list. To access the share from the outside network, use the "Map Network Drive" feature with the path \\NikLinux\tmp (the production-side machine must be able to resolve the NetBIOS name NikLinux, for example by broadcast on the same subnet; otherwise use the firewall's eth0 IP address in place of the name). In the "Enter Network Password" dialog provide the user name and password you registered with smbpasswd; with security = user, Samba checks its own password file, not the domain controller. Remember that at this point the share is reachable from both networks.
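  • The configuration above leaves a guest-writable share on a host with a foot in each network, and smbd/nmbd accept connections from any address. The script below, an added example and not the book's code, writes an equivalent smb.conf that drops guest access, restricts the share to one named Samba user, and refuses clients other than the isolated network, one production-side workstation used for transfers, and localhost. The production workstation address 10.1.3.5 and the share path /home/samba/xfer are hypothetical; adjust them for your site. It backs up the existing smb.conf once and, where testparm is installed, refuses to install a configuration testparm rejects.

```shell
#!/bin/sh
# install-smb-conf.sh : added example, not from the book. Generates a Samba 2.0.x
# smb.conf for the firewall host that only trusted addresses may use, keeps a
# one-time backup of the previous file and validates the result with testparm.
# Hypothetical values: 10.1.3.5 (production workstation), /home/samba/xfer (share path).

# render_smb_conf WORKGROUP NETBIOS_NAME SAMBA_USER SHARE_PATH PRODUCTION_HOST
# Prints the configuration. Host lists use Samba's "192.168.2." network-prefix form.
render_smb_conf() {
    wg=$1; nb=$2; user=$3; path=$4; ext_host=$5
    cat <<EOF
#============= Global Settings ===========================
[global]
   workgroup = $wg
   netbios name = $nb
   server string = Samba Server
   log file = /var/log/samba/%m.log
   max log size = 50
   security = user
   encrypt passwords = yes
   # Only the isolated network, one production workstation and localhost may
   # connect; every other client is refused before it can even authenticate.
   hosts allow = 192.168.2. $ext_host 127.
   hosts deny = ALL
   # Never fall back to an anonymous guest login, even on a "public" share.
   map to guest = Never

#============== Share Definitions ========================
[xfer]
   comment = File transfer between networks
   path = $path
   read only = no
   public = no
   valid users = $user
   create mask = 0600
   directory mask = 0700

#============== End of File ==============================
EOF
}

# install_smb_conf: write the rendered config to SMB_CONF (default /etc/samba/smb.conf),
# keeping the old file as smb.conf.orig the first time, and only if testparm accepts it.
install_smb_conf() {
    conf=${SMB_CONF:-/etc/samba/smb.conf}
    tmp=$conf.new
    render_smb_conf "$@" > "$tmp"
    if command -v testparm >/dev/null 2>&1; then
        if ! testparm -s "$tmp" >/dev/null 2>&1; then
            echo "testparm rejected $tmp; leaving $conf untouched" >&2
            rm -f "$tmp"
            return 1
        fi
    fi
    if [ -f "$conf" ] && [ ! -f "$conf.orig" ]; then
        cp -p "$conf" "$conf.orig"
    fi
    mv "$tmp" "$conf"
    chmod 644 "$conf"
}

# Values matching the book's example; the share directory belongs to the Samba user only.
WG=MYRESEARCH; NB=NIKLINUX; USER_NAME=niko; SHARE=/home/samba/xfer; PROD_HOST=10.1.3.5
case "${1:-}" in
    show)    render_smb_conf "$WG" "$NB" "$USER_NAME" "$SHARE" "$PROD_HOST" ;;
    install) install_smb_conf "$WG" "$NB" "$USER_NAME" "$SHARE" "$PROD_HOST" &&
             mkdir -p "$SHARE" && chown "$USER_NAME" "$SHARE" && chmod 700 "$SHARE" &&
             echo "installed $SHARE share; restart smbd and nmbd to pick it up" ;;
    *)       echo "usage: $0 show|install" >&2 ;;
esac
```

    Because hosts allow is checked before any password exchange, the production workstation is the only outside machine that can even attempt to log in, and the share is then usable only by the user named in valid users. With this in place, the Samba share no longer needs a blanket ACCEPT from the production side in the packet filter; a single rule for that one workstation is enough.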

 

Send comments and suggestions to niko@wrconsulting.com
Copyright © 2000 by Nik Okuntseff