Apt makes adding things to an Ubuntu install very easy. Almost too easy. The first step was to check that it had the repositories set up right in /etc/apt/sources.list. It's inclined to comment out things if it can't reach them, and if you don't want to leave the CD in the drive it's a good idea to comment that out, or it will ask for it. It's also worth checking that the line
net.ipv4.conf.default.forwarding=1
in /etc/sysctl.conf is uncommented. Without it no routing will happen. That setting is the default for interfaces that come up later; the global switch is net.ipv4.ip_forward, and after a reboot "sysctl net.ipv4.ip_forward" should report 1 before you blame anything else for packets not being forwarded. (Shorewall can also turn forwarding on for you, via IP_FORWARDING=On in /etc/shorewall/shorewall.conf.)
Then we need to get everything up to date:
apt-get update
apt-get upgrade
The first requisite for a router like this is a DHCP server, so it can hand out IP addresses to client machines and tell them where to get DNS service and how to get out to the Internet. This was pretty simple:
apt-get install dhcp3-server
and edit /etc/dhcp3/dhcpd.conf to say:
ddns-update-style none;
default-lease-time 86400;
max-lease-time 86400;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
option domain-name-servers 10.11.12.1;
option broadcast-address 10.11.12.255;
option routers 10.11.12.1;
# Allow for up to 10 dynamic devices
subnet 10.11.12.0 netmask 255.255.255.0 {
interface eth1;
range 10.11.12.2 10.11.12.12;
}
# Fixed addresses for known hardware
host FirstPC {
hardware ethernet 00:0A:E6:83:0C:55;
fixed-address 10.11.12.17;
}
host BlackSilverPC {
hardware ethernet 00:0C:76:CD:82:61;
fixed-address 10.11.12.18;
}
The “host” clauses above are a nice way to give known computers the same IP addresses every time they start up, which helps in tracking who is using bandwidth, while the “subnet” clause allows arbitrary new computers to connect to a pool of free addresses. Make sure dhcpd only answers on the inside interface: on Ubuntu that is INTERFACES="eth1" in /etc/default/dhcp3-server. A DHCP server that also listens on the Internet-facing side is an invitation to hand out your LAN configuration to strangers.
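Dynamic addresses from the pool above rotate between machines, so the per-IP accounting later in this post only says who used an address if you can map it back to a MAC. The following is an added example, not part of the original post: a shell function that reads dhcpd's lease database and prints the current lease for each address (dhcpd appends a new record every time a lease changes, so the last record for an address is the live one). The lease excerpt embedded in it is constructed for the demonstration, and the path /var/lib/dhcp3/dhcpd.leases in the usage comment is an assumption for dhcp3-server on Ubuntu of this era.

```shell
#!/bin/sh
# list_leases: print "ip mac binding-state hostname" for each address in a
# dhcpd.leases file, keeping only the most recent record per address.
# Usage: list_leases /var/lib/dhcp3/dhcpd.leases   (path is an assumption)
list_leases() {
    awk '
    # A new record: remember the address and reset the fields.
    /^lease / { ip = $2; mac = "-"; state = "-"; host = "-" }
    # "hardware ethernet 00:..;" -> strip the trailing semicolon.
    $1 == "hardware" && $2 == "ethernet" { mac = $3; sub(";", "", mac) }
    # Only the current "binding state", not "next binding state".
    $1 == "binding" && $2 == "state" { state = $3; sub(";", "", state) }
    # client-hostname is quoted and semicolon-terminated.
    $1 == "client-hostname" { host = $2; gsub(/[";]/, "", host) }
    # End of record: later records for the same address overwrite earlier ones,
    # but addresses are reported in the order they were first seen.
    /^}/ {
        rec[ip] = ip " " mac " " state " " host
        if (!(ip in seen)) { seen[ip] = 1; order[++n] = ip }
    }
    END { for (i = 1; i <= n; i++) print rec[order[i]] }
    ' "$@"
}

# Constructed dhcpd.leases excerpt (not real data): 10.11.12.3 changes hands once.
SAMPLE_LEASES='lease 10.11.12.3 {
  starts 1 2008/11/03 01:09:00;
  ends 2 2008/11/04 01:09:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:0c:76:cd:82:61;
  client-hostname "laptop";
}
lease 10.11.12.2 {
  starts 0 2008/11/02 10:00:00;
  ends 1 2008/11/03 10:00:00;
  binding state free;
  hardware ethernet 00:16:cb:aa:bb:cc;
}
lease 10.11.12.3 {
  starts 2 2008/11/04 01:09:00;
  ends 3 2008/11/05 01:09:00;
  binding state active;
  hardware ethernet 00:1b:63:dd:ee:ff;
  client-hostname "visitor";
}'

# Run the parser over the constructed sample (reads stdin when no file is given).
list_sample_leases() {
    printf '%s\n' "$SAMPLE_LEASES" | list_leases
}

list_sample_leases
```

On a real router point list_leases at the live leases file instead of the sample; a lease in state "free" tells you the address is back in the pool, so traffic counted against it after that time belongs to whoever picks it up next.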
Having the router act as a DNS cache is not a bad idea, as long as it's done properly. Having selected DNS service when Ubuntu was being installed, the only other thing we need to do is tell bind where to forward queries. In /etc/bind/named.conf.options we uncomment the forwarders section and add our ISP's nameservers (each address needs its own terminating semicolon, or bind will refuse to start):
forwarders {
191.202.34.3;
191.202.34.4;
};
Doing it properly also means the cache must not be an open resolver. The firewall rules below only let the local zone talk DNS to the router, and bind's own listen-on and allow-recursion options can restrict it to the inside address and the 10.11.12.0/24 network as well, so that a mistake in the firewall does not turn the router into a reflector for somebody else's amplification attack.
Linux has a comprehensive packet filter built in, called iptables, and Ubuntu ships it, but it isn't terribly friendly to set up directly. I thought I would try shorewall, which is a front end that hides a lot of the details. It comes with a bunch of example setups, and the two-interfaces one is just about right:
apt-get install shorewall
cd /usr/share/doc/shorewall/examples/two-interfaces
cp * /etc/shorewall
Editing this a bit to reflect my arbitrary prejudices gives the following for /etc/shorewall/rules. The sample's other files (interfaces, zones, policy and masq) define the two zones, net on eth0 and loc on eth1, with a default policy that lets loc out to net, drops everything arriving from net and rejects the rest, so the rules file only has to list the exceptions. Two things worth knowing: the NetBIOS rule leaves TCP 139 open (137-139 and 445 are the full set), and the two BOOTP rules can be replaced by the dhcp option on the eth1 entry in /etc/shorewall/interfaces, which does the same job.
#------------------- Firewall rules ---------------------
# Policy is to reject everything not specifically permitted here
# Accept DNS connections from the firewall to the network
DNS/ACCEPT      $FW     net
# Let the firewall make outgoing http so we can apt-get
ACCEPT          $FW     net     tcp     www,https
# Let the firewall do NTP so we can sync time
ACCEPT          $FW     net     udp     ntp
# Let the firewall send mail
ACCEPT          $FW     net     tcp     smtp,smtps
# Let the firewall send BOOTP datagrams and get replies
ACCEPT          $FW     loc     udp     68
ACCEPT          loc     $FW     udp     67
# Local machines use the firewall as a DNS server
DNS/ACCEPT      loc     $FW
# Accept SSH connections from the local network for administration
SSH/ACCEPT      loc     $FW
# Allow locals to ping us
Ping/ACCEPT     loc     $FW
# Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
Ping/REJECT     net     $FW
# But otherwise let the firewall do ICMP
ACCEPT          $FW     loc     icmp
ACCEPT          $FW     net     icmp
#------------------- Local net rules -------------------
# Policy is to allow everything not specifically forbidden here
# Force local machines to use the router as their nameserver
DNS/REJECT      loc     net
# Do not let NetBIOS protocols out because they are evil
REJECT          loc     net     tcp     137,445
REJECT          loc     net     udp     137:139
# Do not let low-port UDP out generally, with an exception for NTP
REJECT          loc     net     udp     0:122
REJECT          loc     net     udp     124:1024
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
If I add a file called “accounting” in /etc/shorewall, it will do per-IP traffic measurement:
#ACTION  CHAIN  SOURCE            DESTINATION       PROTOCOL  DEST  SOURCE
#                                                             PORT  PORT
# Overall Internet traffic counts
COUNT    -      eth0              -                 all
COUNT    -      -                 eth0              all
# By-machine breakdown
DONE     -      192.168.1.32      eth0              all       -     -
DONE     -      eth0              192.168.1.32      all       -     -
DONE     -      10.11.12.1        eth0              all       -     -
DONE     -      eth0              10.11.12.1        all       -     -
DONE     -      eth1:10.11.12.2   eth0              all       -     -
DONE     -      eth0              eth1:10.11.12.2   all       -     -
DONE     -      eth1:10.11.12.3   eth0              all       -     -
DONE     -      eth0              eth1:10.11.12.3   all       -     -
DONE     -      eth1:10.11.12.4   eth0              all       -     -
DONE     -      eth0              eth1:10.11.12.4   all       -     -
etc…
Making shorewall run requires a little more effort, as they want you to be quite sure you have configured it first. In /etc/shorewall/shorewall.conf you have to set
STARTUP_ENABLED=Yes
and in /etc/default/shorewall set
startup=1
From there a
shorewall start
command will check the rule set and either tell you what's wrong with it or activate it. If you would rather find out what's wrong without touching the running rules, "shorewall check" does the validation on its own.
It's nice to have accurate time on a security system, so that the timestamps in its logs and e-mails can be trusted, which is as simple as:
apt-get install ntp
It would also be nice to get e-mail from the system to assure us that all is well. First we need a mailer. We don't need anything as advanced, or as complicated, as exim4 or sendmail, just something that can forward mail to our ISP's mail server.
apt-get install nullmailer
Then we need to make a file called /etc/nullmailer/remotes that contains one line with the name of our ISP's mail server:
smtp.myisp.co.nz
and another file called /etc/nullmailer/adminaddr which should contain your e-mail address. Administrative emails will then get forwarded to you instead of getting lost or hanging around in a queue. The mail command used below is not part of nullmailer; it comes from the mailx package, so install that too if it isn't already there.
Now if we add this line to /etc/rc.local
date | mail -s "Starting up" myname@myisp.co.nz
… we will get mail (with a timestamp in it) every time the system restarts, which shouldn’t happen often (or at all). Something a bit more detailed from the firewall would be nice. This is easily done with a shell script. If we become root:
sudo -i
and make a file called daily in /root that looks like:
#!/bin/sh
# Collect the most recent firewall log entries and the accounting counters,
# mail them, then zero the counters ready for the next day.
# Use an absolute temporary file: cron does not promise a working directory.
OUT=$(mktemp /tmp/daily.XXXXXX) || exit 1
/sbin/shorewall show log > "$OUT"
/sbin/shorewall show accounting >> "$OUT"
/sbin/shorewall reset
mail -s "Logs" myname@myisp.co.nz < "$OUT"
rm -f "$OUT"
then its only a matter of making it executable:
chmod a+x daily
and installing a crontab entry for it:
crontab -u root -e
In the editor window we insert the line:
00 02 * * * /root/daily
to get the script to run every day at 2am. It will send a summary of the day's firewall rejects and traffic, broken down by IP. Note that "shorewall show log" prints only the most recent Shorewall messages, so on a noisy day the full picture is in the system log (wherever LOGFILE in shorewall.conf points, normally /var/log/syslog or /var/log/messages).
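On a busy day a raw dump of log lines is hard to read, and what you actually want to know is who was knocking and on which port. The following is an added example, not part of the original post and not a Shorewall tool: a shell function that reduces a syslog extract to a count of dropped or rejected packets per chain, source address and destination port, suitable for dropping into the daily script in place of (or alongside) "shorewall show log". It assumes Shorewall's default log prefix of the form Shorewall:chain:disposition: followed by the kernel's SRC=, PROTO= and DPT= fields; the log lines embedded in it are constructed for the demonstration, not captured traffic.

```shell
#!/bin/sh
# summarize_shorewall_log: read syslog lines (files given as arguments, or
# stdin) and print "count disposition chain source proto/dport", busiest first.
# Usage: summarize_shorewall_log /var/log/syslog
summarize_shorewall_log() {
    awk '
    /Shorewall:/ {
        # The log prefix is one whitespace-free token: Shorewall:<chain>:<disposition>:...
        chain = "-"; disp = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Shorewall:/) { split($i, p, ":"); chain = p[2]; disp = p[3] }
        }
        # Pick the packet fields we care about out of the kernel log line.
        src = "-"; proto = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        count[disp " " chain " " src " " proto "/" dpt]++
    }
    END { for (k in count) print count[k], k }
    ' "$@" | sort -k1,1nr -k2
}

# Constructed syslog excerpt (not real traffic): two SSH probes from one host,
# an SMB probe from another, and a LAN machine being refused NetBIOS out.
# The dhcpd line is there to show that non-Shorewall lines are ignored.
SAMPLE_LOG='Nov  3 01:02:03 router kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.168.1.32 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=44512 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Nov  3 01:02:04 router kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.168.1.32 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=44513 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Nov  3 01:05:10 router kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.168.1.32 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1 DF PROTO=TCP SPT=3211 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Nov  3 01:07:44 router kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=10.11.12.3 DST=203.0.113.50 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=9 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov  3 01:09:00 router dhcpd: DHCPACK on 10.11.12.3 to 00:0c:76:cd:82:61 via eth1'

# Run the summary over the constructed sample.
summarize_sample() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_shorewall_log
}

summarize_sample
```

The output for the sample is three lines: "2 DROP net2fw 203.0.113.9 TCP/22" first, then the single SMB probe and the single NetBIOS reject. A loc2net REJECT line in this report is worth a look, since it means a machine on your own network tried to do something the rules forbid.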
We now have a router, a DHCP server, a monitored firewall, and a DNS cache. If it ever stops working, you’ll certainly know about it. It should be utterly reliable – my system has run without a hitch since I set it up and has only been down during power failures.
Installing ZoneMinder isn't difficult, but it is a bit more involved. I found this set of commands on one of the ZoneMinder forums, and they work just fine for Gutsy Gibbon. ZoneMinder is available via apt, so:
apt-get install zoneminder
… this will ask for a MySQL password; make it something reasonably secure, since you won't need to type it again. From there we need a few vaguely magical incantations:
# Make apache serve the ZoneMinder web console
ln -s /etc/zm/apache.conf /etc/apache2/conf.d/zoneminder.conf
apache2ctl restart
# zmfix runs setuid root so it can fix up the permissions on the video devices
# for the web server user; it is the only thing here that should be setuid
chmod 4755 /usr/bin/zmfix
zmfix -a
chown www-data.www-data /usr/share/zoneminder/temp
ZoneMinder uses more shared memory than most programs, so it's a good idea to edit /etc/sysctl.conf and add
kernel.shmall = 134217728
kernel.shmmax = 134217728
After a restart the ZoneMinder console can be found with a web browser at http://<firewall address>/zm. With the firewall rules above the local network cannot yet reach a web server on the router, so add a rule such as HTTP/ACCEPT loc $FW to /etc/shorewall/rules; do not add anything of the kind for the net zone, because the camera console has no business being reachable from the Internet. From this point, literally everything else is done in a civilised manner from the web console, where you can set up cameras, define motion-sensing zones, and so on. There's a pretty good manual available from the website, and the whole package works very well. Some of the web interface can be a bit obscure, but the defaults generally work and the online forums are very helpful.
The only thing that held me up for a bit was that the bttv driver that connects the ImpactVCB card to the system had to be explicitly told how to deal with a PAL camera. The ImpactVCB card came with an NTSC crystal, which wasn’t really right because we use PAL here. This caused trouble because the driver quite sensibly assumes that the attached cameras use the same video standard as the card. The card can actually switch standards, but you have to explicitly tell it to do so by adding
options bttv pll=1
to /etc/modprobe.d/options. After that it just worked…