Ubuntu! Part Two: The Gathering

Apt makes adding things to an Ubuntu install very easy. Almost too easy. The first step was to check that it had the repositories set up right in /etc/apt/sources.list. It’s inclined to comment out things if it can’t reach them, and if you don’t want to leave the CD in the drive it’s a good idea to comment that out, or it will ask for it. It’s also worth checking that the line

net.ipv4.conf.default.forwarding=1

in /etc/sysctl.conf is uncommented. Without it no routing will happen.

Then we need to get everything up to date:

apt-get update
apt-get upgrade

The first requisite for a router like this is a DHCP server, so it can hand out IP addresses to client machines and tell them where to get DNS service and how to get out to the Internet. This was pretty simple:

apt-get install dhcp3-server

and edit /etc/dhcp3/dhcpd.conf to say:

ddns-update-style none;
default-lease-time 86400;
max-lease-time 86400;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

option domain-name-servers 10.11.12.1;
option broadcast-address 10.11.12.255;
option routers 10.11.12.1;

# Allow for up to 10 dynamic devices
subnet 10.11.12.0 netmask 255.255.255.0 {
    interface eth1;
    range 10.11.12.2 10.11.12.12;
}

# Fixed addresses for known hardware
host FirstPC {
    hardware ethernet 00:0A:E6:83:0C:55;
    fixed-address 10.11.12.17;
}

host BlackSilverPC {
    hardware ethernet 00:0C:76:CD:82:61;
    fixed-address 10.11.12.18;
}

The “host” clauses above are a nice way to give known computers the same IP addresses every time they start up, which helps in tracking who is using bandwidth, while the “subnet” clause allows arbitrary new computers to connect to a pool of free addresses.

Having the router act as a DNS cache is not a bad idea, as long as it’s done properly. Having selected DNS service when Ubuntu was being installed, the only other thing we need to do is to tell bind where to get it from. In /etc/bind/named.conf.options we uncomment the forwarders section and add our ISP’s nameservers (each address needs its own trailing semicolon):

forwarders {
     191.202.34.3;
     191.202.34.4;
};

Ubuntu has a comprehensive firewall built-in, called iptables, but it isn’t terribly friendly to set up. I thought I would try shorewall, which is a front end that hides a lot of the details. It comes with a bunch of example setups, and the two-interfaces one is just about right:

apt-get install shorewall
cd /usr/share/doc/shorewall/examples/two-interfaces
cp * /etc/shorewall

Editing this a bit to reflect my arbitrary prejudices gives the following for /etc/shorewall/rules:

#------------------- Firewall rules ---------------------
# Policy is to reject everything not specifically permitted here

# Accept DNS connections from the firewall to the network
DNS/ACCEPT      $FW             net

# Let the firewall make outgoing http so we can apt-get
ACCEPT          $FW             net             tcp     www,https

# Let the firewall do NTP so we can sync time
ACCEPT          $FW             net             udp     ntp

# Let the firewall send mail
ACCEPT          $FW             net             tcp     smtp,smtps

# Let the firewall send BOOTP datagrams and get replies
ACCEPT          $FW             loc             udp     68
ACCEPT          loc             $FW             udp     67

# Local machines use the firewall as a DNS server
DNS/ACCEPT      loc             $FW

# Accept SSH connections from the local network for administration
SSH/ACCEPT      loc             $FW

# Allow locals to ping us
Ping/ACCEPT     loc             $FW

# Reject Ping from the "bad" net zone, and prevent your log from being flooded
Ping/REJECT     net             $FW

# But otherwise let the firewall do ICMP
ACCEPT          $FW             loc             icmp
ACCEPT          $FW             net             icmp

#------------------- Local net rules -------------------
# Policy is to allow everything not specifically forbidden here

# Force local machines to use the router as their nameserver
DNS/REJECT      loc             net

# Do not let NetBIOS protocols out because they are evil
REJECT          loc             net             tcp     137,445
REJECT          loc             net             udp     137:139

# Do not let low-port UDP out generally, with an exception for NTP (123)
REJECT          loc             net             udp     0:122
REJECT          loc             net             udp     124:1024

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

If I add a file called “accounting” in /etc/shorewall, it will do per-IP traffic measurement:

#ACTION CHAIN   SOURCE                  DESTINATION             PROTOCOL        DEST            SOURCE
#                                                                               PORT            PORT

# Overall Internet traffic counts
COUNT  -        eth0                    -                       all
COUNT  -        -                       eth0                    all

# By-machine breakdown
DONE   -        192.168.1.32            eth0                    all             -               -
DONE   -        eth0                    192.168.1.32            all             -               -
DONE   -        10.11.12.1              eth0                    all             -               -
DONE   -        eth0                    10.11.12.1              all             -               -
DONE   -        eth1:10.11.12.2         eth0                    all             -               -
DONE   -        eth0                    eth1:10.11.12.2         all             -               -
DONE   -        eth1:10.11.12.3         eth0                    all             -               -
DONE   -        eth0                    eth1:10.11.12.3         all             -               -
DONE   -        eth1:10.11.12.4         eth0                    all             -               -
DONE   -        eth0                    eth1:10.11.12.4         all             -               -

etc…

Making shorewall run requires a little more effort, as they want you to be quite sure you have configured it first. In /etc/shorewall/shorewall.conf you have to set

STARTUP_ENABLED=Yes

and in /etc/default/shorewall set

startup=1

From there a

shorewall start

command will check the rule set and either tell you what’s wrong with it or activate it.

It’s nice to have accurate time on a security system, which is as simple as:

apt-get install ntp

It would also be nice to get e-mail from the system to assure us that all is well. First we need a mailer. We don’t need anything as advanced – or complicated – as exim4 or sendmail, just something that can forward mail to our ISP’s mail server.

apt-get install nullmailer

Then we need to make a file called /etc/nullmailer/remotes that contains one line with the name of our ISP’s mail server:

smtp.myisp.co.nz

and another file called /etc/nullmailer/adminaddr which should contain your e-mail address. Administrative emails will then get forwarded to you instead of getting lost or hanging around in a queue.

Now if we add this line to /etc/rc.local:

date | mail -s "Starting up" myname@myisp.co.nz

… we will get mail (with a timestamp in it) every time the system restarts, which shouldn’t happen often (or at all). Something a bit more detailed from the firewall would be nice. This is easily done with a shell script. If we become root:

sudo -i

and make a file called daily in /root that looks like:

#!/bin/sh
# Collect the day's firewall log and per-IP accounting counters,
# reset the counters, then mail the report. Absolute paths are used
# so the script does not depend on cron's working directory.
/sbin/shorewall show log > /root/outgoing
/sbin/shorewall show accounting >> /root/outgoing
/sbin/shorewall reset
mail -s "Logs" myname@myisp.co.nz < /root/outgoing

then it’s only a matter of making it executable:

chmod a+x daily

and installing a crontab entry for it:

crontab -u root -e

In the editor window we insert the line:

00 02 * * * /root/daily

to get the script to run every day at 2am. It will send a summary of the day’s firewall rejects and traffic, broken down by IP.

We now have a router, a DHCP server, a monitored firewall, and a DNS cache. If it ever stops working, you’ll certainly know about it. It should be utterly reliable – my system has run without a hitch since I set it up and has only been down during power failures.
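Something the daily script could mail instead of the raw log, as an added example that is not part of the original post: a count of REJECT entries by source address and by protocol/port, in the iptables LOG line layout that shorewall prints (chain:ACTION:... SRC= ... PROTO= ... DPT=). The log lines in the script are constructed sample data, not a real capture.

```shell
#!/bin/sh
# Added example, not code from the original post: summarise the day's
# firewall rejects the way /root/daily could before mailing them.
# Assumes the iptables LOG layout shorewall prints; the lines below
# are constructed sample data, not a real capture.

SAMPLE_LOG='Jan  5 01:12:09 net2fw:REJECT:IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=4444 DPT=22
Jan  5 01:12:10 net2fw:REJECT:IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=4445 DPT=22
Jan  5 01:30:41 net2fw:REJECT:IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=4446 DPT=23
Jan  5 02:00:00 loc2net:REJECT:IN=eth1 OUT=eth0 SRC=10.11.12.17 DST=192.0.2.9 PROTO=UDP SPT=137 DPT=137
Jan  5 02:00:03 net2fw:REJECT:IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=ICMP TYPE=8 CODE=0'

# REJECT lines per source address, busiest first: "count address".
rejects_by_source() {
    grep ':REJECT:' | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# REJECT lines per protocol and destination port: "count PROTO/port".
# ICMP carries no DPT field, so it is reported as ICMP/-.
rejects_by_port() {
    grep ':REJECT:' | awk '{
        proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (proto != "") n[proto "/" dpt]++
    } END { for (k in n) print n[k], k }' | sort -rn
}

# Build the report; in /root/daily this output would be piped to
#   mail -s "Logs" myname@myisp.co.nz
echo "Rejects by source address:"
printf '%s\n' "$SAMPLE_LOG" | rejects_by_source
echo "Rejects by protocol/port:"
printf '%s\n' "$SAMPLE_LOG" | rejects_by_port
```

In the real script, replace the constructed sample with `/sbin/shorewall show log | rejects_by_source`.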

Installing ZoneMinder isn’t difficult, but it is a bit more involved. I found this set of commands on one of the ZoneMinder forums, and they work just fine for Gutsy Gibbon. ZoneMinder is available via apt, so:

apt-get install zoneminder

… this will ask for a mysql password which you can make anything reasonably secure and you won’t need to know again. From there we need to do a few vaguely magical incantations:

ln -s /etc/zm/apache.conf /etc/apache2/conf.d/zoneminder.conf
apache2ctl restart
chmod 4755 /usr/bin/zmfix
zmfix -a
chown www-data.www-data /usr/share/zoneminder/temp

ZoneMinder uses more shared memory than most programs, so it’s a good idea to edit /etc/sysctl.conf and add

kernel.shmall = 134217728
kernel.shmmax = 134217728

After a restart the ZoneMinder console can be found with a web browser at http://<firewall address>/zm. From this point, literally everything else is done in a civilised manner from the web console, where you can set up cameras, define motion-sensing zones, and so on. There’s a pretty good manual available from the website, and the whole package works very well. Some of the web interface can be a bit obscure, but the defaults generally work and the online forums are very helpful.

The only thing that held me up for a bit was that the bttv driver that connects the ImpactVCB card to the system had to be explicitly told how to deal with a PAL camera. The ImpactVCB card came with an NTSC crystal, which wasn’t really right because we use PAL here. This caused trouble because the driver quite sensibly assumes that the attached cameras use the same video standard as the card. The card can actually switch standards, but you have to explicitly tell it to do so by adding

options bttv pll=1

to /etc/modprobe.d/options. After that it just worked…
