Friday , 29 March 2024

Set Up Ubuntu-Server 6.06 LTS As A Firewall/Gateway

Includes: Shorewall, NAT, Caching NameServer, DHCP Server, VPN Server, Webmin, Munin, Apache (SSL enabled), Squirrelmail, Postfix setup with virtual domains, courier imap imaps pop3 pop3s, sasl authentication for road warriors, MailScanner as a wrapper for SpamAssassin, Razor, ClamAV, etc. Samba installed, not configured.

Needs very little maintenance and is extendable beyond your wildest imagination. All depending on the hardware used, of course.

This is just a COPY&PASTE howto. For more info use the net. I did… However, contributions and suggestions are always welcome! I know this can be done better, so feel free.

I should have based this tuto on 6.06 LTS right away, because of the LTS. Sorry for that. Due to some minor but important changes needed to make this work with Ubuntu 6.06 LTS, I wrote it again.

If any of you can find the time to add a good install and config for snort AND snortsam, including a comprehensive control panel, I would be grateful.

Scope: creating a firewall/(mail)gateway for a small network (say 10 to 15 users or so) on a PIII 450MHz, 512 MB RAM and two identical network interface cards, with a broadband connection, fully featured, for a business environment. Better hardware specs (notably the amount of RAM) will improve the performance of your server significantly. The specs mentioned are a bare minimum for not so demanding customers, just to indicate that if you really want, it can be done indeed (you will need to do some tweaking afterwards though).

Expected audience: (beginning) sysop.
This tuto leads towards a solid ‘ready to go’ system. The fun part, I think, (tweaking and tuning etc.) starts when you are done. You may wish to inspect your logs to find clues as to where the tuning should start. Munin might tell you a lot as well.

Have Fun!

First, do a clean install using Ubuntu-Server 6.06 LTS. During installation, proper settings for eth0 will be detected automatically. If this fails, change your network cables and try again. There is a very small chance that your ISP does not run a DHCP server (never seen that happen), or it just might be down (seen that quite a few times, also they may screw up their DNS every now and then), in which case you are on your own, best to wait till they are done fixing it. So we start out with a DHCP assigned address for eth0. This is just an easy way to figure out which NIC is actually eth0. If you already know which is which you better start out with a static address for eth0. If your ISP isn’t crappy, you have the proper settings for it.

Now proceed and accept all defaults (but you may want to do your own partitioning), don’t install LAMP.

Now login as the new user you just made and do:

sudo passwd

Now enter your password again. Next enter the new password for user “root” and confirm. So we dropped the nasty sudo experience (bit strange on a server, isn’t it?). Now logout and login again as root with the new root password.

Using vim (or your favorite editor) edit /etc/apt/sources.list. Comment out the cd repository. Next add “universe” (without the quotes) to all lines that aren’t commented out. Save the file.

Edit /etc/network/interfaces and add the following at the bottom:

auto eth1
iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0
broadcast 192.168.1.255
network 192.168.1.0

Note that the rest of this tuto assumes that you actually make the settings for eth1 as shown.

My full /etc/network/interfaces looks like this:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0
broadcast 192.168.1.255
network 192.168.1.0

As you can see my eth0 gets its settings using DHCP.

Save the file. Next do:

apt-get update

apt-get install openssh-server

apt-get upgrade

During the upgrade process a new kernel image is installed. So next do:

reboot

The rest of this you can do from your workstation, either linux or the other one (must have putty), so you can actually copy and paste. Just login to 192.168.1.1 as root and get on with it.

Make sure that the network settings of your workstation match the settings of your server’s eth1

If you are confused here, first configure and start your DHCP server as shown in this article, and let your workstation detect proper settings automatically.

Now do:

apt-get install libmd5-perl libnet-ssleay-perl libauthen-pam-perl libio-pty-perl shorewall dnsmasq openssl

wget http://surfnet.dl.sourceforge.net/sourceforge/webadmin/webmin_1.310_all.deb

“surfnet” is the dutch server. Change that to “heanet”(for Ireland), “belnet”(for Belgium), “mesh” (for Germany) and so on.

dpkg -i webmin_1.310_all.deb

cp /usr/share/doc/shorewall/examples/two-interfaces/* /etc/shorewall/

cd /etc/shorewall

gunzip interfaces.gz masq.gz rules.gz

Now open your browser and login to webmin at https://192.168.1.1:10000 as root with your root password and, using webmin’s shorewall module, change the policies and rules of your firewall as needed (for now, I only set the policy file to the example as shown, you may copy and paste my policy file for starters, if you don’t like webmin).

Also set in /etc/shorewall.conf the line “IP_FORWARDING=Keep” to “IP_FORWARDING=On” (without quotes)
and enable the firewall in /etc/default/shorewall.

My /etc/shorewall/policy now looks like this:

###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
#
# Note about policies and logging:
# This file contains an explicit policy for every combination of
# zones defined in this sample. This is solely for the purpose of
# providing more specific messages in the logs. This is not
# necessary for correct operation of the firewall, but greatly
# assists in diagnosing problems.
#
#
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# on your firewall, change the loc to net policy to REJECT info.
loc net ACCEPT
loc $FW ACCEPT
loc all REJECT info
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the ‘info’ LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.
$FW net ACCEPT
$FW loc ACCEPT
$FW all REJECT info
#
# Policies for traffic originating from the Internet zone (net)
#
net $FW DROP info
net loc DROP info
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Next do:

rm /etc/shorewall/README.txt Makefile

/etc/init.d/shorewall start

You should be able now to surf the net.

DO NOT PROCEED UNTIL YOU SUCCEED IN SURFING THE NET. SINCE THIS IS YOUR FRAMEWORK, IT HAS TO BE OK.

So now we need some packages. Do (all in one line!):

apt-get install razor pyzor mailscanner spamc libsys-hostname-long-perl libnet-ident-perl libdb-file-lock-perl libio-socket-ssl-perl libdbi-perl spamassassin postfix postfix-doc courier-authmysql courier-pop courier-pop-ssl courier-imap courier-imap-ssl libsasl2-modules-sql sasl2-bin libpam-mysql build-essential dpkg-dev fakeroot debhelper libdb4.2-dev libgdbm-dev libldap2-dev libpcre3-dev libmysqlclient12-dev libssl-dev libsasl2-dev postgresql-dev po-debconf dpatch zoo unzip arj rdate fetchmail unzip zip ncftp zlib1g-dev libpopt-dev nmap lynx fileutils curl imagemagick squirrelmail squirrelmail-locales munin munin-node ntp samba unzoo mysql-server mysql-client libapache2-mod-php4 libapache2-mod-perl2 php4 php4-cli php4-common php4-curl php4-dev php4-domxml php4-gd php4-imap php4-ldap php4-mcal php4-mhash php4-mysql php4-odbc php4-pear php4-xslt curl php-pear mailx libzzip-dev libgmp3c2 libgmp3-dev dhcp3-server pptpd

Accept all defaults.

Now do:

mysqladmin -u root password yourrootsqlpassword

USE A REAL PASSWORD HERE!

Now configure Apache and Squirrelmail.

/usr/sbin/squirrelmail-configure

Set it to courier (option D) and make it otherwise as you like it.
Don’t forget to enable some plugins and to set a default language if desired. I also suggest setting this:

$show_contain_subfolders_option = true;

My /etc/squirrelmail/config.php now looks like this: (Just my current config. Don’t copy this, use it as a reference.)

Next do:

apache2-ssl-certificate -days 3650

Fill in the right server name!!!

That is: the address on which you plan to give your users access to Squirrelmail or any other service by apache on port 443. Just the domain will do (MUST EXIST IN DNS). Not domain/webmail.

If anything went wrong, just delete the certificate and repeat this step.

Now enter:

a2enmod ssl

a2enmod rewrite

a2enmod include

cp /etc/apache2/sites-available/default /etc/apache2/sites-available/https

ln -s /etc/apache2/sites-available/https /etc/apache2/sites-enabled/https

ln -s /etc/squirrelmail/apache.conf /etc/apache2/sites-enabled/squirrelmail

Next edit /etc/courier/imapd-ssl and change the following:

TLS_CERTFILE=/etc/apache2/ssl/apache.pem

Now do the same with your /etc/courier/pop3d-ssl.

Now edit /etc/apache2/sites-available/default. The top has to be changed so that it reads:
NameVirtualHost *:80

Edit /etc/apache2/sites-available/https as well, the top of the file should read:

NameVirtualHost *:443

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem

Edit /etc/squirrelmail/apache.conf. It should look like this (the rewrite block at the bottom, which the package ships commented out, is enabled so that plain http requests for /webmail are sent to https):

Alias /webmail /usr/share/squirrelmail

<Directory /usr/share/squirrelmail>
  php_flag register_globals off
  Options Indexes FollowSymLinks
  <IfModule mod_dir.c>
    DirectoryIndex index.php
  </IfModule>

  # access to configtest is limited by default to prevent information leak
  <Files configtest.php>
    order deny,allow
    deny from all
    allow from 127.0.0.1
  </Files>
</Directory>

# users will prefer a simple URL like http://webmail.example.com
#<VirtualHost 1.2.3.4>
#  DocumentRoot /usr/share/squirrelmail
#  ServerName webmail.example.com
#</VirtualHost>

# redirect to https when available (thanks omen@descolada.dartmouth.edu)
#
# Note: There are multiple ways to do this, and which one is suitable for
# your site's configuration depends. Consult the apache documentation if
# you're unsure, as this example might not work everywhere.
#
<IfModule mod_rewrite.c>
  <IfModule mod_ssl.c>
    <Location /webmail>
      RewriteEngine on
      RewriteCond %{HTTPS} !^on$ [NC]
      RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L]
    </Location>
  </IfModule>
</IfModule>

Now make sure that the DirectoryIndex line in /etc/apache2/apache2.conf reads:

DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl index.xhtml

Edit /etc/apache2/ports.conf and add Listen 443:

Listen 80
Listen 443

Now make squirrelmail talk your language. If you only use English you can skip the last line in the file of course.

Edit /var/lib/locales/supported.d/local.

It should look like this: (if you are Dutch, otherwise adjust as desired). Main thing is to enable your locale with the charset ISO-8859-1.

en_US.UTF-8 UTF-8
en_US.ISO-8859-1 ISO-8859-1
nl_NL.ISO-8859-1 ISO-8859-1

dpkg-reconfigure locales

Now we configure postfix.

postconf -e 'mynetworks = 127.0.0.0/8, 192.168.1.0/24'

postconf -e 'smtpd_sasl_local_domain ='

postconf -e 'smtpd_sasl_auth_enable = yes'

postconf -e 'smtpd_sasl_security_options = noanonymous'

postconf -e 'broken_sasl_auth_clients = yes'

postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,reject_unauth_destination'

postconf -e 'inet_interfaces = all'

echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf

echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf

postconf -e 'smtpd_tls_auth_only = no'

postconf -e 'smtp_use_tls = yes'

postconf -e 'smtpd_use_tls = yes'

postconf -e 'smtp_tls_note_starttls_offer = yes'

postconf -e 'smtpd_tls_key_file = /etc/apache2/ssl/apache.pem'

postconf -e 'smtpd_tls_cert_file = /etc/apache2/ssl/apache.pem'

postconf -e 'smtpd_tls_loglevel = 1'

postconf -e 'smtpd_tls_received_header = yes'

postconf -e 'smtpd_tls_session_cache_timeout = 3600s'

postconf -e 'tls_random_source = dev:/dev/urandom'

postconf -e 'home_mailbox = Maildir/'

postconf -e 'mailbox_command ='

postconf -e 'header_checks = regexp:/etc/postfix/header_checks'

postconf -e 'relayhost ='

postconf -e 'virtual_alias_domains = hash:/etc/postfix/virtual'

postconf -e 'virtual_alias_maps = hash:/etc/postfix/virtual'
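With that many postconf lines it is easy to lose track of what the resulting configuration allows, so here is an added check script (my own example, not part of the original howto or of Postfix). It reads a saved `postconf -n` dump and flags the settings that matter most for an Internet-facing relay with SASL road warriors: SASL enabled while `smtpd_tls_auth_only` is not `yes` (PLAIN/LOGIN passwords may cross the wire in clear text), no STARTTLS offered, `smtpd_recipient_restrictions` without `reject_unauth_destination` (an open relay), and a `mynetworks` that trusts the whole Internet. The sample dump it writes is constructed from the values set above, not captured from a real box.

```sh
#!/bin/sh
# Added example: audit a "postconf -n" dump for the settings this howto makes.
# Usage on the real box:  postconf -n > /tmp/pc.txt; audit_postconf /tmp/pc.txt

# Print the value of one parameter from a postconf -n dump ("" if unset).
pc_get() {
    # $1 dump file, $2 parameter name
    awk -v key="$2" '$1 == key && $2 == "=" { $1 = ""; $2 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Print every finding and return the number of findings as exit status (0 = clean).
audit_postconf() {
    f="$1"; n=0
    if [ "$(pc_get "$f" smtpd_sasl_auth_enable)" = yes ] &&
       [ "$(pc_get "$f" smtpd_tls_auth_only)" != yes ]; then
        echo "WARN: SASL is enabled but smtpd_tls_auth_only is not yes; road warriors may send passwords in clear"
        n=$((n + 1))
    fi
    if [ "$(pc_get "$f" smtpd_use_tls)" != yes ]; then
        echo "WARN: smtpd_use_tls is not yes; STARTTLS is not offered to clients"
        n=$((n + 1))
    fi
    case "$(pc_get "$f" smtpd_recipient_restrictions)" in
        *reject_unauth_destination*) ;;
        *) echo "CRIT: smtpd_recipient_restrictions lacks reject_unauth_destination (open relay)"
           n=$((n + 1)) ;;
    esac
    case "$(pc_get "$f" mynetworks)" in
        *0.0.0.0/0*) echo "CRIT: mynetworks trusts the whole Internet"; n=$((n + 1)) ;;
    esac
    return $n
}

# Constructed sample dump with the values set in this howto; $2 selects the
# smtpd_tls_auth_only value so the weak ("no") and hardened ("yes") cases can be compared.
write_sample_dump() {
    auth_only="$2"
    cat > "$1" <<EOF
mynetworks = 127.0.0.0/8, 192.168.1.0/24
inet_interfaces = all
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = $auth_only
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/apache2/ssl/apache.pem
EOF
}
```

Run against the howto's own values the script reports exactly one finding, the `smtpd_tls_auth_only = no` line; with `yes` there it reports none, which is the setting to prefer once all road-warrior clients are known to speak STARTTLS.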

touch /etc/postfix/header_checks

touch /etc/postfix/virtual

Now edit /etc/postfix/header_checks.

It should look like this:

/^Received:/ HOLD

cd /root

Now install ClamAV from source. Version numbers mentioned in the next commands apply to the latest stable source at the time of writing this article. Adjust as needed.

wget http://surfnet.dl.sourceforge.net/sourceforge/clamav/clamav-0.88.6.tar.gz

Like before, pick a mirror close to you.

groupadd clamav

useradd -g clamav -s /bin/false -c "Clam Antivirus" clamav

tar -zxvf clamav-0.88.6.tar.gz

cd clamav-0.88.6

./configure --sysconfdir=/etc

make

make install

touch /var/log/freshclam.log

chmod 600 /var/log/freshclam.log

chown clamav /var/log/freshclam.log

Now edit /etc/clamd.conf. Comment out “Example” (without quotes). Next do the same in /etc/freshclam.conf.

Next do:

/usr/local/bin/freshclam

Now make this a cron job and run it every hour. Preferably not on the hour or anywhere near, as the clamav servers will be flooded when everybody does so. Choose a smart time for this job. The service is absolutely FREE! Let’s keep it that way.

perl -MCPAN -e shell

Accept all defaults, except for UNINST=1. It is very important to always do UNINST=1.

install ExtUtils::CBuilder

reload cpan

After each install command in the cpan shell, do reload cpan

install ExtUtils::MakeMaker

install Bundle::CPAN

Accept all defaults.

q

perl -MCPAN -e shell

Accept all defaults like before, except that UNINST=1 has now changed to --uninst 1. Do it!

Still doing reload cpan?

o conf commit

install Bundle::LWP

install Mail::ClamAV

q

Do not install Mail::SpamAssassin from cpan. It will break your system!

cd /root

Now configure MailScanner.

chown postfix.postfix /var/spool/MailScanner/incoming

chown postfix.postfix /var/spool/MailScanner/quarantine

mkdir /var/spool/MailScanner/spamassassin

ln -s /etc/MailScanner/spam.assassin.prefs.conf /etc/spamassassin/mailscanner.cf

chown postfix.postfix /var/spool/MailScanner/spamassassin

Now edit /etc/MailScanner/MailScanner.conf and set the following lines as shown:

Run As User = postfix
Run As Group = postfix
Queue Scan Interval = 120
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
MTA = postfix
Virus Scanners = clamav
Always Include SpamAssassin Report = yes
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin

Uncomment the line # run_mailscanner=1 in your /etc/default/mailscanner.

Now make a cron job of /usr/sbin/check_mailscanner and run it every 20 minutes.

Now we are going to fool the startup script of MailScanner. This is necessary because MailScanner refuses to start, due to an exim aimed script, I suspect (I’ve never actually used Exim, so I’m not sure about that). I don’t want to modify the script itself, as it might be replaced with another ‘not starting’ update in the future. Just to be on the safe side.

touch /etc/init.d/mailscanner_pre

Edit /etc/init.d/mailscanner_pre. It should look like this:

#!/bin/sh
# Create the lock and run directories MailScanner expects, owned by the
# user it runs as (postfix). mkdir -p makes this safe to re-run on every boot.
mkdir -p /var/lock/subsys/MailScanner
mkdir -p /var/run/MailScanner
chown postfix.postfix /var/run/MailScanner
chown postfix.postfix /var/lock/subsys/MailScanner

chmod 755 /etc/init.d/mailscanner_pre

mv /etc/rc2.d/S20mailscanner /etc/rc2.d/S99mailscanner

mv /etc/rc3.d/S20mailscanner /etc/rc3.d/S99mailscanner

mv /etc/rc4.d/S20mailscanner /etc/rc4.d/S99mailscanner

mv /etc/rc5.d/S20mailscanner /etc/rc5.d/S99mailscanner

ln -s /etc/init.d/mailscanner_pre /etc/rc2.d/S20mailscanner_pre

chown postfix.postfix /var/spool/MailScanner

chown postfix.postfix /var/lib/MailScanner

That should do the trick now, don’t you agree?
Now configure sasl authentication.

mkdir -p /var/spool/postfix/var/run/saslauthd

Now we have to edit /etc/default/saslauthd. It should look like this:
# This needs to be uncommented before saslauthd will be run automatically
START=yes
PARAMS="-m /var/spool/postfix/var/run/saslauthd -r"
# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"
MECHANISMS="pam"

Next edit /etc/init.d/saslauthd and change the location of saslauthd’s PID file. Change the value of PIDFILE to /var/spool/postfix/var/run/${NAME}/saslauthd.pid, so that it reads:

PIDFILE="/var/spool/postfix/var/run/${NAME}/saslauthd.pid"

Now populate your system with real users. Set the users’ shell to /bin/false to avoid security holes.

Next fill /etc/postfix/virtual as you like. I love Webmin for this. You can edit it directly too, of course. However, webmin does a great job.

Gotcha!: “some.domain” etc. can not be equal to anything mentioned in the “mydestination” line in /etc/postfix/main.cf

My /etc/postfix/virtual has the following structure:

some.domain virtual domain
some.other.domain virtual domain
some.really.other.domain virtual domain
user@some.domain user
otheruser@some.domain otheruser
user@some.other.domain user
otheruser@some.other.domain otheruser
somealias@some.other.domain user
info@some.other.domain someoneidontlike
info@some.domain someoneidontlike otheruser@foo.bar
differentuser@some.domain differentuser differentusers@home.addres someoneidontlike
@some.really.other.domain someonidontlike someoneidontlikes@home.address

and so on. So I only have to set an alias for root and postmaster in /etc/aliases. All other aliases should be in this file. Forwarding and delivering mail to multiple addresses and so forth can (and should, I believe) be set in this file too.

Note that in this kind of setup your users can have as many aliases as they like (until you get sick of them), but for each user you still have to add a real user, with a home directory.

Don’t forget to do

postmap /etc/postfix/virtual

when you are done.
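Two things go wrong in practice with this file: a virtual domain that is also listed in `mydestination` (the gotcha above), and an alias target that is neither a full address nor an existing local account, so the mail bounces. The following check script is an added example of mine, not part of the original howto or of Postfix; it takes the virtual file, the `mydestination` value and a passwd file as parameters so it can run against copies, and the sample files it writes are constructed in the structure shown above, not real data.

```sh
#!/bin/sh
# Added example: sanity-check a Postfix virtual alias file before "postmap".
# Usage on the real box:
#   domain_clashes  /etc/postfix/virtual "$(postconf -h mydestination)"
#   missing_targets /etc/postfix/virtual /etc/passwd

# Domains declared in the virtual file: keys that contain no "@".
virtual_domains() {
    awk '!/^[[:space:]]*#/ && NF >= 2 && $1 !~ /@/ { print $1 }' "$1"
}

# Print every virtual domain that also appears in the mydestination value
# ($2, comma or space separated as postconf prints it).
domain_clashes() {
    dests=" $(printf '%s' "$2" | tr ',' ' ') "
    for d in $(virtual_domains "$1"); do
        case "$dests" in
            *" $d "*) echo "$d" ;;
        esac
    done
}

# Print "address -> target" for every alias target that is a bare local
# name with no matching account in the passwd file given as $2.
missing_targets() {
    awk -v passwd="$2" '
        BEGIN { while ((getline line < passwd) > 0) { split(line, f, ":"); users[f[1]] = 1 } }
        /^[[:space:]]*#/ || NF < 2 { next }
        $1 ~ /@/ {
            for (i = 2; i <= NF; i++)
                if ($i !~ /@/ && !($i in users)) print $1 " -> " $i
        }
    ' "$1"
}

# Constructed sample virtual file ($1) and passwd file ($2) for a dry run.
write_sample_files() {
    cat > "$1" <<'EOF'
# constructed sample in the structure of the virtual file above
some.domain             virtual domain
some.other.domain       virtual domain
user@some.domain        user
otheruser@some.domain   otheruser
info@some.domain        otheruser postmaster@foo.bar
sales@some.other.domain nobodyhere
@some.other.domain      user
EOF
    cat > "$2" <<'EOF'
root:x:0:0:root:/root:/bin/bash
user:x:1001:1001::/home/user:/bin/false
otheruser:x:1002:1002::/home/otheruser:/bin/false
EOF
}
```

On the sample, `domain_clashes` with a `mydestination` of `some.domain, localhost` reports `some.domain`, and `missing_targets` reports `sales@some.other.domain -> nobodyhere`, the one target that has no account behind it.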

Now we want some rules for spamassassin to do a better job.

First edit /etc/MailScanner/spam.assassin.prefs.conf.

Comment out dcc_path /usr/bin/dccproc. Also comment out razor_timeout 10 and
score RCVD_IN_RSL 0.

Next do:

cd ..

wget http://www.fsl.com/support/Rules_Du_Jour.tar.gz

tar -zxvf Rules_Du_Jour.tar.gz

cd rules_du_jour

mkdir /etc/rulesdujour

cp config /etc/rulesdujour/config

cp rules_du_jour /usr/bin

cp rules_du_jour_wrapper /etc/cron.daily

/etc/cron.daily/rules_du_jour_wrapper

Next we configure the DHCP server.

Edit /etc/dhcp3/dhcpd.conf. Mine now looks like this:

# Local Network
subnet 192.168.1.0 netmask 255.255.255.0 {
option netbios-name-servers 192.168.1.1;
option domain-name-servers 192.168.1.1;
option domain-name "your.domain.here";
option broadcast-address 192.168.1.255;
option routers 192.168.1.1;
range 192.168.1.100 192.168.1.130;
}

Edit /etc/default/dhcp3-server. It should read
INTERFACES=eth1

Next do:

/etc/init.d/dhcp3-server start

Next install dcc from source

cd /root

wget http://www.dcc-servers.net/dcc/source/dcc.tar.Z

gunzip dcc.tar.Z

tar -xvf dcc.tar

cd dcc-1.3.45   # or whatever version is current.

./configure

make

make install

shutdown -r now

and wait until it is up again.

Now you have to send each real user a welcome message, thus creating the Maildir structures in their home directories needed to be able to login to their accounts. You can use webmin’s postfix module for this. No need to send anything to their aliases.

Your Webmail Server is located at https://your.domain/webmail (first send those messages!)

Munin is at http://your.domain/munin

Webmin is at https://your.domain:10000

If you haven’t set any domains, use https://192.168.1.1/webmail etc.

Check that you can log in to your webmail and actually send and receive mail within your local network. If you’re satisfied, open port 25 on your firewall for incoming tcp traffic (postfix) and port 6277 for incoming udp traffic (dcc). You may wish to make your webmail server available to your users from the outside world. Open port 443 for incoming tcp traffic as well (apache ssl). Opening port 993 is also a good idea for tcp connections, as it facilitates imaps.

My /etc/shorewall/rules now looks like this: (just to begin with, all firewall settings shown in this article are just meant to get you up and running, you might want to adjust these settings once you are done!)

##############################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#
# Accept DNS connections from the firewall to the network
#
ACCEPT net $FW tcp 25
ACCEPT net $FW tcp 443
ACCEPT net $FW udp 6277
DNS/ACCEPT $FW net
#
# Accept SSH connections from the local network for administration
#
SSH/ACCEPT loc $FW
#
# Allow Ping from the local network
#
Ping/ACCEPT loc $FW
#
# Reject Ping from the “bad” net zone.. and prevent your log from being flooded..
#
Ping/REJECT net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Restart the firewall:

/etc/init.d/shorewall restart

Next do:

/var/dcc/libexec/updatedcc

Now we configure your VPN Server.

Edit /etc/pptpd.conf. It should look like this now:

#############################################################
# $Id: pptpd.conf 4255 2004-10-03 18:44:00Z rene $
#
# Sample Poptop configuration file /etc/pptpd.conf
#
# Changes are effective when pptpd is restarted.
#############################################################
# TAG: ppp
# Path to the pppd program, default ‘/usr/sbin/pppd’ on Linux
#
#ppp /usr/sbin/pppd
# TAG: option
# Specifies the location of the PPP options file.
# By default PPP looks in ‘/etc/ppp/options’
#
option /etc/ppp/options.pptpd
# TAG: debug
# Turns on (more) debugging to syslog
#
#debug
# TAG: stimeout
# Specifies timeout (in seconds) on starting ctrl connection
#
# stimeout 10
# TAG: noipparam
# Suppress the passing of the client’s IP address to PPP, which is
# done by default otherwise.
#
#noipparam
# TAG: logwtmp
# Use wtmp(5) to record client connections and disconnections.
#
# logwtmp ## comment this out!! broken deb package!!
# TAG: bcrelay
# Turns on broadcast relay to clients from interface
#
#bcrelay eth1
# TAG: localip
# TAG: remoteip
# Specifies the local and remote IP address ranges.
#
# Any addresses work as long as the local machine takes care of the
# routing. But if you want to use MS-Windows networking, you should
# use IP addresses out of the LAN address space and use the proxyarp
# option in the pppd options file, or run bcrelay.
#
# You can specify single IP addresses seperated by commas or you can
# specify ranges, or both. For example:
#
# 192.168.0.234,192.168.0.245-249,192.168.0.254
#
# IMPORTANT RESTRICTIONS:
#
# 1. No spaces are permitted between commas or within addresses.
#
# 2. If you give more IP addresses than MAX_CONNECTIONS, it will
# start at the beginning of the list and go until it gets
# MAX_CONNECTIONS IPs. Others will be ignored.
#
# 3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
# you must type 234-238 if you mean this.
#
# 4. If you give a single localIP, that’s ok – all local IPs will
# be set to the given one. You MUST still give at least one remote
# IP for each simultaneous client.
#
# (Recommended)
localip 192.168.1.1
remoteip 192.168.1.90-99
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245
speed 115200

Next edit /etc/ppp/options. It should look like this:
lock

Now do:

touch /etc/ppp/options.pptpd

Now edit /etc/ppp/options.pptpd. It should look like this:

lock
ms-dns 192.168.1.1
ms-wins 192.168.1.1
domain your.domain.here
debug
name pptp-vpn
auth
proxyarp
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
chapms-strip-domain
lcp-echo-failure 10
lcp-echo-interval 30
nobsdcomp

Next, edit /etc/ppp/chap-secrets. It should look like this:
# Secrets for authentication using CHAP
# client server secret IP addresses
user pptp-vpn abcdefg "*"

Now do:

/etc/init.d/pptpd restart

You must now be able to set up a vpn connection to your new server from the inside of your firewall as “user” with password “abcdefg” (without the quotes). Change this initial username and password and add some users, if you like. Maybe you’ll have to reboot some machines to make it work.

Now open your firewall for incoming vpn connections. To do this, set your /etc/shorewall/rules as shown.

My /etc/shorewall/rules at this time:

###############################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#
# Accept DNS connections from the firewall to the network
#
ACCEPT net $FW tcp 25
ACCEPT net $FW tcp 443
ACCEPT net $FW tcp 993
ACCEPT net $FW udp 6277
DNAT net loc:192.168.1.1 tcp 1723
DNAT net loc:192.168.1.1 47
DNS/ACCEPT $FW net
#
# Accept SSH connections from the local network for administration
#
SSH/ACCEPT loc $FW
#
# Allow Ping from the local network
#
Ping/ACCEPT loc $FW
#
# Reject Ping from the “bad” net zone.. and prevent your log from being flooded..
#
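Both versions of the rules file above (the first opening 25, 443 and 6277, this one adding 993, 1723 and GRE for pptpd) are edited by hand, so after every change it is worth listing exactly what the "net" zone can now reach. The script below is an added example of mine, not part of the original howto or of Shorewall: it parses a Shorewall 3.x style rules file, prints every ACCEPT or DNAT rule whose source is `net`, and compares the result with an allow-list of `proto/port` tokens. The rules file it writes for the dry run is constructed after the listing above, with one extra rule (tcp/3306) added to show a mistake being caught.

```sh
#!/bin/sh
# Added example: audit which services a Shorewall rules file exposes to "net".
# Usage on the real box:
#   check_exposure /etc/shorewall/rules "tcp/25 tcp/443 tcp/993 udp/6277 tcp/1723 47/any"

# Print one line per rule that lets "net" reach something: ACTION DEST PROTO/PORT
exposed_from_net() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }        # skip comments and blank lines
        $2 == "net" && $1 ~ /^(ACCEPT|DNAT)/ {
            port = ($5 == "") ? "any" : $5           # e.g. GRE has a protocol but no port
            print $1, $3, $4 "/" port
        }
    ' "$1"
}

# Compare the exposed services with an allow-list of PROTO/PORT tokens ($2).
# Prints every rule that exposes something else; returns 1 if any was found.
check_exposure() {
    rules="$1"; allowed=" $2 "; bad=0
    while read -r action dest svc; do
        [ -z "$action" ] && continue
        case "$allowed" in
            *" $svc "*) ;;
            *) echo "UNEXPECTED: $action to $dest $svc"; bad=1 ;;
        esac
    done <<EOF
$(exposed_from_net "$rules")
EOF
    return $bad
}

# Constructed rules file modelled on the listing above, plus one stray rule.
write_sample_rules() {
    cat > "$1" <<'EOF'
#ACTION      SOURCE  DEST              PROTO  DEST PORT
ACCEPT       net     $FW               tcp    25
ACCEPT       net     $FW               tcp    443
ACCEPT       net     $FW               udp    6277
DNAT         net     loc:192.168.1.1   tcp    1723
DNAT         net     loc:192.168.1.1   47
DNS/ACCEPT   $FW     net
SSH/ACCEPT   loc     $FW
Ping/REJECT  net     $FW
ACCEPT       net     $FW               tcp    3306
EOF
}
```

On the sample, `exposed_from_net` lists six services and `check_exposure` with the allow-list `tcp/25 tcp/443 udp/6277 tcp/1723 47/any` reports only the stray `tcp/3306` rule; macro rules such as `DNS/ACCEPT` and `Ping/REJECT` are ignored because they either originate from `$FW` or do not accept anything.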

To complete this step, do:

/etc/init.d/shorewall restart

So now your customers will be able to do their job at home as well.

Note, that this only makes sense when your server has a reliable broadband connection to the internet, which in The Netherlands is the defacto standard, even for very tiny offices and most home addresses. In this respect we are way ahead of the rest of the world.

Now edit your /etc/MailScanner/spam.assassin.prefs.conf and add the following lines at the bottom:

score RCVD_IN_SORBS_WEB 10
score RCVD_IN_WHOIS_INVALID 10
score RCVD_IN_WHOIS_BOGONS 10
score RCVD_IN_NJABL_PROXY 10
score RCVD_IN_DSBL 10
score RCVD_IN_XBL 10
score RCVD_IN_NJABL_DUL 10
score RCVD_IN_BL_SPAMCOP_NET 10
score RCVD_IN_SORBS_DUL 10
score SARE_LWSYMFMT 3
score SARE_MLB_Stock4 3
score SARE_BAYES_5x8 3
score SARE_BAYES_6x8 3
score URIBL_SC_SURBL 10
score URIBL_WS_SURBL 10
score URIBL_PH_SURBL 10
score URIBL_OB_SURBL 10
score URIBL_AB_SURBL 10
score URIBL_JP_SURBL 10
score URIBL_SBL 10
score ALL_TRUSTED 0
uridnsbl_timeout 6

Now clean your /root directory. That’s where all the downloads went.

Samba is installed. As every setup of Samba is unique, I can’t help you out here. Don’t know how to do it? This is a good starting point.

To complete all of this, do:

/etc/init.d/mailscanner restart

Now watch the spam reports in the headers of incoming mail (but make sure your users agree to this, as you will be violating some postal and maybe other laws) to adjust the last edit (and add some) to make it work as you like. Especially false negatives and even more false positives should draw your attention. When you are done you may wish to send most spam, if not all, to /dev/null.
