CentOS 7 – Linux for Different Purposes

How to Create MySQL Users Accounts and Grant Privileges

The plans we make to set up a server infrastructure or a data center are generally the same: we try to organize services across the servers we run according to our needs. A Linux server can run multiple services at once or just one, depending on how much processing power the service needs and where the server sits inside the network. Following the needs of the users, system administrators should always be ready to set up or take down services in their infrastructure. A basic system installation usually ships with a number of services already installed but not well configured.

This chapter covers some of the main Linux services that most users need, and how to set up, configure, and operate them. We then explore some aspects of those services, how to secure them, and how to operate them in the best way possible.

In this chapter, we are going to learn to:

  • Configure a Gateway server using iptables and IP masquerading
  • Install a VPN server
  • Implement BIND as a DNS server
  • Set up and use a web server using Apache-MySQL-PHP with ModSecurity
  • Install an FTP server
  • Implement OpenSSL in Apache and FTP

Configuring a gateway server

In many network infrastructures, system administrators need to separate their servers and workstations across multiple subnetworks. Others use private network addresses that are associated with public addresses using Network Address Translation (NAT). A Linux gateway server is one of the common solutions for this kind of configuration. The following screenshot presents an example architecture in which the Gateway server passes traffic between the local and external networks:

As per the requirement, we need a Linux server with at least two network interfaces (as a best practice). We then bridge the two networks associated with them. In this section, we set up a gateway between public (external) and private (local) addresses, using IP forwarding and NAT rules to route traffic from the private network to the public network. We will call the external network the Wide Area Network (WAN) and the local network the Local Area Network (LAN).

Note

Traffic generated from the local network will appear to the external network as if it originated from the Gateway server. In this example, we will need another machine to act as a host inside the LAN network.

First, we will set up the network configuration of the WAN interface. To do so, there will be two options: either the interface will take its IP configuration via DHCP (automatic) or we set it ourselves manually (static). In our case, we will do the automatic configuration since our WAN network is provided by a router that serves DHCP configuration.

We will start by editing the configuration file of the designated interface eth0:


$ sudo nano /etc/sysconfig/network-scripts/ifcfg-eth0

The file will contain the following lines:


HWADDR="XX:XX:XX:XX:XX:XX"
TYPE="Ethernet"
BOOTPROTO="dhcp"
DEFROUTE="yes"
PEERDNS="yes"
PEERROUTES="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_PEERDNS="yes"
IPV6_PEERROUTES="yes"
IPV6_FAILURE_FATAL="no"
DEVICE="eth0"
UUID="01f7dbb3-7ac8-406d-a88b-76082e0fa6eb"
ONBOOT="yes"

We should focus on the BOOTPROTO line, which selects the protocol used for the network configuration, and make sure that it is set to dhcp.

The default installation sets all the interfaces to the DHCP configuration unless they have been modified during the installation or later.

We also need to make sure that DEVICE is set to the name of the interface that will take its configuration from the DHCP server, as it is named on our server (in our case eth0), and that ONBOOT is set to yes.

Note

After editing the file, if needed, make sure to save the modifications before leaving the text editor.

After making sure that all changes are successfully set, we need to restart the network manager so the machine can take the DHCP configuration:


$ sudo systemctl restart network.service

During this step the network connection may be lost, so we need to make sure that we do not need it in the meantime.

Now we can move to the configuration of the second network interface of the gateway server connected to the LAN. For this configuration, we need to use a static IP address.

In a similar way to the first interface, we are going to edit the configuration file of this interface eth1:


$ sudo nano /etc/sysconfig/network-scripts/ifcfg-eth1

This file also contains a number of configuration options, but we are interested in only some of them:


HWADDR="XX:XX:XX:XX:XX:XX"
TYPE="Ethernet"
BOOTPROTO="dhcp"
DEFROUTE="yes"
PEERDNS="yes"
PEERROUTES="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_PEERDNS="yes"
IPV6_PEERROUTES="yes"
IPV6_FAILURE_FATAL="no"
DEVICE="eth1"
UUID="b3fcc00e-a7d9-4b55-a32c-1e88e394aaf6"
ONBOOT="yes"

This is the default configuration, so we need to change it from a dynamic configuration to a static one.

The modification will consist of modifying some lines and adding others.

We start by changing the configuration protocol from dhcp to static to look like this:

BOOTPROTO="static"

Then we add the static IP address with this line: IPADDR="10.0.1.1".

Then the network mask, NETMASK="255.255.255.0".

And, finally, we make sure that the option DEVICE is set to eth1 and the option ONBOOT is set to yes.

Again, to make sure that this configuration is successfully applied, we need to restart the network service:


$ sudo systemctl restart network.service

Note

If, when checking the interfaces’ configuration with ifconfig, the new configuration has not taken effect, we need to restart the network service again and check its status:


$ sudo systemctl restart network.service
$ sudo systemctl status network.service

Now we move on to configuring a client, the machine that will use the gateway server, so we need to configure its interface for the LAN network. Since we are not limited to one specific client, if it has a graphical interface we can just open the connected interface and enter these settings:

IP address: 10.0.1.2

Network Mask: 255.255.255.0

Gateway: 10.0.1.1

For the DNS server, we will go with Google DNS, which is very reliable:

DNS server: 8.8.8.8

Note

It is not an obligation to use the Google DNS server address: some sites may be blocking it, others may be using their own local DNS server. Depending on the need, and if we don’t have one, Google DNS will be fine.

If the client is another CentOS 7 server, we need to do the same steps as for the static configuration of the gateway’s LAN interface.

We edit the configuration file of the interface:


$ sudo nano /etc/sysconfig/network-scripts/ifcfg-eth1

We change the configuration protocol to static and add these two lines:


IPADDR="10.0.1.2"
NETMASK="255.255.255.0"

We also make sure that ONBOOT=yes and that DEVICE matches the name of the interface we are configuring (eth1 here, since we edited ifcfg-eth1).

To use the Google DNS server, we can edit the /etc/resolv.conf file:


$ sudo nano /etc/resolv.conf

To add these two lines:


nameserver 8.8.8.8
nameserver 8.8.4.4

Then restart the network service:


$ sudo systemctl restart network.service

We go back to our Gateway server, then start doing the configuration of the IP forwarding. First, we need to enable it for the IPv4 packet forwarding:


$ sudo sysctl -w net.ipv4.ip_forward=1

To keep this configuration across system restarts, we need to make a modification to the IP forwarding configuration file:


$ sudo nano /etc/sysctl.conf

Then add this line and save:


net.ipv4.ip_forward = 1

To reload the configuration made to the file, we need to run this command:


$ sudo sysctl -p

The current configuration can be visualized via this command:


$ sudo cat /proc/sys/net/ipv4/ip_forward
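As an added example (not from the book), the following shell script audits the two files configured above without touching the live system: it checks that the LAN interface file describes a sound static configuration and that ip_forward is persisted in /etc/sysctl.conf. The file paths are the ones used in this chapter; the script name audit_gateway.sh is an assumption.

```shell
#!/bin/sh
# Added example (not from the book): offline audit of the gateway's static
# LAN interface file and of the persisted IPv4 forwarding setting.

# Print the value of KEY from an ifcfg file (last assignment wins, quotes stripped).
ifcfg_get() {  # $1=file $2=KEY
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# Dotted-quad check: four numbers, each 0-255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

# A static interface file is sound when DEVICE matches the ifcfg-<name> suffix,
# BOOTPROTO is static, IPADDR and NETMASK are valid and ONBOOT is yes.
# Prints each failed check and returns 0 only if all of them pass.
check_static_ifcfg() {  # $1=path to ifcfg-<iface>
    rc=0
    want_dev=$(basename "$1"); want_dev=${want_dev#ifcfg-}
    [ "$(ifcfg_get "$1" DEVICE)" = "$want_dev" ] || { echo "DEVICE is not $want_dev"; rc=1; }
    [ "$(ifcfg_get "$1" BOOTPROTO)" = "static" ] || { echo "BOOTPROTO is not static"; rc=1; }
    is_ipv4 "$(ifcfg_get "$1" IPADDR)"  || { echo "IPADDR missing or invalid"; rc=1; }
    is_ipv4 "$(ifcfg_get "$1" NETMASK)" || { echo "NETMASK missing or invalid"; rc=1; }
    [ "$(ifcfg_get "$1" ONBOOT)" = "yes" ] || { echo "ONBOOT is not yes"; rc=1; }
    return $rc
}

# ip_forward survives a reboot only if an uncommented "net.ipv4.ip_forward = 1"
# line is present in the sysctl configuration file.
check_ip_forward_persist() {  # $1=path to sysctl.conf
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Run directly on the gateway (script saved as audit_gateway.sh, an assumed name)
# to audit the paths used in this chapter; eth1 is the LAN side.
if [ "$(basename "$0")" = "audit_gateway.sh" ]; then
    check_static_ifcfg /etc/sysconfig/network-scripts/ifcfg-eth1 && echo "ifcfg-eth1: OK"
    check_ip_forward_persist /etc/sysctl.conf && echo "sysctl.conf: ip_forward persisted"
    echo "runtime ip_forward: $(cat /proc/sys/net/ipv4/ip_forward)"
fi
```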

Now we enable the NAT configuration. Using iptables, we need to enable IP masquerading. firewalld is a service that allows easy configuration of iptables. To use firewalld we rely on the command firewall-cmd, with which we enter the required configuration.

We start by configuring the NAT in firewalld. First, we will set the LAN network as a trusted zone:


$ sudo firewall-cmd --permanent --zone=trusted --add-source=10.0.1.0/24

Then we integrate the LAN interface eth1 to a zone called internal:


$ sudo firewall-cmd --change-interface=eth1 --zone=internal --permanent

We do the same for the WAN interface eth0 to a zone called external:


$ sudo firewall-cmd --change-interface=eth0 --zone=external --permanent

Then we configure the masquerade option for the external WAN:


$ sudo firewall-cmd --zone=external --add-masquerade --permanent

For an optional DNS configuration, we can allow the DNS service through the internal zone:


$ sudo firewall-cmd --zone=internal --add-service=dns --permanent

Before we finish, we make sure that NAT is configured to masquerade traffic from the LAN network that leaves through the WAN interface:


$ sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o eth0 -j MASQUERADE -s 10.0.1.0/24 

Finally, we need to reload the firewall service so that the configuration takes effect:


$ sudo firewall-cmd --reload
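After the reload, the zone assignments above can be checked rather than assumed. This added script (not from the book) parses the output of firewall-cmd --zone=<zone> --list-all and verifies the zone and masquerade state this gateway depends on; the zone names, interfaces and LAN prefix are the ones used in this section, and the script name verify_fw.sh is an assumption.

```shell
#!/bin/sh
# Added example (not from the book): check the firewalld zone state this
# gateway relies on by parsing `firewall-cmd --zone=<zone> --list-all` text.

# Print one field ("interfaces", "sources", "masquerade", ...) from --list-all
# output read on stdin.
zone_field() {  # $1=field name
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# Return 0 if the space-separated field read on stdin contains the given word.
field_has() {  # $1=field $2=word
    for w in $(zone_field "$1"); do
        [ "$w" = "$2" ] && return 0
    done
    return 1
}

# Verify the zones configured in this section: eth0 in external with masquerade
# on, eth1 in internal (and never in external), LAN prefix a source of trusted.
# Each argument is the --list-all text of one zone, so saved output works too.
verify_gateway_zones() {  # $1=external text $2=internal text $3=trusted text
    rc=0
    printf '%s\n' "$1" | field_has interfaces eth0 || { echo "eth0 is not in external"; rc=1; }
    [ "$(printf '%s\n' "$1" | zone_field masquerade)" = "yes" ] || { echo "masquerade is off on external"; rc=1; }
    printf '%s\n' "$1" | field_has interfaces eth1 && { echo "eth1 must not be in external"; rc=1; }
    printf '%s\n' "$2" | field_has interfaces eth1 || { echo "eth1 is not in internal"; rc=1; }
    printf '%s\n' "$3" | field_has sources 10.0.1.0/24 || { echo "10.0.1.0/24 is not a trusted source"; rc=1; }
    return $rc
}

# Run on the gateway (saved as verify_fw.sh, an assumed name) to query the live state.
if [ "$(basename "$0")" = "verify_fw.sh" ] && command -v firewall-cmd >/dev/null 2>&1; then
    verify_gateway_zones "$(sudo firewall-cmd --zone=external --list-all)" \
                         "$(sudo firewall-cmd --zone=internal --list-all)" \
                         "$(sudo firewall-cmd --zone=trusted --list-all)" && echo "firewalld zones: OK"
fi
```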

After this point, the Gateway server should be running well. To test the configuration, we need to ping any website from any machine located on the LAN network:


$ ping www.google.com

We should see output of the following kind to know that our Gateway server is working correctly:


PING www.google.com (216.58.210.196): 56 data bytes
64 bytes from 216.58.210.196: seq=0 ttl=50 time=55.799 ms
64 bytes from 216.58.210.196: seq=1 ttl=50 time=65.751 ms
64 bytes from 216.58.210.196: seq=2 ttl=50 time=54.878 ms
64 bytes from 216.58.210.196: seq=3 ttl=50 time=54.186 ms
64 bytes from 216.58.210.196: seq=4 ttl=50 time=93.656 ms
--- www.google.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 54.186/64.854/93.656 ms

We would recommend using a DHCP server to configure all the clients if they are desktop machines and do not need a static configuration. For a more advanced DHCP configuration, we can also assign fixed IP addresses to the servers via their interfaces’ MAC addresses.
