Archive for June, 2009

VPN Server

June 18, 2009

Server

  1. apt-get install ppp
  2. apt-get install pptpd
  3. vi /etc/pptpd.conf

option /etc/ppp/pptpd-options -> (default). Location of the PPP options file.

speed 115200 -> (default)

debug -> (default)

logwtmp -> (default). Use wtmp(5) to record client connections and disconnections.

localip 7.7.7.10 -> Address of the server end of the tunnel. If a client's IP field in chap-secrets is set to * (dynamic), the client is given an address from the remoteip range below (note that the commented examples keep localip outside the remoteip pool).

remoteip 7.7.7.10-100

#or

#localip 192.168.0.1

#remoteip 192.168.0.234-238,192.168.0.245

#or

#localip 192.168.0.234-238,192.168.0.245

#remoteip 192.168.1.234-238,192.168.1.245

  4. vi /etc/ppp/pptpd-options

name PPTP -> Name of the local system for authentication purposes (must match the second field of the /etc/ppp/chap-secrets entries).

ms-dns 221.120.96.2

ms-dns 221.120.96.3

netmask 255.255.255.0

proxyarp -> (default)

nodefaultroute -> (default)

lock -> (default)

nobsdcomp -> (default)

  5. vi /etc/ppp/chap-secrets

# Secrets for authentication using CHAP

# client            server  secret                      IP addresses

########        #####   ######                  #############

pavel               PPTP    pavel321              192.168.104.6

eximit              PPTP    exim321               221.120.97.28   -> Give a static IP to this client

sum                 PPTP    sum321                *               -> Pull an IP from the remoteip range in /etc/pptpd.conf on the VPN server.

The secrets in this file are stored in cleartext, so keep it owned by root with mode 600.

  6. /etc/init.d/pptpd restart
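Added example (not from the original post): a small POSIX sh check that the server side of this setup is consistent, assuming the file layout above (a pptpd-options file with a name line and a chap-secrets file with client, server, secret and IP fields). It verifies that the server field of every chap-secrets entry matches the name in pptpd-options and that the file is mode 600, since it holds the passwords in cleartext.

```shell
#!/bin/sh
# Added example, not part of the original post: a consistency check for the
# PPTP authentication files set up above. pppd accepts a chap-secrets entry only
# if its second field equals the "name" given in pptpd-options, and the file
# holds cleartext passwords, so it should be readable by root alone (mode 600).
# Usage: check_chap_secrets /etc/ppp/pptpd-options /etc/ppp/chap-secrets

# Print the value of the "name" option from a pptpd-options file
# (first match only, comment lines ignored).
pptpd_server_name() {
    sed -n 's/^[[:space:]]*name[[:space:]][[:space:]]*\([^[:space:]#][^[:space:]#]*\).*/\1/p' "$1" | head -n 1
}

# Report entries whose server field does not match the pptpd-options name,
# entries without a secret, and a file mode looser than rw-------.
# Returns 0 when everything is consistent, 1 otherwise.
check_chap_secrets() {
    options="$1"; secrets="$2"; status=0
    server=$(pptpd_server_name "$options")
    if [ -z "$server" ]; then
        echo "no 'name' line found in $options"
        return 1
    fi
    # permission bits from ls -l, e.g. "-rw-------" -> "rw-------"
    mode=$(ls -ld "$secrets" | cut -c2-10)
    if [ "$mode" != "rw-------" ]; then
        echo "$secrets has mode $mode, expected rw------- (chmod 600 $secrets)"
        status=1
    fi
    # fields: client server secret [IP addresses]; blank lines and comments are skipped
    while read -r client srv secret addr rest; do
        case "$client" in ''|\#*) continue ;; esac
        if [ "$srv" != "$server" ]; then
            echo "client '$client': server field '$srv' does not match name '$server' in $options"
            status=1
        fi
        if [ -z "$secret" ]; then
            echo "client '$client': no secret given"
            status=1
        fi
    done < "$secrets"
    return $status
}
```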

Client
Linux

  1. apt-get install ppp
  2. apt-get install pptp-linux
  3. vi /etc/ppp/peers/provider -> Delete all lines and write only the following lines.

pty "pptp 10.0.38.130 --nolaunchpppd" -> 10.0.38.130 is the IP of the VPN server.

name eximit -> Client name, the same as in chap-secrets on the VPN server.

remotename PPTP -> The same as the name in /etc/ppp/pptpd-options on the VPN server.

file /etc/ppp/options.pptp

ipparam provider

noauth

persist

115200

defaultroute

proxyarp

:x!

  4. vi /etc/ppp/chap-secrets

# Secrets for authentication using CHAP

# client            server        secret                     IP addresses

eximit              PPTP          exim321                    *   -> Get an IP from the remoteip range in pptpd.conf, or the static IP given in chap-secrets on the VPN server.

  5. vi /etc/ppp/options.pptp -> Delete all lines and write only the following line.
     lock noauth nobsdcomp nodeflate
     :x!
  6. /etc/init.d/ppp restart

Windows

Network Connections -> Create a new connection -> Connect to the network at my workplace -> Virtual Private Network connection -> Company name (sum) -> Do not dial the initial connection -> Host name/IP (221.120.96.236)

Debian

June 18, 2009

Debian 5.0 CD/DVD download

http://cdimage.debian.org/debian-cd/5.0.0/i386/iso-dvd/ -> Debian 5 DVD ISO

http://cdimage.debian.org/debian-cd/5.0.0/i386/iso-cd/ -> Debian 5 CD ISO

[#] vi /etc/apt/sources.list

Debian 4

deb http://ftp2.de.debian.org/debian/ etch main
deb-src http://ftp2.de.debian.org/debian/ etch main

Debian 5

Source 1:

deb     http://ftp.debian.org/debian/  stable main contrib non-free
deb-src http://ftp.debian.org/debian/  stable main contrib non-free
deb     http://security.debian.org/    stable/updates main contrib non-free
deb-src http://security.debian.org/    stable/updates main contrib non-free

Source 2:

deb http://ftp.nl.debian.org/debian/ lenny main contrib non-free
deb http://security.debian.org/ lenny/updates main contrib non-free

Source 3:

deb http://http.us.debian.org/debian stable main contrib non-free
deb http://non-us.debian.org/debian-non-US stable/non-US main contrib non-free
deb http://security.debian.org stable/updates main contrib non-free

Source 4 (latest Debian apt source list):

deb http://ftp.fr.debian.org/debian/ lenny main
deb-src http://ftp.fr.debian.org/debian/ lenny main

deb http://security.debian.org/ lenny/updates main
deb-src http://security.debian.org/ lenny/updates main

deb http://volatile.debian.org/debian-volatile lenny/volatile main
deb-src http://volatile.debian.org/debian-volatile lenny/volatile main

:x!

[#] apt-get update -> Update the package lists

[#] apt-get upgrade -> Upgrade all installed packages

[#] apt-get install pkg -> Install a package

[#] apt-get remove pkg -> Remove a package

[#] dpkg --purge pkg -> Remove a package together with its configuration files

[#] dpkg -l -> Show all installed and removed packages

[#] dpkg -l pkg -> Show whether the package is installed or not

[#] dpkg -L pkg -> List the files in a package

[#] dpkg -s pkg -> Show the status of a package

[#] dpkg -p pkg -> Show details of a package

[#] apt-cache search dhcp -> Search for a package

[#] apt-get source pkg -> Get the source of a package

Package name List

  1. portmap
  2. sysv-rc-conf -> Show the port status.
  3. traceroute
  4. openssl
  5. libssl-dev
  6. iproute
  7. iptraf
  8. tcpdump
  9. zip
  10. unzip
  11. php4-apc
  12. libpng
  13. libjpeg
  14. minicom
  15. mgetty
  16. dhcp3-server
  17. libnet-ssleay-perl
  18. rdate
  19. perl-suid
  20. ncurses
  21. mrtg
  22. snmpd
  23. zlib1g-dev
  24. pptp-linux
  25. nmap
  26. squid
  27. wget
  28. vim
  29. psmisc
  30. sysv-rc-conf
  31. gcc
  32. tcptrack
  33. iftop
  34. mtr

PGF server

June 18, 2009

NAT, Firewall, Proxy

1st Step: Set up the IP addresses in /etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 221.120.99.72
    netmask 255.255.255.224
    network 221.120.99.64
    gateway 221.120.99.65

auto eth1
iface eth1 inet static
    address 192.168.100.1
    netmask 255.255.255.0

auto eth1:0
iface eth1:0 inet static
    address 192.168.0.1
    netmask 255.255.255.0

auto eth1:1
iface eth1:1 inet static
    address 192.168.110.1
    netmask 255.255.255.0

OR (an alias may be given a name instead of a number; the stanza is otherwise the same)

auto eth1:aknet
iface eth1:aknet inet static
    address 192.168.110.1
    netmask 255.255.255.0

2nd Step: Squid Configuration

  1. apt-get install squid
  2. vi /etc/squid/squid.conf -> The port squid listens on (http_port) must match the port the proxy rule in rules.sh redirects to.

3rd Step: rules.sh Configuration

  1. vi /etc/init.d/rules.sh (or any other file name)

#!/bin/sh

any=0.0.0.0/0.0.0.0
local_net=192.168.0.0/24

echo 1 > /proc/sys/net/ipv4/ip_forward

#echo 163760 > /proc/sys/net/ipv4/ip_conntrack_max
#echo 3072 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
#echo 4608 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
#echo 6144 > /proc/sys/net/ipv4/neigh/default/gc_thresh3

########################### Flush all rules ###############################

/sbin/iptables -F            # flush all chains (INPUT, OUTPUT, FORWARD)
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F -t nat

########################## Set default policy ############################

iptables -P INPUT ACCEPT     # or: iptables --policy INPUT ACCEPT. Accept all incoming packets from the internet to the gateway server itself.
iptables -P OUTPUT ACCEPT    # accept all output from the gateway server to the internet
iptables -P FORWARD DROP     # drop all forwarded packets unless a rule below accepts them

################# Accept all internal communications with loop back ############

/sbin/iptables -A INPUT -j ACCEPT -i lo
/sbin/iptables -A OUTPUT -o lo -p all -j ACCEPT

######################## Rules for external interface ########################

/sbin/iptables -A INPUT -p ip -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p ip -i eth1 -j ACCEPT
/sbin/iptables -A INPUT -p ip -i ppp+ -j ACCEPT

# Note: iptables stops at the first matching rule in a chain. These three rules
# accept every packet arriving on eth0, eth1 and ppp+, so the INPUT DROP rules
# further down (NetBIOS, trojan ports, IP block) are never reached. Put the DROP
# rules before these ACCEPTs, or use a DROP default policy with explicit ACCEPTs.

##################### Accept Forwarding WAN interface ####################

iptables -A FORWARD -i eth0 -j ACCEPT
# Allow all packets from local PCs to the internet connected through the gateway server.
# Note: in the interface setup above eth0 is the external interface, so "-i eth0"
# matches packets arriving from the internet; traffic coming from the LAN arrives on eth1.

iptables -A FORWARD -s 0/0 -d 0/0 -j ACCEPT
# Allow all packets from local PCs to the internet connected through the gateway server.
# This matches everything, so every later FORWARD rule, including the DROPs, is unreachable.

iptables -A FORWARD -s 192.168.100.0/24 -d 0/0 -j ACCEPT
# Allow all packets from the 192.168.100.0/24 local network to all destinations (internet).

iptables -A FORWARD -s 192.168.100.2/32 -d 4.2.2.2 -j ACCEPT
# Allow all packets from the local PC 192.168.100.2 to the single destination 4.2.2.2.

########################   MAC based firewall   ############################

iptables -A FORWARD -s 192.168.100.2 -d 0/0 -m mac --mac-source 00:02:21:D4:C2:11 -j ACCEPT
# Allow packets from a single local PC (IP 192.168.100.2 and MAC 00:02:21:D4:C2:11) to all destinations (internet).
# The source MAC seen by the gateway is that of the last hop, so this match only
# means something for hosts on a directly attached segment.

##########################   Rules for PPP interface   ######################

/sbin/iptables -A INPUT -p ip -i ppp+ -j ACCEPT
/sbin/iptables -A OUTPUT -p ip -o ppp+ -j ACCEPT
/sbin/iptables -A FORWARD -p ip -i ppp+ -j ACCEPT

####################### Rules for unnecessary ports ######################

NETBIOS_TCP="135,136,137,138,139,445,3127,3198,5100,5001"
NETBIOS_UDP="60,66,72,78,100,135,136,137,138,139,5100,5001"

/sbin/iptables -A INPUT -s 0/0 -p tcp -m multiport --dports $NETBIOS_TCP -j DROP
/sbin/iptables -A INPUT -s 0/0 -p udp -m multiport --dports $NETBIOS_UDP -j DROP
/sbin/iptables -A FORWARD -s 0/0 -p tcp -m multiport --dports $NETBIOS_TCP -j DROP
/sbin/iptables -A FORWARD -s 0/0 -p udp -m multiport --dports $NETBIOS_UDP -j DROP

########################### Trojan Block ###################

TROJAN_PORTS_TCP="12345,12346,1524,27665,31337,19006,3969,9996,5554"
TROJAN_PORTS_UDP="12345,12346,27444,31337,19006,3969,9996,5554"

/sbin/iptables -A INPUT -p tcp -s 0/0 -m multiport --dports $TROJAN_PORTS_TCP -j DROP
/sbin/iptables -A INPUT -p udp -s 0/0 -m multiport --dports $TROJAN_PORTS_UDP -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -m multiport --dports $TROJAN_PORTS_TCP -j DROP
/sbin/iptables -A FORWARD -p udp -s 0/0 -m multiport --dports $TROJAN_PORTS_UDP -j DROP

######################## Block Sasser worm  ################

#/sbin/iptables -A INPUT -p tcp --dport 9996 -s 0/0 -d 0/0 -j DROP
#/sbin/iptables -A INPUT -p tcp --dport 5554 -s 0/0 -d 0/0 -j DROP

####################### Allow ping replies on BOTH interfaces ################

iptables -A INPUT -p icmp -i eth0 -j ACCEPT
iptables -A INPUT -p icmp -i eth1 -j ACCEPT

#################### Open ftp port on OUTSIDE interface ######################

iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -i eth1 --dport 21 -j ACCEPT
iptables -A INPUT -p udp -i eth1 --dport 21 -j ACCEPT

################## Open secure shell port on BOTH interfaces ##################

iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -i eth1 --dport 22 -j ACCEPT
iptables -A INPUT -p udp -i eth1 --dport 22 -j ACCEPT
# FTP control (21) and SSH (22) are TCP-only services; the udp rules above match nothing useful.

######################### IP/ URL block ###############

iptables -A INPUT -s 192.168.0.5/32 -d 0/0 -j DROP
iptables -A FORWARD -s 192.168.0.5/32 -d 0/0 -j DROP

iptables -A INPUT -s 0/0 -d 192.168.2.11/32 -j DROP
iptables -A FORWARD -s 0/0 -d 192.168.2.11/32 -j DROP

iptables -A INPUT -s 192.168.0.0/24 -d facebook.com -p tcp --dport 443 -j DROP
iptables -A FORWARD -s 192.168.0.0/24 -d facebook.com -p tcp --dport 443 -j DROP
# A host name given to -d is resolved once, when the rule is loaded; only the
# addresses returned at that moment are matched, so this does not reliably block a site.

########################## Proxy rules #################

/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -s 192.168.0.0/24 --dport 80 -j REDIRECT --to-port 8080
# Squid must listen on this port (http_port in squid.conf; the default is 3128) and be
# set up for interception (the "transparent" option on http_port in squid 2.x).

######################## Rules for NAT / Masquerading ####

#iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eth0 -j MASQUERADE
#/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -s ${any} -d ${any}
#/sbin/iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE -s ${local_net} -d ${any}

/sbin/iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -d 0/0 -j SNAT --to-source 221.120.99.72   # without proxy
/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 0/0 -j SNAT --to-source 221.120.99.72     # using the proxy server

# Alternatively, send web traffic to a proxy on another host
# (192.168.0.1 is the gateway and 192.168.0.3 is the proxy server):
# iptables -t nat -A PREROUTING -i eth1 -p tcp -d 0/0 --dport 80 -j DNAT --to 192.168.0.3:3128

  2. chmod 744 rules.sh OR chmod +x rules.sh -> Give the file rules.sh execute permission (keep it owned by root and not writable by other users, since it sets up the firewall).
  3. /etc/init.d/rules.sh

  4. Execute the script during machine startup

Debian

ln -s /etc/init.d/rules.sh /etc/rc2.d/S98rules.sh -> Run this file during startup.

Red Hat

[#] cp rules.sh /usr/bin/rules.sh -> So the script can be run by its file name from the command line (e.g. sonic).

[#] vi /etc/rc.local
rules.sh
:x!
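Added example (not from the original post): a POSIX sh/awk check for the first-match problem in a rules.sh-style script like the one above. It reads the iptables lines, remembers every catch-all ACCEPT per chain and interface, and reports DROP rules appended after one, which iptables will never reach; the file path argument and the sample lines in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: a first-match check for a
# rules.sh-style file. iptables walks a chain top to bottom and stops at the
# first matching rule, so a DROP appended after a catch-all ACCEPT in the same
# chain (same interface, or no interface given on either rule) is never reached.
# find_shadowed_drops FILE prints each shadowed DROP line with its line number
# and returns 1 if any were found, 0 otherwise. Shell comments are skipped.
# Usage (assumed path): find_shadowed_drops /etc/init.d/rules.sh
find_shadowed_drops() {
    awk '
    /^[ \t]*#/ { next }
    /-A[ \t]+(INPUT|OUTPUT|FORWARD)/ {
        chain = ""; iface = ""; target = ""; specific = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "-A") chain = $(i + 1)
            if ($i == "-i" || $i == "-o") iface = $(i + 1)
            if ($i == "-j") target = $(i + 1)
            # a non-wildcard address, a port or a match extension narrows the rule
            if (($i == "-s" || $i == "-d") && $(i + 1) != "0/0") specific = 1
            if ($i == "--dport" || $i == "--dports" || $i == "--sport" || $i == "-m") specific = 1
            if ($i == "-p" && $(i + 1) != "ip" && $(i + 1) != "all") specific = 1
        }
        # remember catch-all ACCEPTs per chain and interface ("" = any interface)
        if (target == "ACCEPT" && !specific) catchall[chain "," iface] = NR
        if (target == "DROP") {
            shadowed = 0
            for (k in catchall) {
                split(k, part, ",")
                if (part[1] != chain) continue
                if (iface == "" || part[2] == "" || part[2] == iface) shadowed = 1
            }
            if (shadowed) { print NR ": " $0; bad = 1 }
        }
    }
    END { if (bad) exit 1; exit 0 }
    ' "$1"
}

# When run directly with a file argument, check that file.
if [ -n "$1" ]; then
    find_shadowed_drops "$1"
fi
```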