Installing and Configuring an Internet Gateway with Ubuntu
Overview
All homes have internet access these days. With browsing comes other requirements like sharing, downloading and security. In this tutorial I will explain how to install a linux server to give your home network some security, bandwidth sharing and torrent downloading facilities. Well while there are many ways to accomplish this here is a cheap and effective way to accomplish this. And when I say cheap I mean absolutely no cost for software! This is how the setup will look like.
Requirements
Hardware
Basic PC with at least 2 HDDs and 2 NICs. For this tutorial I will assume that the first NIC is connected to your ADSL router.
Software
Latest Ubuntu release (11.10 at the time of the writing)
Component list
- Ubuntu (Operating System)
- Webmin (Web based remote management system)
- OpenSSH (Remote command line server)
- Shorewall (Firewall)
- Squid (Proxy Server)
- SARG (Squid Log Report Generator)
- DHCP3 (DHCP Server)
- Bind9 (DNS Server)
- MySQL (SQL Server for TorrentFlux-b4rt)
- Apache (Web Server for TorrentFlux-b4rt)
- Full PHP Base (TorrentFlux-b4rt runs on this)
- TorrentFlux-b4rt (Torrent Server)
Installing Ubuntu
Download the latest Ubuntu release from
here. Burn the ISO to a CD and boot your PC of the CD. Please see the following screenshots and follow it to install the operating system. Please note that the screenshots have been taken from 11.04 but the 11.10 installation screens look very similar. Alternatively you could also look
here and
here for further installation details.
Highlight English and hit enter.
Highlight Install Ubuntu Server and hit enter.
I've chosen English here. But you could customize it to fit your needs. I will skip to the meat and potatoes of the installation.
Highlight eth0 and hit enter. Please note that the name of the adapter is not important. What really matters is the real device name of the adapter which in this case is eth0.
Type a name for the server and hit enter. Note that the name cannot contain spaces.
Usually you could just hit enter here.
Highlight Guided - use entire disk and set up LVM.
Usually you could highlight the first entry. Make sure that it says (0,0,0). Or the highest possible in your case. This means that you are installing Ubuntu on the first hard disk.
Select Yes and press enter.
Backspace whatever that's in by default and type in max. Hit enter.
Highlight Yes and hit enter. Once this is done the installer will initiate the actual installation. Sit back and relax while it's been done for you.
Give your user a name and hot enter. I've user the name user in this tutorial.Once you hit enter you will get a very similar screen to the one above. hit enter again. Please note that you could change the user name for the account you created. I prefer to keep both names the same to avoid complications.
Give the new account a secure password. Note that the password you type is displayed as asterisks. Once the password is typed hit enter and enter the same password in the confirmation box as well.
Select No when prompted to encrypt your home directory. This will avoid any complications.
Just hit enter here. The installation will start downloading additional files and resume the installation process.
Select No automatic updates and hit enter.
Hit the tab key to highlight Continue and hit enter.
Highlight Yes to install the GRUB boot loader and hit enter.
Congratulations!!! The installation is complete. Highlight Continue and hit enter to reboot the server.
Initial Setup
Once the server reboots and you log in with the user credentials provided during the setup process execute the following commands. When running a command in sudo context you will have to enter the logged in user's password to continue.
sudo apt-get update
sudo apt-get upgrade -y
this might take some time to complete.
IP Configuration
Since we have two NICs on the server we need to configure it before continuing any further. Execute the following commands to configure the network settings.
sudo pico /etc/network/interface
Once the configuration file opens edit the contents as shown below. Ignore the lines with the '#' since these are all comments.
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
auto eth1 inet static
address 192.168.2.1
netmask 255.255.255.0
Once edited press Ctrl+x. This will bring up a small prompt asking to save the file press y and hit enter to close the file. Then run the following command to restart the networking service and apply the changes. If you receive any warnings about the command been deprecated it can be safely ignored.
sudo /etc/init.d/networking restart
Type the following command to verify the connections are up and the changes have been applied.
ip addr
This should display the IP addresses per each adapter. Make sure the new IP has been applied.
Installing Webmin
Webmin is the web based GUI interface for managing the system remotely. Mainly there are a couple of ways to install Webmin, manually or via the Ubuntu repository. We will be using the Ubuntu repository to install Webmin. But since Webmin is not added to the Ubuntu repository buy default we will first make the repository aware of Webmin. Please run the following command to open up the repository source list to add the Webmin part to it.
sudo pico /etc/apt/sources.list
Once the file opens add the following lines to the bottom of the file.
deb http://download.webmin.com/download/repository sarge contrib
deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib
Press Ctrl+x. This will bring up a small prompt asking to save the file press y and hit enter to close the file.
Run the following commands to add the security key for the repository. This is essential since the repository will not update appropriately without the key.
sudo su
cd /root
wget http://www.webmin.com/jcameron-key.asc
apt-key add jcameron-key.asc
Afterwords run the below commands to update the repository and install Webmin.
sudo apt-get update
sudo apt-get install webmin
Once the installation is complete run the following commands to reset the root password for Webmin.
cd /usr/share/webmin
sudo ./changepass.pl /etc/webmin root <new_password>
replace <new_password> with a preferred password. Open up a web browser on a PC on the internal network and point the browser to https://192.168.2.1:10000
If you receive a warning ignore it (in Firefox add an exception).
Then log in with root and the password you provided when resetting the Webmin root's password. Once logged in Go to Webmin > Webmin Users
Then add a new Webmin group called WebminAdmins and expand the available modules. Click on select all and click create. Then click on convert unix users to webmin users and select Only users and click on the button to select the users. This should bring up a popup with all the system users. Make sure you click on the user you created during the initial setup process and click Ok. Then click on the Convert Now button. You should see a list of users and the selected user been converted to a Webmin user. Then click on Logout at the bottom left corner of the page and log in as the user you logged in to the server console. Welcome to Webmin!!! You should see something similar to this.
Installing OpenSSH Server
Run the following command to install OpenSSH Server.
sudo apt-get install openssh-server.
Once this is done go to a PC on the internal network and download Putty. You could download it from
here. Run putty and enter the internal IP address of the server and click on Open. See the screenshot below.
You will receive a warning the first time you connect. Accept the certificate. Then log in using the same credentials used to log in to the server console.
ShoreWall Installation
ShoreWall or Shoreline Firewall is a simple to configure firewall which will basically provide some security and internet sharing. Let's go ahead and install it.
sudo apt-get install shorewall
Configuring ShoreWall.
Usually configuration takes heaps of typing (which I love!!). But for any GUI freaks I will show the GUI way of doing it. Go to your Webmin site and expand Networking and click on Shoreline Firewall.
Network Zones: This section defines zones to which we will assign "levels of trust". We will create three zones: the firewall, Internet, and local zones.
Click Add a new network zone. You will be provided with a number of options. We are interested in the Zone ID field and the Zone type list. For each zone, enter the options as follows, and click Create before returning to the page to create the next.
Zone ID = fwall; Zone type = Firewall system
Zone ID = net; Zone type = IPv4
Zone ID = loc; Zone type = IPv4
Network Interfaces: This section tells the firewall which Ethernet card is connected to the Internet, and which one to the LAN. In our case, we have only two interfaces.
Click Add a new network interface, and again you will be presented with a vast array of options. We will define only Interface, Zone name, and Broadcast address. Here, also, you will have to setup one interface at a time, clicking Create before returning to configure the next. Configure as follows:
Interface = eth0; Zone name = net; Broadcast address = Automatic
Interface = eth1; Zone name = loc; Broadcast address = Automatic
Default Policies: The default policies tell the firewall what to do with packets coming from various sources. We will set it to drop all requests from the Internet, and accept all from the LAN and the firewall itself. Click Add a new default policy. As before, we will define one policy at a time, clicking Create before proceeding. Configure the policies as follows:
Source zone = net; Destination zone = Any; Policy = DROP
Source zone = fwall; Destination zone = Any; Policy = ACCEPT
Source zone = loc; Destination zone = Any; Policy = ACCEPT
Source zone = Any; Destination zone = Any; Policy = REJECT
Firewall Rules: This section defines specific rules for specific services. We will enable them as the need arises, later. Make sure the lines are entered identical to the given order or you will not have access to your box at all!
TOS: This section optimizes Web browsing as much as you can on your end. Click Add a new type of service, and we will proceed to configure the services one by one.
Source zone = Any; Destination zone = Any; Protocol = TCP, Source ports = Any; Destination ports = with the Ports or ranges radio button selected enter www; Type of service = Maximize-Throughput
Source zone = Any; Destination zone = Any; Protocol = TCP, Source ports = Any; Destination ports = with the Ports or ranges radio button selected enter www; Type of service = Minimize-Delay
Source zone = Any; Destination zone = Any; Protocol = TCP, Source ports = with the Ports or ranges radio button selected enter www; Destination ports = Any; Type of service = Maximize-Throughput
Source zone = Any; Destination zone = Any; Protocol = TCP, Source ports = with the Ports or ranges radio button selected enter www; Destination ports = Any; Type of service = Minimize-Delay
Masquerading: This tells the server to forward requests from the LAN to the Internet, which is required for Internet connection-sharing. Click Add a new masquerading rule, and enter the following rule.
Outgoing interface = eth0; Network to masquerade = with Subnet on interface selected, choose eth1; leave the rest unchanged
When Stopped: This allows machines whose IP addresses are specified to access the server even when the firewall is not running. No other IP addresses will have access. Add as many as you want, but there should be at least one, just in case. In the example below, I have allowed access from two IP addresses on the LAN. Click Add a new stopped address, and configure as follows:
Interface = eth1; select Listed addresses and networks, and enter 192.168.0.2,192.168.0.3 and/or any other addresses you wish.
Back on the Shorewall main page, click
"Check Firewall". You
should get the thumbs up. Note that an "OK" result here does
not
guarantee the firewall will work properly, or will work at all. It
simply checks the rules syntax.
There is a security feature that prevents an unconfigured Shorewall
from being started up, when booting. This has to be changed manually. For
this, you will need a Java-enabled Web browser to do it using Webmin, or
you could resort to using vim from the CLI.
What you have to do is change the line
startup=0
in the file
/etc/default/shorewall to
startup=1
In Webmin, go to
Others > File Manager. This will give you a
nice Java-based file manager. Navigate to the above mentioned file, and
click the
"Edit" button at the top. A text editor window will
pop up. (Disable pop-up blocker.) Make the change, and then save and
close.
Again, using this browser, browse to the file
/etc/shorewall/shorewall.conf, click
"Edit", and find
the line
IP_FORWARDING=Keep. Change the value from
Keep to
On. Save and close.
Now, let us make sure that Shorewall is set to start at bootup. Go to
System > Bootup and Shutdown, look for
shorewall in the
list. Tick the checkbox, and click
"Start Now and On Boot" at
the bottom. Go back to the
Networking > Shorewall Firewall page,
and you should see six buttons where there were previously only two. Click
"Show Status", to verify that all is running well. Your Internet
connection sharing should be set up, now. Try it out!
Squid Proxy Server
Run the following command to install Squid.
sudo apt-get install squid
After the installation completes go to Servers > Squid in Webmin. We will configure Squid from here.
Ports and Networking: Here we will tell Squid which port it will be listening on. The default is port 3128. We will stick to this, but you can change it. In the "Options for port" field, enter transparent. This will make Squid a transparent proxy server, which eliminates the need to configure machines on your LAN. Save the changes.
Memory Usage: Here, you can define memory usage limits for Squid, or choose to go with the default settings. I would draw attention to the "Maximum cached object size" option. Here, you can define the maximum size of cached files.
Cache Options: The option I would recommend you changing here is the "Cache Directories" one. Squid defaults to a 100MB cache, which is pretty minuscule for our caching proxy objective. Decide how much of your hard disk you wish to use for the cache; I use 5GB out of my 40GB hard disk. In the "Directory" field, enter /var/spool/squid, "Type" as UFS, in "Size (MB)", enter however much you decided on in megabytes, for the 1st- and 2nd-level directories, enter one of the following numbers; 16,32,64,128 or 256 (defaults being 16 and 256, respectively). These numbers basically define the file structure of your cache. Read the help documentation, for more information on this and other options. Save your changes.
Helper Programs: In the "DNS server addresses" field, enter 192.168.0.1, select the radio button, and save. This tells Squid to send DNS requests to the BIND DNS server running on your server.
Access Control: Here, we will define which LAN machines will be able to use Squid, by their IP addresses. At the bottom of the "Access Control Lists" section, select Client Address from the drop down list, and click "Create new ACL". In the page that appears, enter a name of your choice in the "ACL Name" field (e.g., Local_Network), define the range of IP addresses you wish to grant access to, and the Netmask, e.g., From = 192.168.0.2, To = 192.168.0.7, Netmask = 255.255.255.0. If you would like to grant access to all machines on your LAN, enter as follows; From = 192.168.0.0, To = *leave blank*, Netmask = 255.255.255.0. Save your changes.
Having defined the machines on our LAN, we will now tell Squid what to do with requests from these machines. Click "Add proxy restriction" in the "Proxy Restrictions" section. Select the "Allow" action, and the ACL you just created (Local_Network) from the "Match ACLs" list. Save your changes.
Your new restriction will be at the bottom of the restrictions list, and, since they are effectuated in order, you will have to move your new rule up the list to third place. Do this using the "Move" arrows, to the right of the defined restrictions.
Next go to Networking>Shorewall Firewall>Firewall Rules>Manually Edit File, and paste the following rule:
Next run the following command on the server console or putty.
sudo pico /etc/shorewall/rules
Add the following line above the line which says "END OF FILE" Also make sure that ther spaces between each of the parameters is a tab space.
#squid transparent proxy redirect
REDIRECT loc 3128 tcp www -
Now restart ShoreWall by running this command
sudo shorewall restart
Installing SARG
What is SARG? SARG stands for Squid Analysis Report Generator. When all users browse via your server and Squid does all the proxying for them Squid will generate logs. SARG is simply a nice way to look at them. SARG is used to generate HTML reports from Squid logs. This is very easy to install and use. Run the following command to install SARG.
sudo apt-get install sarg -y
Refresh the modules in Webmin and you should see SARG under the Servers category. If not go to un-used modules and click on SARG. If you see a message about an incorrect module configuration change the SARG configuration to /etc/sarg/sarg.conf and save it. Then log out and log in back to Webmin. Enjoy SARG.
Installing the DHCP Server
Run the following command to install DHCP server.
sudo apt-get install isc-dhcp-server -y
The DHCP Server will fail when attempted to start. This is normal and expected since the server is not configured.
Then in Webmin go to unused modules and click DHCP Server. Make tho following changes.
DHCP Server Config File = /etc/dhcp/dhcpd.conf
DHCP Server Executable = /usr/sbin/dhcpd
Command to start DHCP server = /etc/init.d/isc-dhcp-server start
Command to apply configuration = /etc/init.d/isc-dhcp-server restart
Command to stop DHCP server = /etc/init.d/isc-dhcp-server stop
Path to DHCP server PID file = /var/run/dhcp-server/dhcpd.pid
Click save.
This DHCP Server has all the options of a normal DHCP server including MAC address binding. Look in to these possibilities under hosts and host groups. Let's configure the DHCP server before we could start it. Go to Webmin and go to the DHCP server configuration. Then click on add a new subnet under subnets and shared networks.Make the following changes.
Network Address = 192.168.2.0
Address Ranges = 192.168.2.10 - 192.168.2.250
Netmask = 255.255.255.0
Click Save. Click on Edit Clien Options on the mail DHCP configuration page. Make the following changes.
Subnet Mask = 255.255.255.0
Domain Name = <A_Name_For_Your_Domain>
Default Routers = 192.168.2.1
DNS Servers = 192.168.2.1
Click on Save. Now on the main DHCP configuration page click on Start Server. Your DHCP server is up and running!!!
Installing DNS
First install the DNS server.
sudo apt-get install bind9 -y
Go to the Webmin page for BIND DNS Server (typically under the servers category) and click on Forwarding and Transfers. Under IP Address enter 208.67.222.222 for the first entry and 208.67.220.220 fr the second entry. Leave everything else on their default values. Click Save. One on the main BIND DNS Server page click Stop Bind, then Start Bind. This completes the DNS server setup.
Next we need to install the necessary components for the TorrentFlux-b4rt server, which will be MySQL, Apache and PHP. We will do this in one single step. Run the following command in either the server's console or in Putty.
sudo tasksel
You should see the following screen.
Highlight the LAMP Server via your arrow keys and press the space bar to select it. Then Press the tab key to highlight OK and hit enter. Tasksel will start downloading the necessary files and commence installation. You will be prompted for the MySQL root's password.
Type a new password for the MySQL root account and hit enter. Please note that this is not the password for the server's root password! once you hit enter you will be prompted with another windows to retype the password. Retype the password and hit enter.
The installation will resume and complete. Once completed it will return you to the command prompt.
TorrentFlux-b4rt Installation
To get the full functionality of TorrentFlux-b4rt we will have to install a few additional software. Run the following command to install the dependencies.
sudo apt-get install unrar-free unzip cksfv vlc uudeview -y
You can download TorrentFlux-b4rt from
here. Once the download completes, On Webmin go to "Others > Uploads and Downloads". Click on the "Upload to server" tab. Browse to the file you downloaded. "On File or Directory to upload to" select your home folder (usually this is under /home/<user_name>. Under "Extract archive or compressed files?" select "Yes, then delete". Finally click on Upload and wait for the upload to complete. Still in Webmin go to Others > File Manager. Navigate to your home folder and select the TorrentFlux-b4rt extracted folder. Click Copy on the file browser's tool bar. Then navigate to /var/www and click paste on the file manager's tool bar.
While the folder is still selected click on Info on the tool bar. Under Permissions click all three Read, Write and List check boxes. Then under the "apply changes to" drop down select "This folder and all sub folders". Finally click Save.
TorrentFlux will also need a writable directory to store downloads. On the Webmin file manager go to /usr/local and create a new directory and name it as torrentflux. Now go the info of the folder and under Ownership type www-data in to the user and group fields. Then check all check boxes for read, write and list. Also make sure to change the "Apply changes to" drop down to "This folder and all sub folders". Click Save.
Now navigate to Servers > Apache Web Server. Under Existing Virtual Hosts click on the Virtual Server. Under Virtual Server Details click on the box next to "Document Root" and navigate to /var/www/<torrentflux-b4rt_directory>/html and click OK. Then Click Save. Finally restart Apache by clicking Stop Apache and then Start Apache.
Now comes the final setup portion for TorrentFlux-b4rt! Point a web browser on the LAN to your server's IP address, in this case 192.168.2.1. And you should receive the TorrentFlux-b4rt setup page.
Click Continue on the first page and on the second page. The third page is to select the database type. Please make sure you select MySQL ad click Continue. The 4th page will confirm that our PHP setup is compatible with MySQL. Click Continue again. The next page will ask for the connection parameters to connect to the MySQL server. Make the following changes and click Continue.
Host = localhost
Name = torrentfluxb4rt
Username = root
Password = <MySQL root's password>
Check the Create Database check box.
Click Continue.
You should receive a green OK! Click Continue on the next two pages. On the Database - Config File page click Continue.Click Continue again on the Database - Create Tables page. Click Continue on the Database - Insert Data Into Database page. Click Continue on the Server Configuration page and the torrentflux-b4rt 1.0-beta2 - Setup page. Click Continue until you reach the "Installation End page. The final page will direct you to the actual TorrentFlux-b4rt site we just setup! Voila!!! Note that the initial log in will be treated as the administrator log in. So be careful and enter a new admin user name and a new password for the admin user.
You will notice on the initial page there is Red "path is not valid" error under "transmissioncli". Let's rectify it. Again this calls for a few prerequisites to be installed prior to going ahead.
sudo apt-get install gcc pkg-config libssl-dev make -y
Download the transmission client from
here. once you download it upload it to the server via Webmin's file upload page and extract it in the same process used earlier in this tutorial. Then navigate to /var/www/<torrentflux-b4rt_directory>/clients/transmission. Copy the Transmission-1.06_tfCLI-svn3356.tar.bz2 to your home folder. Untar it using this command.
tar -jxvf Transmission-1.06_tfCLI-svn3356.tar.bz2
Now copy /home/<user_name>/Transmission-1.06_tfCLI-svn3356/cli/transmissioncli.c to /home/<user_name>/transmission-1.06/cli
Now enter the following commands on a terminal.
sudo su
cd transmission-1.06
./configure -q && make -s
make install
Once the building is complete click "Update Settings" on the TorrentFlux-b4rt page.
This completes the TorrentFlux-b4rt installation. Go through the settings and set it up according to your preferences.It's up to you to do the fine tuning on TorrentFlux-b4rt. You could add different users so that they could have individual TorrentFlux logins.
How to add a secondary hard disk for torrent downloads?
Run the following command
sudo lshw -C disk
note the name for your second hard disk (usually this will be under *-disk: 1) note the name next to logical name.
Now run this command.
sudo fdisk /dev/<name_of_the_second_disk>
Type "
n" (without quotes) and hit enter.
Type "
p" (without quotes) and hit enter.
Type "
1" (without quotes) and hit enter.
Press enter twice to accept the default start and end values for the number of cylinders.
Type "
w" (without quotes) and hit enter. This will also exit fdisk.
Now type...
sudo mkfs -t ext3 /dev/sdb1
okay the disk is ready! now we have to mount it in order to use it. Type the following commands.
sudo mkdir /media/sdb1
Now on Webmin go to System > Disk and Network Filesystems.
In the type drop down select Linux Native Filesystem (ext3) and click Add Mount. Then do the following changes on the page.
Mounted As = /media/sdb1
Save Mount? = Save and Mount at boot
Mount Now? = Don't mount
Linux Native File System = Select "Disk" and 'Device B partition 1 (Linux)" from the drop down.
Click Create
Reboot the server by entering the following command.
sudo reboot
Once the server restarts go to Webmin > Other > File Manager and navigate to /media/sab1. Create a directory and name it as downloads. Tick all read, write and list check boxes using the info dialog box. Click Save.
Now in TorrentFlux-b4rt log in as the admin user and click Admin > Server and change the "Transfer Parent Path" to /media/sdb1/download and click Update Settings. Now TorrentFlux will use this directory for downloads.
This completes this tutorial as well. Sit back and enjoy!!!
