How I installed a CentOS firewall & mail/web/file server

Background

I am too far from my local exchange to get ADSL broadband, but about a mile away, up the hill, the houses are just within ADSL range of their (different) exchange. So I've made friends with someone who lives up there, installed a Zyxel Prestige 660H ADSL router in their house, along with a wireless link using Senao bridges and 14dB flat panel antennae.

This works so well, some of my neighbours want to join in. As we would all be sharing a single 512Mb connection, I want to do as much as possible to reduce the amount of traffic that has to pass down the wire, and I also want to firewall my business network from the neighbours (who might not have as careful an attitude to security as I do).

Hardware

I bought a nice 1.5GHz Pentium box from Tranquil PC. It has a 250GB disk, and 3 Ethernet ports (one of which is Gigabit). It has no fans, and is almost completely silent (I can just about hear the hard disk running if I am within 1 metre of the box, on a quiet night).

Network

I have 4 networks in the 192.168 range. One is for the ADSL router and my neighbours. On the same physical network, but using a different address range, are the various wireless bridges. I then have two internal company networks, a Gigabit one to my main work machine, and another for all the other machines and printers.

I also registered a domain with 1 & 1 Internet just for this network.
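The separation described above (neighbours and the ADSL router on one interface, the two company networks on the others) is the job of the box's packet filter. The following is an added example and not the author's own firewall script: an iptables policy for that three-interface layout. The interface names eth0/eth1/eth2 and the assignment of services to them are assumptions; the page does not give them.

```shell
#!/bin/sh
# Added example (not the author's firewall script): a three-interface
# iptables policy for the layout above. Interface names are assumptions.
# Set IPT=echo to print the rules instead of loading them (dry run).
IPT="${IPT:-iptables}"

EXT_IF="eth0"    # shared LAN: ADSL router, wireless bridges, neighbours
WORK_IF="eth1"   # gigabit link to the main work machine
LAN_IF="eth2"    # the other work machines and printers

apply_firewall() {
    # Start clean and drop anything not explicitly allowed
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, and replies to connections the box or the work hosts opened
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The work interfaces may reach every service the box runs:
    # ssh, SMTP, DNS, web (incl. wpad.dat), POP/IMAP, Samba, Squid
    for ifc in "$WORK_IF" "$LAN_IF"; do
        $IPT -A INPUT -i "$ifc" -p icmp -j ACCEPT
        $IPT -A INPUT -i "$ifc" -p tcp -m multiport --dports 22,25,53,80,110,139,143,445,3128 -j ACCEPT
        $IPT -A INPUT -i "$ifc" -p udp -m multiport --dports 53,67,137,138 -j ACCEPT
    done

    # The neighbour side gets DNS, DHCP, the web server (for wpad.dat) and
    # the proxy only: no ssh, no Samba, no mail
    $IPT -A INPUT -i "$EXT_IF" -p tcp -m multiport --dports 53,80,3128 -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -p udp -m multiport --dports 53,67 -j ACCEPT

    # Work hosts may talk to each other and go out through the ADSL router
    $IPT -A FORWARD -i "$WORK_IF" -o "$LAN_IF" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WORK_IF" -j ACCEPT
    $IPT -A FORWARD -i "$WORK_IF" -o "$EXT_IF" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -j ACCEPT

    # Nothing new from the neighbour side is forwarded into the work networks
    $IPT -A FORWARD -i "$EXT_IF" -o "$WORK_IF" -j DROP
    $IPT -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -j DROP

    # Hide the work networks behind the box's own address on the shared LAN,
    # so neighbours never see work-network addresses at all
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

# Only load the rules when invoked as "sh firewall.sh apply"
if [ "${1:-}" = "apply" ]; then
    sysctl -w net.ipv4.ip_forward=1
    apply_firewall
fi
```

Running it with IPT=echo prints the rule set for review before anything is loaded; the state-match rules mean the work hosts' outbound connections get their replies back, while a neighbour's machine cannot open anything towards eth1 or eth2.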

Software

I installed CentOS 4 Linux on it. Then I added Bill Shupp's Qmail Toaster to provide a complete email solution.

DNS

I have set up the BIND DNS server to provide 3 DNS views. Working out how to do this took a while. In the end, I subscribed to O'Reilly Network Safari Bookshelf, which lets you read most of their publications online, and I read "DNS & BIND Cookbook" by Cricket Liu. This helped a lot, and is far more informative than the BIND manual. Here are the config files.
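The author's own configuration files are not reproduced on the page. As an added example (not the author's config), here is a named.conf with the three views such a setup needs: one for the work networks, one for the neighbours, and one for everyone else. The address ranges, the domain example.org, the zone file names and the TSIG key are assumptions and placeholders. The shell wrapper only writes the file to a directory of your choice and syntax-checks it with named-checkconf when that tool is present.

```shell
#!/bin/sh
# Added example (not the author's configuration): a named.conf with three
# views. Address ranges, domain name, zone file names and the key secret are
# placeholders.
write_named_conf() {
    dir="$1"
    cat > "$dir/named.conf" <<'EOF'
// Assumed address ranges: replace with the real ones
acl "work"       { 192.168.10.0/24; 192.168.20.0/24; 127.0.0.1; };
acl "neighbours" { 192.168.0.0/24; };

// TSIG key shared with dhcpd, so that only dhcpd may push dynamic updates.
// Placeholder secret; generate a real one with
//   dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dhcp-update
key "dhcp-update" {
    algorithm hmac-md5;
    secret "AAAAAAAAAAAAAAAAAAAAAA==";
};

options {
    directory "/var/named";
    allow-query { any; };
};

// View 1: the work networks see the internal names and may use the box as
// a recursive resolver. dhcpd runs on this box, so its signed updates
// arrive from 127.0.0.1 and land in this view.
view "work" {
    match-clients { "work"; };
    recursion yes;
    zone "." { type hint; file "named.ca"; };
    zone "example.org" {
        type master;
        file "work/example.org.zone";
        allow-update { key "dhcp-update"; };
    };
    zone "10.168.192.in-addr.arpa" {
        type master;
        file "work/10.168.192.zone";
        allow-update { key "dhcp-update"; };
    };
};

// View 2: neighbours also get recursion, but only the public names.
view "neighbours" {
    match-clients { "neighbours"; };
    recursion yes;
    zone "." { type hint; file "named.ca"; };
    zone "example.org" { type master; file "neighbours/example.org.zone"; };
};

// View 3: everyone else gets authoritative answers only. Refusing
// recursion here keeps the box from being used as an open resolver.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.org" { type master; file "external/example.org.zone"; };
};
EOF
    # Syntax check when BIND's tools are installed
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$dir/named.conf"
    fi
}
```

Usage is `write_named_conf /etc` (or the chroot's etc directory if named runs chrooted). Views are matched in order by the client's source address, so the order of the view blocks matters: the catch-all "external" view must come last, and the dynamic updates are accepted in the "work" view only.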

Web server

I set up the Apache web server to serve pages for my domain name. I actually do a lot of web site development, so I set up a few virtual servers for testing different sites.

DHCP

I set up the DHCP server to provide DHCP addresses for all my networks. Fixed addresses are provided for most of the machines on the work networks. WPAD (Internet Explorer automatic proxy configuration information) is also provided, using a wpad.dat file on the web server. When it allocates a non-fixed address (for my work laptops, or for my neighbours), DHCP updates the work DNS zones. This means I can address any machine by name from within my work networks.
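The three pieces described in this section (fixed addresses, the WPAD option, and dynamic DNS updates signed with a key) look like this in an ISC dhcpd 3.x configuration. This is an added example, not the author's dhcpd.conf: the subnets, the MAC address, the host names, the domain example.org and the key secret are constructed placeholders, and the key must be the same one named.conf's key statement names.

```shell
#!/bin/sh
# Added example (not the author's dhcpd.conf): ISC dhcpd 3.x configuration
# with fixed and dynamic addresses, the WPAD URL and TSIG-signed dynamic
# DNS updates. All addresses, names and the secret are placeholders.
write_dhcpd_conf() {
    dir="$1"
    cat > "$dir/dhcpd.conf" <<'EOF'
authoritative;
ddns-update-style interim;
ddns-updates on;
ddns-domainname "example.org";
update-static-leases off;   # hosts with fixed-address are already in the zone file

# Option 252 is what Internet Explorer's automatic proxy discovery asks for;
# the wpad.dat itself is served by Apache on this box.
option wpad-url code 252 = text;
option wpad-url "http://proxy.example.org/wpad.dat";

# Same key name and secret as the key statement in named.conf
key dhcp-update {
    algorithm hmac-md5;
    secret AAAAAAAAAAAAAAAAAAAAAA==;
};
# Updates go to the name server on this box, which accepts them only when
# they are signed with the key
zone example.org. { primary 127.0.0.1; key dhcp-update; }
zone 10.168.192.in-addr.arpa. { primary 127.0.0.1; key dhcp-update; }

# Work networks: fixed addresses for the known machines, a small dynamic
# range for laptops (which then get registered in DNS by name)
subnet 192.168.10.0 netmask 255.255.255.0 {
    option routers 192.168.10.1;
    option domain-name-servers 192.168.10.1;
    option domain-name "example.org";
    range 192.168.10.100 192.168.10.120;
}
subnet 192.168.20.0 netmask 255.255.255.0 {
    option routers 192.168.20.1;
    option domain-name-servers 192.168.20.1;
    option domain-name "example.org";
}
host printer1 {
    hardware ethernet 00:00:5e:00:53:01;   # constructed MAC address
    fixed-address 192.168.10.10;
}

# Neighbours: dynamic addresses only, short leases, default route via the
# ADSL router, DNS via this box's address on the shared LAN
subnet 192.168.0.0 netmask 255.255.255.0 {
    option routers 192.168.0.1;
    option domain-name-servers 192.168.0.2;
    range 192.168.0.100 192.168.0.200;
    default-lease-time 3600;
    max-lease-time 7200;
}
EOF
}
```

Usage is `write_dhcpd_conf /etc`. The point of the key is that the zone accepts updates from nobody else: a neighbour's machine cannot register or overwrite a name in the work zone, since it has neither the secret nor a source address that reaches the updatable view.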

Web proxy

I set up the Squid web proxy to provide proxy services for all the internal networks.

File server

I set up Samba to provide a large backup directory for all my Windows machines on the work networks only. For the main machine, connected via Gigabit Ethernet, this provides a very fast backup disk. I use Acronis to make backup images. I also use Unison, run from the Windows scheduler, to keep additional backups of important files.

Mail server

Bill's qmail toaster talked me through installing qmail (an improved mail server), vpopmail (makes it easy to handle mail for more than one domain), courier-imap (IMAP and POP servers), SquirrelMail (webmail), SpamAssassin (anti-spam), Clam anti-virus, and a few other bits and pieces to glue it together. I also use fetchmail to collect my trumphurst.com email from SpamCop and feed it into the system. SpamCop does detect and trash about 2000 spam emails sent to my trumphurst.com addresses each day, but it still lets through a hundred or so. My plan is to use the Bayesian filters in SpamAssassin to get rid of these.

I've installed the spam_buttons plugin for SquirrelMail, which provides "Spam" and "Not Spam" buttons to forward mail to a couple of extra addresses at my domain - I have set up a cron job to run these through the Bayesian filter training program.
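The cron job mentioned above is the kind of thing sa-learn is for. The following is an added example, not the author's script: it feeds the two mailboxes the buttons forward to into SpamAssassin's Bayes database and then deletes the training copies so nothing is learned twice. The vpopmail path, the domain example.org and the mailbox names spam and notspam are assumptions.

```shell
#!/bin/sh
# Added example (not the author's cron job): train SpamAssassin's Bayes
# database from the two mailboxes the "Spam" / "Not Spam" buttons forward
# to, then delete the training copies. Paths, domain and mailbox names are
# assumptions for a vpopmail-based toaster.
SA_LEARN="${SA_LEARN:-sa-learn}"
VPOP_DOMAINS="${VPOP_DOMAINS:-/home/vpopmail/domains}"
DOMAIN="example.org"     # placeholder for the registered domain
SPAM_USER="spam"         # address the "Spam" button forwards to
HAM_USER="notspam"       # address the "Not Spam" button forwards to

# List every delivered message in a Maildir (new/ and cur/; tmp/ is skipped
# because a delivery may still be in progress there)
maildir_messages() {
    find "$1/new" "$1/cur" -type f 2>/dev/null
}

# train_from spam|ham MAILDIR: feed the mailbox to sa-learn, remove the
# consumed copies so they are never counted twice, print how many were used
train_from() {
    kind="$1"; md="$2"
    count=$(maildir_messages "$md" | wc -l | tr -d ' ')
    if [ "$count" -gt 0 ]; then
        # --no-sync defers the costly database sync until the final --sync
        $SA_LEARN --"$kind" --no-sync "$md/new" "$md/cur" >/dev/null
        maildir_messages "$md" | xargs rm -f
    fi
    echo "$count"
}

# Run from cron as the same user spamd scans mail as (e.g. vpopmail):
#   0 * * * * /usr/local/bin/sa-train.sh run
if [ "${1:-}" = "run" ]; then
    spam_n=$(train_from spam "$VPOP_DOMAINS/$DOMAIN/$SPAM_USER/Maildir")
    ham_n=$(train_from ham "$VPOP_DOMAINS/$DOMAIN/$HAM_USER/Maildir")
    $SA_LEARN --sync >/dev/null
    echo "Bayes training: $spam_n spam, $ham_n ham"
fi
```

Two things matter in practice: the job must run as the user whose Bayes database spamd consults at delivery time, otherwise the training lands in a database nobody reads; and Bayes only starts contributing to scores once it has seen a minimum number of both spam and ham messages (200 of each by default), so the "Not Spam" button needs using as much as the "Spam" one early on.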

LogWatch

CentOS comes with a program called LogWatch installed, which goes through the numerous log files generated daily by almost everything in Linux, and emails the root user with a summary of the important stuff. This works really well, except that the version of LogWatch installed with CentOS doesn't cope well with the multilog log file output favoured by qmail. Upgrading to the latest version from logwatch.org fixes this (and quite a few other minor inconveniences).

Webmin

I did toy with webmin, but I found it didn't work well with my virtual server setup in Apache, it didn't seem to understand the views I set up in BIND, and I generally felt it wasn't sufficiently flexible to cope with my requirements.