Messages - biyover

1
Installation and Upgrades / Add "unknown-clients deny" to dhcpd.conf
« on: September 27, 2013, 06:19:05 pm »
Hi,

I have clients connecting on two interfaces. One is for staff and the other for students. The staff have less restrictions and more bandwidth, while the students have strict rules and managed bandwidth.

To further secure the staff network, since now and again someone not on the "list" shows up, I have found that adding "unknown-clients deny" to the pool declaration in dhcpd.conf is of great help.

The question is how to add this permanently to the configuration. I have added other parameters to the dhcpd.conf.mas file, but these are global, and the declarations for the different networks are done by the Zentyal scripts when you save the configs.

Where or how can I add this?

I gather that a "hook script" could be the solution... something along the awk/sed way? Looking for the interface name and then the pool declaration?

Any ideas?

2
hi,

The options for zentyal-ltsp work very well. I use a slightly custom setup, but overall it works great.

The building of the image and serving are pretty straight forward and documented.

Users can modify things during the session, but they can't access the image (not in the way you are thinking, anyway), although they might be able to set preferences in their home folders. You might want to look into the "web kiosk" feature of LTSP. You can find more info @ ltsp.org and also https://help.ubuntu.com/community/UbuntuLTSP

Ideally, you want to group the clients in the network. Either on an exclusive segment or even physically. This is not strictly necessary, but it makes things like limiting web-access easier.

As far as websites go, I think your best bet is to use squid with a "whitelist" profile. Once you have your clients grouped (by nic, by net or subnet, etc) you get squid to apply the profile to that particular group. That should limit their access to only those domains you define in the whitelist.

I hope it's only a few domains, you don't want to be entering a long list of domains in the profile page!!!

3
Nope, latest updates revert to past error:

Code:
2013/09/25 14:57:47 INFO> Base.pm:229 EBox::Module::Base::save - Restarting service for module: firewall
2013/09/25 14:58:16 ERROR> Sudo.pm:233 EBox::Sudo::_rootError - root command set -e
/sbin/iptables -t nat -A premodules -p tcp -d hotmail.com --dport 80 -j ACCEPT
/sbin/iptables -t nat -A premodules -p tcp -d live.com --dport 80 -j ACCEPT
/sbin/iptables -t nat -A premodules -p tcp -d login.live.com --dport 80 -j ACCEPT
/sbin/iptables -t nat -A premodules -p tcp -d mail.live.com --dport 80 -j ACCEPT
/sbin/iptables -t nat -A premodules -i eth1 ! -d 192.168.10.250 -p tcp --dport 80 -j REDIRECT --to-ports 3128
/sbin/iptables -t nat -A premodules -i eth2 ! -d 192.168.123.250 -p tcp --dport 80 -j REDIRECT --to-ports 3128
/sbin/iptables -t filter -A imodules -m state --state NEW -i eth1 -p tcp --dport 3128 -j iaccept
/sbin/iptables -t filter -A imodules -m state --state NEW -i eth2 -p tcp --dport 3128 -j iaccept
/sbin/iptables -t filter -A imodules -m state --state NEW -p tcp --dport 3129 -j DROP
/sbin/iptables -t filter -A imodules -m state --state NEW -p tcp --dport 3130 -j DROP
/sbin/iptables -t filter -A omodules -m state --state NEW -p tcp --dport 80 -j oaccept
/sbin/iptables -t filter -A omodules -m state --state NEW -p tcp --dport 443 -j oaccept failed.
Error output: iptables v1.4.12: host/network `hotmail.com' not found
 Try `iptables -h' or 'iptables --help' for more information.

Command output: .
Exit value: 2
2013/09/25 14:58:16 ERROR> Iptables.pm:659 EBox::Iptables::__ANON__ - Error executing firewall rules for module squid
2013/09/25 14:58:16 INFO> Base.pm:229 EBox::Module::Base::save - Restarting service for module: trafficshaping
2013/09/25 14:58:22 WARN> GlobalImpl.pm:685 EBox::GlobalImpl::saveAllModules - Changes saved with some warnings:
Firewall failed to add rules for the following modules: squid. Probably this is caused by a lack of connectivity, check your configuration or disable those modules

I tried, again, the fix described here:

http://forum.zentyal.org/index.php/topic,16870.msg67270.html#msg67270

But I get:

Code:
2013/09/25 22:57:24 ERROR> Service.pm:954 EBox::Module::Service::__ANON__ - Error restarting service: Can't locate object method "STANDALONE_MODE" via package "EBox::UsersAndGroups" at /usr/share/perl5/EBox/Squid.pm line 1314.
Again.

I don't understand. Why would the latest updates NOT include what already seems to have been fixed in the source, or is this new?

All I can say is that my clients have lost connectivity to the internet since squid rules don't get added.

Any ideas? Anyone experience something similar?

4
Err, but it was not solved. I found a workaround.

5
Well, far from solved, but I managed to get what I wanted.

Since my AP/router offered multiple SSIDs, AND offered to split the ports from WAN and LAN, I did just that.

Bridged one SSID and a port to the "open" network and plugged it into a NIC on Zentyal, and bridged the other SSID to the switch and plugged that into the "closed" network. Now I have distinct and separate networks for staff and students!!!

I agree that using MACs as a security feature is weak to say the least, but in a small school where I don't expect any hardcore wardriving, it's a starting point.

For now, "unsecure" clients are limited to the guest network, while known clients have got the WPA2 password that changes regularly AND have MACs registered in Zentyal.

6
Ok. Thanks for the info, but I was aware of all of this.

What I am trying to get/do is implement it. In Zentyal 2 it can be done from the GUI, but in v3 it seems that you have to modify the dhcpd configs (and use the .mas file or the pre-up hooks).

I know there are 2 and 4 port NICs that you can put in, but I don't exactly have one lying around or the budget to invest at the moment, although it would seem that it makes things much easier/simpler if you do!

I just did a trial config and it seemed to go ok, but no routing :( AND zentyal, for some reason, restarted the dhcpd at some point and rewrote the configs.

I might add that my query began with the fact that I upgraded an AP that offered multiple SSIDs, and so I decided to segregate clients and so looked into subnets, and so forth...

7
Quote
Nevertheless I still don't understand how devices being directly connected to same physical network could distinguish between the two different ranges

Because it's not the devices that detect the network or settings, it's the server that "answers" and gives details to them depending on the settings you have in the configuration.

This is one of the examples that I have found that is quite clear: http://takbud.blogspot.com/2011/05/howto-dhcpd-with-multiple-subnets-on.html
although it does not go into the details of getting the subnet routed...

8
Quote
Just for the sake of elaboration on the issue:
Maybe I am missing something, but if you have 2 subnets on the same physical adapter (1 on the adapter and 1 virtual) wouldn't you get VERY strange behaviour if you put 2 DHCP servers, distributing IP addresses of different subnets, on that same adapter?

I don't want to run two servers, just get the current one to hand out a different subnet. As described by Escorpion, Zentyal 2.0 already does this on virtual interfaces, so clearly it can be done and has been done and it works.

I have already found a setup like the one I am looking for and overall it's quite simple. ONE dhcp server hands out addresses for THREE subnets. Two have particular rules that match clients based on MAC or are directly registered in the dhcp.conf file (like setting a fixed address in the zentyal config and network objects). These subnets also DENY unknown clients, so that only AND only the ones that match or are registered receive an address for that subnet.
The remaining subnet declaration handles all other possible clients, thus isolating them and offering simple connectivity to the internet.

It looks like I might look into downgrading back to zentyal 2 if it's easier to implement there. I will persist, though, by trying to configure dhcp.conf first.

9
Hi...

No, what I meant is if I enter a different subnet in my dhcpd.conf file, who does the routing for that subnet?

Do I create a virtual interface in Zentyal and that "works" as the router? Or do I have to fiddle with iptables to do NAT from the subnet to a "real" interface in Zentyal???

Basically this is what I'm dealing with. I still haven't had time to do real testing though.

Thanks.

10
OK. I understand, but maybe it's the underlying setup in zentyal 2.2 that "works it out". no?

Anyway, if I did modify my dhcp.config, I would still need to create a virtual interface to handle the connections and routing, right? It's not possible to set a router on a different subnet (ie, network is 10.x.x.x and router is set to 192.168.x.x)???

I'll be doing some testing on Monday to find out how it can be done, but it means setting up something semi-permanent in the dhcp.config.mas file...

11
I found a ticket for feature requests that asks for this to be reinstated. It seems that there were some "troubles" with the DHCP server and virtual interfaces, but there aren't any details.

Would it be possible to see what the dhcp.config looks like when you have dhcp running on a virtual interface?

I have found examples of dhcp.configs that don't rely on a virtual interface, or don't seem to have one configured, they just assign addresses on a different network (ie, 10.x.x.x and 192.168.x.x, etc)

My other question is: I see that when details for the network are sent, they include the DNS server and router pointing at the DHCP server. For instance, my main network is 192.168.10.0/24 and I set the server as a router and DNS server on 192.168.10.1.
When I create a new pool on 10.10.10.0/24 and the server is 10.10.10.1... I don't understand how the new address handles routing and dns requests. Clearly there has to be a dns server running on that interface and/or address, but what about routing? Does the routing table just handle this? Since I haven't tried it yet I don't know, maybe it just works :)

Thanks for the input.

12
Really? Because that's what I first looked for and didn't find a way of doing it.

After I set the virtual interface (Network->Interfaces->Add Virtual IP) I looked in DHCP... but when I tried to set a range with the appropriate subnet (different to the "real" ip of the interface), zentyal won't allow it. And the virtual interface does not show up as an option to run dhcp on it.

Do you have a setup like this? If you do, I'm very interested in knowing how you achieved this. I know you can do it in the configs, and I'm currently reading up on dhcp.config to set it up, but it would be leaps better if I could set it up directly from the web GUI.

13
Hi:

I'm trying to configure an "open" wifi network in a school. As I have read in numerous places, the best practice is to isolate the network and just offer basic connectivity.

I have an AP that can broadcast separate SSIDs, one private and one public. I thought I would create a virtual interface in Zentyal and route all this traffic through there, into the proxy and then out into the internet.

My big hiccup is that there is no straightforward way to use DHCP on a virtual interface in Zentyal (and it seems that in version 2 there was. ???)

I tried to directly edit the dhcp.config but didn't succeed in getting a functional connection.

Has anyone attempted something like this or has set up something similar? Any feedback is most welcome.

14
Today there was an update to zentyal-squid...

I decided to install it and it seems that either it fixed the problem, or installing it "reloaded" the modules... I couldn't say, but the problem was solved.

Again, thanks for your help.

15
 :o
Err...

This is what I mean:

Code:
Trace
Can't locate object method "STANDALONE_MODE" via package "EBox::UsersAndGroups" at /usr/share/perl5/EBox/Squid.pm line 1311.
