The firewall can use IPTables to forward packets between the Internet and the internal network. IPTables is the user-space interface for configuring the netfilter firewall built into the Linux kernel. We'll also use IPTables to forward SSH requests aimed at the firewall on to the head node, making the firewall transparent. (Users of the cluster should interact with the head node, not the firewall.)
For my example (see Network Topology), this means that users will see something like the following. They specify the address of my firewall, eyrie, but then are deposited onto gyrfalcon, my head node. 
kwanous@cassowary:~$ ssh's password:

Linux gyrfalcon 2.6.18-4-486 #1 Wed May 9 22:23:40 UTC 2007 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Most newer versions of Debian (etch, sid, lenny) come with iptables installed. However, to make sure the latest version of iptables is installed, run:

apt-get install iptables

Configuring IPTables

IPTables is generally configured from the command line; its rules aren't read from a file. To make changes that "stick" after a reboot, a shell script run at startup can enter all the configuration commands. We've already created a script for you - IPTables Script. Download this, save it as local, place it in /etc/init.d/, then make it executable (chmod +x local). Next the file needs to be symlinked to a place where it will be run as the firewall boots. Debian stores the scripts run at boot in /etc/rc*.d, where * is the runlevel: 0, 1, 2, 3, 4, 5, 6, or S. In Debian, runlevel 2 is the normal runlevel, and /etc/rcS.d holds the scripts that are run regardless of runlevel. Within a given runlevel directory, the scripts run in order from the lowest to the highest number. Symlinks whose names start with S are executed with the argument start; those starting with K (for kill) are executed with stop.
To avoid a window during boot in which networking is up but no rules are loaded, the local script needs to run before the networking script. Networking is S40networking, so S39 will do. Symlink the file with
ln -s /etc/init.d/local /etc/rcS.d/S39local
or to /etc/rc2.d/S39local if you prefer. 

Source Network Address Translation (SNAT)

The first iptables command does the SNAT - translating packets generated by computers on the internal interface so they can go out to the Internet. Any machine on the Internet seeing packets from the cluster will see them as coming from the firewall, and will respond to the firewall. Rather than accepting the replies itself, the firewall then forwards them to the inside of the network. 
iptables -t nat -A POSTROUTING -d ! ${LOCALNET} -j SNAT --to ${EXTERNIP}
  • -t nat puts this rule in the nat table, the table used for network address translation (NAT), aka IP masquerading
  • -A POSTROUTING appends the rule to the POSTROUTING chain, which is processed after the routing decision, just before a packet leaves the firewall
  • -d ! ${LOCALNET} matches any packet destined for an IP not within ${LOCALNET} (newer iptables versions require the negation before the option: ! -d ${LOCALNET})
  • -j SNAT means to jump to the SNAT target
  • --to ${EXTERNIP} specifies that any packets leaving will take the source IP ${EXTERNIP}
All together in English, this rule says to take any packets not destined for the internal network and send them out to their destination on the outside network after changing the source IP address to the firewall's IP.

Destination Network Address Translation (DNAT)

This rule does just the opposite. It takes SSH packets coming in from the Internet and sends them along to the head node. 
iptables -t nat -A PREROUTING --dst ${EXTERNIP} -p tcp --dport 22 -j DNAT --to-destination ${SSHHOST}
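Putting the two NAT rules together with the filter rules they rely on, the script below is an added example of an /etc/init.d/local-style script; it is not the page's own IPTables Script. The network values (192.168.1.0/24, 203.0.113.10, 192.168.1.2, eth0, eth1) are constructed placeholders that can be overridden from the environment, and DRYRUN=1 prints the rules instead of applying them so the rule set can be reviewed without root before the rcS.d symlink makes it run at boot.

```shell
#!/bin/sh
# Added example, not the page's own "IPTables Script": an /etc/init.d/local
# style script applying the SNAT and DNAT rules explained above plus the
# filter rules they depend on. Addresses and interfaces are constructed
# placeholders; override them from the environment.
LOCALNET="${LOCALNET:-192.168.1.0/24}"   # internal cluster network (assumed)
EXTERNIP="${EXTERNIP:-203.0.113.10}"     # firewall's public IP (assumed, TEST-NET-3)
SSHHOST="${SSHHOST:-192.168.1.2}"        # head node receiving forwarded SSH (assumed)
EXTIF="${EXTIF:-eth0}"                   # Internet-facing interface (assumed)
INTIF="${INTIF:-eth1}"                   # cluster-facing interface (assumed)

# With DRYRUN=1 every rule is printed instead of applied, so the rule set can
# be reviewed (or compared with iptables-save output) without root.
ipt() {
    if [ "${DRYRUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

set_forwarding() {
    if [ "${DRYRUN:-0}" = "1" ]; then
        printf 'echo %s > /proc/sys/net/ipv4/ip_forward\n' "$1"
    else
        echo "$1" > /proc/sys/net/ipv4/ip_forward
    fi
}

fw_start() {
    # Forwarding stays off until the rules are in place: the same concern
    # that makes the page run this script before S40networking.
    set_forwarding 0
    ipt -F
    ipt -t nat -F
    # Default deny for traffic to and through the firewall.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$INTIF" -s "$LOCALNET" -j ACCEPT
    # Cluster hosts may reach the Internet; replies are allowed back in.
    ipt -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LOCALNET" -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The only new connections forwarded from outside: SSH to the head node
    # (matched after DNAT has already rewritten the destination).
    ipt -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$SSHHOST" --dport 22 \
        -m state --state NEW -j ACCEPT
    # SNAT, as on the page; modern iptables wants the "!" before -d.
    ipt -t nat -A POSTROUTING ! -d "$LOCALNET" -o "$EXTIF" -j SNAT --to "$EXTERNIP"
    # DNAT, as on the page: SSH aimed at the firewall lands on the head node.
    ipt -t nat -A PREROUTING -d "$EXTERNIP" -p tcp --dport 22 \
        -j DNAT --to-destination "$SSHHOST"
    set_forwarding 1
}

fw_stop() {
    # What a K-link runs: stop forwarding, then fall back to an open filter.
    set_forwarding 0
    ipt -t nat -F
    ipt -F
    ipt -P INPUT ACCEPT
    ipt -P FORWARD ACCEPT
}

# Dispatch on the argument the rcS.d/rc2.d symlink passes (start or stop).
case "${1:-}" in
    start) fw_start ;;
    stop)  fw_stop ;;
esac
```

Run it as sh local start, or DRYRUN=1 sh local start to print the rules. The FORWARD chain's default is DROP, so the only new connection admitted from the outside is the DNATed SSH session to the head node, and forwarding is switched on only after every rule is loaded.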
Created by d'za

ClarkConnect is a powerful and affordable Internet server and gateway solution. The software solution will give your organization enterprise-level server features at an affordable price.
The significant changes are:

* features are in better working order
* the developer environment is available
* the kernel is up-to-date (notably, IMQ bandwidth QoS is integrated).


Created by d'za

Iptables is a powerful administration tool for IPv4 packet filtering and NAT. It is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Iptables commands can be entered by command line interface, and/or saved as a Firewall script in the dd-wrt Administration panel. I tend to recommend testing and confirming your rules at the command line first. This way, if you happen to make a big mistake (like blocking access to the router), simply rebooting the router should repair it rather than having to do a hard reset. To get your rules to survive a reboot of the router, save them in a Firewall script as mentioned earlier.

Basic Usage
iptables -[AD] chain rule-specification [options]
iptables -[RI] chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LFZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)


--append -A chain     Append to chain
--delete  -D chain     Delete matching rule from chain
--delete  -D chain rulenum
                              Delete rule rulenum (1 = first) from chain
--insert  -I chain [rulenum]
                              Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
                              Replace rule rulenum (1 = first) in chain
--list      -L [chain]    List the rules in a chain or all chains
--flush   -F [chain]    Delete all rules in  chain or all chains
--zero    -Z [chain]   Zero counters in chain or all chains
--new    -N chain      Create a new user-defined chain
             -X [chain]   Delete a user-defined chain
--policy  -P chain target
                              Change policy on chain to target
             -E old-chain new-chain
                              Change chain name, (moving any references)


--proto    -p [!] proto
                              protocol: by number or name, eg. `tcp'
--source  -s [!] address[/mask]
                              source specification
--destination  -d [!] address[/mask]
                              destination specification
--sport [!] port[:endport]
                              source port (use `:' when specifying range)
--dport [!] port[:endport]
                              destination port
--in-interface  -i [!] input name[+]
                              network interface name ([+] for wildcard)
--jump    -j target
                              target for rule (may load target extension)
--match  -m match
                              extended match (may load extension)
--state state
                              connection states to match: 
                                   INVALID NEW ESTABLISHED RELATED
--tcp-flags [!] mask 
                              match when the TCP flags are as specified:
                                   SYN ACK FIN RST URG PSH ALL NONE
--numeric    -n         numeric output of addresses and ports
--out-interface -o [!] output name[+]
                              network interface name ([+] for wildcard)
--table        -t table  table to manipulate (default: `filter')
--verbose   -v          verbose mode
--line-numbers         print line numbers when listing
--exact       -x          expand numbers (display exact values)
--fragment  -f          match second or further fragments only
--modprobe=     try to insert modules using this command
--set-counters PKTS BYTES    set the counter during insert/append
--version    -V          print package version

MAC v1.3.7 options:
 --mac-source [!] XX:XX:XX:XX:XX:XX
                              Match source MAC address 
Created by d'za 




Securing Apache has been the subject of many books and tutorials and will continue to be, as security is an ever-changing field. By no means is this short page meant to be exhaustive. The steps below are basic recommendations for beginning to protect a web server; much more strenuous measures are needed to truly secure one. Please use the information below as a starting place only. If you haven't yet set up the web server, you may want to look at that first. 
# Configuring Apache
* Tweaking Defaults

One of the first things to do after installing Apache is to configure where it will serve files from, and to limit the options that people accessing the web server have. This is done by editing /etc/apache2/sites-available/default. Look for this section:

        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>

This section controls how Apache treats the root directory of the file system (and, by inheritance, all the files within the file system). This is somewhat secure, but a more secure configuration is better. Change the section to read like this:

        <Directory />
                Order Deny,Allow
                Deny from all
                Options None
                AllowOverride None
        </Directory>

This tells Apache not to serve any files at all from the file system, and also to allow no special options (such as symlinking, includes, or cgi scripts), and not to allow this to be overridden by .htaccess files in the directories. This is used to protect files that Apache shouldn't have access to. However, since we do want Apache to access files from within the /var/www directory, we need to edit the section below it to look like this:

        <Directory /var/www/>
                Options FollowSymLinks MultiViews
                Order allow,deny
                Allow from all
        </Directory>

The allow from all is what allows Apache to serve pages from within /var/www. Also, removing Indexes means that web users will not be able to see the contents of web directories. You'll need to restart Apache in order for this to take effect. Restart Apache with apache2ctl restart. 

* Hiding Server Version

If you open up a web browser and visit, you'll see an error page like the one shown below. That gives away an awful lot of information to someone interested in attacking the system! To obfuscate this information, open /etc/apache2/apache2.conf. Look for the line

ServerTokens Full

and change it to
ServerTokens Prod
You'll need to restart Apache in order for this to take effect. Restart Apache with apache2ctl restart. Afterward, server error pages should look something more like this:
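The settings changed above (the root <Directory /> block, Indexes, ServerTokens) are easy to regress when a package upgrade or a new virtual host rewrites the config. The shell script below is an added example, not part of the original page: it audits a config file for the three weak settings this section replaces and, when run without arguments, checks itself against two constructed sample files representing the "before" and "after" states.

```shell
#!/bin/sh
# Added example (not from the page): audit an Apache 2.2 style config for the
# weak settings the section above replaces. Sample configs are constructed.

# Exit 0 if the <Directory /> block contains "Deny from all", else 1.
root_dir_denies_all() {
    awk '
        tolower($0) ~ /^[[:space:]]*<directory[[:space:]]+\/>/ { inroot = 1; next }
        inroot && tolower($0) ~ /^[[:space:]]*<\/directory>/ { inroot = 0 }
        inroot && tolower($0) ~ /^[[:space:]]*deny[[:space:]]+from[[:space:]]+all([[:space:]]|$)/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Print one finding per line; return 1 if anything was found.
audit_apache_conf() {
    conf="$1"; rc=0
    # Apache 2.2 defaults to ServerTokens Full when the directive is absent.
    if ! grep -Eiq '^[[:space:]]*ServerTokens[[:space:]]+Prod(uctOnly)?([[:space:]]|$)' "$conf"; then
        echo "ServerTokens is not Prod: server version is disclosed"; rc=1
    fi
    # Indexes anywhere in an Options line exposes directory listings.
    if grep -Eiq '^[[:space:]]*Options([[:space:]]+[^[:space:]#]+)*[[:space:]]+[+]?Indexes([[:space:]]|$)' "$conf"; then
        echo "Options Indexes is enabled: directory listings are exposed"; rc=1
    fi
    if ! root_dir_denies_all "$conf"; then
        echo "<Directory /> does not contain 'Deny from all'"; rc=1
    fi
    return $rc
}

# Constructed sample: Debian etch style defaults before hardening.
write_weak_sample() {
    cat > "$1" <<'EOF'
ServerTokens Full
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    Order allow,deny
    Allow from all
</Directory>
EOF
}

# Constructed sample: the same file after the changes described above.
write_hardened_sample() {
    cat > "$1" <<'EOF'
ServerTokens Prod
<Directory />
    Order Deny,Allow
    Deny from all
    Options None
    AllowOverride None
</Directory>
<Directory /var/www/>
    Options FollowSymLinks MultiViews
    Order allow,deny
    Allow from all
</Directory>
EOF
}

demo() {
    weak=$(mktemp); hard=$(mktemp)
    write_weak_sample "$weak"; write_hardened_sample "$hard"
    echo "== before hardening =="; audit_apache_conf "$weak" || true
    echo "== after hardening ==";  audit_apache_conf "$hard" && echo "no findings"
    rm -f "$weak" "$hard"
}

# With file arguments, audit those; otherwise run the built-in demo.
if [ $# -eq 0 ]; then
    demo
else
    for f in "$@"; do echo "== $f =="; audit_apache_conf "$f" || true; done
fi
```

Usage: sh apache-audit.sh /etc/apache2/apache2.conf /etc/apache2/sites-available/default. The ServerTokens check is in apache2.conf and the Directory blocks in the site file, so pass both; a missing ServerTokens line is reported as a finding because Apache's default is Full.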
# Installing Mod_Security
* Getting all the Pieces
The security module, or mod_security, is an Apache module that can be installed for closer monitoring of HTTP requests and responses as well as easy denial of packets that look suspicious. Unfortunately, due to licensing differences, mod_security is not available through the Debian repository, and so it can't be apt-gotten. Still, the module isn't terribly difficult to install. Before obtaining the source code, there are a few other parts that can be installed through apt. These are libxml2-dev and apache2-prefork-dev. To install these, run

apt-get install libxml2-dev apache2-prefork-dev

To get the source code for mod_security, you must first create a user account with Breach Security, the developers of mod_security. After logging in, navigate to Downloads and then modsecurity-apache/. Find the latest version of modsecurity-apache...tar.gz and right-click it to copy the download location. From where you keep your source code, run

wget --no-check-certificate

Untar the file with tar xvzf and then cd into the new directory. From there, cd into apache2. Mod_security follows the typical source installation paradigm, so no surprises there. Run ./configure --help to see all available options. In most cases, none will be necessary. Go ahead and run ./configure (with any options) and then make. If it finishes without an error, it's safe to make install.

# Configuring Apache

Now that the files for mod_security have been installed, Apache needs to be told to use them. cd into /etc/apache2/mods-available. A new file needs to be created to tell Apache to load the mod_security module. Call this file modsecurity2.load and enter the following contents:

LoadFile /usr/lib/
LoadModule security2_module /usr/lib/apache2/modules/

Now move up one directory and then into mods-enabled (cd ../mods-enabled). Here, a symlink to the file needs to be created. This is done with

ln -s ../mods-available/modsecurity2.load

While we're here, mod_security also requires mod_unique_id to be running, so create a symlink to enable that one, too:

ln -s ../mods-available/unique_id.load

After this, it's time to restart Apache and make sure it loads the new file. Run apache2ctl restart and then look at the bottom of the Apache log with tail /var/log/apache2/error.log. You should see something like this:

[Sun Apr 06 18:54:25 2008] [notice] ModSecurity for Apache/2.5.2 ( configured.

If you don't, or you see any errors, double check the above and make sure you're error-free before continuing.

Created by d'za

At first I was still hesitant to post this article, but since there is also a school assignment related to it, I decided to post it anyway. Hehehe. I wanted to connect a virtual machine to the outside network. I had already tried bridging and it didn't work. Now I'm experimenting again, but with a router. I turned this laptop (Windows XP Pro) into a router connected to two virtual networks in VMware.
One network has Windows Server 2003 Standard Edition with IP connected to gateway (VMware Network Adapter).
The other network has Debian Linux (Etch) with IP connected to gateway . After all the settings were done, complete with the routing table, I connected the laptop to the LAN at RPL with IP and gateway
Seen in tcpdump: ping from Debian

kresna:/home/fitrah# tcpdump -nt
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
arp who-has tell
arp reply is-at 00:50:56:c0:00:02
IP > ICMP echo request, id 9507, seq 1, length 64
IP > ICMP echo request, id 9507, seq 2, length 64
IP > ICMP echo request, id 9507, seq 3, length 64
IP > ICMP echo request, id 9507, seq 4, length 64
IP > ICMP echo request, id 9507, seq 5, length 64
IP > ICMP echo request, id 9507, seq 6, length 64

8 packets captured
8 packets received by filter
0 packets dropped by kernel

Turns out it doesn't work. So annoying!!!!
I don't yet know why the result is like this, because the windump I tried to run on this laptop wouldn't run, so I couldn't see the packets travelling between the laptop and But my assumption is this:
The ICMP packets sent from do reach, BUT because the gateway doesn't know about the network connected to my laptop, it can't reply to


My routing table, which is wrong

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\M. Fithrah Muttaqin>route print
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 50 56 c0 00 02 ...... VMware Virtual Ethernet Adapter for VMnet2
0x3 ...00 50 56 c0 00 01 ...... VMware Virtual Ethernet Adapter for VMnet1
0x10005 ...00 0f b0 d2 b7 d0 ...... Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
Active Routes:
Network Destination Netmask Gateway Interface Metric 20 20 20 20 20 20 <— 20 20 20 20 1 30 20 20 20 1 1 1 Default Gateway: =========================================================================== 
Persistent Routes: None

But that's OK, there is another way, even if I haven't thought of it yet. At least there is material for a post on this blog. Here is how to make Windows into a PC router.

By default, Windows does not forward IP packets, so it cannot route between networks. We can, however, turn Windows into a PC router with a small change to the Windows registry. Before I forget: on Windows 2000/NT there is no need to edit the registry, because there is already an option to enable IP forwarding. If I'm not mistaken, it is in the network adapter's Properties (Local Area Connection Properties), on the Advanced tab, as an IP Forwarding checkbox.

To see what changes in Windows before and after it becomes a router, first run ipconfig /all at the command prompt. Before becoming a router, "IP Routing Enabled" (in the Windows IP Configuration section) still reads "false". To make Windows a router, do the following:

1. Open the registry editor: Start -> Run -> type regedit

2. Find the following key:


3. Change the DWORD value IPEnableRouter to 1

4. Restart Windows

After that, run ipconfig /all at the command prompt again; if "IP Routing Enabled" now reads "yes", Windows can act as a router and we can build the routing table with the route command at the command prompt.

Created by d'za

Before reading this article, I recommend that you read my previous article first, because in it I explained the basic steps for installing squid; click here to read it. In principle squid needs routing to forward requests to the Internet, and that routing depends on the routing rules present on your Linux box. In this example, if we look at the existing routing table:

Destination Gateway Genmask Flags Metric Ref Use Iface 0 0 0 U 0 0 eth0 0 0 0 U 0 0 eth1
default UG 0 0 eth0

The default gateway is, so by default every packet squid picks up to forward to the Internet will use as its route to the Internet. What we want is this: when, for example, a request comes from a user with IP address whose gateway is (the IP address on eth1), going to the Internet on port 80 (http) and redirected to port 3128 (squid) with iptables TPROXY, squid binds to IP address, and once the routing is set up (see step 6) the request is forwarded to while still carrying the user's IP address (iptables TPROXY).
On the squid side, what is needed is to enable tproxy and to use tcp_outgoing_address based on src-address acls. Below is part of my configuration file as an example. Feel free to explore further for squid performance tuning.

http_port 3128 tproxy transparent
acl client_3dnet_isplasa src
acl client_3dnet_alwy src
acl client_3dnet_anis src
acl client_3dnet_pkstebet src
acl client_3dnet_pkstebet2 src
acl client_sonny src
acl client_christ src
acl client_shandy src
acl client_tono src

tcp_outgoing_address client_3dnet_isplasa
tcp_outgoing_address client_3dnet_alwy
tcp_outgoing_address client_3dnet_anis
tcp_outgoing_address client_3dnet_pkstebet
tcp_outgoing_address client_3dnet_pkstebet2
tcp_outgoing_address client_sonny
tcp_outgoing_address client_christ
tcp_outgoing_address client_shandy
tcp_outgoing_address client_tono

server_persistent_connections off

Thus, when a request comes from IP address, squid will run on, so the request is forwarded, still carrying the user's IP address (, to the Mikrotik router above it. Make sure that the user's gateway IP is one of the IP addresses assigned to eth1 (local), because the user's gateway is the Linux squid gateway.
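The configuration above only works if every tcp_outgoing_address names an acl that exists and an address that is actually bound on eth1; a typo in either makes squid bind to the wrong source and the TPROXY path silently breaks. The script below is an added example, not part of the post: it checks a squid.conf for exactly those two conditions (and for the tproxy option on http_port). Since the post's own config has its addresses stripped, the sample it checks is constructed.

```shell
#!/bin/sh
# Added example (not part of the post): sanity-check the tcp_outgoing_address /
# acl pairing of a squid.conf of the kind shown above. The sample is constructed.

# $1: squid.conf path; $2: space-separated addresses bound on the local interface.
# Prints one finding per line and returns 1 if any were found.
check_squid_outgoing() {
    awk -v bound_list="$2" '
        BEGIN { n = split(bound_list, a, " "); for (i = 1; i <= n; i++) bound[a[i]] = 1 }
        # http_port 3128 tproxy transparent  -> remember that tproxy is on
        $1 == "http_port" { for (i = 2; i <= NF; i++) if ($i == "tproxy") tproxy = 1 }
        # acl <name> src <addr>  -> record the acl name
        $1 == "acl" && $3 == "src" { acl[$2] = 1 }
        # tcp_outgoing_address <ip> [!]<acl> ...
        $1 == "tcp_outgoing_address" {
            ip = $2
            for (i = 3; i <= NF; i++) {
                name = $i; sub(/^!/, "", name)
                if (!(name in acl)) {
                    printf "line %d: acl %s is not defined as a src acl\n", NR, name; bad++
                }
            }
            if (!(ip in bound)) {
                printf "line %d: %s is not bound on the local interface\n", NR, ip; bad++
            }
        }
        END {
            if (!tproxy) { print "http_port has no tproxy option"; bad++ }
            exit bad ? 1 : 0
        }
    ' "$1"
}

# Constructed sample in the shape of the post's configuration, with two
# deliberate mistakes: an undefined acl and an address not bound on eth1.
write_squid_sample() {
    cat > "$1" <<'EOF'
http_port 3128 tproxy transparent
acl client_a src 10.10.1.0/24
acl client_b src 10.10.2.0/24
acl client_c src 10.10.3.0/24
tcp_outgoing_address 172.16.0.1 client_a
tcp_outgoing_address 172.16.0.2 client_b
tcp_outgoing_address 172.16.0.3 client_x
tcp_outgoing_address 172.16.0.9 client_c
server_persistent_connections off
EOF
}

demo() {
    f=$(mktemp)
    write_squid_sample "$f"
    # Addresses assumed to be configured on eth1 in this constructed setup.
    check_squid_outgoing "$f" "172.16.0.1 172.16.0.2 172.16.0.3" || true
    rm -f "$f"
}

# Usage: squid-check.sh /etc/squid/squid.conf "<ip> <ip> ..."; no args runs the demo.
if [ $# -ge 2 ]; then
    check_squid_outgoing "$1" "$2"
else
    demo
fi
```

On the real box the second argument can be taken from the interface itself, for example ip -4 -o addr show dev eth1 | awk '{print $4}' | cut -d/ -f1, so that the check compares squid.conf against what eth1 actually carries rather than against a hand-typed list.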

Created by d'za


OK, after explaining the various source lists for Debian and Ubuntu, this time I'll explain how to set up a proxy for a web site on Debian. The squid package I use is 2.6.STABLE14. The way to do it is to take the source code directly from the squid-cache site, because Debian's squid package is not built with TPROXY support:

squid (2.6.5-2) unstable; urgency=low
* debian/rules
- Remove mispelled configure option enablig TPROXY support
(TPROXY support is NOT enabled since it needs kernel patches which
are not in the kernel sources distributed by debian)
cd /usr/src/
tar -xzvf squid-2.6.STABLE14.tar.gz

Compilation is done the same way as Debian's standard build, with the additional option --enable-linux-tproxy. If you want to see Debian's standard squid build options, first install squid and run it with -v.

apt-get install squid
squid -v

Install squid from source. Run the ./configure command on a single line.

cd /usr/src/squid-2.6.STABLE14/
./configure --prefix=/usr --exec-prefix=/usr --bindir=/usr/sbin --sbindir=/usr/sbin --libexecdir=/usr/lib/squid --sysconfdir=/etc/squid --localstatedir=/var/spool/squid --datadir=/usr/share/squid --enable-linux-netfilter --enable-storeio=ufs,aufs,diskd,null --enable-arp-acl --enable-removal-policies=lru,heap --enable-snmp --enable-delay-pools --enable-htcp --enable-poll --enable-cache-digests --enable-underscores --enable-referer-log --enable-useragent-log --enable-auth="basic,digest,ntlm" --enable-carp --enable-large-files --enable-linux-tproxy
make all
make install
cp /usr/src/linux/include/linux/netfilter_ipv4/ip_tproxy.h /usr/include/linux/netfilter_ipv4
cp /usr/include/linux/capability.h /usr/include/sys

Created by d'za

deb etch main contrib non-free, deb etch main contrib non-free, and deb etch main contrib non-free.
# Debian Sid
deb sid main contrib non-free
deb sid/updates main contrib non-free
# Debian Lenny

deb lenny main contrib non-free
deb lenny/updates main contrib non-free

# Debian Etch 4.0

deb etch main contrib non-free
deb etch/updates main contrib non-free

# Ubuntu hardy 8.04 LTS

deb hardy main restricted universe multiverse
deb hardy-updates main restricted universe multiverse
deb hardy-security main restricted universe multiverse

# Ubuntu Gutsy 7.10

deb gutsy main restricted universe multiverse
deb gutsy-updates main restricted universe multiverse
deb gutsy-security main restricted universe multiverse

# Ubuntu Dapper 6.06 LTS

deb dapper main restricted universe multiverse
deb dapper-updates main restricted universe multiverse
deb dapper-security main restricted universe multiverse