The idea here is to set up DNSMASQ and HAVP to provide DNS, DHCP and content filtering for a Windows 7/Vista/XP client environment on Ubuntu Server Edition. DNSMASQ is a light package which provides DNS caching/forwarding and DHCP to a network (amongst other things). HAVP (HTTP AntiVirus Proxy) is a web proxy which uses a third party virus scanner (usually ClamAV) to scan web content for viruses. This assumes that you already have Ubuntu Server Edition installed on a suitable machine and have a working internet connection. In the settings below “192.168.1.254” refers to this machine, which is acting as a router/firewall; you could equally set it to the IP of another router on the network. “192.168.1.253” refers to the IP of a Windows server. First off install DNSMASQ:-
apt-get install dnsmasq
nano -w /etc/dnsmasq.conf
We now need to set the relevant options:-
“no-resolv” should be set; this stops DNSMASQ from reading /etc/resolv.conf for upstream DNS server addresses, so the only upstream servers it will use are the ones listed with “server=” in dnsmasq.conf. I have found with transient internet links such as ISDN and DSL that DNSMASQ doesn’t always pick up changes in /etc/resolv.conf, so it is a good idea to use this option and set your DNS servers statically.
We are using OpenDNS’s servers here (one “server=” line per resolver address) to provide site filtering and some protection from nasties. You can customise how OpenDNS filters traffic by signing up with them and telling them your IP/setting up a dynamic hostname relationship: http://www.opendns.com/start/. Bear in mind that the filtering is applied per public source IP on OpenDNS’s side and that the queries are plain, unauthenticated DNS, so it is only as good as the IP registration being current; also, a client that sets its own DNS server bypasses it entirely unless the firewall stops LAN machines talking to anything but DNSMASQ on port 53.
If you have an Active Directory domain within your network you need to tell DNSMASQ to forward requests for the Active Directory domain to the Windows server IP, with a line of the form “server=/yourdomain/192.168.1.253”. Domain joins and logons locate domain controllers through SRV records under the AD domain that only the Windows DNS server holds, so if you don’t do this you will find you cannot add Windows XP machines into the domain and other DNS related services such as SQL will fail.
“interface=” tells DNSMASQ which interface to listen on. If you do not set this DNSMASQ will listen on all available interfaces, including any internet-facing one, which turns the box into an open resolver and offers DHCP to the outside, so always set it to the LAN side. Usually your LAN interface will be “eth0” unless you have an unusual setup like bridging, in which case it will be “br0”.
“domain=” allows DNSMASQ to have a domain name and use it in DHCP; your DHCP clients will then get fully qualified domain names based on this domain and you will be able to resolve and ping them. For instance “ping mycomputer.mydomain.com”.
“dhcp-range=start,end,leasetime” sets the range of IP addresses for DNSMASQ to use for DHCP and also the lease time. I find setting a long lease time is a good way to minimise DHCP traffic and reduce log noise. This range has to be in the same network as the IP of the “listening” interface, otherwise DNSMASQ has no address on that network to serve it from.
“dhcp-option=3,192.168.1.254” (DHCP option 3) sets the router/default gateway for your DHCP clients. Presumably this will be the IP of your Ubuntu box although it could also be the address of some other router. If this option isn’t set DNSMASQ will use the primary address of the DNSMASQ machine. Still I think it is a good idea to set this explicitly so you can’t blame DNSMASQ if it sends out the wrong address.
# The following DHCP options set up dnsmasq in the same way as is specified
# for the ISC dhcpcd in
# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
# adapted for a typical dnsmasq installation where the host running
# dnsmasq is also the host running samba.
# you may want to uncomment some or all of them if you use
# Windows clients and Samba.
#dhcp-option=19,0           # option ip-forwarding off
#dhcp-option=44,0.0.0.0     # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
#dhcp-option=45,0.0.0.0     # netbios datagram distribution server
#dhcp-option=46,8           # netbios node type
dhcp-option=19,0
dhcp-option=44,192.168.1.253
dhcp-option=45,192.168.1.253
dhcp-option=46,8
These are options for inter-operation with Samba and Windows servers. I’m assuming here that there is another machine on the network acting as a WINS/datagram server; it could be running Samba or Windows server. You could equally be running Samba on this machine, in which case either leave options 44 and 45 defined as “0.0.0.0” or specify the IP of this machine. Both will have the same effect, because DNSMASQ substitutes its own address when it sees 0.0.0.0 in a dhcp-option.
Option 46 refers to the NetBIOS node type you want your clients to have; “0x8” is “hybrid”, meaning your clients will first try the WINS server to resolve a NetBIOS name and then broadcast if the WINS server can’t resolve it. This helps to keep broadcast traffic on the network to a minimum.
“dhcp-option=vendor:MSFT,2,1i” tells Microsoft clients to release their DHCP lease when they shut down (the “i” makes DNSMASQ send the value as a four-byte integer, which is what Microsoft wants, according to the comments in the config file). It is handy because you can then tell which clients are up just by looking at “/var/lib/misc/dnsmasq.leases”, with the caveat that a machine which crashes, is unplugged or sleeps never gets the chance to release its lease and will still be listed. You can then start DNSMASQ by issuing:-
service dnsmasq restart
Check syslog for errors by typing:-
tail -f /var/log/syslog
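Putting the options above together, here is the complete /etc/dnsmasq.conf as a script. This is an added example, not code from the original article: it renders the file from a few site variables, refuses to install it if the DHCP range is not inside the listening interface’s subnet, and lists the lease file in a readable form. The interface and the two 192.168.1.x addresses are the article’s; the AD domain “ad.example.local”, the DHCP domain “lan.example.local”, the /24 prefix and the 192.168.1.100-200 pool are assumptions, and the OpenDNS resolver addresses are OpenDNS’s published ones.

```shell
#!/bin/bash
# Added example (not from the original article): render the dnsmasq.conf
# described above, sanity-check the DHCP range against the LAN subnet, and
# list current leases. Addresses/domains below are the article's examples
# or assumed values; override them in the environment to suit your site.

LAN_IF="${LAN_IF:-eth0}"                         # LAN interface dnsmasq listens on
LAN_IP="${LAN_IP:-192.168.1.254}"                # this box, also the default gateway
PREFIXLEN="${PREFIXLEN:-24}"                     # assumed LAN prefix length
WINS_IP="${WINS_IP:-192.168.1.253}"              # Windows server: AD DNS and WINS
AD_DOMAIN="${AD_DOMAIN:-ad.example.local}"       # assumed Active Directory domain
DHCP_DOMAIN="${DHCP_DOMAIN:-lan.example.local}"  # assumed domain given to DHCP clients
RANGE_START="${RANGE_START:-192.168.1.100}"      # assumed DHCP pool
RANGE_END="${RANGE_END:-192.168.1.200}"
LEASE_TIME="${LEASE_TIME:-24h}"

# ip2int A.B.C.D -> 32-bit integer, for the subnet arithmetic below
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet IFACE_IP PREFIXLEN RANGE_START RANGE_END
# Succeeds only if both ends of the range are on IFACE_IP's network.
same_subnet() {
  local mask=$(( 4294967295 & ~((1 << (32 - $2)) - 1) ))
  local net=$(( $(ip2int "$1") & mask ))
  [ $(( $(ip2int "$3") & mask )) -eq "$net" ] && [ $(( $(ip2int "$4") & mask )) -eq "$net" ]
}

# render_dnsmasq_conf: the full config on stdout (comments on their own lines)
render_dnsmasq_conf() {
  cat <<EOF
# --- DNS ---
# Ignore /etc/resolv.conf; only the server= lines below are used upstream
no-resolv
# OpenDNS public resolvers (their filtering is keyed on your public IP)
server=208.67.222.222
server=208.67.220.220
# Everything under the AD domain goes to the Windows DC, which holds the
# SRV records that domain joins and logons depend on
server=/$AD_DOMAIN/$WINS_IP
# LAN side only; listening everywhere would make this an open resolver
interface=$LAN_IF
bind-interfaces
# Domain appended to DHCP client names so they resolve as FQDNs
domain=$DHCP_DOMAIN
expand-hosts

# --- DHCP ---
dhcp-range=$RANGE_START,$RANGE_END,$LEASE_TIME
# Option 3: default gateway, set explicitly rather than implied
dhcp-option=3,$LAN_IP
# Samba/Windows interoperability: ip-forwarding off, WINS server,
# NetBIOS datagram server, node type 8 (hybrid)
dhcp-option=19,0
dhcp-option=44,$WINS_IP
dhcp-option=45,$WINS_IP
dhcp-option=46,8
# Microsoft vendor option: release the lease on shutdown (4-byte integer)
dhcp-option=vendor:MSFT,2,1i
EOF
}

# install_dnsmasq_conf DEST: write the config, but only if the pool is on-subnet
install_dnsmasq_conf() {
  if ! same_subnet "$LAN_IP" "$PREFIXLEN" "$RANGE_START" "$RANGE_END"; then
    echo "dhcp-range $RANGE_START-$RANGE_END is not inside $LAN_IP/$PREFIXLEN" >&2
    return 1
  fi
  render_dnsmasq_conf > "$1"
}

# list_leases FILE: one readable line per entry of /var/lib/misc/dnsmasq.leases
# (fields: expiry-epoch MAC IP hostname client-id). Expiry 0 is an infinite
# lease, which is never "released" and so never disappears from the file.
list_leases() {
  local expiry mac ip host rest when
  while read -r expiry mac ip host rest; do
    [ -n "$expiry" ] || continue
    if [ "$expiry" = 0 ]; then
      when="never"
    else
      when=$(date -u -d "@$expiry" '+%Y-%m-%d %H:%M UTC')
    fi
    printf '%-20s %-15s %-17s expires %s\n' "$host" "$ip" "$mac" "$when"
  done < "$1"
}

# Usage (as root): install_dnsmasq_conf /etc/dnsmasq.conf && service dnsmasq restart
#                  list_leases /var/lib/misc/dnsmasq.leases
```

Comments are kept on their own lines rather than trailing the option they describe, which is the form the shipped dnsmasq.conf uses; “bind-interfaces” and “expand-hosts” are additions to what the article sets, the first so the sockets are only ever bound to the LAN interface, the second so entries in /etc/hosts also get the DHCP domain appended.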
Now to install and configure HAVP:-
apt-get install havp
Edit the HAVP config file, /etc/havp/havp.config:-
Uncomment and change the “TRANSPARENT” option so that it reads “TRANSPARENT true”. While you are in there, check that a scanner is actually enabled (“ENABLECLAMLIB true” for the libclamav scanner is the usual choice) and that freshclam is keeping the ClamAV signatures current; with no working scanner HAVP is just a proxy.
Then start HAVP:-
service havp restart
Finally tell the firewall to redirect port 80 traffic arriving from the LAN to HAVP on the Ubuntu server so that HAVP scans web traffic for viruses. The REDIRECT target only exists in the nat table, so the rule must name it or iptables will reject it. With iptables running on the same machine this would be done like so:-
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
Which would also need to be added to the nat section of the firewall rules file minus the “iptables -t nat” so that the configuration is restored upon server restart. Note that only plain HTTP on port 80 is redirected; HTTPS and web servers on other ports are not scanned by HAVP.
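The nat-table rules as a script, both for live application and for the rules file. This is an added example, not code from the original article, and it goes a little beyond it: traffic to the Ubuntu box’s own address is excluded from the redirect so a web page served from this machine does not loop through the proxy, and two extra rules force LAN clients’ DNS back through DNSMASQ so a hand-set resolver cannot bypass the OpenDNS filtering. The LAN interface and the two 192.168.1.x addresses are the article’s; HAVP’s default port 8080 is assumed, and the Windows server is exempted from the DNS redirect as a precaution.

```shell
#!/bin/bash
# Added example (not from the original article): nat-table rules that steer
# LAN web traffic into HAVP, as iptables commands and as the *nat section of
# an iptables-restore rules file. Assumes LAN interface eth0, this box at
# 192.168.1.254, the Windows server at 192.168.1.253, HAVP on its default 8080.
LAN_IF="${LAN_IF:-eth0}"
LAN_IP="${LAN_IP:-192.168.1.254}"
WINS_IP="${WINS_IP:-192.168.1.253}"
HAVP_PORT="${HAVP_PORT:-8080}"

# nat_rules: rule bodies without the leading "iptables -t nat".
# REDIRECT only exists in the nat table, which is why the table must be named.
nat_rules() {
  cat <<EOF
# Plain HTTP from the LAN to anything other than this box is scanned by HAVP.
# HTTPS (443) and HTTP on other ports are left alone and are NOT scanned.
-A PREROUTING -i $LAN_IF ! -d $LAN_IP -p tcp --dport 80 -j REDIRECT --to-ports $HAVP_PORT
# Beyond the article: send every LAN DNS query to dnsmasq, so a client that
# hand-sets another resolver still gets the OpenDNS filtering. The Windows DC
# is exempt so its own upstream lookups are not bent back through this box.
-A PREROUTING -i $LAN_IF ! -s $WINS_IP -p udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i $LAN_IF ! -s $WINS_IP -p tcp --dport 53 -j REDIRECT --to-ports 53
EOF
}

# apply_rules: add each rule to the running firewall (requires root)
apply_rules() {
  nat_rules | grep -v '^#' | while read -r rule; do
    # word splitting of $rule is intentional: each word is an iptables argument
    iptables -t nat $rule
  done
}

# render_restore_file: the nat table in iptables-restore format, i.e. what to
# put in the firewall rules file so the redirect survives a reboot
render_restore_file() {
  printf '*nat\n'
  nat_rules | grep -v '^#'
  printf 'COMMIT\n'
}

# Usage (as root): apply_rules                                  # live now
#                  render_restore_file >> /path/to/your/rules/file   # persistent
```

Before applying, confirm HAVP is listening on the port you redirect to (for example with “ss -ltn” or “netstat -ltn”); redirecting port 80 to a port with nothing behind it cuts the LAN off from the web.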