Codes, scripts and configurations
This appendix contains samples of all the scripts used in the previous chapters.
APACHE FILE PERMISSIONS SCRIPT
The first argument of the script is the target directory and must have a trailing /. The script prints an on-screen list of all the files it has modified.
[root@bigboy tmp]# ./fix-www-perms.sh /home/www/webpages/
/home/www/webpages/
/home/www/webpages/file1.htm
/home/www/webpages/file2.htm
[root@bigboy tmp]#
Here's how it's done:
#!/bin/sh
# fix-www-perms.sh - Recursively fixes file permissions in a www directory
# so that Apache may serve the pages correctly
# (c) SiliconValleyCCIE.com
# Directories get 755 (owner rwx, everyone else rx), files get 644
# (owner rw, everyone else r). Names are quoted so paths containing
# spaces work, and symbolic links are skipped because chmod would
# otherwise follow a link and change the mode of whatever it points at.
find "$1" ! -type l | while IFS= read -r i
do
    if [ -d "$i" ] ; then
        chmod 755 "$i"
        echo "$i"
    else
        chmod 644 "$i"
        echo "$i"
    fi
done
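An added example, not the page's script: an audit counterpart to fix-www-perms.sh that reports, rather than changes, every entry under a web root whose mode differs from the 644/755 the script sets, and flags anything world-writable, the case that lets a compromised upload handler rewrite served content. The sample tree is constructed in a temporary directory, and all function names are this example's own.

```python
"""Audit a web root against the 644/755 layout fix-www-perms.sh enforces.
Added example; the sample tree below is constructed, not taken from the page."""
import os
import stat
import tempfile

FILE_MODE = 0o644
DIR_MODE = 0o755


def audit_perms(root):
    """Return [(path, actual_mode, expected_mode, world_writable), ...] for
    every directory or regular file whose permission bits differ from what
    the script sets. Symlinks are skipped: their own mode is meaningless
    and the hardened script leaves them alone as well."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [dirpath] + [os.path.join(dirpath, f) for f in filenames]
        for path in entries:
            if os.path.islink(path):
                continue
            st = os.lstat(path)
            mode = stat.S_IMODE(st.st_mode)
            expected = DIR_MODE if stat.S_ISDIR(st.st_mode) else FILE_MODE
            if mode != expected:
                findings.append((path, mode, expected, bool(mode & stat.S_IWOTH)))
    return findings


def audit_by_name(root):
    """Same findings keyed by base name, convenient for reports and tests."""
    return {os.path.basename(p): (a, e, w) for p, a, e, w in audit_perms(root)}


def build_sample_tree():
    """Constructed web root: one correct page, one world-writable upload
    script and one directory Apache cannot traverse."""
    root = tempfile.mkdtemp(prefix="www-")
    os.mkdir(os.path.join(root, "private"))
    for name, mode in (("index.html", 0o644), ("upload.php", 0o666)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("<html></html>\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "private"), 0o700)
    os.chmod(root, 0o755)
    return root


def report(root):
    """One line per finding, in the spirit of the script's on-screen list."""
    return [
        f"{path} {actual:04o} (expected {expected:04o})"
        + (" WORLD-WRITABLE" if ww else "")
        for path, actual, expected, ww in audit_perms(root)
    ]


if __name__ == "__main__":
    for line in report(build_sample_tree()):
        print(line)
```

Run it before and after the permissions script: an empty report means the tree matches, and any WORLD-WRITABLE line is worth investigating on its own, whatever the script would have done to it.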
SENDMAIL SPAM FILTER SCRIPT
One of the good things about having a Linux box at home is that you can create your own customized spam filter. Here's a summary of a script called mail-filter.pl, which I've used at home for some time:
It uses two configuration files: mail-filter.accept lists all the mail to
accept and mail-filter.reject lists all the mail to reject. Each file has
two columns.
The first column has either the word "subject:" or "address:" and the second
column has either a subject string (inclusive of spaces) or a single
address entry. Sometimes spam is sent to multiple addresses in the
same domain, so there is also a "repeataddress" keyword that can be used in
the first column followed by the offending domain name.
If there are more than two repetitions of the domain, then the e-mail is
rejected.
The script matches addresses in both the To and From field of the
received e-mail.
The script reads the reject file first and rejects any matching e-mails; it then
reads the accept file and accepts any matching e-mails, and finally it denies
everything else.
The script rejects e-mails in which your e-mail address doesn't appear in
the To, From, or CC field. BCC e-mails are therefore denied. If you
receive e-mails as part of mailing lists, put the name of the mailing list in
your accept file.
The script is very tolerant of e-mail addresses. You do not have to have an
@ sign in the configuration files' entries. The script matches on a partial
address too.
mail-filter.pl logs all accepted and denied e-mails in a file called
mail-filter.log. Look at this file from time to time, as you may find yourself
rejecting too much traffic, which will require you to modify the configuration
files.
The script runs using the PERL scripting language, which is installed by
default on Red Hat. If you don't have PERL, go to www.cpan.org to download
and install a variety of PERL modules. Click on the CPAN home page's
Modules link. Click the All Modules listing, and download and install the
MailTools, IO-Stringy, MIME-tools, and Mail-Audit modules in that order. The
CPAN modules page also has a link on how to install the modules.
Here's how to install the script:
Place mail-filter.pl in your $HOME directory (default login directory). In
this case the username is mailuser.
Use the chmod command to make it executable:
[root@bigboy mailuser]# chmod 700 mail-filter.pl
Go to the /etc/smrsh directory and create a symbolic link to the
mail-filter.pl file there:
[root@bigboy mailuser]# cd /etc/smrsh
[root@bigboy smrsh]# ln -s /home/mailuser/mail-filter.pl
Create a .forward file in your home directory:
#!/bin/bash
| ~/mail-filter.pl
You should then be ready to go!
The mail-filter.accept File
address: my-address@mysite.com
address: cnn
subject: Alumni Association
The mail-filter.reject File
address: spammer@spammer.com
repeataddress: my-isp-provider.net
subject: porn
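The decision logic described above, as an added Python example (not the page's Perl script): it parses the sample mail-filter.accept and mail-filter.reject entries shown here and applies them in the order the text gives, reject rules first, then accept rules, then deny everything else. The rule text and the header values used with it are constructed copies, and `parse_rules` and `decide` are this example's own names.

```python
"""The mail-filter accept/reject decision in Python. Added example; the
rule files are constructed copies of the samples on the page."""
import re

ACCEPT_FILE = """\
address: my-address@mysite.com
address: cnn
subject: Alumni Association
"""

REJECT_FILE = """\
address: spammer@spammer.com
repeataddress: my-isp-provider.net
subject: porn
"""


def parse_rules(text):
    """First column is the keyword, the rest of the line is the value:
    a subject may contain spaces, an address may be partial (no '@')."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        keyword = keyword.rstrip(":").lower()
        value = value.strip()
        if keyword in ("subject", "address", "repeataddress") and value:
            rules.append((keyword, value))
    return rules


def _contains(haystack, needle):
    """Case-insensitive substring match, which is what 'partial address' means."""
    return needle.lower() in haystack.lower()


def decide(headers, accept_rules, reject_rules):
    """Return (verdict, reason) for one message. Reject rules come first,
    then accept rules, then everything else is rejected. Because the accept
    file carries your own address, a message in which it appears in none of
    To, Cc or From (a Bcc) matches nothing and is denied."""
    frm = headers.get("From", "")
    to = headers.get("To", "")
    cc = headers.get("Cc", "")
    subject = headers.get("Subject", "")
    for kind, value in reject_rules:
        if kind == "subject" and _contains(subject, value):
            return "REJECT", f"subject: {value}"
        if kind == "address" and (_contains(frm, value) or _contains(to, value)):
            return "REJECT", f"address: {value}"
        if kind == "repeataddress":
            # Count how often the domain occurs across To: and Cc:
            hits = len(re.findall(re.escape(value), f"{to} {cc}", re.IGNORECASE))
            if hits >= 3:
                return "REJECT", f"repeataddress: {value} ({hits} recipients)"
    for kind, value in accept_rules:
        if kind == "subject" and _contains(subject, value):
            return "ACCEPT", f"subject: {value}"
        if kind == "address" and _contains(f"{frm} {to} {cc}", value):
            return "ACCEPT", f"address: {value}"
    return "REJECT", "no rule matched"


if __name__ == "__main__":
    accept, reject = parse_rules(ACCEPT_FILE), parse_rules(REJECT_FILE)
    # Constructed message: spammed to three recipients in one ISP domain
    msg = {"From": "a@example.com", "Subject": "Offer",
           "To": "p@my-isp-provider.net, q@my-isp-provider.net",
           "Cc": "r@my-isp-provider.net"}
    print(decide(msg, accept, reject))
```

The order matters: a message that matches both a reject and an accept entry is rejected, which is why the text advises watching mail-filter.log for legitimate mail caught by an over-broad reject entry.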
The mail-filter Script
#!/usr/bin/perl
# Mail-filter - PERL Script
# Reference pages
# https://search.cpan.org/author/SIMON/Mail-Audit-2.1/Audit.pm
# https://simon-cozens.org/writings/mail-audit.html
# PERL modules needed from
# https://www.cpan.org/modules/01modules.index.html
# Need to install the following modules:
# MailTools, IO-Stringy, MIME-tools & Mail-Audit in this order
# Need to have:
# a logical link to this file in /etc/smrsh
# .forward file with the following line in it
# #!/bin/bash
# | ~/mail-filter.pl
use strict;
use warnings;
use Mail::Audit;
use MIME::Lite;
# Spam filter variables
my $FILEPATH = "/home/mailuser/";
my $ITEM = Mail::Audit->new;
my $FROM = $ITEM->from();
my $TO = $ITEM->to();
my $CC = $ITEM->cc();
my $SUBJECT = $ITEM->subject();
my $BODY = $ITEM->body();
my $DATE = "";
my $INBOX_LOG = $FILEPATH . "mail-filter.log";
my $ACCEPT_FILE = $FILEPATH . "mail-filter.accept";
my $REJECT_FILE = $FILEPATH . "mail-filter.reject";
# Criteria loaded from the reject and accept files (value => 1)
my (%badsubjects, %badaddresses, %badrepeataddresses);
my (%goodsubjects, %goodaddresses);
#################### Don't edit below here ###################
chomp($DATE = `date '+ %m/%d/%Y %H:%M:%S'`);
$DATE =~ s/^\s*(.*?)\s*$/$1/;
# A header may be absent altogether (e.g. no Cc:); treat it as empty
for ($FROM, $TO, $CC, $SUBJECT) { $_ = "" unless defined $_; chomp; }
study $FROM;
study $SUBJECT;
study $TO;
study $CC;
&Read_Criteria;
&Mail_Filter;
exit;
# Load the reject file and then the accept file into the criteria hashes
sub Read_Criteria {
    open(REJECT_FILE, "<", $REJECT_FILE) or die "Cannot open $REJECT_FILE: $!";
    while (<REJECT_FILE>) {
        my ($type, $value) = &Strip_Record($_);
        next unless defined $type && defined $value && length $value;
        # Get the bad subject
        if ($type =~ /^subject$/i) { $badsubjects{$value} = 1; }
        # Get the bad address
        if ($type =~ /^address$/i) { $badaddresses{$value} = 1; }
        # Get the bad repeat address
        if ($type =~ /^repeataddress$/i) { $badrepeataddresses{$value} = 1; }
    }
    close (REJECT_FILE);
    open(ACCEPT_FILE, "<", $ACCEPT_FILE) or die "Cannot open $ACCEPT_FILE: $!";
    while(<ACCEPT_FILE>) {
        my ($type, $value) = &Strip_Record($_);
        next unless defined $type && defined $value && length $value;
        if ($type =~ /subject/i) { $goodsubjects{$value} = 1; }
        if ($type =~ /address/i) { $goodaddresses{$value} = 1; }
    }
    close (ACCEPT_FILE);
}
# Split one configuration line into its keyword and value.
# Returns (undef, undef) for blank lines, comments and unknown keywords.
sub Strip_Record {
    my $record = shift;
    chomp $record;
    return (undef, undef) if $record =~ /^\s*(#|$)/;
    my @fields = split(/\s+/, $record);
    # Return the subject (the rest of the line, spaces included)
    if ($fields[0] =~ /^subject:?$/i) {
        return ("subject", join(" ", @fields[1 .. $#fields]));
    }
    # Return the addresses
    elsif ($fields[0] =~ /^address:?$/i) {
        return ("address", $fields[1]);
    }
    # Return the repeat addresses
    elsif ($fields[0] =~ /^repeataddress:?$/i) {
        return ("repeataddress", $fields[1]);
    }
    else {
        return (undef, undef);
    }
}
sendmail Spam Filter Script 595
40Harrison_Apdx2.qxd 2/25/05 10:26 AM Page 595
# Apply the criteria: reject rules first, then accept rules, then deny
sub Mail_Filter {
    # Reject by subject
    foreach my $criteria (keys %badsubjects) {
        &Reject_Mail("subject: $criteria") if $SUBJECT =~ /\Q$criteria\E/i;
    }
    # Reject email to/from these addresses
    foreach my $criteria (keys %badaddresses) {
        &Reject_Mail("address: $criteria")
            if $FROM =~ /\Q$criteria\E/i || $TO =~ /\Q$criteria\E/i;
    }
    # Sometimes SPAM is sent to multiple addresses in the same domain.
    # Reject email if the number of addresses in the to: or cc: >= 3
    foreach my $criteria (keys %badrepeataddresses) {
        my $i = () = "$TO $CC" =~ /\Q$criteria\E/gi;
        if($i >= 3) { &Reject_Mail("repeataddress: $criteria ($i times)"); }
    }
    # Accept some subject lines
    for my $criteria (keys %goodsubjects) {
        &Accept_Mail("subject: $criteria") if $SUBJECT =~ /\Q$criteria\E/i;
    }
    # Accept emails to/from these addresses
    for my $criteria (keys %goodaddresses) {
        &Accept_Mail("address: $criteria")
            if "$FROM $TO $CC" =~ /\Q$criteria\E/i;
    }
    # Reject everything else
    &Reject_Mail("yes");
}
# Log the decision, deliver to the default mailbox and exit
sub Accept_Mail {
    my $reason = shift;
    open(LOG, ">>", $INBOX_LOG) or die "Cannot open $INBOX_LOG: $!";
    print LOG "$DATE ACCEPT ($reason) From: $FROM To: $TO Subject: $SUBJECT\n";
    close(LOG);
    $ITEM->accept;
    exit;
}
# Log the decision and bounce the message ("yes" means no rule matched).
# Most spam carries a forged sender, so the bounce lands on an innocent
# third party; $ITEM->ignore discards the message silently instead.
sub Reject_Mail {
    my $reason = shift;
    open(LOG, ">>", $INBOX_LOG) or die "Cannot open $INBOX_LOG: $!";
    if ($reason eq "yes") {
        print LOG "$DATE REJECT (no rule matched) From: $FROM To: $TO Subject: $SUBJECT\n";
    } else {
        print LOG "$DATE REJECT ($reason) From: $FROM To: $TO Subject: $SUBJECT\n";
    }
    close(LOG);
    $ITEM->reject("Rejected by mail-filter.pl");
    exit;
}
IPTABLES SCRIPTS
Here are a number of iptables script samples for such tasks as allowing FTP
and NTP traffic through your firewall, plus a detailed script suitable for a
home/small office.
FTP Client Script
# - Interface eth0 is the internet interface
# - Interface eth1 is the private network interface
modprobe ip_conntrack_ftp
# FTP connections from your Linux server
# Outbound FTP requests on control connection (port 21)
iptables -A OUTPUT -o eth0 -p tcp --sport 1024:65535 --dport 21 \
    -m state --state NEW -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 21 --dport 1024:65535 \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
# Select one of the following two
# FTP connections from your Linux server
# Active FTP data connection established back from remote server
iptables -A INPUT -i eth0 -p tcp --sport 20 --dport 1024:65535 \
    -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 20 --sport 1024:65535 \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
# FTP connections from your Linux server
# Passive FTP data connection established from your Linux server
iptables -A OUTPUT -o eth0 -p tcp --dport 1024:65535 \
    --sport 1024:65535 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 \
    --dport 1024:65535 -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
FTP Server Script
# - Interface eth0 is the internet interface
# - Interface eth1 is the private network interface
modprobe ip_conntrack_ftp
# FTP connections to your Linux server
# Inbound FTP requests on control connection (port 21)
iptables -A INPUT -i eth0 -p tcp --dport 21 --sport 1024:65535 \
    -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 1024:65535 --sport 21 \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
# Select one of the following two
# FTP connections to your Linux server
# Active FTP data connection established back to client from
# your server
iptables -A OUTPUT -o eth0 -p tcp --sport 20 --dport 1024:65535 \
    -m state --state NEW -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 20 --sport 1024:65535 \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
# FTP connections to your Linux server
# Passive FTP data connection established to your Linux server
# from remote client
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 \
    --dport 1024:65535 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 1024:65535 \
    --sport 1024:65535 -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
NTP Server Script
# - Interface eth0 is the internet interface
# - Interface eth1 is the private network interface
iptables -A OUTPUT -o eth0 -p udp -m multiport --ports 123 \
    -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m multiport --ports 123 \
    -j ACCEPT
Home/Small Office Protection Script
#!/bin/bash
# Set up variables for the firewall
# WEBSERVER_1 uses port forwarding for HTTP, DNS and SMTP mail
EXTERNAL_INT="eth0" # External Internet interface
INTERNAL_INT="eth1" # Home Network Interface
HOME_NETWORK="192.168.1.0/24" # Home network address range
WEBSERVER_1_INT="192.168.1.101" # (Port fwding) Server Real IP
WEBSERVER_2_INT="192.168.1.100" # (1 to 1 NAT) Server real IP
WEBSERVER_2_EXT="216.10.119.248" # (1 to 1 NAT) Server NAT IP
TIME_SERVER1="192.6.38.127" # Remote time server #1
TIME_SERVER2="216.27.190.202" # Remote time server #2
TIME_SERVER3="204.123.2.5" # Remote time server #3
# Uncomment this for 1:1 NAT PLUS (Remove Masquerade section)
# MANY_TO_1_NAT="216.10.119.249" # (Many to 1 NAT)
############### Load important iptables modules ###############
# Load the NAT module
modprobe iptable_nat
# Load modules for FTP connection tracking and NAT - You may need
# them later
modprobe ip_conntrack_ftp
######### Define our chains and important variables ###########
# Get the IP address of the firewall's external interface
EXTERNAL_IP="`ifconfig $EXTERNAL_INT | grep 'inet addr' | \
    awk '{print $2}' | sed -e 's/.*://'`"
INTERNAL_IP="`ifconfig $INTERNAL_INT | grep 'inet addr' | \
    awk '{print $2}' | sed -e 's/.*://'`"
############ Fix Linux settings for better security ###########
# Disable routing triangulation. Respond to queries out
# the same interface, not another. Helps to maintain state
# Also protects against IP spoofing
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# Enable logging of packets with malformed IP addresses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
# Disable redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# Disable source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Disable acceptance of ICMP redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Turn on protection from Denial of Service (DOS) attacks
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Disable responding to ping broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Enable routing (IP forwarding)
echo 1 > /proc/sys/net/ipv4/ip_forward
############ Initialize all the chains we'll use ##############
# Initialize all the chains by removing all the rules
# tied to them
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
# Now that the chains have been initialized, the user defined
# chains should be deleted. We'll recreate them in the next step
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain
# If a packet doesn't match one of the built in chains, then
# The policy should be to drop it
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
iptables -t nat --policy POSTROUTING ACCEPT
iptables -t nat --policy PREROUTING ACCEPT
# The loopback interface should accept all traffic
# Necessary for X-Windows and other socket based services
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
################### Check for bad addresses ###################
# Initialize our user-defined chains
iptables -N valid-src
iptables -N valid-dst
# Verify valid source and destination addresses for all packets
iptables -A INPUT -i $EXTERNAL_INT -j valid-src
iptables -A FORWARD -i $EXTERNAL_INT -j valid-src
iptables -A OUTPUT -o $EXTERNAL_INT -j valid-dst
iptables -A FORWARD -o $EXTERNAL_INT -j valid-dst
# Source and Destination Address Sanity Checks
# Drop packets from networks covered in RFC 1918 (private nets)
# Drop packets from external interface IP
iptables -A valid-src -s 10.0.0.0/8 -j DROP
iptables -A valid-src -s 172.16.0.0/12 -j DROP
iptables -A valid-src -s 192.168.0.0/16 -j DROP
iptables -A valid-src -s 224.0.0.0/4 -j DROP
iptables -A valid-src -s 240.0.0.0/5 -j DROP
iptables -A valid-src -s 127.0.0.0/8 -j DROP
iptables -A valid-src -s 0.0.0.0/8 -j DROP
iptables -A valid-src -d 255.255.255.255 -j DROP
iptables -A valid-src -s 169.254.0.0/16 -j DROP
iptables -A valid-src -s $EXTERNAL_IP -j DROP
iptables -A valid-dst -d 224.0.0.0/4 -j DROP
# Log and drop chain (the chain must exist before rules are added to it)
iptables -N LOG-and-drop
iptables -A LOG-and-drop -j LOG --log-ip-options \
    --log-tcp-options --log-level debug
iptables -A LOG-and-drop -j DROP
################## Firewall Rules Section #####################
# Allow outbound DNS queries from the FW and the replies too
# - Interface $EXTERNAL_INT is the internet interface
# Zone transfers use TCP and not UDP. Most home networks
# / websites using a single DNS server won't require TCP statements
iptables -A OUTPUT -p udp -o $EXTERNAL_INT --dport 53 \
    --sport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp -i $EXTERNAL_INT --sport 53 \
    --dport 1024:65535 -j ACCEPT
# Allow port 22 (SSH) connections to the firewall
iptables -A INPUT -p tcp -i $EXTERNAL_INT --dport 22 \
    --sport 1024:65535 -m state --state NEW -j ACCEPT
# Allow port 80 (www) and 443 (https) connections from the firewall
iptables -A OUTPUT -j ACCEPT -m state --state NEW \
    -o $EXTERNAL_INT -p tcp --dport 80 --sport 1024:65535
iptables -A OUTPUT -j ACCEPT -m state --state NEW \
    -o $EXTERNAL_INT -p tcp --dport 443 --sport 1024:65535
# Allow outbound ICMP echo requests & inbound echo replies
iptables -A OUTPUT -j ACCEPT -o $EXTERNAL_INT -p icmp \
    --icmp-type echo-request
iptables -A INPUT -j ACCEPT -i $EXTERNAL_INT -p icmp \
    --icmp-type echo-reply
# Allow all bidirectional traffic from your firewall to the
# protected network
# - Interface $INTERNAL_INT is the private network interface
iptables -A INPUT -j ACCEPT -p all -s $HOME_NETWORK \
    -i $INTERNAL_INT
iptables -A OUTPUT -j ACCEPT -p all -d $HOME_NETWORK \
    -o $INTERNAL_INT
#################### 1 to 1 NAT Section #######################
# NAT ALL traffic:
# TO:                 FROM:       MAP TO SERVER:
# $WEBSERVER_2_EXT    Anywhere    $WEBSERVER_2_INT
# SNAT is used to NAT all other outbound connections initiated
# from the protected network to appear to come from
# IP address $WEBSERVER_1_EXT
# POSTROUTING:
# NATs source IP addresses. Frequently used to NAT connections from
# your home network to the Internet
# PREROUTING:
# NATs destination IP addresses. Frequently used to NAT
# connections from the Internet to your home network
# PREROUTING statements for 1:1 NAT
# (Connections originating from the Internet)
iptables -t nat -A PREROUTING -d $WEBSERVER_2_EXT \
    -i $EXTERNAL_INT \
    -j DNAT --to-destination $WEBSERVER_2_INT
# POSTROUTING statements for 1:1 NAT
# (Connections originating from the home network servers)
iptables -t nat -A POSTROUTING -s $WEBSERVER_2_INT \
    -o $EXTERNAL_INT \
    -j SNAT --to-source $WEBSERVER_2_EXT
# Allow forwarding to each of the servers configured for 1:1 NAT
# (For connections originating from the Internet. Notice how you
# use the real IP addresses here)
# HTTP
iptables -A FORWARD -p tcp -i $EXTERNAL_INT -o $INTERNAL_INT \
    -d $WEBSERVER_2_INT --dport 80 --sport 1024:65535 \
    -m state --state NEW -j ACCEPT
# SSH
iptables -A FORWARD -p tcp -i $EXTERNAL_INT -o $INTERNAL_INT \
    -d $WEBSERVER_2_INT --dport 22 --sport 1024:65535 \
    -m state --state NEW -j ACCEPT
# DNS (TCP)
iptables -A FORWARD -p tcp -i $EXTERNAL_INT -o $INTERNAL_INT \
    -d $WEBSERVER_2_INT --dport 53 \
    -m state --state NEW -j ACCEPT
# DNS (UDP)
iptables -A FORWARD -p udp -i $EXTERNAL_INT -o $INTERNAL_INT \
    -d $WEBSERVER_2_INT --dport 53 \
    -m state --state NEW -j ACCEPT
# NTP (outbound from the server). The FORWARD chain is evaluated
# before SNAT in POSTROUTING, so the source seen here is the real
# IP, not the NAT IP
iptables -A FORWARD -p udp \
    -d $TIME_SERVER1 --dport 123 --sport 123 \
    -s $WEBSERVER_2_INT -j ACCEPT
iptables -A FORWARD -p udp \
    -d $TIME_SERVER2 --dport 123 --sport 123 \
    -s $WEBSERVER_2_INT -j ACCEPT
iptables -A FORWARD -p udp \
    -d $TIME_SERVER3 --dport 123 --sport 123 \
    -s $WEBSERVER_2_INT -j ACCEPT
################### Port Forwarding Section ###################
# Allow port forwarding for traffic on HTTP, HTTPS, SMTP and DNS
# to WEBSERVER_1 on the same ports
## Allow Port Forwarding
# HTTP (Port Forwarding)
iptables -t nat -A PREROUTING -p tcp -i $EXTERNAL_INT \
    -d $EXTERNAL_IP --dport 80 --sport 1024:65535 -j DNAT \
    --to $WEBSERVER_1_INT:80
# SMTP Sendmail (Port Forwarding)
iptables -t nat -A PREROUTING -p tcp -i $EXTERNAL_INT \
    -d $EXTERNAL_IP --dport 25 --sport 1024:65535 -j DNAT \
    --to $WEBSERVER_1_INT:25
# SSH (Port Forwarding)
# Note: PREROUTING runs before INPUT, so with this rule in place
# SSH to $EXTERNAL_IP reaches WEBSERVER_1, not the firewall itself
iptables -t nat -A PREROUTING -p tcp -i $EXTERNAL_INT \
    -d $EXTERNAL_IP --dport 22 --sport 1024:65535 -j DNAT \
    --to $WEBSERVER_1_INT:22
# DNS (TCP) (Port Forwarding)
iptables -t nat -A PREROUTING -p tcp -i $EXTERNAL_INT \
    -d $EXTERNAL_IP \
    --dport 53 --sport 1024:65535 -j DNAT \
    --to $WEBSERVER_1_INT:53
# DNS (UDP) (Port Forwarding)
iptables -t nat -A PREROUTING -p udp -i $EXTERNAL_INT \
    -d $EXTERNAL_IP --dport 53 --sport 1024:65535 -j DNAT \
    --to $WEBSERVER_1_INT:53
## Allow routing after port forwarding
# HTTP (Routing after port forwarding NAT)
iptables -A FORWARD -p tcp -i $EXTERNAL_INT \
    -d $WEBSERVER_1_INT --dport 80 --sport 1024:65535 \
    -m state --state NEW -j ACCEPT
# SMTP Sendmail (Routing after port forwarding NAT)
iptables -A FORWARD -p tcp -i $EXTERNAL_INT \
    -d $WEBSERVER_1_INT --dport 25 --sport 1024:65535 \
    -m state --state NEW -j ACCEPT
# SSH (Routing after port forwarding NAT)
iptables -A FORWARD -p tcp -i $EXTERNAL_INT \
    -d $WEBSERVER_1_INT --dport 22 --sport 1024:65535 \
    -m state --state NEW -j ACCEPT
# DNS (TCP) (Routing after port forwarding NAT)
iptables -A FORWARD -p tcp -i $EXTERNAL_INT \
    -d $WEBSERVER_1_INT --dport 53 -m state --state NEW \
    -j ACCEPT
# DNS (UDP) (Routing after port forwarding NAT)
iptables -A FORWARD -p udp -i $EXTERNAL_INT \
    -d $WEBSERVER_1_INT \
    --dport 53 -j ACCEPT
############ (Many to one NAT) Not Masquerading ###############
# POSTROUTING statements for Many:1 NAT
# (Connections originating from the entire home network)
#iptables -t nat -A POSTROUTING -s $HOME_NETWORK \
#    -o $EXTERNAL_INT -j SNAT --to-source $MANY_TO_1_NAT
################# (Many to one NAT) Masquerading ##############
# Allow masquerading
# Enable routing by modifying the ip_forward /proc filesystem file
# - Interface $EXTERNAL_INT is the internet interface
# - Interface $INTERNAL_INT is the private network interface
iptables -A POSTROUTING -t nat -o $EXTERNAL_INT -s $HOME_NETWORK \
    -d 0/0 -j MASQUERADE
############ Allow already established connections ###########
# Prior to masquerading, the packets are routed via the filter
# table's FORWARD chain.
# Allowed outbound: New, established and related connections
# Allowed inbound : Established and related connections
iptables -A FORWARD -t filter -o $EXTERNAL_INT -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i $EXTERNAL_INT -m state \
    --state ESTABLISHED,RELATED -j ACCEPT
# Allow previously established connections
# - Interface $EXTERNAL_INT is the internet interface
iptables -A INPUT -j ACCEPT -m state \
    --state ESTABLISHED,RELATED -i $EXTERNAL_INT -p tcp
################ Log and drop all other packets ###############
# Log and drop all other packets to file /var/log/messages
# Without this we could be crawling around in the dark
iptables -A OUTPUT -j LOG-and-drop
iptables -A INPUT -j LOG-and-drop
iptables -A FORWARD -j LOG-and-drop
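An added example, not part of the firewall script, for checking the valid-src and valid-dst sanity chains offline before the script is loaded on a live firewall: it parses the chains' iptables lines (a constructed copy of those above, written without the stray `$` that precedes the network literals in some printings) and walks them the way netfilter does, first matching rule wins and falling off the end returns to the calling chain. `203.0.113.1` is a constructed stand-in for `$EXTERNAL_IP`, and `parse_rules` and `verdict` are this example's own names.

```python
"""Evaluate the valid-src / valid-dst address sanity chains offline.
Added example; the rule text is a constructed copy of the script's lines."""
import ipaddress
import shlex

SANITY_RULES = """
iptables -A valid-src -s 10.0.0.0/8 -j DROP
iptables -A valid-src -s 172.16.0.0/12 -j DROP
iptables -A valid-src -s 192.168.0.0/16 -j DROP
iptables -A valid-src -s 224.0.0.0/4 -j DROP
iptables -A valid-src -s 240.0.0.0/5 -j DROP
iptables -A valid-src -s 127.0.0.0/8 -j DROP
iptables -A valid-src -s 0.0.0.0/8 -j DROP
iptables -A valid-src -d 255.255.255.255 -j DROP
iptables -A valid-src -s 169.254.0.0/16 -j DROP
iptables -A valid-src -s $EXTERNAL_IP -j DROP
iptables -A valid-dst -d 224.0.0.0/4 -j DROP
"""


def parse_rules(text, variables):
    """Turn 'iptables -A CHAIN [-s NET] [-d NET] -j TARGET' lines into
    (chain, src_net, dst_net, target) tuples, expanding $VARIABLES from
    the given dict. Lines that are not append rules are skipped."""
    rules = []
    for line in text.splitlines():
        argv = shlex.split(line)
        if argv[:2] != ["iptables", "-A"]:
            continue
        chain = argv[2]
        # After the chain name the line is option/value pairs
        opts = dict(zip(argv[3::2], argv[4::2]))

        def net(value):
            if value is None:
                return None
            if value.startswith("$"):
                value = variables[value[1:]]
            # A bare address becomes a /32 network
            return ipaddress.ip_network(value, strict=False)

        rules.append((chain, net(opts.get("-s")), net(opts.get("-d")), opts["-j"]))
    return rules


def verdict(rules, chain, src, dst):
    """Walk one user-defined chain top to bottom: the first rule whose
    -s and -d both match decides; falling off the end is RETURN, meaning
    the packet continues in the chain that jumped here."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for rule_chain, rule_src, rule_dst, target in rules:
        if rule_chain != chain:
            continue
        if rule_src is not None and src not in rule_src:
            continue
        if rule_dst is not None and dst not in rule_dst:
            continue
        return target
    return "RETURN"


if __name__ == "__main__":
    rules = parse_rules(SANITY_RULES, {"EXTERNAL_IP": "203.0.113.1"})
    # Constructed inbound packets: (source, destination)
    for src, dst in [("10.1.2.3", "203.0.113.1"), ("198.51.100.7", "203.0.113.1"),
                     ("203.0.113.1", "203.0.113.5")]:
        print(src, "->", dst, verdict(rules, "valid-src", src, dst))
```

Anything the evaluator returns RETURN for is exactly what the real chain lets through to the INPUT and FORWARD rules that follow, so a source you expected to be blocked showing up as RETURN points at a missing or mistyped network before the script ever touches the kernel.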
SAMPLE DNS ZONE FILES: USING BIND VIEWS
Here are some sample zone files for a home/small office network that requires
the use of BIND views as explained in Chapter 18, "Configuring DNS."
The /etc/named.conf File
This first sample, named.conf, is for a network in which BIND views are being
used.
An ACL named trusted-subnet was created to define the internal network
192.168.1.0. Two other built-in ACLs are used: localhost, which defines
the DNS server itself, and localnets, which defines all the networks to which
the server is directly connected. Together, the three are used to define the view
named internal, which will return the data contained in the localhost.zone,
192.168.1.zone and my-site-internal.zone files for all queries from these networks.
The view external is used for queries from all other networks and
returns the contents of the my-site.zone file.
Reference to the 192.168.1.0/24 network in the ACL is actually redundant,
because the network is directly connected to the server's NIC and therefore
is already part of the localnets ACL.
// The brace contents of this file were lost when the page was extracted;
// entries marked "assumed" are Red Hat defaults of the time, not values
// taken from the page. The ACL must be defined before it is referenced.
acl "trusted-subnet" { 192.168.1.0/24; };
options {
        directory "/var/named";                            // assumed
        allow-transfer { none; };                          // assumed: no zone transfers
        allow-recursion { localhost; localnets; "trusted-subnet"; };
};
// a caching only nameserver config
controls {
        inet 127.0.0.1 allow { localhost; } keys { "rndckey"; };   // assumed
};
include "/etc/rndc.key";                                   // assumed
view "internal" {
        match-clients { localhost; localnets; "trusted-subnet"; };
        zone "." IN { type hint; file "named.ca"; };                         // assumed file name
        zone "localhost" IN { type master; file "localhost.zone"; };
        zone "0.0.127.in-addr.arpa" IN { type master; file "named.local"; };  // assumed file name
        zone "1.168.192.in-addr.arpa" IN { type master; file "192.168.1.zone"; };
        zone "my-web-site.org" { type master; file "my-site-internal.zone"; };
};
view "external" {
        match-clients { any; };
        recursion no;
        zone "my-web-site.org" { type master; file "my-site.zone"; };
};
Zone File for my-web-site.org (External View)
Here is an example for the external zone file for my-web-site.org. The firewall
rules NAT IP address 97.158.253.26 to server Bigboy's 192.168.1.100 IP
address, so all references to Bigboy need to use the public IP address. As server
Bigboy is the mail and Web server, the zone file also has an A record / CNAME
combination so that you can access Bigboy by one of these two aliases
depending on the role you wish it to play. For mail, you could access it as
mail.my-web-site.org and for Web applications you could access it as
www.my-web-site.org.
; Zone file for my-web-site.org - Filename my-site.zone
; The full zone file
$TTL 3D
@ IN SOA www.my-web-site.org. hostmaster.my-web-site.org. (
200211152 ; serial, todays date + todays serial #
3600 ; refresh, seconds
3600 ; retry, seconds
3600 ; expire, seconds
3600 ) ; minimum, seconds
NS www ; Inet Address of name server
my-web-site.org. MX 10 mail ; Primary Mail Exchanger
localhost A 127.0.0.1
www A 97.158.253.26
mail CNAME www
Zone File for my-web-site.org (Internal View)
Here is an example for the internal zone file for my-web-site.org. When the
name server is accessed from the internal 192.168.0.0 network,
bigboy.my-web-site.org maps to 192.168.1.100. There is also an entry for one of
the home PCs named Smallfry, which you can now additionally access as
smallfry.my-web-site.org. As server Bigboy is also a mail and Web server, CNAMEs are added so
that you can access 192.168.1.100 by one of two aliases depending on the role
you wish it to play. For mail, you could access it as mail.my-site-internal.com
and for Web applications you could access it as www.my-web-site.org.
; Zone file for my-web-site.org - Filename my-site-internal.zone
; The full zone file
$TTL 3D
@ IN SOA www.my-web-site.org. hostmaster.my-web-site.org. (
200211151 ; serial, todays date + todays serial #
3600 ; refresh, seconds
3600 ; retry, seconds
3600 ; expire, seconds
3600 ) ; minimum, seconds
NS www ; Inet Address of name server
my-web-site.org. MX 10 mail.my-web-site.org. ; Primary Mail Exchanger
localhost A 127.0.0.1
bigboy A 192.168.1.100
smallfry A 192.168.1.102
firewall A 192.168.1.1
www CNAME bigboy
mail CNAME bigboy
Reverse Zone File for a Home Network Using NAT
You can also create a reverse zone file for the home network on the
192.168.1.X network using the same principles you used for a public network.
Now you'll get correct responses for both forward and reverse lookups using
the host or nslookup commands.
; Reverse Zone file for 192.168.0.0 - Filename 192.168.1.zone
$TTL 86400
@ 1D IN SOA @ root (
51 ; serial
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
1D IN NS @
100 PTR bigboy.my-web-site.org.
102 PTR smallfry.my-web-site.org.
1 PTR firewall.my-web-site.org.
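An added example, not from the page: forward and reverse zones drift apart when both are edited by hand, so this derives the PTR records of 192.168.1.zone from the A records of my-site-internal.zone (a constructed copy of the records above). The function names are this example's own, and it generalises to any octet-aligned reverse zone rather than only the /24 on the page.

```python
"""Generate in-addr.arpa PTR records from a forward zone's A records.
Added example; the A records are a constructed copy of my-site-internal.zone."""
import ipaddress

FORWARD_A_RECORDS = {
    "localhost": "127.0.0.1",
    "bigboy": "192.168.1.100",
    "smallfry": "192.168.1.102",
    "firewall": "192.168.1.1",
}
ZONE = "my-web-site.org"


def reverse_zone_name(network):
    """'192.168.1.0/24' -> '1.168.192.in-addr.arpa', the zone name used in
    named.conf. in-addr.arpa delegation works on whole octets only."""
    net = ipaddress.ip_network(network)
    if net.prefixlen % 8:
        raise ValueError("reverse zones are delegated on octet boundaries")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_records(a_records, network, zone):
    """Return (owner, fqdn) pairs for every A record inside network, the
    owner being relative to the reverse zone (just the host octet for a
    /24). Addresses outside the network, such as localhost here, belong to
    a different reverse zone and are skipped. Output is sorted by address."""
    net = ipaddress.ip_network(network)
    host_octets = 4 - net.prefixlen // 8
    found = []
    for host, addr in a_records.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            continue
        owner = ".".join(reversed(str(ip).split(".")[-host_octets:]))
        found.append((ip, owner, f"{host}.{zone}."))
    return [(owner, fqdn) for _, owner, fqdn in sorted(found)]


def render_zone(a_records, network, zone, serial):
    """A complete reverse zone file in the layout of 192.168.1.zone above."""
    lines = [
        f"; Reverse zone file for {network} - generated from the A records of {zone}",
        "$TTL 86400",
        f"@ 1D IN SOA @ root ( {serial} 3H 15M 1W 1D )",
        "  1D IN NS @",
    ]
    lines += [f"{owner} PTR {fqdn}" for owner, fqdn in ptr_records(a_records, network, zone)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(reverse_zone_name("192.168.1.0/24"))
    print(render_zone(FORWARD_A_RECORDS, "192.168.1.0/24", ZONE, 52))
```

Bump the serial whenever the forward zone changes; the generated file is only as current as the A records it was built from.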
SENDMAIL SAMPLES
Chapter 21, "Configuring Linux Mail Servers," outlined the formats of numerous
files. The features mentioned there are used in this complete set of files
customized for a domain named my-web-site.org.
Sample /etc/mail/access File
In this sample section of an /etc/mail/access file relaying is allowed for the
local server and the 192.168.x.x network only.
# Check the /usr/share/doc/sendmail/README.cf file for a description
# of the format of this file. (search for access_db in that file)
# The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
# package.
# by default we allow relaying from localhost
localhost.localdomain RELAY
localhost RELAY
127.0.0.1 RELAY
# Relay messages from the local subnet
192.168 RELAY
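How the `192.168 RELAY` entry is matched, as an added example that is not part of sendmail or of the page: sendmail looks an IP client up in the access map by whole octets, trying the full address first and then progressively shorter prefixes, which is what makes a two-octet entry cover a /16 and nothing else. The entries are a constructed copy of the file above, and the function names are this example's own.

```python
"""Resolve a client IP against sendmail access-map entries by octet.
Added example; the entries are a constructed copy of the access file above."""

ACCESS_DB = [
    ("localhost.localdomain", "RELAY"),
    ("localhost", "RELAY"),
    ("127.0.0.1", "RELAY"),
    ("192.168", "RELAY"),
]


def lookup(access_db, client_ip):
    """Return the action of the most specific matching entry, or None.
    The lookup order for 192.168.1.5 is 192.168.1.5, 192.168.1, 192.168, 192,
    so a more specific entry always wins over a broader one."""
    table = dict(access_db)
    octets = client_ip.split(".")
    for n in range(len(octets), 0, -1):
        key = ".".join(octets[:n])
        if key in table:
            return table[key]
    return None


def relay_allowed(access_db, client_ip):
    """True only when the winning entry says RELAY."""
    return lookup(access_db, client_ip) == "RELAY"


def naive_prefix_relay(access_db, client_ip):
    """The mistake a hand-rolled check makes: treating an entry as a string
    prefix lets '192.16' match 192.160.1.1 and opens the relay to a
    network the administrator never listed."""
    return any(action == "RELAY" and client_ip.startswith(key) for key, action in access_db)


if __name__ == "__main__":
    for ip in ("192.168.1.5", "10.0.0.5", "127.0.0.1"):
        print(ip, "relay" if relay_allowed(ACCESS_DB, ip) else "no relay")
    print("192.160.1.1 with entry 192.16:",
          relay_allowed([("192.16", "RELAY")], "192.160.1.1"),
          "naive:", naive_prefix_relay([("192.16", "RELAY")], "192.160.1.1"))
```

When reviewing an access file, read each partial IP entry as "this many leading octets, exactly", and remember that a later, more specific REJECT entry overrides a broad RELAY for the addresses it names.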
Sample /etc/mail/local-host-names File
In this sample section of a local-host-names file all the domains for which the
mail server has mail responsibility are listed.
# local-host-names - include all aliases for your machine here.
my-web-site.org
www.my-web-site.org
mail.my-web-site.org
ns.my-web-site.org
my-other-site.com
www.my-other-site.com
mail.my-other-site.com
ns.my-other-site.com
Sample /etc/mail/sendmail.mc File
Here is a sample section of a sendmail.mc file. Before enabling any of the DNSBL lines in it, confirm that the list is still operated: several lists of this kind have since shut down, and a retired list that answers every query positively rejects all incoming mail.
dnl # The following causes sendmail to only listen on the IPv4
dnl # loopback address 127.0.0.1 and not on any other network devices.
dnl # Remove the loopback address restriction to accept email from the
dnl # internet or intranet.
dnl #
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl ***** Customised section 1 start *****
dnl
dnl Kill The SPAM Using Blackholes
dnl
FEATURE(`dnsbl', `proxies.blackholes.easynet.nl', `"550 5.7.1 ACCESS DENIED to OPEN PROXY SERVER "$&" by easynet.nl DNSBL (https://proxies.blackholes.easynet.nl/errors.html)"', `')dnl
FEATURE(`dnsbl', `relays.ordb.org', `"550 Email rejected due to sending server misconfiguration - see https://www.ordb.org/faq/#why_rejected"')dnl
FEATURE(`dnsbl', `sbl.spamhaus.org', `"550 Mail from " $`'& " refused - see https://www.spamhaus.org/sbl/"')dnl
FEATURE(`dnsbl', `bl.spamcop.net', `"450 Mail from " $`'& " refused - see https://spamcop.net/bl.shtml"')dnl
FEATURE(`dnsbl', `ipwhois.rfc-ignorant.org',`"550 Mail from " $& " refused. Rejected for bad WHOIS info on IP of your SMTP server - see https://www.rfc-ignorant.org/"')dnl
dnl
dnl Masquerading stuff
dnl
FEATURE(always_add_domain)dnl
FEATURE(`masquerade_entire_domain')dnl
FEATURE(`masquerade_envelope')dnl
dnl FEATURE(`allmasquerade')dnl Even masquerades messages destined for local mailboxes but for other domains
FEATURE(delay_checks)dnl
dnl
dnl
dnl FEATURE(genericstable, `hash -o /etc/mail/genericstable')dnl
dnl GENERICS_DOMAIN_FILE(`/etc/mail/genericstable')dnl
dnl
dnl
define(`confPRIVACY_FLAGS',`goaway')dnl - Limits command usage
define(`confSMTP_LOGIN_MSG', `$j server ready at $b')dnl - Changes login message
define(`confMAX_HEADERS_LENGTH',16384)dnl
dnl
MASQUERADE_DOMAIN(localhost)dnl
MASQUERADE_DOMAIN(localhost.localdomain)dnl
MASQUERADE_DOMAIN(`my-web-site.org.')dnl (for everyone else)
MASQUERADE_AS(my-web-site.org)dnl (for local machine)
dnl
dnl
dnl ***** Customised section 1 end *****
dnl
Sample /etc/mail/virtusertable File
In this virtusertable file the server will accept e-mail to only three users in
the various domains, rejecting everything else.
t689ndtw@my-web-site.org paul
paul@my-other-site.com paul
paul@my-web-site.org paul
@my-other-site.com error:nouser User unknown
@my-web-site.org error:nouser User unknown