Mini HOWTO for IMSLU (Internet Management System for LAN Users) on Debian/GNU Linux

	Copyright  2016 IMSLU Developers
    
    Permission is granted to copy, distribute and/or modify this document
    under the terms of the GNU Free Documentation License, Version 1.3
    or any later version published by the Free Software Foundation;
    with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
    A copy of the license is included in the section entitled "GNU
    Free Documentation License".
__________________________________________________________________

   Table of Contents
   
   1 Intro

		1.1 About IMSLU
		1.2 IMSLU Developers
			1.2.1 Others
		1.3 Legal Notice
		1.4 Other Information

	2 Installation and configuration

		2.1 Requirements
		2.2 Download and install
		2.3 System upgrade
		2.4 Database server
		2.5 Apache2 and PHP5
		2.6 bind9
		2.7 Roaring Penguin PPPoE server
		2.8 FreeRadius client
		2.9 FreeRadius server
		
	3 Scripts

	4 User Interface

___________________________________________________


Chapter 1. Intro

1.1 About IMSLU


1.2 IMSLU Developers

	* PHP Code:
	Fahri Hasan - fahri_hasan@hotmail.com

	* Bash Code:
	Fahri Hasan
		     
	* Design:
     Fahri Hasan
     
	* HTML, JavaScript, CSS:
     Fahri Hasan
     
	* Images:
     
	* Documentation:
     Fahri Hasan
     
	* Beta testing:
	 Veselin Alexandrov
     Fahri Hasan

	* http://www.linux-bg.org/forum/index.php?topic=45276:
	 Naka
	 gat3way
	 edmon
	   
1.2.1 Others

	IMSLU uses elements of other software:
		- http://www.zabbix.com/rn2.0.4.php
		- http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL
		- http://www.wikihow.com/Create-a-Secure-Session-Managment-System-in-PHP-and-MySQL
	   
	Used selected content or guides:
		- (russian) http://habrahabr.ru/post/111399/
		- (en) Linux Advanced Routing & Traffic Control HOWTO - http://www.lartc.org/lartc.html
		- (bugarian) http://myfreesoft.net/phpBB2/viewtopic.php?t=751
		- (bugarian) http://www.linux-bg.org/cgi-bin/y/index.pl?page=article&id=advices&key=364103812
		- (bugarian) http://www.linux-bg.org/cgi-bin/y/index.pl?page=article&id=advices&key=386924398
		- Debian advanced router for ISP  firewall, traffic shaping, smp_affinity, taskset, sysctl and more  http://itservice-bg.net/?p=1122
		- (russian) http://linuxsnippets.net/ru/node/268
		- https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-apache-for-debian-7
        - http://www.zytrax.com/books/dns/ch7/logging.html
		
		
1.3 Legal Notice

	Copyright  2016 IMSLU Developers
	
	This program is free software; you can redistribute it and/or modify
	it under the terms of the GNU General Public License as published by
	the Free Software Foundation; either version 2 of the License, or
	(at your option) any later version.
 
	This program is distributed in the hope that it will be useful,
	but WITHOUT ANY WARRANTY; without even the implied warranty of
	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
	GNU General Public License for more details.
 
	You should have received a copy of the GNU General Public License
	along with this program; if not, write to the Free Software
	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 
__________________________________________________________________

Chapter 2 Installation and configuration

####### 2.1 Requirements #######

	* OS - Linux, yet is fully compatible with Debian Jessie
		- http://www.debian.org/

	* Apache2
		- http://www.apache.org/

	* PHP >= 5.4
		- http://php.net/

	* Database Server - during the development was used MariaDB
		- https://mariadb.org/

	* xtables-addons
		- http://xtables-addons.sourceforge.net/

	* Freeradius
		- http://freeradius.org/

	* Roaring Penguin PPPoE server
		- http://www.roaringpenguin.com/products/pppoe

	* Point-to-Point Protocol (PPP) - daemon
		- http://ppp.samba.org/

	* Recommended	

	* Debian minimal install of a base system

		- http://www.debian.org/doc/books


####### 2.2 Download and install #######

mkdir ~/src
cd ~/src

Download from:
git clone https://github.com/mysticall/imslu.git

AS ROOT in user ~/src:
ln -s $(pwd -P) ~/src

mkdir /usr/share/imslu
cp -r ~/src/imslu/PHP/* /usr/share/imslu

mkdir /etc/imslu
cp -r ~/src/imslu/conf/debian/imslu/* /etc/imslu/
chmod +x /etc/imslu/scripts/*

mkdir /etc/imslu/backup
chown www-data:www-data /etc/imslu/backup

mkdir /var/log/imslu
cp ~/src/imslu/conf/cron/imslu /etc/cron.d/

### System settings ###

install -c -m 755 ~/src/imslu/conf/debian/etc/rc.local /etc
install -c -m 644 ~/src/imslu/conf/debian/etc/sysctl.conf /etc
install -c -m 644 ~/src/imslu/conf/debian/etc/network/interfaces /etc/network


####### 2.3 System upgrade #######

Info:
-----------
First back up the database!
Follow strictly these steps to upgrade:
-----------

. /etc/imslu/config.sh
cd $SQL_BACKUP_DIR; $MYSQLDUMP $database -u $user -p${password} > $(date +"%Y-%m-%d-%H:%M:%S")_${database}_full-dump.sql

### FROM 0.1-alpha TO 0.1-alpha-1 ### 
mysql $database -u $user -p${password} < database/upgrades/mysql/01_patch-0.1-alpha-1.sql

### FROM 0.1-alpha-1 TO 0.2-alpha ###
STEP 1:
mysql $database -u $user -p${password} < database/upgrades/mysql/02_patch_from_0.1-alpha-1_to_0.2-alpha-step1.sql
php5 database/upgrades/mysql/from_0.1-alpha-1_to_0.2-alpha.php
php5 database/upgrades/mysql/fix_serviceid_0.2-alpha.php

STEP 2:
rm /etc/rsyslog.d/ip_status.conf
rm /etc/ppp/ip-up.d/0001shaper
rm /etc/ppp/ip-down.d/0001shaper


####### 2.4 MariaDB #######

apt-get update
apt-get install mariadb-server

-----------
CREATE IMSLU Database
-----------
mysql -u root -p
CREATE DATABASE imslu DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_general_ci;
GRANT ALL PRIVILEGES ON imslu.* TO imslu@localhost IDENTIFIED BY 'imslu_password';
quit;

-----------
CREATE Tables and inser data
-----------
. /etc/imslu/config.sh
cd ~/src/imslu/database/mysql

mysql $database -u $user -p${password} < 01_schema.sql
mysql $database -u $user -p${password} < 03_example_static_ip-addresses.sql
mysql $database -u $user -p${password} < 04_freeradius_schema.sql
mysql $database -u $user -p${password} < 05_freeradius_example_ip-pool.sql


####### 2.5 Apache2 and PHP5 #######

apt-get install libapache2-mod-php5 php5-mysql

Uncomment and set default timezone
nano /etc/php5/apache2/php.ini
-----------
date.timezone = "Europe/Sofia"
-----------

mkdir /etc/apache2/ssl
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

The most important line is "Common Name". Enter your official domain name here or, if you don't have one yet, your site's IP address.

example:
-----------
Generating a 2048 bit RSA private key
............................................................+++
...........................................................+++
writing new private key to '/etc/apache2/ssl/apache.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BG
State or Province Name (full name) [Some-State]:Sofia
Locality Name (eg, city) []:Sofia
Organization Name (eg, company) [Internet Widgits Pty Ltd]:imslu
Organizational Unit Name (eg, section) []:imslu
Common Name (e.g. server FQDN or YOUR name) []:192.168.1.254
Email Address []:webmaster@localhost
-----------

a2enmod ssl
a2enmod rewrite

rm /var/www/html/index.html
cp /etc/imslu/index.php /var/www/html
ln -s /etc/imslu/apache-ssl.conf /etc/apache2/sites-enabled/imslu-ssl.conf

NB: Edit "/etc/imslu/expired.conf" and change IP address.
ln -s /etc/imslu/expired.conf /etc/apache2/sites-enabled/expired.conf
cp /etc/imslu/000-default.conf /etc/apache2/sites-available

/etc/init.d/apache2 restart


####### 2.6 bind9 #######

https://wiki.debian.org/Bind9

apt-get install bind9 

nano /etc/bind/named.conf
Add before 'include "/etc/bind/named.conf.options";'
------------------------------------------------------------------------
logging{
  channel simple_log {
    file "/var/bind9/chroot/var/log/bind.log" versions 3 size 5m;
    severity error;
    print-time yes;
    print-severity yes;
    print-category yes;
  };
  category default{
    simple_log;
  };
};
------------------------------------------------------------------------

nano /etc/bind/named.conf.options 
Add after "listen-on-v6 { any; };"
------------------------------------------------------------------------
    listen-on { 127.0.0.1; 10.0.1.1; 10.0.2.1; };

    allow-transfer { none; };
    recursion yes;
    allow-query { 127.0.0.1; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };

    // Do not make public version of BIND
    version none;
------------------------------------------------------------------------

Bind Chroot

/etc/init.d/bind9 stop

nano /etc/default/bind9
------------------------------------------------------------------------
OPTIONS="-u bind -t /var/bind9/chroot"
------------------------------------------------------------------------

mkdir -p /var/bind9/chroot/{etc,dev,var/cache/bind,var/run/named,var/log}
mknod /var/bind9/chroot/dev/null c 1 3
mknod /var/bind9/chroot/dev/random c 1 8
chmod 660 /var/bind9/chroot/dev/{null,random}
mv /etc/bind /var/bind9/chroot/etc
ln -s /var/bind9/chroot/etc/bind /etc/bind
chown -R bind:bind /etc/bind/*
chmod 775 /var/bind9/chroot/var/{cache/bind,run/named,log}
chgrp bind /var/bind9/chroot/var/{cache/bind,run/named,log}

nano /etc/init.d/bind9
------------------------------------------------------------------------
PIDFILE=/var/bind9/chroot/var/run/named/named.pid
------------------------------------------------------------------------

/etc/init.d/rsyslog restart; /etc/init.d/bind9 start


####### 2.7 Roaring Penguin PPPoE server #######

apt-get install build-essential fakeroot libncurses5-dev
apt-get install ppp
apt-get build-dep pppoe

cd ~/src
apt-get source pppoe
cd rp-pppoe-3.8/src
./configure

Add kernel pppoe support:
sed -i 's/\/\* \#undef HAVE_LINUX_KERNEL_PPPOE \*\//\#define HAVE_LINUX_KERNEL_PPPOE 1/' config.h

cd ..
fakeroot make -f debian/rules PLUGIN_PATH=/usr/lib/pppd/2.4.6/rp-pppoe.so
fakeroot make -f debian/rules binary
cd ..
dpkg -i pppoe_3.8-3_amd64.deb


Hold PPPoE Server version on current:
echo pppoe hold | dpkg --set-selections

If need to recompile and reinstall PPPoE Server:
echo pppoe install | dpkg --set-selections


Copy PPPoE server configuration files:

install -c -m 644 ~/src/imslu/conf/debian/etc/ppp/options /etc/ppp
install -c -m 644 ~/src/imslu/conf/debian/etc/ppp/pppoe-server-options /etc/ppp

install -c -m 644 ~/src/imslu/conf/debian/etc/imslu/scripts/0001_up_imslu /etc/ppp/ip-up.d/
install -c -m 644 ~/src/imslu/conf/debian/etc/imslu/scripts/0001_down_imslu /etc/ppp/ip-down.d/
chmod a+x /etc/ppp/ip-up.d/0001_up_imslu
chmod a+x /etc/ppp/ip-down.d/0001_down_imslu


####### 2.8 FreeRadius client #######

apt install libfreeradius-client2

echo "localhost my_isp_radius_secret" > /etc/radiusclient/servers
install -c -m 644 ~/src/imslu/conf/debian/etc/radiusclient/port-id-map /etc/radiusclient
install -c -m 644 ~/src/imslu/conf/debian/etc/radiusclient/radiusclient.conf /etc/radiusclient
echo "ATTRIBUTE   Acct-Interim-Interval   85  integer" >> /etc/radiusclient/dictionary

####### 2.9 FreeRadius server #######

apt install freeradius freeradius-common freeradius-mysql freeradius-utils libfreeradius2

Setting up a FreeRadius server:

rm /etc/freeradius/sites-enabled/inner-tunnel
echo '' > /etc/freeradius/huntgroups
echo 'ATTRIBUTE   Acct-Interim-Interval   85  integer' >> /etc/freeradius/dictionary

install -c -m 640 ~/src/imslu/conf/debian/etc/freeradius/2.2/radiusd.conf /etc/freeradius
install -c -m 640 ~/src/imslu/conf/debian/etc/freeradius/2.2/sql.conf /etc/freeradius
install -c -m 640 ~/src/imslu/conf/debian/etc/freeradius/2.2/sqlippool.conf /etc/freeradius
install -c -m 640 ~/src/imslu/conf/debian/etc/freeradius/2.2/sites-available/default /etc/freeradius/sites-available

/etc/init.d/freeradius restart
chmod 755 /var/log/freeradius


####### 3 Scripts #######

Install system tools:

apt-get install sudo vlan ipset arp-scan arping ethtool minicom


PHP use sudo to start scripts, that need root access
Add to /etc/sudoers as exsample:
nano /etc/sudoers
------------------------------------------------------------------------
# Cmnd alias specification
Cmnd_Alias      FUNCTIONS_PHP = /etc/imslu/scripts/functions-php.sh
Cmnd_Alias      ARPING = /usr/sbin/arping

# Allow members of group www-data to execute commands
%www-data ALL=NOPASSWD: FUNCTIONS_PHP, ARPING
------------------------------------------------------------------------
/etc/init.d/sudo restart


### Disable predictable interface names ###

nano /etc/default/grub
------------------------------------------------------------------------
GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"
GRUB_TERMINAL=console
------------------------------------------------------------------------
update-grub2


### Stop Clearing Console ###
sed -i 's/TTYVTDisallocate=yes/TTYVTDisallocate=no/' /lib/systemd/system/getty@.service


### ULOGD ###

apt-get install ulogd2

rm /etc/logrotate.d/ulogd2
install -c -m 644 ~/src/imslu/conf/debian/etc/ulogd.conf /etc
/etc/init.d/ulogd2 restart


##### 3.1 Rebuild an official Debian kernel #####
https://tracker.debian.org/pkg/linux

apt-get build-dep linux
:~# exit
cd ~/src
apt-get source linux

### Apply IMQ patch ###
https://github.com/imq/linuximq

cd linux-3.16.36
patch -p 1 < ~/src/imslu/conf/kernel/linux-3.16-imq.diff
sed -i -e 's|$(MAKE) |$(MAKE) -j4 |' debian/rules.gen
fakeroot make -f debian/rules setup 2>&1 | tee setup.log

make -C debian/build/build_amd64_none_amd64 menuconfig
-----------
    Security options  --->
    [ ] NSA SELinux Support
    [ ] AppArmor support

    General setup  --->
    [ ] Auditing support

[*] Networking support  --->
      Networking options  --->
        [ ] Security Marking
        [*] Network packet filtering framework (Netfilter)  --->
            Core Netfilter Configuration  --->
              <M>   "IMQ" target support

        <M> IP set support  --->

              (256) Maximum number of IP sets (NEW)
              <M>   hash:ip set support
              <M>   hash:ip,mark set support
              <M>   hash:ip,port,ip set support
              <M>   hash:ip,port,net set support
              <M>   hash:mac set support
              <M>   hash:net,port,net set support
              <M>   hash:net set support
              <M>   hash:net,net set support
              <M>   hash:net,port set support
              <M>   hash:net,iface set support

    Device Drivers  --->
      -*- Network device support  --->
        {*} IMQ (intermediate queueing device) support 
            IMQ behavior (PRE/POSTROUTING) (IMQ AB)  --->
        (2) Number of IMQ devices

        --- IMQ behavior (PRE/POSTROUTING) (IMQ AB)  --->
            ( ) IMQ AA
            (X) IMQ AB
            ( ) IMQ BA
            ( ) IMQ BB

-----------

fakeroot make -f debian/rules binary-arch 2>&1 | tee binary.log

If error: "ABI has changed!  Refusing to continue."
-----------
mv debian/abi/3.16.0-4/amd64_none_amd64 debian/abi/3.16.0-4/amd64_none_amd64.orig
cp debian/build/build_amd64_none_amd64/Module.symvers debian/abi/3.16.0-4/amd64_none_amd64
fakeroot make -f debian/rules binary-arch 2>&1 | tee binary2.log
-----------

cd ..
dpkg -i linux-image-3.16.0-4-amd64_3.16.36-1+deb8u2_amd64.deb

NB: Install linux headers with IMQ patch or xtables addons will not work.
apt-get install linux-kbuild-3.16
dpkg -i linux-headers-3.16.0-4-common_3.16.36-1+deb8u2_amd64.deb linux-compiler-gcc-4.8-x86_3.16.36-1+deb8u2_amd64.deb linux-headers-3.16.0-4-amd64_3.16.36-1+deb8u2_amd64.deb

##### 3.2 Rebuild iptables #####

apt-get build-dep iptables
cd ~/src
apt-get source iptables
wget https://raw.githubusercontent.com/imq/linuximq/master/latest/iptables-1.4.13-imq.diff

### Apply IMQ patch ###
cd iptables-1.4.21
patch -p 1 < ../iptables-1.4.13-imq.diff
sed -i -e 's|1.4.21-2|1.4.21-2+b1|' debian/changelog
fakeroot make -f debian/rules binary 2>&1 | tee binary.log
cd ..
dpkg -i iptables_1.4.21-2+b1_amd64.deb libxtables10_1.4.21-2+b1_amd64.deb
dpkg -i iptables-dev_1.4.21-2+b1_amd64.deb


### DNETMAP ###
http://arpnet.pl/dnetmap/

apt install --no-install-recommends xtables-addons-common xtables-addons-dkms libtext-csv-xs-perl
modprobe xt_DNETMAP


####### 3.3 GRAPHICS #######

apt-get install rrdtool



####### 3.4 CONFIG #######

Edit config files:
- /etc/imslu/config.sh
- /etc/imslu/config.php
- /etc/imslu/database_config.php


####### User Interface #######

Group:    System administrators
User:     sadmin
Password: sadmin

Group:    Administrators
User:     admin
Password: admin
