Talk for Manchester LUG
Matthew Palmer
Networking Linux in the home or Small Business
This is intended to be an outline for setting up a small network using Linux
and incorporating Windows machines as workstations. It is intended to be
based around Linux 2.0.x, although the vast majority is also applicable to
2.2.x. Windows configuration will be described in a fairly generalised
manner, so as to be helpful to all dialects.
The scenario for which this setup is intended is as follows:
- A home or small business.
- want to network several computers.
- have a part-time Internet connection.
- want to share a couple of printers.
- have common filestore available.
- No official IP network address assigned.
As a result of these requirements, security from the outside network world is
not a paramount concern; steps will be taken to ensure that risk is
minimised, but functionality will be selected over security if necessary.
All machines are assumed to have a completely local installation of the
operating system and applications, and only home directories and printers
are to be shared. The passwd, shadow and group files are also shared, to
allow reliable UID->name mapping. Yes, this is a security problem, but we
can minimise it if we're careful.
Physical
- Ethernet - most common LAN protocol, widely supported by most OSes.
- 10Base2 - coax cable, bus pattern.
- 180m max run length (terminator-to-terminator).
- Terminated at both ends of cable run.
- Each machine connected to the cable by a 'T' connector.
- Any break in the cable will disable entire network.
- 10BaseT - twisted pair cable, star pattern.
- 100-150m max run length (11.5dB drop, technically).
- Each host connects to a central hub by its own run of cable.
- A broken cable will only disable one host.
Logical layout
- Several clients running Linux or Windows (or both).
- File server.
- Print server.
- Network server.
- These functions can be incorporated into one machine, if resources
permit.
- Note: a Linux server does not have to be big on memory or processor
power - a 486DX2/80 with 16MB of RAM does my file, print, and network
services quite fine.
- Will use IP network 192.168.1/24 - reserved by IANA for private
networks.
Installation
Cabling
- Don't run cables near power lines.
- Don't run copper between buildings - use Fiber.
- Keep runs as short as possible, remember 185m total for 10Base2,
100-150m per cable for 10BaseT.
- Don't cable unless you're sure you can handle it.
Assigning services
- Choose whether to have file/print/network server on one machine or
separate machines.
Assigning names and addresses
- Choose a local domain name, something fictional which is not likely to
be a real name. domain.fake.uk will be used for example.
- Give each machine a name - see RFC1178 for guidelines.
- The servers should have additional names - nfs, ns,
www, print, etc to show services available.
- Give each machine an IP address, subject to the following guidelines:
- Do not use 0 and 255 - reserved for special purposes.
- Network server should get 1 (by convention)
- File & print servers (if separate) get 2 & 3 (again, convention)
- Sequentially number all remaining machines.
- Keep a record of all address-to-name relationships.
Clients
Linux
Kernel
There are a number of items which must be configured into your kernel (or,
in some cases, possibly as modules). The list below is taken from Linux
version 2.0.36, but shouldn't NEED anything more for 2.2.x, although there
are more options available.
- CONFIG_NET
- CONFIG_INET
- CONFIG_NETDEVICES
- CONFIG_NET_ETHERNET
- At least one card driver (only one, preferably) unless the machine is a
laptop using a PCMCIA device.
- CONFIG_NFS_FS
ifconfig
Doing the ifconfig work at startup is a distro-specific issue. On
BSD-like inits, the config will probably be in /etc/rc.d/rc.network or
something similar. On SysV machines it's more likely to be in
/etc/init.d/network or similar. Then the individual style of each script
will be different. It should be fairly obvious, at any rate. Most distros
have a config script to do it automatically for you, so you can use that if
you want.
If you want (or need) to roll your own ifconfig line, the following script
will do the job for you, replacing <x> with the number
assigned to the machine earlier.
#!/bin/sh
IPADDR=192.168.1.<x>
NETMASK=255.255.255.0
/sbin/ifconfig eth0 $IPADDR netmask $NETMASK
route
The same comments apply to route as did for ifconfig, and ifconfig and route
are usually run at the same time. A roll-your-own config script, for both
ifconfig and route together, is as follows:
#!/bin/sh
# Replace <x> with the host number assigned to this machine earlier.
IPADDR=192.168.1.<x>
NETMASK=255.255.255.0
NETWORK=192.168.1.0
GATEWAY=192.168.1.1
/sbin/ifconfig eth0 $IPADDR netmask $NETMASK
/sbin/route add -net $NETWORK netmask $NETMASK eth0
/sbin/route add default gw $GATEWAY
/etc/resolv.conf
- Configures nameservers and search domains.
- Use the following:
search domain.fake.uk
nameserver 192.168.1.1
This tells the host to use 192.168.1.1 (the network server) as its sole DNS
server, and to append domain.fake.uk to any name that it can't resolve as given.
/etc/host.conf
/etc/hosts
- This only needs to contain the localhost address (127.0.0.1) since we
will use a local DNS server to perform all lookups.
/etc/fstab
To facilitate NFS mounts, add the following lines to /etc/fstab:
nfs:/etc /nfs/etc nfs defaults 0 0
nfs:/home /nfs/home nfs defaults 0 0
Also ensure that the directories /nfs/etc and /nfs/home
are created, on the root partition!
Move /etc/passwd, /etc/group, and /etc/shadow (if used) to /nfs/etc. Then
symlink:
ln -s /nfs/etc/passwd /etc/passwd
ln -s /nfs/etc/group /etc/group
ln -s /nfs/etc/shadow /etc/shadow
ln -s /nfs/home /home
(the shadow line only if shadow passwords are in use)
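The move-and-symlink steps above are easy to get wrong on a live box (ln -s
into an existing /home directory creates /home/home instead of replacing it,
and a dangling /etc/passwd locks everyone out). This added script, not part of
the talk, carries the steps out with those checks, is safe to re-run, and takes
a ROOT prefix so the procedure can be rehearsed in a scratch directory first.
It assumes the talk's mount points /nfs/etc and /nfs/home.

```shell
#!/bin/sh
# Added example, not from the talk. ROOT (assumed variable) defaults to the
# real filesystem; set ROOT=/some/scratch/dir to rehearse.

# Move one file into /nfs/etc and replace it with the symlink the talk
# describes. Idempotent: already-converted or absent files are left alone.
link_shared_file() {
    root=${ROOT:-}
    name=$1
    src="$root/etc/$name"
    dst="$root/nfs/etc/$name"
    if [ -L "$src" ]; then
        return 0          # already converted on an earlier run
    fi
    if [ ! -e "$src" ]; then
        return 0          # e.g. no shadow file on this system
    fi
    if [ -e "$dst" ]; then
        echo "$dst already exists: keep the server's copy, not this client's" >&2
        return 1
    fi
    mv "$src" "$dst" && ln -s "/nfs/etc/$name" "$src"
}

# Create the mount points on the root partition (as the talk insists), convert
# passwd/group/shadow, and move any existing /home aside before linking it.
setup_nfs_client() {
    root=${ROOT:-}
    mkdir -p "$root/nfs/etc" "$root/nfs/home"
    for f in passwd group shadow; do
        link_shared_file "$f" || return 1
    done
    if [ -d "$root/home" ] && [ ! -L "$root/home" ]; then
        mv "$root/home" "$root/home.pre-nfs"
    fi
    [ -L "$root/home" ] || ln -s /nfs/home "$root/home"
}

# Run before rebooting: confirm the links exist and that the passwd file is
# actually readable through them (the link target is absolute, so it is
# resolved under $root for a rehearsal).
verify_links() {
    root=${ROOT:-}
    for f in passwd group; do
        [ -L "$root/etc/$f" ] || return 1
    done
    [ -r "$root$(readlink "$root/etc/passwd")" ]
}

# Usage: mount /nfs/etc and /nfs/home first, then
#   setup_nfs_client && verify_links
```

Rehearse with ROOT pointing at an empty directory containing a copy of /etc;
the converted tree shows exactly which files move and what the links point at
before anything touches the real root filesystem.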
/etc/printcap
Windows
- Win3.11 - Main -> Control Panel -> Network
- Win9x - Start -> Control Panel -> Network
Protocols
- Ensure that TCP/IP is available, and is the default protocol.
- Can remove other protocol stacks (IPX, etc).
IP address
- Select "Configure" for TCP/IP protocol.
- Insert given IP address (of the form 192.168.1.<x>) in the
appropriate field.
- Netmask is 255.255.255.0, if Windows doesn't automatically guess it.
Default gateway
DNS
- Turn WINS off.
- Add single DNS server - 192.168.1.1.
- Add domain.fake.uk to domain list.
File sharing
Using File Manager or Windows Explorer (depending on Windows version),
map the home directory from samba to a local drive.
Print sharing
Using Print Manager, map the network printers on print to local
printer ports.
Servers
File server
Will have aliases of nfs, samba, www (if web server used).
Kernel
Must have the following options enabled:
- CONFIG_NET
- CONFIG_INET
- CONFIG_NETDEVICES
- CONFIG_NET_ETHERNET
- At least one card driver (only one, preferably) unless the machine is a
laptop using a PCMCIA device.
NFS
Edit /etc/exports for the following:
/etc 192.168.1/24(root_squash,insecure,ro)
/home 192.168.1/24(root_squash,insecure,rw)
Samba
Web server
- Many organisations like an internal web server for testing sites,
sharing public info, and the sheer novelty of it.
- Not a public web server - only accessible from WITHIN the local network.
- The web server is here instead of on Network server for security, but
mainly because fileserver will probably have more disk space for web space.
- Using Apache:
- Set Listen to the server's address on the local network rather than all
interfaces, especially if the web server is running on the network server.
- Config files are in /etc/apache (under Debian, anyway). Main
document root is under /var/www.
- User home pages go in the directory $HOME/public_html by
default.
- Standard config options are sane.
Print server
Kernel
- CONFIG_NET
- CONFIG_INET
- CONFIG_NETDEVICES
- CONFIG_NET_ETHERNET
- At least one card driver (only one, preferably) unless the machine is a
laptop using a PCMCIA device.
lpr
lprNG
I mention this because it seems like a good future option for systems.
However, I have no significant experience with it, and shall not attempt to
give configuration details. I will merely recommend an examination of the
documentation - since the config for lpr and lprNG are rather similar.
Samba
Similarly to the file server:
[global]
        debug level = 1
        printing = bsd
        security = user
        printcap name = /etc/printcap
        load printers = yes
        server string = FooBar Inc. printserver running Samba %v
        client code page = 437
        name resolve order = host
        interfaces = 192.168.1.1/24
        socket address = 192.168.1.1
        create mask = 0644
[printers]
        path = /tmp
        guest ok = no
        browsable = yes
        printable = yes
Network server
Kernel
The following are required options:
- CONFIG_MODULES
- CONFIG_NET
- CONFIG_FIREWALL
- CONFIG_INET
- CONFIG_IP_FORWARD
- CONFIG_IP_FIREWALL
- CONFIG_IP_MASQUERADE
- CONFIG_NETDEVICES
- CONFIG_NET_ETHERNET
- At least one card driver (only one, preferably) unless the machine is a
laptop using a PCMCIA device.
- SLIP support if you want to use diald.
- Support for whatever Internet access method you use. (SLIP, PPP, ISDN,
Cable modem, whatever)
The following are recommended:
- CONFIG_IP_MASQUERADE_ICMP
- CONFIG_IP_ALWAYS_DEFRAG
- CONFIG_IP_ACCT
- CONFIG_IP_ROUTER (if network server running separate to file and print
server)
- CONFIG_IP_NOSR
You may need CONFIG_EXPERIMENTAL to be able to select some of the
options, certainly for MASQ_ICMP, under 2.0.x.
Under newer kernels (2.0.34 or later) forwarding is disabled by default and
must be explicitly turned on by: echo "1" > /proc/sys/net/ipv4/ip_forward
DNS
We want a system which can resolve local addresses, but forwards all remote
addresses elsewhere. The best way of doing this is a non-delegated,
forwarding, caching nameserver. The template config files for doing this
under BIND 8 are as follows:
/etc/named.conf
options {
        directory "/var/named";
        listen-on port 53 { 192.168.1.1; };
        forward only;
        forwarders { /* Forwarders list */ };
};
zone "domain.fake.uk" {
        type master;
        file "zone/domain.fake.uk";
        allow-update { none; };
        allow-transfer { none; };
        allow-query { 192.168.1/24; };
        notify no;
        also-notify { };
};
zone "1.168.192.IN-ADDR.ARPA" {
        type master;
        file "rev/192.168.1";
        allow-update { none; };
        allow-transfer { none; };
        allow-query { 192.168.1/24; };
        notify no;
        also-notify { };
};
zone "localhost" {
        type master;
        file "zone/local";
};
zone "127.in-addr.arpa" {
        type master;
        file "rev/127";
};
zone "." {
        type hint;
        file "named.root";
};
/var/named/zone/domain.fake.uk
@       IN SOA  gateway.domain.fake.uk. hostmaster.domain.fake.uk. (
                YYYYMMDDRR      ; Date Edited
                10800           ; Refresh - 3 hours
                600             ; Retry - 10 mins
                3600000         ; Expire - 1000 hours
                86400 )         ; Minimum - 24 hours
; Nameservers listed here must be primary or secondary
; servers for this zone
        IN NS   ns.domain.fake.uk.
        IN A    192.168.1.1
;
; Local System Addresses
;
ns      IN CNAME gateway
print   IN CNAME gateway
samba   IN CNAME gateway
nfs     IN CNAME gateway
www     IN CNAME gateway
mail    IN CNAME gateway
gateway IN A    192.168.1.1
        MX 0    domain.fake.uk.
; Template for each further host (an unowned MX line attaches to the
; preceding owner, so keep it commented until the A record above it is):
;<name> IN A    192.168.1.<x>
;       MX 0    domain.fake.uk.
/var/named/rev/192.168.1
@       IN SOA  gateway.domain.fake.uk. hostmaster.domain.fake.uk. (
                YYYYMMDDRR      ; Date edited
                10800           ; Refresh - 3 hours
                600             ; Retry - 10 mins
                3600000         ; Expire - 1000 hours
                86400 )         ; Minimum - 24 hours
        IN NS   gateway.domain.fake.uk.
0       IN PTR  local.
; PTR targets must be fully qualified: "gateway." on its own would name a
; non-existent top-level domain, not gateway.domain.fake.uk.
1       IN PTR  gateway.domain.fake.uk.
;<x>    IN PTR  <name>.domain.fake.uk.
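The two zone templates leave one line per host to be filled in by hand, and
the "Assigning names and addresses" section says to keep a record of every
address-to-name relationship. This added script, not part of the talk,
generates the forward and reverse lines from that record and checks the record
against the guidelines given there (no host number 0 or 255, no duplicate
numbers or names). The record format, one "number name" pair per line, is my
own assumption, as are the DOMAIN and NETPREFIX variables.

```shell
#!/bin/sh
# Added example, not from the talk. Input: lines of "<x> <name>", where <x>
# is the host number in 192.168.1.<x> (constructed format).

DOMAIN=domain.fake.uk
NETPREFIX=192.168.1

# Validate the record on stdin. Exit status 1 if any line breaks the talk's
# rules (0 and 255 are reserved, numbers and names must be unique).
check_hosts() {
    awk '
        $1 !~ /^[0-9]+$/ || $1 == 0 || $1 >= 255 {
            print "bad host number: " $0 > "/dev/stderr"; bad = 1
        }
        seen_num[$1]++  { print "duplicate number: " $0 > "/dev/stderr"; bad = 1 }
        seen_name[$2]++ { print "duplicate name: "   $0 > "/dev/stderr"; bad = 1 }
        END { exit bad + 0 }'
}

# Forward zone lines in the shape of the "<name> IN A 192.168.1.<x>" template,
# each followed by the MX line the template attaches to every host.
forward_records() {
    awk -v net="$NETPREFIX" -v dom="$DOMAIN" '
        { printf("%-12s IN A  %s.%s\n", $2, net, $1)
          printf("%-12s MX 0  %s.\n", "", dom) }'
}

# Reverse zone lines with fully qualified targets ("<x> IN PTR <name>.domain.").
reverse_records() {
    awk -v dom="$DOMAIN" '{ printf("%-4s IN PTR  %s.%s.\n", $1, $2, dom) }'
}

# Usage, with hosts.txt as the record (constructed file name):
#   check_hosts < hosts.txt \
#     && forward_records < hosts.txt >> /var/named/zone/domain.fake.uk \
#     && reverse_records < hosts.txt >> /var/named/rev/192.168.1
```

Running check_hosts before appending means a typo in the record (a reused
number, say) is caught before it turns into two hosts answering to one PTR.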
/var/named/zone/local
; BIND data file for local loopback interface
;
@       IN SOA  localhost. root.localhost. (
                1               ; Serial
                604800          ; Refresh
                86400           ; Retry
                2419200         ; Expire
                604800 )        ; Default TTL
;
        IN NS   localhost.
        IN A    127.0.0.1
/var/named/rev/127
; BIND reverse data file for local loopback interface
;
@       IN SOA  localhost. root.localhost. (
                1               ; Serial
                604800          ; Refresh
                86400           ; Retry
                2419200         ; Expire
                604800 )        ; Default TTL
;
        IN NS   localhost.
1.0.0   IN PTR  localhost.
/var/named/named.root
You should obtain an up-to-date version of this file. Info on obtaining it
is as follows (taken from named.root.1997982200):
; This file is made available by InterNIC registration services
; under anonymous FTP as
; file /domain/named.root
; on server FTP.RS.INTERNIC.NET
; -OR- under Gopher at RS.INTERNIC.NET
; under menu InterNIC Registration Services (NSI)
; submenu InterNIC Registration Archives
; file named.root
IP Masquerading
- The default policies as defined here state that, by default, we should
silently discard all packets which did not originate or are destined for the
local host. However, if the packet originated with someone on the network
192.168.1.0/24 (our local network) we will masquerade the headers. It is
implied that a response packet from the outside world will be de-masqueraded
and passed on if we know where it's going, bypassing the usual forwarding
ruleset (so a forwarding rule denying anything from the outside world will
not stop a return-masq packet - although an input rule will).
- It is very, very wrong to make the default policy masquerade. That will
allow anyone with half a clue to use your system as a nice anonymous
forwarder.
- These commands can go in a few places. System startup scripts (might
not work for modern systems), ppp-up script, or, if you're using diald, in
the script pointed to by the addroute option.
- A different script is required for 2.2.x kernels as opposed to 2.0.x (and
earlier) kernels, due to a difference in their internal routing procedures.
You can use /usr/bin/awk '{printf("%3.3s\n", $3)}' /proc/version to determine
the kernel version, then decide which script to run based on the second part
of the version number.
- For 2.2.x kernels:
- Use ipchains to set default policies for forwarding:
- ipchains -P forward DENY
- ipchains -A forward -s 192.168.1.0/24 -j MASQ
- For 2.0.x kernels:
- Use ipfwadm to set default policies for forwarding:
- ipfwadm -F -p deny
- ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0
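Putting the kernel test and the two rule sets together, here is an added
script (not from the talk) that picks the right commands for the running
kernel and, following the warning above about a masquerade-everything default,
refuses any rule set whose default forward policy is MASQ. It prints the
commands rather than executing them, so the output can be reviewed and then
piped to sh from a ppp-up or diald addroute script. It assumes /proc/version
starts "Linux version x.y.z", as the talk's awk one-liner does.

```shell
#!/bin/sh
# Added example, not from the talk.

# Print "major.minor" from a /proc/version line on stdin.
# Constructed sample input: "Linux version 2.2.14 (root@gw) #1 ..."
kernel_series() {
    awk '{ split($3, v, "."); printf("%s.%s\n", v[1], v[2]) }'
}

# Emit the talk's forwarding rules for the given kernel series:
# default policy deny, masquerade only what originates on the LAN.
# $2 (optional) is the local network, default 192.168.1.0/24.
masq_commands() {
    series=$1
    lan=${2:-192.168.1.0/24}
    case "$series" in
        2.2)
            echo "ipchains -P forward DENY"
            echo "ipchains -A forward -s $lan -j MASQ"
            ;;
        2.0)
            echo "ipfwadm -F -p deny"
            echo "ipfwadm -F -a m -S $lan -D 0.0.0.0/0"
            ;;
        *)
            echo "no rule set for kernel series $series" >&2
            return 1
            ;;
    esac
}

# Sanity check on a rule set read from stdin: succeed only if no line makes
# masquerading the default forward policy (the open-relay mistake above).
policy_is_safe() {
    ! grep -Eiq -- '-P[[:space:]]+forward[[:space:]]+MASQ|-F[[:space:]]+-p[[:space:]]+masq'
}

# Usage (as root, once the link is up):
#   rules=$(masq_commands "$(kernel_series < /proc/version)") \
#     && echo "$rules" | policy_is_safe \
#     && echo "$rules" | sh
```

The series check deliberately knows only 2.0 and 2.2; on anything else it
fails rather than guessing, which is the safer outcome for a rule set that
decides what gets forwarded to the Internet.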
Demand dialling
- Can be automatic or requested.
- automatic is convenient, but can be expensive if mis-configured, net
usage is erratic, or you are paying per-minute for your connection.
- requested takes some work on the part of the user, but is more easily
controlled.
- requested can be achieved as follows:
- Automatic is usually implemented either by diald, or newer versions of
pppd.
- The diald method:
- Add the masquerading commands (from above) in the script pointed to by
the addroute option.
- The number of options for diald is huge, check the docs for diald.
- A few things to check:
- DNS lookups can be a problem, either way - it can cause spurious
link-ups, or it can prevent the link from coming up.
- The interaction between pppd and diald is complex, follow the
directions very closely.
- The pppd method (requires pppd 2.3b<something>t; or later):
Extensions
Of course, there are much more things we can do to make this bigger, easier,
more secure, more featureful, stranger, scarier, whatever. Some possibilities:
- DHCP. I've looked at this, used it, but for a small static network it's
not really needed. It's elementary to set up, anyway.
- Full-time Internet link. This requires hardening the gateway machine,
and tends to preclude putting the file and print server on the gateway (your
average daemon tends to resemble swiss-cheese, relatively speaking).
- IP accounting. Although I've put it in the recommended options for the
network server kernel, I've not specified any rules for it. man
ipfwadm (for 2.0.x) or man ipchains for accounting info.
- Allowing publicly accessible servers. Only really useful on full-time
internet links (see above) but can easily be done with port forwarding. It
does involve hardening all the daemons, amongst other things.
- Heavier security. There is plenty of stuff to improve security on the
firewall, but I'm not going to go into it here. Read IP-masq mini-HOWTO for
a lot more on masq security.
- Security elsewhere could also be improved, if you
think that non-trustworthy people will have physical access to the local
network. But if you're allowing people physical access, you're screwed
anyway (IMHO).
- Mail. It's common, but it's irritating to set up for a part-time masqed
domain. Maybe a topic for a future meeting.
References
- comp.dcom.lans.ethernet FAQ
- RFC1918 - Address Allocation for Private Internets, Y. Rekhter, et al (also BCP5)
- RFC1178 - Choosing a Name for Your Computer, D. Libes (also FYI5)
- RFC1034 - Domain names, concepts and facilities, P. Mockapetris (also
STD13)
- The IP-masq mini-HOWTO, Ambrose Au & David Ranch
- The Linux Home network, Preston F. Crow, Linux Journal,
April 2000, pp 80-84
- Setting up a Linux Gateway, Lawrence Teo, Linux Journal,
April 2000, pp 86-88
- Various manual pages:
- ifconfig(8)
- route(8)
- resolv.conf(5)
- host.conf(5)
- hosts(5)
- fstab(5)
- printcap(5)
- lpd(8)
- exports(5)
- smb.conf(5)
- ipfw(4)
- ipfw_chains(4)
- ipfwadm(8)
- ipchains(8)
Bibliography
- NET-3-HOWTO (2.0.x kernels)
- NET-4-HOWTO (2.2.x kernels)
- The Network Administrator's guide
- PPP-HOWTO
- Ethernet-HOWTO
- The Linux IP Masquerading resource,
http://ipmasq.cjb.net
- Firewall HOWTO
- IPChains HOWTO
- NFS HOWTO
- Building your own Internet site, Tony Dean, Linux Journal,
April 2000, pp 150-151