
Back to April 2000 meeting page

Talk for Manchester LUG
Matthew Palmer

Networking Linux in the home or Small Business


This is intended to be an outline for setting up a small network using Linux and incorporating Windows machines as workstations. It is based around Linux 2.0.x, although the vast majority is also applicable to 2.2.x. Windows configuration will be described in a fairly generalised manner, so as to be helpful for all versions.

The scenario for which this setup is intended is as follows:

  • A home or small business.
  • Want to network several computers.
  • Have a part-time Internet connection.
  • Want to share a couple of printers.
  • Have common filestore available.
  • No official IP network address assigned.

As a result of these requirements, security from the outside network world is not a paramount concern; steps will be taken to ensure that risk is minimised, but functionality will be selected over security if necessary.

All machines are assumed to have a completely local installation of the operating system and applications, and only home directories and printers are to be shared. The passwd, shadow and group files are also shared, to allow reliable UID->name mapping. Yes, this is a security problem, but we can minimise it if we're careful.

Physical

  • Ethernet - most common LAN protocol, widely supported by most OSes.
  • 10Base2 - coax cable, bus pattern.
    • 185m max run length (terminator-to-terminator).
    • Terminated at both ends of cable run.
    • Each machine connected to the cable by a 'T' connector.
    • Any break in the cable will disable entire network.
  • 10BaseT - twisted pair cable, star pattern.
    • 100m max run length per the spec (the real limit is 11.5dB of attenuation, which good cable can meet at up to about 150m).
    • Each host connects to a central hub by its own run of cable.
    • A broken cable will only disable one host.

Logical layout

  • Several clients running Linux or Windows (or both).
  • File server.
  • Print server.
  • Network server.
  • These functions can be incorporated into one machine, if resources permit.
  • Note: a Linux server does not have to be big on memory or processor power - a 486DX2/80 with 16MB of RAM does my file, print, and network services quite fine.
  • Will use IP network 192.168.1.0/24 - reserved by IANA for private networks (RFC 1918), so it will never clash with anything on the Internet and must never be routed onto it.

Installation

Cabling

  • Don't run cables near power lines.
  • Don't run copper between buildings - use fibre. Two buildings are rarely at the same earth potential, and a lightning strike on one will travel down a copper link into the other.
  • Keep runs as short as possible, remember 185m total for 10Base2, 100-150m per cable for 10BaseT.
  • Don't cable unless you're sure you can handle it.

Assigning services

  • Choose whether to have file/print/network server on one machine or separate machines.

Assigning names and addresses

  • Choose a local domain name, something fictional which is not likely to be a real name; domain.fake.uk will be used for the examples. The local nameserver answers authoritatively for whatever you pick, so if that name ever comes into real use on the Internet your machines will not be able to see it.
  • Give each machine a name - see RFC1178 for guidelines.
  • The servers should have additional names - nfs, ns, www, print, etc to show services available.
  • Give each machine an IP address, subject to the following guidelines:
    • Do not use 0 and 255 - reserved for special purposes.
    • Network server should get 1 (by convention)
    • File & print servers (if separate) get 2 & 3 (again, convention)
    • Sequentially number all remaining machines.
    • Keep a record of all address-to-name relationships.

Clients

Linux

Kernel

There are a number of items which must be configured into your kernel (or, in some cases, possibly as modules). The list below is taken from Linux version 2.0.36, but shouldn't NEED anything more for 2.2.x, although there are more options available.

  • CONFIG_NET
  • CONFIG_INET
  • CONFIG_NETDEVICES
  • CONFIG_NET_ETHERNET
  • At least one card driver (only one, preferably) unless the machine is a laptop using a PCMCIA device.
  • CONFIG_NFS_FS

ifconfig

Doing the ifconfig work at startup is a distro-specific issue. On BSD-like inits, the config will probably be in /etc/rc.d/rc.network or something similar. On SysV machines it's more likely to be in /etc/init.d/network or similar. Then the individual style of each script will be different. It should be fairly obvious, at any rate. Most distros have a config script to do it automatically for you, so you can use that if you want.

If you want (or need) to roll your own ifconfig line, the following script will do the job for you, replacing <x> with the number assigned to the machine earlier.

#!/bin/sh
IPADDR=192.168.1.<x>
NETMASK=255.255.255.0

/sbin/ifconfig eth0 $IPADDR netmask $NETMASK

route

The same comments apply to route as did for ifconfig, and ifconfig and route are usually run at the same time. A roll-your-own config script, for both ifconfig and route together, is as follows:

#!/bin/sh
# <x> is the host number assigned to this machine earlier
IPADDR=192.168.1.<x>
NETMASK=255.255.255.0
NETWORK=192.168.1.0
GATEWAY=192.168.1.1

/sbin/ifconfig eth0 $IPADDR netmask $NETMASK
# 2.0.x needs the network route added by hand; 2.2.x adds it when the
# address is set, and this line then merely reports that it already exists
/sbin/route add -net $NETWORK netmask $NETMASK eth0
/sbin/route add default gw $GATEWAY

/etc/resolv.conf

  • Configures nameservers and search domains.
  • Use the following:
  • search domain.fake.uk
    nameserver 192.168.1.1
    
  • Tells the host to use 192.168.1.1 (the network server) as its sole DNS server, and to append domain.fake.uk to any unqualified name (one without a dot in it) before looking it up.

/etc/host.conf

  • Tells host how to resolve names.
  • Use the following:
    order bind,hosts
    multi on
    
  • This tells the resolver to check the DNS server before /etc/hosts, and to return every address a host has in /etc/hosts rather than just the first. On glibc-based systems the lookup order is actually set by the hosts: line in /etc/nsswitch.conf (hosts: dns files gives the same effect); host.conf's order line is honoured by libc5 but ignored by glibc.

/etc/hosts

  • This only needs to contain the localhost address (127.0.0.1) since the local DNS server performs all other lookups. Adding lines for the NFS and print servers is cheap insurance, though: the fstab mounts happen at boot, when named may not yet be reachable, and with the resolver order above /etc/hosts is consulted once the DNS query has failed.

/etc/fstab

To facilitate NFS mounts, add the following lines to /etc/fstab. Mount /nfs/etc read-only (the server exports it ro anyway) and put nosuid,nodev on both: NFS trusts whatever UID a client presents, so any machine on the LAN can drop a setuid binary into /home, and nosuid stops the clients honouring it.

nfs:/etc	/nfs/etc	nfs	ro,nosuid,nodev	0	0
nfs:/home	/nfs/home	nfs	rw,nosuid,nodev	0	0

Also ensure that the directories /nfs/etc and /nfs/home are created, on the root partition!

Move /etc/passwd, /etc/group, and /etc/shadow (if used) to /nfs/etc. Then symlink:

ln -s /nfs/etc/passwd /etc/passwd
ln -s /nfs/etc/group /etc/group
ln -s /nfs/etc/shadow /etc/shadow    # only if shadow passwords are in use
ln -s /nfs/home /home

Two consequences to keep in mind. Nobody, root included, can log in to a client while the NFS server is unreachable, so keep a root shell open while testing and know how to boot single-user. And because the /etc export uses root_squash, a client's root is "nobody" to the server, so a 0600 root-owned shadow file cannot be read from the clients at all; making it readable, or exporting /etc with no_root_squash, hands the password hashes to every machine on the LAN, which is the security problem mentioned at the start.

/etc/printcap

  • One record per printer queue.
  • Names (separated by |), followed by colon-separated list of parameters.
  • Parameters of interest for clients:
    • sd - Spool Directory. Where lpd will store print jobs.
    • mx - Maximum file size. Set to 0 for infinite file size, or to the number of BUFSIZ blocks to allow for a single print job.
    • rm - Remote machine name. Set to print for our case.
    • rp - Remote printer. Probably the same as the local printer for our case.
    • sh - Suppress burst page. Stops paper wastage by not printing a page telling who printed the job and so forth.
  • Sample printcap entry:
    lp|FX-105|Dot-matrix:sd=/var/spool/lpd/lp:mx#0:rm=print:rp=lp:sh
    

Windows

  • Win3.11 - Main -> Control Panel -> Network
  • Win9x - Start -> Control Panel -> Network

Protocols

  • Ensure that TCP/IP is available, and is the default protocol.
  • Can remove other protocol stacks (IPX, etc).

IP address

  • Select "Configure" for TCP/IP protocol.
  • Insert given IP address (of the form 192.168.1.<x>) in the appropriate field.
  • Netmask is 255.255.255.0, if Windows doesn't automatically guess it.

Default gateway

  • 192.168.1.1.

DNS

  • Turn WINS off.
  • Add single DNS server - 192.168.1.1.
  • Add domain.fake.uk to domain list.

File sharing

Using File Manager or Windows Explorer (depending on Windows version), map the home directory from samba to a local drive.

Print sharing

Using Print Manager, map the network printers on print to local printer ports.

Servers

File server

Will have aliases of nfs, samba, www (if web server used).

Kernel

Must have the following options enabled:

  • CONFIG_NET
  • CONFIG_INET
  • CONFIG_NETDEVICES
  • CONFIG_NET_ETHERNET
  • At least one card driver (only one, preferably) unless the machine is a laptop using a PCMCIA device.

NFS

Edit /etc/exports for the following:

/etc	192.168.1.0/24(ro,root_squash)
/home	192.168.1.0/24(rw,root_squash)

root_squash is the default but is worth spelling out. The insecure option (accept requests from unprivileged source ports) is only needed for clients that cannot use a reserved port, such as user-space NFS clients and some non-Unix ones; a Linux client does not need it, so leave it out unless a mount actually fails without it. None of this is authentication: the server believes whatever UID a client presents, so "the network" in these lines means "every machine anyone can plug into the LAN".
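The fstab entries earlier and the exports file above are where the LAN-trusts-everyone nature of NFS bites, so here is an added example (not part of the original talk) of a small shell audit: audit_exports flags exports open to every host, exports with no_root_squash, and exports with insecure; audit_fstab flags NFS mounts lacking nosuid or nodev. The sample exports and fstab contents are constructed for the example; on a real machine the functions read the real files on stdin.

```shell
#!/bin/sh
# Added example, not from the original talk: audit the NFS side of this
# setup. audit_exports flags exports open to every host, with no_root_squash,
# or with insecure; audit_fstab flags NFS mounts lacking nosuid/nodev.
# Both read an exports(5) / fstab(5) file on stdin, print one finding per
# line and return 1 if anything was flagged. The two sample files below are
# constructed for the example.

SAMPLE_EXPORTS='# constructed sample exports file
/etc	192.168.1.0/24(ro,root_squash)
/home	192.168.1.0/24(rw,root_squash,insecure)
/pub	*(ro,no_root_squash)
/scratch'

SAMPLE_FSTAB='# constructed sample fstab
/dev/hda1	/	ext2	defaults	0	1
nfs:/etc	/nfs/etc	nfs	ro,nosuid,nodev	0	0
nfs:/home	/nfs/home	nfs	defaults	0	0'

audit_exports() {
    found=0
    set -f    # client specs may contain '*'; keep the shell from globbing it
    while read -r path clients; do
        case "$path" in ''|'#'*) continue ;; esac
        if [ -z "$clients" ]; then
            echo "$path: exported to every host (no client list)"; found=1; continue
        fi
        for c in $clients; do
            host=${c%%\(*}
            case "$c" in *\(*) opts=${c#*\(}; opts=${opts%\)} ;; *) opts='' ;; esac
            [ "$host" = '*' ] && { echo "$path: exported to * (every host)"; found=1; }
            case ",$opts," in *,no_root_squash,*)
                echo "$path ($host): no_root_squash lets a client's root act as root on the server"; found=1 ;;
            esac
            case ",$opts," in *,insecure,*)
                echo "$path ($host): insecure accepts mounts from unprivileged ports"; found=1 ;;
            esac
        done
    done
    set +f
    return $found
}

audit_fstab() {
    found=0
    while read -r dev mnt type opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac
        [ "$type" = nfs ] || continue
        case ",$opts," in *,nosuid,*) ;; *) echo "$mnt: NFS mount without nosuid"; found=1 ;; esac
        case ",$opts," in *,nodev,*)  ;; *) echo "$mnt: NFS mount without nodev";  found=1 ;; esac
    done
    return $found
}

# On the real files:  audit_exports < /etc/exports;  audit_fstab < /etc/fstab
# "sh nfsaudit.sh demo" (script name assumed) runs both over the samples.
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
    printf '%s\n' "$SAMPLE_FSTAB"   | audit_fstab
fi
```

Run against the samples, audit_exports reports four problems (the insecure /home export, /pub being open to every host and with no_root_squash, and /scratch having no client list at all) and audit_fstab two (the /nfs/home mount without nosuid and without nodev); a clean file produces no output and exit status 0, so the functions can sit in a cron job.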

Samba

  • Config can get very, very complicated, very, very, quickly.
  • Our simple config doesn't need to, though.
  • We will simply share the home directories of users and let Samba work out sensible defaults for everything else.
  • Generalised smb.conf (interfaces and socket address name the server's own LAN address: 192.168.1.2 if the file server is a separate machine):
    [global]
    debug level = 1
    printing = bsd
    security = user
    server string = FooBar Inc. fileserver running Samba %v
    client code page = 437
    name resolve order = host
    interfaces = 192.168.1.1/24
    bind interfaces only = yes
    socket address = 192.168.1.1
    hosts allow = 192.168.1. 127.
    create mask = 0644
    
    [homes]
    guest ok = no
    read only = no
    
  • On its own, interfaces only tells Samba which networks to use for browsing and name registration; smbd still accepts connections on every address, the dial-up one included. bind interfaces only makes the daemons listen on the listed addresses alone, and hosts allow refuses anything that is not from the LAN or loopback even if a daemon is somehow reachable from outside.
  • For a combined file/print server, take the printer-specific bits (basically, anything not common to the two files) from the print server Samba config (below) and stick them in this file.

Web server

  • Many organisations like an internal web server for testing sites, sharing public info, and the sheer novelty of it.
  • Not a public web server - only accessible from WITHIN the local network.
  • The web server is here instead of on Network server for security, but mainly because fileserver will probably have more disk space for web space.
  • Using Apache:
    • Set Listen to the server's LAN address and port (Listen 192.168.1.1:80 if it is on the network server) so that Apache is not bound on the dial-up interface at all.
    • Config files are in /etc/apache (under Debian, anyway). Main document root is under /var/www.
    • User home pages go in the directory $HOME/public_html by default.
    • Standard config options are sane.

Print server

Kernel

  • CONFIG_NET
  • CONFIG_INET
  • CONFIG_NETDEVICES
  • CONFIG_NET_ETHERNET
  • At least one card driver (only one, preferably) unless the machine is a laptop using a PCMCIA device.
  • CONFIG_PRINTER for the parallel-port printer device (/dev/lp*); on 2.2.x this sits on top of CONFIG_PARPORT and CONFIG_PARPORT_PC.

lpr

  • Printer configuration is achieved by /etc/printcap.
  • Access control, accounting, and formatting should be performed on-server, to make admin easier.
  • The most useful options are (there are lots more - man printcap):
    • af - Accounting file.
    • if - Input filter. Supposed to do accounting, but is used in practice for filtering of print jobs for a specific printer. Use man magicfilter for the good oil on print filtering (we won't discuss it here).
    • lp - Device to write print data.
    • lf - Log file name. The lpr system doesn't do much logging, but still, some is better than none...
    • mx - Maximum file size.
    • pl - Page length, in lines.
    • pw - Page width, in characters.
    • rs - restrict remote users to those with local accounts.
    • sh - Suppress printing of banner page.
  • A sample printer (sd is given explicitly; without it every queue shares lpd's compiled-in default spool directory):
    lp|FX-105|Dot-matrix:sd=/var/spool/lpd/lp:af=/var/log/print/lp.acct\
    	:if=/etc/magicfilter/epson-9-filter\
    	:lp=/dev/lp1:lf=/var/log/print/lp.log\
    	:mx#5000:pl#66:pw#80:sh
    
  • The /etc/hosts.lpd file lists machines allowed to access the print system. It's just a list of hosts, one per line; a wildcard entry such as *.domain.fake.uk should suffice if your lpd supports it (check lpd(8)), otherwise list each client by name. lpd matches the connecting address against these names by reverse lookup, so the reverse zone on the network server must be right for every client, and a client missing from hosts.lpd or from the reverse zone is refused.

lprNG

I mention this because it seems like a good future option for systems. However, I have no significant experience with it, and shall not attempt to give configuration details. I will merely recommend an examination of the documentation - since the config for lpr and lprNG are rather similar.

Samba

Similarly to the file server (again, interfaces and socket address name this server's own LAN address, 192.168.1.3 if the print server is a separate machine):

[global]
debug level = 1
printing = bsd
security = user
printcap name = /etc/printcap
load printers = yes
server string = FooBar Inc. printserver running Samba %v
client code page = 437
name resolve order = host
interfaces = 192.168.1.1/24
bind interfaces only = yes
socket address = 192.168.1.1
hosts allow = 192.168.1. 127.
create mask = 0644

[printers]
path = /tmp
guest ok = no
browseable = yes
printable = yes

The spool path must be writable by every user and have the sticky bit set (mode 1777), which is why /tmp is the easy choice; a dedicated directory such as /var/spool/samba with the same mode keeps print jobs away from everything else that lands in /tmp.

Network server

Kernel

The following are required options:

  • CONFIG_MODULES
  • CONFIG_NET
  • CONFIG_FIREWALL
  • CONFIG_INET
  • CONFIG_IP_FORWARD
  • CONFIG_IP_FIREWALL
  • CONFIG_IP_MASQUERADE
  • CONFIG_NETDEVICES
  • CONFIG_NET_ETHERNET
  • At least one card driver (only one, preferably) unless the machine is a laptop using a PCMCIA device.
  • SLIP support if you want to use diald.
  • Support for whatever Internet access method you use. (SLIP, PPP, ISDN, Cable modem, whatever)

The following are recommended:

  • CONFIG_IP_MASQUERADE_ICMP
  • CONFIG_IP_ALWAYS_DEFRAG
  • CONFIG_IP_ACCT
  • CONFIG_IP_ROUTER (if network server running separate to file and print server)
  • CONFIG_IP_NOSR

You may need CONFIG_EXPERIMENTAL to be able to select some of the options, certainly for MASQ_ICMP, under 2.0.x.

Under newer kernels (2.0.34 or later) forwarding is disabled by default and must be explicitly turned on by echo "1" > /proc/sys/net/ipv4/ip_forward.

DNS

We want a system which can resolve local addresses, but forwards all remote addresses elsewhere. The best way of doing this is a non-delegated, forwarding, caching nameserver. listen-on pins named to the LAN address, so nothing answers on the dial-up interface (which also means the gateway's own resolv.conf must name 192.168.1.1 rather than 127.0.0.1); forward only sends every non-local query to the ISP's resolvers and never has named walk the root servers itself, which matters on a part-time link. The template config files for doing this under BIND 8 are as follows:

/etc/named.conf

options {
        directory "/var/named";
        listen-on port 53 {192.168.1.1;};
        forward only;
        forwarders { /* the ISP's resolver addresses go here, each followed by a semicolon */ };
};

zone "domain.fake.uk" {
        type master;
        file "zone/domain.fake.uk";
        allow-update {none;};
        allow-transfer {none;};
        allow-query {192.168.1/24;};
        notify no;
        also-notify { };
};

zone "1.168.192.IN-ADDR.ARPA" {
        type master;
        file "rev/192.168.1";
        allow-update {none;};
        allow-transfer {none;};
        allow-query {192.168.1/24;};
        notify no;
        also-notify { };
};

zone "localhost" {
        type master;
        file "zone/local";
};

zone "127.in-addr.arpa" {
        type master;
        file "rev/127";
};

zone "." {
        type hint;
        file "named.root";
};

/var/named/zone/domain.fake.uk

$TTL 86400	; BIND 8.2 and later; earlier 8.x take the default TTL from the SOA minimum
@	IN SOA gateway.domain.fake.uk. hostmaster.domain.fake.uk. (
  YYYYMMDDRR    ; Serial - must be numeric (e.g. 2000040101) and go up on every edit
  10800         ; Refresh       - 3 hours
  600           ; Retry         - 10 mins
  3600000       ; Expire        - 1000 hours
  86400)        ; Minimum       - 24 hours

;  Nameservers listed here must be primary or secondary
;  servers for this zone, and must be named by an A record,
;  not a CNAME (RFC 2181), so gateway rather than the ns alias.

	IN NS gateway.domain.fake.uk.
	IN A 192.168.1.1
	IN MX 0 domain.fake.uk.

;
; Local System Addresses
;

ns	IN CNAME gateway
print	IN CNAME gateway
samba	IN CNAME gateway
nfs	IN CNAME gateway
www	IN CNAME gateway
mail	IN CNAME gateway

gateway	IN A 192.168.1.1
	IN MX 0 domain.fake.uk.
;<name>	IN A 192.168.1.<x>
;	IN MX 0 domain.fake.uk.

/var/named/rev/192.168.1

$TTL 86400
@	IN SOA gateway.domain.fake.uk. hostmaster.domain.fake.uk. (
  YYYYMMDDRR    ; Serial - numeric, bumped on every edit
  10800         ; Refresh       - 3 hours
  600           ; Retry         - 10 mins
  3600000       ; Expire        - 1000 hours
  86400)        ; Minimum       - 24 hours

	IN NS	gateway.domain.fake.uk.

; PTR targets must be fully qualified (trailing dot): "gateway." on its
; own would mean a top-level domain called gateway.
0	IN PTR	local.
1	IN PTR	gateway.domain.fake.uk.
;<x>	IN PTR	<name>.domain.fake.uk.
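Keeping the name-to-address record from "Assigning names and addresses", the forward zone, the reverse zone and the /etc/hosts fallback consistent by hand is where mistakes such as an NS record pointing at a CNAME or an unqualified PTR target creep in. The following is an added example, not from the original talk, that generates all three files from one record. The record format, the script name mkzones.sh and the numeric serial argument are assumptions; the origin, network and host names are the talk's.

```shell
#!/bin/sh
# Added example, not from the original talk: generate the forward zone, the
# reverse zone and an /etc/hosts fallback from the single name-to-address
# record the talk says to keep, so the three files can never disagree (and
# NS/PTR targets come out as A-record hosts with fully qualified names).
# Assumptions: the record format below, origin domain.fake.uk, network
# 192.168.1.0/24, gateway on .1, a numeric serial passed as an argument,
# and the script name mkzones.sh used in the usage lines.

DOMAIN=domain.fake.uk
NET=192.168.1          # first three octets of the /24
GATEWAY=gateway        # host that carries the service aliases

# Constructed sample record: <last octet> <name> [alias ...]
HOSTS_RECORD='1 gateway ns print samba nfs www mail
2 alpha
3 beta'

soa() {
    # $1 = serial. Same timers as the talk's templates. $TTL needs BIND 8.2+.
    printf '$TTL 86400\n'
    printf '@\tIN SOA %s.%s. hostmaster.%s. (\n' "$GATEWAY" "$DOMAIN" "$DOMAIN"
    printf '\t%s\t; serial\n\t10800\t; refresh\n\t600\t; retry\n' "$1"
    printf '\t3600000\t; expire\n\t86400 )\t; minimum\n'
    # NS must name a host with an A record, never a CNAME (RFC 2181 s10.3)
    printf '@\tIN NS %s.%s.\n' "$GATEWAY" "$DOMAIN"
}

forward_zone() {
    soa "$1"
    printf '@\tIN A %s.1\n@\tIN MX 0 %s.\n' "$NET" "$DOMAIN"
    printf '%s\n' "$HOSTS_RECORD" | while read -r octet name aliases; do
        printf '%s\tIN A %s.%s\n\tIN MX 0 %s.\n' "$name" "$NET" "$octet" "$DOMAIN"
        for a in $aliases; do
            printf '%s\tIN CNAME %s\n' "$a" "$name"   # target relative to origin
        done
    done
}

reverse_zone() {
    soa "$1"
    printf '%s\n' "$HOSTS_RECORD" | while read -r octet name aliases; do
        # PTR targets must be fully qualified: "gateway." alone means a TLD
        printf '%s\tIN PTR %s.%s.\n' "$octet" "$name" "$DOMAIN"
    done
}

hosts_fallback() {
    # /etc/hosts entries so a client can still find nfs: and print at boot
    # when named is not answering (host.conf falls back to hosts after bind).
    printf '127.0.0.1\tlocalhost\n'
    printf '%s\n' "$HOSTS_RECORD" | while read -r octet name aliases; do
        printf '%s.%s\t%s.%s %s%s\n' "$NET" "$octet" "$name" "$DOMAIN" "$name" "${aliases:+ $aliases}"
    done
}

# Usage: sh mkzones.sh forward 2000040101 > /var/named/zone/domain.fake.uk
#        sh mkzones.sh reverse 2000040101 > /var/named/rev/192.168.1
#        sh mkzones.sh hosts > /etc/hosts
case "${1:-}" in
    forward) forward_zone "$2" ;;
    reverse) reverse_zone "$2" ;;
    hosts)   hosts_fallback ;;
esac
```

Each alias becomes a CNAME of the host that carries it and only the real host names ever appear as NS, MX or PTR targets, which is exactly the constraint that is easy to break when the files are edited separately.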

/var/named/zone/local

; BIND data file for local loopback interface
;
@	IN	SOA	localhost.	root.localhost. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Default TTL
;
@	IN      NS      localhost.
@	IN      A       127.0.0.1

/var/named/rev/127

; BIND reverse data file for local loopback interface
;
@	IN      SOA     localhost. root.localhost. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Default TTL
;
@	IN      NS      localhost.
1.0.0   IN      PTR     localhost.

/var/named/named.root

You should obtain an up-to-date version of this file (the current copy is published at https://www.internic.net/domain/named.root). Info on obtaining it at the time of writing, taken from named.root.1997982200, is as follows:

;       This file is made available by InterNIC registration services
;       under anonymous FTP as
;           file                /domain/named.root
;           on server           FTP.RS.INTERNIC.NET
;       -OR- under Gopher at    RS.INTERNIC.NET
;           under menu          InterNIC Registration Services (NSI)
;              submenu          InterNIC Registration Archives
;           file                named.root

IP Masquerading

  • The default policies as defined here state that, by default, we should silently discard all packets which did not originate or are destined for the local host. However, if the packet originated with someone on the network 192.168.1.0/24 (our local network) we will masquerade the headers. It is implied that a response packet from the outside world will be de-masqueraded and passed on if we know where it's going, bypassing the usual forwarding ruleset (so a forwarding rule denying anything from the outside world will not stop a return-masq packet - although an input rule will).
  • It is very, very wrong to make the default policy masquerade. That will allow anyone with half a clue to use your system as a nice anonymous forwarder.
  • These commands can go in a few places. System startup scripts (might not work for modern systems), ppp-up script, or, if you're using diald, in the script pointed to by the addroute option.
  • A different script is required for 2.2.x kernels as opposed to 2.0.x (and earlier) kernels, due to a difference in their internal routing procedures. You can use /usr/bin/awk '{printf("%3.3s\n", $3)}' /proc/version to determine the kernel version, then decide which script to run based on the second part of the version number.
  • For 2.2.x kernels:
    • Use ipchains to set default policies for forwarding (note the capital -P, which sets the chain policy; lower-case -p is the protocol match):
    • ipchains -P forward DENY
    • ipchains -A forward -s 192.168.1.0/24 -j MASQ
  • For 2.0.x kernels:
    • Use ipfwadm to set default policies for forwarding:
    • ipfwadm -F -p deny
    • ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0
  • Two things the bare policies leave out: tie the MASQ rule to the outside interface (-i ppp0 for ipchains, -W ppp0 for ipfwadm) so that LAN-to-LAN traffic is never rewritten, and add an input rule that drops anything arriving on the outside interface with a 192.168.1.0/24 source address, since the de-masquerade path described above trusts the LAN address range.
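As an added example (not from the original talk) of putting the rules for both kernel generations in one script together with the interface restriction and the anti-spoofing input rule: the script prints the commands by default and executes them when RUN=1 is set. The kernel version is passed in as an argument rather than read from /proc/version so that the script can be exercised on any machine; the script name masq.sh and the external interface name ppp0 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original talk: build the masquerading rule set
# for whichever kernel generation is running, with the two things the bare
# policy lines leave out: masquerade only towards the external interface, and
# drop (and log) packets arriving from outside that claim a LAN source
# address. Commands are printed; RUN=1 executes them. Assumptions: LAN
# 192.168.1.0/24, external link ppp0, script name masq.sh, and the kernel
# version passed as $1 (e.g. from uname -r) so the script runs anywhere.

LAN=192.168.1.0/24
EXT=ppp0

kernel_branch() {
    # "2.2.14" -> "2.2" (the talk does the same with awk on /proc/version)
    rest=${1#*.}
    printf '%s.%s\n' "${1%%.*}" "${rest%%.*}"
}

rules_22() {
    # ipchains. -P is the chain policy; lower-case -p is a protocol match.
    # On the forward chain -i names the *output* interface, so MASQ applies
    # only to LAN traffic leaving via the link, never to LAN-to-LAN traffic.
    cat <<EOF
ipchains -F input
ipchains -F forward
ipchains -P forward DENY
ipchains -A input -i $EXT -s $LAN -l -j DENY
ipchains -A forward -i $EXT -s $LAN -j MASQ
EOF
}

rules_20() {
    # ipfwadm. -W is the interface, -o logs the match.
    cat <<EOF
ipfwadm -I -f
ipfwadm -F -f
ipfwadm -F -p deny
ipfwadm -I -a deny -W $EXT -S $LAN -o
ipfwadm -F -a m -W $EXT -S $LAN -D 0.0.0.0/0
EOF
}

masq_rules() {
    case "$(kernel_branch "$1")" in
        2.2) rules_22 ;;
        2.0) rules_20 ;;
        *)   echo "no rule set for kernel $1" >&2; return 1 ;;
    esac
    # 2.0.34+ and 2.2 ship with forwarding off; turn it on only once the
    # policy is in place, so there is never a window with an open forwarder.
    echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

# Usage:  sh masq.sh "$(uname -r)"          # show the commands
#         RUN=1 sh masq.sh "$(uname -r)"    # apply them (as root)
if [ -n "${1:-}" ]; then
    if [ "${RUN:-0}" = 1 ]; then masq_rules "$1" | sh -e; else masq_rules "$1"; fi
fi
```

Because the commands are emitted as text, the same script serves as the addroute script for diald, the ip-up script for pppd, or a startup script, and what it is about to do can be read before it is run on the gateway.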

Demand dialling

  • Can be automatic or requested.
  • automatic is convenient, but can be expensive if mis-configured, net usage is erratic, or you are paying per-minute for your connection.
  • requested takes some work on the part of the user, but is more easily controlled.
  • requested can be achieved as follows:
    • Add services on two unused ports in /etc/services called link-up and link-down.
    • Add the following lines to /etc/inetd.conf, running the commands through tcpd (path as on Debian) so that /etc/hosts.allow can restrict who may trigger them:
      link-up		stream	tcp	nowait	root	/usr/sbin/tcpd	<link up command>
      link-down	stream	tcp	nowait	root	/usr/sbin/tcpd	<link down command>
      
    • To bring the link up, simply make a connection (telnet, http, whatever) to the port specified in /etc/services as the link-up port, and similarly to bring it down.
    • Yes, without the wrapper this is a huge security hole - anyone from the outside can drop the link (or raise it and run up the bill) by connecting to the appropriate port. tcpd matches hosts.allow entries on the basename of the program it runs, not on the service name, so the entries name the link-up and link-down programs with 192.168.1. as the client list, with ALL: ALL in hosts.deny; firewall rules on the outside interface are a second line of defence.
  • Automatic is usually implemented either by diald, or newer versions of pppd.
  • The diald method:
    • Add the masquerading commands (from above) in the script pointed to by the addroute option.
    • The number of options for diald is huge, check the docs for diald.
    • A few things to check:
      • DNS lookups can be a problem, either way - it can cause spurious link-ups, or it can prevent the link from coming up.
      • The interaction between pppd and diald is complex, follow the directions very closely.
  • The pppd method (requires pppd 2.3b<something>t; or later):
    • Add the following line to /etc/ppp/peers/provider if you're using an ultra-modern pppd, or /etc/ppp/options otherwise:
      demand idle 600 holdoff 20
      
    • This will kill the link after 10 minutes of inactivity (600 seconds) and will pause for 20 seconds between connections.
    • If you've got an ISP with a dynamic IP allocation system, add the noipdefault option, and ipcp-accept-local so that the placeholder address used while the link is down is replaced by whatever the ISP assigns (see pppd(8)).
    • The pppd daemon should be run from the system startup scripts; the link will only be brought up when data is present.

Extensions

Of course, there are much more things we can do to make this bigger, easier, more secure, more featureful, stranger, scarier, whatever. Some possibilities:

  • DHCP. I've looked at this, used it, but for a small static network it's not really needed. It's elementary to set up, anyway.
  • Full-time Internet link. This requires hardening the gateway machine, and tends to preclude putting the file and print server on the gateway (your average daemon tends to resemble swiss-cheese, relatively speaking).
  • IP accounting. Although I've put it in the recommended options for the network server kernel, I've not specified any rules for it. man ipfwadm (for 2.0.x) or man ipchains for accounting info.
  • Allowing publicly accessible servers. Only really useful on full-time internet links (see above) but can easily be done with port forwarding. It does involve hardening all the daemons, amongst other things.
  • Heavier security. There is plenty of stuff to improve security on the firewall, but I'm not going to go into it here. Read IP-masq mini-HOWTO for a lot more on masq security.
  • Security elsewhere could also be improved, if you think that non-trustworthy people will have physical access to the local network. But if you're allowing people physical access, you're screwed anyway (IMHO).
  • Mail. It's common, but it's irritating to set up for a part-time masqed domain. Maybe a topic for a future meeting.

References

  • comp.dcom.lans.ethernet FAQ
  • RFC1918 - Address Allocation for Private Internets, Y. Rekhter, et al (also BCP5)
  • RFC1178 - Choosing a Name for Your Computer, D. Libes (also FYI5)
  • RFC1034 - Domain names, concepts and facilities, P. Mockapetris (also STD13)
  • The IP-masq mini-HOWTO, Ambrose Au & David Ranch
  • The Linux Home network, Preston F. Crow, Linux Journal, April 2000, pp 80-84
  • Setting up a Linux Gateway, Lawrence Teo, Linux Journal, April 2000, pp 86-88
  • Various manual pages:
    • ifconfig(8)
    • route(8)
    • resolv.conf(5)
    • host.conf(5)
    • hosts(5)
    • fstab(5)
    • printcap(5)
    • lpd(8)
    • exports(5)
    • smb.conf(5)
    • ipfw(4)
    • ipfw_chains(4)
    • ipfwadm(8)
    • ipchains(8)

Bibliography

  • NET-3-HOWTO (2.0.x kernels)
  • NET-4-HOWTO (2.2.x kernels)
  • The Network Administrator's guide
  • PPP-HOWTO
  • Ethernet-HOWTO
  • The Linux IP Masquerading resource, http://ipmasq.cjb.net
  • Firewall HOWTO
  • IPChains HOWTO
  • NFS HOWTO
  • Building your own Internet site, Tony Dean, Linux Journal, April 2000, pp 150-151