[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: small network setup tools

On Tue, Jan 22, 2002 at 10:01:45PM +0100, Thomas Halahan wrote:
> Thanks for the advise guys.  Need a little more 
> clarification.  Have got my PC networked now, and all point 
> to the gateway PC which has the modem attatched.  However 
> when I dial up the gateway PC doesn't allow the other PC's 
> to route through it to the internet.  The route table 
> suggests that this should be possible when the ppp0 ip 
> addresses are assigned.  Reading aroung it seems that I 
> need the 'ipmasq' package.  Can you confirm this.  
> Also I need some kernal modules (of kernel compile flags) 
> available. Will I have to recompile my kernel. I hope not.

Hi Tom, just came across this thread.

I run a network using a Debian machine as the network gateway.  These are
some of the tools I make use of.  I'm running Woody on the machine; on
Potato there are less tools available, but more likely to be rock solid.  I
run Woody on other machines and only upgrade the gateway when I am sure the
current versions in Woody are stable and secure:

Webmin. (Install webmin-ssl for encypted access).  Great for administering
boxes without spending hours in manpages to get config syntax right.
I like it particularly for mail daemon configuration, name server (bind)
configuration, user admin and for remote access from a M$ machine through a
browser.  It is also great for users, having built in mailreading and access
to files though a Java applet.

Bind - name server.   Set it up to forward queries to your ISPs DNS server
and add local forward and reverse domains for your network.  Point the other
machines on your network here, not directly at the ISP.  That way queries are
cached, and the ISP DNS configuration only needs to be done on your gateway.
You need the local forward and reverse domains for your network so that
machines do not try use the ISP DNS to perform DNS queries for your local
network - this causes many applications to hang, e.g. telnet from one
machine to another internally.  

Talking of telnet, don't use it!  If you only have Linux boxes, use sshd.  If
you have other OSes around, use telnetd-ssl, which will encrypt
communications when possible.  And close the port for the internet

Squid - web cache.  Install and add an acl for your local network.  Set
proxy on other machines to point here (http_proxy, ftp_proxy).  At this
point you should have web access on all machines even without masquerading
set up.

Masquerading.  Your kernel needs ipchains if 2.2, netfilter if 2.4.  I'm
using 2.4, and netfilter was already there so there's no need to recompile.
There are many different tools available for generating rulesets, such as
knetfilter, fwbuilder, ipmasq, easyfw, mason, firewall-easy, ferm
(grep-available firewall to get a quick list).  I'm using fwbuilder - it's
maybe not the easiest but has a GUI and is very flexible.

If you want to be able to get in from the outside, have a look at ddclient
for updating a DNS entry at dyndns.org.  I update the entry when the machine
dials in, and have firewalled all incoming ports apart from ssh and

There are lots of different ways of setting things up, and these suggestions
are just a small selection of what can be done.  At least they'll give you
something to start with and you can go from there.

If you have more followup questions, please tell us a bit more about your
setup, otherwise you may find some of the advice given does not apply
because people have had to make assumptions about things you have not said.
You have not said what software versions you are working with.  In
particular, Potato, Woody or Sid?  kernel 2.2 or 2.4?  You said the other
PCs could not reach the internet though the gateway.  Tell us what you did
to test that, and what happened.  E.g. "I started up Netscape for
www.debian.org but got a request timed out error message".  The more
specific your question, the more likely you are to get help that is specific
for your problem.  Very general questions are more likely to be ignored.

Chris Halls | Frankfurt, Germany

Attachment: pgpXGbvcEKKdt.pgp
Description: PGP signature

Reply to: