On Tue, Jan 22, 2002 at 10:01:45PM +0100, Thomas Halahan wrote: > > Thanks for the advise guys. Need a little more > clarification. Have got my PC networked now, and all point > to the gateway PC which has the modem attatched. However > when I dial up the gateway PC doesn't allow the other PC's > to route through it to the internet. The route table > suggests that this should be possible when the ppp0 ip > addresses are assigned. Reading aroung it seems that I > need the 'ipmasq' package. Can you confirm this. > > Also I need some kernal modules (of kernel compile flags) > available. Will I have to recompile my kernel. I hope not. Hi Tom, just came across this thread. I run a network using a Debian machine as the network gateway. These are some of the tools I make use of. I'm running Woody on the machine; on Potato there are less tools available, but more likely to be rock solid. I run Woody on other machines and only upgrade the gateway when I am sure the current versions in Woody are stable and secure: Webmin. (Install webmin-ssl for encypted access). Great for administering boxes without spending hours in manpages to get config syntax right. I like it particularly for mail daemon configuration, name server (bind) configuration, user admin and for remote access from a M$ machine through a browser. It is also great for users, having built in mailreading and access to files though a Java applet. Bind - name server. Set it up to forward queries to your ISPs DNS server and add local forward and reverse domains for your network. Point the other machines on your network here, not directly at the ISP. That way queries are cached, and the ISP DNS configuration only needs to be done on your gateway. You need the local forward and reverse domains for your network so that machines do not try use the ISP DNS to perform DNS queries for your local network - this causes many applications to hang, e.g. telnet from one machine to another internally. Talking of telnet, don't use it! If you only have Linux boxes, use sshd. If you have other OSes around, use telnetd-ssl, which will encrypt communications when possible. And close the port for the internet interface. Squid - web cache. Install and add an acl for your local network. Set proxy on other machines to point here (http_proxy, ftp_proxy). At this point you should have web access on all machines even without masquerading set up. Masquerading. Your kernel needs ipchains if 2.2, netfilter if 2.4. I'm using 2.4, and netfilter was already there so there's no need to recompile. There are many different tools available for generating rulesets, such as knetfilter, fwbuilder, ipmasq, easyfw, mason, firewall-easy, ferm (grep-available firewall to get a quick list). I'm using fwbuilder - it's maybe not the easiest but has a GUI and is very flexible. If you want to be able to get in from the outside, have a look at ddclient for updating a DNS entry at dyndns.org. I update the entry when the machine dials in, and have firewalled all incoming ports apart from ssh and webmin-ssl. There are lots of different ways of setting things up, and these suggestions are just a small selection of what can be done. At least they'll give you something to start with and you can go from there. If you have more followup questions, please tell us a bit more about your setup, otherwise you may find some of the advice given does not apply because people have had to make assumptions about things you have not said. You have not said what software versions you are working with. In particular, Potato, Woody or Sid? kernel 2.2 or 2.4? You said the other PCs could not reach the internet though the gateway. Tell us what you did to test that, and what happened. E.g. "I started up Netscape for www.debian.org but got a request timed out error message". The more specific your question, the more likely you are to get help that is specific for your problem. Very general questions are more likely to be ignored. Chris -- Chris Halls | Frankfurt, Germany
Attachment:
pgpZSYN76nSpM.pgp
Description: PGP signature