weblog.mattdorn.com

Home Network Setup

I recently set up a home network that shares a cable modem connection, using an old 100 MHz Pentium box with 64 MB of RAM as a Linux-based Internet gateway providing the following network services:

  • IP forwarding (routing)
  • IP masquerading (NAT: lets every machine on the LAN share the cable modem's single public IP address)
  • DHCP (for assigning IPs to the machines on the LAN when they come onto the network)
  • Samba (for file and printer sharing compatibility with whatever Windows machines there may be on the network)

These documents were indispensable:

#1: http://www.jandg-cooper.com/home_network/index.html
Describes in detail setting up a home network with a Linux server providing a broad range of Internet services: all of the ones listed above, plus mail, DNS, etc. It focuses on Linux kernel 2.4.x systems (Red Hat 7.3 and later for Red Hat users).

#2: http://www.tldp.org/HOWTO/mini/Home-Network-mini-HOWTO.html
A shorter Linux Documentation Project document that describes setting up a basic home network on Red Hat 6, and therefore focuses on Linux kernel 2.2.x systems. I decided to use Red Hat 7.0, which has a 2.2 kernel, so this document ended up being more useful for me. The first document, however, explains more clearly and in greater detail what exactly is happening at each step you take.

HARDWARE NOTES

Evidently it's possible to pull all this off with a single NIC in your server, but the recommended configuration is two NICs: one for the cable modem and the other for the hub. Two cards also give you a clean boundary between the untrusted side and the LAN, which the firewall rules later on rely on by matching on the interface name. Additionally, to avoid trouble, it's advisable that the NICs be identical rather than two different models.

  • Server: 100 MHz Pentium, 64 MB RAM, 2 D-Link DFE-530TX+ NICs
  • 4-port Ethernet hub
  • Workstation 1: HP Omnibook 4150 Notebook, Pentium II 366 MHz, 128 MB RAM. Linux/Win2000.
  • Workstation 2: Pentium III 550 MHz, 384 MB RAM. Linux/Win2000.
  • Workstation 3: Celeron 1GHz, 128 MB RAM. WinXP

I had originally wanted to upgrade the server with some cheap parts, particularly the processor, but according to the manual I found on the manufacturer's Web site, the FIC PA-2000 motherboard can't handle a processor faster than a 133 MHz Pentium. The few network services I currently have running seem to run flawlessly on this cheap old box, but I'd like to try adding DNS service plus the Squid proxy server and DansGuardian. I'll be amazed if Linux can pull that off on this box without noticeable performance degradation, and will update this document accordingly.

INTERNET CONNECTION AND BASIC NETWORK CONFIGURATION

The first order of business is to make sure the server can connect to the Internet through the cable modem. These days almost all ISPs assign IPs via DHCP, so with the server acting as a plain DHCP client this shouldn't be a problem. (You should have installed the DHCP client daemon package, dhcpcd, when installing the OS; if not, you'll have to install it yourself.) Linux identifies the two network cards by the device names "eth0" and "eth1". In my setup, eth0 is the card that connects to the cable modem. When I installed Red Hat 7.0, my cards were detected automatically, and I was given the option of having eth0 configure itself at boot through DHCP. On Red Hat systems this can also be set up after installation with the "linuxconf" utility. At this point you should be able to "ping www.google.com" from the server and send and receive packets without a problem.

This is a good point to take care of the fundamental network configuration:

As I mentioned, the "linuxconf" utility can handle a lot of this if you're running Red Hat. But you can also edit the necessary configuration files by hand, as follows:

If you’re familiar with *nix systems, you know that most configuration files reside somewhere within the “/etc” directory. You’ll need a file called “ifcfg-ethX” in

/etc/sysconfig/network-scripts/

for each of your NICs. A partial listing of my file in

/etc/sysconfig/network-scripts/ifcfg-eth0

looks like this:

DEVICE="eth0"
BOOTPROTO="dhcp"
ONBOOT="yes"
IPADDR=""
NETMASK=""

while

/etc/sysconfig/network-scripts/ifcfg-eth1

looks like this:

DEVICE="eth1"
BROADCAST=192.168.1.255
IPADDR="192.168.1.1"
NETMASK="255.255.255.0"
NETWORK=192.168.1.0
ONBOOT="yes"
BOOTPROTO="none"

In the first listing, we see that eth0 (the NIC that connects to the cable modem) comes up at boot and gets its network configuration via DHCP, in this case from your cable ISP's DHCP server.

eth1 is the device that connects the rest of your network to the server. Addresses beginning with 192.168 (the whole 192.168.0.0/16 block, like 10.0.0.0/8 and 172.16.0.0/12) are reserved by RFC 1918 for private networks and are never routed on the public Internet, which is exactly what you want for the LAN side of the server. In my case I've assigned it the first usable address in the 192.168.1.x block, 192.168.1.1, through the "IPADDR" variable. The "BROADCAST" variable is the address used to send a packet to every machine on your LAN at once. (I'm actually not sure when or if this ever takes place on my LAN.) A "NETMASK" of 255.255.255.0 simply means that every address of the form 192.168.1.x is on the LAN and is reached directly; anything else has to go through the router, which for the machines on the LAN is this server.

“/etc/sysconfig/network” is a file that controls some general networking variables. You’ll want to make sure that it has the following lines:

NETWORKING=yes
FORWARD_IPV4="yes"

According to document #2, you may also need to edit "/etc/sysctl.conf" and make sure it has the following lines. Red Hat 7.x reads /etc/sysctl.conf at boot, so set them here as well rather than relying on FORWARD_IPV4 alone:

net.ipv4.ip_forward = 1
net.ipv4.ip_always_defrag = 1 

If you're editing the files by hand rather than using linuxconf, restart the network so the new values take effect:

/etc/rc.d/init.d/network restart

Afterwards "cat /proc/sys/net/ipv4/ip_forward" should print 1, and "ifconfig" should show both interfaces up with the addresses you expect. Note that from this point on the kernel will route packets between eth0 and eth1 as far as the forward chain allows, which is why the ipchains rules further down set that chain's policy to DENY.

As far as the server itself goes, everything should be in working order at this point, although I should point out that I had a problem in which I could not have both eth0 and eth1 activated and access the Internet with the cable modem at the same time. I wish I knew what I did to make this problem go away, but at some point in my screwing around, it started working!

DHCP SERVER

Your server will also run a DHCP server daemon (the dhcp package) to assign IP addresses to the machines on your LAN when their DHCP client software asks for one. (Document #2 includes a series of instructions that I didn't really follow, and somehow still got DHCP running.) Take a look at "/etc/dhcpd.conf".

The most important line here is the "range" statement, which determines how many machines can hold a dynamically assigned address at any one time. Mine says:

range 192.168.1.10 192.168.1.60;

which means 51 addresses (obviously far more than you'll ever need for a home network) can be leased at the same time. We know that 192.168.1.1 is the server's address, but what about 192.168.1.2 through 9? Those are free for permanent assignments: a "host" entry in dhcpd.conf ties a fixed IP address to a machine's Ethernet (MAC) address, so that box gets the same address every time it connects. Giving it a name that other machines can use is a separate step: that needs DNS on the server or /etc/hosts entries on the clients, since DHCP alone only fixes the address. Include an entry like this for each machine on your LAN that should keep a fixed address:

#   --- This Linux box: the server
    host linuxserver {
        hardware ethernet 00:32:19:2C:A7:4F;
        fixed-address 192.168.1.1;
    }

Machines that don’t have such an entry (e.g., a friend’s laptop) will simply be assigned an IP via DHCP and can use the network just as easily.

Note that the name-to-address part could also be handled by maintaining the "/etc/hosts" file on each machine on your network, but it's obviously much easier to maintain this information in one central place.

Note also that the NIC hardware (MAC) addresses required by these entries can be found with "ifconfig" on Linux, "winipcfg" on Windows 9x/Me, or "ipconfig /all" on Windows 2000/XP.

Start your DHCP server with (use "restart" instead after later edits to dhcpd.conf):

/etc/rc.d/init.d/dhcpd start

(NB: At some point, I had to create a blank “dhcp.leases” when the DHCP daemon complained that it couldn’t find one. Oddly, I can no longer find where Linux puts that file despite trying to “find” it.)
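Pulling this section together, here is an added example (not from the original post) of a small shell script that writes a complete dhcpd.conf for this LAN. It takes the subnet, the 192.168.1.10 to .60 range, the gateway address and the linuxserver entry from above; the DNS server address, the lease times and the second reservation with its made-up MAC address are assumptions. Before emitting anything it checks that no fixed-address lands inside the dynamic range, a mistake that lets dhcpd lease a reserved address to a second machine.

```shell
#!/bin/sh
# Added example, not from the original post: render a complete /etc/dhcpd.conf
# for the LAN described above and refuse to emit it if a reservation collides
# with the dynamic range. The subnet, range, gateway address and linuxserver
# entry come from the page; DNS server, lease times and the "omnibook"
# reservation (made-up MAC) are assumptions.
#
# Usage:  sh render-dhcpd.sh > /etc/dhcpd.conf && /etc/rc.d/init.d/dhcpd restart

SUBNET=192.168.1.0
NETMASK=255.255.255.0
BROADCAST=192.168.1.255
ROUTER=192.168.1.1            # the gateway's eth1 address; clients use it as default route
DNS=192.168.1.1               # assumption: the gateway will run DNS as well
RANGE_START=192.168.1.10
RANGE_END=192.168.1.60

# Reservations: "hostname MAC IP", one per line (constructed sample data).
# Keep them below .10 so a reservation can never collide with a leased address.
RESERVATIONS='
linuxserver 00:32:19:2C:A7:4F 192.168.1.1
omnibook    02:00:00:00:00:01 192.168.1.2
'

last_octet() { echo "${1##*.}"; }

# Fail if any fixed-address falls inside [RANGE_START, RANGE_END]; dhcpd would
# otherwise be free to hand that address to a second machine. Assumes a /24,
# so only the last octet is compared.
check_reservations() {
    lo=$(last_octet "$RANGE_START")
    hi=$(last_octet "$RANGE_END")
    echo "$RESERVATIONS" | while read -r name mac ip; do
        [ -n "$name" ] || continue
        o=$(last_octet "$ip")
        if [ "$o" -ge "$lo" ] && [ "$o" -le "$hi" ]; then
            echo "reservation $name ($ip) lies inside the dynamic range" >&2
            exit 1
        fi
    done
}

render_dhcpd_conf() {
    cat <<EOF
# dhcpd.conf for the 192.168.1.0/24 home LAN
default-lease-time 86400;
max-lease-time 604800;
option subnet-mask $NETMASK;
option broadcast-address $BROADCAST;
option routers $ROUTER;
option domain-name-servers $DNS;

subnet $SUBNET netmask $NETMASK {
    range $RANGE_START $RANGE_END;
}
EOF
    # One host block per reservation: the MAC identifies the machine and
    # fixed-address pins its IP.
    echo "$RESERVATIONS" | while read -r name mac ip; do
        [ -n "$name" ] || continue
        printf '\nhost %s {\n    hardware ethernet %s;\n    fixed-address %s;\n}\n' \
            "$name" "$mac" "$ip"
    done
}

check_reservations || exit 1
render_dhcpd_conf
```

The "option routers" and "option domain-name-servers" lines are what make the clients actually use the gateway; without them a workstation gets an address but no default route. If dhcpd refuses to start for want of its lease database, the path it wants is compiled in and can be found with "strings /usr/sbin/dhcpd | grep leases" (on Red Hat packages of this era it is usually /var/lib/dhcp/dhcpd.leases, an assumption worth checking); an empty file created with "touch" is enough.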

SECURITY AND “IP MASQUERADING”

To handle and filter packets, the 2.2 Linux kernel uses a tool called "ipchains", while the 2.4 kernel replaces it with "iptables" (the netfilter framework). Either can be used to build a firewall for your network and to do network address translation (NAT), or "IP masquerading", which lets all the machines on your network share a single Internet connection, in my case the cable modem.

Because I'm running Red Hat 7.0, and therefore the 2.2 kernel, I used ipchains, and for now I'm using it only for masquerading, while I provide basic access control with the "/etc/hosts.deny" and "/etc/hosts.allow" files, as described in document #1. hosts.deny contains a single line, "ALL: ALL", which refuses connections from every host, while the lines "ALL: 127.0.0.1" followed by "ALL: 192.168.1." in hosts.allow override that to permit connections from the server itself (whose loopback address is 127.0.0.1) and from every device on the LAN (the trailing dot makes it a prefix match). Keep in mind what this does and doesn't cover: hosts.allow and hosts.deny are consulted only by services that go through TCP wrappers (those started by xinetd or tcpd, or linked against libwrap). They are not a packet filter, so a daemon that listens on eth0 without wrapper support is still reachable from the Internet, and the masquerading rules below, which set no policy on the input chain, leave that chain at its default of ACCEPT. I imagine I'll have to make some changes to this setup when I get around to trying to serve content from a Web server/Zope application server from inside my LAN.

As for using ipchains to handle masquerading, I’ve included the following directly from document #1:

Configuring simple masquerading is very very easy once your internal and external networking is operational. Edit the /etc/rc.d/rc.local file and add the following lines to the bottom:

# 1) Flush the rule tables.
/sbin/ipchains -F input
/sbin/ipchains -F forward
/sbin/ipchains -F output
# 2) Set the MASQ timings and allow packets in for DHCP configuration.
/sbin/ipchains -M -S 7200 10 60
/sbin/ipchains -A input -j ACCEPT -i eth0 -s 0/0 68 -d 0/0 67 -p udp
# 3) Deny all forwarding packets except those from local network.
#    Masquerade those.
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ
# 4) Load forwarding modules for special services.
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio

Run the rc.local script with the command /etc/rc.d/rc.local and you are ready to go! Sit down at one of your other computers and try some web surfing.
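The script above does the masquerading job, but it never sets a policy on the input chain, which defaults to ACCEPT, so the gateway's own ports stay reachable from the cable-modem side and tcp_wrappers is all that protects them. The following is an added example, not from the original post or from document #1, of the same masquerading setup with a default-deny input chain, anti-spoofing rules and a dry-run mode so the rule set can be read before it is applied. The interface names, the LAN prefix and the ipchains path are from the page; the ICMP types allowed, the high-port return-traffic rules and the logging are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original post or of document #1: the same
# masquerading setup with a default-deny input chain, so the gateway itself is
# protected by the packet filter rather than by tcp_wrappers alone.
# eth0/eth1, 192.168.1.0/24 and /sbin/ipchains come from the page; the ICMP
# choices, port ranges and logging are this example's assumptions.
#
# Usage:  sh gateway-fw.sh          # print the rules (dry run, nothing changed)
#         sh gateway-fw.sh apply    # apply them (run as root on the gateway)

EXT=eth0                 # cable-modem side
INT=eth1                 # LAN side
LAN=192.168.1.0/24
IPCHAINS=/sbin/ipchains

# Emit one command per line; generating first and applying second lets the
# rule set be read, diffed or saved before it touches the kernel.
rules() {
    cat <<EOF
$IPCHAINS -F input
$IPCHAINS -F forward
$IPCHAINS -F output
# Default policies: nothing reaches the gateway or crosses it unless a rule says so.
$IPCHAINS -P input DENY
$IPCHAINS -P forward DENY
$IPCHAINS -P output ACCEPT
# Loopback and the LAN side are trusted.
$IPCHAINS -A input -i lo -j ACCEPT
$IPCHAINS -A input -i $INT -s $LAN -j ACCEPT
# Anti-spoofing: private and loopback source addresses never legitimately
# arrive from the Internet; drop and log them (-l).
$IPCHAINS -A input -i $EXT -s 10.0.0.0/8 -j DENY -l
$IPCHAINS -A input -i $EXT -s 172.16.0.0/12 -j DENY -l
$IPCHAINS -A input -i $EXT -s 192.168.0.0/16 -j DENY -l
$IPCHAINS -A input -i $EXT -s 127.0.0.0/8 -j DENY -l
# DHCP replies from the ISP (server port 67 to client port 68) so $EXT can
# configure itself.
$IPCHAINS -A input -i $EXT -p udp -s 0/0 67 -d 0/0 68 -j ACCEPT
# Replies to connections we started. ipchains has no connection tracking, so
# "established" is approximated by TCP packets without SYN (! -y) and UDP
# aimed at unprivileged ports; masqueraded sessions use ports 61000-65096,
# which fall inside that range.
$IPCHAINS -A input -i $EXT -p tcp ! -y -d 0/0 1024:65535 -j ACCEPT
$IPCHAINS -A input -i $EXT -p udp -d 0/0 1024:65535 -j ACCEPT
# ICMP needed for working connections (path MTU, traceroute, ping replies).
$IPCHAINS -A input -i $EXT -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPCHAINS -A input -i $EXT -p icmp --icmp-type source-quench -j ACCEPT
$IPCHAINS -A input -i $EXT -p icmp --icmp-type time-exceeded -j ACCEPT
$IPCHAINS -A input -i $EXT -p icmp --icmp-type echo-reply -j ACCEPT
# Masquerade traffic leaving on $EXT only if it really came from the LAN
# (in the forward chain -i names the outgoing interface).
$IPCHAINS -M -S 7200 10 60
$IPCHAINS -A forward -i $EXT -s $LAN -j MASQ
# Helper module for FTP, which carries addresses inside the protocol.
/sbin/modprobe ip_masq_ftp
EOF
}

apply_rules() {
    # sh -e stops at the first ipchains error instead of leaving a half-built set.
    rules | sh -e
}

# Self-check: both DENY policies and the MASQ rule must be present, and LAN
# source addresses must never be accepted when they show up on the outside.
check_rules() {
    out=$(rules)
    echo "$out" | grep -q -- "-P input DENY" || return 1
    echo "$out" | grep -q -- "-P forward DENY" || return 1
    echo "$out" | grep -q -- "-A forward -i $EXT -s $LAN -j MASQ" || return 1
    echo "$out" | grep -q -- "-A input -i $EXT -s $LAN -j ACCEPT" && return 1
    return 0
}

case "${1:-}" in
    apply) check_rules && apply_rules ;;
    *)     check_rules && rules ;;
esac
```

Because ipchains cannot track connections, the two return-traffic rules accept any non-SYN TCP packet and any UDP packet to ports above 1023 arriving from the Internet; don't run services on the gateway bound to those ports, or put explicit DENY rules for them ahead of those lines. To make this permanent, replace the ipchains lines in rc.local with a single call such as "sh /etc/gateway-fw.sh apply".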

SAMBA

Samba is the only network service I'm running that isn't needed for Internet connection sharing on your LAN. It is necessary, though, if you want to share files and printers between Windows and Linux machines. I actually haven't set up a printer through it yet, though.

You'll need the following packages: samba-common, samba, and samba-client. Even if you installed them with the OS, the two daemons may not be set to start at boot ("chkconfig smb on" fixes that). Check whether they're running with "ps -Al | grep mbd". If you see smbd and nmbd among the processes, you're all set. If not, start them with this command:

/etc/init.d/smb start

If your server's LAN IP address is 192.168.1.1, you should be able to open "http://192.168.1.1:901/" to use SWAT, the browser-based Samba configuration tool. SWAT is started by the superserver on demand, so if it doesn't answer, check how it's registered. The swat man page's suggestion to add a line ending in

/usr/local/samba/bin/swat swat

refers to the older inetd's /etc/inetd.conf (and to a source install; Red Hat's packaged binary is /usr/sbin/swat). Red Hat 7.0 uses xinetd instead, so the equivalent is the file "/etc/xinetd.d/swat", which is disabled by default: make sure it has the line "disable = no", then restart xinetd. One caution: you log in to SWAT as root over plain HTTP, so the password crosses the wire in the clear. Keep an "only_from" line in that file limiting it to 127.0.0.1 or at most 192.168.1.0/24, and make sure port 901 is never reachable from eth0.

These steps seemed to clear up any problems for me.

In Swat, under the “Globals” section, the following variables are the important ones:

  • workgroup: Your Windows workgroup name
  • netbios name: The name you want your server to show up as in Windows networking
  • interfaces: the LAN-side interface, which in this setup is eth1, not eth0 (give it as an address, 192.168.1.1/24, plus 127.0.0.1/8 for loopback); on its own this only tells Samba which networks to use for browsing and name registration, so also set "bind interfaces only" to Yes, which is what stops smbd and nmbd from listening on the cable-modem side
  • security: best option is USER; access is controlled through username and password
  • encrypt passwords: must be "Yes" to work with Windows 98, NT 4 (SP3 and later), 2000 and XP clients, which refuse to send plaintext passwords by default; each user then needs an entry in Samba's own password file, created with "smbpasswd -a username"
  • hosts allow: "192.168.1. 127." so that only the LAN and the server itself can connect

The rest of the variables should be OK with their default values.

You can create network shares pretty intuitively through the “Shares” section. A “homes” share is a special Samba share that provides users with accounts on the server access to their “home” directory.

Swat writes the "/etc/samba/smb.conf" file, which, of course, can also be edited by hand; run "testparm" afterwards to check it for syntax errors before restarting smb.

USEFUL COMMANDS:

ifconfig

View network interface information (if invoked with no arguments).

/etc/rc.d/init.d/network restart
/etc/init.d/xinetd restart

Restart the network interfaces, and the xinetd superserver (which governs SWAT and the other services under /etc/xinetd.d), respectively.

/sbin/ifup eth0
/sbin/ifdown eth0

Start and stop a network interface, respectively. Sometimes this is necessary when network connectivity has been unexpectedly interrupted.

chkconfig dhcpd on

Adds the dhcpd startup script to the runlevel directories under /etc/rc.d so DHCP starts at boot. The same works for any other service you want started at boot, e.g. "chkconfig smb on".

chkconfig --list | grep SERVICE_NAME

See which runlevels, if any, the service is set to start in.

tail -f /var/log/messages

Watch the messages on the server as the machines on your LAN connect to it via DHCP.

Written by mdorn

August 20th, 2003 at 12:35 pm
