Server setup

Post by Anub » Fri, 27 Jun 2003 19:52:55

Hi,

On weekends I maintain a small network (14 Win98 clients) in a
non-profit organisation. About half a year ago I set up a Win2k server
(Active Directory domain controller) to share the one incoming ADSL
connection over the 14 clients.
This works nicely, but as you could guess I would like to step over
to Linux. First of all to learn how to set up the same thing under
Linux and second to help the organisation get rid of the huge
costs of Win2k.

I have moderate Linux (mainly RedHat) command line knowledge, but I
have never set up something like a DNS server.
My first question:
* What should I install/configure first? Firewall? DNS? Samba? And
after that? Is there a commonly used "workflow" for this?
Secondly, but not so important:
* Is there anyone who has set up the same (Linux server + some Win98
clients) with internet connection sharing and maybe antivirus scanning
on the server?

I know this last question is probably "huge" but as I said, it's not
so important - that's something I probably have to find out myself
while reading many HOWTOs on TLDP.

So if anyone can help me out with the "workflow" and maybe has some
other handy tips, that would be greatly appreciated!

Thanks in advance!

Kind Regards,
Sam

Server setup

Post by Scarlet Otte » Fri, 27 Jun 2003 20:07:44

> * Is there anyone who has setup the same (linux server + some win98
> clients) with internet connection sharing and maybe antivirus scanning
> on server?

FreeSCO ( http://www.freesco.org/ ) might be a good way to get started.
It's Linux-based, and very easy to configure.  I have a FreeSCO router
(named her Articuno) set up as our gateway to the Internet (dial-up even).
Articuno is currently serving as the router for three Windows-98 Lite
systems (plus various other project systems) on a home LAN linked together
with an AT&T StarLAN-10 hub.  Although we use dial-up here, FreeSCO can
also serve as a router on a high-speed Internet connection.  There have
been a ton of packages ported to FreeSCO as well (Samba, Antivir, Lynx,
PINE, etc.)

If you decide to give it a try, and you have any questions, send an email
my way.

-- Otter
(Spamfoil in place.  Lift MYTAILFEATHERS to reply via email.)

Server setup

Post by Sybren Stuve » Fri, 27 Jun 2003 20:44:04
Anubis enlightened us with:

> This is works nice, but like you could guess I would like to step over
> to Linux.

Good choice.

> * What should I install/configure first?  Firewall? DNS? Samba?

Samba is only required if you want to use the Linux box as a file server
or authentication server for the Win98 clients. Since your question
was only about internet connection sharing, you won't need it.

First, install a nice and tight firewall. That makes sure your system
isn't wide open. Then install a DNS server if you want to use one. You
can also let your clients use your ISP's DNS server, of course.

> And after that? Is there a commonly used "workflow" for this?

After that read some firewall documentation on www.tldp.org. What is
called "Internet Connection Sharing" in windoze is called NAT (Network
Address Translation) or IP Masquerading in the rest of the world. Make
sure you read the right chapters. Also make sure you use kernel 2.4.xx
and iptables, since that is easier to set up than the older kernels and
tools.

You might also want to set up a DHCP server on the Linux box, for easier
maintenance.

> * Is there anyone who has setup the same (linux server + some win98
> clients) with internet connection sharing

I'm on a network with about 10 computers which are a mix of Win95,
Win98, Win98SE, Win2k, WinXP, Linux and IRIX. All work flawlessly with
our NATting server.

> and maybe antivirus scanning on server?

Nope, none. As I see it: if people want to run insecure environments
(read: any form of windoze), they should make sure they are secure
themselves. There are various scanners for windoze virii that run on
Linux, though, so it shouldn't be that hard to set up server-side
email-scanning.

> I know this last question is probably "huge"

No it's not ;-)

> but as I said, it's not so important - thats something I probably have
> to find out myself while reading many HOWTOs on TLDP.

Good guess ;-)

> So if anyone can help me out with the "workflow" and maybe has some
> other handy tips, that would be greatly appreciated!

Here is the important part of my firewall script. Make sure you adjust
it to your needs. The HTB script requires a recent kernel (tried on
2.4.20 and 2.4.21) and makes sure up- and downloads don't interfere
(that much), makes ssh connections nice and fast, etc.

+------------------------ rc.firewall --------------------------------+
#!/bin/sh

LOOP="127.0.0.0/8"
INTERN="10.0.0.0/16"
ANYWHERE="0/0"
EXTERN_IP="80.126.213.162"      # static external address; with a dynamic
                                # address use -j MASQUERADE instead of SNAT
INTERNAL_INTERFACE="eth1"
EXTERNAL_INTERFACE="eth0"

echo "Disabling ip-forwarding"
echo 0 > /proc/sys/net/ipv4/ip_forward

echo "Loading kernel modules"
/sbin/depmod -a
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_nat_irc
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_conntrack_ftp

echo "Flushing old rules"
iptables -F
iptables -t nat -F
iptables -t mangle -F

iptables -P FORWARD ACCEPT
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT

# Drop spoofed packets first: nothing arriving on the external interface
# may carry a SOURCE address from our own LAN or from the loopback range.
iptables -A INPUT   -i $EXTERNAL_INTERFACE -s $INTERN -j DROP
iptables -A INPUT   -i $EXTERNAL_INTERFACE -s $LOOP   -j DROP
iptables -A FORWARD -i $EXTERNAL_INTERFACE -s $INTERN -j DROP

echo "Setting up masquerading"
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s $INTERN -o $EXTERNAL_INTERFACE -j SNAT --to $EXTERN_IP

# Local services: accept replies to our own connections, and new
# connections from any interface except the external one.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i $EXTERNAL_INTERFACE -j ACCEPT

# Forwarding: the LAN may open connections to the outside; packets coming
# in on the external interface are only forwarded when they belong to a
# connection the LAN opened. Everything else from the outside is dropped.
iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $EXTERNAL_INTERFACE -j DROP
iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE -j ACCEPT
iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE \
         -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXTERNAL_INTERFACE -j DROP

echo "Dropping all other ports"
iptables -A INPUT --protocol tcp -j DROP
iptables -A INPUT --protocol udp -j DROP

exec /root/htb
+-----------------------------------------------------------------------------+

And here is my HTB traffic shaping script:

+----------------------------- /root/htb -------------------------------------+
#!/bin/bash

# Set the following values to somewhat less than your actual download
# and uplink speed. In kilobits
DOWNLINK=1400
UPLINK=200
# The external (Internet-facing) interface: shaping happens on the link
# to the ISP, not on the LAN side.
DEV=eth0

# clean existing down- and uplink qdiscs, hide errors
tc qdisc del dev $DEV root    2> /dev/null > /dev/null
tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null

###### uplink
# install root HTB, point default traffic to 1:20:
tc qdisc add dev $DEV root handle 1: htb default 20

# shape everything at $UPLINK speed - this prevents huge queues in your
# DSL modem which destroy latency:
tc class add dev $DEV parent 1: classid 1:1 htb rate ${UPLINK}kbit burst 6k

# high prio class 1:10:
tc class add dev $DEV parent 1:1 classid 1:10 htb rate ${UPLINK}kbit \
   burst 6k prio 1

# bulk & default class 1:20 - gets slightly less traffic,
# and a lower priority:
tc class add dev $DEV parent 1:1 classid 1:20 htb rate $((9 * UPLINK / 10))kbit \
   burst 6k prio 2

# both get Stochastic Fairness:
tc qdisc add dev $DEV parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10

# TOS Minimum Delay (ssh, NOT scp) in 1:10:
tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
      match ip tos 0x10 0xff  flowid 1:10

# ICMP (ip protocol 1) in the interactive class 1:10 so we
# can do measurements & impress our friends:
tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
      match ip protocol 1 0xff flowid 1:10

# To speed up downloads while an upload is going on, put ACK packets in
# the interactive class:
tc filter add dev $DEV parent 1: protocol ip prio 10 u32 \
   match ip protocol 6 0xff \
   match u8 0x05 0x0f at 0 \
   match u16 0x0000 0xffc0 at 2 \
   match u8 0x10 0xff at 33 \
   flowid 1:10
# rest is 'non-interactive' ie 'bulk' and ends up in 1:20

########## downlink #############
# slow downloads down to somewhat less than the real speed  to prevent
# queuing at our ISP. Tune to see how high you can set it.
# ISPs tend to have *huge* queues to make sure big downloads are fast
#
# attach ingress policer:
tc qdisc add dev $DEV handle ffff: ingress

# filter *everything* to it (0.0.0.0/0), drop everything that's
# coming in too fast:
tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \
   0.0.0.0/0 police rate ${DOWNLINK}kbit burst 10k drop flowid :1

+----------------------------- /root/htb -------------------------------------+

Sybren
--
The problem with the world is stupidity. Not saying there should be a
capital punishment for stupidity, but why don't we just take the
safety labels off of everything and let the problem solve itself?

Server setup

Post by Keegan Al » Sat, 28 Jun 2003 00:58:55
Hi Sam,

First, congrats on jumping into Linux.  Once you learn how to do what
you're setting out to do, you'll be hooked :)

If your Linux box will double as a router between the Internet and
your internal LAN, I'd suggest setting up iptables first.  This will
act as a firewall between you and the Internet.  If you don't want to
mess with this, get a Linksys router to do the dirty work.

Second, I'd set up Samba.  With 14 Win98 systems, set up Samba as a
domain server and use it for authentication.  This way you can log in
using the same username/password on all systems, plus map home
directories via login script, sync time with the server, and other nifty
things.  Also, if you have any network printers, put them in Samba as
well so all systems can print to them.

If you're on the same subnet, go with DHCP next.  If you ever add or
remove a system, DHCP is the simplest way to go... and it's cake to
set up (one file to modify).

Then I'd set up imap/sendmail on your Linux box so your clients can use
it as their imap server.  I'm not very familiar with this area, but
once it's configured, your users can access their mailbox from any
system on the network or Internet.  You could even install SquirrelMail
to make things simpler when they're away from work.

Next, configure Apache, FTP, SSH, and any other Internet apps you want
to run.  I find FTP and SSH the easiest way to get files from Windows
systems on my LAN.  I mounted the folder on Windows in Linux, and via
FTP I can get anything I need when I'm at home or traveling.  Much
easier than setting up a VPN.

Another MUST program is Webmin.  You can manage everything from users,
cron jobs, even get a shell prompt from Webmin.  This is a 'gotta get'
program.

Outside of that, the sky's the limit.  Just make sure to run any
server updates as they're available.  I run Red Hat, so I have
'up2date -u' in my cron to run nightly.  This keeps my system updated
without me lifting a finger.  Also set up 'rdate -p -s [timeserver ip
addy]' in a cron to keep your time and date updated.  This runs hourly
on my server, and whenever a system logs in, it uses the MS 'net time'
command to update the client.  This makes all system times congruent.

That's it...  It seems like a lot, but most of this can be done in an
hour or two after installing a clean system.  Let me know if you need
any help.

Take care, and above all else, have fun :)

Keegan.
