I've recently gotten thrown into the deep end at work. I got given the job of network admin, which would be a good thing except that I'm a Linux n00b and most of the network servers are Linux. My boss is also pretty security conscious, which makes things more difficult.
Anywho, as I'm a n00b please be tolerant; going from Windows to Linux is a steep learning curve. My boss wants me to put in a Linux file server, and I was going to put a domain controller on the same server to lock down client logins. Is there any way I can stop two machines on the network seeing each other even if they know the IP of the machine?
Having personally switched a few networks over from Windows to Linux servers, I know it can be a bit daunting at first. But I am sure with the help of these forums, and the internet in general, you will be able to adapt pretty quickly.
Well, first things first, what OS are the client machines running? Since you said a DC, I am going to assume that you have Windows NT based systems. If you have some Linux clients, you can of course serve them as well with the same server.
So, you say you want to set up a file server and a PDC. Well, you will only need one server package for this, which is Samba.
The file server portion will be pretty easy with Samba, however, you should be warned that setting up a PDC (unless it is going to be a very simple installation) with Samba is not very easy, and to be perfectly honest, Samba simply doesn't do as good a job as Windows in this respect.
That of course isn't a great surprise, since Samba is constantly playing "catch-up" with Windows when it comes to PDC technology.
So while Samba is completely capable when it comes to file sharing, in the PDC department, it is about on par with Windows NT4 (since you have Windows experience, I assume you know NT4 was a very simplistic PDC).
So, to get to the point, if you have a lot of clients, or are looking to have advanced domain functionality, I would probably look into Windows 2003 for the PDC. If you have relatively few clients, and are satisfied with a basic domain model, then Samba should be able to do that for you.
I would suggest picking up some books on the subject, since while it is nice to be able to search Google whenever you like, it is still good to have a hard copy of the information on hand when you need it. For Samba, I would suggest "Samba: Unleashed" and "The Official Samba-3 HOWTO and Reference Guide".
My personal choice (if I had to pick just one) would be "Samba: Unleashed" while it is a bit outdated now (it predates Samba 3) it is still a wealth of information, and gives descriptions of every Samba configuration option. Luckily not much has changed, so the majority of this information is still perfectly valid.
Now, as for your last question, I'm not sure I understand what you are asking. You want to isolate the clients from each other?
My first question would be "Why?" since I can't think of a reason to do this (unless I am misinterpreting your question entirely). But, aside from that, I would need some more information on what exactly you need to do before I could make any suggestions.
Cheers for the encouraging reply. I guess the first thing for me is to get it set up, and then I can worry about my security-paranoid boss later. He wants me to know if I can isolate the clients, hence I can exercise who has access to what.
Ok, I'll give you a rundown on the network: it's less than 12 clients requiring file backup, email & internet access, and a few need FTP/Telnet and SSH. Most clients are Win2K with 3 Debian clients. All the servers on the network are Debian. For the domain controller it's about access more than authentication. I want to be able to give shares individually, to groups and communally. There is also the printer sharing as well, which a PDC will sort out; the only thing after that may be authentication for one or two web based applications, but to be honest I'm not sure if I can tie them together because they are on different servers (there's an internal file server running one or two in-house web based applications).
In terms of tracking, all traffic will be tracked via IP at the firewall (yet again, being a n00b to Linux I'm assuming this is possible and I've no idea what programs or apps to use to administer this). Any foreseeable problems here? Once again thanks for your help and patience.
As I figured, I misinterpreted your last question.
It is of course possible to limit who has access to what services (file sharing, FTP, etc) by users and groups, or even IPs.
So that can be done pretty easily; you will just need to get that all planned out after you know who is going to be working with what. That kind of thing can be done at the end of the installation. Basically, get it all up and running now, and then go back and talk with the Administration and discuss everybody's rights as to what they can and cannot use (a little hint here: the staff never like to be told they cannot access a certain feature or service, so whenever possible, have somebody else make those decisions).
It is good that you have relatively few clients, it will make the PDC setup easier. Samba will be able to give out shares based on user names, so individual shares are not going to be a problem. And group and public shares are also setup fairly easily. Samba can also handle the print sharing as well, if that is something you need.
All that is covered in the "Samba: Unleashed" book I mentioned, and since you will be setting up a fairly complicated file server, it would be a good book to have on hand. Tell your boss you need it, and you should be able to get them to buy it for you, so it is a win-win situation.
As for the firewall, what kind of traffic are you trying to track? Keep users from using unauthorized software (AIM, IRC, etc), or content filtering (keep them off the porn sites)? And do you know what kind of firewall is running? Is it a Linux machine, or something hardware based like a Pix or SonicWall?
If what I'm doing is fairly complicated I'd love to see an easy one! :-) And here was me thinking that it was a fairly simple setup. Would adding a DHCP server be too much? It's running on another server that will be retired, but I don't want to be piling lots of services on one machine or the performance will go to shit.
The setup I would like would be to have a DHCP server that is "Dynamic" but not really, as it gives out IPs according to MAC address. Is this possible?
As it's a small number of clients this shouldn't be a problem, and it eases things when it comes to tracking or troubleshooting because I will know which machine by looking at the IP, and as they are mapped by MAC I can be damn sure that the machine that was used was the same one.
As for the firewall, I've no idea. As far as I know it's just Debian Linux, but I've no idea what apps (is it applications or are they called packages under Linux?) are installed/being used, and I've no idea how to find out over a telnet connection. The boss wants me to keep track of general network stats like traffic and unauthorized software and websites too.
I will be buying a copy of Samba Unleashed; I've already rung the bookstore to order it in! :-) I've to present a network plan to the Boss, I'll use Samba lots of times, and when he asks me what I need I will tell him the book would be helpful. :-)
Cheers for the heads up on the staff issue. I've come across it before in other admin jobs I've done and it can get downright nasty. So if anyone else is reading this post, heed our warning: let the manager make the decision, they can take the flak and can put people in their place if they get very vocal about it. Then as time goes by you're still the friendly network admin guy who would like to help but whose hands are tied! :-)
Of course my problem is that I've to research and implement an IT policy! AHHHHHHHHhhhhhhhhhhhhhhhh
DHCP is much easier to set up than Samba (for the most part), and takes an extremely small amount of resources to run, so adding DHCP to your server will be no problem at all.
The server program for this would be "dhcpd" and is usually installed by default.
And assigning IPs based on MAC is certainly possible. It is a bit time consuming to set up MAC reservations, but not difficult. You could have the whole thing running in under half an hour. Once you get one MAC reservation set up, it is basically just a matter of copying and pasting that section, and editing the MACs accordingly. Plus, the documentation for "dhcpd" is great; you can pretty much just copy one of the many samples it gives you, and plug in your IP range.
If the firewall is a Debian machine, it is probably running some form of IPTables for the firewall (IPTables is the front-end for the firewall built into the Linux kernel). The easiest way to tell this over a telnet connection would be to run "iptables -L" on the firewall. If that returns a lot of lines, then IPTables is being used.
Now, is monitoring of the clients web traffic already being done, or is this something your Boss wants added? Blocking unwanted networking applications is pretty easy. All you would need to do is block everything outgoing (except things you want them to use, like the Web and Email) from the firewall with IPTables.
Personally, I would hold off on making any changes on the firewall at this point. It would be good to gain some more experience on the current server, before jumping into a critical system like the firewall and making changes.
A first step would be to check and see if IPTables is being used, then figure out what exactly the firewall is doing. If you like, you can post the output of "iptables -L" and we could decipher that for you and tell you what is going where.
Good to hear about the DHCP server. I thought as much, but 'cause I'm a n00b I just thought I'd put it out there just in case there are any additional issues.
The reason I was asking about assignment via MAC address is because I want to use IP ranges for different departments/workgroups etc, and also it uniquely identifies each client.
As far as I know some basic monitoring is being done, but I've no idea what application is doing it or how to find out what applications/packages are installed. Is there any command to list off all the installed packages? To top it all off, because I don't have easy physical access to the machines I don't even know what hardware is in them, so I've no idea if they are suitable for the tasks assigned. I thought uname --all was the answer to my problems but it gives very basic data. Is there something that will give you the same depth of information as the "system information" in Windows?
The last thing I will be doing is poking around on mission critical servers until I find my feet, but there is an older server that's not in use that I can poke around on.
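The MAC-reservation setup described above (one `host` stanza per machine, with departments mapped to IP ranges) can be generated rather than copy-pasted. This is an added example, not code from the thread or from ISC dhcpd; the client list, department ranges and subnet are constructed sample values, and the script only writes a dhcpd.conf fragment for review, it does not touch the server.

```python
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed sample inventory (hostname, MAC as typed, department). Mixed MAC
# notations are deliberate: Windows "ipconfig /all" uses dashes, Cisco uses dots.
CLIENTS = [
    ("acct-01", "00:11:22:33:44:01", "accounting"),
    ("acct-02", "00-11-22-33-44-02", "accounting"),
    ("dev-01",  "0011.2233.4403",    "dev"),
]

# Hypothetical per-department ranges inside one /24 (the "IP ranges per department" idea).
DEPT_RANGES = {
    "accounting": (IPv4Address("192.168.1.10"), IPv4Address("192.168.1.49")),
    "dev":        (IPv4Address("192.168.1.50"), IPv4Address("192.168.1.89")),
}

def normalize_mac(mac):
    """Return the colon-separated lowercase form dhcpd expects; reject anything not 12 hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"invalid MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def assign_addresses(clients, dept_ranges):
    """Give each client the next free address in its department's range.
    A duplicate MAC is an error: two machines claiming one reservation would break
    the 'IP identifies the machine' assumption the thread relies on."""
    next_free = {dept: lo for dept, (lo, _) in dept_ranges.items()}
    seen, reservations = {}, []
    for name, raw_mac, dept in clients:
        mac = normalize_mac(raw_mac)
        if mac in seen:
            raise ValueError(f"MAC {mac} already reserved for {seen[mac]}")
        ip, hi = next_free[dept], dept_ranges[dept][1]
        if ip > hi:
            raise ValueError(f"address range for {dept} exhausted")
        next_free[dept], seen[mac] = ip + 1, name
        reservations.append((name, mac, ip))
    return reservations

def render_dhcpd_conf(subnet, reservations):
    """Emit a dhcpd.conf fragment: a subnet with no dynamic pool (no 'range' line) and
    'deny unknown-clients', so a machine without a host stanza gets no lease at all."""
    net = IPv4Network(subnet)
    lines = [f"subnet {net.network_address} netmask {net.netmask} {{",
             "  deny unknown-clients;", "}"]
    for name, mac, ip in reservations:
        lines += [f"host {name} {{", f"  hardware ethernet {mac};", f"  fixed-address {ip};", "}"]
    return "\n".join(lines) + "\n"
```

Running `render_dhcpd_conf("192.168.1.0/24", assign_addresses(CLIENTS, DEPT_RANGES))` prints the fragment; keep in mind a MAC can be changed on the client, so the reservation identifies the machine for troubleshooting, not as a security control.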
I think that you need to stop here. If you're not the one controlling physical access then there is no reason to implement any policy. Most of this stuff you're going to do or use helps if you have physical access. My system room is locked at all times and me and the owner have the only keys; I work in the States and the owner stays at his house in England, plus my office is right in front of the door so I can monitor who tries to get in. I think that using static IPs inside might be easier than DHCP with MAC addressing. I am not a big fan of DHCP so my opinion is kinda based off that. I run Windows XP Pro on all clients so I can use pcAnywhere to control them if needed. Makes system administration very easy. You don't even have to leave your chair to go see the error message that your accounting department gets when trying to edit an invoice. Simple click and you are controlling their system. This works better with static IPs, so that's the reason that I do this.
If you want a good PDC you should try www.samba-tng.org
This is a real PDC and not a system acting as a PDC. This also can be configured for Active Directory and LDAP, though it's going to be way over your head.