Linux - Newbie forum, LinuxQuestions.org
This Linux forum is for members that are new to Linux. Just starting out and have a question? If it is not in the man pages or the how-to's, this is the place!
1) I always suggest reading the IP Masquerading HOWTO for information on this. You need to make sure that the net.ipv4.conf.default.forwarding sysctl variable is set to 1 (you can use /etc/sysctl.conf for this). IIRC the last time I did this the sysctl variable was net.ipv4.ip_forward so some systems might do this, but my Kubuntu 7.10 machine tells me net.ipv4.conf.default.forwarding is the correct variable for it. You'll also need to set up some iptables rules to handle the packet mangling -- the link I posted for you tells you how to do that.
2) Yes -- sounds like you just need to tell the WAN interface to configure itself via DHCP and it sounds like it will work (DSL users like myself have a few extra hoops to jump through with PPP, but cable modem users are in the clear on this).
3) Again, yes -- just set it to a static IP address -- I always set my router to the first address on the subnet, i.e. X.X.X.1, but there's no reason it has to be done that way.
5) Don't understand your question -- so long as you tell Ubuntu that the interface should be configured via DHCP in /etc/network/interfaces you should be set for this part.
6) Best to have a startup script that starts dhcpd on boot, but yes, you want to tell it to listen on your LAN interface and hand out a range of addresses.
7) You set the IP configuration params for your machine in /etc/network/interfaces. You set the IP address, netmask, default gateway (your box), and optionally name servers for the DHCP clients on your network in the dhcpd.conf. You just have to make sure that these are correct, and you should be good to go.
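As an added example (not code from the thread), a small generator for the two files the step-7 questions ask about; it assumes eth0 is the WAN NIC, eth1 the LAN NIC on 192.168.0.0/24 with the gateway at 192.168.0.100 and a pool of 192.168.0.10-192.168.0.99, and the DNS value is a placeholder:

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: eth0 = WAN (DHCP from
# the ISP), eth1 = LAN 192.168.0.0/24 with the gateway at 192.168.0.100 and a
# DHCP pool of 192.168.0.10-192.168.0.99; the DNS value is a placeholder.
LAN_IF=eth1
LAN_ADDR=192.168.0.100
LAN_MASK=255.255.255.0
LAN_NET=192.168.0.0
POOL_START=192.168.0.10
POOL_END=192.168.0.99
DNS=192.168.0.100   # placeholder: your ISP's resolvers, or a local caching DNS

# /etc/network/interfaces: WAN via DHCP (step 5), LAN static with its
# netmask (7.1 and 7.2 are both answered in the same stanza).
gen_interfaces() {
    cat <<EOF
auto eth0
iface eth0 inet dhcp

auto ${LAN_IF}
iface ${LAN_IF} inet static
    address ${LAN_ADDR}
    netmask ${LAN_MASK}
EOF
}

# dhcpd.conf (/etc/dhcp3/dhcpd.conf on Ubuntu 7.10): the pool (7.3) and the
# gateway handed to clients (7.4) live here, not in the interfaces file.
gen_dhcpd_conf() {
    cat <<EOF
ddns-update-style none;
authoritative;
default-lease-time 600;
max-lease-time 7200;

subnet ${LAN_NET} netmask ${LAN_MASK} {
    range ${POOL_START} ${POOL_END};
    option routers ${LAN_ADDR};
    option subnet-mask ${LAN_MASK};
    option domain-name-servers ${DNS};
}
EOF
}

# Step 6: dhcpd must listen on the LAN NIC only, never on the WAN NIC.
# On Debian/Ubuntu that is INTERFACES="eth1" in /etc/default/dhcp3-server.
gen_dhcpd_default() {
    printf 'INTERFACES="%s"\n' "${LAN_IF}"
}
```

Run `gen_interfaces`, `gen_dhcpd_conf` and `gen_dhcpd_default` and paste each output into the file named in its comment, then restart networking and dhcpd.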
1) Use your server as a NAT gateway. Is there a way to define this?
No, you must install router NAT software.
2) Connect one NIC card to the modem (or Internet)
(defined as the NAT-server's WAN interface) How can the NAT-server's WAN interface be defined? Is it defined in the /etc/network/interfaces file?
No, normally for NAT equipment the interface is just called and labeled the "WAN" interface. You should not define "WAN" in any configuration on the server.
3) Connect the other NIC card to a switch with several Ethernet ports
(defined as the NAT-server's LAN interface) How can the NAT-server's LAN interface be defined? Is it defined in the /etc/network/interfaces file?
No, normally for NAT equipment the interface is just called and labeled the "LAN" interface. You should not define "LAN" in any configuration on the server.
4) Connect all other PCs to the switch. Done.
5) Install DHCP-server and DHCP-client software on your server. I think I can handle this.
5) The server's WAN interface should be defined as a DHCP-client
(the DHCP client should get one public IP-address from the ISP with DHCP when the server starts up). So my problems start here: is this defined in the dhcp config or somewhere else?
If you install the NAT software on your server and use its NAT configuration, then I believe it will give you a clear picture of how you should do it.
6) The server's LAN interface should be defined as a DHCP-server
(the DHCP-server on the LAN interface delivers private IP-addresses to all your PCs)
(=> one unique private IP-address for each PC). OK, here I think with this I could define where dhcp will work: /usr/sbin/dhcp dev ethx (ethx being the eth interface on which to define dhcp)
7) Configure the DHCP server (on your server's LAN interface). I think this is an introduction to the points below.
7.1 Set a private IP-address on the server's LAN interface. This could be defined like this:
auto eth1
iface eth1 inet static
7.2 Set a subnet mask (e.g. 255.255.255.0). Couldn't this be done in the above point? If not, where could I define it?
7.3 Define a scope of private IP-addresses for your server's DHCP-server
(e.g. 192.168.0.10-192.168.0.99). This could probably be defined in the dhcp config (/etc/dhcp.conf) and must start with: range 192.168.0.10 192.168.0.99
7.4 Set a default gateway to the LAN interface's IP-address
(e.g. 192.168.0.100). This would probably be the same as the above point; if not, where can it be defined?
Thanks for your patience and once again thanks a lot
1) Use your server as a NAT gateway. Is there a way to define this?
No, you must install router NAT software.
The NAT functionality is supplied by the netfilter part of the kernel. You need to configure masquerading along with configuring the firewall. The Linux firewall is configured with iptables commands. There are some programs that supply a GUI interface, to produce the iptables commands in a script that is run when you boot up. Some distros have a checkbox that you can check to enable masquerading. This is probably in the firewall or gateway setup and would be the easiest way to proceed. I don't use Ubuntu, so you will need to look in its documentation yourself. You may also need to modprobe the nf_nat, iptable_nat, nf_conntrack_ipv4, iptable_nat and nf_conntrack kernel modules. You can enter the command "/sbin/lsmod" to check if they are already loaded.
I would also recommend downloading the NAG Guide from the www.tldp.org website. ( Network Administrators Guide ) Also read the IP Masquerading HOWTO linked to in the previous post.
You had put the firewall last in your list. Without a NAT router, it should be the first in the list, even if you have only one computer. Your public IP address will be banged on by hackers and bots. You need to configure your firewall to make sure you have all ports closed (unless you are running a public server).
A Defense in Depth strategy would have all interfaces firewalled on all computers. Only needed ports would be opened, depending on what services you need. If you have a computer running as a firewall for a network, it is normal practice to only have a bare minimum of software installed, and to even do things like scan for suid and guid commands and uninstall any that aren't necessary. Often a gateway host won't even have Xorg installed. It would be better to have any file server inside the LAN and not use your gateway computer for that. Novell published a book on Linux Firewalls. The author put it this way: "Let a firewall be a firewall".
This gateway computer doesn't need to be a powerful machine. If you have an old computer gathering dust because it is outdated, you could dust it off and use it for the firewall.
I'm not sure I understood your last question.
"So if I use iptables as firewall it's correct and just one more opinion"
The iptables command is how the netfilter firewall inside the Linux kernel is configured. If you use a GUI interface, it isn't a separate firewall. It is an interface for creating these iptables commands. It will probably create a script containing iptables commands which is run when the computer boots up.
The iptables commands may create rules that affect only one interface. Maybe that is what you were getting at. Actually, most firewall setups will configure the firewall to deny everything by default, and then add rules to open up particular ports.
Some people will also configure a proxy server for certain services that can dig inside the packets of a particular protocol. This is sometimes referred to as an application firewall. The regular firewall does track the state of connections and can use plugins to handle particular applications, but generally it is best at what it is designed to do.
It may be best to first see if your distro has its own firewall configuration wizard and use it until you understand iptables and the internet protocols enough to roll your own. On SuSE for example, the firewall wizard uses 3 zones. Outside, Inside & DMZ. It defaults to enabling everything on the inside and walling off connections from the inside. The DMZ zone is the default zone for a public server. If you were running a web server for example, you would open up port 80 and forward it to the DMZ interface. You could even add more zones if you wanted to.
If you simply want to connect your regular desktop to the DSL modem and share the network connection, then you wouldn't assign any interface to the DMZ zone and would close all ports on the internet side (the DSL modem) and open up ports that you need on the LAN interface. You should be able to do all of this from your distro's configuration utilities. You do need to run a dhcp server as well (for the LAN). You probably have a configuration wizard for that as well.
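The netfilter side that the replies above describe (masquerading on the WAN NIC plus a deny-by-default firewall), as an added example that is not the thread's own script; it assumes eth0 as WAN and eth1 as LAN on 192.168.0.0/24, and emits iptables-restore input rather than running iptables directly:

```shell
#!/bin/sh
# Added example, not the thread's own script. Assumed NICs: eth0 = WAN,
# eth1 = LAN (192.168.0.0/24). Emits an iptables-restore ruleset that
# masquerades the LAN and denies everything else by default, as advised above.
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.0.0/24

# Load as root with:  gen_ruleset | iptables-restore
# (put the same command in a boot script so it survives a reboot).
gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite LAN sources to the WAN address; MASQUERADE copes with a DHCP-assigned WAN IP
-A POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -j MASQUERADE
COMMIT
*filter
# Default deny on INPUT and FORWARD: a public IP gets scanned, so open ports explicitly
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Services the gateway offers, and only on the LAN side: DHCP, plus SSH for admin
-A INPUT -i ${LAN_IF} -p udp --dport 67 -j ACCEPT
-A INPUT -i ${LAN_IF} -p tcp --dport 22 -j ACCEPT
# LAN -> Internet may open connections; Internet -> LAN only as replies
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -j ACCEPT
-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Routing between the NICs stays off until this sysctl is set; append it to /etc/sysctl.conf.
gen_sysctl() {
    printf 'net.ipv4.ip_forward = 1\n'
}

# Self-check: no rule may let new connections from the WAN reach the gateway itself.
wan_input_accepts() {
    gen_ruleset | grep -c -- "-A INPUT -i ${WAN_IF} .*-j ACCEPT" || true
}
```

`wan_input_accepts` should print 0; if you later add a rule for a public service, it is the line to re-run before loading the ruleset.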
First off let me say this. I'm 21 and know the most about computers in my family. I'm in college but not in the computer/programming type. So I know the basics of what the norm or basics is. I know how to turn a computer on and if everything works well I can do a few programs. But mainly I use it for the internet and to play Xbox Live, or type term papers.
My problem is this and I don't know how to type it as most other people do in this community. I wanted to hook up my Xbox 360 to the internet so I may play online. So I bought a Linksys router, model BEFSR41. It's an EtherFast cable/DSL router. I'm guessing that it's a pretty basic router. I have a cable modem. That's about all I know about it. I did the setup CD for it, and when it starts doing the system configurations it tells me that the router could not access the internet. I went to the router's IP address with a friend of mine who is just a wee little bit smarter about computers than I, and somehow we got it to where I could access the internet and play Xbox Live. Everything was fine. Then after a week everything went to shit. My modem was saying that it was on and the receiving light was blinking. I could not access the internet or play online on my Xbox. I have no idea what to do or what's wrong. Can anyone help me at all? If you need information about something I could tell you, if that would help you come up with an answer for me.
Thanks for the help given. I've tried to work with the IP Masquerade HOWTO and I have a slight difference.
When I execute this command
I've got the following 2.6.22-14-server, probably it's the version of kernel.
I've tried to walk a little bit but I've some problems like this.
When executing this command
Although when I execute the other two commands
I couldn't find the above files.
But the problems still persist
When executing this one
ls /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/
ip_conntrack.o = doesn't even appear
ip_conntrack_ftp.o = doesn't even appear
ip_conntrack_irc.o = doesn't even appear
ip_nat_ftp.o = nf_nat_ftp.ko -> Couldn't it mean the same thing?
ip_nat_irc.o = nf_nat_irc.ko -> Couldn't it mean the same thing?
ip_tables.o = ip_tables.ko
ipt_MASQUERADE.o = ipt_MASQUERADE.ko
iptable_nat.o = iptable_nat.ko
iptable_mangle.o = arpt_mangle.ko -> Couldn't it mean the same thing?
iptable_filter.o = iptable_filter.ko
And some optional ones like:
ipchains.o = doesn't even appear
ipt_REJECT.o = ipt_REJECT.ko
and ipt_tcpmss.o = doesn't even appear
Probably the slight difference could be due to the version of the kernel, so the question is: is it better to have kernel 2.4 and then recompile kernel 2.6?
Recently, the modules were changed. There isn't an ip_conntrack module anymore. It is nf_conntrack now. Also, a 2.6 kernel will use iptables and not ipchains.
What ports does the XBOX use? Since you are using a Cable/DSL router, it does the masquerading (NAT) for you. You don't need to set that up in Linux. Simply connect the XBox to the router and have the ports it needs forwarded to the XBox.
One thing you might try, if you can't find out which ports the Xbox uses, is to A) disconnect the WAN input on the router, B) enable UPnP on the router, C) make a note of which ports UPnP opened, D) disable UPnP and manually forward the ports you need, E) reconnect the router to the internet.
Also check the cables. A bad cable, or connector could also be the problem.