LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices

Reply
 
Search this Thread
Old 05-09-2009, 01:36 AM   #1
joebpa
LQ Newbie
 
Registered: Feb 2007
Posts: 8

Rep: Reputation: 0
Lightbulb What is the BEST way to make Debian my middleman


OK, I am a Windows Guru making the switch to Debian.
My system will be running Classrooms of about 30 PC's. Due to adminstration requirements there will be one Linux per classroom.
I have one NIC w/Static IP assigned by the college > eth0
I have a second NIC (eth1) that connects my switch & all PC's on my LAN.

I want the Debian to run everything DHCP, DNS, Squid, Firewall, or any other products needed. It may also handle SNMP traffic.

The questions is will I be required to have all these products/services, and how do I set the ones I do need up? Installing was a snap and network is running except for internet traffic from the LAN.

Desires:
Monitor all web traffic
Assign IP's to LAN
Block web traffic outbound
Block bad traffic inbound from ISP
Allow all internet traffic to pass from LAN to WAN while being watched and possibly blocked
LAN traffic stays on LAN side

So the general plan is to have the box being the middleman for anything and everything.

I am not sure if I will need all of these or maybe I need something else IP routes, run it as a router, or something I haven't heard of yet. I still don't know everything Linux can do yet.

So learn me oh wise ones. I am luke and you are OB1. Show me the path!!

If there is something you know I don't need to use please advise me.
Joe
MSM/MIS/MBA A+ Semper Fi

I will most likely switch my home network to follow this similar path once determined.
Thanks in advance
 
Old 05-09-2009, 02:45 AM   #2
sarin
Member
 
Registered: May 2001
Location: India, Kerala, Thrissur
Distribution: FC 7-10
Posts: 354
Blog Entries: 2

Rep: Reputation: 34
Hmm... Don't know if I got your question correctly

You need...

Quote:
Monitor all web traffic
Block web traffic outbound
1. A proxy with lot of access control stuff. Look at squid.

Quote:
Assign IP's to LAN
3. You need a DHCP server. Debian should have one. Fedora has a server from https://www.isc.org/software/dhcp

Quote:
Monitor all web traffic
Block web traffic outbound
Block bad traffic inbound from ISP
Allow all internet traffic to pass from LAN to WAN while being watched and possibly blocked
LAN traffic stays on LAN side
2. You need to configure a set of firewall rules. Look at iptables and firestarter

Well, most of it should be part of any default distribution. However, you will need some experience for configuring.

Last edited by sarin; 05-09-2009 at 02:46 AM. Reason: Corrected bad formatting
 
Old 05-09-2009, 03:54 AM   #3
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Nagpur, India
Distribution: Cent OS 5/6, Ubuntu Server 10.04
Posts: 4,627

Rep: Reputation: Disabled
Most of the possible needs and packages that you would require to get your debain upto the task is to your knowledge.
What you require, as I understand, is the help to configure your debian for the task. If you have experience on Windows and are no computer noob then it would not take much time for you to learn new things, though many of members here will disagree with me.
What you need for your task is already given in the previous post.
If administration is what you are looking for then you should look at webmin. It would not be much of installation headache if you have internet at debian box.

sudo apt-get install webmin
should do it for you.
It is a complete administration tool that you run from a web browser and most of the tabs are self explanatory.
 
Old 05-10-2009, 02:17 AM   #4
joebpa
LQ Newbie
 
Registered: Feb 2007
Posts: 8

Original Poster
Rep: Reputation: 0
sounds good so far.

Ok so unless someone knows of another way it looks as if I will need
DHCP - to handle giving out my IP's on the LAN side.
Do I have to use DNS?
Can I get away with using a router/gateway to ensure I have Internet access from the LAN side.
IF the Squid is capable, can I just use the Squid to forward any internet requests out my eth0 (WAN) If this is possible then I don't see a need for DNS.
I still think I will need the Firewall, because I don't believe Squid can filter/block to the extent I desire.

linuxlover.chaitanya = Thanks for your response, The webmin software installed after I updated my broken packages. I originally had 1.290 and that installed ok, but when I found 1.470 it required additional packages. I resolved that and it installed without issues. It does seem to be a great tool for management.
Is there a way to access webmin remotely? I would like to be able to access it from home/work/where ever i am?
Joe
Yes you were right i have been running windows networks since mid 1990's. I am familiar with many aspects of domains/IP/routing/dns. etc. just not on a linux level.
Thank god for standards.
 
Old 05-10-2009, 03:23 AM   #5
baig
Member
 
Registered: Nov 2008
Location: وادی ھنزہ
Distribution: Solaris 5.10, Debian Server 5.2, CentOS 5.6
Posts: 226
Blog Entries: 3

Rep: Reputation: 38
Hi,

As you said you are new to Linux and you need to configure a firewall. I think this link would help you generating a firewall script according to your needs.
Code:
http://easyfwgen.morizot.net/gen/
Cheers!!
 
Old 05-10-2009, 06:59 AM   #6
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,901

Rep: Reputation: 775Reputation: 775Reputation: 775Reputation: 775Reputation: 775Reputation: 775Reputation: 775
Quote:
Originally Posted by joebpa View Post

I want the Debian to run everything DHCP, DNS, Squid, Firewall, or any other products needed. It may also handle SNMP traffic.
and

Quote:
Do I have to use DNS?
In your earlier post it seemed as if you knew that you needed DNS, but now it seems like an open question. You might, technically, need DNS or it might just make life easier for you, so it may not be enough to know that you don't need it.

If you are running an externally adressable website on on of these network segments, then you will need dns (but, equally, that's not the same as needing a dns server). This is normally a very, very bad idea, so I'm hoping this isn't the case.

If the classroom computers need to access a number of different servers, and accessing these servers by name is a convenience, then there may be a case for running DNS internally. You say nothing that makes this seem to be the case, so from the information so far, so it is quite possible that you don't need this.

(Note, that even if you do need DNS, this isn't the same as saying that you need BIND. There are servers that can do both DNS and DHCP and are simpler to configure than BIND, so there reasons to consider other servers.)

Quote:
Monitor all web traffic
You can get a certain amount of monitoring from squid and associated utilities. Whether this does what you want is another matter; if you want to tie web pages back to a user, there are a certain number of stages to go through. You'd probably know which IP address that was, but that's an IP you may have given out dynamically, so that doesn't even tell you which workstation that was, and even if that was tied to a workstation, you may not know which user was logged in at the time.

But if you merely wanted to know that someone in the class had tried to access a 'bad' website, that would much easier.

So can you define exactly what you want?

Quote:
Block web traffic outbound
You don't seem to mean 'block all http/https accesses from internal computers', so what do you mean?
Quote:
Block bad traffic inbound from ISP
If you can define an iptables rule for it, you can decide how to deal with it. If, however, you know that its bad traffic, you should be trying to drop the packets at the perimeter of your network, not at a point well inside (or, you could argue, trying to do both is safer, but then it might be more difficut to administer...).

Quote:
So learn me oh wise ones. I am luke and you are OB1. Show me the path!!
Well, I don't have that many wrinkles...yet. The first tip is that one thing that determines how good the answers are that you get is how good the questions are that you ask.

I'm sure that you can do something very like the thing that you have described, but your description was hardly a system specification, and some of the descriptions were capable of more than one interpretation.
 
Old 05-11-2009, 12:23 AM   #7
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Nagpur, India
Distribution: Cent OS 5/6, Ubuntu Server 10.04
Posts: 4,627

Rep: Reputation: Disabled
Quote:
Originally Posted by joebpa View Post
Ok so unless someone knows of another way it looks as if I will need
DHCP - to handle giving out my IP's on the LAN side.
If you think you do not want to give static ip addresses, you will need DHCP server running. But if you give static ip addresses you may have more control over your network if you do not want all the machines to have similar access to the network.

Quote:
Originally Posted by joebpa View Post
Do I have to use DNS?
Can I get away with using a router/gateway to ensure I have Internet access from the LAN side.
IF the Squid is capable, can I just use the Squid to forward any internet requests out my eth0 (WAN) If this is possible then I don't see a need for DNS.
I still think I will need the Firewall, because I don't believe Squid can filter/block to the extent I desire.
I think squid can do a good amount of url filtering and putting up dansguardian will give you a lot of control over the content of the web traffic. You will and should need a firewall even if you are running squid for brute force attacks.
You should not need dns if you have a router/modem and if your isp has given you one. If you still want to put your own dns to keep isp dns away from users, then you can configure your dns to forward all the queries to your isp dns.
Quote:
Originally Posted by joebpa View Post
Is there a way to access webmin remotely? I would like to be able to access it from home/work/where ever i am?
You can access webmin remotely. You should consider configure webmin to know which requests to allow and from which ip addresses. And then you can use it remotely like
http://ipaddress:10000
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
make Xconfig doesn't work, make menuconfig does work Debian/KDE bucovaina78 Linux - Kernel 1 10-15-2008 01:26 PM
LXer: Ettercap Automates the Malicious Middleman LXer Syndicated Linux News 0 02-02-2008 12:10 AM
is it legitimate and allowed and can be done to make another user account set uid and gid to null 0 to make another root account with different name and possibly not damage the debian system creating and using that new account BenJoBoy Linux - Newbie 12 01-29-2006 10:02 AM
Anyone using Middleman Flibble Linux - Software 0 06-16-2003 01:43 AM


All times are GMT -5. The time now is 01:30 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration