Site Navigation:       Home       Page1       Page2       Page3       Page4       Page5       Do more       Word of Mouth       Donate

 

 

Page 5 of 5:

 

Advanced.

 

If youíre choosing to go on, welcome to the advanced section.

 

First we are going to setup rssh  (restricted ssh)

 

Iím not going to spend too much time on this one. We are going to move pretty fast through this one, as many of its uses

are far more complicated than some of the software solutions that exists today.

  

SSH is awesome, but it gives the users access to way too much.

rssh gives you basic SSH functionality, with the ability to pick and choose what access to give them

 

apt-get install rssh

After the install completes, edit the file   /etc/rssh.conf

 

You should see something like this, make the following changes

 

 

Comment everything out except allowscp

 

And change the umask to 777

 

 

  

Then click save and close

  

Thatís probably throwing up some red flags to you. 777 means full access right?

In file permissions it does, umask is the opposite. Setting the umask to 777 will result in the exact opposite file permissions 000

 

As you can tell, we are really locking down this user. To the point of paranoia.

 

With file permissions of 000, only root will be able to see these files. Thatís because we are going to use this user, in a batch file, to remotely backup

files from a Windows PC. His password will be in plain text in said batch file, and could be compromised.

So we want to make sure, even if the password fell into the wrong hands, that they couldnít do anything with it.

 

Next letís create an rssh user, named        backupbot

 

Navigate to the Users and Groups module, and click on Create a new user

 

Now when you make a new user, rssh is available as a shell you can choose from for newly created users.

 

If you donít see it in the drop down menu, just choose    other    and browser to     /usr/bin/rssh

 

See below, this user I created, I put in shell           /usr/bin/rssh

 

Select normal password, give this user a password

 

  

 

And, you want to make sure you donít select to make him in other modules.

 

This user is going to be an rssh user only

 

 

 

 

Now for the next level of paranoia. Navigate to user backupbot home directory, and set the following permissions.

 

 

 

 

 

 

With these permissions, that user wonít even be able to see the files they upload. This is because if someone finds this password in your batch file, you donít want them browsing the home directory.

 

 

Thatís some pretty extreme lock down we just did. You can take it even further with chroot in rssh, and use it to jail the user inside a directory. And you can use the file permissions to inherit a group that doesnít exist, or doesnít have a user in it. Iím not going to go too much into the rest of this setup, but here are some hints if youíre interested in pursuing it.

 

 

You could go to Puttys website      

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

 

 

And download the following tools

 

PSCP.exe

 

and

 

PLINK.exe

 

These are rock solid secure, just like Putty is

 

You could use a command like this one, using a combination of PSCP and WinRar ( http://rarlabs.com )to do offsite backups of Windows PCs over a secure connection.

 

===================================================================================== 

rem  start batch file

 

cd %userprofile%

 

taskkill /f /im OUTLOOK.EXE

 

"c:\program files\winrar\rar.exe" a -agHH-MM-SS--MMM-DD-YYYY %computername%_My_Docs_Folder_Win2K_XP "my documents"

 

"c:\program files\winrar\rar.exe" a -agHH-MM-SS--MMM-DD-YYYY %computername%_Docs_Folder_WinVista_7 "documents"

 

%temp%\pscp.exe -4 -2 -P 22 -l backupbot -pw abc123 *.rar backupbot@kevin.gotdns.org:

 

exit

rem  end batch file

======================================================================================

 

 

This command closes Outlook if itís running, and then compresses the users my documents folder into a single file, then uploads it.

 

It will name the backup file the same name as the userís computer, and tell you if itís Windows 2000\XP, or Vista\7 and add the date.

 

 

As you can see the password abc123 is exposed, thatís why the permissions have to be so tight.

 

================================================================== 

rem  start batch file

  

%temp%\pscp.exe -4 -2 -P 22 -l backupbot -pw abc123 *.rar backupbot@kevin.gotdns.org:

 

rem  end batch file

==================================================================

  

But even if it fell into the wrong hands, there isnít much of anything they could do with it.

 

Of course a disk space quota is important for any user, always set disk space quotas to prevent abuse.

 

 

Also this will be an outgoing request from your users PCs, so you donít have to worry about a firewall configuration on the users end at all.

 

Thatís PSCP 

 

Next is PLINK

 

PLINK is a really cool SSH tunneling tool. You can secure almost anything you want to do, because you can wrap the entire communication up in an SSH tunnel, much like a VPN connection. Everything you do on the port you specified for the tunnel, will be secured by SSH. And this will be also be an outgoing request from your users PCs, so you donít have to worry about a firewall configuration at all.

 

For PLINK you could do something like this

 

====================================================================== 

rem start batch file

 

%temp%\plink.exe -ssh -4 -P 22 -l backupbot -pw abc123 -R 5900:localhost:5900 kevin.gotdns.org

 

rem end batch file

======================================================================

 

 

This would create an awesomely secure tunnel form your users PCs to yours. Port 5900 is VNC, so when you launch VNC from your network, then you can remote the Windows PC user over that tunnel, with no firewall config needed on the users side.

 

 

But I donít want to spend too much time on those because there are easier alternatives.

 

If youíre looking to remote a user, just use Logme.IN software at http://logme.in or TeamViewer at http://www.teamviewer.com  both work very very well. These are free for personal use and mostly web based, there is no configuration needed on either side. You can login without the need for an account, and all traffic is outbound, so again, no firewall worries. My favorite one is TeamViewer.

 

If youíre looking to do offsite backups of user files. You should use something like Cobian backup, over your LAN to a local Linux box running Samba. And then have that Linux box use the Webmin Filesystem Backup module to schedule offsite backups to another Linux box over SSH. Or something like RSYNC or jailed SFTP or SSHFS. Or even easier just use Carbonite, they do all the work for you. http://carbonite.com

 

But itís good to have the knowledge above, and I mostly talk about it so you know to not pick SSH when giving someone else an account to your Linux box. SSH by default lets them change directory to wherever they want. And without jailing knowledge, your files are way too exposed. So think this rssh = SSH for users besides yourself.

 

Thatís about it for those.

 

 

letís stop for a second and talk about virtualization and encryption.

 

Virtualization

 

As of the original writing of the webpage \ how-to. VMWare server was the best virtualization server solution around. Now days, if youíre planning a VMWare server or Hypervisor there are many more options, and in my opinion, better options.

 

For this reason my VMWare server guide has been archived Here Its no longer recommended, i would recommend This

 

 

File encryption.

 

In the same way that local backups pale in comparison to offsite backups. File encryption pales to Filesystem encryption. We are talking about this now because you are in the Advanced how-to.

 

If you canít lock the door where this Linux box is. If you canít setup a $20 webcam too watch for people trying to steal your Linux box. If youíve got enemies at the FBIÖ :- )

Then you would want to setup complete Filesystem encryption. Anything less than encryption at the Filesystem level is un-acceptable. This is really easy to setup. Start this how-to all over again, and on page 12, choose LVM encryption.

 

Thatís it, except for the format taking a couple days (literally) your computer will boot up and ask for a password before mounting the drives, without the correct password, itís as if the data doesnít exist. Iíve tried to break it, leaving just one letter off the right password. No go, itís so very strong. Itís the only one worth doing. I prefer to only use it on laptops, it can make data rescue a pain in the butt. And I have a fat pad-lock on every one of my servers, so as far as what I practice, I only do this on laptops and servers Iím solely responsible for.

 

But once you chose LVM encryption, the kernel will be built correctly during setup, and you can then tweak it via Webmin under the

Hardware \ Local Volume Management module (LVM)

Make sure your first Linux experience isnít with encryption. It can make disaster recovery a pain, and remote reboots arenít really going to work for you, as youíre prompted for a password to reboot. A couple Google searches will teach you how to hardcode that password in, but hopefully you see that flaw in that. I prefer to not hide the key next to the lock :- )

 

If this is your first Linux experience, hold off until your third or fourth time before you dive into that. But itís amazing, and worth the effort.

 

 

 

Ok, we have come to the final part of our how-to. The next steps deal with setting up your Linux box as a router and then optionally, a local DDNS server. Setting up your Linux box as a router means anytime you want to reboot or trouble-shoot. Your users will have no internet access. So make sure this is something you really want to do.

 

And I say DDNS not DNS because it (D)ynamically updates your local DNS records via your DHCP clients. Basically your DHCP clients will all get DNS entries automatically, when they get their DHCP leases, very cool stuff. Extremely useful on a large network, but can be a little overkill on a small one. I have a problem where I memorize IP address, because I am weird like that, and wind up never using the DNS name. But your users will never remember IP address, thatís when it becomes necessary, and the flexibility of name control on your network is nice.

 

 

Ok, truth is your about to build a very powerful router. So letís do this. Warning!!! These next steps will disconnect you from the internet for a very long period of time. You might want to finishes reading the how-to before moving on.

 

 

Warning, if you have ADSL, DSL, PPOE and or an All-In-One Modem\Gateway\Router, you may not want to continue.

 

This how-to was written mostly for Cable internet users, and or small business users on a LAN wishing to create a sub network \ private network.

 

Even Cable internet users, if you have All-In-One Modem\Gateway\Router, you may not want to continue.

 

The reasons ADSL, DSL, and or an All-In-One Modem\Gateway\Router users may not want to continue is, this how-to walks you through setting up your computer as a drop in replacement for your router. But if your router is an all-in-one solution, you canít really remove it from your network, as the modem still needs to do its function in order to get you out to the internet. You could disable the routing feature of the all-in-one, but it would still be powered on and using electricity, and sitting next to a computer doing the same exact function.

 

And even if you decided to disable those features and continue on, most ADSL and DSL modems use proprietary instructions written in their firmware that wonít let you back out to the internet without passing through its NAT first, so disabling that function would unfortunately break your internet connection.

 

So long story short, only continue if you have a setup, where the modem is a piece of hardware all by itself, (this is usually only cable subscribers, as in cable TV or coax cable modem) and or a internet source with a public IP address without PPOE, and or youíre on a small business network and your wanting to create a sub network behind your current network.

 

 

You will also need a second network card to continue. You will later be installing this into your Linux server.

 

You will need to set a couple Static IP addresses, as you are going to be without DHCP for awhile.

 

If your Linux server is still DHCP, you must change it to static. Also if youíre still using a static IP address

of 192.168.2.111 (x.x.x.111) or 192.168.2.174 (x.x.x.174) You should change it to 192.168.2.1 (x.x.x.1) before continuing.

It is good practice to have your router and gateway be      x.x.x.1    basically the first IP address of your scheme. Youíre about

to turn this box into a router \ gateway, so change the IP address if you havenít already. You can refer to pages 48 and 49 if you

forgot how to make this change. And reboot to make the change affective.

 

 

You will need to temporarily set your Windows PC to use a static IP address, within your same IP scheme. Iím going to use IP address 192.168.2.9 on my Windows PC. There are some screen shots on the next page on how to do this. Donít move on until you have figured out how to give you Windows PC a static IP address within your same IP scheme.

  

If you right-click on the network card (Local Area Connection) on your Windows PC, and go to properties, we can walk through how to set that up.

 

You should see something like this

 

 

 

 

 

 

Right-click on it and go to Properties

 

 

You should see something like this

 

 

 

Click-on    Internet Protocol TCP\IP        and then click Properties

*Note, if your screen shows IPv4 and IPv6, choose IPv4

You should see something like this, make the following changes and click   OK

 

 

If these numbers look French to you, refer to earlier pages for an IP scheme refresher.

Click OK again, as many times as it takes to get out of those screens, and then reboot your Windows PC.

At this point, if youíre using my same numbering scheme, you should have a Windows PC with a static IP address of 192.168.2.9

 

And a Linux server, with one NIC, with a static IP address of 192.168.2.1

 

 

 

For now on we will be referring to your original Network card (eth0) as    eth_safe        that is the one with IP address 192.168.2.1

 

And the new NIC, the second one (eth1) as    eth_bad     thatís jumping a little ahead, as we havenít even installed it yet, its just important you grasp this before moving on.

 

eth_safe will be the LAN side of your network, and eth_bad will be your WAN side of your network.

 

  

Before moving on, make sure you can still get to Webmin from your Windows PC.

Webmin should now be at      https://192.168.2.1:10000         if youíre following my numbering scheme.

*If you just recently changed the IP address, Webmin will take an extra long to load the first time you open it, just give it a minute.

 

We need to stop the Firewall from loading at startup on your Linux server. The configuration of it is no longer valid now that you want to do routing. Navigate to the Linux Firewall module, and stop it from loading at startup.

 

  

You should see something like this

 

 

 

 

Change   Active at boot   to     No

Then click the   Active at boot    button to make it stick, then click the   Apply Configuration    button

 

Reboot your Linux server, you should have no active firewall at this point.

 

Using putty, paste in the following command and hit enter. apt-get install bind9 dhcp3-server

 

Reboot your Linux server

 

Triple check that your firewall is still down by logging back into Webmin and Navigating back to the Firewall Module, and make sure that button still says No.

 

 

Power off your current router (example: Linksys) and remove it from your network. Note, this assumes you have a switch you will be using instead. If not, you can still use the 4 LAN ports on your old Linksys router. And re-introduce it back into your network as a switch. As long as you donít ever plug anything into the WAN port of the Linksys router ever again. Put a piece of tape over it if you have to, and never use it again. (Some router models call it an uplink port)

 

Never use the Uplink port or WAN port on the Linksys router ever again, this will cause it to act just like a switch. If it has wireless capabilities thatís ok, later I will show you how to make that work with your new setup.

 

  

Removing your Linksys router from your network, and or using it as a switch instead of a router can be kind of hard to picture the first time you do it. So I drew you a few pictures. This first one would be an example of salvaging your current wireless router.

 

 

 

 

 

 

This second view would be if you ditched your Linksys router all together, and just used an actual switch.

 

 

 

 

 

 

This third view would be if you used both a switch and a wireless router (AKA wireless access point)

 

 

 

 

 

Decide which picture best describes what you want to do, and then shut off the Linux box.

 

After powering off your Linux box, install the second network card inside the computer, but do not plug the cable in yet!

 

AgainÖ do not plug the cable in ! Only your original network card you started this how-to with should have a cable going into it. Keep the cable coming from your ISP out of the picture for now, it should be sitting there not plugged into anything.

 

Once you have the NIC properly installed, power on the Linux box.

 

Once we configure it, the new NIC will then be known to the system as   eth1   and known to us as eth_bad

 

Visually you will know it as your WAN port, but we will continue to refer to that as eth_bad.

 

It just helps in visualizing whatís going on, as this will be the NIC eventually connected to the big bad internet, via your Cable\DSL modem.

 

eth0, or our trusted NIC, the one plugged into your switch will be referred to as eth_safe. Just for clarification, Iím calling your old Linksys router with a piece of tape over the old WAN port, a switch.

 

 

Later in the how-to, when we setup our firewall rules, we will trust everything from eth_safe, so itís important to stop here if you donít understand that. You have 2 NICs now, one is eventually going to be plugged into the Cable or DSL modem, thatís eth_bad. And again, it should not have a cable plugged into it right now.

 

If later you get confused, eth_safe should have a static \ private IP address, and eth_bad should have a DHCP IP address it obtained from outside this network, better known as a Public Address. If that doesnít make sense to you, donít continue the how-to until it does. Or maybe keep reading without doing, a wrong choice here could expose your network to the outside world.

 

If your Linux box has internet access right now, stop! You have done something wrong.

  

Next we are going to configure  eth_bad  (eth1)

 

 

 Using the Webmin File Manager module, navigate to and edit file

 

/etc/network/interfaces

 

Go ahead and enter the following info, or copy \ paste. 

 

allow-hotplug eth1

iface eth1 inet dhcp

 

 

 

You can Ignore that up /sbin/ifconfig  part for now

 

Also enter anything you might be missing for eth0.  Once everything looks good, click on Save and Close

 

 

Hopefully you wonít need that ď/up/sbin mtuĒ line, we will talk about that later

 

Reboot your Linux box to activate that new NIC

 

You canít really test all that speed, duplex, and MTU stuff until you have a cable plugged in. So we will have to come back to that later. Donít plug the cable in yet, just remind yourself later to check that out. Like you did on earlier in this how-to, use a combination of ifconfig, mii-tool and ethtool to make sure you have the right speed, duplex, and MTU settings. These problems are rare, but nasty.

 

In that last print screen you could see I had a problem with the MTU on this NIC and had to force it. Hopefully you wonít have that problem, I rarely see it. But if you do, just Google search the right MTU settings for your ISP. Cable modems and LAN are almost always 1500 MTU, some DSL connections I have seen are 1400+ MTU. Docsis 2.0 = 10\100, Docsis 3.0 = 10\100\1000. A Google search should show the right setting for your situation. Try Google first, most people at your ISP customer support center wonít know what you are talking about :- )

 

 

We are now going to change a setting that is going to allow packet forwarding between to two NICs. This is reason we have done so many overkill security settings, because after you make this change eth_bad with be able to forward packets to eth_safe and vice versa

 

 

Navigate the File Manager module, and edit file

 

 

/etc/sysctl.conf

 

 

Add or un-comment the following line

 

net.ipv4.ip_forward=1

 

 

 

 

Now is a good time to reboot, This reboot will enable packet forwarding between the two NICs

 

You computer may take a long time to start up, as its searching for DHCP on eth_bad, but there is no cable plugged in yet, just wait a few  more minutes than usual, it will come up. Do not plug in the cable yet.

 

Next we are going to setup the DHCP server, it will hand out DHCP IP addresses to your internal network, originating from eth_safe (eth0) and feeding addresses to anything behind it (your switch)

 

 

You already have the DHCP server installed, we just have to tell it which NIC to use and enable it. Navigate to the DHCP Sever module, and click on    Edit Network Interface

 

 

 

 

 

 

 

 

You should see something like this

 

 

 

 

 

 

Choose (eth_safe) eth0 and click save

 

 

You should be returned to the main DHCP screen, click on Add a new Subnet

 

 

 

 

 

 

You should see something like this, make the following changes

 

Subnet description Ė Make something up
Network address - 192.168.2.0
Netmask - 255.255.255.0
Address range Ė 192.168.2.50  - 192.168.2.99

 

 

 

 

 

 

 

Leave all the other options alone and click   Create Now   and or   Save   depending on what your screen looks like.

 

 

Now a new icon should have appeared on the main DHCP server page underneath Subnets, called 192.168.2.0. Click this icon, you will be returned to a screen similar to the one you just left except it has some new buttons at the bottom. Click the one that says "Edit Client Options".

 

Make the following changes

 

 

 

Subnet mask - 255.255.255.0
Default routers - 192.168.2.1
Broadcast address - 192.168.2.255
DNS servers - 192.168.2.1

 

 

 

You will have to hit save twice, here and the next screen.

 

 

You should be returned to the main DHCP screen, where you can start the DHCP server

 

 

 

 

You now have a fully functioning DHCP server. You should be able to release the IP address on your Windows PC, and get a new one handed out from your Linux box.

 

If you donít know how to release your IP, just reboot your Windows PC, that will do it to.

*If youíre using a static IP address on your Windows PC, you would have to switch it to DHCP to see the fruits of your labor.

 

 

At this point you have your Windows PC plugged into your switch, and your switch plugged into eth_safe

 

  

If your wireless there are a couple setting changes you to need make on the old wireless router

(Wireless switch \ Wireless access point)

 

You should be able to access the wireless routers admin webpage using your Windows PC and cable going into one of its LAN ports.

Login and make the following changes.

 

-Disable its Built-in DHCP server

 

-Change its routing function from a Gateway to Router (not all models have this feature, if not, just leave it at Gateway)

 

-Disable its Built-in Firewall

 

-And optionally you can delete all your Port-Forwarding, NAT, DDNS, and any other custom settings on your old router, as they are no longer functioning in this scenario. All that will be handled by your Linux server from now on, so these settings are not longer doing anything for you.

 

You can then use the 4 LAN ports just like a switch, never using the WAN port again.

(the WAN port is usually 10\100, so you may have just removed a future bottle-neck in your network)

 

 

And voila, now you have a wireless router that is dumbed down to act like a wireless switch instead.

If you had to set a static IP address to talk to your Wireless router (aka wireless switch) donít forget to set yourself back to DHCP.

 

Whatís nice about this setup is you can now put that wireless router wherever you want in your house or building

(as long as there is wiring going to it)

 

Youíre no longer confined to have it next to your Cable \ DSL modem. Which is normally in some closet somewhere surrounded by lead and 4 foot thick walls :- )

 

Smart placement of your Wireless router is the key to good signal strength.

  

 

Next we need to destroy the current Firewall configuration so we can set it up the right way.

Even though itís not loading right now, it still has all the wrong settings in it.

 

 

Navigate to the Linux Firewall Module, and click the Reset Firewall button

 

 

 

 

 

You should then see a screen like this, make the following changes

 

 

 

 

 

 

 

Do Network Address Translation (nat) on eth_bad    (eth1)

 

 

If you see a checkbox about starting the Firewall at startup, make sure that is not checked.

Like before, we want a way back in if we mess something up

 

 

Once your screen matches mine, Click    Setup Firewall

 

 

 

You should see something like this

 

 

 

 

 

 

 

 

At the bottom of the screen change    Active at Boot     to    No

And press the          Active at boot     button

And then press the Apply Configuration button

 

We do eventually want it activate at boot, just not yet

 

Change the field at the top, next to the    Showing IPtable button

 

 

Click the drop down arrow and select      Packet Filtering  (filter)

 

 

 

 

 

Once you are sure you in the filter screen

Set the default action for   (Forward)   to drop

 

Then click the   Set Default Action To    button next to it

 

 

 

 

Do not click the Apply Configuration button, not yet anyway

 

 

 

Do the same thing for   (INPUT)

 

 

 

 

 

 

 

Do not click the Apply Configuration button, not yet anyway. However make sure you are clicking the Set Default Action button.

It wonít let you change those both at the same time, so double check that (FORWARD) and (INPUT) are set to     Drop

And double check that you have clicked the    Set Default Action To:    button for both

 

 

 

 

 

Double check that your screen looks like this

Do not hit Apply yet

 

ďIfĒ you accidently hit apply and have locked yourself out, just manually reboot the Linux box. We donít have these rules in startup yet, so a reboot will get you back in for now. Once we are sure it is working, we will finally put in startup.

Letís talk a brief second about the Firewall and the settings we are going to make.

 

The Linux firewall works with three IP tables:

 

MANGLE, PREROUTING and FILTER.

 

The actual firewall part is done with FILTER

 

 

In this configuration we are going to allow anything and everything on eth_safe (eth0) because that network card is internal, and is running from the Linux box, to a local switch inside your network. We are going to allow everything from (lo) the local loopback interface. We are going to block everything (with the exception of outgoing traffic) on eth_bad (eth1) as that network card is exposed to the internet, as it is running from the Linux box, to your high-speed modem or internet feed. The idea is for eth_bad to be a way out to the internet, not a way in, unless requested from behind the Firewall, or explicitly specified by you.

 

 

And any PortForwarding you might need is done in PREROUTING, and then passed to the FILTER (FORWARD). Thatís why later when we setup PortForwarding, we have to make sure we allow them in both places.

 

 

OK, Letís configure the Firewall

 

  

Here is a glance at rules we will be defining

 

INPUT

Accept if protocol is ICMP (This is optional, but recommended, very handy)


Accept if incoming interface is lo


Accept if incoming interface is eth_safe (eth0)


Accept if incoming interface is eth_bad (eth1)

and state of connection is ESTABLISHED,RELATED

FORWARD

Accept if incoming interface is eth_safe (eth0)

and outgoing interface is eth_bad (eth1)


Accept if incoming interface is eth_bad (eth1)

and outgoing interface is eth_safe (eth0)

and state of connection is ESTABLISHED,RELATED

  

 

To add these rules, click the   Add Rule    button, under INPUT

 

 

 

 

 

 

 

 

 

You should see something like this

Make the following changes for ICMP  (ping)

 

 

 

 

 

 

Then click Create

 

 

You should see something like this

 

 

 

 

 

 

 

 

Click the    Add Rule    button again

 

  

You should see something like this

 

Make the following changes for lo  (LoopBack)

 

 

 

 

Then click Create

 

 

 

Click the    Add Rule    button again

You should see something like this

 

Make the following changes for eth_safe  (eth0)

 

 

 

 

Then click Create

Click the    Add Rule    button again

 

 

You should see something like this

Make the following changes for eth_bad  (eth1)

 

 

 

 

You have to hold down the control button on your keyboard to select more than one item.

Select both Established and Related

 

 

 

 

 

Then click Create

 

  

 

You should now be seeing something like this

 

 

 

 

 

 

Now under the FORWARD section, click    Add Rule

 

 

You should see something like this

 

Make the following changes for forwards from eth_safe to eth_bad

 

 

 

Then click Create

 

 

Click the    Add Rule    button again , make sure your still under FORWARD

You should see something like this

 

Make the following changes for forwards from eth_bad to eth_safe

 

 

 

 

 

Then click Create

 

You should see something like this

 

 

 

 

 

 

Cross your fingers and click the    Apply Configuration   button

Did you disconnected from Webmin? Can you still click around on the other modules?

If you can, then congratulations, you did everything right.

 

If you got disconnected, and your sure your plugged into eth_safe, then you did something wrong, you can turn off the firewall by manually rebooting your computer.

 

 

If you didnít get disconnected then you are ready to put the Firewall in startup.

 

 

 

Navigate back to the Linux Firewall module, and change the Activate at Boot

to    yes     and click the    Activate at boot      button.

 

 

 

 

 

 

And then click Apply Configuration

 

It is now safe to plug your cable into eth_bad, now you should have two cables in the same machine.

 

The cable coming from your Cable\DSL modem, or your ISP \ internet connection, goes into eth_bad (eth1)

 

The cable from eth_safe (eth0) should be leading back to switch inside your private network.

 

Once you have both cables where they are supposed to be, reboot your Linux box.

 

 

After the Linux box reboots, use the Command Shell module to run

The ifconfig command

 

 

ifconfig

 

 

*Note, if there is just too much information on the screen for you after you run   ifconfig

You can instead runÖ 

 

ifconfig eth0

 

ifconfig eth1

 

etcÖ.

 

 

And only see the details for the NIC you specify after the command

 

 

 

You should see at least 3 network interfaces, you will have more than that if you did the VMware portion of this how-to

 

 

 

 

 

 

eth_bad (eth1)  should be getting a Public DHCP IP address from your ISP.

 

This IP address should look a little weird to you, and in most cases, shouldnít start with 192.168

 

Also, this is a good time to make sure the MTU, speed and duplexes are correct.

 

 

If youíre not getting a Public IP address for eth_bad (eth1) somethingís wrong.

It could be as simple as your ISP is doing MAC address restrictions, meaning they want you to call them every time you get a new router.

 

 

You can do that, call them and give them the MAC address for eth1

(also known as the hardware address)

 

Or you can clone your old routers MAC address, so eth1 acts like its MAC address is the same as your old router, then you donít have to call your ISP. Because they wonít know there was a change. But in most cases, you have to call your ISP and give them the MAC address for eth_bad

 

 

If you still want to try and clone your old routers MAC address, navigate to the File Manager module, and edit

The file          /etc/network/interfaces

 

 

 

  

Comment out the line that says allow-hotplug eth1

 

And replace it with these two lines

 

auto eth1

hwaddress ether xx:xx:xx:xx:xx:xx

 

Use your old routers WAN port MAC address in place of these numbers and or xís

 

 

 

This will force eth1 (eth_bad) to act like it has the MAC address you specified.

 

Save and Close

 

Reboot your Linux box

 

Do an ifconfig

 

And you should see that eth1 now has that MAC address you specified and has a public IP address.

At this point your server is configured as a working router/dns/dhcp server. It should work ok in this setup for everything you need it to do

 

The rules implement thus far create a very simple (yet powerful) firewall that allows absolutely nothing in from the outside world unless it is part of an established connection. It also assumes the internal network is completely trusted and allows unfettered access to the server and outside world from the internal network. This is the default setting for pretty much every NAT device ever.

At this point you are effectively finished. You can just leave your server as a simple router with no other rules at the point. It is very secure and will work fine for most purposes. If, however, you want to run publicly accessible servers, then we need to add some additional rules.

 

If the server youíre trying to get to is on this very same Linux box, then itís just an INPUT rule in the filter. For example, if you want to be able to SSH (Putty) into this Linux box from the outside world, that is INPUT rule, or exception to the firewall. That wouldnít involve PREROUTING or FORWARD at all.

 

Letís setup a port 22 Firewall Exception so you can SSH in from the outside world.

 

 

 

 

Navigate back to the Linux Firewall module, make sure youíre in the FILTER screen, and make a new rule underneath INPUT

 

 

 

 

 

 

 

You should see something like this, make the following changes

 

 

 

 

And then click Create

 

These are the easiest exceptions to make, as your explicitly allowing information coming into eth_bad (eth1) to not be dropped by the firewall. Thatís it for port 22, go ahead and make anymore you might need. Donít forget to make good use of the Clone Rule button inside each rule, it can make things much easier for you. Just Clone it, and change the port, and youíre done.

 

 

You should see something like this

 

 

 

 

 

 

Make anymore that you need, for example, if you clicked on  the port 22 exception, and cloned it, then change the port to 10000, you would then have a port 10000 exception for Webmin. And just keep cloning and changing the info until you have all that you need.

 

Then hit Apply Configuration

 

You should limit the number of direct INPUT rules you allow, as these open up ways into your router, whereas your router should be as invisible as possible. This is still secure, SSH (Putty) is pretty amazing stuff, and Webmin is https, just try to limit the number of holes you allow directly into the router like this.

 

A better way to get into your network and manage systems is to PortForward to another computer already inside your network, and execute commands from there.

 

For example, your Windows PC will accept Remote Desktop connections on port 3389.

 

So if you created a PortForwarding rule, the router can use the PREROUTING and FORWARD feature to redirect your connection to a computer inside your network, and once inside, youíre totally trusted by the Firewall, all without exposing the router itself.

 

Windows Remote Desktop also offers some high level encryption options, so-far we havenít made any Firewall exceptions that arenít highly encrypted, and thatís a beautiful thing.

 

Chance are, you will have more than one computer inside your network, that you want to access ports 3389 and port 22 on. Thatís not a problem, as you can forward an external number, to an internal number.

 

For example, we can make  PREROUTING and FORWARD rules that says

 

 

Anything coming in on port 25505, PortForward that to computer 192.168.2.5:3389

 

Anything coming in on port 25506, PortForward that to computer 192.168.2.6:3389

 

Anything coming in on port 25507, PortForward that to computer 192.168.2.7:3389

 

Anything coming in on port 25522, PortForward that to computer 192.168.2.8:22

 

 

Specifying 25522 for that last one

This leaves port 22 available for the INPUT rule we made earlier

 

Anything coming in on port 22, allow directly into the router

 

This way you can have a bunch of computers, using all the same ports internally, and just specify some meaningless high-port at the end of the hostname or Public IP address. Then tell the router what computer that is really supposed to go too.

 

These require a little bit more work on your part, as you have to specify them in two parts of the Linux Firewall module. One as a PREROUTING rule, and one as a FORWARD rule. But one you have one set done, you can use that Clone rule feature to complete the rest.

 

Navigate back to the Linux Firewall Module and this time make sure you are in the Network Address Translation table

 

 

Make sure you are in the PREROUTING section, and Click on   Add Rule

 

 

You should see something like this, make the following changes

 

 

 

 

 

Then click on Create

 

 

 

You should see something like this

 

 

 

 

 

Thatís one part of two, for the next part of that, Navigate to the Packet Filtering table.

 

You should see something like this

 

 

 

 

 

 

Make sure youíre in the FORWARD section, and then click Add Rule

 

 

 

You should see something like this, make the following changes

 

 

 

 

 

Then click the Create button

 

You should be returned to the main Firewall screen, where you can hit

Apply Configuration

 

 

 

What you just did was allow a PortForward to happen from the outside world, to a computer behind your firewall. And as long as you have encryption enabled in your remote desktop clients, you donít have too much you have to worry about.

 

 

Now external remote desktop requests like this

 

 

 

 

 

Will be forwarded to computer 192.168.2.5:3389

 

Inside your network

 

 

That first rule was kind of a lot of work to create.

 

But now you can use the Clone rule button, inside of each rule, to quickly and easily make more PortForwards.

 

 

Just donít forget to do it in both places when PortForwardingÖ

 

NAT \ POSTROUTING

 

And

 

FILTER \ FORWARD

 

 

As you can see from all those static numbers your entering, it would be a good idea if the computers inside your network had static IP address or DHCP reservations.

 

 

 

Setting up a DHCP reservation is the best choice. Navigate back to the DHCP Server module, and we will setup a DHCP reservation for a computer inside the network.

 

 

 

 

 

 

Make sure youíre underneath the Hosts and Host Groups field, and click on

Add a new host

 

 

 

You should see something like this, make the following changes

 

* Hardware address would be the MAC address of the computer inside your network, that you want to always have IP address 192.168.2.5

 

 

 

 

 

 

Click Save

 

 

 

You should see something like this

 

 

Hit Apply Changes

And restart the computer inside your network with that MAC address, and it will forever get the IP address of 192.168.2.5

 

 

Do this for any computer you have a firewall exception for.

 

Thatís about it for the firewall exceptions and PortForwarding.

 

You shouldnít have any problems with you Virtual Machines, as they run bridged off of eth_safe. But if you do, just add a couple rules for your VM nics, similar for what you did for lo and eth_safe

 

The VM nics are usually called something like VMnet1 and VMnet8, and should be available from the same drop down menus as everything else you just did. But I havenít had any issues so far in the bridged VM mode.

 

If you want to remotely access the VMware server from the outside world, you need to allow ports 8333 and 902.

 

If the VMware server and the router are the same computer, this is just a simple INPUT rule, similar to the one you made for port 22.

 

If the VMware server is on a different computer inside your LAN, and not on the router itself, you would need to setup four rules. Two PREROUTING rules (8333 and 902) and two FORWARD rule (8333 and 902)

 

As far as security goes, thatís a little more access than I want from the outside world, I donít want just anybody to be able to get to my VMware server webpage, so if youíre going to do this, you should take advantage of the source address option.

 

 

 

Source address is supported in all of the firewall rules.

 

By limiting a source address, you make something available to the outside world, but only if you have the right ďfromĒ  IP address.

 

See below I am allowing connections on port 8333

But only if the computer im at has IP address 204.69.xxx.xxx

 

 

 

 

 

 

Only thing to be aware of is itís got to be your public address. If youíre at work or on another network, your local IP address is probably not your Public IP address.

 

For example, when Iím at work, my computer gets a 10.10.xxx.xxx IP address. But my Public IP address is 204.69.xxx.xxx

 

So in my Firewall exception I would use the public address. And then port 8333 is only accessible from my work network. Granted itís anybody at my work place, as we all have the same public IP address, but youíve still eliminated most of the possible connection from the rest of the world.

 

 

 

If you donít know what your Public IP is. You can go to

http://whatismyip.com/

 

And a webpage will pop up and tell you.

 

And as far as the port 902. thatís for the VMware player. You should be doing most of your stuff through remote desktop, and not the VMware player. But sometimes you will need the player, so you will need port 902 open as well.

 

Earlier we made a port 22 exception, as a PortForward from 25522. you probably wonít need to do too many of these, not to SSH (Putty) connection anyway.

 

You can from within Putty, connect to as many other SSH computers as you like. Meaning if you SSH into your router, and youíre in a Putty window. You can simply type

 

ssh wood@192.168.2.5

 

Where wood is the username you want to use

 

And from within your current SSH connection to your router, it will connect you to computer 192.168.2.5 inside your private network, without a need to PortForward anything. And when you exit or logout of that session, youíre returned back to your SSH screen on your router. Pretty cool stuff.

 

 

Youíre almost done with the router setup.

 

 

If you were using a DDNS update client on your old router, to keep your hostname current, like this one, from Linksys

 

 

 

 

 

Youíre going to have to install the Linux equivalent (ddclient)

So that your hostname stays up to date

  

 

Launch a Putty session or navigate to the SSH2 module and

 

Type the following command

 

apt-get update

 

 

 

And then press the enter key on your keyboard

 

 

 

After that finishes

 

 

Type the following command

 

 

apt-get install ddclient

 

 

 

And then press the enter key on your keyboard

You should see something like this

 

 

 

 

Press the Enter key on your keyboard

 

 

You should see something like this, answer the on screen questions

 

 

 

 

You should see something like this, answer the on screen questions

 

*This is an example, enter your own information, and do not copy mine

 

 

 

 

 

 

 

 

 

Pay close attention to this next question

 

 

 

 

Make sure you enter eth_bad here, because you want it to update from your public IP interface, not your private interface.

 

So if you have been following this how-to word for word, then you would enter

eth1 in the box above.

 

 

Press the Enter key on your keyboard

 

 

 

You should then be returned to the command prompt

 

 

 

You can type exit and close Putty

 

Youíre not done with ddclient yet, there is three more configs you have to do.

 

 

Using the File Manager module, edit the file

 

/etc/ddclient.conf

 

 

 

 

 

 

You should see something like this

 

Add the following two lines

 

daemon=300

 

ssl=yes

 

 

 

 

 

Click the       Save and Close button

 

 

Using the File Manager module, edit the file

 

/etc/default/ddclient

 

 

 

Make sure    run_ipup   is set to   false

 

Make sure    run_daemon   is set to    true

 

Make sure    daemon_interval  is set to the same interval you set in   /etc/ddclient.conf

 

Save and Close

 

 

Restart your Linux box

 

 Navigate to the Command Shell module, and execute the following command

 

/etc/init.d/ddclient status

 

 

 

 

 

As long as you see      ddclient is running

 

You know its launching at startup, and checking for changes

 

Next execute the following command

 

/etc/init.d/ddclient restart

 

 

And as long as you donít see any errors, you should be all set.

 

Donít worry that its checking every 300 seconds, I know that sounds too aggressive.

But itís actually comparing your IP address to a local file, so youíre not beating up the DYNDNS website like it sounds.

 

 

Your also sending that username and password over ssl encryption. So you might even be better off then you were with your old router

 

 

Thatís about it for ddclient

 

 

Next we are going to setup a local DNS server.

 

This is not only a local DNS how-to, but itís also a local DDNS how-to, meaning Dynamic DNS. It will not only control the naming on your local network, but will also allow your DHCP clients to build, update, and maintain the list of their own computer names \ DNS entries.

 

I wouldnít recommend setting this up on a small network. Itís a pain in the butt the first time you do it, and itís very picky if you start making changes. Iím not saying it isnít stable, its rock solid stable, Iím just saying itís easy to break if you want to tweak it later on.

 

On small networks I find myself just referring to everything by their IP addresses, so make sure this is something you want to do before you continue.

 

OK, letís get started

 

First stop the bind service. This service has to be stopped every time you want to make changes to it, itís very picky like that.

 

You can either type

 

/etc/init.d/bind9 stop

 

Or you can navigate to the Bootup and Shutdown module, and stop it from there.

 

 

If you have given your router eth_safe (eth0) a static IP (which you already did if you have been following this how-to) we need to double check and make sure your computer name still matches the static IP address change in the following files

 

/etc/hosts

 

 

Where it says 127.0.0.1 add localhost.localdomain

 

Where it says 127.0.1.1, change it to your static IP address and servers hostname

 

 

 

Click Save and Close

  

 

Then edit file

 

/etc/hostname

 

 

 

 

 

And make sure your servers hostname is in there

 

Click Save and Close

  

 

Then edit file

 

/etc/resolv.conf

 

 

 

 

 

Write down all the info inside that file, and then delete everything inside this file.

 

Donít just #comment it out, actually highlight and delete the contents of the file. Just delete the contents, (all the words inside) donít delete the actual file.

 

Although that info is important, we are going to use our DHCP server settings to overwrite this file at startup, but it just appends to the file, and doesnít always overwrite, so we have to make sure its empty first.

 

 

 

Click Save and Close

 

Then edit file

 

/etc/dhcp3/dhcpd.conf

 

Underneath         DNS Update Styles

 

Change it to       ddns-update-style interim;

 

Remove the ; comment in front of word      authoritative

This will make your Linux box the authoritative DHCP server for this network.

 

And under the part that reads

 

subnet 192.168.2.0 netmask 255.255.255.0 {

 

Paste in the following

 

            ddns-domainname "diy.lan.";

            allow client-updates;

            option domain-name "diy.lan.";

            max-lease-time 999999;

            default-lease-time 888888;

            range 192.168.2.50 192.168.2.99;

            ddns-rev-domainname "2.168.192.in-addr.arpa.";

            option broadcast-address 192.168.2.255;

            option subnet-mask 255.255.255.0;

            option routers 192.168.2.1;

            ddns-updates on;

            option domain-name-servers 192.168.2.1;

                        }

             

 

You should have something like this

 

 

 

 

Some of that should look a little weird to you

 

Like this.      ddns-rev-domainname "2.168.192.in-addr.arpa.";

 

Thatís for reverse DNS

 

 

You may have to tweak it to fit your needs.

 

 

If you were on a 10.10.50.xxx network, you would use

 

ddns-rev-domainname "50.10.10.in-addr.arpa.";

 

 

Or

If you were on a 192.168.0.xxx, you would use

 

 

ddns-rev-domainname "0.168.192.in-addr.arpa.";

 

 

Or

If you were on a 192.168.1.xxx, you would use

 

 

ddns-rev-domainname "1.168.192.in-addr.arpa.";

 

 

Itís just written backwards, and in place of the last octet, you just put rev instead

 

 

Also make sure you adjust these to fit your scheme

 

option domain-name-servers 192.168.2.1;

ddns-domainname "diy.lan.";

 

 

That would be the IP address of eth_safe (eth0) on your router

 

And then the local domain name that you selected on page 9

 

 

Once you have all that entered correctly, press Save and Close

 

 

Youíre not done with that file yet, because we have to make a secret key for DNS and DHCP to share with each other, so that only your DHCP clients are able to update the server.

 

To do this, open up a Putty window or SSH2 module, and run the following commands

 

cd /options

 

 

 

Then press the enter key on your keyboard

 

Then run the following command

  

 

dnssec-keygen -a hmac-md5 -b 128 -n USER dhcpupdate

 

 

 

This will create a 128bit HMAC-MD5 key file called kdhcpupdateXXXX.key

In the /options folder

  

 

Open the File Manger module, and navigate to the /options folder

 

Edit the Kdhcpupdate file that ends with .key

 

 

You should see something like this

 

 

 

 

 

That last solid string of numbers is your key

 

Do not share this key with anyone, consider this very confidential

 

 

 

Highlight the key, and copy it

 

 

Then navigate back to editing the file

 

/etc/dhcp3/dhcpd.conf

 

 

And under the part that says

 

# Use this to send dhcp log messages to a different log file (you also

# have to hack syslog.conf to complete the redirection).

log-facility local7;

 

 

 

 

Paste in the following

 

 

 

key dhcpupdate {

  algorithm hmac-md5;

  secret Oh+VKKP7uemLxrWg9lwwwQ==;

}

 

zone diy.lan. {

            primary 127.0.0.1;

            key dhcpupdate;

            }

 

zone 2.168.192.in-addr.arpa. {

            primary 127.0.0.1;

            key dhcpupdate;

            }

  

 

You should see something like this

 

 

 

Of course you need to use your own key here, not the example key above

Again keep that key confidential

 

 

Leave the IP addresses alone, they should be 127.0.0.1

 

But tweak the zone name to be the same as the domain name you picked

 

And tweak the reverse DNS address to fit your scheme

 

 

Then click Save and Close

 

Next edit the file

 

/etc/dhcp3/dhclient.conf

 

 

And add the following two lines

 

 

supersede domain-name "diy.lan";

 

supersede domain-name-servers 127.0.0.1;

  

 

You should see something like this

 

 

Then click Save and Close

 

This is the file that is going to append to   /etc/resolv.conf   at startup

So youíre all set for both of these files now

 

Next navigate to the /var/lib/ folder

And use the File Manager module to create a new folder called   bind

 

  

 

With 0775 permission, and both owner and group  as bind

 

 

 

 

If the directory is already there, thatís cool too. Just change the permissions, groups, and owners to match

 

 

 

  

 

Now go inside that directory and create the following two files

 

 

 

diy.lan.db

 

2.168.192.in-addr.arpa        

 

   

 

 

You should see something like this

 

 

 

 

 

 

 

And something like this

 

 

 

 

 

 

 

 

 

Save both

 

 

Set both of the files to the following permissions, And bind as both the user and group

 

 

 

 

These are some seriously wack file permissions, but bind gets a little crazy sometimes, and I find it works best this way

 

 

 

Next, use the File Manger module to edit the file

 

 

/var/lib/bind/diy.lan.db

 

 

 

And paste in the following

 

 

 

 

$ORIGIN .

$TTL 86400    ; 1 day

diy.lan                          IN SOA           deb32server1.diy.lan. admin.diy.lan. (

                                                2009122871 ; serial

                                                28800      ; refresh (8 hours)

                                                7200       ; retry (2 hours)

                                                604800     ; expire (1 week)

                                                86400      ; minimum (1 day)

                                                )

                                    NS       deb32server1.diy.lan.

                                    MX      10 deb32server1.diy.lan.

$ORIGIN diy.lan.

deb32server1               A         192.168.2.1

printer1                        A         192.168.2.74

sanx1                          A         192.168.2.5

; is bind stopped

; did you update the serial number

; sometimes root should be the owner and bind should be the group

; hit enter here, must have one blank line, and only one

 

 

 

 

You should see something like this

 

 

 

 

 

It still wants you to have that     MX 10 YourHostname.diy.lan     entry even if itís not really a mail server.

 

Add all computers here that have a static IP address, the rest will populate themselves when they get a DHCP lease.

 

This program is so very picky about the following

 

Spacing, the file must end with one blank line, just one

Donít have bind running when youíre editing these files

And changing the serial number, +1 every time you make a change (itís the date)

Sometimes it wants root to be the file or folder owner, and bind to be the group.

 

 

Next, use the File Manger module to edit the file

 

 

 

/var/lib/bind/2.168.192.in-addr.arpa     

 

 

 

And paste in the following

 

 

 

$ORIGIN .

$TTL 86400    ; 1 day

2.168.192.in-addr.arpa            IN SOA           deb32server1.diy.lan. admin.diy.lan. (

                                                2009122871 ; serial

                                                28800      ; refresh (8 hours)

                                                7200       ; retry (2 hours)

                                                604800     ; expire (1 week)

                                                86400      ; minimum (1 day)

                                                )

                                    NS       deb32server1.diy.lan.

$ORIGIN 2.168.192.in-addr.arpa.

1                                  PTR     deb32server1.diy.lan.

5                                  PTR     sanx1.diy.lan.

74                                PTR     printer1.diy.lan.

; is bind stopped

; did you update the serial number

; sometimes root should be the owner and bind should be the group

; hit enter here, must have one blank line, and only one

 

 

 

 

You should see something like this

 

 

 

This program is so very picky about the following

 

 

Spacing, the file must end with one blank line, just one

Donít have bind running when youíre editing these files

And changing the serial number, +1 every time you make a change (itís the date)

Sometimes it wants root to be the file or folder owner, and bind to be the group.

 

 

 

Next, using the File Manager module edit the file

 

 

/etc/bind/named.conf.local

 

 

Paste in the following info

 

 

 

key dhcpupdate {

  algorithm hmac-md5;

  secret Oh+VKKP7uemLxrWg9lwwwQ==;

};

 

 

zone "diy.lan" IN {

    type master;

    file "/var/lib/bind/diy.lan.db";

    allow-update { key dhcpupdate; };

 

};

 

zone "2.168.192.in-addr.arpa" {

    type master;

    file "/var/lib/bind/2.168.192.in-addr.arpa";

    allow-update { key dhcpupdate; };

 

};

 

 

 

You should see something like this

 

 

 

 

 

Of course you need to put your own key in there, and tweak the IP scheme if different

 

Click  Save and Close

 

Next, using the File Manager module edit the file

 

 

/etc/bind/named.conf.options

 

 

Paste in the following info

*But donít use the same DNS servers or ďforwardersĒ as I did, make sure obtain that info from your ISP.

 

 

 

 

forwarders {

                        216.146.35.35;

                        216.146.36.36;

                        71.9.127.107;

                        };

 

            auth-nxdomain no;    # conform to RFC1035

 

       listen-on {

             192.168.2.1; # listen on local interface only

                         127.0.0.1;   # Make sure machine can get to itself

             };

 

            listen-on-v6 { none; };

};

 

  

 

You should see something like this

 

 

 

Do not use the same forwarders I did, make sure obtain that info from your ISP.

 

Those are your Public DNS servers

 

In the above example, Iím using two DNS servers from dyndns.org (safe surfer) and then one from my ISP

 

Click  Save and Close

 

Thatís about it for dynamically updating local DNS

You should be able to reboot your Linux box, and then reboot your Windows PC, and the process should be underway.

 

There are several ways to test to make sure itís working

 

You can try pinging computers by their name, and they should reply.

 

You should notice that your ping results are automatically appending the domain name for you. Meaning if you ping the computer name  

Sanx1

 

You should see itís actually ping the entire name Sanx1.diy.lan.

Without you actually typing all of that.

 

 

This is of course assuming your PC is set to DHCP and not Static.

  

 

You should also be able to run the following command from your Linux box

And see all kinds of good info

 

host Ėl diy.lan

 

 

 

 

 

 

And the reverse, on your Windows PCís, you should be able to do

ping Ėa IPaddress

 

 

And the ping should return back with the computer name

 

 

 

If you were following how-to very closely, you were probably expecting that name to come back as BlueDell. Your right, Iím just on a different network today.

 

 

Another cool feature is you can edit the files

 

/var/lib/bind/diy.lan.db

 

/var/lib/bind/2.168.192.in-addr.arpa

 

 

And add multiple names for the same computer. You could have computer 192.168.2.5 respond to as many different names as you want. You could trick your roommates into thinking they each had their own personal server, by giving the same server multiple names like

 

 

Server4room1

Server4room2

Server4room3

 

Even though they are actually all the same computer.

 

There are more practical uses for that feature, but you can certainly have fun with it too.

 

Well thatís about it for DNS

 

Just remember when editing those DNS files, stop the bind service first. And always up the serial number plus one when editing, and always end the file with a blank line.

 

There is always awesome trouble-shooting info in syslog, for whatever problem you might be having. If you are seeing permission denied errors, it probably wants root to be the owner of the file, and bind to be the group. (file permissions)

 

A pretty common problem is the journals will get out of sync. All you have to do is delete them and reboot. They are in the   /var/lib/bind/   folder (.jnl) and are create by the bind service.

 

  

Syslog is your friend

 

 

 

 

  

And check your local email for notices of problems and statuses

 

 

 

 

  

 

Since we added another network card, we need to make sure Samba is for sure listening on your private network card.

 

We have done a lot of steps already to prevent this, but you canít be too careful here.

 

Navigate back to the Samba Windows File Sharing module

 

 

 

 

 

Click on Edit Config File       

 

 

You should see something like this

 

Make sure both of those two lines are un-commented

(meaning remove the leading # or ;)

 

And change the lines to this

 

interfaces = 127.0.0/8 eth0

 

bind interfaces only = yes

 

 

 

 

Where eth0 is eth_safe, Save the changes

 

 

And restart the Samba service

 

 

Here is how you can check to make sure itís working the way it is supposed to.

 

 

Navigate to the Command Shell module and execute the following command

 

netstat -tapn | grep smbd

 

 

 

 

 

Your concern is with the numbers on the left

 

Those represent the interfaces Samba is listening on

  

 

 

 

 

If you see anything other than

 

192.168.2.xxx

 

And

 

127.0.0.1

 

 

On the left, then there is something wrong, disconnect your internet cable and figure it out.

 

If you have been following this how-to closely, you probably expected that print screen above to show IP 192.168.2.1. Your right, im just on a different computer today.

 

 

This command would make a good Custom Command button to, as itís hard to remember

 

netstat -tapn | grep smbd

 

 

 

That brings us to the end of the how-to, I hope you enjoyed it. Donít forget to visit my Website, http://woodel.com  and click on the blog link(s)

 

 

 

Now you can stop logging in as username root, and start using username wood.

Or whatever name you picked on page 1.

 

 

You can run an     apt-get update       and finally an          apt-get dist-upgrade

 

That will ensure you have the latest patches and upgrades for the Debian OS.

 

 

 

Thanks ! Enjoy !!

 

 

-Kevin Elwood          \            KevinTheComputerGuy

 

  

You can find my email address, more how-toís, and blog link(s) on my homepage    http://woodel.com

 

If you would like to do even more with your server, you can find additional info here† http://woodel.com/domore

 


Site Navigation:       Home       Page1       Page2       Page3       Page4       Page5       Do more       Word of Mouth       Donate