  Setup \ Building a Linux Server using Webmin

 



 

Page 5 of 5:

 

My stuff will always be free for personal use, but if you would still like to contribute, you can donate money towards this, or one of my other how-to's.

 

 

Click here to visit http://woodel.com/solutions 

Advanced.

 

If you’re choosing to go on, welcome to the advanced section.

 

First we are going to set up rssh (restricted ssh).

 

I'm not going to spend too much time on this one. We are going to move pretty fast through it, as many of its uses are far more complicated than some of the software solutions that exist today.

  

SSH is awesome, but it gives users access to way too much. rssh gives you basic SSH functionality with the ability to pick and choose what access to give them, which is perfect for giving users shell access.

 

Due to a typo in an earlier version, you may have missed this install. It's      apt-get install rssh

If you are not sure, just run it again. After the install completes, edit the file   /etc/rssh.conf

 

You should see something like this, make the following changes

 

 

Comment everything out except allowscp

 

And change the umask to 777

 

 

Then click save and close

  

That's probably throwing up some red flags to you. 777 means full access, right?

In file permissions it does; a umask works the other way round. The umask lists the permission bits to take away from every new file, so setting the umask to 777 strips all of them and results in the exact opposite file permissions, 000.
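To see what that umask actually does, here is an added check (not from the how-to) that creates a file under a given umask and reports the permission bits the kernel left on it, alongside the same result worked out by arithmetic. It assumes only a POSIX shell with mktemp and ls, and the "umask = ..." label it prints mirrors the directive as it appears in /etc/rssh.conf.

```shell
#!/bin/sh
# Added example (not part of the original how-to): shows empirically what
# "umask = 777" in rssh.conf does to the files backupbot uploads.

# Print the symbolic mode (first 10 columns of `ls -l`) of a file created
# under umask $1. Files are requested with mode 0666; the umask clears the
# bits it contains, so 022 leaves -rw-r--r-- and 777 leaves ---------- (000).
perms_under_umask() {
    probe_dir=$(mktemp -d) || return 1
    (
        umask "$1"                      # only affects this subshell
        : > "$probe_dir/probe"          # create an empty file (default 0666)
    )
    ls -ld "$probe_dir/probe" | cut -c1-10
    rm -rf "$probe_dir"
}

# The same result by arithmetic, printed as three octal digits:
# result = requested & ~umask.  $1 is the requested mode, $2 the umask.
octal_after_umask() {
    requested=$(printf '%d' "0$1")      # e.g. 666 -> decimal 438
    mask=$(printf '%d' "0$2")           # e.g. 777 -> decimal 511
    printf '%03o\n' $(( requested & ~mask & 511 ))
}

# Table for the umasks worth comparing: the distro default (022), an
# owner-only setting (077) and the how-to's paranoid 777 for backupbot.
for u in 022 077 777; do
    printf 'umask = %s  ->  %s (octal %s)\n' \
        "$u" "$(perms_under_umask "$u")" "$(octal_after_umask 666 "$u")"
done
```

With 777 the uploaded backups end up 000, so only root can read them, which is exactly the lock-down the next paragraphs rely on.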

 

As you can tell, we are really locking down this user. To the point of paranoia.

 

With file permissions of 000, only root will be able to see these files. That's because we are going to use this user, in a batch file, to remotely back up files from a Windows PC. His password will be in plain text in said batch file, and could be compromised. So we want to make sure that even if the password fell into the wrong hands, they couldn't do anything with it.

 

Next let’s create an rssh user, named        backupbot

 

Navigate to the Users and Groups module, and click on Create a new user

 

Now when you make a new user, rssh is available as a shell you can choose from for newly created users.

 

If you don't see it in the drop-down menu, just choose    other    and browse to     /usr/bin/rssh

 

See below: for the user I created, I set the shell to           /usr/bin/rssh

 

Select normal password, give this user a password

 

  

 

And make sure you don't select the option to create him in other modules.

 

This user is going to be an rssh user only

 

 

 

 

Now for the next level of paranoia. Navigate to user backupbot's home directory, and set the following permissions.

 

 

 

 

 

 

With these permissions, that user won’t even be able to see the files they upload. This is because if someone finds this password in your batch file, you don’t want them browsing the home directory.

 

 

That’s some pretty extreme lock down we just did. You can take it even further with chroot in rssh, and use it to jail the user inside a directory. And you can use the file permissions to inherit a group that doesn’t exist, or doesn’t have a user in it. I’m not going to go too much into the rest of this setup, but here are some hints if you’re interested in pursuing it.

 

 

You could go to PuTTY's website

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

 

 

And download the following tools

 

PSCP.exe

 

and

 

PLINK.exe

 

These are rock-solid secure, just like PuTTY is.

 

You could use a command like this one, using a combination of PSCP and WinRAR ( http://rarlabs.com ) to do offsite backups of Windows PCs over a secure connection.

 

=====================================================================================
rem  start batch file
cd %userprofile%
rem  close Outlook so its open data files are not skipped or locked
taskkill /f /im OUTLOOK.EXE
rem  archive the documents folder; the archive name carries the computer name and a timestamp
"c:\program files\winrar\rar.exe" a -agHH-MM-SS--MMM-DD-YYYY %computername%_My_Docs_Folder_Win2K_XP "my documents"
"c:\program files\winrar\rar.exe" a -agHH-MM-SS--MMM-DD-YYYY %computername%_Docs_Folder_WinVista_7 "documents"
rem  upload the archives over SCP as backupbot (password is in plain text here, hence the tight permissions on the server)
%temp%\pscp.exe -4 -2 -P 22 -l backupbot -pw abc123 *.rar backupbot@kevin.gotdns.org:
exit
rem  end batch file
=====================================================================================

 

 

This command closes Outlook if it's running, compresses the user's My Documents folder into a single file, then uploads it.

 

It will name the backup file after the user's computer, tell you whether it's Windows 2000\XP or Vista\7, and add the date.

 

 

As you can see the password abc123 is exposed, that’s why the permissions have to be so tight.

 

==================================================================
rem  start batch file
%temp%\pscp.exe -4 -2 -P 22 -l backupbot -pw abc123 *.rar backupbot@kevin.gotdns.org:
rem  end batch file
==================================================================

  

But even if it fell into the wrong hands, there isn’t much of anything they could do with it.

 

Of course a disk space quota is important for any user, always set disk space quotas to prevent abuse.

 

 

Also, this will be an outgoing request from your users' PCs, so you don't have to worry about a firewall configuration on the users' end at all.

 

That’s PSCP 

 

Next is PLINK

 

PLINK is a really cool SSH tunneling tool. You can secure almost anything you want to do, because you can wrap the entire communication up in an SSH tunnel, much like a VPN connection. Everything you do on the port you specified for the tunnel will be secured by SSH. And this will also be an outgoing request from your users' PCs, so you don't have to worry about a firewall configuration at all.

 

For PLINK you could do something like this

 

======================================================================
rem start batch file
rem reverse tunnel: port 5900 on kevin.gotdns.org is forwarded back to port 5900 (VNC) on this PC
%temp%\plink.exe -ssh -4 -P 22 -l backupbot -pw abc123 -R 5900:localhost:5900 kevin.gotdns.org
rem end batch file
======================================================================

 

 

This would create an awesomely secure tunnel from your users' PCs to yours. Port 5900 is VNC, so when you launch VNC from your network, you can remote the Windows PC user over that tunnel, with no firewall config needed on the user's side.

 

 

But I don’t want to spend too much time on those because there are easier alternatives.

 

If you’re looking to remote a user, just use Adobe’s ConnectNow software at http://acrobat.com (click on Web Conferencing) or TeamViewer at http://www.teamviewer.com/index.aspx  both work very very well. These are free and web based and there is no configuration needed on either side. Your user can login as Guest without a need for an account, and all traffic is outbound, so again, no firewall worries. The Acrobat one even works on Macintosh.

 

If you're looking to do offsite backups of user files, you should use something like Cobian Backup over your LAN to a local Linux box running Samba, and then have that Linux box use the Webmin Filesystem Backup module to schedule offsite backups to another Linux box over SSH. Or something like rsync, jailed SFTP or SSHFS.

 

But it's good to have the knowledge above, and I mostly talk about it so you know not to pick SSH when giving someone else an account on your Linux box. SSH by default lets them change directory to wherever they want, and without jailing knowledge your files are way too exposed. So think of it this way: rssh = SSH for users besides yourself.

 

That’s about it for those.

 

 

Next we are going to set up VMware Server. This is optional, as it requires a really fast computer with tons of RAM and hard-drive space. If you don't have 100+GB of hard-drive space and a couple extra gigs of RAM, you should probably skip this part.

 

When you're done setting this up, you will have a separate https webpage (not within Webmin's menus) that you can use to control and create virtual machines. Virtual machines use file(s) on your server that they treat as a hard drive, and you can install operating systems into these files. So your server, with no keyboard and mouse, can host multiple GUI virtual operating systems that you control over Remote Desktop, VNC, or the VMware Player. We are going to walk through how to install VMware Server and install a virtual instance of Windows 7. It's amazing what you can do with these virtual machines. You can choose bridged networking, and it will appear as a computer on your network. You can create snapshots before making changes and revert back to those snapshots. Or my favorite... set it up "independent non-persistent". You can make all the changes you want, you can reboot a million times, and all your changes stay there. But if you choose shutdown instead of reboot, it will then revert back to the original settings. I find that feature to be priceless.

 

So first you have to download VMware Server from VMware's website

https://www.vmware.com/tryvmware/?p=server20&lp=1

 

I can't provide a direct link to the file, or put one on my server. Even though VMware Server is free, they make you register your email address and send you your serial number that way. Make sure to use a real email address when registering, as they are going to email you the serial number; you have to have that to complete the install.

 

Make sure, once you finally get logged in, that you're downloading VMware Server for Linux (preferably version 2.02xxxxxxxxxxxxxx). That's the version I used. You want the binary file, in .gz format.

 

 

It should look something like this

 

 

 

 

Make sure to get the right version. If you're running a 64-bit version of Linux, then download the 64-bit installer. If you're running a 32-bit version of Linux, then download the 32-bit installer.

 

Download this file using your Windows PC, and we will upload it to the Linux box and then move it into place.

If this is your first time uploading a large file to your Linux box, you will notice the Upload and Download manager will take way too long, and will probably fail. So you will want to use FTP or Samba. If you're using FTP, make sure to use account name    uploadman  as his home directory is not exposed to the web. You don't want to share this file with anyone; this is your own registered copy. If using Samba, use account name wood or the name you chose on page 18.

If you never went back and made that account work with Samba, just use one of the roommate accounts that aren't in use.

 

Once you have uploaded that giant VMware installer file, open up Webmin and navigate to the File Manager module. Navigate to the home directory you uploaded the installer file to. Remember uploadman's home directory is in a different place than your other users': he is in /home/uploadman and not /mymounts.

 

 

 

Once you find the installer, cut and paste it to the /options directory.

I’m on a different computer today and will be using the 64bit installer, so my filename may look a little different than yours.

Wait for the paste to finish, then navigate to the options directory, and highlight the VMWare file by clicking on it once

  

 

Once you highlight the file, click extract button at the top

 

 

 

 

 

 

Choose     Yes

 

If you’re hurting for space you could choose         yes, then delete

But if you’re hurting for space you probably shouldn’t be installing this :- )

 

 

That file is uber compressed, so give it a couple minutes to finish.

When it’s finished, you should have a folder like this one

 

 

 

You're done with the File Manager for now; the rest of the setup will be done from the command line.

Do yourself a favor and use PuTTY. The SSH2 module is very convenient, but I haven't figured out the copy and paste problems yet, and I want you to be able to copy and paste these next few commands exactly, so let's use PuTTY.

 

Log in with PuTTY as username   root

And change directory to the /options directory

 

  

Type    cd /options

 

 

  

 

Then type dir, or ls -a

 

And press the enter key on your keyboard

 

 

 

Then type    cd vmware-server-distrib

 

or    cd vmw*

 

Note vmw* will only work if that is the only folder in that directory starting with vmw

 

Remember you can also copy\paste these commands

  

Once you’re in the vmware-server-distrib folder, type dir

 

You should see something like this

 

 

 

Run     apt-get update    Then type the following command and hit Enter on your keyboard.

 

Copy and paste it exactly as shown, even that uname part, that’s not your name, copy it exactly.

 

apt-get install linux-headers-`uname -r` libxi6 libx11-6 libx11-dev libxtst6 psmisc build-essential x11-common libxau6 libxdmcp6 libx11-data libxrender1 libice6 libxext6

 

It may ask you a few times if you are sure, say yes

 

 

After that completes, run the following command, and hit the enter key

 

./vmware-install.pl

 

 

 

It’s going to ask you a bunch of questions, you can hit enter to almost all of them. Hitting enter accepts the default answer to the questions that it’s asking you. Almost all are the correct answer, with the exception of a few preferences

  

 

 

So far all of these have just been enter

 

 

You can also hit enter for that last question in the print-screen, yes it is ok to invoke that process

 

 

It's OK that these two failed.

It's trying to stop services that don't exist yet; just hit Enter.

 

 

Click enter to read the End User agreement

 

You will have to press enter like 100 times to get to the bottom. Holding down the enter key works nicely for this part if you have already read it before.

 

 

You can tell they assumed people would just hold down the enter key, as the next question makes you type yes

 

 

Type yes and hit the enter key

  

 

It’s time to slow down here and pay close attention when you get asked this question.

 

 

 

Press enter to say yes, but get ready to pay attention

 

 

If you get this warning about gcc versions, say no!

No should be the default answer, so you can still get away with pressing Enter.

 

 

Saying no will kick you out of the installer, that’s ok, that’s what we want

 

 

 

Type the following command and press enter on your keyboard

 

export CC=/usr/bin/gcc-4.1

 

*remember you can copy\paste

 

 

It will just do it, and not tell you anything back, this is what we want

 

 

Now type   the following command and press enter

 

vmware-config.pl

 

 

This will re-start the installer right where we left off

 

Again, these failures are OK.

 

 

Say yes to this question by pressing enter

 

 

You shouldn’t get the gcc error this time.

As long as you don’t get that gcc error again, you can keep saying yes for the following.

 

*Never say yes to that gcc error 

 

The screen will start scrolling very fast as it installs the modules.

 

 

When you get to this question, say yes, it’s just making sure the gcc error is fixed

 

 

 

If all goes well, the gcc error is gone and the installer will continue

  

 

You can say yes, press enter for these

 

  

 

Keep pressing Enter; these default answers and network names are perfect.

 

 

 

  

Say no when asked to configure a 2nd NAT device, this is the default answer anyway, so pressing enter will work here too.

 

 

Don’t be alarmed by that weird looking IP address. That is a private address for the VM’s if you choose to not expose them to the network, and pretty much make them invisible. We will cover that later.

 

 

You can say yes, we won’t use it, but this is the best time to set it up

 

 

 

You can keep hitting enter until you are asked if you want to setup a 2nd  host only network. Say no, one is enough.

  

 

Don't be alarmed by the weird IP addresses; we won't even use them.

 

 

The default answer to the second host-only prompt is no, that’s what we want, go ahead and click enter.

  

You can say yes to this, this isn’t the gcc error

 

 

 

  

 

Write down these port numbers, you will need them later

 

 

Just hit enter to the admin question. This tells the computer you want to use your root password, just hit enter

  

Finally the question we have been waiting for.

 

This question and the gcc error are the only reasons you couldn’t just close your eyes and hold down the enter key.

 

It’s asking you where to keep the virtual machines at, you want this to be your data drive

 

 /mymounts/vraid/vm folder

 

Or    /mymounts/d2p1/vm                depending on your setup

 

As this is your big hard-drive and you don’t want the vm files on your os drive, slowing down your OS.

 

 

 

That vm folder doesn't exist yet, so it's going to warn you it's going to create it.

Notice it's warning you it's going to make some parent folders; this is OK, say yes.

 

 

Next it will ask you for your serial number. That should be in your email by now.

 

 

 

Copy and paste the serial number in there and press enter

 

 

 

For the VIX questions you can keep hitting enter

 

 

You should finally see something like this; you're done installing VMware Server.

 

 

 

Earlier you wrote down some port numbers

  

Should look something like this

 

 

Now open up an internet explorer page on your Windows PC and type

https://your-linux-box-ip:8333

 

*Note: this isn't working in Firefox at the present time, but I am sure they will fix it soon, and it is probably more of a Java problem than a Firefox problem. It does work on IE 7, IE 8 and Chrome.

 

Today my IP is 192.168.2.5

 

So I would type

 

https://192.168.2.5:8333

 

Get ready to be really impressed :- )

  

If you get the certificate error, say yes or continue

 

It is completely safe

 

 

 

 

Login as root

 

 

 

  

And voilà!!!

Your own VMware Server, running on a non-GUI OS!

 

 

 

If you’re prompted to install the plug-in, go ahead and do so.

  

 

Notice it's calling your /mymounts/vraid/vm      folder a Datastore

And it's named that Datastore    standard

These are just VMware terms. When you're inside VMware, refer to it as Datastore standard, and when you're in Webmin, refer to it as /mymounts/vraid/vm

 

 

 

Now we are ready to install a virtual instance of Windows. I'm going to do Windows 7; you can do any flavor you want. If you don't have a Windows CD, you could set up Linux instead. The steps will be pretty much the same.

 

Go stick the Windows installer CD\DVD into the CD\DVD drive of the Linux box, and then come back.

…or even better, upload an .iso of the CD via Samba or FTP, then use the Webmin File Manager module to move it into /mymounts/vraid/vm

*Similar to the same way you got the VMWare installer into the /options folder

 

If you're using the .iso file:

Once you get it pasted into the /mymounts/vraid/vm      folder

Make sure the permissions are 755. I'm not sure what user the process uses, so 755 should make it accessible.

*Reminder: use the Info button to change permissions

 

 

 

 

Once you have either the disk in the drive or the .iso uploaded, return to the VMWare Server Management webpage and click on the Virtual Machines tab, and then click on

Create Virtual Machine

 

 

 

 

You should see something like this

 

 

 

I called it "from scratch" because this isn't the only way to make one. You can actually download VMware Converter from VMware's website, capture images of real computers on your network, and import them into your server, never needing to actually build them, and they boot up and act just like the real thing. It's really impressive, and also free. But let's get back to building ours from scratch.

 

After you name it, click next, you should see something like this.

Choose your operating system

 

 

*Windows 7 wasn’t in the list, you can usually get away with choosing something close. It’s just trying to determine what type of file system and hardware you’re going to use, so choosing something close usually works.

 

Click next

 

  

I usually go with double the Recommended ram size, and 1 Processor.

 

 

Click next

  

 

Click create new virtual disk

 

 

 

 

You should see something like this

 

 

I doubled it from 16GB to 32GB

 

And told it to allocate the space now

Click next

  

 

Here is that cool feature I was telling you about. Don't enable it now, as you want it to remember all the changes you're doing. But if you get to a point where you want it to start forgetting changes, here is where the setting is.

 

 

 

Again, don’t select that now, you can change that later once the OS is installed. But I wanted to show you where it was at. It’s under the hard-drive properties of each virtual machine you create.

 

 

 

Click on   Add a Network Adapter

 

 

  

Choose Bridged

 

 

 

Click next

  

If you’re using a real CD\DVD disk, click next

If you're using an .iso like me, then click   Use an ISO Image

 

 

 

 

You should see something like this (if you selected iso)

 

Click on Browse, find the .iso under your datastore, under inventory. And click OK

 

 

 

 

  

Click next

 

 

 

 

 

Choose    don’t add a floppy drive

And click next

 

 

  

 

Choose    Add a USB controller 

and click next

 

 

 

 

Put a check box next to    Power on your Virtual Machine now

 

And click Finish

 

 

  

 

You should notice a new entry under the Inventory tab

 

Click on the Virtual Machine name

Then click on Console

 

 

As soon as that progress bar gets to 100%, you should start to see the virtual machine boot up.

 

*it takes a long time the first time, because we told it to allocate that disk space, so its making a 32GB file right now, be patient.

 

 

Once it gets to 100%, it will say

Powered on, click anywhere in the screen to open the virtual machine

 

 

 

  

 

Click in the black box, and you should get a pop up, with the new virtual machine

  

 

You should see something like this

 

 

 

 

 

 

 

 

Eventually you will get to a screen where you can start installing the OS

  

 

 

 

 

Pretty awesome right

 

This view is called a console view or player view. You probably won't get a lot of use out of this view, except for the initial install and maybe some troubleshooting. Once your installer finishes, the virtual machine will get an IP address; then you can Remote Desktop into it (if Windows) and it will appear to you as a real computer, just like any other computer on your network.

It's pretty limitless what you can do with this stuff. You can create RAIDs that are actually just copies of the same files. You can create virtual switches, which are actually a bunch of virtual NICs on the same computer.

 

Earlier we mentioned NAT and Host-Only networks. We aren't going to use those in this how-to. Those are private networks between your virtual computers and your server. One is totally private (host-only) and the other acts like there is a router between you and the real network. This is useful if you want to run servers that aren't allowed on the real network. For example, if you want to play around with a DHCP server, you wouldn't want two of those on your real network. We will only be using Bridged; this way the virtual computer acts like a real computer, and shows up on your network with a real IP address, just like a real computer would.

 

 

Don’t be scared to format your Virtual Machines hard drives. This won’t re-format your Linux Box hard-drive. These are just files to your Linux box, acting like hard-drives for the Virtual machines.

 

 

You will probably be tempted to share your /mymounts/vraid/vm   folder using Samba

 

Don't do that. It's way too easy to run into an access violation. Do like we did earlier and use a combination of different shares and the Webmin File Manager to move files in and out of that folder. And make sure to always power down your virtual machines before clicking, touching or moving any vm files around (this includes just copying).

 

If your mouse cursor seems stuck inside the vm, just press Ctrl + Alt on your keyboard to release it

 

 

 

 

 

 

You should eventually find yourself at the virtual machine's desktop. Again, this player view is the worst performance mode; you will want to Remote Desktop into it once you have all the IP, firewall, and port-forwarding settings in place.

 

The player mode is mostly for the initial setup, trouble shooting, guest access, and maybe if you do any VPN type stuff…. You could benefit from the player view, but strive to get into a remote desktop session for way better performance.

 

As far as guest \ cloud user access, you can provide shortcuts directly to the player mode. Navigate back to your https :8333 page, click on the virtual machine you want to give access to, and look over in the right-most pane.

 

You should see something like this

 

 

 

 

 

 

If you click on   create shortcut

It will let you download a link you can send to people, to access the virtual machine in player mode.

 

This is pretty amazing stuff, but be careful here! This 600-plus-page how-to would be about 600,000 pages if we had to talk about local \ internal security. We can skip a lot of that because all access to your internal network from the big bad internet is blocked. If you give someone access to a bridged VM, it's the exact same thing as them walking in with a laptop and plugging directly into your network. They are now on your wired, internal, trusted private network. And following this how-to, we trust all internal wired computers.

So, don't give these shortcuts to anyone you don't trust as a local user inside your network. And remember... this view is the worst performance view; consider giving them Remote Desktop access instead.

 

I only give these shortcuts to people who aren’t savvy enough to remote desktop in. Or need boot time access to the drive.

 

 

If you find yourself needing to add more storage, or    Datastores    as VMware calls them, and you have decided you want to add network storage instead of another local hard drive, VMware is going to try to walk you through setting up a NIS server.

 

Don't do that; that's too much work for something so simple. Use Samba instead. It will appear in the VMware options that you can't, but you can trick it using Samba. Just mount a file share to another computer using the Disk and Filesystem module, mount type SMBFS (like you did earlier), and VMware will think that folder or mount-point is another local drive, and will set it up as a Datastore.

 

If you’re going to be doing really hardcore stuff, then you should connect to an iSCSI server. But for non enterprise use, the share will work just fine, and only takes seconds to setup.

 

Your VMware server will see    /mymounts/samba2dot6/    as a local folder in the Add Datastore wizard, and won't bother you to set up a NIS server.

 

 

That’s about it for VMware, pretty amazing stuff, enjoy.

 

*Side note: if this VMware Server doesn't meet your needs, you can take it to the next level and set up an ESXi server. On a dedicated 64-bit computer you can install VMware's ESXi operating system. Just go to http://vmware.com, make an account, and download the ESXi iso. The install will erase your hard drive and install the proprietary ESXi operating system. All it does is host virtual machines, but it's very good at it. You manage your virtual machines remotely using VMware's vSphere client. It's pretty amazing stuff, if you need something more than what we have done here.

 

That’s it for VMware.

 

 

Next let's stop for a second and talk about file encryption. In the same way that local backups pale in comparison to offsite backups, file encryption pales in comparison to filesystem encryption. We are talking about this now because you are in the Advanced how-to.

 

If you can't lock the door where this Linux box is, if you can't set up a $20 webcam to watch for people trying to steal your Linux box, if you've got enemies at the FBI... :- )

Then you would want to set up complete filesystem encryption. Anything less than encryption at the filesystem level is unacceptable. This is really easy to set up. Start this how-to all over again, and on page 12, choose LVM encryption.

 

That's it. Except for the format taking a couple of days (literally), your computer will boot up and ask for a password before mounting the drives; without the correct password, it's as if the data doesn't exist. I've tried to break it, leaving just one letter off the right password. No go; it's so very strong. It's the only one worth doing. I prefer to only use it on laptops, as it can make data rescue a pain in the butt. And I have a fat padlock on every one of my servers, so as far as what I practice, I only do this on laptops and servers I'm solely responsible for.

 

But once you choose LVM encryption, the kernel will be built correctly during setup, and you can then tweak it via Webmin under the

Hardware \ Logical Volume Management module (LVM)

Make sure your first Linux experience isn't with encryption. It can make disaster recovery a pain, and remote reboots aren't really going to work for you, as you're prompted for a password to reboot. A couple of Google searches will teach you how to hardcode that password in, but hopefully you see the flaw in that. I prefer not to hide the key next to the lock :- )

 

If this is your first Linux experience, hold off until your third or fourth time before you dive into that. But it’s amazing, and worth the effort.

 

OK, we have come to the final part of our how-to. The next steps deal with setting up your Linux box as a router and then, optionally, a local DDNS server. Setting up your Linux box as a router means that any time you want to reboot or troubleshoot, your users will have no internet access. So make sure this is something you really want to do.

 

And I say DDNS, not DNS, because it (D)ynamically updates your local DNS records via your DHCP clients. Basically your DHCP clients will all get DNS entries automatically when they get their DHCP leases; very cool stuff. Extremely useful on a large network, but it can be a little overkill on a small one. I have a problem where I memorize IP addresses, because I am weird like that, and wind up never using the DNS name. But your users will never remember IP addresses; that's when it becomes necessary, and the flexibility of name control on your network is nice.

 

 

OK, truth is you're about to build a very powerful router. So let's do this. Warning!!! These next steps will disconnect you from the internet for a very long period of time. You might want to finish reading the how-to before moving on.

 

 

Warning: if you have ADSL, DSL, PPPoE and/or an All-In-One Modem\Gateway\Router, you may not want to continue.

 

This how-to was written mostly for Cable internet users, and or small business users on a LAN wishing to create a sub network \ private network.

 

Even Cable internet users, if you have All-In-One Modem\Gateway\Router, you may not want to continue.

 

The reasons ADSL, DSL, and or an All-In-One Modem\Gateway\Router users may not want to continue is, this how-to walks you through setting up your computer as a drop in replacement for your router. But if your router is an all-in-one solution, you can’t really remove it from your network, as the modem still needs to do its function in order to get you out to the internet. You could disable the routing feature of the all-in-one, but it would still be powered on and using electricity, and sitting next to a computer doing the same exact function.

 

And even if you decided to disable those features and continue on, most ADSL and DSL modems use proprietary instructions written in their firmware that won’t let you back out to the internet without passing through its NAT first, so disabling that function would unfortunately break your internet connection.

 

So long story short, only continue if you have a setup, where the modem is a piece of hardware all by itself, (this is usually only cable subscribers, as in cable TV or coax cable modem) and or a internet source with a public IP address without PPOE, and or you’re on a small business network and your wanting to create a sub network behind your current network.

 

 

You will also need a second network card to continue. You will later be installing this into your Linux server.

You will need to set a couple of static IP addresses, as you are going to be without DHCP for a while.

If your Linux server is still on DHCP, you must change it to static. Also, if you’re still using a static IP address of 192.168.2.111 (x.x.x.111) or 192.168.2.174 (x.x.x.174), you should change it to 192.168.2.1 (x.x.x.1) before continuing. It is good practice to have your router and gateway be x.x.x.1, basically the first IP address of your scheme. You’re about to turn this box into a router \ gateway, so change the IP address if you haven’t already. You can refer to pages 48 and 49 if you forgot how to make this change. And reboot to make the change effective.

You will need to temporarily set your Windows PC to use a static IP address within your same IP scheme. I’m going to use IP address 192.168.2.9 on my Windows PC. There are some screen shots on the next page on how to do this. Don’t move on until you have figured out how to give your Windows PC a static IP address within your same IP scheme.

If you right-click on the network card (Local Area Connection) on your Windows PC and go to Properties, we can walk through how to set that up.

You should see something like this

Right-click on it and go to Properties

You should see something like this

Click on    Internet Protocol (TCP\IP)        and then click Properties

*Note, if your screen shows IPv4 and IPv6, choose IPv4

You should see something like this, make the following changes and click   OK

If these numbers look French to you, refer to earlier pages for an IP scheme refresher.

Click OK again, as many times as it takes to get out of those screens, and then reboot your Windows PC.

At this point, if you’re using my same numbering scheme, you should have a Windows PC with a static IP address of 192.168.2.9

And a Linux server, with one NIC, with a static IP address of 192.168.2.1

 

 

 

From now on we will be referring to your original network card (eth0) as    eth_safe    ; that is the one with IP address 192.168.2.1

And the new NIC, the second one (eth1), as    eth_bad    . That’s jumping a little ahead, as we haven’t even installed it yet; it’s just important you grasp this before moving on.

eth_safe will be the LAN side of your network, and eth_bad will be the WAN side of your network.

Before moving on, make sure you can still get to Webmin from your Windows PC.

Webmin should now be at      https://192.168.2.1:10000         if you’re following my numbering scheme.

*If you just recently changed the IP address, Webmin will take an extra long time to load the first time you open it, just give it a minute.

We need to stop the Firewall from loading at startup on your Linux server. Its configuration is no longer valid now that you want to do routing. Navigate to the Linux Firewall module, and stop it from loading at startup.

You should see something like this

Change   Active at boot   to     No

Then click the   Active at boot    button to make it stick, then click the   Apply Configuration    button

Reboot your Linux server; you should have no active firewall at this point.

Triple check by logging back into Webmin and navigating back to the Firewall module, and make sure that button still says No.

Power off your current router (example: Linksys) and remove it from your network. Note, this assumes you have a switch you will be using instead. If not, you can still use the 4 LAN ports on your old Linksys router and re-introduce it back into your network as a switch, as long as you don’t ever plug anything into the WAN port of the Linksys router ever again. Put a piece of tape over it if you have to, and never use it again. (Some router models call it an uplink port)

Never use the Uplink port or WAN port on the Linksys router ever again; this will cause it to act just like a switch. If it has wireless capabilities that’s ok, later I will show you how to make that work with your new setup.

Removing your Linksys router from your network, and/or using it as a switch instead of a router, can be kind of hard to picture the first time you do it. So I drew you a few pictures. This first one would be an example of salvaging your current wireless router.

This second view would be if you ditched your Linksys router altogether, and just used an actual switch.

This third view would be if you used both a switch and a wireless router (AKA wireless access point)

Decide which picture best describes what you want to do, and then shut off the Linux box.

After powering off your Linux box, install the second network card inside the computer, but do not plug the cable in yet!

Again… do not plug the cable in! Only the original network card you started this how-to with should have a cable going into it. Keep the cable coming from your ISP out of the picture for now; it should be sitting there not plugged into anything.

Once you have the NIC properly installed, power on the Linux box.

Once we configure it, the new NIC will be known to the system as   eth1   and known to us as eth_bad

Visually you will know it as your WAN port, but we will continue to refer to it as eth_bad.

It just helps in visualizing what’s going on, as this will be the NIC eventually connected to the big bad internet, via your Cable\DSL modem.

eth0, our trusted NIC, the one plugged into your switch, will be referred to as eth_safe. Just for clarification, I’m calling your old Linksys router with a piece of tape over the old WAN port a switch.

Later in the how-to, when we set up our firewall rules, we will trust everything from eth_safe, so it’s important to stop here if you don’t understand that. You have 2 NICs now; one is eventually going to be plugged into the Cable or DSL modem, that’s eth_bad. And again, it should not have a cable plugged into it right now.

If later you get confused: eth_safe should have a static \ private IP address, and eth_bad should have a DHCP IP address it obtained from outside this network, better known as a Public Address. If that doesn’t make sense to you, don’t continue the how-to until it does. Or maybe keep reading without doing; a wrong choice here could expose your network to the outside world.

If your Linux box has internet access right now, stop! You have done something wrong.

Next we are going to configure  eth_bad  (eth1)

Using the Webmin File Manager module, navigate to and edit the file

/etc/network/interfaces

Go ahead and enter the following info, or copy \ paste.

allow-hotplug eth1

iface eth1 inet dhcp

You can ignore that “up /sbin/ifconfig …” line from my screenshot for now

Also enter anything you might be missing for eth0. Once everything looks good, click on Save and Close

Hopefully you won’t need that “up /sbin/ifconfig … mtu” line; we will talk about that later

Reboot your Linux box to activate that new NIC

You can’t really test all that speed, duplex, and MTU stuff until you have a cable plugged in, so we will have to come back to that later. Don’t plug the cable in yet; just remind yourself later to check that out. Like you did earlier in this how-to, use a combination of ifconfig, mii-tool and ethtool to make sure you have the right speed, duplex, and MTU settings. These problems are rare, but nasty.

In that last print screen you could see I had a problem with the MTU on this NIC and had to force it. Hopefully you won’t have that problem, I rarely see it. But if you do, just Google search the right MTU settings for your ISP. Cable modems and LAN are almost always 1500 MTU; some DSL connections I have seen are 1400+ MTU. DOCSIS 2.0 = 10\100, DOCSIS 3.0 = 10\100\1000. A Google search should show the right setting for your situation. Try Google first, most people at your ISP customer support center won’t know what you are talking about :- )

We are now going to change a setting that is going to allow packet forwarding between the two NICs. This is the reason we have done so many overkill security settings, because after you make this change eth_bad will be able to forward packets to eth_safe and vice versa.

Navigate to the File Manager module, and edit the file

/etc/sysctl.conf

Add or un-comment the following line

net.ipv4.ip_forward=1

Now is a good time to reboot. This reboot will enable packet forwarding between the two NICs.

Your computer may take a long time to start up, as it’s searching for DHCP on eth_bad, but there is no cable plugged in yet; just wait a few more minutes than usual, it will come up. Do not plug in the cable yet.

Next we are going to set up the DHCP server. It will hand out DHCP IP addresses to your internal network, originating from eth_safe (eth0) and feeding addresses to anything behind it (your switch).

You already have the DHCP server installed; we just have to tell it which NIC to use and enable it. Navigate to the DHCP Server module, and click on    Edit Network Interface

You should see something like this

Choose (eth_safe) eth0 and click save

You should be returned to the main DHCP screen, click on Add a new Subnet

You should see something like this, make the following changes

Subnet description - Make something up
Network address - 192.168.2.0
Netmask - 255.255.255.0
Address range - 192.168.2.50 - 192.168.2.99

Leave all the other options alone and click   Create Now   and or   Save   depending on what your screen looks like.


Now a new icon should have appeared on the main DHCP server page underneath Subnets, called 192.168.2.0. Click this icon, you will be returned to a screen similar to the one you just left except it has some new buttons at the bottom. Click the one that says "Edit Client Options".

Make the following changes

Subnet mask - 255.255.255.0
Default routers - 192.168.2.1
Broadcast address - 192.168.2.255
DNS servers - 192.168.2.1

You will have to hit save twice, here and the next screen.

You should be returned to the main DHCP screen, where you can start the DHCP server

You now have a fully functioning DHCP server. You should be able to release the IP address on your Windows PC, and get a new one handed out from your Linux box.

If you don’t know how to release your IP, just reboot your Windows PC, that will do it too.

*If you’re using a static IP address on your Windows PC, you would have to switch it to DHCP to see the fruits of your labor.

At this point you have your Windows PC plugged into your switch, and your switch plugged into eth_safe

If you have wireless, there are a couple of setting changes you need to make on the old wireless router (wireless switch \ wireless access point)

You should be able to access the wireless router’s admin webpage using your Windows PC and a cable going into one of its LAN ports.

Login and make the following changes.

-Disable its built-in DHCP server

-Change its routing function from Gateway to Router (not all models have this feature, if not, just leave it at Gateway)

-Disable its built-in Firewall

-And optionally you can delete all your Port-Forwarding, NAT, DDNS, and any other custom settings on your old router, as they are no longer functioning in this scenario. All that will be handled by your Linux server from now on, so these settings are no longer doing anything for you.

You can then use the 4 LAN ports just like a switch, never using the WAN port again.

(the WAN port is usually 10\100, so you may have just removed a future bottle-neck in your network)


 

And voila, now you have a wireless router that is dumbed down to act like a wireless switch instead.

If you had to set a static IP address to talk to your wireless router (aka wireless switch), don’t forget to set yourself back to DHCP.

What’s nice about this setup is you can now put that wireless router wherever you want in your house or building (as long as there is wiring going to it)

You’re no longer confined to having it next to your Cable \ DSL modem, which is normally in some closet somewhere surrounded by lead and 4 foot thick walls :- )

Smart placement of your wireless router is the key to good signal strength.

 

Next we need to destroy the current Firewall configuration so we can set it up the right way.

Even though it’s not loading right now, it still has all the wrong settings in it.

Navigate to the Linux Firewall Module, and click the Reset Firewall button

You should then see a screen like this, make the following changes

Do Network Address Translation (nat) on eth_bad    (eth1)

If you see a checkbox about starting the Firewall at startup, make sure that is not checked.

Like before, we want a way back in if we mess something up

Once your screen matches mine, Click    Setup Firewall

You should see something like this

At the bottom of the screen change    Active at Boot     to    No

And press the          Active at boot     button

And then press the Apply Configuration button

We do eventually want it active at boot, just not yet

Change the field at the top, next to the    Showing IPtable    button

Click the drop down arrow and select      Packet Filtering  (filter)

Once you are sure you are in the filter screen

Set the default action for   (FORWARD)   to Drop

Then click the   Set Default Action To    button next to it

Do not click the Apply Configuration button, not yet anyway

Do the same thing for   (INPUT)

Do not click the Apply Configuration button, not yet anyway. However, make sure you are clicking the Set Default Action button.

It won’t let you change both at the same time, so double check that (FORWARD) and (INPUT) are set to     Drop

And double check that you have clicked the    Set Default Action To:    button for both

Double check that your screen looks like this

Do not hit Apply yet

If you accidentally hit Apply and have locked yourself out, just manually reboot the Linux box. We don’t have these rules in startup yet, so a reboot will get you back in for now. Once we are sure it is working, we will finally put it in startup.

Let’s talk a brief second about the Firewall and the settings we are going to make.

The Linux firewall works with three IP tables: MANGLE, PREROUTING and FILTER.

The actual firewall part is done with FILTER

In this configuration we are going to allow anything and everything on eth_safe (eth0), because that network card is internal and runs from the Linux box to a local switch inside your network. We are going to allow everything from (lo), the local loopback interface. We are going to block everything (with the exception of outgoing traffic) on eth_bad (eth1), as that network card is exposed to the internet; it runs from the Linux box to your high-speed modem or internet feed. The idea is for eth_bad to be a way out to the internet, not a way in, unless requested from behind the Firewall, or explicitly specified by you.

And any PortForwarding you might need is done in PREROUTING, and then passed to the FILTER (FORWARD). That’s why later when we set up PortForwarding, we have to make sure we allow them in both places.

OK, let’s configure the Firewall

Here is a glance at the rules we will be defining

INPUT
- Accept if protocol is ICMP (This is optional, but recommended, very handy)
- Accept if incoming interface is lo
- Accept if incoming interface is eth_safe (eth0)
- Accept if incoming interface is eth_bad (eth1) and state of connection is ESTABLISHED,RELATED

FORWARD
- Accept if incoming interface is eth_safe (eth0) and outgoing interface is eth_bad (eth1)
- Accept if incoming interface is eth_bad (eth1) and outgoing interface is eth_safe (eth0) and state of connection is ESTABLISHED,RELATED
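Here is the same rule set written the way iptables itself stores it, as an added example that is not part of the original how-to. Webmin ends up generating rules like these for you from the screens that follow; seeing them in one place makes it clear what each click is doing, and gives you something to compare against the output of iptables-save once everything is applied. It assumes the how-to’s interface names (eth0 = eth_safe, eth1 = eth_bad) and includes the NAT line that the earlier “Do Network Address Translation (nat) on eth_bad” checkbox produces.

```shell
#!/bin/sh
# Added example, not part of the how-to: the rule set from the list above in
# iptables-restore format. Assumptions: eth0 is eth_safe (LAN) and eth1 is
# eth_bad (WAN), as named throughout the how-to.

# Print the complete rule set for the given LAN and WAN interface names.
gen_router_rules() {
    lan="$1"
    wan="$2"
    cat <<EOF
*filter
# Default actions: anything not matched below is dropped (INPUT, FORWARD);
# the router itself may always talk out (OUTPUT).
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT: traffic addressed to the router itself
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $lan -j ACCEPT
-A INPUT -i $wan -m state --state ESTABLISHED,RELATED -j ACCEPT
# FORWARD: traffic routed between the two NICs; only replies come back in
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# "Do Network Address Translation (nat) on eth_bad": hide the LAN behind the
# WAN address
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

# Count ACCEPT rules that match packets arriving on the WAN interface without a
# connection-state condition. For this rule set the count must be 0: nothing
# unsolicited gets in from eth_bad.
count_unconditional_wan_accepts() {
    gen_router_rules "$1" "$2" | grep -- "-i $2 " | grep -- "-j ACCEPT" | grep -vc -- "--state" || true
}

# Load the rules into the kernel (root only). Sets the sysctl from earlier at
# the same time, so no reboot is needed to turn forwarding on.
apply_router_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_router_rules: run as root" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null || return 1
    gen_router_rules "$1" "$2" | iptables-restore
}

# Run directly: print the rules for review (pipe into iptables-restore to apply)
gen_router_rules "${LAN:-eth0}" "${WAN:-eth1}"
```

Run it with no arguments to print the rules; `LAN=eth0 WAN=eth1 sh router-rules.sh | iptables-restore` (as root) loads them, which is what Webmin’s Apply Configuration button does for you. The `count_unconditional_wan_accepts` helper is the one-line sanity check worth remembering: any ACCEPT on eth_bad that is not tied to ESTABLISHED,RELATED is a hole.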

  

 

To add these rules, click the   Add Rule    button, under INPUT

You should see something like this

Make the following changes for ICMP  (ping)

Then click Create

You should see something like this

Click the    Add Rule    button again

You should see something like this

Make the following changes for lo  (LoopBack)

Then click Create

Click the    Add Rule    button again

You should see something like this

Make the following changes for eth_safe  (eth0)

Then click Create

Click the    Add Rule    button again

You should see something like this

Make the following changes for eth_bad  (eth1)

You have to hold down the control button on your keyboard to select more than one item.

Select both Established and Related

Then click Create

You should now be seeing something like this

Now under the FORWARD section, click    Add Rule

You should see something like this

Make the following changes for forwards from eth_safe to eth_bad

Then click Create

Click the    Add Rule    button again, make sure you’re still under FORWARD

You should see something like this

Make the following changes for forwards from eth_bad to eth_safe

Then click Create

You should see something like this

Cross your fingers and click the    Apply Configuration   button

Did you get disconnected from Webmin? Can you still click around on the other modules?

If you can, then congratulations, you did everything right.

If you got disconnected, and you’re sure you’re plugged into eth_safe, then you did something wrong; you can turn off the firewall by manually rebooting your computer.

If you didn’t get disconnected then you are ready to put the Firewall in startup.

Navigate back to the Linux Firewall module, change the    Activate at Boot    to    yes    and click the    Activate at boot    button.

And then click Apply Configuration

It is now safe to plug your cable into eth_bad; now you should have two cables in the same machine.

The cable coming from your Cable\DSL modem, or your ISP \ internet connection, goes into eth_bad (eth1)

The cable from eth_safe (eth0) should be leading back to the switch inside your private network.

Once you have both cables where they are supposed to be, reboot your Linux box.

After the Linux box reboots, use the Command Shell module to run the ifconfig command

ifconfig

*Note, if there is just too much information on the screen for you after you run   ifconfig   you can instead run…

ifconfig eth0

ifconfig eth1

etc….

and only see the details for the NIC you specify after the command

You should see at least 3 network interfaces; you will have more than that if you did the VMware portion of this how-to

eth_bad (eth1)  should be getting a Public DHCP IP address from your ISP.

 

This IP address should look a little weird to you, and in most cases, shouldn’t start with 192.168

 

Also, this is a good time to make sure the MTU, speed and duplexes are correct.

 

 

If you’re not getting a Public IP address for eth_bad (eth1) something’s wrong.

It could be as simple as your ISP is doing MAC address restrictions, meaning they want you to call them every time you get a new router.

 

 

You can do that, call them and give them the MAC address for eth1 (also known as the hardware address)

Or you can clone your old router’s MAC address, so eth1 acts like its MAC address is the same as your old router’s; then you don’t have to call your ISP, because they won’t know there was a change. But in most cases, you have to call your ISP and give them the MAC address for eth_bad

 

If you still want to try and clone your old router’s MAC address, navigate to the File Manager module, and edit the file          /etc/network/interfaces

Somewhere under allow-hotplug eth1

Put the following command

hwaddress ether xx:xx:xx:xx:xx:xx

Use your old router’s WAN port MAC address in place of these x’s

This will force eth1 (eth_bad) to act like it has the MAC address you specified.

 

Save and Close

 

Reboot your Linux box

 

Do an ifconfig

 

And you should see that eth1 now has the MAC address you specified and has a public IP address.

At this point your server is configured as a working router/DNS/DHCP server. It should work OK in this setup for everything you need it to do.

The rules implemented thus far create a very simple (yet powerful) firewall that allows absolutely nothing in from the outside world unless it is part of an established connection. It also assumes the internal network is completely trusted and allows unfettered access to the server and outside world from the internal network. This is the default setting for pretty much every NAT device ever.

At this point you are effectively finished. You can just leave your server as a simple router with no other rules at this point. It is very secure and will work fine for most purposes. If, however, you want to run publicly accessible servers, then we need to add some additional rules.
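Before you trust the statement above, it is worth checking it mechanically rather than by eye. The following is an added example, not part of the how-to: a small script that reads iptables-save output and confirms the two properties the text relies on (INPUT and FORWARD default to DROP, and nothing arriving on eth_bad is accepted unless it is a reply to an established connection or a deliberate per-port exception). It assumes eth1 is eth_bad; the two sample rule sets it ships with are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the how-to: a check to run over "iptables-save"
# output on the router before the cable goes into eth_bad. It confirms what
# the text above relies on: INPUT and FORWARD default to DROP, and every ACCEPT
# rule that matches packets arriving on the WAN interface is limited either to
# ESTABLISHED,RELATED connections or to an explicit destination port (a
# deliberate exception such as port 22). Rules without an interface, like the
# optional ICMP rule, are left alone. eth1 = eth_bad is an assumption.

# audit_ruleset WAN_IFACE   (reads iptables-save text on stdin)
# Prints one FINDING line per problem; returns 1 if anything was found.
audit_ruleset() {
    wan="$1"
    rc=0
    table=""
    while IFS= read -r line; do
        case "$line" in
            \**)                            # "*filter", "*nat": table header
                table="${line#\*}" ;;
            :INPUT\ *|:FORWARD\ *)          # ":CHAIN POLICY [packets:bytes]"
                [ "$table" = filter ] || continue
                set -- $line
                chain="${1#:}"; policy="$2"
                if [ "$policy" != DROP ]; then
                    echo "FINDING: filter $chain policy is $policy, expected DROP"
                    rc=1
                fi ;;
            -A\ INPUT\ *|-A\ FORWARD\ *)    # a rule appended to INPUT or FORWARD
                [ "$table" = filter ] || continue
                case "$line" in
                    *"-i $wan "*"-j ACCEPT"*)
                        case "$line" in
                            *--state*|*--ctstate*|*--dport*) ;;   # conditional: fine
                            *) echo "FINDING: unconditional accept from $wan: $line"
                               rc=1 ;;
                        esac ;;
                esac ;;
        esac
    done
    return $rc
}

# Constructed sample of what iptables-save shows after the Webmin screens above
# (including a deliberate port 22 exception).
GOOD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT'

# Constructed sample of two mistakes: FORWARD left at ACCEPT, and the eth1
# INPUT rule created without selecting Established and Related.
BAD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth1 -j ACCEPT
COMMIT'

audit_good() { printf '%s\n' "$GOOD_RULES" | audit_ruleset eth1; }
audit_bad()  { printf '%s\n' "$BAD_RULES"  | audit_ruleset eth1; }

# On the router itself (as root):  iptables-save | audit_ruleset eth1
# Run directly, the constructed samples are checked instead:
audit_good && echo "good sample: no findings"
audit_bad || echo "bad sample: rejected, as expected"
```

On the router the real invocation is `iptables-save | audit_ruleset eth1` from a shell that has sourced the script. Run it once after Apply Configuration and again after the reboot that puts the rules in startup; the second run is the one that matters, because it is the rule set the box will be running when the ISP cable is finally plugged in.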

 

If the server you’re trying to get to is on this very same Linux box, then it’s just an INPUT rule in the filter. For example, if you want to be able to SSH (Putty) into this Linux box from the outside world, that is INPUT rule, or exception to the firewall. That wouldn’t involve PREROUTING or FORWARD at all.

 

Let’s setup a port 22 Firewall Exception so you can SSH in from the outside world.

 

 

 

 

Navigate back to the Linux Firewall module, make sure you’re in the FILTER screen, and make a new rule underneath INPUT

You should see something like this, make the following changes

And then click Create

These are the easiest exceptions to make, as you’re explicitly allowing information coming into eth_bad (eth1) to not be dropped by the firewall. That’s it for port 22; go ahead and make any more you might need. Don’t forget to make good use of the Clone Rule button inside each rule, it can make things much easier for you. Just clone it, change the port, and you’re done.

You should see something like this

Make any more that you need. For example, if you clicked on the port 22 exception, cloned it, and then changed the port to 10000, you would have a port 10000 exception for Webmin. Just keep cloning and changing the info until you have all that you need.

Then hit Apply Configuration

You should limit the number of direct INPUT rules you allow, as these open up ways into your router, whereas your router should be as invisible as possible. This is still secure; SSH (Putty) is pretty amazing stuff, and Webmin is https, just try to limit the number of holes you allow directly into the router like this.

 

A better way to get into your network and manage systems is to PortForward to another computer already inside your network, and execute commands from there.

For example, your Windows PC will accept Remote Desktop connections on port 3389.

So if you created a PortForwarding rule, the router can use the PREROUTING and FORWARD feature to redirect your connection to a computer inside your network, and once inside, you’re totally trusted by the Firewall, all without exposing the router itself.

Windows Remote Desktop also offers some high level encryption options; so far we haven’t made any Firewall exceptions that aren’t highly encrypted, and that’s a beautiful thing.

Chances are, you will have more than one computer inside your network that you want to access ports 3389 and 22 on. That’s not a problem, as you can forward an external port number to an internal one.

For example, we can make PREROUTING and FORWARD rules that say

Anything coming in on port 25505, PortForward that to computer 192.168.2.5:3389

Anything coming in on port 25506, PortForward that to computer 192.168.2.6:3389

Anything coming in on port 25507, PortForward that to computer 192.168.2.7:3389

Anything coming in on port 25522, PortForward that to computer 192.168.2.8:22

Specifying 25522 for that last one leaves port 22 available for the INPUT rule we made earlier

Anything coming in on port 22, allow directly into the router

This way you can have a bunch of computers using all the same ports internally, and just specify some meaningless high port at the end of the hostname or Public IP address. Then tell the router what computer that is really supposed to go to.

These require a little bit more work on your part, as you have to specify them in two parts of the Linux Firewall module. One as a PREROUTING rule, and one as a FORWARD rule. But once you have one set done, you can use that Clone rule feature to complete the rest.

 

Navigate back to the Linux Firewall Module and this time make sure you are in the Network Address Translation table

 

 

Make sure you are in the PREROUTING section, and Click on   Add Rule

You should see something like this, make the following changes

Then click on Create

You should see something like this

 

That’s one part of two. For the next part, navigate to the Packet Filtering table.

You should see something like this

Make sure you’re in the FORWARD section, and then click Add Rule

You should see something like this, make the following changes

Then click the Create button

You should be returned to the main Firewall screen, where you can hit   Apply Configuration

What you just did was allow a PortForward to happen from the outside world to a computer behind your firewall. And as long as you have encryption enabled in your remote desktop clients, you don’t have too much to worry about.

Now external remote desktop requests like the one in the screenshot will be forwarded to computer 192.168.2.5:3389 inside your network.

That first rule was kind of a lot of work to create. But now you can use the Clone rule button, inside of each rule, to quickly and easily make more PortForwards.

Just don’t forget to do it in both places when PortForwarding…

NAT \ PREROUTING

And

FILTER \ FORWARD

As you can see from all those static numbers you’re entering, it would be a good idea if the computers inside your network had static IP addresses or DHCP reservations.

Setting up a DHCP reservation is the best choice. Navigate back to the DHCP Server module, and we will set up a DHCP reservation for a computer inside the network.

Make sure you’re underneath the Hosts and Host Groups field, and click on   Add a new host

You should see something like this, make the following changes

* Hardware address would be the MAC address of the computer inside your network that you want to always have IP address 192.168.2.5

Click Save

You should see something like this

Hit Apply Changes

And restart the computer inside your network with that MAC address, and it will forever get the IP address of 192.168.2.5

Do this for any computer you have a firewall exception for.

 

That’s about it for the firewall exceptions and PortForwarding.

 

You shouldn’t have any problems with your Virtual Machines, as they run bridged off of eth_safe. But if you do, just add a couple of rules for your VM NICs, similar to what you did for lo and eth_safe

The VM NICs are usually called something like VMnet1 and VMnet8, and should be available from the same drop down menus as everything else you just did. But I haven’t had any issues so far in the bridged VM mode.

If you want to remotely access the VMware server from the outside world, you need to allow ports 8333 and 902.

If the VMware server and the router are the same computer, this is just a simple INPUT rule, similar to the one you made for port 22.

If the VMware server is on a different computer inside your LAN, and not on the router itself, you would need to set up four rules. Two PREROUTING rules (8333 and 902) and two FORWARD rules (8333 and 902)

As far as security goes, that’s a little more access than I want from the outside world. I don’t want just anybody to be able to get to my VMware server webpage, so if you’re going to do this, you should take advantage of the source address option.

 

 

 

Source address is supported in all of the firewall rules.

By limiting a source address, you make something available to the outside world, but only if you have the right “from” IP address.

See below: I am allowing connections on port 8333, but only if the computer I’m at has IP address 204.69.xxx.xxx

The only thing to be aware of is that it’s got to be your public address. If you’re at work or on another network, your local IP address is probably not your Public IP address.

For example, when I’m at work, my computer gets a 10.10.xxx.xxx IP address. But my Public IP address is 204.69.xxx.xxx

So in my Firewall exception I would use the public address. And then port 8333 is only accessible from my work network. Granted, it’s anybody at my workplace, as we all have the same public IP address, but you’ve still eliminated most of the possible connections from the rest of the world.

 

 

 

If you don’t know what your Public IP is, you can go to http://whatismyip.com/ and a webpage will pop up and tell you.

And as far as port 902, that’s for the VMware player. You should be doing most of your stuff through remote desktop, and not the VMware player. But sometimes you will need the player, so you will need port 902 open as well.

Earlier we made a port 22 exception as a PortForward from 25522. You probably won’t need to do too many of these, not for SSH (Putty) connections anyway.

You can, from within Putty, connect to as many other SSH computers as you like. Meaning if you SSH into your router, and you’re in a Putty window, you can simply type

ssh wood@192.168.2.5

Where wood is the username you want to use

And from within your current SSH connection to your router, it will connect you to computer 192.168.2.5 inside your private network, without a need to PortForward anything. And when you exit or logout of that session, you’re returned back to your SSH screen on your router. Pretty cool stuff.

 

 

You’re almost done with the router setup.

If you were using a DDNS update client on your old router to keep your hostname current, like this one from Linksys (see the screenshot), you’re going to have to install the Linux equivalent (ddclient) so that your hostname stays up to date

  

 

Launch a Putty session or navigate to the SSH2 module and

 

Type the following command

 

apt-get update

 

 

 

And then press the enter key on your keyboard

 

 

 

After that finishes

 

 

Type the following command

 

 

apt-get install ddclient

 

 

 

And then press the enter key on your keyboard

You should see something like this

Press the Enter key on your keyboard

 

 

You should see something like this, answer the on screen questions

 

 

 

 

You should see something like this, answer the on screen questions

 

*This is an example, enter your own information, and do not copy mine

Pay close attention to this next question

Make sure you enter eth_bad here, because you want it to update from your public IP interface, not your private interface.

 

So if you have been following this how-to word for word, you would enter eth1 in the box above.

 

 

Press the Enter key on your keyboard

 

 

 

You should then be returned to the command prompt

 

 

 

You can type exit and close Putty

 

You’re not done with ddclient yet; there are three more configs you have to do.

 

 

Using the File Manager module, edit the file

 

/etc/ddclient.conf

You should see something like this

 

Add the following two lines

 

daemon=300

 

ssl=yes

Click the Save and Close button

 

 

Using the File Manager module, edit the file

 

/etc/default/ddclient

 

 

 

Make sure run_ipup is set to false

Make sure run_daemon is set to true

Make sure daemon_interval is set to the same interval you set in /etc/ddclient.conf

 

Save and Close
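An added check (example code, not from the original how-to) that reads both ddclient files and reports when they disagree on the points just listed: the daemon interval, ssl=yes, run_ipup and run_daemon. The function names and the sample files it builds are this example's own; point it at /etc/ddclient.conf and /etc/default/ddclient to check the live box.

```shell
#!/bin/sh
# Added example (not part of the original how-to).
# Checks that the two ddclient files agree the way the how-to sets them up:
#   /etc/ddclient.conf      daemon=<seconds>  ssl=yes
#   /etc/default/ddclient   run_ipup=false  run_daemon=true  daemon_interval=<same seconds>
# Paths are arguments, so it can be pointed at copies; the demo below uses
# constructed sample files and never touches /etc.

# conf_value FILE KEY -> value of the last "KEY=value" line (quotes, comments, blanks stripped)
conf_value() {
    grep "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null | tail -n 1 \
        | sed 's/^[^=]*=//; s/#.*//; s/"//g; s/[[:space:]]//g'
}

# check_ddclient CONF DEFAULT -> 0 when consistent, 1 otherwise (problems on stdout)
check_ddclient() {
    conf=$1; dflt=$2; rc=0
    interval=$(conf_value "$conf" daemon)
    [ -n "$interval" ] || { echo "no daemon=<seconds> line in $conf"; rc=1; }
    [ "$(conf_value "$conf" ssl)" = yes ] \
        || { echo "ssl=yes missing in $conf: the DynDNS login would go out in the clear"; rc=1; }
    [ "$(conf_value "$dflt" run_ipup)" = false ] \
        || { echo "run_ipup must be false in $dflt"; rc=1; }
    [ "$(conf_value "$dflt" run_daemon)" = true ] \
        || { echo "run_daemon must be true in $dflt"; rc=1; }
    [ "$(conf_value "$dflt" daemon_interval)" = "$interval" ] \
        || { echo "daemon_interval in $dflt does not match daemon=$interval in $conf"; rc=1; }
    return $rc
}

# make_samples DIR -> writes a consistent pair (good.*) and a broken pair (bad.*), constructed
make_samples() {
    printf 'use=if, if=eth1\ndaemon=300\nssl=yes\n' > "$1/good.conf"
    printf 'run_ipup="false"\nrun_daemon="true"\ndaemon_interval="300"\n' > "$1/good.default"
    printf 'use=if, if=eth1\ndaemon=300\n' > "$1/bad.conf"          # ssl=yes forgotten
    printf 'run_ipup="true"\nrun_daemon="true"\ndaemon_interval="600"\n' > "$1/bad.default"
}

# Demo on the constructed files
tmp=$(mktemp -d)
make_samples "$tmp"
check_ddclient "$tmp/good.conf" "$tmp/good.default" && echo "good pair: consistent"
check_ddclient "$tmp/bad.conf"  "$tmp/bad.default"  || echo "bad pair: problems found (expected)"
rm -rf "$tmp"
```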

 

 

Restart your Linux box

 

Navigate to the Command Shell module, and execute the following command

 

/etc/init.d/ddclient status

As long as you see ddclient is running

 

you know it’s launching at startup and checking for changes.

 

Next execute the following command

 

/etc/init.d/ddclient restart

 

 

And as long as you don’t see any errors, you should be all set.

 

Don’t worry that it’s checking every 300 seconds; I know that sounds too aggressive, but it’s actually comparing your IP address to a local file, so you’re not beating up the DynDNS website like it sounds.

 

 

You’re also sending that username and password over SSL encryption, so you might even be better off than you were with your old router.

 

 

That’s about it for ddclient

 

 

Next we are going to setup a local DNS server.

 

This is not only a local DNS how-to, but it’s also a local DDNS how-to, meaning Dynamic DNS. It will not only control the naming on your local network, but will also allow your DHCP clients to build, update, and maintain the list of their own computer names \ DNS entries.

 

I wouldn’t recommend setting this up on a small network. It’s a pain in the butt the first time you do it, and it’s very picky if you start making changes. I’m not saying it isn’t stable, it’s rock-solid stable; I’m just saying it’s easy to break if you want to tweak it later on.

 

On small networks I find myself just referring to everything by their IP addresses, so make sure this is something you want to do before you continue.

 

OK, let’s get started

 

First stop the bind service. This service has to be stopped every time you want to make changes to it; it’s very picky like that.

 

You can either type

 

/etc/init.d/bind9 stop

 

Or you can navigate to the Bootup and Shutdown module, and stop it from there.

 

 

If you have given your router’s eth_safe (eth0) a static IP (which you already did if you have been following this how-to), we need to double-check that your computer name still matches the new static IP address in the following files

 

/etc/hosts

 

 

Where it says 127.0.0.1 add localhost.localdomain

 

Where it says 127.0.1.1, change it to your static IP address and your server’s hostname

 

 

 

Click Save and Close

  

 

Then edit file

 

/etc/hostname

 

and make sure your server’s hostname is in there

 

Click Save and Close

  

 

Then edit file

 

/etc/resolv.conf

Write down all the info inside that file, and then delete everything inside this file.

 

Don’t just #comment it out, actually highlight and delete the contents of the file. Just delete the contents, (all the words inside) don’t delete the actual file.

 

Although that info is important, we are going to use our DHCP settings to overwrite this file at startup, but they only append to the file and don’t always overwrite, so we have to make sure it’s empty first.

 

 

 

Click Save and Close

 

Then edit file

 

/etc/dhcp3/dhcpd.conf

 

Underneath DNS Update Styles

change it to ddns-update-style interim;

Remove the comment marker in front of the word authoritative

This will make your Linux box the authoritative DHCP server for this network.

 

And under the part that reads

 

subnet 192.168.2.0 netmask 255.255.255.0 {

 

Paste in the following

 

            ddns-domainname "diy.lan.";

            allow client-updates;

            option domain-name "diy.lan.";

            max-lease-time 999999;

            default-lease-time 888888;

            range 192.168.2.50 192.168.2.99;

            ddns-rev-domainname "2.168.192.in-addr.arpa.";

            option broadcast-address 192.168.2.255;

            option subnet-mask 255.255.255.0;

            option routers 192.168.2.1;

            ddns-updates on;

            option domain-name-servers 192.168.2.1;

                        }

             

 

You should have something like this

Some of that should look a little weird to you

 

Like this.      ddns-rev-domainname "2.168.192.in-addr.arpa.";

 

That’s for reverse DNS

 

 

You may have to tweak it to fit your needs.

 

 

If you were on a 10.10.50.xxx network, you would use

 

ddns-rev-domainname "50.10.10.in-addr.arpa.";

 

 

Or

If you were on a 192.168.0.xxx, you would use

 

 

ddns-rev-domainname "0.168.192.in-addr.arpa.";

 

 

Or

If you were on a 192.168.1.xxx, you would use

 

 

ddns-rev-domainname "1.168.192.in-addr.arpa.";

 

 

It’s just the first three octets written backwards, with the last octet dropped and in-addr.arpa. put in its place.
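The octet reversal the how-to walks through by hand, as an added shell helper (example code, not from the original how-to): rev_zone turns any /24 network into its reverse zone name, and ptr_record builds the matching PTR line for a host in that zone. Function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original how-to).
# Derive the reverse zone name for a /24 network and the PTR line for a host
# inside it, the way the how-to writes them by hand:
#   192.168.2.0/24  ->  2.168.192.in-addr.arpa.
#   192.168.2.5     ->  "5    PTR   sanx1.diy.lan."
# Only /24 networks are handled, which is all the how-to covers.

# rev_zone NETWORK[/24] -> reverse zone name (with trailing dot)
rev_zone() {
    net=${1%%/*}                         # drop an optional /24 suffix
    set -- $(printf '%s' "$net" | tr '.' ' ')
    if [ $# -ne 4 ]; then
        echo "rev_zone: expected a dotted quad, got '$net'" >&2
        return 1
    fi
    # First three octets, written backwards; the last octet is dropped.
    printf '%s.%s.%s.in-addr.arpa.\n' "$3" "$2" "$1"
}

# ptr_label IP ZONE -> the record's owner name inside ZONE (the last octet),
# after checking that IP really belongs to that reverse zone.
ptr_label() {
    ip=$1
    zone=$2
    want=$(rev_zone "$ip") || return 1
    if [ "$want" != "$zone" ]; then
        echo "ptr_label: $ip does not belong to $zone (it would be $want)" >&2
        return 1
    fi
    printf '%s\n' "${ip##*.}"
}

# ptr_record IP FQDN ZONE -> one zone-file line, e.g. "5    PTR   sanx1.diy.lan."
# FQDN must end with a dot, or BIND will append the zone origin to it.
ptr_record() {
    case $2 in
        *.) ;;
        *)  echo "ptr_record: '$2' must be fully qualified (end with a dot)" >&2; return 1 ;;
    esac
    label=$(ptr_label "$1" "$3") || return 1
    printf '%-4s PTR   %s\n' "$label" "$2"
}

# Demo with the how-to's own addresses
rev_zone 192.168.2.0/24
ptr_record 192.168.2.5  sanx1.diy.lan.    2.168.192.in-addr.arpa.
ptr_record 192.168.2.74 printer1.diy.lan. 2.168.192.in-addr.arpa.
```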

 

 

Also make sure you adjust these to fit your scheme

 

option domain-name-servers 192.168.2.1;

ddns-domainname "diy.lan.";

 

 

That would be the IP address of eth_safe (eth0) on your router

 

And then the local domain name that you selected on page 9

 

 

Once you have all that entered correctly, press Save and Close

 

 

You’re not done with that file yet, because we have to make a secret key for DNS and DHCP to share with each other, so that only your DHCP clients are able to update the server.

 

To do this, open up a Putty window or SSH2 module, and run the following commands

 

cd /options

 

 

 

Then press the enter key on your keyboard

 

Then run the following command

  

 

dnssec-keygen -a hmac-md5 -b 128 -n USER dhcpupdate

 

 

 

This will create a 128-bit HMAC-MD5 key file called KdhcpupdateXXXX.key in the /options folder

  

 

Open the File Manager module, and navigate to the /options folder

 

Edit the Kdhcpupdate file that ends with .key

 

 

You should see something like this

That last long string of characters is your key

 

Do not share this key with anyone, consider this very confidential

 

 

 

Highlight the key, and copy it

 

 

Then navigate back to editing the file

 

/etc/dhcp3/dhcpd.conf

 

 

And under the part that says

 

# Use this to send dhcp log messages to a different log file (you also

# have to hack syslog.conf to complete the redirection).

log-facility local7;

Paste in the following

 

 

 

key dhcpupdate {

  algorithm hmac-md5;

  secret Oh+VKKP7uemLxrWg9lwwwQ==;

}

 

zone diy.lan. {

            primary 127.0.0.1;

            key dhcpupdate;

            }

 

zone 2.168.192.in-addr.arpa. {

            primary 127.0.0.1;

            key dhcpupdate;

            }

  

 

You should see something like this

 

 

 

Of course you need to use your own key here, not the example key above

Again keep that key confidential

 

 

Leave the IP addresses alone, they should be 127.0.0.1

 

But tweak the zone name to be the same as the domain name you picked

 

And tweak the reverse DNS address to fit your scheme

 

 

Then click Save and Close

 

Next edit the file

 

/etc/dhcp3/dhclient.conf

 

 

And add the following two lines

 

 

supersede domain-name "diy.lan";

 

supersede domain-name-servers 127.0.0.1;

  

 

You should see something like this

 

 

Then click Save and Close

 

This is the file that is going to append to /etc/resolv.conf at startup, so you’re all set for both of these files now.

 

Next navigate to the /var/lib/ folder

And use the File Manager module to create a new folder called   bind

 

  

 

with 0775 permissions, and both owner and group as bind

 

 

 

 

If the directory is already there, that’s cool too. Just change the permissions, groups, and owners to match

 

 

 

  

 

Now go inside that directory and create the following two files

 

 

 

diy.lan.db

 

2.168.192.in-addr.arpa        

 

   

 

 

You should see something like this

And something like this

Save both

 

 

Set both of the files to the following permissions, and bind as both the user and group

These are some seriously wack file permissions, but bind gets a little crazy sometimes, and I find it works best this way

 

 

 

Next, use the File Manager module to edit the file

 

 

/var/lib/bind/diy.lan.db

 

 

 

And paste in the following

 

 

 

 

$ORIGIN .

$TTL 86400    ; 1 day

diy.lan                          IN SOA           deb32server1.diy.lan. admin.diy.lan. (

                                                2009122871 ; serial

                                                28800      ; refresh (8 hours)

                                                7200       ; retry (2 hours)

                                                604800     ; expire (1 week)

                                                86400      ; minimum (1 day)

                                                )

                                    NS       deb32server1.diy.lan.

                                    MX      10 deb32server1.diy.lan.

$ORIGIN diy.lan.

deb32server1               A         192.168.2.1

printer1                        A         192.168.2.74

sanx1                          A         192.168.2.5

; is bind stopped

; did you update the serial number

; sometimes root should be the owner and bind should be the group

; hit enter here, must have one blank line, and only one

You should see something like this

It still wants you to have that     MX 10 YourHostname.diy.lan     entry even if it’s not really a mail server.

 

Add all computers here that have a static IP address, the rest will populate themselves when they get a DHCP lease.

 

This program is so very picky about the following

 

Spacing, the file must end with one blank line, just one

Don’t have bind running when you’re editing these files

And change the serial number, +1 every time you make a change (it’s the date)

Sometimes it wants root to be the file or folder owner, and bind to be the group.

 

 

Next, use the File Manager module to edit the file

 

 

 

/var/lib/bind/2.168.192.in-addr.arpa     

 

 

 

And paste in the following

 

 

 

$ORIGIN .

$TTL 86400    ; 1 day

2.168.192.in-addr.arpa            IN SOA           deb32server1.diy.lan. admin.diy.lan. (

                                                2009122871 ; serial

                                                28800      ; refresh (8 hours)

                                                7200       ; retry (2 hours)

                                                604800     ; expire (1 week)

                                                86400      ; minimum (1 day)

                                                )

                                    NS       deb32server1.diy.lan.

$ORIGIN 2.168.192.in-addr.arpa.

1                                  PTR     deb32server1.diy.lan.

5                                  PTR     sanx1.diy.lan.

74                                PTR     printer1.diy.lan.

; is bind stopped

; did you update the serial number

; sometimes root should be the owner and bind should be the group

; hit enter here, must have one blank line, and only one

You should see something like this

 

 

 

This program is so very picky about the following

 

 

Spacing, the file must end with one blank line, just one

Don’t have bind running when you’re editing these files

And change the serial number, +1 every time you make a change (it’s the date)

Sometimes it wants root to be the file or folder owner, and bind to be the group.
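The pickiness list, for both this reverse zone file and the forward diy.lan.db above, turned into a check script (an added example, not part of the original how-to). It reads "one blank line, just one" as "ends with a newline and has at most one blank line after the last record", which is this example's own assumption; the function names and the shortened sample zone are its own too.

```shell
#!/bin/sh
# Added example, not from the original how-to. Checks what the how-to says BIND
# is picky about in /var/lib/bind/diy.lan.db and 2.168.192.in-addr.arpa:
# the file ends with a newline and at most one trailing blank line (this
# example's reading of "one blank line, just one"), the SOA has a "; serial"
# line, and bump_serial raises it by one. Stopping bind and the root:bind
# ownership are left to the how-to's own steps.

# zone_serial FILE -> current serial, taken from the first "; serial" line
zone_serial() {
    awk '/;[[:space:]]*serial/ { print $1; exit }' "$1"
}

# check_zone_file FILE -> 0 if it passes, 1 with the reason on stderr
check_zone_file() {
    f=$1
    [ -s "$f" ] || { echo "$f: missing or empty" >&2; return 1; }
    # $(tail -c 1) is empty only when the last byte is a newline
    [ -z "$(tail -c 1 "$f")" ] || { echo "$f: last line lacks a newline" >&2; return 1; }
    blanks=$(awk 'NF { n = 0; next } { n++ } END { print n }' "$f")   # blank lines after last record
    [ "$blanks" -le 1 ] || { echo "$f: $blanks trailing blank lines, want at most one" >&2; return 1; }
    [ -n "$(zone_serial "$f")" ] || { echo "$f: no '; serial' line in the SOA" >&2; return 1; }
}

# bump_serial FILE -> rewrites the serial as old+1 and prints the new value
bump_serial() {
    f=$1
    old=$(zone_serial "$f")
    [ -n "$old" ] || { echo "$f: no '; serial' line to bump" >&2; return 1; }
    new=$((old + 1))
    awk -v o="$old" -v n="$new" \
        '/;[[:space:]]*serial/ && !done { sub(o, n); done = 1 } { print }' "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f" && printf '%s\n' "$new"
}

# write_sample_zone FILE -> constructed, shortened copy of the how-to's diy.lan.db
write_sample_zone() {
    cat > "$1" <<'EOF'
$ORIGIN .
$TTL 86400    ; 1 day
diy.lan    IN SOA    deb32server1.diy.lan. admin.diy.lan. (
                     2009122871 ; serial
                     28800      ; refresh (8 hours)
                     7200       ; retry (2 hours)
                     604800     ; expire (1 week)
                     86400      ; minimum (1 day)
                     )
           NS        deb32server1.diy.lan.
$ORIGIN diy.lan.
deb32server1    A    192.168.2.1

EOF
}

# Demo on the constructed file
tmp=$(mktemp -d)
write_sample_zone "$tmp/diy.lan.db"
check_zone_file "$tmp/diy.lan.db" && echo "serial $(zone_serial "$tmp/diy.lan.db") is clean"
echo "bumped to $(bump_serial "$tmp/diy.lan.db")"
rm -rf "$tmp"
```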

 

 

 

Next, using the File Manager module edit the file

 

 

/etc/bind/named.conf.local

 

 

Paste in the following info

 

 

 

key dhcpupdate {

  algorithm hmac-md5;

  secret Oh+VKKP7uemLxrWg9lwwwQ==;

};

 

 

zone "diy.lan" IN {

    type master;

    file "/var/lib/bind/diy.lan.db";

    allow-update { key dhcpupdate; };

 

};

 

zone "2.168.192.in-addr.arpa" {

    type master;

    file "/var/lib/bind/2.168.192.in-addr.arpa";

    allow-update { key dhcpupdate; };

 

};

Of course you need to put your own key in there, and tweak the IP scheme if different
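An added example (not the how-to's or ISC's code) that generates the shared secret and prints both key stanzas, the dhcpd.conf one from the DHCP section and the named.conf.local one above, from a single value so the two sides cannot drift apart. The how-to's hmac-md5 is passed in as a parameter; newer BIND releases ship tsig-keygen, whose default is hmac-sha256, so the same function serves either. Function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original how-to).
# Generates the shared TSIG secret and prints the two "key" stanzas the how-to
# has you paste by hand: one for /etc/dhcp3/dhcpd.conf and one for
# /etc/bind/named.conf.local. Both must carry the identical secret, or BIND
# will refuse DHCP's dynamic updates.
# The how-to uses hmac-md5 via dnssec-keygen; newer BIND releases ship
# tsig-keygen, which defaults to hmac-sha256. The algorithm is a parameter here.

# new_tsig_secret -> 16 random bytes (128 bits, as in the how-to), base64-encoded
new_tsig_secret() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 16
    else
        head -c 16 /dev/urandom | base64
    fi
}

# valid_tsig_secret SECRET -> 0 if it is the base64 of 16 bytes (22 chars plus "==")
valid_tsig_secret() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{22}==$'
}

# tsig_key_stanzas NAME ALGORITHM SECRET -> both config fragments on stdout
tsig_key_stanzas() {
    name=$1; algo=$2; secret=$3
    valid_tsig_secret "$secret" \
        || { echo "tsig_key_stanzas: '$secret' is not a 128-bit base64 secret" >&2; return 1; }
    # dhcpd.conf form, as the how-to writes it (closing brace, no semicolon)
    printf '# --- paste into /etc/dhcp3/dhcpd.conf ---\n'
    printf 'key %s {\n  algorithm %s;\n  secret %s;\n}\n\n' "$name" "$algo" "$secret"
    # named.conf.local form: same block, but named wants the trailing semicolon
    printf '# --- paste into /etc/bind/named.conf.local ---\n'
    printf 'key %s {\n  algorithm %s;\n  secret %s;\n};\n' "$name" "$algo" "$secret"
}

# Demo: one fresh secret, used for both sides. Keep the output confidential;
# anyone holding the secret can rewrite records in the zones it may update.
secret=$(new_tsig_secret)
tsig_key_stanzas dhcpupdate hmac-md5 "$secret"
```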

 

Click  Save and Close

 

Next, using the File Manager module edit the file

 

 

/etc/bind/named.conf.options

 

 

Paste in the following info

*But don’t use the same DNS servers or “forwarders” as I did; make sure you obtain that info from your ISP.

 

 

 

 

forwarders {
        216.146.35.35;
        216.146.36.36;
        71.9.127.107;
};

auth-nxdomain no;    # conform to RFC1035

listen-on {
        192.168.2.1; # listen on local interface only
        127.0.0.1;   # Make sure machine can get to itself
};

listen-on-v6 { none; };
};

 

  

 

You should see something like this

 

 

 

Do not use the same forwarders I did; make sure you obtain that info from your ISP.

 

Those are your Public DNS servers

 

In the above example, I’m using two DNS servers from dyndns.org (safe surfer) and then one from my ISP

 

Click  Save and Close

 

That’s about it for dynamically updating local DNS

You should be able to reboot your Linux box, and then reboot your Windows PC, and the process should be underway.

 

There are several ways to test to make sure it’s working

 

You can try pinging computers by their name, and they should reply.

 

You should notice that your ping results automatically append the domain name for you. Meaning if you ping the computer name Sanx1, you should see it’s actually pinging the entire name Sanx1.diy.lan. without you typing all of that.

 

 

This is of course assuming your PC is set to DHCP and not Static.

  

 

You should also be able to run the following command from your Linux box

And see all kinds of good info

 

host -l diy.lan

And the reverse, on your Windows PC’s, you should be able to do

ping -a IPaddress

 

 

And the ping should return back with the computer name

 

 

 

If you were following the how-to very closely, you were probably expecting that name to come back as BlueDell. You’re right, I’m just on a different network today.

 

 

Another cool feature is you can edit the files

 

/var/lib/bind/diy.lan.db

 

/var/lib/bind/2.168.192.in-addr.arpa

 

 

And add multiple names for the same computer. You could have computer 192.168.2.5 respond to as many different names as you want. You could trick your roommates into thinking they each had their own personal server, by giving the same server multiple names like

 

 

Server4room1

Server4room2

Server4room3

 

Even though they are actually all the same computer.

 

There are more practical uses for that feature, but you can certainly have fun with it too.

 

Well that’s about it for DNS

 

Just remember when editing those DNS files, stop the bind service first. And always up the serial number plus one when editing, and always end the file with a blank line.

 

There is always awesome trouble-shooting info in syslog, for whatever problem you might be having. If you are seeing permission denied errors, it probably wants root to be the owner of the file, and bind to be the group. (file permissions)

 

A pretty common problem is that the journals get out of sync. All you have to do is delete them and reboot. They are in the /var/lib/bind/ folder (.jnl) and are created by the bind service.

 

  

Syslog is your friend

And check your local email for notices of problems and statuses

Since we added another network card, we need to make sure Samba is listening only on your private network card.

 

We have done a lot of steps already to prevent this, but you can’t be too careful here.

 

Navigate back to the Samba Windows File Sharing module

Click on Edit Config File       

 

 

You should see something like this

 

Make sure both of those two lines are uncommented (meaning remove the leading # or ;)

 

And change the lines to this

 

interfaces = 127.0.0/8 eth0

 

bind interfaces only = yes

 

 

 

 

where eth0 is eth_safe. Save the changes

 

 

And restart the Samba service

 

 

Here is how you can check to make sure it’s working the way it is supposed to.

 

 

Navigate to the Command Shell module and execute the following command

 

netstat -tapn | grep smbd

Your concern is with the numbers on the left

 

Those represent the interfaces Samba is listening on

If you see anything other than

 

192.168.2.xxx

 

And

 

127.0.0.1

 

 

on the left, then there is something wrong: disconnect your internet cable and figure it out.
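The netstat check above as detection logic over sample output (an added example, not from the original how-to): audit_smbd_listeners reads netstat -tapn output and flags any address smbd is listening on that is outside loopback and the private prefix you pass in. The sample lines and PIDs are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original how-to).
# Reads "netstat -tapn" output and prints every address smbd is listening on
# that is neither 127.0.0.1 nor inside the private prefix you pass in.
# Exit status 1 means Samba is reachable on something other than eth_safe.
# (netstat comes from net-tools; "ss -tlnp" on newer boxes has different columns.)

# audit_smbd_listeners PREFIX  < netstat-output
#   PREFIX is the private network written as a dotted prefix, e.g. "192.168.2."
audit_smbd_listeners() {
    awk -v p="$1" '
        # netstat -tapn columns: proto recv-q send-q local foreign state pid/program
        $1 ~ /^tcp/ && $6 == "LISTEN" && $7 ~ /\/smbd$/ {
            addr = $4
            sub(/:[0-9]+$/, "", addr)            # strip the port
            if (addr != "127.0.0.1" && index(addr, p) != 1) {
                print addr                       # 0.0.0.0, :: or a public IP means trouble
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# check_live_smbd PREFIX -> the same audit against the running system
check_live_smbd() {
    netstat -tapn 2>/dev/null | audit_smbd_listeners "$1"
}

# Constructed sample output, in the shape netstat -tapn prints it (PIDs made up).
# The first two lines are what the how-to expects to see; the last two are what
# it warns about: smbd bound to every interface, and to the tcp6 wildcard.
SAMPLE_GOOD='tcp        0      0 192.168.2.1:445         0.0.0.0:*               LISTEN      1234/smbd
tcp        0      0 127.0.0.1:139           0.0.0.0:*               LISTEN      1234/smbd'
SAMPLE_BAD='tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      1234/smbd
tcp6       0      0 :::139                  :::*                    LISTEN      1234/smbd'

# Demo on the constructed lines
printf '%s\n' "$SAMPLE_GOOD" | audit_smbd_listeners 192.168.2. && echo "good sample: only private/loopback"
printf '%s\n' "$SAMPLE_BAD"  | audit_smbd_listeners 192.168.2. || echo "bad sample: listening on the above (expected)"
```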

 

If you have been following this how-to closely, you probably expected that print screen above to show IP 192.168.2.1. You’re right, I’m just on a different computer today.

 

 

This command would make a good Custom Command button too, as it’s hard to remember

 

netstat -tapn | grep smbd

 

 

 

That brings us to the end of the how-to, I hope you enjoyed it. Don’t forget to visit my Website, http://woodel.com  and click on the blog link(s)

 

 

 

Now you can stop logging in as username root, and start using username wood.

Or whatever name you picked on page 1.

 

 

You can run an apt-get update and finally an apt-get upgrade

 

That will ensure you have the latest patches and upgrades for the Debian OS.

 

 

 

Thanks ! Enjoy !!

 

 

-Kevin Elwood          \            KevinTheComputerGuy

 

  

You can find my email address, more how-to’s, and blog link(s) on my homepage    http://woodel.com

 

If you would like to do even more with your server, you can find additional info here  http://woodel.com/domore

 

 

 



* This how-to is try at your own risk, with absolutely no warranty, no promises, and no guarantees. I cannot be held accountable for claims, statements, or damages of any kind. This how-to is for personal use only, and I reserve all rights.