Evening all,
I've decided to relearn some of the Linux fundamentals and also hopefully acquire some new knowledge along the way.
The plan is to completely redo my home network and incorporate a host of new services. As such I hope to make this thread a bit of a project log, that will hopefully spur me to keep going and maybe inspire some others (ego++)...
I'll post links to whatever articles/posts/sites I've used, and give information where I've had to deviate from the info given within.
To start:
Proposed Network Layout
(changed from topology to layout so as not to seem like a ******)
And here's a brief description of what each machine is doing:
[1] Maya
OpenWRT installed on a Netgear DG834G. I've got OpenWRT successfully onto the box, but it's losing its settings upon a reboot. Furthermore, doing a df shows every partition is full, which suggests something is wrong with where/how it's installed/flashed. Has anybody on here modded the DG834G before?
Once I can get OpenWRT to keep its settings, this box is going to be a preliminary firewall (with the O2 router/modem just acting in bridge mode (presuming it can do that!)). Its main purpose is to segment the network with its support for VLANs.
If you look at the diagram, Remus is my work PC, and it's in the office along with the existing router. There is then a Cat5 cable that trails half way around the house to the computer room which houses all the rest of the equipment.
The idea is to have Maya keep all internet traffic on VLAN1, and pass it via Port 2 to Zanex in the other room. Zanex will then act as a firewall for any external traffic, and pass VLAN2 onto my computer room network, or back along the same cable to Remus in the office. Remus will be on an untagged port, so will be oblivious to the fact that it's on a VLAN. The only tagged ports will be the two that connect Zanex and Maya.
[2] Zanex
Router, firewall, DNS and DHCP.
DNS
Started on DNS yesterday (albeit a dry run on Zeno) with help from this guide, and it all seems to work fine, as can be seen using dig on zanex:
Code:
root@zanex:/home/lm# dig xenon.lmorgan69a.doesntexist.org
; <<>> DiG 9.5.1-P2 <<>> xenon.lmorgan69a.doesntexist.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8731
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;xenon.lmorgan69a.doesntexist.org. IN A
;; ANSWER SECTION:
xenon.lmorgan69a.doesntexist.org. 38400 IN A 192.168.1.20
;; AUTHORITY SECTION:
lmorgan69a.doesntexist.org. 38400 IN NS zeno.lmorgan69a.doesntexist.org.
;; ADDITIONAL SECTION:
zeno.lmorgan69a.doesntexist.org. 38400 IN A 192.168.1.10
;; Query time: 0 msec
;; SERVER: 192.168.1.10#53(192.168.1.10)
;; WHEN: Sun Jul 5 20:42:33 2009
;; MSG SIZE rcvd: 101
root@zanex:/home/lm#
However, I am having a strange problem - when doing an nslookup or a ping, the reverse DNS string is being appended to the name - a la:
Windows (Xenon)
Code:
C:\Users\Luke>nslookup google.com
Server: lmorgan69a.doesntexist.org.1.168.192.in-addr.arpa
Address: 192.168.1.10
Non-authoritative answer:
Name: google.com
Addresses: 74.125.127.100
74.125.45.100
74.125.67.100
Linux (Zanex)
Code:
root@zanex:/home/lm# ping zeno
PING zeno.lmorgan69a.doesntexist.org (192.168.1.10) 56(84) bytes of data.
64 bytes from lmorgan69a.doesntexist.org.1.168.192.in-addr.arpa (192.168.1.10): icmp_seq=1 ttl=64 time=0.161 ms
64 bytes from lmorgan69a.doesntexist.org.1.168.192.in-addr.arpa (192.168.1.10): icmp_seq=2 ttl=64 time=0.209 ms
^C
--- zeno.lmorgan69a.doesntexist.org ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.161/0.185/0.209/0.024 ms
root@zanex:/home/lm#
Anybody any idea why it's doing that? I know it'll be something stupid, but gave up looking at 4AM last night
Update:
Figured the above out, or rather a colleague did - I'd forgotten the . on the end of the reverse DNS string
DNS is working now; just doing some more testing.
Firewall
Think I'm going to just stick with iptables, as it's the firewall I know most about, or rather have the most experience with. Though just for argument's sake - is there anything else I should be looking at?
It would be nice to have a web interface for iptables, as I don't always want to shell into a box and debug tables for a simple problem. The initial configuration will be done via the command line though, merely as a test to prove I can actually do it.
Just thinking about it... is this a stupid place to have a firewall? Should I just be using iptables on Maya? Furthermore... should Maya look after all the essentials (DHCP/DNS/Firewall/Routing)?
I suppose that could make more sense in hindsight. However, Zanex will still have to act as a gateway/firewall in order for the VLANs to work...
Hmm, confused myself now.
Routing
I've used OSPF on Cisco routers in the past, and as such I've come to like dynamic routing protocols for their ease of use and redundancy. I realise in a small network such as mine the needs are small, and it could all be done statically.
However, this is as much about taking on new skills as being practical. As such, I've been doing some research into Quagga - has anybody used it before? And if so, any good links to how-to's or docs?
Zanex is also going to be my OpenVPN gateway for work, and also an OpenVPN server for my own network. The purpose being that I can access my (remote) work network from anywhere on the internal network - and also, if I'm working remotely from anywhere, I connect via OpenVPN to my server at home, and can then route through to my work network via the VPN. Just to clarify before I go any further with this, does anyone know if it's even possible to have a single box acting as both a server and a client?
DHCP
DHCP Setup is going to be pretty simple. I'm going to do DNS mapping, so the entries are going to look like:
Code:
host xenon {
    hardware ethernet 00:1d:09:35:dd:2d;
    fixed-address xenon;
}
I'll then have a pool of five for random clients to connect, however I want to be warned, by e-mail or indeed text if possible, when an unknown MAC address connects. My first thought would be to use logwatch and filter using a regexp or similar for the suspicious DHCP requests - does anyone know of a better way to do this?
It would also be awesome if unknown clients are only allowed out to the internet, and not allowed to reach anywhere in the internal network. What would be the way to do this? Plug another network card into zanex and hook up WAP1 directly, and then do firewalling on there?
[3] Zeno
Zeno is to act as:
- Web Server (Apache2)
- GlassFish Java WebApp server
- TFTP/PXEboot Server
- SVN Repo
- Mail Server
- SSH Server
- Kerberos PDC
- OpenSSL Certificate Authority
- Usenet grabber (SABnzbd)
- Transmission client
- iSCSI client
- Asterisk Server
Web Server (Apache 2)
Going to host a basic, publicly accessible WordPress install, already hacked together a WordPress theme here. It isn't going to be a blog as such, just giving links etc to things I've found useful.
In addition to that it'll host a web interface for the underlying mail server, haven't quite decided on what interface to use. I really like @Mail's interface, but the fact that it costs a couple of billion quid to buy a license, I may avoid using it. What's currently 'the best' in the webmail stakes? The only one I have any experience with is squirrelmail, and that had a pretty awful GUI when I used it last (albeit a few years ago now..).
GlassFish Server
For use with NetBeans; have yet to set it up in Linux/manually, but I imagine a simple apt-get will get it halfway there.
Just had a quick look in apt-cache, apt-get install glassfishv2 looks like it'll do it. Will have a play with that tomorrow.
TFTP/PXEboot Server
The idea behind this is to have imaging across the network, to an iSCSI target on Archos. To backup an entire workstation/laptop, all I want to do is reboot, select network boot, and then have pxeboot load a Linux rescue CD, which in turn auto-diskdumps any partitions.
This could potentially be a lot of work, and at the moment is low priority.
Subversion Server
Got this all working today, and imported all my existing Java projects via Netbeans on Xenon. Install was pretty painless, used this guide whenever I got lost/stuck.
However, it's only working over HTTP at the moment, and so passwords are sent in clear text. Once I've got my OpenSSL CA set up I'll move it over to SSL using the rest of the guide mentioned above.
Mail Server
Now this is one thing I have little experience of: setting up a mailserver. We use exim in work - should I stick with that? Any advice on this subject would be gratefully received.
Update (08/07/09):
Decided to go with exim and cyrus, using the guides here and here. Tis a work in progress, just going to take another look at it in a minute. I mistakenly installed both services on zanex instead of zeno.
Teach me for working so late.
I'm also looking at web based front ends for my mail server. Squirrel Mail is looking really dated, are there any others I should take a look at? Shame @mail isn't free, it's excellent in GUI terms.
SSH Server
Pretty much bog standard. However, I want external access to only be allowed if a certificate is provided as well as the usual credentials. The thing is that I use Windows on my laptop, and so I'd need to pass the cert via Putty. Does anybody do a similar thing at the moment?
Kerberos
Ideally I'd like Kerberos authentication on all of the Linux machines, so after a kinit lm/admin I can then shell to any other box and authenticate using my Kerberos ticket from there on in...
This isn't something I've looked at in great depth and so I'll have a lot of reading ahead of me I'm sure. With that said, reading this article/post it may be easier than I'm led to believe...
OpenSSL CA
I'm currently porting over the OpenSSL config from an old VM, though I'll probably recreate the whole thing from scratch anyway as it's a bit of a mess as it stands. I'd like to have the CA publicly accessible so the CRL can be accessed via the cert's inbuilt URI. The CA will also be responsible for key and cert generation for OpenVPN.
Usenet/Transmission/iSCSI client
I'm going to run the clients on Zeno, and have them save via iSCSI to Archos... simple as that really, though I doubt in practice it will be that easy.
Asterisk Server
I've set up a working Asterisk server in the past using AsteriskNOW in a VM (purely as a SIP gateway), and after a brief learning curve (namely learning the asterisk conf file) everything worked smoothly. However, that was cheating - I want to now set it up from scratch (from binary, not source) to really get to grips with it. I'm also planning on buying a cheap Cisco IP phone off eBay considering they're now around £40. Yes, I'm only buying it for the ringtone - "du-du-duu-dooo"
[4] Archos
A relatively low powered machine with a shed load of storage. Currently have one 250GB SATA drive, and 1 x 250GB, 1x 500GB, 1x 300GB external drives to donate to it.
However, considering everything minus the 250GB SATA drive is already full, I'm going to order two 1Tb drives on Wednesday, and two further 1Tb drives a month later (no guesses for why)...
I'll then decide what RAID configuration to have them in. The idea will be to have the 4 1Tb drives in RAID (either two arrays in RAID1 or RAID10), and have the external drives as expendable dumps (for downloads and backups etc).
However, without splurging on a hardware RAID card, I don't know if I'll be asking too much of an old P4 system to do two software RAID arrays. Even if it does run and work fine, will it be dog slow?
There is also the great debate of what to run on it, FreeNAS or OpenFiler... currently I'm siding with OpenFiler, as it's a generally more polished product and the word on the 'street' is that development has slowed on FreeNAS. And whilst FreeNAS has a wider support for protocols etc, I just want this as a dedicated storage box, with apps like transmission running on Zeno. Also, it's built around FreeBSD, and I've had issues with hardware in the past...
----------------------------------------------------------------------------
Things that I wish I'd known when I'd started
This segment is for the stupid little things that would have saved me an awful lot of time wasted had I known them when I first started playing with Linux...
Bash
bash#> CTRL-R - search through your bash history
bash#> sudo !! - repeat the last typed command as root
bash#> !55 - repeat the 55th typed command from your bash history (view your history by using the history command)
bash#> Alt-. - Add the argument to your previous command to the terminal (keep pressing it to cycle). (Submitted by vidda)
$ while [ 1 ] ; do command1 ; done - run `command1` on a loop.
$ while [ 1 ] ; do command1 ; command2 ; sleep 10 ; done - run `command1` then `command2` on a loop every 10 seconds.
$ mount | awk '{print $2}' - print column 2 of a tabulated output (replace mount with the command that produces the output)(this is called using a hammer to crack a nut, as awk is a whole other programming language), you can also set the delimiter by hand.
$ grep -i terms /file/to/search - case insensitive grepping.
$ grep -v terms /file/to/search - inverse grepping.
$ command | grep terms - grepping the output of a command.
$ command | wc -l - count the lines of the command output.
$ echo $(($NUM+9)) - do maths between $(( and )), in this case adding 9 to the variable "NUM".
$ ./configure && make && sudo make install - && does the latter command only if the prior command returned status 0 (ie. it worked).
$ echo $? - show the status code of the last command to run (remember echo is a command).
(Submitted by BigglesPiP)
-------------------------------------------------------------------------
Well, that's it for now. I'd welcome feedback/advice/criticism on any aspect of the above.
I'll try and keep the thread updated as often as possible.
EDIT: Damn. Huge post is huge.

Last edited:
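Added example for the reverse-DNS problem in the post above (the "lmorgan69a.doesntexist.org.1.168.192.in-addr.arpa" name that ping and nslookup showed). This is editor-written code, not the author's zone file or anything from BIND: it reproduces the zone-file rule that any name without a trailing dot is relative to the current $ORIGIN, applies it to two constructed PTR records (the zone, TTL and host names are assumed from the dig output; the exact record the author mistyped is not on the page), and includes a small lint that flags PTR targets missing the dot.

```python
"""Why a missing trailing dot in a reverse zone mangles PTR answers.

BIND (and every other zone-file parser) treats a name that does not end in
'.' as relative to the current $ORIGIN. In a reverse zone that origin is
something like 1.168.192.in-addr.arpa., so a PTR target written as
'zeno.lmorgan69a.doesntexist.org' (no dot) becomes
'zeno.lmorgan69a.doesntexist.org.1.168.192.in-addr.arpa.'.
"""


def qualify(name: str, origin: str) -> str:
    """Fully qualify `name` under `origin` using the zone-file rule:
    trailing dot = absolute, '@' = the origin, anything else gets the
    origin appended."""
    origin = origin if origin.endswith(".") else origin + "."
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_ptr_records(zone_text: str) -> dict:
    """Parse $ORIGIN/$TTL/PTR/NS lines (enough for a reverse zone) and
    return {owner_fqdn: target_fqdn} for the PTR records, both sides
    qualified exactly as a name server would store them. Every record
    line is expected to carry an explicit owner name."""
    origin = "."
    ptrs = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0] == "$TTL":
            continue
        if "PTR" in fields:
            target = fields[fields.index("PTR") + 1]
            ptrs[qualify(fields[0], origin)] = qualify(target, origin)
    return ptrs


def reverse_name(ip: str) -> str:
    """192.168.1.10 -> 10.1.168.192.in-addr.arpa. (what a resolver asks for)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def ptr_lookup(ptrs: dict, ip: str):
    """The answer ping/nslookup would print for `ip` given the parsed zone."""
    return ptrs.get(reverse_name(ip))


def relative_targets(zone_text: str) -> list:
    """Lint: return (owner, target) for every PTR whose target lacks a
    trailing dot. In a reverse zone each of these is almost certainly the
    bug the post ran into."""
    hits = []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if "PTR" in fields:
            target = fields[fields.index("PTR") + 1]
            if not target.endswith("."):
                hits.append((fields[0], target))
    return hits


# Constructed reverse zone (not the author's): record 10 has the bug,
# record 20 is written correctly.
BROKEN_ZONE = """
$ORIGIN 1.168.192.in-addr.arpa.
$TTL 38400
@    IN  NS   zeno.lmorgan69a.doesntexist.org.
10   IN  PTR  zeno.lmorgan69a.doesntexist.org     ; no trailing dot -> relative
20   IN  PTR  xenon.lmorgan69a.doesntexist.org.   ; trailing dot -> absolute
"""

if __name__ == "__main__":
    zone = parse_ptr_records(BROKEN_ZONE)
    for ip in ("192.168.1.10", "192.168.1.20"):
        print(ip, "->", ptr_lookup(zone, ip))
    print("relative PTR targets:", relative_targets(BROKEN_ZONE))
```

`named-checkzone` will load the broken record without complaint because it is syntactically valid, which is why the mistake only shows up when something does a reverse lookup; running the lint (or `dig -x` against the new zone) right after editing catches it earlier.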
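Added example for the DHCP question in the post (being warned when a MAC that is not in the static host list takes a lease from the pool). This is editor-written code, not the author's setup or a logwatch filter: it reads the `hardware ethernet` entries out of a dhcpd.conf, then runs over syslog lines in the shape ISC dhcpd writes them and reports each unknown MAC once. The dhcpd.conf excerpt and the log lines are constructed for the example; only the xenon host block and MAC come from the post, the zeno MAC and the client names are made up.

```python
"""Flag DHCP leases handed to MAC addresses that are not in dhcpd.conf."""
import re

# Constructed dhcpd.conf excerpt. The xenon block is the one from the post;
# the zeno MAC and the pool range are assumed.
DHCPD_CONF = """
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.104;   # pool of five for unknown clients
    option routers 192.168.1.1;
}

host xenon {
    hardware ethernet 00:1d:09:35:dd:2d;
    fixed-address xenon;
}

host zeno {
    hardware ethernet 00:16:3e:aa:bb:cc;   # assumed value
    fixed-address zeno;
}
"""

HOST_BLOCK = re.compile(r"\bhost\s+(?P<name>\S+)\s*\{(?P<body>.*?)\}", re.S)
HW_ETHER = re.compile(r"hardware\s+ethernet\s+(?P<mac>[0-9a-f:]{17})\s*;", re.I)

# ISC dhcpd logs a successful lease as:
#   dhcpd: DHCPACK on <ip> to <mac> (<client hostname, if sent>) via <iface>
DHCPACK = re.compile(
    r"dhcpd: DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>[0-9a-f:]{17})(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.I,
)


def known_hosts(conf_text: str) -> dict:
    """{mac (lowercase): hostname} for every host block with a hardware address."""
    hosts = {}
    for m in HOST_BLOCK.finditer(conf_text):
        hw = HW_ETHER.search(m.group("body"))
        if hw:
            hosts[hw.group("mac").lower()] = m.group("name")
    return hosts


def unknown_leases(log_lines, hosts: dict):
    """Yield (ip, mac, claimed hostname, iface) for every DHCPACK whose MAC is
    not in `hosts`. DHCPACK rather than DHCPDISCOVER is matched so only
    clients that actually got an address are reported, and a MAC that renews
    repeatedly is reported once per run."""
    seen = set()
    for line in log_lines:
        m = DHCPACK.search(line)
        if not m:
            continue
        mac = m.group("mac").lower()
        if mac in hosts or mac in seen:
            continue
        seen.add(mac)
        yield (m.group("ip"), mac, m.group("host") or "", m.group("iface"))


def alert_text(event) -> str:
    """One line per unknown client, suitable for piping into mail(1)."""
    ip, mac, host, iface = event
    return f"unknown DHCP client {mac} ({host or 'no hostname'}) got {ip} via {iface}"


# Constructed log lines modelled on dhcpd's syslog output.
SAMPLE_LOG = [
    "Jul  8 22:14:03 zanex dhcpd: DHCPREQUEST for 192.168.1.20 from 00:1d:09:35:dd:2d (xenon) via eth0",
    "Jul  8 22:14:03 zanex dhcpd: DHCPACK on 192.168.1.20 to 00:1d:09:35:dd:2d (xenon) via eth0",
    "Jul  8 22:31:47 zanex dhcpd: DHCPDISCOVER from 00:21:5c:de:ad:01 via eth0",
    "Jul  8 22:31:48 zanex dhcpd: DHCPOFFER on 192.168.1.100 to 00:21:5c:de:ad:01 (android-4f2a) via eth0",
    "Jul  8 22:31:48 zanex dhcpd: DHCPACK on 192.168.1.100 to 00:21:5c:de:ad:01 (android-4f2a) via eth0",
    "Jul  8 22:40:02 zanex dhcpd: DHCPACK on 192.168.1.100 to 00:21:5c:de:ad:01 (android-4f2a) via eth0",
    "Jul  8 23:02:10 zanex dhcpd: DHCPACK on 192.168.1.101 to 00:0c:29:11:22:33 via eth0",
]

if __name__ == "__main__":
    for ev in unknown_leases(SAMPLE_LOG, known_hosts(DHCPD_CONF)):
        print(alert_text(ev))
```

Run it from cron against `/var/log/syslog` (or whatever dhcpd logs to) and pipe any output to `mail`; a MAC is trivially spoofable, so this tells you that something new showed up, not that a known machine is who it claims to be.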
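Added example for the other half of the DHCP question (unknown clients allowed out to the internet but not into the internal network). This is editor-written code, not the author's firewall: it models an iptables FORWARD chain with a default DROP policy and evaluates sample flows against it, with the equivalent `iptables -A FORWARD` arguments kept on each rule for reference. The interface names (eth0 to the modem, eth1 to the 192.168.1.0/24 computer-room network, eth2 as the extra NIC feeding WAP1) and the guest subnet 192.168.2.0/24 are assumptions; with the VLAN layout described for Maya and Zanex the same rules apply to the VLAN sub-interfaces instead. The isolation only works because the guest access point hangs off its own interface or VLAN: a client on the same L2 segment as the LAN hosts never passes through the router at all.

```python
"""Guest isolation policy as an iptables-style FORWARD chain evaluator."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN = ipaddress.ip_network("192.168.1.0/24")    # computer-room network (from the post)
GUEST = ipaddress.ip_network("192.168.2.0/24")  # assumed subnet for the WAP1 NIC (eth2)


@dataclass(frozen=True)
class Flow:
    in_if: str
    out_if: str
    src: str
    dst: str
    state: str = "NEW"  # NEW or ESTABLISHED, as conntrack would classify it


@dataclass(frozen=True)
class Rule:
    action: str  # ACCEPT or DROP
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    state: Optional[str] = None
    iptables: str = ""  # equivalent `iptables -A FORWARD ...` arguments

    def matches(self, f: Flow) -> bool:
        return (
            (self.in_if is None or self.in_if == f.in_if)
            and (self.out_if is None or self.out_if == f.out_if)
            and (self.src is None or ipaddress.ip_address(f.src) in self.src)
            and (self.dst is None or ipaddress.ip_address(f.dst) in self.dst)
            and (self.state is None or self.state == f.state)
        )


# First match wins, like a netfilter chain; anything unmatched hits the policy.
# DNS/DHCP from guests to the router itself go through INPUT, not FORWARD,
# and are not modelled here.
FORWARD = [
    Rule("ACCEPT", state="ESTABLISHED",
         iptables="-m state --state ESTABLISHED,RELATED -j ACCEPT"),
    Rule("DROP", in_if="eth2", dst=LAN,
         iptables="-i eth2 -d 192.168.1.0/24 -j DROP"),
    Rule("ACCEPT", in_if="eth2", out_if="eth0", src=GUEST,
         iptables="-i eth2 -o eth0 -s 192.168.2.0/24 -j ACCEPT"),
    Rule("ACCEPT", in_if="eth1", out_if="eth0", src=LAN,
         iptables="-i eth1 -o eth0 -s 192.168.1.0/24 -j ACCEPT"),
]
POLICY = "DROP"  # iptables -P FORWARD DROP


def verdict(flow: Flow, chain=FORWARD, policy=POLICY) -> str:
    for rule in chain:
        if rule.matches(flow):
            return rule.action
    return policy


def as_iptables(chain=FORWARD, policy=POLICY) -> list:
    """The shell lines that express the same chain, for copying into a script."""
    lines = [f"iptables -P FORWARD {policy}"]
    lines += [f"iptables -A FORWARD {r.iptables}" for r in chain]
    return lines


if __name__ == "__main__":
    samples = {
        "guest -> internet": Flow("eth2", "eth0", "192.168.2.50", "93.184.216.34"),
        "guest -> zeno": Flow("eth2", "eth1", "192.168.2.50", "192.168.1.10"),
        "guest spoofing LAN src -> internet": Flow("eth2", "eth0", "192.168.1.77", "93.184.216.34"),
        "lan -> internet": Flow("eth1", "eth0", "192.168.1.20", "93.184.216.34"),
        "lan -> guest (new)": Flow("eth1", "eth2", "192.168.1.20", "192.168.2.50"),
        "internet -> guest (reply)": Flow("eth0", "eth2", "93.184.216.34", "192.168.2.50", "ESTABLISHED"),
    }
    for label, f in samples.items():
        print(f"{label:40s} {verdict(f)}")
    print("\n".join(as_iptables()))
```

The `-s` match on the guest ACCEPT rule matters: without it a guest that sets a 192.168.1.x address on its own interface would still be forwarded out, and the rule ordering (the LAN DROP before the internet ACCEPT) is what keeps the guest side from reaching zeno even though both rules match `-i eth2`.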