Fire Your Small ISP
A GNU/Linux server is the most power-packed base for running a small ISP. Install a GNU/Linux server on the network. In this setup and configuration procedure I have made certain assumptions and policies, designed with the requirements we found in typical organizations in mind. To start off, I assume that most of the needed packages are already installed on the GNU/Linux server. We will then set up an ADSL connection on that server[1] and bring up some static IP addresses.
Now we have to configure the following one by one: firewalling, DHCP, TCP wrappers, DNS (setting up some domain names), sendmail, POP3 and Apache.
- STEP ONE: Configure the network
First, get ADSL or an equivalent 24x7 connection to the Internet. Then you MUST get static IPs if you want to do what I've done. This is non-optional: without static IPs all of this is quite impossible.
One static IP would be sufficient, but in this case the organization sells static IPs in sets of "eight", of which five are usable.
A brief idea of our network setup
Network address: 206.111.66.136
Subnet mask: 255.255.255.248
Broadcast Address: 206.111.66.143
Default Gateway: 206.111.66.142
Available addresses: 206.111.66.137-141 (five)
Hub One (Public)                           Hub Two (Private)
206.111.66.137    iA/NT Server[*]          10.0.0.1
206.111.66.138    iA/Linux                 10.0.0.2
                  iA/95-98 WS              10.0.0.10-50 (DHCP)
206.111.66.142    C***o DSL Router
The GNU/Linux server here is a Pentium III running GNU/Linux, with 64MB RAM and a MacH44 video card. It has ONE 1.08 GB HDD and a cheap IDE CDROM. I have an SMC NIC (tulip) and a Pro/100 (eepro) in it.
Obviously the IP addresses are a range assigned by the Organization. For these we are paying Rs. xyz/year on TOP of the basic DSL service rate.
Things to remember:
- Set up IP forwarding and masquerading in Linux. The steps in the HOWTO are actually doable on this score.
- Turn OFF IP forwarding on the NT[*] machine.
- Turn OFF every service (server, workstation, etc.) on the Internet NIC of the NT machine, except TCP/IP transport, which is the minimum needed to run Internet Information Server.[*]
- Turn ON IP forwarding and masquerading on the GNU/Linux server.
- Enable DHCP scope settings to point your DNS server and default gateway to the 'private' side of the GNU/Linux machine.
- Enable TCP Wrapper protection for just about everything on the GNU/Linux box:
/etc/hosts.allow:
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
ALL:127.0.0.1
ALL:206.111.66.136/255.255.255.248
ALL:10.0.0.0/255.0.0.0
ALL:134.134.0.0/255.255.0.0
sendmail:KNOWN
named:ALL
/etc/hosts.deny:
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
ALL:ALL
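The access decision tcpd makes from these two files, as an added example that is not part of the original article: it evaluates hosts.allow first, then hosts.deny, with a constructed reverse-DNS table standing in for the resolver that the KNOWN wildcard on the sendmail line depends on.

```python
import ipaddress

# Constructed copies of the two files shown above.
HOSTS_ALLOW = """
ALL:127.0.0.1
ALL:206.111.66.136/255.255.255.248
ALL:10.0.0.0/255.0.0.0
ALL:134.134.0.0/255.255.0.0
sendmail:KNOWN
named:ALL
"""
HOSTS_DENY = "ALL:ALL\n"

# Constructed reverse-DNS table standing in for the resolver: tcpd's KNOWN
# wildcard matches only clients whose address maps back to a hostname.
PTR_TABLE = {"206.111.66.137": "myserver.org", "198.51.100.7": "mx.example.net"}

def parse_rules(text):
    """Return [(daemon_patterns, client_patterns), ...] for one access file."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules

def client_matches(pattern, ip):
    addr = ipaddress.ip_address(ip)
    if pattern == "ALL":
        return True
    if pattern == "KNOWN":                        # address has a PTR record
        return ip in PTR_TABLE
    if "/" in pattern:                            # net/mask form used on the page
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)  # plain address

def file_matches(rules, daemon, ip):
    return any(any(d in ("ALL", daemon) for d in ds) and
               any(client_matches(c, ip) for c in cs) for ds, cs in rules)

def tcpd_decision(daemon, ip):
    """tcpd's order: a hosts.allow match grants, else a hosts.deny match
    refuses, else the connection is granted."""
    if file_matches(parse_rules(HOSTS_ALLOW), daemon, ip):
        return "allow"
    if file_matches(parse_rules(HOSTS_DENY), daemon, ip):
        return "deny"
    return "allow"
```

With ALL:ALL in hosts.deny, anything not explicitly listed in hosts.allow is refused, which is why a client with no reverse DNS entry cannot reach sendmail.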
- Do and Don't
DO NOT let the Organization register your domain name(s) for you. Do it yourself, going directly to internic.net to do so.
- STEP TWO: Register your domain names
http://internic.net/
Internic has a tool you can use to see if your preferred domain name is taken.
Their 'register a domain name' tool is pretty friendly to use, with a few tricks:
DO choose two different nameservers, and make sure they are in domains for which you are one of the contacts. They WILL reject your application if you do not supply two different IP addresses for the servers, and they WILL reject it if you supply name servers in a domain for which you are not a contact. Of course, nothing says you have to be running DNS 'for real' on your secondary server.
The simplest way to make sure you get your domain name entered correctly is to do it yourself. You WILL need to know the two correct IP addresses, but other than that, most of the stuff should be pretty straightforward, like your billing address.
It's probably a good idea to register a domain name using an email address which you are never likely to lose. I used tuser@me.org because it's merely a pointer to wherever I want it to be. I suppose I could have used a yahoo.com name or something like that, but I'm a snob. Internic will mail you your whole registration agreement, including four or five screenfuls of legalese. You mail it back to the address indicated, and you get set up within a day, although it may take a while for the domain name to propagate everywhere in the world. They will bill you later, and you can pay via credit card; their automated phone payment system is reasonable to use.
- STEP THREE: Set up your DNS
Do read the GNU/Linux HOWTO on DNS, although it is hard going. You can get _DNS and BIND_ from www.oreilly.com and start reading at chapter 4, "Setting up BIND". If you want a conceptual introduction to DNS as well, start reading at chapter 1.
Rather than giving a whole intro to DNS, I'm just going to cover three types of records: Addresses, Mail eXchangers and Canonical Names: A, MX and CNAME.
named, the DNS server, is started automagically at boot (unless you unchecked it during the install process), and reads the file /etc/named.boot.
/etc/named.boot:
directory   /var/named
primary     0.0.127.in-addr.arpa      db.127.0.0
primary     myserver.org              db.myserver
primary     testserver.org            db.testserver
primary     0.0.10.in-addr.arpa       db.10.0.0
primary     66.111.206.in-addr.arpa   db.206.111.66
cache       .                         named.ca
As you can see, /etc/named.boot references a lot of db files. These are all located in /var/named, as one might guess from the first line. Here are the two most interesting of the files:
/var/named/db.myserver:
myserver.org.             IN SOA   linux.myserver.org. tuser.me.org. (
                                   1        ; Serial
                                   10800    ; Refresh after 3 hours
                                   3600     ; Retry after one hour
                                   604800   ; Expire after one week
                                   86400 )  ; Min TTL 1 day
myserver.org.             IN NS    linux.myserver.org.
;
; Hosts
;
myserver.org.             IN A     206.111.66.137
linux.myserver.org.       IN A     206.111.66.138
gateway.myserver.org.     IN A     206.111.66.142
;
; Aliases
;
ns1.myserver.org.         IN CNAME linux.myserver.org.
ns2.myserver.org.         IN CNAME myserver.org.
www.myserver.org.         IN CNAME myserver.org.
off.myserver.org.         IN CNAME myserver.org.
ftp.myserver.org.         IN CNAME linux.myserver.org.
mail.myserver.org.        IN CNAME linux.myserver.org.
smtp.myserver.org.        IN CNAME linux.myserver.org.
mx.myserver.org.          IN CNAME linux.myserver.org.
pop3.myserver.org.        IN CNAME linux.myserver.org.
users.myserver.org.       IN CNAME linux.myserver.org.
linux-eth0.myserver.org.  IN CNAME linux.myserver.org.
; (the address in an A record takes no trailing dot; only names do)
linux-eth1.myserver.org.  IN A     10.0.0.2
off-priv.myserver.org.    IN A     10.0.0.1
;
; mail alias records
;
myserver.org.             IN MX 0  linux.myserver.org.
/var/named/db.testserver:
testserver.org.           IN SOA   linux.myserver.org. tuser.acme.org. (
                                   1        ; Serial
                                   10800    ; Refresh after 3 hours
                                   3600     ; Retry after one hour
                                   604800   ; Expire after one week
                                   86400 )  ; Min TTL 1 day
testserver.org.           IN NS    linux.myserver.org.
;
; Hosts
;
testserver.org.           IN A     206.111.66.138
gateway.testserver.org.   IN A     206.111.66.142
;
; Aliases
;
ns1.testserver.org.       IN CNAME testserver.org.
ns2.testserver.org.       IN CNAME myserver.org.
www.testserver.org.       IN CNAME testserver.org.
ftp.testserver.org.       IN CNAME testserver.org.
mail.testserver.org.      IN CNAME testserver.org.
smtp.testserver.org.      IN CNAME testserver.org.
mx.testserver.org.        IN CNAME testserver.org.
pop.testserver.org.       IN CNAME testserver.org.
- Things to remember:
"A" records are the real names of the machines. CNAME records just point to real "A" records. A CNAME record can point to a record that isn't part of the same domain name. MX records determine who gets SMTP mail for a particular name. In this case, linux.myserver.org gets all mail for everyone. This is quite useful, because I wanted http://myserver.org/ to go to the IIS web server, but for the GNU/Linux machine to get all the email.
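How a resolver walks these three record types, as an added example that is not part of the original article: it follows CNAME chains to an A record and applies the implicit-MX rule (mail for a name with no MX record goes to that name's A record, which is why db.testserver needs none), using a constructed excerpt of the two zone files above.

```python
# Constructed excerpt of the two zone files above (SOA and NS lines omitted).
ZONE = """
myserver.org.           IN A     206.111.66.137
linux.myserver.org.     IN A     206.111.66.138
www.myserver.org.       IN CNAME myserver.org.
pop3.myserver.org.      IN CNAME linux.myserver.org.
myserver.org.           IN MX 0  linux.myserver.org.
testserver.org.         IN A     206.111.66.138
ns2.testserver.org.     IN CNAME myserver.org.
mail.testserver.org.    IN CNAME testserver.org.
"""

def parse_zone(text):
    """Return {owner: [(type, rdata), ...]}; trailing dots are stripped."""
    records = {}
    for line in text.splitlines():
        parts = line.split(";", 1)[0].split()
        if len(parts) < 4:
            continue
        owner, rtype, rdata = parts[0].rstrip("."), parts[2], parts[3:]
        if rtype == "MX":                      # (preference, exchanger host)
            rdata = (int(rdata[0]), rdata[1].rstrip("."))
        else:                                  # A: address; CNAME: target name
            rdata = rdata[0].rstrip(".")
        records.setdefault(owner, []).append((rtype, rdata))
    return records

def resolve_a(records, name, hops=0):
    """Follow CNAME records (at most 8 hops) until an A record is found."""
    if hops > 8:
        raise RuntimeError("CNAME loop at " + name)
    rrs = records.get(name.rstrip("."), [])
    for rtype, rdata in rrs:
        if rtype == "A":
            return rdata
    for rtype, rdata in rrs:
        if rtype == "CNAME":
            return resolve_a(records, rdata, hops + 1)
    return None                                # no such name / no A record

def mail_exchanger(records, domain):
    """Host that receives SMTP mail for domain: the lowest-preference MX
    target, or the domain itself when it has no MX (RFC 974 implicit MX)."""
    mxs = sorted(r for t, r in records.get(domain, []) if t == "MX")
    host = mxs[0][1] if mxs else domain
    return host, resolve_a(records, host)
```

Both domains end up delivering to 206.111.66.138, but only myserver.org does so through an explicit MX; testserver.org relies on its A record.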
- Other trivia:
Every record in the files ends with a dot (.). This is not a mistake, it's a feature. The email address user.me.org. translates to user@me.org; it's just a funky format that named parses better. SOA stands for 'start of authority'; I never bothered messing with the numbers, just copied 'em out of the book. They have to do with the caching of addresses, and you probably won't care either. You DO have to ftp a named.ca file from internic. It tells your DNS about the rest of the 'root' servers on the Internet, so it can ask them about something it can't find locally.
The in-addr.arpa files are for reverse-DNS lookup, which maps IP addresses to actual hostnames. You need to set this up too, but I'm not going to cover it today. Remember that sendmail:KNOWN line in /etc/hosts.allow? That tells the mail server to allow connections, but ONLY from hosts whose IP address it can resolve into a fully qualified domain name. This is one line of defense against spammers. So, once you've got your DNS set up and running, set up your resolv.conf file.
/etc/resolv.conf:
search myserver.org
nameserver 206.111.66.138
This file is the *client* side of name service lookup; it tells nslookup where to go. It's possible, but not generally useful, to set up a DNS server on a machine without that machine looking at itself for DNS resolution. So, this file tells my machine to a) look for "unqualified" host names in the myserver.org domain, and b) look at itself for its own name resolution. Test, test, and test this. Use nslookup. In nslookup, set type=mx to resolve mail exchanger hosts.
- STEP FOUR: Set up sendmail and related services
Here are some relevant lines from /etc/sendmail.cf:
# file containing names of hosts for which we receive email
Fw/etc/sendmail.cw
# "Smart" relay host (may be null)
DSpop.sttl.uswest.net
# who I masquerade as (null for no masquerading) (see also $=M)
DMmail.myserver.org
# file containing IP numbers of machines which can use our relay
F{LocalIP} /etc/mail/ip_allow
# location of alias file
O AliasFile=/etc/aliases
So, there are three more files we need to care about.
/etc/sendmail.cw just contains all your aliases. Everything for which you have an MX or CNAME line pointing to this host should have its FQDN in here:
# sendmail.cw - include all aliases for your machine here.
myserver.org
mail.myserver.org
pop.myserver.org
members.myserver.org
mx.myserver.org
testserver.org
mail.testserver.org
pop.testserver.org
members.testserver.org
mx.testserver.org
/etc/mail/ip_allow (the file named by the F{LocalIP} line above) is the list of machines that can "relay" through our system. This setup of sendmail defaults to deny all relaying, so in order for a mail client to send through this system, its IP must be in this file:
10.0.0.1
10.0.0.10
10.0.0.11
10.0.0.12
10.0.0.13
10.0.0.14
10.0.0.15
10.0.0.16
10.0.0.17
Pretty straightforward. The DHCP addresses for the five clients start at 10.0.0.10, so ONLY machines coming through my private network will ever be able to relay mail. I don't want anyone relaying XXX porno ads through a mail server I set up for my church.
/etc/aliases takes the general form of:
alias: account
So that I can say:
# User aliases
jonathan: testserver
tuser: testserver
- SETTING UP POP3
Side note:
This is a great time to introduce the concept of installing packages that you forgot or neglected to install from the CD during the initial system load. I deselected IMAP support without realizing that IMAP and POP3 are included in the same package:
Name : imap Distribution: Organization
Version : 4.1.BETA Vendor: Something Software
Release : 11 Build Date: Thu May 07 20:53:25 2002
Install date: (not installed) Build Host: porky.redhat.com
Group : Networking/Daemons Source RPM: imap-4.1.BETA-11.src.rpm
Size : 1385678
Packager : Something Software
Summary : provides support for IMAP and POP network mail protocols
Description :
IMAP is a server for the POP (Post Office Protocol) and IMAP mail protocols. The POP protocol allows a "post office" machine to collect mail for users and have that mail downloaded to the user's local machine for reading. The IMAP protocol provides the functionality of POP, and allows a user to read mail on a remote machine without moving it to his local mailbox.
POP3 is used by the mail clients (Netscape) on the church's workstations for the staff to send and read their email. Remember that their addresses are allowed ALL access in /etc/hosts.allow, so they can POP to me.
- STEP FIVE: Set up other things
- PINE:
I love Pine, the freeware terminal-based mail reader from UW. But seriously, I like Pine 4 because it makes sense of all those stupid HTML and MIME encoded messages that people with bad Netscape configurations send. I also happen to maintain Pine for the VDCE Common Tools distribution, better known as /usr/intel, so I knew where to get the latest version without having to RTFM. Pine can be ftp'ed from ftp.cac.washington.edu. gunzip, tar -xf, ./build slx, and you'll have a new set of binaries. For the lazy, you can fetch precompiled binaries from the same FTP site, but that's not as fun.
- NEWS:
I only have a 1.08 GB HDD, so I can't possibly want to spool any Usenet news to my machine. But I want to use trn to read/post news. How can I do this? Easy: set the variable NNTPSERVER=news.uswest.net in my ~/.bashrc. We're paying Some Organization for ISP service, so I can feel free to use them for any of the scummy, administration-intensive tasks (maintaining news feeds, delivering non-local mail) that I don't feel like messing with, while keeping control over the things that I DO want to manage.
- SSH:
I need to be able to talk to hosts which demand SSH authentication. SSH stands for Secure SHell, and it provides an encrypted path to connect from one system to another. Unlike telnet or ftp, passwords are NOT sent in the clear with SSH. But I can't use SSH through the firewall here at work, so I have to telnet out to the Internet (this host) and use SSH from (t)here. Note that this is a far less than ideal way to use SSH, because between the Internet firewall and this GNU/Linux host I've got a "clear" connection, so I do not have the ideal end-to-end encryption. But the security level of anything I do via this method is not high enough to warrant losing sleep over this.
Since I'm not going to be using the r- commands (rcp, rsh, rlogin) much, if at all, from this machine, I went ahead and installed SSH in place of all those commands:
ftp://ftp.cs.hut.fi/pub/ssh
(gunzip, tar -xf, etc.)
./configure --with-rsh=/usr/bin/rsh --program-transform-name='s/^s/r/'
make
make install
I just did that yesterday, and I still don't have a lot of experience with it yet, but it appears to be working fine.
- Apache:
Apache (httpd) comes standard with GNU/Linux, and will be started automagically if installed, unless you uncheck that option at install. Out of the box, Apache just works. But you can get it to serve different pages for your different aliases quite simply, by using the VirtualHost directive in /etc/httpd/conf/httpd.conf:
# testserver.org and linux.myserver.org share 206.111.66.138, so this is a
# name-based virtual host and Apache must be told to look at the Host header
NameVirtualHost 206.111.66.138
<VirtualHost 206.111.66.138>
    ServerAdmin webmaster@testserver.org
    DocumentRoot /home/testserver/public_html
    ServerName testserver.org
    ErrorLog logs/testserver.org-error_log
    TransferLog logs/testserver.org-access_log
</VirtualHost>
Thus, http://testserver.org/ goes to a different place than http://linux.myserver.org/ does. I can have an arbitrarily large number of these virtual web sites running on one machine.
I have tried to mention some resources on setting up a GNU/Linux server to reach the highest levels of performance. The tips provided here are merely a collection of information gathered from the Net and some of my own experiences during my brush with the GNU/Linux world. It is recommended to back up all your data before tuning your GNU/Linux box, because the changes may not be compatible with your current setup.
I have tried these on Intel P-III and Intel P-IV platforms with 128 MB RAM.
For NT Server and IIS [*] ©2003 Microsoft Corporation. All rights reserved.
[1] You can issue the command adsl-setup to start the configuration of the DSL line.
More on http://linuxperf.nl.linux.org/