The Intranet server lies inside the firewall and serves clients on the local network. All those services, like mail and file and print, which handle user data and are potential security hazards if exposed to the Internet, are hosted on the Intranet server and are protected behind the firewall. It also makes sense to run services like DHCP and Web proxy on the Intranet server as they are of use only to the LAN they serve.
Unlike the gateway server, the Intranet server should be a fairly powerful machine depending on the number of users who will use its services. For the moment, we’ll bunch all the services on a single machine, which is also typical for most small- to medium-sized environments.
Wherever possible, we’ve tried to implement access control and authentication to reduce abuses.
As per our plan of action, the following services will be set up on the Intranet box.
User authentication: All user account management is to be done on the Intranet server using standard Linux tools like useradd, userdel, and passwd. Services like POP, IMAP, proxy, etc., will refer to the flat files (/etc/passwd) for authentication.
Internal DNS: Unlike external DNS, internal DNS will be set up in such a way that it will provide name service for our zone pcquest.com. All hosts inside the LAN will use this server for name resolution. If the internal DNS server receives queries for hosts outside the local domain, it will use the DNS service running on the gateway server as a forwarder.
The DNS article (page 118) will talk about configuring Bind 9 as an internal DNS server for the zone pcquest.com with forwarding support.
DHCP: DHCP (Dynamic Host Configuration Protocol) allows for dynamic allocation of network settings to both Windows and Linux clients. We’ll discuss the DHCP server setup and client (Windows and Linux) configuration in the DHCP server configuration article on page 123.
Mail: Here, we’ll walk through a typical mail setup using Sendmail for your domain. Dial-up and leased line setups will also be discussed with SMTP relay and spam control, and users will have the choice of using POP3 or IMAP for sending and receiving mail. See Setting Up a Mail Server on page 127.
Web proxy: How do you share a choked dial-up link among your bandwidth-hungry users? Squid is a very powerful and industrial-strength proxy server, which can do wonders on a saturated link. Squid configuration is discussed with emphasis on access control and authentication.
File and print: Samba is an NT-compatible file and print server for Unix. It can do most of the things an NT server can do and is very robust and stable. Samba is an ideal replacement for NT on most small- and medium-sized networks. In the article Samba for File and Print (page 132), we’ll talk about setting up a Samba-controlled NT domain for your Windows 9x and NT clients.
The install
For your convenience, we’ve provided a ‘PCQ Intranet Server’ install option on the installation CD, which will install all the necessary packages for setting up the Intranet server. If you haven’t chosen this option, don’t worry, the packages which need to be installed are also mentioned individually in the articles.
Intranet server post-install configuration
Let’s do some basic checking to see whether the network settings for the Intranet server have been configured correctly.
Network interfaces: eth0 and eth1
Use the ifconfig command to list the network interfaces.
~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:80:C8:3E:C7:E7
inet addr:192.168.0.2 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
................
Interrupt:11 Base address:0xc000
eth1 Link encap:Ethernet HWaddr 00:50:FC:2A:6A:0D
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
................
Interrupt:10 Base address:0x1000
<..>
eth0 and eth1 should have the following settings respectively.
eth0: IP Address: 192.168.0.2
Netmask: 255.255.255.0
Bcast: 192.168.0.255
eth1: IP Address: 192.168.1.1
Netmask: 255.255.255.0
Bcast: 192.168.1.255
Routing tables
The route command will print out the routing tables.
~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 lo
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
The default gateway (0.0.0.0) should be set to the IP address of the gateway server (192.168.0.1).
DNS settings
~# cat /etc/resolv.conf
search pcqlinux.com
nameserver 127.0.0.1 # localhost
nameserver 202.54.1.30 # VSNL’s DNS server
Host’s settings
~# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 intranet.pcqlinux.com intranet localhost.localdomain localhost
This is not adequate for our setup. Change /etc/hosts to the following.
127.0.0.1       localhost.localdomain   localhost
192.168.1.1     intranet.pcqlinux.com   intranet
192.168.0.1     gateway.pcqlinux.com    gateway
We are adding the IP address of the gateway server (192.168.0.1) so that it can be resolved without DNS.
Hostname and gateway settings
~# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=intranet.pcqlinux.com
GATEWAY=192.168.0.1
If HOSTNAME and GATEWAY are set to anything else, change them to reflect the correct settings. The fully qualified domain name of the Intranet server is ‘intranet.pcqlinux.com’ and the gateway is 192.168.0.1.
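The checks above can be scripted. The following is an added example, not part of the original article: each helper parses text on standard input in the formats shown above (ifconfig, route -n, /etc/sysconfig/network, /etc/sysctl.conf), and by default the script runs against constructed samples built from the expected values; pass --live to read the real system. The --live switch, the function names and the samples are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the article: verify the Intranet server's network
# settings against the values the article expects. Helpers parse text on stdin,
# so they work on live command output (--live) or on the constructed samples.

iface_field() {   # iface_field IFACE KEY  < ifconfig output; prints value after "KEY:"
    awk -v ifc="$1" -v key="$2" '
        $2 == "Link" { cur = ($1 == ifc); next }   # "eth0 Link encap:..." starts a block
        cur { for (i = 1; i <= NF; i++)
                  if (index($i, key ":") == 1) print substr($i, length(key) + 2) }'
}
default_gw()    { awk '$1 == "0.0.0.0" { print $2 }'; }          # < route -n output
sysconfig_val() { sed -n "s/^$1=//p"; }                          # sysconfig_val KEY < file
ip_forward()    { sed -n 's/^net\.ipv4\.ip_forward *= *//p'; }  # < /etc/sysctl.conf

check() {   # check LABEL EXPECTED ACTUAL -> prints OK/FAIL, returns 0/1
    if [ "$2" = "$3" ]; then echo "OK   $1 = $3"; return 0; fi
    echo "FAIL $1: expected '$2', got '$3'"; return 1
}

# Constructed samples: the output a correctly configured Intranet server shows.
SAMPLE_IFCONFIG='eth0 Link encap:Ethernet HWaddr 00:80:C8:3E:C7:E7
 inet addr:192.168.0.2 Bcast:192.168.0.255 Mask:255.255.255.0
eth1 Link encap:Ethernet HWaddr 00:50:FC:2A:6A:0D
 inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0'
SAMPLE_ROUTE='Kernel IP routing table
0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth0'
SAMPLE_NETWORK='NETWORKING=yes
HOSTNAME=intranet.pcqlinux.com
GATEWAY=192.168.0.1'
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1'

# run_checks IFCONFIG ROUTE NETWORK SYSCTL (all as text); returns 1 if any check fails
run_checks() {
    rc=0
    check "eth0 addr"  192.168.0.2   "$(printf '%s\n' "$1" | iface_field eth0 addr)" || rc=1
    check "eth0 mask"  255.255.255.0 "$(printf '%s\n' "$1" | iface_field eth0 Mask)" || rc=1
    check "eth1 addr"  192.168.1.1   "$(printf '%s\n' "$1" | iface_field eth1 addr)" || rc=1
    check "eth1 mask"  255.255.255.0 "$(printf '%s\n' "$1" | iface_field eth1 Mask)" || rc=1
    check "default gw" 192.168.0.1   "$(printf '%s\n' "$2" | default_gw)"            || rc=1
    check "HOSTNAME"   intranet.pcqlinux.com "$(printf '%s\n' "$3" | sysconfig_val HOSTNAME)" || rc=1
    check "GATEWAY"    192.168.0.1   "$(printf '%s\n' "$3" | sysconfig_val GATEWAY)"  || rc=1
    check "ip_forward" 1             "$(printf '%s\n' "$4" | ip_forward)"            || rc=1
    return $rc
}

if [ "${1:-}" = "--live" ]; then   # read the real system instead of the samples
    run_checks "$(ifconfig)" "$(route -n)" "$(cat /etc/sysconfig/network)" "$(cat /etc/sysctl.conf)"
else
    run_checks "$SAMPLE_IFCONFIG" "$SAMPLE_ROUTE" "$SAMPLE_NETWORK" "$SAMPLE_SYSCTL"
fi
```

The ip_forward check reads the value from /etc/sysctl.conf, so it only confirms what will be applied at the next boot; run rc.fw or sysctl -p for the current session.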
Configuring NAT on the Intranet server
The Intranet server will blindly masquerade (NAT) the internal network for outgoing traffic. We’ll use ipchains for doing the NAT part.
Create a file in /etc/rc.d/rc.fw with the following lines.
#!/bin/bash
# Load the ipchains kernel module
/sbin/modprobe ipchains
# MASQ the full 192.168.1.0/24 network
#
/sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ
# Masq only 192.168.1.51
# /sbin/ipchains -A forward -s 192.168.1.51 -j MASQ
# List rules
/sbin/ipchains -L -n
Make rc.fw executable and at the end of /etc/rc.d/rc.local, add this line
/etc/rc.d/rc.fw
~# chmod 755 /etc/rc.d/rc.fw # make rc.fw executable
Now rc.fw will be run each time the system boots.
To enable IP forwarding in the kernel, edit /etc/sysctl.conf and change
# Disables packet forwarding
net.ipv4.ip_forward=0
to:
# Enables packet forwarding
net.ipv4.ip_forward=1
Restart the network service, then run rc.fw to load the NAT rules for this session.
~# service network restart
~# cd /etc/rc.d
~# ./rc.fw
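Since the rc.fw above masquerades every forwarded packet, here is a tighter variant, added as an example and not the article's own script: it keeps the ipchains approach but sets a default DENY policy on the forward chain, masquerades only LAN sources leaving through eth0, and denies and logs packets that arrive on eth0 claiming a LAN address. The boot argument, the DRY_RUN variable and the run wrapper are this example's own conventions; call it as /etc/rc.d/rc.fw boot from rc.local.

```shell
#!/bin/sh
# Added example, not the article's rc.fw: masquerade only what the LAN needs.
# Usage: /etc/rc.d/rc.fw boot   (from rc.local) loads the rules;
#        /etc/rc.d/rc.fw        with no argument only prints them (dry run).
LAN_NET=192.168.1.0/24          # the internal network on eth1
EXT_IF=eth0                     # interface towards the gateway server
IPCHAINS=${IPCHAINS:-/sbin/ipchains}

run() {   # execute a command, or just echo it when DRY_RUN is set
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

load_nat_rules() {
    run /sbin/modprobe ipchains
    run "$IPCHAINS" -F forward            # start from an empty forward chain
    run "$IPCHAINS" -P forward DENY       # forward nothing unless a rule allows it
    # On the forward chain -i names the interface a packet will leave by, so this
    # masquerades only LAN sources going out through eth0 (toward the gateway).
    # Replies to masqueraded connections are demasqueraded on input and do not
    # need a forward rule of their own.
    run "$IPCHAINS" -A forward -i "$EXT_IF" -s "$LAN_NET" -j MASQ
    # A packet arriving on eth0 with a LAN source address is spoofed: deny and log (-l).
    run "$IPCHAINS" -A input -i "$EXT_IF" -s "$LAN_NET" -j DENY -l
    run "$IPCHAINS" -L -n
}

# masq_rule_count: number of MASQ rules the script would load (sanity check)
masq_rule_count() { DRY_RUN=1 load_nat_rules | grep -c -- '-j MASQ'; }

case "${1:-}" in
    boot) load_nat_rules ;;
    *)    DRY_RUN=1 load_nat_rules ;;
esac
```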
Testing
Step 1: Gateway-Internet
On the gateway server, bring up the link and ping a public IP. If it works go to Step 2, else check network and firewall settings on the gateway server.
gateway ~# ping 202.54.1.30 # CTRL+C aborts
PING 202.54.1.30 (202.54.1.30) from 192.168.0.1 : <...>
Step 2: Intranet-Gateway-Internet
On the Intranet server, ping the gateway.
intranet ~# ping 192.168.0.1
<..>
If it works, ping a public IP.
For the ping to a public IP to work, the NAT on the gateway should be working properly. If you are unable to ping, recheck the network and firewall settings on the gateway.
Step 3: Host-Intranet-Gateway-Internet
For the final test, let’s check whether we can ping a public IP from any host within the LAN. From a workstation on the LAN try the following tests.
Ping the Intranet server.
ws51 ~# ping 192.168.1.1
Ping the gateway server.
ws51 ~# ping 192.168.0.1
For this to work, the NAT on the Intranet server should be working correctly.
Finally, ping a public IP.
ws51 ~# ping 202.54.1.30
Now that we have our basic network settings alive and kicking, we can proceed to configuring the various services on the Intranet server. The following articles will take you through these configurations.
Shanker Balan is a technology research consultant with Exocore Consulting