14. How to Convert Your Linux Server into a Simple Router
Router/firewall appliances that provide basic Internet connectivity for a small office or home network are becoming more affordable every day, but when budgets are tight you might seriously want to consider modifying an existing Linux server to do the job.
Details on how to configure Linux firewall security are covered in Chapter 14, "Linux Firewalls Using iptables ", but you need to understand how to activate routing through the firewall before it can become a functioning networking device.
Configuring IP Forwarding
For your Linux server to become a router, you have to enable packet forwarding. In simple terms packet forwarding enables packets to flow through the Linux box from one network to another. The Linux kernel configuration parameter to activate this is named net.ipv4.ip_forward and can be found in the file /etc/sysctl.conf. Remove the "#" from the line related to packet forwarding.
Before:
# Disables packet forwarding
net.ipv4.ip_forward=0
After:
# Enables packet forwarding
net.ipv4.ip_forward=1
This enables packet forwarding only when you reboot at which time Linux will create a file in one of the subdirectories of the special RAM memory-based /proc filesystem. To activate the feature immediately you have to force Linux to read the /etc/sysctl.conf file with the sysctl command using the -p switch. Here is how it's done:
[root@bigboy tmp] sysctl -p
sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
kernel.sysrq = 0
kernel.core_uses_pid = 1
[root@bigboy tmp]#
Please refer to Appendix I for more information on adjusting kernel parameters.
15. Configuring Proxy ARP
If a server needs to send a packet to another device on the same network, it sends out an ARP request to the network asking for the MAC address of the other device.
If the same server needs to send a packet to another device on a remote network the process is different. The server first takes a look at its routing table to find out the IP address of the best router on its network that will be able to relay the packet to the destination. The server then sends an ARP request for the MAC address that matches the router's IP address. It then sends the packet to the router using the router's MAC address and a destination IP address of the remote server.
If there is no suitable router on its network, the server will then send out an ARP request for the MAC address of the remote server. Some routers can be configured to answer these types of ARP requests for remote networks. This feature is called proxy ARP. There are some disadvantages with this. One of the most common problems occurs if two routers are on the network configured for proxy ARP. In this scenario there is the possibility that either one will answer the local server's ARP request for the MAC address of the remote server. If one of the routers has an incorrect routing table entry for the remote network, then there is the risk that traffic to the remote server will occasionally get lost. In other words you can lose routing control.
Note: It is for this and other reasons that it is generally not a good idea to configure proxy ARP on a router. It is also good to always configure a default gateway on your server and use separate routing entries via other routers for all networks your default gateway may not know about.
Some types of bridging mode firewalls need to have proxy ARP enabled to operate properly. These devices are typically inserted as part of a daisy chain connecting multiple network switches together on the same LAN while protecting one section of a LAN from traffic originating on another section. The firewall typically isn't configured with an IP address on the LAN and appears to be an intelligent cable capable of selectively blocking packets.
If you need to enable proxy ARP on a Linux server the /proc filesystem comes into play again. Proxy ARP is handled by files in the /proc/sys/net/ipv4/conf/ directory. This directory then has subdirectories corresponding to each functioning NIC card on your server. Each subdirectory then has a file called proxy_arp. If the value within this file is 0, then proxy ARP on the interface is disabled; if the value is 1 then it is enabled.
You can use the /etc/sysctl.conf file mentioned in Appendix II to activate or disable proxy ARP. The next example activates proxy ARP, first for all interfaces and then for interfaces eth0 and wlan0.
#
# File: /etc/sysctl.conf
#
# Enables Proxy ARP on all interfaces
net/ipv4/conf/all/proxy_arp = 1
# Enables Proxy ARP on interfaces eth1 and wlan0
net/ipv4/conf/eth1/proxy_arp = 1
net/ipv4/conf/wlan0/proxy_arp = 1
You can then activate these settings with the sysctl command.
[root@bigboy tmp] sysctl -p
16. Configuring Your /etc/hosts File
The /etc/hosts file is just a list of IP addresses and their corresponding server names. Your server will typically check this file before referencing DNS. If the name is found with a corresponding IP address then DNS won't be queried at all. Unfortunately, if the IP address for that host changes, you also have to also update the file. This may not be much of a concern for a single server, but can become laborious if it has to be done companywide. For ease of management, it is often easiest to limit entries in this file to just the loopback interface and also the server's own hostname, and use a centralized DNS server to handle most of the rest. Sometimes you might not be the one managing the DNS server, and in such cases it may be easier to add a quick /etc/hosts file entry till the centralized change can be made.
192.168.1.101 smallfry
In the example above server smallfry has an IP address of 192.168.1.101. You can access 192.168.1.101 using the ping, telnet or any other network aware program by referring to it as smallfry. Here is an example using the ping command to see whether smallfry is alive and well on the network:
[root@bigboy tmp]# ping smallfry
PING zero (192.168.1.101) 56(84) bytes of data.
64 bytes from smallfry (192.168.1.101): icmp_seq=0 ttl=64 time=0.197 ms
64 bytes from smallfry (192.168.1.101): icmp_seq=1 ttl=64 time=0.047 ms
--- smallfry ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 2017ms
rtt min/avg/max/mdev = 0.034/0.092/0.197/0.074 ms, pipe 2
[root@bigboy tmp]#
You can also add aliases to the end of the line which enable you to refer to the server using other names. Here we have set it up so that smallfry can also be accessed using the names tiny and littleguy.
192.168.1.101 smallfry tiny littleguy
You should never have an IP address more than once in this file because Linux will use only the values in the first entry it finds.
192.168.1.101 smallfry # (Wrong)
192.168.1.101 tiny # (Wrong)
192.168.1.101 littleguy # (Wrong)
17. The loopback Interface's localhost Entry
Usually the first entry in /etc/hosts defines the IP address of the server's virtual loopback interface. This is usually mapped to the name localhost.localdomain (the universal name used when a server refers to itself) and localhost (the shortened alias name). By default, Fedora inserts the hostname of the server between the 127.0.0.1 and the localhost entries like this:
127.0.0.1 bigboy localhost.localdomain localhost
When the server is connected to the Internet this first entry after the 127.0.0.1 needs to be the fully qualified domain name (FQDN) of the server. For example, bigboy.mysite.com, like this:
127.0.0.1 bigboy.my-site.com localhost.localdomain localhost
Some programs such as Sendmail are very sensitive to this and if they detect what they feel is an incorrect FQDN they will default to using the name localhost.localdomain when communicating with another server on the network. This can cause confusion, as the other server also feels it is localhost.localdomain.
Note: You must always have a localhost and localhost.localdomain entry mapping to 127.0.0.1 for Linux to work properly and securely.
Custom Search
No comments:
Post a Comment