Getting in the Fast Lane
Now that you have your card or cards set up, go ahead and boot into Linux. First, login or su as root and run the command ifconfig. You'll get a few paragraphs of information, stating the status of your network interfaces. At this point, your Ethernet interfaces (eth0, eth1) will not be listed, since you haven't configured them yet. The only interfaces listed should be the loop back interface, and anything else you have already set up.
What we wish to do now is set up each interface. In the case of a single Ethernet card system, issue the following command:
replacing x.x.x.x with your specified IP address. This number is provided by your ISP (Internet service provider). Also change the eth0 to whichever interface you wish the address to be mapped to. Now, run ifconfig as root. You will see the eth0 interface listed, with all the card details and transmission statistics. If you have a second card, issue the same command, this time with eth1 instead of eth0 and the internal network IP address. For your internal network, the addresses should be in the form of 192.168.0.0, with 192.168.1.1 being the machine that is going to host the connection. In other words, all your other machines should be assigned 192.168.1.1, 192.168.1.2, 192.168.1.3, etc. These IP addresses are not publicly routed on the Internet and should not interfere with the outside world.
With the interfaces set up, it's time to set up routing. This may sound complicated, but it is quite easy once you are familiar with the route command. This command controls the flow of data between all network interfaces. The route man page gives complete details of all the intricacies of this command. For now, use this series of commands to configure routing:
route add route add default gw route add -net 192.168.1.0 eth1
Replace the gateway_address flag with your actual gateway machine address, also provided by your ISP. The first two commands tell the machine that the host gateway_address can be accessed directly via the eth0 interface. The third command says that the default route (0.0.0.0, any machine) should be accessed through the gateway gateway_address. The last line indicates that any machine in network 192.168.1.0 can be accessed through the interface eth1. Put these three lines and the ifconfig line above into the startup script, usually found in /etc/rc.d for Slackware or /etc/rc.d/rc.init for Red Hat. Check your documentation for your distribution.
Now set up DNS resolutions by editing the /etc/resolv.conf file to include the following lines:
domain isp.com nameserver nameserver
Replace isp.com with your ISP's domain, and replace x.x.x.x with your ISP's primary name server, and y.y.y.y with your ISP's secondary name server. If you don't have a secondary name server, don't worry, only one is actually needed. After you've added these lines, save the files and reboot.
When your computer is back on-line, you will be able to use your cable modem on the host machine to execute the regular Internet functions such as FTP, TELNET and visiting the WWW.
To effectively share bandwidth between computers without actual IP addresses for each computer, use internal IP addresses as discussed above. The masquerading server forwards packets from each of the client machines to the Internet and relays the packets back to the client machines. This is done quite efficiently, with little noticeable load on the server. A tool called ipfwadm is used to set up “rules” for IP forwarding and denying. The following commands should also be added to one of your startup scripts (see Listing 1), after the ifconfig and route sections:
ipfwadm -F -p deny ipfwadm -F -a M -S 192.168.1.0/24 -D 0.0.0.0/0
The first command tells ipfwadm to change the policy for IP firewalling to deny. The second command is a little more complicated; it instructs ipfwadm to append the commands that follow, which in this case are the M, -S and -D flags. The M adds a masquerade rule, which states that all packets with a source address of 192.168.1.0 and a destination address of 0.0.0.0 (which basically means any host machine) are accepted. The /24 specifies the number of set bits in the netmask. Remember, in binary, you can only have a set or unset bit, and in netmasks, the value is always 255 or 11111111 in binary. You can also replace the 24 with the real netmask, which in this case would be 255.255.255.0. The zero in the -D rule just means that any netmask is allowed. The man page for ipfwadm for more details.
At this point, it is a good idea to restart, run all the scripts and load all the modules. If you don't want to bring the machine down, you can re-run the startup scripts and hope for the best.
Fast/Flexible Linux OS Recovery
On Demand Now
In this live one-hour webinar, learn how to enhance your existing backup strategies for complete disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible full-system recovery solution for UNIX and Linux systems.
Join Linux Journal's Shawn Powers and David Huffman, President/CEO, Storix, Inc.
Free to Linux Journal readers.Register Now!
- Server Hardening
- The Death of RoboVM
- EnterpriseDB's EDB Postgres Advanced Server and EDB Postgres Enterprise Manager
- BitTorrent Inc.'s Sync
- The Humble Hacker?
- The US Government and Open-Source Software
- Open-Source Project Secretly Funded by CIA
- ACI Worldwide's UP Retail Payments
- New Container Image Standard Promises More Portable Apps
- AdaCore's SPARK Pro
In modern computer systems, privacy and security are mandatory. However, connections from the outside over public networks automatically imply risks. One easily available solution to avoid eavesdroppers’ attempts is SSH. But, its wide adoption during the past 21 years has made it a target for attackers, so hardening your system properly is a must.
Additionally, in highly regulated markets, you must comply with specific operational requirements, proving that you conform to standards and even that you have included new mandatory authentication methods, such as two-factor authentication. In this ebook, I discuss SSH and how to configure and manage it to guarantee that your network is safe, your data is secure and that you comply with relevant regulations.Get the Guide