Webserver Project

When we installed an ADSL connection it seemed like a good idea to connect our network to the internet through a dedicated server instead of through one of the machines we actually work on. Running CPU-intensive tasks like compilers and games slowed down both the gateway computer and the network traffic.


At first we were running one of our machines as a proxy server (using WinProxy). This solution worked, but the problem was maintenance. On every machine in the network you need software that can connect through a proxy, which is not always possible with the standard software supplied with your Operating System. Programs like FTP and Telnet don't work with a proxy, at least not the ones from Microsoft, and the standard versions that come with Linux don't support it either. So we had to install new software for this. And for all other programs (MS Internet Explorer, Netscape Navigator, Outlook, RealAudio Player, Seti@home, ...) you have to make special adjustments to use a proxy server.

IP Masquerading

So we came up with the idea to use a Linux box as gateway and use IP Masquerading instead of a proxy server to manage network traffic. When you are using Masquerading techniques you don't have to tell the software running on your machines in the internal network that you use a proxy. Only tell the machine (on Operating System level, not on Application level) what your gateway machine is and bingo ... Don't forget to tell the machine where the DNS server is, otherwise the machine cannot convert Domain Names into IP addresses and will not connect to the internet properly.

IP Masquerade is a networking function in Linux similar to the one-to-many NAT (Network Address Translation) found in many commercial firewalls and network routers. For example, if a Linux host is connected to the Internet via PPP, Ethernet, etc., the IP Masquerade feature allows other "internal" computers connected to this Linux box (via PPP, Ethernet, etc.) to reach the Internet as well. Linux IP Masquerading allows this even though the internal machines don't have officially assigned IP addresses.
MASQ allows a set of machines to invisibly access the Internet via the MASQ gateway. To other machines on the Internet, all this outgoing traffic will appear to come from the IP MASQ Linux server itself. In addition to the added functionality, IP Masquerade provides the foundation to create a VERY secure networking environment. With a well built firewall, breaking the security of a well configured masquerading system and internal LAN should be considerably difficult.
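As an added example (not the original page's configuration), here is a minimal netfilter/iptables rule set of the kind a gateway like this would run: default-deny forwarding, the masquerade rule itself, a spoofing check, and the ports for the services the page hosts (DNS, SMTP, HTTP). The interface names ppp0/eth0 and the network 192.168.1.0/24 are assumptions; set DRY_RUN=1 to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the original page's script. Assumed names: ppp0 is the
# ADSL (external) interface, eth0 the LAN, 192.168.1.0/24 the internal net.
# DRY_RUN=1 prints the rules instead of applying them (no root/iptables needed).
EXT_IF=${EXT_IF:-ppp0}
INT_IF=${INT_IF:-eth0}
LAN=${LAN:-192.168.1.0/24}

ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

masq_rules() {
    ipt -F
    ipt -t nat -F
    # Default deny for what reaches the box and for what it forwards
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The LAN side may reach the gateway itself (POP3, NTP, DNS, ...)
    ipt -A INPUT -i "$INT_IF" -s "$LAN" -j ACCEPT
    # Services the page offers to the outside world: DNS, SMTP and HTTP
    for port in 53 25 80; do
        ipt -A INPUT -i "$EXT_IF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    ipt -A INPUT -i "$EXT_IF" -p udp --dport 53 -j ACCEPT
    # A packet from the Internet claiming an internal source address is spoofed
    ipt -A FORWARD -i "$EXT_IF" -s "$LAN" -j DROP
    # LAN may go out; only replies to those connections come back in
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The masquerade: outgoing LAN traffic gets the ADSL address as source
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j MASQUERADE
}

enable_forwarding() {
    # Route between the interfaces and enable reverse-path filtering
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "ip_forward=1 rp_filter=1"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
        echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    fi
}
# Apply only when explicitly asked for: APPLY=1 sh gateway.sh
if [ "${APPLY:-0}" = "1" ]; then
    enable_forwarding
    masq_rules
fi
```

Run it with DRY_RUN=1 first and read the printed rules; the order matters, because the spoofing DROP must come before the FORWARD ACCEPT rules.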

Installing the software

Most of the software can be installed out of the box. We use RedHat 7.1 with a 2.4 kernel. This version supports the latest firewalling software, Netfilter with iptables. Older versions (2.2 kernels) use ipchains, which works similarly.
The ADSL software had to be downloaded separately, because the PPP daemon needs some adjustments to work with KPN's Mxtream. You can download this software from the ADSL4Linux website. With this software you can run PPP over an ethernet card instead of over a normal modem connection.
To check if the connection is still available we run a cron job every 10 minutes:
0,10,20,30,40,50 * * * *        /etc/ppp/cron_ppp
The script itself looks like this:
#!/bin/csh -f

# Script that checks if ppp0 device is present. If not then start
# ADSL connection again

set ppp=`/sbin/ifconfig | grep ppp0`
if ("A$ppp" == "A") then
  /usr/sbin/adsllogin
endif

Although the standard kernel worked directly with ADSL, we have recompiled the kernel, stripped all useless modules and added some extra features to support all our hardware. By doing this you can optimize the kernel performance and boot time, and do a few extra things to increase security. Every piece of software that you don't use is an extra security risk. On average we see at least two attempts per day to break into our system (port scans, backdoor openings and other attacks). At the time of this writing the Code Red Worm is attacking our system. A few days ago we had 49 attacks in one day! So make sure your security is good enough before you put a machine online 24 hours per day. Similar numbers have been reported by friends who use a cable modem, so it is a general problem.

Because we are mostly using Outlook to read our mail (except on Linux machines) we have added a POP3 daemon on our server as well. Now we don't have to log into the server to read the mail coming in.

Running your own domain

Since our external IP address is a static one we decided to get our own domain name. After doing a survey on the web and reading lots of articles I found a very cheap company called Gandi where you can register your domain. Since they don't do any web hosting and prefer not to do DNS hosting (at least not primary DNS, although they can do it with certain limits) they don't have a lot of overhead. You can find cheaper companies (even free ones), but they either place banners on your page, or they demand to host your website for a lot of money. We run our own primary DNS server and also host our own website, so the only thing we need is registration by an ICANN accredited registrar. This was very easy and 13 hours after registration we were known on the internet.
Setting up Sendmail was a bit more tricky. The configuration seemed not very difficult, but it only worked from the server to the outside world. It looks like either the kernel (using Netfilter) or xinetd was preventing access to the sendmail port, so when I added sendmail to the list of services of xinetd and stopped running sendmail as a daemon it worked. The xinetd service looks like this:
# sendmail started by xinetd per connection, in SMTP-on-stdin mode (-bs);
# at most 20 simultaneous instances (the attribute is "instances", not "instance")
service smtp
{
        socket_type             = stream
        protocol                = tcp
        wait                    = no
        user                    = mail
        server                  = /usr/local/sbin/tcpd/sendmail
        server_args             = -bs
        nice                    = 5
        instances               = 20
}
When you don't run it as a daemon you have to start a cron job that checks every now and then whether there is mail waiting in the queue:
*/10 * * * *    /usr/sbin/sendmail -q

Other services

We also installed a Network Time Daemon on our server to synchronize the system time with another NTP server. Check out the latest software from www.ntp.org. Compile it and the software installs out of the box. Find an NTP server and add it to /etc/ntp.conf. Run ntpd and you have a machine that synchronizes itself automatically.
On the other Linux machines in the network you can install the same software and let it point to your own server (Master-Slave configuration). MS Windows also has a time synchronization program, but it only talks via NetBEUI and does not use the SNTP protocol. So install for instance Automachron, a free utility that talks SNTP. Now all our machines run at the same precise time.