When we installed an ADSL connection it seemed like a good idea to connect
our network to the internet through a dedicated server instead of through one
of the machines we work on. Running CPU-intensive tasks like compilers and games
on the gateway slowed down both that computer and the network traffic.
At first we ran one of our machines as a proxy server (using WinProxy). This
solution worked, but the problem was maintenance. On every machine in the network
you need software that can connect through a proxy, which is not always
possible with the standard software supplied with your operating system. Programs
like FTP and Telnet don't work with a proxy, at least not the ones from Microsoft,
and the standard versions that come with Linux don't support it either, so we had to
install new software for them. And every other program (MS Internet Explorer,
Netscape Navigator, Outlook, RealAudio Player, Seti@home, ...) has to be
configured separately to use the proxy server.
So we came up with the idea of using a Linux box as gateway, with IP Masquerading
instead of a proxy server to manage the network traffic. With masquerading
you don't have to tell the software running on the machines in the
internal network that a proxy is in use. You only tell each machine (at the operating
system level, not at the application level) which machine is its default gateway, and bingo ...
Don't forget to tell each machine where the DNS server is as well, otherwise it
cannot convert domain names into IP addresses and will not be able to reach the internet properly.
IP Masquerade is a networking function in Linux similar to the one-to-many NAT (Network
Address Translation) found in many commercial firewalls and network routers. For
example, if a Linux host is connected to the Internet via PPP, Ethernet, etc., the
IP Masquerade feature allows other "internal" computers connected to this Linux box
(via PPP, Ethernet, etc.) to reach the Internet as well. Linux IP Masquerading
provides this even though the internal machines don't have officially assigned
IP addresses: they use private addresses that are not routed on the Internet.
MASQ allows a set of machines to access the Internet via the MASQ gateway without
being visible themselves. To other machines on the Internet, all this outgoing
traffic appears to come from the IP MASQ Linux server itself. Besides the added
functionality, IP Masquerade is a good foundation for a secure network: the gateway
only translates connections that were started from the inside, so an unsolicited
connection from the Internet has no translation entry and can only end up at the
gateway, never at an internal machine. Masquerading alone is not a firewall, though.
The gateway itself is fully exposed, and every service it runs (DNS, web, mail,
POP3, NTP) is reachable from the Internet unless the packet filter says otherwise.
With a well-built firewall on the gateway, breaking into a well-configured
masquerading system and the LAN behind it should be considerably difficult.
Installing the software
Most of the software can be installed out of the box. We use RedHat 7.1 with a
2.4 kernel. This kernel comes with the latest generation of firewalling software, Netfilter
with iptables. Older (2.2) kernels use ipchains, which works in a similar way.
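What a masquerading rule set for this kind of gateway looks like with Netfilter on a 2.4 kernel. This is an added example, not the firewall script from the original page. It assumes ppp0 is the ADSL link, eth0 the internal LAN, and 192.168.1.0/24 the LAN prefix; the only ports it opens towards the Internet are the ones for the services described on this page (mail, DNS, web). POP3 and NTP stay reachable from the LAN only.

```shell
#!/bin/sh
# Masquerading gateway rule set for a 2.4 kernel with Netfilter/iptables.
# Added example: this is not the firewall script from the original page.
# Assumptions: ppp0 is the ADSL link, eth0 the internal LAN, and the LAN uses
# 192.168.1.0/24 (a private prefix that is not routed on the Internet).
EXT_IF=ppp0
INT_IF=eth0
LAN=192.168.1.0/24

# Emit the rule set, one command per line. Keeping it in a function lets you
# read or diff the rules before they are run with root privileges.
masq_rules() {
    cat <<EOF
# forwarding between interfaces is off by default; turn it on and let the
# kernel drop packets whose source address does not belong on that interface
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# start from a clean table and deny everything that is not explicitly allowed
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# anti-spoofing: nothing arriving on the ADSL side may claim a LAN address
iptables -A INPUT -i $EXT_IF -s $LAN -j DROP
iptables -A FORWARD -i $EXT_IF -s $LAN -j DROP
# the LAN may use every service on the gateway (DNS, POP3, NTP, ...)
iptables -A INPUT -i $INT_IF -s $LAN -j ACCEPT
# from the Internet: replies to our own connections plus the services we host
iptables -A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp --dport 25 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $EXT_IF -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp --dport 80 -m state --state NEW -j ACCEPT
# forward LAN traffic out, and only the replies back in
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# rewrite the source address of outgoing LAN packets to the ADSL address
iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN -j MASQUERADE
EOF
}

# Run the rule set. Nothing touches the kernel until this is called as root.
masq_apply() {
    masq_rules | sh -e
}

# List the ports the gateway itself exposes to the Internet: the part of the
# rule set worth re-reading whenever a service is added to the machine.
masq_exposed_ports() {
    masq_rules | grep -- "-i $EXT_IF" | grep -- '--dport' \
        | sed 's/.*--dport \([0-9]*\).*/\1/' | sort -u
}

case "${1:-show}" in
    apply) masq_apply ;;
    ports) masq_exposed_ports ;;
    *)     masq_rules ;;
esac
```

Run it as root at boot (for instance from rc.local) with the argument apply; without an argument it only prints the rules. The ports argument prints 25, 53 and 80, which is exactly what a port scan from an outside host should find open on the gateway; if such a scan shows more, the loaded rule set is not this one.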
The ADSL software had to be downloaded separately, because the PPP daemon needs some
adjustments to work with KPN's Mxtream. You can download this software from the
ADSL4Linux website. With it you
can run PPP over an ethernet card instead of over a normal modem connection.
To check that the connection is still up we run a cron job every 10 minutes:
0,10,20,30,40,50 * * * * /etc/ppp/cron_ppp
The script uses csh syntax (set and if ... then), so it needs a csh interpreter
line; otherwise cron runs it with /bin/sh and it fails. It looks like this:
#!/bin/csh
# Script that checks if the ppp0 device is present (ifconfig only lists
# interfaces that are up). If not, then start the ADSL connection again.
set ppp=`/sbin/ifconfig | grep ppp0`
if ("A$ppp" == "A") then
    # ppp0 is gone: log it and restart the ADSL link. Put the start command
    # of your ADSL package here.
    logger -t cron_ppp "ppp0 is down, restarting the ADSL connection"
endif
Although the standard kernel worked with ADSL right away, we have recompiled the
kernel, stripped all useless modules and added some extra features to support all
our hardware. By doing this you can improve the kernel's performance and boot time, and
do a few extra things to increase security. Every piece of software that you don't
use is extra attack surface. On average we see at least two attempts per day to
break into our system (port scans, probes for backdoors and other attacks). At the time
of this writing the Code Red worm is hitting our system; it targets Microsoft IIS, so
on a Linux web server the attempts only show up in the web server logs, but they show
how much automated scanning goes on. A few days ago we had
49 attacks in one day! So make sure your security is good enough before you put
a machine online 24 hours a day. Friends who use cable modems report similar
numbers, so it is a general problem.
Because we mostly use Outlook to read our mail (except on the Linux machines)
we have added a POP3 daemon on the server as well, so we no longer have to log in to
the server to read incoming mail. Keep in mind that POP3 sends user names and
passwords in clear text, so the POP3 port should only be reachable from the
internal network, not from the ADSL side.
Running your own domain
Since our external IP address is a static one we decided to get our own domain name.
After a survey on the web and reading lots of articles I found a very cheap
company called Gandi where you can register
your domain. Since they don't do any web hosting and prefer not to do DNS hosting
(at least not primary DNS, although they can do it with certain limits) they don't
have a lot of overhead. You can find cheaper companies (even free ones), but they
either place banners on your pages or demand to host your website for a lot
of money. We run our own primary DNS server and also host our own website, so the
only thing we need is registration by an ICANN-accredited registrar. This was very
easy, and 13 hours after registration we were known on the internet.
Setting up Sendmail was a bit more tricky. The configuration did not seem very difficult,
but it only worked from the server to the outside world: nobody could deliver mail to us.
It looked like either the kernel (Netfilter) or xinetd was blocking access to the
sendmail port. A more likely cause on Red Hat 7.x is the default sendmail.cf, whose
DaemonPortOptions makes the daemon listen on 127.0.0.1 only, which gives exactly this
symptom; netstat -tln | grep :25 shows which address the daemon is bound to, and
iptables -L INPUT -n shows whether the packet filter lets port 25 through at all.
Either way, when I added sendmail to the list of xinetd services and stopped running
it as a daemon it worked, because xinetd accepts the connection itself and hands it
to sendmail in SMTP mode (-bs). The xinetd service entry looks like this:
service smtp
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = mail
    server      = /usr/local/sbin/tcpd/sendmail
    server_args = -bs
    nice        = 5
    instances   = 20
    disable     = no
}
Since the port is now open to the whole Internet, make sure sendmail does not relay
mail for arbitrary hosts (versions from 8.9 on refuse this by default), and check it
once from an outside machine. When you don't run sendmail as a daemon, nobody processes
the mail queue (the job of the daemon's -q option), so you have to add a cron job
that runs the queue every now and then:
*/10 * * * * /usr/sbin/sendmail -q
We also installed a Network Time daemon on our server to synchronize the system
time with another NTP server. Get the latest software from
www.ntp.org; compile it and it installs
out of the box. Find an NTP server, add it to /etc/ntp.conf, run ntpd and you have
a machine that synchronizes itself automatically.
On the other Linux machines in the network you can install the same software and
point it at your own server (master-slave configuration), so only the gateway has to
talk to an outside time server. MS Windows also has a
time synchronization program, but it only talks via NetBEUI and does not use the
SNTP protocol, so install for instance Automachron, a free utility that talks SNTP.
Now all our machines run at the same precise time.
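What the ntp.conf files for this master-slave setup can look like, as an added example rather than the files from the original page. The upstream server name (ntp.example.org), the gateway's LAN address (192.168.1.1) and the LAN prefix (192.168.1.0/24) are assumptions. The restrict lines are the security-relevant part: ntpd listens on UDP port 123 on every interface, including the ADSL side, and without them any host on the Internet can query the daemon and use the gateway as a time server.

```conf
# /etc/ntp.conf on the gateway (added example; server name and LAN prefix
# are assumptions)
driftfile /etc/ntp/drift

# Deny everything by default: no time service, no queries, no modifications.
restrict default ignore

# The machine itself may do anything.
restrict 127.0.0.1

# The upstream server we synchronize from. It may exchange time with us,
# but may not modify our configuration, send traps or query our status.
server ntp.example.org
restrict ntp.example.org nomodify notrap noquery

# LAN clients (assumed 192.168.1.0/24) may ask for time and look at the
# daemon's status, but not reconfigure it.
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# /etc/ntp.conf on an internal Linux machine (the slave side): synchronize
# from the gateway (assumed 192.168.1.1) only and accept nothing from anyone
# else. Shown commented out so both files fit in one listing.
# driftfile /etc/ntp/drift
# restrict default ignore
# restrict 127.0.0.1
# server 192.168.1.1
# restrict 192.168.1.1 nomodify notrap noquery
```

After restarting ntpd, ntpq -p on each machine lists its peers and shows whether it has actually synchronized; from a LAN client it should show the gateway as its only source.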