On July 6, Jack Wallen discussed setting up simple network solutions with Linux. If you couldn’t join us then, enjoy the transcript. We hope to see you on our next live Guild Meeting. You can find a schedule of Guild Meetings in your weekly TechProGuild Note TechMail or on the Guild Meeting calendar.
Note: TechProGuild edits Guild Meeting transcripts for clarity.
Let’s talk Linux
JACK WALLEN: Hey, everyone! Welcome to tonight's Guild Meeting, where we’ll be talking about Linux!
MODERATOR: Hey, everyone! Thanks for stopping by tonight's Guild Meeting! Tonight, TechRepublic's own Jack Wallen, Jr., is here to discuss setting up simple networking solutions with Linux!
Tonight's chattiest member will be eligible to win this month's fantastic prize: Novell Press' Novell's CNE Study Guide for NetWare 5 (retailing at $175).
Jack, you ready to get started?
JACK WALLEN: Before I get on my soapbox (as you all know I do), I want to ask one simple question: What's the most difficult aspect of networking with Linux?
MODERATOR: Is it being compatible with the rest of the Microsoft Windows users in the office?
JACK WALLEN: You got it, Miss Moderator. Let's hear it for Miss Moderator 2000!
MODERATOR: Dang, I thought I was being sarcastic!
TRENTCOOK: I’d say dealing with the firewall.
JACK WALLEN: Firewall is a good answer as well.
JIM MCINTYRE: It's all relative. Linux has an undue reputation for being complex. But I think the most difficult aspect of Linux is the volume of information to be absorbed.
TRENTCOOK: Good point.
JIM MCINTYRE: Priorities are sometimes difficult.
JACK WALLEN: Very correct, Jim. It's funny how you think there is not enough information on something when, in fact, there is too much sometimes. It's hard to wade through what is useful and what is not. For instance, look at the how-to list. Anyone ever take a look at the Linux networking how-tos? In any flavor?
LHJP: I’d say the most difficult aspect of networking with Linux is setting it up and having it work the first time.
JACK WALLEN: Don't worry, LHJP, we're going to try to help you out tonight.
JACK WALLEN: I first want to talk about setting up a basic network solution if no one minds. Let's take a look at the tools we have at our hands. Now I want to show a bias right now and say that we are going to focus on Red Hat Linux because with Red Hat Linux, you have some very powerful network configuration tools available. The first and foremost of them is netconf. Netconf is a “module” (so to speak) of the more powerful linuxconf tool. With netconf you can configure nearly every aspect of networking.
JIM MCINTYRE: Linuxconf itself is good, but 60,000 lines of code probably mean some security problems.
MIKE345: So is it Samba in Red Hat you use for networking?
JACK WALLEN: Samba is an amazing tool that allows you to integrate a Linux box with a Windows environment. Speaking of which, remind me later to tell you all about the most amazing tool of the month.
TRENTCOOK: Jack, I have a couple questions for you if you don’t mind. I’m setting up a firewall on RH 6.2. Do you know much about setting up IPMASQ?
JACK WALLEN: I know a bit about ip_chains and masquerading (if you're talking about using a Linux machine as a “gateway” so that others can masquerade its IP). Is that what we're talking about, Trent?
TRENTCOOK: Yes, sir. When I run /sbin/depmod -a for loading modules, I get /lib/modules/2.2.12-20/net/wanpipe.o: unresolved symbols. I get about 16 errors like this. Do you know why?
JACK WALLEN: Well the first thing I see in that error is (and you'll pardon me for seeming like a snob) an old kernel. You are wanting to run a very modular kernel I take it, Trent?
TRENTCOOK: Yes, Jack, you are right. Odd thing is that I recompiled the kernel and did a make modules and make modules_install, but it still won’t load them at boot. Where did I go wrong?
JIM MCINTYRE: The problem is probably related to the last time you rebuilt your kernel. Did you run the make dep and make clean commands when you compiled?
TRENTCOOK: Yes, I did, Jim.
JACK WALLEN: Well as much as I hate to admit it, I prefer not to run modular kernels. This is primarily because I do so much testing and don't want to constantly be having to load and unload modules. I generally stick with the slower, more bulky stock kernels.
TRENTCOOK: I am using ipchains. It just seems the bad thing with me is getting the modules to load, either when loading the chains or even at boot after I’ve recompiled the kernel. I used all the commands, dep and clean. What could be some hitch-ups from loading the modules? I did an lsmod, and the only modules that are running are the two for my NICs.
JACK WALLEN: Jim Mcintyre, do you want to take this kernel question?
JIM MCINTYRE: Trentcook, what type of connection are you using?
TRENTCOOK: The second question I have goes with the first. /sbin/modprobe ip_masq_raudio can’t locate module ip_masq_raudio? Do you know why it can’t find them?
JACK WALLEN: Did the 2.2.12 kernel even support the raudio? I didn't think it did. What I typically do with masq is load it through ipchains. I feel this is a bit more flexible and more secure, although slower. In order to enable IP masquerading, you have to first enable it on the machine that is connected directly to the outside network. In order to do that, you can insert the following two lines in your /etc/rc.d/rc.local script (or you can put it in an ipchains script, which is safer). The first line is echo 1 > /proc/sys/net/ipv4/ip_forward. The second line is ipchains -A forward -s PRIVATE_IP/255.255.0.0 -j MASQ. Where I have PRIVATE_IP, you'll insert the private IP addy like 172.22.1.0. One thing you really need to remember (or learn) is how to restart your network on your machine. When you make a change in Windows networking, what do you have to do? Anyone?
JACK WALLEN: You have to reboot! But with Linux, all you have to do is restart the network. In order to do this, you have to run only a very simple command (one you will soon memorize): /etc/rc.d/init.d/network restart. And that's all you have to do.
Setting up a Linux network
JACK WALLEN: So LHJP, you want to set up a network. I want you to define the parameters. Are you setting up a private network? How many machines will be on the network?
LHJP: I’m setting up a home network with two 486 DX 66 and a 686.
JACK WALLEN: What do you want to do with each machine? I'm assuming that the 686 is the desktop, the one 486 is a server, and the other 486 is a firewall. Am I correct?
LHJP: The 486 is a server, but I don’t have a firewall setup.
JACK WALLEN: Okay, let's start with your first 486 that will serve as your server. What you are going to do is assign it a private IP address. In netconf, you'll see in the basic host information a tab for each device. So in the first device, you'll give it a host name and domain name, say server.lhjp. Then you'll give it an IP addy like 172.22.1.1. Oh, before the IP, you'll have to give it a nickname; this can simply be “server.” After the IP addy, you'll need to skip down to the device name. This will be something like eth0 or eth1. If it's the first device, it will be eth0. Then you have to tell it which driver to use. Hopefully you're using a compatible card—3Com 59x, Realtek, Farallon, and IBM are all good cards. Once you've selected the driver (from a drop-down list), you'll click OK and then move down to the Name Server Specification section. Here you want to configure your DNS if you're going to be going to an outside line. Once the DNS is entered, you'll then okay those and go to the Routing And Gateway section. This section is very important if you are connecting your private network to the outside world.
Within your network, one of those machines is going to be directly connected to the outside network. Let's say it's your firewall. Your firewall will have to have two NICs. One of these NICs will go to the outside world and one to your private network. The private network IP addy will be the gateway address for all your other machines. That is very important, especially when setting up IP masq. For those of you who don't know what IP masquerading is, it is the ability to have a “farm” (or a group) of machines all share one IP address to the outside world.
CLAUDEFERLAND: Jim McIntyre, is there a way of configuring RH or other Linux versions to use dynamic routing protocols, the way you would with RIP in NT?
JACK WALLEN: Okay, we have one question for Mr. McIntyre. By the way everyone, Mr. McIntyre is one of my regular Linux writers!
CLAUDEFERLAND: Mr. Wallen, feel free to answer, too.
JACK WALLEN: Isn't there a section in netconf that allows you to configure routing protocols?
CLAUDEFERLAND: Possibly, I'm quite new to networking with Linux, and Linux in general.
JACK WALLEN: I know very little about RIP in NT. Can you explain briefly what that is so I might be able to draw a comparison?
CLAUDEFERLAND: Let's say you want your machines to communicate over the Internet through your gateway. You could configure your gateway with dynamic routing protocols so that you wouldn't have to enter routing tables manually. This way, routers communicate automatically between themselves and update each other.
JIM MCINTYRE: If you use RIP, don't use routed in active mode. Routed broadcasts everything, whether it's correct or not. Gated allows the routes to be specified. This reduces information overload. Gated may also be used to send RIP updates to specific gateways, instead of a network-wide broadcast. On client machines, use routed -q or listen passively with routed.
I'm sorry. I didn't explain RIP. RIP (router information protocol) is used to advertise the status of routers and determine the path to use for data transfers.
CLAUDEFERLAND: Anything else Jim?
JIM MCINTYRE: Claude, you may also use gated to broadcast routing information as RIP. In general, gated gives you much more control. RIP is a fairly dumb protocol.
Claude, everything I just said applies to UNIX, so it is probably transferable to Linux.
CLAUDEFERLAND: Jim, where do routing protocols in Linux get more of their properties: link state or distance vector protocols?
JIM MCINTYRE: I'm pretty sure they are available to Linux. The choice depends upon the network complexity and how much is known about remote network topologies.
CLAUDEFERLAND: Thanks for your help, Jim.
JIM MCINTYRE: Claude, glad to help out. Unfortunately, I can't be more precise.
TRENTCOOK: What would an error eth0: RTL8139 interrupt line blocked, status 4 mean? The NIC works, but every so often, that line pops up on the screen?
JACK WALLEN: That actually sounds not like a network problem but a hardware irq conflict. What type of NIC are you using?
TRENTCOOK: It’s actually a D-Link 538TX. There are two; both work, but I was thinking that they both are fighting for an interrupt or something?
JACK WALLEN: Are they the same type of card?
TRENTCOOK: Yes, sir, they are.
JACK WALLEN: That could be the problem. For some reason, Linux has issues with using the same type of card in a machine. It has to do with getting confused on devices. I bet if you swap one of those cards out with a different type (especially if they are 3Com), you won't have that problem.
TRENTCOOK: Thanks. I’ll give it a try.
Configuring your gateway
JACK WALLEN: Let's see about visiting some common problems with networks and some common debugging tools. One of the most common mistakes in Linux networking is forgetting to configure the gateway. Let's say you have an IP addy (and this is a fake addy I hope) of 220.127.116.11. Typically speaking (and there are exceptions of course) your gateway is going to be your IP addy with the last section truncated and a 1 added so your IP would be 18.104.22.168.
RZAM: I have a small network accessing the Internet through a cable modem with DHCP. Would it be possible for me to set up a mail server on my network using a Linux (or any) box?
JACK WALLEN: In Windows, when you're on a LAN, typically you don't ever have to touch anything with networking. It's usually configured for DHCP, and that's that. All networking information is handed out to you by a DHCP server. Linux can do this as well. In the same configuration tool (netconf), all you have to do is select DHCP, give the machine a name, enter the LAN's domain, configure which device and driver you are using, and you're off and running. Once you configure this, you simply run everyone's favorite command. Anyone want to try to tell me what that command is?
EENGELKING: Make? LOL
JACK WALLEN: Silly people. It’s /etc/rc.d/init.d/network restart.
Obtaining low-level security
TRENTCOOK: Are the access.deny and access files a good way for very low-level security?
JACK WALLEN: Okay, Trent. Do you mean hosts.deny and hosts.allow files?
TRENTCOOK: Yes, I do. Are these a good starting point for Linux net security?
JACK WALLEN: Those files are a way to deny certain services, but they really aren't a good thing to rely on. If you really want security, you should do one of two things (or both): Look into ipchains or use portsentry. Portsentry is a very good tool for basic security. What it does is monitor all incoming port requests, and when a request that is not allowed tries to come in, it logs it and puts the IP addy of the offender into the /etc/hosts.deny file. The hosts.deny file basically says that certain IP addys are not allowed access to services.
Can Linux ping?
CLAUDEFERLAND: Jack, does Linux have the equivalent of ping or traceroute commands to test connectivity?
JACK WALLEN: Yes, Claudeferland, within a console (or terminal or whatever you want to call it), you can use ping, ifconfig, traceroute, netstat, and all sorts of other tools. These are all very good debugging tools for networking.
A lot of people I know, when they have a networking problem, start up a browser to see if it's working. This isn't the best idea because it's slow and, to be honest, browsers are pretty stupid tools. They lack any sort of intelligence. The first thing I do when I have a networking problem is run ping. I first ping an internal IP addy and then an external host name (something like yahoo.com). This will tell you more than you think. If the internal addy works and the host.domain name does not, it could easily be your DNS. If the host.domain does not work, then try to ping an external IP address. I usually use my @home IP addy.
CLAUDEFERLAND: Sorry Jack. I just realized that my question might have been a little dumb. I was forgetting that all those config tools were linked to TCP/IP and, hence, were pretty much platform-independent.
JACK WALLEN: No problem. Many of those tools have migrated across.
JIM MCINTYRE: Claude, you will probably like the Linux versions of ping and traceroute much better than the MS versions.
A problem with pinging
TRENTCOOK: Jack, I have ipchains running, and I can ping the internal and external NIC of the Linux firewall. But for some reason, a ping to any external host on the Internet times out. I thought ICMP forward was all setup, and wouldn’t you think that I would not be able to ping the external NIC of the firewall from inside?
JACK WALLEN: If you run ipchains -L, what do you get on your POLICY statements? Are you getting any denies that would not allow traffic out? That happened to me.
I have an immense ipchains script that I run that had a catchall at the end that blocked most of my outgoing traffic.
TRENTCOOK: I want to set up something very secure, starting low and working my way up.
JACK WALLEN: Trent, would you like me to send you my ipchains script? You can take a look at it (and of course use it if you like).
TRENTCOOK: That would be great, Jack.
CLAUDEFERLAND: Trentcook, have you tried pinging from your gateway/firewall machine?
JACK WALLEN: Yes, I've pinged the old gateway and broadcast to see if the NIC is even responding.
A cool app
JACK WALLEN: Okay, before we have to end, I have to tell you about the single coolest app of the month. This month, I'm keen on a little ditty called LinNeighborhood.
EENGELKING: I’ve seen LinNeighborhood. It’s superb.
JACK WALLEN: LinNeighborhood is the network neighborhood of Linux and works just as easily and well! If you didn't gasp at that statement, then you've yet to try to fully integrate with a Windows environment. LinNeighborhood actually makes working in a Windows environment (with Linux) as easy as if you're on a Windows machine yourself. Basically, it is a front-end for both the smbmount and smbclient commands and runs them better than anyone I know can! If working within a Windows network has stopped you from using Linux, get LinNeighborhood, and you'll change your mind! Basically, all you have to do is configure your workgroup, and you're going. Of course, you have to have a working Samba configuration.
RZAM: I’m confused! Doesn't Samba do the same thing?
JACK WALLEN: Yes, it does, but this is the first GUI for Samba that actually works, and it somehow gets around a few of the problems that smbmount has.
Smbmount is the protocol that allows you to “mount” Windows shares on a Linux directory. The problem is that it eventually unmounts (if anything on the Windows share changes), and no one has seemed to solve this issue.
TRENTCOOK: Swat is an easy way to get Samba up and running as well.
KENNETH_ERICKSON: Where can I get LinNeighborhood?
CLAUDEFERLAND: Is LinNeighborhood an RPM you have to download?
JACK WALLEN: If you do a search on www.freshmeat.net for LinNeighborhood, you'll find the Web site and an RPM version.
Smbmounting from a Linux box
TRENTCOOK: What is the command-line syntax for smbmounting from a Linux box to Windows?
JACK WALLEN: The command-line syntax is smbmount //windows_machine/share_name /linux/mount/path, but you have to have smbmount with the root bit suid. Therefore, you have to run (beforehand - as root) chmod u+s /usr/smbmount.
(At least I think it's /usr/smbmount; it may be /usr/sbin/smbmount.… I've confused myself!)
KENNETH_ERICKSON: Where can I find more about firewalls?
JACK WALLEN: I have a Drill Down about Linux ipchains coming up. But in the meantime, there's a great book called Linux Firewalls. The publisher is New Riders or something like that.
JIM MCINTYRE: I've used the Linux Firewalls book from New Riders. It is very good.
JACK WALLEN: Thanks to all who attended tonight. If you have any Linux questions, please feel free to e-mail me at email@example.com, and I'll do everything I can to answer them!
MODERATOR: Thanks to everyone for stopping by tonight!
ADAVIS: Jack, you could help us out by having a Linux topic for each Guild Meeting.
JACK WALLEN: Hey, I'm trying to make them all Linux-centric! I'll see what I can do. Take care everyone. I'm out of here.
MODERATOR: Good night, everyone!
Our Guild Meetings feature topflight professionals leading discussions on interesting and valuable IT issues. You can find a schedule of Guild Meetings in your weekly TechProGuild Note TechMail or on the Guild Meeting calendar.
Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.