Next Previous Contents

3. Common Administration Tasks

So many things to do, so little time! Here is where the fun begins. This section is rather network-centric, though many other tasks await you.

Networking is a vast subject which cannot be fully covered here. The reference is the NET-3 HOWTO, and most distributions provide documentation on setting up network services. Only a few points will be recalled here.

A quick to-do list for the services you may want to install: cron and timed tasks like calendar or reminder, HTTP, Samba, telnet/ssh access (prefer ssh), anonymous ftp, POP/IMAP server, NFS services...

3.1 Network configuration

Although your distribution's actual method of starting network services may be much more complex, the following script should be enough to get you started:

#!/bin/sh

# net-up.sh: set up network access

DEVICE=eth0
IPADDR=192.168.1.100
NETMASK=255.255.255.0
NETWORK=192.168.1.0
GATEWAY=192.168.1.1

ifconfig $DEVICE $IPADDR netmask $NETMASK up
route add -net $NETWORK netmask $NETMASK $DEVICE
route add default gw $GATEWAY

This script is handy for enabling network access when you use a rescue disk. Obviously, it gives you only basic IP connectivity: you can ping, ftp and telnet to the outside by IP address, since it configures no name server (that is /etc/resolv.conf). Also make sure NETWORK really is the network that IPADDR and NETMASK imply, otherwise the net route will be wrong.
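The following is an added example, not part of the original HOWTO: a variant of net-up.sh that derives NETWORK from IPADDR and NETMASK and refuses to configure the interface when an address is malformed, the netmask is not contiguous, or the gateway is off the local network, which are the mistakes that leave a rescue system silently unreachable. The script name, the DRY_RUN variable and the helper function names are this example's own.

```sh
#!/bin/sh
# net-up-checked.sh: added example, not part of the original HOWTO.
# Same parameters as net-up.sh above, but NETWORK is derived from IPADDR
# and NETMASK instead of being typed in separately, and nothing is
# configured if an address is malformed, the netmask is not contiguous
# or GATEWAY is not on the local network.  DRY_RUN=1 prints the commands
# instead of executing them.

DEVICE=${DEVICE:-eth0}
IPADDR=${IPADDR:-192.168.1.100}
NETMASK=${NETMASK:-255.255.255.0}
GATEWAY=${GATEWAY:-192.168.1.1}

# ip2int A.B.C.D: print the address as a 32-bit integer; exit 1 if it is
# not four decimal octets in 0..255 (leading zeros rejected, since the
# shell would read 010 as octal).  The body is a subshell, so the IFS
# change stays local and "exit" only leaves the subshell.
ip2int() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0[0-9]*) exit 1 ;; esac
        [ "$o" -le 255 ] || exit 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# int2ip N: the reverse conversion
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# valid_mask MASK: succeed only if the mask's one bits are contiguous
# from the top (255.0.255.0 is not a netmask)
valid_mask() {
    m=$(ip2int "$1") || return 1
    inv=$(( ~m & 4294967295 ))         # the host part, e.g. 255 for /24
    [ $(( inv & (inv + 1) )) -eq 0 ]   # contiguous iff inv+1 is a power of two
}

# net_addr IP MASK: the network address the pair implies
net_addr() {
    int2ip $(( $(ip2int "$1") & $(ip2int "$2") ))
}

# same_net IP1 IP2 MASK: succeed if both addresses are on one network
same_net() {
    [ "$(net_addr "$1" "$3")" = "$(net_addr "$2" "$3")" ]
}

# run CMD...: execute, or just print when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

net_up() {
    for a in "$IPADDR" "$GATEWAY"; do
        ip2int "$a" >/dev/null || { echo "net-up: bad address '$a'" >&2; return 1; }
    done
    valid_mask "$NETMASK" || { echo "net-up: bad netmask '$NETMASK'" >&2; return 1; }
    network=$(net_addr "$IPADDR" "$NETMASK")
    same_net "$IPADDR" "$GATEWAY" "$NETMASK" ||
        { echo "net-up: gateway $GATEWAY is not on $network" >&2; return 1; }
    run ifconfig "$DEVICE" "$IPADDR" netmask "$NETMASK" up
    run route add -net "$network" netmask "$NETMASK" "$DEVICE"
    run route add default gw "$GATEWAY"
}

# Only act when asked: "sh net-up-checked.sh up" (prefix DRY_RUN=1 to
# preview).  Like net-up.sh, this configures no name server.
case ${1:-} in up) net_up ;; esac
```

Run it as sh net-up-checked.sh up; with DRY_RUN=1 it only prints the three commands, so you can look at them before touching a live interface. The checks cost nothing on a rescue floppy and catch the classic typo of a gateway on the wrong subnet.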

3.2 Sharing the Internet

One of the most useful tasks for a Linux server. Currently, most stock kernels come with IP firewalling, masquerading and forwarding enabled by default; if in doubt, consult the IP-Masquerade mini-HOWTO to learn how to enable them. Then install ipfwadm (kernels 2.0.x; http://www.xos.nl/linux/ipfwadm/) or ipchains (kernels 2.2.x; http://www.adelaide.net.au/~rustcorp/ipfwchains/ipfwchains.html). Remember to load the kernel modules for the protocols that need help to pass through masquerading, e.g. for ftp you'll add this line to your startup script (/etc/rc.d/rc.sysinit or /etc/rc.d/rc.local):

/sbin/modprobe ip_masq_ftp

Other modules are usually found in /lib/modules/KERNEL-VERSION/ipv4.

Enabling IP masquerading for other machines in your local network is very simple. First, check the network initialisation scripts (/etc/sysconfig/network should be the right place) to see if they contain a line that reads FORWARD_IPV4=true. It's used to set /proc/sys/net/ipv4/ip_forward to 1 when the network subsystem comes up. Keep in mind that as soon as that flag is 1 the kernel forwards whatever the firewall rules permit, so the default-deny rule below must be in place before, not after, forwarding is enabled.

Add these lines to the same startup script (/etc/rc.d/rc.sysinit or /etc/rc.d/rc.local), the deny policy first:

# default: packets are not forwarded to the outside
/sbin/ipfwadm -F -p deny
# allow all machines on the local network to reach the Internet
/sbin/ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0
# alternatively, allow only these two machines (note /32: with /24 the
# rule would match the whole 192.168.1.0 network, not a single host)
# /sbin/ipfwadm -F -a m -S 192.168.1.100/32 -D 0.0.0.0/0
# /sbin/ipfwadm -F -a m -S 192.168.1.101/32 -D 0.0.0.0/0

If you use a kernel of the 2.2.x series, use ipfwadm-wrapper instead of ipfwadm to get started quickly.
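As an added example (not from the HOWTO, nor from the ipfwadm or ipchains projects), here is a script that loads the same policy on either kernel series, using ipchains directly on 2.2.x instead of going through ipfwadm-wrapper. A bare address becomes a /32 rule, and forwarding is switched on only after the deny policy and the rules are in place. The script name, the DRY_RUN variable and the helper function names are this example's own.

```sh
#!/bin/sh
# masq-up.sh: added example, not part of the original HOWTO.
# Usage: sh masq-up.sh 2.0|2.2 HOST-OR-NET...   (DRY_RUN=1 to preview)
# Loads the masquerading policy with ipfwadm on 2.0.x or ipchains on
# 2.2.x.  A bare address is treated as one host (/32); with /24 the rule
# would admit the whole subnet.  Forwarding is switched on last, so no
# packet is forwarded while the table is still open.

# run CMD...: execute, or just print when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# with_prefix ADDR: add /32 to a bare address, keep an explicit /N
with_prefix() {
    case $1 in
        */*) echo "$1" ;;
        *)   echo "$1/32" ;;
    esac
}

# enable_forwarding: what FORWARD_IPV4=true does at boot, done here
# only after the rules are loaded
enable_forwarding() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# masq_rules SERIES SRC...: deny by default, flush old rules, add one
# masquerading rule per source, then open the forwarding path
masq_rules() {
    series=$1; shift
    case $series in
        2.0)
            run /sbin/ipfwadm -F -p deny        # default: nothing is forwarded
            run /sbin/ipfwadm -F -f             # flush old forwarding rules
            for src in "$@"; do
                run /sbin/ipfwadm -F -a m -S "$(with_prefix "$src")" -D 0.0.0.0/0
            done
            ;;
        2.2)
            run /sbin/ipchains -P forward DENY
            run /sbin/ipchains -F forward
            for src in "$@"; do
                run /sbin/ipchains -A forward -s "$(with_prefix "$src")" -d 0.0.0.0/0 -j MASQ
            done
            ;;
        *)
            echo "masq_rules: unknown kernel series '$series'" >&2
            return 1
            ;;
    esac
    enable_forwarding
}

# Protocol helpers (e.g. ip_masq_ftp) still have to be loaded with
# modprobe as described above; this script does not do that.
case ${1:-} in 2.0|2.2) masq_rules "$@" ;; esac
```

Preview with DRY_RUN=1 sh masq-up.sh 2.2 192.168.1.100 192.168.1.101 and compare the printed rules with what ipchains -L forward -n shows once applied; the only difference from the rc.sysinit fragment is the ordering, which closes the window between enabling forwarding and loading the deny policy.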

Now you'll want something to let client machines dial the ISP; I use Mserver ( http://cpwright.villagenet.com/mserver/). Edit /etc/mserver.conf; the only entries that you should modify are ``checkhost'', ``shadow'', and ``cname''. Then define your connection(s). Obviously, install one of the available clients on the client machines.

3.3 Restricting Network Access

Let's suppose you connect to the Internet via PPP. Once you're connected, every service listening on your machine is reachable from the Internet. Services started by inetd through tcpd (the tcp_wrappers) can be restricted by client address: tcpd consults /etc/hosts.allow first, then /etc/hosts.deny, and a client matching neither file is let in, so the deny-all entry below is what makes the setup closed by default. Insert this in /etc/hosts.allow:

# only allow access to localhost
ALL: 127.

and this in /etc/hosts.deny:

# deny access to everyone
ALL: ALL

If you belong to a network with direct Internet access, you had better disable finger, telnet, and possibly other services for security reasons; use ssh instead of telnet. The file to edit is /etc/inetd.conf: comment out the lines for the services you don't want, then make inetd reread it (kill -HUP its process). Alternatively, you can restrict network access putting this in /etc/hosts.allow (the patterns with a leading dot match the client's host name, which tcpd obtains by reverse DNS lookup, so they are only as trustworthy as DNS; address prefixes like 192.168.1. are safer for anything sensitive):

in.telnetd: 192.168.1., .another.trusted.network
in.ftpd: 192.168.1., .another.trusted.network

and this in /etc/hosts.deny:

in.telnetd: ALL
in.ftpd: ALL
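To see how tcpd will decide before restarting inetd, here is an added example (not part of the HOWTO or of tcp_wrappers) that re-implements its decision rule for the pattern forms used above and runs it over constructed copies of the two files. tcpd itself obtains the client name by reverse lookup and checks it against a forward lookup; the emulator takes the name as an argument instead. The script and function names are this example's own.

```sh
#!/bin/sh
# hosts_access.sh: added example, not part of the original HOWTO or of
# tcp_wrappers.  Re-implements tcpd's decision rule for the pattern forms
# used above, so a hosts.allow/hosts.deny pair can be checked before
# inetd is restarted: the first match in hosts.allow grants access, then
# the first match in hosts.deny refuses it, and a client matching neither
# file is ALLOWED.  Handled patterns: ALL, a trailing-dot address prefix
# (192.168.1.), a leading-dot domain suffix (.trusted.net) and an exact
# name or address.

# Constructed sample files, equivalent to the fragments above.
ALLOW='in.telnetd: 192.168.1., .trusted.net
in.ftpd: 192.168.1., .trusted.net'
DENY='in.telnetd: ALL
in.ftpd: ALL'

# match_one PATTERN CLIENT: succeed if one client pattern matches
match_one() {
    case $1 in
        ALL) return 0 ;;
        *.)  case $2 in "$1"*) return 0 ;; esac ;;   # 192.168.1. vs 192.168.1.x
        .*)  case $2 in *"$1") return 0 ;; esac ;;   # .trusted.net vs gw.trusted.net
        *)   [ "$2" = "$1" ] && return 0 ;;
    esac
    return 1
}

# match_file CONTENT DAEMON CLIENT: succeed if any "daemons: clients"
# line of CONTENT names both the daemon and the client
match_file() {
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        daemons=${line%%:*}
        clients=${line#*:}
        hit=0
        for d in $(echo "$daemons" | tr ',' ' '); do
            [ "$d" = ALL ] || [ "$d" = "$2" ] && hit=1
        done
        [ $hit -eq 1 ] || continue
        for c in $(echo "$clients" | tr ',' ' '); do
            match_one "$c" "$3" && return 0
        done
    done <<EOF
$1
EOF
    return 1
}

# hosts_access DAEMON CLIENT: print allow/deny, return 0/1
hosts_access() {
    if match_file "$ALLOW" "$1" "$2"; then echo allow; return 0; fi
    if match_file "$DENY" "$1" "$2"; then echo deny; return 1; fi
    echo allow          # listed in neither file: tcpd lets it through
    return 0
}

# Demo; note the last line: a daemon missing from hosts.deny stays open
for pair in "in.telnetd 192.168.1.7" "in.telnetd 192.168.10.7" \
            "in.ftpd gw.trusted.net" "in.ftpd trusted.net.evil.example" \
            "in.fingerd 10.0.0.1"; do
    set -- $pair
    printf '%-11s %-26s %s\n' "$1" "$2" "$(hosts_access "$1" "$2")"
done
```

The last demo line is the point of the ALL: ALL entry earlier in this section: with only the per-service lines in hosts.deny, in.fingerd (or any other wrapped service you forgot) is still reachable from everywhere. The real tcpd also understands EXCEPT, net/mask pairs and KNOWN/UNKNOWN/PARANOID, which this emulator does not; see hosts_access(5).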

3.4 NFS Exports

It is common to export the home directories on the server; a problem arises if a user's UID and GID are not consistent across different machines, since NFS carries numeric IDs, not user names. If user guido has UID/GID equal to 500 on server and UID/GID equal to 512 on client, a convenient configuration is this (map_static is an option of the user-space NFS server; the kernel NFS server does not understand it, so check your server's exports(5) before relying on it):

# /etc/exports
/tmp            my.client.machine(rw)
/home/guido     my.client.machine(rw,map_static=/etc/nfs/client.map)

In /etc/nfs/client.map you'll put this:

# /etc/nfs/client.map
# NFS mapping for client
#       remote          local
uid     512             500
gid     512             500
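Producing that map by hand does not scale past one user, so here is an added example (not part of the HOWTO) that builds the map_static file from a copy of the server's /etc/passwd and the client's, and reports users that exist on only one side. The passwd samples are constructed; the script and function names are this example's own.

```sh
#!/bin/sh
# nfs-map.sh: added example, not part of the original HOWTO.
# Usage: sh nfs-map.sh server.passwd client.passwd > /etc/nfs/client.map
# Builds a map_static file from copies of the server's and the client's
# /etc/passwd: one "uid REMOTE LOCAL" and/or "gid REMOTE LOCAL" line for
# every user on both machines whose UID or primary GID differ (remote =
# client, local = server, as in the map above).  Users present on only
# one side are reported on stderr rather than silently left unmapped.

# make_nfs_map SERVER_PASSWD CLIENT_PASSWD
make_nfs_map() {
    awk -F: '
        NR == FNR { suid[$1] = $3; sgid[$1] = $4; next }   # first file: server
        {
            if (!($1 in suid)) {
                print "only on client: " $1 > "/dev/stderr"; next
            }
            seen[$1] = 1
            if ($3 != suid[$1]) printf "uid %s %s\n", $3, suid[$1]
            if ($4 != sgid[$1]) printf "gid %s %s\n", $4, sgid[$1]
        }
        END {
            for (u in suid) if (!(u in seen))
                print "only on server: " u > "/dev/stderr"
        }
    ' "$1" "$2"
}

# Constructed sample passwd files, matching the guido example above
# (500/500 on the server, 512/512 on the client).
SERVER_PASSWD='root:x:0:0:root:/root:/bin/sh
guido:x:500:500:Guido:/home/guido:/bin/sh
alice:x:501:501:Alice:/home/alice:/bin/sh'
CLIENT_PASSWD='root:x:0:0:root:/root:/bin/sh
guido:x:512:512:Guido:/home/guido:/bin/sh
bob:x:513:513:Bob:/home/bob:/bin/sh'

# demo_map: run the generator over the samples
demo_map() {
    s=$(mktemp) && c=$(mktemp) || return 1
    printf '%s\n' "$SERVER_PASSWD" > "$s"
    printf '%s\n' "$CLIENT_PASSWD" > "$c"
    make_nfs_map "$s" "$c"
    rm -f "$s" "$c"
}

case $# in
    2) make_nfs_map "$1" "$2" ;;
    0) demo_map ;;
esac
```

Run without arguments it prints the two-line map for guido and warns about alice and bob. Review the stderr list before installing the map: a user who exists only on the client keeps whatever UID the client hands out, and if that number belongs to someone else on the server he gets that person's files.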

3.5 Name Server

Not written yet.
