So many things to do, so little time! Here is where the fun begins. This section is rather network-centric, though many other tasks await you.
Networking is a vast subject which cannot be fully covered here. The reference is the NET-3 HOWTO, and most distributions provide documentation on setting up network services. Only a few points will be recalled here.
A quick to-do list for the services you may want to install: cron and timed tasks like calendar or reminder, HTTP, Samba, telnet/ssh access, anonymous ftp, a POP/IMAP server, NFS services...
Although your distribution's method of starting network services may be much more complex, the following script should be enough to get you started:
#!/bin/sh
# net-up.sh: set up network access
DEVICE=eth0
IPADDR=192.168.1.100
NETMASK=255.255.255.0
NETWORK=192.168.1.0
GATEWAY=192.168.1.1
# bring the interface up with its address
ifconfig $DEVICE $IPADDR netmask $NETMASK up
# route for the local network, then the default route through the gateway
route add -net $NETWORK netmask $NETMASK $DEVICE
route add default gw $GATEWAY
This script is handy for enabling network access when you use a rescue disk. Note that it only brings up the interface and the routes: name resolution still needs /etc/resolv.conf, and no services are started, so it only lets you ping, ftp and telnet to the outside.
Acting as an Internet gateway is one of the most useful tasks for a Linux server. Currently, most stock kernels come with IP firewalling, masquerading and forwarding enabled by default; if in doubt, consult the IP-Masquerade mini-HOWTO to learn how to enable them. Then install ipfwadm (kernels 2.0.x; http://www.xos.nl/linux/ipfwadm/) or ipchains (kernels 2.2.x; http://www.adelaide.net.au/~rustcorp/ipfwchains/ipfwchains.html). Remember to load the masquerading helper modules for the protocols you need, e.g. for ftp you'll add this line to /etc/rc.d/rc.sysinit:
/sbin/modprobe ip_masq_ftp
Other modules are usually found in /lib/modules/KERNEL-VERSION/ipv4.
Enabling IP masquerading for other machines in your local network is very simple. First, check the network initialisation scripts (/etc/sysconfig/network should be the right place) to see if they contain a line that reads FORWARD_IPV4=true. It's used to set /proc/sys/net/ipv4/ip_forward to 1 when the network subsystem comes up.
Add these lines to /etc/rc.d/rc.sysinit:
# default: packets cannot reach the outside
/sbin/ipfwadm -F -p deny
# allow all machines on the local network to reach the Internet
/sbin/ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0
# alternatively, allow only these two machines (note the /32 mask: a host
# address with /24 would silently re-open the whole network)
# /sbin/ipfwadm -F -a m -S 192.168.1.100/32 -D 0.0.0.0/0
# /sbin/ipfwadm -F -a m -S 192.168.1.101/32 -D 0.0.0.0/0
If you use a kernel of the 2.2.x series, use ipfwadm-wrapper instead of ipfwadm to get started quickly.
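The forwarding flag and the two rule sets above (ipfwadm for 2.0.x, the equivalent ipchains rules for 2.2.x) can be wrapped in one boot script that picks the syntax from the running kernel. This is an added example, not a script from the HOWTO or from the ipfwadm/ipchains projects; the function names and the DRY_RUN switch are mine, and the addresses are the ones used in the text.

```shell
#!/bin/sh
# masq-up.sh: turn on forwarding and masquerading for the 192.168.1.0/24
# LAN, picking ipfwadm (2.0.x) or ipchains (2.2.x) from the kernel version.
# Added example, not from the HOWTO; the function names are my own.
# Run with DRY_RUN=1 to print the commands instead of executing them.

LAN=192.168.1.0/24
DRY_RUN=${DRY_RUN:-0}

# run: execute a command, or only print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# kernel_major: 2.0 / 2.2 from a version string such as 2.2.14-5.0
kernel_major() {
    echo "$1" | sed 's/^\([0-9]*\.[0-9]*\).*/\1/'
}

# masq_rules KERNEL_VERSION [HOST...]: default-deny forwarding, then
# masquerade the whole LAN, or only the listed hosts (one host = /32;
# 192.168.1.100/24 would silently re-open the entire network).
masq_rules() {
    ver=$1; shift
    case "$(kernel_major "$ver")" in
      2.0)
        run /sbin/ipfwadm -F -p deny
        if [ $# -eq 0 ]; then
            run /sbin/ipfwadm -F -a m -S "$LAN" -D 0.0.0.0/0
        else
            for h in "$@"; do
                run /sbin/ipfwadm -F -a m -S "$h/32" -D 0.0.0.0/0
            done
        fi
        ;;
      2.2)
        run /sbin/ipchains -P forward DENY
        if [ $# -eq 0 ]; then
            run /sbin/ipchains -A forward -s "$LAN" -d 0.0.0.0/0 -j MASQ
        else
            for h in "$@"; do
                run /sbin/ipchains -A forward -s "$h/32" -d 0.0.0.0/0 -j MASQ
            done
        fi
        ;;
      *)
        echo "masq-up.sh: no rule syntax known for kernel $ver" >&2
        return 1
        ;;
    esac
}

# enable_forwarding: what FORWARD_IPV4=true does at boot
enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Only act when run as a script, not when sourced for testing.
case "$0" in
  *masq-up.sh)
    enable_forwarding
    masq_rules "$(uname -r)" "$@"
    ;;
esac
```

Call it with no arguments to masquerade the whole LAN, or with the individual hosts that may go out (`./masq-up.sh 192.168.1.100 192.168.1.101`); `DRY_RUN=1 ./masq-up.sh` shows what would be run before you commit it to rc.sysinit.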
Now you'll want something to let client machines dial the ISP; I use Mserver (http://cpwright.villagenet.com/mserver/). Edit /etc/mserver.conf; the only entries that you should modify are ``checkhost'', ``shadow'', and ``cname''. Then define your connection(s). Obviously, install one of the available clients on the client machines.
Let's suppose you connect to the Internet via PPP. Once you're connected, your machine is reachable from the Internet and may be attacked. As a first line of defence, insert this in /etc/hosts.allow:
# only allow access to localhost
ALL: 127.
and this in /etc/hosts.deny:
# deny access to everyone else
ALL: ALL
Remember that these two files are consulted only by services started through tcpd (tcp_wrappers) or linked against libwrap; a daemon that listens on its own is not protected by them.
If you belong to a network with direct Internet access, you had better disable finger, telnet, and possibly other services for security reasons; use ssh instead of telnet. The file to edit is /etc/inetd.conf: comment out the lines of the services you don't need and send inetd a HUP signal. Alternatively, you can restrict network access by putting this in /etc/hosts.allow:
in.telnetd: 192.168.1., .another.trusted.network
in.ftpd: 192.168.1., .another.trusted.network
and this in /etc/hosts.deny:
in.telnetd: ALL
in.ftpd: ALL
Note that tcpd checks hosts.allow first, then hosts.deny, and grants access when neither file matches: a wrapped service listed in neither file stays open to everybody.
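To see how tcpd applies the two files, here is a small shell model of the hosts_access(5) decision, run over both configurations above (the PPP one with ALL: 127. / ALL: ALL, and the per-daemon LAN one). It is an added example, not part of the HOWTO and not tcp_wrappers' own code; the function names are mine, the rule texts are constructed copies of the ones shown, and it handles only the pattern forms used in the text (ALL, an address prefix ending in a dot, a domain suffix starting with a dot, an exact host), not EXCEPT lists, net/mask pairs or KNOWN/PARANOID.

```shell
#!/bin/sh
# tcpd-check.sh: model how tcpd decides access from /etc/hosts.allow and
# /etc/hosts.deny. Added example, not part of the HOWTO or of tcp_wrappers;
# the function names are mine and only the pattern forms used in the text
# (ALL, "192.168.1." prefix, ".domain" suffix, exact host) are handled.

# wrap_pat_match PATTERN CLIENT: one client pattern, hosts_access(5) style
wrap_pat_match() {
    pat=$1; client=$2
    case "$pat" in
      ALL) return 0 ;;
      *.)  case "$client" in "$pat"*) return 0 ;; esac ;;   # address prefix
      .*)  case "$client" in *"$pat") return 0 ;; esac ;;   # domain suffix
      *)   [ "$pat" = "$client" ] && return 0 ;;
    esac
    return 1
}

# wrap_file_match DAEMON CLIENT RULES: does any "daemons : clients" line
# in RULES (the text of one access file) match?
wrap_file_match() {
    d=$1; c=$2
    while IFS= read -r line; do
        line=${line%%#*}                       # strip comments
        case "$line" in *:*) ;; *) continue ;; esac
        dl=${line%%:*}; cl=${line#*:}
        for dp in $(echo "$dl" | tr ',' ' '); do
            [ "$dp" = ALL ] || [ "$dp" = "$d" ] || continue
            for cp in $(echo "$cl" | tr ',' ' '); do
                wrap_pat_match "$cp" "$c" && return 0
            done
        done
    done <<EOF
$3
EOF
    return 1
}

# tcpd_decide DAEMON CLIENT ALLOW DENY: allow file first, then deny file,
# and access is GRANTED when neither matches, so every wrapped daemon you
# care about must appear in hosts.deny.
tcpd_decide() {
    if wrap_file_match "$1" "$2" "$3"; then echo allow
    elif wrap_file_match "$1" "$2" "$4"; then echo deny
    else echo allow
    fi
}

# Constructed copies of the two configurations from the text.
LAN_ALLOW='in.telnetd: 192.168.1., .another.trusted.network
in.ftpd: 192.168.1., .another.trusted.network'
LAN_DENY='in.telnetd: ALL
in.ftpd: ALL'
PPP_ALLOW='ALL: 127.'
PPP_DENY='ALL: ALL'

case "$0" in
  *tcpd-check.sh)
    for who in 192.168.1.7 10.0.0.5 host.another.trusted.network; do
        echo "in.telnetd from $who: $(tcpd_decide in.telnetd "$who" "$LAN_ALLOW" "$LAN_DENY")"
        echo "in.fingerd from $who: $(tcpd_decide in.fingerd "$who" "$LAN_ALLOW" "$LAN_DENY")"
    done
    ;;
esac
```

Running it shows the trap in the per-daemon configuration: in.telnetd from 10.0.0.5 is denied, but in.fingerd from the same host is allowed, because finger appears in neither file. The PPP configuration has no such hole, since its deny line is ALL: ALL.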
It is common to export the home directories on the server; a problem arises if a user's UID and GID are not consistent across different machines. If user guido has UID/GID equal to 500 on server and UID/GID equal to 512 on client, a convenient configuration is this:
# /etc/exports
/tmp my.client.machine(rw)
/home/guido my.client.machine(rw,map_static=/etc/nfs/client.map)
In /etc/nfs/client.map you'll put this:
# /etc/nfs/client.map
# NFS mapping for client
# remote local
uid 512 500
gid 512 500
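Writing the map by hand is error-prone, and a wrong line hands one user another user's files. The following added example (not from the HOWTO, function names mine) generates the map_static file for a client from the server's and the client's /etc/passwd and /etc/group, emitting one "uid remote local" or "gid remote local" line for every account or group whose id differs; the passwd and group contents are constructed samples embedding the guido 500/512 case from the text.

```shell
#!/bin/sh
# nfs-map.sh: build the map_static file for a client from the server's and
# the client's /etc/passwd and /etc/group. Added example, not from the HOWTO;
# the function names are mine. Remote (client) ids come first, as in the
# map file format used by map_static.

# map_lines KEYWORD SERVER_FILE CLIENT_FILE: for every name present in both
# colon-separated files, print "KEYWORD client_id server_id" when they differ
map_lines() {
    awk -F: -v kw="$1" '
        NR == FNR { srv[$1] = $3; next }          # first file: server ids
        ($1 in srv) && srv[$1] != $3 { printf "%s %s %s\n", kw, $3, srv[$1] }
    ' "$2" "$3"
}

# gen_nfs_map SERVER_PASSWD CLIENT_PASSWD SERVER_GROUP CLIENT_GROUP
gen_nfs_map() {
    echo "# NFS mapping for client (generated)"
    echo "# remote local"
    map_lines uid "$1" "$2"
    map_lines gid "$3" "$4"
}

# Constructed sample: guido is 500 on the server and 512 on the client;
# root and alice match on both sides and so produce no map line.
SERVER_PASSWD='root:x:0:0:root:/root:/bin/sh
guido:x:500:500:Guido:/home/guido:/bin/bash
alice:x:501:501:Alice:/home/alice:/bin/bash'
CLIENT_PASSWD='root:x:0:0:root:/root:/bin/sh
alice:x:501:501:Alice:/home/alice:/bin/bash
guido:x:512:512:Guido:/home/guido:/bin/bash'
SERVER_GROUP='root:x:0:
guido:x:500:
users:x:100:'
CLIENT_GROUP='root:x:0:
users:x:100:
guido:x:512:'

# demo_map: run the generator over the constructed sample files
demo_map() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$SERVER_PASSWD" > "$tmp/spw"
    printf '%s\n' "$CLIENT_PASSWD" > "$tmp/cpw"
    printf '%s\n' "$SERVER_GROUP" > "$tmp/sgr"
    printf '%s\n' "$CLIENT_GROUP" > "$tmp/cgr"
    gen_nfs_map "$tmp/spw" "$tmp/cpw" "$tmp/sgr" "$tmp/cgr"
    rm -rf "$tmp"
}

# Only act when run as a script, not when sourced for testing.
case "$0" in
  *nfs-map.sh) demo_map ;;
esac
```

In real use, copy the client's passwd and group files to the server and run gen_nfs_map against the server's own files, redirecting the output to /etc/nfs/client.map; review the result before exporting, since an account that exists on only one side gets no line and will show up as its raw numeric id on the other.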
Not written yet.