Configuration HOWTO: Common Administration Tasks

3. Common Administration Tasks

Here is where the fun begins. This section is rather network-centric, though many other tasks await you.

Networking is a vast subject which cannot be fully covered here. The reference is the NET-3 HOWTO, and most distributions provide documentation on setting up network services. Only a few points will be recalled here.

A quick to-do list for the services you may want to install: cron and timed tasks like calendar or reminder, Http, Samba, telnet/ssh access, anonymous ftp, POP/IMAP server, NFS...

3.1 Network Configuration

If your network card wasn't recognised at install time, don't worry: in most cases it's either NE2000 or 3c59x compatible. Issue the command modprobe ne or modprobe 3c59x and see if the relevant module is loaded, then add this line in /etc/conf.modules:


alias eth0 ne  # or 3c59x

Now you're ready to use netcfg or similar tool to set up the network configuration. The relevant files are /etc/HOSTNAME, etc/hosts, /etc/resolv.conf, /etc/sysconfig/network, and /etc/sysconfig/network-scripts/ifcfg-eth0; services should be started with scripts in /etc/rc.d/init.d.

This is a sample etc/hosts:


127.0.0.1               localhost
192.168.1.1             paleo.eocene.net        paleo
192.168.1.2             nautilus.eocene.net     nautilus

This is /etc/resolv.conf:


search df.unibo.it,eocene.net
nameserver 195.210.91.100

This is /etc/sysconfig/network (Red Hat-dependent):


NETWORKING=false
FORWARD_IPV4=true
HOSTNAME=nautilus.eocene.net
DOMAINNAME=eocene.net

And finally, /etc/sysconfig/network-scripts/ifcfg-eth0. This one, too, is Red Hat-dependent; it must be executable.


DEVICE=eth0
IPADDR=192.168.1.2
NETMASK=255.255.255.0
NETWORK=192.168.1.0
BROADCAST=192.168.1.255
ONBOOT=no

Although the actual method of starting network services of your distribution may be much more complex, the following script should be enough to get you started:


#!/bin/sh

# net-up.sh: set up network access

DEVICE=eth0
IPADDR=192.168.1.100
NETMASK=255.255.255.0
NETWORK=192.168.1.0
GATEWAY=192.168.1.1

ifconfig $DEVICE $IPADDR netmask $NETMASK up
route add -net $NETWORK netmask $NETMASK $DEVICE
route add default gw $GATEWAY

This script is handy for enabling network access when you use a rescue disk. Obviously, this lets you only ping, ftp and telnet to the outside; it won't start any daemon.

3.2 Network for Notebooks

When you plug the network PC card in, the script /etc/pcmcia/network will be executed. All it needs is a properly set up /etc/sysconfig/network-scripts/ifcfg-eth0.

Setting up the network can become a bit trickier, though. In fact, you must provide the right settings for each network you connect to, as well as settings for the notebook when it's not connected.

I rolled up a rough but functional solution. I use my notebook as a stand-alone machine, connecting to the net via PPP; at home, IP address 192.168.1.2; and at university, IP 137.204.x.y. So, I created a set of configuration files for each network; all these are kept in /etc/mobnet. A script is then used to select the working environment. For instance, this is /etc/mobnet/home.cfg:


# /etc/mobnet/home.conf

HOSTNAME=nautilus.eocene.net    # complete hostname
DOMAINNAME=eocene.net           # your domain
IPADDR=192.168.1.2
NETMASK=255.255.255.0
NETWORK=192.168.1.0
BROADCAST=192.168.1.255
GATEWAY=192.168.1.1
FORWARD_IPV4=true
NAMESERVER=195.210.91.100       # required
SEARCH=df.unibo.it,eocene.net   # optional
SERVICES="inet httpd smb sshd"

This is mnet, the script I use to choose the network profile:


#!/bin/sh
# mnet: script to set up the "mobile network" configuration.
# Last modified: 15 July 2000

# start or stop services
activate_services()
{
  for service in $(echo $SERVICES) ; do
    [ -x /etc/rc.d/init.d/$service ] && /etc/rc.d/init.d/$service $1
  done
}

# usage
if [ $# = 0 ] ; then
  echo "Usage: mnet <config name>"
  echo "Example: mnet office"
  exit 1
fi

# check if the configuration exists
if [ ! -e /etc/mobnet/$1.conf ]; then
  echo "This configuration doesn't exist."
  exit 1
fi

# read the configuration
. /etc/mobnet/$1.conf

# set up the host name
echo $HOSTNAME > /etc/HOSTNAME
/bin/hostname $HOSTNAME

# set up the name server(s)
cat <<EOF > /etc/resolv.conf
# /etc/resolv.conf
search $SEARCH
nameserver $NAMESERVER
EOF

# stop previous services, if any
if [ -f /etc/mobnet/services.prev ]; then
  NEWSERVICES=$SERVICES
  . /etc/mobnet/services.prev
  activate_services stop
  SERVICES=$NEWSERVICES
fi

if [ $1 != "none" ]; then
# set up the network parameters
  cat <<EOF > /etc/sysconfig/network
  NETWORKING=yes
  FORWARD_IPV4=true
  HOSTNAME=$HOSTNAME
  DOMAINNAME=$DOMAINNAME
  GATEWAY=$GATEWAY
  GATEWAYDEV=eth0
EOF

  cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-eth0
  DEVICE=eth0
  IPADDR=$IPADDR
  NETMASK=$NETMASK
  NETWORK=$NETWORK
  BROADCAST=$BROADCAST
  ONBOOT=no
EOF
  /bin/chmod +x /etc/sysconfig/network-scripts/ifcfg-eth0
  
  # copy the other config files
  /bin/cp -f /etc/mobnet/hosts.$1       /etc/hosts
  /bin/cp -f /etc/mobnet/smb.conf.$1    /etc/smb.conf
  
  echo -n "Insert the network PC card and press <enter> when done: "
  read
    
  # OK, now start services
  activate_services start
  echo "SERVICES=\"$SERVICES\"" > /etc/mobnet/services.prev

else # it's not "none"

  cat <<EOF > /etc/sysconfig/network
  NETWORKING=false
  FORWARD_IPV4=false
  HOSTNAME=$HOSTNAME
  DOMAINNAME=$DOMAINNAME
EOF
  /bin/rm -f /etc/sysconfig/network-scripts/ifcfg-eth0*
  /sbin/ifconfig eth0 down
  echo "SERVICES=$SERVICES" > /etc/mobnet/services.prev
  echo "Now you may remove the PC card."
  exit 0

fi

# end of mnet.

As I said, it is rough and even not complete: other files may depend on the network, like /etc/fstab, /etc/exports, and /etc/printcap. Think about network printers and NFS shares. Feel free to adapt this bare-bone solution to your needs.

3.3 Sharing the Internet

One of the most useful tasks for a Linux server. Currently, most stock kernels come with IP firewalling, masquerading and forwarding enabled by default; if in doubt, consult the IP-Masquerade mini-HOWTO to learn how to enable them. Then install ipfwadm (kernels 2.0.x; http://www.xos.nl/linux/ipfwadm/) or ipchains (kernels 2.2.x; http://www.adelaide.net.au/~rustcorp/ipfwchains/ipfwchains.html). Remember to enable kernel modules for the services you need, e.g. for ftp you'll add this line to /etc/rc.d/rc.sysconfig:


/sbin/modprobe ip_masq_ftp

Other modules are usually found in /lib/modules/KERNEL-VERSION/ipv4.

Enabling IP masquerading for other machines in your local network is very simple. First, check the network initialisation scripts (/etc/sysconfig/network should be the right place) to see if they contain a line that reads FORWARD_IPV4=true. It's used to set /proc/sys/net/ipv4/ip_forward to 1 when the network subsystem comes up.

Add these lines to /etc/rc.d/rc.sysinit:


# default: packets cannot reach the outside
/sbin/ipfwadm -F -p deny
# allow all machines on the local network to reach the Internet
/sbin/ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0
# alternatively, allow only these two machines
# /sbin/ipfwadm -F -a m -S 192.168.1.100/24 -D 0.0.0.0/0
# /sbin/ipfwadm -F -a m -S 192.168.1.101/24 -D 0.0.0.0/0

If you use a kernel of the 2.2.x series, use ipfwadm-wrapper instead of ipfwadm to get started quickly. More information at http://ipmasq.cjb.net.

Now you'll want something to let client machines dial the ISP; I use Mserver ( http://cpwright.villagenet.com/mserver/). Edit etc/mserver.conf; the only entries that you should modify are ``checkhost'', ``shadow'', and ``cname''. Then define your connection(s). Obviously, install a suitable client on the client machines.

3.4 Restricting Network Access

Let's suppose you connect to the Internet via PPP. Once you're connected, your machine may become vulnerable to attacks. Insert this in /etc/hosts.allow:


# only allow access to localhost
ALL: 127.

and this in /etc/hosts.deny:


# deny access to everyone
ALL: ALL

If you belong to a network with direct Internet access, you had better disable finger, telnet, and possibly other services for security reasons; use ssh instead of telnet. The file to edit is /etc/inet.conf. Alternatively, you can restrict network access putting this in /etc/hosts.allow:


in.telnetd: 192.168.1., .another.trusted.network
in.ftpd: 192.168.1., .another.trusted.network

and this in /etc/hosts.deny:


in.telnetd: ALL
in.ftpd: ALL

3.5 NFS Exports

It is common to export home directories on the server; a problem arises if a user's UID and GID are not consistent across different machines. If user `guido' has UID/GID = 500 on server and UID/GID = 512 on client, a convenient configuration is this:


# /etc/exports
/tmp            my.client.machine(rw)
/home/guido     my.client.machine(rw,all_squash,anonuid=512,anongid=512)

3.6 Samba

Almost trivial, but there's always a little bit to do. If you want to connect Windows 98/NT clients, did you remember to read the docs and, in case, enable clear text passwords? The distribution includes .reg files for Win9x/NT/2000; if your clients can't connect to the Linux server, load them on every client.

Samba comes with a fairly complete sample /etc/smb.conf, but strangely it lacks a section showing how to (un)mount removable media. The clauses preexec and postexec do the trick:


[cdrom]
  comment = CD-ROM
  path = /mnt/cdrom
  public = yes
  read only = yes
; you might need to use "root preexec/postexec"
  preexec = mount /mnt/cdrom
  postexec = umount /mnt/cdrom

Also: you know what Swat is, don't you? Enable it adding this line in your /etc/inetd.conf:


swat      stream  tcp     nowait.400      root /usr/sbin/swat swat

and this in /etc/services:


swat            901/tcp

Restart inetd with SIGHUP, and point your browser to http://localhost:901.

Next Previous Contents