Linux Networking Cookbook

Carla Schroder


O'REILLY

Beijing • Cambridge • Farnham • Köln • Paris • Sebastopol • Taipei • Tokyo

Table of Contents

Preface  xv

1. Introduction to Linux Networking  1
    1.0 Introduction  1

2. Building a Linux Gateway on a Single-Board Computer  12
    2.0 Introduction  12
    2.1 Getting Acquainted with the Soekris 4521  14
    2.2 Configuring Multiple Minicom Profiles  17
    2.3 Installing Pyramid Linux on a Compact Flash Card  17
    2.4 Network Installation of Pyramid on Debian  19
    2.5 Network Installation of Pyramid on Fedora  21
    2.6 Booting Pyramid Linux  24
    2.7 Finding and Editing Pyramid Files  26
    2.8 Hardening Pyramid  27
    2.9 Getting and Installing the Latest Pyramid Build  28
    2.10 Adding Additional Software to Pyramid Linux  28
    2.11 Adding New Hardware Drivers  32
    2.12 Customizing the Pyramid Kernel  33
    2.13 Updating the Soekris comBIOS  34

3. Building a Linux Firewall  36
    3.0 Introduction  36
    3.1 Assembling a Linux Firewall Box  44
    3.2 Configuring Network Interface Cards on Debian  45
    3.3 Configuring Network Interface Cards on Fedora  48
    3.4 Identifying Which NIC Is Which  50
    3.5 Building an Internet-Connection Sharing Firewall on a Dynamic WAN IP Address  51
    3.6 Building an Internet-Connection Sharing Firewall on a Static WAN IP Address  56
    3.7 Displaying the Status of Your Firewall  57
    3.8 Turning an iptables Firewall Off  58
    3.9 Starting iptables at Boot, and Manually Bringing Your Firewall Up and Down  59
    3.10 Testing Your Firewall  62
    3.11 Configuring the Firewall for Remote SSH Administration  65
    3.12 Allowing Remote SSH Through a NAT Firewall  66
    3.13 Getting Multiple SSH Host Keys Past NAT  68
    3.14 Running Public Services on Private IP Addresses  69
    3.15 Setting Up a Single-Host Firewall  71
    3.16 Setting Up a Server Firewall  76
    3.17 Configuring iptables Logging  79
    3.18 Writing Egress Rules  80

4. Building a Linux Wireless Access Point  82
    4.0 Introduction  82
    4.1 Building a Linux Wireless Access Point  86
    4.2 Bridging Wireless to Wired  87
    4.3 Setting Up Name Services  90
    4.4 Setting Static IP Addresses from the DHCP Server  93
    4.5 Configuring Linux and Windows Static DHCP Clients  94
    4.6 Adding Mail Servers to dnsmasq  96
    4.7 Making WPA2-Personal Almost As Good As WPA-Enterprise  97
    4.8 Enterprise Authentication with a RADIUS Server  100
    4.9 Configuring Your Wireless Access Point to Use FreeRADIUS  104
    4.10 Authenticating Clients to FreeRADIUS  106
    4.11 Connecting to the Internet and Firewalling  107
    4.12 Using Routing Instead of Bridging  108
    4.13 Probing Your Wireless Interface Card  113
    4.14 Changing the Pyramid Router's Hostname  114
    4.15 Turning Off Antenna Diversity  115
    4.16 Managing dnsmasq's DNS Cache  117
    4.17 Managing Windows' DNS Caches  120
    4.18 Updating the Time at Boot  121

5. Building a VoIP Server with Asterisk  123
    5.0 Introduction  123
    5.1 Installing Asterisk from Source Code  127
    5.2 Installing Asterisk on Debian  131
    5.3 Starting and Stopping Asterisk  132
    5.4 Testing the Asterisk Server  135
    5.5 Adding Phone Extensions to Asterisk and Making Calls  136
    5.6 Setting Up Softphones  143
    5.7 Getting Real VoIP with Free World Dialup  146
    5.8 Connecting Your Asterisk PBX to Analog Phone Lines  148
    5.9 Creating a Digital Receptionist  151
    5.10 Recording Custom Prompts  153
    5.11 Maintaining a Message of the Day  156
    5.12 Transferring Calls  158
    5.13 Routing Calls to Groups of Phones  158
    5.14 Parking Calls  159
    5.15 Customizing Hold Music  161
    5.16 Playing MP3 Sound Files on Asterisk  161
    5.17 Delivering Voicemail Broadcasts  162
    5.18 Conferencing with Asterisk  163
    5.19 Monitoring Conferences  165
    5.20 Getting SIP Traffic Through iptables NAT Firewalls  166
    5.21 Getting IAX Traffic Through iptables NAT Firewalls  168
    5.22 Using AsteriskNOW, "Asterisk in 30 Minutes"  168
    5.23 Installing and Removing Packages on AsteriskNOW  170
    5.24 Connecting Road Warriors and Remote Users  171

6. Routing with Linux  173
    6.0 Introduction  173
    6.1 Calculating Subnets with ipcalc  176
    6.2 Setting a Default Gateway  178
    6.3 Setting Up a Simple Local Router  180
    6.4 Configuring Simplest Internet Connection Sharing  183
    6.5 Configuring Static Routing Across Subnets  185
    6.6 Making Static Routes Persistent  186
    6.7 Using RIP Dynamic Routing on Debian  187
    6.8 Using RIP Dynamic Routing on Fedora  191
    6.9 Using Quagga's Command Line  192
    6.10 Logging In to Quagga Daemons Remotely  194
    6.11 Running Quagga Daemons from the Command Line  195
    6.12 Monitoring RIPD  197
    6.13 Blackholing Routes with Zebra  198
    6.14 Using OSPF for Simple Dynamic Routing  199
    6.15 Adding a Bit of Security to RIP and OSPF  201
    6.16 Monitoring OSPFD  202

7. Secure Remote Administration with SSH  204
    7.0 Introduction  204
    7.1 Starting and Stopping OpenSSH  207
    7.2 Creating Strong Passphrases  208
    7.3 Setting Up Host Keys for Simplest Authentication  209
    7.4 Generating and Copying SSH Keys  211
    7.5 Using Public-Key Authentication to Protect System Passwords  213
    7.6 Managing Multiple Identity Keys  214
    7.7 Hardening OpenSSH  215
    7.8 Changing a Passphrase  216
    7.9 Retrieving a Key Fingerprint  217
    7.10 Checking Configuration Syntax  218
    7.11 Using OpenSSH Client Configuration Files for Easier Logins  218
    7.12 Tunneling X Windows Securely over SSH  220
    7.13 Executing Commands Without Opening a Remote Shell  221
    7.14 Using Comments to Label Keys  222
    7.15 Using DenyHosts to Foil SSH Attacks  223
    7.16 Creating a DenyHosts Startup File  225
    7.17 Mounting Entire Remote Filesystems with sshfs  226

8. Using Cross-Platform Remote Graphical Desktops  228
    8.0 Introduction  228
    8.1 Connecting Linux to Windows via rdesktop  230
    8.2 Generating and Managing FreeNX SSH Keys  233
    8.3 Using FreeNX to Run Linux from Windows  233
    8.4 Using FreeNX to Run Linux from Solaris, Mac OS X, or Linux  238
    8.5 Managing FreeNX Users  239
    8.6 Watching Nxclient Users from the FreeNX Server  240
    8.7 Starting and Stopping the FreeNX Server  241
    8.8 Configuring a Custom Desktop  242
    8.9 Creating Additional Nxclient Sessions  244
    8.10 Enabling File and Printer Sharing, and Multimedia in Nxclient  246
    8.11 Preventing Password-Saving in Nxclient  246
    8.12 Troubleshooting FreeNX  247
    8.13 Using VNC to Control Windows from Linux  248
    8.14 Using VNC to Control Windows and Linux at the Same Time  250
    8.15 Using VNC for Remote Linux-to-Linux Administration  252
    8.16 Displaying the Same Windows Desktop to Multiple Remote Users  254
    8.17 Changing the Linux VNC Server Password  256
    8.18 Customizing the Remote VNC Desktop  257
    8.19 Setting the Remote VNC Desktop Size  258
    8.20 Connecting VNC to an Existing X Session  259
    8.21 Securely Tunneling x11vnc over SSH  261
    8.22 Tunneling TightVNC Between Linux and Windows  262

9. Building Secure Cross-Platform Virtual Private Networks with OpenVPN  265
    9.0 Introduction  265
    9.1 Setting Up a Safe OpenVPN Test Lab  267
    9.2 Starting and Testing OpenVPN  270
    9.3 Testing Encryption with Static Keys  272
    9.4 Connecting a Remote Linux Client Using Static Keys  274
    9.5 Creating Your Own PKI for OpenVPN  276
    9.6 Configuring the OpenVPN Server for Multiple Clients  279
    9.7 Configuring OpenVPN to Start at Boot  281
    9.8 Revoking Certificates  282
    9.9 Setting Up the OpenVPN Server in Bridge Mode  284
    9.10 Running OpenVPN As a Nonprivileged User  285
    9.11 Connecting Windows Clients  286

10. Building a Linux PPTP VPN Server  287
    10.0 Introduction  287
    10.1 Installing Poptop on Debian Linux  290
    10.2 Patching the Debian Kernel for MPPE Support  291
    10.3 Installing Poptop on Fedora Linux  293
    10.4 Patching the Fedora Kernel for MPPE Support  294
    10.5 Setting Up a Standalone PPTP VPN Server  295
    10.6 Adding Your Poptop Server to Active Directory  298
    10.7 Connecting Linux Clients to a PPTP Server  299
    10.8 Getting PPTP Through an iptables Firewall  300
    10.9 Monitoring Your PPTP Server  301
    10.10 Troubleshooting PPTP  302

11. Single Sign-on with Samba for Mixed Linux/Windows LANs  305
    11.0 Introduction  305
    11.1 Verifying That All the Pieces Are in Place  307
    11.2 Compiling Samba from Source Code  310
    11.3 Starting and Stopping Samba  312
    11.4 Using Samba As a Primary Domain Controller  313
    11.5 Migrating to a Samba Primary Domain Controller from an NT4 PDC  317
    11.6 Joining Linux to an Active Directory Domain  319
    11.7 Connecting Windows 95/98/ME to a Samba Domain  323
    11.8 Connecting Windows NT4 to a Samba Domain  324
    11.9 Connecting Windows NT/2000 to a Samba Domain  325
    11.10 Connecting Windows XP to a Samba Domain  325
    11.11 Connecting Linux Clients to a Samba Domain with Command-Line Programs  326
    11.12 Connecting Linux Clients to a Samba Domain with Graphical Programs  330

12. Centralized Network Directory with OpenLDAP  332
    12.0 Introduction  332
    12.1 Installing OpenLDAP on Debian  339
    12.2 Installing OpenLDAP on Fedora  341
    12.3 Configuring and Testing the OpenLDAP Server  341
    12.4 Creating a New Database on Fedora  344
    12.5 Adding More Users to Your Directory  348
    12.6 Correcting Directory Entries  350
    12.7 Connecting to a Remote OpenLDAP Server  352
    12.8 Finding Things in Your OpenLDAP Directory  352
    12.9 Indexing Your Database  354
    12.10 Managing Your Directory with Graphical Interfaces  356
    12.11 Configuring the Berkeley DB  358
    12.12 Configuring OpenLDAP Logging  363
    12.13 Backing Up and Restoring Your Directory  364
    12.14 Refining Access Controls  366
    12.15 Changing Passwords  370

13. Network Monitoring with Nagios  371
    13.0 Introduction  371
    13.1 Installing Nagios from Sources  372
    13.2 Configuring Apache for Nagios  376
    13.3 Organizing Nagios' Configuration Files Sanely  378
    13.4 Configuring Nagios to Monitor Localhost  380
    13.5 Configuring CGI Permissions for Full Nagios Web Access  389
    13.6 Starting Nagios at Boot  390
    13.7 Adding More Nagios Users  391
    13.8 Speed Up Nagios with check_icmp  392
    13.9 Monitoring SSHD  393
    13.10 Monitoring a Web Server  397
    13.11 Monitoring a Mail Server  400
    13.12 Using Servicegroups to Group Related Services  402
    13.13 Monitoring Name Services  403
    13.14 Setting Up Secure Remote Nagios Administration with OpenSSH  405
    13.15 Setting Up Secure Remote Nagios Administration with OpenSSL  406

14. Network Monitoring with MRTG  408
    14.0 Introduction  408
    14.1 Installing MRTG  409
    14.2 Configuring SNMP on Debian  410
    14.3 Configuring SNMP on Fedora  413
    14.4 Configuring Your HTTP Service for MRTG  413
    14.5 Configuring and Starting MRTG on Debian  415
    14.6 Configuring and Starting MRTG on Fedora  418
    14.7 Monitoring Active CPU Load  419
    14.8 Monitoring CPU User and Idle Times  422
    14.9 Monitoring Physical Memory  424
    14.10 Monitoring Swap Space and Memory  425
    14.11 Monitoring Disk Usage  426
    14.12 Monitoring TCP Connections  428
    14.13 Finding and Testing MIBs and OIDs  429
    14.14 Testing Remote SNMP Queries  430
    14.15 Monitoring Remote Hosts  432
    14.16 Creating Multiple MRTG Index Pages  433
    14.17 Running MRTG As a Daemon  434

15. Getting Acquainted with IPv6  437
    15.0 Introduction  437
    15.1 Testing Your Linux System for IPv6 Support  442
    15.2 Pinging Link Local IPv6 Hosts  443
    15.3 Setting Unique Local Unicast Addresses on Interfaces  445
    15.4 Using SSH with IPv6  446
    15.5 Copying Files over IPv6 with scp  447
    15.6 Autoconfiguration with IPv6  448
    15.7 Calculating IPv6 Addresses  449
    15.8 Using IPv6 over the Internet  450

16. Setting Up Hands-Free Network Installations of New Systems  452
    16.0 Introduction  452
    16.1 Creating Network Installation Boot Media for Fedora Linux  453
    16.2 Network Installation of Fedora Using Network Boot Media  455
    16.3 Setting Up an HTTP-Based Fedora Installation Server  457
    16.4 Setting Up an FTP-Based Fedora Installation Server  458
    16.5 Creating a Customized Fedora Linux Installation  461
    16.6 Using a Kickstart File for a Hands-off Fedora Linux Installation  463
    16.7 Fedora Network Installation via PXE Netboot  464
    16.8 Network Installation of a Debian System  466
    16.9 Building a Complete Debian Mirror with apt-mirror  468
    16.10 Building a Partial Debian Mirror with apt-proxy  470
    16.11 Configuring Client PCs to Use Your Local Debian Mirror  471
    16.12 Setting Up a Debian PXE Netboot Server  472
    16.13 Installing New Systems from Your Local Debian Mirror  474
    16.14 Automating Debian Installations with Preseed Files  475

17. Linux Server Administration via Serial Console  478
    17.0 Introduction  478
    17.1 Preparing a Server for Serial Console Administration  479
    17.2 Configuring a Headless Server with LILO  483
    17.3 Configuring a Headless Server with GRUB  485
    17.4 Booting to Text Mode on Debian  487
    17.5 Setting Up the Serial Console  489
    17.6 Configuring Your Server for Dial-in Administration  492
    17.7 Dialing In to the Server  495
    17.8 Adding Security  496
    17.9 Configuring Logging  497
    17.10 Uploading Files to the Server  498

18. Running a Linux Dial-Up Server  501
    18.0 Introduction  501
    18.1 Configuring a Single Dial-Up Account with WvDial  501
    18.2 Configuring Multiple Accounts in WvDial  504
    18.3 Configuring Dial-Up Permissions for Nonroot Users  505
    18.4 Creating WvDial Accounts for Nonroot Users  507
    18.5 Sharing a Dial-Up Internet Account  508
    18.6 Setting Up Dial-on-Demand  509
    18.7 Scheduling Dial-Up Availability with cron  510
    18.8 Dialing over Voicemail Stutter Tones  512
    18.9 Overriding Call Waiting  512
    18.10 Leaving the Password Out of the Configuration File  513
    18.11 Creating a Separate pppd Logfile  514

19. Troubleshooting Networks  515
    19.0 Introduction  515
    19.1 Building a Network Diagnostic and Repair Laptop  516
    19.2 Testing Connectivity with ping  519
    19.3 Profiling Your Network with FPing and Nmap  521
    19.4 Finding Duplicate IP Addresses with arping  523
    19.5 Testing HTTP Throughput and Latency with httping  525
    19.6 Using traceroute, tcptraceroute, and mtr to Pinpoint Network Problems  527
    19.7 Using tcpdump to Capture and Analyze Traffic  529
    19.8 Capturing TCP Flags with tcpdump  533
    19.9 Measuring Throughput, Jitter, and Packet Loss with iperf  535
    19.10 Using ngrep for Advanced Packet Sniffing  538
    19.11 Using ntop for Colorful and Quick Network Monitoring  540
    19.12 Troubleshooting DNS Servers  542
    19.13 Troubleshooting DNS Clients  545
    19.14 Troubleshooting SMTP Servers  546
    19.15 Troubleshooting a POP3, POP3s, or IMAP Server  549
    19.16 Creating SSL Keys for Your Syslog-ng Server on Debian  551
    19.17 Creating SSL Keys for Your Syslog-ng Server on Fedora  557
    19.18 Setting Up stunnel for Syslog-ng  558
    19.19 Building a Syslog Server  560

A. Essential References  563

B. Glossary of Networking Terms  566

C. Linux Kernel Building Reference  590

Index  599