- morphy_richards
- Posts: 1603
- Joined: Mon Mar 05, 2012 3:26 pm
- Location: Epping Forest
- Contact: Website
Computer Science Networking
Hi all,
I'm putting together a kind of general purpose network within my school for teaching computer science.
The network will have a few servers for things like ...
1) DNS, DHCP, an internet gateway etc.
2) A few LTSP servers
Internet will be provided by the school's LAN, however, the computing network needs to be isolated to protect the school network.
What would be the most sensible order to set this up? I imagine ...
1) An old PC with two network cards to be a router between school LAN and computing LAN.
2) One or more machines to provide services such as DNS, mail, DHCP, Samba or Kerberos, LDAP.
3) Some higher spec machines to act as LTSP servers.
Is that a sensible course of action?
Thanks
- FTrevorGowen
- Forum Moderator
- Posts: 6001
- Joined: Mon Mar 04, 2013 6:12 pm
- Location: Bristol, U.K.
- Contact: Website
Re: Computer Science Networking
morphy_richards wrote: ...
1) An old PC with two network cards to be a router between school LAN and computing LAN.
2) One or more machines to provide services such as DNS, mail, DHCP, Samba or Kerberos, LDAP.
3) Some higher spec machines to act as LTSP servers.
...

W.r.t. 1) - FWIW, some years ago (before I acquired my first wireless router) I installed Smoothwall Linux on a similar setup to act as the household's main firewall & router which, IIRC, ran pretty much 24/7 w/o problems. It seems to be still available as "Smoothwall Express".
Trev.
Still running Raspbian Jessie or Stretch on some older Pi's (an A, B1, 2xB2, B+, P2B, 3xP0, P0W, 2xP3A+, P3B+, P3B, B+, and a A+) but Buster on the P4B's & P400. See: https://www.cpmspectrepi.uk/raspberry_pi/raspiidx.htm
Re: Computer Science Networking
morphy_richards wrote: Internet will be provided by the school's LAN, however, the computing network needs to be isolated to protect the school network.
What would be the most sensible order to set this up? I imagine ...
1) An old PC with two network cards to be a router between school LAN and computing LAN.
2) One or more machines to provide services such as DNS, mail, DHCP, Samba or Kerberos, LDAP.
3) Some higher spec machines to act as LTSP servers.
Is that a sensible course of action?

I used to use an old PC with Smoothwall Express, like Trevor mentioned, but the current version won't run on that system since they dropped support for some earlier CPUs.
I replaced it with a cheap wireless router (although I turned the wireless off, as I don't use that). It handles NAT, DNS, DHCP and uses a lot less power than an old PC.
I also have an old laptop running Debian. I disabled DNS and DHCP on the router and installed dnsmasq on the laptop instead. It's a lot more flexible and I can manage my home network addresses through it (as well as being able to trap certain advertising sites and direct them to a dummy local webserver). It also runs Samba for my wife's windows laptop, CUPS for printing, Apache2 for web stuff, MySQL and several NFS shares. Not bad for a slow old machine

- morphy_richards
- Posts: 1603
- Joined: Mon Mar 05, 2012 3:26 pm
- Location: Epping Forest
- Contact: Website
Re: Computer Science Networking
Currently I'm playing with ipkungfu
http://packages.debian.org/unstable/net/ipkungfu
It seems (like it should be) great!
It creates an iptables based firewall and router and creates internet connection sharing
I installed Debian on a PC with 2 NICs
One NIC to School Network
One to Computing.LAN
Next ...
apt-get install ipkungfu
Make a few changes to config files
Allow ip addresses of known hosts on the Computing.LAN network
Try to browse the web on a machine on the LAN
No joy
Aaargh
ping the router/firewall from the machine on the LAN - no problem
ping the machine on the LAN from the router - no problem


- morphy_richards
- Posts: 1603
- Joined: Mon Mar 05, 2012 3:26 pm
- Location: Epping Forest
- Contact: Website
Re: Computer Science Networking
I've finally got some of this working.
I probably had it (almost) working several times in different implementations and thrown it away and started from scratch over and over again.
My problem was and still kind of is DNS
I'm now using ClearOS (which is a stripped down Linux (based on Fedora I think) specifically configured for routing and firewalls).
Now I currently have it set up so that it has created a firewall/router between eth0 ("computing.lan") and eth1 (school network and internet)
My problem was with DNS. It's now set up so that the DNS used by my computing lan is the same as that the school network uses to resolve websites such as google.
This works for allowing machines on my network to resolve domains outside of my network however ...
I foresee problems in the future when little Bobby and his class try to make a webserver on a raspberry pi and plug it into the computing.lan
The school's DNS on 10.x.y.z doesn't know anything at all about bobbys_server.computing.lan and so that's not going to work when we try
http://bobbys_server.computing.lan/best_pets.html (or whatever)
Should / could I configure a raspberry pi to act as an internal DNS? Given the inordinate amount of time it's taken me to get this far, are there any helpful hints and tips from anyone on how best I could go about this?
Also - I suspect my firewall is probably configured to prevent attacks from the "outside" to the "inside" but as the "outside" in this case is a school network and the "inside" is a kind of sandbox populated by wannabe crackers - what extra steps should I take to protect the school network?
(Note to self - remember to uninstall network-manager and add a dns-nameservers x.x.x.x stanza to the /etc/network/interfaces file on each edubuntu ltsp server)
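One way to approach the question in the post above about protecting the school network from the lab side, as an added example that is not part of the thread and not ClearOS's own configuration: a generator for an iptables-restore ruleset on the two-NIC gateway. The interface roles, the 192.168.0.x lab range and the upstream DNS address 10.192.160.10 are taken from posts in this thread; treating all of 10.0.0.0/8 as the school network, the assumption that no other school host (such as a web proxy) is needed, and the function and variable names are assumptions.

```sh
#!/bin/sh
# Added example: emit an iptables-restore ruleset for the lab gateway.
# From the thread: eth0 = computing.lan, eth1 = school network and internet,
# lab hosts in 192.168.0.x, upstream DNS at 10.192.160.10.
# Assumptions: the school network is all of 10.0.0.0/8, the lab needs no other
# school host, and the gateway is administered from its console.
LAN_IF="${LAN_IF:-eth0}"
SCHOOL_IF="${SCHOOL_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
SCHOOL_NET="${SCHOOL_NET:-10.0.0.0/8}"
SCHOOL_DNS="${SCHOOL_DNS:-10.192.160.10}"

gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# --- traffic addressed to the gateway itself ---
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT
# --- traffic routed between the two networks ---
# Replies to connections that were allowed out may come back in.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing: the lab side may only send from lab addresses.
-A FORWARD -i $LAN_IF ! -s $LAN_NET -j DROP
# The only school host the lab may open connections to: the DNS resolver.
-A FORWARD -i $LAN_IF -o $SCHOOL_IF -s $LAN_NET -d $SCHOOL_DNS -p udp --dport 53 -j ACCEPT
-A FORWARD -i $LAN_IF -o $SCHOOL_IF -s $LAN_NET -d $SCHOOL_DNS -p tcp --dport 53 -j ACCEPT
# Anything else aimed at school addresses is logged (rate-limited) and refused.
-A FORWARD -i $LAN_IF -o $SCHOOL_IF -d $SCHOOL_NET -m limit --limit 6/min -j LOG --log-prefix "LAB-TO-SCHOOL "
-A FORWARD -i $LAN_IF -o $SCHOOL_IF -d $SCHOOL_NET -j REJECT --reject-with icmp-admin-prohibited
# Remaining destinations are the internet beyond the school network.
-A FORWARD -i $LAN_IF -o $SCHOOL_IF -s $LAN_NET -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Hide lab addresses behind the gateway's school-side address.
-A POSTROUTING -s $LAN_NET -o $SCHOOL_IF -j MASQUERADE
COMMIT
EOF
}

# Print the ruleset only when asked, so the file can also be sourced.
case "${1:-}" in
    --print) gen_ruleset ;;
esac
```

Saved under a name of your choice (here `lab-fw.sh`, hypothetical), the output can be syntax-checked without loading it via `sh lab-fw.sh --print | sudo iptables-restore --test`. Because FORWARD defaults to DROP and only established replies are accepted from eth1, nothing on the school side can open a connection into the lab either.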
Re: Computer Science Networking
This is the sort of thing that dnsmasq is good at.
You set it up as the DHCP/DNS server for your local subnet. Add your local machine names to /etc/hosts on the machine it is running on. When someone queries a hostname, it will first check its local cache, then the local /etc/hosts, then the external DNS server.
So, if you put bobbys_server.computing.lan in its /etc/hosts as 10.x.y.z, that is what it will return to the querying machine.
(I also use it to trap certain "dodgy" websites, by putting them in /etc/hosts as the address of a local web server, so it just returns a 404)
- morphy_richards
- Posts: 1603
- Joined: Mon Mar 05, 2012 3:26 pm
- Location: Epping Forest
- Contact: Website
Re: Computer Science Networking
might need to do all this
https://help.ubuntu.com/community/UbuntuLTSP/ProxyDHCP
when configuring an edubuntu ltsp server to make a separate sub-net for thin clients on a second NIC. Experimenting.
Would be nice to have each room work as a separate sub-net but might be problematic
- morphy_richards
- Posts: 1603
- Joined: Mon Mar 05, 2012 3:26 pm
- Location: Epping Forest
- Contact: Website
Re: Computer Science Networking
morphy_richards wrote: might need to do all this
https://help.ubuntu.com/community/UbuntuLTSP/ProxyDHCP
when configuring an edubuntu ltsp server to make a separate sub-net for thin clients on a second NIC. Experimenting.
Would be nice to have each room work as a separate sub-net but might be problematic

That made bad things happen ...
By the way, what's a good name for a DNS server?
eg. I named my gateway collossus (after the Colossus of Rhodes who stood over the harbour entrance to Rhodes)
But what would you call something that names things?
- morphy_richards
- Posts: 1603
- Joined: Mon Mar 05, 2012 3:26 pm
- Location: Epping Forest
- Contact: Website
Re: Computer Science Networking
morphy_richards wrote:
By the way, what's a good name for a DNS server?

Lexicon?
- morphy_richards
- Posts: 1603
- Joined: Mon Mar 05, 2012 3:26 pm
- Location: Epping Forest
- Contact: Website
Re: Computer Science Networking
rpdom wrote: This is the sort of thing that dnsmasq is good at.

I just did a simple dnsmasq install on a raspberry pi running raspbian, added hosts as you described and tried pinging the two servers I currently have and then did
Code: Select all
ssh pi@lexicon
Very exciting!
edit - still not convinced that lexicon is the best name for a dns server, nevertheless ...
Next ... configuring dhcp!
- morphy_richards
- Posts: 1603
- Joined: Mon Mar 05, 2012 3:26 pm
- Location: Epping Forest
- Contact: Website
Re: Computer Science Networking
Using this as a tutorial to configure dnsmasq as dhcp server.
http://www.techrepublic.com/blog/openso ... rvices/293
Re: Computer Science Networking
morphy_richards wrote: edit - still not convinced that lexicon is the best name for a dns server, nevertheless ...

oneoneeight?
>)))'><'(((<
- morphy_richards
- Posts: 1603
- Joined: Mon Mar 05, 2012 3:26 pm
- Location: Epping Forest
- Contact: Website
Re: Computer Science Networking
aTao wrote: oneoneeight?

hmmm...
Irritatingly my ClearOS router seems to have blown up overnight.
dmar: IOMMU: failed to map dmar0.
- morphy_richards
- Posts: 1603
- Joined: Mon Mar 05, 2012 3:26 pm
- Location: Epping Forest
- Contact: Website
Re: Computer Science Networking
Rebuilt the thing...
Ran into another issue. Silly me ... if you make a router/gateway/firewall (for example clearOS in gateway mode) it includes dhcp.
Setting up dhcp somewhere else (like on my "lexicon" raspberry pi based dns) bad things happen.
...although I'm not convinced the dhcp that's built into the clearOS router works very well
Need to do more fiddling.
- morphy_richards
- Posts: 1603
- Joined: Mon Mar 05, 2012 3:26 pm
- Location: Epping Forest
- Contact: Website
Re: Computer Science Networking
I changed the DHCP server built into ClearOS to be non-authoritative (can't see how to actually switch it off).
Have enabled the DHCP part of dnsmasq and configured settings in /etc/dnsmasq.conf
I would expect to be able to plug a laptop into my main network now and for it to pick up settings if its network manager is set to DHCP then it would just ... work.
However, in order to get a new machine such as an ibook to connect to the web via my network I still have to manually:
assign an ip address, netmask, gateway, dns-nameservers.
Especially assigning an external dns-nameserver is crucial to browsing web pages and my internal dns server for resolving internal machine names... but why is dhcp not doing this?
Anyway, now creating a new Ubuntu server "athena". This will be the SSO and file server. I intend to use this guide
Apparently I need to create a Network Time Protocol (NTP) server.
Re: Computer Science Networking
I put my dnsmasq config in /etc/dnsmasq.d/local as that saves me having to modify the default config file.
The relevant bits of that file are:
Code: Select all
# Local Configuration file for dnsmasq.
#
# See /etc/dnsmasq.conf for details on what these options do
no-resolv
server=ip_of_external_DNS_1
server=ip_of_external_DNS_2
local=/internal_domain_name/
expand-hosts
domain=internal_domain_name
dhcp-range=192.168.1.200,192.168.1.219,1h
dhcp-host=raspi
dhcp-host=raspi2
dhcp-host=raspi3
#(and so on)
dhcp-option=option:router,192.168.1.1
# 0.0.0.0 stands for the address of the machine running dnsmasq, so the
# next line advertises this server as the NTP server
dhcp-option=option:ntp-server,0.0.0.0
dhcp-authoritative
In my /etc/ntp.conf I have uncommented the line
Code: Select all
broadcast 192.168.1.255
to allow this machine to be an NTP server for the local subnet.
- morphy_richards
- Posts: 1603
- Joined: Mon Mar 05, 2012 3:26 pm
- Location: Epping Forest
- Contact: Website
Re: Computer Science Networking
Thanks...
In my raspberry pi have just made the following /etc/dnsmasq.d/local
Code: Select all
# Local Configuration file for dnsmasq.
#
# See /etc/dnsmasq.conf for details on what these options do
no-resolv
server=10.192.160.10
#server=ip_of_external_DNS_2
local=/internal_domain_name/
expand-hosts
domain=internal_domain_name
dhcp-range=192.168.0.50,192.168.0.219,1h
dhcp-host=lexicon
#(and so on)
dhcp-option=option:router,192.168.0.2
# 0.0.0.0 stands for the address of the machine running dnsmasq, so the
# next line advertises this server as the NTP server
dhcp-option=option:ntp-server,0.0.0.0
dhcp-authoritative
Now testing .....
- morphy_richards
- Posts: 1603
- Joined: Mon Mar 05, 2012 3:26 pm
- Location: Epping Forest
- Contact: Website
Re: Computer Science Networking
That almost worked perfectly. On the ibook with DHCP it picks up an ip address, subnet mask, search domain and DNS server but no router (gateway)
Should I delete my /etc/resolv.conf file if I am adding settings in /etc/dnsmasq.d/local.?
Some great news though ...
Code: Select all
athena_admin@athena:~$ nslookup athena
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: athena
Address: 192.168.0.4
athena_admin@athena:~$ nslookup 192.168.0.4
Server: 127.0.0.1
Address: 127.0.0.1#53
4.0.168.192.in-addr.arpa name = athena.computing.lan.
athena_admin@athena:~$
Only a blimmin Fully Qualified Domain Name that is both forward- and reverse-resolvable! Ay? Ay?
That certainly wasn't working before your help
(ps. still need to make a NTP server somewhere on the network)
- morphy_richards
- Posts: 1603
- Joined: Mon Mar 05, 2012 3:26 pm
- Location: Epping Forest
- Contact: Website
Re: Computer Science Networking
A random afterthought...
I've configured the ltsp server "lovelace" with 2 network interfaces. eth0 goes to the subnet for all the berryterminals for that room (192.168.1.x) whereas eth1 goes to the main computing.lan (192.168.0.x)...
If I configure lovelace so that it uses athena as a Kerberos server for login authentication, will there be an issue with logging in users as the berryterminals are all on a different subnet?
- morphy_richards
- Posts: 1603
- Joined: Mon Mar 05, 2012 3:26 pm
- Location: Epping Forest
- Contact: Website
Re: Computer Science Networking
For an NTP I am going to use my Ubuntu "Athena" server.
sudo apt-get install ntp
configure /etc/ntp.conf as rpdom suggests further back
broadcast 192.168.0.255
Configuring my "lexicon" Raspberry Pi based DNS server to use athena for NTP ...
configure /etc/ntp.conf
uncomment the lines
disable auth
broadcastclient
Now, do the same on "lovelace", my ltsp server
sudo apt-get install ntp
configure /etc/ntp.conf
uncomment the lines
disable auth
broadcastclient
repeat for all servers.
- morphy_richards
- Posts: 1603
- Joined: Mon Mar 05, 2012 3:26 pm
- Location: Epping Forest
- Contact: Website
Re: Computer Science Networking
weirdly on my Raspberry Pi it's never had the correct date / time
eg... doing this now (11:47 on Mon 29th April)
Code: Select all
lexicon_admin@lexicon ~ $ date
Wed Feb 13 01:56:12 UTC 2013
lexicon_admin@lexicon ~ $
My Pi has an active internet connection (eg. pinging google works) and additionally I've told it to use athena as the NTP server.
Setting it manually with
sudo date -s "29 APR 2013 11:50:00"
and then
sudo shutdown -r now
Code: Select all
lexicon_admin@lexicon ~ $ date
Mon Apr 29 11:53:46 UTC 2013
lexicon_admin@lexicon ~ $
That's better.
- morphy_richards
- Posts: 1603
- Joined: Mon Mar 05, 2012 3:26 pm
- Location: Epping Forest
- Contact: Website
Re: Computer Science Networking
Okay, what's going on
Code: Select all
athena_admin@athena:~$ ping lovelace
PING lovelace (192.168.0.10) 56(84) bytes of data.
64 bytes from lovelace.computing.lan (192.168.0.10): icmp_req=1 ttl=64 time=0.192 ms
it's there but if I try to ssh to the server with the whole network address included I get ...
Code: Select all
ssh lovelace_admin@lovelace.computing.lan
ssh: Could not resolve hostname lovelace.computing.lan: Name or service not known
However ssh into just the hostname works ...
Code: Select all
ssh lovelace_admin@lovelace
lovelace_admin@lovelace's password:
nslookup says it's fine too...
Code: Select all
nslookup lovelace.computing.lan
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: lovelace.computing.lan
Address: 192.168.0.10
- morphy_richards
- Posts: 1603
- Joined: Mon Mar 05, 2012 3:26 pm
- Location: Epping Forest
- Contact: Website
Re: Computer Science Networking
I don't understand.
If I add ...
192.168.0.10 lovelace
... to the local /etc/hosts file on lovelace then I am able to ssh into lovelace.computing.lan otherwise only ssh lovelace works from another host.
I haven't had to do this for the other servers though. For example ssh pi.lexicon.computing.lan works fine!
But everything else (ping, nslookup) resolves it as I would expect.
- morphy_richards
- Posts: 1603
- Joined: Mon Mar 05, 2012 3:26 pm
- Location: Epping Forest
- Contact: Website
Re: Computer Science Networking
I've now modified my hosts file on my dnsmasq server by adding .computing.lan and then the hostname only as an alias.
Code: Select all
#127.0.1.1 lexicon.computing.lan lexicon
192.168.0.2 collossus.computing.lan collossus
192.168.0.3 lexicon.computing.lan lexicon
192.168.0.4 athena.computing.lan athena
192.168.0.10 lovelace.computing.lan lovelace
However, I thought the lines below in dnsmasq.conf would do this:
Code: Select all
# Set the domain for dnsmasq. this is optional, but if it is set, it
# does the following things.
# 1) Allows DHCP hosts to have fully qualified domain names, as long
# as the domain part matches this setting.
# 2) Sets the "domain" DHCP option thereby potentially setting the
# domain of all systems configured by DHCP
# 3) Provides the domain part for "expand-hosts"
domain=computing.lan
- morphy_richards
- Posts: 1603
- Joined: Mon Mar 05, 2012 3:26 pm
- Location: Epping Forest
- Contact: Website
Re: Computer Science Networking
Now trying to set up Kerberos for SSO!
This guide is rubbish (https://help.ubuntu.com/community/Kerberos) [edit - no I take that back, it's me who is rubbish]
It says you need to
$ sudo apt-get install krb5-kdc krb5-admin-server
$ sudo dpkg-reconfigure krb5-kdc
However before you do $ sudo dpkg-reconfigure krb5-kdc
I think you need to do
$ sudo krb5_newrealm
...hmmm .... okkaayyy.... so I've done that ...
"Principals are entries in the Kerberos database that represent users or services on the network."
Okay. So it's a user that can use the SSO.
"Now that your realm is set up you may wish to create an administrative principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that you can use the kadmin program on other computers."
Having a look at /etc/krb5kdc/kadm5.acl ... error opening file
Well, I'll try : "using the addprinc subcommand of the kadmin.local program"
$ kadmin.local
Authenticating as principal athena_admin/admin@COMPUTING.LAN with password.
kadmin.local: Permission denied while initializing kadmin.local interface
What gave me the idea this would be easy.?