Creating a Gentoo server/ router

[pentium4borg]

Hey everyone. I'm new around here so if some of this has already been answered please point me in the proper direction.


Here's my situation: I've got a lowish-end box at home running Gentoo as a server, and I'm moving back to college on Friday. In the dorms, we only get 1 network port, and I'm taking my server, desktop, and laptop with me to college, so I've ordered a 4-port ethernet card (I don't have it yet, it's being shipped to my dorm), and am planning on setting up my server as a router. At present, my router has a network adapter in the motherboard (eth0), and one other adapter PCI card (eth1). Kernel drivers are set up and both work. When my other card is installed, I should have eth2-eth5 as well.

Eventually, I would like to be able to have all client machines access the internet, and no ports should be blocked inside my server's network. Any connections on any ports to the internet originating from inside the router should not be blocked, if possible. I'm running an HTTP, FTP, NFS, Samba, SSH, and soon IMAP server on the router that I need visible externally. (I'm also running postfix but that's for localhost only).

Here is a diagram of my current network setup: http://www.p4borg.net/stuff/network-diagram.png. (This is valid while I'm still at home, when I'm at school the 192.168.0.x computers will be other computers in my dorm room, like my roommate's computer, so same principle.)

I'd like to also run an NTP server that will be accessible to the external LAN computers (192.168.0.x) as well as my network computer (192.168.1.x), but not to the internet. All other services should be accessible to the internet.

I've had some success getting the internal machines on the internet (Remember I only have 1 LAN port at the moment), but NFS doesn't work (I can't mount shares on my internal network) and computers on my internal LAN (.1.x) can't talk to computers outside in the external LAN (.0.x). Finally, I'd like to have my computers' hostnames resolve to whatever their LAN IPs are at any given moment, but I have no idea where to start on that either.


Thanks so much everyone!

[NeddySeagoon]

pentium4borg,

If I were doing what you are doing, I would use your router PC as is and add a switch for all your other hardware.
The router then provides firewalling, network address translation and a DHCP server, so it all 'just works'.
The multi-port ethernet card is a complication you can do without.

Check your router against the home router guide
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

[pentium4borg]

NeddySeagoon,

For reasons I don't want to get into, I'd rather not buy a switch (it's sorta out of my control), so I'd like to make this work with the hardware I have.

I've actually been through the Home Router Guide (sorry for not mentioning that before), and some of the stuff works. I guess the main thing I'm working on is getting my LAN computers talking to the external LAN computers, as well as getting hostnames automatically resolved and NFS working. I'm pretty much cluseless whe it comes to iptables, which is probably where all my issues can be resolved, and I don't know where to begin with the hostname resolution.

Also, when my multi-port card comes in, do all of eth1-eth5 need to be set to 192.168.1.1? Can multiple NICs have the same address? (How does a hardware router do this?)

[xnij2]

The home router guide worked a treat and had my 486 up and running as a router fairly fast (2 network cards + switch). Worked really well, although it took a while to boot up . Retired it just the other week -- been powering on for quite a few years.

I used Shorewall as a firewall instead of messing about with iptables directly.

[Carlo]

Divide your server into virtual machines, be it VMware or Xen, to minimize the possibililty to have to clean and setup the whole machine again, if a single service should be compromised.
_________________
Please make sure that you have searched for an answer to a question after reading all the relevant docs.

[pentium4borg]

Hey, I figured out how to do multiple NICs on one subnet, I built a bridge!

I don't know if it's possible to have 192.168.0.x talk to my LAN or not, but I'll keep poking around.

Does anyone know how to run an NFS server or FTP server from behind iptables? They both seem to half-work, eg port 21 is open, but then when I try to get to my server it connects but can't retrieve the file list.

Thanks again for all your suggestions!

[NeddySeagoon]

pentium4borg,

FTP needs two ports 21 is one of them. Look in /etc/services
Also investigate passive mode FTP

NFS is not secure - don't run it though a firewall. If you really need to, tunnel it over ssh somehow, or run a Virtual Private Network
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

[pentium4borg]

I found FTP also needs port 20 ("ftp-data") in /etc/services. Now it seems to be working.

I'm trying to run NFS for just my LAN clients (192.168.1.x), but I no longer think it's an iptables issue: it turns out that NFS actually works, but takes several minuts to mount. in /var/log/messages, "rpc.mountd authenticated mount request [etc.]" shows up right after I start mount whatever, but then it hangs at the command line for 2-3 minutes before it finishes mounting. Unmounting is normal. Any ideas about this?

[think4urs11]

Check that portmap is running on the client (/etc/init.d/portmap start)
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself

[pentium4borg]

Yep, portmap wasn't running on the clients. I started portmap and my NFS shared mounted normally. I believe everything is running smoothly now.

[pentium4borg]

I've got one more thing to finish setting this up ...

I've got my NICs all bridged into a bridge called lan0 now. DHCP and DNS seem to be working, but sometimes when I plug in another computer to a routed port, the router's bridge logs "entering disabled state", then "enetering learning state", etc. When this happens, it usually takes 2-3 tries to get an IP address (when it's successful it's quick like normal). Any idea what might be causing such a delay? I'd like to be able to plug in a device and have it assigned an address quickly like a normal hardware router.

The bridge lines of my /etc/conf.d/net look like:

config_lan0=( "192.168.1.1 netmask 255.255.255.0" )
brctl_lan0=( "stp on" "setbridgeprio 2" "setfd 4" "sethello 4" "setmaxage 4" )

Thanks again everyone!