n00b needs help setting up a linux router!

[SMoo]

Well, I'm no n00b to Gentoo, but I'm a total n00b in the areas I'm fixin to venture into.

I'm going to be in charge of getting our new church building set up, and I've got a server with Gentoo on it already.
It's an older Proliant 5500, but it has tons of hard drive space.

Here are the specs:

2x PIII Xeon 400, 133 MHz FSB (will be adding 2 more when they come in from eBay)
2gb EDO RAM (Also bought 2gb more on eBay)
Mylex DAC960 PCI RAID controller (The original Compaq wouldn't see the 146's)
7x146gb 15k SCSI drives, RAID 5
1x Compaq Netelligent 10/100 NIC (External for Time Warner cable modem)
1x Broadcom tigon3 10/100/1000 NIC (Internal for gigabit network)
If it's important, there's an ATI Rage 128 onboard

Now, here are the things I want to do with this box:

1) VPN server
2) Proxy (Transparent or otherwise I don't care)
3) Router (from eth0 to eth1)
4) Samba file storage
5) Do sexy things with SNMP (ie shut down if UPS sends the appropriate trap, etc)
6) Making backups of PC's would be nice, but not necessary
7) Fax server possibly
DHCP server -required
9) DNS server -required
10) More things added later

I've got VPN set up, as well as Samba. I'm halfway through getting DHCP running, and 5% of getting DNS working.

I know there's alot of information that will be needed, and I will add it when I get home tonight (The ISA server at work prevents my SSH to the box at home).

In the mean time, can anyone point out some good how-to's or guides for some of these things?

Thanks!

[GoofballJM1]

The Gentoo Wiki Site is your friend.

Also the Official Gentoo Documentation has a router guide among 2 dozen other tutorials.

Documentation is why I have been using Gentoo for nearly 3 years. It's better than any other distro I have used.
_________________
"Great spirits have often encountered violent opposition from weak minds." - Albert Einstein

[erik258]

[opentaka]

calling yourself noob just makes you look stupid and it doesn't grant you additional priority to get help.
there are several documentations you can find about this by just searching few seconds.
http://www.gentoo.org/doc/en/home-router-howto.xml
etc.

the router part is just an app forwarding the packets(iptables), dhcp can be configured by searching dhcpd howto, samba for samba howto, for proxy, I prefer squid, dns can be configured by seraching for bind or djbdns

so I suggest to search for individual daemons you need for your router.

cheers,
_________________
"Being defeated is often a temporary condition. Giving up is what makes it permanent" - Marilyn vos Savant

[SMoo]

Thanks for all the replies.

I understand that the Gentoo documentation is truly great, however, it's only as good as theoretics allows. I much prefer experience to text. I've also never been good at learning from a book... I'm a more hands-on type of person. A typical ISTJ.

At any rate, here are some config files:

/etc/dhcp/dhcpd.conf:

ddns-update-style none;
authoritative;

subnet 10.10.77.0 netmask 255.255.255.0 {
range 10.10.77.10 10.10.77.199;
option domain-name-servers 10.10.77.1;
option domain-name "xxxxxxxxx.org";
option routers 10.10.77.1;
option broadcast-address 10.10.77.255;
default-lease-time 86400;
max-lease-time 86400;
}


/etc/bind/named.conf:

options {
directory "/var/bind";

// uncomment the following lines to turn on DNS forwarding,
// and change the forwarding ip address(es) :
//forward first;
//forwarders {
// 123.123.123.123;
// 123.123.123.123;
//};

listen-on-v6 { none; };
listen-on { 127.0.0.1; };

// to allow only specific hosts to use the DNS server:
//allow-query {
// 127.0.0.1;
//};

// if you have problems and are behind a firewall:
//query-source address * port 53;
pid-file "/var/run/named/named.pid";
forwarders {
24.93.35.63;
24.93.35.62;
};
forward first;
};

// Briefly, a zone which has been declared delegation-only will be effectively
// limited to containing NS RRs for subdomains, but no actual data beyond its
// own apex (for example, its SOA RR and apex NS RRset). This can be used to
// filter out "wildcard" or "synthesized" data from NAT boxes or from
// authoritative name servers whose undelegated (in-zone) data is of no
// interest.
// See http://www.isc.org/products/BIND/delegation-only.html for more info

//zone "COM" { type delegation-only; };
//zone "NET" { type delegation-only; };

zone "." IN {
type hint;
file "named.ca";
};

zone "localhost" IN {
type master;
file "pri/localhost.zone";
allow-update { none; };
notify no;
};

zone "127.in-addr.arpa" IN {
type master;
file "pri/127.zone";
allow-update { none; };
notify no;
};


I followed a howto to get VPN working. It's located here:
https://forums.gentoo.org/viewtopic-t-470858-highlight-vpn+howto.html

That works fine now.

I used a howto for Samba as well. Here:
https://forums.gentoo.org/viewtopic-t-338602-highlight-quick+samba+howto.html

It's very cimple, but there's no need to keep secret files at a church. Samba is working.

DHCP I muddled through on my own, and that seems to work fine.

Maybe some example config files would help?

I'm not asking anyone to do this for me, I'm just asking to be pointed in the right direction.

[erik258]

I want to give you props for absorbing a bit of low temperature flaming (I almost defended you on the newb point, as i think that shows respect for your betters as it were -- in which i don't count myself*) and thrown back a nice looking overview on doing just what you wanted. The dhcp and dns stuff is very valuable to me so I want to thank you.

well done, very well done.



* for what it's worth, newbies need help, whereas anyone who really deserves assistance can usually figure it out on their own. Sure, its obvious how much of a newb someone is (and i think you've made it clear that you aren't one ; ) ) , but it's nice when you don't have to remind them of that to convince them to follow your directions ; ) these forums don't have a problem with that, usually.
_________________
Configuring a Firewall? Try my iptables configuration
LinuxCommando.com is my blog for linux-related scraps and tidbits. Stop by for a visit!

[SMoo]

Thanks Erik,

I' m not a Gentoo n00b, but I'm a n00b in these areas in particular. Things like opentaka's comment about me looking stupid doesn't bother me. Maybe it's because I'm married, and have heard worse?
I should've mentioned that I've searched through alot of documentation and still wanted pointers.

I don't mean to make this thread dreary or a flamebox, but someone may also be searching for answers, and if they read this thread, it may help them as well.


Now, an update:

I've abandoned dhcpd and bind in favor of dnsmasq and iptables, since the church doesn't have a need for the advnaced features of them. If I need more routing, I'll add another NIC and VLAN the Cisco switch for that. Much easier.

I followed a guide on setting up IP-Masquerade, iptables, and dnsmasq, found here:
http://gentoo-wiki.com/HOWTO_setup_a_home-server

I also got squid set up, albeit in a very basic manner, following the same guide. Obvious changes were made (Like I'm using an IP range of 10.10.77.xxx and not the usual 192.168.x.x).

Also, I've been looking at the various firewalls that are available. I'm interested in people's opinions on them. Here are my concerns:

1) Ease of use. The folks that may work on this system later are *NOT* linux savvy by any means.
2) Rules. I want to keep people out and block some websites.
We're going to have youth group there and there are 13 year old boys in it. Guess what they're going to try when given carte blanche over an internet connection?! You guessed it, and I want to stop it before it starts!
3) Remote management. If no one can follow my direction, I want to be able to do it myself.

Any ideas?

[erik258]

1) Ease of use. The folks that may work on this system later are *NOT* linux savvy by any means.
My roomates are smart people, but not really linux savvy. One of them isn't even really computer savvy (although remarkably intellegent, so maybe that's why) and doesn't know linux at all but still manages to use my computers with great succes, as long as I am around to fix problems as they occur. That i think is the big invaluable step - you need to know exactly what needs to work. I find that trial and error is the best way to do it. Have people start using the computers and configure them so that the people can be successful.

2) Rules. I want to keep people out and block some websites.
my firewall setup seems to be holding up under the scrutiny of 160+ views. No responses yet. It seems to work well for me too. Stateful firewall, so ports >1024 can be closed by default without interfering with network services. I'm not sure how to go about blocking certain websites. I know you could drop traffic to those sights @ your firewall, but I don't know how you'd get such a list of blocked ips and how you'd update it.

3) Remote management. If no one can follow my direction, I want to be able to do it myself.
Open up ssh to the outside world. If you don't want sshbot traffic, you'll have to open up a port other than 22. Try 222 or something, and nobody will know that sshd is listening to the port -- security by obscurity. It will fool the bots, and strong passwords will fool the bots and everybody else. From there, you can log in to the other computers on the network and configure things as needs be.
_________________
Configuring a Firewall? Try my iptables configuration
LinuxCommando.com is my blog for linux-related scraps and tidbits. Stop by for a visit!

[medicineman]

[nobspangle]

iptables is your firewall, if you want to make it easier to configure try shorewall.

DansGuardian is the way to for your content filter, it should be easy to set up since you already have squid.