Book Image

Linux Networking Cookbook

By : Agnello Dsouza, Gregory Boyce
5 (1)
Book Image

Linux Networking Cookbook

5 (1)
By: Agnello Dsouza, Gregory Boyce

Overview of this book

Linux can be configured as a networked workstation, a DNS server, a mail server, a firewall, a gateway router, and many other things. These are all part of administration tasks, hence network administration is one of the main tasks of Linux system administration. By knowing how to configure system network interfaces in a reliable and optimal manner, Linux administrators can deploy and configure several network services including file, web, mail, and servers while working in large enterprise environments. Starting with a simple Linux router that passes traffic between two private networks, you will see how to enable NAT on the router in order to allow Internet access from the network, and will also enable DHCP on the network to ease configuration of client systems. You will then move on to configuring your own DNS server on your local network using bind9 and tying it into your DHCP server to allow automatic configuration of local hostnames. You will then future enable your network by setting up IPv6 via tunnel providers. Moving on, we’ll configure Samba to centralize authentication for your network services; we will also configure Linux client to leverage it for authentication, and set up a RADIUS server that uses the directory server for authentication. Toward the end, you will have a network with a number of services running on it, and will implement monitoring in order to detect problems as they occur.

Related Content you might be interested in

Current Title:

Small book image
Linux Networking Cookbook
Agnello Dsouza | Gregory Boyce
Jun, 2016 | 152 pages
No titles found
Table of Contents (19 chapters)
Linux Networking Cookbook
Linux Networking Cookbook
Credits
Credits
About the Author
About the Author
About the Reviewer
About the Reviewer
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Configuring a Router
Configuring a Router
Introduction
Setting up the physical network
Configuring IPv4
Configuring IPv4 permanently
Connecting two networks
Enabling NAT to the outside
Setting up DHCP
Setting up a firewall with IPtables
Setting up port forwarding
Adding VLAN Tagging
2
Configuring DNS
Configuring DNS
Introduction
Setting up your system to talk to a nameserver
Setting up a local recursive resolver
Configuring dynamic DNS on your local network
Setting up a nameserver for your public domain
Setting up a slave nameserver
3
Configuring IPv6
Configuring IPv6
Introduction
Setting up an IPv6 tunnel via Hurricane Electric
Using ip6tables to firewall your IPv6 traffic
Route an IPv6 netblock to your local network
4
Remote Access
Remote Access
Introduction
Installing OpenSSH
Using OpenSSH as a basic shell client
Using OpenSSH to forward defined ports
Using OpenSSH as a SOCKS proxy
Using OpenVPN
5
Web Servers
Web Servers
Introduction
Configuring Apache with TLS
Improving scaling with the Worker MPM
Setting up PHP using an Apache module
Securing your web applications using mod_security
Configuring NGINX with TLS
Setting up PHP in NGINX with FastCGI
6
Directory Services
Directory Services
Introduction
Configuring Samba as an Active Directory compatible directory service
Joining a Linux box to the domain
7
Setting up File Storage
Setting up File Storage
Introduction
Serving files with SMB/CIFS through Samba
Granting authenticated access
Setting up an NFS server
Configuring WebDAV through Apache
8
Setting up E-mail
Setting up E-mail
Introduction
Configuring Postfix to send and receive e-mail
Setting up DNS records for e-mail delivery
Configuring IMAP
Configuring authentication for outbound e-mail
Configuring Postfix to support TLS
Blocking spam with Greylisting
Filtering spam with SpamAssassin
9
Configuring XMPP
Configuring XMPP
Introduction
Installing ejabberd
Configuring DNS for XMPP
Configuring the Pidgin client
10
Monitoring Your Network
Monitoring Your Network
Introduction
Installing Nagios
Adding Nagios users
Adding Nagios hosts
Monitoring services
Defining commands
Monitoring via NRPE
Monitoring via SNMP
11
Mapping Your Network
Mapping Your Network
Introduction
Detecting systems on your network with NMAP
Detecting Systems Using Arp-Scan
Scanning TCP ports
Scanning UDP ports
Identifying services
Identifying operating systems
12
Watching Your Network
Watching Your Network
Introduction
Setting up centralized logging
Installing a Snort IDS
Managing your Snort rules
Managing Snort logging
Index
Index

Setting up a firewall with IPtables

We touched upon iptables a little while discussing NAT, but now we're going to go a bit deeper into configuring a secure firewall for your network.

How to do it…

A properly configured firewall should be configured in a default deny configuration with specific allows (Whitelist) for what you want to accept:

# iptables -A INPUT -i lo -j ACCEPT 
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# iptables -P INPUT DROP 
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT
# iptables -A FORWARD -i eth0 -j ACCEPT
# iptables -t nat -A POSTROUTING -o eth2 \
-j MASQUERADE
# iptables -A FORWARD -i eth2 -o eth0 -m \
state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i eth0 -j ACCEPT

How it works…

We start off by setting an ACCEPT policy on traffic destined to the local system on the localhost adapter (-i lo). A lot of software expects to be able to communicate over the localhost adapter, so we want to make sure we don't inadvertently filter it.

Next, we set an ACCEPT policy for any packet that matches a state (-m state) of ESTABLISHED, RELATED. This command accepts packets which are a part of, or related to, an established connection. ESTABLISHED should be pretty straightforward. RELATED packets are special cases that the connection tracking module needs to have a prior knowledge of. An example of this is the FTP protocol operating in active mode. The FTP client in active mode connects to the server on port 21. Data transfers however, operate on a second connection originating from the ftp server from port 20. During the operation of the connection, the port 21 packets are ESTABLISHED, while the port 20 packets are RELATED.

The third command accepts any TCP connection (-p tcp) destined for port 22 (--dport 22) that is destined for your system. This rule allows you to SSH into the machine.

Next, we will define the default policies. By default, we drop packets on the INPUT and FORWARD chains and accept packets on the OUTPUT chain.

The last three lines you'll recognize from the NAT section, which tells the firewall to allow any packets starting on the internal network and heading out to the Internet.

Additional ACCEPT rules based upon destination ports can be opened as needed as INPUT lines, like the port 22 one.

Previous Section
End of Section 9
Next Section