#1
Newb Techie, Join Date: Jul 2006, Posts: 7

I volunteer as a computer tech for my church. We have 4 computers and they get infected in spite of firewalls, antivirus, etc. My question is, is it possible to build a computer with *NIX on it that connects to the internet and the other computers connect through this computer? Also, how can I use this computer as a central backup server to back up important files on other computers?
#2
Wizard Techie, Join Date: Aug 2005, Posts: 4,171

So you want to use Linux as a server to share the Internet connection and also function as a file server for backup? What Linux distro are you interested in? It is very possible; all you really need is to set up iptables so the Linux OS will function as a NAT router. You can file share between Windows machines using Samba also.
#4
Banned

www.linux.com. There are many to choose from. And they're free; just download the ISO and burn to CD-R.
#6
Wizard Techie, Join Date: Aug 2005, Posts: 4,171

I recommend Fedora Core, because this guide that I have attached is from my book. I probably won't be able to come up with my own Linux guide since I just deleted my Fedora Core partition like 6 months ago. Like the book said, you should use a dedicated hardware router; doing iptables is not easy for someone who is new to it. If you want to go ahead, the guide is below. Downloading and installing Fedora Core is a whole new section I won't explain. You can get FC at http://fedora.redhat.com/

What you will need:
- The server machine with two network cards and FC installed, running the 2.6.x kernel
- Switch or hub
- Straight-through cables
- Broadband Internet (Ethernet connection, DSL, cable)

Sharing an Internet Connection Using NAT

On the Internet there are a lot of scripts available that set up Internet connection sharing using iptables. Each of the scripts boils down to the same few basic iptables commands with minor differences. This section discusses those few statements to explain how a connection can be shared.

There are two ways you can share a single connection to the Internet (one IP address). Both involve setting up NAT to alter addresses in and forward packets. The first allows clients (browsers, mail readers, and so on) on several systems on a LAN to share a single IP address to connect to servers on the Internet. The second allows servers (mail, web, FTP, and so on) on different systems on a LAN to provide their services over a single connection to the Internet. You can use iptables to set up one or both of these configurations.

In both cases, you need to set up a system that is a router: It must have two network connections, one connected to the Internet and the other to the LAN. For optimum security, use a dedicated system as a router. Because data transmission over a connection to the Internet, even a broadband connection, is relatively slow, using a slower, older system as a router does not generally slow down a LAN. This setup gives you some defense against intrusion from the Internet. A workstation on the LAN can also function as a router, but this setup means you have data on a system that is directly connected to the Internet. The following sections discuss the security of each setup.

The examples in this section assume that the device named eth0 connects to the Internet on 10.255.255.255 and that eth1 connects to the LAN on 192.168.0.1. Substitute the devices and IP addresses that your systems use. If you use a modem to connect to the Internet, you need to substitute ppp0 (or another device) for eth0 in the examples.

In order for the examples in this section to work, you must turn on IP forwarding. First, give the following command and make sure everything is working:

    # /sbin/sysctl -w net.ipv4.ip_forward=1

Once you know that iptables is working the way you want, change the 0 to a 1 in the following line in /etc/sysctl.conf to make the kernel always perform IP forwarding:

    net.ipv4.ip_forward = 0

Connecting Several Clients to a Single Internet Connection

Configuring the kernel of the router system to allow clients on multiple, local systems on the LAN to connect to the Internet requires you to set up IP masquerading, or SNAT (source NAT). IP masquerading translates the source and destination addresses in the headers of network packets that originate on local systems and the packets that remote servers send in response to those packets. These packets are part of connections that originate on a local system. The example in this section does nothing to packets that are part of connections that originate on the remote systems (on the Internet): These packets cannot get past the router system, providing a degree of security. The point of rewriting the packet headers is to allow systems with different local IP addresses to share a single IP address on the Internet.

The router system translates the source or origin address of packets from local systems to that of the Internet connection, so that all packets passing from the router to the Internet appear to come from a single system, 10.255.255.255 in the example. All packets sent in response by remote systems on the Internet to the router system have the address of the Internet connection, 10.255.255.255 in the example, as their destination address. The router system remembers each connection and alters the destination address on each response packet to that of the local, originating system.

The router system is established by four iptables commands, one of which sets up a log of masqueraded connections. The first command puts the first rule in the FORWARD chain of the FILTER (default) table (-A FORWARD):

    # iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

To match this rule, a packet must be
1. Received on eth0 (coming in from the Internet): -i eth0.
2. Going to be sent out on eth1 (going out to the LAN): -o eth1.
3. Part of an established connection or a connection that is related to an established connection: --state ESTABLISHED,RELATED.

The kernel accepts (-j ACCEPT) packets that meet these three criteria. Accepted packets pass to the next appropriate chain/table. Packets that are not accepted pass to the next rule in the FORWARD chain. Packets from the Internet that attempt to create a new connection are not accepted by this rule.

The second command puts the second rule in the FORWARD chain of the FILTER table:

    # iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

To match this rule, a packet must be
1. Received on eth1 (coming in from the LAN): -i eth1.
2. Going to be sent out on eth0 (going out to the Internet): -o eth0.

The kernel accepts packets that meet these two criteria, which means that all packets that originate locally and are going to the Internet are accepted. Accepted packets pass to the next appropriate chain/table. Packets that are not accepted pass to the next rule in the FORWARD chain.

The third command puts the third rule in the FORWARD chain of the FILTER table:

    # iptables -A FORWARD -j LOG

This rule has no match criteria, so it acts on all packets it processes. This rule's action is to log packets, which means it logs packets from the Internet that attempt to create a new connection. Packets that get to the end of the FORWARD chain of the FILTER table are done with the rules set up by iptables and are handled by the local TCP stack. Packets from the Internet that attempt to create a new connection on the router system are accepted or returned, depending on whether the service they are trying to connect to is available on the router system.

The fourth command puts the first rule in the POSTROUTING chain of the NAT table. Only packets that are establishing a new connection are passed to the NAT table. Once a connection has been set up for SNAT or MASQUERADE, the headers on all subsequent ESTABLISHED and RELATED packets are altered the same way as the first packet. Packets that are sent in response to these packets automatically have their headers adjusted so that they return to the originating local system.

    # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

To match this rule, a packet must be
1. Establishing a new connection (otherwise it would not have come to the NAT table).
2. Going to be sent out on eth0 (going out to the Internet): -o eth0.

The kernel MASQUERADEs all packets that meet these criteria, which means that all locally originating packets that are establishing new connections have their source address changed to the address that is associated with eth0 (10.255.255.255 in the example).

Following are the four commands together:

    # iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
    # iptables -A FORWARD -j LOG
    # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

You can put these commands in /etc/rc.local or in a script called by this file on the router system to have them executed each time the system boots. Or you can put them in /etc/sysconfig/iptables, leaving off the iptables command at the start of each line. When you put the commands in the iptables file, they are executed by the iptables init script each time it is called.

To limit the local systems that can connect to the Internet, you can add a source match criterion to the last command as shown following:

    # iptables -t nat -A POSTROUTING -o eth0 -m iprange --src-range 192.168.0.0-192.168.0.32 -j MASQUERADE

In the preceding command, --src-range 192.168.0.0-192.168.0.32 causes only packets from an IP address in the specified range to be MASQUERADEd.

Connecting Several Servers to a Single Internet Connection

DNAT (destination NAT) can set up rules to allow clients from the Internet to send packets to servers on the LAN. This example sets up an SMTP mail server on 192.168.1.33 and an HTTP (Web) server on 192.168.1.34. Both protocols use TCP; SMTP uses port 25 and HTTP uses port 80, so the rules match TCP packets with destination ports of 25 and 80. The example assumes the mail server does not make outgoing connections and uses another server on the LAN for DNS and mail relaying. Both commands put rules in the PREROUTING chain of the NAT table (-A PREROUTING -t nat):

    # iptables -A PREROUTING -t nat -p tcp --dport 25 -j DNAT --to-destination 192.168.0.33:25
    # iptables -A PREROUTING -t nat -p tcp --dport 80 -j DNAT --to-destination 192.168.0.34:80

To match these rules, the packet must use the TCP protocol (-p tcp) and have a destination port of 25 (first rule, --dport 25) or 80 (second rule, --dport 80). The --to-destination is a target specific to the PREROUTING and OUTPUT chains of the NAT table; it alters the destination address and port of matched packets as specified. As with MASQUERADE and SNAT, subsequent packets in the same and related connections are appropriately altered. The fact that the servers cannot originate connections means that neither server can be exploited to participate in a DDoS attack on systems on the Internet and cannot send private data from the local system back to a malicious user's system.

Summary

The iptables utility is used to set up firewalls that help to prevent unauthorized access to a system or network. An iptables command sets up or maintains in the kernel rules that control the flow of network packets; rules are stored in chains. Each rule has a criteria part and an action part, called a target. When the criteria part matches a network packet, the kernel applies the action from the rule to the packet.

There are three tables that hold chains: Filter, NAT, and Mangle. Filter, the default table, DROPs or ACCEPTs packets based on their content. NAT, the Network Address Translation table, translates the source or destination field of packets. Mangle is used exclusively to alter TOS (Type of Service), TTL (Time To Live), and MARK fields in a packet. The connection tracking machine, handled by the conntrack module, defines rules that match on the state of the connection a packet is part of.

In an emergency you can give the following command to unload all iptables modules from the kernel and set a policy of DROP for all tables.

    # /sbin/service iptables panic
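An added example, not the post's or the book's own code: a Python model of the four-rule router above that traces a LAN client's connection, the reply to it, and an unsolicited packet from the Internet through the FORWARD rules, conntrack state and MASQUERADE (interface names and 10.255.255.255 are the post's; the model is a simplification, TCP only with no port rewriting). It also makes visible what the post's commands leave unset: none of them gives the FORWARD chain a policy, so a new connection from the Internet that reaches the chain is logged but, under the kernel default policy ACCEPT, still forwarded unless `iptables -P FORWARD DROP` is added.

```python
# Added example, not from the post or the book it quotes: a small model of the
# four-rule router above (three FORWARD filter rules plus MASQUERADE) so the
# effect of each rule and of conntrack state can be traced. It is not iptables.
WAN_IF, LAN_IF, WAN_ADDR = "eth0", "eth1", "10.255.255.255"   # post's example

# FORWARD chain in the order the post appends the rules:
# (in_iface, out_iface, required_states, target); None means "no criterion".
FORWARD_RULES = [
    (WAN_IF, LAN_IF, {"ESTABLISHED", "RELATED"}, "ACCEPT"),
    (LAN_IF, WAN_IF, None, "ACCEPT"),
    (None, None, None, "LOG"),                  # LOG is non-terminating
]

def conn_key(pkt):
    """Direction-independent connection identity: the unordered endpoint pair."""
    return frozenset({(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])})

def route(pkt, conntrack, log, policy="ACCEPT"):
    """Pass one packet through the router; return (verdict, packet as sent).
    conntrack maps a connection key to the LAN endpoint MASQUERADE replaced;
    policy models `iptables -P FORWARD ...`, which the post's commands never
    set, so the kernel default ACCEPT applies unless the admin changes it."""
    pkt = dict(pkt)
    # nat PREROUTING: a reply to a masqueraded flow gets its destination
    # restored before routing, so FORWARD already sees the LAN address.
    if pkt["in"] == WAN_IF and conn_key(pkt) in conntrack:
        pkt["dst"], pkt["dport"] = conntrack[conn_key(pkt)]
    key = conn_key(pkt)
    state = "ESTABLISHED" if key in conntrack else "NEW"
    verdict = policy                            # what applies at end of chain
    for in_if, out_if, states, target in FORWARD_RULES:
        if in_if not in (None, pkt["in"]) or out_if not in (None, pkt["out"]):
            continue
        if states is not None and state not in states:
            continue
        if target == "LOG":
            log.append(f"{state} {pkt['in']}->{pkt['out']} {pkt['src']} -> {pkt['dst']}:{pkt['dport']}")
            continue
        verdict = target
        break
    if verdict != "ACCEPT":
        return verdict, None
    # nat POSTROUTING: -o eth0 -j MASQUERADE; the first packet creates the mapping
    if pkt["out"] == WAN_IF:
        if state == "NEW":
            orig = (pkt["src"], pkt["sport"])
            conntrack[key] = conntrack[conn_key(dict(pkt, src=WAN_ADDR))] = orig
        pkt["src"] = WAN_ADDR
    return "ACCEPT", pkt
```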
#8
Wizard Techie, Join Date: Aug 2005, Posts: 4,171

If you want to use OpenBSD 2.9, there is a really great guide on the Internet on setting up a basic router: http://www.homenethelp.com/openbsd/bsd-firewall.asp You can find a ton of information on Google. My 2nd link doesn't seem to work; just do a search for internet connection sharing on linux.