morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest

Computer Science Networking

Tue Apr 16, 2013 3:11 pm

Hi all,

I'm putting together a kind of general purpose network within my school for teaching computer science.
The network will have a few servers for things like ...
1) DNS, DHCP, an internet gateway etc.
2) A few LTSP servers

Internet will be provided by the school's LAN, however, the computing network needs to be isolated to protect the school network.
What would be the most sensible order to set this up? I imagine ...

1) An old PC with two network cards to be a router between the school LAN and the computing LAN.
2) One or more machines to provide services such as DNS, mail, DHCP, Samba or Kerberos, LDAP.
3) Some higher spec machines to act as LTSP servers.

Is that a sensible course of action?
Thanks

FTrevorGowen
Forum Moderator
Posts: 5052
Joined: Mon Mar 04, 2013 6:12 pm
Location: Bristol, U.K.

Re: Computer Science Networking

Tue Apr 16, 2013 9:04 pm

morphy_richards wrote: ...
1) An old PC with two network cards to be a router between the school LAN and the computing LAN.
2) One or more machines to provide services such as DNS, mail, DHCP, Samba or Kerberos, LDAP.
3) Some higher spec machines to act as LTSP servers.
...
W.r.t. 1) - FWIW, some years ago (before I acquired my first wireless router) I installed Smoothwall Linux on a similar setup to act as the household's main firewall & router which, IIRC, ran pretty much 24/7 w/o problems. It seems to be still available as "Smoothwall Express".
Trev.
Still running Raspbian Jessie on some older Pi's (an A, B1, B2, B+, P2B, 3xP0, P0W) but Stretch on my 2xP3A+, P3B+, P3B, B+, A+ and a B2. See: https://www.cpmspectrepi.uk/raspberry_pi/raspiidx.htm

rpdom
Posts: 15004
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: Computer Science Networking

Wed Apr 17, 2013 6:49 am

morphy_richards wrote:Internet will be provided by the school's LAN, however, the computing network needs to be isolated to protect the school network.
What would be the most sensible order to set this up? I imagine ...

1) An old PC with two network cards to be a router between the school LAN and the computing LAN.
2) One or more machines to provide services such as DNS, mail, DHCP, Samba or Kerberos, LDAP.
3) Some higher spec machines to act as LTSP servers.

Is that a sensible course of action?
I used to use an old PC with Smoothwall Express, like Trevor mentioned, but the current version won't run on that system since they dropped support for some earlier CPUs.

I replaced it with a cheap wireless router (although I turned the wireless off, as I don't use that). It handles NAT, DNS, DHCP and uses a lot less power than an old PC.

I also have an old laptop running Debian. I disabled DNS and DHCP on the router and installed dnsmasq on the laptop instead. It's a lot more flexible and I can manage my home network addresses through it (as well as being able to trap certain advertising sites and direct them to a dummy local webserver). It also runs Samba for my wife's Windows laptop, CUPS for printing, Apache2 for web stuff, MySQL and several NFS shares. Not bad for a slow old machine :) (Celeron 500MHz, 384MB)

morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest

Re: Computer Science Networking

Tue Apr 23, 2013 2:48 pm

Currently I'm playing with ipkungfu
http://packages.debian.org/unstable/net/ipkungfu

It seems (like it should be) great!

It creates an iptables based firewall and router and creates internet connection sharing

I installed Debian on a PC with 2 NICs
One NIC to School Network
One to Computing.LAN

Next ...

apt-get install ipkungfu

Make a few changes to config files
Allow ip addresses of known hosts on the Computing.LAN network

Try to browse the web on a machine on the LAN
No joy
:x Aaargh

ping the router/firewall from the machine on the LAN - no problem
ping the machine on the LAN from the router - no problem
:?

morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest

Re: Computer Science Networking

Wed Apr 24, 2013 1:28 pm

I've finally got some of this working.
I probably had it (almost) working several times in different implementations and thrown it away and started from scratch over and over again.

My problem was, and still kind of is, DNS.

I'm now using ClearOS (which is a stripped-down Linux, based on Fedora I think, specifically configured for routing and firewalls).

Now I currently have it set up so that it has created a firewall/router between eth0 ("computing.lan") and eth1 (school network and internet).
My problem was with DNS. It's now set up so that the DNS used by my computing LAN is the same as that the school network uses to resolve websites such as Google.

This works for allowing machines on my network to resolve domains outside of my network however ...

I foresee problems in the future when little Bobby and his class try to make a webserver on a Raspberry Pi and plug it into the computing.lan.
The school's DNS on 10.x.y.z doesn't know anything at all about bobbys_server.computing.lan and so that's not going to work when we try
http://bobbys_server.computing.lan/best_pets.html (or whatever)

Should / could I configure a raspberry pi to act as an internal DNS? Given the inordinate amount of time it's taken me to get this far, are there any helpful hints and tips from anyone on how best I could go about this?

Also - I suspect my firewall is probably configured to prevent attacks from the "outside" to the "inside" but as the "outside" in this case is a school network and the "inside" is a kind of sandbox populated by wannabe crackers - what extra steps should I take to protect the school network?

(Note to self - remember to uninstall network-manager and add a dns-nameservers x.x.x.x stanza to the /etc/network/interfaces file on each Edubuntu LTSP server)

rpdom
Posts: 15004
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: Computer Science Networking

Wed Apr 24, 2013 2:12 pm

This is the sort of thing that dnsmasq is good at.

You set it up as the DHCP/DNS server for your local subnet. Add your local machine names to /etc/hosts on the machine it is running on. When someone queries a hostname, it will first check its local cache, then the local /etc/hosts, then the external DNS server.

So, if you put bobbys_server.computing.lan in its /etc/hosts as 10.x.y.z, that is what it will return to the querying machine.

(I also use it to trap certain "dodgy" websites, by putting them in /etc/hosts as the address of a local web server, so it just returns a 404)

morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest

Re: Computer Science Networking

Thu Apr 25, 2013 9:40 am

might need to do all this
https://help.ubuntu.com/community/UbuntuLTSP/ProxyDHCP
when configuring an Edubuntu LTSP server to make a separate subnet for thin clients on a second NIC. Experimenting.

Would be nice to have each room work as a separate subnet but might be problematic.

morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest

Re: Computer Science Networking

Thu Apr 25, 2013 10:35 am

morphy_richards wrote:might need to do all this
https://help.ubuntu.com/community/UbuntuLTSP/ProxyDHCP
when configuring an Edubuntu LTSP server to make a separate subnet for thin clients on a second NIC. Experimenting.

Would be nice to have each room work as a separate subnet but might be problematic.
That made bad things happen ...

By the way, what's a good name for a DNS server?

e.g. I named my gateway collossus (after the Colossus of Rhodes, who stood over the harbour entrance to Rhodes).
But what would you call something that names things?

morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest

Re: Computer Science Networking

Thu Apr 25, 2013 12:21 pm

morphy_richards wrote:
By the way, what's a good name for a DNS server?
Lexicon?

morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest

Re: Computer Science Networking

Thu Apr 25, 2013 2:46 pm

rpdom wrote:This is the sort of thing that dnsmasq is good at.

I just did a simple dnsmasq install on a Raspberry Pi running Raspbian, added hosts as you described, tried pinging the two servers I currently have and then did

ssh pi@lexicon

from an LTSP thin client running on a separate subnet in my classroom, used it to update the /etc/hosts file to contain a few more addresses and then rebooted.

Very exciting!

edit - still not convinced that lexicon is the best name for a DNS server, nevertheless ...

Next ... configuring dhcp!

morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest

Re: Computer Science Networking

Fri Apr 26, 2013 8:22 am

Using this as a tutorial to configure dnsmasq as a DHCP server.
http://www.techrepublic.com/blog/openso ... rvices/293

aTao
Posts: 1087
Joined: Wed Dec 12, 2012 10:41 am
Location: Howlin Eigg

Re: Computer Science Networking

Fri Apr 26, 2013 8:28 am

morphy_richards wrote: edit - still not convinced that lexicon is the best name for a dns server, nevertheless ...
oneoneeight?
>)))'><'(((<

morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest

Re: Computer Science Networking

Fri Apr 26, 2013 9:06 am

aTao wrote: oneoneeight?
hmmm...

Irritatingly my ClearOS router seems to have blown up overnight.

dmar: IOMMU: failed to map dmar0.

morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest

Re: Computer Science Networking

Fri Apr 26, 2013 11:11 am

Rebuilt the thing...

Ran into another issue. Silly me ... if you make a router/gateway/firewall (for example ClearOS in gateway mode) it includes DHCP.

If you set up DHCP somewhere else (like on my "lexicon" Raspberry Pi based DNS), bad things happen.

...although I'm not convinced the DHCP that's built into the ClearOS router works very well :? Need to do more fiddling.

morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest

Re: Computer Science Networking

Fri Apr 26, 2013 2:08 pm

I changed the DHCP server built into ClearOS to be non-authoritative (can't see how to actually switch it off).
Have enabled the DHCP part of dnsmasq and configured settings in /etc/dnsmasq.conf.

I would expect to be able to plug a laptop into my main network now and for it to pick up settings if its network manager is set to DHCP; then it would just ... work.

However, in order to get a new machine such as an iBook to connect to the web via my network I still have to manually
assign an IP address, netmask, gateway and DNS nameservers.

Assigning an external DNS nameserver in particular is crucial to browsing web pages, and my internal DNS server for resolving internal machine names... but why is DHCP not doing this? :?

Anyway, now creating a new Ubuntu server "athena". This will be the SSO and file server. I intend to use this guide
Apparently I need to create a Network Time Protocol (NTP) server.

rpdom
Posts: 15004
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: Computer Science Networking

Fri Apr 26, 2013 2:34 pm

I put my dnsmasq config in /etc/dnsmasq.d/local as that saves me having to modify the default config file.

The relevant bits of that file are:

# Local Configuration file for dnsmasq.
#
# See /etc/dnsmasq.conf for details on what these options do

no-resolv
server=ip_of_external_DNS_1
server=ip_of_external_DNS_2

local=/internal_domain_name/

expand-hosts

domain=internal_domain_name

dhcp-range=192.168.1.200,192.168.1.219,1h

dhcp-host=raspi
dhcp-host=raspi2
dhcp-host=raspi3
#(and so on)

dhcp-option=option:router,192.168.1.1
# 0.0.0.0 is replaced by this machine's own address, so DHCP clients are told
# that this server is their NTP server (dnsmasq advertises itself as the DNS server automatically)
dhcp-option=option:ntp-server,0.0.0.0

dhcp-authoritative

In my /etc/ntp.conf I have uncommented the line

broadcast 192.168.1.255

to allow this machine to be an NTP server for the local subnet.

morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest

Re: Computer Science Networking

Fri Apr 26, 2013 3:02 pm

Thanks...

On my Raspberry Pi I have just made the following /etc/dnsmasq.d/local.
Now testing .....

# Local Configuration file for dnsmasq.
#
# See /etc/dnsmasq.conf for details on what these options do

no-resolv
server=10.192.160.10
#server=ip_of_external_DNS_2

local=/internal_domain_name/

expand-hosts

domain=internal_domain_name

dhcp-range=192.168.0.50,192.168.0.219,1h

dhcp-host=lexicon
#(and so on)

dhcp-option=option:router,192.168.0.2
# 0.0.0.0 is replaced by this machine's own address, so DHCP clients are told
# that this server is their NTP server (dnsmasq advertises itself as the DNS server automatically)
dhcp-option=option:ntp-server,0.0.0.0

dhcp-authoritative

morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest

Re: Computer Science Networking

Fri Apr 26, 2013 3:21 pm

That almost worked perfectly. On the iBook with DHCP it picks up an IP address, subnet mask, search domain and DNS server but no router (gateway) :?

Should I delete my /etc/resolv.conf file if I am adding settings in /etc/dnsmasq.d/local?

Some great news though ...


athena_admin@athena:~$ nslookup athena
Server:		127.0.0.1
Address:	127.0.0.1#53

Name:	athena
Address: 192.168.0.4

athena_admin@athena:~$ nslookup 192.168.0.4
Server:		127.0.0.1
Address:	127.0.0.1#53

4.0.168.192.in-addr.arpa	name = athena.computing.lan.

athena_admin@athena:~$

Only a blimmin Fully Qualified Domain Name that is both forward- and reverse-resolvable! Ay? Ay? ;) 8-)

That certainly wasn't working before your help :)

(ps. still need to make an NTP server somewhere on the network)

morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest

Re: Computer Science Networking

Fri Apr 26, 2013 3:29 pm

A random afterthought...

I've configured the LTSP server "lovelace" with 2 network interfaces. eth0 goes to the subnet for all the berryterminals for that room (192.168.1.x) whereas eth1 goes to the main computing.lan (192.168.0.x)...

If I configure lovelace so that it uses athena as a Kerberos server for login authentication, will there be an issue with logging in users as the berryterminals are all on a different subnet?

morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest

Re: Computer Science Networking

Mon Apr 29, 2013 10:31 am

For NTP I am going to use my Ubuntu "Athena" server.

sudo apt-get install ntp

configure /etc/ntp.conf as rpdom suggests further back

broadcast 192.168.0.255

Configuring my "lexicon" Raspberry Pi based DNS server to use athena for NTP ...
configure /etc/ntp.conf
uncomment the lines

disable auth
broadcastclient

Now, do the same on "lovelace", my LTSP server

sudo apt-get install ntp
configure /etc/ntp.conf
uncomment the lines

disable auth
broadcastclient

repeat for all servers.

morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest

Re: Computer Science Networking

Mon Apr 29, 2013 10:54 am

Weirdly, on my Raspberry Pi it's never had the correct date/time.

e.g. doing this now (11:47 on Mon 29th April):

lexicon_admin@lexicon ~ $ date
Wed Feb 13 01:56:12 UTC 2013
lexicon_admin@lexicon ~ $

My Pi has an active internet connection (e.g. pinging Google works) and additionally I've told it to use athena as the NTP server.

Setting it manually with
sudo date -s "29 APR 2013 11:50:00"
and then
sudo shutdown -r now

lexicon_admin@lexicon ~ $ date
Mon Apr 29 11:53:46 UTC 2013
lexicon_admin@lexicon ~ $

That's better. :?

morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest

Re: Computer Science Networking

Mon Apr 29, 2013 11:14 am

Okay, what's going on :evil:

athena_admin@athena:~$ ping lovelace
PING lovelace (192.168.0.10) 56(84) bytes of data.
64 bytes from lovelace.computing.lan (192.168.0.10): icmp_req=1 ttl=64 time=0.192 ms

It's there, but if I try to ssh to the server with the whole network address included I get ...

ssh lovelace_admin@lovelace.computing.lan
ssh: Could not resolve hostname lovelace.computing.lan: Name or service not known

However, ssh into just the hostname works ...

ssh lovelace_admin@lovelace
lovelace_admin@lovelace's password:

nslookup says it's fine too...

nslookup lovelace.computing.lan
Server:		127.0.0.1
Address:	127.0.0.1#53

Name:	lovelace.computing.lan
Address: 192.168.0.10

morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest

Re: Computer Science Networking

Mon Apr 29, 2013 11:38 am

I don't understand.

If I add ...

192.168.0.10 lovelace

... to the local /etc/hosts file on lovelace, then I am able to ssh into lovelace.computing.lan; otherwise only ssh lovelace works from another host.

I haven't had to do this for the other servers though. For example ssh pi.lexicon.computing.lan works fine!

But everything else (ping, nslookup) resolves it as I would expect. :?

morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest

Re: Computer Science Networking

Mon Apr 29, 2013 1:02 pm

I've now modified my hosts file on my dnsmasq server by adding .computing.lan and then the hostname only as an alias.

#127.0.1.1      lexicon.computing.lan   lexicon
192.168.0.2     collossus.computing.lan collossus
192.168.0.3     lexicon.computing.lan   lexicon
192.168.0.4     athena.computing.lan    athena
192.168.0.10    lovelace.computing.lan  lovelace

However, I thought the lines below in dnsmasq.conf would do this:

# Set the domain for dnsmasq. This is optional, but if it is set, it
# does the following things.
# 1) Allows DHCP hosts to have fully qualified domain names, as long
#    as the domain part matches this setting.
# 2) Sets the "domain" DHCP option thereby potentially setting the
#    domain of all systems configured by DHCP
# 3) Provides the domain part for "expand-hosts"
domain=computing.lan
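An offline model of the lookup order rpdom described earlier (cache, then /etc/hosts, then the external server) combined with the options in the posted /etc/dnsmasq.d/local and this hosts file: expand-hosts, domain=, local=/computing.lan/ and no-resolv with server=. This is an added example written for this thread, not dnsmasq's own code; the hosts file is constructed from the entries above and the upstream address is the one posted earlier. It shows why both the short name and the FQDN resolve, why the reverse lookup returns the FQDN, and that a query for an unknown name under computing.lan gets NXDOMAIN locally instead of being forwarded to the school's DNS.

```python
"""Offline model of dnsmasq's answer for the options used in this thread.
Added example, not dnsmasq code; the hosts file below is constructed."""
import ipaddress

# Constructed /etc/hosts in the "FQDN then short alias" form used in the thread.
HOSTS_FILE = """\
127.0.0.1       localhost
#127.0.1.1      lexicon.computing.lan   lexicon
192.168.0.2     collossus.computing.lan collossus
192.168.0.3     lexicon.computing.lan   lexicon
192.168.0.4     athena.computing.lan    athena
192.168.0.10    lovelace.computing.lan  lovelace
"""

# Options from /etc/dnsmasq.d/local; the upstream is the address posted in the thread.
CONF = {"domain": "computing.lan", "expand-hosts": True,
        "local": ["computing.lan"], "server": ["10.192.160.10"]}


def parse_hosts(text):
    """Return [(ip, [names...]), ...], skipping comments and blank lines."""
    records = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            records.append((fields[0], [n.lower() for n in fields[1:]]))
    return records


def forward_table(records, conf):
    """name -> ip. With expand-hosts a bare name also answers as name.domain."""
    table = {}
    for ip, names in records:
        for n in names:
            table.setdefault(n, ip)
            if conf["expand-hosts"] and "." not in n:
                table.setdefault(f"{n}.{conf['domain']}", ip)
    return table


def resolve(name, records, conf):
    """Forward lookup (cache step omitted): /etc/hosts first, then decide
    whether the query is allowed to leave the network at all."""
    name = name.lower().rstrip(".")
    table = forward_table(records, conf)
    if name in table:
        return ("local", table[name])
    # local=/computing.lan/: names under the internal domain are answered here
    # (NXDOMAIN if unknown) and never forwarded, so the school's DNS never
    # sees internal hostnames.
    for dom in conf["local"]:
        if name == dom or name.endswith("." + dom):
            return ("nxdomain", None)
    return ("forward", conf["server"][0])   # no-resolv: only server= upstreams


def reverse(ip, records, conf):
    """PTR lookup: first name listed for the address, qualified via expand-hosts."""
    ptr = ipaddress.ip_address(ip).reverse_pointer   # e.g. 4.0.168.192.in-addr.arpa
    for rec_ip, names in records:
        if rec_ip == ip:
            name = names[0]
            if conf["expand-hosts"] and "." not in name:
                name = f"{name}.{conf['domain']}"
            return (ptr, name)
    return (ptr, None)


RECORDS = parse_hosts(HOSTS_FILE)
```

The real dnsmasq also answers from its cache before consulting /etc/hosts; that step is left out here because it does not change which names are answered locally.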

morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest

Re: Computer Science Networking

Mon Apr 29, 2013 1:56 pm

Now trying to set up Kerberos for SSO!

This guide is rubbish (https://help.ubuntu.com/community/Kerberos) [edit - no I take that back, it's me who is rubbish]

It says you need to
$ sudo apt-get install krb5-kdc krb5-admin-server
$ sudo dpkg-reconfigure krb5-kdc
However, before you do $ sudo dpkg-reconfigure krb5-kdc
I think you need to do
$ sudo krb5_newrealm

...hmmm .... okkaayyy.... so I've done that ...
Principals are entries in the Kerberos database that represent users or services on the network.
Okay. So it's a user that can use the SSO.
Now that your realm is set up you may wish to create an administrative principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that you can use the kadmin program on other computers.
Having a look at /etc/krb5kdc/kadm5.acl ... error opening file :shock:

Well, I'll try : "using the addprinc subcommand of the kadmin.local program"
$ kadmin.local
Authenticating as principal athena_admin/admin@COMPUTING.LAN with password.
kadmin.local: Permission denied while initializing kadmin.local interface
:shock: :o

What gave me the idea this would be easy?
