Originally Published: Thursday, 23 November 2000 Author: Chris Campbell
Published to: enhance_articles_sysadmin/Sysadmin

Linux and Windows NT 4.0: Part VII

Whether for Internet connectivity or wide area networking between physical locations, routing has become an invaluable part of networking. Although routers have existed since the original ARPAnet, they have become increasingly common in corporate environments as the 1990s trend of local area networking grew into wide and metropolitan area networks.


Companies such as Cisco, Lucent and Xylan offer router appliances; in fact, Cisco has become one of the world's most valuable companies on the strength of them. Although it is perfectly fine to purchase an appliance for the task, sometimes there just isn't $2000 lying around for a router. So, by choice or for cost, an administrator may use a computer to do the job. To this end, routing has been added to both Windows NT and Linux. Once again there are commercial offerings for this, both as add-in hardware and as software, but we will cover the methods native to the operating systems.

Routing in Windows NT

The first step, on both Windows NT and Linux, is to add a second network interface card. One card is connected to the local area network; the second is connected to the network that the LAN's traffic will be routed to (the upstream link). The internal NIC must have a working address on the LAN, and the external NIC must likewise be working, with an address in the external network's range.

Windows NT can do two kinds of routing, dynamic and static. With dynamic routing the routing table is learned and maintained automatically by a routing protocol (RIP, in NT's case), which reduces administrative work but adds periodic routing-update traffic to the network; and since RIP version 1 has no authentication, any host on the segment that sends updates can alter the table. Static routing is limited to fixed routes entered by hand.

On Windows NT, to add dynamic routing services:

START -> SETTINGS -> CONTROL PANEL -> NETWORK

Click the "SERVICES" tab. Click "Add". Select "RIP for Internet Protocol" from the generated list. Click the "ROUTING" tab. Click "Enable IP Forwarding". After copying files, the installation will continue and reboot.

any additional configuration. If this works, excellent! This has been problematic in my experiences, especially in configurations that have additional routers existing on the network. (It does not update the route table properly sometimes to include the additional network's information.)

On Windows NT, to add static routing services:

START -> SETTINGS -> CONTROL PANEL -> NETWORK

Click the "ROUTING" tab. Click "Enable IP Forwarding". After copying files, the installation will continue and reboot.

To set the routing information, go to the command line. The general form is:

c:\>route [-f] [-p] {add | delete | change} {network address} mask {subnet mask} {gateway}

The -p switch makes the entry persistent (it is stored in the registry and survives a reboot; without it the route is gone after the next restart), and -f flushes the existing gateway entries before the command runs.
So let's add a route to a hypothetical network. To add a persistent route to the 10.10.10.0/24 network through the gateway 10.10.10.122, we would type:

c:\>route -p add 10.10.10.0 mask 255.255.255.0 10.10.10.122

To view the routing table, type:

c:\>route print

To clear all gateway entries from the table, type:

c:\>route -f

The route utility also accepts destination names in place of network addresses. These are resolved from c:\winnt\system32\drivers\etc\networks; to use a name, add a line of the form

{network name} {network address}

to that file.

Two final notes. The gateway given to route must be an address on a network the routing machine is directly attached to: route only records which next hop to hand the packet to, and the machine has to be able to reach that next hop on its own segment. The other item of note is that the route utility will not accept a subnet mask of 255.255.255.255.

Routing in Linux

Like almost any essential task in Linux, there are many ways to set up routing. Here we will briefly cover just one. For the benefit of readers with older distributions, we use commands that work on both newer and older Linux releases. Again, for more advanced tasks, be sure to read the HOWTOs.

Here we will use two commands, route and ifconfig. First bind addresses and subnet masks to the adapters using ifconfig. Give every interface an explicit netmask: without one, ifconfig falls back to the classful default, which for 10.x.x.x is 255.0.0.0, and eth1 would then claim the whole of 10.0.0.0/8, overlapping eth0.

# ifconfig lo 127.0.0.1 netmask 255.0.0.0 broadcast 127.255.255.255 up
# ifconfig eth0 10.10.0.1 netmask 255.255.255.0 up
# ifconfig eth1 10.10.2.1 netmask 255.255.255.0 up

Next, build the routing table by adding the networks and gateways:

# route add -net 127.0.0.0 dev lo
# route add -net 10.10.0.0 netmask 255.255.255.0 dev eth0
# route add -net 10.10.2.0 netmask 255.255.255.0 dev eth1
# route add -net 10.10.3.0 netmask 255.255.255.0 gw 10.10.0.3
# route add default gw 10.10.0.4

The first three entries are the directly connected networks (on 2.2 and later kernels ifconfig installs these itself, and route answers "SIOCADDRT: File exists" if you add them again, which is harmless). The 10.10.3.0/24 entry sends that network to the router at 10.10.0.3, and everything else goes to the default gateway 10.10.0.4. Both gateways sit on the eth0 segment, as they must: the machine has to reach a gateway directly in order to hand packets to it.

The contents of the routing table can be viewed by typing (the -n prints addresses rather than trying to resolve them to names):

# route -n [ed: or "netstat -r"]
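The routing tables built above are consulted by longest prefix match: the most specific entry covering the destination wins, and the default route only applies when nothing narrower does. The following is an added example, not code from the article, written in Python rather than the route commands themselves so it can be run offline. It parses the text that route -n prints on Linux and that route print prints on Windows NT (serving both the NT section above and the Linux commands here), answers which next hop a destination would take, and checks the rule stated in both sections that every gateway must lie on a directly connected network. The Linux table is constructed from the route commands above; the NT table is constructed in the route print layout with hypothetical 192.168.1.x addresses and the earlier 10.10.10.0 example route with its gateway moved onto the local segment.

```python
"""Longest-prefix lookup over a routing table (added example, not from the
article). Parses `route -n` (Linux) or `route print` (Windows NT) output."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed from the article's Linux `route add` lines; not captured output.
LINUX_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.0.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.10.2.0       0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.10.3.0       10.10.0.3       255.255.255.0   UG    0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         10.10.0.4       0.0.0.0         UG    0      0        0 eth0
"""

# Constructed in the NT 4.0 `route print` layout (Destination, Netmask, Gateway,
# Interface, Metric; an on-link route lists the interface's own address as its
# gateway). 192.168.1.x is hypothetical; the 10.10.10.0 entry is the article's
# example route with its gateway placed on the local 192.168.1.0/24 segment.
NT_ROUTE_PRINT = """\
Active Routes:
  Network Address          Netmask  Gateway Address        Interface  Metric
          0.0.0.0          0.0.0.0     192.168.1.254      192.168.1.1       1
        127.0.0.0        255.0.0.0         127.0.0.1        127.0.0.1       1
       10.10.10.0    255.255.255.0     192.168.1.122      192.168.1.1       1
      192.168.1.0    255.255.255.0       192.168.1.1      192.168.1.1       1
"""


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None: directly connected
    iface: str


def parse_route_table(text: str) -> List[Route]:
    """Parse `route -n` (Dest Gateway Genmask ... Iface) or NT `route print`
    (Dest Netmask Gateway Interface Metric) into Route records."""
    linux_order = "Genmask" in text
    routes: List[Route] = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 4 or not all(DOTTED_QUAD.match(c) for c in cols[:3]):
            continue  # header, blank, or otherwise non-route line
        if linux_order:
            dest, gw, mask, iface = cols[0], cols[1], cols[2], cols[-1]
        else:
            dest, mask, gw, iface = cols[0], cols[1], cols[2], cols[3]
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        # 0.0.0.0 (Linux) or the interface's own address (NT) marks on-link.
        gateway = None if gw in ("0.0.0.0", iface) else ipaddress.IPv4Address(gw)
        routes.append(Route(network, gateway, iface))
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Most specific (longest prefix) route covering `destination`; the
    0.0.0.0/0 default only wins when nothing narrower matches."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if addr in r.network]
    return max(candidates, key=lambda r: r.network.prefixlen, default=None)


def next_hop(routes: List[Route], destination: str) -> Optional[str]:
    """'direct' when the destination is on a connected network, the gateway
    address otherwise, None when no route (not even a default) exists."""
    route = lookup(routes, destination)
    if route is None:
        return None
    return "direct" if route.gateway is None else str(route.gateway)


def unreachable_gateways(routes: List[Route]) -> List[str]:
    """Gateways that are not inside any directly connected network. The host
    must ARP for its next hop on a local segment, so such routes cannot work."""
    connected = [r.network for r in routes if r.gateway is None]
    return [str(r.gateway) for r in routes
            if r.gateway is not None
            and not any(r.gateway in net for net in connected)]


if __name__ == "__main__":
    table = parse_route_table(LINUX_ROUTE_N)
    for dst in ("10.10.2.9", "10.10.3.7", "10.10.5.1"):
        print(dst, "->", next_hop(table, dst))
    print("unreachable gateways:", unreachable_gateways(table))
```

Run against real output with python3 lookup.py after pasting in a captured table, or feed it route -n output directly; the unreachable_gateways check is the one worth adding to any change script, since a gateway outside every connected network is accepted by route but silently delivers nothing.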

Some distributions run the routed daemon; on those, gateways that routed should know about also have to be listed in /etc/gateways, where the daemon reads them at start-up.

Note too that the commands above only populate the routing table. The kernel forwards packets between eth0 and eth1 only if IP forwarding is switched on (a kernel build option on 2.0 kernels, and the /proc/sys/net/ipv4/ip_forward switch on 2.2 and later). It is crucial to read the documentation on all of this, as the networks, subnets and IP information will differ, sometimes drastically, depending on your local network settings.

Firewalls

The concept of a firewall has become very popular as paranoia about would-be crackers and "script kiddies" has spread through the social consciousness. Not that this paranoia is totally unwarranted; there seems to be an increasing number of occurrences where systems have been compromised or denied service by ego-fueled kids who think they are 'h4x0r5' because they can execute someone else's code or run well-known exploits. There are also cases of systems compromised for more menacing motives such as greed, but those are quite a bit less common. So until Emmanuel Goldstein realizes that there's no point to the club since Signaling System 7 and sends the kiddies back home to grow up, firewalls are a necessity.

Setting Firewall restrictions in Windows NT:

On Windows NT, to add firewall services:

START -> SETTINGS -> CONTROL PANEL -> NETWORK

Click the "PROTOCOLS" tab. Select "TCP/IP Protocol" and click "Properties". Next, click the "Advanced" button, check "Enable Security" and click the "Configure" button beneath it. Here Windows NT lets you specify, per adapter, which TCP ports, UDP ports and IP protocols are permitted: each of the three can be set to "Permit All" or "Permit Only" with an explicit list, and anything not listed is dropped. If routing has been configured, the external adapter can be given a tight list while the internal adapter is left more open. Note that this filter applies to inbound traffic addressed to the server; it does not restrict what the server itself sends. A list of port numbers and their services is found in c:\winnt\system32\drivers\etc\services.

Microsoft does offer a much easier interface for blocking ports, as well as IP addresses and networks with their Back Office Proxy Server. We will cover Proxy server in a future segment, when we begin to move into the Back Office Suite.

As with the routing under Linux, there are multiple ways to do firewall restrictions:

To restrict by IP address or network, edit /etc/hosts.deny to list the hosts to be denied; everything not listed is still allowed. A more secure method is to deny everyone in /etc/hosts.deny and list in /etc/hosts.allow *only* the machines that should have access (hosts.allow is consulted first, then hosts.deny, and a host matched by neither is allowed). The latter would not be good for public Internet servers, as it is overly exclusive. Bear in mind that these two files belong to TCP wrappers: they only cover services started through tcpd from inetd, or daemons linked against libwrap, and they are not a packet filter.

Firewall rules may be set as port-specific rules using the ipfwadm command, which belongs to the 2.0 kernels; ipchains replaced it in 2.2, and its use is now encouraged over ipfwadm. To satisfy the old-school types, we cover ipfwadm here, and Sysadmin's own Bradley Marshall has written an excellent piece on ipchains, which can be found here

Specifying an ideal firewall rule set here would be a little lengthy (and not everyone's needs are the same). Instead we will set the firewall so that we can browse the Web (port 80) going out, but will refuse any Web requests coming in. (If nothing is listening on the port, whether because it is not configured in inetd or no daemon is running, the request fails anyway, but the packet still reaches the host and is answered with a reset. A firewall rule drops it before that. An entry in /etc/services, by the way, only maps a name to a number; it does not open or close anything.)

# ipfwadm -O -a accept -P tcp -S 10.10.10.0/24 -D 0/0 80
# ipfwadm -O -a deny -P tcp -S 10.10.10.0/24 -D 0/0
The first rule accepts TCP traffic from the 10.10.10.0/24 subnet to port 80 on any destination; the second denies all other TCP traffic from that subnet. Because the accept rule for port 80 is listed before the deny rule, ipfwadm matches it first and lets the packet through, whereas traffic to any other port does not match the first rule, falls through to the second, and is denied. Reverse the order and the deny rule matches everything, port 80 included, so order matters.

Also note that both rules sit on the output chain (-O), so they only limit what leaves, and -P tcp restricts them to TCP, leaving UDP and ICMP at the chain's default policy. As written they do nothing about Web requests coming in from outside: refusing those needs a corresponding deny rule on the input chain (-I).
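To make the first-match behaviour concrete, here is an added example, not code from the article, that simulates ipfwadm's rule evaluation in Python: each chain is searched top to bottom and the first matching rule decides. The output rules are the two from the article; the input-chain rule is my assumption of what refusing incoming Web requests requires; and the packets are constructed (192.0.2.0/24 is a documentation range), not captured traffic. It shows the article's rules accepting outbound HTTP and denying outbound SMTP, the same rules denying HTTP when their order is reversed, and, as a caveat, that the two output rules alone let an inbound Web request through until the input rule is added.

```python
"""First-match packet filtering as ipfwadm applies it (added example, not the
article's code). Rules are checked top to bottom within a chain."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    chain: str                   # "input" (-I) or "output" (-O)
    policy: str                  # "accept" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "all"
    src: ipaddress.IPv4Network   # -S address/mask
    dst: ipaddress.IPv4Network   # -D address/mask
    dport: Optional[int] = None  # port after -D; None matches any port


@dataclass(frozen=True)
class Packet:
    chain: str   # chain the packet is traversing
    proto: str
    src: str
    dst: str
    dport: int


def rule(chain: str, policy: str, proto: str, src: str, dst: str,
         dport: Optional[int] = None) -> Rule:
    """Build a Rule from ipfwadm-style arguments (ipfwadm's 0/0 is 0.0.0.0/0)."""
    return Rule(chain, policy, proto, ipaddress.IPv4Network(src),
                ipaddress.IPv4Network(dst), dport)


def matches(r: Rule, p: Packet) -> bool:
    return (r.chain == p.chain
            and r.proto in ("all", p.proto)
            and ipaddress.IPv4Address(p.src) in r.src
            and ipaddress.IPv4Address(p.dst) in r.dst
            and (r.dport is None or r.dport == p.dport))


def verdict(rules: List[Rule], p: Packet, default: str = "accept") -> str:
    """First matching rule in the packet's chain wins; otherwise the chain's
    default policy applies (accept unless changed with ipfwadm -p)."""
    for r in rules:
        if matches(r, p):
            return r.policy
    return default


# The article's rules:
#   ipfwadm -O -a accept -P tcp -S 10.10.10.0/24 -D 0/0 80
#   ipfwadm -O -a deny   -P tcp -S 10.10.10.0/24 -D 0/0
ARTICLE_RULES = [
    rule("output", "accept", "tcp", "10.10.10.0/24", "0.0.0.0/0", 80),
    rule("output", "deny", "tcp", "10.10.10.0/24", "0.0.0.0/0"),
]

# Assumed addition (not in the article), the input-chain counterpart:
#   ipfwadm -I -a deny -P tcp -S 0/0 -D 10.10.10.0/24 80
INBOUND_WEB_DENY = rule("input", "deny", "tcp", "0.0.0.0/0", "10.10.10.0/24", 80)

# Constructed packets: a LAN host browsing out, the same host trying SMTP and
# DNS out, an outside host connecting to a LAN web server, and the reply that
# the browse above gets back (source port 80, destination an ephemeral port).
OUT_HTTP = Packet("output", "tcp", "10.10.10.5", "192.0.2.10", 80)
OUT_SMTP = Packet("output", "tcp", "10.10.10.5", "192.0.2.10", 25)
OUT_DNS = Packet("output", "udp", "10.10.10.5", "192.0.2.53", 53)
IN_WEB_REQUEST = Packet("input", "tcp", "192.0.2.10", "10.10.10.5", 80)
IN_WEB_REPLY = Packet("input", "tcp", "192.0.2.10", "10.10.10.5", 40000)


def report(rules: List[Rule]) -> Dict[str, str]:
    """Verdict for each constructed packet under the given rule list."""
    packets = {"out_http": OUT_HTTP, "out_smtp": OUT_SMTP, "out_dns": OUT_DNS,
               "in_web_request": IN_WEB_REQUEST, "in_web_reply": IN_WEB_REPLY}
    return {name: verdict(rules, p) for name, p in packets.items()}


if __name__ == "__main__":
    print("article's rules:      ", report(ARTICLE_RULES))
    print("rules reversed:       ", report(list(reversed(ARTICLE_RULES))))
    print("with input-chain deny:", report([INBOUND_WEB_DENY] + ARTICLE_RULES))
```

Two things the output makes visible that the rule listing does not: the UDP packet is accepted by the article's rules because -P tcp never matches it, so a catch-all deny needs a rule per protocol (or -P all); and the reply to an outbound browse is accepted even with the input-chain deny in place, since its destination port is the client's ephemeral port, not 80, which is what lets the "browse out, refuse in" policy work without connection tracking.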

As with Windows NT, restricting access can be done easier typically with proxy servers, both commercial and non-commercial, and we will cover this in a coming series on more advanced NT to Linux subjects as we move into the Microsoft Back Office Suite.

Again, checking the man pages and documentation is a must before attempting any of this. Even experimental configurations can wreak havoc on a network. Good documentation of tests and changes is not only proper system administration practice but an invaluable asset when problems arise. Network security is not something to be approximate about; it must be exact and done properly to be anything other than detrimental. Research and planning are the key to a secure environment. And routing and firewalls only address external intruders: against the possibly dangerous elements within your organization, good hiring practices are the only thing that can protect you.

Linux and Windows NT 4.0: Basic Administration - Part I

Linux and Windows NT 4.0: Basic Administration - Part II

Linux and Windows NT 4.0: Basic Administration - Part III

Linux and Windows NT 4.0: Basic Administration - Part IV

Linux and Windows NT 4.0: Basic Administration - Part V

Linux and Windows NT 4.0: Basic Administration - Part VI




