Originally Published: Sunday, 10 October 1999 Author: Brad Marshall
Published to: enchance_articles_security/Advanced Security Articles

October 10 - 16
Basic Intranet Configuration
by Brad Marshall


Basic Network Configuration for an Intranet

This article follows on from my previous article which introduced basic concepts for an intranet, and services that you can run. This article will cover basic network configuration, both for the client and the router, and touch on some fundamental services that you should run.

The first choice that must be made is what IP range to use - as mentioned in the last article, you should choose one of the private address ranges reserved by RFC 1918. A good choice for a basic intranet is as follows:

    IP address: 192.168.x.y      # where 1 <= y <= 254
    Broadcast:  192.168.x.255
    Network:    192.168.x.0
    Netmask:    255.255.255.0
Securing the router is very important - see the articles by David Jericho and Jim Hewlett on post-installation security; these are a good starting point for any Linux box. A good rule to follow is: if you don't need a service, turn it off.

Configuring PPP is best done by some of the ready made packages available - under Debian, pppconfig seems to be pretty reasonable. Other packages that do a similar job (some graphical, some text) are available from Freshmeat.net. See the ISP-Hookup-HOWTO for more details on this.

One of the more popular ways of connecting an intranet to the Internet is using IP masquerading. To enable this, first you need to recompile your kernel with the following options (I'm using kernel 2.2 for this) - see the Kernel-HOWTO for more details on compiling your kernel.

    Code maturity level options
      Prompt for development and/or incomplete code/drivers
    Network firewalls
    IP: firewalling
    IP: always defragment (required for masquerading)
    IP: masquerading
    IP: ICMP masquerading
    IP: masquerading special modules support
There are many other options that you can compile in, such as quality of service, various firewalling options and advanced routing functionality, but none of these are required for simple IP masquerading.

To enable basic IP masquerading, simply run the following commands:

    # Enable forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Flush the forwarding rules
    /sbin/ipchains -F forward
    # Set the default policy for forwarding to deny
    /sbin/ipchains -P forward DENY
    # Enable ip masq for your local subnet to anywhere
    /sbin/ipchains -A forward -j MASQ -s 192.168.x.0/24 -d 0.0.0.0/0
This enables IP masquerading for your local subnet to any destination. You can easily restrict the access people have by modifying these rules - see Jason Tackaberry's article on firewalls for more details. There are IP masq modules you need to load to enable certain protocols, such as CUSEEME, Real Audio, Quake and a few others - see /lib/modules/`uname -r`/ipv4/ for the actual modules.

The next service to set up is DNS - the most common program used for this is ISC's BIND. To install it, either download a package for your distribution or compile it from source. After installing it, you need to set up a domain for your intranet - we'll be using .intranet as an example domain, and assuming you are using 192.168.1.0. What we'll be doing is setting up your router as the primary DNS server for both .intranet and 1.168.192.in-addr.arpa (the reverse entries for 192.168.1), and restricting access to it to the local intranet. To do this, add the following lines to your /etc/named.conf (this assumes you are using the current version of BIND, 8.2):

    acl localhosts { 192.168.1.0/24; };

    zone "intranet" {
        type master;
        file "named.intranet";
        allow-query { localhosts; };
    };

    zone "1.168.192.in-addr.arpa" {
        type master;
        file "named.192.168.1";
        allow-query { localhosts; };
    };

After adding these lines to named.conf, create the following files in /var/named: named.intranet
        ;
        ; BIND data file for .intranet
        ;
        @       IN      SOA     intranet. root.router.intranet. (
                    YYYYMMDDxx         ; Serial
                        604800         ; Refresh
                         86400         ; Retry
                       2419200         ; Expire
                        604800 )       ; Default TTL
        ;
                IN      NS      router.intranet.
                IN      A       192.168.1.1
        router  IN      A       192.168.1.1
        foo     IN      A       192.168.1.10

and then named.192.168.1
        ;
        ; BIND reverse data file for 192.168.1.0
        ;
        @       IN      SOA     intranet. root.router.intranet. (
                    YYYYMMDDxx         ; Serial
                        604800         ; Refresh
                         86400         ; Retry
                       2419200         ; Expire
                        604800 )       ; Default TTL
        ;
        @       NS      router.intranet.
        1       PTR     router.intranet.
        10      PTR     foo.intranet.
As you can see, the format is pretty straightforward, but there are a couple of things to be aware of. It is important to update the serial number after every change, before restarting the daemon. A common format to use (YYYYMMDDxx) is given in the example - it is useful in that you can easily tell when a zone was last updated. The other important thing to notice is the "." at the end of the hostnames - this marks the hostname as fully qualified (absolute). If you leave the "." off, bind assumes you are referring to a host in the current domain and appends the domain - this leads to the common situation of router.intranet.intranet, a doubling up of the domain name. For further information on this, see the DNS-HOWTO.
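As an added illustration (not part of the original article), the following Python script handles the two pitfalls just described: it bumps a YYYYMMDDxx serial correctly and flags NS/CNAME/PTR targets that lack the trailing dot, and it also warns about A records outside the 192.168.1.0/24 intranet. The zone snippet, the function names and the origin/subnet defaults are constructed for this example.

```python
import datetime
import ipaddress

# Constructed zone snippet in the format of the article's named.intranet (not the
# original file): 'bar' lacks the trailing dot, so bind would append the origin.
ZONE = """\
@       IN      NS      router.intranet.
        IN      A       192.168.1.1
router  IN      A       192.168.1.1
foo     IN      A       192.168.1.10
bar     IN      CNAME   router.intranet
ext     IN      A       203.0.113.5
"""

def next_serial(current, today):
    """Bump a YYYYMMDDxx serial: same day -> xx + 1, later day -> today's 01."""
    prefix = int(today.strftime("%Y%m%d")) * 100
    if current >= prefix + 99:
        raise ValueError("serial exhausted for today; xx cannot exceed 99")
    return current + 1 if current >= prefix else prefix + 1

def check_zone(zone, origin="intranet.", subnet="192.168.1.0/24"):
    """Return warnings for unqualified targets and addresses outside the intranet."""
    net = ipaddress.ip_network(subnet)
    problems, last_owner = [], "@"
    for line in zone.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue
        if line[0].isspace():           # blank owner column: inherit previous owner
            fields.insert(0, last_owner)
        last_owner = fields[0]
        if len(fields) > 1 and fields[1] == "IN":
            del fields[1]               # class is optional (see the reverse file)
        if len(fields) < 3:
            continue                    # SOA continuation lines, closing parens, etc.
        owner, rtype, rdata = fields[:3]
        if rtype in ("NS", "CNAME", "PTR") and not rdata.endswith("."):
            problems.append(f"{owner}: {rtype} target '{rdata}' has no trailing dot; "
                            f"bind would read it as {rdata}.{origin}")
        elif rtype == "A" and ipaddress.ip_address(rdata) not in net:
            problems.append(f"{owner}: A record {rdata} is outside {subnet}")
    return problems

if __name__ == "__main__":
    print(next_serial(1999101001, datetime.date(1999, 10, 10)))  # 1999101002
    for problem in check_zone(ZONE):
        print(problem)
```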

This is enough for your intranet to connect to the internet - there is much more functionality you can provide, and this will be covered in the next article in this series. Further functionality can include a web proxy, to reduce traffic, a DHCP server, to make it easier to configure clients, and much more.
