At 10:52 17/05/01 +0100, Ian Drake, IT, SE Dunbartonshire wrote:
>got ADSL installed yesterday, it's great, I'm loving the broadband
>revolution.
>
>Problem is that the USB modem use PPoPa which I know nothing about, and to
>tell the truth I have never used anything more complicated than a mouse
>plugged into a USB port (under Linux anyways).
>
Every supplier I've spoken to about this says if you want to run multiple
clients you must buy an ethernet adsl modem & pay much more than the USB
cost. Still I won't tell if you don't.

>So I'm putting some feelers out to find out if anyone has any advice on
>setting up a NAT server running Linux.
>I downloaded both ISO images for Mandrake 8.0 (kernel 2.4 I think). Anyone
>got any ideas on the next steps?
>
Do you really need to use NAT? Proxying offers a lot of benefits over
simple NAT; you can always connect to the Email server - admittedly less of
an issue with ADSL than with POTS, caching, content and access controls,
simpler firewall config. I've got DNS (bind), Email (fetchmail/sendmail),
Http[s] (squid), ftp (squid) and nntp (leafnode) proxying at the office
supporting 50 users off a 56k modem. Works a treat.

Port forwarding may also be advisable if you're going to run a server behind
the connection (which again, isn't really allowed by most providers). I've
used delegate which works reliably, although can be overkill for some
applications. AIR xinetd will do basic forwarding, as will iptables
(transparent proxying). Given that you've got a nearly-always-on connection
this might be a better way of handling Email rather than NAT or config'ing
your own proxy server, but web

>and general advice on firewalling under 2.4

block everything!

Seriously, you're going to have an always on connection - we get portscans,
probes and deliberate attacks on the machine I've described above at least
once a week and that's on a dial-up connection! My top tips for firewalls:

1) Do run a proper private network address (10.0.0.0/8 or 192.168.0.0/16).
It is this rather than NAT which provides some security. 
2) Avoid explicitly referencing the address on your internet connection
device in your firewall script if you can - that way you don't need to
reconfigure your firewall if your provider changes your host / network
address.
3) If you recompile your kernel don't allow source routed packets and
CONFIG_SYN_COOKIES
4) disable services which you don't use (Ok - so this one is obvious, but
you'd be surprised how many professional system administrators overlook
this - on a stock HPUX 10.20 box you can get unfettered access to tftp
which gives you read/write access to the whole system!).

HTH

Colin

--------------------------------------------------------------------
http://www.lug.org.uk                   http://www.linuxportal.co.uk
http://www.linuxjob.co.uk               http://www.linuxshop.co.uk
--------------------------------------------------------------------
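The four firewall tips in the reply above, put together as a starting point for a kernel 2.4 gateway. This is an added example, not Colin's script; it assumes the ADSL link comes up as ppp0, the LAN is eth0 on 192.168.0.0/24, and iptables with the state match is available. The function only prints the commands so they can be reviewed before being piped into sh.

```shell
#!/bin/sh
# Added example: generate a default-deny iptables firewall for a Linux 2.4
# ADSL gateway. Interface names and LAN range are assumptions (see lead-in).

EXT_IF="${EXT_IF:-ppp0}"            # assumed ADSL interface
INT_IF="${INT_IF:-eth0}"            # assumed LAN interface
LAN="${LAN:-192.168.0.0/24}"        # tip 1: private address range on the LAN

gen_firewall_rules() {
    ext="$1"; int="$2"; lan="$3"
    # Tip 3: kernel settings that do not need a recompile on 2.4
    echo "echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route"
    echo "echo 1 > /proc/sys/net/ipv4/tcp_syncookies"
    echo "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter"
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    # "block everything!": flush, then default DROP for inbound and forwarded
    echo "iptables -F"
    echo "iptables -t nat -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Tip 1: only the private LAN range on the inside interface is trusted
    echo "iptables -A INPUT -i $int -s $lan -j ACCEPT"
    # Tip 2: match on the interface, never on the provider-assigned address,
    # so a changed IP does not require a rule change
    echo "iptables -A INPUT -i $ext -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Private source addresses arriving from the internet side are spoofed
    echo "iptables -A INPUT -i $ext -s 10.0.0.0/8 -j DROP"
    echo "iptables -A INPUT -i $ext -s 192.168.0.0/16 -j DROP"
    echo "iptables -A FORWARD -i $int -o $ext -s $lan -j ACCEPT"
    echo "iptables -A FORWARD -i $ext -o $int -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # MASQUERADE rather than SNAT because the ADSL address may change
    echo "iptables -t nat -A POSTROUTING -o $ext -s $lan -j MASQUERADE"
}

# Returns 0 when no generated rule embeds the given (external) address
rules_avoid_address() {
    gen_firewall_rules "$EXT_IF" "$INT_IF" "$LAN" | grep -q -- "$1" && return 1
    return 0
}

gen_firewall_rules "$EXT_IF" "$INT_IF" "$LAN"
```

Tip 4 (disabling unused services) is done in inetd.conf or the init scripts, not in the firewall, so it is not covered here.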
