[TriLUG] newbie needs help with IP setup, part 2: static IP?

Tom Roche Tom_Roche at pobox.com
Wed Dec 5 16:44:22 EST 2007


summary: the router/DHCP/DNS proposal sounds good! Just please lemme
know if I can put that all on a LEAF box (or equivalent).

details:

<warning: ascii art/>

following up from
http://www.trilug.org/pipermail/trilug/Week-of-Mon-20071203/052336.html
note that our current physical network is like

                                          cat5-- backend
                                         /
--TWC cable-- Surfboard --cat5-- minihub
                                         \
                                          cat5-- lane

Tom Roche Wed Dec 5 12:47:12 EST 2007
 >> [requirements in] ascending order of preference:

 >> 0 My laptop, the lane, and the backend talk exclusively to each
 >>   other on their subnet (i.e. "in the basement," currently). For
 >>   that, static private (or direct-access only) networking should
 >>   suffice (no?), but one would be required to be on the subnet to
 >>   access anything. This is secure for deployment, but a PITA for
 >>   development.

 >> 1 My laptop, the lane, and the backend can talk to each other
 >>   anywhere in the world. For that static public (or remote-access
 >>   allowed) networking is required (no?). This is good for
 >>   development, insecure for deployment.

 >> 2 Enable toggling between private and public networking on demand.
 >>   Normal mode will be for the co-op to run the POS privately/
 >>   securely (no external access). But for development, or if we need
 >>   the remote folks to get hands-on, we could enable external access
 >>   (by changing POS config files, router config, etc).

Magnus Hedemark Wed Dec 5 15:28:34 EST 2007 (rearranged)
 > As mentioned before, the very first thing you should be doing at
 > this point is installing a router between the TWC Surfboard and the
 > minihub. Not only is this a huge security issue, but from a network
 > architecture standpoint you need to establish a private network that
 > can access the Internet (but not the other way around).

OK. As previously mentioned, we're short on cash, but we have some
spare boxes, so I'm assuming that, for now, I can just set up a LEAF
box and use that? (Or is there a preferred package for creating linux
routers?) Below I'll assume that's a good option, and that
the resulting physical network will be like

                                                        cat5-- backend
                                                       /
--TWC cable-- Surfboard --cat5-- LEAF --cat5-- minihub
                                                       \
                                                        cat5-- lane

 > [The following] takes slightly more work, but has a nice payoff in
 > terms of long-term management.

 > Configure your POS terminals as DHCP clients.

 > Establish a dhcpd daemon on your server node. This will require
 > *disabling* dhcp on the router that you still need to install. :)

Not sure what you mean by "server" in the current network. Could I
instead just enable DHCP on the LEAF box? Below I'll assume so, and
that "server" == "LEAF":

 > You can set up dhcp lease reservations in your /etc/dhcp/dhcpd.conf
 > file.

 > Example, from an old Sun workstation that is no longer on my network
 > (sanitized a wee bit):

 > #begin example
 > host bluegill {
 >         hardware ethernet 08:00:20:12:34:56;
 >         ddns-hostname bluegill;
 >         fixed-address 192.168.1.2;
 > }
 > #end example

 > So if host "bluegill" asks the dhcp server for a lease, it will
 > *always* get 192.168.1.2.

 > The payoff of this is that if you need to change your network
 > infrastructure around, you don't need to change anything on the POS
 > terminals. Just change it on the dhcp server and the next time the
 > dhcp client tries to renew its lease, it will pick up the changes.
 > Great way to add new nameservers or what have you.

 > Going this route you also would need to set up dynamic dns on your
 > server (also not too hard).

 > Relevant lines from dhcpd.conf:

 > #begin
 > ddns-update-style interim;
 > key DHCP_UPDATER_KEY {
 >   algorithm HMAC-MD5.SIG-ALG.REG.INT;
 >   secret [sanitized];
 > };

 > zone EXAMPLE.COM. {
 >   primary 127.0.0.1;
 >   key DHCP_UPDATER_KEY;
 > }

 > zone 1.168.192.in-addr.arpa. {
 >   primary 127.0.0.1;
 >   key DHCP_UPDATER_KEY;
 > }

 > option domain-name "example.com";
 > option domain-name-servers 192.168.1.1;
 > #end

 > This will update a DNS server running on the same host as dhcpd when
 > new leases are added.

OK, so I should also run DNS on the LEAF box? E.g. I could do an Ubuntu
Server Edition install, take the "DNS Server" option (which I believe
includes SSH), and add the LEAF packages?

 > It will tell all dhcp clients that the domain name is "example.com"
 > and use the name server "192.168.1.1".

 > You'll also want to define a subnet and a pool:
 > #begin
 > subnet 192.168.1.0 netmask 255.255.255.0 {
 >         option routers 192.168.1.254;
 >         option subnet-mask 255.255.255.0;
 >         pool {
 >                 max-lease-time 28800;
 >                 range dynamic-bootp 192.168.1.100 192.168.1.199;
 >                 deny unknown-clients;
 >         }
 > }
 > #end

 > Note that the "deny unknown-clients;" line will prevent a machine
 > from getting a lease if it is not pre-registered in dhcpd.conf. It's
 > optional.

 > A registration can be something simple like this, without a reserved
 > IP address or anything:

 > #begin
 > host xbox {
 >         hardware ethernet 00:0d:3a:3d:76:b7;
 >         ddns-hostname xbox;
 > }
 > #end

 > You also need to edit your BIND configuration file to include stuff
 > like this:

 > #begin
 > key DHCP_UPDATER_KEY {
 >   algorithm HMAC-MD5.SIG-ALG.REG.INT;
 >   secret [sanitized];
 > };

 > zone "example.com" IN {
 >         type master;
 >         file "/etc/bind/example.com.zone";
 >         allow-update { key DHCP_UPDATER_KEY; };
 > };

 > zone "1.168.192.in-addr.arpa" IN {
 >         type master;
 >         file "/etc/bind/1.168.192.rev";
 >         allow-update { key DHCP_UPDATER_KEY; };
 > };
 > #end

 > That will tell BIND to allow dhcpd to send it dynamic updates as new
 > leases are handed out.

 >> * It would be very convenient to be able to access each box
 >>   remotely while we're getting this set up. The POS' lead developers
 >>   are in Minneapolis and Portland, and a fair amount of
 >>   customization is usually required--co-ops have different
 >>   membership structures/ policies, states have different tax codes
 >>   (there are no NC users currently), etc.

 > When you get your router configured, pass port 22/tcp traffic to
 > your server (ssh). Once someone ssh's into that, they are
 > effectively on your network and can ssh from there to other hosts.

Or just allow SSH into the lane and backend, rather than into the LEAF
box, no? (Although presumably I'll need SSH on the LEAF box to, e.g.,
configure DNS.)

 > Other protocols can be tunneled over ssh, such as vnc, to
 > effectively permit a full GUI experience if necessary.

Probably not necessary. The POS is basically 2 PHP apps, plus drivers
for the POS peripherals, so as long as outsiders can

* SSH in

* do HTTP GETs inbound (worst case, SSH in and http://localhost)

we should be golden.

 > Start private, then open a hole in the firewall to permit ssh and
 > nothing more. VPN is another option but takes a bit more work to get
 > set up & troubleshoot.

Sounds good! Please just lemme know if LEAF is an option; otherwise
I'll hafta start shaking folks down for a Real Router (tm).

 > (are you the same Tom Roche from IBM, btw?)

Formerly: my group got whacked end of June :-( OTOH, that gives me
time to work on this :-)

TIA, Tom Roche <Tom_Roche at pobox.com>
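A sanity check in the spirit of the dhcpd.conf fragments quoted above, added here as an example and not part of the thread: it parses a constructed dhcpd.conf-style text with the same subnet, pool and host blocks and flags reservations whose fixed-address collides with the dynamic range or whose MAC/IP is claimed twice, plus a pool that still hands leases to unregistered clients. It assumes Python 3 with only the standard library and one pool per subnet.

```python
import ipaddress
import re

# Constructed sample in the shape of the dhcpd.conf fragments quoted above;
# "lane" deliberately reuses bluegill's MAC and sits inside the dynamic pool.
SAMPLE_CONF = """subnet 192.168.1.0 netmask 255.255.255.0 {
        pool {
                range dynamic-bootp 192.168.1.100 192.168.1.199;
                deny unknown-clients;
        }
}
host bluegill {
        hardware ethernet 08:00:20:12:34:56;
        fixed-address 192.168.1.2;
}
host lane {
        hardware ethernet 08:00:20:12:34:56;
        fixed-address 192.168.1.150;
}
"""
HOST_RE = re.compile(r"host\s+(\S+)\s*\{(.*?)\}", re.S)
SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)")
RANGE_RE = re.compile(r"range(?:\s+dynamic-bootp)?\s+(\S+)\s+(\S+);")

def check_reservations(conf):
    """Return a list of problems found in the host reservations of conf."""
    problems = []
    net = ipaddress.ip_network("%s/%s" % SUBNET_RE.search(conf).groups(), strict=False)
    lo, hi = map(ipaddress.ip_address, RANGE_RE.search(conf).groups())
    if "deny unknown-clients" not in conf:
        problems.append("pool does not deny unknown clients")
    seen = {}  # MAC or IP -> host that already claimed it
    for name, body in HOST_RE.findall(conf):
        mac = re.search(r"hardware ethernet\s+([0-9a-fA-F:]+);", body)
        if not mac:
            problems.append(f"{name}: no hardware ethernet, cannot match a client")
        keys = [mac.group(1).lower()] if mac else []
        fixed = re.search(r"fixed-address\s+(\S+);", body)
        if fixed:
            ip = ipaddress.ip_address(fixed.group(1))
            keys.append(ip)
            if ip not in net:
                problems.append(f"{name}: {ip} is outside {net}")
            elif lo <= ip <= hi:
                problems.append(f"{name}: {ip} lies inside dynamic range {lo}-{hi}")
        for key in keys:  # duplicate MAC or IP across reservations
            if key in seen:
                problems.append(f"{name}: {key} already reserved for {seen[key]}")
            seen[key] = name
    return problems
```

Run it against the real file with `check_reservations(open("/etc/dhcp/dhcpd.conf").read())` before restarting dhcpd; an empty list means the reservations are consistent with the pool.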
