Configuring RedHat 7.2 as a Server System (v3)

The Gateway Server

This will help you install RedHat 7.2 to function in the following environment, with some optional properties:

Basic Assumptions

You must know the answer to the following questions:

Does your system have a dynamic or static IP address?
Do you plan on providing IP-masquerading functions to an inside network?
Do you plan on providing a mail system, with IMAP or POP services provided to selected clients?

Normal instructions are in plain text. Material dealing with DNS connections is in blue. Material dealing with IP-masquerading is in green. And finally, anything commands or other typeins you should enter at on your linux machine will be in red-bold. For example, if you see

ls -la

it indicates you should enter those characters. The terminating RETURN or ENTER key is assumed.

Your outgoing connection is a fast line (Mine was a cable modem, not a router). This line can be either fixed-IP, or dynamic IP. There's some discussion about various connections.
You have a Network card (eth0) that interfaces to the Internet.
You want to run a web server on your gateway Machine

If you use IdahoQuad.com as your dns server

You have subscribed to the service of IdahoQuad.com
You need to keep us informed of any address changes

If you want to do IP Masquerading for an internal network

You have an second network card (eth1) that interfaces to your home network, probably with the help of an Ethernet Hub or Switch.
You have a home network of trusted machines, some of which might be portables and would benefit from DHCP.
You want to run fun stuff on your internal Windows machines, like mail, IRC, ICQ, AOL/IM, Yahoo Messenger, FTP, etc. I can't speak for games, since that's not my interest. (needed only if you're doing Masquerading).

Assumptions

In my environment, I had several PC's, and I dedicated one of them to be my Linux gateway. I will call this machine the Gateway machine. I equipped it with two network cards, one (eth0) connected to the internet, and the other (eth1) connected to a hub, to which my internal machines were connected. You won't need the second adaptor unless you're doing Network Address Translation (Masquerading).

1. Loading the Gateway Machine

Install RedHat 7.2 from the supplied CD.

When you bootstrap from a CD, you get to chose the installation display type. I chose text , since I did not intend installing X on the server. Follow all the suggested defaults. They're pretty obvious.

Window Title Choice Comments

Language Selection English

Keyboard Selection US

Mouse Selection None Since this is a text system, we really don't need any mouse

Installation Type Server This seems to include most of the desired stuff

Disk Partitioning Setup Autopartition The setup seems to make the right choices

Automatic Partitioning Remove all partitions on this system
Select only hda for the installation We assume no data will survive, but the system will reside on the first disk only

Partitioning OK An interesting display

Boot Loader Configuration Use GRUB Boot Loader

Boot Loader Configuration Choose the MBR

Boot Loader Configuration OK I don't think you need special parameters to the Kernel, and I don't think you need a boot password.

Network Configuration Fill in the data correct for your situation

Firewall Configuration Choose None We'll fix this later

Time Zone Selection Make it right

Root Password Choose carefully There is a remedy if you forget, but you don't want an easily guessed one.

Add User Add at least one user. Please include the user "daku", as well as your own account.

Package Group Selection Unselect the Classic X window System
Select the Web Server.
Check the Select Individual Packages

Individual Package Selection

Package Group Add these Remove these

Somewhere imap, only if you're going to provide mail services

Applications/Archiving zip
unzip

Applications/Internet lynx

Applications/Multimedia netpbm-progs

Applications/System linuxconf

Documentation
(optional) apache-manual

System Environment/Daemons mod_bandwidth
dhcp (if you're masquerading)
ntp
wu-ftpd pidentd (only if you're Masquerading)

Video Configuration If it arises, you can skip the X-configuration

I used the supplied default functions for everything else. If Package Dependencies appear, allow them to be fulfilled.

Complete the install (many minutes). You can make a boot diskette at this time, but it's not required.

Reload the machine. Make sure you revise the boot sequence in your ROM, so it doesn't start with the CD. When your system comes up, you're running without any firewall protection, but it will be for only a very short time. If you get invitations from kudzu, choose the yes-configure option. This is Linux's Plug-and-Play detection.

The Network can be configured at this point, but you still will have to give the local machine a name.

First, after you log in as root, type:

hostname your-host-name
such as
hostname alpha.beta.com

The name you choose here makes a difference, so you should choose the DNS name by which you are known to the outside world. This is important if you ever hope to do any mail functions, since SMTP involves a reverse dns lookup.

2. First Configuration

Internet access will be important, so that's our first job. So, type:

linuxconf

You should read the Introduction, which gives you an idea of how to navigate, and then choose quit.

Go to Config -> Networking -> Client tasks -> Host name and IP network devices Fill in the following information:

Heading Value Comments
Host name + domain yourhost.yourdomain.com This is the simple name by which your system knows itself. This should match the value you defined as the hostname above.
Adaptor 1 Enabled X
Adaptor 1 Config Mode Choose. If you select DHCP, nothing else matters.
Adaptor 1
Primary name + domain yourhost.yourdomain.com This should be a copy of the Host Name field.
Details of adaptor If you're manual, fill in the details

Adaptor 1 .... The net device and Kernel Module should be filled in automatically; the rest should be empty
Configuring eth1 is needed only if you plan on supporting masquerading (Network Address Translation, NAT)
Adaptor 2 Enabled X if you plan on using an internal network. You can always turn this on later.
Adaptor 2 Config Mode Manual This is the DHCP master for your internal network
Adaptor 2 Primary name + domain xxx Whatever you choose to enter. It probably doesn't matter
Adaptor 2 IP address 192.168.1.2 The IP address you choose here is important for the first three digits. If you change the 4th field, you'll have to modify the dhcpd configuration I load later. You will find me using 192.168.1.* all over the place. I personally have adopted the convention that the fixed IP addresses are 192.168.1.1 - 192.168.1.127, and the dynamic ones are awarded from 128 up.
Adaptor 2 Netmask (opt) 255.255.255.0

Heading	Value	Comments
Host name + domain	yourhost.yourdomain.com	This is the simple name by which your system knows itself. This should match the value you defined as the hostname above.
Adaptor 1 Enabled	X
Adaptor 1 Config Mode		Choose. If you select DHCP, nothing else matters.
Adaptor 1 Primary name + domain	yourhost.yourdomain.com	This should be a copy of the Host Name field.
Details of adaptor		If you're manual, fill in the details
Adaptor 1 ....		The net device and Kernel Module should be filled in automatically; the rest should be empty
Configuring eth1 is needed only if you plan on supporting masquerading (Network Address Translation, NAT)
Adaptor 2 Enabled	X	if you plan on using an internal network. You can always turn this on later.
Adaptor 2 Config Mode	Manual	This is the DHCP master for your internal network
Adaptor 2 Primary name + domain	xxx	Whatever you choose to enter. It probably doesn't matter
Adaptor 2 IP address	192.168.1.2	The IP address you choose here is important for the first three digits. If you change the 4th field, you'll have to modify the dhcpd configuration I load later. You will find me using 192.168.1.* all over the place. I personally have adopted the convention that the fixed IP addresses are 192.168.1.1 - 192.168.1.127, and the dynamic ones are awarded from 128 up.
Adaptor 2 Netmask (opt)	255.255.255.0

Use the Accept function to return to Linuxconf's main screen.

If you are using static IP addresses for your eth0 configuration, you should walk through the Name Server, Routing and Host-Name search path screens to make sure all is good.

At this point, your network should work. Reboot your machine.

3. Second Configuration

At this point, I can remotely enter your system and watch what goes on. Your system will be vulnerable for a few minutes.

Type the command screen and then I can join you and watch.

Find Control->Control Panel->Control Service Activity and modify stuff as follows:

Control Service Desired Setting
apmd Manual, unless you're on a portable with batteries
gpm Manual, since we don't use a mouse
httpd Auto
ipchains Manual
lpd Manual, unless you have a printer
ntpd Automatic, and start it.
xfs Manual

Control Service	Desired Setting
apmd	Manual, unless you're on a portable with batteries
gpm	Manual, since we don't use a mouse
httpd	Auto
ipchains	Manual
lpd	Manual, unless you have a printer
ntpd	Automatic, and start it.
xfs	Manual

After you've finished these, use Dismiss to return to linuxconf.

Space down to the date & time selection inside the control section, enter it. Put an X in the "store in GMT Format, and set up your time zone (use the (control)X to open up the options). For the "get date" option, I chose the server

ntp0.cornell.edu

Hit accept

You can now exit linuxconf, selecting Act/Changes, then Do it. With luck, all should work without complaint, and you return to the Linuxconf main screen.

Use Dismiss and you should be back at the shell prompt. With luck, lots of stuff should be working, and your system is vulnerable. So, try a simple ping just to make sure stuff is working, and we'll proceed with the fixups. A reboot is Not necessary (Isn't Linux nice?)

3.2 Moving the special files

I have saved that has a bunch of files on it that make your work easier. Download the diskette image and unzip it expanding directories onto a clean formatted diskette using your windows machine. The root directory on the diskette should contain two files (import and part1) and one directory (data).

You now mount the diskette on your new linux box, and execute a script on it.

You must type in the following sequence

The typein The explanation
mount -t vfat /dev/fd0 /mnt/floppy Mounts the floppy as a MSDos file system
. /mnt/floppy/part1 Runs the script. Note the initial period; it's important. You will be asked a set of questions to which you should respond either Y or N.

The NAT question asks whether you plan on having a second interface supporting an internal masqueraded network. If you choose Y, several utilities are installed.
The DYNDNS question asks whether you have a static IP address for your primary connection, or whether you use the services of dyndns.org.
See below for a discussion of what's happening.
This form of the command puts all the output into the file /usr/part1.out, so we can look at it when it's done.
You can monitor the output by opening another window (hit alt-F2), and typing
tail -f /usr/part1.out
Don't worry about the "dude" diagnostics. That is what OIDENTD talks about.

umount /dev/fd0 Dismount the diskette. Always wait until the light on the diskette drive goes out before removing the diskette.

The typein	The explanation
`mount -t vfat /dev/fd0 /mnt/floppy`	Mounts the floppy as a MSDos file system
`. /mnt/floppy/part1`	Runs the script. Note the initial period; it's important. You will be asked a set of questions to which you should respond either Y or N. The NAT question asks whether you plan on having a second interface supporting an internal masqueraded network. If you choose Y, several utilities are installed. The DYNDNS question asks whether you have a static IP address for your primary connection, or whether you use the services of dyndns.org. See below for a discussion of what's happening. This form of the command puts all the output into the file /usr/part1.out, so we can look at it when it's done. You can monitor the output by opening another window (hit alt-F2), and typing tail -f /usr/part1.out Don't worry about the "dude" diagnostics. That is what OIDENTD talks about.
umount /dev/fd0	Dismount the diskette. Always wait until the light on the diskette drive goes out before removing the diskette.

Here are the files you just copied in

File Function Tailoring
/root/scripts A collection of scripts
/root/scripts/httpd_logger A cron job to rotate HTTP logs
/root/scripts/export_to_floppy A job to recreate the above diskette
/etc/dhcpd.conf DHCP daemon configuration
/etc/firewall.conf The firewall configuration
/etc/init.d/firewall The firewall script
/etc/rc.d/fixup An extra after rc.local
/etc/xinetd.d/oidentd The controls for Oinetd
/etc/xinetd.d/telnet Telnet daemon permissions The "only_from" argument probably needs to be augmented by adding any IP addresses that are allowed to TELNET in.
/etc/xinetd.d/wu-ftp WU-FTP daemon permissions See above.
/etc/httpd/conf/extras.conf My tailoring of the Apache server
Install oidentd This is the daemon that allows you to run mIRC behind the firewall.

File	Function	Tailoring
/root/scripts	A collection of scripts
/root/scripts/httpd_logger	A cron job to rotate HTTP logs
/root/scripts/export_to_floppy	A job to recreate the above diskette
/etc/dhcpd.conf	DHCP daemon configuration
/etc/firewall.conf	The firewall configuration
/etc/init.d/firewall	The firewall script
/etc/rc.d/fixup	An extra after rc.local
/etc/xinetd.d/oidentd	The controls for Oinetd
/etc/xinetd.d/telnet	Telnet daemon permissions	The "only_from" argument probably needs to be augmented by adding any IP addresses that are allowed to TELNET in.
/etc/xinetd.d/wu-ftp	WU-FTP daemon permissions	See above.
/etc/httpd/conf/extras.conf	My tailoring of the Apache server
Install oidentd	This is the daemon that allows you to run mIRC behind the firewall.

3.3 Adjusting stuff

Some of the files you just loaded need some localization. For this, you'll need an editor (I use "vi"). The things you have to do are:

Run crontab -e. Each crontab entry consists of a time mask (minute, hour, day-of-month, month-of-year, day-of-week) followed by a command. In any field, you can enter a number, an asterisk, or */n, the last item implying every "n". Note that the commands on the first and third line in the instructions below start with a period, a space, a slash.
Add the following lines:

10 0 * * * . /root/scripts/httpd_logger daku
*/5 * * * * . /root/scripts/update_network
0 1 * * * /usr/sbin/up2date -fu
which has the effect of running the "httpd_logger" procedure at 10 past midnight every night. Replace the word "daku" with whatever is the name of your special user, the one selected to receive the system-wide error and security logs for monitoring. If you instead wanted peform this at 11:09pm (local time), you'd enter the first line as
9 23 * * * . /root/scripts/httpd_logger daku
The second line (update_network) is needed only if you use dyndns, and informs dyndns.org of any IP address change by testing once every 5 minutes.. The third line performs a nightly update at 00:01 (one minute past midnight) via the RedHat network.
Edit /etc/xinted.d/telnet and if needed modify the only_from to contain 192.168.1.0/24 my-internet-address.
This specifies that Telnet will be permitted only from the internal network, and from my quasi-static IP address.
Edit /etc/xinetd.d/wu-ftpd and make the same change as for /etc/xinetd.d/telnet.
Edit /etc/firewall.conf to tailor it to your own situation.
If you are masquerading, edit the line that begins with RELAY_TO_128= and enter the port numbers of interest. It turns out that whatever you enter here is discarded if you don't have eth1. These ports are forwarded from the firewall through the masquerading directly to the windows machine at 192.168.1.128. Ports 5631 and 5632 are used for PC-Anywhere; ports 4901-5000 are used for IRC's DCC protocol.
Change the line beginning with OPEN_PORTS and enter the port numbers to which you will attach the Apache web server. I avoid port 80 because it's often hacked.
Edit /root/.forward to direct root mail to you. Note that this file's name begins with a dot. If you want to receive it at your home address, enter that address as the one and only line in that file.
Internal mail is generated whenever crontab runs those timed jobs. That should be 2 messages per day assuming no IP changes occur.
Edit /etc/httpd/conf/extras.conf to reflect local conditions. This is hard to describe, but
- Make sure the "Listen" port(s) agree with what you allowed in the firewall
- Adapt (or delete) virtual servers as needed
- Fix the host name and webmaster address as needed

4. Updating and Fixing

Remove the diskette (unless your boot rom doesn't look at diskettes) and reboot. Your gateway machine should now work with the firewall.

Your next step is to register your RedHat LInux with the Redhat folks, so that we can perform a huge set of updates. Assuming you have the registration number, you run the program

rhn_register

and follow directions. After you've successfully done that, you can run your first update by typing in

up2date -fu

and watch the bits fly. Remember that we perform this action every night.

5. Adding a Disk

You've just added a second hard-drive. Remember the naming convention for ATA drives: hdxn, where:
x is one of the letters, a,b,c.... corresponding to the physical drive
n is a partition number.

Device name Where
/dev/hda1 Primary, Master, first partition
/dev/hda2 Primary, Master, Second partition
/dev/hda3 Primary, Master, Third partition
/dev/hda4 Primary, Master, Fourth partition, usually an extended one, which contains other partitions.
/dev/hdb1 Primary, Slave, often a CD
/dev/hdc1 Secondary Master
/dev/hdd1 Secondary Slave
/dev/hde1 Tertiary master, in case you have an extra IDE card.

Device name	Where
/dev/hda1	Primary, Master, first partition
/dev/hda2	Primary, Master, Second partition
/dev/hda3	Primary, Master, Third partition
/dev/hda4	Primary, Master, Fourth partition, usually an extended one, which contains other partitions.
/dev/hdb1	Primary, Slave, often a CD
/dev/hdc1	Secondary Master
/dev/hdd1	Secondary Slave
/dev/hde1	Tertiary master, in case you have an extra IDE card.

Let's assume you have a new empty disk and it attaches as the secondary master. This makes its UNIX name /dev/hdc1. You also have to decide where you'll mount the device in the Unix file system. The steps are:

mkfs /dev/hdc1 This is much like the "format" command in DOS.
mkdir /mount-name Where you will be mounting the new disk
tune2fs -j /dev/hdc1 This creates the journaling structures on the disk
mount -t ext3 /dev/hdc1 /mount-name This mounts the device at the place indicated.

6. Adding a User, the Hard Way

When you add a user and you need web access, there are a few changes to make. We assume that you added the user via linuxconf. The problem will be the security of the directories, and to allow the web-server to come looking.

In the below, let's assume you've added a new user named newguy, via Linuxconf, and you specified /home/newguy as his home directory. The following assumes you are running as 'root'

Adjusting Permissions

You have to allow the web server to access the user's directory. All it needs is pass-through access, which allows it to traverse the directory without being able to list it.

chmod 711 /home/newguy
mkdir /home/newguy/public_html
chmod 711 /home/newguy/public_html
chown newguy.newguy /home/newguy/public_html

Adding a virtual web server

My technique is to rely upon a special port number for this user. So, let's assume you assign him a port number webport. This will typically be a number in the 80xx range, or maybe in the 10xxx range.

Modify /etc/firewall.conf to add webport to the list of OPEN_PORTS.

Modify /etc/httpd/conf/extras.conf at the end by adding the following set of lines:

Listen webport
<VirtualHost * *:webport>
ServerAdmin me@daku.org
ServerName your-machine-name:webport
DocumentRoot /home/newguy/public_html
Options Includes FollowSymLinks
LogFormat Combined
TransferLog "|rotatelogs /var/log/httpd/newguy_access_log 86400"
ErrorLog "|rotatelogs /var/log/httpd/newguy_error_log 86400"
</VirtualHost>

Adding a User the Easy Way

The above steps happen automatically if you run the script:

. /root/scripts/new_user name password port

where the name is the name of the user, password is his password (which I haven't been able to make work), and port is the port number for his web services.

You will have to go back into LINUXCONF to set this user's password; I haven't found a way to do it successfully in the script.

Activating Mail

If you want your Linux machine to be able to send mail, you need do nothing. If, however, you wish to receive mail from the outside world, or relay mail from selected clients to the outside, you have some work to do.

Manually edit /etc/mail/sendmail.mc, and comment out the two lines discussed at the end of the file. The result should say:
# DAEMON_OPTIONS('Port=smtp,Addr=127.0.0.1, Name=MTA')
# FEATURE('accept_unresolvable_domains')dnl
The file /etc/mail/virtualusers instructs SENDMAIL to deposit mail destined for a given user in a place other than that user's local name. If you want all mail deposited in a specific account, you add the line
@your-domain.com the-user
Use linuxconf and add support for sendmail. Go to Linuxconf Management -> Modules, and check "sendmail".
Use Linuxconf (you may have to exit and restart it) to adjust mail, at Config->ServerTasks->Mail delivery system(sendmail) -> basic-> configure basic information
the "Present your System as" should have your primary domain name, and check the appropriate box. I also Enabled relay control, RBL, and left the rest as specified.
Still in Linuxconf, space down to Anti-Spam filters, and in "Setting Relay email from by IP", I entered my internal network address in the form 192.168.1. (that last period is important.
Activate changes (rebuilds configuration) and ...

The Front Page Server

Hidden behind the gateway is a FrontPage apache server. Because port 80 is not available, the tricks are:

Administration is sent to frontpage.daku.org.
The dyndns setting redefines this as www2.daku.org:13090
My NAT firewall maps port 13090 to 192.168.1.101:8090
The frontpage machine accepts admin on 8090

The user access is as follows. Assume an external customer with a domain name sammygarden.com.

Using IdahoQuad.com, the names are remapped:
sammygarden.com redirected to telford.daku.org:13080
www.sammygarde.com redirected to telford.daku.org:13080
My NAT firwall maps port 13080 to 192.168.1.101:80
The frontpage machine has a virtual webserver for www.sammygarden.com
The frontpage machine has a user account named sammygarden

mkfs /dev/hdc1	This is much like the "format" command in DOS.
mkdir /mount-name	Where you will be mounting the new disk
tune2fs -j /dev/hdc1	This creates the journaling structures on the disk
mount -t ext3 /dev/hdc1 /mount-name	This mounts the device at the place indicated.

Listen webport
<VirtualHost * :webport*>
	ServerAdmin	me@daku.org
	ServerName	your-machine-name:webport
	DocumentRoot	/home/newguy/public_html
	Options	Includes FollowSymLinks
	LogFormat	Combined
	TransferLog	"\|rotatelogs /var/log/httpd/newguy_access_log 86400"
	ErrorLog	"\|rotatelogs /var/log/httpd/newguy_error_log 86400"
</VirtualHost>