June 2007


Using the following steps, it is possible to set up a chrooted BIND master server on Debian in under 5 minutes. It is assumed that you already understand BIND and zone files.

Parts of this guide (the chroot mainly) are taken from a longer guide at howtoforge.

Lines shown on their own as commands are to be entered into the shell, as root.

apt-get update
apt-get install bind9
/etc/init.d/bind9 stop
vim /etc/default/bind9

Change:
OPTIONS="-u bind"
To:
OPTIONS="-u bind -t /var/lib/named"

-u bind makes named switch to the unprivileged bind user once it has bound port 53, and -t /var/lib/named makes it chroot into that directory before it reads its configuration, which is why everything it needs (config, zones, device nodes, a log socket) has to be copied in underneath it.

vim /etc/bind/named.conf.options

Change the 'forwarders' line to your ISP's DNS servers:
forwarders { x.x.x.x; };

mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run
mv /etc/bind /var/lib/named/etc
ln -s /var/lib/named/etc/bind /etc/bind
mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/*
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind
vim /etc/default/syslogd

Change:
SYSLOGD=""
To:
SYSLOGD="-a /var/lib/named/dev/log"

This makes syslogd open a second log socket inside the chroot, since the chrooted named can no longer reach /dev/log.

echo "nameserver 127.0.0.1" > /etc/resolv.conf

/etc/init.d/sysklogd restart
/etc/init.d/bind9 start

ping www.google.com

If the name resolves, the local machine is now answering queries and you have a running, chrooted BIND master server.
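The steps above are easy to get slightly wrong (a missing directory, a device node that never got created, or a named that silently ignored -t). Here is an added example, not part of the original post, that stages the same chroot skeleton under a directory of your choosing, lists whatever is still missing from it, and checks through /proc that a running named really is confined. It assumes the Debian layout used above (chroot at /var/lib/named, user and group "bind"); both are parameters to the functions.

```shell
#!/bin/sh
# Added example, not from the original post: stage the BIND chroot tree,
# report what is still missing, and verify that named is really chrooted.
# Assumes the Debian layout from the post: chroot /var/lib/named, user bind.
set -eu

# Directories named needs inside the chroot (relative to the chroot root).
CHROOT_DIRS="etc dev var/cache/bind var/run/bind/run"

# Everything that must exist once the post's steps are complete. etc/bind
# comes from the mv, dev/log from syslogd started with -a.
CHROOT_REQUIRED="etc/bind dev/null dev/random dev/log var/cache/bind var/run/bind/run"

# Create character device $1 with major $2 / minor $3, world read/write.
# mknod needs CAP_MKNOD; without it we warn and carry on so the rest of the
# tree can still be staged by an unprivileged user.
make_dev() {
    [ -c "$1" ] && return 0
    mknod "$1" c "$2" "$3" 2>/dev/null || {
        echo "warning: cannot mknod $1 (need CAP_MKNOD)" >&2
        return 0
    }
    chmod 666 "$1"
}

# Create the directory skeleton and device nodes under chroot root $1.
build_chroot_tree() {
    root="$1"
    for d in $CHROOT_DIRS; do
        mkdir -p "$root/$d"
    done
    make_dev "$root/dev/null"   1 3
    make_dev "$root/dev/random" 1 8
    # chown only makes sense as root on a box that has the bind user.
    if [ "$(id -u)" -eq 0 ] && id bind >/dev/null 2>&1; then
        chown -R bind:bind "$root/var"
    fi
}

# Print each required entry that is absent under chroot root $1, one per line.
chroot_missing() {
    root="$1"
    for e in $CHROOT_REQUIRED; do
        [ -e "$root/$e" ] || echo "$e"
    done
}

# Filesystem root as seen by process $1 (Linux /proc). For a chrooted named
# this must be the chroot directory; "/" means -t did not take effect.
proc_root() {
    readlink "/proc/$1/root"
}

# Exit 0 if process $1 is confined below directory $2, 1 otherwise.
is_confined_under() {
    [ "$(proc_root "$1")" = "$2" ]
}

# Typical use on the server, after the post's steps:
#   build_chroot_tree /var/lib/named
#   chroot_missing /var/lib/named          # should print nothing
#   is_confined_under "$(pidof named)" /var/lib/named && echo confined
```

The last check is the one worth keeping: /proc/PID/root is what the kernel thinks the process's root is, so it cannot be fooled by a named.conf that merely mentions the chroot path.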

I’ve had a pretty stable VPN setup on my networks for some time now, and I thought others might like a guide on how to get everything working. I had trouble following the threads explaining the concepts, so I spent some time getting it all working myself.

This can all be done using the free hamachi version. I have a premium license so I can make the network more secure by having to authorise new members.

This guide covers connecting a Windows XP machine to private networks where Linux and Windows machines act as the routing nodes.

I have 2 networks in my office, 10.1.0.0/24 and 10.2.0.0/24. I use the VPN for connecting my laptop to these networks from home.

Setting up the 'client' XP machine (the one which needs to VPN into the networks)
- Download and install hamachi
- Create a new network specifically for the VPN.
- Add 'RoutedTunneling 1' to hamachi-override.ini and restart Hamachi. You may need to create this file by clicking Configure, Preferences, System, Open Configuration Folder, then create hamachi-override.ini
- Click Start, Run and type ‘regedit’, then set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter to 1
- Reboot and open hamachi.

First 'server' - Windows (10.1.0.53 is the example local IP)
Follow the instructions above, but instead of creating a new network, join the one you previously created. That’s all you need to do to get a windows server set up.

Linux 'servers' (10.2.0.201 on my local network)
- cd /opt
- wget http://files.hamachi.cc/linux/hamachi-0.9.9.9-20-lnx.tar.gz
- tar -zxvf hamachi-0.9.9.9-20-lnx.tar.gz
- cd hamachi-0.9.9.9-20-lnx/
- mkdir /dev/net
- make install
- tuncfg/tuncfg
- hamachi-init
- hamachi start
- hamachi set-nick servername
- hamachi login
- hamachi join networkname networkpassword
- hamachi go-online networkname
- echo 1 > /proc/sys/net/ipv4/ip_forward

Note that whenever the Linux machines are rebooted, /proc/sys/net/ipv4/ip_forward will reset to 0, so either re-run the echo at boot or make it persistent with net.ipv4.ip_forward = 1 in /etc/sysctl.conf.

The server nodes are now set up to forward IPv4 packets between the Hamachi interface and the local network. Bear in mind what that means: any Hamachi peer that is a member of the network can now reach the whole LAN through that node, so approving who joins the network is the only access control you have.

This next step is where most problems will occur. The server nodes will forward packets to the network, but other machines on the local networks don't know where to send replies destined for Hamachi's 5.x.x.x addresses. I set up rules on our firewall which work something like:
Requests to 5.0.0.0/8 need to be routed to 10.1.0.53 on the 10.1 network
Requests to 5.0.0.0/8 need to be routed to 10.2.0.201 on the 10.2 network
That is one rule for each of the networks I need to access. I'm not sure how to do this in different firewall setups so I'm not much help here.

Everything is now set up, but the 'client' node doesn't know where to send packets for the 10.1 or 10.2 networks. To fix this, we need to create routes on the machine. I created 2 batch files, one to connect the VPN, and one to disconnect.

Connect batch file


@title Connecting Hamachi VPN Tunnels
@echo Connecting Hamachi VPN Tunnels
@echo -connecting to 10.1.0.0 network...
@route add 10.1.0.0 mask 255.255.255.0 [HAMACHI ADDRESS OF MACHINE ON 10.1]
@echo -connecting to 10.2.0.0 network...
@route add 10.2.0.0 mask 255.255.255.0 [HAMACHI ADDRESS OF MACHINE ON 10.2]
@echo .
@echo VPN Connected.
@echo To disconnect, run the disable batch file or reboot the system.
@echo .
@pause


Obviously you'll need to put the Hamachi IPs of each of the server nodes in this file.

Disconnect batch file

 
@title Disable Hamachi VPN Tunnels
@echo Disconnecting Hamachi VPN Tunnels
@echo -disconnecting 10.1.0.0
@route delete 10.1.0.0
@echo -disconnecting 10.2.0.0
@route delete 10.2.0.0
@echo .
@echo VPN Disconnected
@echo .
@pause

At this point everything is set up and ready to connect. You will need full connectivity to all the server nodes which you are using (green icons in hamachi).

Then you run the batch file to connect the VPN (or just type the route commands into a command prompt manually). Test pinging the local address of the server nodes, then other addresses inside the remote network.

Diagnostics
First, try pinging the local address of one of the server nodes (10.1.0.53 in my example). If this doesn't work, then my guess is that the route command hasn't been done correctly.
Next, try pinging another machine on the local network (10.1.0.50 for example). If this doesn't work, then it's likely that the server node isn't forwarding the packets correctly, or the responses from the machine you're pinging aren't being sent back to the server node properly: check the firewall routing and make sure you've set /proc/sys/net/ipv4/ip_forward to 1.

Note that this whole setup will only work if the client node is actually off the local network when you try to connect. By this, I mean that when I am at work, my laptop has the IP 10.1.0.56 and it connects out via 10.1.0.1; the VPN won't work while I'm at work because the added route for 10.1.0.0/24 via the Hamachi address displaces the directly connected route, so the gateway at 10.1.0.1 is no longer reachable and I can't connect out at all.

This is something I always forget how to do, so I’ll post it here.

When copying or connecting between Linux servers, the most straightforward solution is to use SSH or SCP. The only problem is that you’ll need to enter the password for the remote machine every time you connect, making this not very useful for scheduled scripts such as backups.

The easiest way round this is a public/private key pair. To create one on the local machine, run:

ssh-keygen -t rsa

and press enter at every prompt; that accepts the default filenames and sets an empty passphrase, which is what makes unattended use possible. This creates the private key ~/.ssh/id_rsa (keep it at mode 600 and never copy it anywhere) and the public key ~/.ssh/id_rsa.pub, which is the file you copy to the remote machine:

ssh user@host "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys" < ~/.ssh/id_rsa.pub

If ~/.ssh or ~/.ssh/authorized_keys doesn't exist on the remote machine you'll need to create them, and make sure the permissions are right: the directory must be 700 and the file must not be group- or world-writable, or sshd (with its default StrictModes yes) will ignore the key without saying why. A listing like this is fine:

-rw-r--r-- 1 root root 1412 2007-04-25 08:36 authorized_keys

Once this is done, you should be able to SSH and SCP to the remote machine without a password.

Obviously, from a security point of view a passphrase-less key is a risk (especially if you're doing it as root, since anyone who copies id_rsa gets root on the remote machine), but there are a lot of occasions where it can be useful.
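Since the whole point is an unattended backup key, the sensible middle ground is to install the public key with the right permissions and pin it in authorized_keys to one source address and one command. Here is an added example, not from the original post, that does both; the key string in it is a constructed placeholder, not a real key, and the address, home directory and backup command are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: install a public key the way
# sshd expects it, and restrict a passphrase-less key to one source host and
# one forced command. The key material used for testing is a placeholder.
set -eu

# Install public key line $1 into $2/.ssh/authorized_keys with the
# permissions sshd's StrictModes requires (.ssh 700, file 600), without
# adding the same line twice.
install_pubkey() {
    key="$1"
    home="$2"
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    grep -qxF "$key" "$home/.ssh/authorized_keys" || \
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
}

# Prefix public key $1 with authorized_keys options: only accept it from
# client $2 (address or pattern), always run command $3 regardless of what
# the client asked for, and refuse tty, agent, X11 and port forwarding.
restrict_key() {
    printf 'from="%s",command="%s",no-pty,no-agent-forwarding,no-X11-forwarding,no-port-forwarding %s\n' \
        "$2" "$3" "$1"
}

# Octal permission bits of $1 (GNU stat, falling back to BSD stat).
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Exit 0 if $1/.ssh is 700 and its authorized_keys is not group- or
# world-writable (the two things StrictModes checks), 1 otherwise.
check_ssh_perms() {
    home="$1"
    [ "$(mode_of "$home/.ssh")" = "700" ] || return 1
    m="$(mode_of "$home/.ssh/authorized_keys")"
    # 022 masks the group/other write bits; leading 0 makes the mode octal.
    [ $(( 0$m & 022 )) -eq 0 ]
}

# Typical use on the backup target (assumed names):
#   install_pubkey "$(restrict_key "$(cat id_rsa.pub)" 10.1.0.56 /usr/local/bin/backup-receive)" /home/backup
#   check_ssh_perms /home/backup && echo ok
```

With the forced command in place the key can only ever run backup-receive, so even if id_rsa walks off with the laptop, the thief gets a backup sink rather than a shell.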