Arch Linux gateway and server (part 2)

Last time I blogged about my idea of setting up a gateway / server system for a home LAN using Arch Linux. I've set up the base system and GNOME, cleaned up all packages I didn't need, and left the wireless router connected to the modem so that all systems on the LAN can access the Internet while I'm setting up the gateway.

The next thing I'm going to do is set up dnsmasq and openssh. At this point, I will rewire the wireless router to my gateway system, and connect the modem to the other ethernet interface on my gateway.

First off, the connections.

[modem]==cat5==[gateway]==cat5==[wl/router]))) ((([laptop]

Now the two interfaces on my gateway are a Realtek RTL8111/8168B gigabit ethernet on my motherboard, and a Hangzhou Silan Microelectronics RTL8139D PCI ethernet card (a very cheap, sub-$10 card I bought just to practice home networking). The first one is far more powerful than the other, so I'll use that for my LAN, and the other one will simply connect the modem and the gateway. The first interface is called eth0 and the second one is eth1.

Configuring network interfaces

First, let's configure the network interfaces. Open the file /etc/rc.conf and modify the relevant parts so it reads:

eth0="eth0 10.0.0.1 netmask 255.255.255.0 broadcast 10.0.0.16"
eth1="dhcp"
INTERFACES=(eth0 eth1)

I only need a handful of IP addresses so I set the broadcast to 10.0.0.16. The IP of the gateway is 10.0.0.1, so it gives me a total of 14 available addresses. More than enough. The eth1 interface is configured by DHCP using the internal DHCP server of the modem. I thought I'd apply the new settings by simply restarting the network daemon, but in the end I had to reboot...

The reason my subnet must be in the 10.0.0.x range is that my modem assigns the other interface an address in the 192.168.x.x range. Therefore, I need my LAN on a different range.

Setting up dnsmasq

Next, I set up dnsmasq. First, install it by issuing the following command.

pacman -S dnsmasq

Then I configure it using the tutorial in the ArchWiki, and man pages for dnsmasq. The configuration file for dnsmasq is located at /etc/dnsmasq.conf. In that file, modify/uncomment the following lines:

interface=eth0

# Set this (and domain: see below) if you want to have a domain
# automatically added to simple names in a hosts-file.
expand-hosts

# Set the domain for dnsmasq. this is optional, but if it is set, it
# does the following things.
# 1) Allows DHCP hosts to have fully qualified domain names, as long
#     as the domain part matches this setting.
# 2) Sets the "domain" DHCP option thereby potentially setting the
#    domain of all systems configured by DHCP
# 3) Provides the domain part for "expand-hosts"
domain=foxenboxen.loc

# This is an example of a DHCP range where the netmask is given. This
# is needed for networks we reach the dnsmasq DHCP server via a relay
# agent. If you don't know what a DHCP relay agent is, you probably
# don't need to worry about this.
dhcp-range=10.0.0.2,10.0.0.15,255.255.255.0,3h

I included the original comments from the file to help you with configuration. I suggest you read the other comments as well.

Apart from the above, I also bound the MAC address of my laptop's wireless interface to a single IP address, by adding the following line to the config file:

dhcp-host=XX:XX:XX:XX:XX:XX,minifox,10.0.0.2,6h

The "minifox" above is the host name (how I named my laptop, isn't it cute?), and "6h" is the lease time. Now every time my laptop requests an IP address, it will get that same IP. It's like a static IP, really.

After you have configured dnsmasq, you can start it by issuing /etc/rc.d/dnsmasq start as root. At this point, all systems on the LAN can connect to the gateway using DHCP. No traffic is routed yet, so you can't access the Internet, but it allows you to set up openssh, and remotely administer the system.

Setting up OpenSSH

OpenSSH was born in the OpenBSD camp. It's one of the fun things you can do with a network. Basically, it allows you to jump into a remote host over an encrypted line, and work there as if it were your own machine (almost).

To spice things up, I will set up OpenSSH for passwordless login using an RSA key pair.

Install OpenSSH by issuing the usual pacman -S openssh. Add the following to /etc/hosts.allow:

sshd sshd1 sshd2 : ALL : allow

This means allow SSH access to all ("ALL") hosts. Don't worry, it's quite secure as it is, if you have set up reasonably strong passwords (which you should, by the way) for all your local accounts.

Next, start the openssh daemon with /etc/rc.d/sshd start. Now, let's assume you want to administer the gateway from your laptop. Then install OpenSSH on your laptop as well. First we generate the RSA key:

ssh-keygen -t rsa

Enter your password for the key when asked to do so. Make it a nice long password. I have two ways of coming up with good ones. First, think of a random word which means something to you, but it's not in the dictionary. Or... You can think of a very long sentence with punctuation and all that.

If you didn't touch the defaults, you should have ended up with a file called id_rsa, and its pair id_rsa.pub. Those should be in ~/.ssh/. Now, we will copy the .pub file to our gateway:

scp ~/.ssh/id_rsa.pub remote_user@10.0.0.1:my_rsa.pub

Password:
.....

After the file is copied, we must log in to the gateway using the passwordful approach, and add the key to authorized keys.

ssh remote_user@10.0.0.1

When we are logged in, we need to copy the contents of my_rsa.pub to ~/.ssh/authorized_keys on the remote host. To do that, simply:

cat ~/my_rsa.pub >> ~/.ssh/authorized_keys
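The append above works, but with StrictModes (set below) sshd refuses keys whose ~/.ssh or authorized_keys are too permissive, and repeating the cat adds duplicate lines. As an added example (not from the original post), here is a small POSIX sh script that does the same install with the permissions sshd expects and checks them; the home directory and the key line are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: install a public key into a user's
# authorized_keys the way "StrictModes yes" expects (private ~/.ssh, private
# authorized_keys, no duplicate entries). Home directory and key line are assumptions.

# Constructed sample public-key line; this is not a real key.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexampleKeyMaterialOnly minifox'

# install_authorized_key <home_dir> <pubkey_line>
# Creates ~/.ssh (0700) and authorized_keys (0600) and appends the key only
# if it is not already present. Returns non-zero if the line is not a key.
install_authorized_key() {
    ssh_dir="$1/.ssh"
    auth_file="$ssh_dir/authorized_keys"
    pubkey=$2

    case $pubkey in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "refusing to install a line that is not a public key" >&2; return 1 ;;
    esac

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # -x -F: whole-line, fixed-string match, so re-running never adds a second copy.
    grep -qxF "$pubkey" "$auth_file" || printf '%s\n' "$pubkey" >> "$auth_file"
}

# check_strict_modes <home_dir>
# Mirrors the writability part of sshd's StrictModes check: the home
# directory, ~/.ssh and authorized_keys must not be group- or world-writable.
# (sshd also checks ownership; that is left out here.) Returns 1 on a problem.
check_strict_modes() {
    for path in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$path" ] || continue
        # -prune keeps find from descending; prints the path if g+w or o+w is set
        if [ -n "$(find "$path" -prune \( -perm -g+w -o -perm -o+w \) -print)" ]; then
            echo "StrictModes would reject $path: group/world writable" >&2
            return 1
        fi
    done
}
```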

Now let's set up the SSH daemon to use the keys.

Modify the file /etc/ssh/sshd_config:

# it's good to change the default port... doesn't do miracles, but it helps
Port 5000
# listen only on the LAN address, so sshd is not reachable from the modem side (eth1).
# Don't append a port here: an address:port ListenAddress would override Port above.
ListenAddress 10.0.0.1
# use only protocol 2 (there is protocol 1, too, but we don't need it)
Protocol 2
# We will allow no root login, allow a total of 6 tries before we reject,
# and we'll allow only one user with a funny name to log in
# (you have to create the user, of course)
LoginGraceTime 1m
PermitRootLogin no
StrictModes yes
MaxAuthTries 6
AllowUsers aterad
# Finally, we don't allow passwordful authentication
PasswordAuthentication no

Before you restart the OpenSSH daemon, make sure the AllowUsers user has your public key in ~/.ssh/authorized_keys, or you won't be able to log in. When you restart the daemon and try to log in to the gateway, you will be asked for the passphrase of your key. After you enter it, you will be logged in automatically. Now, we call this "passwordless" because it doesn't use the passwords on your gateway: the passphrase only unlocks your private key on the laptop, and the key then proves your identity over the encrypted connection. Much more secure, don't you think?
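Since a typo in sshd_config can lock you out, it helps to check the file before restarting. As an added example (not from the original post), this POSIX sh/awk function audits the directives set above and catches the case where a port on ListenAddress silently overrides the Port directive; the sample config is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# directives this post sets, plus the trap where a port on ListenAddress
# silently overrides the Port directive. File paths are assumptions.

# Constructed sample: the post's settings, but with a stray port on ListenAddress.
SAMPLE_SSHD_CONFIG='Port 5000
ListenAddress 10.0.0.1:2990
Protocol 2
PermitRootLogin no
PasswordAuthentication no
AllowUsers aterad'

# audit_sshd_config <file>
# Prints one finding per line and returns the number of findings (0 = clean).
# Keywords are matched case-insensitively, as sshd does; "Key value" form only.
audit_sshd_config() {
    awk '
        BEGIN { port = "22" }                      # sshd default when Port is absent
        /^[[:space:]]*(#|$)/ { next }              # skip comments and blank lines
        { key = tolower($1); val = $2 }
        key == "port"                   { port = val }
        key == "listenaddress"          { listen[++n] = val }
        key == "protocol"               { proto = val }
        key == "permitrootlogin"        { root = val }
        key == "passwordauthentication" { pw = val }
        END {
            f = 0
            if (proto ~ /1/) { print "Protocol still allows SSHv1"; f++ }
            # absent directives count as findings: only an explicit "no" is accepted
            if (root != "no") { print "PermitRootLogin is not set to no"; f++ }
            if (pw != "no")   { print "PasswordAuthentication is not set to no"; f++ }
            for (i = 1; i <= n; i++) {
                p = listen[i]
                # host:port or [ipv6]:port form: this port wins over the Port directive
                if (p ~ /^([^:]+|\[.*\]):[0-9]+$/) {
                    sub(/^.*:/, "", p)
                    if (p != port) { print "ListenAddress " listen[i] " overrides Port " port; f++ }
                }
            }
            exit f
        }' "$1"
}
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config` before `/etc/rc.d/sshd restart`; a non-zero return means something to fix first.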

This is about it. Next time, we'll deal with shorewall firewall, and a few other things.
