TALIN on TCP/IP

Monday, December 12, 2005

SUBJECT: Static IP Addresses

 

 

Talin (Talin@ACM.org) Talin's third law:

http://www.sylvantech.com/~talin "Politeness doesn't scale."

Jerry,

I want to clear up some points about static IP addresses. I have a fairly sophisticated setup here, which may be more than you want, but on the other hand you have more computers than I do so perhaps it's worth considering.

First of all, you need a static address if you are going to run any kind of server that is accessible to the outside world. (If the address is dynamic, then people from the outside won't know which address to send packets to.) If you don't plan on having people send packets to you, then you don't need a fixed address.

Note that you don't have to have as many static addresses as you have machines. You only have to have a static address for each machine that can directly talk to the outside world. In my case, that's only one machine, Janus, because I use the Linux IP Masquerading feature to multiplex many machines onto a single IP address. You can get NT to do something similar by using a proxy server, but I'm not too familiar with that.

I wanted my machine to be relatively crack-proof, so I decided to go with a full-blown firewall setup. Janus is my firewall machine, so-called because it has two "faces", or rather two ethernet cards which are connected to separate LANs. The first LAN is very simple, just a cable which runs from janus to the ADSL router. The second ethernet card is hooked to an 8-port hub, which is then connected to all of the other machines. So in order for packets to go from the outside world to my home network, they have to go through Janus.

Each of the machines in the house has an address in the range 192.168.0.XXX. This is a special IP address range which is used for "local networks". No internet router will route packets which come from an address in this range. This is a good thing.

I got a block of 8 static addresses from my ADSL provider, also known as a "subnet". Most places charge an extra $10 a month for this, but I managed to haggle them into giving it to me for free, since I wasn't going to use any of their other services.

Here's how my subnet looks. Note that in any subnet, the first and last address is never usable, so I really only have 6 addresses. Add in the fact that one is already used by the router, and I only have 5.

48: Internet address (required for network, not usable by servers)

49: The ADSL router.

50: Janus ethernet card #1

51: Janus ethernet card #2

52: Eyrie, Joe's web server

53: Unused

54: Unused

55: Broadcast address (required for network, not usable by servers)

In addition to being a firewall, Janus is also a web and email server; I figured that it would be no less secure to put the web server on the machine as to have it on a machine on the inside; packets have to come through one way or another.

Janus uses something called "IP chains" to do both IP Masquerading and Firewalling. Masquerading is very simple: It means that any packet which is sent out through the firewall is modified so that the packet "appears" to be coming from the firewall itself, rather than one of the machines behind it. It essentially does this by changing the IP address from the address of the original machine to be the address of the firewall. Remember those "special" addresses which can't be transmitted over the Internet? Well, once they've been transformed, they can now be routed normally.

Any replies to that packet are automatically routed back to the correct machine, translating the IP address back to the original value.

The advantage of this is that I can have up to 254 machines in my house, using only a single static IP address. Each of the machines in the house is set to use janus as a gateway, so any packets to the outside world get sent there first.

All of this works using a "rules file" on janus. Each packet that comes into janus is checked against the rules to see what to do with it. In some cases, the packets are forwarded through with no change. In some cases, packets are translated (masqueraded). In other cases, packets are simply discarded. So the firewall and the masquerade stuff are really two different functions of the same module.

Unfortunately, setting up a rules file is not something that a non-specialist can do. I know that it's certainly beyond my skill. What I did was hire a friend of mine who's knowledgeable in the ways of network security to set up and configure janus for me. Of course, now that the file has been created, I can see how it works and can modify it.

Janus also functions as the household DNS, as well as the DNS for my sylvantech.com domain. DNS is another thing that's quite tricky to set up right.

I also have the "Secure Shell Daemon" running, which allows me to open an encrypted link to the server and run a terminal shell. This has been very handy at work; when I want to test to see what our company server "looks like" from the outside world, or when I realize I need a file which I left at home, I just open up a shell to my home machine. I plan to use this when I go travelling this spring, so that I can continue to update my web page from my laptop.

Now, I don't know what kind of firewall services your ISP is providing. As far as I can tell, my ISP doesn't provide any, and what I've got is a bare wire hooked directly to the internet.

I would STRONGLY recommend that you be very concerned about security. There's probably a million yahoos[1] out there who would love to crash "The Great Jerry Pournelle's" network. Because you are well-known, you are also a target. If your ISP isn't providing a firewall, then I would suggest for now that you connect only a single sacrificial machine to the ADSL router, and not have that machine hooked to the rest of the network. Later, when you get a real firewall you can hook up the rest of your house. Remember, it's not that hard to hack into a Windows shared network drive. I would really, really hate to see some idiot erase your hard drive or worse.

If you're willing to spend some dough, there's a number of companies that make cute little firewall boxes, preconfigured and ready to run. Maybe you can get one for review.

Otherwise, get a guru friend like mine to set up Linette as a firewall. You'll still be able to use it as a normal Linux box.

Note that the "ipchains" feature is only present in Linux 2.1 and later. Unfortunately, the RedHat version you have has Linux 2.0, which doesn't have that feature. Instead, it has an earlier, more primitive firewall scheme that is even harder to set up and use. Avoid it. So tell your guru friend to install the very latest kernel and utilities. You can start with RedHat 5.2 as a base, and then upgrade the appropriate components. Or you can wait until the next version of RedHat comes out, which should have everything.

[1] "Yahoos" in the sense of Gulliver's Travels, not internet directories.

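To make the subnet arithmetic and the masquerading mechanics in Talin's letter concrete, here is an added Python model; it is not part of the letter and is not the ipchains rules file his friend wrote for janus. It assumes a constructed provider prefix of 203.0.113.48/29 (the letter gives only the last octets .48 to .55), a constructed LAN host 192.168.0.10 and Internet host 198.51.100.7, and a deliberately simplified rule set standing in for the real one: deny by default, let replies to masqueraded connections back in, accept janus's own web, mail and ssh ports, and drop anything arriving on the outside card with a private source address, since nothing legitimate on the Internet can carry one.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed addresses: the letter gives only the last octets (.48-.55) of
# the provider's block, so the prefix used here is a documentation range.
PROVIDER_BLOCK = ipaddress.ip_network("203.0.113.48/29")   # the "subnet" of 8
ROUTER = PROVIDER_BLOCK[1]                                  # .49, the ADSL router
JANUS_OUTSIDE = PROVIDER_BLOCK[2]                           # .50, card #1 facing the router
LAN = ipaddress.ip_network("192.168.0.0/24")                # the 192.168.0.XXX machines

# The "special" ranges that no Internet router will forward (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def subnet_layout(block=PROVIDER_BLOCK):
    """First address is the network address, last is broadcast; neither can
    be given to a server, which is why a block of 8 yields only 6 hosts."""
    return {
        "network": block.network_address,
        "broadcast": block.broadcast_address,
        "hosts": list(block.hosts()),   # .hosts() already skips first and last
    }


def usable_server_addresses(block=PROVIDER_BLOCK, taken=(ROUTER,)):
    """Host addresses not already claimed (the router takes one, leaving 5)."""
    return [a for a in block.hosts() if a not in taken]


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


class Firewall:
    """Toy stand-in for the ipchains rules file plus masquerade table on janus.
    The rules are an assumed simplification for this example, not Talin's."""
    MASQ_PORT_BASE = 61000   # high-port pool handed out to rewritten sources

    def __init__(self, public_ip, lan, open_ports=(80, 25, 22)):
        self.public_ip = public_ip
        self.lan = lan
        self.open_ports = open_ports   # web, mail, ssh served by janus itself
        self.masq = {}                 # rewritten sport -> (original src, sport)
        self.next_port = self.MASQ_PORT_BASE

    def from_inside(self, pkt):
        """Packet arriving on the inside card. Returns the packet to send on,
        possibly rewritten, or None when the rules discard it."""
        if pkt.src not in self.lan:
            return None                # DENY: inside card should see LAN sources only
        if pkt.dst in self.lan:
            return pkt                 # ACCEPT unchanged: LAN-to-LAN traffic
        # MASQ: swap the private source for janus's address and a pool port
        port = self.next_port
        self.next_port += 1
        self.masq[port] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=port)

    def from_outside(self, pkt):
        """Packet arriving on the outside card, i.e. from the Internet."""
        if any(pkt.src in net for net in RFC1918):
            return None                # DENY: a private source on the outside wire is forged
        if pkt.dst == self.public_ip and pkt.dport in self.masq:
            orig_src, orig_sport = self.masq[pkt.dport]
            return replace(pkt, dst=orig_src, dport=orig_sport)   # reply, un-masqueraded
        if pkt.dst == self.public_ip and pkt.dport in self.open_ports:
            return pkt                 # ACCEPT: janus's own services
        return None                    # DENY by default: anything unrequested is dropped


if __name__ == "__main__":
    fw = Firewall(JANUS_OUTSIDE, LAN)
    inside = ipaddress.ip_address("192.168.0.10")   # constructed LAN machine
    remote = ipaddress.ip_address("198.51.100.7")   # constructed Internet host
    out = fw.from_inside(Packet(inside, 1025, remote, 80))
    print("outbound rewritten to", out.src, out.sport)
    back = fw.from_outside(Packet(remote, 80, JANUS_OUTSIDE, out.sport))
    print("reply delivered to", back.dst, back.dport)
    # An unrequested probe at the Windows file-sharing port never reaches the LAN
    print("unsolicited probe:", fw.from_outside(Packet(remote, 4000, JANUS_OUTSIDE, 139)))
    print("usable server addresses:", [str(a) for a in usable_server_addresses()])
```

The masquerade table is what makes "replies are automatically routed back to the correct machine" work: the rewritten source port is the key that maps a reply to the LAN host that started the conversation, and a packet whose port is not in that table is judged by the static rules alone, which is why the deny-by-default branch is the one that keeps the inside machines out of reach.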

Thanks. I'll put this up for general edification. I'm making my plans on how to implement this now.
