
Re: network installation/configuration



Fortenberry, Michael wrote:
Now that I have RedHat 9 installed and running I am trying to understand how
to configure my network. I have asked a couple of questions and received
suggestions and tried those. Maybe the picture will be a little clearer if I
give an overview of what I think I am trying to set up.

I have 2 XP boxes and 1 Linux box connected to the world via a LinkSys
router/gateway. I want the XP boxes to continue the ability to browse the
internet. I want the Linux box to be able to browse also (as it currently
does) but I want to set it up as a web site server so I can host some
software providing a service. I would like to develop from the Windows box
using Exceed or a similar XServer where my tools are xterms, emacs, vim or
vi, make and various applications such as perl, scripting, php, sql, etc.

My understanding is that an Xserver requires many ports to be open and thus
to be unsafe. One question is, can't I have that port access only open to
one of the XP boxes and not to the world? I downloaded putty for Windows and
it is the only thing I have tried that actually allows me to connect to the
Linux box but I can't seem to configure it to allow the 'ssh -X' option
which would make X applications available. I can only do non-X terminal type
work. Is there a putty or similar app that allows the -X option or am I
configuring it incorrectly?

Well, not that many ports. If you're doing X tunneling under ssh then you don't need any ports other than ssh (TCP/22).

As far as your firewall situation, the important thing is that you want
to block incoming connections from the WAN side of your router (except
for those you truly need, and then you route those ports to the specific
LAN-side machines).  For example, my firewall at home blocks all
incoming connections except ssh (TCP/22), DNS (TCP/UDP/53) and NTP
(UDP/TCP/123), and those three are aimed at my Linux box.  On the LAN
side of things, it's pretty open.  I do have iptables running on the
Linux box and it blocks certain things, but not a lot (primarily things
my nephew doesn't need access to).

I downloaded and installed firestarter and have played at length with its
setup and configuration but it doesn't seem to be complete or I don't
understand something. When in 'hits' mode I can't even see the hits that
must be occurring when I am connected via putty and ssh. I tried opening many
ports and even turning off the firewall (maybe just the software one that
firestarter provides and not the real one which may be still there?) but I
see no improvement. I have seen some hits that appear to come by themselves
and not directly from my attempts but using 'open port from context on that
hit' or 'open port only for this host' from the same context doesn't seem to
change what is happening.

Next big question. I set up ssh from one XP box to Linux while perusing
Rick's link to 'how to setup ssh' and while that allows for Linux to Linux
work it doesn't discuss XP to Linux.

You mean Exceed can't access the Linux box? Try this: Run Exceed on the Windows system and try using putty or something to access the Linux machine. Once you're logged into Linux, try "echo $DISPLAY" and verify that you have something that reads "hostname:10.0". For example, here's me logging into my machine at home from the office (prophead is at the office, xyclone is at home):

	[root@prophead xxx]# echo $DISPLAY
	:0.0
	[root@prophead xxx]# ssh xyclone
	root@xyclone's password:
	Last login: Tue Sep  2 15:33:04 2003 from prophead.corp.publichost.com
	[root@xyclone root]# echo $DISPLAY
	localhost:10.0
	[root@xyclone root]#

The local (prophead) machine shows a DISPLAY of ":0.0", which is as it
should be.  The remote (xyclone) machine shows "localhost:10.0",
indicating an ssh tunnel with an offset of 10.  If I run "xclock" at the
"[root@xyclone root]#" prompt, the display appears on prophead's screen.

That's for ssh tunneling.  If you're not X tunneling, you need to enable
rlogin or telnet (rlogin is preferable), which means that the Linux box
must be listening on TCP/513 (edit /etc/xinetd.d/rlogin and change the
"disable = yes" line, then restart xinetd).  Then use Exceed's rlogin
utility to access the Linux box and start your applications from there.
The display should show up on your Windows machine.  If not, check the
/var/log/messages file on the Linux machine to see what's going on.  You
may need to "xhost +" on the Linux system to disable the X security.

Second part of that is... given my
Linux box now has a static ip at 192.168.1.122 (thanks to Rick's suggestion)
how do I come in from the outside world when I don't know what real ip
address the router has assigned? I guess the obvious answer is to purchase a
static ip address and have that go directly through the router/gateway?

You need to look at the router's WAN-side IP address to get it. However, you can get it also by accessing:

http://www.rhil.net/whatip.php

That URL will display the IP that your http request came from.  So you
can use lynx or something to hit that URL and get the IP address at any
time.

Final for now question is, my understanding is my internet access cable
provider won't want me to host a web site unless I somehow pay for it or get
someone to host it. My problem is the software I am writing and want to host
depends on gigabytes of image data. Providers charge by space allocation
afaik and 6 g is only the current size. That is why I want to host my own
machine where I can simply use as many HDs as I need. Am I barking up a tree
that makes no sense? What is the correct/desired solution?

That's absolutely correct. ISPs want you to pay for a "business class" account to host a website. There are sound reasons for it (they must increase your upload speed, change the polling rates for the cable segment you're on, etc., etc.). The benefit is that you will get a fixed IP address to boot. With a home account, the IP may change on the fly, you may cause problems on your cable segment, and generally not be too cool. Check with your ISP to see how much it costs for a business class upgrade.

You can host with other people, either a shared account, colocation or
dedicated server.

<shameless plug>
We offer those sorts of things, along with streaming and a bunch of
other goodies.  Hit http://www.vitalstream.com and look at the various
plans we offer.  There are other companies doing similar things, but we
do it better!  ;-)
</shameless plug>
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens vitalstream com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-        Artificial Intelligence usually beats real stupidity.       -
----------------------------------------------------------------------
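As an added example (not part of the original thread), here is a small POSIX sh script that applies the "echo $DISPLAY" diagnosis from the reply above: it classifies a DISPLAY value as a local display, an ssh-tunnelled one (localhost with the default offset of 10 or higher), or a plain X-over-TCP connection to another host, and it checks an `xhost` status line for the "access control disabled" state that "xhost +" produces. The function names and the sample strings are assumptions of this example.

```sh
#!/bin/sh
# Example script, not from the original thread. Classifies a DISPLAY value
# the way the reply above reads it and flags an "xhost +" state.

# classify_display DISPLAY
# Prints: local | ssh-forwarded | remote-tcp | invalid
classify_display() {
    d="$1"
    case "$d" in
        *:*) ;;                      # must contain "host:display[.screen]"
        *) echo "invalid"; return 1 ;;
    esac
    host="${d%%:*}"                  # text before the first colon ('' for :0.0)
    rest="${d#*:}"                   # e.g. "10.0" or "0.0"
    num="${rest%%.*}"                # display number without the screen suffix
    case "$num" in
        ''|*[!0-9]*) echo "invalid"; return 1 ;;
    esac
    if [ -z "$host" ] || [ "$host" = "unix" ]; then
        echo "local"                 # Unix-socket display such as :0.0
    elif [ "$host" = "localhost" ] && [ "$num" -ge 10 ]; then
        echo "ssh-forwarded"         # sshd's forwarded display (offset 10+)
    elif [ "$host" = "localhost" ]; then
        echo "local"                 # TCP loopback to the local server
    else
        echo "remote-tcp"            # unencrypted X to another host (rlogin/xhost path)
    fi
}

# xhost_open LINE
# Returns 0 when LINE (the first line of `xhost` output) says access control
# is disabled, i.e. "xhost +" has been run and any host may connect.
xhost_open() {
    case "$1" in
        "access control disabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample inputs for a stand-alone run.
for sample in ":0.0" "localhost:10.0" "winbox:0"; do
    printf '%s -> %s\n' "$sample" "$(classify_display "$sample")"
done
if xhost_open "access control disabled, clients can connect from any host"; then
    echo "warning: X access control is off (xhost +)"
fi
```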



