++jaeger moved out this weekend. That doesn't rank high on the fun-o-meter because he's a good roommate. On the other hand, it's good for him and I don't suppose we can live together forever. In any case, congrats to him on the new digs and good luck!
As a result of him moving out the geekhouse was temporarily without a gateway box. I have spent some time rebuilding my collection of machines and have emerged with a replacement. Deathstar lives.
Configuring the new gateway has been a lot of fun. It gives me a chance to do all sorts of things that I should be doing in my job but don't because my time is consumed by bullshit. Ah well.
Deathstar is configured as follows:
CRUX Linux 1.2, standard 2.4.21 kernel.
eth0 (my venerable Intel eepro100) is the inside interface.
eth0 has two IP addresses, .1 and .2. The .1 address is the one dhcpd advertises as the gateway. The .2 address is reachable only from 127.0.0.1 and is a kludge to work around a port conflict between dnscache and tinydns.
eth1 (a craptacular RTL8139 board) is the outside interface.
Currently eth1 is unused. When we return to the world of broadband (2 days, woot!) it will be connected to a DSL modem. At that point I will configure Roaring Penguin's PPPoE client to talk to the modem.
dhcpd is configured to provide static and dynamic addresses, routing information, and dns configuration (points to dnscache) internally.
dnscache and tinydns (typical djb software) provide caching for external names and hosting for internal names, respectively. Internal names look like hostname.intranet.
squid is installed for local web caching. All traffic from internal machines to port 80 (TCP) anywhere is transparently redirected to it.
iptables is configured to allow only ssh from the outside and silently drop everything else. From the inside, DNS (TCP and UDP) and ssh are allowed. localhost is allowed full access (looking into the risks inherent in this, if any). As previously mentioned, only localhost may talk to the .2 address (tinydns).
We are using standard Linux masquerading (NAT) to connect our private address space to our one ISP-provided IP.
Right now we are using ++jaeger's old USR 56k modem and pppd to dial in to TU.
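For anyone curious what the policy above looks like as rules, here is an added example (not Deathstar's actual config, which I haven't posted yet) of an iptables script expressing it: default-deny, ssh only from outside, DNS and ssh from inside to the .1 address only, the .2 tinydns address reachable from localhost alone, port 80 from the LAN redirected to squid, and the private range masqueraded out the external interface. The interface names, the 192.168.1.0/24 range, the .1/.2 addresses and squid's port 3128 are assumptions; by default the script only prints the commands (dry run), and setting IPT=iptables applies them.

```shell
#!/bin/sh
# Added example ruleset for the gateway policy described in the post.
# Assumed values: eth0/eth1, 192.168.1.0/24, .1 = gateway, .2 = tinydns, squid on 3128.
# IPT defaults to a dry run that echoes the commands; IPT=iptables ./gateway.sh applies them.
IPT="${IPT:-echo iptables}"

INSIDE=eth0
OUTSIDE=eth1          # becomes ppp0 once pppd/PPPoE is the uplink
LAN=192.168.1.0/24
GW=192.168.1.1        # address dhcpd hands out as the default route
TINYDNS=192.168.1.2   # localhost-only kludge address for tinydns
SQUID_PORT=3128

gateway_rules() {
    # Default-deny for traffic to the box and traffic through it; the box itself may talk out.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # localhost gets full access, which is also what lets dnscache reach tinydns on .2.
    $IPT -A INPUT -i lo -j ACCEPT

    # Replies to connections the box or the LAN already opened.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Outside: ssh only. Everything else hits the DROP policy, so it is dropped silently (no REJECT).
    $IPT -A INPUT -i $OUTSIDE -p tcp --dport 22 -j ACCEPT

    # Inside: DNS (udp+tcp) and ssh, and only to the .1 address.
    # Nothing matches .2 from the LAN, so those packets fall through to DROP.
    $IPT -A INPUT -i $INSIDE -d $GW -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i $INSIDE -d $GW -p tcp --dport 53 -j ACCEPT
    $IPT -A INPUT -i $INSIDE -d $GW -p tcp --dport 22 -j ACCEPT

    # Transparent proxy: LAN port 80 is rewritten to squid's port, then accepted locally.
    $IPT -t nat -A PREROUTING -i $INSIDE -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
    $IPT -A INPUT -i $INSIDE -p tcp --dport $SQUID_PORT -j ACCEPT

    # Masquerade the private range behind the single ISP-provided address.
    $IPT -A FORWARD -i $INSIDE -o $OUTSIDE -s $LAN -j ACCEPT
    $IPT -t nat -A POSTROUTING -o $OUTSIDE -s $LAN -j MASQUERADE
}

gateway_rules
```

Order matters: the lo and ESTABLISHED rules come first so the drop policy never eats replies, and the REDIRECT in PREROUTING needs the matching INPUT rule for the squid port or the redirected connections are dropped on arrival. Note that FORWARD from the LAN is open; only traffic aimed at the gateway itself is restricted to DNS and ssh, as in the post.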
I am in the process of trying to understand the Linux Advanced Routing how-to in the hopes of configuring some traffic shaping. The kernel can do some remarkably advanced routing tricks.
At some point I will make all of the configuration files, etc available if anyone is curious. So far it has been a fairly reliable setup.
At some point I would like to install samba and use it to share my printer. Unfortunately it's a windows GDI printer but I believe someone has written linux drivers for it. Sharing it will be another matter. I may also install a mail server of some kind, although it's a bit gratuitous. Eventually I will install apache to provide statistics (probably with RRDB or Cricket) and local copies of frequently used docs, etc.
</geek>