In this article, we will cover some of the useful applications you can run to make a router much more useful, and to create a real Intranet. These applications include dhcp, for automatic allocation of IP addresses; squid, to cache web pages; apache, to provide web content; ntp, to ensure the time is correct across the LAN; and others.
To install these applications on your router, follow the standard procedure for installation on your chosen distribution. There are packages available for all of these applications in all the major distributions.
Dhcpd is perhaps the most useful - it handles the allocation of IP addresses to all the client machines on the LAN. This means you don't have to fiddle about with each of them to ensure the settings are correct, and you can change the settings easily if you need to. It also reduces the chance of misconfigured machines or conflicting IP addresses. Following is an example /etc/dhcpd.conf, which allows you to specify a range of IPs to give to workstations, and also shows how to give static IPs to workstations if you desire.
server-identifier 192.168.1.1; # The router's IP
subnet 192.168.1.0 netmask 255.255.255.0 { # The network to serve
    range 192.168.1.30 192.168.1.250; # Dynamic pool; must lie inside the subnet above
    option domain-name-servers 192.168.1.1; # Name servers
    option domain-name "example.intra.net"; # Domain name
    option routers 192.168.1.1; # Default route
    option subnet-mask 255.255.255.0; # Subnet mask
    option broadcast-address 192.168.1.255; # Broadcast address
    default-lease-time 172800; # Lease length in seconds when the client asks for none (48 hours)
    max-lease-time 172800; # Longest lease a client may request
}
host foo { # Host you wish to give a static IP to
    hardware ethernet 00:80:c8:f9:6b:f3; # Its hardware (MAC) address
    fixed-address 192.168.1.20; # The IP you want it to have; keep it outside the dynamic pool and distinct from the router's own address
}
As you can see, you can specify most aspects of network configuration, which means less to do on the client side - all you need to do is tell it to use DHCP to get the network settings.
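Two mistakes that are easy to make in a dhcpd.conf like the one above are a range that spills outside its subnet (dhcpd refuses to start) and a static host given an address that the router or the dynamic pool already uses (an IP conflict). The following is an added example, not part of the original article: a small checker that parses the flat layout shown above (no nested pool or group blocks are assumed) and reports both problems on a constructed sample config.

```python
"""Added sanity check for a dhcpd.conf: dynamic ranges must lie inside their
subnet, and fixed addresses must not collide with the router or the pool."""
import ipaddress
import re

# Constructed sample (not a real config) with two common mistakes:
# a range that spills out of the /24, and a static host given the router's IP.
SAMPLE_CONF = """
server-identifier 192.168.1.1;
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.30 192.168.107.250;
    option routers 192.168.1.1;
}
host foo {
    hardware ethernet 00:80:c8:f9:6b:f3;
    fixed-address 192.168.1.1;
}
"""

def check_dhcpd_conf(text):
    """Return a list of human-readable problems found in the config text."""
    text = re.sub(r"#.*", "", text)          # drop comments before parsing
    problems = []
    m = re.search(r"server-identifier\s+([\d.]+)\s*;", text)
    router_ip = ipaddress.ip_address(m.group(1)) if m else None
    pools = []                                # (network, first, last) per range
    for sub in re.finditer(r"\bsubnet\s+([\d.]+)\s+netmask\s+([\d.]+)\s*\{([^}]*)\}", text):
        net = ipaddress.ip_network(f"{sub.group(1)}/{sub.group(2)}", strict=False)
        for rng in re.finditer(r"\brange\s+([\d.]+)\s+([\d.]+)\s*;", sub.group(3)):
            first, last = (ipaddress.ip_address(x) for x in rng.groups())
            if first not in net or last not in net:
                problems.append(f"range {first}-{last} is not inside subnet {net}")
            pools.append((net, first, last))
    for host in re.finditer(r"\bhost\s+(\S+)\s*\{([^}]*)\}", text):
        name, body = host.groups()
        fixed = re.search(r"fixed-address\s+([\d.]+)\s*;", body)
        if not fixed:
            continue
        addr = ipaddress.ip_address(fixed.group(1))
        if addr == router_ip:
            problems.append(f"host {name}: fixed-address {addr} is the router's own IP")
        for _net, first, last in pools:
            if first <= addr <= last:
                problems.append(f"host {name}: fixed-address {addr} is inside pool {first}-{last}")
    return problems

if __name__ == "__main__":
    for problem in check_dhcpd_conf(SAMPLE_CONF):
        print("dhcpd.conf:", problem)
```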
There are many options available for configuring Squid, but only a few are necessary for a simple, secure configuration. For more details, see my previous articles about Squid.
To set the port the clients use to access the proxy:
http_port 8080
To control how unqualified host names are handled, you can specify a domain that is appended to them:
append_domain .intra.net.au
Most ISPs already provide a proxy, so to increase performance it is a good idea to use it as a parent proxy. It is easy to set Squid up so it fetches local hosts directly but is forced through the parent proxy for remote hosts:
cache_peer proxy.isp.net.au parent 80 3130
acl local-intranet dstdomain .intra.net.au # the leading dot matches the subdomains too, not just the bare name
always_direct allow local-intranet
never_direct deny local-intranet
never_direct allow all
It is also important to restrict access to the proxy to your local intranet only - otherwise anyone on the Internet can use your proxy, which costs you performance and the bandwidth that's available to you.
acl intranet src 192.168.1.0/255.255.255.0
http_access allow intranet
http_access deny all # explicit final deny, so no other source falls through
Another useful program that goes hand in hand with squid is Junkbuster. With it, you can control what information your browser gives to web servers, which is useful for limiting what outsiders can learn about your machines. This reduces the possibility of denial of service attacks, especially if the machines on your network are running reasonably vulnerable operating systems.
Junkbuster can also - as the name suggests - bust junk. This means you can specify URLs that you don't wish to see, and they are replaced by other images. As you can imagine, this is incredibly useful for removing unwanted things such as ads. Subjectively, this decreases the bandwidth used and increases browsing speed.
The default configuration of Junkbuster is fairly good - you only need to make a few minor tweaks to have it functioning correctly. In /etc/junkbuster/config:
blockfile /etc/junkbuster/blockfile # URL patterns to block
cookiefile /etc/junkbuster/cookiefile # per-site cookie policy
forwardfile /etc/junkbuster/forwardfile # where to forward requests, e.g. on to squid
aclfile /etc/junkbuster/acl # which clients may use the proxy
listen-address 192.168.1.1:8000 # bind to the LAN address only; a bare :8000 would listen on every interface, including the Internet-facing one
One possibly overlooked security issue is accurate time. Correct, consistent clocks matter because they let you correlate security events across hosts, or indeed across countries, by comparing timestamps. NTP - the Network Time Protocol - is used to sync time to a known good source, usually one connected to an atomic clock or some similarly accurate source.
To /etc/ntp.conf, add a line similar to the following, for each ntp server you wish to use:
server host.name.net
There are still plenty of applications left for you to configure, such as sshd, for secure remote access, or samba, for sharing files around on your intranet, but this article has covered a few of the basics.