www.ekr-home.de

HOWTO: Setup a server using KNOPPIX

April 2005

This HOWTO explains a quick and easy way to take a KNOPPIX CD, a piece of PC hardware, and end up with a router/proxy/whatever (not needing the CD anymore).

This page is here mainly because this way I can cut'n'paste it when I need it somewhere, myself. :-) It doesn't contain any particularly new information.

What do you get?

A PC with KNOPPIX/Debian installed on the hard disk, and some services like Squid, Bind, etc.

What do you need to do?

Installing KNOPPIX to the hard disk

Installing some services

PPP over ISDN

Ethernet

The KNOPPIX ethernet wizard did not work for me: it tries to create a default route for the ethernet card and does some other things that did not seem compatible with the ISDN connection.

Therefore, I simply issue this command to bring up the ethernet interface (I put this in the boot.sh script, see below):

Bringing up eth0
ifconfig eth0 192.168.0.1 netmask 255.255.255.0 broadcast 192.168.0.255

I assume the usual small local network:

DNS server

Running "bind" on startup
ln -s /etc/init.d/bind9 /etc/rc5.d/S50bind9

TODO: describe how to configure bind. It is really optional anyway; its only purpose is to save you from entering a real DNS server on every client. You won't need it if you're only using the server to proxy HTTP requests, or if you use NAT to let the clients connect to external DNS servers directly.

HTTP proxy

Running "squid" on startup
ln -s /etc/init.d/squid /etc/rc5.d/S50squid

Squid listens on port 3128 by default, so you have to enter that port on your clients (together with the IP address 192.168.0.1).

Edit /etc/squid/squid.conf and add these two lines in the appropriate places:

Squid configuration
acl localnet src 192.168.0.0/255.255.255.0

http_access allow localnet

The first line goes behind all the other "acl" lines (note the "src" keyword: an acl line without an ACL type is a syntax error and squid won't start); the second line goes behind all the other "http_access allow" lines (and before the "http_access deny all").

Additional boot script

I have an additional script that is executed after boot; its main purpose is to play a sound when the machine is ready (no screen...).

/root/boot.sh
#!/bin/bash

beep -f 440 -l 100
beep -f 880 -l 100
beep -f 660 -l 100

Running boot.sh on startup
ln -s /root/boot.sh /etc/rc5.d/S99boot

You should probably not put this script in /root, but in /etc/init.d; I like to have all my little scripts in /root on machines which I visit only seldom, so I know at a glance where I have my own stuff.

The "beep" command is not available after initially installing KNOPPIX, but you can get it easily:

Getting "beep"
apt-get update
apt-get install beep

Sound notifications

If the box has no screen attached, you can use "beep" in strategic places...

/etc/ppp/ip-up.d/beep
#!/bin/bash

for f in 220 330 440 550 660 770 880 ; do
  beep -f $f -l 100
done

/etc/ppp/ip-down.d/beep
#!/bin/bash

for f in 880 770 660 550 440 330 220 ; do
  beep -f $f -l 100
done

Control screen for dummies

The machine I use has X disabled (rm /etc/rc5.d/S??kdm), and displays a "dialog"-based menu after startup, so non-Linux-savvy people can easily control the main functions of the server. This menu is a simple shell script which is run by init on tty1.

The technique is the same as shown in the KNOPPIX scripting HOWTO:

/etc/inittab
1:12345:respawn:/bin/bash -login -c /root/shell.sh >/dev/tty1 2>&1 </dev/tty1

This line replaces the existing line that starts with "1:".

To get a working shell.sh, take this shell.sh and edit it to your needs. Useful entries are "bring up ISDN", "bring down ISDN", "start NAT", "stop NAT", "halt" or whatever you can think of.

My machine has no screen attached to it, but I know which letters are in the "dialog" menu, so I can press that letter + Enter blindly.

TODO: add a real shell.sh

Big security risk: don't use it if you don't trust everyone with physical access to the machine; it's a local root login without password protection.

A HTTP based control screen

The script state_http.pl is a small HTTP server; it needs no Apache or other server software. It lets you bring connections up or down, and halt/reboot the machine.

/etc/inittab
5:12345:respawn:/usr/bin/perl /root/state_http.pl

Big security risk: don't use it.

TODO

Packet filtering, NAT

So far, no routing happens, that is, the other PCs on the local network can't connect to servers over the ISDN connection. They can use the Squid proxy for HTTP browsing though.

In any case, packet filtering makes sure that nobody from outside can connect to the Linux machine:

/root/packetfiltering.sh
TODO

Installing it
ln -s /root/packetfiltering.sh /etc/ppp/ip-up.d/packetfiltering
ln -s /root/packetfiltering.sh /etc/rc5.d/S20packetfiltering

(The link in /etc/ppp/ip-up.d must not contain a dot: run-parts, which pppd uses to execute that directory, skips file names with characters other than letters, digits, "-" and "_". The rc5.d directory is /etc/rc5.d, as for the other services above.)

If everything is done right, then ShieldsUp or other similar services should not find anything to worry about on the machine.
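As an added example (not the HOWTO's own packetfiltering.sh, which is still TODO above), here is a minimal script for the layout this page uses. It assumes the ISDN interface is ppp0, the LAN is eth0 on 192.168.0.0/24, and that Debian's /etc/ppp/ip-up exports PPP_IFACE to the ip-up.d scripts; called any other way it only prints the rules it would load, so they can be reviewed first.

```shell
#!/bin/bash
# Added example, not from the original HOWTO: a minimal /root/packetfiltering.sh
# for the layout described on this page (LAN 192.168.0.0/24 on eth0, ISDN link
# on ppp0). Default policy is DROP on the outside interface, replies to our own
# connections are allowed back in, and the LAN may use the box freely.
# Set NAT=yes to also masquerade the LAN behind the ISDN address.
WAN=${WAN:-${PPP_IFACE:-ppp0}}   # Debian's /etc/ppp/ip-up exports PPP_IFACE (assumption)
LAN=${LAN:-eth0}
LANNET=${LANNET:-192.168.0.0/24}
IPT=${IPT:-iptables}

# Print the rule set, one iptables argument list per line, so it can be
# reviewed before it is loaded. Drops on the outside are logged (rate-limited).
fw_rules() {
    cat <<EOF
-F INPUT
-F FORWARD
-t nat -F POSTROUTING
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN -s $LANNET -j ACCEPT
-A INPUT -i $WAN -m limit --limit 5/min -j LOG --log-prefix fw-drop:
-A INPUT -i $WAN -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LANNET -j ACCEPT
EOF
    [ "${NAT:-no}" = yes ] && echo "-t nat -A POSTROUTING -o $WAN -s $LANNET -j MASQUERADE"
    return 0
}

fw_rule_count() { fw_rules | wc -l | tr -d ' '; }

# Load the rules; IP forwarding is switched on only together with NAT.
apply_rules() {
    if [ "${NAT:-no}" = yes ]; then echo 1 > /proc/sys/net/ipv4/ip_forward
    else echo 0 > /proc/sys/net/ipv4/ip_forward; fi
    fw_rules | while read -r args; do
        $IPT $args   # word splitting of $args is intended
    done
}

# rc5.d calls the script with "start"; under ip-up.d PPP_IFACE names the link.
case "${1:-${PPP_IFACE:-}}" in
    start|ppp*) apply_rules ;;
    *) fw_rules ;;   # any other invocation: only print what would be loaded
esac
```

Run it by hand once and compare its output with what "iptables -L -n -v" shows after the link comes up; the fw-drop: lines in the kernel log are what an external port scan leaves behind.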

TODO

Hardening the server

If you're using this server in a high-risk situation (e.g., for a company, or with sensitive data on the local network), then you should "harden" it a bit more, even beyond the packet filtering. This is outside the scope of this document though.

Other machines on the local network

Clients using this server will enter 192.168.0.1 as their default gateway, DNS and HTTP proxy, that's it.