Installing Debian Linux 3.0 (Woody)
The Woody (3.0) version comes on 7 CDs because it includes not only the operating system but over 8,700 packages containing software for applications, utilities, and OS enhancements. Debian CD images are available for download from www.debian.org or you can purchase a CD set from Web vendors for around $20.
Debian allows you to select from several different "flavors" of installs (compact, vanilla, etc.). We'll be using the vanilla flavor in this procedure because it offers the widest variety of driver support.
Many distros install the "full boat" by default and this isn't necessarily a good thing. If you want to learn Linux, the install routine does too much for you. And it sets up a system that's downright insecure if you want to use it as an Internet server. (They set it up this way because it means fewer tech support contacts for them.) The procedure below does a very basic OS install. This keeps things simple, results in a more secure configuration, and allows you to learn more. Another advantage is that it doesn't clutter up memory with unnecessary processes.
The main knock against Debian over the years has been its installation routine. They're working on making it better but it still has a ways to go before it compares with the install routines of the commercial distros.
The most important piece of advice I can give you is to only install the latest stable release of Debian. The second most important piece of advice I can give you is to know your video card chipset before you start the install. You will need to know it to select the appropriate XFree86 video "server". A list of appropriate XFree86 servers for most supported video cards can be found at:
While it is possible to set up Debian on a second partition of an existing system and set up a dual-boot configuration, I wouldn't recommend it if this is your first time installing Linux. In order to set up a dual-boot you'll need to over-write the MBR (Master Boot Record) of your hard-drive, and if you mess that up you could lose access to your entire system.
Given that Linux has such modest hardware requirements, you should be able to pick up a used Pentium II clone (non-name-brand) desktop system on places like eBay for around $100. Cheap insurance and a good investment in your education. If you've only got one system and money is tight, another alternative would be to get another hard-drive and install it in your current system (in addition to your current hard-drive). The key is to only have one hard-drive connected at a time. You'd have to do some cable swapping (the power and IDE ribbon cable) between hard-drives when you want to switch back and forth between your regular system and Linux. (Note that with this type of configuration both hard-drives would be jumpered as master.) But since you'd only need a two to four gigabyte hard-drive for Linux, this would be a very low-cost option. Being that it's getting hard to find a new hard-drive for anything less than 20 gigabytes, you should be able to find a used 2 to 4 gigabyte hard-drive for $10 to $20. If you do plan to run the GUI you'll want at least 64 meg of RAM. Crucial has good prices on RAM, and their system selector tool makes it easy to find out exactly what type of memory you need to order.
The options we select in this procedure are more appropriate for a server system (external Internet server or internal file server). If you're more interested in simply having a GUI Linux stand-alone PC or network workstation, check out our Desktop Linux page. It features Corel Linux, which is based on Debian and is GUI all the way.
One thing you may want to check before you get started is in the BIOS setup of your system. Some systems have a "PnP OS" option in the BIOS. Make sure this is set to No before you get started.
Installing the OS
The following procedure was developed installing the Debian "woody" (3.0r0) release on a Pentium II-233 clone with 128 meg of RAM, a 4-gig IDE hard-drive, and an IDE CD-ROM drive connected as the master on the secondary IDE channel. If you are installing Debian (or any Linux distro for that matter) on a name-brand system, which are inherently proprietary, you may run into some problems. In these cases it's best to check the support pages on the hardware vendor's Web site. Using the following routine on hardware with different configurations may also result in different prompts or windows appearing. It's important to READ the information presented on the various screens during the installation.
Don't worry about screwing things up. If you do, just hit the reset button on the PC and start over. Even if you don't screw something up, you can just boot off the CD to redo the install just to get more practice at it. I've gone through this install routine at least 80 times trying different options and, because you accept the default selections most of the time, you can literally whip through it in about 15 minutes once you're familiar with it.
If you're using an older Pentium system with an older BIOS that doesn't allow for booting off of CDs, you'll have to use a Windows system to create two boot floppies. (They even have boot disk images for the old 1.2-meg 5.25-inch floppy drives if that's what's set up as the A: drive on your soon-to-be Debian system.) To create the boot floppies on a Windows system get two formatted diskettes and:
1. Put the Debian CD #1 in the Windows system CD drive and a blank formatted floppy in the floppy drive.
2. Open a DOS window and switch to the CD drive. On most systems this will be the D: drive so type in the letter D followed by a colon and press Enter.
3. Go to the directory containing the disk creation program by typing in the following at the DOS prompt:
cd \dists\woody\main\disks-i386\3.0.23-2002-05-21\dosutils
(The version-specific directory in the path, 3.0.23-2002-05-21, may be different on your system. Use Windows Explorer to go down the directory tree on your CD to verify the above path.)
4. If your A: drive is a 1.44-meg 3.5-inch floppy, enter the following two commands to create the two floppies:
rawrite2 -f ..\images-1.44\rescue.bin -d a
(insert the second floppy)
rawrite2 -f ..\images-1.44\root.bin -d a
5. Label the two disks "Boot Disk #1" and "Boot Disk #2" in the order they were created. If your A: drive is a 1.2-meg 5.25-inch floppy drive, replace images-1.44 in the above commands with images-1.20.
Now that you've got everything you need you can go to the system you'll be installing Debian on and begin the installation procedure.
1. Insert CD #1 into the CD-ROM drive and boot the system off of it. In the case of a non-bootable CD-ROM drive you still want to insert CD #1 in the drive but also insert the floppy Boot Disk #1 in the A: drive and boot the system. (You'll be prompted for the floppy Boot Disk #2 during the boot process.)
The Welcome screen appears with a boot: prompt at the bottom. At this prompt, type in:
vanilla
and hit Enter. (If you're booting off a floppy you'll want to enter "linux vanilla" - without the quotes.) You'll see a lot of dependency errors as the kernel loads but you can disregard these. The Release Notes screen is displayed with Continue highlighted so hit Enter and the Installation Menu will appear.
The Installation Menu has two parts: the upper area has a Next: and an Alternate: (and possibly an Alternate1:) selection; the lower part lists the steps that you will progress through using the Next: selection.
2. If your hard-disk has existing partitions blow them away now (this includes any existing Linux partitions if you're redoing an install):
o Arrow down to Alternate1: Partition a Hard Disk and press Enter to run the cfdisk partitioning utility. If you're installing Debian onto the first hard-drive, highlight /dev/hda (for IDE drives) or /dev/sda (for SCSI drives). If you only have one hard-drive it will already be highlighted. Pressing Enter will display a screen about Lilo limitations. If you have an older system (which will have an older BIOS) you should read this.
o Pressing Enter with Continue highlighted will start cfdisk and the existing partitions will be displayed. (The up and down arrow keys highlight partitions in the upper part of the cfdisk display. The left and right arrow keys highlight the available menu selections in the lower part of the display.) Use the arrow keys to highlight each partition and select Delete. After all partitions have been deleted, be sure to select the Write selection to update the partition table or nothing will change.
o After writing the updates to the drive's partition table you'll be back at cfdisk's main screen. Highlight the Quit selection and press Enter to return to the installation menu.
o When you use cfdisk to remove existing partitions you "jump ahead" in the installation steps so you'll have to take a step back at this point. Back at the installation menu, arrow down to Configure the Keyboard and press Enter. This will put you back at the correct place in the installation routine so go to the next step in this procedure.
3. With the Next: Configure the Keyboard highlighted, press Enter and U.S. English (QWERTY) will be highlighted. Just press Enter if this is your desired selection and you'll be returned to the installation menu with the Next: step highlighted.
4. This next step partitions the hard-drive. With the Next: Partition a Hard Disk selected press Enter.
o The first screen displays the list of connected hard-drive(s). Usually there's only one drive and it's already highlighted. If you have more than one drive, select /dev/hda (the first IDE drive) or /dev/sda (the first SCSI drive) and press Enter.
o The Lilo warning about 8-gig or larger drives on older systems with an older BIOS is displayed with Continue highlighted so just hit Enter to start cfdisk.
Note: The top part of the cfdisk display lists the partitions and free space and you use the up and down arrow keys to select those. The lower part of the display are the available menu options and you use the left and right arrow keys to select those.
o You should have a single line that says Pri/Log Free Space with the total free space on the disk displayed on the right. Right arrow over to the New selection and press Enter.
Note: You need to create a root partition and a swap partition (for virtual memory). You typically want a swap partition with a size that is double the amount of RAM in your system. For example, if you have 64 meg of RAM, you'll want a swap partition that's 128 meg in size. Be sure to set a root partition size which leaves enough free space for the desired-size swap partition.
Note also: If you have a large disk, you may want to leave a gig or two free for partitioning as other file types. As you will see, cfdisk can create a huge variety of partitions and you may want to try creating a FAT16 (DOS), Win95 (FAT32), or NTFS partition later to experiment with exchanging files with other platforms. For example, with a 4-gig disk I'll size the primary (Linux) partition to 3 gig. With a 256 meg swap partition, this leaves a little less than 1 gig free for later experimentation.
o With Primary highlighted press Enter but don't accept the default partition size value. This default is the entire disk and you won't have any room left for a swap partition. Enter a size in megabytes using the considerations mentioned above (3000 MB in my example).
o Once you've entered a value and press Enter you'll be given options as to where to locate the primary partition. Accept the default Beginning option and press Enter and the new partition will be displayed.
o Press the down arrow key to highlight the free space and use the right arrow key to highlight the New selection and press Enter and again accept the Primary selection by pressing Enter.
o The default partition size value is whatever disk space remains. Enter the desired size of your swap partition (I used 256 due to my system having 128 meg of RAM) and press Enter. You will again be presented with the location selection and you can just accept Beginning and press Enter.
o With this new partition highlighted, arrow over to the menu selection Type and press Enter which will display some of the different partition types cfdisk supports. Note at the bottom of the screen is a prompt that says Press a key to continue and when you do even more partition types will be displayed.
At the bottom of this second screen of partition types you'll see the Enter file system type: prompt with the value defaulted to 82. This is the Linux Swap type, which is what we want, so just hit Enter.
o You should now have listed the root partition, the swap partition, and any free space remaining. Be sure to arrow over to the Write menu selection and press Enter so that all your changes get written to the disk's partition table.
o Once the partition table is updated arrow over to the Quit selection and press Enter to exit out of cfdisk and return to the installation menu.
5. The installation menu will automatically highlight the Initialize and Activate a Swap Partition (hda2) so you can just press Enter. If you want to scan for bad blocks (a good idea even with new drives) Tab to Yes and press Enter, and then answer Yes at the Are you sure? prompt.
6. You are then prompted to initialize the Linux Native partition (the first partition you created - hda1). When you select to do this you are asked if you want to scan for bad blocks. If you do, Tab to Yes (this could take quite a long time with a large partition) or you can accept the default No and press Enter. Then answer Yes at the Are you sure? prompt. Then answer Yes to the prompt to mount the root filesystem.
7. The next item in the installation menu is Install Kernel and Driver Modules. The installation routine detects that you are doing a CD-ROM install and asks you if you want to use this drive as the default installation medium. Accept the default Yes to this by pressing Enter.
8. Configure Device Driver Modules is where you are given the chance to load additional drivers. A message about loaded drivers appears with Continue already highlighted so just press Enter.
You are then presented with a list of module (driver) categories. Each category has a bunch of modules listed and you have to highlight them and press Enter to install them. If you are prompted for any "Command line arguments" just leave it blank and press Enter.
Install the listed modules from the following categories. Don't try and install any hardware drivers for hardware that isn't installed and ready.
o net - select ppp support (useful for more than just modems) and if you're connecting your system to a network select your NIC driver if it's listed. Many times it's easy to figure out which driver you need because the driver name coincides with the name of the NIC. However this is not always the case. The driver is often based on the chipset used by the card, not the card manufacturer or model. In the table below are some common NICs and the driver you need for them.
Note: Many drivers will prompt you for command line options. If you have a good hub or switch and a decent card, you should not have to enter any command-line options for the cards to work. They should auto-negotiate a 100 Mb, full-duplex connection.
NIC                      Driver
3C509-B (ISA)            3c509
3C905 (PCI)              3c59x
SMC 1211                 rtl8139
SiS 900                  rtl8139
Allied Telesyn AT2550    rtl8139
SMC 8432BT               tulip
SMC EtherPower 10/100    tulip
Netgear FX31             tulip
Linksys EtherPCI         tulip
Kingston KNT40T          tulip
Kingston KNE100TX        tulip
D-Link DFE500TX          tulip
D-Link DFE340TX          tulip
D-Link DE330CT           tulip
Many other cards use the pcnet32 or lance drivers. If your NIC is not one of the ones listed above you may find it, and its corresponding driver name, in the Ethernet HOWTO list.
Note that I've had problems using some SMC cards (the 9432 in particular) where you get errors saying "too much work at interrupt" and the card does not work properly. Your safest bet is to use a 3Com 3C509-B (ISA) or 3C905 (PCI) card. They're widely supported, I've never had a problem with them, and they're readily available on eBay.
9. ipv4 - The following modules are for a system which would be connected to the Internet for firewall or proxy capability (but not needed if this will be a network file server). For our purposes, select the following:
o ip_masq_autofw - kernel support for firewall functionality
o ip_masq_ftp - (same as above)
o ip_masq_irc - (same as above)
o ip_masq_mfw - (same as above)
o ip_masq_portfw - (same as above)
o ip_masq_raudio - (same as above)
10. fs - The following are modules you'd want if this would be a system which is not going to be directly connected to the Internet such as an internal file, print, or application server. For our purposes, select all of the following:
o binfmt_aout - for backward compatibility
o binfmt_misc - (same as above)
o nfs - for UNIX/Linux network file storage
o nfsd - (same as above)
(Note that lockd is selected automatically with nfs.)
Tip: If you didn't see the above ipv4 and fs selections listed it's likely because you didn't enter "vanilla" at the start of this procedure. You'll want to start the installation over at Step 1.
11. Because you selected net modules, the next step in the installation menu is to Configure the Network.
o Enter a hostname for your system. If this is going to be an Internet server, use a name that describes its function (ex: "www" or "mail"). If it's going to be in an internal domain in your company, use a name that uniquely identifies it. If this is going to be a home Web/e-mail server using dynamic DNS you'll want to pick something that's really unique (something that isn't already being used by anyone else using the same dynamic DNS service). If none of these apply, you can just accept the default "debian" name.
o Select the No response to the question asking you if you want to use DHCP or BOOTP.
o Next you have to enter an IP address for your system. If you're installing this machine on an existing network, MAKE SURE IT'S AN AVAILABLE IP ADDRESS! If you choose an IP address that's used by another system you'll cause all kinds of problems. (You can use a different system to try and ping the address you plan to use to make sure there are no replies to it.) If you don't know what IP address to use, don't accept the default since it's commonly assigned in home networks.
Note: If you're installing this machine on an existing network, even a home network, try this:
o Go to a Windows machine that's also on the network.
o Open a DOS window.
o At the DOS prompt type in winipcfg or ipconfig (one of them should work) and see what the IP address of the machine is.
o Think of an address for your Linux system where the first three "octets" are the same. For example, if the Windows machine has an address of 192.168.10.23, the address for your Linux machine should be 192.168.10.xxx (you make up a number for "xxx" from 1 to 254).
o Try to ping the number you come up with. For example, if the number you come up with for xxx is 45, at the DOS prompt type in ping 192.168.10.45 and make sure there are no responses to the ping. No response means the address isn't being used by another system, so you can use it for your Linux system.
o The subnet mask will be automatically calculated for you based on the class of the IP address you entered and it should be OK as long as you're not on a subnetted LAN.
o Enter a gateway address if you know what it is (the default route off your network). If it's a home network you probably don't have a gateway (unless you have a cable/DSL router). Don't just accept the default entry, as a system that's not a gateway may already have this address. The procedure above using a Windows system already on the network may display a default gateway address. If not, just backspace out the default value and press Enter, leaving the field blank.
o You will then be prompted for a domain name. Enter your domain name if you already have one. If you're just playing around, use your last name (for example smith.net). You'll see why on the Internet Servers page. If you accepted the default "debian" host name earlier, your system will then be referred to as "debian.smith.net". Don't worry about conflicting with a real domain that may have that name since this machine won't have a DNS record created on any ISP's DNS server.
Note: There are up to three types of "domains" to consider when you are asked for a domain name in Linux. If this will be a system in your Internet domain space, naturally you would use that name. Companies can also set up an internal domain space which has the same type of naming hierarchy as the Internet domain naming system. This type of domain name can be anything you want because it is not visible to the outside world nor do you have to "register" the name with any domain naming authority. In other words, a company can have a public (Internet) domain name (registered through someone like Network Solutions) and a private (internal) domain name. They can be the same or they can be different.
The third type of domain is familiar to those who work with Windows NT networks. These domains only have a single-word domain name, not the dotted hierarchy found on the Internet and in internal Linux/UNIX networks. Linux does not support this type of domain. However, starting with Windows 2000, Windows servers also started using the dotted hierarchy domain naming convention. If you have any such Windows servers on your network, your Linux system can be put into this domain space (i.e. be given the same dotted domain name as your Windows 2000 servers).
o At the prompt for a DNS address, enter the address of one of your ISP's DNS servers. (Most companies don't have their own DNS servers and will usually use the DNS servers of their ISP or WAN service provider.) Here again you don't want to just accept the default because that address may be used by another machine on the network which isn't a DNS server. If you're not sure of your ISP's DNS server addresses, just backspace out the existing address and leave it blank.
Note: If you enter your ISP's DNS server address, some network-related functions (like establishing a telnet session) may operate slowly until you get your system connected to the Internet so it can "see" the ISP's DNS server. However, this is the only viable entry to use on networks that don't have their own DNS server.
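Here is a small shell script, added to this page as an example and not part of the original procedure, that turns the note above into checks you can run from any Linux or UNIX box already on the LAN. It builds a candidate address on the same /24 as a host that's already on the network, works out the classful mask the installer derives from the first octet (and so shows exactly where that derivation goes wrong on a subnetted LAN), puts the host and domain names together the way the installer will, and optionally pings the candidate. The function names and the 192.168.10.x addresses are mine and constructed; the ping check assumes Linux iputils ping and only runs when CHECK_PING=1 is set.

```sh
#!/bin/sh
# Added example, not part of the original page: small checks for the static
# network answers the installer asks for (IP address, subnet mask, host and
# domain name).  Assumes POSIX sh and, for the optional ping check, Linux
# iputils ping.  The addresses are constructed from the page's own
# 192.168.10.x illustration.

# First three octets of a dotted-quad address: 192.168.10.23 -> 192.168.10
prefix24() {
    case "$1" in
        *.*.*.*) printf '%s\n' "${1%.*}" ;;
        *)       return 1 ;;
    esac
}

# Candidate address on the same /24 as a reference host already on the LAN.
# The host number must be 1..254: .0 is the network and .255 the broadcast.
candidate_addr() {
    ref="$1"; host="$2"
    case "$host" in ''|*[!0-9]*) return 1 ;; esac
    [ "$host" -ge 1 ] && [ "$host" -le 254 ] || return 1
    p=$(prefix24 "$ref") || return 1
    printf '%s.%s\n' "$p" "$host"
}

# Classful mask, which is what the woody installer derives from the first
# octet.  It is only right when the LAN is not subnetted.
classful_mask() {
    first="${1%%.*}"
    if   [ "$first" -le 127 ]; then echo 255.0.0.0
    elif [ "$first" -le 191 ]; then echo 255.255.0.0
    elif [ "$first" -le 223 ]; then echo 255.255.255.0
    else return 1        # 224 and up is multicast/reserved, not a host range
    fi
}

# Fully qualified name produced by the hostname and domain answers.
fqdn() { printf '%s.%s\n' "$1" "$2"; }

# Exit 0 when one ping gets a reply, i.e. the address is already taken.
# Needs a live network, so it only runs when CHECK_PING=1 is set.
addr_in_use() { ping -c 1 -W 1 "$1" >/dev/null 2>&1; }

ref=192.168.10.23                      # the Windows machine from the page
cand=$(candidate_addr "$ref" 45)
echo "candidate $cand  mask $(classful_mask "$cand")  name $(fqdn debian smith.net)"
if [ "${CHECK_PING:-0}" = 1 ]; then
    if addr_in_use "$cand"; then
        echo "$cand answered: it is in use, pick another host number"
    else
        echo "$cand silent: probably free (a host that drops ping stays silent too)"
    fi
fi
```

Run it with sh and set CHECK_PING=1 to try the ping. A host that filters ICMP stays silent as well, so the check finds addresses that are certainly taken rather than addresses that are certainly free.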
12.
13. Back at the installation menu Install the Base System is highlighted so just press Enter and the file copying and extraction will begin.
14. The next three selections refer to setting up the system to boot up.
o Select Make System Bootable
o Select the default Install LILO in the MBR and press Enter when the "Securing LILO" message appears
o You don't need to Make a Boot Floppy so arrow down to Alternate: Reboot the System, press Enter and answer Yes to the confirmation.
Be sure to remove the CD as the system reboots to force it to boot off the hard-drive. This next phase of the OS installation will install some basic software and configure some basic OS operations. You may see some error messages in all of the text that's displayed during the boot process. Don't worry about those at this point.
Once the system reboots you'll have to press Enter at the screen saying that Debian is installed and the configuration process begins.
15. Tab over to the No selection when the prompt appears asking you if your hardware clock is set to Greenwich Mean Time.
16. For the timezone select your geographic area (if you're in the US, choose "US" and not "America") and press Enter. Then select your correct time zone and press Enter.
17. The next series of dialogs will be password and account related. Note that the cursor will not move and nothing will be displayed when you enter passwords.
o First you'll be asked if you want to use MD5 passwords. Use default No selection.
o Next you'll be asked if you want to use shadow passwords. Use the default Yes selection.
o You'll have to press Enter at an informational message about root passwords. Then you'll be prompted to enter, and re-enter, a password for the root (super-user) account. REMEMBER IT.
o Finally you'll be asked to create a non-root user account, entering the username, full name, and password. Create one for yourself using your first name.
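As an added example (not from the original page), here is a shell script that audits what the two password questions produced. With shadow passwords on, /etc/passwd carries an "x" and the hashes live in /etc/shadow, which only root can read; an account whose passwd entry still holds a hash is exposed to every local user. Answering No to MD5 passwords leaves the traditional DES crypt scheme, recognisable by its 13-character hash, which also ignores everything after the eighth character of a password; the script classifies each shadow field so you can see which scheme each account ended up with. The file contents, user names, hash strings and function names are all constructed by me.

```sh
#!/bin/sh
# Added example, not part of the original page: audit the results of the
# shadow and MD5 password questions.  The file contents below are
# constructed samples; as root you can feed the real files with
#   unshadowed_accounts "$(cat /etc/passwd)"; shadow_report "$(cat /etc/shadow)"

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
fred:x:1000:1000:Fred:/home/fred:/bin/bash
legacy:ab3WqZ1nRkXyQ:1001:1001:Not shadowed:/home/legacy:/bin/sh'

SAMPLE_SHADOW='root:$1$xyzsalt$constructedmd5hashvalue000:11900:0:99999:7:::
fred:ab3WqZ1nRkXyQ:11900:0:99999:7:::
daemon:*:11900:0:99999:7:::
guest::11900:0:99999:7:::'

# Accounts whose passwd entry still carries a hash (not "x" and not locked).
unshadowed_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 != "x" && $2 != "*" && $2 !~ /^!/ { print $1 }'
}

# Classify one password field by its format.
hash_scheme() {
    case "$1" in
        '')            echo none ;;     # empty: logs in with no password at all
        '*'|'!'*)      echo locked ;;
        '$1$'*)        echo md5 ;;
        '$5$'*|'$6$'*) echo sha ;;
        *) if [ "${#1}" -eq 13 ]; then echo des; else echo unknown; fi ;;
    esac
}

# One "user scheme" line per shadow entry.
shadow_report() {
    printf '%s\n' "$1" | while IFS=: read -r user hash _rest; do
        printf '%s %s\n' "$user" "$(hash_scheme "$hash")"
    done
}

echo "hashes still in passwd: $(unshadowed_accounts "$SAMPLE_PASSWD")"
shadow_report "$SAMPLE_SHADOW"
```

On the sample data the report shows root with an MD5 hash, fred with a DES hash, daemon locked and guest with no password at all, and flags legacy as the one account whose hash is still in the world-readable file.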
18. When asked if you want to remove the PCMCIA files accept the default Yes answer.
19. When asked Do you want to use PPP to install the system? use the default No answer.
20. At this point the apt (package installer) configuration begins. Before continuing, place the CD #1 back in the drive. What apt is going to do is scan the CDs and create an inventory of the packages on them and store it in a database for later use.
21. After the CD #1 is scanned it will ask if you have another CD to scan. Pop in CD #2, Tab to the Yes selection and press Enter. Repeat this process until all seven CDs have been scanned.
22. Once CD #7 has been scanned, remove it and put CD #1 back in the drive. This time, accept the default No to the prompt asking if you have another CD to scan and press Enter.
23. When prompted to add another apt source accept the default No answer and press Enter.
24. Answer No to the prompt about using security updates from security.debian.org. (We'll take care of this later.)
25. The next window to appear is the System Configuration window where you are asked if you want to run the tasksel task selection utility. Accept the default Yes by pressing Enter.
26. The Task Installer appears with a list of task packages you can select using the space bar. Only select the following at this time:
o X window system
o C and C++
Tab to Finish and press Enter.
27. Accept the default No to running dselect at this time.
28. At this point a list of packages to be installed are presented with a prompt asking "Do you want to continue?" with Yes being the default so just press Enter.
29. You'll be prompted to insert CD#1 but it should already be in the drive so just press Enter.
30. Just press Enter when the informational message about "kernel link failures" appears.
31. Accept the default No answer to configuring less.
32. Accept the default No answer to adding a mime handler.
33. Next you'll have to select a locale for those applications that use this information. If you are in the US, arrow down to the en_US ISO-8859-1 selection and press the Space Bar to select it. Then Tab to OK and press Enter.
34. Accept the default Leave alone for the default locale selection by pressing Enter.
35. Press Enter at the informational message about statd using tcpwrappers.
36. When prompted to "Allow SSH protocol 2 only" Tab over to No and press Enter.
37. Press Enter at the informational message about privilege separation.
38. Accept the default Yes answer to install ssh-keysign SUID root by pressing Enter.
39. Answer No to the prompt to run the sshd server.
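The three ssh questions above each map to one line in /etc/ssh/sshd_config, and it is worth being able to read those lines back before the daemon is ever started. Below is a shell script I've added as an example (it is not from the original page and not part of the OpenSSH package) that extracts the effective value of a keyword the way sshd does, using the first occurrence and matching keywords case-insensitively, then prints the Protocol, UsePrivilegeSeparation and PermitRootLogin settings and warns when SSH protocol 1 is still allowed or privilege separation is off. The two configurations are constructed samples, one with the weaker answers and one tightened; the function names are my own.

```sh
#!/bin/sh
# Added example, not part of the original page: read back the sshd_config
# settings that the ssh questions control and flag the weaker choices.
# Assumes POSIX sh and awk.  Both configurations below are constructed.

# Effective value of one keyword.  sshd uses the FIRST occurrence of a
# keyword and ignores later duplicates; keyword matching is case-insensitive.
sshd_option() {
    # $1 = configuration text, $2 = keyword
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == key { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }'
}

# Exit 0 when the Protocol list still admits SSH-1 (the result of answering
# No to "Allow SSH protocol 2 only").
allows_ssh1() {
    case ",$(sshd_option "$1" Protocol)," in
        *,1,*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Summary of the settings the questions touch, with warnings.
ssh_report() {
    for key in Protocol UsePrivilegeSeparation PermitRootLogin; do
        printf '%-22s %s\n' "$key" "$(sshd_option "$1" "$key")"
    done
    allows_ssh1 "$1" && echo "WARN: SSH protocol 1 enabled (known weaknesses)"
    [ "$(sshd_option "$1" UsePrivilegeSeparation)" = yes ] ||
        echo "WARN: privilege separation is off"
    return 0
}

WEAK_SSHD_CONFIG='# constructed sample, not a real file
Port 22
Protocol 2,1
UsePrivilegeSeparation no
PermitRootLogin yes
Protocol 2'

HARDENED_SSHD_CONFIG='# constructed sample, not a real file
Port 22
Protocol 2
UsePrivilegeSeparation yes
PermitRootLogin no'

echo "== weak =="; ssh_report "$WEAK_SSHD_CONFIG"
echo "== hardened =="; ssh_report "$HARDENED_SSHD_CONFIG"
```

To check a real installation, run ssh_report "$(cat /etc/ssh/sshd_config)" as root. Note that the second Protocol line in the weak sample is ignored, which is exactly why a hardening edit appended to the end of the file does nothing.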
40. Accept the default path for the CVS repositories by pressing Enter and then press Enter again when the prompt to Create the repository directory appears.
41. CVS is a version control system that tracks changes to source files which is useful if you are going to use your system for development work - i.e. programming. For this install, press Enter at the CVS informational message and accept the default No answer to the prompt about starting the CVS pserver.
42. Accept the default Yes to the prompt about managing the X server wrapper using debconf.
43. Accept the default Yes to the prompt about managing the XFree86 configuration using debconf.
44. Select your video card's chipset manufacturer from the list presented and press Enter. If you're not sure what it is, use the vga selection.
45. Accept the default Yes to the prompt about using the kernel's framebuffer interface.
46. Accept the indicated X ruleset by pressing Enter.
47. Press Enter at the informational message about keyboard types.
48. Select the appropriate keyboard type based on what you read in the previous informational message and press Enter. The default pc104 value is for the Windows types of keyboards most often found in the US.
49. Enter the appropriate keyboard layout based on your locale and press Enter.
50. Press Enter at the informational message regarding mice and trackballs.
51. On the mouse port selection screen, select /dev/psaux if you have a PS/2 mouse. For older serial-type mice, use /dev/ttyS0 if it's connected to COM1 or /dev/ttyS1 if it's connected to COM2. Then Tab to OK and press Enter.
52. On the mouse selection screen, if you have a name-brand mouse select the model which matches it, or simply select the generic model entry.
53. Answer appropriately to the prompt about whether you have an LCD monitor or not.
54. Press Enter at the informational screen about monitors. Then select Simple from the list of selection methods and press Enter.
55. Select your monitor's size and press Enter.
56. If you have a 15" monitor, you'll want only the 640x480 value for the resolution. If you have a 17" monitor have only the 800x600 value selected (i.e. de-select the 640x480 selection) using the Space Bar. Then Tab to OK and press Enter.
57. At the color depth selection, a recommended value based on your earlier selections will be at the top of the list (highlighted) so just press Enter.
58. At this point more packages will be installed. At some point during this installation you may be prompted to select an ispell dictionary from a list presented. Simply select the appropriate dictionary for your locale.
59. If you get a prompt about erasing the .deb files accept the default Yes by pressing Enter and then pressing Enter again to continue.
60. Next you see a message about helping you configure your mail system. Debian installs the Exim e-mail server software by default which is a shame. 99% of the UNIX/Linux world uses Sendmail. On the Internet Servers page we'll remove Exim and install Sendmail but for now:
o Press Enter at the "Press Return" prompt
o Select option 5 to not configure Exim
THAT'S IT! The installation is complete. And you'll be sitting at a text-based shell prompt. Before we reboot the system there are a couple of commands we need to enter to compensate for the differences in the installation routines between woody and potato. This will put us on the "same page" as the potato installation before moving on to the subsequent guide pages.
61. Start out by logging in as the 'root' superuser (i.e. enter root at the login: prompt and then whatever you entered above for the root password). This will place you at a shell prompt.
62. Unfortunately, when you choose to install the X-Windows system in Woody it sets the system up to bring up a GUI login prompt when the system is booted. We don't want that.
Recall that back on the Basics page we showed what files are involved in the Linux boot process, including the symbolic links in the rc2.d directory. You can disable the running of the GUI login routine by renaming the symbolic link to the shell script which runs the GUI login routine. Recall also that any symbolic link that starts with an upper-case 'S' causes its associated script to be run at startup. Use the following mv (move) command to rename this link so that it starts with an underscore character so its associated script won't be run when the system is booted:
mv /etc/rc2.d/S99xdm /etc/rc2.d/_S99xdm
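The rename above works because init only runs the S-links in the runlevel directory. As an added example (my own script, not from the original page), here is a shell script that lists what a runlevel directory will start and disables one service by the same renaming trick, refusing to touch anything that isn't a symlink so the real script under /etc/init.d is never renamed by mistake. By default it builds a constructed temporary directory with a few fake links (S10sysklogd, S20ssh, S99xdm and a K11anacron stop link), so it is safe to run anywhere; set RCDIR=/etc/rc2.d as root to act on the real woody directory. Reviewing that S-link list is also the quickest way to see every service the box will bring up at boot.

```sh
#!/bin/sh
# Added example, not part of the original page: list what a runlevel
# directory will start and disable one service the way the text does, by
# renaming its S-link so it no longer begins with an upper-case S.
# RCDIR defaults to a constructed temporary directory; set it to /etc/rc2.d
# (as root) to act on a real system.

# Scripts that run when this runlevel is entered: links whose name starts
# with S.  K-links (stop scripts) and renamed _S links are not shown.
list_startup_links() {
    for link in "$1"/S*; do
        [ -L "$link" ] || [ -e "$link" ] || continue   # glob matched nothing
        printf '%s -> %s\n' "${link##*/}" "$(readlink "$link" || echo "(not a link)")"
    done
}

# Rename S<NN><service> to _S<NN><service>.  Only symlinks are touched, so
# the real script in /etc/init.d is never renamed by mistake.
disable_startup_link() {
    dir="$1"; service="$2"
    for link in "$dir"/S[0-9][0-9]"$service"; do
        [ -L "$link" ] || { echo "no S-link for $service in $dir" >&2; return 1; }
        base="${link##*/}"
        mv "$link" "$dir/_$base" && echo "disabled $base"
    done
}

RCDIR="${RCDIR:-$(mktemp -d)}"
# Populate the constructed directory (never the real one) with sample links.
if [ "$RCDIR" != /etc/rc2.d ] && [ -z "$(ls -A "$RCDIR")" ]; then
    for name in S10sysklogd S20ssh S99xdm K11anacron; do
        ln -s "../init.d/${name#[SK][0-9][0-9]}" "$RCDIR/$name"
    done
fi

echo "before:"; list_startup_links "$RCDIR"
disable_startup_link "$RCDIR" xdm
echo "after:";  list_startup_links "$RCDIR"
```

Because only the link name changes, the service can be re-enabled later by moving _S99xdm back to S99xdm; nothing under /etc/init.d is altered either way.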
63. Next, we want to be able to telnet into the system. Potato takes care of this by default but Woody doesn't (defaulting to the more secure SSH instead) so we'll have to install the telnet server daemon. With CD #1 in the drive, enter the following command:
apt-get install telnetd
You'll find out more about apt-get on the Packages page. For now, we're pretty much at the same point system-wise as the end of the potato installation. So now you can reboot the system by removing the CD from the drive and pressing Ctrl-Alt-Del.
We're not actually done with the initial setup of the system yet. The rest will be covered on the Packages page. For now though, try taking your new Debian system out for a spin around the block in the next section.
Trying It Out
As your system reboots a lot of messages will be displayed. With a faster system you won't be able to read them all. You can use the Shift-PgUp and Shift-PgDn key combos to scroll back through this previously-displayed text to look for any error messages, etc. The kernel's own messages are also kept in a buffer you can read at your leisure after logging in, with the dmesg command. Don't be too concerned about error messages at this point. We still have to install and update the packages.
Once your system restarts you'll be presented with a login prompt. Because Linux is a multi-user OS you have to identify yourself to the OS via a login. Log in using the root username and the root password you entered during the install.
Once you log in the shell prompt debian:~# is displayed. The # indicates you're logged in as root. (Non-root users get a $ prompt.) The debian is the hostname you gave to the system during the install. The ~ indicates that you have been placed in root's home directory. Whenever you first log in you will see this prompt because every user defaults to their home directory at login. (User home directories are created automatically when the user accounts are created on the system.)
All non-root users have a sub-directory under the /home directory. The names of these home sub-directories for non-root users match the user names (ex: /home/fred). The root user is a little different. root's home directory is off the root of the file system. Instead of /home/root it's at /root. It's important to understand that /root is the root user's home directory. Don't confuse it with the "root" of the file system, which is denoted by a single slash (/).
Since you're in the root user's home directory, look at the files the install routine created by typing in ls and pressing Enter. You won't see anything because there's nothing there. Kind of. There are no user files there. However, there are some hidden configuration files there. Try typing in ls -laF and pressing Enter. You'll see two files that start with a period, the .bashrc and .profile files. They're both startup files, something like AUTOEXEC.BAT on DOS systems.
The .profile file is read by your "login shell" when you log in (whether that shell is sh or bash), so it's the place for things like your PATH. The .bashrc file is read by every interactive bash shell you start, so it's the place for bash-specific settings like aliases. You can look at the contents of the .profile file by typing in
cat .profile
('cat' is the equivalent of the DOS TYPE command which just "types out" the contents of a text file on the screen.) As you can see, it's mainly just the setting of the PATH variable and you can see what the value of your path is set to. Notice I said your path. In UNIX/Linux each user gets their own path.
Now let's look at the .bashrc file. Type in
cat .bashrc
There's a little more here but most of it is commented out. In most UNIX/Linux configuration files any line that begins with a pound character (#) is a comment (or is a command that has been commented out, as in the case of the numerous alias commands in the .bashrc file).
Note: There is one case where a line starting with a pound character (#) is not a comment. The very first line in shell scripts will look something like this:
#!/bin/sh
This is known as the "bang" or "shebang" line. It specifies the path to the shell (or other interpreter) that the script should be run with. (You can run a shell script under a different shell than the one you're currently using.)
alias commands let you substitute one command for another, or "create" your own command. Note the line in the .bashrc file:
alias rm='rm -i'
This just substitutes the standard rm command with itself but using the -i command-line switch. The -i command-line switch is interactive mode, which means it will prompt you for a confirmation whenever you use the rm command to delete a file (a safety measure).
You can also "create" your own commands by aliasing existing commands with a different name. For example, you could enter the following line in the .bashrc file:
alias zapfilz='rm -i'
to "create" a zapfilz command.
On the virtual consoles (what you use when you are working at a shell prompt) Linux sets the terminal type to "linux"; the type is held in the TERM environment variable. Some text editors don't get along with that terminal type very well. They work better with a "VT100" type of terminal. (The term "terminal" refers to the old "green screen" keyboard/screen devices that were commonly used with mainframes; a terminal type tells programs which control sequences the screen in front of you understands.) Since you tend to work with text files quite a bit in Linux, it would be beneficial to set our sessions to use the VT100 terminal type. One caveat: setting TERM in .bashrc also overrides whatever a telnet or ssh client negotiated when you log in remotely, and vt100 has no colour, so if something that worked before looks odd afterwards this is the first thing to suspect.
Let's use the infamous vi text editor to edit the .bashrc file to change our default terminal type to VT100. We'll do this using an export statement.
1. At the shell prompt type in vi .bashrc to open the file in the editor and the contents will be displayed.
Note that there already is one export statement in the .bashrc file. This statement is what sets our shell prompt to display the hostname and current working directory.
2. Press the down arrow key until you get to a blank line in a file (the position of the command in the file isn't important).
3. Press the 'a' key (for append).
Note: If you screw things up and you want to quit without saving, just press the following keys in the given order:
Esc : q ! Enter
4. Type in the following line (don't start the line with a pound sign):
export TERM='vt100'
5. Now press the following keys in the given order to save the changes and exit vi:
Esc : w q Enter
Note that what we just did changes a startup file. It won't have any effect until the next time you log in. However, just enter that same command at the shell prompt and it will take effect immediately. Once you enter it at the shell prompt, you can make sure it took effect by entering this command at the shell prompt:
echo $TERM
You can also try entering this command the next time you log in to make sure that the statement you entered into the .bashrc file is correct. TERM is the environment variable which stores the current terminal type. By convention environment variables are upper-case. You put the $ character in front of a variable's name to get its contents. If you didn't use the $ in the above command the word TERM would simply be echoed to the screen.
The vi editor is legendary in its difficulty to master. For one, it grew out of a line editor (ex), and you still issue many of its commands on a single command line at the bottom of the screen. For another, it has an "insert" mode and a "command" mode. (We went into insert mode above when we pressed the 'a' key, and went back to command mode when we hit the Esc key.) There are entire books written on vi. It's only fair to mention though, that vi's keystroke combinations were devised in such a manner that once you get really good with vi, you'll rarely have to take your fingers off the "home" positions on the keyboard. The reason you want to at least become familiar with vi is because every Linux and UNIX system will have it, no matter how old or eccentric a distro it is. That can't be said about any other editor.
Keep in mind that changes you make to a .profile only affect the user whose .profile you edited. Each user has their own .profile file located in their home directory (but as the root super-user you can edit everyone's .profile file if you want to set up a standard).
The same is true of the .bashrc file, except that it's only read when that user runs the bash shell. Every user whose default shell is bash (which is the default shell on Debian) will have a .bashrc file in their home directory.
If you type in:
echo $SHELL
you'll see that you are using bash, Debian's default shell.
Here's something you can try. Log out of the system using the exit command. Start to log back in as root, but this time use the wrong password. You'll simply get an error message saying it was incorrect and another login prompt. At this second login prompt, use the correct password. Right above the shell prompt you'll see the message:
1 failure since last login
The "failure" the system is referring to is a login failure for the user account you just logged in as (works for all users, not just root). This is good to know as it will let you know if someone has been trying to guess the password for this particular username. The failures are also recorded by syslog in /var/log/auth.log, which is where to look when you want the details (which terminal, and when) rather than just a count.
What's next? If your system is connected to a network you should try seeing if you can ping another workstation on your network. You can use the procedure in Step 11 of the installation above (using winipcfg or ipconfig) to find the IP address of any Windows system on your network. For example, if the address of another system on your network is 192.168.10.12 you'd type in
ping 192.168.10.12
and see if you get "64 bytes from" the address. Left on its own, Linux ping will just keep pinging so press Ctrl-C to end it.
If you don't get any ping responses or get errors indicating that the "Network is unreachable" you can enter the ifconfig command (not ipconfig as with Windows) and check the settings for your eth0 interface (this is the NIC). The lo interface is the local loopback, which is only used for testing and for programs on the machine talking to each other.
If no eth0 interface is listed, you want to check to see if the kernel driver module got loaded at boot up. Enter the lsmod command. You should see 3c59x or whatever driver you specified during the install listed.
If the module IS loaded (but eth0 doesn't show up in the ifconfig list) it means that the kernel "sees" the NIC. It's just not being brought up automatically at bootup. Check to see if it's set to be brought up automatically by typing out the contents of the interface configuration file with the command:
cat /etc/network/interfaces
and look for the line:
auto eth0
If there is no line like this, or if "eth0" isn't on the line, or if it has a pound character (#) at the beginning of the line (commented out) that's the problem. On the Packages page we'll install a text editor called ee. You can wait until this editor is installed to open this file and correct the problem or you can try to edit it using the vi editor.
If the module ISN'T loaded try loading it with the command:
modprobe 3c59x
Substitute the name of the NIC module you selected during the installation for "3c59x". After doing this you may also need to bring the interface up manually. Use the ifconfig command to see if eth0 is now listed. If not, bring it up with the command:
ifconfig eth0 up 192.168.10.50 netmask 255.255.255.0
substituting an address and subnet mask appropriate for your network. If you couldn't load the module you may have specified the wrong driver module during the installation or your NIC may be bad or, if this is a used non-PCI NIC, may have had the default IRQ, etc. settings changed at some point.
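To make the checks above mechanical, here is an added example (not from the original page): small shell functions that read /etc/network/interfaces on standard input and report whether an interface is on a live auto line and what address its stanza assigns. sample_interfaces prints a constructed file with the auto eth0 line commented out, so you can see the failure mode; the addresses in it are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: check /etc/network/interfaces
# for the two things the troubleshooting steps look for.  sample_interfaces
# prints a CONSTRUCTED file in which eth0's "auto" line is commented out,
# which is exactly the failure mode described above.
sample_interfaces() {
    cat <<'EOF'
# constructed sample of /etc/network/interfaces
auto lo
iface lo inet loopback

# auto eth0
iface eth0 inet static
    address 192.168.10.50
    netmask 255.255.255.0
    gateway 192.168.10.1
EOF
}

# iface_is_auto IFACE: read an interfaces file on stdin; exit 0 if IFACE is
# named on an "auto" line that is not commented out, 1 otherwise.
iface_is_auto() {
    awk -v i="$1" '
        $1 ~ /^#/ { next }                     # whole-line comment: ignore
        $1 == "auto" { for (k = 2; k <= NF; k++) if ($k == i) found = 1 }
        END { exit found ? 0 : 1 }'
}

# iface_address IFACE: read an interfaces file on stdin and print the
# "address" value from the "iface IFACE ..." stanza (nothing if none).
iface_address() {
    awk -v i="$1" '
        $1 ~ /^#/ { next }
        $1 == "iface" { cur = $2; next }       # a new stanza starts here
        $1 == "address" && cur == i { print $2; exit }'
}

# check_iface IFACE: a one-line verdict.  Against the real file:
#   check_iface eth0 < /etc/network/interfaces
check_iface() {
    data=$(cat)                                # buffer stdin: it is read twice
    addr=$(printf '%s\n' "$data" | iface_address "$1")
    if printf '%s\n' "$data" | iface_is_auto "$1"; then
        echo "$1: brought up at boot, address ${addr:-not given, dhcp or missing}"
    else
        echo "$1: NOT on a live auto line, ifup will not bring it up at boot"
    fi
}

sample_interfaces | check_iface eth0
```

If the verdict is "NOT on a live auto line", uncomment or add the auto line and reboot, or run ifup eth0 to bring the interface up now.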
Once everything is working, back up your server using our backup page.
Solving Hard-Drive Problems
The one downside of using an older system to set up a Linux server is that the most likely devices to fail are the power supply and hard-drive. When a hard-drive starts to go bad on a Linux system you'll usually find out about it when you boot the system.
The messages displayed when disk errors are encountered during boot-up are pretty ominous, and a little confusing. You're told to run fsck manually but not really told how. The command to mount a file system as Read/Write is also given and that's NOT what you want to do. You're given the choice of pressing Control-D for "normal startup" (which is actually just a reboot which won't help the problem at all) or entering the root password for system maintenance. When presented with these errors and this choice, do the following:
• Enter the root password.
• Run the command fsck -fp /dev/hda1 (or whatever your root partition is). This is safe here because the maintenance shell leaves the root file system mounted read-only; never run fsck on a partition that is mounted read/write.
• Repeat the above command until no errors are displayed.
• Reboot the system using the init 6 command.
• Run the command badblocks -sv /dev/hda1 (or whatever your root partition is). It will take awhile. This is a read-only scan; do NOT add the -w (write test) option on a partition that holds data, because the write test destroys everything on it.
One way to tell if your hard-drive is starting to fail is to turn the system off for about 30 minutes. If you don't have problems for the first hour or so of using, but then problems start popping up, the hard-drive is failing. That's because failing hard-drives are more sensitive to heat and the hotter the drive gets the more likely it is to have problems. Replace these heat-sensitive drives ASAP.
While the above installation procedure got you an operational system, it's pretty much bare-bones at this point. Next we'll install the "base" and some optional packages on the Packages page to put some meat on the bones.
Using Debian Linux Packages
"Packages" are software. A package can be a workstation-type program (mozilla Web browser, gimp graphics editor, etc.), a server-type program (Apache Web server, Sendmail e-mail server, etc.), a utility (apcupsd for APC UPSs, taper backup utility), programming libraries, or OS components (GUIs, language modules, even kernel patches). You can download and install software which isn't "packaged". It's just that when software is put into a package it makes it easier to install because programs are already compiled (binary), directories are created if necessary, and all files (binary executables, text configuration files, man pages, etc.) are put into the proper directories. Some packages even have configuration scripts that are run near the end of the package installation to help you initially configure the software.
A "package manager" is used to search for, install, remove, etc. packages. Sun has a package manager for its flavor of UNIX (Solaris) that works with files that have a .pkg extension. Red Hat's package manager uses .rpm files. And Debian's package manager uses .deb files. As you will see below, a package manager isn't always a single program but several utilities used to perform the various package-related functions (search, install, etc).
Note: The software in one package may need software from another package to work properly. One of the best things about Debian's package architecture is "automatic dependency resolution", i.e. it will automatically load any packages that selected packages may depend on. It may also remove other packages that could cause conflicts. This is why the number of installed packages may be greater than the number of packages you select to install.
If you've ever tried installing packages using Red Hat Package Manager (RPM) you've likely found it a frustrating experience due to the "failed dependencies" errors commonly encountered when trying to install an RPM package. This is because Red Hat's package manager doesn't automatically take care of dependencies like Debian's package manager does.
Working with packages in Debian uses three main utilities:
• apt - Advanced Package Tool - the main package manager on Debian systems used for retrieving/installing, removing, or searching for packages
• dpkg - the lower-level tool that actually unpacks and removes .deb files; apt drives it for you, but you'll still use it directly for some functions (listing and querying installed packages, for example)
• dselect - a menu driven front-end that uses both apt and dpkg
You may recall being prompted to insert all the discs during the installation so that they could be scanned for available packages. This scan process builds a database of available (on the discs) packages which is used by these package utilities. When you install or remove a package this database is referenced and updated.
A complete list of the current "stable" Debian packages (including free and non-free) can be found at:
packages.debian.org/stable/
apt and dpkg are useful if you have some idea of what you're looking for. For example, apt has a search utility where you can search for software by its given name such as 'apache' or you can search for all available packages containing software offering specific functionality such as 'sniffer', 'dns', etc.
Because Debian comes with so many packages, it's often a good idea to just browse through all of the available packages to see what software you can install and play around with. To get a full listing of packages and their installation status we use dselect. As mentioned, dselect is more of a front-end, user interface tool because when you select a menu item in dselect you are simply running one of the apt or dpkg utilities with a specific set of command-line switches.
Although useful for browsing all available packages, dselect will not be your primary package management tool. You can search for, and install, packages much faster using the apt utilities. However, we wanted to show you how to use dselect because half the fun of playing around with Debian is playing around with some of the thousands of packages that comes with it.
Using dselect
dselect has a 7-step menu (numbered 0 through 6) and it will walk you through the steps in order. The first two steps are easy to confuse: "Access" picks the method dselect uses to reach the packages (apt, a CD-ROM, etc.), while "Update" reads the package lists from those locations so dselect knows what's available and what has changed since the last time. Neither step installs anything.
To use dselect:
Make sure you're logged in as 'root' (you can use the whoami command to verify this) and type in dselect at the shell prompt and the menu screen will be displayed. The possible selections are:
• 0. Access - highlighting this and pressing Enter will allow you to select apt as the method for accessing the packages. When you select apt and press Enter it will display your current sources.list file and ask you if you want to over-write it. "No" is the default so just press Enter again.
• 1. Update - ALWAYS run this selection every time you run dselect. dselect maintains its own database so run this to have it read (sync up with) the apt database (containing package status information) to update its own database.
• 2. Select - pressing Enter with this selection highlighted will display a help screen. Press q to clear it. This is the main guts of the program. It's displaying the package inventory database. It can look very confusing the first time you use it but it's really not all that bad.
Notice near the very top of the screen is a blue line with EIOM on the left. They stand for
Error Installed OldMark NewMark
Uninstalled packages have "marks" like this:
__
(Note that this is two underscores in columns 3 and 4 - OldMark and NewMark columns.) On the left end of this line there is actually two blank spaces (in columns 1 and 2) before the two __ underscore characters.
o the first blank (Error) column is good
o the second blank (Installed State) column indicates it's not installed
o the _ in the third (OldMark) column indicates that nothing has changed in the selection status of the package
o the _ in the fourth (NewMark) column indicates that nothing has changed in the selection status of the package
Note that the first time you look at this list the third (OldMark) column may have an n in it. This indicates it's a New package because you just ran the Update step. The next time you view the list it will be an underscore character.
Installed packages marks are three asterisks (***) and they indicate:
o the first blank space (Error column) is good
o the first * in the second (Installed state) indicates that it is installed
o the next * in the third (OldMark) column means it was requested for install
o the third * in the fourth column means that it's OK to upgrade this package
If you would like to see a more explanatory presentation of this information, simply press the v key repeatedly to toggle the Verbose display mode on and off. In addition, you can press the ? key at any time to bring up the help menu. In the help menu, pressing the l (lower-case L) key will display a screen explaining all of the code letters. Press q to get out of help.
If you look at the blue bar in the middle of the screen it will also give you some of this information. A description of the highlighted package is displayed below the blue bar.
Note: If you ever get into a Select screen and you can't figure out how to get out, just press an upper-case X to get back to the 7-step menu page.
Packages are grouped into categories such as 'devel', 'net', 'utils', and 'web' with 'admin' being the top category because the groups are listed alphabetically. The packages within each of these groups are listed alphabetically also.
Use your down-arrow key until the uninstalled cpuid package is highlighted:
n_ Opt admin cpuid
Looking at the cpuid line, a blank in the first "Error" column is a good thing. A blank in the second "Installed" column indicates it's not installed. An 'n' in the third (OldMark) column means the package is new (as far as dselect is concerned because it hasn't been run since the packages were indexed when you scanned the DVDs) and the underscore in the fourth (NewMark) columns means nothing has changed (selection-wise) for this package.
With the cpuid line highlighted, press the Insert key to select it for installation and the indicator in column 4 will change to an asterisk. Press Enter to go back to the main menu and the next menu selection (Install) will be highlighted.
• 3. Install - is where the packages are actually transferred onto the hard-drive. It will be highlighted so just press Enter and you'll be presented with the packages to install (if any dependent packages were required they'd be listed also). With 'Y' as the default just press Enter to continue and you'll be asked to insert Debian DVD #2 and press Enter again. Once it's finished you can accept the default 'Y' to remove the downloaded .deb files.
• 4. Config - is next. This is where any installed packages requiring additional configuration are taken care of. There won't be any in this case so you can just go to the next step.
• 5. Remove - will remove any unnecessary files or software that may conflict with the newly installed packages. The dpkg command takes care of this for you so you'll just be returned to the menu.
Before selecting the "Quit" option, go back up to the "Select" option and press Enter to see how the flags for the cpuid have changed. (You'll also see the change mentioned above where all packages are listed.) The cpuid line we looked at earlier is further down this time so if you arrow down to find it you'll see
*** Opt admin cpuid
Again, using the "l" (lower-case L) option on the help (?) menu will tell you all this. If we look further down at most of the Optional packages the characters for the first four columns are two blank spaces followed by two underscores.
• 6. Quit - will exit you out of dselect.
Try out the software you just installed. Back at the shell prompt, type in:
cpuid | more
to display information, including register contents, about the CPU chip in your system. The | more part of the command just pauses the output of the command one screenful at a time, with --More-- at the bottom of the screen. Press the Space Bar to see the next screen.
After you've been working with your system for awhile it's easy to lose track of what packages you have installed. It's also nice to see what all got installed by the installation routine. For that you can use the command:
dpkg -l | more
That's a lower-case L for "list". apt and dpkg have a lot of command-line options and viewing the man pages for them will provide you with more information.
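Here is an added example (not the page's own procedure) that goes one step beyond listing: record what is installed and compare later. dpkg --get-selections prints one "package state" line per package, so saving its output right after the install gives you a baseline, and the function below diffs two such snapshots. sample_old and sample_new print constructed snapshots, not real dpkg output, and the package names in them are only illustrative.

```shell
#!/bin/sh
# Added example, not from the original page: compare two snapshots taken
# with "dpkg --get-selections > file" and report what was added or removed.
# sample_old/sample_new print CONSTRUCTED snapshots (dpkg separates the two
# fields with a tab; awk's default field splitting handles tabs and spaces).
sample_old() {
    printf '%s\n' 'bash install' 'libc6 install' 'ssh install' \
                  'telnetd install' 'xdm deinstall'
}
sample_new() {
    printf '%s\n' 'apache install' 'bash install' 'libc6 install' \
                  'ssh install' 'wu-ftpd install' 'xdm deinstall'
}

# selection_diff OLDFILE NEWFILE: print "+name" for packages present in
# NEWFILE but not OLDFILE and "-name" for the reverse, in C-locale order.
# "install" and "hold" both mean the package is on the system; deinstall and
# purge lines are skipped.  The old=1 / old=0 operands tell awk which file
# it is reading, which also works when the first file is empty.
selection_diff() {
    awk '
        $2 != "install" && $2 != "hold" { next }
        old { before[$1] = 1; next }           # first file: remember names
        { after[$1] = 1 }                      # second file
        END {
            for (p in after)  if (!(p in before)) print "+" p
            for (p in before) if (!(p in after))  print "-" p
        }' old=1 "$1" old=0 "$2" | LC_ALL=C sort
}

# Stand-alone demonstration on the constructed snapshots.
old=$(mktemp) && new=$(mktemp)
sample_old > "$old"
sample_new > "$new"
selection_diff "$old" "$new"
rm -f "$old" "$new"
```

Take the baseline with dpkg --get-selections > /root/selections.base and compare it against a fresh snapshot whenever you suspect something was installed behind your back or want to document what changed. The same file also lets you rebuild the box: dpkg --set-selections < /root/selections.base followed by apt-get dselect-upgrade reinstalls everything on the list.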
dselect is not only useful for browsing all available packages but it will also tell you which packages are already installed. When you installed Debian a set of "base packages" were installed. As we go through using dselect you will be able to see which packages got installed during the installation and all of the packages that were included with Debian that are available for you to install.
Using the apt Utilities
The apt utilities (there are several such as apt-get, apt-cache, etc.) can retrieve packages from DVDs or the Internet via http or ftp. You can update your entire system via an Internet connection which is why you want to have a modem or other means of accessing the Internet. This is especially true for Internet server systems as you will want to regularly apply security updates (we'll show you how to do this later in this page).
apt uses the /etc/apt/sources.list file which lists the locations of package files (we'll be modifying this file later in this page). These locations include the DVDs you inventoried (scanned) during the installation routine and also has entries for various Internet servers from which you can retrieve updates. The lines in the sources.list file for these Internet servers are commented out by default in case you don't have an Internet connection. (We'll set up an Internet connection on the Modems page.) The apt utilities are command line utilities and installing a package is very easy provided you know the exact package name. Most of the time you don't. But there is an apt utility that will help with that too.
Apache is the most widely-used Web server software in the world. (The Web server software can be useful on an internal network server for serving up Intranet pages, not just for Internet Web servers.) Let's say you want to set your system up as a Web server using Apache. How do you find out if it's included in one of the package files, and if so, what the package name is? You can use the apt-cache command with the search option like so:
apt-cache search apache versatile
Note that this will display any package that has the word "apache" and "versatile" anywhere, including in a package's description (without them being a part of the package name).
When the listing is complete the shell prompt will reappear. About four lines up from the shell prompt you'll see
apache - Versatile, high-performance HTTP server
which is the package we want. Now that we know the name of the package we want, we can use a simple apt command to install it. apt will automatically install any dependency packages also. To install it just type in:
apt-get install apache
to start the package installation. You will get a (Y/n) prompt to continue. Press enter to begin the installation and you'll be prompted to insert DVD #1. At the end of the installation you'll see the line:
Starting apache 1.3 web server....
Your system is now a Web server! If the system is on a network (and provided you can ping other systems on the network) it's easy to check out. Just go to another system (Linux or Windows) on the same network, fire up a Web browser, and in the URL line type in the IP address of your Debian system. For example, if the IP address of your Debian system is 192.168.10.10 type in:
http://192.168.10.10
You should see the default Debian/Apache placeholder page appear. You may even want to print this page because it tells you where the configuration, html, cgi script, and log files are located.
Note that because you installed Apache, and it is a server-type service, it will start automatically every time you boot the system and listen for connections on every network interface the system has. So what if you don't really want your system to be a Web server? The command:
apt-get remove apache
would remove the Apache program files from your system, but it would leave the configuration files. In order to remove everything associated with it you need to use the command
apt-get --purge remove apache
If you want to keep Apache installed, there's a few configuration details you'll want to take care of. We'll do that on the Internet Servers page.
There's one more package you may want to install so you can transfer files to/from your system. wu-ftpd is the most widely used FTP server software package. Once again the package name is the same as the software name so installing it is easy:
apt-get install wu-ftpd
You'll be prompted for DVD #2. We set up FTP just so you could get files on and off your server without needing to use a floppy disk. Like telnet, FTP sends your username and password across the network in clear text, so keep it on the LAN; the ssh already installed can copy files too (scp). If you are going to set this system up as an Internet server that does offer FTP services, be sure to use the /etc/wu-ftpd/ftpaccess file to restrict what the server allows, and keep the package patched.
Once wu-ftpd is installed, you can go to any system on your network, fire up an FTP client program like WS_FTP or CuteFTP, point it to the IP address of your system, and log in using the user account you created during the installation (not as root).
Recall that when we installed Debian we also installed basic GUI functionality. Since the GUI is useful for Web browsing, and there are a lot of Linux and Debian resources available on the Web, you may want to also install a Web browser. To install it, just enter the command:
apt-get install iceweasel
Iceweasel is a light-weight Mozilla-based Web browser. If you've ever used Firefox you'll be very familiar with Iceweasel.
Next we'll fire up the GUI and check out our Iceweasel installation. When you installed it using the above command, a menu selection for it was automatically added under the Net submenu of the GUI desktop menu. (If you need to set up a modem to get your system on the Internet to check out Iceweasel, see our Modems page.)
Note: The apt-get command has a lot of options for checking packages, resolving dependencies, etc. that we don't cover here. It would be worth your while to check out the man page or Web references to learn more about all this command can do.
Trying The GUI
Most of the GUI stuff should have been configured during the installation. While a GUI may be the heart of Windows operating systems, it's just another optional piece in Linux. It's also the most problematic, frustrating piece to work with.
There are several different parts to a Linux GUI that all have to interact. There's an X server (like s3v), a window manager (like twm or enlightenment), and a desktop environment (like Gnome or KDE). Getting them all configured correctly and working in harmony is a royal PITA. The Debian installer helps a little, provided you know what you're selecting. The GUI installation steps we covered on the Installation page should get it working for most systems.
There's a reason for all the GUI pieces. The more integrated and simple you make something the fewer options you have in its use. While a pain, the GUI in Linux is very powerful and flexible. The X server is the program that draws on your screen and reads your keyboard and mouse; the applications are X "clients" that send it drawing requests, and they don't have to be running on the same machine. That's why you can sit at a system running an X server and run a GUI program that lives on another system across the network (now you know why they call it an X server). Plain X traffic over the network is not encrypted, so if you ever do this, tunnel it through SSH rather than opening X to the network directly. But that's beyond the scope of these pages.
If you haven't read it on one of the other pages on this site, read it now. We believe the best way to learn, and use, Linux/UNIX is by using the command-line interface (i.e. entering commands at the shell prompt). We'll cover getting in to and out of the GUI here just so you can see what it's like but this is as far as we'll go with it.
There's another reason to stay away from the GUI besides just the learning aspects involved. You can encounter a lot of different GUIs. Systems can have the same desktop environment (Gnome) but different window managers. Sun Solaris has its own GUI. As a result, they'll look completely different with different menus, etc. By contrast, most Linux/UNIX shell commands will work on any UNIX or Linux system. Learn to work at the shell prompt and you'll be good to go on just about any UNIX or Linux system. There are some minor differences with some shells, and different file locations for some configuration and application files depending on the flavor of the OS. But if you know how to work the command line you can find out where they are, and you'll feel at home no matter what flavor of UNIX or Linux distribution is running on the machine. Even if you walk up to a machine running a GUI you've never seen before, all you have to do is open up a local terminal window (all GUIs have them) to get to a shell prompt.
If you followed this site's installation page the X server and the twm window manager were installed (hopefully correctly but that's a crap shoot). Many more preference files with names starting with a period will appear in your home directory after you run the GUI for the first time. You start it by typing in:
startx
at the shell prompt. You won't see much. No task bar or "Start" button. Just a grey screen with a black "X" for a mouse pointer and a command window in the upper-left corner of the desktop. You have to put the mouse pointer on the black command window to give it focus and type in twm at the command prompt to start the window manager. To bring up a menu, move the mouse pointer out of the command window and left-click on the desktop. Note that with the twm window manager you have to point to the small icons on the right side of the menu selections in order to see the sub-menus. Just pointing at the word won't cause that to happen.
Click and hold down the left mouse button and the pop-up menu will appear. While continuing to hold down the left mouse button, arrow over Debian/Apps/Net/Iceweasel and let up on the mouse button. When you do, the mouse pointer will change to a right-angle and an outline of the window will appear to the right and below the pointer. This is so you can position the window where you want it on the screen. When you've got it where you want it, click the left mouse button again to display the window. Note that the mouse pointer has to be somewhere in the browser window in order for you to be able to enter commands.
To exit twm, left-click on the desktop, arrow down to the icon to the right of "Exit" and select "Yes, really quit". Now put your mouse pointer over the terminal window to give it focus and type in exit at the shell prompt to exit out of the GUI.
On a Linux desktop system the window manager, desktop manager, and X all start together. Because we're only running a minimal GUI we have the ability to start X and a window manager separately so you can see that they are two different pieces. We never installed the third part of the GUI, which is a desktop manager such as KDE or Gnome, but, as you can see, we don't really need one.
Upgrading Your System
Debian's package system makes it real easy to keep your system up-to-date. Once you get your system connected to the Internet either via a modem (see the Modems page) or a LAN (see the Networking page), you can upgrade your system to the current point release using that Internet connection.
While using this procedure to upgrade your system to the current stable release is why we're doing it here, it's not the only time it should be done. In other words, if the current stable release is 3.1r3 and you've used this procedure to upgrade your system to 3.1r3, that doesn't mean you don't have to run it again until 3.1r4 comes out. Individual packages can get updated in between point releases. You'll also want to stay on top of any security updates that are available. We'll show you how to automate the security patching process later in this page.
The first thing you have to do is change the sources.list file that apt uses to determine from where it should pull packages. Right now, if you installed your system using a DVD set, it's set to only look on DVDs. We have to change that to only look on the Internet.
As mentioned on the Installation page, many organizations don't allow their servers to be Internet-accessible for security reasons. If this is the case with your server, you have no choice but to do point-release updates using discs and should not follow this procedure.
Open the sources.list file in the nano text editor with the command:
nano /etc/apt/sources.list
You'll see a line like the following for each DVD in your set:
deb cdrom:[name of dvd-rom]
Put a pound character (#) in front of all of these lines to comment them out like so:
#deb cdrom:[name of dvd-rom]
Look for the following line further down in the file:
# deb http://security.debian.org/ stable/updates main
and remove the pound character (#) at the beginning of this line.
Add the following line underneath the line you just edited:
deb http://http.us.debian.org/debian stable main contrib non-free
If you're outside the US, uncomment the line that has "non-us" in place of the "us" part of the above line. Then exit the editor (by pressing Ctrl-X, then 'y' and then Enter) saving the file.
Note: As long as the sources.list file is in the above configuration (http sources enabled and DVD-ROM sources disabled) you'll have to connect to the Internet in order to install any new packages as well as update any currently-installed packages. It is best to wait until you have your system set up just the way you want it before you use this procedure.
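The three edits above (comment out the cdrom lines, uncomment the security line, add the mirror line) can also be made without opening nano, which is handy if you set up more than one machine. The function below is an added example and not part of this page's procedure: it prints the rewritten file to standard output so you can look it over before copying it over /etc/apt/sources.list, and it appends the mirror line at the end of the file rather than directly under the security line (apt doesn't care about the order). The non-us line is left alone; uncomment that one by hand if you need it.

```shell
#!/bin/sh
# Switch sources.list from DVD-ROM to Internet sources (added example, not the
# page's procedure). Prints the rewritten file so you can review it first.

MIRROR_LINE='deb http://http.us.debian.org/debian stable main contrib non-free'

# switch_sources_to_http FILE: comment out every "deb cdrom:" line, uncomment the
# security.debian.org line, and make sure the US mirror line is present.
switch_sources_to_http() {
    sed -e 's/^[[:space:]]*deb cdrom:/#deb cdrom:/' \
        -e 's|^#[[:space:]]*deb http://security\.debian\.org/ stable/updates main|deb http://security.debian.org/ stable/updates main|' \
        "$1"
    # Append the mirror line only if the file does not already carry it, so the
    # function can be re-run safely.
    if ! grep -qxF "$MIRROR_LINE" "$1"; then
        echo "$MIRROR_LINE"
    fi
}

# Usage (review the result before copying it into place):
#   switch_sources_to_http /etc/apt/sources.list > /tmp/sources.list.new
#   cp /tmp/sources.list.new /etc/apt/sources.list
```

Running it a second time on the file it produced changes nothing, which is the property you want from anything that edits a configuration file from a script.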
Once you're able to connect to the Internet use the following procedure to update your system:
1. If necessary, use the pon command to use your modem to connect to your ISP.
Once connected to the Internet, you have to update the inventory database of available packages. (This is the list of packages you see when you run dselect.) Database entries for new packages are also pulled from Debian's server over the Internet. (This should take less than five minutes with a modem connection.) You do this by issuing the command:
apt-get update
2. Once the package list is up to date, you upgrade the software on your system by typing in the following command:
apt-get upgrade -u
The -u in the above command just makes the process a little more verbose, displaying package names as they're downloaded and installed. Be advised that these downloads could take a while with a modem connection because you could be upgrading to a higher point release of the OS (ex: going from 3.0r1 to 3.0r2).
Once the download is complete the package updates will be installed and set up the same way they were when you pulled them off the DVDs. For modem connections, don't forget to use the poff command to disconnect from your ISP when you are finished.
Note: The above procedure only updates applications that were installed as a Debian package. If you installed applications that were not in Debian packages (such as when you download the source code files from a Web site and compile/install it yourself), it will have to be updated separately.
Automating Security Patching
Automatically applying security patches will help ensure you're protected against the latest worms and exploits. Automating the process of retrieving and applying security patches is not hard at all. The cron memory-resident scheduler is loaded by default when the system boots so it's just sitting there waiting for you to use it. Automating a process involves two steps: giving cron something to run (i.e. creating a shell script containing the commands you want to run), and then telling cron when to run it.
Because you only want this process to take care of security patches, you'll want to edit the /etc/apt/sources.list file to comment-out every line except the line that contains the word security in it. The only line that shouldn't be commented out is:
deb http://security.debian.org/ stable/updates main
With this restriction in place you can now create the shell script that will do the updating. You create a shell script using a standard text editor. Create the new shell script with the command:
nano /usr/local/security-patches.sh
and enter the following commands:
#!/bin/sh
apt-get upgrade
init 6
The init command will restart the system. Normally when you patch a daemon you'll want to restart that daemon to make sure the patches take effect. However, since you won't know which daemon got patched with this automated process there's no way to know which daemons to restart, so simply restarting the system is the safest way to go. If you want to try this out on a system that does use a modem to connect to the Internet, you'd have to add in the appropriate pon and poff commands:
#!/bin/sh
pon
sleep 30
apt-get upgrade
poff
init 6
Save the file and then change the permissions to make it executable using the command:
chmod 755 /usr/local/security-patches.sh
This is a very basic script. You'll probably want to set up some 'if' statements which test to make sure you got connected and check the success of the apt-get command.
How can you check to see if apt-get executed successfully? If you're familiar with DOS you know you could check the value of the ERRORLEVEL environment variable to determine the success of a command. In Linux/UNIX it's called the "exit status" and the special shell variable ? holds it. Entering the command:
echo $?
will display the exit status of the most recently run command. (Remember that you have to put the $ in front of a variable when referring to its value, as with the echo command or when using an 'if' statement in a shell script.) A zero indicates success (just remember "zero errors") and anything greater than zero represents some kind of problem.
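Here is what those 'if' statements look like in practice, as an added example rather than this page's own script. It carries the exit-status idea through: every step runs via run_step, which logs whether the command returned zero, and the reboot only happens when apt-get succeeded (a failed step is logged and the script gives up instead of rebooting a half-patched box). Two things it adds that the three-line version lacks: apt-get update runs first, because apt-get upgrade only installs what the local package list already knows about, and -y answers the "Do you want to continue?" prompt that apt-get would otherwise wait on when run from cron. The command names are kept in variables (APT_GET, IFCONFIG, PON, POFF, INIT) so the logic can be exercised with stand-in commands; those variables, the USE_MODEM and DIAL_WAIT settings, the "run" argument and the log file location are assumptions of this example.

```shell
#!/bin/sh
# Checked version of /usr/local/security-patches.sh (added example, not the page's
# script). Every step is run through run_step, which records the exit status, and
# the reboot only happens when the upgrade itself succeeded.

APT_GET=${APT_GET:-apt-get}
IFCONFIG=${IFCONFIG:-ifconfig}
PON=${PON:-pon}
POFF=${POFF:-poff}
INIT=${INIT:-init}
USE_MODEM=${USE_MODEM:-no}        # "yes" on a dial-up system (assumed switch)
DIAL_WAIT=${DIAL_WAIT:-30}        # seconds to give pon before checking the link
LOGFILE=${LOGFILE:-/var/log/security-patches.log}

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOGFILE"
}

# run_step NAME COMMAND...: run COMMAND, log its exit status and return that
# status unchanged (0 means success, just like $? at the shell prompt).
run_step() {
    name=$1
    shift
    "$@"
    status=$?
    if [ "$status" -eq 0 ]; then
        log "$name: ok"
    else
        log "$name: FAILED (exit status $status)"
    fi
    return "$status"
}

# ppp_up: succeed only if the ppp0 interface exists, i.e. the dial-up connected.
ppp_up() {
    $IFCONFIG ppp0 >/dev/null 2>&1
}

# give_up: hang up (on a modem system), then report failure. No reboot on this path.
give_up() {
    if [ "$USE_MODEM" = yes ]; then
        $POFF
    fi
    return 1
}

# patch_system: dial if needed, refresh the package list, upgrade, hang up, reboot.
# Returns 0 once the reboot has been requested, 1 if any step failed.
patch_system() {
    if [ "$USE_MODEM" = yes ]; then
        run_step "pon" $PON || return 1
        sleep "$DIAL_WAIT"
        if ! ppp_up; then
            log "dial-up did not come up; giving up"
            give_up
            return 1
        fi
    fi
    # apt-get upgrade only installs what the local package list knows about, so
    # refresh the list first; -y answers the prompt that cron cannot answer.
    run_step "apt-get update" $APT_GET update || { give_up; return 1; }
    run_step "apt-get upgrade" $APT_GET -y upgrade || { give_up; return 1; }
    if [ "$USE_MODEM" = yes ]; then
        run_step "poff" $POFF
    fi
    log "upgrade complete, rebooting"
    $INIT 6
}

# Only act when called as "security-patches.sh run", so the file can also be
# sourced to reuse its functions without patching anything.
case ${1:-} in
    run) patch_system ;;
esac
```

With this version the crontab entry becomes /usr/local/security-patches.sh run, and a glance at the log file the next morning tells you whether the box was actually patched or whether, say, the download failed halfway through.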
cron
cron is the memory-resident scheduler daemon that can execute commands and scripts at regular intervals. The jobs it runs are listed in a crontab file which is edited using the crontab utility.
The following command will list the contents of your current crontab file:
crontab -l
You'll want to add an entry to the crontab file for the security-patches.sh shell script. Each line of the file is basically:
[when to run] [what to run]
The "when to run" is a field which consists of five space-delimited values in the following order:
• Minutes past the hour (0 to 59)
• Hour of the day (0 to 23)
• Day of the month (1 to 31)
• Month of the year (1 to 12)
• Day of the week (0=Sunday to 6=Saturday)
You can use the asterisk (*) to specify all values for any given entry. For example, to run a job every Saturday at 11:15 pm you would use the following values:
15 23 * * 6
Be careful with these values. You'd rarely want to enter a number for the "Day of the Month" and the "Day of the Week". For example, if you entered:
15 23 3 * 6
cron would only run the job when the 3rd falls on a Saturday.
You can enter multiple values for each entry by separating them with commas. We set up cron jobs to check the logs twice a day, every weekday, at noon and again at 5 pm. This required the following values:
0 12,17 * * 1,2,3,4,5
Remember that the space is the delimiter between the five entries.
The "what to run" is what you want cron to execute and is basically anything you can enter at a shell prompt: any command, including pipes and redirects, a shell script, etc. Since we want to run the security-patches.sh shell script, which we saved to the /usr/local directory, our crontab entry ends up looking like this:
0 3 * * 0 /usr/local/security-patches.sh
Note that only a space separates the "what to run" value from the last of the "when to run" values. The "when to run" values above will run the security-patches.sh shell script every Sunday morning at 3 a.m.
So now that we know what our entry will be, we have to use crontab to enter it into the crontab file. At the shell prompt, enter:
crontab -e
This will fire up your default text editor with the current crontab file automatically loaded (which is likely empty). Simply enter your new crontab entry and close the editor. You can check to make sure your entry was added to the crontab file by entering the following command at the shell prompt:
crontab -l
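crontab -e is fine at the keyboard, but not from a setup script you run on several machines. As an added example (not part of this page's procedure), the two functions below add the Sunday 3 a.m. entry without opening an editor: merge_cron_entry appends a line to the crontab text it reads on standard input unless that exact line is already there, and install_cron_entry feeds the result back through crontab -, which replaces the current crontab with what it reads on standard input. The CRONTAB variable is this example's own so the merge step can be tried out on constructed input.

```shell
#!/bin/sh
# Non-interactive crontab update (added example; not part of the page's procedure).

CRONTAB=${CRONTAB:-crontab}   # overridable for testing; assumption of this example

# merge_cron_entry ENTRY: read the current crontab text on stdin and print it with
# ENTRY appended, unless an identical line is already present, so running the
# installer twice does not schedule the job twice.
merge_cron_entry() {
    awk -v entry="$1" '
        { print; if ($0 == entry) seen = 1 }
        END { if (!seen) print entry }'
}

# install_cron_entry ENTRY: fetch the current crontab (empty if there is none),
# merge ENTRY into it and install the result with "crontab -".
install_cron_entry() {
    { $CRONTAB -l 2>/dev/null || true; } | merge_cron_entry "$1" | $CRONTAB -
}

# Usage:
#   install_cron_entry '0 3 * * 0 /usr/local/security-patches.sh'
#   crontab -l      # confirm the line is there
```

Because the merge step is idempotent you can put install_cron_entry in a post-install script and re-run that script as often as you like; crontab -l afterwards shows the entry exactly once.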
Debian Linux Modem Configuration
This page covers how to configure dial-up modems. See the Web HOWTO documents for cable or DSL modems. A comparison of cable and DSL broadband services is presented on the Networking page.
First and foremost, make sure your modem is not a "winmodem" (a stripped-down modem that's controlled through a Windows software driver). Second, if at all possible get yourself an external modem. An external non-winmodem modem presents a lot fewer headaches to set up, and having the indicator lights to look at during proxy/firewall testing and console FTP (when there is no file transfer progress indicator) is a real benefit. Internal modems basically have three problems: they are either winmodems, are likely going to be PCI bus modems (and 99% of PCI bus modems are winmodems), or they have to be set up via software, which is usually only available for Windows.
Also, if you're going to use an external modem, go into your system BIOS' peripheral settings and take the serial port you've connected the modem to (connect the modem before doing this) out of AUTO mode so that it explicitly uses 3F8h/IRQ4 or 2F8h/IRQ3.
Note: If your system won't be connected to a network that has Internet access you'll want to spend a little extra to get a good modem. Once you get your system set up using the CDs you'll rely on the modem to update your system. With so many people going to broadband services at home, you can usually pick up an external USR Sportster 56K non-winmodem on eBay for around $35.
Because internal modems also represent an additional serial port, you have to be careful in setting the modem up. If you have an internal modem that you want to try and use, see if it has jumpers on it that will allow you to set the I/O port and IRQ settings. If it doesn't, and it only comes with Windows configuration software, you'll have to temporarily install the modem into a Windows system and use the software to set the I/O port and IRQ values. In addition, ISA-bus internal modems are better for use with Linux than PCI modems. If money is tight, try finding an internal 56K ISA modem that has jumpers (so you can manually set the port and IRQ) on eBay. Again, make certain it's not a winmodem.
The Physical Connection
Newer systems will come with either one or two serial ports which are built into the motherboard. These are typically 9-pin male connectors on the back of the PC. You can simply connect an external modem to one of these. If you add an internal modem to the system it has to be set up as the next serial port (for example number 3 in a system that has two of them built in). Or, if your system BIOS allows it, you could disable the second serial port and set the modem up to take its place. The following table will help you set the jumpers or software configuration on an internal modem card.
Serial Port   DOS    Linux        I/O Port   IRQ
First         COM1   /dev/ttyS0   03F8       4
Second        COM2   /dev/ttyS1   02F8       3
Third         COM3   /dev/ttyS2   03E8       4
Fourth        COM4   /dev/ttyS3   02E8       3
Be careful when specifying the serial ports in Linux/UNIX commands. As you can see from the above table, the Linux ttyS number is one less than the DOS COM number because Linux starts at 0 while DOS starts at 1. If you've had some experience with DOS, typing in ttys0 when you mean the COM1 can take some getting used to.
If you're stuck with an internal modem with no jumpers, or you have problems with an internal modem, try reading through the Modem HOWTO.
Once you've got your modem connected and powered up a simple command will let you know if the system can communicate with it. For a modem connected to the second serial port, simply type in:
echo atdt3333333 > /dev/ttyS1
You should hear some clicking noises from the modem. If it's an external modem you can also look for lights flashing.
If the modem actually dials the '3333333' number you'll quickly want to follow that command with this one:
echo ath > /dev/ttyS1
to hang the modem up.
If the above test didn't work on a desktop system, don't proceed. You've got some troubleshooting to do. Don't overlook the obvious things, like the modem's speaker volume being turned down (you could try listening for the dialing attempt on an extension phone) or you simply used the wrong number for the ttyS part of the command.
For serial ports that are integrated into the motherboard one thing you can try is going into your system's BIOS and hard-setting the values (as given in the above chart) rather than using any "Auto" or "OS configurable" settings. You can also see what the OS thinks the ports are set to using the setserial for the appropriate port. For example, for the second serial port you would use:
setserial /dev/ttyS1
This command does not indicate what the actual port settings are. It merely shows what the OS is going to use to access that port so your hardware port settings, whether set with jumpers or in the BIOS, have to match what this command displays.
The above echo command didn't work when I tried it on my notebook with a 3Com PCMCIA modem. However, it still dialed out and connected fine once I got everything configured as detailed in the next section. The PCMCIA HowTo document covers several useful utilities you can use when working with PCMCIA devices under Linux.
The Logical Connection
Now that your modem is physically connected properly it's time to set up a connection to your ISP. Be sure you are logged in as root before proceeding.
There are actually two parts to setting up a connection to your ISP. You have to configure the dialer (the chat program), and the PPP (Point-to-Point Protocol) settings (the pppd daemon). PPP is the protocol that modems use to communicate over a serial link. (PPP is a powerful protocol that is also often used when connecting distant routers over dedicated leased lines.)
Knowing the version of the pppd daemon you're using can sometimes be useful. While pppd doesn't have a command-line parameter to show the version, using the -v parameter does work because it's seen as an invalid parameter and, as such, causes the help screen to appear. The version number is at the top of this information. So to see your pppd version, simply use the command:
pppd -v
To configure chat we have to edit the /etc/chatscripts/provider file. Initially, the file looks like this:
ABORT BUSY
ABORT "NO CARRIER"
ABORT VOICE
ABORT "NO DIALTONE"
"" ATDT
ogin
word \q
You can edit this file by entering the following two commands:
cd /etc/chatscripts
nano provider
Once you edit the file it should look something like this:
ABORT BUSY
ABORT "NO CARRIER"
ABORT VOICE
ABORT "NO DIALTONE"
"" ATDT5551212
ogin bgates
word \qluvlinux
Press Ctrl-X and then 'y' when prompted to save the changes (and Enter when the file name is displayed).
Once you've edited and saved the file it's time to configure ppp. Oddly enough, this configuration file has the same name as the dialer configuration file. It's just located in a different place.
/etc/ppp/peers/provider is the ppp configuration file. You edit it by typing in:
cd /etc/ppp/peers
nano provider
There are only two things you need to change in this file:
• Look for the default modem line which has /dev/modem and change it to the correct ttyS entry for your modem's serial port (ex: /dev/ttyS1 for the second serial port)
• Look for the speed line which has 38400 and change it to 115200
The speed setting of 115200 may be too high only if you have a 486 computer that doesn't have a 16550 UART chip. If you're using a 486 and not sure of the UART, play it safe and set the speed to 56700 instead. Exit the nano editor saving the file.
There's only one more file that we need to edit and it's not really related to ppp or the dialer. It's a TCP/IP configuration file. The /etc/resolv.conf file is where you enter your DNS server information. If you're going to be connecting to the Internet you need to be able to resolve domain names (we talk more about this on the DNS Services page).
You'll need to use your ISP's DNS server settings, the same way you enter them if you set up a Dialup Networking connection in Windows. If you don't remember these settings your ISP likely lists them on one of their technical support Web pages. Edit the resolv.conf file by entering:
cd /etc
nano resolv.conf
and edit the file entering the two IP addresses of your ISP's DNS servers so it looks like this:
search yourisp.com
nameserver 172.18.180.99
nameserver 192.168.203.5
It's likely that the domain name on the search line is the one you entered during the installation. Be sure to change it to your ISP's domain name. Once you save this file and exit the editor you're ready to roll.
Above we said that the pppd daemon is responsible for setting up the connection. We don't run the daemon directly. Instead we use a couple of shell scripts that have been created to set up the connection and to take it down when we're done. These two shell scripts are called pon and poff.
Because you changed several configuration files it would be easier to simply reboot the system rather than restart the associated services. Once it comes back up and you're logged in, simply enter:
pon
at the shell prompt to dial and connect to your ISP. If you have an external modem you can watch the lights to see if you get a connect. Once you're connected, see if you can ping one of the DNS servers that you entered in the above resolv.conf file. For example, if the address of one of the DNS servers is 172.18.180.99 you would enter:
ping 172.18.180.99
You should get responses back. Press Ctrl-C to stop the responses.
You can also check to make sure your DNS resolution is working correctly by trying to ping using a domain name.
ping www.debian.org
You should get responses back here also. If you can ping an IP address but not a domain name, something is wrong in your resolv.conf file.
Note: You may not receive ping responses if you have already configured a network card on your system. This is because the system is using the default gateway setting for your ethernet NIC (if you entered an IP address for one during the install) and not the ppp0 interface that the modem sets up. You can check this out with the command:
route
Look for the default line. Look at the far right column and see if eth0 is listed as the "Iface" for this line. If it is, your system is sending all your Internet-destined traffic out of the NIC (a dead end). Try typing in the following command at the shell prompt:
route add default ppp0
Now try pinging your ISP's DNS server address. You should be able to now because your system is routing traffic out of the modem. You can verify this by looking at the system's routing table again by again entering route by itself at the shell prompt. You should see a second default line with ppp0 listed in the right-most column.
The above behavior is normal. Think about it. If you have a network-connected system but you need to access the Internet via a modem, your network obviously doesn't have a gateway to the Internet. In this case, you shouldn't have a default gateway setting in your NIC configuration. We get more into default gateways and the ping command on the Networking page.
Have you ever surfed the Web using a text-based Web browser? Try it out! At the shell prompt type in:
apt-get install lynx
and press Enter. Once it's installed type in lynx at the shell prompt to start it. Then use the following keys to try it out:
• use the up and down arrow keys to move from one link to another and look at the text on the current page
• use the right arrow key to "follow" a link
• use the left arrow key to return to the previous page
• hit the g key to enter a URL to go to a different site
• hit the q key to quit lynx
Have you ever wondered why those HOWTO pages all have the same bland format? It's so they display in a readable format when viewed with text-based browsers. Try looking at one of the HOWTOs in Lynx by pressing g and then typing in the following URL (note that it, like Linux/UNIX, is case-sensitive):
http://www.tldp.org/HOWTO/Net-HOWTO/
As you can see, you don't need a GUI to get Web-based help with your Linux questions.
You can now also try starting up the GUI with the startx command and firing up the Mozilla browser we installed on the Packages page.
When you're done using the Internet connection be sure to disconnect from your ISP by typing in:
poff
at the shell prompt.
Testing Your Server
If you've got two phone lines you can use your new dial-up connection to use one phone line to connect your Debian system to your ISP and the other to call a friend or family member in a different part of the country (who also has two phone lines) and walk them through trying out the server capabilities of your Debian system. If you or they don't have two phone lines you could just make sure you're both on line at the same time and e-mail the IP address of your Debian system to them.
The Web Server
If you installed the Apache Web server package as illustrated on our Packages page, you can ask your friend or family member in a different part of the country (or a different part of the world for that matter) to try and access your Web server.
If you're not already connected to the Internet, use the pon command to connect your Debian system to your ISP. Once connected, at the shell prompt type in:
ifconfig
If you've got a network card installed and configured you'll see three "interfaces" listed, the loopback, eth0, and one for ppp0 which is your dial-up connection. If you don't have a NIC you'll just see the loopback and ppp0 entries. Look at the IP address next to "inet addr:" in the ppp0 entry. That's the IP address your ISP assigned to your Debian system for this call. This is what you want your friend or family member to type into their browser. For example, if the IP address assigned for the ppp0 interface is 172.17.59.132, then tell or e-mail your friend or family member to type the following into the location/address bar in their Web browser:
http://172.17.59.132
They should see the same Apache/Debian Web page you may have seen if you tried this back on the Packages page. The difference is they are accessing your system and pulling the page over the Internet, whereas you were accessing the system and pulling the page over your local network.
How About Telnet ?
The Debian 2.2 install routine enables telnet access by default. (For Woody and Sarge we added the telnet package back on the Installation page.) If your friend or family member is fairly computer-literate you can also have them try and telnet into your system over the Internet. You'll need to create an account for them but that's easy enough. The commands:
useradd -m dad
passwd dad
create an account with a login name of dad (along with a home directory for dad) and then prompt you, twice, for dad's password, which in this example is october. (Don't use useradd's -p option for this: it expects an already-encrypted password rather than a plain-text one, so passing october to it would not give dad a usable password, and the password would also end up in your shell history.)
Note: For security reasons, you cannot telnet or ftp into a server using the root superuser ID. You'll want to use the non-root account you created during the Debian installation. In the case of telnet, once you log in using your non-root account you can use the su command to log in as root. You'll then have to type in exit twice when you are finished. Once to exit out of the root login, and then one more time to close the telnet session.
We're assuming your friend or family member uses a Windows PC to connect to the Internet. Tell or e-mail them to click on the "Start" button and select "Run" and then in the command input field they just type in:
telnet 172.17.59.132
(or whatever the IP address of your Linux system's ppp0 interface is) and press Enter.
Once connected they should get a login prompt. This is where they enter the ID and password you set up with the above useradd command. Once they log in they should get a shell prompt with a $ at the end. They can then type in different Linux commands as if they were sitting at the console.
You could tell them to disconnect gracefully by typing in exit at the shell prompt but that's no fun. You can see which process they came in as by entering the following command:
ps -A
You'll see an entry for in.telnetd and all the way over on the left side of this line you'll see a PID (Process ID number). It'll be something like 716 or some other number. (If you don't have two phone lines and you're waiting for the person to try and telnet in at your pre-arranged time, you can just press the Up Arrow key and Enter repeatedly to run the ps command to watch for their connection.)
Once you know their PID, you can disconnect them by killing their process. Just type in:
kill 716
(or whatever their PID is) to kill their telnet process which will disconnect them.
Again, be sure to use the poff command when you're finished testing.
There's no reason you can't have a modem connection to the Internet and a network connection to a LAN both going at the same time. As a matter of fact, with such a dual-connected configuration you could set your Debian system up to be a proxy server where it would act as the default gateway for your LAN. We'll cover the basics of that on the Networking page and show you how to set one up on the Proxy/NAT page.
How To Set Up A Linux Network
Before we get into setting up Linux networking on a Debian system, we'll cover the basics of how to set up a network with both Windows and Linux systems and how to make it a "private" network. Here the term "private" may not mean what you think it does. It has to do with the IP addresses you use on your home or business network. You'll then understand the value of having a proxy/NAT server or a firewall system which also performs the proxy/NAT function on your network.
Once we cover the "whys" and "whats" we'll get into the "hows". You'll see how easy it is to set up a home or small-business network including what hardware is needed. We'll briefly mention what you need to look at on Windows PCs and present more in-depth information on which files are used on a Debian system to set up networking. The Network Configuration Files section shows what files are involved in setting up your Debian system to work on a local network and how they need to be configured to enable the various functions involved in networking including being able to connect to the Internet.
Note: Even if you're not familiar with TCP/IP networks, try giving the material on this page a shot. It's presented in an introductory manner. Don't be concerned if you don't understand all of the material on OSI layers, subnetting, etc. presented on this page. Understanding this material is not necessary when setting up a network or using the subsequent guide pages on this site. It is merely presented for those who wish more in-depth information.
Even if you don't have a network you can still play around with the material present on this page and on the Proxy/NAT and Firewall pages. See the No-Network Network section below on how to do this.
What's particularly appealing about Linux for small businesses and non-profit organizations is that you can set up both internal (file, print, database) servers, external Internet (Web, e-mail, ftp) servers, firewalls, and routers (yes, you can set up a Linux system to be a router too) for very little cost. The operating system and server applications are free and, given that Debian will run on older hardware, the hardware costs can be minimal. These attributes also make it a great toy for those wishing to learn more about networking. Pick up one CD set and you can set up all the Linux servers, firewalls, and routers you want and experiment your brains out.
"Private" Networks
Theoretically, every system on a network needs a unique identifier (a unique address). As such, every system that accesses the Internet would need a unique IP address because TCP/IP is the protocol of the Internet. However, when the Internet exploded in the mid-90s it became clear that there simply were not enough addresses available in the TCP/IP address space for every computer in every office of every Internet-connected organization. That doesn't even take into account those who wanted to access the Internet from home.
The solution was to create "private" address ranges to be used in conjunction with "address translation". Let's look at the first piece first.
Three blocks of IP addresses were set aside as private, meaning that all of the routers on the Internet would be configured to not route them. That's why private addresses are also referred to as "non-routable" addresses. The benefit? If packets from systems with private addresses weren't routed between Internet-connected networks, then a whole bunch of networks could use the same private addresses because they'd never "see" each other's addresses. In other words, these same addresses could be used by any number of computers around the world because if they weren't routed, it would never be "discovered" that they weren't unique.
So if they're not routed, how do you get on the Internet if your computer has a private address assigned to it? That's where the second piece, address translation, comes in. Normally, in order for all the computers in a company to have Internet access they would all have to be assigned routable ("public") IP addresses that could pass through the Internet. Since there aren't enough addresses for this, companies instead assign all of the hundreds of computers in their organization private addresses and they all share a single "public" address to access resources on the Internet. This sharing is accomplished by configuring privately-addressed systems to use a special server, called a proxy server, to access the Internet.
A proxy server has two NICs (Network Interface Cards) because it's connected to two different networks. One NIC is connected to the Internet and is assigned a single "public" (routable) IP address. (This NIC is referred to as the "external interface".) The other NIC is connected to the company's internal network. It is assigned a private IP address so that it can communicate with all of the other privately-addressed computers in the company. (This NIC is referred to as the "internal interface".) The proxy server acts as a "gateway" onto the Internet. (Because of the gateway behavior, a proxy server should also have firewalling capabilities to protect the internal network.) However, in addition to acting as a gateway, it acts as an address translator.
The private IP addresses assigned to the systems on your internal network are chosen by you from one of the three private address ranges listed below.
Public IP addresses are only available from an ISP. In most cases, such as with a dial-up, DSL, or cable modem, your ISP automatically assigns a single public address to your modem using PPP, bootp, or DHCP. This assigned address can change from time to time ("dynamic"). It requires no configuration on your part. Business customers typically obtain multiple public addresses from their ISP. These addresses do not change ("static"). Static addresses are needed for Internet servers that are referenced by DNS records such as Web servers, mail servers, etc. that are contacted using a domain name.
When a computer on the internal network with a private address wants to request information from a Web site, it actually sends the request to the internal interface of the proxy server. The proxy server, with its public routable address on the external NIC, is the one that actually sends the request to the Internet Web server. The Web server sends the response back to the proxy server's external NIC, and the proxy server then forwards the response on to the computer on the internal network that made the initial request. The proxy server keeps track of which internal computers make which requests.
The advantage? Hundreds of computers in a company can access the Internet and only take up a single public Internet address (that of the proxy server's external NIC). Another advantage is security. If your computer's address can't be routed over the Internet, it would be hard for someone to get at your computer from the Internet. (There are ways though.)
The translating of a private address to a public address (outbound request) and back again (inbound response) is most commonly known as NAT (Network Address Translation). In the Linux community it's also often referred to as "masquerading" because the proxy server hides the true identity of the internal computer that made the initial Internet request.
The internationally-established private IP address ranges that can be assigned to internal network computers are as follows:
• 10.0.0.1 through 10.255.255.254
  o 16,777,214 addresses
  o 16,777,214 computers on 1 network (10.x.x.x)
  o Uses a subnet mask of 255.0.0.0
  o First octet must be the same on all computers
  o A Class A address range
• 172.16.0.1 through 172.31.255.254
  o 1,048,574 addresses
  o 65,534 computers on each of 16 possible networks (172.16.x.x to 172.31.x.x)
  o Uses a subnet mask of 255.255.0.0
  o First two octets must be the same on all computers
  o A Class B address range
• 192.168.0.1 through 192.168.255.254
  o 65,534 addresses
  o 254 computers on each of 256 possible networks (192.168.0.x to 192.168.255.x)
  o Uses a subnet mask of 255.255.255.0
  o First three octets must be the same on all computers
  o A Class C address range
Clearly, with 254 possible addresses on each of the 192.168.x.x private address ranges, using one of these ranges is plenty for most small businesses and those who want to play around with a network at home. (This is why, you may recall, the default IP address in the "Network Setup" part of the Debian installation was 192.168.1.1.) The 10.x.x.x address space is often used by very large organizations with many dispersed locations. They will "subnet" this large private address space so that one location will have an address range of 10.3.x.x, another will have 10.4.x.x, and so on, with each location having the ability to have up to 65,534 computers. Each location may even further subnet its address space for different departments or facilities. For example, in the location that has the 10.3.x.x address space, the engineering department will have the 10.3.2.x space, accounting will have the 10.3.3.x address space, etc., with each department being able to have up to 254 computers. (You'll see where these numbers come from later.)
Each of the numbers separated by periods in an IP address is referred to as an "octet" because the value of the number (0 to 255) is derived from eight binary bits. An IP address actually consists of two parts. The first part of an IP address identifies the Network that a computer is on, and the other part identifies the individual Computer on that network.
There's an often-used analogy comparing an IP address to a telephone number. The network part of the IP address is analogous to the area code, and the computer part of the IP address is like the individual's phone number. All the people on a phone company's network (in one area code) have the same area code number, and no two of them have the same phone number. Conversely, two people can have the same phone number in different parts of the country because they're not in the same area code (not on the same network). It's when you put the area code and an individual's phone number together that the number becomes one that is unique to the entire country (internetwork). In this context, we call the area code the prefix. With IP addresses, the network part of an IP address is the prefix.
Note: If you get into routers you'll learn about another instance where this telephone number analogy holds true. The long distance carriers don't care what the individual's phone number is. All they look at is the area code and route the call to the baby bell's appropriate switching center. Likewise, most network routers don't care about the computer part of an IP address. They only look at the network part of the address because routers route packets between networks, not PCs. The only router that cares about the computer part of the address is the "final hop" router (the router which is connected to the network segment that the destination computer is connected to).
With national phone numbers the prefix is always three digits. Unlike national phone numbers, the prefix of an IP address can vary in length. That's where a subnet mask comes in. It determines how much of the IP address is the prefix (the network part). If you have a subnet mask of 255.255.0.0 it means that the first two numbers (octets) in an IP address are the network part (prefix) of the address and the last two numbers (octets) are used to identify the individual computers on that network.
Note that a '1' in a subnet mask indicates a Network bit and a '0' indicates a Computer bit. Because of the way an IP address is split into two parts (network part followed by the computer part), a subnet mask will always be a series of consecutive 1s followed by a series of consecutive 0s. In other words, you'll never see a subnet mask where 1s and 0s are interspersed (ex: 11100110).
Here are a few points you need to be aware of when you assign IP addresses to systems on a network:
• All systems on an internal network must have the same subnet mask
• The network part of the IP address must be the same for all computers on the internal network
• The computer portion of the IP address must be different for every computer on the internal network
That second point is important. With a Class C network the subnet mask of 255.255.255.0 indicates the first three octets are the "network" part of the IP address. That means that the first three numbers (octets) of the IP address must be the same on all of the computers on this internal network. That leaves only the last octet available to identify individual computers on the network (8 bits allows 254 computers to be uniquely identified, using a value between 1 and 254 for the last octet).
Note: People are often confused by the 192.168.x.x private address range because it has two 'x's. The first 'x' means you can pick one and only one number from the range of available values (0 through 255) for your network. Because this is a Class C address which uses a subnet mask of 255.255.255.0, the number you choose for the first 'x' must be the same on all systems on your network.
You can set up a network with 192.168.1.x addresses and another network with 192.168.2.x addresses, but because these are Class C address ranges they are two totally separate networks. You would need to set up a router to inter-connect the two networks in order for the machines on both networks to talk to each other. If you think that the number of servers, workstations, network printers, switches, etc. you may have in the foreseeable future may grow to more than 254, you may want to consider using the Class B private address space on your network.
The range of values for the last octet (to assign to computers) on a Class C network is 1 to 254. So you can only have 254 computers on a network that has a subnet mask of 255.255.255.0 (a Class C network). A '0' in the last octet is reserved as the "wire" address for the network and 255 in the last octet is the broadcast address for the network. No system can be assigned either of these numbers. The following addresses can't be assigned to computers when using the private IP address ranges:
"Wire" or "Network" Addresses:
10.0.0.0
172.16-31.0.0
192.168.0-255.0
Broadcast Addresses:
10.255.255.255
172.16-31.255.255
192.168.0-255.255
Because you can't use these two (wire and broadcast) addresses to assign to computers, the number of addresses that you can assign to computers can be calculated using the equation:
2^c - 2 = number of available computer addresses
where c is the number of computer bits in your subnet mask. Now you can see how we came up with the number of computers you could have on each network when we gave the three private address ranges earlier. With a Class B address you have 16 computer bits in the subnet mask (255.255.0.0), so using our equation we end up with:
2^16 - 2 = 65,536 - 2 = 65,534 available computer addresses
On a Class C network we have 8 computer bits in the subnet mask (255.255.255.0), so:
2^8 - 2 = 256 - 2 = 254 available computer addresses
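The subnet arithmetic above (network part, wire and broadcast addresses, the 2^c - 2 host count, and the rule that a mask is a run of 1s followed by 0s) can be checked with Python's standard ipaddress module. This is an added example, not code from the original page; the sample addresses in it are constructed, and it also covers the "are these two computers on the same network" question from the Class C note above.

```python
# Added example, not from the original page: the subnet arithmetic behind
# the private ranges and the 2^c - 2 host-count formula, done with Python's
# standard ipaddress module. All sample addresses below are constructed.
import ipaddress

# The three private ranges the text lists, in prefix notation.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),       # Class A range, mask 255.0.0.0
    ipaddress.ip_network("172.16.0.0/12"),    # 172.16.x.x to 172.31.x.x
    ipaddress.ip_network("192.168.0.0/16"),   # 192.168.0.x to 192.168.255.x
]


def mask_to_bits(mask):
    """Count the network (1) bits in a dotted subnet mask.

    Raises ValueError if the 1s and 0s are interspersed (e.g. 255.255.0.255),
    since a valid mask is a run of 1s followed by a run of 0s.
    """
    value = int(ipaddress.IPv4Address(mask))
    ones = bin(value).count("1")
    contiguous = (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF
    if value != contiguous:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones


def describe(ip, mask):
    """Wire (network) address, broadcast address and usable host count."""
    network_bits = mask_to_bits(mask)
    net = ipaddress.ip_network(f"{ip}/{network_bits}", strict=False)
    computer_bits = 32 - network_bits              # the 'c' in the formula
    return {
        "network": str(net.network_address),       # all computer bits 0
        "broadcast": str(net.broadcast_address),   # all computer bits 1
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "usable_hosts": 2 ** computer_bits - 2,    # 2^c - 2
    }


def is_private(ip):
    """True if ip falls inside one of the three non-routable ranges."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in r for r in PRIVATE_RANGES)


def same_network(ip_a, ip_b, mask):
    """True if the network parts of both addresses match under the mask."""
    bits = mask_to_bits(mask)
    net = ipaddress.ip_network(f"{ip_a}/{bits}", strict=False)
    return ipaddress.IPv4Address(ip_b) in net


def assignable(ip, mask):
    """True if ip may be given to a computer (not the wire or broadcast address)."""
    info = describe(ip, mask)
    return ip not in (info["network"], info["broadcast"])


if __name__ == "__main__":
    for ip, mask in [("10.3.2.7", "255.0.0.0"),
                     ("172.20.5.9", "255.255.0.0"),
                     ("192.168.1.37", "255.255.255.0")]:
        print(ip, mask, describe(ip, mask), "private" if is_private(ip) else "public")
    # Two 192.168 networks are separate under a Class C mask but one under a Class B mask.
    print(same_network("192.168.1.5", "192.168.2.5", "255.255.255.0"))
    print(same_network("192.168.1.5", "192.168.2.5", "255.255.0.0"))
```

Running it prints the wire and broadcast addresses for one host in each private range together with 16,777,214, 65,534 and 254 usable hosts, the three numbers given in the list of ranges above; `mask_to_bits` rejects an interspersed mask such as 255.255.0.255 outright rather than silently computing a wrong network part.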
Earlier we said that private address ranges and NAT help conserve IP addresses but the use of subnet masks can also. For a more thorough explanation on IP address classes and the use of subnet masks check out the Subnetting section later in this page.
You may run into networks in businesses and schools where the computers don't have private addresses. Our local community college is one such case. That's because they jumped on the Internet bandwagon early when public addresses were being handed out for the asking and got themselves a Class B public address (which allows them to have 65,534 publicly addressed computers). Every PC at all the campuses has a publicly routable address. The upside is they don't need to use a proxy/NAT server in order for the students to be able to access the Internet. The downside is that their internal network is basically a part of the Internet. This is a huge security risk if no firewall is in place because every system is accessible from anywhere in the world (which is why they have a mega-bucks Cisco PIX firewall appliance).
If you're using a networked Windows system at the office and you want to see what your system's TCP/IP settings are, open up a DOS window and enter the command:
ipconfig
To view the TCP/IP settings configured for a NIC on a Linux system type in the following command at the shell prompt:
ifconfig
and look for the "eth0:" entry.
What Network Hardware Does
Now that we've covered the "logical" part of networking, let's take a look at the hardware. When you talk networking hardware you're talking NICs, hubs, switches, routers, cables, etc. However, hubs are quickly disappearing, being replaced by switches. When switches were first introduced, they were significantly more expensive than hubs on a "per port" cost basis, but their prices have dropped to the point where the cost difference isn't an issue.
Why are switches better than hubs? When two PCs want to talk to each other, switches set up a virtual direct connection between the two. This means the bandwidth isn't shared with other systems. The two PCs get it all (100 Mbps). They accomplish this by using the MAC addresses of systems on the network.
Each system on a network actually has two addresses. A "logical" IP address that can be assigned and changed by you at will, and a "physical" hardware address that is permanently burned into a NIC. This permanent hardware address is often referred to as a MAC address or "BIA" - Burned-In Address. (Physical, hardware, MAC, and BIA all refer to the same address.) Each "packet" sent over a network must include both the logical and physical addresses to identify the destination computer.
The above diagram shows how the MAC and IP addresses are used on a LAN. It also illustrates the theory behind how "encapsulation" is used to build a frame and how they apply to the OSI layers. Don't worry about the OSI layer stuff if you're not studying networking. It's presented in just about every network book ever written so I included the references here for those that may be reading up on networking and are encountering this material. (The "FCS" at the end of the frame stands for Frame Check Sequence which is a CRC checksum to make sure the frame didn't get corrupted in transit.) The above also shows why TCP/IP is independent of the networking technology used. When using WAN connections instead of an ethernet LAN, the TCP/IP packet would be encapsulated in a PPP (dial-up, ISDN, or leased-line), frame relay, or X.25 frame. If encapsulated in a frame relay frame, the Layer 2 addressing would use numbers called DLCIs (Data Link Connection Identifiers) instead of MAC addresses.
Technically, using the term "packet" when referring to what's sent across the wire isn't proper. A packet has a very specific meaning in the TCP/IP world. The term "frame" would be more appropriate but it's become rather common to mis-use the term "packet" in this way, such as in "packet sniffers", etc. And actually, nothing is "sent" across a network cable. The voltage on the network cables just fluctuates rapidly and, like the telegraph operators in the old west who knew Morse Code, every device attached to the same LAN cable segment senses and monitors this series of fluctuations to see if they pertain to them (as indicated by the destination MAC address). If you're familiar with the OSI model, these voltage fluctuations are what's referred to by "Layer 1". It's the NIC's job to convert a frame into a series of voltage fluctuations when sending and to use these voltage fluctuations to rebuild a frame when receiving.
The encapsulation scheme was devised because it offers flexibility. One layer's packet is the next lower layer's payload. Packets that travel over a LAN are encapsulated in an ethernet frame. If you're connecting to another network using a modem, your computer encapsulates the packets in a PPP frame. The Layer 2 framing is dependent on the connection technology you're using. When Cisco routers are used to connect remote sites they can use any number of different technologies with their related framing protocols including PPP, frame relay, HDLC, etc. Likewise, the Layer 3 protocol could be IPX on a Novell network rather than IP. In such a case the Layer 3 header would contain source and destination IPX addresses (and Novell's SPX protocol would take the place of TCP).
The sending computer takes your data (your e-mail message or Web site request) and does the series of encapsulations based on the type of network you're on. The receiving computer simply reverses the process and de-encapsulates the received frame to extract the data you sent.
One other point to note in the above diagram is that the destination IP address is not the only TCP/IP-related information specified about the destination computer. The TCP port number for the requested service is also specified. HTTP (Web) uses port 80. FTP (file transfer) uses port 21. You may have seen the term "socket" used in TCP/IP literature. A socket is simply referencing the IP address and port number together. For example, traffic destined for a Web server with an IP address of 172.16.5.20 would have a destination socket of 172.16.5.20:80. It's the use of different port numbers (and sockets) that allows you to still surf the Web while you're using FTP to download a file.
So how does the sending system find out what a destination computer's MAC address is so that it can put it in a frame? It uses ARP. ARP is an address resolution protocol kind of like DNS. Whereas a computer will send out a DNS query packet to a DNS server to resolve a domain name or system name to an IP address, it will also send out an ARP query packet to resolve an IP address to a MAC address. An ARP request is basically just a broadcast that says "Whoever has IP address x.x.x.x, send me your MAC address". We mention this because when comparing hubs to switches to routers you can see where these two different destination addresses come into play. (You'll see how all this ties together in the How It All Works section later in this page.)
Network Device / Packet Handling / OSI Layer

Hubs (OSI Layer 1: electrical signals and connections)
Hubs don't look at anything. They serve as a central electrical tie point for all the systems on a network and are basically just repeaters. Any packets received on one port are flooded out all other ports. All systems on the network see all traffic and all share the available bandwidth. As a result, only one computer on the network segment can transmit packets at a time (shared bandwidth).

Switches (OSI Layer 2: hardware addressing, MAC address)
Switches also serve as a central electrical tie point. They don't care about IP addresses. They look at the MAC addresses in packets and build a lookup table that shows which MAC address is plugged into which switch port. This allows them to forward packets MAC-addressed for a specific system to that system only (the virtual direct connection). None of the other systems on the network segment see them. (If it doesn't have the destination MAC address in its ARP table it floods the packet, either waiting for the destination system to respond so it can add an entry into its ARP table for it, or it lets the default gateway router deal with it.) As a result, multiple computers on the same network segment can transmit at the same time (bandwidth is not shared).
Another advantage of switches is that the virtual direct connection they set up between two systems allows for full-duplex communications between the two systems. Full-duplex operation has the effect of doubling the bandwidth under certain circumstances because both systems can send and receive packets to each other simultaneously (provided both NICs support full-duplex operation).
There is a disadvantage to switches though. You can't hook a system running a "packet sniffer" to a switch to try and analyze your network's level of bandwidth utilization or capture traffic to/from a specific system because the sniffer system can't see all the traffic. It will only see traffic sent to it and any "broadcast" traffic (such as ARP requests) which is flooded out all switch ports. (Knowing the level of broadcast traffic on your network is helpful however.) You can only sniff traffic to/from other systems when they (and the sniffer system) are connected to hubs. However, Cisco switches have a feature called SPAN that lets you configure a port as a SPAN port to hook a sniffer to. You then specify one or more other ports on the switch which will have their traffic duplicated to the SPAN port. You would specify two ports to monitor the traffic between two systems or all other ports to simulate having your sniffer hooked to a hub. This could slow down a heavily utilized switch though as you would in essence be doubling the amount of traffic across the switch fabric because all unicast traffic is going to two ports instead of one.

Routers (OSI Layer 3: logical addressing, IP address)
Routers do switching too, building a lookup table of the MAC addresses of systems on the network segment that connects to each interface, but they also look at IP addresses. If the destination IP address of a packet isn't on the same network segment as the system that sent the packet, the router looks at a different table (routing table) to see which other interface it needs to send the packet out of to reach the destination network. That's why default gateway devices are routers.
Often times a router will connect to two different types of networks. One interface will connect to an ethernet LAN while another connects to a frame relay WAN link. If the router receives a packet on the LAN interface that needs to be forwarded onto the frame relay link, it will strip off the ethernet frame and re-encapsulate the packet in a frame relay frame before sending it on its way.
Switches and routers aren't the only things that build ARP tables. Computers build them too, but the table entries are temporary (called the "ARP cache"), usually being removed after a couple of minutes. On a Windows system, open up a DOS window; on a Linux system, work at the shell prompt. Ping another system on your network. When the ping is finished (on Linux systems press Ctrl-C to stop the pinging), type in the following command to view the ARP table entry created as a result of the ping:
arp -a
Given that most broadband Internet connections are only in the 1 Megabit-per-second (Mbps) range, you probably wouldn't notice much of a performance difference between using a hub and a switch on a home network. In this case you could save some money by buying a used 8-port 10 or 100 Mbps hub on places like eBay rather than a new switch. However, on larger business LANs the performance difference could be significant.
Notice one very important point. An ARP is a broadcast packet. As such, only systems on the same LAN segment will see the broadcast and respond. In other words, ARP will only resolve the MAC addresses of destination systems on the same Layer 2 segment (which is comprised of systems interconnected by hubs or switches).
How does your system know when to try and get the destination system's MAC address? Easy. It looks at the destination IP address. If the destination IP address isn't on the same subnet (doesn't have the same network portion of the IP address), then it knows sending an ARP request with the destination's IP address won't do any good. So instead, it sends out an ARP request with the IP address of the default gateway. Your system knows that to access any system on a different network (or subnet), it has to send the packet out the default gateway router so it ARPs to get the MAC address of that router's interface. (That's why you enter an IP address, subnet mask, and default gateway address in your system's TCP/IP configuration.)
Let's take a look at a somewhat realistic frame. You're on your PC at work which is connected to an Ethernet LAN and you send your mom an e-mail. Remember, when sending information the encapsulation process starts at the top OSI layer (Application layer) and works its way down through the transport, network, and link layers. (Received frames go up the OSI layers and get de-encapsulated at each layer.)
• Since e-mail messages are sent using the SMTP protocol, your e-mail message will get wrapped in a TCP segment with port 25 as the destination port.
• Then, since your mom's e-mail address contained the domain name of her ISP, your system has to send out a DNS request to get the IP address of the mail server for that domain name. Once it has that it will use it as the destination IP address as it wraps the TCP segment up in an IP packet.
• Because the source and destination IP addresses are for different networks, your system will send out an ARP request to get the MAC address for the default gateway router's interface. With that it can wrap the IP packet inside an ethernet frame, calculate the checksum value for the FCS (Frame Check Sequence), and pass it down to the hardware layer to be put on the wire.
Note that your system had to do two address resolution queries (DNS and ARP) to get the two destination addresses (IP and MAC). Only after it has both of them can it build the frame.
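The three steps above, carried out in Python on constructed sample values. This is an added example and not code from the original page: the MAC addresses, the workstation address 192.168.1.10, the gateway 192.168.1.1 and the mail server address 203.0.113.25 are all made up, the DNS lookup of step 2 is skipped (the mail server's IP is supplied directly), and the gateway MAC given to build_frame stands for what the ARP request in step 3 would have returned. The source port is the 58631 used in the text below. The FCS is the CRC-32 that Ethernet uses, and parse_frame performs the reverse (de-encapsulation) so you can see the same headers peeled off in the opposite order, as well as the earlier decision of whether to ARP for the destination or for the default gateway.

```python
# Added example, not from the original page: building and then unpacking the
# e-mail frame described above. The MAC addresses, IP addresses and SMTP
# line are constructed sample values; 203.0.113.25 stands in for the mail
# server address that the DNS lookup in step 2 would have returned.
import ipaddress
import struct
import zlib

SAMPLE = dict(src_mac="00:0c:29:aa:bb:cc",        # your PC's NIC (constructed)
              next_hop_mac="00:1a:2b:3c:4d:5e",   # gateway router's interface (constructed)
              src_ip="192.168.1.10", dst_ip="203.0.113.25",
              src_port=58631, dst_port=25,        # SMTP, as in the text
              data=b"MAIL FROM:<you@example.com>\r\n")


def next_hop(src_ip, mask, gateway, dst_ip):
    """The address your system ARPs for: the destination itself if it is on
    the local subnet, otherwise the default gateway."""
    prefix = bin(int(ipaddress.IPv4Address(mask))).count("1")
    local = ipaddress.ip_network(f"{src_ip}/{prefix}", strict=False)
    return dst_ip if ipaddress.IPv4Address(dst_ip) in local else gateway


def inet_checksum(data):
    """One's-complement sum of 16-bit words, as used by IP and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(src_mac, next_hop_mac, src_ip, dst_ip, src_port, dst_port, data):
    """Encapsulate: data -> TCP segment -> IP packet -> Ethernet frame."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    # Layer 4: 20-byte TCP header (data offset 5 words, flags PSH+ACK), checksum
    # computed over a pseudo-header of both IP addresses plus the segment.
    tcp_hdr = struct.pack("!HHIIHHHH", src_port, dst_port, 1, 0,
                          (5 << 12) | 0x18, 65535, 0, 0)
    pseudo = src.packed + dst.packed + struct.pack("!BBH", 0, 6, len(tcp_hdr) + len(data))
    tcp_sum = inet_checksum(pseudo + tcp_hdr + data)
    segment = tcp_hdr[:16] + struct.pack("!H", tcp_sum) + tcp_hdr[18:] + data
    # Layer 3: 20-byte IPv4 header (version 4, IHL 5, DF set, TTL 64, protocol 6 = TCP).
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234,
                         0x4000, 64, 6, 0, src.packed, dst.packed)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    packet = ip_hdr + segment
    # Layer 2: Ethernet II header (EtherType 0x0800 = IPv4) plus CRC-32 FCS trailer.
    frame = mac_to_bytes(next_hop_mac) + mac_to_bytes(src_mac) + struct.pack("!H", 0x0800) + packet
    fcs = struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF)
    return frame + fcs


def parse_frame(frame):
    """De-encapsulate in reverse order, checking the FCS and both checksums."""
    body, fcs = frame[:-4], frame[-4:]
    if struct.unpack("<I", fcs)[0] != zlib.crc32(body) & 0xFFFFFFFF:
        raise ValueError("FCS mismatch: frame corrupted in transit")
    ethertype = struct.unpack("!H", body[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"unexpected EtherType 0x{ethertype:04x}")
    ihl = (body[14] & 0x0F) * 4
    ip_hdr = body[14:14 + ihl]
    if inet_checksum(ip_hdr) != 0:          # a good header sums to zero
        raise ValueError("IP header checksum mismatch")
    src, dst = ipaddress.IPv4Address(ip_hdr[12:16]), ipaddress.IPv4Address(ip_hdr[16:20])
    segment = body[14 + ihl:]
    pseudo = src.packed + dst.packed + struct.pack("!BBH", 0, ip_hdr[9], len(segment))
    if inet_checksum(pseudo + segment) != 0:
        raise ValueError("TCP checksum mismatch")
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    data_offset = (segment[12] >> 4) * 4
    return {
        "dst_mac": bytes_to_mac(body[:6]), "src_mac": bytes_to_mac(body[6:12]),
        "src_ip": str(src), "dst_ip": str(dst),
        "src_port": src_port, "dst_port": dst_port,
        "socket": f"{dst}:{dst_port}",      # the "socket" notation used earlier
        "data": segment[data_offset:],
    }


if __name__ == "__main__":
    print("ARP for:", next_hop("192.168.1.10", "255.255.255.0", "192.168.1.1", SAMPLE["dst_ip"]))
    frame = build_frame(**SAMPLE)
    print(len(frame), "bytes on the wire:", frame.hex())
    print(parse_frame(frame))
```

Note what the two address lookups produce: the destination IP in the packet is the mail server's, but the destination MAC in the frame is the gateway router's, because next_hop sees that 203.0.113.25 is not on the 192.168.1.0 subnet. A single flipped bit anywhere in the frame makes parse_frame raise on the FCS before any header is read, which is the "corrupted in transit" check the FCS exists for.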
At some point the packet will likely encounter your proxy server and it will change the source IP address of the packet to the public address of the external interface of the proxy server. The proxy server will use the randomly generated source port number (58631) to keep track of your PC's SMTP "conversation" with the mail server.
As your e-mail packet travels over the Internet the frame type will change to whatever medium (frame relay, ATM, etc.) is encountered along the way (the intermediate hop routers de-encapsulate and re-encapsulate with the proper frame type as necessary because routers can connect to different network mediums). But once the proxy server has changed the private IP address to a public one and sent the frame on its way, the IP addresses in the packet (and any information in the layers above it) never change as it winds its way through the Internet. Only the Layer 2 framing changes.
Note: With point-to-point serial links like a dial-up connection between two modems (PPP Layer 2 protocol) or a leased line between two routers (HDLC Layer 2 protocol) there is no need for Layer 2 addressing. As an analogy, take the old George Carlin line "When there's only two people on an elevator and one of them farts everybody knows who did it". If there's only two devices connected to a link and one of them is sending they both know who needs to be receiving. The packet is still encapsulated in a frame appropriate for the medium, but there is no addressing information in the frame header.
Going back to the OSI model for those studying networking, you can see how the pieces of the above frame relate to the lower layers of the model. It also shows how all the different technologies relate to each other.
OSI Layer / Function / Example Technologies

Layer 1 - Physical
Function: Hardware interconnection of devices specifying cable types, connector types and pin-outs, electrical signal levels, and encoding/modulation methods.
Example technologies: 10/100-Base-T (for Ethernet), Token Ring (hardware specs), LocalTalk (for AppleTalk), 232c and v.35 (for serial connections)

Layer 2 - Link
Function: Local network (same segment) addressing. Used by NICs, switches, and routers.
Example technologies: Ethernet (802.2/802.3), Token Ring (802.5), Frame Relay, ATM, serial links using PPP, HDLC, etc.

Layer 3 - Network
Function: Internetwork (different subnet or network) addressing. Used by routers.
Example technologies: IP, IPX (Novell), AppleTalk

Layer 4 - Transport
Function: Service identification (WWW, e-mail, FTP, etc.). Used by the protocol stack.
Example technologies: TCP and UDP (using port numbers), SPX (Novell), AppleTalk
Note that a NIC is both a Layer 1 device (because it has a 10/100-Base-T connector) and a Layer 2 device (because it looks at the MAC addresses of the frames it sees). The same goes for switches, because they have 10/100-Base-T connectors and they look at the MAC address to build their MAC address-to-port lookup table. Routers can have multiple interfaces of varying types (serial, 10/100-Base-T, Token Ring), so a router is a Layer 1 device (different connector types), has to appropriately re-frame a packet for each of those network types and apply the appropriate Layer 2 address (so it is also a Layer 2 device), and it looks at the IP address to see which interface the packet needs to go out of (so it's also a Layer 3 device).
Also note that the Layer 3 Network technologies (IP, IPX, etc.) are totally independent of the Layer 2 Link technologies which is why you can have a TCP/IP network span different network types or run Novell IPX/SPX on an Ethernet or Token Ring network.
There's one important point about Layer 4. Note that it's the server applications that open ports. A common security practice is to run a "port scanner" program on a workstation and point it at a server to see what ports are open on that server (to see which ports the server is listening on). If ports are open that shouldn't be, it's because some application or memory-resident service opened the port and is listening for service requests on it. To close ports you need to find out which application or service has them open and shut them down as well as keep them from starting when the server is booted. As you will see in the Internet Servers page, applications are often started at bootup through inetd.
The above was a simplified coverage of frames and packets. There's more than just addresses in frame (Layer 2), packet (Layer 3), and segment (Layer 4) headers. There are flags, status indicators, sequence numbers, etc. And we didn't show the information in the layers between the Transport layer (TCP ports) and the Application layer (the data). For example, NetBIOS and client/server technologies like SQL would use the "Session" layer above the Transport layer.
Time spent learning the OSI model is an investment that will likely pay off in big time savings when troubleshooting network problems. The layers allow you to narrow down and isolate the possible sources of problems. As a simple example, take a Web server that isn't responding to requests from browsers. If you can ping the server, which uses Layer 3 ICMP packets, you know the network configuration is OK but for some reason the Apache Web server software isn't listening on port 80 (Layer 4). Likewise if two Windows systems running NetBIOS over TCP/IP can't "see" each other in Network Neighborhood but they can ping each other you know the TCP/IP properties are OK and it's likely a Session layer problem. Session layer problems could be something with the Windows Networking configuration (ex: File and Print Sharing isn't enabled or the Server service isn't running - neither of which is needed for TCP/IP at layers 3 and 4 to operate properly).
The Two Parts of Ping
Be careful about your assumptions when using the ping command. It has two parts: the ECHO (what you send) and the ECHO REPLY (what the remote system sends back).
It is easy to assume that if you don't get a response to a ping there is no connectivity between the two systems. This is not necessarily true. The ping ECHOs may very well be reaching the remote system. However, if the remote system isn't configured correctly, you may not receive the ECHO REPLYs.
The most common reason for this is that the remote system doesn't have a route in its routing table to the network your system (the ECHO sending system) is on. As a result, the remote system is trying to reply but either it doesn't know where to send the replies, or it is sending them but out of the wrong interface (which can happen if the replying system has multiple NICs, but remember that your system sees a connected modem as the ppp0 interface, essentially another NIC).
Causes for this are incorrect values for the default gateway, subnet mask, or IP address on the remote system (i.e. an incorrect Layer 3 configuration). Also consider the fact that the incorrect values could be on the ECHO sending system. In this case, while there may be connectivity between the two systems, the ECHOs are never being sent or are being sent out of the wrong interface. Although Layer 3 may be configured incorrectly, there may still be traffic coming from the system. Look at the port indicators on your hub or switch (for ethernet interfaces) when you ping to check for the existence of Layer 1 signals indicating ping traffic. Likewise, the indicators on an external modem can be used to see if ping attempts are being sent or received at the lower layers with dial-up connections.
If you're trying to ping a system on a remote network it's also possible that a router or firewall somewhere between the two networks is blocking one or both of the ping components or the router/firewall itself has an incomplete routing table.
Don't get hung up on the word "protocol" that you see mentioned a lot in networking. It's just a technical term for "a set of rules or commands". The PPP protocol dictates that if you're going to put a PPP frame on the wire the frame has to be comprised of these fields in this order with these lengths and each field has to contain this information. The SMTP protocol dictates that if you're going to use the SMTP service on a mail server to send a mail message you have to use these commands with these parameters in this order to set up the connection, specify the sender, specify the recipient, etc. Defining a protocol is just a means of establishing a standard. If everyone builds their hardware or writes their software to follow the same rules then all the pieces work with each other.
Debian comes with two great "sniffer" packages that allow you to look at individual packets. tcpdump is a console program that displays packet traffic in real time, with the packets scrolling up the screen as they are received and decoded. Ethereal (later renamed Wireshark) is a sophisticated GUI protocol analyzer that breaks the frames down into their individual OSI layers and displays the data contained in each of the frame, packet, and segment fields. Both have to be run as root to capture, since putting an interface into promiscuous mode is a privileged operation. I use a dual-boot notebook at work with Fluke's expensive (read 'thousands of dollars') "Protocol Expert" sniffer installed on the Windows 2000 partition and Ethereal installed on the Debian partition, and the difference in the information provided by the two is very small indeed.
And as long as we're on the subject of cool Debian packages and verifying connectivity, one package that's probably already on your system as part of the default installation is the mtr utility. It's like the traceroute command, only better: it keeps re-probing every hop and shows you the loss and latency for each one as they change. If your Debian system has Internet connectivity and you have the correct DNS server settings in /etc/resolv.conf, type the following at the shell prompt:
mtr www.debian.org
It's a great tool for monitoring in real time the effects of any changes you make to server, proxy, firewall, router, etc. configurations. Press Ctrl-C to quit the program.
Sometimes you'll make a change and then you don't get the results you expected. It may be because systems cache certain "reachability" information. We said earlier that ARP maps IP addresses to MAC addresses (Layer 2). Systems also maintain routing tables which relate an interface to the path needed to get to a given IP address (Layer 3). Often you will need to clear these caches to get the results you expect.
Function               Linux command        Windows (DOS) command
View ARP cache         arp                  arp -a
Clear ARP cache        arp -d entry         arp -d
View routing table     route                route print
Clear routing table    route del entry      route -f
View DNS cache         n/a                  ipconfig /displaydns
Clear DNS cache        n/a                  ipconfig /flushdns
Note that there are no Linux versions of the DNS commands: a Linux system doesn't cache DNS answers unless you run a caching daemon such as nscd (which is invalidated with nscd -i hosts) or a local name server. Windows caches a lot more to try and improve its performance, so if you're using a Windows system to test DNS changes be sure to clear that cache too. Also note that the arp and route commands shown above (from the net-tools package) can't flush every entry at once on Linux; it has to be done one entry at a time. If the iproute package is installed, ip neigh flush all clears the whole ARP cache in one go.
What A Subnet Mask Really Does
So now that you know about ARP and MAC addresses let's go back to subnet masks for a minute. We know that a subnet mask identifies the network portion of an IP address, that you have to enter a subnet mask on every system on an internal network, and that it has to be the same on all of those systems. But how does a system make use of it? It works together with the default gateway address you also enter on most systems.
When a system wants to send a packet to another system, it applies the subnet mask (a bitwise AND) to both its own IP address and the destination's and compares the results. If the network portions match, the destination is on the same network (segment) it is, so it sends out an ARP request which in effect says "System with IP address x.x.x.x, send me your MAC address." When it gets the reply it puts the destination system's MAC address in the frame header and puts the frame on the wire.
If the comparison shows that the destination system is on a different network, it still sends out an ARP request, but this time for the IP address you entered as the default gateway (typically a router). When the router responds, the sending system puts the router's MAC address in the frame header (Layer 2), sends the packet to it, and lets the router worry about the Layer 3 work. So the only Layer 3 decision an end system makes is whether a destination is on its own subnet or not, using the subnet mask; if it's not, it hands the packet to the default gateway and lets that worry about getting the packet to the other network. (But how does the sending system get the destination system's IP address in the first place? That's why you also have to enter DNS server addresses on every system. You'll see how they use these addresses on the DNS Services page.)
Given all of the above you can figure out what problems you'll have if a system has an incorrect subnet mask. Let's use the Class B network 172.18.0.0 as an example. Recall that the correct subnet mask for a Class B network is 255.255.0.0, so all systems on the same network segment have addresses that start with '172.18'.
If a system on this network has an IP address of 172.18.5.10 and an incorrect subnet mask of 255.0.0.0, it'll think that any system whose first octet is 172 is on the same segment it is. So while a packet destined for 172.16.2.12 belongs on a different segment, the system with the incorrect mask will think it's local and will never try to use the default gateway. It'll just sit there and ARP its brains out trying to get 172.16.2.12 to answer with its MAC address. Eventually it'll error out and say that the system is unreachable.
Going the other way, if the Class B system (172.18.5.10) has a Class C mask of 255.255.255.0, it'll think that only systems with addresses that start with '172.18.5' are on its local segment. So if it has a packet destined for 172.18.3.33 (which is on the same segment), it'll think it's on a different segment, ARP for the default gateway router's address, and send the packet to the router, when it should have ARPed for the destination system directly. In this case the router will usually forward the packet back out the same interface it came in on (and may send an ICMP Redirect telling the sender to use the destination directly), but some routers are configured to drop such traffic. If the router does forward it you may not even notice there's a problem, but a "narrower" subnet mask than you should have places an undue load on your gateway router and puts unnecessary traffic on your network.
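Here is the comparison above written out as an added example in Python (it is not code from the original page). It uses the page's addresses and both wrong masks; the gateway address 172.18.0.1 is an assumption, since the page doesn't give one for this segment.

```python
"""Added example, not from the original page: the next-hop decision an end
system makes with its subnet mask, applied to the page's 172.18.x.x cases.
The gateway address 172.18.0.1 is assumed; the page does not give one."""
import ipaddress

UNREACHABLE = "ARPs locally for a remote host: nobody answers, destination unreachable"
HAIRPIN = "sends a local destination to the gateway: router must hairpin it or drop it"


def network_part(ip: str, mask: str) -> str:
    """The network portion of an address: the address ANDed with the mask."""
    masked = int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(masked))


def same_subnet(a: str, b: str, mask: str) -> bool:
    """True when both addresses have the same network portion under this mask."""
    return network_part(a, mask) == network_part(b, mask)


def arp_target(my_ip: str, mask: str, gateway: str, dest: str) -> str:
    """The IP address the sender ARPs for before putting the frame on the wire."""
    return dest if same_subnet(my_ip, dest, mask) else gateway


def diagnose_mask(my_ip, correct_mask, configured_mask, gateway, dest):
    """Compare what the host does with its configured mask against what it should do."""
    should = arp_target(my_ip, correct_mask, gateway, dest)
    does = arp_target(my_ip, configured_mask, gateway, dest)
    if should == does:
        return "ok"
    return UNREACHABLE if does == dest else HAIRPIN


if __name__ == "__main__":
    host, gw, correct = "172.18.5.10", "172.18.0.1", "255.255.0.0"
    for mask, dest in (("255.0.0.0", "172.16.2.12"), ("255.255.255.0", "172.18.3.33")):
        print(f"mask {mask}, destination {dest}: {diagnose_mask(host, correct, mask, gw, dest)}")
```

Note that a mask that is too wide only breaks traffic to hosts that are actually off the segment; local traffic still works, which is why that mistake often goes unnoticed until somebody tries to reach another network.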
At The Office
The wide range of addresses available with the 172.x.x.x space allows you to simplify things in larger networks. You pick one and only one value for the first 'x' (the second octet) from the available range of 16 through 31, but you can use different values for the third octet to try and keep track of things.
For example, let's say you decide to use 172.18.x.x for your network. You could manually assign all of your servers addresses in the 172.18.1.x range. All of your printers could be manually assigned addresses in the 172.18.2.x range, and you could set up a DHCP server on your internal network to automatically assign addresses in the 172.18.3.x and 172.18.4.x ranges to your workstation computers. (In DHCP lingo, the address spaces you set up for the DHCP server to hand out individual addresses from are called "scopes" and the addresses are "leased" to workstations.)
Even though the systems in your network would have a value for the third octet ranging from 1 to 4 in this example, because you'd only be using a Class B subnet mask (255.255.0.0), they would all still be on the same network. You're still using two octets to identify individual computers instead of just one octet as with a Class C address. It's just that you're using the third octet as a means of logically grouping or identifying devices.
Note: Using different numbers in the "computer" portion of the address as in the previous example is not the same as the "subnetting" we referred to when discussing the 10.x.x.x network address space earlier. While a subnetted Class B network would likely have different values for the third octet on each subnet, simply assigning a certain group of computers the same value for the third octet in a Class B address range does not create a subnet. Subnetting is done with routers to reduce the size of broadcast domains, which has the effect of increasing available LAN bandwidth. (Subnetting is covered in more detail in the Subnetting section on this page.)
If you want to allow your internal private network to access the Internet you can set up a broadband connection to the Internet. This isn't much different than getting cable or DSL access at home. You would then set up a proxy/NAT server to allow everyone on the internal network (with their non-routable IP addresses) to share this broadband Internet connection. Most ISPs require businesses to get a "business account", but business accounts have special features that make them preferable anyway.
For one, check to see whether the business-account broadband connection is symmetrical (i.e. the speed is the same in both directions). Home accounts are asymmetrical: the download speed is much faster than the upload speed. The other important feature is that most business accounts include several static public IP addresses. These two features are necessary if you want to set up your own Web and/or e-mail servers (as you will see on the Internet Servers page). The cable or DSL interfaces on most home accounts are dynamically assigned a temporary public IP address. (A comparison of DSL and cable services is given later on this page.)
Keep in mind though, that security becomes a major issue when you start connecting business networks to the Internet. Ideally you'd want to put any Web and/or e-mail servers in a "DMZ" with one firewall between them and the Internet. You'd then put a second firewall between the DMZ and your internal network to further restrict traffic. A DMZ is also referred to as "screened subnet". It's also a good idea to put an IDS (Intrusion Detection System) in your DMZ.
We get more into how to set up a DMZ using Linux systems for the outside and inside firewalls on the Firewall page. We also show you how to set up and test a Snort IDS system on the Security page.
At Home
Setting up a network at home is easy. Hardware-wise you just need to install some 100 mega-bit PCI NICs (Network Interface Cards) in the PCs, buy an 8-port 100 mega-bit switch, and the RJ-45 Cat 5 UTP cables to connect the PC NICs to the switch. (Get an 8-port instead of a 4-port switch. They don't cost that much more and it's always better to have too many network connections than not enough.) For home networks a hub would work just as well as a switch, but not too many companies make hubs anymore because switches have dropped in price so much. Some computers come with NICs integrated into the motherboard. Check the back of your computer for an RJ-45 jack. It looks like a telephone jack but has 8 contacts instead of the 4 contacts of a telephone jack.
If some of your systems are scattered or you don't want to run cables to them you could always add a wireless NAP (Network Access Point, which is like a wireless hub that plugs into a port on your switch) to your network, but this would also require getting wireless NICs for those PCs. They also make PCMCIA versions of NICs so you can connect your notebook to your home network. Once you've got the hardware in place, you just configure the network settings in the PC software. We'll cover the Debian network configuration below. On Windows PCs, go to
Start/Settings/Control Panel/Network
and get into the TCP/IP properties for the NIC, where you can enter an IP address for the PC, a subnet mask, and possibly a default gateway (if you have a broadband Internet connection). When you enter an IP address into the TCP/IP properties like this it's called a "static" IP address because it won't change unless you change it.
The family in the diagram below chose a Class C private address range of 192.168.5.x
When you set the TCP/IP properties you are assigning the private addresses to the NICs inside the computers. You can have a NIC with a private address assigned to it on your home network and still use a dial-up modem connected to the same system to get on the Internet. Your modem gets a different (public routable) IP address from your ISP every time you dial in and retains it as long as you're connected.
The names above are not just identifying family members. They are the names given to the systems (hostnames). Since a home network is too small to justify a DNS server, you can set up name resolution using a simple hosts file. A hosts file is just a plain text file you can edit using any text editor (like Notepad on Windows systems). Note that this file does not have an extension. On most Linux and UNIX systems the path to open the file is:
/etc/hosts
On Windows systems the paths are typically:
95 / 98: C:\Windows\hosts
NT / 2000: C:\WINNT\system32\drivers\etc\hosts
Once you open the file in a text editor, add the address/hostname pairs for the systems on your network. For the above home network the hosts file would look like this:
127.0.0.1	localhost
192.168.5.10	dad
192.168.5.11	mom
192.168.5.12	grandpa
192.168.5.13	junior
192.168.5.14	sis
192.168.5.15	fido
(That's a Tab character between the address and hostname.) Each system that would want to do name resolution would need to have this hosts file but once you create one you can just copy it to other systems. Then instead of entering the command:
ping 192.168.5.12
you could just enter:
ping grandpa
If Grandpa had a Debian system running the Apache Web server software, Junior could open up a Web browser on his system and enter the following URL to see Grandpa's Web pages:
http://grandpa/
The downside of hosts files is that you have to have one on every system on your network, and if a change needs to be made it has to be made to all of the copies by hand with a text editor; copies that drift apart are a common cause of "it works from one PC but not another". As an alternative to setting up a hosts file on all the computers you could set up a DNS server for your LAN. This DNS server would also have the ability to resolve Internet host/domain names if you have a broadband connection to the Internet. Actually, you don't need a separate server. You can just run the DNS service on your existing Debian system. We show you how it all works, and how easy it is to set up, on the DNS page.
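To see how a hosts file is actually read, and to catch the drift between copies mentioned above, here is an added example in Python (it is not code from the original page). It reads two hosts files the way the resolver does: the first matching entry wins, a # starts a comment, names are case-insensitive, and one address may carry several names, as in the /etc/hosts entries shown later on this page. Both files are constructed for the example from the page's home network and are not real files from the page.

```python
"""Added example, not from the original page: parse hosts files like the
resolver does and report where two copies on two PCs disagree.
Both files below are constructed for the example."""

# Constructed: Dad's copy after Grandpa's system moved to .16 and got a second name.
DAD_HOSTS = """\
127.0.0.1\tlocalhost
192.168.5.10\tdad
192.168.5.11\tmom
192.168.5.16\tgrandpa grandpa.home   # moved to .16 last week
192.168.5.13\tjunior
192.168.5.14\tsis
192.168.5.15\tfido
"""

# Constructed: Junior's copy was never updated, and a second line for sis was
# left in by mistake.
JUNIOR_HOSTS = """\
127.0.0.1\tlocalhost
192.168.5.10\tdad
192.168.5.11\tmom
192.168.5.12\tgrandpa
192.168.5.13\tjunior
192.168.5.14\tsis
192.168.5.20\tsis
192.168.5.15\tfido
"""


def parse_hosts(text):
    """Return (name -> address, conflicts).

    A later line that maps an already-seen name to a different address is
    reported as (name, address kept, address ignored) and skipped, which is
    what the resolver does: it stops at the first match."""
    table, conflicts = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        fields = line.split()                   # tabs or spaces both separate fields
        address, names = fields[0], fields[1:]
        for name in names:
            key = name.lower()                  # lookups are case-insensitive
            if key in table:
                if table[key] != address:
                    conflicts.append((key, table[key], address))
                continue
            table[key] = address
    return table, conflicts


def resolve(text, name):
    """The address 'ping name' would use on a system holding this hosts file."""
    table, _ = parse_hosts(text)
    return table.get(name.lower())


def diff_copies(text_a, text_b):
    """Names that resolve differently, or only on one side, between two copies."""
    a, _ = parse_hosts(text_a)
    b, _ = parse_hosts(text_b)
    return {n: (a.get(n), b.get(n)) for n in sorted(set(a) | set(b)) if a.get(n) != b.get(n)}


if __name__ == "__main__":
    for name, (on_dad, on_junior) in diff_copies(DAD_HOSTS, JUNIOR_HOSTS).items():
        print(f"{name}: dad={on_dad} junior={on_junior}")
    for name, kept, ignored in parse_hosts(JUNIOR_HOSTS)[1]:
        print(f"junior: duplicate entry for {name}, {kept} wins over {ignored}")
```

Because the hosts file is consulted before DNS, a stray or malicious line in it silently redirects a name; the same check is worth running on any system that starts talking to an address you didn't expect.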
If you have cable or DSL service at home, you can share this broadband connection with all of the computers on your home network. Cable or DSL providers typically give you the option of having an external cable or DSL modem, which then connects to your computer's NIC via a Cat 5 LAN type cable or connects to your computer's USB port, or an internal model that gets installed in one of your computer's slots. Stay away from anything USB and get the external model that plugs into a NIC. That way, instead of plugging the cable into your computer's NIC you can plug it into a device known as a cable/DSL router. This cable/DSL router would then plug into the hub or switch that you use to connect all of your computers together. (Some cable/DSL routers have a built in 4-port hub.) A cable/DSL router is basically just a "proxy-server-in-a-box".
The "modem" you get from your cable or DSL provider is actually just a device called a "bridge". It bridges traffic from one type of network (cable or telephone) to another (ethernet-based LAN) without doing any packet inspection, filtering, or manipulation. It is essentially a media converter.
Note that a cable/DSL router is not the same as the cable or DSL "modem" or "interface" that you get from your cable company or ISP. The router allows you to take the incoming Internet connection, which normally goes to a single computer, and plug it into a hub or switch so that the Internet connection can be shared by your entire internal network. Some can even be set up to act as DHCP servers to hand out private IP addresses to your home PCs each time you turn them on. If you don't want to assign static addresses to the PCs on your home network you just set them up to use a DHCP server and then enable the DHCP function on the cable/DSL router.
Your cable or DSL service provider assigns you a single public (routable) IP address. If you don't have a cable/DSL router, and because of the bridging action of the modem they give you, it is your PC which receives this public, routable IP address. As a result, only one PC can access the Internet. A cable/DSL router performs the NAT function explained earlier which allows this single public address (which is assigned to the router rather than a single PC) to be shared by multiple systems on your LAN.
Note in the above diagram that if you use a commercial cable/DSL router you may need one of two things (it depends on the model you buy). The cable that connects the router to your hub or switch may have to be a Cat 5 "crossover" cable, or you may have to use a regular Cat 5 LAN cable and plug it into the "uplink" port found on most hubs/switches. If you try a regular cable and the "link" indicator on your hub/switch doesn't light up for that connection, you'll likely have to do one of the above. (If your hub or switch doesn't have an uplink port, you'll have no choice but to get a crossover cable.) None of this applies if you are using a Linux system as a proxy server.
IMPORTANT: Because Windows enables file and print sharing by default, having a publicly routable IP address assigned to your Windows PC is a security risk. File and print sharing listens on the NetBIOS ports (UDP 137 and 138 and TCP 139, plus TCP 445 on Windows 2000), and a public address makes those ports reachable from anywhere on the Internet. So even if you don't need to share your broadband Internet connection with other PCs (i.e. the cable or DSL modem plugs directly into your PC), you should either disable file and print sharing or put some kind of NAT or firewall system (cable/DSL router or Linux system) between your PC and the modem. Disabling sharing altogether defeats the point of having a home network in the first place (sharing files, printers, etc.), so a NAT/firewall in front of the PC is the better answer; at the very least, unbind File and Printer Sharing from the adapter or dial-up connection that faces the Internet so that it stays bound only to the LAN adapter.
In the above diagram, the public IP address dynamically assigned by your ISP is on the router's "external interface" (connection), and you assign a static private IP address to the "internal interface". Note that the "default gateway" setting on all of your home network PCs is this same static private address you assigned to the internal interface of the router.
The default gateway setting on a PC is kind of a "last resort" setting. (Cisco routers actually refer to the default gateway setting as the "gateway of last resort".) It basically tells the computer that if it wants to contact another computer, and it can't find that other computer on the local network (which Internet servers won't be), it should send the traffic for this other computer to the address of the default gateway. The default gateway device is typically a router, so it will know what to do with any traffic that's destined for a distant network (which is why they call it a "gateway"). So in addition to doing address translation, a commercial "proxy-server-in-a-box" or Linux proxy server is also a router which acts as a gateway.
Cable/DSL routers are available from manufacturers such as Linksys and DLink for under $100. Here's an example list, using mostly Linksys equipment, of what you'd need to set up a home network where you can share a broadband Internet connection. (You may want to spend a little more and get 3Com 3C905 NICs because they have wide driver support.):
• An 8-port 10/100-mb Switch * - approx $40
• A Cable/DSL Router for Internet access sharing * - approx $50
• One 100-mb NIC for each computer - (get used 3Com 3C905C NICs on eBay)
• One PCMCIA NIC for each notebook - approx $40 ea
• One Cat 5 LAN cable for each computer/notebook (variable lengths) - approx $15 ea
* You could replace the switch and router with an integrated model, but that limits your options for cable runs, experimenting, and troubleshooting.
For adding wireless nodes:
• A Wireless NAP/Bridge - approx $50
• One Wireless NIC for each computer - approx $50 ea
• One Wireless PCMCIA NIC for each notebook - approx $50 ea
So to network (wired) four desktop PCs at home without a broadband Internet connection you're looking at approximately $175 (switch, NICs, and cables), and around $250 (additional cable and router) if you do have a broadband connection to share. The router can always be added on as a separate piece later if you don't have a broadband connection now.
Alternative: Instead of buying a commercial cable/DSL router product you could just use a Linux box to act like one. Since a cable/DSL router is nothing but a proxy-server-in-a-box, you could set up a Linux system to be a proxy server, and it's easy to do. (You'll see how easy on the Proxy/NAT page.) The advantage of using a Linux system as your cable/DSL router is that you can customize the firewalling capabilities of the router using iptables. This not only includes customizing what traffic you allow into your network, but also allows you to restrict which systems on your network can access certain services or sites on the Internet. (You'll see how to do this on the Firewall page.)
Another advantage of using a Linux server over a commercial cable/DSL router is that you could also use it as your own home Web and e-mail server using the dyndns.org dynamic DNS service. We cover this on the DNS Services page. And since you've got a Web server running, you can easily add a Web cam to it so you can keep an eye on your home from anywhere that has a Web browser. We show you how to add that on the Web Cam Server page.
The concept of sharing an Internet connection is the same no matter what type of Internet connection you have. With a Linux system acting as a proxy server or firewall, you can just as easily share a modem connection.
This is essentially the same type of configuration you have if you use the "Internet Connection Sharing" option found on Windows systems. See the Modems page for information on getting a modem to work on your Debian system. Then see the Proxy/NAT page for a script that you can use to get your Debian system to act as a proxy server.
One important point to keep in mind when setting up a gateway type of system (which includes proxy servers and firewall systems) is that the "internal" interface should NOT have a Default Gateway entry. Leave it blank. A system has only one default route, and on a gateway it must point out the "external" interface; that Default Gateway value will either be assigned automatically when you connect to your ISP or should otherwise be available from them.
So the proxy server that sits between your private network and the Internet actually has (or should have) three functions: a gateway (router), an address translator, and a firewall. The firewalling capabilities of the commercial cable/DSL routers are limited at best and typically not upgradable if a new sort of attack is developed. We'll show you how to set your Debian system up to protect your network on the Firewall page.
Note: When we use IP addresses in our examples on these guide pages, they will be in the private IP address ranges even if it's an example where a public address would normally be needed (such as with an Internet-connected interface). We use addresses like this so we're not using IP addresses that have been legally licensed to companies or ISPs.
If you also want your Debian system to act as a DHCP server handing out addresses to the PCs on your home network when they boot up, you can easily accomplish this. However, we won't cover it here. Based on the information we've given so far on searching for and installing packages, this would be a good one for you to try on your own. If you do set it up, be sure to set the PCs on your network to use a DHCP server. In Windows, this is modifying the TCP/IP properties for the LAN interface to "Obtain an IP address automatically".
If you are going to connect your ISP's cable or DSL modem to the "external" interface (NIC) on your Debian system, you'll likely need to run DHCP client software on the system so that it can pull the ISP-assigned address and apply it to the external NIC. This is because it's not the cable or DSL modem that gets assigned an IP address; the modem merely acts as a bridge, so whatever device is connected to the customer side of it (PC, router, etc.) is what actually gets the address. We likewise won't cover installing a bootp or DHCP client here (the pump and dhcp-client packages are the usual choices); see the Web HOWTO documents for cable or DSL modems. (No DHCP client is needed for a dial-up connection because the dynamic addressing is handled by PPP itself.)
A No-Network Network
On the Proxy/NAT and Firewall pages we'll show you how to configure your Debian system so you can share your broadband connection with all of the computers on a network, including a home network. However, you don't need a formal network or even a broadband connection if you want to try setting up the proxy and firewall functions demonstrated on these pages.
For those who don't have a home network or access to a business network, you can still try the examples we present on these pages by setting up a two-system network (your Debian system and a Windows PC, for example). All it requires is a NIC installed and configured in each computer and a special cable called a "Cat 5 cross-over" cable. (As mentioned above, your computers may have network cards integrated into the motherboard already. Check the back of the systems for an RJ-45 jack.) If one of the computers you use is a notebook, and it doesn't have an integrated NIC, you'll need to get a 100 mb PCMCIA card. You can get those used for about $20 on eBay or similar sites.
A cross-over cable flips the transmit and receive pairs of the cable so they are on different pins on the connectors at each end. This allows you to connect the two systems back-to-back so that you don't need an ethernet hub or switch. Note that the NIC has to have been installed in the system, and the appropriate NIC driver module loaded during the Debian installation, for you to be able to use it.
The back-to-back connection between the two systems represents the internal LAN, where each system needs a unique IP address. You would then hook your modem up to the Debian system to set up the Internet connection (as outlined on the Modems page). And just as shown in the above diagram, the IP address of the NIC on the Debian system would be the default gateway entry on the Windows system. This is because the Debian system will be acting as the gateway for this two-system network.
This configuration will also work if you want to play around with the servers we set up on the Internet Servers page.
How It All Works
So you've got IP addresses and MAC addresses and subnet masks and default gateways and DNS and ARP and hardware and software. How do all these pieces fit together? Consider the network below.
The user of the Windows PC in the Sales department fires up their Web browser so that they can access the company's internal intranet Web servers. There's a corporate intranet Web server with company-wide information and one right in the user's department on the same network segment with information for Sales staff.
Remember that each system has two addresses (logical and physical) and in order for one system to communicate with another, it needs to include both of these addresses when it puts a packet together to send to the destination system.
Scenario 1 - Accessing SALES1 - SAME Network
The Windows PC user wants to look at sales figures for last month on the intranet Web server in their department. In the browser URL line they enter:
http://sales1.widgets.com
or in the case of a Windows-based network that is only using WINS for name resolution:
http://sales1
Here's what happens:
1. The Windows PC sends a DNS or WINS query to the DNS or WINS server to get the IP address of the intranet Web server named in the URL (in this case SALES1)
2. The DNS or WINS server sends a response back with the IP address of 172.16.0.20
3. The Windows PC uses its subnet mask to see if the received IP address is on the same logical network as it is (i.e. is the network portion of the IP addresses of both SALES1 and the Windows PC the same)
4. Because they are on the same logical network, the Windows PC sends out an ARP request using the SALES1 IP address
5. SALES1 responds to the Windows PC supplying the Windows PC with its (SALES1) MAC address so the Windows PC now has both of the destination addresses it needs to send the HTTP packets to SALES1
6. The Windows PC sends out the HTTP packets to SALES1. The switch, knowing the MAC addresses of both systems, sets up a virtual direct connection between the two and the HTTP traffic is sent
Scenario 2 - Accessing CORP1 - DIFFERENT Networks
The Windows PC user in the Sales department wants to look at the company's telephone directory on the main corporate intranet Web server. In the browser URL line they enter:
http://corp1.widgets.com
or in the case of a Windows-based network that is only using WINS for name resolution:
http://corp1
Here's what happens:
1. The Windows PC sends a DNS or WINS query to the DNS or WINS server to get the IP address of the intranet Web server named in the URL (in this case CORP1)
2. The DNS or WINS server sends a response back with the IP address of 172.17.0.25
3. The Windows PC uses its subnet mask to see if the received IP address is on the same logical network as it is (i.e. is the network portion of the IP addresses of both CORP1 and the Windows PC the same)
4. Because they are not on the same logical network, the Windows PC sends out an ARP request using the default gateway's IP address
5. The default gateway (router) responds to the Windows PC supplying the Windows PC with its (router interface) MAC address so the Windows PC now has both of the destination addresses it needs to send the HTTP packets to CORP1
6. The Windows PC sends out the HTTP packets to the default gateway and the switch, knowing the MAC addresses of the Windows PC and the default gateway router interface, sets up a virtual direct connection between the two and the HTTP traffic is sent
7. The default gateway router removes the Ethernet frame (de-encapsulation) and looks at the network portion of the IP address in the incoming packets to determine what network the destination computer is on
8. The default gateway router checks its routing table and finds that the destination network is connected to one of its interfaces (the 172.17.0.1 interface)
9. The default gateway router sends an ARP request out of this interface with the IP address of the destination computer (CORP1)
10. CORP1 responds to the router, supplying it with its (CORP1) MAC address, so the router now has both of the destination addresses it needs to forward the packets on to CORP1
11. The default gateway router re-encapsulates the packet with a new Ethernet frame using CORP1's destination MAC address and the source MAC address of its 172.17.0.1 interface and forwards the packets to CORP1. The switch, knowing the MAC addresses of the router interface and CORP1, sets up a virtual direct connection between the two and the HTTP traffic is forwarded
In both of the above scenarios, the intranet Web servers will be the ones doing all the DNSing and ARPing when they respond to the received HTTP request. (Recall that on small networks a hosts file on each system could be used instead of a DNS or WINS server, in which case the DNS or WINS queries wouldn't be necessary.) Also, in actuality a PC or router first checks its local ARP table to see if it already has an entry for the MAC address of the destination system before sending out an ARP request. If it does need to issue an ARP request, it uses the received MAC address to update its table.
Note one important point. As packets travel over router hops the MAC addresses change (each router re-encapsulates the packet in a new frame), but the source and destination IP addresses stay the same. MAC addresses (and ARP) are used only within a network (or sub-network, as in the case above); IP addresses are used both within and across sub-networks and networks. One consequence worth remembering: ARP has no authentication, so whichever host on a segment answers an ARP request receives the frames, and a host that sends unsolicited ARP replies can redirect a neighbor's traffic to itself (ARP spoofing). If traffic is going somewhere unexpected, compare the ARP cache (arp on Linux, arp -a on Windows) against the MAC addresses you know the systems should have.
In order to fully appreciate the above material you have to be familiar with the OSI layer model and what takes place at each layer. However, if you understand the above material you've got a pretty good handle on how networks work.
Network Configuration Files
If you set up networking during the Debian OS installation, these files will be pretty much set up already. If you wanted to change anything related to the network settings on your system, you simply make the relevant changes in the appropriate files (just make sure you make all of the necessary changes in all of the files so the networking configuration is consistent). As with most Linux/UNIX configuration files, these are all text files that can be changed using a simple text editor.
Where necessary, changes to these files are detailed on the Internet Servers page in the configuration of various server services. The primary network configuration files on a Debian system are:
• /etc/hosts
This file is used for name resolution of machines on the local network. Just as DNS is used to resolve Internet domain names (i.e. translate the domain name into an IP address that your computer can use to communicate with a distant computer), the hosts file is used to resolve the names of computers on your local network. In addition to having a line for each of the other computers on your internal network, you have to have one for the computer that the hosts file is on (the "local" computer). For example, if you accepted the default host name of "debian" during the installation, the hosts file entry for the local system would be:
192.168.10.10	debian.mylastname.net	debian	mailhost
The fields are separated by Tab characters (spaces work too). Put the FQDN first: the first name on a line is the "canonical" name the resolver returns for that address, so with the FQDN first a command like hostname -f will report debian.mylastname.net. The names after it are aliases; the "mailhost" alias shown here is optional. Don't put "localhost" on this line. localhost belongs only on the 127.0.0.1 line (see below), so that programs which connect to localhost stay on the loopback interface instead of going out to the NIC's address. You can also have entries for your Windows systems (provided they're running TCP/IP and not just NetBEUI). You just use the system's "Computer Name", so an example of an entry for a Windows system would be:
192.168.10.20	win95box.mylastname.net	win95box
You will also see a "localhost" entry with an IP address of 127.0.0.1 which is called the "loopback" address. It has an interface designation of lo when you use the ifconfig command. The loopback address is a TCP/IP standard found on all systems no matter their OS. It is used for testing. If you can successfully ping the loopback address it indicates that your TCP/IP stack is properly configured. If you can ping the IP address of the NIC that's in the computer you're on (the local system) it indicates that the NIC and TCP/IP stack are both OK.
Note that with hard-core networking types like Linux/UNIX and Cisco, a "host" is any end-node like a server, a workstation computer, or even a networked printer. So what we refer to as the "computer" part of the IP address on this page is often referred to as the "host portion" of the IP address in networking literature.
• /etc/host.conf
This file is part of how you tell the system where to look when resolving host (computer) and domain names. The most common possible selections are:
o hosts - look for host names and addresses in the /etc/hosts file
o bind - use the DNS server(s) specified in /etc/resolv.conf
o nis - Network Information Service - kind of an internal network version of DNS used on large Linux/UNIX networks
The order in which the above selections are listed is the order in which they are tried. For example, you should always list "hosts" first so your system doesn't go out to the Internet trying to find a system that's on your local network. If the first method doesn't resolve the name, the next entry is tried. Running NIS on your network is no small feat, so if you don't know whether you should use NIS or not you're probably not running it and you don't need the "nis" entry. As a result, the important line in this file is:
order hosts,bind
One caveat: Debian uses the GNU C library, and its resolver takes the lookup order from the hosts: line in /etc/nsswitch.conf (the default there is "hosts: files dns", which means the same thing as the line above). The order line in /etc/host.conf is what the older libc5 resolver used, so keep the two files in agreement and, if a name resolves in a way you don't expect, check /etc/nsswitch.conf as well.
• /etc/resolv.conf
As noted above, this is the file you use to enter your DNS server information. Unless you have your own Internet DNS server, this file will contain information about your ISP:
search yourisp.com
nameserver 172.25.188.66
nameserver 172.25.188.77
Your ISP's domain and DNS server IP addresses go in place of the example values above. The search line is optional; it names the domain the resolver appends when you type a bare host name. Up to three nameserver lines are honored and they are tried in order, so list the closest or most reliable server first.
What about having your own Internet DNS server? Bad idea. First of all, when you register a domain name with someone like Network Solutions you're required to enter the IP addresses for two DNS servers. This is because DNS is critical. If it fails no one will be able to "find" (get the IP address of) your Web, e-mail, or other Internet servers. That's why a proper DNS server setup includes two servers with two different addresses (for redundancy). And since an ISP will typically only allocate a few static IP addresses to you, using two of them just for DNS isn't very efficient. If you need DNS records for an Internet Web or e-mail server, check with your ISP. They will usually host your DNS records on their DNS servers for a small one-time setup fee ($5 in the case of our ISP).
• /etc/network/interfaces
This file contains the IP information that your system uses to work with the NIC(s). There is a parent entry for each NIC, and the information for the NIC is listed underneath it like so:
auto eth0
iface eth0 inet static
        address 192.168.10.10
        netmask 255.255.255.0
        network 192.168.10.0
        broadcast 192.168.10.255
        gateway 192.168.10.1
Note that the above would be appropriate for an internal LAN interface. Also note that the "network" (aka "wire") and broadcast addresses for the network the system is on are also listed.
Be careful about using the gateway setting. This should only be used if you truly do have a gateway router that leads off your network, most likely to the Internet. (A proxy server or firewall is one such type of router.) Having a default gateway address in the NIC configuration when you don't have a default gateway router will cause problems if you try to connect to the Internet using a modem, because the kernel will keep sending Internet-bound traffic to the non-existent router instead of out the modem. (See the Modems page for more information on this.)
As you will see on the Internet Servers page, the Apache Web server software allows you to host any number of Web sites on a single server by setting up a "virtual host" for each domain (Web site). For example, if you wanted to use your system to host the Web sites www.shoes4men.com and www.shoes4ladies.com you would set up a virtual host for each in the Apache configuration file. Apache can do this in two ways. With "name-based" virtual hosts both names point (in DNS) at the one address on your NIC and Apache picks the site from the Host: header the browser sends, so nothing extra is needed at the network level. With "IP-based" virtual hosts each site gets its own IP address; you need that for sites served over SSL, for example, because the server has to choose the certificate before it has seen the Host: header. But you only have one NIC connected to your broadband connection. No problem. You just create a "virtual interface" (an alias) for each additional address.
You create virtual interfaces by adding an additional iface entry in the /etc/network/interfaces file for each one. Where the above only had one entry for the NIC, we now have one for the real interface plus one per alias, and the alias names are the real interface's name with a colon (:) and a number, 1 or higher, appended. Every name that should come up at boot must also be listed on the auto line. For example, assuming the ISP gave you the block 172.30.156.112 with a netmask of 255.255.255.240 and its router is at 172.30.156.113 (the .114 address used below for the NIC itself is just an example):
auto eth0 eth0:1 eth0:2
iface eth0 inet static
        address 172.30.156.114
        netmask 255.255.255.240
        network 172.30.156.112
        broadcast 172.30.156.127
        gateway 172.30.156.113
iface eth0:1 inet static
        address 172.30.156.115
        netmask 255.255.255.240
        network 172.30.156.112
        broadcast 172.30.156.127
iface eth0:2 inet static
        address 172.30.156.116
        netmask 255.255.255.240
        network 172.30.156.112
        broadcast 172.30.156.127
Two things to get right here. The gateway must be an address inside the block (172.30.156.1, for instance, is not in 172.30.156.112/28, so the kernel would refuse the route with "Network is unreachable"), and the gateway line appears once only, in the real interface's entry; a second one in an alias entry tries to add a second default route and ifup fails with "SIOCADDRT: File exists".
Notice the netmask entry. This indicates that most of the address is the network address. Only the last 4 bits of the last octet identify the computer. That only allows for 16 computer addresses (actually only 14 are usable due to the wire and broadcast addresses).
More precisely, because the IP addresses are in the Class B address range, the first two octets are the network portion of the address and the third octet and the first half (4 bits) of the fourth octet are the subnet portion of the address. Subnets are created by "borrowing" some of the computer bits in an address and using them to identify sub-networks. Naturally, this leaves you with fewer computer bits so you must have fewer computers on a subnet.
This is something that ISPs routinely do. They will take their public address space and subnet it into a lot of small public subnets. These small public subnets are then assigned to business customers looking for static IP addresses.
The point? Looking at a subnet mask will give you some idea of a network's size. The higher the numbers in the subnet mask:
o the more bits that are used to identify the network/subnet portion of an IP address
o the more networks (subnets) there are in the address space
o the smaller these individual networks will be (fewer number of computers per network)
It's kind of like cutting up a pie. You can get more slices (networks) if you make the individual slices smaller. More details on subnetting are given in the Subnetting section below.
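Errors in this file are easy to make and ifup's messages are terse, so here is an added example (my own code, not from the page or from Debian's ifupdown) that parses the stanza syntax shown in this section and cross-checks each static stanza: the address must not be the wire or broadcast address, the network and broadcast options must agree with the address and netmask, the gateway must lie inside the netmask's range, every static interface must be on an auto line, and only one stanza may carry a gateway line. The two sample files inside it are constructed for the demonstration; the second deliberately contains the two errors that commonly trip people up with aliases, an off-subnet gateway and a duplicate gateway line.

```python
"""Sanity-check the static stanzas of an /etc/network/interfaces file.

Added example, not from the page or from Debian's ifupdown. It parses the
syntax shown in the text (auto lines and "iface NAME inet static" stanzas with
address/netmask/network/broadcast/gateway options) and reports the mistakes
that make ifup fail or leave a box unreachable. The sample files below are
constructed for the demo; the addresses are the ones used in the text.
"""
import ipaddress

# Constructed: the LAN interface from the text, which should pass cleanly.
GOOD_INTERFACES = """\
auto eth0
iface eth0 inet static
    address 192.168.10.10
    netmask 255.255.255.0
    network 192.168.10.0
    broadcast 192.168.10.255
    gateway 192.168.10.1
"""

# Constructed: an alias setup with two classic mistakes, a gateway that is
# not inside the /28 and a second 'gateway' line in the alias stanza.
BAD_INTERFACES = """\
auto eth0 eth0:1
iface eth0 inet static
    address 172.30.156.115
    netmask 255.255.255.240
    network 172.30.156.112
    broadcast 172.30.156.127
    gateway 172.30.156.1
iface eth0:1 inet static
    address 172.30.156.116
    netmask 255.255.255.240
    network 172.30.156.112
    broadcast 172.30.156.127
    gateway 172.30.156.113
"""


def parse_interfaces(text):
    """Return (set of names on auto lines, {iface name: {option: value}})."""
    auto, stanzas, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        words = line.split()
        if words[0] == "auto":
            auto.update(words[1:])
            current = None
        elif words[0] == "iface" and len(words) >= 4:
            current = words[1]
            stanzas[current] = {"_family": words[2], "_method": words[3]}
        elif current is not None and len(words) >= 2:
            stanzas[current][words[0]] = " ".join(words[1:])
    return auto, stanzas


def check_interfaces(text):
    """List human-readable problems; an empty list means the file looks sane."""
    auto, stanzas = parse_interfaces(text)
    problems, gateway_owner = [], None
    for name, opts in stanzas.items():
        if opts["_family"] != "inet" or opts["_method"] != "static":
            continue                              # dhcp/loopback: nothing to cross-check
        if name not in auto:
            problems.append(f"{name}: not on an 'auto' line, will not come up at boot")
        try:
            iface = ipaddress.ip_interface(f"{opts['address']}/{opts['netmask']}")
        except (KeyError, ValueError) as exc:
            problems.append(f"{name}: missing or invalid address/netmask ({exc})")
            continue
        net = iface.network                       # network derived from address+mask
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: address {iface.ip} is the wire or broadcast address of {net}")
        if "network" in opts and ipaddress.ip_address(opts["network"]) != net.network_address:
            problems.append(f"{name}: network {opts['network']} disagrees with address/netmask ({net.network_address})")
        if "broadcast" in opts and ipaddress.ip_address(opts["broadcast"]) != net.broadcast_address:
            problems.append(f"{name}: broadcast {opts['broadcast']} disagrees with address/netmask ({net.broadcast_address})")
        if "gateway" in opts:
            gw = ipaddress.ip_address(opts["gateway"])
            if gw not in net:
                problems.append(f"{name}: gateway {gw} is not on {net}; 'route add' would say 'Network is unreachable'")
            if gateway_owner is None:
                gateway_owner = name
            else:
                problems.append(f"{name}: second default gateway ({gateway_owner} already sets one); ifup would fail with 'File exists'")
    return problems


if __name__ == "__main__":
    for label, text in (("good", GOOD_INTERFACES), ("bad", BAD_INTERFACES)):
        print(f"== {label} ==")
        for p in check_interfaces(text) or ["no problems found"]:
            print("  " + p)
```

Run it against your own file with `check_interfaces(open("/etc/network/interfaces").read())` before rebooting; the checks are exactly the ones the kernel and ifup will otherwise enforce for you at the worst possible moment.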
• /etc/network/options
There's only one line of interest to us in this file:
ip_forward=no
This is the setting that allows (or in this case doesn't allow) your system to forward packets between its interfaces, which is what it has to do when acting as a gateway, proxy server or firewall. I point this out because you will see in the shell scripts on the Proxy/NAT and Firewall pages that you can use a command to dynamically change this setting. The live value is in /proc/sys/net/ipv4/ip_forward (1 = forwarding on, 0 = off); cat shows it and echo 1 > /proc/sys/net/ipv4/ip_forward turns it on until the next reboot without editing the options file at all. Leave forwarding off on any system that isn't meant to be a router: a host with forwarding enabled will relay packets addressed to other machines, which is not something a plain Web or mail server should ever do.
• /etc/inetd.conf
This file controls which of the "small" network services inetd listens for and starts on demand. As a matter of fact, commenting out the lines for services you don't need is one of the first things you should do to secure an Internet server: when a line is commented out its service is never started and its port is never opened. After editing, tell inetd to re-read the file (send its process a HUP signal with kill -HUP, or run /etc/init.d/inetd restart) and confirm with netstat -tuln that the port is gone. More details about this file are given on the Internet Servers page.
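As an added example of the check that goes with this (my own code, not from the page or from Debian), the Python below reads an inetd.conf, reports which services are active and which port each will open according to /etc/services, flags the ones that have no business on an Internet server, and produces a copy with those lines commented out. Both sample files in it are constructed for the demonstration, in the layout Debian uses; the service names, ports and program paths are the standard ones.

```python
"""Audit an inetd.conf: what is enabled, which port each line opens, and a
hardened copy with the unneeded lines commented out.

Added example, not from the page or from Debian. Both sample files below are
constructed for the demo in the format of /etc/inetd.conf and /etc/services.
"""

# inetd.conf fields: service  socket-type  protocol  wait/nowait  user  server  [args]
SAMPLE_INETD_CONF = """\
#:INTERNAL: Internal services
#echo       stream  tcp  nowait  root    internal
discard     stream  tcp  nowait  root    internal
daytime     stream  tcp  nowait  root    internal
time        stream  tcp  nowait  root    internal
#:STANDARD: These are standard services.
telnet      stream  tcp  nowait  telnetd.telnetd  /usr/sbin/tcpd  /usr/sbin/in.telnetd
ftp         stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/in.ftpd
#:BSD: Shell, login, exec and talk are BSD protocols.
shell       stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/in.rshd
#finger     stream  tcp  nowait  nobody  /usr/sbin/tcpd  /usr/sbin/in.fingerd
#:MAIL: Mail, news and uucp services.
smtp        stream  tcp  nowait  mail    /usr/sbin/exim  exim -bs
"""

SAMPLE_SERVICES = """\
ftp        21/tcp
telnet     23/tcp
smtp       25/tcp    mail
discard     9/tcp    sink null
daytime    13/tcp
time       37/tcp    timserver
finger     79/tcp
shell     514/tcp    cmd
"""

# Services with no place on an Internet-facing server, and why.
RISKY = {
    "telnet": "password sent in cleartext",
    "ftp": "password sent in cleartext",
    "shell": "rsh: trusts the source address, no real authentication",
    "login": "rlogin: trusts the source address, no real authentication",
    "exec": "rexec: password sent in cleartext",
    "finger": "lists users to anyone who asks",
    "echo": "trivial traffic amplification/DoS target",
    "chargen": "trivial traffic amplification/DoS target",
    "discard": "no use on a server, one more open port",
    "daytime": "no use on a server, one more open port",
    "time": "no use on a server, one more open port",
}


def active_services(inetd_conf):
    """Map service name -> details for every line inetd will act on."""
    active = {}
    for line in inetd_conf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                       # blank or commented out: never started
        fields = line.split()
        if len(fields) < 6:
            continue                       # malformed line, skipped
        name, _socktype, proto, _wait, user, server = fields[:6]
        active[name] = {"proto": proto, "user": user, "server": server, "args": fields[6:]}
    return active


def port_table(services):
    """Parse /etc/services text into {(name, proto): port}, aliases included."""
    table = {}
    for line in services.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        port, proto = fields[1].split("/")
        for alias in [fields[0]] + fields[2:]:
            table[(alias, proto)] = int(port)
    return table


def open_ports(inetd_conf, services):
    """Service name -> port inetd will bind, for every active line."""
    table = port_table(services)
    return {name: table.get((name, info["proto"]))
            for name, info in active_services(inetd_conf).items()}


def audit(inetd_conf):
    """Active services that appear on the RISKY list, with the reason."""
    return {name: RISKY[name] for name in active_services(inetd_conf) if name in RISKY}


def disable(inetd_conf, names):
    """Return a copy of inetd_conf with the lines for `names` commented out."""
    out = []
    for line in inetd_conf.splitlines():
        fields = line.split()
        if fields and not line.lstrip().startswith("#") and fields[0] in names:
            out.append("#" + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    ports = open_ports(SAMPLE_INETD_CONF, SAMPLE_SERVICES)
    for name, why in audit(SAMPLE_INETD_CONF).items():
        print(f"{name:8} port {ports[name]!s:5} {why}")
    hardened = disable(SAMPLE_INETD_CONF, set(audit(SAMPLE_INETD_CONF)))
    print("still active:", sorted(active_services(hardened)))
```

On a real system feed it the contents of /etc/inetd.conf and /etc/services, write the hardened copy back over inetd.conf, send inetd a HUP, and confirm with netstat -tuln that only the ports you expect are still listening. Note that the tcpd wrapper on most lines only restricts who may connect; it does not make telnet or ftp any less cleartext.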
On Windows systems, when you want to change the network settings you go into the Network control panel and select the TCP/IP Properties. You enter your information into a GUI window and it is then written to the files that make up the registry. With Linux you basically eliminate the GUI middle-man and edit the files yourself.
When it comes to networking, all operating systems do pretty much the same thing. They just put a different face on it.
Replacing A Network Card
NICs fail or you may want to upgrade to a faster NIC. If you're replacing a failed NIC with one of the same type, you shouldn't need to do anything to any of the configuration files. Simply swap the card out and boot the system.
If you're replacing a NIC with a different model, check which driver the new NIC uses. If it's the same driver, again you shouldn't need to do anything except swap the NIC and boot the system. Here are some common NICs and the drivers they use:
NIC                        Driver
3C509-B (ISA)              3c509
3C905 (PCI)                3c59x
SMC 1211                   rtl8139
SiS 900                    sis900
Allied Telesyn AT2550      rtl8139
SMC 8432BT                 tulip
SMC EtherPower 10/100      tulip
Netgear FX31               tulip
Linksys EtherPCI           tulip
Kingston KNT40T            tulip
Kingston KNE100TX          tulip
D-Link DFE500TX            tulip
D-Link DFE340TX            tulip
D-Link DE330CT             tulip
Many other cards use the pcnet32 or lance drivers. If your NIC is not one of the ones listed above you may find it, and its corresponding driver name, in the Ethernet HOWTO list.
If the NIC you're installing uses a different driver, you only need to manually edit one file. The /etc/modules file lists the kernel modules that should be automatically loaded when you boot the system. (NIC drivers are kernel modules.) All you need to do is edit this file using the nano text editor with the command:
nano /etc/modules
Simply backspace out the name of the driver for the NIC being removed and type in the name of the driver module for the new NIC. Then just shut down the system, swap the NICs, and turn on your system. The settings in your current /etc/network/interfaces file will be applied to the new NIC, because that file is keyed to the interface name (eth0), not to a particular card or driver: whatever card the kernel registers as eth0 gets the configuration under the
auto eth0
and iface eth0 entries. While NIC driver modules can be loaded with optional parameters, it's best to not use any parameters and let the NIC auto-negotiate the speed and duplex of the connection with the switch it is connected to. After booting, check dmesg for the driver's message naming eth0 and ifconfig eth0 for the address.
Installing A Network Card
If you have an existing Debian system without a NIC and you'd like to add one to put your system on a network, you'll have to add the NIC's driver module to the system configuration and then use the nano text editor to take care of the necessary network files.
The first thing to do (after installing the NIC) is run the modconf command at a shell prompt. Highlight the Net selection in the modconf menu and then highlight your NIC driver and press Enter to install it, leaving the optional parameters field blank. Then exit out of modconf.
Use nano to edit the /etc/network/interfaces file and add an eth0 section like that shown earlier. You'll also want to edit the /etc/hosts file to add a line for your system. If your system's name is 'debian', its IP address is 192.168.10.50, and your domain name is 'smith.net', you'd want to add the following line to your hosts file:
192.168.10.50	debian.smith.net	debian
Those are tab characters separating the above entries. You'll also have to use the nano editor to create a /etc/resolv.conf file and add entries like those shown earlier. You'll also want to verify the contents of the /etc/host.conf file as discussed earlier.
Adding the NIC driver module, editing two files, and creating a third is all you should need to do to get your new NIC working. Reboot your system (or run ifup eth0) and verify that it all works by pinging another workstation on the local network by IP address, then by a name from your hosts file, then an Internet host name, so you test the NIC, the hosts file and DNS in turn.
Adding A Second Network Card
Setting up a proxy or firewall system requires that the system have two NICs so you would have to add a second network card to your existing networked Debian system. If you want to use a Linux system as a router you would have a system with multiple NICs, one for each of the subnets you wish to interconnect.
Installing a second NIC (or more) in a system that already has one is easy to do. You just have to make sure that the second NIC is configured for a different network (or subnet) than that of the first.
Scenario 1 - Two NICs - Same Driver
If the second NIC you're adding uses the same driver as the one already installed, all you have to do is add the information for the eth1 (second) NIC to the /etc/network/interfaces file. Given the file we had earlier, adding this information would result in a file like this:
auto eth0
iface eth0 inet static
address 192.168.10.10
netmask 255.255.255.0
network 192.168.10.0
broadcast 192.168.10.255
gateway 192.168.10.1
auto eth1
iface eth1 inet static
address 172.16.1.10
netmask 255.255.0.0
network 172.16.0.0
broadcast 172.16.255.255
gateway 172.16.0.1
Since the same driver module will be used for both NICs, this is all that is necessary to get both NICs to work (after saving the file and rebooting the system).
The important thing to remember about this scenario is that when the same driver is used for multiple NICs, the driver finds the cards in the order the kernel scans the PCI bus, which normally means the NIC in the lower-numbered PCI slot becomes the eth0 interface and the NIC in the higher-numbered PCI slot (closer to the end of the motherboard) becomes eth1. Don't guess: dmesg shows which card each ethX name was given, and ifconfig -a lists every interface the kernel knows about, configured or not. Getting the two backwards on a firewall puts the inside rules on the outside interface, so check before you trust it.
Scenario 2 - Two NICs - Two Drivers
If you have two different make/model NICs that require two different drivers you'll want to add the eth1 information for the new NIC to the /etc/network/interfaces file as above. You'll also want to run the modconf utility as described earlier to pick the driver for it.
When the drivers load at system boot they will initialize their NIC. The key word is "when". The NIC designated as eth0 will be the NIC whose driver module is loaded first. Because modconf adds the selected driver module to the bottom of the /etc/modules file, the newly-added NIC will be designated as the eth1 interface. If you wish to flip this, simply edit the file to place the driver for the new NIC above that of the original NIC.
Using Static Routes
Every computer system (servers and workstations) maintains a "routing table" in memory. This table contains entries that specify which gateway to use to get to other networks or subnets. If a network or subnet only has one gateway (which most do), the routing table isn't very complex. It will typically consist of a route for the locally-attached network (added automatically when the NIC comes up), a default route taken from the "default gateway" setting in the system's TCP/IP configuration, and an entry for the loopback network (127.0.0.0). The loopback entry is used when testing a TCP/IP configuration and by programs on the machine that talk to each other.
On Linux systems you can look at the routing table simply by entering route at a shell prompt (route -n skips the reverse DNS lookups and shows plain addresses, which is faster and doesn't hang when DNS is down). On Windows systems you have to open up a DOS window and enter the route print command. If you have a "default gateway" entered in the system's TCP/IP settings, you should see an entry in the routing table with this address as the gateway (route shows its destination as "default" or 0.0.0.0). If you look at the routing table, and then dial up your ISP, you'll see that the table was updated to include entries for your ISP's network. In this case, the modem link (ppp0) is acting as a gateway off of your local network (or stand-alone system).
Static routes are entries that you manually enter into a system's routing table (they can also be entered on routers). They are useful when a network segment has multiple "gateways", or paths off the local segment. In the diagram below the multiple gateways are represented by two routers. However a multi-homed system like proxy or VPN server could be substituted for one or both of the routers.
If a computer system wants to send data to another computer that's not on the "local" segment, it will send that data out through whatever default gateway is specified in its TCP/IP configuration. But what if the destination computer isn't accessible by the default gateway? That's where static routes come in.
Lets consider a scenario using the diagram below. A Windows PC on the 172.16.0.0 network segment runs a special application that accesses data on the Linux server with the address 172.18.0.43. Without a static route, the Windows PC will go through the 172.16.0.1 router trying to find this server because thats what its default gateway is set to. We need to tell the Windows PC to use a different (172.16.0.2) gateway when it wants to communicate with the 172.18.0.43 Linux server.
On the Windows PC we would open up a DOS window and enter one of the static route commands shown in the diagram above. The first command sets up a static route that applies only to that one specific Linux server (172.18.0.43). Traffic destined for all other systems on that same network segment (172.18.0.22 for example) would still be sent, uselessly, out the Windows PC's default gateway. The second command creates a static route that correctly routes traffic to any system on the 172.18.0.0 network segment. In other words, the first command sets up a static route to a specific system, while the second sets up a static route to the entire 172.18.0.0 network. The host-specific form is sometimes used to limit what a machine can reach, but treat that as housekeeping rather than security: it only shapes where this one PC sends packets, anyone with administrator rights on it can add a route, and it does nothing about traffic arriving from the other direction. Use packet filtering on the routers (or the firewall) for real access control.
The syntax for the Linux route command is similar to the Windows version. The Linux equivalents of the two Windows commands given in the diagram would be:
route add -host 172.18.0.43 gw 172.16.0.2
route add -net 172.18.0.0 netmask 255.255.0.0 gw 172.16.0.2
Note that you don't need to enter a mask when using the -host switch; a mask of 255.255.255.255 is assumed. This may not seem logical, since that mask means "all network bits and no system bits", but a 255.255.255.255 mask simply describes a "network" of exactly one address: the specified system. When the kernel looks up a destination it uses the most specific matching entry (the one with the longest mask), which is why a -host route wins over a -net route covering the same address, and both win over the default route.
In the diagram above, the Windows PC uses the 172.16.0.1 for a default gateway because this is the route to take to get onto the Internet. The default gateway router (the one with the 172.16.0.1 interface) would itself likely have a "gateway of last resort" (default gateway) entry of 172.17.0.2 which would cause it to send all non-local traffic out through the proxy server.
In the above diagram the static routes are being entered on a Windows workstation PC but they are also useful on servers. For example, we have a mail server on our 172.17.x.x LAN segment that needs to pull Internet e-mail from one of our ISP's servers. To get to the ISP server the mail server uses its default gateway (which is set to our proxy server). However, it also has to pull messages from an internal enterprise Lotus Notes/Domino or Microsoft Exchange server on a different internal network segment (172.30.x.x). Entering a static route on the mail server takes care of the problem:
route add -net 172.30.0.0 netmask 255.255.0.0 gw 172.17.0.10
The 172.17.0.10 is the address of the router interface (not shown in the above diagram) which connects our 172.17.0.0 LAN segment to the rest of the enterprise network where the internal (Domino or Exchange) mail servers are located. Enabling server-to-server communications is probably the most common use of static routes.
Static routes can be thought of as "explicit" routes. You use them to explicitly tell IP to use a certain gateway for a given destination network or subnet. The default gateway setting could be thought of as an "implicit" static route. You are telling IP that for any destination network or subnet that doesn't have an explicit route defined, send the traffic to the default gateway router.
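The way the kernel chooses between a host route, a network route and the default route is easier to see in code. The following is an added example (my own, not from the page): a model of the Windows PC's routing table with a longest-prefix-match lookup, using the page's addresses. The 255.255.0.0 mask on the PC's own 172.16.0.0 segment is assumed, since the diagram isn't reproduced here, and the route labels are mine.

```python
"""Longest-prefix-match lookup over a host's routing table.

Added example, not from the original page. It models the kinds of entries the
text discusses (on-link, -host, -net and default) in the page's scenario: a
default gateway of 172.16.0.1, a second router at 172.16.0.2 and a Linux
server at 172.18.0.43. The PC's own segment is assumed to be 172.16.0.0/16.
"""
import ipaddress


class RoutingTable:
    def __init__(self):
        # Each entry: (destination network, gateway or None for on-link, label)
        self.routes = []

    def add_link(self, network, netmask):
        """The kernel adds this itself when the NIC comes up: deliver directly."""
        self.routes.append((ipaddress.ip_network(f"{network}/{netmask}"), None, "link"))

    def add_host(self, host, gw):
        """route add -host HOST gw GW   (mask 255.255.255.255 implied)"""
        self.routes.append((ipaddress.ip_network(f"{host}/32"),
                            ipaddress.ip_address(gw), "host"))

    def add_net(self, network, netmask, gw):
        """route add -net NETWORK netmask NETMASK gw GW"""
        self.routes.append((ipaddress.ip_network(f"{network}/{netmask}"),
                            ipaddress.ip_address(gw), "net"))

    def add_default(self, gw):
        """route add default gw GW   (the 0.0.0.0/0 'implicit' route)"""
        self.routes.append((ipaddress.ip_network("0.0.0.0/0"),
                            ipaddress.ip_address(gw), "default"))

    def lookup(self, destination):
        """Return (next_hop, label); next_hop None means 'on the wire, ARP for it'.

        Every matching entry is considered and the one with the longest mask
        wins, so /32 beats /16 beats /0 regardless of the order they were added.
        """
        dst = ipaddress.ip_address(destination)
        best = None
        for net, gw, label in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, label)
        if best is None:
            raise LookupError(f"no route to {dst}")      # kernel: 'Network is unreachable'
        return (None if best[1] is None else str(best[1])), best[2]


def windows_pc(with_net_route):
    """The PC from the page's diagram, before and after the second (-net) command."""
    rt = RoutingTable()
    rt.add_link("172.16.0.0", "255.255.0.0")          # assumed mask for the PC's segment
    rt.add_default("172.16.0.1")
    rt.add_host("172.18.0.43", "172.16.0.2")          # first command in the text
    if with_net_route:
        rt.add_net("172.18.0.0", "255.255.0.0", "172.16.0.2")   # second command
    return rt


if __name__ == "__main__":
    for flag in (False, True):
        pc = windows_pc(flag)
        print("with -net route" if flag else "host route only")
        for dst in ("172.18.0.43", "172.18.0.22", "172.16.0.77", "10.9.8.7"):
            print(f"  {dst:14} -> {pc.lookup(dst)}")
```

With only the -host route, 172.18.0.22 falls through to the default gateway, which is the failure the text describes; adding the -net route fixes every address on that segment at once. On a real Linux box the equivalent check is `route -n` to see the table and, on systems with iproute installed, `ip route get 172.18.0.22` to see which entry the kernel actually picks for a destination.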
Subnetting
The information in this section isn't necessary for setting up a Linux server. It is presented here for those that may want to know more about the subnetting process than was presented above.
As mentioned earlier, the decimal numbers that make up an IP address or subnet mask are referred to as "octets" because their values are derived from 8 binary digits. (These 8 binary digits are often written in two groups of 4 to make for easier reading.) And, like all other number systems, the further you go to the left, the more value (weight) the digit has. For example, with a base-10 number system like we use for money, with "$111" the first '1' represents $100, the second '1' represents $10, and the third '1' only represents $1 (a factor of 10 for each position to the left because it's a base-10 number system) all added together. With $101 there wouldn't be any 10-value to add in so it's just $100 plus $1.
With the binary number system it's pretty much the same thing. It's just that because the binary number system is base-2, the value (weight) of a digit doubles (a factor of 2 rather than a factor of 10) for each position to the left.
In a binary number, any bit that's a '0' has no value. Any bit that's a '1' has the value of its position. Add up the values of the positions that have a '1' bit and you have the decimal equivalent. If all eight bits were '1', the values of all of the positions would add up to 255 (as in a subnet mask). See how easy binary-to-decimal conversion is!
When they created the IP addressing system they decided to create the classes based on how many '1' bits started the first octet like so:
Class   First octet (binary)     Possible values      Network portion
A       0000 0000 - 0111 1111    0 through 127        First octet only
                                 ('0' network not used; 127 reserved for loopback)
B       1000 0000 - 1011 1111    128 through 191      First two octets
C       1100 0000 - 1101 1111    192 through 223      First three octets
D       1110 0000 - 1110 1111    224 through 239      N/A (reserved for multicast addresses)
That's how the numeric ranges for IP addresses in the various address classes are derived.
Now ask yourself this question; If you can tell the class of an address just by looking at the first few bits, and the class determines how much of the address is the network portion, why do you need a subnet mask?
Technically, you don't. At least not with a "classful" addressing scheme. In classful addressing schemes, routers don't even forward a subnet mask in their routing updates. The class (and subsequently how much of an IP address constitutes the "network" portion of the address) is determined simply by looking at the first few bits in the first octet. The very common RIPv1 routing protocol is strictly classful.
You need a subnet mask because these days most IP-based software, like the networking software that's part of your operating system (and the RIPv2 and OSPF routing protocols), operates in a "classless" manner. It doesn't assume anything so you need a subnet mask to tell it how much of the IP address identifies the network. There are several benefits to using a classless addressing scheme that we won't get into here because they mainly deal with routers. However, play it safe and always assume you're dealing with classless IP addressing and enter an appropriate subnet mask when configuring any IP-based software.
Earlier we compared a computer network with the telephone system, comparing an area code to a network number and a person's telephone number to an individual computer's address. But notice that in a person's telephone number not all of it is unique. Only the last four digits are unique to that person. Many people share the same first three digits. These first three digits are called the "exchange".
If we think of each area code being a network, we can think of an exchange as sort of a "sub network" within that area code network. Actually, area code networks have quite a few exchange sub-networks in them. The telephone network is divided up into this hierarchical structure of a network (area code) being divided into sub-networks (exchanges) consisting of individual nodes (last four digits of a telephone number) because it makes it easier to design systems that route calls. It makes things more "modular".
Breaking up a data network into sub-nets is done for pretty much the same reason. It makes it easier to route and manage network traffic. However, another important reason is that it saves on IP addresses. If an ISP were to assign an entire Class C address range to a business customer with only 50 computers, 204 of the 254 usable addresses would be wasted. Subnetting allows an ISP to parcel out its available public addresses in much smaller ranges in order to reduce this waste.
We can take one of the standard Class B private network ranges, say 172.16.0.0, and subnet it by taking a piece of the computer part of an IP address (analogous to a phone number) and using it to sub-divide the network range (as with an exchange).
Here we "borrowed" three bits from the computer part of the IP address (by using the subnet mask) to use them to identify several sub-networks. (Remember that the '1's in a subnet mask have to be contiguous so we always borrow from the left end of the computer part of the mask.) Given that we borrowed three bits, and 2 raised to the power of 3 is 8, we can identify up to 8 subnets. Note that the subnet portion of the mask does not have to coincide with an octet boundary. You can borrow as many bits as you want, but under the classic subnetting rules (RFC 950) it has to be at least two: the all-zeros subnet and the all-ones subnet are reserved (see below), so borrowing one bit gives you exactly two subnets, both reserved, and nothing usable. Modern routers and Linux will happily use both of those subnets (Cisco calls the setting "ip subnet-zero"), but the old rule is still what you'll meet in textbooks and certification exams. Now you see why they call it a "subnet" mask.
That leaves us with 13 bits to use for computer identification on each of those 8 subnets. 2 raised to the power of 13 is 8,192. But like each network, each subnet has a wire and broadcast address so we have to subtract off the two which gives us 8,190 IP addresses for computers on each subnet.
Instead of using the private Class B address space in the diagram above as an example, let's say a regional ISP had a public Class B address space assigned to it by an Internet address registry and it had operations in six small cities. It could use a subnetting scheme similar to the one above to subnet its space so that each city had its own subnet. The operation in each city would have nearly 8,200 addresses for customers. It could then further subnet its space (by using even more '1's in the subnet mask) to have smaller ranges to give to business customers wishing to have a small range of static public addresses for their Internet servers. Also in the above diagram we show the binary bit patterns and their corresponding octet values.
Subnetting is the practice of taking of given address space and dividing it up into numerous, smaller sub-networks. We mentioned that ISPs will subnet public address space to help conserve IP addresses. On privately-addressed Ethernet LANs subnetting cuts down on the size of things called "broadcast domains".
As local networks are expanded, more and more systems share the same bandwidth. This also means more and more systems are sending broadcasts to locate servers or resolve addresses. A broadcast domain is just a logical area of a network where all systems can see each others broadcasts. When broadcast domains get too big, bandwidth is gobbled up with broadcasts and the network users only get what's left.
Switches are useful in that they cut down on collisions (common in Ethernet networks): a switch forwards frames at OSI layer 2 only to the port where the destination MAC address lives, so each port is its own collision domain. But a switch does not break up the logical (OSI layer 3) segment that represents a network (i.e. a collection of machines that all have the same network part of their IP addresses), and since a broadcast frame is addressed to everybody, it forwards broadcasts out every port. The only way to stop broadcasts is to subnet a network into different logical segments (sub-networks) joined by routers, which operate at OSI layer 3 and don't forward broadcasts. (It also means a system on a switched LAN still sees every ARP and other broadcast on its subnet, which is exactly what a sniffer relies on to map the hosts around it.)
Because of the ability to borrow some of the bits from the computer part of the address and use them to identify the subnet part of the address, you can end up with subnet masks like:
255.128.0.0
255.255.248.0
255.255.255.192
These are only a few of the many different numbers you could encounter in subnet masks. To make things easier to document, subnet masks are often indicated using "bit mask" notation (also called CIDR or prefix-length notation). In bit mask notation the subnet mask is written as a slash (/) followed by the number of 1s in the subnet mask, i.e. the length of the network prefix. Here are some examples of subnet masks and their equivalent bit mask notations:
255.0.0.0 /8
255.255.0.0 /16
255.255.128.0 /17
255.255.255.0 /24
255.255.255.128 /25
255.255.255.192 /26
255.255.255.224 /27
255.255.255.240 /28
255.255.255.248 /29
255.255.255.252 /30
So instead of writing out an IP address and a subnet mask, it is becoming more and more common in networking literature and specifications to see an IP address with a bit mask after it to indicate the length of the subnet mask (how many 1s there are):
192.168.1.5/24
A /30 bit mask (255.255.255.252) yields only two usable computer addresses and is typically only found when connecting two routers together via a point-to-point link (i.e. each router's interface gets one of the addresses).
Let's take a look at a typical subnetting situation. An insurance company has multiple buildings in close proximity. Note that this does NOT constitute a WAN (Wide Area Network). It is commonly known as a "Campus LAN". The buildings are close enough that LAN technologies (Gigabit or Fast Ethernet over fiber for example) are used to interconnect the buildings, not WAN technologies like frame relay or leased lines. Fiber (100Base-FX) allows you to extend the length of Ethernet segments so that buildings too far apart for copper (100Base-TX) can be interconnected.
In this example the Class B private address network of 172.16.0.0 is subnetted into six usable subnets even though only four are being used. If this network was not subnetted and the router was replaced with a switch, you can imagine what would happen to the bandwidth of this network if every computer in every building could see broadcasts sent from every other computer in all of the buildings. For example, a PC in Building C would send an ARP broadcast intended to resolve a MAC address for another PC in building C but all of the systems in Buildings A and B and the data center would also see it. Multiply this by every PC in the enterprise and you'd have a lot of broadcast activity over the entire network.
Like full Class A, B, or C networks, every subnet has both a wire and a broadcast address. (The wire address is also referred to as the "network address".) No computers can use either of these addresses.
The first subnet can't be used because its address range includes the network (wire) address for the entire 172.16.0.0 network. Likewise, the last subnet can't be used because its address range includes the broadcast address for the entire 172.16.0.0 network (172.16.255.255). In addition, addresses ending in .0 and .255 on each subnet can't be used because these are the network and broadcast addresses for the individual subnets respectively. This is one downside of subnetting: available addresses are "lost" (can't be used by systems). The more subnets created, the more addresses that are lost. This is important to consider when you are trying to decide on which private address class to use for your enterprise. If you choose a Class C private address range and you're close to using all available addresses without subnetting, you may want to consider using the Class B space so you have some room to subnet should it become necessary in the future.
QUIZ! Looking at the above diagram, determine the following for Building B (the answers follow each item):
• Network (wire) address: 172.16.96.0
• Router interface address: 172.16.96.1
• Starting and ending addresses in the range available for systems in the building: 172.16.96.2 (because the router is using .1) through 172.16.127.254
Another QUIZ! This network uses a bitmask of /19 so 19 bits of a 32-bit IP address represent the network/subnet portion of the address (the prefix). How many usable addresses are available for systems on each subnet?
32 - 19 = 13 host bits
2^13 = 8192
8192 - 2 unusable = 8190 systems
When trying to determine how to best subnet a network, it is often best to determine the absolute maximum possible number of systems (computers, printers, etc.) you would have in the largest subnet. For example, if Building A was the largest of all buildings, and it currently has 1,800 systems and would never get over 2,500 systems because there simply isn't room for more, you would figure out how many host bits you would need to support 2,500 systems.
2^10 = 1024, so 10 computer bits isn't enough
2^11 = 2048, so 11 computer bits still isn't enough
2^12 = 4096, so 12 computer bits would be enough
So if we need 12 bits for systems, 32-12=20. We should have used a /20 bitmask (255.255.240.0) in our example network in the diagram above. What would be the benefit of using /20 instead of /19? Note on the above diagram that the /19 bitmask only gave us six usable subnets with four already being used. What if the insurance company wanted to expand and add remote offices in three other cities? It couldn't be supported with a /19 mask. Even though these offices in remote cities would be connected via WAN technologies like frame relay or leased lines, their subnet addressing schemes would still have to fall within the addressing scheme set up at headquarters.
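The mask/prefix arithmetic above, and the Building B quiz, can be checked mechanically. The following is an added example (not code from the original page) written in Python using only the standard library's ipaddress module. The address values in the script's usage section are taken from the text; the function names are my own. Note that it rejects a "mask" whose 1-bits are not contiguous, since four valid octets do not necessarily make a valid subnet mask.

```python
import ipaddress


def mask_to_prefix(mask: str) -> int:
    """Convert a dotted-decimal subnet mask (e.g. 255.255.224.0) to its /N length.

    A valid mask is a run of 1-bits followed by a run of 0-bits.  Something like
    255.0.255.0 is four legal octets but not a legal mask, so it is rejected
    rather than silently reported as /16.
    """
    value = int(ipaddress.IPv4Address(mask))
    ones = bin(value).count("1")
    if value != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones


def prefix_to_mask(prefix: int) -> str:
    """Convert a /N prefix length to its dotted-decimal subnet mask."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    value = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(value))


def subnet_facts(address: str, prefix: int) -> dict:
    """Given any address on a subnet plus its prefix length, return the wire
    (network) address, the broadcast address, the first and last addresses a
    system may use, and the usable host count.

    Uses the classic rule from the text: the all-zeros and all-ones host
    addresses are reserved, so usable hosts = 2**host_bits - 2.  (RFC 3021
    /31 point-to-point links are a later exception and are not modelled.)
    """
    net = ipaddress.IPv4Network(f"{address}/{prefix}", strict=False)
    usable = max(net.num_addresses - 2, 0)
    if usable:
        first = str(ipaddress.IPv4Address(int(net.network_address) + 1))
        last = str(ipaddress.IPv4Address(int(net.broadcast_address) - 1))
    else:
        first = last = None
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "mask": str(net.netmask),
        "first_host": first,
        "last_host": last,
        "usable_hosts": usable,
    }


if __name__ == "__main__":
    # Values from the text: a few rows of the /N table and the Building B quiz.
    for m in ("255.0.0.0", "255.255.128.0", "255.255.255.252"):
        print(f"{m:<16} /{mask_to_prefix(m)}")
    print(subnet_facts("172.16.96.1", 19))  # Building B on the /19 campus network
    print(subnet_facts("10.0.0.1", 30))     # a point-to-point link: 2 usable hosts
```

For Building B the script reports a usable range of 172.16.96.1 through 172.16.127.254; the quiz answer starts at .2 only because the router has already taken .1.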
So here are a few basic principles of network design. We'll use the above example again here:
1. Determine the largest possible number of systems on any given subnet
2,500 systems
2. Calculate how many computer bits you would need to support this number (remember to subtract two):
11 bits aren't enough (2,048-2) so 12 bits support 4,096-2 or 4,094 systems
3. Calculate how many bits this leaves you for subnets. For example, a Class B network has 16 computer bits to start with, so after subtracting the required number of computer bits, how many computer bits are left for subnetting?
16 computer bits - 12 bits needed for systems = 4 bits for subnetting
Note that these 4 bits plus the Class B 16 network bits gives a bitmask of /20.
4. Determine how many subnets the remaining computer bits will allow you to have (remember to subtract two)
2^4 = 16, minus 2 = 14 subnets available
5. If this isn't enough subnets, go to the next higher address class (ex: Class B to Class A)
An important rule to remember with this type of subnetting is that all subnets must be the same size (i.e. all have the same number of available system addresses). With this type of subnetting the real waste of IP addresses is not due to the necessity that each subnet have its own network and broadcast addresses. It's that even point-to-point links, which only have two connections (one at each router interface), have to be set up as their own subnet. So in the above example, even though serial links would only use two addresses, they would have to be given their own subnet consisting of 4,094 addresses. 4,092 of those addresses would never be used.
In the case of the insurance company above, if they opened three remote offices, not only would three subnets be required for systems in each of those offices to use, but three additional subnets would be required for each of the three serial (leased line) links to those offices. That's six subnets for three offices! And on each of those three serial link subnets, only two of the available 4,094 addresses would be used. That's (3 x 4092) or 12,276 wasted addresses. This doesn't even take into account all of the unused addresses on each of the building subnets.
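The five design steps above, and the point-to-point waste calculation, as an added Python example (not from the original page). It models the classic fixed-size ("classful") subnetting the text describes, including the rule that the first and last subnets are unusable; the class-to-host-bits table and function names are my own. The numbers checked in the usage section (2,500 systems, /19 versus /20, three serial links) are the ones from the text.

```python
# Host bits each address class leaves for subnetting and systems (classful view).
CLASS_HOST_BITS = {"C": 8, "B": 16, "A": 24}


def host_bits_needed(max_systems: int) -> int:
    """Step 2: the smallest host-bit count h with 2**h - 2 >= max_systems.
    The -2 reserves the subnet's own network and broadcast addresses."""
    if max_systems < 1:
        raise ValueError("need at least one system")
    bits = 2  # a single host bit would give 2 - 2 = 0 usable addresses
    while 2 ** bits - 2 < max_systems:
        bits += 1
    return bits


def classful_plan(address_class: str, max_systems: int) -> dict:
    """Steps 1-4 for one address class with all subnets the same size."""
    class_bits = CLASS_HOST_BITS[address_class]
    host_bits = host_bits_needed(max_systems)
    subnet_bits = class_bits - host_bits
    if subnet_bits < 0:
        raise ValueError(f"class {address_class} cannot hold {max_systems} systems per subnet")
    return {
        "class": address_class,
        "host_bits": host_bits,
        "subnet_bits": subnet_bits,
        "prefix": 32 - host_bits,
        "systems_per_subnet": 2 ** host_bits - 2,
        # classic rule: the all-zeros and all-ones subnets are not used
        "usable_subnets": max(2 ** subnet_bits - 2, 0),
    }


def usable_subnets_for_prefix(address_class: str, prefix: int) -> int:
    """Usable subnets a given /N yields inside an address class
    (for example /19 on a Class B network gives 6, as in the diagram)."""
    network_bits = 32 - CLASS_HOST_BITS[address_class]
    subnet_bits = prefix - network_bits
    if subnet_bits < 0 or prefix > 32:
        raise ValueError(f"/{prefix} is not a valid subnet of class {address_class}")
    return max(2 ** subnet_bits - 2, 0)


def choose_class(max_systems: int, subnets_required: int) -> dict:
    """Step 5: try Class C, then B, then A until enough subnets fit."""
    for cls in ("C", "B", "A"):
        try:
            plan = classful_plan(cls, max_systems)
        except ValueError:
            continue
        if plan["usable_subnets"] >= subnets_required:
            return plan
    raise ValueError("no class supports this combination with fixed-size subnets")


def point_to_point_waste(links: int, systems_per_subnet: int) -> int:
    """Addresses left idle when each 2-address serial link occupies a full subnet."""
    return links * (systems_per_subnet - 2)


if __name__ == "__main__":
    plan = classful_plan("B", 2500)
    print(plan)                                   # /20, 14 usable subnets of 4,094
    print(usable_subnets_for_prefix("B", 19))     # 6, the diagram's /19
    # Four building subnets in use plus three offices and three serial links:
    print(choose_class(2500, 4 + 3 + 3)["class"])  # still fits in Class B
    print(point_to_point_waste(3, plan["systems_per_subnet"]))  # 12276
```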
What to do about all this address wasting? That's where VLSM (Variable Length Subnet Masking) and CIDR (Classless Interdomain Routing) come in. VLSM allows you to set up subnets of different sizes. However, this requires that your routers use a more complex "classless" routing protocol where the bitmask value is included with every IP address. (Simpler "classful" routing protocols like RIP v1 assume the subnet mask that corresponds to the class of any given address.)
Address wasting isn't really a problem when you use private IP address ranges except that having all the same-size subnets can cause excessive routing traffic on routed networks. We won't get into the details of VLSM and CIDR here. Cisco has a book called Top-Down Network Design that covers the material nicely. But we wanted to point out the above so you know why the Internet is in danger of running out of addresses. Many companies use standard subnetting like that presented above but do it using the public address space assigned to their company resulting in many wasted routable IP addresses.
DSL vs Cable
As previously stated, if you want to set up one or more serious Internet servers, you're going to need three things:
1. A high-speed symmetrical connection to an ISP
2. One or more static IP addresses
3. An ISP that will host your DNS records
These things are typically only available with "business" accounts offered by cable and DSL providers. Even if the servers will be located in your home, you're going to need a business account to get these features.
Business accounts cost considerably more than your average asymmetrical residential account, but if you're currently paying a Web hosting service to host several Web sites on their servers, you may be able to save some money by hosting your sites yourself. There are advantages and disadvantages to this.
Advantages:
• By hosting your own Web sites you're not restricted by artificial limits on disk storage, e-mail accounts, and monthly bandwidth allocations.
• You can configure your Web server with all of the bells and whistles that hosting companies charge extra for.
• The money you're paying your Web hosting service and the money you're paying your ISP for monthly dial-up access could be put toward your own broadband connection.
• You can host as many sites as you want on one server (the way the hosting companies do).
• Because your server will host your sites, and your sites only, your sites won't be affected by all of the other Web sites you share a server with when you use a hosting service.
• The same server could also be set up to have Sendmail handle your Internet e-mail needs rather than using an ISP's mail server.
• You could charge others a monthly fee for hosting their Web sites on your server also (but you'd better check with your ISP on this as it may violate their service contract).
Disadvantages:
• You would be responsible for the monitoring and support of your Web server. There is cheap software available to routinely check the availability of your Web sites (www.ipsentry.com), but you would have to be reachable via pager or cell phone 24/7 should the software discover a failure.
• You'd have to set up a means of routinely backing up your server so you can recover from server hard-drive failures quickly.
• You'd want to provide some means of extended power backup should the power go out at your home or office.
• You'd have to become very knowledgeable in the areas of system security (prevention, monitoring, detection, and recovery).
This last point is especially important if you want to conduct secure (SSL) transactions on your Web sites. Frankly, I wouldn't recommend "hosting your own" if you do need to do this. Hosting companies have a lot of experience with setting up and securing SSL-enabled Web servers. This is one area that may be best left to the professionals.
Also, while the "baby bells" do offer static IP addresses with some of their business DSL packages, they usually only offer asymmetrical service. I suspect this is because they don't want symmetrical DSL cutting into their high-priced T1 and fractional T1 product lines (which are also symmetrical).
Below are some points you should consider when comparing symmetrical DSL and cable broadband services.
DSL
• If you get the more expensive business-class DSL service you receive a DSL router (instead of a DSL adapter for a single computer) which you can plug into an Ethernet hub. This means that all the computers on your network can share the Internet access.
• The speed of your connection is dependent upon your physical distance from a telephone company facility. You may be limited to a 144 kbps service if you are beyond the distance limitations of the higher-speed service.
• Your "up-time" is dependent on the reliability of your local telephone service which is typically less susceptible to weather-related problems and does not involve neighborhood line power provided by your local electric utility.
• Service considerations include:
o You will be dealing with your local baby bell for the line (installation and maintenance), the DSL provider for the DSL service over that line, and an ISP.
o Cases of installations taking over a month to complete are not uncommon.
o A lot of DSL providers have gone out of business.
Cable-modems
• Most cable-modem providers charge extra for each additional PC you want to have use the Internet access. However, Linksys (www.linksys.com) and D-Link (www.dlink.com) both sell a cable/DSL router for under $100 that would allow you to get around this. But hook it up after the cable guy leaves because the cable companies do not support the use of them. (They will also not help you if you have problems setting one up.) Like the straight DSL router, you just plug the cable into the cable/DSL router and then plug that into your hub to share the access.
• Cable-modem users share their pipe with other cable users. The more business and private users between you and the cable company's office, the slower your speed will be.
• If your cable-tv service often goes out due to storms or other weather-related events, your Internet access will also go out. The electronic components used in the cable distribution network (mounted on utility poles, etc. around town) use line power in those neighborhoods. This means that you are also affected by power outages that occur for any reason. If the power goes out anywhere between you and your cable service provider, your service will go down.
• Service considerations include:
o The cable company will likely be slower to respond to data line problems. As part of their contract with municipalities, most cable companies have to respond to "no picture" service calls quickly when it comes to video service. However, they are under no such obligation for data service. A friend of mine was told it would take three weeks to get a technician to his house when his cable-modem died.
o Because most municipalities only have one cable service provider, the lack of competition means your cost for the service could rise substantially over the next few years (look at how much video service has gone up in the last few years).
o Most cable companies block SNMP (network device status monitoring) traffic.
o Not all cable companies host customer DNS records.
o Not all cable companies allow you to "dial in" when you're away from home.
o It's the cable company. :^(
If you've got more time than money, hosting your own may be the way to go. However, maintaining the 24/7 operation of Internet servers is a big responsibility.