From Fedora Project Wiki


Revision as of 19:15, 23 November 2009 by Asamaras (talk | contribs) (first story done)


Fedora 1 and 3 Route

This story is about the “useless and outdated hardware” that can still be of use.

Back then Fedora was taking its first steps. I was also an “absolute beginner” in the administration world.

The quest was to create a router that would support 75 PCs divided into 3 networks enabling on-demand re-configuration.

Network Layout:

Room A:

  • 30 PCs running Windows 2000 Professional, 1GB RAM, 80 GB HDD.
  • 1 Network Laser Printer
  • 3 Stand-by Ethernet connections for laptops
  • 2 CISCO 2950 24p 10/100 switches with uplink
  • Some bad switch ports
  • Connectivity to main switches via 1000 Ethernet

Room B:

  • 30 PCs running Windows 2000 Professional, 1GB RAM, 80 GB HDD.
  • 2 Network Laser Printers
  • 3 Stand-by Ethernet connections for laptops
  • 3 Stand-by Administrative/Service/Technician Ethernet outlets
  • 2 CISCO 2950 24p 10/100 switches with uplink
  • Connectivity to main switches via 1000 Ethernet

Servers :

  • 1 Xeon-based server with 4 GB RAM and a few SCSI HDDs, Windows 2003, part of the Active Directory domain, backup DHCP server
  • 1 Xeon-based server with 4 GB RAM/500 GB HDD acting as Global Catalog, DHCP server, WINS server
  • 1 PC Pentium III with 786 MB RAM and 40 GB HDD running Fedora

Office / Administration

  • 4 Pentium 4/4 GB RAM/250 GB HDD/Windows XP Professional boxes
  • 1 Network Laser Printer
  • 1 3COM Gigabit switch
  • 1 Intel 8p switch
  • 1 CISCO 2950 switch

User Requirements

  • All the terminals (PCs) in the Rooms A & B should have Internet Access during free hours.
  • All the users should be able to print out (later a limit was set to # of pages per user per day)
  • All the servers should have access to updates and antivirus database updates.
  • All the Administrative stations should have access to all the terminals
  • All the users should have an account in the Active Directory, Personal Storage and a Roaming Profile
  • During some classes the terminal PCs should have restricted access to specific extranet servers outside of LAN
  • During some classes the terminals should not have any access to any server outside of the LAN
  • During some classes and some exams the terminals should have access to specific servers and specific ports, no other network traffic is to be allowed
  • The services of Active Directory should be available 24/7

The solution that I worked out was to take a P4 box that was running Fedora 1, add 2 more NICs and use it as a router.

Implementing basic routing was pretty simple: I went through Fedora‘s documentation and had basic routing up and running within the day.

Now we were able to control the traffic to the internet and decide whether to allow or disallow it.

According to the User Requirements Document (URD) that we had put up in the first place, we had to be able to filter certain packets.

So I started searching the internet for something like a layer 7 router. I downloaded some of them and tried to configure and use them.

Eventually I installed and configured a pretty straightforward firewall script based on iptables (I think it was Arno’s script, http://rocky.eld.leidenuniv.nl/joomla/) that was readable and configurable.

This script supported everything mentioned above and promised to deliver Layer 7 functionality in the future. Since there was no clear demand for Layer 7, the script simply fit the needs.
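The classroom modes in the requirements above (free hours, a whitelist of extranet servers, LAN-only, and exam mode with specific servers and ports) are the part of the setup that an iptables ruleset has to express. The script below is an added example, not the author's configuration and not Arno's firewall script: a minimal POSIX sh ruleset in the same deny-by-default style, switched per class by calling it with a mode name. The interface name, the three subnets and the mode names are assumptions, since the story does not give them.

```shell
#!/bin/sh
# Classroom firewall modes for a multi-NIC Fedora router. Added example, not the
# author's script. Run as root to apply, or with DRYRUN=1 to print the rules.
#
# Assumed addressing (not stated in the story):
WAN="${WAN:-eth0}"                       # NIC holding the static public IP
SERVERS="192.168.0.0/24"                 # AD/DHCP servers and office stations
ROOMS="192.168.1.0/24 192.168.2.0/24"    # Room A, Room B
LAN="192.168.0.0/16"                     # everything behind the router

RULES=""
# ipt: run iptables, or, in DRYRUN, append the command line to $RULES.
ipt() {
    if [ -n "$DRYRUN" ]; then
        RULES="${RULES}iptables $*
"
    else
        iptables "$@"
    fi
}

# Deny-by-default FORWARD chain; a mode only adds exceptions on top of this.
base_rules() {
    ipt -P FORWARD DROP
    ipt -F FORWARD
    ipt -t nat -F POSTROUTING
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Traffic that stays inside the LAN (AD, printing, roaming profiles, the
    # admin stations reaching the terminals) is never affected by the mode.
    ipt -A FORWARD -s "$LAN" -d "$LAN" -j ACCEPT
    # Servers and office always reach the outside for updates and AV signatures.
    ipt -A FORWARD -s "$SERVERS" -o "$WAN" -j ACCEPT
}

mode_free() {      # free hours: terminals may reach anything outside
    for net in $ROOMS; do ipt -A FORWARD -s "$net" -o "$WAN" -j ACCEPT; done
}
mode_extranet() {  # "$1" = space-separated list of allowed outside hosts
    for net in $ROOMS; do
        for host in $1; do ipt -A FORWARD -s "$net" -d "$host" -o "$WAN" -j ACCEPT; done
    done
}
mode_exam() {      # "$1" = list of host:port pairs; only those TCP services
    for net in $ROOMS; do
        for hp in $1; do
            ipt -A FORWARD -s "$net" -d "${hp%:*}" -p tcp --dport "${hp##*:}" -j ACCEPT
        done
    done
}
mode_lan() { :; }  # no exceptions: the DROP policy keeps terminals off the Internet

apply_mode() {
    base_rules
    case "$1" in
        free)     mode_free ;;
        lan)      mode_lan ;;
        extranet) mode_extranet "$2" ;;
        exam)     mode_exam "$2" ;;
        *) echo "usage: $0 free|lan|extranet 'host ...'|exam 'host:port ...'" >&2; return 2 ;;
    esac
    # Rate-limited log of what the mode rejected, to debug a class setup.
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
}

# render_mode MODE [TARGETS]: print the commands a mode would run, one per line.
render_mode() (
    DRYRUN=1; RULES=""
    apply_mode "$@"
    printf '%s' "$RULES"
)

if [ $# -gt 0 ]; then apply_mode "$@"; fi
```

Because every mode starts from a DROP policy and only adds exceptions, a mistyped host list fails closed rather than open, and `DRYRUN=1 ./classroom-fw.sh exam '10.0.0.5:443'` shows the exact rules before they touch a running class. The "free hours" requirement is then a cron entry that calls the script with `free` at break times and `lan` afterwards. The router's own INPUT chain (SSH, the small backup web server) is deliberately not covered here; it needs the same deny-by-default treatment.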

The infrastructure was based on a static public IP directly connected to the backbone. The configuration went smoothly and, after a couple of phone calls to software houses about the needed open ports and similar information that is usually almost impossible to get, voilà, the router/firewall was in place.

For a period of 6 months I monitored the attacks and the outgoing traffic as well as the CPU and RAM utilization, and finally I put up a small web server that hosted a couple of pages as a backup. I still had plenty of resources. The only issue was that I had to deactivate the graphical login, but on the other hand, who needs a graphical login on a router?

After a period of about 2 years, we upgraded the distribution to Fedora 3 (again without X), and since then the same box supported the network for 3 more years until more funds were available to get a CISCO solution (that cost more than 10 P4 boxes). --A.E.S. 00:56, 23 November 2009 (UTC)