</graphviz>

=IP Address=

The network uses the RFC 1918 private range 192.168.10.0/24.

All hosts get their network configuration from the DHCP server; some hosts are given a fixed address, keyed on their MAC address.

The dynamic range is 192.168.10.30-100.
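The dhcpd.conf that the paragraphs above describe, as an added example (this is not the page's own configuration): the dynamic range 30-100 and MAC-keyed fixed addresses are from the page; the host table and every MAC address are constructed, timon is assumed to be 192.168.10.1 (gateway, resolver and TFTP server for PXE), rafiki's 192.168.10.5 is taken from the static route in the timon section, and the PXE boot file name is assumed. The script refuses a reservation that falls inside the dynamic range, because ISC dhcpd does not carve fixed addresses out of the range and such a reservation would collide with leases handed to other clients.

```shell
#!/bin/sh
# Added example (not the page's own configuration): build dhcpd.conf for
# 192.168.10.0/24 from a small host table, with the dynamic range 30-100 from
# the page and MAC-keyed fixed addresses. Assumptions: timon is 192.168.10.1
# (router, DNS, TFTP), rafiki is 192.168.10.5 (taken from the static route on
# timon), the PXE boot file name, and every MAC address below is constructed.
set -eu

ROUTER=192.168.10.1          # assumed: timon (default gateway and bind9 resolver)
TFTP_SERVER=192.168.10.1     # assumed: timon's TFTP server for PXE
PXE_FILE=pxelinux.0          # assumed boot file name
POOL_LO=30
POOL_HI=100

# constructed inventory: name  MAC  last octet
HOSTS='rafiki 00:11:22:33:44:55 5
pumba  00:11:22:33:44:66 20'

# in_pool <last-octet>: succeeds if the address lies inside the dynamic range
in_pool() { [ "$1" -ge "$POOL_LO" ] && [ "$1" -le "$POOL_HI" ]; }

valid_mac() { echo "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; }

# reservation <name> <mac> <last-octet>: one host stanza. ISC dhcpd does not
# carve fixed addresses out of the dynamic range, so a reservation inside it
# would collide with leases handed to other clients; refuse such entries.
reservation() {
    valid_mac "$2" || { echo "bad MAC for $1: $2" >&2; return 1; }
    if in_pool "$3"; then
        echo "$1: fixed address .$3 is inside the dynamic range $POOL_LO-$POOL_HI" >&2
        return 1
    fi
    printf 'host %s {\n  hardware ethernet %s;\n  fixed-address 192.168.10.%s;\n}\n' "$1" "$2" "$3"
}

# dhcpd_conf: the subnet declaration followed by one host stanza per inventory line
dhcpd_conf() {
    cat <<EOF
authoritative;
default-lease-time 86400;
max-lease-time 172800;
subnet 192.168.10.0 netmask 255.255.255.0 {
  range 192.168.10.$POOL_LO 192.168.10.$POOL_HI;
  option routers $ROUTER;
  option domain-name-servers $ROUTER;
  option domain-name "t-hoerup.dk";
  next-server $TFTP_SERVER;
  filename "$PXE_FILE";
}
EOF
    echo "$HOSTS" | while read -r name mac octet; do
        [ -n "$name" ] || continue
        reservation "$name" "$mac" "$octet"
    done
}

dhcpd_conf
```

Run it and redirect the output to /etc/dhcp/dhcpd.conf; an inventory line with an address in the 30-100 range makes the script fail instead of silently producing a config that hands the same address out twice.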

=Host timon=

Timon is the gateway and firewall for the network.

Timon runs the following services:

* Firewall
** Home-built iptables script with source/destination NAT and forward filtering
** DNAT (port forwards from the Internet side to rafiki)
*** http -> rafiki
*** smtp -> rafiki
*** openvpn -> rafiki
*** (mldonkey ports) -> rafiki
*** 443 -> rafiki:22 (SSH on the HTTPS port; rafiki's SSH daemon is therefore reachable from the Internet, even though timon's own SSH is internal-only)
*** <strike>VNC -> pumba</strike>
** Outgoing traffic is SNAT'ed
* Traffic shaping
* Static route: route add -net 192.168.20.0/24 gw 192.168.10.5 (the OpenVPN tunnel subnet, reached via rafiki)
* ISC DHCP server
** Serves IP addresses as described above
* bind9 DNS server
** Caching DNS server, uses <strike>ISP DNS</strike> OpenDNS for lookups
** Reverse lookup for 192.168.10.x and 192.168.20.x
** Local override for t-hoerup.dk (primarily so that www.t-hoerup.dk etc. resolve to the internal web server address from inside the network)
* SSH server
** For remote administration (only available from the internal network)
* TFTP
** Used for PXE installations
* SNMP
* cron
** chkrootkit / rkhunter / ntpdate / logrotate / logwatch (logwatch recipient torben@t-hoerup.dk)
* nullmailer
** Forwards locally generated mail to rafiki
** /etc/mailname: timon.t-hoerup.dk
** /etc/nullmailer/remotes: rafiki.t-hoerup.dk
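A firewall script of the kind the Firewall and static-route bullets above describe, as an added example (it is not timon's own script, which the page does not reproduce). Everything in the DNAT list, the SNAT of outgoing traffic, the internal-only services on timon and the route to the VPN subnet come from the page; the interface names eth0/eth1, timon's public address 203.0.113.10 and rafiki = 192.168.10.5 (read off the static route) are assumptions. The MLDonkey ports are not listed on the page, so MLDONKEY_PORTS is left empty, and traffic shaping is left out. By default the script only prints the commands; set IPT=iptables IPR=ip to apply them.

```shell
#!/bin/sh
# Added example of a timon-style firewall script; not the page's own script.
# Assumptions (not on the page): interface names, timon's public address, and
# rafiki = 192.168.10.5 (taken from the static route "gw 192.168.10.5").
# MLDonkey's ports are not listed on the page, so MLDONKEY_PORTS is empty here.
# Traffic shaping is omitted.
set -eu

WAN_IF="${WAN_IF:-eth0}"             # assumed: Internet-facing interface
LAN_IF="${LAN_IF:-eth1}"             # assumed: 192.168.10.0/24 interface
WAN_IP="${WAN_IP:-203.0.113.10}"     # assumed: timon's public address (documentation range)
LAN_NET="192.168.10.0/24"
VPN_NET="192.168.20.0/24"            # OpenVPN tunnel subnet, routed via rafiki
RAFIKI="${RAFIKI:-192.168.10.5}"
MLDONKEY_PORTS="${MLDONKEY_PORTS:-}" # e.g. "tcp:4662 udp:4666"; the page does not list them

# Every rule goes through $IPT / $IPR. The defaults only print the commands
# (dry run); run with IPT=iptables IPR=ip to apply them.
IPT="${IPT:-echo iptables}"
IPR="${IPR:-echo ip}"

# publish <proto> <wan_port> <rafiki_port>: DNAT a WAN-side port to rafiki and
# open the matching hole in FORWARD, so the two lists can never drift apart.
publish() {
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p "$1" --dport "$2" \
        -j DNAT --to-destination "$RAFIKI:$3"
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p "$1" -d "$RAFIKI" --dport "$3" \
        -m conntrack --ctstate NEW -j ACCEPT
}

fw_rules() {
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # timon itself: loopback, replies, and anything from the internal network
    # (SSH, DNS, DHCP, TFTP and SNMP are internal-only per the page). Nothing
    # is accepted on the WAN interface. DHCP requests carry no source address
    # yet, so they get their own rule.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$VPN_NET" -j ACCEPT

    # forwarding: replies, LAN -> Internet, and LAN -> VPN subnet. The latter
    # leaves on the interface it arrived on (towards rafiki) and the replies
    # come back from rafiki directly, so that rule is deliberately not
    # state-matched.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$LAN_NET" -d "$VPN_NET" -j ACCEPT

    # DNAT list from the page. 443 lands on rafiki's SSH daemon, which makes
    # that daemon Internet-facing; the struck-through VNC -> pumba entry is
    # not added.
    publish tcp 80   80
    publish tcp 25   25
    publish udp 1494 1494   # OpenVPN as documented for rafiki (non-default port)
    publish tcp 443  22
    for spec in $MLDONKEY_PORTS; do
        publish "${spec%%:*}" "${spec#*:}" "${spec#*:}"
    done

    # outgoing traffic from the LAN is SNAT'ed to timon's public address
    # (MASQUERADE would replace this on a dynamic WAN address)
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$WAN_IP"
}

# "route add -net 192.168.20.0/24 gw 192.168.10.5" from the page, in iproute2 form
vpn_route() {
    $IPR route replace "$VPN_NET" via "$RAFIKI"
}

fw_rules
vpn_route
```

The FORWARD hole for each port is emitted next to its DNAT rule on purpose: when the DNAT list changes, the filter follows, and nothing reaches rafiki from the WAN side except the listed ports.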

=Host Rafiki=

Rafiki is the main server.

VPN access is regarded as internal network access.

Unless specified otherwise, the daemons listen on all network interfaces; from the Internet they are only reachable through the DNAT rules on timon.

Rafiki runs:

* SSH server
** Reachable from the Internet through timon's 443 -> 22 DNAT
* Apache web server
** With mod_php5, mod_dav_svn, mod_python, mod_proxy
** Hosts all vhosts listed in http://status.t-hoerup.dk/vhosts.php
*** Subversion repository
*** Wiki
*** Pastebin
*** SQL web front ends
*** Reverse proxy for the services that have their own HTTP engine (such as mldonkey and tomcat)
* MySQL
* PostgreSQL
* MLDonkey for file download
** bittorrent
** donkey
** overnet
** basic HTTP
* Squid HTTP proxy
** Port 3128
** Non-caching
** Available to the internal network only
* ProFTPD
** File transfer, only available to the internal network (from outside, scp/sftp should be used)
* Postfix SMTP MTA
* Dovecot IMAPd
* OpenVPN
** TUN / UDP based
** Listens on port 1494 (non-default; OpenVPN's default port is 1194)
** Uses subnet 192.168.20.0/24 for tunnels
** Full access to 192.168.10.0/24 available via the VPN
* Smokeping
* App server: Sun GlassFish 2.1
* smsdaemon
* MRTG
* Webalizer
* cron
** chkrootkit / rkhunter / ntpdate / logrotate / logwatch (logwatch recipient torben@t-hoerup.dk)
** torben's crontab
*** 05 */3 * * * /home/torben/bin/getmail-silent
*** 05 05 * * * cp /var/spool/mail/torben /home/torben/Mail/inbox-backup

=Access Point=

* SSID: hoerup
* Encryption: WPA2-PSK
* Channel: 6