Once we cover the “whys” and “whats” we’ll get into the “hows”. You’ll see how easy it is to set up a home or small-business network including what hardware is needed. We’ll briefly mention what you need to look at on Windows PCs and present more in-depth information on which files are used on a Debian system to set up networking. The Network Configuration Files section shows what files are involved in setting up your Debian system to work on a local network and how they need to be configured to enable the various functions involved in networking including being able to connect to the Internet.
Even if you don’t have a network you can still play around with the material present on this page and on the Proxy/NAT and Firewall pages. See the No-Network Network section below on how to do this.
What’s particularly appealing about Linux for small businesses and non-profit organizations is that you can set up both internal (file, print, database) servers, external Internet (Web, e-mail, ftp) servers, firewalls, and routers (yes, you can set up a Linux system to be a router too) for very little cost. The operating system and server applications are free and, given that Debian will run on older hardware, the hardware costs can be minimal. These attributes also make it a great toy for those wishing to learn more about networking. Pick up one CD set and you can set up all the Linux servers, firewalls, and routers you want and experiment your brains out.
Theoretically, every system on a network needs a unique identifier (a unique address). As such, every system that accesses the Internet would need a unique IP address because TCP/IP is the protocol of the Internet. However, when the Internet exploded in the mid-90s it became clear that there simply were not enough addresses available in the TCP/IP address space for every computer in every office of every Internet-connected organization. That doesn’t even take into account those who wanted to access the Internet from home.
The solution was to create “private” address ranges to be used in conjunction with “address translation”. Let’s look at the first piece first.
Three blocks of IP addresses were set aside as private, meaning that all of the routers on the Internet would be configured to not route them. That’s why private addresses are also referred to as “non-routable” addresses. The benefit? If packets from systems with private addresses weren’t routed between Internet-connected networks, then a whole bunch of networks could use the same private addresses because they’d never “see” each other’s addresses. In other words, these same addresses could be used by any number of computers around the world because, if they weren’t routed, it would never be “discovered” that they weren’t unique.
So if they’re not routed, how do you get on the Internet if your computer has a private address assigned to it? That’s where the second piece, address translation, comes in. Normally, in order for all the computers in a company to have Internet access they would all have to be assigned routable (“public”) IP addresses that could pass through the Internet. Since there aren’t enough addresses for this, companies instead assign all of the hundreds of computers in their organization private addresses and they all share a single “public” address to access resources on the Internet. This sharing is accomplished by configuring privately-addressed systems to use a special server, called a proxy server, to access the Internet.
A proxy server has two NICs (Network Interface Cards) because it’s connected to two different networks. One NIC is connected to the Internet and is assigned a single “public” (routable) IP address. (This NIC is referred to as the “external interface”.) The other NIC is connected to the company’s internal network. It is assigned a private IP address so that it can communicate with all of the other privately-addressed computers in the company. (This NIC is referred to as the “internal interface”.) The proxy server acts as a “gateway” onto the Internet. (Because of the gateway behavior, a proxy server should also have firewalling capabilities to protect the internal network.) However, in addition to acting as a gateway, it acts as an address translator.
The private IP addresses assigned to the systems on your internal network are chosen by you from one of the three private address ranges listed below.
Public IP addresses are only available from an ISP. In most cases, such as with a dial-up, DSL, or cable modem, your ISP automatically assigns a single public address to your modem using PPP, BOOTP, or DHCP. This assigned address can change from time to time (“dynamic”). It requires no configuration on your part. Business customers typically obtain multiple public addresses from their ISP. These addresses do not change (“static”). Static addresses are needed for Internet servers that are referenced by DNS records, such as Web servers, mail servers, etc., that are contacted using a domain name.
When a computer on the internal network with a private address wants to request information from a Web site, it actually sends the request to the internal interface of the proxy server. The proxy server, with its public routable address on the external NIC, is the one that actually sends the request to the Internet Web server. The Web server sends the response back to the proxy server’s external NIC, and the proxy server then forwards the response on to the computer on the internal network that made the initial request. The proxy server keeps track of which internal computers make which requests.
The advantage? Hundreds of computers in a company can access the Internet and only take up a single public Internet address (that of the proxy server’s external NIC). Another advantage is security. If your computer’s address can’t be routed over the Internet, it would be hard for someone to get at your computer from the Internet. (There are ways though: a port forwarded on the gateway, a compromised gateway, or a program on the inside that opens the connection outward all get around it, so address translation is no substitute for a firewall.)
The translating of a private address to a public address (outbound request) and back again (inbound response) is most commonly known as NAT (Network Address Translation). In the Linux community it’s also often referred to as “masquerading” because the proxy server hides the true identity of the internal computer that made the initial Internet request. (Strictly speaking, the machine described above is a NAT gateway; a proxy in the narrow sense terminates the client’s connection and opens a new one of its own instead of rewriting addresses. This page uses “proxy server” loosely to cover both, since they sit in the same place on the network.)
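To make the bookkeeping concrete, here is an added example (not code from the original page) of the masquerading table the paragraphs above describe: outbound packets from privately addressed hosts get the gateway’s single public address and a freshly allocated port, replies are matched against the table and forwarded to the right internal host, and anything arriving from the Internet that nobody inside asked for is dropped. The class name, the packet fields and every address used (the public address 203.0.113.7 and the remote server 198.51.100.80 are taken from the documentation ranges) are made-up sample values for this example.

```python
"""Minimal source-NAT ("masquerading") table, as an added example of the
gateway behaviour described in the text.  All addresses are constructed
sample values; the class and field names are this example's own."""
from dataclasses import dataclass, replace
from typing import Optional
import ipaddress

# The three RFC 1918 private blocks from the text, in CIDR form.
RFC1918 = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Masquerader:
    """Source NAT on a gateway whose external NIC has one public address."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_port
        # public port -> (internal ip, internal port, remote ip, remote port)
        self.table: dict[int, tuple[str, int, str, int]] = {}
        # reverse index so one internal flow keeps one public port
        self._by_flow: dict[tuple[str, int, str, int], int] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a packet leaving the internal network for the Internet."""
        if not any(ipaddress.ip_address(pkt.src_ip) in b for b in RFC1918):
            raise ValueError("only privately addressed hosts are masqueraded")
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self._by_flow.get(flow)
        if port is None:
            port = self._next_port          # allocate a new public port
            self._next_port += 1
            self.table[port] = flow
            self._by_flow[flow] = port
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving on the external NIC.  Returns the
        packet as delivered to the internal host, or None if it is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None                     # unsolicited: nobody inside asked
        int_ip, int_port, remote_ip, remote_port = entry
        # only the server that was contacted may answer on this mapping
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None
        return replace(pkt, dst_ip=int_ip, dst_port=int_port)


def demo():
    """One request/response pair plus an unsolicited probe from outside."""
    gw = Masquerader("203.0.113.7")
    request = Packet("192.168.1.20", 51234, "198.51.100.80", 80)
    out = gw.outbound(request)              # now 203.0.113.7:40000 -> web server
    reply = Packet("198.51.100.80", 80, out.src_ip, out.src_port)
    back = gw.inbound(reply)                # delivered to 192.168.1.20:51234
    probe = Packet("198.51.100.9", 4444, "203.0.113.7", 22)
    return out, back, gw.inbound(probe)     # the probe comes back as None


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Note that the table is what makes the gateway stateful: the reply is only let in because an entry for that public port already exists, and only from the server that was contacted. A port forward or a program inside that connects out creates exactly such an entry, which is why the text's caveat about NAT not being a firewall holds.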
The internationally-established private IP address ranges (defined in RFC 1918) that can be assigned to internal network computers are as follows:

10.0.0.1 through 10.255.255.254 (10.x.x.x, written 10.0.0.0/8 in CIDR notation)
    16,777,214 addresses: 16,777,214 computers on 1 network
    Uses a subnet mask of 255.0.0.0
    First octet must be the same on all computers
    A Class A address range

172.16.0.1 through 172.31.255.254 (172.16.x.x to 172.31.x.x, written 172.16.0.0/12)
    1,048,574 addresses: 65,534 computers on each of 16 possible networks
    Uses a subnet mask of 255.255.0.0
    First two octets must be the same on all computers
    A Class B address range

192.168.0.1 through 192.168.255.254 (192.168.0.x to 192.168.255.x, written 192.168.0.0/16)
    65,534 addresses: 254 computers on each of 256 possible networks
    Uses a subnet mask of 255.255.255.0
    First three octets must be the same on all computers
    A Class C address range
Clearly, with 254 possible addresses on each of the 192.168.x.x private address ranges, using one of these ranges is plenty for most small businesses and those who want to play around with a network at home. (This is why, you may recall, the default IP address in the “Network Setup” part of the Debian installation was 192.168.1.1.) The 10.x.x.x address space is often used by very large organizations with many dispersed locations. They will “subnet” this large private address space so that one location will have an address range of 10.3.x.x, another will have 10.4.x.x, and so on, with each location having the ability to have up to 65,534 computers. Each location may even further subnet its address space for different departments or facilities. For example, in the location that has the 10.3.x.x address space, the engineering department will have the 10.3.2.x space, accounting will have the 10.3.3.x address space, etc., with each department being able to have up to 254 computers. (You’ll see where these numbers come from later.)
Each of the numbers separated by periods in an IP address is referred to as an “octet” because the value of the number (0 to 255) is derived from eight binary bits. An IP address actually consists of two parts. The first part of an IP address identifies the Network that a computer is on, and the other part identifies the individual Computer on that network.
There’s an often-used analogy comparing an IP address to a telephone number. The network part of the IP address is analogous to the area code, and the computer part of the IP address is like the individual’s phone number. All the people on the phone company’s network in one area code have the same area code number, and no two of them have the same phone number. Conversely, two people can have the same phone number in different parts of the country because they’re not in the same area code (not on the same network). It’s when you put the area code and an individual’s phone number together that the number becomes one that is unique to the entire country (internetwork). In this context, we call the area code the prefix. With IP addresses, the network part of an IP address is the prefix.
With national phone numbers the prefix is always three digits. Unlike national phone numbers, the prefix of an IP address can vary in length. That’s where a subnet mask comes in. It determines how much of the IP address is the prefix (the network part). If you have a subnet mask of 255.255.0.0 it means that the first two numbers (octets) in an IP address are the network part (prefix) of the address and the last two numbers (octets) are used to identify the individual computers on that network.
Note that a ‘1’ in a subnet mask indicates a Network bit and a ‘0’ indicates a Computer bit. Because of the way an IP address is split into two parts (network part followed by the computer part), a subnet mask will always be a series of consecutive 1s followed by a series of consecutive 0s. In other words, you’ll never see a valid subnet mask where 1s and 0s are interspersed (ex: 11100110).
Here are a few points you need to be aware of when you assign IP addresses to systems on a network:
All systems on an internal network must have the same subnet mask
The network part of the IP address must be the same for all computers on the internal network
The computer portion of the IP address must be different for every computer on the internal network
That second point is important. With a Class C network the subnet mask of 255.255.255.0 indicates the first three octets are the “network” part of the IP address. That means that the first three numbers (octets) of the IP address must be the same on all of the computers on this internal network. That leaves only the last octet available to identify individual computers on the network (8 bits give 256 possible values, of which 254, a value between 1 and 254 for the last octet, can be assigned to computers).
You can set up a network with 192.168.1.x addresses and another network with 192.168.2.x addresses, but because the 255.255.255.0 mask makes the third octet part of the network address, they are two totally separate networks. You would need to set up a router to inter-connect the two networks in order for the machines on both networks to talk to each other. If you think that, given the number of servers, workstations, network printers, switches, etc. you may have in the foreseeable future, you may grow to more than 254, you may want to consider using the Class B private address space (172.16.x.x with a 255.255.0.0 mask) on your network.
The range of values for the last octet (to assign to computers) on a Class C network is 1 to 254. So you can only have 254 computers on a network that has a subnet mask of 255.255.255.0 (a Class C network). A ‘0’ in the last octet is reserved as the “wire” address for the network and 255 in the last octet is the broadcast address for the network. No system can be assigned either of these numbers. The following addresses can’t be assigned to computers when using the private IP address ranges:

“Wire” or “Network” Addresses:
    10.0.0.0
    172.16.0.0 through 172.31.0.0 (one per network, 172.16-31.0.0)
    192.168.0.0 through 192.168.255.0 (one per network, 192.168.0-255.0)

Broadcast Addresses:
    10.255.255.255
    172.16.255.255 through 172.31.255.255 (one per network, 172.16-31.255.255)
    192.168.0.255 through 192.168.255.255 (one per network, 192.168.0-255.255)
Because you can’t use these two (wire and broadcast) addresses to assign to computers, the number of addresses that you can assign to computers can be calculated using the equation:
2^c - 2 = number of available computer addresses
where c is the number of computer bits (the 0 bits) in your subnet mask. Now you can see how we came up with the number of computers you could have on each network when we gave the three private address ranges earlier. With a Class B address you have 16 computer bits in the subnet mask (255.255.0.0 is 11111111.11111111.00000000.00000000 in binary), so using our equation we end up with
2^16 = 65,536, and 65,536 - 2 = 65,534 available computer addresses
On a Class C network we have 8 computer bits in the subnet mask (255.255.255.0 is 11111111.11111111.11111111.00000000 in binary), so:
2^8 = 256, and 256 - 2 = 254 available computer addresses
Earlier we said that private address ranges and NAT help conserve IP addresses but the use of subnet masks can also. For a more thorough explanation on IP address classes and the use of subnet masks check out the Subnetting section later in this page.
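The following added example (not code from the original page) carries the address rules above through in working code: it derives the network (“wire”) and broadcast address from an address/mask pair, applies the 2^c - 2 rule, rejects a mask with interspersed bits, decides whether two hosts share a network under a given mask, and checks membership in the three private ranges. It uses only Python’s standard ipaddress module; the function names and the sample addresses (including the 10.3.2.x department example from the text) are this example’s own.

```python
"""Added example: network/broadcast/host-count arithmetic for the address
rules in the text, using only the standard library.  Function names and
sample addresses are this example's own, not from the original page."""
import ipaddress

# The three RFC 1918 private blocks from the text, in CIDR form.
PRIVATE_BLOCKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def mask_bits(mask: str) -> tuple[int, int]:
    """Return (network_bits, computer_bits) for a dotted mask, rejecting a
    mask whose 1s and 0s are interspersed (e.g. 255.0.255.0)."""
    value = int(ipaddress.IPv4Address(mask))
    ones = bin(value).count("1")
    # a run of `ones` 1s followed by 0s, shifted right by the 0s, is all 1s
    if (value >> (32 - ones)) != (1 << ones) - 1:
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return ones, 32 - ones


def describe(ip: str, mask: str) -> dict:
    """Wire address, broadcast address and usable host count for ip/mask."""
    net = ipaddress.ip_interface(f"{ip}/{mask}").network
    _, computer_bits = mask_bits(mask)
    # 2^c - 2: the all-zero (wire) and all-one (broadcast) host parts are
    # reserved; masks with fewer than 2 host bits leave nothing to assign
    usable = 2 ** computer_bits - 2 if computer_bits >= 2 else 0
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": usable,
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
    }


def same_network(ip_a: str, ip_b: str, mask: str) -> bool:
    """True if the network parts (prefix) of both addresses match under mask."""
    net_a = ipaddress.ip_interface(f"{ip_a}/{mask}").network
    net_b = ipaddress.ip_interface(f"{ip_b}/{mask}").network
    return net_a == net_b


def is_private(ip: str) -> bool:
    """True if ip falls in one of the three private (non-routable) ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in block for block in PRIVATE_BLOCKS)


def assignable(ip: str, mask: str) -> bool:
    """True if ip may be given to a computer: neither wire nor broadcast."""
    net = ipaddress.ip_interface(f"{ip}/{mask}").network
    addr = ipaddress.ip_address(ip)
    return addr not in (net.network_address, net.broadcast_address)


if __name__ == "__main__":
    print(describe("192.168.1.1", "255.255.255.0"))     # 254 hosts
    print(describe("10.3.2.17", "255.255.255.0"))       # the 10.3.2.x department
    print(describe("172.20.5.9", "255.255.0.0"))        # 65,534 hosts
    # same third octet or not decides this with a 255.255.255.0 mask...
    print(same_network("192.168.1.10", "192.168.2.10", "255.255.255.0"))
    # ...but with a 255.255.0.0 mask the two hosts share one network
    print(same_network("192.168.1.10", "192.168.2.10", "255.255.0.0"))
    print(is_private("172.32.0.1"))   # False: 172.32 is outside 172.16-31
```

The last two calls show the point made earlier about 192.168.1.x and 192.168.2.x: whether they are one network or two is decided by the mask, not by the addresses alone.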
You may run into networks in businesses and schools where the computers don’t have private addresses. Our local community college is one such case. That’s because they jumped on the Internet bandwagon early, when public addresses were being handed out for the asking, and got themselves a Class B public address block (which allows them to have 65,534 publicly addressed computers). Every PC at all the campuses has a publicly routable address. The upside is they don’t need to use a proxy/NAT server in order for the students to be able to access the Internet. The downside is that their internal network is basically a part of the Internet. This is a huge security risk if no firewall is in place, because every system is reachable from anywhere in the world (which is why they have a mega-bucks Cisco PIX firewall appliance). The lesson carries over to privately addressed networks too: what actually keeps outsiders off your machines is the filtering at the gateway, not the address range you picked.