List:       opensuse-autoinstall
Subject:    Secure Network-Based Install for SuSE 9.0...
From:       Roy Butler <roy.butler () jpl ! nasa ! gov>
Date:       2004-05-06 0:18:44
Message-ID: 40998423.7020604 () jpl ! nasa ! gov

Hi,

I'd like to create a secure network-based install for SuSE 9.0 with 
AutoYaST using iptables.  Currently, I have the following working quite 
well on a private network:

- Server at 192.168.1.1 with SuSE 9.0 DVD contents NFS-exported and 
AutoYaST XML control file served via TFTP.
- Client connected through switch and booted from SuSE 9.0 CD1 with the 
following arguments:

hostip=192.168.1.2 netmask=255.255.255.0 gateway=192.168.1.1 
install=nfs://192.168.1.1/export/i386/SuSE/9.0/DVD 
autoyast=tftp://192.168.1.1/test-1.xml

My goal is to move the server to a semi-public network and install 
clients in a manner similar to the above, but prohibit any network 
traffic to the client from anywhere but the server during the process. 
I've read (most of) Anas' fine AutoYaST documentation, the Linux 
Bootdisk HOWTO, and the kernel's initrd.txt file, as well as some of the 
messages on this list.  I've missed it if anyone has described how to do 
this before, but here is my plan of attack:

- Copy SuSE 9.0 CD1 to hard drive.
- Gunzip and mount the CD's /boot/loader/initrd.
- Copy iptables.o to initrd's /modules directory and add an entry to the 
[autoload] section of initrd's /modules/module.config file.
- Unmount and gzip the initrd image.
- Create a template entry for the long-winded boot arguments above in 
the CD's /boot/loader/isolinux.cfg.
- Burn a custom SuSE 9.0 CD1 from the hard drive.
- Create a pre-script in my test-1.xml file which runs "iptables <some 
rule>".

Has anyone done something similar who can offer advice/comments?  I like 
the extended boot arguments, because I can't rely on PXE or DHCP 
everywhere.  I'm not stuck on iptables, if there's a similar way to do 
it otherwise.  I have the sense that I may be working with the wrong 
ramdisk (/boot/loader/initrd) since I found no /lib directory and an 
incredibly sparse /bin directory there...


Much appreciated,
Roy
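The following is an added example, not part of Roy's post, sketching what the "iptables <some rule>" pre-script step could look like: a default-DROP policy on the client that admits traffic only from and to the install server (192.168.1.1 as in the post; any other server address is passed as an argument). It assumes the installer ramdisk actually carries an iptables binary and the ip_tables/iptables kernel module, which the post itself notes is uncertain; the rule generator is kept separate from the apply step so the rule set can be inspected without root.

```shell
#!/bin/sh
# Added example (not from the original post). Lock an installing client down so
# that only the install server can talk to it for the duration of the install.
# Assumption: "iptables" and its kernel module are available in the ramdisk.

# Emit the rule set as one iptables command per line. Order matters: flush
# first, then set default DROP policies, then add the allow rules so the
# already-mounted NFS install source from the server keeps working.
gen_install_rules() {
    server="$1"
    cat <<EOF
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s $server -j ACCEPT
iptables -A OUTPUT -d $server -j ACCEPT
EOF
}

# Apply the generated rules by feeding them to a shell with -e, so the first
# failing command aborts the whole set. Returns 1 if iptables is not present.
apply_install_rules() {
    command -v iptables >/dev/null 2>&1 || return 1
    gen_install_rules "$1" | sh -e
}

# Sanity check used in review: how many rules name the server address.
# With the set above that is exactly two (one INPUT -s, one OUTPUT -d).
count_server_rules() {
    gen_install_rules "$1" | grep -c -- "$1"
}

# Usage inside the AutoYaST pre-script (server address from the post):
# apply_install_rules 192.168.1.1
```

Note that the allow rules are stateless and permit any protocol from the server, which covers NFS (UDP and TCP), TFTP and ICMP without having to enumerate ports; everything from any other source is dropped by policy, which is the property the post asks for. Once the install finishes and the real system boots, these rules are gone with the ramdisk, so the installed system needs its own firewall configuration.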

