Your Own Home Domain With ADSL LG #65

  • IPCHAINS-HOWTO

    If you want to use Napster behind the firewall, read the IPMasquerading+Napster mini-HOWTO.

    Setting up an external DNS server on the bastion host

    Although I use HAMMER NODE to host the DNS entries for my domain name, a working caching-only nameserver is still required on the Linux box. The configuration files are shown below:

    /etc/named.boot
    /etc/named.conf
    /var/named/named.ca
    /var/named/named.local
    /var/named/named.myfakedomain.com
    /var/named/named.myhome.net
    /var/named/named.rev.3
    /var/named/named.rev.2

    Connecting to the ADSL modem

    Connecting the ADSL modem under Linux is easy: download the RP-PPPoE RPM from Roaring Penguin Software Inc, install it and run adsl-setup. That is all; it is as easy as on a Windows machine.

    Migrating the domain name to the bastion host

    At this point the web server did not seem to be working yet. I fixed it by adding the line below to /etc/httpd/conf/httpd.conf:

    ServerName www.myfakedomain.com (for the bastion host)
    ServerName www.myhome.net (for the Intranet server)

    The web servers on both Linux machines were up and running after a reboot. Now what's next? I started my favourite browser, Netscape, and searched on my favourite search engine, Google, for a free DNS service. Finally I reached HAMMER NODE. I was lucky to have found hn.org: they provide free services for both dynamic IP and static IP users, they have a good and easy-to-use UI, and they manage to provide a reliable and stable service. I created a virtual domain mapping account and have the configuration like this:

    After setting up the DNS account at hn.org, I changed the DNS entries (both the primary and the secondary server) at the domain registration company (usually register.com or similar) to the DNS servers provided by hn.org. It may take some time for the DNS entries to refresh.

    Wonderful! Now the DNS entries are refreshed and all requests to www.myfakedomain.com are forwarded to my bastion host. Simple, huh? Thanks to hn.org for their great work. For details about how to set up DNS entries, please refer to the DNS-HOWTO.

    Because the machine connected to the ADSL modem provides services to the public, it can be accessed by anyone with Internet access, from anywhere. For security reasons I need to restrict access to the various tcpd-controlled services on this machine. I edited /etc/hosts.allow and /etc/hosts.deny accordingly:

    /etc/hosts.allow

    ALL: 127.0.0.1
    in.telnetd: 192.168.2.2
    in.ftpd: 192.168.2.2
    sshd: 192.168.2.2 203.xxx.xxx.xxx

    /etc/hosts.deny

    ALL: ALL : spawn (echo Attempt from %h %a to %d at `date` | tee -a /xxx/xxx/tcp.deny.log | mail my@email.com )

    As shown in the above configuration files, all machines on the internal network can telnet, ftp, ssh and sftp to the bastion host. The address 203.xxx.xxx.xxx is the IP address of my office machine, which is allowed to log in remotely to the bastion host using ssh and to transfer files to it using sftp. Telnet and ftp to the bastion host are never allowed from machines outside the internal network, because the user name and password are transmitted in plaintext and could easily be captured by an attacker. HTTPD is not included in the above configuration files because HTTPD is not controlled by inetd.

    Connecting to the bastion host safely using SSH

    Telnet and FTP connections to the bastion host are allowed from the internal network. SSH and SFTP must be used to connect from the external network. Refer to the article 'Using ssh' from Linux Gazette for how to set up and use SSH. You must have SSHD installed and running to support SSH. SFTP can be downloaded from http://enigma.xbill.org/sftp/. SFTP is easy to install and use; please refer to the README on the web site.

    Setting up the Intranet server

    In order to protect the internal network, I disable all access from the external network to my internal network:

    /etc/hosts.allow

    ALL: LOCAL 192.168.1.2 192.168.1.7

    /etc/hosts.deny

    ALL: ALL : spawn (echo Attempt from %h %a to %d at `date` | tee -a /xxx/xxx/tcp.deny.log | mail my@email.com )

    An email is sent to my mailbox whenever anything attempts to connect to a prohibited service on either of my Linux servers.
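    The two hosts.allow/hosts.deny pairs above (bastion host and Intranet server) are small enough to reason about by hand, but the tcpd lookup order and the LOCAL wildcard are easy to get wrong. The following is an added example, not code from the article: a Python emulation of the tcp_wrappers decision for the subset of hosts_access(5) syntax used here, run over constructed connection attempts. The office address 203.xxx.xxx.xxx and the log path /xxx/xxx/tcp.deny.log are elided in the article; the placeholders 203.0.113.5 and /var/log/tcp.deny.log stand in for them.

```python
"""Emulate tcp_wrappers (hosts.allow / hosts.deny) access decisions for the
two servers in the article.  Added example, not the article's own code.
It models the hosts_access(5) subset used there: "daemon_list : client_list
[: option]", the ALL and LOCAL wildcards, exact addresses, plus the
"192.168.2." prefix, ".myhome.net" suffix and net/mask client forms, and
tcpd's order: first match in hosts.allow grants access, otherwise first
match in hosts.deny refuses it, otherwise access is granted.  The spawn
option is only expanded into the log text it would produce, never run."""
import ipaddress
import re

# Constructed copies of the article's files.  203.0.113.5 (RFC 5737 test
# range) stands in for the elided office address 203.xxx.xxx.xxx and
# /var/log/tcp.deny.log for the elided log path.
BASTION_ALLOW = """
ALL: 127.0.0.1
in.telnetd: 192.168.2.2
in.ftpd: 192.168.2.2
sshd: 192.168.2.2 203.0.113.5
"""
INTRANET_ALLOW = """
ALL: LOCAL 192.168.1.2 192.168.1.7
"""
HOSTS_DENY = """
ALL: ALL : spawn (echo Attempt from %h %a to %d at `date` | tee -a /var/log/tcp.deny.log)
"""


def parse_rules(text):
    """Return [(daemons, clients, option)] for one hosts.allow/deny file."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % line)
        daemons, clients = (re.split(r"[\s,]+", f) for f in fields[:2])
        option = fields[2] if len(fields) == 3 else ""
        rules.append((daemons, clients, option))
    return rules


def client_matches(pattern, ip, name):
    """One client_list entry, as hosts_access(5) defines the forms modelled."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":            # a host whose *name* contains no dot
        return bool(name) and "." not in name
    if pattern.startswith("."):       # domain suffix, e.g. .myhome.net
        return name.endswith(pattern)
    if pattern.endswith("."):         # network prefix, e.g. 192.168.2.
        return ip.startswith(pattern)
    if "/" in pattern:                # net/mask, e.g. 192.168.1.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (ip, name)      # exact address or host name


def rule_matches(rule, daemon, ip, name):
    daemons, clients, _ = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(client_matches(c, ip, name) for c in clients))


def decide(daemon, ip, name, allow_text, deny_text):
    """Return ('allow' | 'deny', expanded option) in tcpd's evaluation order."""
    for verdict, text in (("allow", allow_text), ("deny", deny_text)):
        for rule in parse_rules(text):
            if rule_matches(rule, daemon, ip, name):
                option = (rule[2].replace("%h", name or ip)
                          .replace("%a", ip).replace("%d", daemon))
                return verdict, option
    return "allow", ""                # matched by neither file: tcpd permits


def bastion(daemon, ip, name=""):
    """Verdict for a connection to the bastion host."""
    return decide(daemon, ip, name, BASTION_ALLOW, HOSTS_DENY)[0]


def intranet(daemon, ip, name=""):
    """Verdict for a connection to the intranet server."""
    return decide(daemon, ip, name, INTRANET_ALLOW, HOSTS_DENY)[0]


if __name__ == "__main__":
    # Constructed attempts: (server, daemon, client address, reverse name)
    attempts = [
        ("bastion", "in.telnetd", "192.168.2.2", "gateway.myhome.net"),
        ("bastion", "in.telnetd", "203.0.113.5", ""),   # office may ssh, not telnet
        ("bastion", "sshd", "203.0.113.5", ""),
        ("bastion", "sshd", "198.51.100.7", ""),        # anyone else on the Internet
        ("bastion", "in.fingerd", "192.168.2.2", ""),   # unlisted daemon: ALL: ALL denies
        ("intranet", "in.telnetd", "192.168.1.3", "php"),             # LOCAL matches
        ("intranet", "in.telnetd", "192.168.1.3", "php.myhome.net"),  # LOCAL does not
    ]
    for server, daemon, ip, name in attempts:
        fn = bastion if server == "bastion" else intranet
        print("%-8s %-10s %-15s %-18s -> %s" % (server, daemon, ip, name, fn(daemon, ip, name)))
```

    Two things the run makes visible: because hosts.deny ends with ALL: ALL, any daemon not named in hosts.allow is refused from everywhere, so the files are default-deny; and LOCAL only matches when the reverse lookup of the client yields an unqualified name, so a workstation whose PTR record is php.myhome.net is not covered by it and must be listed by address.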

    As shown in figure 1, all internal machines have a host name. You can use whatever host name and domain name you like for your internal network, even a domain name that is already registered at the NIC; however, special care must be taken when setting up your own internal DNS server.

    Setting up intranet DNS server – named


    Again, please refer to the HOWTO or technical books for how to set up a DNS server. The following are my configuration files for the DNS server running on the Intranet server:

    /etc/named.boot
    /etc/named.conf
    /var/named/named.ca
    /var/named/named.local
    /var/named/named.myhome.net
    /var/named/named.rev.1
    /var/named/named.rev.2

    More security issues

    Hackers are all around you; firewalling with packet filtering and controlling service access with hosts.allow/hosts.deny are never enough on their own. New security holes may be discovered every day. You should subscribe to the corresponding mailing lists and upgrade your Linux constantly. A few more articles and software packages about security are worth introducing:

    • Security for the Home Network LG #46
    • Linux Firewall and Security Site
    • Mason – the automated firewall builder for Linux
    • Astaro AG (Great firewall linux distribution with web interface)
    • The Ethereal Network Analyzer
    • Nessus – The Security Scanner
    • Stunnel – Universal SSL Wrapper

      How about POP3 and SMTP server?

      POP3, like TELNET and FTP, transfers the username and password in plaintext and is considered insecure. SPOP could be set up to encrypt the POP data. However, I don't want to store my personal email on any machine outside the internal network, including my office workstation, so I'm not going to set up POP3 on the bastion host. The reason not to allow SMTP is that relaying mail is dangerous: spammers will make use of your relaying SMTP server to send their hateful spam mails. On the other hand, setting up a non-relaying SMTP server for yourself is meaningless, because you cannot send mail through your SMTP server from outside the network. I can simply log in to my bastion host using ssh and run pine to check and reply to my messages in a secure way.

      Subdomain for web server

      Wow, everything is working now. I can host my web server, email server and ftp server on my home Linux box. It rocks! Now I need a subdomain, resume.myfakedomain.com, to host my online resume. Adding the following lines to /etc/httpd/conf/httpd.conf handles all the magic:

      RewriteEngine on
      ## Ignore www.myfakedomain.com
      RewriteCond %{HTTP_HOST} !^www\.myfakedomain\.com [NC]
      ## Capture the subdomain part of the host name into %1.  (The negated
      ## condition above has no capture group, so without this line %1 is
      ## empty and the directory test below always succeeds.)
      RewriteCond %{HTTP_HOST} ^([a-z-]+)\.myfakedomain\.com [NC]
      ## A directory with the name of the subdomain must exist under DocumentRoot
      RewriteCond %{DOCUMENT_ROOT}/%1 -d
      ## Prepend the requested hostname to the URI (the URI already starts with /)
      ## [C] means that the next RewriteRule is chained to this one
      RewriteRule ^(.+) %{HTTP_HOST}$1 [C]
      ## Translate abc.myfakedomain.com/foo to www.myfakedomain.com/abc/foo
      RewriteRule ^([a-z-]+)\.myfakedomain\.com/?(.*)$ http://www.myfakedomain.com/$1/$2 [L]
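      To check what a given Host header and URI turn into before touching a live httpd.conf, here is an added example (not the article's code) that emulates the rewrite chain above in Python: www is left alone, the subdomain is captured from the Host header, a directory of that name must exist under DocumentRoot, and the two chained rules then produce the redirect to www.myfakedomain.com/<sub>/<path>. The set of existing subdirectories is constructed instead of reading a real DocumentRoot.

```python
"""Emulate the subdomain rewrite chain from the httpd.conf snippet in the
article.  Added example, not the article's code: it follows the snippet's
logic with the DocumentRoot subdirectories supplied as a constructed set."""
import re

DOMAIN = "myfakedomain.com"
# RewriteCond 2: ^([a-z-]+)\.myfakedomain\.com [NC]
SUBDOMAIN = re.compile(r"^([a-z-]+)\." + re.escape(DOMAIN), re.I)
# RewriteRule 2: ^([a-z-]+)\.myfakedomain\.com/?(.*)$ (case-sensitive, no NC)
LAST_RULE = re.compile(r"^([a-z-]+)\." + re.escape(DOMAIN) + r"/?(.*)$")


def map_request(host, uri, docroot_subdirs):
    """Return the redirect target for (Host, URI), or None when the request
    falls through the chain and is served unchanged."""
    # RewriteCond 1: ignore www.myfakedomain.com (NC)
    if host.lower().startswith("www." + DOMAIN):
        return None
    # RewriteCond 2: capture the subdomain into %1
    m = SUBDOMAIN.match(host)
    if m is None:
        return None
    # RewriteCond 3: %{DOCUMENT_ROOT}/%1 -d (a set stands in for the filesystem)
    if m.group(1) not in docroot_subdirs:
        return None
    # RewriteRule 1 [C]: the URI becomes <host><uri> and is handed to the next rule
    chained = host + uri
    # RewriteRule 2 [L]: split off the subdomain and redirect
    m2 = LAST_RULE.match(chained)
    if m2 is None:
        return None
    return "http://www.%s/%s/%s" % (DOMAIN, m2.group(1), m2.group(2))


if __name__ == "__main__":
    subdirs = {"resume"}   # constructed: only DocumentRoot/resume exists
    for host, uri in (("resume.myfakedomain.com", "/index.html"),
                      ("www.myfakedomain.com", "/index.html"),
                      ("nosuch.myfakedomain.com", "/"),
                      ("evil.example.com", "/")):
        print("%-26s %-12s -> %s" % (host, uri, map_request(host, uri, subdirs)))
```

      The directory test is what keeps an arbitrary Host header from being mapped anywhere: a name that has no matching subdirectory, or that does not fit [a-z-]+, falls through and is served by the default virtual host.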

      Other useful configuration files

      /etc/hosts (bastion host)

      127.0.0.1       localhost.localdomain   localhost
      192.168.2.1     router.myhome.net       router
      192.168.2.2     gateway.myhome.net      gateway
      202.xxx.xxx.xxx www.myfakedomain.com    www
      

      /etc/hosts (intranet gateway)

      127.0.0.1       localhost.localdomain   localhost
      192.168.1.1     server.myhome.net       server
      192.168.1.2     devel.myhome.net        devel
      192.168.1.3     php.myhome.net          php
      192.168.1.4     asp.myhome.net          asp
      192.168.1.7     be.myhome.net           be
      192.168.2.1     router.myhome.net       router
      192.168.2.2     gateway.myhome.net      gateway
      

      /etc/resolv.conf (bastion host)

      search myfakedomain.com
      nameserver      127.0.0.1
      

      /etc/resolv.conf (intranet gateway)

      search  myhome.net
      nameserver      127.0.0.1
      

      Network Card Setting

      Ethernet port setting:

      More network configuration files:

      /etc/sysconfig/network (bastion host)
      /etc/sysconfig/network-scripts/ifcfg-eth0 (bastion host)
      /etc/sysconfig/network-scripts/ifcfg-eth1 (bastion host)

      /etc/sysconfig/network (Intranet gateway)
      /etc/sysconfig/network-scripts/ifcfg-eth0 (Intranet gateway)
      /etc/sysconfig/network-scripts/ifcfg-eth1 (Intranet gateway)

      /etc/rc.d/rc.local (both the bastion host and the Intranet gateway)

      TCP/IP setting summary

      Bastion host
        Default gateway:    ppp0
        Nameserver:         127.0.0.1
        Network interface:  eth0
          IP address:       192.168.3.1
          Subnet mask:      255.255.255.0
        Network interface:  eth1
          IP address:       192.168.2.1
          Subnet mask:      255.255.255.0

      Intranet server
        Default gateway:    192.168.2.1
        Nameserver:         127.0.0.1
        Network interface:  eth0
          IP address:       192.168.1.1
          Subnet mask:      255.255.255.0
        Network interface:  eth1
          IP address:       192.168.2.2
          Subnet mask:      255.255.255.0

      Workstations on the internal network
        Default gateway:    192.168.1.1
        Nameserver:         192.168.1.1
        Network interface:  eth0
          IP address:       192.168.1.X
          Subnet mask:      255.255.255.0

      Further setup and reading

      What if you want to access an internal machine running Windows from another network while maintaining security through the firewall? The answer is to use Virtual Private Network (VPN) technology. Recent Linux versions support VPNs; more details can be found in the VPN HOWTO. If you have more than one domain and want to host them on the same bastion host, you may need special settings for your Apache web server and sendmail server. The next version of this article will include a walkthrough of the VPN and virtual domain setup.

      If you have any suggestions or comments regarding this document, please feel free to contact me at rayxtra@hotmail.com.

      Copyright © 2001, Ray Chan.
      Copying license http://www.linuxgazette.com/copying.html
      Published in Issue 65 of Linux Gazette, April 2001