My server has two ethernet interfaces, which, surprisingly, aren’t called ethX any more, but enp3s0 and enp4s1. I guess I can live with that.
The outward-facing one needs to obtain a DHCP address from my ISP:
systemctl start dhcpcd@enp3s0
systemctl enable dhcpcd@enp3s0
curl cnn.com
and I see a little HTML file. So we are connected to the internet.
Next is a full system upgrade and the installation of a firewall. I like ufw (“uncomplicated firewall”, something firewalls are in dire need of.)
pacman -Syu
pacman -S ufw
ufw default deny
ufw enable
systemctl enable ufw
Rate-limiting for ssh seems like a good idea:
ufw limit SSH
Now for the internal Ethernet interface. It connects to my home Ethernet, which includes a zillion (as it seems) stationary computers, a Skype phone, printers, and a WiFi base station in “bridge” mode (so we don’t have double-NAT traversal for WiFi clients).
I’ll work from an example config file provided by Arch’s netctl:
cp /etc/netctl/examples/ethernet-static /etc/netctl/enp4s1
vi !$
and add my IP network configuration. Then, I activate it and make it permanent:
netctl start enp4s1
netctl enable enp4s1
We need to augment the ufw rules for NAT by adding the following at the very beginning of /etc/ufw/before.rules:
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.138.0/24 -o enp3s0 -j MASQUERADE
COMMIT
And we need to allow ufw to forward packets, by changing the forwarding policy in /etc/default/ufw to ACCEPT. For good measure, I also disable IPv6 there.
We also need to tell the kernel about needing IPv4 forwarding, so the box can act as a router. Then, to test everything so far, let’s reboot:
echo net.ipv4.ip_forward=1 > /etc/sysctl.d/30-ipforward.conf
shutdown -r now
DHCP and DNS for the home network are next. I haven’t used dnsmasq for reals, but it seems like a good tool for the job. It performs DHCP, local DNS resolution and DNS caching all in one package:
pacman -S dnsmasq
vi /etc/dnsmasq.conf
systemctl start dnsmasq
systemctl enable dnsmasq
In /etc/dnsmasq.conf, I pick the following settings:
domain-needed
bogus-priv
except-interface=enp3s0
listen-address=192.168.138.1
expand-hosts
domain=aviatis.com
dhcp-range=192.168.138.100,192.168.138.199,15m
dhcp-host=xx:xx:xx:xx:xx:xx,printer,192.168.138.9,15
The last line lets me assign a fixed IP address and hostname to a device with a known MAC address. That’s great for things like printers or file servers, because I can leave them unconfigured (they default to getting IP addresses by DHCP) while essentially giving them a static IP address.
And because I like to know what’s going on on my network, I deny IP addresses to any client that isn’t known. Of course, that won’t defeat anybody even a bit knowledgeable about IP networking, but it does prevent “casual” additions of new devices to the network by those people in the house that don’t know that they should know better ;-)
The latter logs everything that happens related to DHCP.
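As an added example (my code, not the post’s and not part of dnsmasq), here is a small checker that reads settings like the ones above and flags the mistakes that are easy to make in this setup: a static reservation that lands inside the dynamic pool, an address outside the LAN, a missing except-interface for the WAN side, and a lease time given as a bare number. The LAN prefix, the WAN interface name and the sample config come from the post; the function names and the sample with the NAS are mine.

```python
import ipaddress
import re

# Constructed sample mirroring the post's settings (MAC left as the post's xx placeholder).
SAMPLE_CONF = """\
domain-needed
bogus-priv
except-interface=enp3s0
listen-address=192.168.138.1
expand-hosts
domain=aviatis.com
dhcp-range=192.168.138.100,192.168.138.199,15m
dhcp-host=xx:xx:xx:xx:xx:xx,printer,192.168.138.9,15
"""
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def parse_conf(text):
    """Map each option to the list of its values; bare flags map to an empty list."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, val = line.partition("=")
            opts.setdefault(key.strip(), [])
            if val:
                opts[key.strip()].append(val.strip())
    return opts

def check_conf(text, lan_net="192.168.138.0/24", wan_if="enp3s0"):
    """Return findings as strings; an empty list means the config fits the LAN."""
    lan, opts, findings = ipaddress.ip_network(lan_net), parse_conf(text), []
    if wan_if not in opts.get("except-interface", []):
        findings.append(f"DHCP and DNS would also be served on WAN interface {wan_if}")
    for addr in opts.get("listen-address", []):
        if ipaddress.ip_address(addr) not in lan:
            findings.append(f"listen-address {addr} is outside {lan_net}")
    pools = []  # (low, high) of every dynamic dhcp-range
    for rng in opts.get("dhcp-range", []):
        pools.append(tuple(ipaddress.ip_address(p) for p in rng.split(",")[:2]))
    for host in opts.get("dhcp-host", []):
        parts = host.split(",")
        ip = next((ipaddress.ip_address(p) for p in parts if IPV4.fullmatch(p)), None)
        if ip is not None and ip not in lan:
            findings.append(f"dhcp-host {host}: {ip} is outside {lan_net}")
        elif ip is not None and any(lo <= ip <= hi for lo, hi in pools):
            findings.append(f"dhcp-host {host}: {ip} collides with the dynamic pool")
        if parts[-1].isdigit():  # dnsmasq reads a bare number as seconds (minimum 120)
            findings.append(f"dhcp-host {host}: lease '{parts[-1]}' has no unit suffix")
    return findings
```

Run against the post’s own settings it reports only the trailing 15 on the printer line, which dnsmasq would read as seconds rather than minutes.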
Apparently, according to this page, dhcpcd and dnsmasq tend to fight if left alone, so we do this:
echo "nameserver 192.168.138.1" > /etc/resolv.conf.head
And we need to tell ufw that local network operations are okay, as are DHCP requests:
ufw allow from 192.168.138.0/24
ufw allow from any port 68 to any port 67 proto udp
(This last rule sounds overly broad, but it’s quoted all over the net and works. My attempts to limit it to the local network have failed; somehow then DHCP does not make it through.)
Reboot. Working! Go to step 4.
P.S. So far, the system takes 838MB on disk. Take that, Windows, OSX, or most other Linux distros.