Home server step 3: networking

After setting up hardware and installing the base OS, we can now configure networking. (In the future, I hope Indie Box Project will make this a lot easier with indie-networking.)

My server has two ethernet interfaces, which, surprisingly, aren’t called ethX any more, but enp3s0 and enp4s1. I guess I can live with that.

The outward-facing one needs to obtain a DHCP address from my ISP:

systemctl start dhcpcd@enp3s0
systemctl enable dhcpcd@enp3s0
curl cnn.com

and I see a little HTML file. So we are connected to the internet.

Next is a full system upgrade and the installation of a firewall. I like ufw (“uncomplicated firewall”, something firewalls are in dire need of).

pacman -Syu
pacman -S ufw
ufw default deny
ufw enable
systemctl enable ufw

Rate-limiting for ssh seems like a good idea:

ufw limit SSH

Now for the internal Ethernet interface. It connects to my home Ethernet, which includes a zillion (as it seems) stationary computers, a Skype phone, printers, and a WiFi base station in “bridge” mode (so we don’t have double-NAT traversal for WiFi clients).

I’ll work from an example config file provided by Arch’s netctl:

cp /etc/netctl/examples/ethernet-static /etc/netctl/enp4s1
vi !$

and add my IP network configuration. Then, I activate it and make it permanent:

netctl start enp4s1
netctl enable enp4s1

We need to augment the ufw rules for NAT by adding to /etc/ufw/before.rules at the very beginning:

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.138.0/24 -o enp3s0 -j MASQUERADE
COMMIT

And we need to allow ufw to forward packets in /etc/default/ufw by changing DEFAULT_FORWARD_POLICY to ACCEPT. For good measure, I also disable IPv6 there.

We also need to tell the kernel about needing IPv4 forwarding, so the box can act as a router. Then, to test everything so far, let’s reboot:

echo net.ipv4.ip_forward=1 > /etc/sysctl.d/30-ipforward.conf
shutdown -r now

DHCP and DNS for the home network are next. I haven’t used dnsmasq for reals, but it seems like a good tool for the job. It performs DHCP, local DNS resolution and DNS caching all in one package:

pacman -S dnsmasq
vi /etc/dnsmasq.conf
systemctl start dnsmasq
systemctl enable dnsmasq

In /etc/dnsmasq.conf, I pick the following settings:

domain-needed
bogus-priv
except-interface=enp3s0
listen-address=192.168.138.1
expand-hosts
domain=aviatis.com
dhcp-range=192.168.138.100,192.168.138.199,15m
dhcp-host=xx:xx:xx:xx:xx:xx,printer,192.168.138.9,15m

The last line allows me to assign the same IP addresses and hostnames to devices with a known MAC address. That’s great for things like printers or file servers because I can leave them unconfigured (they default to getting IP addresses by DHCP) while essentially giving them a static IP address.
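Two mistakes are easy to make in such dhcp-host lines: a placeholder or mistyped MAC address, and a lease time written as a bare number, which dnsmasq reads as seconds. The script below is an added check, not part of the original post; the configuration it parses is constructed here, and it assumes the MAC,name,IP,lease field order used above.

```shell
#!/bin/sh
# Constructed sample in the style of the post's dnsmasq.conf: the "xx:" MAC is
# the post's placeholder, the nas and camera entries are made up for the check.
SAMPLE_CONF='listen-address=192.168.138.1
dhcp-range=192.168.138.100,192.168.138.199,15m
dhcp-host=xx:xx:xx:xx:xx:xx,printer,192.168.138.9,15
dhcp-host=02:00:00:00:00:01,nas,192.168.138.10,infinite
dhcp-host=02:00:00:00:00:02,camera,192.168.138.150,1h'

# Last octet of a dotted IPv4 address (all checks stay inside one /24).
last_octet() { echo "${1##*.}"; }

# Read a dnsmasq config on stdin and print one line per problem found in its
# dhcp-host entries (assumed to be MAC,name,IP,lease); print nothing if clean.
check_dhcp_hosts() {
    conf=$(cat)
    range=$(printf '%s\n' "$conf" | sed -n 's/^dhcp-range=//p' | head -n1)
    lo=$(last_octet "$(echo "$range" | cut -d, -f1)")
    hi=$(last_octet "$(echo "$range" | cut -d, -f2)")
    prefix=${range%%,*}; prefix=${prefix%.*}          # e.g. 192.168.138
    printf '%s\n' "$conf" | sed -n 's/^dhcp-host=//p' |
    while IFS=, read -r mac name ip lease; do
        # A MAC must be six hex pairs; the "xx:" placeholder fails this.
        if ! printf '%s' "$mac" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'; then
            echo "$name: invalid MAC '$mac'"
        fi
        # The fixed address must sit in the served /24 ...
        if [ "${ip%.*}" != "$prefix" ]; then
            echo "$name: $ip is outside $prefix.0/24"
        # ... and, following the post's layout, outside the dynamic pool.
        elif [ "$(last_octet "$ip")" -ge "$lo" ] && [ "$(last_octet "$ip")" -le "$hi" ]; then
            echo "$name: $ip lies inside the dynamic range $range"
        fi
        # dnsmasq takes a bare number as seconds; insist on a unit or infinite.
        case "$lease" in
            infinite|*m|*h|*d|*w) ;;
            *) echo "$name: lease '$lease' has no unit (dnsmasq reads it as seconds)" ;;
        esac
    done
}

# Number of problems in the constructed sample (3: printer MAC, printer lease,
# camera address inside the pool).
count_problems() { printf '%s\n' "$SAMPLE_CONF" | check_dhcp_hosts | grep -c . || true; }
```

Run it against a real /etc/dnsmasq.conf with `check_dhcp_hosts < /etc/dnsmasq.conf`; an empty output means every reservation passed.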

And because I like to know what’s going on on my network, I deny IP addresses to any client that isn’t known. Of course, that won’t defeat anybody even a bit knowledgeable about IP networking, but it does prevent “casual” additions of new devices to the network by those people in the house that don’t know that they should know better ;-)

dhcp-ignore=tag:!known
dhcp-script=/bin/echo

The latter runs /bin/echo with the action (add, old or del), MAC address, IP address and hostname of every lease change, so every DHCP event shows up in dnsmasq’s output (the journal, under systemd).

Apparently, according to this page, dhcpcd and dnsmasq tend to fight if left alone, so we do this:

echo "nameserver 192.168.138.1" > /etc/resolv.conf.head

And we need to tell ufw that local network operations are okay, as are DHCP requests (a client that has no address yet sends its request from 0.0.0.0 to the broadcast address, so the subnet rule alone does not match it):

ufw allow from 192.168.138.0/24
ufw allow from any port 68 to any port 67 proto udp

(This last rule sounds overly broad, but it’s quoted all over the net and works. My attempts to limit it to the local network have failed; somehow then DHCP does not make it through.)

Reboot. Working! Go to step 4.

P.S. So far, the system takes 838MB on disk. Take that, Windows, OSX, or most other Linux distros.


Links to all parts: Step 1: assemble and test hardware; Step 2: install Arch Linux; Step 3: networking; Step 4: make it an Indie Box!; Step 5: deploy Shaarli via Indie Box.