{"id":1659,"date":"2013-11-25T12:58:53","date_gmt":"2013-11-25T20:58:53","guid":{"rendered":"http:\/\/upon2020.com\/blog\/?p=1659"},"modified":"2014-03-06T12:16:47","modified_gmt":"2014-03-06T20:16:47","slug":"home-server-step-3-networking","status":"publish","type":"post","link":"https:\/\/upon2020.com\/blog\/2013\/11\/home-server-step-3-networking\/","title":{"rendered":"Home server step 3: networking"},"content":{"rendered":"<p>After <a href=\"\/blog\/2013\/11\/home-server-step-1-assemble-and-test-hardware\/\">setting up hardware<\/a> and <a href=\"\/blog\/2013\/11\/home-server-step-2-install-arch-linux\/\">installing the base OS<\/a>, we can now configure networking. (In the future, I hope Indie Box Project will make this a lot easier with <a href=\"https:\/\/github.com\/indieboxproject\/archlinux\/indie-networking\">indie-networking<\/a>.)<\/p>\n<p>My server has two ethernet interfaces, which, surprisingly, <a href=\"http:\/\/www.freedesktop.org\/wiki\/Software\/systemd\/PredictableNetworkInterfaceNames\/\">aren&#8217;t called ethX any more<\/a>, but enp3s0 and enp4s1. I guess I can live with that.<\/p>\n<p>The outward-facing one needs to obtain a DHCP address from my ISP:<\/p>\n<pre>systemctl start dhcpcd@enp3s0\r\nsystemctl enable dhcpcd@enp3s0\r\ncurl cnn.com<\/pre>\n<p>and I see a little HTML file. So we are connected to the internet.<\/p>\n<p>Next is a full system upgrade and the installation of a firewall. I like ufw (&#8220;uncomplicated firewall&#8221;, something firewalls are in dire need of.)<\/p>\n<pre>pacman -Syu\r\npacman -S ufw\r\nufw default deny\r\nufw enable\r\nsystemctl enable ufw<\/pre>\n<p>Rate-limiting for ssh seems like a good idea:<\/p>\n<pre>ufw limit SSH<\/pre>\n<p>Now for the internal Ethernet interface. 
It connects to my home Ethernet, which includes a zillion (as it seems) stationary computers, a Skype phone, printers, and a WiFi base station in &#8220;bridge&#8221; mode (so we don&#8217;t have <a href=\"http:\/\/graemenoble.id.au\/post\/48695277030\/double-nat-explained-and-possible-solutions\">double-NAT<\/a> traversal for WiFi clients).<\/p>\n<p>I&#8217;ll work from an example config file provided by Arch&#8217;s netctl:<\/p>\n<pre>cp \/etc\/netctl\/examples\/ethernet-static \/etc\/netctl\/enp4s1\r\nvi !$<\/pre>\n<p>and add my IP network configuration. Then, I activate it and make it permanent:<\/p>\n<pre>netctl start enp4s1\r\nnetctl enable enp4s1<\/pre>\n<p>We need to augment the ufw rules for NAT by adding to <code>\/etc\/ufw\/before.rules<\/code> at the very beginning (before the existing <code>*filter<\/code> section, since the nat table is its own block):<\/p>\n<pre>*nat\r\n:POSTROUTING ACCEPT [0:0]\r\n-A POSTROUTING -s 192.168.138.0\/24 -o enp3s0 -j MASQUERADE\r\nCOMMIT<\/pre>\n<p>And we need to allow ufw to forward packets in <code>\/etc\/default\/ufw<\/code> by changing <code>DEFAULT_FORWARD_POLICY<\/code> to <code>ACCEPT<\/code>. For good measure, I also disable IPv6 there. Note that <code>ACCEPT<\/code> forwards in both directions: the MASQUERADE rule only rewrites source addresses on the way out, and nothing here stops a packet that arrives on enp3s0 addressed to 192.168.138.0\/24 from being passed on to the LAN. Only the fact that those addresses are not routed on the internet protects the LAN hosts. A stricter setup keeps the policy at <code>DROP<\/code> and adds rules to the <code>ufw-before-forward<\/code> chain in <code>before.rules<\/code> that accept traffic from enp4s1 to enp3s0 plus established return traffic.<\/p>\n<p>We also need to enable IPv4 forwarding in the kernel so the box can act as a router. Then, to test everything so far, let&#8217;s reboot:<\/p>\n<pre>echo net.ipv4.ip_forward=1 &gt; \/etc\/sysctl.d\/30-ipforward.conf\r\nshutdown -r now<\/pre>\n<p>DHCP and DNS for the home network are next. I haven&#8217;t used dnsmasq for reals, but it seems like a good tool for the job. 
It performs DHCP, local DNS resolution and DNS caching all in one package:<\/p>\n<pre>pacman -S dnsmasq\r\nvi \/etc\/dnsmasq.conf\r\nsystemctl start dnsmasq\r\nsystemctl enable dnsmasq<\/pre>\n<p>In \/etc\/dnsmasq.conf, I pick the following settings:<\/p>\n<pre>domain-needed\r\nbogus-priv\r\nexcept-interface=enp3s0\r\nlisten-address=192.168.138.1\r\nexpand-hosts\r\ndomain=aviatis.com\r\ndhcp-range=192.168.138.100,192.168.138.199,15m\r\ndhcp-host=xx:xx:xx:xx:xx:xx,printer,192.168.138.9,15<\/pre>\n<p>The last line assigns a fixed IP address and hostname to a device with a known MAC address. That&#8217;s great for things like printers or file servers because I can leave them unconfigured (they default to getting IP addresses by DHCP) while essentially giving them a static IP address.<\/p>\n<p>And because I like to know what&#8217;s going on on my network, I deny IP addresses to any client that isn&#8217;t known (a client is &#8220;known&#8221; when its MAC address matches a <code>dhcp-host<\/code> line). Of course, that won&#8217;t defeat anybody even a bit knowledgeable about IP networking, but it does prevent &#8220;casual&#8221; additions of new devices to the network by those people in the house that don&#8217;t know that they should know better ;-)<\/p>\n<pre>dhcp-ignore=tag:!known\r\ndhcp-script=\/bin\/echo<\/pre>\n<p>The latter makes dnsmasq run <code>\/bin\/echo<\/code> with the action (<code>add<\/code>, <code>old<\/code> or <code>del<\/code>), the MAC address, the IP address and the hostname whenever a lease changes, which serves as a cheap log of everything that happens related to DHCP.<\/p>\n<p>Apparently, according to <a href=\"https:\/\/wiki.archlinux.org\/index.php\/Dnsmasq\">this page<\/a>, dhcpcd and dnsmasq tend to fight if left alone: dhcpcd rewrites \/etc\/resolv.conf with the ISP&#8217;s nameservers, so the server itself would bypass its own dnsmasq. dhcpcd&#8217;s resolv.conf hook prepends the contents of \/etc\/resolv.conf.head, so we put the local resolver there:<\/p>\n<pre>echo \"nameserver 192.168.138.1\" &gt; \/etc\/resolv.conf.head<\/pre>\n<p>And we need to tell ufw that local network operations are okay, as are DHCP requests:<\/p>\n<pre>ufw allow from 192.168.138.0\/24\r\nufw allow from any port 68 to any port 67 proto udp<\/pre>\n<p>(This last rule sounds overly broad, but it&#8217;s quoted all over the net and works. My attempts to limit it to the local network have failed; somehow DHCP then does not make it through.)<\/p>\n<p>Reboot. Working! 
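<\/p>\n<p>The pieces above repeat the same subnet and interface names in four places (the MASQUERADE rule, the two ufw rules and dnsmasq.conf), and the allow-list is only as good as the <code>dhcp-host<\/code> lines in it. The following script is an added example, not code from the original post: it derives all of those fragments from one set of variables and checks the allow-list before it is written out. It keeps the post&#8217;s interface names and addresses; the domain and the MAC addresses are constructed placeholders, and the checks assume a \/24 LAN. It also scopes the DHCP rule to the LAN interface with <code>ufw allow in on enp4s1<\/code>: a DHCPDISCOVER is sent from source address 0.0.0.0, which is why a <code>from 192.168.138.0\/24<\/code> match cannot see it while an interface match can.<\/p>\n

```shell
#!/bin/sh
# Added example, not code from the original post: derive every place where the
# LAN subnet, the interface names and the known-device list appear (the NAT
# rule, the ufw rules, dnsmasq.conf) from one set of variables, and sanity-check
# the allow-list before it goes into dnsmasq.conf.
# Interface names and addresses are the post's; LAN_DOMAIN and all MAC
# addresses are constructed placeholders. The checks assume a /24 LAN.

WAN_IF=enp3s0
LAN_IF=enp4s1
LAN_NET=192.168.138.0/24
LAN_ADDR=192.168.138.1
POOL_LO=192.168.138.100
POOL_HI=192.168.138.199
LAN_DOMAIN=home.example   # assumed; the post uses the author's own domain

# The *nat block that goes at the very top of /etc/ufw/before.rules.
nat_rules() {
    printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]' \
        "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE" 'COMMIT'
}

# ufw commands. The DHCP rule is scoped to the LAN interface instead of
# "from any": a DHCPDISCOVER arrives with source address 0.0.0.0, so a
# "from 192.168.138.0/24" match never sees it, but "in on enp4s1" does.
ufw_commands() {
    printf '%s\n' 'ufw default deny' 'ufw limit SSH' \
        "ufw allow in on $LAN_IF from $LAN_NET" \
        "ufw allow in on $LAN_IF proto udp from any port 68 to any port 67"
}

# Emit dnsmasq.conf; $1 is a file with one "mac hostname ip" entry per line.
# dhcp-ignore=tag:!known refuses leases to any MAC without a dhcp-host line.
dnsmasq_conf() {
    printf '%s\n' 'domain-needed' 'bogus-priv' "except-interface=$WAN_IF" \
        "listen-address=$LAN_ADDR" 'expand-hosts' "domain=$LAN_DOMAIN" \
        "dhcp-range=$POOL_LO,$POOL_HI,15m" 'dhcp-ignore=tag:!known'
    while read -r mac name ip; do
        printf 'dhcp-host=%s,%s,%s,15m\n' "$mac" "$name" "$ip"
    done < "$1"
}

# Reject entries with a malformed MAC, an address outside the LAN, or a fixed
# address inside the dynamic pool (it would collide with dynamic leases).
# Prints one line per problem; returns 1 if any was found, 0 otherwise.
check_known_hosts() {
    bad=0
    hex='[0-9a-fA-F][0-9a-fA-F]'
    lo=${POOL_LO##*.}
    hi=${POOL_HI##*.}
    while read -r mac name ip; do
        case "$mac" in
            $hex:$hex:$hex:$hex:$hex:$hex) ;;
            *) echo "$name: malformed MAC $mac"; bad=1; continue ;;
        esac
        if [ "${ip%.*}" != "${LAN_ADDR%.*}" ]; then
            echo "$name: $ip is not in $LAN_NET"; bad=1; continue
        fi
        last=${ip##*.}
        if [ "$last" -ge "$lo" ] && [ "$last" -le "$hi" ]; then
            echo "$name: $ip lies inside the dynamic pool $POOL_LO-$POOL_HI"; bad=1
        fi
    done < "$1"
    return "$bad"
}

# Constructed sample allow-lists (placeholder MACs). In the second one, the
# laptop sits inside the pool and the last line is the post's unfilled
# template; both are meant to be caught by the check.
KNOWN_OK=$(mktemp)
KNOWN_BAD=$(mktemp)
trap 'rm -f "$KNOWN_OK" "$KNOWN_BAD"' EXIT
cat > "$KNOWN_OK" <<'EOF'
02:00:00:00:00:09 printer 192.168.138.9
02:00:00:00:00:0a nas 192.168.138.10
EOF
cat > "$KNOWN_BAD" <<'EOF'
02:00:00:00:00:09 printer 192.168.138.9
02:00:00:00:00:96 laptop 192.168.138.150
xx:xx:xx:xx:xx:xx template 192.168.138.11
EOF

# Only emit the fragments when the allow-list passes.
if check_known_hosts "$KNOWN_OK"; then
    nat_rules; ufw_commands; dnsmasq_conf "$KNOWN_OK"
fi
```

<p>Run as is, the script prints the three fragments for the good list. Calling <code>check_known_hosts<\/code> on the second list instead reports the fixed address that collides with the pool and the unfilled template line, and returns non-zero, so a wrapper can refuse to install a dnsmasq.conf that would silently hand out overlapping or unusable leases.<\/p>\n<p>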
Go to <a href=\"\/blog\/2013\/12\/home-server-step-4-make-it-an-indie-box\/\">step 4<\/a>.<\/p>\n<p>P.S. So far, the system takes 838MB on disk. Take that, Windows, OSX, or most other Linux distros.<\/p>\n<p>&nbsp;<\/p>\n<p>Links to all parts: <a href=\"\/blog\/2013\/11\/home-server-step-1-assemble-and-test-hardware\/\">Step 1: assemble and test hardware<\/a>; <a href=\"\/blog\/2013\/11\/home-server-step-2-install-arch-linux\/\">Step 2: install Arch Linux<\/a>; <a href=\"\/blog\/2013\/11\/home-server-step-3-networking\/\">Step 3: networking<\/a>; <a href=\"\/blog\/2013\/12\/home-server-step-4-make-it-an-indie-box\/\">Step 4: make it an Indie Box!<\/a>; <a href=\"\/blog\/2013\/12\/home-server-step-5-deploy-shaarli-via-indie-box\/\">Step 5: deploy Shaarli via Indie Box<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>After setting up hardware and installing the base OS, we can now configure networking. (In the future, I hope Indie Box Project will make this a lot easier with indie-networking.) My server has two ethernet interfaces, which, surprisingly, aren&#8217;t called ethX any more, but enp3s0 and enp4s1. I guess I can live with that. 
The&hellip;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"webmentions_disabled":false,"footnotes":""},"categories":[65,66],"tags":[291],"class_list":["post-1659","post","type-post","status-publish","format-standard","hentry","category-personal","category-technical","tag-indiebox","kind-"],"kind":false,"_links":{"self":[{"href":"https:\/\/upon2020.com\/blog\/wp-json\/wp\/v2\/posts\/1659","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/upon2020.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/upon2020.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/upon2020.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/upon2020.com\/blog\/wp-json\/wp\/v2\/comments?post=1659"}],"version-history":[{"count":11,"href":"https:\/\/upon2020.com\/blog\/wp-json\/wp\/v2\/posts\/1659\/revisions"}],"predecessor-version":[{"id":1900,"href":"https:\/\/upon2020.com\/blog\/wp-json\/wp\/v2\/posts\/1659\/revisions\/1900"}],"wp:attachment":[{"href":"https:\/\/upon2020.com\/blog\/wp-json\/wp\/v2\/media?parent=1659"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/upon2020.com\/blog\/wp-json\/wp\/v2\/categories?post=1659"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/upon2020.com\/blog\/wp-json\/wp\/v2\/tags?post=1659"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}