Yesterday, after a power outage, the SSD inside my home server fried… As usual, I realised how many things were not backed up after the fact… That's ironic when you know that one of the purposes of this machine was backing up my stuff!
The roles of the server are:
- Internet Gateway
- Wireless Access Point
- Storage server
- Media player
- Web server (for non-critical websites, like test sites, etc.)
- Torrents
In this article (and the next ones), I’ll describe the setup of the new server.
Hardware:
The server is a PC stuffed with many hard drives, two Ethernet cards and a Wi-Fi card, hooked up to a TV.
The system is a standard Arch Linux on a SSD. The data hard drives are configured as a BTRFS volume in RAID1.
One NIC is plugged into my ISP fibre adapter, the other one is plugged into my local network.
Network configuration
I used systemd-networkd to configure my network, hostapd for the wireless access point and dnsmasq for DHCP/DNS.
pacman -S bridge-utils hostapd openssh fail2ban dnsmasq
First, renaming the interfaces:
/etc/systemd/network/10-lan.link
[Match]
MACAddress=74:d4:35:e8:b3:0e

[Link]
Name=lan
/etc/systemd/network/10-wan.link
[Match]
MACAddress=74:d4:35:e8:b3:0c

[Link]
Name=wan
/etc/systemd/network/10-wlan0.link
[Match]
MACAddress=80:86:f2:5f:a9:a1

[Link]
Name=wlan0
Then I've created a new bridge interface. This interface will connect the wired and wireless LANs into one network.
/etc/systemd/network/20-br0.netdev
[NetDev]
Name=br0
Kind=bridge
I’ve added the wired lan network to the bridge. The wireless lan network will be added by hostapd.
/etc/systemd/network/20-lan.network
[Match]
Name=lan

[Network]
Bridge=br0
I've configured the bridged LAN with a static IP:
/etc/systemd/network/30-br0.network
[Match]
Name=br0

[Network]
Address=192.168.42.254/24
DNS=80.80.80.80
#DNS=8.8.8.8
Then I've set up the wan network as a DHCP client. My internet provider (SFR) requires a vendor class identifier starting with neufbox. I also added IPForward=yes (this used to be done through sysctl or /proc). This setting just activates the routing functionality inside the Linux kernel; it could be added to any interface.
/etc/systemd/network/30-wan.network
[Match]
Name=wan

[Network]
#IPMasquerade=yes
IPForward=yes
DHCP=yes

[DHCP]
VendorClassIdentifier=neufbox-BypassedNeufBox-DirectConnectionToFTTH-puyb@puyb.net
Then I've implemented my firewall rules:
/etc/iptables/iptables.rules
# Generated by iptables-save v1.6.1 on Sat Feb 10 18:41:10 2018
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [506:47311]
:OUTPUT ACCEPT [27428:4233911]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A TCP -s 192.168.42.0/24 -p tcp -j ACCEPT
-A UDP -s 192.168.42.0/24 -p udp -j ACCEPT
-A UDP -i br0 -p udp -m udp --dport 67 -j ACCEPT
COMMIT
# Completed on Sat Feb 10 18:41:10 2018
# Generated by iptables-save v1.6.1 on Sat Feb 10 18:41:10 2018
*nat
:PREROUTING ACCEPT [12773:981683]
:INPUT ACCEPT [507:45818]
:OUTPUT ACCEPT [7126:640794]
:POSTROUTING ACCEPT [7886:703974]
-A POSTROUTING -s 192.168.42.0/24 -o wan -j MASQUERADE
COMMIT
# Completed on Sat Feb 10 18:41:10 2018
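As an added check (not code from the original post), here is a small Python audit of an iptables-save dump like the one above. It reports the built-in chains whose default policy is ACCEPT, then walks INPUT, following the jumps into the TCP and UDP user chains, and lists every ACCEPT that a new connection arriving on the wan interface can reach. The interface name, the LAN prefix and the ruleset itself are taken from this post; the over-approximating match logic (a rule counts unless one of its matches definitely excludes a WAN-side NEW packet) and the assumption that LAN addresses are not spoofed from the WAN are the example's own. On this ruleset it reports FORWARD and OUTPUT as ACCEPT-by-default and two WAN-reachable ACCEPTs: ICMP echo requests and TCP port 22, which is the exposure fail2ban in the package list is there to watch.

```python
# Added example (not the post's code): parse an iptables-save dump and report (a) built-in
# chains whose default policy is ACCEPT and (b) every ACCEPT a NEW connection arriving on
# the WAN interface can reach, following jumps into user chains. The walk over-approximates:
# a rule counts unless one of its matches definitely excludes a WAN-side NEW packet.
import ipaddress
import shlex
from collections import defaultdict

WAN_IF = "wan"                                     # interface name from 10-wan.link
LAN_NET = ipaddress.ip_network("192.168.42.0/24")  # LAN prefix from 30-br0.network
TWO_ARG = {"--tcp-flags"}                          # the only option here that takes two values
# Constructed sample input: the filter table from /etc/iptables/iptables.rules above.
RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [506:47311]
:OUTPUT ACCEPT [27428:4233911]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A TCP -s 192.168.42.0/24 -p tcp -j ACCEPT
-A UDP -s 192.168.42.0/24 -p udp -j ACCEPT
-A UDP -i br0 -p udp -m udp --dport 67 -j ACCEPT
COMMIT
"""

def parse_rule(tokens):
    """Turn one '-A CHAIN ... -j TARGET' token list into {chain, target, opts}."""
    rule, i = {"chain": None, "target": None, "opts": {}}, 0
    while i < len(tokens):
        tok, n = tokens[i], 3 if tokens[i] in TWO_ARG else 2
        value = tokens[i + 1] if n == 2 else tuple(tokens[i + 1:i + 3])
        if tok == "-A":
            rule["chain"] = value
        elif tok == "-j":
            rule["target"] = value
        else:  # every other option in a dump is followed directly by its value(s)
            rule["opts"][tok] = value
        i += n
    return rule

def parse_iptables_save(text):
    """Return {table: {"policy": {chain: policy}, "rules": {chain: [rule, ...]}}}."""
    tables, table = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("*"):      # '*filter' opens a table; comments and COMMIT fall through
            table = line[1:]
            tables[table] = {"policy": {}, "rules": defaultdict(list)}
        elif line.startswith(":"):    # ':CHAIN POLICY [pkts:bytes]'; user chains carry '-'
            chain, policy, _ = line[1:].split(" ", 2)
            tables[table]["policy"][chain] = policy
        elif line.startswith("-A "):
            rule = parse_rule(shlex.split(line))
            tables[table]["rules"][rule["chain"]].append(rule)
    return tables

def accept_policy_chains(table):  # built-in chains that let unmatched traffic through by default
    return sorted(c for c, p in table["policy"].items() if p == "ACCEPT")

def may_match_wan_new(rule):
    """False only when a match rules out a NEW packet entering on WAN_IF from outside LAN_NET."""
    o = rule["opts"]
    if o.get("-i", WAN_IF) != WAN_IF or ("--ctstate" in o and "NEW" not in o["--ctstate"].split(",")):
        return False
    # assumes LAN source addresses are not spoofed from the WAN side (rp_filter is not modelled)
    return not ("-s" in o and ipaddress.ip_network(o["-s"], strict=False).subnet_of(LAN_NET))

def wan_reachable_accepts(table, chain="INPUT", path=()):
    """(chain path, rule summary) for every ACCEPT a WAN-side NEW connection can reach."""
    hits = []
    for rule in table["rules"].get(chain, []):
        if not may_match_wan_new(rule):
            continue
        o = rule["opts"]
        if rule["target"] == "ACCEPT":
            extra = [f"{k[2:]} {o[k]}" for k in ("--dport", "--icmp-type") if k in o]
            hits.append((path + (chain,), " ".join([o.get("-p", "any")] + extra)))
        elif rule["target"] in table["policy"]:  # jump into a user-defined chain such as TCP/UDP
            hits.extend(wan_reachable_accepts(table, rule["target"], path + (chain,)))
    return hits

def audit(text):  # summary for the filter table: open default policies and WAN-reachable ACCEPTs
    flt = parse_iptables_save(text)["filter"]
    return {"accept_policies": accept_policy_chains(flt), "wan_accepts": wan_reachable_accepts(flt)}

if __name__ == "__main__":
    print(audit(RULES))
```

On a live box, feed `audit()` the output of `iptables-save` (for instance via `subprocess.check_output(["iptables-save"], text=True)`) instead of the embedded sample. The FORWARD finding is the one worth acting on for a gateway: with a default ACCEPT policy, any packet routed between wan and br0 that no rule covers is allowed, so even though the LAN prefix is private and sits behind MASQUERADE, a DROP policy with explicit LAN-to-wan and RELATED,ESTABLISHED rules is the tighter shape.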
Wireless access point:
/etc/hostapd/hostapd.conf
interface=wlan0
bridge=br0
ssid=Puyb.net
driver=nl80211
country_code=FR
hw_mode=g
channel=7
max_num_sta=50
wme_enabled=1
ieee80211n=1
ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40]
wpa=2
auth_algs=1
rsn_pairwise=CCMP
wpa_key_mgmt=WPA-PSK
wpa_passphrase=replaceme
logger_stdout=-1
logger_stdout_level=2
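Another added example, not from the post: a lint pass over the hostapd.conf above for the handful of keys that decide whether the access point really is WPA2/CCMP-only with a usable passphrase. The placeholder list, the 20-character floor and the management-frame-protection (ieee80211w) check are this example's own choices, not hostapd's; on the configuration exactly as posted it flags wpa_passphrase=replaceme and the missing ieee80211w, and passes once those two lines are fixed.

```python
# Added example (not the post's code): a lint over hostapd.conf for the WPA-relevant keys.
# The thresholds and the placeholder list are this example's choices, not hostapd defaults.

# Constructed sample: the post's hostapd.conf, still carrying its wpa_passphrase placeholder.
HOSTAPD_CONF = """\
interface=wlan0
bridge=br0
ssid=Puyb.net
driver=nl80211
country_code=FR
hw_mode=g
channel=7
max_num_sta=50
wme_enabled=1
ieee80211n=1
ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40]
wpa=2
auth_algs=1
rsn_pairwise=CCMP
wpa_key_mgmt=WPA-PSK
wpa_passphrase=replaceme
logger_stdout=-1
logger_stdout_level=2
"""
PLACEHOLDERS = {"replaceme", "changeme", "password", "secret"}
MIN_PASSPHRASE = 20   # hostapd accepts 8..63 characters; 20 random ones is this example's floor

def parse_hostapd(text):
    """hostapd.conf is 'key=value' per line; '#' starts a comment; values may contain '='."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def lint_hostapd(conf):
    """Return [(key, message)] findings; an empty list means the WPA-relevant settings pass."""
    findings = []
    if conf.get("wpa") != "2":
        findings.append(("wpa", "set wpa=2 so only WPA2/RSN is offered (1 or 3 also enables WPA1)"))
    if conf.get("auth_algs") != "1":
        findings.append(("auth_algs", "set auth_algs=1 explicitly; only open-system auth belongs with WPA2"))
    for key in ("rsn_pairwise", "wpa_pairwise"):
        if "TKIP" in conf.get(key, "").split():
            findings.append((key, "drop TKIP; CCMP is the only pairwise cipher worth offering"))
    if not conf.get("wpa_key_mgmt"):
        findings.append(("wpa_key_mgmt", "no key management configured"))
    psk = conf.get("wpa_passphrase", "")
    if psk.lower() in PLACEHOLDERS or not 8 <= len(psk) <= 63:
        findings.append(("wpa_passphrase", "placeholder, or outside hostapd's 8-63 character range"))
    elif len(psk) < MIN_PASSPHRASE:
        findings.append(("wpa_passphrase", f"shorter than {MIN_PASSPHRASE} characters; a PSK network is only as strong as its passphrase"))
    if conf.get("ieee80211w", "0") == "0":
        findings.append(("ieee80211w", "management frame protection is off; set ieee80211w=1 (optional) or 2 (required)"))
    return findings

if __name__ == "__main__":
    for key, msg in lint_hostapd(parse_hostapd(HOSTAPD_CONF)):
        print(f"{key}: {msg}")
```

Run it against the real file with `lint_hostapd(parse_hostapd(open("/etc/hostapd/hostapd.conf").read()))`; an empty list is the pass condition, which makes it easy to drop into a pre-deploy check.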
Then the DHCP server / DNS cache:
/etc/dnsmasq.conf
interface=br0
dhcp-range=192.168.42.1,192.168.42.150,12h
Then I've enabled all the services:
systemctl enable --now systemd-networkd systemd-resolved
systemctl enable --now iptables
systemctl enable --now sshd fail2ban
systemctl enable --now dnsmasq
systemctl enable --now hostapd
That's it for the network part. Stay tuned for the rest of the config!