hackorama

Home Network with Linux

Here is the home network we have set up at our home for my and my roommate's machines, using a Linux box running a 2.4 kernel as the server.


Network diagram generated with the open source tool Dia.

Services running on the linux server

1. NAT/IP Masquerading - For sharing the broadband internet access.
2. DHCPD - DHCP server for dynamic IP allocation to all machines.
3. SAMBA - For file sharing between Windows and Linux machines.
4. Iptables/Netfilter - Firewalls the subnet from the internet.
5. Portsentry with logcheck.sh - Intrusion detection and logging.
6. HTTPD - Web server for HTTP and HTTPS.
7. SSHD - SSH server for secure shell access, secure copy, and rsync.
8. DHCPCD - DHCP client for getting the dynamic IP from the broadband provider.

The Server

AMD Athlon 850 MHz with 265 MB of RAM, running the Linux 2.4.8 kernel.

Multi-homed with two ethernet interfaces: eth0 facing out to the internet through the cable modem, and eth1 facing inwards to the home subnet through the hub. While running all the networking services, this box also doubles as my main desktop workstation.

Setting up SAMBA

I had some trouble at first because I was testing the SAMBA configuration without encrypted passwords. Once I had encrypted passwords set in /etc/samba/smb.conf, everything worked.

But just for fun, I turned off encrypted passwords on my Win98 box, and it worked with SAMBA not using encrypted passwords.

This is the registry entry to edit to turn off encrypted passwords in Win98.

In the HKEY_LOCAL_MACHINE tree go to
\system\currentcontrolset\Services\VxD\VNETSUP
and add a new DWORD named "EnablePlainTextPassword" with Value Data: 1

For security, smbd is bound to the internal interface eth1 (192.168.0.1/24) and localhost (127.0.0.1/24), so that smbd will not listen on the external interface eth0.
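Binding smbd to eth1 is only worth something if you check it took effect, so here is an added script (my own, not the author's setup) that reads a "netstat -tln" style listener table and reports any SMB listener (port 139 or 445) bound to anything other than loopback and the internal address 192.168.0.1 from this page. The sample listener table below is constructed to show a bad configuration, and the allowed address list is an assumption you would adjust for your own subnet.

```shell
#!/bin/sh
# Added check: confirm smbd/nmbd only listen on loopback and the internal
# interface. Feed it "netstat -tln" (or "ss -tln") output on stdin.

# Addresses smbd is allowed to listen on (assumed: loopback + eth1 address).
ALLOWED_SMB_ADDRS="${ALLOWED_SMB_ADDRS:-127.0.0.1 192.168.0.1}"

# Print every port-139/445 listener whose bound address is not in
# ALLOWED_SMB_ADDRS. Wildcards such as 0.0.0.0, * or :: mean "every
# interface", so they are reported too.
exposed_smb_listeners() {
    awk -v allowed="$ALLOWED_SMB_ADDRS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            for (f = 1; f <= NF; f++) {
                if ($f ~ /:(139|445)$/) {
                    addr = $f
                    sub(/:[0-9]+$/, "", addr)   # strip the port, keep the bound address
                    if (!(addr in ok)) print $f
                }
            }
        }'
}

# Exit 0 when nothing is exposed, 1 (with the offenders on stderr) otherwise.
check_smb_exposure() {
    exposed=$(exposed_smb_listeners)
    if [ -n "$exposed" ]; then
        printf 'SMB listening on non-internal address(es):\n%s\n' "$exposed" >&2
        return 1
    fi
    return 0
}

# Constructed sample in "netstat -tln" layout: port 445 is bound correctly,
# but port 139 was left on every address. On the real server run:
#   netstat -tln | check_smb_exposure
SAMPLE_NETSTAT='tcp        0      0 192.168.0.1:445         0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:445           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN'

printf '%s\n' "$SAMPLE_NETSTAT" | check_smb_exposure \
    || echo 'fix smb.conf: set "interfaces" and "bind interfaces only = yes"' >&2
```

The fix the script points at is the pair of real smb.conf parameters the page's setup relies on: "interfaces" lists the addresses and "bind interfaces only = yes" makes smbd honour that list instead of binding 0.0.0.0.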

Here is my smb.conf file, and here are my notes on SAMBA setup.

Security

Real men will edit their iptables rules themselves :) Maybe someday; for now I use the Bastille hardening script to configure the Iptables/Netfilter firewall. The Bastille script does more than the firewall: it does a lot of other hardening of the system as well. I totally recommend Bastille, even though it takes a while to answer all the questions and set it up. But if you just want a basic firewall, try Firestarter, an easy firewall setup program with a nice GUI.

After Bastille hardening you might find some services not working or denied. I had to loosen up the following two options: allow crond for other users via cron.allow, and allow SWAT (the SAMBA configuration tool) through hosts.allow.

Since I had Netfilter, I was not sure if I should also run an intrusion detection tool like Snort or PortSentry. I ended up running PortSentry with Logcheck, just for logging and as a lookout for any unusual system activity.

Turned off all unwanted services, especially the plain text protocols telnet, ftp, rlogin et al., with only the ssh protocol enabled, and only for known hosts.

Iptables port forwarding with Bastille firewall

I had trouble getting port forwarding to work with the Bastille-generated iptables firewall script. This was solved with the new supplemental script facility in Bastille. All the details are documented here.
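For the NAT/IP masquerading in the services list and the port forwarding above, here is an added example (mine, not the page's Bastille output or its supplemental script) that generates the iptables rules for the page's layout: eth0 to the cable modem, eth1 to the 192.168.0.0/24 subnet. The LAN host and port numbers passed to it are assumed sample values; the generated commands can be piped into sh on the server, or saved as the supplemental script Bastille runs after its own rules.

```shell
#!/bin/sh
# Added example: generate the NAT and port forwarding rules for a two-interface
# home router. Interface names and subnet match the page; LAN_NET is assumed /24.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
LAN_PREFIX="${LAN_NET%.*/*}"     # 192.168.0.0/24 -> 192.168.0

# Rules for sharing the broadband connection: turn on forwarding, masquerade
# the subnet behind the cable modem address, and only let replies back in.
nat_rules() {
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Rules to forward one port from the cable modem side to a LAN host.
# Usage: port_forward_rules PROTO EXT_PORT LAN_HOST [INT_PORT]
# The DNAT alone is not enough: the FORWARD chain also needs to accept the
# new connection, which is the part that a generated firewall script blocks.
port_forward_rules() {
    proto="$1"; ext_port="$2"; host="$3"; int_port="${4:-$2}"
    case "$host" in
        "$LAN_PREFIX".*) ;;
        *) echo "refusing to forward to $host: not in $LAN_NET" >&2; return 1 ;;
    esac
    cat <<EOF
iptables -t nat -A PREROUTING -i $WAN_IF -p $proto --dport $ext_port -j DNAT --to-destination $host:$int_port
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p $proto -d $host --dport $int_port -m state --state NEW -j ACCEPT
EOF
}

# Print a complete rule script (assumed sample: external 2222 -> 192.168.0.10:22).
# To apply on the server:  sh thisscript.sh | sh
nat_rules
port_forward_rules tcp 2222 192.168.0.10 22
```

The host check is deliberately strict: a DNAT target outside the home subnet would turn the box into an open relay for whatever port is forwarded, so the generator refuses it rather than emitting the rule.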

DHCP Client with AT&T cable service

Modified "/etc/sysconfig/network-scripts/ifcfg-eth0" to :

DEVICE="eth0"
BOOTPROTO="dhcp"
DHCP_HOSTNAME="XXXXXX"
ONBOOT="yes"

Where "XXXXXX" is the hostname provided by AT&T.

No static IP from AT&T cable

AT&T cable does not provide a static IP, like my previous DSL providers used to do (Northpoint and Rhythms, both went belly up). So how do I ssh into my network from outside, like from work?

I have registered with the free dynamic IP service at myip.org, and have also rolled up a script for uploading my DHCP IP to an external web server. More details here.
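An added example (my own, not the author's upload script) of what such a script has to do: read the current address off eth0, compare it with the last one published, and only then copy it to the web server. The scp destination, the state file path and the interface output fed to the parser below are assumed or constructed; the parser accepts both the old "ifconfig" and the newer "ip addr" layouts so it works on a 2.4-era box and a current one.

```shell
#!/bin/sh
# Added example: publish the cable modem's DHCP address to an external web
# server, but only when it has changed. Assumed names: DYNIP_REMOTE (scp
# destination), DYNIP_STATE (last published address), WAN_IF (eth0 on the page).
WAN_IF="${WAN_IF:-eth0}"
DYNIP_STATE="${DYNIP_STATE:-/var/tmp/last_wan_ip}"
DYNIP_REMOTE="${DYNIP_REMOTE:-user@webhost.example:public_html/myip.txt}"

# Print the first IPv4 address in "ip -4 addr show dev eth0" or old
# "ifconfig eth0" output read from stdin. Prints nothing if the interface
# has no address yet (e.g. the DHCP lease has not come through).
wan_ip_from_text() {
    awk '$1 == "inet" {
            a = $2
            sub(/^addr:/, "", a)      # net-tools ifconfig: "inet addr:1.2.3.4"
            sub(/\/[0-9]+$/, "", a)   # iproute2: "inet 1.2.3.4/22"
            print a
            exit
         }'
}

# Exit 0 when the given address differs from the one recorded in DYNIP_STATE.
ip_changed() {
    old=""
    if [ -f "$DYNIP_STATE" ]; then
        old=$(cat "$DYNIP_STATE")
    fi
    [ "$1" != "$old" ]
}

# Remember the address we are about to publish.
record_ip() {
    printf '%s\n' "$1" > "$DYNIP_STATE"
}

# Copy the one-line state file to the web server (ssh key login assumed).
publish_ip() {
    scp -q "$DYNIP_STATE" "$DYNIP_REMOTE"
}

update_dynamic_ip() {
    addr=$( { ip -4 addr show dev "$WAN_IF" 2>/dev/null || ifconfig "$WAN_IF"; } | wan_ip_from_text)
    if [ -z "$addr" ]; then
        echo "dynip: no IPv4 address on $WAN_IF yet" >&2
        return 1
    fi
    if ip_changed "$addr"; then
        record_ip "$addr" && publish_ip && logger -t dynip "published new address $addr"
    fi
}

# Run from cron, e.g. every five minutes:  DYNIP_RUN=1 /usr/local/bin/dynip.sh
if [ "${DYNIP_RUN:-0}" = 1 ]; then
    update_dynamic_ip
fi
```

Publishing only on change keeps the cron job quiet and avoids hammering the web server; the state file also gives you a local record of when the cable provider last re-leased the address.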

Measuring the bandwidth

I have hacked up SPEEDOMETER, a combination of Unix shell and Perl CGI scripts, to keep track of the AT&T cable bandwidth performance. See the dynamically updated bandwidth chart.


Wednesday, 21-Apr-2004 22:08:41 MDT kishan at hackorama dot com