
A single Linux machine as router, Internet Gateway, and server!!


Rockman75 (Technical User), Nov 2, 2002
I'm trying to build a home network with my Linux machine.

I wonder whether a single Linux machine can be configured as a router, Internet gateway, and web, DNS and mail server for all the PCs connected behind it.



What are pros and cons for this setting? Any security matters?

Anyone, please let me know!! I will appreciate it. Thanks
 
Hi,

Yes, it is all possible, but there is a security issue. Generally, you want the machine gatewaying to the Internet to be running as little as possible, so that if it were compromised, you wouldn't immediately compromise all other services, data, etc.

It all depends on what you want to use it for, your budget and how security conscious you are, but the minimum I would suggest is one machine running as an Internet gateway/router with the mail/web/DNS server behind it on the network. The gateway can be an old, low-spec machine.

Better still, put another network card in the gateway and keep the web/mail and possibly DNS server on another subnet, separate from the local private network (this is assuming you want them all available from the Internet), so that incoming connections can be redirected to that subnet without risking the security of the private network. This is often referred to as a DMZ (demilitarized zone) subnet.

You may want to look at distributions like Smoothwall or Astaro that will set up such routers.

 
If you have two Ethernet cards, you would connect one to your modem and the other to the hub. The one connected on the WAN side (Internet) would use the IP given to you by your ISP. The other one would take an internal (intranet) IP such as 192.168.0.1. If you do not want to run a DHCP server, you can give the other machines static IP addresses from 192.168.0.2 to 192.168.0.255. When assigning IP addresses on your network, use a netmask of 255.255.255.0. The gateway address will be 192.168.0.1.

Read up on ipchains and iptables. This will be your router and firewall software. You could also opt for a hardware router, but the lower-priced ones lack the functionality and security of ipchains.

Most Linux distros come with ipchains and iptables. They also come with Apache, the world's most popular web server, and sendmail, which is just as popular as a mail server. They also come with BIND (a DNS server) and POP3 and IMAP daemons, so you can access your mail from a client such as Outlook.
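As an added example (not code from either reply above, nor from any distribution), here is an iptables ruleset for the layout the two replies describe together: one Linux box with a WAN card, a LAN card for the 192.168.0.0/24 private network that is masqueraded behind the ISP address, and a third card for a DMZ where the web/mail/DNS host lives and is published to the Internet but barred from reaching the LAN. The interface names eth0/eth1/eth2, the DMZ subnet 192.168.1.0/24 and the DMZ host 192.168.1.10 are assumptions. It uses iptables (netfilter, kernel 2.4); ipchains, also mentioned, is the older kernel 2.2 tool and takes different syntax.

```shell
#!/bin/sh
# Added example: default-deny gateway with masqueraded LAN and a contained DMZ.
# Interface names, the DMZ subnet and the DMZ host are assumptions; the LAN
# subnet follows the thread (192.168.0.0/24 with 192.168.0.1 as the gateway).

WAN_IF="${WAN_IF:-eth0}"               # faces the modem, ISP-assigned address
LAN_IF="${LAN_IF:-eth1}"               # private network side, 192.168.0.1
DMZ_IF="${DMZ_IF:-eth2}"               # third card for the DMZ (assumption)
LAN_NET="${LAN_NET:-192.168.0.0/24}"
DMZ_NET="${DMZ_NET:-192.168.1.0/24}"   # assumption
DMZ_HOST="${DMZ_HOST:-192.168.1.10}"   # web/mail/DNS box in the DMZ (assumption)
IPTABLES="${IPTABLES:-iptables}"       # set to "echo" to print rules instead

# Build the whole ruleset. Every rule goes through $IPTABLES so the same
# function can be dry-run (see dry_run below) or applied for real.
gateway_rules() {
    # Start clean and default-deny: nothing reaches the box or crosses it
    # unless a rule below says so.
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    # Loopback and replies to connections we already allowed.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: packets claiming an inside source must not arrive on the WAN card.
    $IPTABLES -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    $IPTABLES -A INPUT -i "$WAN_IF" -s "$DMZ_NET" -j DROP
    $IPTABLES -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    $IPTABLES -A FORWARD -i "$WAN_IF" -s "$DMZ_NET" -j DROP

    # The gateway itself runs as little as possible: only SSH, only from the LAN.
    $IPTABLES -A INPUT -i "$LAN_IF" -p tcp --dport 22 -j ACCEPT
    # Log (rate-limited) whatever else hits the box from outside; the DROP policy discards it.
    $IPTABLES -A INPUT -i "$WAN_IF" -m limit --limit 5/min -j LOG --log-prefix "GW-DROP: "

    # LAN may reach the Internet and the DMZ, masqueraded behind the ISP address.
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # DMZ may reach the Internet but never the LAN, so a compromised public
    # server cannot pivot into the private network.
    $IPTABLES -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j LOG --log-prefix "DMZ-TO-LAN: "
    $IPTABLES -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP
    $IPTABLES -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$DMZ_NET" -j ACCEPT

    # Public services: redirect HTTP, SMTP and DNS from the WAN to the DMZ host only.
    for svc in "tcp 80" "tcp 25" "tcp 53" "udp 53"; do
        set -- $svc     # $1 = protocol, $2 = port
        $IPTABLES -t nat -A PREROUTING -i "$WAN_IF" -p "$1" --dport "$2" -j DNAT --to-destination "$DMZ_HOST"
        $IPTABLES -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p "$1" -d "$DMZ_HOST" --dport "$2" -m state --state NEW -j ACCEPT
    done
}

# Print the rules that would be installed, without touching the kernel.
dry_run() {
    ( IPTABLES=echo; gateway_rules )
}

# Apply for real (run as root): enable forwarding, then install the rules.
apply_gateway() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    gateway_rules
}

case "${1:-}" in
    apply)   apply_gateway ;;
    dry-run) dry_run ;;
esac
```

Run `sh gateway.sh dry-run` first and read the printed rules; only then `sh gateway.sh apply` as root. The DNAT rules are the only way in from the WAN, and they land on the DMZ host, not on the gateway and not on the LAN.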
 
Norwich, RhythmAce

Thank you very much to both of you!!
 
I'm running a configuration of this sort myself: we have an old (PII-266) HP Pavilion that we're using as the firewall, with two NICs installed. The Internet-facing NIC is configured using the IP address from our ISP, and is connected to our DSL modem. The inward-facing NIC is set up using the test IP subnet 192.168.2.*.

The Pavilion's running RedHat 7.3, with a custom kernel built for MASQ/NAT (IP Masquerading/Network Address Translation) and NetFilter support. All seems to be running well. We're using FireStarter on the firewall machine to set the firewall rules for it to use, as well as for monitoring what kind of requests are coming in (and getting dropped to the floor) from the outside (http, ftp, netbios queries, etc). It's been running like a top that way (even with OS/package updates) for close to a year now.

Even with a configuration of this type, you still want to ensure that the hosts on the inside are configured for minimum network services and maximum anti-virus support, as these are the principal entry vectors for exploits. In checking your configuration, have a friend on the outside, somewhere on the Internet, perform a scan of your firewall box by IP address, using a tool like Nessus, to determine if you have any exploitable holes open.

Overall, I highly recommend the configuration. Best of luck, and if you need other pointers, please feel free to post them on this thread, as I will be reviewing it pretty regularly.
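As an added example in the spirit of the request monitoring described above (not code from the thread or from FireStarter): a shell function that reads netfilter LOG lines out of the kernel log and tallies dropped packets by protocol and destination port, which is the quickest way to see what is knocking on the WAN side (NetBIOS, FTP, and so on). The sample log lines, the `GW-DROP:` prefix and the addresses are constructed for the example; use whatever prefix your own LOG rule sets with `--log-prefix`.

```shell
#!/bin/sh
# Added example: summarise what the gateway is dropping, from netfilter LOG
# lines as the kernel writes them to /var/log/messages. The prefix and the
# sample lines below are constructed assumptions, not real captured traffic.

LOG_PREFIX="${LOG_PREFIX:-GW-DROP:}"

# Constructed sample log: five dropped probes and one unrelated sshd line.
SAMPLE_LOG='Nov  2 10:14:55 gw kernel: GW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TTL=112 PROTO=TCP SPT=3456 DPT=139 SYN
Nov  2 10:14:57 gw kernel: GW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TTL=112 PROTO=TCP SPT=3457 DPT=445 SYN
Nov  2 10:15:02 gw kernel: GW-DROP: IN=eth0 OUT= SRC=198.51.100.200 DST=198.51.100.7 LEN=40 TTL=54 PROTO=TCP SPT=61000 DPT=139 SYN
Nov  2 10:15:09 gw kernel: GW-DROP: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.7 LEN=60 TTL=48 PROTO=UDP SPT=1029 DPT=137
Nov  2 10:15:11 gw sshd[123]: Accepted password for bob from 192.168.2.20
Nov  2 10:16:30 gw kernel: GW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=48 TTL=113 PROTO=TCP SPT=4001 DPT=21 SYN'

# drop_summary: reads log lines on stdin, prints "COUNT PROTO DPORT", busiest first.
drop_summary() {
    awk -v prefix="$LOG_PREFIX" '
        index($0, prefix) == 0 { next }          # not one of our LOG lines
        {
            proto = ""; dport = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/) dport = substr($i, 5)
            }
            if (proto == "") next                # malformed line, skip it
            if (dport == "") dport = "-"         # ICMP and friends carry no port
            count[proto " " dport]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2 -k3,3n
}

# top_drop: the single most-hit "PROTO DPORT" pair in the sample log.
top_drop() {
    printf '%s\n' "$SAMPLE_LOG" | drop_summary | head -n 1
}

# Typical use on the gateway itself (needs root to read the log):
#   grep 'GW-DROP:' /var/log/messages | sh thisfile.sh
# When run on stdin with data, summarise it; otherwise show the sample.
if [ ! -t 0 ] && [ "${1:-}" = "stdin" ]; then
    drop_summary
elif [ "${1:-}" = "sample" ]; then
    printf '%s\n' "$SAMPLE_LOG" | drop_summary
fi
```

A port that tops this list repeatedly (139/445 NetBIOS, 21 FTP, 137 name-service) is a good prompt to confirm that nothing on the inside actually answers on it, which is the point of the minimum-services advice above.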
 