Connecting to the Internet
Karl Hegbloom
hegbloom at pdx.edu
Wed Dec 7 00:08:31 UTC 2005
On Wed, 2005-12-07 at 10:45 +1100, Geoff Purchase wrote:
> Well I'm building a server for my home network. Can anyone point me
> to the information I need to ensure my server is secure when I add it
> to my network? It will be behind my router...

As long as it's hidden behind the router and the router is configured so
that:

  * It has an Internet IP on the WAN interface, provided by your ISP
  * It has a non-Internet routable IP address (See: RFC 1918) on
    the LAN interface, and
  * performs NAT (network address translation) so that hosts on your
    LAN that access hosts on the Internet appear to the Internet as
    coming from the router WAN IP.
  * By default, it should not forward any ports to any hosts on the
    inside. Those should be explicit settings you are in control of
    via the router user interface.
  * Since the LAN IPs are not routable across the Internet, nothing
    out there can route a packet in to them to initiate a
    connection. They can connect out, and return packets related to
    those connections are routed back to the originating host.

As long as you are aware of what ports are forwarded to what hosts on
the inside, you are safe. For instance, you can safely run an ftp
server on your LAN, and it will not be accessible from the Internet. I
like to run vsftpd inside my LAN, since ftp works better with
Gnome-VFS[1] than SMB does --- it's easier to set up and more natural to
use than Samba.

If you look on the Linux Documentation Project web site, you'll find
things about NAT and IP Masquerading, as well as Netfilter (iptables)
and Linux based routers.

I have a Linksys WRT54G running OpenWRT. It's pretty nice. The latest
version has a web interface that does most of what I needed, other than
installing a few rules into the /etc/firewall.user script.

[1] Places --> Connect to Server..., FTP.

--
Karl Hegbloom <hegbloom at pdx.edu>
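
Added example, not part of the original message: on a Linux-based router, one way to stay aware of what ports are forwarded to what hosts is to read the nat table as printed by iptables-save -t nat. The sample ruleset, the WAN interface name eth0 and the helper names audit_nat and is_rfc1918 are constructed for illustration.

```python
import ipaddress
import shlex

# The three private ranges defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of `iptables-save -t nat` output; interface and hosts are made up.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.10:22
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.20:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def audit_nat(text, wan_if):
    """Return (port forwards, True if outbound traffic on wan_if is masqueraded)."""
    forwards, masq = [], False
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 2 or tok[0] != "-A":
            continue  # table header, chain policy or COMMIT
        # Pair each option with the token after it (enough for the options used here).
        opt = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        if opt["-A"] == "PREROUTING" and opt.get("-j") == "DNAT":
            # Assumes a single IPv4 target written as host[:port].
            host, _, port = opt["--to-destination"].partition(":")
            forwards.append({
                "proto": opt.get("-p", "all"),
                "wan_port": opt.get("--dport", "any"),
                "lan_host": host,
                "lan_port": port or opt.get("--dport", "any"),
                "private": is_rfc1918(host),
            })
        elif opt["-A"] == "POSTROUTING" and opt.get("-j") == "MASQUERADE":
            masq = masq or opt.get("-o") == wan_if
    return forwards, masq

if __name__ == "__main__":
    forwards, masq = audit_nat(SAMPLE, "eth0")
    print("NAT on WAN interface:", "yes" if masq else "NO")
    for f in forwards:
        print(f"{f['proto']}/{f['wan_port']} -> {f['lan_host']}:{f['lan_port']} rfc1918={f['private']}")
```

An empty forwards list matches the "no ports forwarded by default" state described in the message; every entry that does appear should be one you set up yourself.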