LINUX GAZETTE

[ Prev ][ Table of Contents ][ Front Page ][ Talkback ][ FAQ ][ Next ]

"Linux Gazette...making Linux just a little more fun!"


Your Own Home Domain With ADSL

By Ray Chan


Note: Domain names and IP numbers in this article have been changed. I have no connection with myfakedomain.com and myhome.net--please do not send questions or complaints to them.

Acknowledgement

This article is a walk through the steps I did to host my own domain name at home. It is not a guide or tutorial about how to set up and host your domain. There are already lots of HOW-TOs and tutorials on that topic. However, this artice provides working example for your reference, and I've also included URLs to some really useful web sites.

Background

In late 2000, when everyone were talking or already using broadband, I was still using my Hayes 28.8kbps modem to surf the net. My reason is simple, none of the broadband provider provides fix I.P. address although they did provide unlimited usage plan. I have a few domains name registered and hosting at some ISP. The service of the web hosting companies are limiting to html, perl cgi, pop server and maybe mod_rewrite. They never provide SMTP, MySQL, PHP4. whatever useful or at a really high price. That's why I'm looking for a broadband provider willing to provides fix I.P. so that I can host my own web site and run whatever I want.

Thanks god. At Jan 2001, one of the broadband provider at my area annouced that they will provides fix I.P. with extra cost. It is really expensive but hey that's what I need. I'm willing to pay for any services that fit my needs. On the other hand, I can save a lot of butts from web hosting company where my domain names currently located. Why not dynamic I.P.? Yes dynamic I.P. may also do the same using some tricks with dynamic DNS as provided by no-ip, DynDNS... etc. but it is too annonying and not really good if you are going to host your own email server.

Planning the Network

OK I subscribed to the broadband service finally. It takes two weeks to arrange a technical guy to install the splitter and ADSL modem. Actually I can do it myself but they don't want me to. Anyway this is a good time to build the network and prepair for the high speed connection. Before actually building the network, it is better to think about the topology first. I make use of my spare old hardware and spent some money to build two linux box. One linux box will be the baston host running Apache web server, ftp server, email server and MySQL database server. The baston host will act as an exterior router routing traffic between the internet and the intranet. The other linux box will be the Intranet server hosting internal application and data. The intranet box will act as an interior router. Someone asked, why two linux box? Well, for security reason of course. Please refer to your technical books about firewalling for details explaination. Figure 1 shows the network diagram of my home network.

Since I got only one fixed IP, I'm not going to run any high traffic web site. Only one baston host may do the job well, since it is a basic and simple network. It is the solution for me, not neccessary for everyone who are reading this article. Again, think about your own plan.

Building the network

I downloaded and installed RedHat 7.0 to both of the linux boxes. Choose your own packages that sounds interest to you. It is fine for you to use other distribution. However, there were some essential components required in order to setup an internet server. Please refer to the HOW-TO at linuxdocs.org. Again this is not a tutorial. I strongly suggest the following HOW-TOs for this section:

  • ISP-Setup-ReadHat
  • DSL HOWTO for Linux

    And the following mini-HOWTOs:

  • Setting Up Your New Domain Mini-HOWTO
  • Home-Network-mini-HOWTO
  • IP-Subnetworking

    If you know nothing about what linux can do, you must read 'The Linux Networking Overview HOWTO'.

    Secure the baston host by packet filtering firewall using ipchains

    Ok now I got RedHat installed but the linux boxes were not protected yet. I need to setup firewall and routing table in order to protect the linux machines and forwarding packets from Internal network to extranet network. This is a really big job for home user, and me too. I did a lot of search at freshmeat.net, google and sourceforge. I tried a lot of free firewalling scripts and none of them provides good security and hard to modify. Yes I'm lazy to write my own filtering and routing rules. You are lucky. I found a really good firewall scripts @ ICEBERG. Their scripts are easy to modify and setup all the routing. I run their scripts on both of my linux machines and then I'm free to do other tasks now. Thanks again ICEBERG. Following is a list of useful documentation regarding firewalling and packet forwarding:

  • Firewall-HOWTO
  • IP-Masquerade-HOWTO
  • IPCHAINS-HOWTO

    If you wanna use Napster behind the firewall, you should read IPMasquerading+Napster mini-HOWTO

    Setup External DNS Server at baston host

    Although I'll use HAMMER NODE to host the DNS entry for my domain name, a working caching only nameserver is still required to run the linux box. Configuration files were shown below:

    /etc/named.boot
    /etc/named.conf
    /var/named/named.ca
    /var/named/named.local
    /var/named/named.myfakedomain.com
    /var/named/named.myhome.net
    /var/named/named.rev.3
    /var/named/named.rev.2

    Connecting to the ADSL modem

    Connecting the ADSL modem under linux is easy, just download the RPM of RP-PPPOE from Roaring Penguin Software Inc, install it and then run the adsl-setup, that's all. As easy as an window machine.

    Migrating domain name to baston host

    At this moment, the web server does not seems working yet. I fixed it by adding the line below to the /etc/httpd/conf/httpd.conf file:

    ServerName www.myfakedomain.com (for baston host)
    ServerName www.myhome.net (for Intranet Server)

    The web servers on both linux were up and running after a reboot. Now what's next? I started my favourite browser Netscape and did a search on my favourite search engine Google for a Free DNS server. Finally I reach HAMMER NODE. I was lucky that I could reached hn.org. They provides free services for both dynamic I.P. and static I.P. user. They have good and easy to use UI and manages to provides both reliable and stable service. I created a virtual domain mappings accounts and have the configuration like this:

    Rec FQDNRec TypeRec ValueDynDNSMX PrefCommands
    myfakedomain.comNSns1.hn.org00
    myfakedomain.comNSaux1.hn.org00
    www.myfakedomain.comCNAMEmyfakedomain.com00
    myfakedomain.comA202.xxx.xxx.xxx00
    mail.myfakedomain.comMX202.xxx.xxx.xxx00
    ns.myfakedomain.comNSmyfakedomain.com00
    mail.myfakedomain.comCNAMEmyfakedomain.com00
    ns.myfakedomain.comCNAMEmyfakedomain.com00

    After setup the DNS account from hn.org, I change the DNS entry, both of the primary and secondary server to the DNS server provided by hn.org from the domain registration company (usually register.com or whatever). It may take some times to get the DNS entry refresh.

    Wonderful! Now the DNS entry was refreshed and all request to www.myfakedomain.com will forward to my baston host. That's simple huh? Thanks for the great work of hn.org. For details about how to setup DNS entries, please refer to DNS-HOWTO.

    Because the machine connected to ADSL modem provide services for the public, that mean it will be accessed by anyone who have Internet access from anywhere. I need to restrict the access of various tcpd services for this machine for security reason. I edited the file /etc/hosts.allow and /etc/hosts.deny accordingly:

    /etc/hosts.allow

    ALL: 127.0.0.1
    in.telnetd: 192.168.2.2
    in.ftpd: 192.168.2.2
    sshd: 192.168.2.2 203.xxx.xxx.xxx

    /etc/hosts.deny

    ALL: ALL : spawn (echo Attempt from %h %a to %d at `date` | tee -a /xxx/xxx/tcp.deny.log | mail my@email.com )

    As shown from the above configuration files, all machines from internal network can telnet, ftp, ssh and sftp to the baston host. The address 203.xxx.xxx.xxx is the I.P. address of my office machine which is allowed to remote login to the baston host using ssh and transfer file to the baston host using sftp. Telnet and ftp to the baston host will never allow from machine outside the internal network because user name and password is transmit in plaintext format. It may be captured by hacker easily. HTTPD is not included in the above configuration file because HTTPD is not under controlled of INETD.

    Connect to the baston host safely using SSH

    Telnet and FTP is allowed to connect to the baston host from the internal network. SSH and SFTP must be used to connect from external network. Refer to the article 'Using ssh' from Linux Gazette about how to setup and usage of SSH. You must install and running SSHD in order to support SSH. SFTP can be download from https://enigma.xbill.org/sftp/. SFTP is easy to use and install, please refer to the readme from the web site.

    Setup the Intranet Server

    In order to protect the internal network, I disable all access from external network to my internal network:

    /etc/hosts.allow

    ALL: LOCAL 192.168.1.2 192.168.1.7

    /etc/hosts.deny

    ALL: ALL : spawn (echo Attempt from %h %a to %d at `date` | tee -a /xxx/xxx/tcp.deny.log | mail my@email.com )

    An email will be sent to my mailbox in case there are any activities attempt to connect to any prohibited services to both of my linux server.

    As shown from figure 1, all internal machines have a host name. You can use whatever host name and domain name for your internal network even the domain name is already registered at NIC, however, special care must be taken when setting up your own internal DNS server.

    Setting up intranet DNS server - named

    Again, please refer to the HOWTO or technical books about how to setup a DNS server. Following shows my configuration files of the DNS server running at the Intranet server:

    /etc/named.boot
    /etc/named.conf
    /var/named/named.ca
    /var/named/named.local
    /var/named/named.myhome.net
    /var/named/named.rev.1
    /var/named/named.rev.2

    More security issues

    Hackers are arounding you, only firewalling with packet filtering and controlling services access from hosts.allow/hosts.deny are never enough. A few security holes may discover everyday. You should subscribes to corresponding mailing list and upgrade your linux constantly. A few more articles and software about security is good and worth to introduce:

  • Security for the Home Network LG #46
  • Linux Firewall and Security Site
  • Mason - the automated firewall builder for Linux
  • Astaro AG (Great firewall linux distribution with web interface)
  • The Ethereal Network Analyzer
  • Nessus - The Security Scanner
  • Stunnel - Universal SSL Wrapper

    How about POP3 and SMTP server?

    POP3, as same as TELNET and FTP, transfer username and password in plaintext and is considered insecure. SPOP maybe setup to encrypt POP data. However, I don't want to store my personal email in any machine outside internal network including my office's workstation. So I'm not going to setup POP3 in the baston host. The reason not to allow SMTP because relaying mail is dangerous because spammer will make use of your relayed SMTP server to send their hateful spam mails. On the other hands, setting up a non-relayed SMTP server for yourself is meaningless because you cannot send mail from your SMTP server outside the network. I can simply login to my baston host using ssh and run pine to check and reply my message in a secure way.

    Subdomain for web server

    Wow, everything working now. I can host my web server, email server and ftp server at my home linux box. It rocks! Now I need a subdomain resume.myfakedomain.com to host my online resume. Just add the following lines to the /etc/httpd/conf/httpd.conf handles all the magic:

    RewriteEngine on
    ## Ignore www.myfakedomain.com
    RewriteCond %{HTTP_HOST} !^www\.myfakedomain\.com [NC]
    ## A directory with the name of the subdomain must exist
    RewriteCond %{DOCUMENT_ROOT}/%1 -d
    ## Add the requested hostname to the URI
    ## [C] means that the next Rewrite Rules uses this
    RewriteRule ^(.+) %{HTTP_HOST}/$1 [C]
    ## Translate abc.myfakedomain.com/foo to myfakedomain.com/abc/foo
    RewriteRule ^([a-z-]+)\.myfakedomain\.com/?(.*)$ https://www.myfakedomain.com/$1/$2 [L]

    Other useful configuration files

    /etc/hosts (baston host)

    127.0.0.1	localhost.localdomain 	localhost
    192.168.2.1	router.myhome.net	router
    192.168.2.2	gateway.myhome.net	gateway
    202.xxx.xxx.xxx	www.myfakedomain.com	www
    

    /etc/hosts (intranet gateway)

    127.0.0.1	localhost.localdomain 	localhost
    192.168.1.1	server.myhome.net	server
    192.168.1.2	devel.myhome.net 	devel
    192.168.1.3	php.myhome.net	php
    192.168.1.4	asp.myhome.net	asp
    192.168.1.7	be.myhome.net	be
    192.168.2.1	router.myhome.net	router
    192.168.2.2	gateway.myhome.net	gateway
    

    /etc/resolv.conf (baston host)

    search myfakedomain.com
    nameserver	127.0.0.1
    

    /etc/resolv.conf (intranet gateway)

    search	myhome.net
    nameserver	127.0.0.1
    

    Network Card Setting

    Ethernet port setting:

    More network configuration files:

    /etc/sysconfig/network (baston host)
    /etc/sysconfig/network-scripts/ifcfg-eth0 (baston host)
    /etc/sysconfig/network-scripts/ifcfg-eth1 (baston host)

    /etc/sysconfig/network (Intranet gateway)
    /etc/sysconfig/network-scripts/ifcfg-eth0 (Intranet gateway)
    /etc/sysconfig/network-scripts/ifcfg-eth1 (Intranet gateway)

    /etc/rc.d/rc.local (Both of the Baston host and Intranet gateway)

    TCP/IP setting summary

    Baston host
    Default Gateway:ppp0
    Nameserver:127.0.0.1
     
    Network interface:eth0
    I.P. Address:192.168.3.1
    Subnet mask:255.255.255.0
     
    Network interface:eth1
    I.P. Address:192.168.2.1
    Subnet mask:255.255.255.0

    Intranet Server
    Default Gateway:192.168.2.1
    Nameserver:127.0.0.1
     
    Network interface:eth0
    I.P. Address:192.168.1.1
    Subnet mask:255.255.255.0
     
    Network interface:eth1
    I.P. Address:192.168.2.2
    Subnet mask:255.255.255.0

    Workstations from Internal Network
    Default Gateway:192.168.1.1
    Nameserver:192.168.1.1
     
    Network interface:eth0
    I.P. Address:192.168.1.X
    Subnet mask:255.255.255.0

    Further setup and reading

    What if you want to access your internal machine running windowsz from the other network while maintaining security through the firewall? The answer is using Virtual Private Network (VPN) technology. Linux do support VPN in recent version. More details can be find at VPN HOWTO. If you have more than one domains and want to host at the same baston host, you may require special setting for your apache web server and sendmail server. The next version of this article will include the walkthrough of the VPN and virtual domain setup.

    If you have any suggestions or comments regarding this document, please feel free to contact me at rayxtra@hotmail.com.


    Copyright © 2001, Ray Chan.
    Copying license https://www.linuxgazette.net/copying.html
    Published in Issue 65 of Linux Gazette, April 2001

    [ Prev ][ Table of Contents ][ Front Page ][ Talkback ][ FAQ ][ Next ]