Index.
- Introduction.
- Configure the Gateway Server.
- Configure the Home Server.
- Firewall.
- Download.
17-Jun-2011: initial release. 13-Aug-2011: more info about eth1. 29-Aug-2011: removed VDE network.
Introduction.
In the article Home Server Planning you could see how a virtual server fits into our home server design. The article about a Virtual Machine shows what you need in order to add this virtual gateway machine.
Configure the Gateway Server.
Create the networks and a virtual machine as described in the previous two articles. After the base packages are installed, make the following changes in the new virtual machine:
- hostname gateway.wpl.ym
- eth0 static 10.126.161.1 (Host-only 'vboxnet0' interface to Home Server).
- eth1 dhcp (bridged with Home Server eth1, to cable or ADSL).
- eth2 static 10.126.162.1 (Internal Network ‘WPL-DMZ’, reserved for the DMZ network).
Here is a part from /etc/rc.conf:
HOSTNAME="gateway"
#Static IP example
eth0="eth0 10.126.161.1 netmask 255.255.255.0 broadcast 10.126.161.255"
eth1="dhcp"
eth2="eth2 10.126.162.1 netmask 255.255.255.0 broadcast 10.126.162.255"
INTERFACES=(eth0 eth1 eth2)
# Routes to start at boot-up (in this order)
# Declare each route then list in ROUTES
#   - prefix an entry in ROUTES with a ! to disable it
#
net160="-net 10.126.160.0 netmask 255.255.255.0 gw 10.126.161.2"
ROUTES=(net160)
When the gateway is configured, reboot it and check that it comes up with an IP address on eth1 (ip addr show eth1 or ifconfig eth1). It is also a good moment to check that you can reach the console of the virtual machine with an RDP client; the console is the VirtualBox remote display of this VM, served by the Home Server on port 5000. In X on your Linux desktop the command rdesktop 10.126.160.253:5000 should do the trick.
Configure the Home Server.
On the Home Server we must now change the eth1 interface, but first turn the firewall off with /etc/rc.d/iptables stop. Then edit /etc/rc.conf:
#Static IP
eth0="eth0 10.126.160.253 netmask 255.255.255.0 broadcast 10.126.160.255"
eth1="eth1 up" # Only bring it up
INTERFACES=(eth0 eth1)
# Routes for our gateway server.
# Make sure we have a route to the virtual gateway.
gateway4="default gw 10.126.161.1"
ROUTES=(gateway4)
Now eth1 is only brought up, without an address, so that the virtual gateway that is bridged with this interface can use it; the host Home Server itself does not. In the new firewall rules we will forbid all traffic on this interface. Note that you can still use a tool like wireshark on eth1 in the Home Server to tap the traffic between the gateway and the cable/ADSL modem: a packet capture reads frames off the interface before netfilter sees them, so the DROP rules do not hide anything from it.
The default route only works when vboxnet0 already exists with its host-only address (10.126.161.2 in this design, the address the gateway's net160 route points at) at the moment the network script runs. If the route is missing after a reboot, check that the VirtualBox host-only interface comes up before the network is started.
Now check that you can ping the gateway server (ping 10.126.161.1) from the host server.
Firewall.
We expand the firewall object tree with the gateway server and change the homsrv to reflect the new situation. In the gateway, eth2 is for the DMZ network; there are no DMZ systems yet, it is just already there. Then eth1 has no fixed IP address, it uses DHCP to get one, but it might be static too, depending on your situation. Finally, eth0 is connected with the vboxnet0 interface of the homsrv machine. In the homsrv, eth1 is present (it is real hardware) but it is only in the firewall because it is bridged with eth1 of the gateway machine. Because there is traffic on that link that is meant for the gateway machine, there are some rules to silence logging on it and to protect that interface from abuse.
The policy of the homsrv machine is now much simpler. Note that the homsrv no longer does NAT; that has moved to the gateway.
Left and right, the gateway policy and NAT rules.
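The two policies described above, written out as iptables rule sets. This is an added example and not the article's own Firewall Builder output: it uses the addresses and interface roles from the article, and assumes (the page does not state these) that the host side of vboxnet0 is 10.126.161.2, that the LAN behind the Home Server is 10.126.160.0/24, and that the gateway is managed over ssh from the Home Server. Each function prints an iptables-restore file for one machine.

```shell
#!/bin/sh
# Added example (not from the article or its Firewall Builder files):
# iptables-restore rule sets for the virtual gateway and the Home Server.
set -eu

HOME_NET=10.126.160.0/24     # LAN on Home Server eth0
LINK_NET=10.126.161.0/24     # host-only link: vboxnet0 <-> gateway eth0
GW_LINK_IP=10.126.161.1      # gateway eth0 (from the article)
HOMSRV_LINK_IP=10.126.161.2  # host side of vboxnet0 (assumption)

# Gateway: eth0 = host-only link, eth1 = bridged WAN (DHCP), eth2 = DMZ (empty)
gateway_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# NAT now lives here instead of on the Home Server.
-A POSTROUTING -o eth1 -s $HOME_NET -j MASQUERADE
-A POSTROUTING -o eth1 -s $LINK_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# eth1 has no fixed address: keep DHCP renewals working.
-A INPUT -i eth1 -p udp --sport 67 --dport 68 -j ACCEPT
# Management only from the Home Server over the host-only link.
-A INPUT -i eth0 -s $HOMSRV_LINK_IP -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -s $LINK_NET -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "gw-in-drop: "
# LAN and link traffic may go out to the WAN; replies come back by state.
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -s $HOME_NET -j ACCEPT
-A FORWARD -i eth0 -o eth1 -s $LINK_NET -j ACCEPT
# The DMZ exists but is empty: nothing enters or leaves it yet.
-A FORWARD -i eth2 -j DROP
-A FORWARD -o eth2 -j DROP
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "gw-fwd-drop: "
COMMIT
EOF
}

# Home Server: eth0 = LAN, eth1 = only "up" for the bridged VM, vboxnet0 = link
homsrv_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# eth1 belongs to the gateway VM. The host drops everything on it, first
# and without logging, so traffic on that wire neither reaches the host
# nor fills its log.
-A INPUT -i eth1 -j DROP
-A OUTPUT -o eth1 -j DROP
-A FORWARD -i eth1 -j DROP
-A FORWARD -o eth1 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN clients reach the server itself (this also covers the VirtualBox
# RDP console on port 5000); tighten to the services you actually run.
-A INPUT -i eth0 -s $HOME_NET -j ACCEPT
-A INPUT -i vboxnet0 -s $GW_LINK_IP -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "homsrv-in-drop: "
# No NAT here any more: LAN traffic is routed unchanged to the gateway.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o vboxnet0 -s $HOME_NET -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "homsrv-fwd-drop: "
COMMIT
EOF
}

# Print the rule set for one machine, e.g.
#   ./fw.sh gateway > /etc/iptables/iptables.rules
case "${1-}" in
    gateway) gateway_rules ;;
    homsrv)  homsrv_rules ;;
esac
```

Both machines forward packets, so both need net.ipv4.ip_forward=1 in /etc/sysctl.conf (the Home Server routes the LAN onto vboxnet0, the gateway routes it onto eth1). Load a rule set with iptables-restore, then watch iptables -L -v -n on the Home Server: the counters of the eth1 DROP rules should climb while nothing about eth1 appears in the log.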
Download.
The needed scripts and configuration files up to this article can be downloaded from the following archive. The Firewall Builder configuration files are included, see the examples/homsrc/etc/iptables directory. Just unpack this archive in your home directory to see what you can use.