Home Server Add a Virtual Gateway

Index.

17-Jun-2011: initial release.
13-Aug-2011: more info about eth1.
29-Aug-2011: removed VDE network.
28-Jul-2012: updated network configuration.
25-Aug-2012: the gateway network uses netcfg.
14-Nov-2012: the gateway changed to Slackware.
06-Jan-2013: the homsrv changed to Slackware.
18-Jan-2013: updated modules loading.
19-Nov-2013: added gateway routing and forwarding.
18-Apr-2015: Adjusted for LXC and new firewall scripts.

 

Introduction.

The article Home Server Planning shows how a virtual gateway fits into our home server design, and the article about a Virtual Machine shows what you need to create this Virtual Gateway machine.

 

Configure the Gateway Server.

Create the networks and a virtual machine as described in the previous two articles. After the standard Slackware packages are installed, add the following extra packages to the server:

mbse-firewall-0.0.18-noarch-1_mb          logwatch-7.4.0-noarch-1_mb
ssmtp-2.64-i686-1_mb

 

The problem is that this virtual gateway has no Internet access yet. This is easy to solve: download these packages on the homsrv and copy them to /var/lib/lxc/11-gateway/rootfs/root. Then, inside the gateway container, install them from root’s home directory with the command installpkg *.txz.

As root using pkgtool make the following changes in the new virtual machine:

  • hostname gateway.wpl.ym
  • eth0 static 10.126.161.1 (Host-only ‘vboxnet0’ interface to Home Server).

 

If your Internet connection has a static address, you must also set the gateway address. In most cases, however, the connection is configured with DHCP and the gateway address is set automatically.

Then edit /etc/rc.d/rc.inet1.conf and configure the eth1 and eth2 interfaces:

  • eth1 dhcp or static (bridged with Home Server eth1, to cable or ADSL). Give this interface the name wan0.
  • eth2 static 10.126.162.1 (Internal Network ‘WPL-DMZ’, reserved for the DMZ network). Give this interface the name dmz0.

Here is a piece of /etc/rc.d/rc.inet1.conf:

# Config information for eth0:
IPADDR[0]="10.126.161.1"
NETMASK[0]="255.255.255.0"
USE_DHCP[0]=""
DHCP_HOSTNAME[0]=""

# Config information for eth1:
IFNAME[1]="wan0"
IPADDR[1]=""
NETMASK[1]=""
USE_DHCP[1]="yes"
DHCP_HOSTNAME[1]=""

# Config information for eth2:
IFNAME[2]="dmz0"
IPADDR[2]="10.126.162.1"
NETMASK[2]="255.255.255.0"
USE_DHCP[2]=""
DHCP_HOSTNAME[2]=""

 

Take a look at /etc/udev/rules.d/70-persistent-net.rules that is created after your first boot:

# PCI device 0x8086:/sys/devices/pci0000:00/0000:00:08.0 (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="08:00:27:23:21:1f", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="wan0"

# PCI device 0x8086:/sys/devices/pci0000:00/0000:00:03.0 (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="08:00:27:17:be:96", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

# PCI device 0x8086:/sys/devices/pci0000:00/0000:00:0a.0 (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="08:00:27:91:d2:d5", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth3"

# PCI device 0x8086:/sys/devices/pci0000:00/0000:00:09.0 (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="08:00:27:fe:a5:04", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="dmz0"

 

Here you can see that I renamed some of the interfaces so that the name shows what each network interface is used for. Of course you need to use the same names in /etc/rc.d/rc.inet1.conf. Also check the MAC addresses, so that each interface is configured for the correct network: if the bridged WAN NIC ends up with the LAN or DMZ configuration, an address and rules meant for the inside are exposed to the Internet.
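
Before restarting the network it is worth checking mechanically that every name used in rc.inet1.conf is one that udev actually assigns. The script below is an added example, not part of the original article or of the Slackware scripts: it parses both files, reports each configured name with the MAC address udev pins it to, and fails when a stanza names an interface no rule creates. The sample files it writes are constructed from the listings above; on the gateway, point it at the real paths instead.

```shell
#!/bin/sh
# Added example, not part of the original article or of Slackware's scripts:
# cross-check the interface names used in /etc/rc.d/rc.inet1.conf against
# the NAME= assignments in /etc/udev/rules.d/70-persistent-net.rules. A
# stanza whose name no udev rule produces configures nothing, or whatever
# ethN the kernel happens to hand out, so a DMZ address or the rules meant
# for wan0 can land on the wrong NIC. The sample files are constructed.

# Print "name mac" for every rule in a persistent-net rules file.
udev_names() {
    awk '/^SUBSYSTEM==/ {
        mac = $0;  sub(/.*ATTR.address.=="/, "", mac); sub(/".*/, "", mac)
        name = $0; sub(/.*NAME="/, "", name);          sub(/".*/, "", name)
        print name, mac
    }' "$1"
}

# Print the name of every interface stanza in rc.inet1.conf: IFNAME[n] when
# it is set and non-empty, otherwise the kernel default ethN for index n.
rc_names() {
    awk -F'"' '
        /^(IFNAME|IPADDR|USE_DHCP)\[[0-9]+\]=/ {
            idx = $1; sub(/^[A-Z_]*\[/, "", idx); sub(/\].*/, "", idx)
            seen[idx] = 1
            if ($1 ~ /^IFNAME/ && $2 != "") name[idx] = $2
        }
        END { for (i in seen) { n = (i in name) ? name[i] : "eth" i; print n } }
    ' "$1"
}

# Report every configured name with the MAC udev pins it to. Returns 1 when
# rc.inet1.conf names an interface that no udev rule creates.
check_ifnames() {
    wanted=$(rc_names "$1")
    known=$(udev_names "$2")
    status=0
    for n in $wanted; do
        mac=$(printf '%s\n' "$known" | awk -v n="$n" '$1 == n { print $2 }')
        if [ -n "$mac" ]; then
            echo "ok      $n -> $mac"
        else
            echo "MISSING $n: configured in rc.inet1.conf but no udev rule names it"
            status=1
        fi
    done
    for n in $(printf '%s\n' "$known" | awk '{ print $1 }'); do
        case " $(printf '%s ' $wanted)" in
            *" $n "*) ;;
            *) echo "unused  $n: has a udev rule but no stanza in rc.inet1.conf" ;;
        esac
    done
    return $status
}

# Constructed samples; the values are the ones from the listings above.
write_samples() {
    cat > "$1/70-persistent-net.rules" <<'EOF'
# PCI device 0x8086:/sys/devices/pci0000:00/0000:00:08.0 (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="08:00:27:23:21:1f", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="wan0"
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="08:00:27:17:be:96", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="08:00:27:91:d2:d5", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth3"
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="08:00:27:fe:a5:04", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="dmz0"
EOF
    cat > "$1/rc.inet1.conf.good" <<'EOF'
IPADDR[0]="10.126.161.1"
NETMASK[0]="255.255.255.0"
IFNAME[1]="wan0"
USE_DHCP[1]="yes"
IFNAME[2]="dmz0"
IPADDR[2]="10.126.162.1"
NETMASK[2]="255.255.255.0"
EOF
    # Broken variant: IFNAME[2] forgotten, so the DMZ address is configured
    # on eth2, a name that no longer exists because udev renamed it to dmz0.
    sed '/^IFNAME\[2\]/d' "$1/rc.inet1.conf.good" > "$1/rc.inet1.conf.bad"
}

# Demo on the samples. On the gateway itself run:
#   check_ifnames /etc/rc.d/rc.inet1.conf /etc/udev/rules.d/70-persistent-net.rules
demo=$(mktemp -d)
write_samples "$demo"
echo "== IFNAME set for every renamed NIC =="
check_ifnames "$demo/rc.inet1.conf.good" "$demo/70-persistent-net.rules"
echo "== IFNAME[2] forgotten =="
check_ifnames "$demo/rc.inet1.conf.bad" "$demo/70-persistent-net.rules" ||
    echo "fix rc.inet1.conf before restarting the network"
rm -rf "$demo"
```

The second run shows the failure mode the text warns about: without IFNAME[2] the DMZ stanza is applied to eth2, a name udev never creates once it has renamed that NIC to dmz0, so the interface stays unconfigured while dmz0 is reported as unused.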

Now you can (re)start the network with /etc/rc.d/rc.inet1 restart. When the gateway is configured, reboot it and check that it works and has received an IP address on wan0. This is also a good moment to test whether you can connect to the console with an RDP client. In X on your Linux desktop the command rdesktop 10.126.160.253:5000 should do the trick.

Then we must make sure that the new gateway forwards network traffic.

root@gateway:~# chmod 755 /etc/rc.d/rc.ip_forward 
root@gateway:~# /etc/rc.d/rc.ip_forward start
Activating IPv4 packet forwarding.
root@gateway:~#

 

The gateway only has a default route to the Internet and does not know how to reach the internal workstations on network 10.126.160.0/24 behind the Home Server. We must add that route manually, via the Home Server’s address (10.126.161.2) on the gateway network. Note that from this point on the gateway forwards packets between all three of its interfaces; the firewall described below is what restricts that. Add the following line to /etc/rc.d/rc.local:

/sbin/route add -net 10.126.160.0 netmask 255.255.255.0 gw 10.126.161.2

 

Configure the Home Server.

On the Home Server we must change the network settings so that the default gateway goes via the gw0 interface, using the IP address of the virtual gateway. The eth1 (renamed wan0) interface must only be brought up so that the virtual gateway can use it through the bridge; the Home Server itself gets no address on it. We do this by statically configuring the address 0.0.0.0 on that interface. This gives an error message during configuration, but the interface is brought up. Keeping the host without an address on wan0 matters: the host is then not addressable from the Internet, and all traffic has to pass the gateway and its firewall. Edit the file /etc/rc.d/rc.inet1.conf:

# Config information for eth0:
IFNAME[0]="lan0"
IPADDR[0]="10.126.160.253"
NETMASK[0]="255.255.255.0"
USE_DHCP[0]=""
DHCP_HOSTNAME[0]=""

# Config information for eth1:
IFNAME[1]="wan0"
IPADDR[1]="0.0.0.0"
NETMASK[1]="255.255.255.255"
USE_DHCP[1]=""
DHCP_HOSTNAME[1]=""

# Default gateway IP address:
GATEWAY="10.126.161.1"

 

Now check if you can ping the gateway server from the host server.

 

Firewall.

As firewall I use the package mbse-firewall, which can be downloaded from this site. The main configuration file is /etc/mbse-firewall/firewall.conf; here we set the global configuration. The directory /etc/mbse-firewall/conf.d/ holds the configuration files per interface. The interfaces you want to use must be set in the global file. The interface files that can be used are, for example, eth0-input.conf, eth0-output.conf, eth0-forward.conf, eth0-prerouting.conf and eth0-postrouting.conf. If a file does not exist, that chain is not created in the firewall. The example files have an explanation in their comments.

The firewall for the homsrv is not complex. It just allows most traffic to flow between all interfaces.

The firewall on the gateway is a different story. It must do the NAT translation and it must protect the system from the Internet. In the main configuration file we set the parameters that make this machine a border gateway, and we switch auto blocking on. This automatically blocks IP addresses that run port scans or try to connect to services you do not provide access to, which right now is everything, because no service is published yet. Systems are blocked for a certain time using tables created with ipset, so a block expires on its own.
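
To make that policy concrete, here is what the gateway firewall does, written as plain iptables and ipset commands. This is an added example, not the mbse-firewall configuration format or its scripts, and not code from the article. The interface names and networks are the ones configured above; the set name autoblock, the one-hour block time and the helpers run and apply_gateway_rules are this example’s own assumptions.

```shell
#!/bin/sh
# Added example, not the mbse-firewall configuration format or its scripts
# and not code from the article: the gateway policy described above (NAT for
# the networks behind wan0, nothing reachable from the Internet, probing
# hosts blocked for a while through an ipset with a timeout) written as
# plain iptables/ipset commands. Interface names and networks are the ones
# configured earlier; the set name, the block time and the helper names
# (run, apply_gateway_rules) are assumptions of this example.
WAN=wan0                                       # bridged to the ISP side, DHCP
LAN=eth0                                       # link to the Home Server
DMZ=dmz0
INSIDE_NETS="10.126.160.0/24 10.126.161.0/24"  # workstations, gateway link
DMZ_NET=10.126.162.0/24
BLOCKSET=autoblock
BLOCK_SECS=3600

# Execute a command, or only print it when DRY_RUN=1, so the ruleset can be
# reviewed on a workstation before it is installed on the gateway.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

apply_gateway_rules() {
    # Entries in this set expire by themselves after BLOCK_SECS seconds.
    run ipset -exist create "$BLOCKSET" hash:ip timeout "$BLOCK_SECS"
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # 1. A blocked source is dropped before any other rule looks at it.
    run iptables -A INPUT   -i "$WAN" -m set --match-set "$BLOCKSET" src -j DROP
    run iptables -A FORWARD -i "$WAN" -m set --match-set "$BLOCKSET" src -j DROP

    # 2. Stateful baseline for traffic to the gateway itself.
    run iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    for net in $INSIDE_NETS; do                # management from the inside only
        run iptables -A INPUT -i "$LAN" -s "$net" -j ACCEPT
    done
    run iptables -A INPUT -i "$WAN" -p udp --sport 67 --dport 68 -j ACCEPT  # ISP DHCP

    # 3. No service is offered on wan0 yet, so a new connection attempt from
    #    the Internet is a probe: remember its source, then drop it. Any
    #    ACCEPT for a service opened later must be placed above this rule.
    run iptables -A INPUT -i "$WAN" -m conntrack --ctstate NEW \
        -j SET --add-set "$BLOCKSET" src --exist
    run iptables -A INPUT -i "$WAN" -j DROP

    # 4. Forwarding: inside -> Internet plus replies. Nothing new is let in
    #    from wan0, and LAN <-> DMZ stays closed until explicitly opened.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for net in $INSIDE_NETS; do
        run iptables -A FORWARD -i "$LAN" -s "$net" -o "$WAN" -j ACCEPT
    done
    run iptables -A FORWARD -i "$DMZ" -s "$DMZ_NET" -o "$WAN" -j ACCEPT

    # 5. NAT everything leaving on wan0; drop packets with a spoofed source.
    run iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    run sysctl -q -w net.ipv4.conf.all.rp_filter=1
}

case "${1:-review}" in
    review) DRY_RUN=1; apply_gateway_rules ;;   # print the commands only
    apply)  apply_gateway_rules ;;              # as root, on the gateway
    *)      echo "usage: $0 [review|apply]" >&2 ;;
esac
```

Run it without arguments (or with review) to print the rules; on the gateway run it as root with apply. The order is the point: the --match-set drop sits first so a blocked host never reaches a later rule, and the SET rule sits last in INPUT so only connection attempts that no earlier rule accepted fill the set. When you later open a service on wan0, or DNAT something to the DMZ, its ACCEPT must go above the SET rule, otherwise legitimate clients block themselves for an hour.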

If you make changes to the configuration, install and save the firewall as root like this:

root@homsrv:~# mbse-firewall install
Installing mbse-firewall 0.0.18: ............. done.
root@homsrv:~# mbse-firewall save
Saving mbse-firewall 0.0.18: .. done.
root@homsrv:~#

 

If you download the example files you can see how it works. But be aware that these examples show the completed project including a DMZ server and IPv6 traffic.

 

Download.

The needed scripts and configuration files up to this article can be downloaded from the following location. The Firewall Builder configuration files are included, see the examples/homsrc/etc/iptables directory. Just unpack this archive in your home directory to see what you can use.

See the download page for the script and configuration files.