linux web server/file server/gateway/firewall - need help

[Fuse]

Hi,
I want to set up a linux web server/file server/gateway/firewall for my 3 computers at home to share ADSL.
I am using RedHat Linux 6.2, and the other two computers are using Win98se
How do I do it?
What Apps should I use?
How can I make it secure so people entering my web site don't have access to my other computers ?

 

[GL]

I replied to your last thread too, but just in case you don't see it, check out this webpage. You'll need to setup a firewall using a tool called ipchains. http://www.linux-firewall-tools.com/linux/firewall/index.html

-GL

 

[Sebastian]

To secure your machine head to redhat.com and download all the security updates they have. It's important most hackers are just script kiddies. So for most intends and purpose that's good enough.
Using that firewall making site above you can setup a pretty tight firewall. Just enable what you need and not waht you don't and it'll work out just fine.

I suggest no anonymous ftp access. Mainly because wu-ftpd that come with redhat has a habit of chucking up bugs every so often. Use ssh from remote location instead of plain old telnet (http://www.ssh.com). And keep checking redhat for updates.

 

[Shuxclams]

web server/file server/gateway/firewall? How about a IPMASQ/Router and use a "masked" box inside your network for file sharing and server uses. Putting any services on a firewall is asking for trouble, using Apache, SAMBA, FTP etc, where people can attach to your firewall is just bad news and I would really rethink the layout. I have a IPMASQ/Firewall that has no services available to the WAN or LAN other than routing and filtering traffic, not to say I don't actually use it for stuff Like web surfing, e-mail, play QIII now and again, listen to netradio alot etc... But to run anything else poses serious security risks. Just my $0.02.


SHUX

 

[Sebastian]

No it isn't. If you intend only on the service being accessed from the home private networks.

And having a masked host inside your networks being accessed from outside is plain stupid. What you want is a DMZ with the web/file server as a bastion host and a firewall protecting the private networks.

 

[Praetor]

Translation, Sebastian? I think you lost me. But let me see if I understand enough of it...

Box 1 = IPMASQ/Router/Firewall
Box 2 = File/Print/Web Services server
Box 3 = Terminal, client, whatever.

Cable Modem -> Box 1 -> Hub |--> Box 2
.............................+--> Box 3

Doing it like that is a stupid idea? Why? I wanted to do something like Fuse wanted, sans web server, and changed my mind to something like this. Doesn't it make more sense? One mistake, and someone has gotten into your first box which has everything on it and can trash it all on a whim.

Or are you suggesting something like..

Modem -> IPMASQ/Router/Web Server -> Firewall -> Hub -> Clients?

And what's a DMZ? If it weren't for the fact that I have to leave for work in 3 min, I'd look it up myself.

 

[Fuse]

Cable Modem -> Box 1(Redhat)|--> Hub |--> Box 2(Win98se)
|--> Box 3(Win98se)

Doing it like this sounds the best, but I dont really want to turn Box two into the web server, because then I cant use it for anything else.

What I really want to do is to make Box 1 into a
File/Print/Web Services server, but I want to connect to the Internet through it with the other two computers and make sure that no one can access my private network.

Can't I just put some firewall app on Box 1 together with the server software?

Another question was what software should I use?
For the Web Server --> Apache
File/Print Server --> ???
IPMASQ/Router--> ???
Firewall --> ???

 

[Bob/NYC]

ipchains...firewall/masq., or the old ipfwadm for 2.0.x kernels.
Basic masquerade:
ipchains -P forward DENY
ipchains -A forward -j MASQ -p all -s 192.168.0.0/24 -d 0.0.0.0/0
or for old kernels:
/sbin/ipfwadm -F -p deny
/sbin/ipfwadm -F -a m -S 192.168.0.0/24 -D 0.0.0.0/0

Check if you have /etc/sysconfig/ipchains.rules, for firewalling.

http://members.home.net/ipmasq/ipmasq-HOWTO-1.82.html
http://members.home.net/ipmasq/
http://www.nic.com/~cannon/Linux/
http://www.linux-firewall-tools.com/linux/faq/index3.html

 

[Praetor]

Another question was what software should I use?
For the Web Server --> Apache
File/Print Server --> ???
IPMASQ/Router--> ???
Firewall --> ???


Well Fuse, from what I've been reading so far, most of what you need should all ready be included with your distro. All you would really need to do is a few kernal re-compiles and other misc. adjustments.

Web Server --> Apache http://www.apache.org/
File/Print --> Samba http://www.samba.org/
.............or a HOWTO at http://www.linuxdoc.org/HOWTO/SMB-HOWTO.html
IPMASQ& Router --> info at http://ipmasq.cjb.net/
Firewall --> info at http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html


CompUSA just advertised a commercial firewall for linux in their last ad. I just had to laugh at it. You can find the stuff in your distro for free, all you need to do is work at it. And they want you to pay for it!

 

[Sebastian]

A DMZ stands for demilitorized zone. Like the one between the two koreas this is supposed to be where all the bad things happens.

This is basically a unsafe networks where the non essential machines stays. This network is firewalled off from the rest of the networks so hackers are limited to damaging things in this zone. Typically the webserver stays in the DMZ.

In may cases it is not a good idea to have the webserver behind the one and only firewall because that's a great way for people to break into it and have access to everything behind the firewall.

But if you don't do much on the webserver then it's perfectly fine for most case. That means the risk is acceptable for most people like home users.

 

[rahvin]

<<web server/file server/gateway/firewall? How about a IPMASQ/Router and use a &quot;masked&quot; box inside your network for file sharing and server uses.>>

Whoa! Security says never ever put the webserver inside your private network! You should always put the webserver in a &quot;DMZ&quot; (on a third network card and independent of your home network). This way if someone compromises the webserver they can't sniff your main network. If you don't care about the security aspects of it you should just let your masq box handle the web traffic.

I see sebastian beat me to it, I'll let the post go up anyway.

Fuse a good source to start if your using redhat is a project called the &quot;TrinityOS&quot;. A guy runs it and has a script that will go ahead and do all the security changes and a lot of setup, good examples and a great place to start if you don't know anything. (in other words is a good place to setup something that works and that you can hurt yourself with. I would recommend that you DON'T setup a webserver immediately and in fact disable EVERYTHING in inetd.conf to begin with. There are way to many vulnerabilities out there to exploit in linux distributions and untill you can learn to use SAINT and scan your own network don't do anything that can comprimise your server. (oh and get a tape backup for it).

 

[Rogue]

Boy, sound like Linux has a lot security problems too. If I were to just listen to the Linux community, they'd have me believe that Linux can't be hacked and that Windows NT/2k is child's play for hackers. Truth be told, an OS is only as good as the person running/securing it. Just had to voice that little quip.

 

[rahvin]

Given equally knowledgable people WinNT can be as secure as linux on known exploits. Given equally knowledgeable people Linux is 3x faster as a server than NT (see recent slashdot article). Also given equally knowledgeable people a complete Linux server (software) can cost as little as nothing and for equivalent software on NT will run upwards of $2000.

Of course some people think that pretty little interface is worth the outrageous costs...

 

[Rogue]

Of course if large company is will to pay for NT Server, it doesn't matter to me. I don't dislike Linux. I think Linux suffers from being fragmented in that there is no real standard. I would rather work with NT anyday than have to search endlessly on the 'net to find out most things that Microsoft includes in help files. Too many *nixes out there. Besides, Win2k offers many more features over Linux.

 

[rahvin]

<<Of course if large company is will to pay for NT Server, it doesn't matter to me. I don't dislike Linux. I think Linux suffers from being fragmented in that there is no real standard. I would rather work with NT anyday than have to search endlessly on the 'net to find out most things that Microsoft includes in help files. Too many *nixes out there. Besides, Win2k offers many more features over Linux.>>

Oh I believe that you dont' dislike linux, but I do think you are afraid of it. It doesn't act like that friendly little windows system and has neat little head icons for users and a nice simple user manager. It also doesn't have a file or executable system anything like windows and that scares you. It is also free and because of that there are many distributions that come with many different programs target for many different users and that scares you. You want a friendly little operating system with someone in redmond making decisions for you about what it looks like, acts like and does. Because to you, that is safe. Because of that you will probably never try linux, or understand the power, flexibility and speed of an operating system who's entire kernel can fit on a floppy disk. Because if you did you might find out that all the HOWTO's are included in every distibution I'm aware of, and you might also find out that man pages in linux are far more exensive and linked than any windows help file. Of course you don't get your pretty little blue underlines and animated search icon and man pages assume you aren't an idiot so that would probably scare you....

 

[Sebastian]

Fragmentation is only a sign of flexibility.

If a windows security bug comes out for NT it pretty much effect all NT servers. A security bug for one linux distro doesn't mean a bug for all systems.

What you call fragmentation is really just different people setting up systems in different ways. The Kernel and base utilities and setup are all the same. The differences between distro are the differenced in custom utilities and configuration. There isn't really fragmentation. Although i may not be sure about what slackware is like because i use redhat. The truth is if i get my hands on a slackware system i wouldn't really be lost. Just a few hours of getting used to it and it would be the same.

 

[Sunner]

This is pretty scare, I agree with Rhavin for the second time in less than a week

 

[Rogue]

Actually, I prefer command line to GUI for most things. I script a lot of the things I do and if I haven't found a way to script it, I am probably looking for a way to do it. I definitely want to learn *nix at some point, but from my perspective, my life is made easier by the fact that Microsoft software is easy to learn, intuitive and doesn't take a lot of reading to figure out. I know that Linux would be easy, if I just had the time to sit down and play with it. But, since you say it &quot;scares&quot; me to use it, I will get my system formatted and install Linux today. Thanks for the reverse psychology!

Perhaps someone can answer me this. Can Internet Explorer run on any variants of Linux? I know Microsoft makes Unix versions, can those work? Reason I say this is that MS SQL Server and ASP are the standards in my company. That was one problem I had with Linux previously here at work is that I couldn't access a lot of the pages in our company due to no ASP handling in Nutscrape. Any suggestions?

BTW, I will report back with my progress on Linux.

 

[Rogue]

I am currently installing Caldera Open Linux 2.3. Does anyone have any pointers or tips for me? I plan on setting it up with SAMBA to use as a failover/BDC.

 

[rahvin]

M$ made a version of iexplorer for unix for a while but dropped development. You will probably have a lot better luck if you take a look at the newest mozilla build. Works pretty good.

Ok for ease of use in transitioning from windows I would SERIOUSLY recommend you start with Mandrake. It is much more geared towards an easier transition from the windows GUI. May I also recomend you pick expert install and don't let it autoboot the GUI. Have it load in command line then use startx to get into X windows if you need to go into it.

 

[Rogue]

Too late. Already installed and using KDE right now. Bought this version off the shelf so it has some documentation with it. Going to get re-acquainted with it since it's been about 6 months since I last &quot;played&quot; with it.

 

[rahvin]

I've never used caldara but email me if you have questions and I'll see if I can answer. I'm very Redhat centric, my server is redhat and I use mandrake (in triple boot) on my main box. One of the really huge advantages of the mandrake 7.1 install right now is it will automatically snag all your TTF's from windows and use them in navigator so you don't have that nasty aliased font problem in linux.

 

[Rogue]

I re-installed using the Network Server install option which gets rid of KDE altogether. It's all command line from here. Any good sites for Linux commands?

 

[rahvin]

http://www2.hawaii.edu/~maysk/unix.html
http://www.ee.surrey.ac.uk/Teaching/Unix/
http://www.nmt.edu/tcc/help/unix/unix_cmd.html

If your looking for something more complicated let me know...