Home Server

From Gentoo Linux Wiki


Intended Audience

Generally, articles about particular setups are discouraged, as they should be, but this article is being kept alive for the sake of those who are new to Gentoo. It intends to be simple and reasonably explanatory, so please add any extra hints that may have been forgotten. Oftentimes setting up a home server is the driving force behind learning Gentoo, and this article is intended to make that transition easier.

Of course this article cannot cover every setup, so make sure to cruise the wiki for more detailed information once you are ready.

If you are really new to Gentoo, then I suggest you go over the whole wiki before starting.

Prerequisites

You must already have an installed, working, and up-to-date Gentoo system. If you haven't done that, visit the Gentoo Handbook.

Next, set everything to UTF-8. If you don't know how to do that, follow the UTF-8 wiki. This matters because I am assuming that most things connecting to this box will be Windows clients, and, more generally, for universal conformity: UTF-8 is a global standard. If you are unfamiliar with it, please visit Wikipedia.

Basic understanding of Gentoo, or at least some form of Linux.

Basic understanding of TCP/IP concepts.

Finally, this wiki assumes you are using the following technologies and they are in physical working order:

  • CPU -- This computer can be pretty basic; I recommend at least 1 GHz with 512 MB of RAM. A simple VIA-based board can run this setup.
  • Hard Drive -- Size is up to you; it just depends on what you do with the server. I went with a 30.
  • Optional: RAID5 (3 more hard drives) -- We are going to do this as a software RAID because it is really safe and secure. To accomplish this you need at least 3 drives, and you want them to be the same size. If you are using the server simply for networking, then don't worry about this. You can also just use one drive if your household doesn't use much storage.
  • Switch/Hub -- Similar to routers, but they do no routing; that's what your box is for. They simply expand your ports, so you don't need to install 50 Ethernet cards.
  • Two Ethernet Ports -- It doesn't matter if they are cards or on board, as long as the kernel supports them.
  • Optional: Wifi Card -- Many different cards will work for this task, but I suggest Atheros chipset based cards; they have a long support history with Linux. If you decide to go with Atheros, you can spot them by the 108Mbps sticker, their proprietary technology. If you have spare cards lying around, check the Compatibility site to see if they are supported.


Your network should look like this...

,-----,       ,---------------------,           ,------,    /----Comp1
|modem|-----(wan)    gentoo    (lan & ath0)-----|switch|---------Comp2
'-----'       '---------------------'           '------'    \----Comp3

And your hard drive scheme like this...

 sda - small, os and web cache only
 sdb-sdd - raid 5 drives. can be more than this, but at least 3

Check Your Log Files

While you are doing anything in Linux, make sure to check your /var/log/ directory. There is tons of good info in there.

If you are really new to Linux, here are some basic commands to check things out.

cat - will print out the file in the terminal, bad for long files

less - will display the file in a scrollable format similar to man pages.

tail - will print out the tail end of said file into the terminal

tailf - will do the same thing as tail but then continually watch it.

grep - will print out the line that contains a certain word, for example,

grep dnsmasq /var/log/messages

would print out every line in /var/log/messages that contained the word 'dnsmasq'

A lot of things will end up in /var/log/messages, it's where the system logger logs stuff.

And of course don't forget to check your man pages, e.g.

man grep

Kernel Config

This kernel config does not include wireless support as of yet.

Linux Kernel Configuration: /usr/src/linux/.config
[*] Enable loadable module support  --->
     [*]   Module unloading
     [*]   Module versioning support
     [*]   Automatic kernel module loading
Networking  --->
     <*> Packet socket
     [*]   Packet socket: mmapped IO
     <*> Unix domain sockets
     <*> Transformation user configuration interface
     <*> PF_KEY sockets
     [*] TCP/IP networking
     [*]   IP: advanced router
             Choose IP: FIB lookup algorithm (choose FIB_HASH if unsure) (FIB_HASH)--->
     [*]   IP: policy routing
     [*]   IP: equal cost multipath
     [*]   IP: verbose route monitoring
     [*]   IP: kernel level autoconfiguration
     [*]     IP: DHCP support
     [*]     IP: BOOTP support
     [*]     IP: RARP support
     <M>   IP: tunneling
     <M>   IP: GRE tunnels over IP
     <*>   IP: AH transformation
     <*>   IP: ESP transformation
     <*>   IP: IPComp transformation
     <*>   IP: IPsec transport mode
     <*>   IP: IPsec tunnel mode
     <*>   IP: IPsec BEET mode
     <*>   Large Receive Offload (ipv4/tcp)
     <*>   INET: socket monitoring interface
     [*]   TCP: advanced congestion control--->
          <*>   TCP Westwood+
                Default TCP congestion control (Westwood)  --->
     [*] Security Marking
     [*] Network packet filtering framework (Netfilter)--->
          [*]   Network packet filtering debugging
          [*]   Advanced netfilter configuration
          [*]     Bridged IP/ARP packets filtering
                Core Netfilter Configuration  --->
                  <*> Netfilter NFQUEUE over NFNETLINK interface
                  <*> Netfilter LOG over NFNETLINK interface
                  <*> Netfilter connection tracking support
                  -*-   Connection tracking flow accounting
                  -*-   Connection mark tracking support
                  <*>   UDP-Lite protocol connection tracking support
                  <*>   FTP protocol support
                  <*>   IRC protocol support
                  <*>   NetBIOS name service protocol support
                  <*>   Connection tracking netlink interface
                  -*- Netfilter Xtables support (required for ip_tables)
                  <*>   "CLASSIFY" target support
                  <*>   "CONNMARK" target support
                  <*>   "DSCP" and "TOS" target support
                  <*>   "MARK" target support
                  <*>   "NFQUEUE" target Support
                  <*>   "NFLOG" target support
                  {*}   "RATEEST" target support
                  <*>   "SECMARK" target support
                  <*>   "TCPMSS" target support
                  <*>   "comment" match support
                  <*>   "connbytes" per-connection counter match support
                  <*>   "connlimit" match support
                  <*>   "connmark" connection mark match support
                  <*>   "conntrack" connection tracking match support
                  <*>   "dccp" protocol match support
                  <*>   "dscp" and "tos" match support
                  <*>   "esp" match support
                  <*> "helper" match support
                  <*> "iprange" address range match support
                  <*> "length" match support
                  <*> "limit" match support
                  <*> "mac" address match support
                  <*> "mark" match support
                  <*> "owner" match support
                  <*> IPsec "policy" match support
                  <*> "multiport" Multiple port match support
                  <*> "physdev" match support
                   <*> "pkttype" packet type match support
                  <*> "quota" match support
                  <*> "rateest" match support
                  <*> "realm" match support
                  <*> "state" match support
                  <*> "statistic" match support
                  <*> "string" match support
                  <*> "tcpmss" match support
                  <*> "time" match support
                  <*> "u32" match support
                  <*> "hashlimit" match support
                IP: Netfilter Configuration  --->
                  <*> IPv4 connection tracking support (required for NAT)
                  [*] proc/sysctl compatibility with old connection tracking
                  <*> IP tables support (required for filtering/masq/NAT)
                  <*> "recent" match support
                  <*> "ecn" match support
                   <*> "ah" match support
                  <*> "ttl" match support
                  <*> "addrtype" address type match support
                  <*> Packet filtering
                  <*> REJECT target support
                  <*> LOG target support
                  <*> ULOG target support
                  <*> Full NAT
                  <*> MASQUERADE target support
                  <*> REDIRECT target support
                  <*> NETMAP target support
                  <*> Basic SNMP-ALG support
                  <*> Packet mangling
                  <*> ECN target support
                  <*> TTL target support
                  <*> ARP tables support
                  <*>   ARP packet filtering
                  <*>   ARP payload mangling
     {M} The SCTP Protocol (EXPERIMENTAL)--->
     <*> 802.1d Ethernet Bridging
     <*> Appletalk protocol support
     [*] QoS and/or fair queueing  --->
             *** Queueing/Scheduling ***  
          <*> Class Based Queueing (CBQ)
          <*> Hierarchical Token Bucket (HTB)
          <*> Hierarchical Fair Service Curve (HFSC)
          <*> Multi Band Priority Queueing (PRIO)
          <*> Random Early Detection (RED)
          <*> Stochastic Fairness Queueing (SFQ)
          <*> True Link Equalizer (TEQL)
          <*> Token Bucket Filter (TBF)
          <*> Generic Random Early Detection (GRED)
          <*> Differentiated Services marker (DSMARK)
          <*> Network emulator (NETEM)
          <*> Ingress Qdisc
             *** Classification ***
          <*> Elementary classification (BASIC)
          <*> Traffic-Control Index (TCINDEX)
          <*> Routing decision (ROUTE)
          <*> Netfilter mark (FW)
          <*> Universal 32bit comparisons w/ hashing (U32)
          [*] Performance counters support
          [*] Netfilter marks support
          <*> IPv4 Resource Reservation Protocol (RSVP)
          <*> Flow classifier
          [*] Extended Matches
             (32)Stack size
             <*> Simple packet data comparison
             <*> Multi byte comparison
             <*> U32 key
             <*> Metadata
             <*> Textsearch
          [*] Actions
             <*> Traffic Policing
             <*> Generic actions
                [*] Probability support
             <*> Redirecting and Mirroring
             <*> IPtables targets
             <*> Stateless NAT
             <*> Packet Editing
             <*> Simple Example (Debug)
          [*] Incoming device classification
File systems  --->
     [*] Network File Systems  --->
          <*> NFS file system support
          [*]   Provide NFSv3 client support
          [*]     Provide client support for the NFSv3 ACL protocol extension
          <*> NFS server support
          [*]   NFS server support for NFS version 3
          <*> CIFS support (advanced network filesystem, SMBFS successor)
          [*]   CIFS statistics  
          [*]   Extended statistics  
          [*]   Support legacy servers which use weaker LANMAN security  
          [*]   CIFS extended attributes 
          [*]   CIFS POSIX Extensions  
          [*]   Enable additional CIFS debugging routines

Getting Started

First, I am going to assume that you have gone over the provided /usr/src/linux/.config file and made sure yours looks the same. Obviously, feel free to customize it however you see fit.

Make an Admin account

We need to make an admin account for you to work from, because it is unsafe and unnecessary to work as root all the time. When you need to do something as root, switch to the superuser with su.

The options used below are:

-m  creates a home directory for the user
-G  adds the user to the listed groups

This creates <username> with su privileges (via the wheel group), and also puts them in the root and users groups.

useradd -m -G wheel,users,root <username>
passwd <username>

Rename NICs

Next we are going to change the names of our network interfaces to make our lives a little easier later. So open /etc/udev/rules.d/70-persistent-net.rules and change the names of your corresponding ethernet devices. Here is what mine looks like:

File: /etc/udev/rules.d/70-persistent-net.rules
# This file was automatically generated by the /lib/udev/write_net_rules
# program run by the persistent-net-generator.rules rules file.
#
# You can modify it, as long as you keep each rule on a single line.

# PCI device 0x10ec:0x8168 (r8169)
SUBSYSTEM=="net", DRIVERS=="?*", ATTR{address}=="my mac address", NAME="lan"

# PCI device 0x10b7:0x9200 (3c59x)
SUBSYSTEM=="net", DRIVERS=="?*", ATTR{address}=="my mac address", NAME="wan"

After doing this you also need to rename the rc-scripts associated with them (substitute lan and wan accordingly) and make sure they start on their own.

mv /etc/init.d/net.eth0 /etc/init.d/net.wan
mv /etc/init.d/net.eth1 /etc/init.d/net.lan
rc-update del net.eth0 default
rc-update del net.eth1 default
rc-update add net.lan default
rc-update add net.wan default

Setup the LAN

Now we want to make sure our /etc/conf.d/net is configured properly.

File: /etc/conf.d/net
# This blank configuration will automatically use DHCP for any net.*
# scripts in /etc/init.d.  To create a more complete configuration,
# please review /etc/conf.d/net.example and save your configuration
# in /etc/conf.d/net (this file :]!).

## We want to obtain our ip automatically from the modem
config_wan=( "dhcp" )

## We want to tell everyone that plugs in where to go for their ips
config_lan=( "192.168.0.1 broadcast 192.168.0.255 netmask 255.255.255.0" )

Turn on and Configure SSH

Now we want to start ssh with boot-up and make it so no one can ever log in as root remotely.

File: /etc/ssh/sshd_config
###Uncomment this line and make sure it says no!
.....
PermitRootLogin no
.....

And start it at boot.

rc-update add sshd default

Rebooting

Now, if you haven't already done this, turn off the computer and pop in those RAID drives. Either way, reboot your computer. This reboot is also a good time to make sure that your BIOS doesn't try to boot from one of the drives you're popping in, and that your modem is plugged into the card that you decided to call 'wan'.

reboot

or

halt

Optional: Wifi

This part can be very tough, and is certainly out of the scope of this wiki. It's pretty cool if you can do it though. So, if you feel so inclined, you should visit the Wireless/Access point wiki page or the Madwifi Wireless Access Point wiki page.

Routing

At this point your box doesn't really do much; that will change shortly. In this section we are only going to set up simple routing.

DNS & DHCP Server Using DNSmasq

Dnsmasq is a lightweight, easy to configure DNS forwarder and DHCP server. It is designed to provide DNS and, optionally, DHCP, to a small network. It can serve the names of local machines which are not in the global DNS. The DHCP server integrates with the DNS server and allows machines with DHCP-allocated addresses to appear in the DNS with names configured either in each host or in a central configuration file.


DNSmasq does have the advantage of being really easy to work with and encompasses a lot, so that's what we are going to use. Let's go ahead and emerge it now.

emerge dnsmasq

Then configure it...

File: /etc/dnsmasq.conf
## Uncomment these two lines; it is not necessary, but it makes you a better person.
domain-needed
bogus-priv

## Uncomment this line 
except-interface=wan

## Uncomment and change to whatever you decide your domain will be, or just leave it commented out
domain=gentoo-wiki.com

## The following line will make it so your dhcp leases all occur
## between 192.168.0.25-50
dhcp-range=192.168.0.25,192.168.0.50,255.255.255.0,12h

## Uncomment this line if you are going to host an NTP time server
dhcp-option=42,192.168.0.1

## The following lines need to be uncommented for samba, or at least I needed them
dhcp-option=44,0.0.0.0
dhcp-option=45,0.0.0.0
dhcp-option=46,8
dhcp-option=47

## Uncomment this line for a special Microsoft tweak
dhcp-option=vendor:MSFT,2,1i

## Uncomment and change this line to fit your configuration
dhcp-lease-max=50

## Finally, uncomment and add as many as needed of the following
## lines, they will assign specific computers, specific sub-ips,
## which will make routing much easier later on.
## syntax is as follows:
## dhcp-host=<mac address>,<nametogivecomputer>,<iptolease>,<lengthoftimetolease>
## xbox example
dhcp-host=00:12:FA:CA:8C:D8,xbox,192.168.0.10,6h

Now we want to make sure it starts up at boot.

rc-update add dnsmasq default

And why don't we just start it up now?

/etc/init.d/dnsmasq start

If there are any problems, check your log files and your config file to make sure it's not something simple.

NAT or 'Masquerading'

At this point, people on your network can talk to each other and they can look up hostnames via DNS, but they still can't actually connect to the internet.

This is where Network Address Translation (NAT) steps in. NAT is a way of connecting multiple computers in a private LAN to the internet when you have fewer public IP addresses than computers. Typically you are given one IP address by your ISP, but you want to let your whole house connect to the internet. NAT is the magic that makes this possible. For more information about NAT, you can always visit Wikipedia.

To accomplish this, we are going to use iptables.

emerge iptables

Once iptables is installed, you'll want to write a script that sets your iptables rules, so that editing and reviewing them is much easier.

The following script was taken from the Home Router Guide. It sets up a very basic firewall which allows all intranet traffic, lets people connect to the web, lets you ssh in, and blocks all other ports.

File: /home/<username>/iptables.sh
#!/bin/sh
# Flush existing rules, then set the default policies: the box accepts
# by default and forwards nothing unless a rule allows it.
iptables -F
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
export LAN=lan
export WAN=wan
# Anything from the LAN or loopback may talk to the box.
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
# Refuse DHCP and DNS requests that do not arrive on the LAN side.
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT
# Allow ssh in from the internet; further open ports go right after this line.
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT
# Drop everything else aimed at the privileged ports from outside the LAN.
iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
# Forward LAN traffic out, but not towards other private 192.168.x.x networks.
iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT
# Hide the LAN behind the WAN address.
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
/etc/init.d/iptables save
Note: MASQUERADE should be used for dynamic IP addresses only. If you have a static IP address, use SNAT instead (see the iptables man page).

Make the script executable:

chmod a+x /home/<username>/iptables.sh

We also want IP forwarding turned on, so let's enable it now and make it permanent. rp_filter is a basic anti-spoofing check: the kernel drops packets whose source address would not be routed back out the interface they arrived on.

echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

File: /etc/sysctl.conf
## Add/Uncomment the following lines:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1

## If you have a dynamic internet address you probably want to enable this:
net.ipv4.ip_dynaddr = 1

Run the script to set up masquerading:

sh /home/<username>/iptables.sh

Start iptables at boot and see if it worked:

rc-update add iptables default
/etc/init.d/iptables start

Now, your computers that are connected through the box should be able to connect to the internet. In other words, go take a minute to make sure it worked.
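One thing worth seeing alongside the Home Router Guide script: it leaves the INPUT policy at ACCEPT and only drops ports 0-1023 arriving from outside the LAN, so any service listening above 1023 is reachable from the WAN side, and its FORWARD chain lets everything from wan into 192.168.0.0/16 through. The following is an added example, not the Home Router Guide's script or anything from this wiki: the same router written default-deny, using the "conntrack" match enabled in the kernel config above. It assumes the interface names lan and wan and the 192.168.0.0/24 LAN from the earlier sections; the IPT variable is my own convention so the rule set can be printed for review (IPT=echo) before it is applied as root.

```shell
#!/bin/sh
# Added example (not the wiki's script): a default-deny iptables.sh.
# IPT defaults to the real iptables binary; set IPT=echo to print the
# rules for review instead of applying them.
IPT="${IPT:-iptables}"

# build_firewall LAN_IF WAN_IF LAN_NET [WAN_TCP_PORTS...]
# WAN_TCP_PORTS are the TCP services the internet may reach on the box
# itself (the wiki opens ssh; pass "ssh 6890" to add rTorrent).
build_firewall() {
    lan="$1"; wan="$2"; lannet="$3"; shift 3
    # Start clean, then deny inbound and forwarded traffic by default.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback and the trusted LAN side may talk to the box freely.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$lan" -j ACCEPT
    # Replies to connections the box itself opened.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # A packet on the WAN side claiming a LAN source address is spoofed.
    $IPT -A INPUT -i "$wan" -s "$lannet" -j DROP
    # Only explicitly published services accept new connections from the WAN.
    for port in "$@"; do
        $IPT -A INPUT -i "$wan" -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Log what falls through, rate-limited so a scan cannot fill /var/log/messages.
    $IPT -A INPUT -i "$wan" -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
    # FORWARD: LAN out to the world, replies back in, nothing else.
    $IPT -A FORWARD -i "$lan" -o "$wan" -s "$lannet" -j ACCEPT
    $IPT -A FORWARD -i "$wan" -o "$lan" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Hide the LAN behind the WAN address (MASQUERADE: dynamic WAN IP).
    $IPT -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
}

# Only touch the live rule set when invoked as "iptables.sh apply".
if [ "${1:-}" = "apply" ]; then
    build_firewall lan wan 192.168.0.0/24 ssh
    # Persist the rules for /etc/init.d/iptables, as the wiki's script does.
    if [ "$IPT" = iptables ]; then /etc/init.d/iptables save; fi
fi
```

Run `IPT=echo sh iptables.sh apply` first to read the rules it would install, then `sh iptables.sh apply` as root. Because the INPUT policy is DROP, a new open port is an explicit ACCEPT rather than a gap in a DROP range, and the FORWARD chain relies on connection tracking instead of admitting every packet addressed to a private network.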

File Sharing

OK, right now all you have is a really cool router, but of course you want to do more than that...

Setup RAID

What's the point of having a server if you aren't storing things on it, right? There are many different storage configurations, each one good for different situations, so if you have any interest in setting up a RAID array, please visit the RAID wiki page. For the purposes of this wiki, we are simply going to go over mounting.

mkdir /pub
mount /dev/md0 /pub

ClamAV

"Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and advanced tool for automatic database updates. The core of the package is an anti-virus engine available in a form of shared library."

Having an anti-virus is just a plain good idea, and ClamAV will be incorporated in later sections. As always, I recommend you visit the official Gentoo ClamAV wiki page along with the official ClamAV wiki.

Start by emerging it:

emerge clamav

Configure /etc/clamd.conf as you like, but the defaults should be fine.

Go ahead, start it, and make sure it always does so.

/etc/init.d/clamd start
rc-update add clamd default

Note: If you get a message saying ClamAV is out of date, don't worry; it's because the newest release hasn't always been added to the portage tree yet, and the daemon checks against the homepage.

Samba with ClamAV Scanning

Explaining Samba in this wiki would be beyond my scope, but I do recommend that you familiarize yourself with it by visiting the Samba wiki page.

Furthermore, especially if you are new, I recommend you check out the section on setting up SWAT; it's a web interface that makes configuring Samba much easier.

For this example I am going to include ClamAV on-access scanning, which requires a very specific set of USE flags for samba.

echo "net-fs/samba oav readline cups pam -python -ldap -kerberos -xml -acl -mysql" >> /etc/portage/package.use
emerge -auv samba

Then make a user account that will handle all samba connections.

useradd -G users <samba account>

Setting up Samba for the first time can be a real pain. So here is a good configuration that will set up a completely public share (no passwords, and any user can modify everything) and includes on-access virus scanning.

File: /etc/samba/smb.conf
[global]
        guest account = sambaaccount
        force group = users
        interfaces = lo lan
        bind interfaces only = yes
        ; the LAN configured in /etc/conf.d/net is 192.168.0.0/24; any other
        ; network here would leave your own clients matching hosts deny
        hosts allow = 127.0.0.1 192.168.0.0/24
        hosts deny = 0.0.0.0/0
        public = yes
        map archive = no
        writeable = yes
        server string = Brahma - The Preserver
        path = /pub
        default = public
        workgroup = WORKGROUP
        os level = 20
        force user = sambaaccount
        auto services = public
        guest only = yes
        security = share
        create mask = 777
        log file = /var/log/samba/log.%m
        max log size = 50
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        vfs object = vscan-clamav
        vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
[public]
        comment = It will eat your brains
        path = /pub
        read only = No
        guest ok = Yes
        create mode = 0766

If you notice the vscan-clamav.conf line, then you probably figured out that we need to make that file. There is an example one included with Samba when you use the oav flag, so you are going to copy it to the /etc/samba directory and then change a few things.

cp /usr/share/doc/samba-3.0.33/samba-vscan/vscan-clamav.conf.bz2 /etc/samba/
bzip2 -d /etc/samba/vscan-clamav.conf.bz2

Now you need to change a few things, and of course, configure anything else as you see fit.

File: /etc/samba/vscan-clamav.conf
...
infected file action = quarantine
...
; where to put infected files - you really want to change this!
; it has to be on the same physical device as the share!
; make sure it has the proper permissions (i.e. chmod & chown)
quarantine directory  = /pub/infected_files
...
clamd socket name = /var/run/clamav/clamd.sock

Now all you need to do is start it up and add it to rc. Make sure to check the logs if there are any errors.

/etc/init.d/samba start
rc-update add samba default

Security

DenyHost

I imagine this whole setup process didn't happen in one day, so go ahead and check your logs to see just how many attacks you have had...

cat /var/log/messages|grep sshd

Bet you'll see a bunch of failed login attempts.

To prevent this, I suggest you visit the DenyHosts wiki page. It's easy to set up, and keeps the bots out.
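Before installing DenyHosts it helps to see what it will be reacting to. The following is an added example, not part of the wiki: a small shell function that tallies sshd "Failed password" lines per source address, which is the same signal DenyHosts keys on. The log lines in sample_log are constructed (documentation addresses, a made-up host name) so the function can be tried without reading /var/log/messages; on the real box, pass that file instead.

```shell
#!/bin/sh
# Added example (not from the wiki): tally failed sshd password attempts
# per source address in a syslog-style log such as /var/log/messages.

# failed_ssh_by_ip LOGFILE
# Prints "<count> <address>" lines, most frequent source first.
failed_ssh_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
      | sort | uniq -c | sort -rn
}

# top_offender LOGFILE
# The address with the most failures (empty output if there were none).
top_offender() {
    failed_ssh_by_ip "$1" | head -n 1 | awk '{ print $2 }'
}

# sample_log: constructed log lines (RFC 5737 documentation addresses,
# invented host name "brahma") exercising the patterns above.
sample_log() {
cat <<'EOF'
Mar  3 02:14:07 brahma sshd[4121]: Failed password for root from 203.0.113.5 port 51822 ssh2
Mar  3 02:14:09 brahma sshd[4121]: Failed password for root from 203.0.113.5 port 51822 ssh2
Mar  3 02:14:12 brahma sshd[4123]: Failed password for invalid user admin from 203.0.113.5 port 51830 ssh2
Mar  3 02:20:44 brahma sshd[4130]: Accepted publickey for bob from 192.168.0.12 port 40210 ssh2
Mar  3 03:01:19 brahma sshd[4188]: Failed password for invalid user oracle from 198.51.100.7 port 33214 ssh2
Mar  3 03:05:00 brahma dnsmasq-dhcp[2201]: DHCPACK(lan) 192.168.0.10 00:12:fa:ca:8c:d8 xbox
EOF
}

# Typical use on the real log:
#   failed_ssh_by_ip /var/log/messages
```

The grep keeps only sshd lines that report a failed password, so successful logins and other daemons' chatter (the dnsmasq line above) are ignored; the awk picks the word after "from" regardless of whether the line contains "invalid user". With PermitRootLogin set to no as in the SSH section, the "for root" attempts in the sample can never succeed, but they still show up here and are exactly what DenyHosts blocks.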

Traffic Control

Port Management

So you remember that iptables script you made a while back? Here is where it comes in handy.

Note: Before diving into this, it is important to know that the ordering of your iptables script matters: rules are checked top to bottom, and the first one that matches decides. This being said, you want all your open ports in the same area. If you use the iptables script above, then just add everything after the iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT line.


So let's say you want to open up port 6890 to the server because you decided to install rTorrent. Just find the line where we opened up ssh, and add this line after it.

File: /home/<username>/iptables.sh
...
iptables -A INPUT -p TCP --dport 6890 -i ${WAN} -j ACCEPT
...


Forwarding ports is done in a similar fashion. Let's say you want to forward the Xbox ports; just add the following lines to the same section. Note the use of tcp and udp as appropriate.

File: /home/<username>/iptables.sh
...
iptables -t nat -A PREROUTING -p tcp --dport 3074 -i ${WAN} -j DNAT --to 192.168.0.2
iptables -t nat -A PREROUTING -p udp --dport 3074 -i ${WAN} -j DNAT --to 192.168.0.2
iptables -t nat -A PREROUTING -p udp --dport 88 -i ${WAN} -j DNAT --to 192.168.0.2
...
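The DNAT lines above work with the Home Router Guide script because its FORWARD chain already accepts everything arriving on wan for 192.168.0.0/16. As an added example (not from the wiki), the following helpers express the same two operations, opening a port on the box and forwarding one to a LAN host, in a form that also works when the FORWARD policy is DROP and nothing is blanket-accepted: the forwarded connection is admitted by matching on the conntrack DNAT state, so only traffic the nat table actually rewrote gets through. The interface name wan, the Xbox at 192.168.0.2 and the ports are taken from this page; the IPT variable is my own convention for printing the rules (IPT=echo) before applying them as root.

```shell
#!/bin/sh
# Added example (not the wiki's script): helpers for publishing services
# that also work with a default-deny FORWARD chain. IPT=echo prints the
# rules instead of applying them.
IPT="${IPT:-iptables}"

# open_port WAN_IF PROTO PORT
# Let the internet reach a service running on the router itself.
open_port() {
    $IPT -A INPUT -i "$1" -p "$2" --dport "$3" -m conntrack --ctstate NEW -j ACCEPT
}

# forward_port WAN_IF PROTO PORT DEST
# Rewrite the destination to a LAN host, then let exactly those rewritten
# packets through FORWARD. "--ctstate DNAT" matches only connections the
# nat table translated, so nothing else from the WAN side is forwarded.
forward_port() {
    $IPT -t nat -A PREROUTING -i "$1" -p "$2" --dport "$3" -j DNAT --to-destination "$4"
    $IPT -A FORWARD -i "$1" -p "$2" -d "$4" --dport "$3" -m conntrack --ctstate DNAT -j ACCEPT
}

# publish_services WAN_IF
# The wiki's two cases: rTorrent on the box itself, an Xbox at 192.168.0.2.
publish_services() {
    open_port "$1" tcp 6890
    forward_port "$1" tcp 3074 192.168.0.2
    forward_port "$1" udp 3074 192.168.0.2
    forward_port "$1" udp 88 192.168.0.2
}

# Review first, then apply as root:
#   IPT=echo sh publish.sh   (with a call to publish_services wan appended)
```

Each forwarded port costs two rules rather than one, but the FORWARD rule is tied to the specific host and port, so a later change to the nat table cannot silently widen what is reachable from the internet. Both helpers also keep every published port as an explicit ACCEPT, which is easy to audit with iptables -L -n -v.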


QoS/Traffic Shaping

QoS packet scheduling lets you manage bandwidth on your home server so that no one gets left behind. There are a few different ways to go about setting up traffic shaping, but probably the two easiest are CBQ and HTB. Since they are about the same in terms of setup, it is recommended that you use HTB, as it has benefits over CBQ.

If you are an experienced Linux user, I recommend you look into HFSC; it seems to be better adapted to environments that include things like VoIP and Xbox. The downside is that there is little documentation, and no nifty little scripts for simple use.

External Links