Re: Help again please
From: Martin Cooper (usenet_at_martinc.me.uk)
Date: 05/03/03
- Next message: Martin Cooper: "Re: encrypted file system in linux like XP"
- Previous message: Martin Cooper: "Re: encrypted file system in linux like XP"
- In reply to: jhardy: "Help again please"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 3 May 2003 19:22:09 +0100
Hi,
"jhardy" <rockyrocky81@yahoo.com.au> wrote in message
news:2714696.0305030459.29c14f4@posting.google.com...
> i am trying to setup to host my own web page and email using my
> personal broadband connection.
>
> Can someone help me with the following questions please? I have been
> researching and playing.
>
> i was wondering if you could help with the following:
> I am playing with Nat. Do you know what the following actually
> means?
> nat create protocol=50 inside_addr=10.0.0.1 outside_addr=0
mmm, protocol 50 is 'Encap Security Payload for IPv6', so protocol 50
is used in running ipsec over IPV6, are you sure you need this ?
Also, if someone other than you has set up an ipsec tunnel, you need
to find out what they are using it for. The rule just forwards all
data which arrive at your external interface to the machine with
address 10.0.0.1, I assume this is your linux box.
> nat create protocol=udp inside_addr=10.0.0.1 inside_port=500
> outside_addr=0 outside_port=500
Port 500 is used when establishing an IPSec tunnel, can't say much
more than that, I don't know much about ipsec. But the rule will
forward all udp traffic from your external interface to port 500 of
your linux box.
>
> Also, this one:
>
> nat create protocol=tcp inside_addr=10.0.0.1:80
> outside_addr=0.0.0.0:80
Port 80 is the port that a web server will run on such as apache.
This rule forwards port 80 to your linux box which presumably already
has apache running on it.
If you want email, then you will also need a rule to forward port 25
to the linux box (assuming you want to use SMTP for email
delivery) with a rule such as :-
nat create protocol=tcp inside_addr=10.0.0.1:25
outside_addr=0.0.0.0:25
So basically, when someone on the net wants to connect to your
machine, first they have to find your machine's IP address. This is
usually done by DNS, but as you are using NAT, this only gets the
traffic to your router. As a router can support multiple machines, it
has no way of knowing which machine to send the traffic to. The above
rules are all used to ensure that certain 'data channels' for want of
a better description go to the correct machine. For instance, you
might want to forward port 25 for email to your mail server on
10.0.0.3 if you had multiple machines behind the router.
>
> Is the router enough security? Do i really need a firewall on the
> linux box such as IPCop or is Lokkit enough?
The router gives you basic security only. I would never trust
completely the firewall in the router. If a problem was found with
the firmware, it could be months before you get a fix for the problem.
If you are new to this sort of thing, IPCop or similar would be a good
idea, alternatively, if you have the time and inclination, iptables is
a good firewall when setup correctly.
>
> Once i have got the server setup what do i need to do on the server to
> make my web page available to the internet ie. do i just put my web
> page files there? What configuration is necessary? Are the settings
> under Apache?
Basically, setup apache, if you don't already have it running, then
put your files in the correct directory and ensure the permissions are
set correctly. Ensure that apache is setup to serve pages as a user
such as nobody, and that the files are owned by anyone other than user
nobody. For more on apache installation, see
http://httpd.apache.org/docs/install.html as it would take too long
for me to cover here.
>
> Also, how do i actually place my server outside of the router's
> firewall without making the other machines on the lan vulnerable to an
> attack? Should i use iptables to be the firewall?
> Does linux use tcp/ip? How does it communicate?
> Is ip route the same as ip forwarding?
Sorry, I would have to write a book to answer all that lot properly.
But basically, iptables is a firewall, the only way to connect to the
net is using TCP/IP, so yes linux does use that. You do not put your
web server outside the firewall, you use the forwarding rules on your
router to forward traffic on port 80 to your web server. Yes, this
does make the machine vulnerable to various security exploits, but the
subject is too big to even try and cover here. Routing and forwarding
are different things, forwarding is what you are doing with the rules
on your router, I can't think how to easily explain routing, so I
won't. For more information, you need to do some background reading.
Take a look at the following guides :-
http://www.tldp.org/LDP/sag/index.html
http://www.tldp.org/LDP/nag2/index.html
http://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/index.html
http://www.tldp.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/index.html
These guides will be enough to get you started, a lot of reading, but
if you want to do things properly, that is the only way.
>
> As you can see, i am concerned about the security side of things. I
> want to make sure it is secure. What would you setup the security for
> this?
Working through the above guides will give you a better understanding
of what you need than I could. The first thing you need to do is find
out what the ipsec tunnel on the internal machine is being used for,
as it will bypass any security you put in place elsewhere on your
network.
> What about antivirus software?
Virii are much less of a problem with linux. As long as you tie down
the linux box securely, and don't browse the net as the root user,
this should cover most things. The only virus scanning software I
have really seen for linux is aimed at scanning email before it is fed
to microsoft machines.
>
> thanks again
The main part of the security of your site will be decided more by
what you put on the web server than anything else. Unless you have a
fixed IP, you might also need a service like www.no-ip.com so that
people can find your server from the net.
Martin
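As an added illustration (not part of Martin's reply or the router's own tooling), the script below translates the router's `nat create` lines quoted above into the equivalent iptables DNAT and FORWARD rules a Linux box would use if it did the forwarding itself, and flags the IPsec rules the reply says bypass the rest of the firewall. The external interface name `eth0` is an assumption.

```python
# Constructed sample: the "nat create" lines quoted in the post plus the port-25
# rule suggested in the reply, in the router's syntax as shown there.
SAMPLE_RULES = """\
nat create protocol=50 inside_addr=10.0.0.1 outside_addr=0
nat create protocol=udp inside_addr=10.0.0.1 inside_port=500 outside_addr=0 outside_port=500
nat create protocol=tcp inside_addr=10.0.0.1:80 outside_addr=0.0.0.0:80
nat create protocol=tcp inside_addr=10.0.0.1:25 outside_addr=0.0.0.0:25
"""
WAN_IF = "eth0"  # assumption: the Linux box's external interface name
IPSEC_PROTOS = {"50", "esp", "51", "ah"}  # ESP/AH: the tunnel the reply warns about

def parse_nat_rule(line):
    """Parse one 'nat create key=value ...' line, splitting addr:port forms."""
    tokens = line.split()
    if tokens[:2] != ["nat", "create"]:
        raise ValueError("not a 'nat create' line: %r" % line)
    kv = dict(tok.split("=", 1) for tok in tokens[2:])
    rule = {"protocol": kv["protocol"].lower()}
    for side in ("inside", "outside"):
        addr, port = kv.get(side + "_addr", "0"), kv.get(side + "_port")
        if ":" in addr:  # inside_addr=10.0.0.1:80 style
            addr, port = addr.split(":", 1)
        rule[side + "_addr"] = addr
        rule[side + "_port"] = int(port) if port is not None else None
    return rule

def to_iptables(rule):
    """Return the PREROUTING DNAT line and the FORWARD accept that lets it through."""
    proto, inside = rule["protocol"], rule["inside_addr"]
    dnat = "-i %s -p %s" % (WAN_IF, proto)
    fwd = "-i %s -d %s -p %s" % (WAN_IF, inside, proto)
    target = inside
    if rule["outside_port"] is not None:  # port-less protocols such as ESP get no --dport
        inport = rule["inside_port"] if rule["inside_port"] is not None else rule["outside_port"]
        dnat += " --dport %d" % rule["outside_port"]
        fwd += " --dport %d" % inport  # FORWARD sees the post-DNAT (inside) port
        target += ":%d" % inport
    cmds = []
    if proto in IPSEC_PROTOS or (proto == "udp" and rule["outside_port"] == 500):
        cmds.append("# IPsec: a tunnel terminating on %s bypasses this firewall; "
                    "confirm it is needed" % inside)
    cmds.append("iptables -t nat -A PREROUTING %s -j DNAT --to-destination %s" % (dnat, target))
    cmds.append("iptables -A FORWARD %s -j ACCEPT" % fwd)
    return cmds

def convert(text):
    """Translate a block of router rules into iptables command lines."""
    cmds = []
    for line in text.splitlines():
        if line.strip():
            cmds.extend(to_iptables(parse_nat_rule(line)))
    return cmds
```

Run `print("\n".join(convert(SAMPLE_RULES)))` to see the generated rules; they assume a default-deny FORWARD policy, which is why each DNAT line comes with its own ACCEPT.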