1 - 20 of 24 Posts

From Love and Limerence · 6,574 Posts · Discussion Starter · #1
Okay, I'm not a big networking person. I know the basics, and then some, but that's it. I could use someone who knows their networking, and has a few minutes to read this.

Here's my question. I want to make a PC accessible to the internet as a server. This server will be used by a few people only, so while I know you can't run a real website on a home connection, it won't matter in this case. It will probably be idle about 99% of the time.

I have a few questions.

1. What should I look at as far as security? It's running Ubuntu 8.04 LTS Server Edition (no GUI), with the latest updates. MySQL, PHP, and Apache are, as of right now, updated. It's got a software firewall (Shorewall). I know Ubuntu is decently safe by default, but other than telling PHP and MySQL not to disclose the server signature, are there any other "basic" or "common" steps besides the obvious of backing it up and being prepared for the possibility? How often should I check for updates to Apache, MySQL, and PHP, and can you download and update them automatically via a command like I did when I installed them? I use SFTP for transfers, which I hear is much safer than standard FTP. I'm also learning the basics of my way around command line Linux, and it's pretty interesting.

2. Here's the actual networking situation. Right now, our internet connection comes in through the modem/router (they're both combined into one box). The modem/router splits it up into a few connections, and one of them is my PC obviously. DMZ Plus is enabled for my PC, so for anyone who doesn't know, this basically means my PC is outside the modem/router's hardware firewall (DMZ = demilitarized zone?), and it routes all incoming traffic on our IP address to my PC specifically, or something like that.

Now, here is the thing. It's not my PC the server is set up on (it's my old Dell Dimension 4100). The PC is set up "behind" mine on the network. My motherboard has two ethernet connections, so basically, I have my internet connection incoming on one, and the other is connected directly to the Ubuntu box. Here's a simple image diagram I threw together in Paint to explain it.



As I said, right now, all incoming traffic is routed by default to my PC since it's set as DMZ Plus enabled. What I want to happen is for my PC to pass that incoming stuff along to the server that's behind it as though it were the default DMZ Plus enabled. For reference, the PC behind mine (the server) can access the internet fine (I tried it with Windows, and Ubuntu was obviously able to connect and get its updates), so it is connected right with access. I just need to get it to be the default destination for the IP address. I figure I can't do this via the modem/router since the PC I want to direct the traffic to isn't directly connected to it or on that network, but rather on its own network with my PC, so I assume I'd have to do something on my PC to get it to pass that data along.

So, long long story short, is it possible to do it this way? Is it something I can do via Windows 7's networking, or is there software I can install and set up to control this?

I'm aware it's probably possible to hook the server up to the modem/router and have it set to DMZ plus, which would also maybe be safer for my PC as it'd then disable it on mine and put it back under the modem/router's firewall, but that'd be another wire to run across the house, and I'm pretty sure all of the connections on our modem/router are in use anyway.

I know this isn't a simple question anyone can answer, so I'm specifically asking for people who know their networking here.
 

No sir, I don't like it. · 5,571 Posts
Um, not entirely related, but you should be using port forwarding or port range forwarding as it is much more secure than forwarding all ports (DMZ).

Also, is there really any reason to open all ports at once? -and- Can you connect the server directly to the router rather than connecting through another PC? (makes it easier to setup)
 

From Love and Limerence · 6,574 Posts · Discussion Starter · #3 (Edited)
I had a feeling someone would ask that.

I never really did anything to the modem/router to set up DMZ Plus mode myself. It happened by itself, and I later found out. When I went to hook up a secondary PC to my computer for when someone who was over could play LANs and online games or just use the internet, the modem/router obviously detected this, and gave me a screen like this.



It's some proprietary U-Verse error (AT&T). That "third party router" was really just my PC (since it was apparently acting as a router once I connected another PC to it with internet connection sharing enabled). After I first connected the second PC to mine, all attempts at connecting to the internet led to that page until I clicked Resolve or Disable. Clicking resolve or disable obviously makes it set DMZ Plus mode, from what I now know. I only recently discovered my PC had something called "DMZ Plus mode enabled" applied to it, so I researched it and found out what it was.

For reference, that also reminds me, I did do one more thing to help secure the server as was advised from a guide. I disabled the server from accepting stuff on anything but port 22 (SSH/FTP) and port 80 (HTTP), so even if I did make my PC pass it along, it'd only be those two ports open for the server.

As for the question, as I said in my post, all connections from the modem/router are in use, and I also don't have the wire to reach it anyway/run a second wire. If I could do it that way, there'd be no questions for me to ask. Sure, it may be less secure with only software rather than router and software, but I'd been running this way for a long time, and both PCs do have software firewalls. It's a lot easier for me to do it this way, so unless it's seriously insecure, I don't really have a choice.
 

From Love and Limerence · 6,574 Posts · Discussion Starter · #5
That's a possibility too, and I'm surprised I didn't think of it. I do have a few spare old routers. I'd basically set it up, and then have it forward the desired ports to the server, right? I imagine the current modem/router wouldn't put the new router in the DMZ by default (unless it threw that error again), but even if it did, I'd still be behind that router, and if it doesn't, I'll simply forward the ports from that instead. I hope it's as simple as it sounds, because I have a feeling it could be tricky when more routers are in play.
 

From Love and Limerence · 6,574 Posts · Discussion Starter · #7
I'll have to try that too. I wasn't aware bridging could do that, nor what, exactly, it was. The only experience I have with bridging is that when I set my network up as described above, if my PC, the one connected behind it (which wasn't the server at the time), and a third on our home network, wanted to, say, play a LAN game, both other PCs could see me in the network, and I could see both of them, but they couldn't see each other (since they were on different networks). If I bridged both my ethernet connections, then they were able to. It makes sense now. That sounds like the answer to my original question. I knew there had to be a way to do it. Before I dig into adding another router and having to deal with more IP addresses (possibly conflicts), I'll try that.
 

Registered · 2,583 Posts
Holy hell, that's a needlessly-complicated setup. My first suggestion is to ditch the DMZ setup, completely. It's not necessary and terribly insecure. The second router idea, while it would work, is essentially the same thing you're already doing. I imagine you're using ICS (Internet Connection Sharing) to accomplish this, which means your workstation just became a router and is acting as a gateway for the server. You would have to do your port forwarding there and, last I checked, the interface isn't very intuitive, so expect complications. Your best bet is to throw a switch in front of your workstation. This will give you the added ports you need. Plug the switch into your modem and plug the server and workstation into that switch. Again, disable the DMZ and forward the ports you need to each machine. This is a FAR simpler solution as you only have to manage a single gateway.
 

Registered · 2,583 Posts
Oh yuck, 2wire. :(

Yeah. Assuming your ISP gives you at least 2 IPs then you should put your server outside of your router. NAT should be avoided with public-facing servers if possible.
The damn thing's a personal "toy" server, not a production server. He said he just wants to expose web services, so port 80 (maybe 443 also) is all that's necessary. A DMZ is overkill in this situation.
 

Registered · 2,583 Posts
He said he's inexperienced with network setups and the DMZ adds an additional layer of complication.

The purpose of a DMZ is to safeguard your internal network should the server become compromised. As long as he takes a few very basic precautions and only needs to forward web traffic through, there is very little risk.
 

From Love and Limerence · 6,574 Posts · Discussion Starter · #13
What you described first, FLaRe85, sounds like my next attempt. I guess I should have clarified that although I'd be using a router, I'd be using it as a switch, as that's what fivefeet8 suggested.

Basically, it sounds like adding a router behind my modem/router box as a switch is my best bet. I know actual switches are cheaper, but routers are basically switches with more capabilities as far as I know, and I have three spares, so I might as well since they'd be free. I'd then connect my two PCs to the "switch". I'd also do away with DMZ and just forward the two ports I need to the server.

Does that sound right?

I'm aware I have to plug the incoming connection from the modem/router box to an ethernet opening, not the WAN port, on the router that will be used as a switch. Other than that, is it basically plug and go, or is there configuring to be done (since this is a router and not a simple switch, I'm assuming the latter)?

Yes, I've been using ICS to accomplish this thus far. As I said, I originally only started doing this with another PC so my girlfriend or buddy could connect their laptop/PC respectively to mine to get internet/gaming (again, respectively) from right in my room when they were over. As I'm not too versed in more than basic networking, I didn't know what DMZ was (once I saw "DMZ Plus enabled" tagged by my PC in my modem/router's properties, I researched it). ICS was self explanatory, so I just connected it and worked, basically, and I thought that was that.

As far as I know, I have one, static, IP address. It's changed once since the switchover from just AT&T DSL (we had SBC, but they were taken over) to U-Verse. We got fed up with DirecTV. That one change only happened when we moved, so I assume the plan has either a static IP address, or an almost never changing dynamic one.

Lastly, what are these "very few basic precautions" specifically that I should be doing/knowing about?
 

Premium Member · 8,586 Posts
Basically, it sounds like adding a router behind my modem/router box as a switch is my best bet. I know actual switches are cheaper, but routers are basically switches with more capabilities as far as I know, and I have three spares, so I might as well since they'd be free. I'd then connect my two PCs to the "switch".
Switches operate at Layer 2 with MAC addresses and frames. Routers operate at Layer 3 with IP addresses and packets. There are high end switches that also do some layer 3 functions, but not to the extent of a router. It is not quite as simple as what you're saying.

Having a switched network behind your primary router is the most performant option since they don't deal with IP routing. I guess if you can't get a cheap switch or have one donated to you, you could use a router, but that does incur some additional complexity with your setup. A router normally separates IP subnets while a switch normally does not.

You'll need to disable DHCP on your second router and have it get a WAN IP from DHCP on your primary router.
 

Registered · 2,583 Posts
I'm echoing most of FF8's sentiments, I just disagree with setting the second router up to receive DHCP. You're going to want to know what that IP is if you're doing a double-NAT setup, which would likely be the case with two routers. The first router will forward the port to the second router, which is going to need to be static if that's to work.

Routers segregate a network into subnets, which means that the two machines you have sitting behind the second router will be on a different subnet than the rest of your network (i.e. 192.168.2.0/24 as opposed to 192.168.1.0/24). Those cheapie workgroup routers usually don't give you the power to modify the routing tables, so you're not going to be able to pass data between those two nets. It will be something like this:

Net 2 -> Router B -> Net 1 -> Router A -> Internet

Without specific configuration, traffic is going to be constricted in that each node can only access another node that is to the right of it in the diagram.

With an additional switch, things change to look more like this:

Net 2 <-> Switch <-> Net 1 <-> Router -> Internet

Traffic can flow in any direction, but only outbound traffic is allowed to the Internet.


Those precautions you're going to want to take with the server involve limiting access to SSH and making sure your file permissions are strong. Since you're going to be running web applications, there is always the risk of compromise through a scripting/httpd exploit, but your permissions will ultimately define how deep they can penetrate the server. Finally, just be sure to keep all of your software updated. Since you said you were running Ubuntu, just become familiar with apt-get.
 
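As an added example (not code from the thread or from any of its posters), here is a small POSIX shell script that turns the two precautions in the reply above into checks you can run on the Ubuntu box: one lists TCP listeners bound to non-loopback addresses whose port is not in an allow list (22 and 80, matching the earlier post), and one flags sshd_config settings that leave SSH open wider than a few-user server needs. The netstat output and the sshd_config below are constructed samples; the sshd defaults assumed when a directive is absent (PermitRootLogin and PasswordAuthentication both defaulting to yes) and the exact, case-sensitive keyword matching are simplifications.

```shell
#!/bin/sh
# Added example, not from the thread. Two audit checks for a small Ubuntu
# web/SSH server: exposed listening ports, and weak sshd_config settings.

# Constructed sample of `netstat -tln` output (not captured from a real host).
# MySQL is deliberately shown bound to 0.0.0.0 as well as 127.0.0.1 so the
# check has something to catch.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN'

# unexpected_listeners "22 80" < netstat-output
# Prints each TCP listener on a non-loopback address whose port is not in the
# space-separated allow list; returns 1 if any were printed, 0 otherwise.
# Loopback-only listeners (127.x / ::1) are not reachable from the internet,
# so they are skipped.
unexpected_listeners() {
    allowed=" $1 "
    found=0
    while read -r proto _rq _sq laddr _faddr state; do
        case "$proto" in tcp|tcp6) ;; *) continue ;; esac   # skip header lines
        [ "$state" = LISTEN ] || continue
        addr=${laddr%:*}          # everything before the last ':'
        port=${laddr##*:}         # everything after the last ':'
        case "$addr" in 127.*|::1) continue ;; esac
        case "$allowed" in
            *" $port "*) ;;
            *) echo "$laddr"; found=1 ;;
        esac
    done
    return "$found"
}

# Constructed sample sshd_config resembling a stock install: root login
# allowed, password authentication left at its default, no AllowUsers.
SAMPLE_SSHD_CONFIG='Port 22
Protocol 2
PermitRootLogin yes
#PasswordAuthentication yes
X11Forwarding yes
UsePAM yes'

# sshd_weak_settings < sshd_config
# Reports settings that widen SSH exposure: root login over SSH, password
# logins (brute-forceable from the internet), and no AllowUsers restriction.
# Commented-out lines are ignored, so the assumed daemon defaults (yes/yes)
# apply to anything not set explicitly. Keyword matching is case-sensitive
# here, which is a simplification of sshd's own parsing.
sshd_weak_settings() {
    root_login=yes; pw_auth=yes; allow_users=no
    while read -r key value _rest; do
        case "$key" in
            ''|'#'*) continue ;;
            PermitRootLogin) root_login=$value ;;
            PasswordAuthentication) pw_auth=$value ;;
            AllowUsers) allow_users=yes ;;
        esac
    done
    rc=0
    [ "$root_login" = no ] || { echo "PermitRootLogin should be no (is $root_login)"; rc=1; }
    [ "$pw_auth" = no ] || { echo "PasswordAuthentication should be no (is $pw_auth)"; rc=1; }
    [ "$allow_users" = yes ] || { echo "AllowUsers is not set: every local account can log in over SSH"; rc=1; }
    return "$rc"
}

# On the real box (as root) you would run:
#   netstat -tln | unexpected_listeners "22 80"
#   sshd_weak_settings < /etc/ssh/sshd_config
# Demonstration on the constructed samples:
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "22 80" \
    || echo "-> bind these services to 127.0.0.1 or block them in Shorewall"
printf '%s\n' "$SAMPLE_SSHD_CONFIG" | sshd_weak_settings \
    || echo "-> edit /etc/ssh/sshd_config, then restart sshd"
```

Both functions read from standard input and use their exit status as the verdict, so they drop into a cron job or a post-update hook unchanged. For the server in the thread, the listener check is the fastest way to confirm that the Shorewall rules and the "only ports 22 and 80" intent actually match what is bound on the box, and the sshd check covers the "limiting access to SSH" point: with password logins off and an AllowUsers list, an exposed port 22 is a much smaller target.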

From Love and Limerence · 6,574 Posts · Discussion Starter · #17
Wait, I wasn't going to use the second router as a router. I'd be using it as a switch.

So far as I know in this area (which isn't all too much, yes), if I connect it via one of the ethernet ports, not the WAN port, it will essentially be operating as a switch. Concerning doing it, I did a Google search, and this turned up. It even explains that if you do it right, it will indeed be operating as a switch, as you can have them on the same network (see step four).

portforward.com forum - Using a Second router as a Switch/Hub/WAP

Is my understanding of that off or something? I'll be using a router only because it's what I already have. Sure, the switch may be cheap, but the router is free and already in my possession. I may as well, right? It's confusing me that you guys keep saying this isn't the optimal route, when I'm doing what you suggested, just using a router as a switch. According to the guides I'm plentifully finding, this should be possible in the same way with just a bit of extra work that effectively "dumbs down" the router to the level of a switch, or something like that by the sounds of it. If it does end up being too much of a headache, then I could always pick up a switch, but I may as well try first.
 

Premium Member · 8,586 Posts
Wait, I wasn't going to use the second router as a router. I'd be using it as a switch.

portforward.com forum - Using a Second router as a Switch/Hub/WAP
Yes, we understand that you would be using it LIKE a switch, but the router will function as a router. It still works on IP addressing. The whole thread talks about the configurations needed for IP settings. Throwing a switch in there gets rid of that entire procedure and any of the related issues with it(IP addressing concerns). With a switch, all you would do is plug it in. It doesn't work on IP addressing.

That post suggestion says that you need to make all the computers use DHCP. Well that can be an issue for a server you want accessible from the internet using port forwarding. If the IP address changes on the server because of DHCP, you'll need to reconfigure the port forwarding to that new IP.

You can use a router in such a way, but it creates some extra complexities in your LAN configuration. Those complexities make it harder to track down and fix when an issue arises. Besides some tiny bit of performance loss (depending on the router), that by itself is not optimal.
 

From Love and Limerence · 6,574 Posts · Discussion Starter · #19
Okay, so then does it matter what switch it is? I see that, like routers, some are cheap and some are expensive. I presume the expensive ones are professional and business grade ones, and that any will work just as fine for what I'm doing?
 