Dralnu Veteran


Joined: 24 May 2006 Posts: 1919
|
Posted: Fri Jul 25, 2008 5:54 am Post subject: Creating a home network |
|
|
I recently have decided to set up an old desktop as a file server, and I am looking for suggestions on what would be the best way to go about this.
Currently, the two systems in the house run off of an old Netgear websafe router, which I don't trust because A) I lost the password to it, and B) never had the default password reset for a long time, so I don't know if it is compromised or not. I have bought a new one (a newer version, actually), and was planning on hooking it up to the old router, and using it for my personal network.
So far I have looked into firewalls, NFS, and several other apps to give me an idea on what I need to do to set up and secure this network, and have so far come up with this idea.
I'll wire my new router to the old one, change the pass and everything on it, and plug my desktop and server up to it.
I'll reinstall both systems (storing the files I want/need to keep on an external hard drive for the time being), then install a firewall (iptables, probably), set to reject all incoming connections except for NFS and ssh.
Install NFS and ssh (of course), and possibly encrypt the hard drive on the file server and my desktop.
I am also debating on setting the file server up as a mail server (mainly fetching mail from my various email accounts to be stored locally), and simply connect to it to handle all of my email (how I would set that up, I have no idea right now).
Before I dive into this, I'm wanting some input on how I have things laid out, and see if anyone has any suggestions on how to improve my proposed setup.
Thanks. _________________ The day Microsoft makes a product that doesn't suck, is the day they make a vacuum cleaner. |
baeksu l33t


Joined: 26 Sep 2004 Posts: 609 Location: Seoul, Korea
|
Posted: Fri Jul 25, 2008 8:15 am Post subject: |
|
|
I recall some people commenting that perimeter-based security shouldn't be considered trustworthy.
You might want to set up security on each machine as if they were directly connected to WAN. For instance, only allow nfs and ssh connections from the ip addresses that you plan to use the services from. If you have a "blackbox" on your local network (I have a voip phone from our local telecom), or any other box you consider not trustworthy, just block everything from that address.
You better make sure your new router is secure, too, as a compromised router makes ip address based security measures kind of pointless.
What are you using the old router for? Seems to me like it's not a necessary device in your network anymore.
For your mail server needs, I run a courier-imap server on a local box, and use getmail to, errr, get my mail from the various webmail services I use. This provides a good local mirror, in case google or yahoo decide to delete my accounts for whatever reason.
For sending mail, I just use my ISP's smtp server. _________________ Gnome:
1. A legendary being.
2. A never ending quest to make unix friendly to people who don't want unix and excruciating for those that do. |
Dralnu Veteran


Joined: 24 May 2006 Posts: 1919
|
Posted: Fri Jul 25, 2008 5:54 pm Post subject: |
|
|
baeksu wrote: | I recall some people commenting that perimeter-based security shouldn't be considered trustworthy.
You might want to set up security on each machine as if they were directly connected to WAN. For instance, only allow nfs and ssh connections from the ip addresses that you plan to use the services from. If you have a "blackbox" on your local network (I have a voip phone from our local telecom), or any other box you consider not trustworthy, just block everything from that address.
You better make sure your new router is secure, too, as a compromised router makes ip address based security measures kind of pointless. |
I did some looking to see what kind of firewall routers were available at the time I went to buy them, and it seemed like the netgear was the lesser evil. The fact I'm slightly limited in how I can secure it is a good portion of the reason why I want to secure each box, since you can never be sure on how secure they are.
Quote: | What are you using the old router for? Seems to me like it's not a necessary device in your network anymore. |
I have my network, and someone else's system is hooked up to the old router, so I was just going to worry about my network for now, and let them keep using the old one.
Quote: | For your mail server needs, I run a courier-imap server on a local box, and use getmail to, errr, get my mail from the various webmail services I use. This provides a good local mirror, in case google or yahoo decide to delete my accounts for whatever reason.
For sending mail, I just use my ISP's smtp server. |
Thanks for the input on the mailserver. _________________ The day Microsoft makes a product that doesn't suck, is the day they make a vacuum cleaner. |
carpenike Tux's lil' helper

Joined: 10 Feb 2005 Posts: 127
|
Posted: Thu Jul 31, 2008 6:55 pm Post subject: |
|
|
Hmmm...
Who is the other person that you currently have using the router? I'd personally stick away from using the two router approach as you're likely to introduce double-NAT'ing into your LAN which can become a pain later on, and isn't that clean of a configuration. For the most part, these home routers aren't doing a ton of firewalling that your linux boxes wouldn't be capable of themselves... Maybe your roommate would be cool with replacing the edge device with your new router?
You could co-exist within the same LAN as the other user and just use IPTables (EBTables) rules to only allow the clients that you want to connect to your boxes.
I guess from a security point of view I don't see how the additional router does you that much good over running firewalls on your boxes... Seems to introduce unnecessary complexity to me... |
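The per-host allowlist suggested in baeksu's and carpenike's replies, as an added example that is not part of the original posts: a shell function that emits an iptables-restore ruleset accepting ssh and NFS only from named clients, dropping an untrusted box, and rejecting everything else. The addresses are constructed samples, and NFSv4 on TCP 2049 is an assumption (NFSv3 would also need the rpcbind and mountd ports).

```shell
#!/bin/sh
# Added example (not from the thread). Addresses are constructed samples;
# NFSv4 on TCP 2049 is assumed.

# Accept only dotted-quad IPv4 so nothing else can end up in a rule line.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# gen_rules "<trusted ips>" "<blocked ips>": ruleset on stdout, 1 on bad input
gen_rules() {
    trusted=$1 blocked=$2
    # Validate everything first so a partial ruleset is never emitted.
    for ip in $trusted $blocked; do
        is_ipv4 "$ip" || { echo "invalid address: $ip" >&2; return 1; }
    done
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT'
    # Untrusted boxes are dropped first, before any stateful accept.
    for ip in $blocked; do
        printf '%s\n' "-A INPUT -s $ip -j DROP"
    done
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # New ssh (22) and NFSv4 (2049) connections only from the named clients.
    for ip in $trusted; do
        printf '%s\n' "-A INPUT -s $ip -p tcp -m multiport --dports 22,2049 -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Everything else is rejected, as the first post proposes.
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-port-unreachable' 'COMMIT'
}

# Constructed sample: the desktop is trusted, the VoIP box is not.
gen_rules "192.168.1.10" "192.168.1.50"
```

Piping the output to `iptables-restore --test` as root checks that it parses before it is loaded for real.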