Hack and / - Your Own Personal Server: the Network
These days, it seems everyone is talking about the cloud. Now, what exactly someone means by “the cloud” seems to vary, but typically, the cloud refers to some sort of service, such as e-mail, Web, DNS, file storage and so on, that is managed for you by a third party. Many people love how easy it can be to outsource their e-mail service, blog or image site to someone else. Like oil changes, home repair and cooking, server administration is yet another task you can pay (either with money or with marketing data) someone else to manage for you.
Alongside this trend to outsource work is a growing movement that values doing things yourself. Some examples include “Makers” involved in designing their own electronics, do-it-yourself home improvement, gardening, amateur cheese making, baking and even home brewing. The fact is, many of these so-called chores actually are rather rewarding and even fun to do yourself. I think we as Linux users should apply this same idea to server management. It turns out it is quite rewarding, educational and not terribly difficult to manage your own services at home instead of outsourcing them to the cloud. This is on top of the fact that when you manage your own server, you are in full control of your server, what's installed on it and who can see it.
In this series of columns, I'm going to discuss how to set up various types of services at home and how to make them available to the Internet at large. In this first column of the series, I discuss some things you should consider about your network before you set up your first server at home.
When it comes to hosting servers at home, all ISPs (Internet Service Providers) are not created equal. Before I even discuss bandwidth, first you should look into your ISP's terms of service. It turns out that some ISPs discourage, disallow or sometimes outright block home users from hosting their own services on the Internet. Take a large dose of caffeine and try to read through your ISP's terms of service (or just call and ask them) to see whether they have any sort of restrictions. These days, at the very least it's common for even server-friendly ISPs to block outbound e-mail traffic (SMTP port 25) by default to prevent spam. Although I'll discuss this more in a future column about e-mail, some ISPs will lift this restriction and some won't. The bottom line is that if hosting your own server is important to you, you will want to make sure you use an ISP that allows it. For me, this policy is more important when choosing an ISP than even speed or price.
No matter what type of Internet connection you have, ultimately you are assigned at least one publicly routed IP address. If this address changes each time you connect to the Internet (or each time your DSL or cable modem resets), you have a dynamic IP. If this IP stays the same, it's static. Although people historically have run servers on both static and dynamic IPs, with a dynamic IP, you will have to go through the additional trouble of setting up some sort of dynamic DNS service so that each time your IP changes at home, everyone trying to access your service on the Internet will get the new IP. Unfortunately, due to the nature of how DNS works, you can't always guarantee (even with low TTLs) that everyone will see your changed IP in a timely manner, so if you are serious about running servers at home, I recommend you spring for one or more static IPs.
Typically when you rate the quality of your Internet connection at home, you first look at your download speed. Average home users rely much more on their download bandwidth than their upload bandwidth as a metric of how “fast” their connection is, and many home Internet connections have much higher download bandwidth than upload. Once you start hosting servers at home, however, you'll find that their performance is governed more by your upload bandwidth. If you want to host bandwidth-hungry services at home, like streaming audio or video or image-heavy Web sites, you might want to upgrade or change your Internet connection to get more upload bandwidth. On the other hand, your personal DNS or e-mail server probably is going to be fine even with somewhat low upload bandwidth. Although upload bandwidth can be slower at home than at a data center, most connections at home (at least in the US) are unmetered so you don't have to worry about bandwidth caps.
These days, most people who would want to host a server at their homes tend to access the Internet through some sort of DSL or cable modem. This device connects to either a phone line or some other cable on one end and provides a network port (or sometimes a USB port) on the other. More sophisticated modems actually can act as a gateway, and even a DHCP server, and hand out internal IPs to computers in the home while the public IP resides on the modem itself.
If you plan on having multiple computers inside your home network, I recommend getting the modem configured so it acts more like a bridge, so that the publicly routed IP address is assigned to a device that is under your control, whether it's a home router or a computer on your network. Most home routers these days (including DSL and cable modems, if your ISP gives you the ability to configure them) have the ability to do port forwarding so that incoming traffic intended for your Web server (ports 80 and 443) can be redirected to the internal IP address. The more control you have over your gateway, the more flexibility you will have in how you set up your servers and your network. If you do opt to use a consumer router instead of turning a home computer into the gateway, you might want to choose a router that can be reflashed with custom Linux firmware (like OpenWRT or DD-WRT), so you can have some of the same flexibility you would have if a Linux server acted as the gateway.
Of course, any time you open up a service to the Internet, you are opening yourself up to attack. These days, it doesn't matter if you just have a lone server on the Internet; attacks are automated, so your obscurity doesn't ensure security. Be sure that any service and server you make available on the Internet is kept up to date with the latest security patches. If you have the ability to configure a firewall on your gateway router, block all incoming ports by default and allow in only ports you know need to be open. If you are going to open up an SSH server to the public Internet, be sure to audit your passwords, and make sure they are difficult to guess (or better, disable passwords altogether and use key-based authentication). These days, more home (and enterprise) Linux servers are hacked due to bad passwords than just about anything else.
While I'm on the subject of firewalls, here's a quick tip if you happen to use a Linux device as your router with iptables. Even if you are granted multiple public IPs, you may find you prefer to have all Internet traffic come through a central router so it's easier to monitor and secure. To accomplish that, you likely will need to have your gateway device configured to answer on all of the public IPs and assign private IPs to the computers inside your home. Let's assume I have a few static IPs, including 18.104.22.168 and 22.214.171.124, and a gateway router that is configured to answer to both of those IPs on eth0. I have an internal server on my network with an IP address of 192.168.0.7. Because it has an internal IP, I want to forward traffic on my gateway destined for 126.96.36.199 to 192.168.0.7. The first way I could do it is to forward traffic only on specific ports to this host. For instance, if this were a Web server, I might want to forward only ports 80 and 443 to this server. I could use these iptables commands on my gateway router for the port forwarding:
iptables -t nat -A PREROUTING -d 188.8.131.52 -i eth0 -p ↪tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.7:80 iptables -t nat -A PREROUTING -d 184.108.40.206 -i eth0 -p ↪tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.7:443
This is also a common solution if you have only one public IP but multiple servers in your network, so you can forward Web ports to an internal Web server and e-mail ports to a different e-mail server. This method works; however, I'll have to be sure to add new firewall rules each time I want to forward another port. If I simply want to have the router forward all traffic destined for 220.127.116.11 to 192.168.0.7, I could use these two commands:
iptables -t nat -A PREROUTING -d 18.104.22.168 -i eth0 -j ↪DNAT --to-destination 192.168.0.7 iptables -t nat -A POSTROUTING -s 192.168.0.7 -o eth0 -j ↪SNAT --to-source 22.214.171.124
Note that because these commands forward all traffic to that internal host, regardless of port, I will want to make sure to lock down the firewall rules on that internal server.
This should be enough information to get you started on your network setup at home so that by next month, you'll be ready to set up your first service. In my next column, I'll focus on DNS, including how to register a domain and how to set up your own home DNS server.
Kyle Rankin is a Systems Architect in the San Francisco Bay Area and the author of a number of books, including The Official Ubuntu Server Book, Knoppix Hacks and Ubuntu Hacks. He is currently the president of the North Bay Linux Users' Group.