[lug] Personal Server Behind DSL Router

David L. Anselmi anselmi at anselmi.us
Thu Jan 11 17:54:06 MST 2007


karl horlen wrote:
> I want to set up a linux mail, web, DNS server with
> iptables firewall behind my dsl router.

Actually, you probably don't.  But we won't say "I told you so" when you 
come back to ask about problems. ;-)

> I was wondering if a server like this is possible if
> all of these services live on a box with a nonpublic
> ip address "behind" a router?

Yes, I do that.  NAT works fine.

If you don't have a static IP you'll have problems sending mail to other 
servers due to various black lists.  It will work if you send via a 
smart host but you'll need credentials to use Qwest for that.

If you aren't good at spam filtering you may bounce some spam and get 
black listed for that.  But probably not a serious problem.

Web is easy.  DNS is easy if you use the free service from zoneedit.com. 
If you really want to run your own read Cricket's book.

I typically don't run iptables on a box like this because all the 
services it provides are public.  So there isn't anything for iptables 
to block (obviously there are some other useful things iptables can do). 
But I do have backups and I do expect it to be hacked and rebuilt one 
day.  So make sure you don't mind losing it, and make sure other 
machines don't trust it any more than the Internet.  I like bacula and 
rdiff-backup.

> I've port-forwarded ssh access to this box on the router
> in the past from the outside world.

It's worth moving ssh off port 22, at least externally.

[...]
> I'm not sure but I think inbound requests will
> probably work.  I'm more concerned about NAT'ing the
> service replies on the way out since they have no
> public identities.

All of this should work if your router does NAT properly (and for UDP 
too).  Actiontecs do some odd DNS caching I hear so you might run into 
that.  But for the most part it will work.

Dave
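The black-list problem Dave raises above is something you can check for yourself before the first bounce arrives. The script below is an added example, not part of the original post or the LUG archive: it builds the reversed-octet query name that DNS-based blocklists (DNSBLs) use, asks for an A record, and interprets an answer in 127.0.0.0/8 as "listed". The zone names and the constructed answers in the fake resolver are assumptions for illustration; real lists document their own return codes, and Spamhaus in particular uses 127.255.255.0/24 for query errors rather than listings. It also refuses RFC 1918 addresses, since the address that matters is the router's public one, not the server's NAT'd one.

```python
"""Check a public IPv4 address against DNS-based blocklists (DNSBLs).

Added example, not code from the original mailing-list post.  Assumes the
zones below publish listings the usual way: octets reversed under the zone
name, with an A record in 127.0.0.0/8 meaning "listed".
"""
import ipaddress
import socket
from typing import Callable, Dict, Optional

# Zone names chosen for illustration (assumption); policies differ per list.
DNSBL_ZONES = ["zen.spamhaus.org", "bl.spamcop.net"]

# The NAT'd address behind the DSL router is never what a DNSBL sees.
RFC1918 = [ipaddress.IPv4Network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Answers in this range are error/abuse codes on some lists, not listings.
ERROR_CODES = ipaddress.IPv4Network("127.255.255.0/24")
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """203.0.113.5 + zone -> '5.113.0.203.zone' (raises on malformed input)."""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def resolve_a(name: str) -> Optional[str]:
    """Default resolver: first A record, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def classify(ip: str, zone: str, resolve: Resolver = resolve_a) -> str:
    """Return 'listed', 'clean' or 'error' for one address on one zone."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return "clean"          # NXDOMAIN: not on this list
    code = ipaddress.IPv4Address(answer)
    if code in ERROR_CODES:
        return "error"          # list refused or throttled the query
    if code in LISTED_RANGE:
        return "listed"
    return "error"              # unexpected answer; do not trust it either way


def check_all(ip: str, zones=DNSBL_ZONES,
              resolve: Resolver = resolve_a) -> Dict[str, str]:
    """Query every zone for a public address; refuse private (NAT'd) ones."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in RFC1918):
        raise ValueError(f"{ip} is RFC 1918; check the router's public address")
    return {zone: classify(ip, zone, resolve) for zone in zones}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.5"  # constructed
    for zone, verdict in check_all(target).items():
        print(f"{target:16} {zone:20} {verdict}")
```

Run it with the router's public address as the argument; a "listed" verdict on a zone you care about is the cue to send through the ISP's smart host until the listing expires, and an "error" result means the answer is not usable rather than that the address is clean.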
