System setup
Create users and groups
The best setup for some services is to create users and groups with the same numbers as you use on the desktop. Use the program id on your desktop to obtain the UID and GID. For example, running id on my desktop returns:
uid=1000(petr) gid=1000(petr) skupiny=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),111(netdev),115(powerdev),1000(petr)
That means I have to create group petr with GID 1000:
addgroup --gid 1000 petr
And then user petr with UID 1000 in group petr:
adduser --uid 1000 --gid 1000 petr
Repeat this for all your users.
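The following is an added example, not part of the original page: a small POSIX sh script that takes the line printed by id on the desktop and turns it into the addgroup/adduser commands to run on the EDMini, so the UID and GID match exactly. The id line inside it is constructed to mirror the one quoted above (the group label is locale dependent, but the uid= and gid= keys are not); the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): derive the addgroup/adduser
# commands for the server from the output of `id` on the desktop.
# Constructed sample line, matching the layout quoted in the text.
SAMPLE_ID_LINE='uid=1000(petr) gid=1000(petr) groups=20(dialout),24(cdrom),1000(petr)'

# id_field LINE KEY -> prints "NUMBER NAME" for the KEY=NUMBER(NAME) part
id_field() {
    printf '%s\n' "$1" | sed -n "s/.*$2=\([0-9]*\)(\([^)]*\)).*/\1 \2/p"
}

# user_cmds LINE -> prints the two commands that recreate the user with the
# same UID and GID; the group comes first because adduser --gid needs it
user_cmds() {
    u=$(id_field "$1" uid)
    g=$(id_field "$1" gid)
    [ -n "$u" ] && [ -n "$g" ] || { echo "cannot parse id output: $1" >&2; return 1; }
    uid=${u%% *}; uname=${u#* }
    gid=${g%% *}; gname=${g#* }
    printf 'addgroup --gid %s %s\n' "$gid" "$gname"
    printf 'adduser --uid %s --gid %s %s\n' "$uid" "$gid" "$uname"
}

# Example run on the constructed line (on the server: user_cmds "$(id)" | sh)
user_cmds "$SAMPLE_ID_LINE"
```

Run it once per user: paste each desktop's id line in, review the two printed commands, and only then pipe them into sh on the EDMini. Before doing so, check with getent passwd 1000 and getent group 1000 that the numbers are still free there, otherwise the file ownership on the shared directories will not line up with the desktop.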
Recommended software
FTP server - vsftpd
I tested various FTP servers in Debian and the best results I got were with vsftpd.
Installation
Because vsftpd is included in Debian, installation is very simple:
aptitude install vsftpd
Configuration
UPnP multimedia server - Media Tomb
Installation
MediaTomb is also included in Debian:
aptitude install mediatomb-daemon
Configuration
File sharing: BitTorrent, eDonkey, Gnutella... - MLDonkey
Installation
Configuration
GUI: KMLDonkey
Firewall setup
Bridged connection
This is the situation I use, so the description is more detailed. My network configuration is as follows: the ISP uplink enters the switch on VLAN1, while PC1, PC2 and PC3 sit on VLAN0; the switch trunk goes to eth0 of the EDMini, where the vlan0 and vlan1 interfaces are bridged together with eth1 as br0; eth1 is the WiFi side, with NTB1, NTB2 and a Nokia N95 connected there.
I use a switch that can tag packets according to the incoming port. It is configured to distinguish between traffic from outside my network (the ISP) and my home network traffic. All networks (vlan0, vlan1 and eth1) are bridged together, as my ISP provides enough IP addresses. I consider my network secure, as the WiFi is protected by WPA2, and anyone able to tamper with the cable connection could just as easily grab the computers themselves. Because some services I use don't support password protection, filtering is required. It can be done using ebtables. The command scheme is as follows:
ebtables -I FORWARD -i __INCOMING_INTERFACE -p IPv4 --ip-protocol __PROTOCOL --ip-destination-port __PORT_NUMBER -j DROP
where
- __INCOMING_INTERFACE is where the ISP is connected - vlan1 in my case.
- __PROTOCOL is the transport layer protocol - tcp, udp, sctp etc.
- __PORT_NUMBER is the service port number
For example, to drop NFSv4 requests arriving from the ISP:
ebtables -I FORWARD -i vlan1 -p IPv4 --ip-protocol tcp --ip-destination-port 2049 -j DROP
Note that the ebtables FORWARD chain only sees frames bridged through the EDMini to other hosts; frames addressed to the EDMini itself go through its INPUT chain, so services running on the EDMini need the iptables rule from the "Filtering on EDMini" section as well.
Routed connection
In case of a routed connection, use iptables. The command will look like this:
iptables -I FORWARD -i __INCOMING_INTERFACE -p __PROTOCOL --dport __PORT_NUMBER -j REJECT
where
- __INCOMING_INTERFACE is where the ISP is connected.
- __PROTOCOL is the transport layer protocol - tcp, udp, sctp etc.
- __PORT_NUMBER is the service port number
Filtering on EDMini
If you want to do the filtering on the EDMini itself, use the following command to reject all packets except those originating from __ALLOWED_IP:
iptables -I INPUT -i __INCOMING_INTERFACE ! -s __ALLOWED_IP -p __PROTOCOL --dport __PORT_NUMBER -j REJECT
where
- __INCOMING_INTERFACE is where the ISP is connected.
- __ALLOWED_IP packets from this IP will not be rejected
- __PROTOCOL is the transport layer protocol - tcp, udp, sctp etc.
- __PORT_NUMBER is the service port number
The negation is written as ! -s (the older -s ! form is no longer accepted by current iptables). In the bridged setup iptables sees the bridge (br0), not vlan1, as the incoming interface; to match the physical port there, use the physdev match (-m physdev --physdev-in vlan1) instead of -i.
Service protocols and port numbers
- NFSv4: TCP 2049
- UPnP Media Server (mediatomb):
- SSH server (dropbear): TCP 22
- MLDonkey Web Interface: TCP 4080
- MLDonkey GUI Interface: TCP 4001
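As an added example (my own script, not part of the original page), the following POSIX sh snippet drives all three filtering variants described above from one service table: the bridged ebtables FORWARD rule, the routed iptables FORWARD rule and the local iptables INPUT rule with an allowed source. The table is constructed from the port list above (mediatomb is left out because no port is given for it); the function names, the example interface names and the address 192.0.2.10 in the usage comment are assumptions. It only prints the rules, it does not apply them.

```shell
#!/bin/sh
# Added example (not from the original page): generate the firewall rules for
# the services listed on the page, in bridged, routed or local form.
# Constructed service table: "name protocol port", one service per line.
SERVICES='nfsv4 tcp 2049
ssh tcp 22
mldonkey-web tcp 4080
mldonkey-gui tcp 4001'

# valid_proto_port PROTO PORT -> succeeds only for tcp/udp/sctp and 1..65535,
# so a typo in the table cannot become a rule that silently matches nothing
valid_proto_port() {
    case $1 in tcp|udp|sctp) ;; *) return 1 ;; esac
    case $2 in ''|*[!0-9]*) return 1 ;; esac
    [ "$2" -ge 1 ] && [ "$2" -le 65535 ]
}

# block_rule MODE IFACE PROTO PORT [ALLOWED_IP] -> prints one rule
#   bridged: ebtables FORWARD, drops frames bridged through the EDMini
#   routed:  iptables FORWARD, rejects packets routed through it
#   local:   iptables INPUT, rejects everything except ALLOWED_IP
block_rule() {
    valid_proto_port "$3" "$4" || { echo "bad protocol/port: $3 $4" >&2; return 1; }
    case $1 in
    bridged) printf 'ebtables -I FORWARD -i %s -p IPv4 --ip-protocol %s --ip-destination-port %s -j DROP\n' "$2" "$3" "$4" ;;
    routed)  printf 'iptables -I FORWARD -i %s -p %s --dport %s -j REJECT\n' "$2" "$3" "$4" ;;
    local)   [ -n "$5" ] || { echo "local mode needs an allowed IP" >&2; return 1; }
             printf 'iptables -I INPUT -i %s ! -s %s -p %s --dport %s -j REJECT\n' "$2" "$5" "$3" "$4" ;;
    *) echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# block_all MODE IFACE [ALLOWED_IP] -> one rule per line of SERVICES
block_all() {
    printf '%s\n' "$SERVICES" | while read -r name proto port; do
        [ -n "$name" ] || continue
        block_rule "$1" "$2" "$proto" "$port" "$3"
    done
}

# Typical use on the EDMini after reviewing the output:
#   block_all bridged vlan1 | sh           (bridged setup from the page)
#   block_all local eth0 192.0.2.10 | sh   (assumed interface and address)
block_all bridged vlan1
```

Because the rules are inserted with -I they are evaluated before anything already in the chain, and neither ebtables nor iptables rules survive a reboot, so the generated commands belong in a script run at boot rather than typed once.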
History: r3 - 25 Sep 2009 - 20:01:18 - PetrMalat