
Re: Creating a home network



On 2016-05-12 03:30, Richard Owlett wrote:
On 5/11/2016 12:09 PM, Peter Ludikovsky wrote:
Not really broke. E.g. the BananaPi Router board comes in at about €75,
with 5 Gb interfaces (4 switched) and a 2.5" SATA connector, and runs a
minimally adapted Debian called Bananian. Add to that a small powered
USB hub, starting at about €10, and some cables, and your total should
be at around €100.

Thanks. I also asked on a local users group. The suggestions vary in
detail but are generally. Google on suggested components should be
educational. Cost estimates are similar.

* Samba
* autofs and/or udev to automagically export USB devices via Samba



Searching should give useful related links.



Regards
/peter

On 11.05.2016 at 16:32, Richard Owlett wrote:
Underlying question: What should I be reading?

I wish a blackbox which:

1. Connects 4 local machines via Ethernet [WiFi shall *NOT* be considered]
   A. A desktop with WinXP and multiple versions of Debian
   B. A laptop with WinXP Pro SP3 whose reason for existence is running
      SeaMonkey. Historically it is/was my primary machine. Its future is
      as a portable.
   C. A laptop dedicated to Linux experiments. I have erased the HDD as
      many as ten times in one week ;/
   D. Misc temporarily connected laptops.
2. It shall provide multiple USB ports in order that a selection of flash
   drives and a 1 TB HDD can be accessed by any machine.
3. It *SHALL* connect to the internet via a T-Mobile 4G Hotspot Z915
   connected via USB. The WiFi features have been disabled. I really wanted
   a USB cell network modem. The local T-Mobile outlet was the only vendor
   that didn't try assaulting me with their 'smartphone-du-jour' with an
   atrociously large data plan. This connection shall be protected by a
   firewall.

How broke will I be?
TIA




Did you see the Debian wiki about creating a router with a PC?
It's kind of old but still working.

I created my house/work one with a P3, 512M RAM,
even running mariadb on it (SQL is the heaviest, everything else is light; except tor maybe). Actually providing my house network + less than 10 HP, mail servers for small companies.
Never tried USB wireless stuff, but get a wire line if you can;
that's the fastest.

My place is 2 Debian boxes and a Cat2960.
One VLAN is for the outside connection, another one is the inside connection.
The Debian boxes are providing the NAT/WAN connection.
Inside boxes are connected via the switch (Cat 2960).

LAN---NAT--Global_IP---WAN

Price:
Pentium 3 @ 512M RAM: 10-20 US
Cat2960: 40 US
Everything is 2nd hand of course.

Also 2 PCI 1G NICs per router/fw box (makes 4).
That was the most expensive (new),
about 10-20 US/card.

If you'll use a USB for the T-Mobile 4G Hotspot, you don't need 2 outside cards;
you can use the onboard or other LAN Ethernet port for your LAN,
so 0 cost for the 2 PCI 1Gig NICs by 2.

*MY case*
WAN (provider's DCE, a kind of nowadays modem)
 |
Cat2960 (switch)
|        |
Dev1    Dev2
|        |
Cat2960
|
LAN (5 ports are already used as above, so you have 19 ports left for your LAN;
OS doesn't matter)

*Your case*
WAN (T-Mobile 4G Hotspot's USB)
|
Debian box (NAT/FW, i.e. LAN/WAN segregation)
|
LAN (via Ethernet, RJ45)
|
Cat2960 (switch; actually any kind of switch is OK, a hub is even enough in your case I think;
|       brand doesn't matter; just Cisco's works well for me)
|
24 ports available on the switch to connect any kind of OS boxes

Then as said above, if you need Windows/Linux shares on the Debian box
you need Samba, and maybe more for USB mounting.
If you want to be able to connect many USB devices, you need that many USB ports
on the box.

I'll paste my iptables below.
Also, my house is wired with PPP to the provider (my outside interface is ppp0;
yours might be usb0, I don't know).

I never tried WiFi or other kinds of wireless stuff from a USB,
but I think the kernel is able to manage that (WiFi as wireless, because the USB from T-Mobile
is a kind of wireless protocol, 3G or LTE).
Just try first: get the USB, connect it to the box and check if you can access the net
(you might need some kind of firmware).
If you can, then the above is a 'jeu d'enfants'.

IPTABLES
------------8<-------------------------------------------
root@tamerrz:/home/tamerrzusr#cat /etc/network/if-up.d/00-firewall_corrected

#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules (filter and nat tables; if-up.d scripts run on
# every interface event, so flushing nat too keeps the SNAT rules from
# being appended twice).
#
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

## nat/POSTROUTING
# Masquerade <=> Changed to SNAT
# (was using MASQUERADE NAT before, using source NAT now; either one is OK)
#iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# XXX.XXX.XXX.XXX is my public IP
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j SNAT --to-source XXX.XXX.XXX.XXX
iptables -t nat -A POSTROUTING -s 192.168.255.0/24 -o ppp0 -j SNAT --to-source XXX.XXX.XXX.XXX

## filter/FORWARD

# Allow New outgoing connections from the LAN side.
iptables -t filter -A FORWARD -i eth1 -o ppp0 -m state --state NEW -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -o ppp0 -m state --state NEW -j ACCEPT

# Allow Established outgoing connections from the LAN side.
iptables -t filter -A FORWARD -i eth1 -o ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -o ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow forwarding of established connection from WAN side.
iptables -t filter -A FORWARD -i ppp0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Don't forward from the outside to the inside (icmp destU).
iptables -t filter -A FORWARD -i ppp0 -o eth1 -j REJECT
iptables -t filter -A FORWARD -i ppp0 -o eth0 -j REJECT

## filter/INPUT

# Always accept loopback traffic
iptables -t filter -A INPUT -i lo -j ACCEPT

# log udp port 5060
iptables -t filter -A INPUT -i ppp0 -p udp --dport 5060 -j LOG --log-level debug

# asterisk
iptables -t filter -A INPUT -i ppp0 -p udp --dport 5060 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -p udp --dport 5070 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 5080 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 5090 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -p udp --dport 10000:20000 -j ACCEPT

# reTurn_server
iptables -t filter -A INPUT -i ppp0 -p udp --dport 3478 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 5091 -j ACCEPT

# tor
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 9001 -j ACCEPT

# postfix
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 25 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 587 -j ACCEPT

# dovecot
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 110 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 995 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 143 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 993 -j ACCEPT

# apache
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 443 -j ACCEPT

# dns
iptables -t filter -A INPUT -i ppp0 -p udp --dport 53 -j ACCEPT

# vsftp
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 21 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 50000:50010 -j ACCEPT

# Allow established connections
iptables -t filter -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow ssh from WAN to the box (sorry, that's ssh WAN to LAN)
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT

# Proto_U everything else on outside interface (-input ppp0)
iptables -t filter -A INPUT -i ppp0 -j REJECT --reject-with icmp-proto-unreachable

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
------------8<-------------------------------------------

Basically the same stuff with your USB T-Mobile as my ppp0.
Also I have 2 LANs, .255 and .1 as 3rd octet (192.168.1.0/24 and 192.168.255.0/24),
but one is enough in your case it seems.

HTH!
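An added worked example for the asker's single-LAN topology (this is not code from the message above, nor from the Debian wiki). Where the poster's script appends rules one by one on every if-up and SNATs to a fixed public address, this POSIX shell generator emits an iptables-restore ruleset that is loaded atomically, uses MASQUERADE because a USB hotspot hands the router a changing address, and starts from DROP policies so anything not listed is refused. The interface names (usb0 for the hotspot, eth0 for the LAN), the 192.168.1.0/24 subnet, the Samba ports and the /etc/iptables/rules.v4 path used by the iptables-persistent package are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the list message: build an iptables-restore
# ruleset for "WAN = 4G hotspot on USB, one LAN on Ethernet". Interface
# names and the LAN subnet are assumptions passed in as arguments.

# gen_ruleset WAN_IF LAN_IF LAN_SUBNET  -> prints iptables-restore text
gen_ruleset() {
    wan="$1"; lan="$2"; subnet="$3"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# The hotspot's address changes, so MASQUERADE rather than SNAT to a fixed IP
-A POSTROUTING -s $subnet -o $wan -j MASQUERADE
COMMIT
*filter
# Default deny for traffic to the router and through it; the router may talk out
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Management only from the LAN side (no ssh open on the hotspot interface)
-A INPUT -i $lan -s $subnet -p tcp --dport 22 -j ACCEPT
# Samba for the shared USB disks, LAN only: SMB on 445, legacy NetBIOS 137-139
-A INPUT -i $lan -s $subnet -p tcp --dport 445 -j ACCEPT
-A INPUT -i $lan -s $subnet -p udp --dport 137:138 -j ACCEPT
-A INPUT -i $lan -s $subnet -p tcp --dport 139 -j ACCEPT
# Everything else arriving on the WAN is refused with an ICMP error
-A INPUT -i $wan -j REJECT --reject-with icmp-proto-unreachable
# Forwarding: LAN may open connections to the WAN, replies pass both ways
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $subnet -j ACCEPT
-A FORWARD -i $wan -o $lan -j REJECT
COMMIT
EOF
}

# Sanity check before loading: iptables-restore accepts only table headers,
# chain definitions, rules, comment lines and COMMIT. Returns 0 when every
# line of the given text is one of those.
check_ruleset() {
    ! printf '%s\n' "$1" | grep -Ev '^(\*|:|-A |#|COMMIT$)' | grep -q .
}

# Usage on the router (assumed names; iptables-persistent reloads rules.v4 at boot):
#   gen_ruleset usb0 eth0 192.168.1.0/24 > /etc/iptables/rules.v4
#   iptables-restore < /etc/iptables/rules.v4
#   sysctl -w net.ipv4.ip_forward=1
```

Loading through iptables-restore replaces the whole table in one step, so re-running it after the hotspot reconnects cannot leave stale or duplicated rules behind, and the DROP policies mean a forgotten service on the router is unreachable from the hotspot side by default rather than exposed.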


