Home file and minecraft server
Hello everyone,
I've been using Linux in VMs for a few years, but I'd like to set up a 24-hour box to run in a corner. As I've been planning this, I keep expanding what I want it to do, which is how I usually run into trouble. My searches have all involved problems more advanced than mine, so I'm sorry that I'm starting from scratch.

My goals are: home file server to stream movies and music to Windows boxes, laptops, Xboxes, etc.; power efficient distro; secure distro; Minecraft server accessible from the internet as well if possible (only 1-5 people at a time, and rarely).

What I know: I'll be using a decent 65W Sandy Bridge Pentium chip (G860), 8 GB of DDR3, and booting off a smallish performance SSD (30 GB Intel 525 series). I'll be attaching a 2TB disk for the data, and will be creating a RAM disk for Minecraft.

What I don't know: I've been reading the forum results for Minecraft and home servers and have learned a lot already, but I have a few specific, and probably ignorant, questions.
1: Is any distro going to make much of a difference in terms of energy use? Electricity here is almost $.2/kW/hr, which is why I'm using a low power CPU and SSD, and letting the 2TB sleep when not in use.
2: With sufficient effort and research on my part, any distro is equally safe and secure, correct?
3: I hate to ask opinion questions, but I am. Should I aim for a well documented distro like Ubuntu Server, that is easily used for file sharing, and adapt it for Minecraft as well, OR should I use a Minecraft distro and adapt it for file sharing, OR should I use XYZ instead and learn a little bit more along the way? I have heard many people mentioning Debian, which I have played with very briefly, and CentOS, that I have not.
4: What don't I know? Besides what I asked, what do I need to do to have an always on, but power efficient server in the corner? I want it to update automatically, with a minimum of intervention. Tell me whatever you think I might not know, or have overlooked please.

Thanks in advance guys, you've always helped me with stupid projects before. Special thanks to whoever introduced me to Gparted years ago :)
Code:
*filter
Code:
# systemd uses 'targets' instead of runlevels. By default, there are two main targets:

Other things to consider

It depends on how much you want to do and how complicated you want to get. I have all of those implemented on my file sharing server and more. It's more of a one stop shop of everything hackery for me. Granted a lot of the software I mentioned for you at the end is designed for handling hundreds and thousands of systems simultaneously but they work well for one system. I use them for my system at home.

SAM
Re: Support lives for RHEL/CentOS
Note that CentOS only keeps up with the latest version, e.g. 6.3 is currently available, but 6.2 is now 'vaulted'.
Sam, that was great, thanks a bunch. I will be setting up Ubuntu Server in a VM and playing with some of the tools and software you mentioned, and moving it to the hardware when I have it. I totally agree about security being a process, not a destination, but I'm only knowledgeable with Windows security. I was thinking about going headless just for the energy savings, but I think I'm already cutting out a few weeks or months of work for myself. So, I'll stick with a GUI for now. I appreciate all the help, and I'll be tweaking my VM and asking questions as I go.
Thanks again!
I've looked into CentOS, and RHEL by default, Debian, and Ubuntu Server now. The last few days have had me googling the crap out of the internet. Thanks again for all of the leads so far, I'm having a blast giving myself a shock course in Linux! I've settled on Ubuntu Server as my home file system, at least for now. I'll be using a GUI at first, even if I mostly use a terminal for editing settings, and I like the safety net of being able to point and click instead of staring at a cursor waiting for my input. I've installed a Samba server on an Ubuntu VM, and started learning about iptables thanks to what you posted.
I want to set up this server to do two things:
1 - serve music, picture and video files to my home network (specifically my subnet? still learning the terms and going to community college at night) and deny all other connections from my network except eventually an SSH or equivalent from one 'whitelisted' MAC/IP address (mine), and
2 - allow connections from the internet to play Minecraft and do nothing else.
So, I want to stop anyone not on the network from trying to administer the server or accessing files, and I want to stop anyone not physically using my computer from doing so as well. iptables seems like a start for broadly separating the two groups, on the network vs from the internet, but how do I include a MAC address filter? I'm sorry if I'm asking things poorly, I'm only used to Windows terminology, and not well either. Oh, lastly, should I move this to the Server Forum? I've checked there, and they seem loads more advanced than I am, but I don't want to clog the Newbie forum either.
I assume your network is set up like so...

filesharing Linux server -> <home network 192.168.10.x> -> wireless router -> ISP modem/cable

That being the case there isn't necessarily a need for my 192.168.10.0/24 restrictions since your system is protected behind the NAT of your router. However it is protected against the router port forwarding services that you don't want to be public. As far as accessing a service such as SSH over a single port just change the -s (source) value to an IP address instead of a range.
Code:
-A INPUT -p tcp -s 192.168.10.25 -m state --state NEW -m tcp --dport 22 -j ACCEPT

Also, read the man page for iptables (terminal).
Code:
man iptables

SAM
How can I automatically update the server?
A quick update: I've learned a ton about iptables and I've installed and configured ufw. I'm not completely comfortable with ufw yet, and trying to parse that many rules in order to understand the outcome has taken a while. I've installed and configured the Samba service on Ubuntu, accessed it from a Windows machine, and messed with the permissions. I've tested it by writing to the Ubuntu Server from Win7, and then editing that file back in Ubuntu. Success! I still have to tweak ufw to work with Samba, but you've already given me everything I need to do that myself.
A few questions, as usual. I'll try to be succinct and make my thoughts discrete and not a long narrative.
1: How can I automatically make Ubuntu run apt-get update and apt-get install routinely? Some sort of script that starts with Ubuntu?
2: Are those even the best commands to keep my entire system up to date in one fell swoop?
3: How do I then restart the computer, say at 4:30AM every Wednesday? (or is that even necessary? I'm seeing that the Linux kernel is abstracted from services and thus immune to the Windowsesque decay that running processes cause) I do NOT want to update the kernel, just whatever services I have installed.
One more thing
Thanks so much for the iptables starter you gave me, the specific examples and commenting was what made the difference between reading a man page and understanding the usage. The Samba line was the aha moment for me, and the rest has been much easier. I'm really liking how modular Linux is.
Iptables
So, I didn't even realize that you had 100% tailored those iptables rules to what I had described to you. I started writing my own iptables rules from scratch, and kept referencing yours, and then I started to see the patterns :) Thanks a million for the effort that went into that.
The helpful article you had linked me to on Minecraft port forwarding is one that I had read back when I was running my server on my Windows box. Now that I'm making an Ubuntu box though, the forwarding I set up on my modem and router will apply just as well. My Windows machine has an overclocked 2500k, whereas the Ubuntu server is only going to get a Pentium G860, when and if I get a tax return, which is part of the electricity saving process. As I understand the code you gave me:
Code:
What you wrote (mostly intact) | My interpretation
*filter is the default table. See the iptables man page (man iptables and search for filter with /). The COMMIT keyword tells iptables it should commit all rules currently in the pipeline to the kernel. If a commit is never executed then the specified rules will never be active.
You should only use a # (hash comment) at the beginning of a line. I don't know how iptables will behave adding it to the end of a rule (probably poorly). Also, you have comments listed that don't start with # when you're talking about adding the -m mac. I don't know if those are your actual rules or you were just demonstrating the change you were going to make. In that case just post your actual changes; I'll be able to tell where you changed it. If you want to add comments as part of the rule then I recommend the comment module.
Code:
... -m comment --comment "my local LAN" ...

This should work:
Code:
-A INPUT -p tcp -s 192.168.10.0/24 -m state --state NEW -m mac --mac-source MY:MAC:HERE -m tcp --dport 22 -j ACCEPT
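The pieces in this thread (the *filter table and COMMIT, a source-restricted SSH rule, the -m mac match and the comment module) add up to one small ruleset. The script below is an added example, not SAM's or the original poster's rules: it prints a complete file in the iptables-save format that `iptables-restore < /etc/iptables.rules` loads, for the design described above (Samba from the LAN only, SSH from one admin box only, Minecraft from anywhere). The LAN range and admin IP follow the thread; the placeholder MAC, the Samba ports (137-138/udp, 139/tcp, 445/tcp) and the Minecraft default port 25565/tcp are assumptions to adjust, and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: build the complete ruleset the
# thread's pieces add up to, in the iptables-save format that
# "iptables-restore < /etc/iptables.rules" loads.
# Assumptions (all adjustable): LAN is 192.168.10.0/24, the admin workstation is
# 192.168.10.25 with the placeholder MAC MY:MAC:HERE, Samba uses its standard
# ports (137-138/udp, 139 and 445/tcp), Minecraft uses its default 25565/tcp.

LAN="192.168.10.0/24"
ADMIN_IP="192.168.10.25"
ADMIN_MAC="MY:MAC:HERE"      # placeholder: replace with the real address
MC_PORT="25565"

# Print the ruleset. Rules are evaluated top to bottom and the first match
# wins, so the loopback and RELATED,ESTABLISHED accepts come first and the
# DROP policy on INPUT catches whatever no rule accepted.
generate_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -m comment --comment "loopback" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p udp -s $LAN -m udp --dport 137:138 -m comment --comment "Samba name service, LAN only" -j ACCEPT
-A INPUT -p tcp -s $LAN -m state --state NEW -m tcp --dport 139 -m comment --comment "Samba, LAN only" -j ACCEPT
-A INPUT -p tcp -s $LAN -m state --state NEW -m tcp --dport 445 -m comment --comment "Samba, LAN only" -j ACCEPT
-A INPUT -p tcp -s $ADMIN_IP -m state --state NEW -m mac --mac-source $ADMIN_MAC -m tcp --dport 22 -m comment --comment "SSH, admin workstation only" -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport $MC_PORT -m comment --comment "Minecraft, public via router port forward" -j ACCEPT
COMMIT
EOF
}

# Write the ruleset to a file so it can be reviewed before loading it.
write_rules() {
    generate_rules > "$1"
}

# Count the ACCEPT rules that are restricted to the LAN (a quick sanity check
# that nothing meant to be LAN-only lost its -s restriction).
lan_only_rule_count() {
    generate_rules | grep -c -- "-s $LAN .*-j ACCEPT"
}

# Run stand-alone: print the ruleset so it can be redirected to a file.
generate_rules
```

Two caveats on the -m mac rule: the MAC iptables sees is that of the last hop, so it only means anything for hosts on the same Ethernet segment (a packet forwarded by the router carries the router's MAC), and on the LAN a MAC address is trivially changed, so treat it as a convenience filter on top of SSH key authentication rather than as authentication itself. If ufw is also installed, remember that it manages its own chains; loading a hand-written file next to it needs care or you end up with two competing rulesets.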
Problem with starting Iptables on Bootup
When Ubuntu boots now, I can't see it on the network. If I disable the iptables I can see it fine though. Which part of this iptables did I screw up?
Code:
# Generated by iptables-save v1.4.12 on Sun Feb 24 11:30:47 2013

Code:
auto eth0

Also: I've been editing in vim and it's showing colors strangely. It won't always show a commented line as blue, for instance, and I can't find the answers on Google ANYWHERE.
Code:
iptables -F

Code:
iptables -L

Code:
iptables-restore < /etc/iptables.rules

Code:
man iptables

You could use tcpdump (similar to Wireshark for analyzing network traffic on an interface) to troubleshoot how and what applications are trying to communicate outbound. Then you can start designing a set of rules for what applications should be able to communicate. So first get rid of OUTPUT rules and work from there. Remember to use the quick shortcuts I gave you earlier for flushing and restoring the rules so you're not restarting the system a lot; it will save you time.
Found the problem
I found the rule that is causing the problem, a global deny outgoing rule. I checked iptables -L and it comes after all of the other rules, so I'm not sure why it's not working. Anyway, I've disabled it for now, until I can figure out which services to explicitly allow out before it is executed. Thanks for the flush and update hints, those save about a minute each time, multiplied by a million times lol.
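Because iptables stops at the first matching rule, a global deny at the end of OUTPUT still drops every outbound packet that no rule above it accepted, and that includes the reply packets of services allowed inbound (Samba, SSH, Minecraft) unless an OUTPUT rule accepts RELATED,ESTABLISHED traffic before the drop. The script below is an added example, not code from the thread: it reads rules in iptables-save format and flags a chain whose unrestricted DROP (or DROP policy) has no stateful accept ahead of it. The two rulesets it runs over are constructed for the demonstration, and check_chain, broken_rules and fixed_rules are names of my own.

```shell
#!/bin/sh
# Added example, not from the thread: a checker for the ordering mistake behind
# a "global deny outgoing" rule that still breaks things. iptables evaluates a
# chain top to bottom and stops at the first match, so an unrestricted "-j DROP"
# at the end (or a DROP policy) is only safe when an earlier rule accepts the
# RELATED,ESTABLISHED traffic that every open connection produces.
# Input: rules in iptables-save format on stdin (e.g. iptables-save | ...).

# check_chain CHAIN: prints "ok: CHAIN" or "unsafe: CHAIN", returns 0 or 1.
check_chain() {
    awk -v chain="$1" '
        # A DROP policy line such as ":OUTPUT DROP [0:0]"
        $1 == (":" chain) && $2 == "DROP" { policy_drop = 1 }
        $1 == "-A" && $2 == chain {
            n++
            # position of a general stateful accept (no port/address restriction)
            if ($0 ~ /-j ACCEPT/ && $0 ~ /--state [A-Z,]*ESTABLISHED/ && $0 !~ /--dport|-s |-d /) state_ok = n
            # position of an unrestricted terminal drop (no protocol, address, port or state match)
            if ($0 ~ /-j (DROP|REJECT)/ && $0 !~ /-p |-s |-d |--dport|--state/) final_drop = n
        }
        END {
            # a DROP policy only matters once the chain actually has rules
            if ((final_drop || (policy_drop && n > 0)) && !state_ok) { print "unsafe: " chain; exit 1 }
            # a stateful accept placed after the drop is never reached
            if (final_drop && state_ok > final_drop) { print "unsafe: " chain; exit 1 }
            print "ok: " chain
        }'
}

# Constructed sample (not from the thread): the OUTPUT chain ends in a global
# DROP but nothing above it accepts established connections, so replies of the
# inbound-allowed Samba service are dropped on the way out.
broken_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s 192.168.10.0/24 -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -j DROP
COMMIT
EOF
}

# Constructed sample: same policy, but established traffic is accepted before
# the explicit allows (DNS, HTTP/HTTPS for apt) and the final drop.
fixed_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s 192.168.10.0/24 -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A OUTPUT -j DROP
COMMIT
EOF
}

# Run stand-alone: report both constructed rulesets for every built-in chain.
for chain in INPUT FORWARD OUTPUT; do
    echo "broken: $(broken_rules | check_chain "$chain")"
    echo "fixed:  $(fixed_rules | check_chain "$chain")"
done
```

To check the live ruleset, source the file and run `iptables-save | check_chain OUTPUT`. The check is one heuristic for one class of mistake; SAM's tcpdump advice is still how you find out which outbound services need their own allow rule before the final drop.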
Thanks a ton Sag47, I'm going to start a thread in the security forum to work specifically on the firewall rules that I need to develop. I particularly appreciate how detailed you've been with your answers, and how many problems you've worked me through in the last week. I already love Ubuntu more than I can say, and I've been a dedicated Windows fan for a long time.
Cool, enjoy!