LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 05-02-2007, 09:55 PM   #1
cyberfan
LQ Newbie
 
Registered: May 2007
Posts: 2

Rep: Reputation: 0
Moving server behind router... Newbie needs help!


Greetings,

I am moving my server from an ISP to my home and putting it behind a Linksys WRT54GL Router. I know just enough LINUX to be dangerous (to myself and the server).

My Server:
A small, self-contained WEB / MAIL / DNS Server. No VPN. Not networked with anything else. Very simple.

>> Linux bigblue 2.2.26-ow1-hap1

HERE IS MY PLAN OF ATTACK:

>> Step 1 <<
Go to the Windoz PC I currently have running on my LAN and do an "ipconfig /all" and get the SUBNETMASK, GATEWAY and DNS Addresses.

>> Step 2 <<
Go into the router and set up PORT FORWARDING to the LINUX Server, for the following ports: 22, 23, 25, 53, 80, 443, 8080

>> Are there any other PORTS I should be worrying about?
>> Is there a command I can run to see what PORTS are open on my server right now, before I disconnect from the ISP?

>> Step 3 <<
Go into the LINUX Server and change all of the references of the Current IP Address... to the new Internal LAN IP Address. Is the process that straightforward??? Change every reference to the current IP address, to the new IP Address, and the thing will come up working like a champ???

>> Is there a command that I can run, like "net configure" / "net config" / "net reconfig" / or something like that, to be able to make this seamless and change the IP / Subnetmask / Gateway and DNS Addresses in all of the important spots??? Or do I have to run a "grep -r" and look for all of the instances of the OLD IP Address and replace it with the NEW Internal IP Address?

This is the one that scares me the most... Where are all of the spots I will have to change to the Internal LAN IP Address, to get this thing to do DNS / WEB / MAIL again. With the least amount of headache.

Thanks in advance!

JK///
Cyberfan
 
Old 05-02-2007, 11:02 PM   #2
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
<step 1>
Yes, this is fine. For servers, you want to use a fixed IP address and not one assigned automatically by DHCP. If you run your own DHCP server for the Lan, you can configure it to supply some things dynamically and the IP address from an entry in the configuration.
<step 2>
Quote:
Go into the router and set up PORT FORWARDING to the LINUX Server, for the following ports: 22, 23, 25, 53, 80, 443, 8080
Port 22 is for ssh. Make sure to disallow root logins, add allowed users to "allow users", and only use the ssh-2 protocol.
Port 23 is for telnet. Close this port and uninstall the service if it exists.

Quote:
Is there a command I can run to see what PORTS are open on my server right now, before I disconnect from the ISP?
You should configure the server and the firewall and router before connecting to the internet. The router config should contain the IP supplied values. Anyway you already recorded this information. You can use the "nmap" program from another host to check which ports are open. You can go to the grc.com website to see which ports are open at the router.

<step 3>
Which distro are you running?
Most distros have a GUI networking -> network devices configuration tool to enter the IP, mask, gateway, nameserver address, etc. On SuSE, this info is stored in /etc/sysconfig/network/ifcfg-eth0 for the eth0 device. So another thing to do is simply to edit this file. On SuSE and other distros the skeleton ifcfg- file is well commented.

Ideally, a DNS server inside the LAN should just reference hosts inside the LAN. A DNS server referencing internet domains should be located outside the LAN, or use the ISP's dns servers. If a DMZ DNS server itself needs an address in the LAN, that should be in /etc/hosts instead. Then it won't serve up that address as a result of a search.
This is a topic of the book "Firewalls and Internet Security" http://www.wilyhacker.com/1e/

An internet Web server should be in the DMZ. It is even possible to place the server inside the edge router and use a NAT router for the LAN. There was a pdf article on this on the GRC.com security now website.
If it is connected to both the internet and the LAN, use two interfaces and have a tighter firewall setup on the outside zone.

Last edited by jschiwal; 05-02-2007 at 11:05 PM.
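
The SSH and telnet advice in post #2, turned into a check (an added example, not part of either poster's message): it reads an sshd_config and reports which of the three SSH points are unmet, and flags port 23 in the forward list from post #1. The function names, finding labels and sample configs are constructed for illustration; a missing Protocol line is treated as a finding because OpenSSH releases of that era allowed protocol 1 by default.

```shell
#!/bin/sh
# Added example: audit sshd_config against the SSH advice in post #2.
# first_value KEY FILE: print the first uncommented value of KEY
# (sshd uses the first occurrence; keywords are case-insensitive).
first_value() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$2"
}

# audit_sshd FILE: print the unmet points, space-separated (empty if none).
audit_sshd() {
    findings=""
    [ "$(first_value PermitRootLogin "$1")" = "no" ] || findings="$findings root-login"
    [ -n "$(first_value AllowUsers "$1")" ] || findings="$findings no-allowusers"
    [ "$(first_value Protocol "$1")" = "2" ] || findings="$findings protocol"
    echo "${findings# }"
}

# check_forwards "22, 23, ...": print drop-23 if telnet is being forwarded.
check_forwards() {
    for p in $(echo "$1" | tr ',' ' '); do
        if [ "$p" = "23" ]; then echo "drop-23"; return 0; fi
    done
    echo "ok"
}

# Constructed sample configs (not taken from the thread).
weak=$(mktemp); hard=$(mktemp)
trap 'rm -f "$weak" "$hard"' EXIT
cat > "$weak" <<'EOF'
# constructed sample: before hardening
Port 22
Protocol 2,1
PermitRootLogin yes
EOF
cat > "$hard" <<'EOF'
# constructed sample: after hardening
Port 22
Protocol 2
PermitRootLogin no
AllowUsers jk
EOF
echo "weak:     $(audit_sshd "$weak")"
echo "hardened: $(audit_sshd "$hard")"
echo "forwards: $(check_forwards "22, 23, 25, 53, 80, 443, 8080")"
```

On a real server, point audit_sshd at the actual config file (commonly /etc/ssh/sshd_config) and restart sshd after editing it.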
 
Old 05-03-2007, 05:38 PM   #3
cyberfan
LQ Newbie
 
Registered: May 2007
Posts: 2

Original Poster
Rep: Reputation: 0
Thanks!

I'll do more investigation...

JK///
Cyberfan
 
  

