The following steps describe the setup process for NethServer with a single interface and a hoster where your public IP address is outside of your subnet. This is common with various hosters like OVH, Hetzner, Webtropia/MyLoc, etc. where you do not get or did not order a whole range of IPs for your server (might also apply to this scenario depending on your hoster).
What you typically get from your hoster in these cases is a <PublicIP> with a 255.255.255.255 netmask and a gateway that is naturally out of reach, as the netmask limits the subnet to a single address. Unfortunately it is currently not possible to set up this configuration from the Cockpit web UI, as it will tell you that this is not a valid network address to configure.
Therefore we need to set the configuration from the CLI, where fewer checks apply. This is still done in a way that does not interfere with making changes via the web UI later on, as we write to the configuration database in the same way the web UI does.
Basic knowledge for this howto
Various settings are set using the “db” command. The commands as documented herein are believed to work correctly with the “Edit” buttons in the web UI later on.
Basically all of the settings covered here consist of the following elements:
Listing can be done using “db <Group> show”.
If a <Property> is missing (a new one might have been introduced after this howto was written), it might be mandatory for the web UI, and its absence might lead to the web UI not working properly. This for example results in “Edit” buttons not working as intended, because the dialog opened by the button is unable to collect all information.
Best practice therefore is to run “db <Table> show” at least after adding settings and check whether already existing <Key>s carry other <Property>s. Please add missing <Property>s logically and according to your best knowledge.
As sexy as a setup with a single interface sounds, please bear in mind that this means that you most likely also expose your web UI (Cockpit) port 9090 (and other ports) to the whole world. If you have the chance for a second NAT interface that can be used as LAN/green connection, you should consider setting up a port forwarding via NAT on a non-standard port to your internal NethServer port 9090 and disabling web UI access from WAN/red interfaces in the settings.
For some simple security measures with a single interface, please refer to the “Hardening your server” section at the end.
Credits and inspiration
1. Start with nethserver-7.8.2003-x86_64.iso (to avoid the missing Rspamd user in nethserver-7.9.2009-x86_64.iso if you ever want it, see the Rspamd configuration page credential error when based on the 7.9.2009 ISO).
2. Configure and test the network before installation (skip to 3. if you do not want to test).
2.1. In the installation menu, set up your network configuration under “NETWORK & HOST NAME” (feel free to set up your keyboard language first).
2.2. Click the “Configure…” button.
2.3. Switch to the “IPv4 Settings” tab.
2.4. Change “Method” to “Manual” and add your <PublicIP> address, netmask and <GatewayForPublicIP> as given by your provider. Typically this will be
Do not mess around with setting up routes unless you know you have to. Typically this will not be used in the final NethServer installation and is not necessary either. Feel free to set up other things like additional DNS servers and your host name (in the main “NETWORK & HOST NAME” dialog after clicking “Save”).
2.5. Test your network connection by setting up “DATE & TIME”.
Set up your region and city and switch on “Network Time” if it is not “ON” already. Click the cogs symbol next to it and check whether at least one of the NTP servers is reachable, shown by a green checkmark. This will let you know that your settings are basically working (they will still not be imported correctly after the setup).
3. Start the NethServer installation.
4. Login as root.
5. Add a green dummy interface, as NethServer seems to require a green interface by all means.
5.1. Find out the name of your physical network interface.
Run “ip addr”; the interface you are looking for is either “eth0” or, on newer systems, something like “ens32”. Let’s assume the name “ens32” for this HowTo.
5.2. Create a new file to load the dummy module with “vi /etc/sysconfig/modules/dummy0.modules” with the following content:
#!/bin/sh
# load the dummy kernel module, then give dummy0 a fixed MAC address
modprobe dummy
exec ip link set dummy0 address 10:00:01:02:03:04
The MAC address “10:00:01:02:03:04” is a reserved private address, so it is safe to use for this purpose.
5.3. Make the script executable and load the module:
“chmod 755 /etc/sysconfig/modules/dummy0.modules”
5.3.1. Check that the module is loaded with “lsmod | grep dummy”. It will now be automatically loaded after a reboot.
5.4. Add and configure the green dummy interface for NethServer. Feel free to use a different Class-C <DummyIP> address instead of “192.168.10.2”, as it is a dummy address anyhow. If you install this on a virtual machine, you should however use a different address for each VM, just in case they see each other, so the addresses do not collide.
“db networks set dummy0 ethernet bootproto none gateway '' ipaddr <DummyIP> netmask 255.255.255.0 role green”
6. Configure the physical interface as PointToPoint WAN/red interface:
6.1. Configure the <PublicIP> for the physical interface:
“db networks setprop ens32 bootproto none gateway '' ipaddr <PublicIP> netmask 255.255.255.255 role red”
6.2. Add the PointToPoint <GatewayForPublicIP> route for the physical interface:
“db routes set default static Description '' Device ens32 Metric 1 Router <GatewayForPublicIP>”
7. Let the e-smith tool rebuild the network config files from the configured database entries:
8. Verify your configuration:
8.1. Check that a route config file has been created: you should find a route file for your interface, such as “route-ens32”.
8.2. Ping a known IP address (so you do not rely on DNS working and other points of potential failure), for example 22.214.171.124 or 126.96.36.199 which are the well known Google DNS addresses.
8.3. Try to access the web UI via your <PublicIP> from your browser:
Hardening your server
In general this boils down to “change your default ports”. While changing the SSH port away from 22 is even mentioned by the web UI as an important action, unfortunately there does not seem to be an easy way to change your web UI port(s) such as 9090. Instead you should use a <BetterPort> that is not known to be assigned to a well-known service that people might scan IP ranges for. Just be creative with your <BetterPort>, e.g. add your favorite 3- or 4-digit number on top of the original port number.
1. Move your SSH port away from the default, easiest done by simply using the web UI.
2. Make the web UI available on a replacement for <DefaultPort> (e.g. 9090 for the web UI) with port forwarding.
NOTE #1: The number/index in the command “db portforward set 1 ...” sets/overwrites your first rule if you already have one. The same of course applies to other indexes as well. Avoid index gaps!
NOTE #2: Do not disable access to the web UI for WAN/red interfaces, as this will effectively block your forwarded port as well, since its source is still a WAN/red interface. This worked with nethserver-7.8.2003-x86_64.iso but breaks after updating to newer versions (maybe intentional, and since it actually is a WAN/red interface, arguably rightly so)!
2.1. Create a replacement port <BetterPort> that internally forwards to your green (dummy) interface:
“db portforward set 1 pf Allow '' Log none OriDst '' status enabled Description 'Cockpit new port' Proto tcp DstHost <DummyIP> Src <BetterPort> Dst <DefaultPort>”
2.1.1. Test that the web UI is now available via “
2.2. Make the <DefaultPort> unusable by forwarding it to a <NonExistingHost>, e.g. 192.168.254.254.
NOTE: Obviously, if you have access to a higher level of firewall, such as a firewall configuration dialog provided by your hoster, you should simply block <DefaultPort> there to potentially save some resources on your server. If there is flooding or a (D)DoS against this port, the (hardware) firewall of your hoster then has to handle the packet storm, not your server.
“db portforward set 2 pf Allow '' Log none OriDst '' status enabled Description 'Cockpit old port' Proto tcp DstHost <NonExistingHost> Src <DefaultPort> Dst <DefaultPort>”
2.2.1. Test that “https://<PublicIP>:9090” is no longer working. The firewall might not kill existing connections immediately, so give it a minute or so to work.
3. Repeat with increased indexes for the entries you create for other services/ports on the WAN/red interface that you want to make available with a non-default port.
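The two checks this howto asks for, looking for <Property>s that other <Key>s of the same type already carry (“Basic knowledge” section) and avoiding index gaps in the port-forwarding rules (NOTE #1), as an added shell example that is not part of the original howto: it parses the text layout of “db <Table> show” from standard input and prints what is missing. The sample db output is constructed; the only assumption is the usual “key=type” line followed by indented “prop=value” lines.

```shell
#!/bin/sh
# Added example: audit the output of "db <Table> show" (NethServer e-smith
# configuration database). Input is read from standard input in the usual
# layout of one "key=type" line followed by indented "prop=value" lines.

# Print "<key> missing <prop>" for every property that other keys of the
# same type carry but this key lacks (empty output means consistent).
db_missing_props() {
    awk '
    /^[^ \t]/ {                     # "key=type": start of a new record
        split($0, kv, "="); key = kv[1]; type = kv[2]
        keytype[key] = type; keys[++n] = key; next
    }
    /^[ \t]+[^ \t]/ {               # "    prop=value": belongs to current key
        sub(/^[ \t]+/, ""); split($0, pv, "=")
        has[key, pv[1]] = 1
        if (!((type, pv[1]) in seen)) {
            seen[type, pv[1]] = 1; props[type] = props[type] " " pv[1]
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            k = keys[i]; m = split(props[keytype[k]], list, " ")
            for (j = 1; j <= m; j++)
                if (!((k, list[j]) in has)) print k " missing " list[j]
        }
    }' | sort
}

# Print "gap at index <n>" for every unused index below the highest one
# (db portforward keys are plain numbers).
db_index_gaps() {
    awk -F= '/^[0-9]+=/ { idx[$1] = 1; if ($1 + 0 > max) max = $1 + 0 }
             END { for (i = 1; i <= max; i++) if (!(i in idx)) print "gap at index " i }'
}

# Constructed sample: the red interface lacks the gateway/netmask properties
# that the green dummy interface has (placeholder addresses, not a real host).
sample_networks() {
    printf 'ens32=ethernet\n    bootproto=none\n    ipaddr=203.0.113.10\n    role=red\n'
    printf 'dummy0=ethernet\n    bootproto=none\n    gateway=\n    ipaddr=192.168.10.2\n'
    printf '    netmask=255.255.255.0\n    role=green\n'
}

# Constructed sample: port-forward rules 1 and 3 exist, index 2 was skipped.
sample_portforward() {
    printf '1=pf\n    Dst=9090\n    Proto=tcp\n3=pf\n    Dst=22\n    Proto=tcp\n'
}

sample_networks | db_missing_props
sample_portforward | db_index_gaps
```

On a real system, pipe the live output in instead of the samples, e.g. “db networks show | db_missing_props”.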