HowTo setup NethServer for public IP with static PointToPoint (255.255.255.255 netmask) gateway

The following steps describe the setup process for NethServer with a single interface and a hoster where your public IP address is outside of your subnet. This is common with various hosters like OVH, Hetzner, Webtropia/MyLoc, etc. where you do not get or did not order a whole range of IPs for your server (might also apply to this scenario depending on your hoster).

What you typically get from your hoster in these cases is a <PublicIP> with a 255.255.255.255 netmask and a gateway that is naturally outside your directly connected range, as the netmask limits it to a single address. Unfortunately it is currently not possible to set up this configuration from the Cockpit web UI, as it will tell you that this is not a valid network address to configure.

Therefore we need to set the configuration from the CLI, where fewer checks are applied. This is still done in a way that does not interfere with the intention of making changes via the web UI later on, as we change the database in the same way the web UI does.

Basic knowledge for this howto

Various settings are set using the “db” command. The commands as documented here are believed to work correctly with the “Edit” buttons in the web UI later on.

Basically all of the settings covered here consist of the following elements:

<Table>
--<Key>=<Type>
----<Property>=<Value>

Listing can be done using “db <Table> show”.

If a <Property> is missing (a new one might have been introduced after this howto was written), it might be mandatory for the web UI, and its absence might lead to the web UI not working properly. This for example results in “Edit” buttons not working as intended, as the dialog opened by the button is unable to collect all the information it needs.

Best practice therefore is to run “db <Table> show” at least after adding settings and check whether already existing <Key>s carry other <Property>s. Please add missing <Property>s logically and according to your best knowledge.

Security considerations

As sexy as a setup with a single interface sounds, please bear in mind that this most likely also exposes your web UI (Cockpit) port 9090 (and other ports) to the whole world. If you have the option of a second, NATed interface that can be used as LAN/green connection, you should consider setting up a port forwarding via NAT from a non-standard port to your internal NethServer port 9090 and disabling web UI access from WAN/red interfaces in the settings.

For some simple security measurements with a single interface, please refer to the “Hardening your server” section at the end.

Credits and inspiration

https://wiki.nethserver.org/doku.php?id=virtual_network_interface

Installation

  1. Installation media
    Start with nethserver-7.8.2003-x86_64.iso (to avoid missing Rspamd user in nethserver-7.9.2009-x86_64.iso if you ever want it, see Rspamd configuration page credential error when based on 7.9.2009 ISO - #2 by capote).

  2. Configure and test the network before installation (skip to 3 if you do not want to test).

    2.1. From the installation menu, set up your network configuration with “NETWORK & HOST NAME” (feel free to set up your keyboard language first).

    2.2. Click the “Configure…” button.

    2.3. Switch to the “IPv4 Settings” tab.

    2.4. Change “Method” to “Manual” and add your <PublicIP> address, netmask and <GatewayForPublicIP> as given by your provider. Typically this will be <PublicIP>, 255.255.255.255, <GatewayForPublicIP>.

    Do not mess around with setting up routes unless you have to and know that you have to. Typically this is not used in the final NethServer installation and is not necessary either. Feel free to set up other things like additional DNS servers and your host name (in the main “NETWORK & HOST NAME” dialog after clicking “Save”).

    2.5. Test your network connection by setting up “DATE & TIME”.
    Set up your region and city and switch on “Network Time” if it is not “ON” already. Click the cogs symbol next to it and check that at least one of the NTP servers is reachable, indicated by a green checkmark. This tells you that your settings are basically working (they will still not be imported correctly after the setup).

  3. Start the NethServer installation.

  4. Login as root.

  5. Add a green dummy interface, as NethServer seems to require a green interface by all means.

    5.1. Find out the name of your physical network interface.
    Execute “ip addr”; the interface you are looking for is either “eth0” or, on newer systems, something like “ens32”. Let’s assume the name “ens32” for this HowTo.

    5.2. Create a new file to load the dummy module with “vi /etc/sysconfig/modules/dummy0.modules” with the following content:

    #!/bin/sh
    /sbin/modprobe dummy
    exec ip link set dummy0 address 10:00:01:02:03:04

    The MAC address “10:00:01:02:03:04” is a reserved private address, so it is safe to use for this purpose.

    5.3. Make the script executable and load the module:

    “chmod 755 /etc/sysconfig/modules/dummy0.modules”
    “modprobe dummy”

    5.3.1. Check that the module is loaded with “lsmod | grep dummy”. It will now be loaded automatically after a reboot.

    5.4. Add and configure the green dummy interface for NethServer. Feel free to use a different Class C <DummyIP> address instead of “192.168.10.2”, as it is a dummy address anyhow. If you install this on a virtual machine, you should however use a different address for each VM, just in case they see each other, so the addresses do not collide.

    “db networks set dummy0 ethernet bootproto none gateway '' ipaddr <DummyIP> netmask 255.255.255.0 role green”

  6. Configure the physical interface as PointToPoint WAN/red interface:

    6.1. Configure the <PublicIP> for the physical interface:

    “db networks setprop ens32 bootproto none gateway '' ipaddr <PublicIP> netmask 255.255.255.255 role red”

    6.2. Add the PointToPoint <GatewayForPublicIP> route for the physical interface:
    “db routes set default static Description '' Device ens32 Metric 1 Router <GatewayForPublicIP>”

  7. Let the e-smith tool rebuild the network config files from the configured database entries:

    “signal-event interface-update”
    “signal-event firewall-adjust”

  8. Verify your configuration:

    8.1. Check that a route config file has been created:

    “ls /etc/sysconfig/network-scripts/”

    You should find a route file for your interface, such as “route-ens32”.

    8.2. Ping a known IP address (so you do not rely on DNS working and other points of potential failure), for example 8.8.8.8 or 8.8.4.4, which are the well known Google DNS addresses.

    8.3. Try to access the web UI via your <PublicIP> from your browser:
    “https://<PublicIP>:9090”
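    As an added check for two points above, not part of the howto: the script below parses the “db <Table> show” format, reports <Property>s an existing <Key> lacks compared with others of the same type (the caveat from the “Basic knowledge” section) and verifies the PointToPoint invariant of steps 6 and 7 (an empty gateway on the /32 red interface, with the gateway carried by the default static route). Both dumps are constructed samples; the RFC 5737 addresses 203.0.113.10 and 203.0.113.1 stand in for <PublicIP> and <GatewayForPublicIP>.

```shell
#!/bin/sh
# Added example (not from the howto): checks on "db networks show" and
# "db routes show" output. Both dumps are constructed samples; 203.0.113.10/.1
# (RFC 5737) stand in for <PublicIP>/<GatewayForPublicIP>.
NETWORKS_SAMPLE='dummy0=ethernet
    bootproto=none
    ipaddr=192.168.10.2
    netmask=255.255.255.0
    role=green
ens32=ethernet
    bootproto=none
    gateway=
    ipaddr=203.0.113.10
    netmask=255.255.255.255
    role=red'
ROUTES_SAMPLE='default=static
    Device=ens32
    Metric=1
    Router=203.0.113.1'
# db_get "<show output>" <key> <property>: print one property value.
db_get() {
    printf '%s\n' "$1" | awk -F= -v k="$2" -v p="$3" '
        /^[^ ]/ { inkey = ($1 == k); next }
        inkey   { sub(/^ +/, ""); if ($1 == p) print $2 }'
}
# db_missing_props "<show output>": print "key property" for every property
# that another key of the same type carries but this key lacks.
db_missing_props() {
    printf '%s\n' "$1" | awk -F= '
        /^[^ ]/ { key = $1; ktype[key] = $2; next }
        { sub(/^ +/, ""); seen[key SUBSEP $1] = 1; props[ktype[key] SUBSEP $1] = 1 }
        END {
            for (k in ktype) for (p in props) {
                split(p, a, SUBSEP)
                if (a[1] == ktype[k] && !((k SUBSEP a[2]) in seen)) print k, a[2]
            }
        }' | sort
}
# check_ptp "<networks>" "<routes>" <iface>: the /32 red interface must have an
# empty gateway; the default static route in the routes table supplies it.
check_ptp() {
    [ "$(db_get "$1" "$3" role)" = red ] || { echo "$3: role is not red"; return 1; }
    [ "$(db_get "$1" "$3" netmask)" = 255.255.255.255 ] || { echo "$3: not a /32"; return 1; }
    [ -z "$(db_get "$1" "$3" gateway)" ] || { echo "$3: gateway must be empty"; return 1; }
    [ "$(db_get "$2" default Device)" = "$3" ] || { echo "default route not on $3"; return 1; }
    [ -n "$(db_get "$2" default Router)" ] || { echo "default route has no Router"; return 1; }
    echo "$3: PointToPoint configuration is consistent"
}
db_missing_props "$NETWORKS_SAMPLE"           # prints: dummy0 gateway
check_ptp "$NETWORKS_SAMPLE" "$ROUTES_SAMPLE" ens32
```

    On a real server, feed it the output of “db networks show” and “db routes show” instead of the samples.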

Hardening your server

In general this boils down to “change your default ports”. While changing the SSH port away from 22 is even mentioned by the web UI as an important action, unfortunately there does not seem to be an easy way to change your web UI port(s) such as 9090. Instead you should use a <BetterPort> that is not known to be assigned to a well known service that people might scan IP ranges for. Just be creative with your <BetterPort>, e.g. add your favorite 3 or 4 digit number on top of the original port number.

  1. Change your SSH port away from 22; this is easiest done via the web UI.

  2. Make the web UI available on <BetterPort> instead of <DefaultPort> (e.g. 9090 for the web UI) with port forwarding.

    NOTE #1: The number/index in the command “db portforward set 1 ...” sets/overwrites your first rule if you already have one. The same of course applies to other indexes as well. Avoid index gaps!

    NOTE #2: Do not disable access to the web UI for WAN/red interfaces as this will effectively block your forwarded port as well, as its source is still a WAN/red interface. This worked with nethserver-7.8.2003-x86_64.iso but breaks after updating to newer versions (maybe intentional and as it actually is a WAN/red interface, arguably right so)!

    2.1. Create a replacement port <BetterPort> that internally forwards to your green (dummy) interface <DefaultPort> 9090:

    “db portforward set 1 pf Allow '' Log none OriDst '' status enabled Description 'Cockpit new port' Proto tcp DstHost <DummyIP> Src <BetterPort> Dst <DefaultPort>”
    “signal-event firewall-adjust”

    2.1.1. Test that the web UI is now available via “https://<PublicIP>:<BetterPort>”.

    2.2. Make the <DefaultPort> unusable by forwarding it to a <NonExistingHost>, e.g. 192.168.254.254.

    NOTE: Obviously, if you have access to a higher level of firewall, such as a firewall configuration dialog provided by your hoster, you should simply block <DefaultPort> there to potentially save some resources on your server. If there is flooding or a (D)DoS against this port, the (hardware) firewall of your hoster has to handle the packet storm, not your server.

    “db portforward set 2 pf Allow '' Log none OriDst '' status enabled Description 'Cockpit old port' Proto tcp DstHost <NonExistingHost> Src <DefaultPort> Dst <DefaultPort>”
    “signal-event firewall-adjust”

    2.2.1. Test that “https://<PublicIP>:9090” is no longer working. The firewall might not kill existing connections immediately, so give it a minute or so to work.

  3. Repeat with increased indexes for the entries you create for other services/ports on the WAN/red interface that you want to make available with a non-default port.
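  The following check is an added example, not part of the howto: it validates a “db portforward show” dump against NOTE #1 (no index gaps) and flags two rules competing for the same Src port, which would shadow each other. The dump is a constructed sample with 12345 standing in for <BetterPort> and 192.168.10.2 for <DummyIP>.

```shell
#!/bin/sh
# Added example (not from the howto): sanity checks for the "db portforward"
# table built in steps 2.1/2.2. PF_SAMPLE is a constructed "db portforward show"
# dump; 12345 stands in for <BetterPort>, 192.168.10.2 for <DummyIP>.
PF_SAMPLE='1=pf
    Allow=
    Description=Cockpit new port
    Dst=9090
    DstHost=192.168.10.2
    Log=none
    OriDst=
    Proto=tcp
    Src=12345
    status=enabled
2=pf
    Allow=
    Description=Cockpit old port
    Dst=9090
    DstHost=192.168.254.254
    Log=none
    OriDst=
    Proto=tcp
    Src=9090
    status=enabled'

# pf_check "<show output>": rule indexes must run 1..N without gaps (NOTE #1)
# and no two rules may listen on the same Src port. Prints one line per
# problem found and returns 1 if there was any.
pf_check() {
    printf '%s\n' "$1" | awk -F= '
        BEGIN { bad = 0 }
        /^[^ ]/ { idx = $1; keys[idx] = 1; n++; next }
        { sub(/^ +/, "") }
        $1 == "Src" {
            if ($2 in src) { print "duplicate Src port " $2 " in rules " src[$2] " and " idx; bad = 1 }
            src[$2] = idx
        }
        END {
            for (i = 1; i <= n; i++) if (!(i in keys)) { print "index gap: no rule " i; bad = 1 }
            exit bad
        }'
}

pf_check "$PF_SAMPLE" && echo "portforward table looks sane"
```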

End
