
How I would install Ubuntu Server 20.04 LTS for home use

Scenario / user requirements:

This is the network as I would like to have it:

  • [X] are hosts/devices.
  • {X} are networks/clouds.
  • ==> are bidirectional links/cables of some sort.
  • Workstations are any number of LAN-connected devices/computers/hosts in your home or SOHO.
  • LAN is the local private network. I don't want my ISP to sniff around here or learn how many devices I have. It uses a self-defined private IPv6 range (a ULA) like fd00:dead:beef:affe::/64.
  • LINUX SERVER is a plain Linux PC with TWO network interfaces.
  • DMZ is the untrusted “transfer network” or “demilitarized zone” between my Linux server and the cable router to the ISP. It is not yet the open internet, but it may contain hosts and services that are exposed to the internet. The ISP assigned the /64 IPv6 prefix 2a02:xxxx:xxxx:xxxx::/64 to me, and since I don't want them to dictate which addresses I use inside my networks, I use the assigned prefix with my own node address 2a02:xxxx:xxxx:xxxx:dead:beef:affe:20/64 for the Linux server on the DMZ side. Note: 'dead beef' is just a hexadecimal number, not a word; it can be any hex number.
  • “ISP router” in my case is a “Vodafone Station” a.k.a. ARRIS cable router in a DS-Lite (dual-stack lite) configuration, i.e. IPv4 goes through carrier-grade NAT at the ISP and only IPv6 is reachable from outside. The ISP provides an artificially crippled router without any real control over anything on your network: no IPv6 DHCP, no control over the “IPv6 firewall” or “port filtering”, nothing. You can disable the router's firewall temporarily for about 24 h, after which it is re-enabled by force without your consent.
  • “Internet” is any network beyond the cable router.

[workstations]==>{LAN}==>[LINUX SERVER]==>{DMZ}==>[ISP router]==>{Internet}

UBUNTU Server base installation:

  1. Boot from the Ubuntu Server 20.04 LTS ISO on DVD or USB stick. Make sure you have a single fast, unused SSD for /boot and the root filesystem /.
    1. Use the whole disk (SSD) and the default filesystem.
    2. Make sure /boot has no less than 1 GB of space.
  2. Use a manual (fixed IP) network configuration for servers right from the beginning.
  3. Install updates as soon as possible:
    sudo apt update && sudo apt upgrade -y && sudo reboot
  4. Install generic useful tools early:
    apt install -y ethtool bridge-utils net-tools vim nmap atop htop iftop iotop lvm2 tmux screenfetch firefox
  5. Edit the bootloader config for “grub”: disable the graphical boot modes and make it human readable. Later assignments in /etc/default/grub override earlier ones, so appending is enough. Dropping “quiet splash” from the kernel command line is what makes the boot messages visible; “noquiet nosplash” are not real kernel parameters (the kernel silently passes unknown ones on to init), so the variable is simply set to an empty string:
    cat << EOF >> /etc/default/grub
    GRUB_TIMEOUT_STYLE=menu
    GRUB_TERMINAL=console
    GRUB_TIMEOUT=3
    GRUB_CMDLINE_LINUX_DEFAULT=""
    EOF
    update-grub
  6. Show screenfetch on every console login prompt. /etc/issue is rendered by agetty, and \l (tty name) and \n (hostname) are agetty escapes that must end up in the file literally. cron runs its jobs with /bin/sh (dash on Ubuntu), whose builtin echo turns \n into a newline, so a small hourly script using printf is used instead of an every-minute one-liner in /etc/crontab (-N strips the colour codes, which agetty would otherwise print verbatim):
    cat << EOF > /etc/cron.hourly/screenfetch-issue
    #!/bin/sh
    # regenerate the console banner; \l and \n are agetty escapes, printf %s keeps them literal
    { printf '%s\n' '\l \n'; screenfetch -N; } > /etc/issue
    EOF
    chmod 0755 /etc/cron.hourly/screenfetch-issue
  7. Set up the preferred console font and, most important, the font size, so humans can conveniently read the console without a magnifier:
    cat << EOF > /etc/default/console-setup
    # CONFIGURATION FILE FOR SETUPCON
    
    # Consult the console-setup(5) manual page.
    
    ACTIVE_CONSOLES="/dev/tty[1-6]"
    
    CHARMAP="UTF-8"
    
    CODESET="guess"
    FONTFACE="Terminus"
    FONTSIZE="14x28"
    
    VIDEOMODE=
    EOF
    setupcon
  8. Set up the network interfaces and IP addresses. This server is supposed to work as a router/firewall, so it has multiple interfaces. Your interface names may differ, and so will the “transfer net” IP addresses, i.e. the net between our server's internet NIC and the ISP's black-box router. Watch the indentation: it is significant in YAML files! The WAN side (enp5s8) gets static addresses and ignores router advertisements, the LAN NIC (enp1s0) is enslaved to the bridge br0 which carries the LAN addresses, and both sides use the server's own bind (::1) as resolver. gateway4/gateway6 still work on 20.04 but are deprecated in newer netplan releases in favour of a routes: list; if LAN clients take about 15 s to get a working link after plugging in, add parameters: stp: false under br0:
    cat << EOF > /etc/netplan/55-manual-net-config.yaml
    network:
      version: 2
      ethernets:
        enp5s8:
          addresses:
          - 192.168.178.20/24
          - 2a02:xxxx:xxxx:xxxx:dead:beef:affe:20/64
          - fe80::dead:beef:affe:20/64
          gateway4: 192.168.178.1
          gateway6: 2a02:xxxx:xxxx:xxxx::1
          ipv6-privacy: true
          accept-ra: false
          nameservers:
            addresses:
            - ::1
            search:
            - lan
        enp1s0:
          dhcp4: false
          dhcp6: false
        usb0:
          dhcp6: true
          dhcp4: true
      bridges:
        br0:
          addresses:
          - 192.168.0.1/24
          - fd00:dead:beef:affe::1/64
          dhcp4: false
          dhcp6: false
          interfaces:
          - enp1s0
          nameservers:
            addresses:
            - ::1
            search:
            - lan
    EOF
    netplan apply
  9. Configure the SSH daemon so it uses a non-standard port on all interfaces (WAN) and port 22 only on loopback and the LAN addresses. Once ListenAddress lines carry explicit ports, the Port directive no longer applies to them. Moving the port only cuts log noise from scanners; it is no substitute for key-only logins (PasswordAuthentication no) and a firewall rule on the WAN side. Check the config before restarting, because a broken sshd_config locks you out:
    cat << EOF >> /etc/ssh/sshd_config
    ListenAddress 0.0.0.0:33333
    ListenAddress [::]:33333
    ListenAddress [::1]:22
    ListenAddress 127.0.0.1:22
    ListenAddress [fd00:dead:beef:affe::1]:22
    ListenAddress 192.168.0.1:22
    EOF
    sshd -t && systemctl restart ssh

DHCP server installation and configuration for ipv4 and ipv6:

  1. Install the dhcp server:
    apt install -y isc-dhcp-server
  2. IPv4 configuration file. Three things to know about it: a fixed-address given as a hostname is resolved when dhcpd parses its config, so the names below must already resolve (named up and serving the lan zone) or dhcpd refuses to start; literal addresses avoid that ordering dependency. update-conflict-detection off disables the DHCID check, so a client that sends a hostname another host already owns can have that name's records repointed to itself; leave it on unless you have a reason not to. The key block must match the one in named.conf.local exactly (name, algorithm, secret) or every DDNS update is refused; hmac-md5 is deprecated, generate an hmac-sha256 key with tsig-keygen and use the same stanza in both files:
    # IPv4 DHCP only
    cat << EOF > /etc/dhcp/dhcpd.conf
    server-name "freiburg.lan" ;
    ddns-update-style interim;
    ddns-updates on;
    update-static-leases on;
    option T150 code 150 = string;
    authoritative;
    update-optimization off;
    update-conflict-detection off;
    
    
    # option definitions common to all supported networks...
    option domain-name "lan";
    option domain-search "lan";
    option domain-name-servers 192.168.0.1;
    ddns-domainname "lan";
    default-lease-time 36000;
    max-lease-time 86400;
    
    ######################
    
    subnet 192.168.0.0 netmask 255.255.255.0 {
      range 192.168.0.50 192.168.0.99;
      option broadcast-address 192.168.0.255;
      option routers 192.168.0.1;
    }
    
    
    ######################
    # HOST DEFINITIONS
    ######################
    
    ######################
    host hpcplj1525n {
      hardware ethernet 44:44:44:44:44:44;
      fixed-address printer-hpcplj1525n.lan;
    }
    ######################
    host tv-panasonic-sz {
      hardware ethernet 00:00:11:11:11:11;
      fixed-address tv-panasonic-sz.lan;
    }
    ######################
    host wlan-pl-ap-sz {
      hardware ethernet 00:00:00:00:00:00;
      fixed-address wlan-pl-ap-sz.lan;
    }
    ######################
    
    key rndc-key {
    	algorithm hmac-md5;
    	secret xxxxxxxxx;
    };
    
    
    zone lan. {
    	primary 127.0.0.1; 
    	key rndc-key ; 
    }
    
    zone 0.168.192.in-addr.arpa. {
    	primary 127.0.0.1; 
    	key rndc-key ; 
    }
    
    
    EOF
  3. FIXME: this does not yet configure Ubuntu clients automatically, only if they are forced to use DHCPv6. Clients only send DHCPv6 requests when a Router Advertisement with the M (managed) flag tells them to, and nothing on br0 sends RAs yet. FIXME IPv6 configuration file:
    cat << EOF > /etc/dhcp/dhcpd6.conf
    # FIXME TESTING 
    # FIXME : enable dyndns for ipv6 zone/clients
    # FIXME : make ubuntu clients accept this server as IP source out of the box
    # FIXME : add reverse lookup zone
    #
    server-name "freiburg.lan" ;
    ddns-update-style interim;
    ddns-updates on;
    update-static-leases on;
    option T150 code 150 = string;
    authoritative;
    update-optimization off;
    update-conflict-detection off;
    default-lease-time 2592000;
    preferred-lifetime 604800;
    option dhcp-renewal-time 3600;
    option dhcp-rebinding-time 7200;
    allow leasequery;
    option dhcp6.name-servers fd00:dead:beef:affe::1;
    option dhcp6.domain-search "lan";
    ddns-domainname "lan";
    option dhcp6.preference 255;
    option dhcp6.info-refresh-time 21600;
    subnet6 fd00:dead:beef:affe::/64 {
    	range6 fd00:dead:beef:affe::50 fd00:dead:beef:affe::ff;
    }
    
    
    EOF
  4. Bind DHCP Servers to the LAN interfaces only:
    cat << EOF > /etc/default/isc-dhcp-server
    # Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)
    
    # Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
    #DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
    #DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
    
    # Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
    #DHCPDv4_PID=/var/run/dhcpd.pid
    #DHCPDv6_PID=/var/run/dhcpd6.pid
    
    # Additional options to start dhcpd with.
    #	Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
    #OPTIONS=""
    
    # On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
    #	Separate multiple interfaces with spaces, e.g. "eth0 eth1".
    INTERFACESv4="br0"
    INTERFACESv6="br0"
    
    EOF
  5. Restart DHCP daemons:
    systemctl restart isc-dhcp-server
    systemctl restart isc-dhcp-server6

DNS Server installation and configuration:

  1. Install bind9 DNS Server:
    apt install -y bind9
  2. Make sure bind9/named only serves on LAN interfaces/IP addresses, AND configure the remote DNS servers we forward to. This replaces the distribution's named.conf.options, so the dnssec-validation auto; line Ubuntu ships by default is gone; add it back unless you deliberately want no DNSSEC validation. listen-on/listen-on-v6 restrict which addresses named binds, which is what keeps it from being an open resolver on the DMZ side:
    /etc/bind/named.conf.options
    options {
    	directory "/var/cache/bind";
     
    	// If there is a firewall between you and nameservers you want
    	// to talk to, you may need to fix the firewall to allow multiple
    	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113
     
    	// If your ISP provided one or more IP addresses for stable 
    	// nameservers, you probably want to use them as forwarders.  
    	// Uncomment the following block, and insert the addresses replacing 
    	// the all-0's placeholder.
     
    	// forwarders {
    	// 	0.0.0.0;
    	// };
     
    	# google's public DNS Servers on ...
    	#	... IPv4: 8.8.8.8 and 8.8.4.4
    	#	... IPv6: 2001:4860:4860::8888; 2001:4860:4860::8844;
    	forwarders {
    		2001:4860:4860::8888;
    		2001:4860:4860::8844;
    		//8.8.8.8;
    		//8.8.4.4;
    	};
    	forward first;
     
     
    	auth-nxdomain no;    # conform to RFC1035
     
    	#
    	# make sure to listen/bind to LAN interfaces only!
    	# (and localhost of course)
    	#
    	listen-on-v6 {	
    		::1;
    		fd00:dead:beef:affe::1;
    	};
     
    	listen-on {
    		127.0.0.1;
    		192.168.0.1;
    	};
    };
  3. Configure which DNS zones (domains) we serve to our clients and which secret key is used for dynamic DNS (DDNS) updates. The secret in this listing is public now that it is on this page, so generate your own (tsig-keygen -a hmac-sha256 rndc-key prints a ready-made stanza; hmac-md5 is deprecated) and put the identical key block into dhcpd.conf. The ip6.arpa zone is the one dhcpd6 will update once its DDNS works (see the FIXMEs above):
    /etc/bind/named.conf.local
    //
    // Do any local configuration here
    //
     
    // Consider adding the 1918 zones here, if they are not used in your
    // organization
    include "/etc/bind/zones.rfc1918";
     
    // forward lookup zone for ipv4 + ipv6
    zone "lan" in {
    	type master;
    	file "/var/lib/bind/db.lan";
    	notify no;
    	allow-update { key "rndc-key" ; } ;
    };
     
    // reverse lookup zone for ipv4 only
    zone "0.168.192.in-addr.arpa" in {
    	type master;
    	file "/var/lib/bind/db.192.168.0.0";
    	notify no;
    	allow-update { key "rndc-key" ; } ;
    };
     
     
    // reverse lookup zone for ipv6 only
    zone "e.f.f.a.f.e.e.b.d.a.e.d.0.0.d.f.ip6.arpa" {
    	type master;
    	file "/var/lib/bind/db.e.f.f.a.f.e.e.b.d.a.e.d.0.0.d.f.ip6.arpa";
    	notify no;
    	allow-update { key "rndc-key" ; } ;
    };
     
    key "rndc-key" {
    	algorithm hmac-md5;
    	secret "iM/RBwJeeLplTTPp2SIPTA==";
    };
    • NOTE: the named configuration files stay in /etc/bind while the zone files live in /var/lib/bind. Ubuntu ships bind9 with an AppArmor profile that lets named read /etc/bind but write only below /var/lib/bind and /var/cache/bind, and dynamically updated zones must write their journal (.jnl) files next to the zone file. In theory you could store the zone files wherever you like after adjusting the profile, but it is easier to follow the distribution's layout.
  4. Forward lookup zone for lan domain (ipv4 + ipv6):
    /var/lib/bind/db.lan
    $ORIGIN .
    $TTL 172800	; 2 days
    lan			IN SOA	freiburg.lan. hostmaster.freiburg.lan. (
    				20200720 ; serial
    				86400      ; refresh (1 day)
    				7200       ; retry (2 hours)
    				604800     ; expire (1 week)
    				172800     ; minimum (2 days)
    				)
    			NS	freiburg.lan.
    			MX	10 freiburg.lan.
    $ORIGIN lan.
    dns			CNAME	freiburg
    farblaser		CNAME	printer-hpcplj1525n
    freiburg		A	192.168.0.1
    ftp			CNAME	freiburg
    mail			CNAME	freiburg
    ns			CNAME	freiburg
    ntp			CNAME	freiburg
    printer-hpcplj1525n	A	192.168.0.8
    tv-panasonic-sz		A	192.168.0.13
    tv-sz			CNAME	tv-panasonic-sz
    wlan-pl-ap-sz		A	192.168.0.252
    www			CNAME	freiburg
  5. Reverse lookup zone for lan ipv4 IPs:
    /var/lib/bind/db.192.168.0.0
    $ORIGIN .
    $TTL 172800     ; 2 days
    0.168.192.in-addr.arpa  IN SOA  freiburg.lan. hostmaster.freiburg.lan. (
                                    20200720  ; serial
                                    86400      ; refresh (1 day)
                                    7200       ; retry (2 hours)
                                    604800     ; expire (1 week)
                                    172800     ; minimum (2 days)
                                    )
    			NS	freiburg.lan.
    $ORIGIN 0.168.192.in-addr.arpa.
    1			PTR	freiburg.lan.
    13			PTR	tv-panasonic-sz.lan.
    252			PTR	wlan-pl-ap-sz.lan.
    8			PTR	printer-hpcplj1525n.lan.
  6. Reverse lookup zone for LAN IPv6 addresses. Unlike the two files above, this one must not start with $ORIGIN .: that resets the origin to the root, so @ no longer names the zone and named rejects the file for having no SOA at its apex. Without it the origin is the zone name from named.conf.local and @ works as intended. The PTR owner names are written in full (with trailing dot), which is valid under any origin; each one is the 32 hex nibbles of the address, reversed and dot-separated, so fd00:dead:beef:affe::13 becomes 3.1.0.0.… whereas 1.3.0.0.… is the reverse of ::31; check the tv-panasonic-sz line against the address that host really has. The forward zone above has no AAAA records yet; add one per host (e.g. freiburg AAAA fd00:dead:beef:affe::1) so forward and reverse lookups agree:
    /var/lib/bind/db.e.f.f.a.f.e.e.b.d.a.e.d.0.0.d.f.ip6.arpa
    $TTL 172800	; 2 days
    @	IN SOA	freiburg.lan. hostmaster.freiburg.lan. (
    				20200739   ; serial
    				86400      ; refresh (1 day)
    				7200       ; retry (2 hours)
    				604800     ; expire (1 week)
    				172800     ; minimum (2 days)
    				)
    @			NS	freiburg.lan.
    1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.e.f.f.a.f.e.e.b.d.a.e.d.0.0.d.f.ip6.arpa.			PTR	freiburg.lan.
    1.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.e.f.f.a.f.e.e.b.d.a.e.d.0.0.d.f.ip6.arpa.			PTR	tv-panasonic-sz.lan.
    2.5.2.0.0.0.0.0.0.0.0.0.0.0.0.0.e.f.f.a.f.e.e.b.d.a.e.d.0.0.d.f.ip6.arpa.			PTR	wlan-pl-ap-sz.lan.
    8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.e.f.f.a.f.e.e.b.d.a.e.d.0.0.d.f.ip6.arpa.			PTR	printer-hpcplj1525n.lan.
  7. FIXME
    FIXME
  8. Check the config for errors and restart the DNS server. Journal (.jnl) files belong to dynamically updated zones, and named refuses to load a zone whose hand-edited file is out of sync with its journal. Deleting journals throws away updates that were not yet written back into the zone file, so only do it with named stopped; the cleaner way is rndc freeze lan before editing and rndc thaw lan afterwards, which writes the journal into the file first. named-checkzone lan /var/lib/bind/db.lan catches zone-file mistakes before the restart:
    named-checkconf
    systemctl stop named
    rm -v /var/lib/bind/*.jnl # journals out of sync with hand-edited zone files
    systemctl start named
    systemctl status named
  9. Check that named only listens on the interfaces/IP addresses you want to serve:
    ss -nptul | grep -i named
  10. FIXME
    FIXME
  11. FIXME
    FIXME
  12. FIXME
    FIXME
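Step 6 hand-writes the nibble-reversed ip6.arpa names, which is exactly where mistakes creep in. The helper below is an added example, not part of the original page: a POSIX shell/awk function that expands an IPv6 address to its 32 nibbles, reverses it into a PTR owner name, derives the zone name from a prefix, and generates PTR lines from a host list. The host list is constructed for this example and assumes ULA addresses that mirror the page's IPv4 host numbers (the page defines no AAAA records, so those addresses are an assumption). Run on ::13 it yields 3.1.0.0.…, whereas the page's tv-panasonic-sz line (1.3.0.0.…) is the reverse of ::31.

```shell
#!/bin/sh
# Added helper (not from the page): derive ip6.arpa names from IPv6 addresses
# so reverse-zone PTR records are generated instead of reversed by hand.

# ip6_expand ADDR -> the address as 32 lowercase hex nibbles, no separators.
ip6_expand() {
    printf '%s\n' "$1" | awk -F: '{
        ne = 0
        for (i = 1; i <= NF; i++) if ($i != "") ne++   # groups actually written out
        missing = 8 - ne                                # groups hidden by "::"
        out = ""; done = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "") {                             # "::" shows up as empty field(s)
                if (!done) { for (k = 0; k < missing; k++) out = out "0000"; done = 1 }
                continue
            }
            out = out substr("0000" $i, length($i) + 1) # left-pad the group to 4 nibbles
        }
        print tolower(out)
    }'
}

# ip6_reverse ADDR -> the full ip6.arpa name of one host (the PTR owner name).
ip6_reverse() {
    ip6_expand "$1" | awk '{
        s = ""
        for (i = length($0); i >= 1; i--) s = s substr($0, i, 1) "."
        print s "ip6.arpa"
    }'
}

# ip6_reverse_zone PREFIX/LEN -> the ip6.arpa zone name (LEN must be a multiple of 4).
ip6_reverse_zone() {
    addr=${1%/*}; len=${1#*/}
    ip6_expand "$addr" | awk -v n="$len" '{
        s = ""
        for (i = n / 4; i >= 1; i--) s = s substr($0, i, 1) "."
        print s "ip6.arpa"
    }'
}

# gen_ptr_records reads "NAME ADDR" lines on stdin and prints zone-file lines with
# absolute owner names, which load correctly under any $ORIGIN.
gen_ptr_records() {
    while read -r name addr; do
        [ -z "$name" ] && continue
        printf '%s\tPTR\t%s.lan.\n' "$(ip6_reverse "$addr")" "$name"
    done
}

# Constructed sample input: the page's LAN hosts with assumed ULA addresses.
HOSTS='freiburg fd00:dead:beef:affe::1
tv-panasonic-sz fd00:dead:beef:affe::13
wlan-pl-ap-sz fd00:dead:beef:affe::252
printer-hpcplj1525n fd00:dead:beef:affe::8'

# Stand-alone run: print the zone name and the generated PTR records.
echo "zone: $(ip6_reverse_zone fd00:dead:beef:affe::/64)"
printf '%s\n' "$HOSTS" | gen_ptr_records
```

Feed the output into the db.e.f.f.a.f.e.e.b.d.a.e.d.0.0.d.f.ip6.arpa file after the NS record, then run named-checkzone on it before restarting named; the same expansion also tells you which nibbles to keep for the zone name when you switch to a different prefix length.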

Enable routing (ip forwarding) incl. firewalling and NAT for ipv4 and ipv6:

  1. Enable IPv4 forwarding (routing). Nothing is filtered until the firewall below is in place, so the box routes between all its interfaces as soon as this is applied:
    cat << EOF > /etc/sysctl.d/55-my-ipv4-routing.conf
    # Enable packet forwarding for IPv4
    net.ipv4.ip_forward=1
    
    # Do not accept ICMP redirects (prevent MITM attacks)
    net.ipv4.conf.all.accept_redirects = 0
    
    # Log martian packets
    net.ipv4.conf.all.log_martians = 1
    
    EOF
  2. Enable IPv6 forwarding (routing). With forwarding=1 the kernel stops accepting router advertisements on every interface unless that interface has accept_ra=2; that is fine here because the WAN address is static and accept-ra is already false in netplan. Apply both sysctl files afterwards:
    cat << EOF > /etc/sysctl.d/55-my-ipv6-routing.conf
    # Enable packet forwarding for IPv6
    #  Enabling this option disables Stateless Address Autoconfiguration
    #  based on Router Advertisements for this host
    net.ipv6.conf.all.forwarding=1
    
    # Do not accept ICMP redirects (prevent MITM attacks)
    net.ipv6.conf.all.accept_redirects = 0
    EOF
    sysctl --system
  3. Install firewall init script:
    FIXME
  4. FIXME
    FIXME
  5. FIXME
    FIXME
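What step 3 above would contain, as an added example that is not the page's own firewall script: an nftables ruleset for the topology from the scenario (WAN = enp5s8 on the DMZ side, LAN = br0, SSH on port 33333 as configured in step 9 of the base installation), written by a shell function so the interface names and port are parameters. It assumes nftables as the packet filter (nft -c -f checks a ruleset without loading it) and keeps the decisions visible: policy drop on input and forward, stateful accept of replies, no unsolicited traffic from the WAN forwarded anywhere, IPv4 masquerading of the LAN behind the DMZ address, and the ICMPv6 types without which IPv6 (PMTU discovery, neighbour discovery) does not work.

```shell
#!/bin/sh
# Added example, not the page's script: generate /etc/nftables.conf for the
# two-interface router above. Interface names and the SSH port are parameters;
# the defaults are the ones used on this page (assumed, adjust to your box).

# write_nft_ruleset OUTFILE [WAN_IF] [LAN_IF] [SSH_PORT]
write_nft_ruleset() {
    out=$1; wan=${2:-enp5s8}; lan=${3:-br0}; sshport=${4:-33333}
    cat > "$out" <<EOF
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # the LAN side is trusted: DNS, DHCP, SSH on port 22, everything else
        iifname "$lan" accept
        # from the DMZ/WAN side only the non-standard SSH port ...
        iifname "$wan" tcp dport $sshport ct state new accept
        # ... plus the ICMP/ICMPv6 that IPv4/IPv6 need (PMTU, neighbour discovery)
        icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } accept
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        # anything else from the WAN (DNS and DHCP requests included) hits policy drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # the LAN may go out; nothing from the WAN is forwarded unsolicited
        iifname "$lan" oifname "$wan" accept
    }
}

# IPv4 only: hide the 192.168.0.0/24 LAN behind the DMZ address (the ISP router
# NATs a second time, which is what DS-Lite leaves you with). No NAT for IPv6.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$wan" masquerade
    }
}
EOF
}

# Sanity checks to run before loading: both filter chains default to drop, and
# the WAN interface never gets a blanket accept.
count_drop_policies() { grep -c 'policy drop;' "$1"; }
wan_has_blanket_accept() { grep -q "iifname \"$2\" accept" "$1"; }

# Stand-alone run: write the ruleset to the path given as $1, or show it.
# On the router: write_nft_ruleset /etc/nftables.conf enp5s8 br0 33333
#                nft -c -f /etc/nftables.conf && systemctl enable --now nftables
write_nft_ruleset "${1:-/dev/stdout}"
```

Load it with nft -c -f first; a syntax error in a ruleset that is enabled at boot leaves the router with whatever the previous ruleset was, which after a reboot is nothing. Once a global prefix is routed into the LAN (the page's IPv6 FIXMEs), the forward chain is also what protects LAN hosts, since there is no NAT66 hiding them.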

FIXME:

FIXME

FIXME:

FIXME

FIXME:

FIXME

FIXME:

FIXME

FIXME:

FIXME

FIXME:

it-artikel/linux/how-to-install-ubuntu-server-20.04-lts-with-bridged-interfaces.txt · Last modified: 2020-07-25 18:04 by axel.werner.1973@gmail.com