Support - No-IP Support Center


Setting up a better No-IP-accessed server.

I know the feeling of spending nearly (or even over) $100 on a cable/DSL router or dialup access point, only to find it extremely difficult to configure so that internal servers can be reached from the internet. This is why, instead of paying a large sum of cash for a hassle-in-a-box, you should just transform one of your computers into a router, at the cost of only an additional Ethernet card and some of your spare time.

Step 1: Choosing the computer
The computer that is running the most capable server OS should be your choice for the new router. If you are running a workstation with Linux, BSD, or any other form of Unix, this should be your primary choice. After this, Windows 2000 Server (any edition: Server, Advanced, etc.) would be your next choice, followed by XP Professional, 2000 Professional, XP Home, ME, and 98SE. Later versions of Mac OS may be able to perform the function, but I am not experienced in them. If none of your computers runs one of the above operating systems, I would suggest you install Linux on one, or buy a dedicated computer for Linux. This OS provides for lower hardware costs and absolutely free software if one knows where to obtain it. After you have designated your new routing computer and installed the new Ethernet card, it's time to configure it.

Step 2a: Internet Connection Sharing
*Skip this step if you are NOT going to use Windows on the new router.* Microsoft ICS (Internet Connection Sharing) is a free (so to speak, one must still pay for Windows) and effective method for routing an internet connection from one interface to another within Windows and has been available since Windows 98 Second Edition. Installing it, however, depends on which version of Windows you are currently running.

XP/2000 (any version): Open up "Network and Dial-Up Connections" under the Control Panel, and right-click on the icon that corresponds to your internet connection and bring up its properties. Click the "Sharing" tab on the top of the newly-opened window, and enable internet connection sharing for that device via the checkbox.

ME: Open Add/Remove Programs under the Control Panel and click on the "Windows Setup" tab. Click on 'Communications' and click "Details." Click the checkbox next to 'Internet Connection Sharing' and click OK until it begins to install. Windows ME will then bring up an easy-to-use Home Networking Wizard to set up Internet Connection Sharing. In the following wizard, be sure that you select your previous internet device as the internet device, and your new Ethernet card as the home network device.

98SE: Typically the same as ME, except Internet Connection Sharing is under 'Internet Tools' rather than 'Communications.'

Microsoft ICS will turn Windows into a fully-functional router, and will serve as a DNS server (point all your other computers to 192.168.0.1 as their primary DNS server) and a DHCP server (it will assign IPs to all your other computers automatically). Personal firewall software such as BlackICE Defender can then be installed for added protection.

Microsoft ICS will assign the IP 192.168.0.1 to the router's home Ethernet card, so the computers on your network will have a 192.168.0.x IP scheme (for those who are interested).

Step 2b: IP MASQ
*Skip this step if you are NOT going to use Linux, BSD, or any other Unix OS on the new router.* IP Masquerading is the Nix (Linux, BSD, or any other Unix) counterpart to Microsoft ICS; it is a bit harder to set up, but much more rewarding. First, THOROUGHLY read the Linux IP Masquerade HOWTO at http://tldp.org/HOWTO/IP-Masquerade-HOWTO/, as it will make the next two or three hours of your life easier (it took me nearly a week to set it up my first time around!). The easiest thing to do is to grab a sample configuration file and change the interface names accordingly; however, you should assign your own rulesets if you are feeling pretty comfortable with IP MASQ.

Step 2b-A: Deciding on a ruleset scheme
A ruleset allows you to accept, deny, reject (same as deny, but sends back a rejection notice), or masquerade a packet that is coming in, going out, or being forwarded through the Nix router, from a certain/any source, to a certain/any destination, using a certain/any port on either/both source and destination. For example, I could reject a packet coming into the Nix router from port 5687 on ANY IP to any IP if I know that a popular Trojan horse uses that port for connectivity to the person who implements it on your computer; this will block access to the Trojan horse both ways if it is ever implemented on any of your internal computers.

The most important thing to remember is that rulesets are applied in the order that they are entered. So, if you first implement a ruleset to deny all packets directed to www.linux.org, and then implement a ruleset that allows access to www.linux.org on port 80, then computers on your network will ONLY have WWW access to www.linux.org. However, if you apply the port 80 rule first, and then the deny all, there will not be WWW access. This can prove to be an effective firewall, since you can first apply a ruleset to deny everything from everything destined to anything, and then only allow through what needs to be allowed through.
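Which entry order produces which result depends on the filter: ipchains and iptables stop at the first rule in a chain that matches, while BSD pf (without `quick`) reads every rule and lets the last match decide, which is the behaviour the deny-then-allow case above describes. The sketch below is an added example, not part of the original guide; the `Rule` class and function names are hypothetical. It evaluates the two www.linux.org rules under both models and flags rules that a first-match chain can never reach.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                  # "ACCEPT" or "DENY"
    dst: Optional[str] = None    # destination host; None means any
    dport: Optional[int] = None  # destination port; None means any

    def matches(self, dst: str, dport: int) -> bool:
        return self.dst in (None, dst) and self.dport in (None, dport)

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` matches is also matched by this rule."""
        return self.dst in (None, other.dst) and self.dport in (None, other.dport)

def first_match(rules, dst, dport, default="ACCEPT"):
    """ipchains/iptables chain order: the first matching rule decides."""
    for rule in rules:
        if rule.matches(dst, dport):
            return rule.action
    return default

def last_match(rules, dst, dport, default="ACCEPT"):
    """pf order without `quick`: all rules are read, the last match decides."""
    verdict = default
    for rule in rules:
        if rule.matches(dst, dport):
            verdict = rule.action
    return verdict

def unreachable(rules):
    """Indexes of rules a first-match chain can never reach."""
    return [j for j, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:j])]

# The two rules from the paragraph above, in both entry orders.
DENY_SITE = Rule("DENY", dst="www.linux.org")
ALLOW_WEB = Rule("ACCEPT", dst="www.linux.org", dport=80)
DENY_FIRST = [DENY_SITE, ALLOW_WEB]
ALLOW_FIRST = [ALLOW_WEB, DENY_SITE]

if __name__ == "__main__":
    for name, rules in (("deny first", DENY_FIRST), ("allow first", ALLOW_FIRST)):
        print(name, "| first-match:", first_match(rules, "www.linux.org", 80),
              "| last-match:", last_match(rules, "www.linux.org", 80),
              "| unreachable:", unreachable(rules))
```

Before trusting a ruleset, check which model your filter uses and list the rules in the order the kernel actually holds them.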

Step 2b-B: Logging
Make sure you implement whatever means of logging your version of Nix allows in the IP MASQ process (consult the IP Masquerade HOWTO for more info). This allows you to monitor the internet usage of your internal computers, as well as tell who has attempted to gain (or HAS gained) unauthorized access to your network. This information can prove quite useful in tracking down potential felons.
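One way to put such a log to both uses, as an added example that is not part of the original guide: it counts logged packets per outside source and lists internal hosts seen on the port 5687 mentioned earlier. It assumes the KEY=value line layout written by the iptables LOG target, `eth0` as the internet interface and a 192.168.0.x internal network; the function names are hypothetical and the sample lines are constructed and abbreviated.

```python
import re
from collections import Counter

# Constructed sample lines (not real traffic) in the layout of the iptables LOG
# target; the addresses are documentation ranges and "FW:" is a made-up prefix.
SAMPLE_LOG = """\
Mar  3 02:14:07 router kernel: FW: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.4 LEN=60 TTL=51 PROTO=TCP SPT=40112 DPT=23 SYN
Mar  3 02:14:09 router kernel: FW: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.4 LEN=60 TTL=51 PROTO=TCP SPT=40113 DPT=21 SYN
Mar  3 02:20:41 router kernel: FW: IN=eth0 OUT= SRC=203.0.113.50 DST=198.51.100.4 LEN=84 TTL=49 PROTO=ICMP TYPE=8 CODE=0
Mar  3 02:31:12 router kernel: FW: IN=eth1 OUT=eth0 SRC=192.168.0.12 DST=203.0.113.200 LEN=52 TTL=127 PROTO=TCP SPT=5687 DPT=31000 ACK
Mar  3 02:31:30 router sshd[411]: Server listening on 0.0.0.0 port 22.
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

def parse(line):
    """Return the KEY=value fields of a firewall log line, or None for other lines."""
    fields = dict(FIELD.findall(line))
    return fields if {"IN", "SRC", "DST", "PROTO"} <= fields.keys() else None

def records(log):
    """All firewall records in a log, skipping unrelated syslog lines."""
    return [f for f in map(parse, log.splitlines()) if f]

def outside_sources(log, wan="eth0"):
    """Count logged packets per source address that arrived on the internet side."""
    return Counter(f["SRC"] for f in records(log) if f["IN"] == wan)

def lan_hosts_on_port(log, port=5687, lan_prefix="192.168.0."):
    """Internal hosts seen sending from or to `port` (ICMP lines have no ports)."""
    hits = set()
    for f in records(log):
        if str(port) in (f.get("SPT"), f.get("DPT")):
            hits.update(a for a in (f["SRC"], f["DST"]) if a.startswith(lan_prefix))
    return sorted(hits)

if __name__ == "__main__":
    print("outside sources:", outside_sources(SAMPLE_LOG).most_common())
    print("internal hosts on 5687:", lan_hosts_on_port(SAMPLE_LOG))
```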

In conclusion, IP MASQ will allow your router to be ten times as secure as a Microsoft ICS router, but is unfortunately ten times harder to set up, so the choice is up to you. On an interesting note, a Nix computer with secure rulesets (as described above) is classified as a hardware firewall, as it is directly implemented into the OS and makes decisions based on a wide range of packet properties.

Step 3: No-IP
This is truly the easiest step of the three. After your router is up and working, download the appropriate No-IP updater from www.no-ip.com and install it on your router, making sure it is set up to report the IP assigned to your internet device. Doing this will allow the updater to seamlessly report IP changes to No-IP as they occur, rather than having downtime waiting for the next time your updater reports the new IP. After this, go to any computer with internet access and run "ping (your No-IP domain name)". This can be done from Start > Run on any Windows machine, or straight from the command line on a Nix computer. If you are getting ping replies, then congratulations, you are in business!

Step 4: Set up a server
Windows 2000 (any version), Windows XP, and Nix (depending on the distribution) come with optional WWW, FTP, and Telnet access that can be set up quickly and easily. 98SE and ME can have Personal Web Server (available through Add/Remove Programs -> Windows Setup) installed, which allows a webpage to be served from the computer. You can then run dedicated servers of any games you may play on this computer, and they will be completely accessible from both the internet and from the computers on your network. Any other server software you install will also be accessible from both the internet and from the internal network. Additional server software can also be obtained for a Nix computer, allowing it to run as a DNS server, DHCP server, Quake III server, MUD, or anything you can think of.

And that is that! For the cost of only an additional Ethernet card and a bit of your spare time, you can have a cable/DSL/dialup router set up for your network, and you will also be able to run servers on this router, where they will be completely accessible from both the internet and the internal network. If you have any problems, questions, or comments, feel free to contact me.
