Building a debian firewall on a CF card

Posted: 2008-04-05 20:56 | linux | debian | firewall | dns | bind | bind9 | dhcp | iptables

I currently have an OpenBSD firewall running on an ancient 586. I have a mini-itx board, CF/IDE converter and a CF card and have been intending to upgrade.

However - rather than OpenBSD I’m going to try for debian (since I know that much better).

This post will end up being a “how I did it” - but at the minute is just a collection of the notes I’m grabbing for now.

For the initial install - I hung a CD-ROM as the slave IDE unit on the primary IDE channel.

I used the 4.0r3 etch netinst CD downloaded from

Install went smoothly once I replaced the CF-IDE converter with a newer one that supported DMA (the newer CF card was DMA compatible) as I simply could not get the installer to disable DMA. However - see debian bug 475223 for information on how you could actually do that.

Disk Mounting

From I got a starter fstab and the hint about mtab. Here are the versions I ended up with:


proc        /proc             proc   defaults                    0 0
/dev/hda1   /                 ext2   noatime,errors=remount-ro   0 1
tmpfs       /etc/network/run  tmpfs  defaults,noatime            0 0
tmpfs       /tmp              tmpfs  defaults,noatime            0 0
tmpfs       /var/lock         tmpfs  defaults,noatime            0 0
tmpfs       /var/log          tmpfs  defaults,noatime            0 0
tmpfs       /var/run          tmpfs  defaults,noatime            0 0
tmpfs       /var/tmp          tmpfs  defaults,noatime            0 0

Warning: By mounting /var/log on tmpfs, logs will only be available for the current session.


rm -f /etc/mtab
ln -s /proc/mounts /etc/mtab



I have some issues with things when IPv6 is running. So, to disable IPv6 I added:

blacklist ipv6

to /etc/modprobe.d/blacklist.

So - now the server boots, mounts the highly active parts of the system on tmpfs (we don’t want to burn out the CF card).


I need both ports to come up - one to the ISP, one internal.

TODO: what is the allow-hotplug bit?


# The loopback network interface
auto lo eth0 eth1
iface lo inet loopback
# The external interface
allow-hotplug eth0
iface eth0 inet static
# The internal interface
iface eth1 inet static



Install ssh with aptitude.

I configured ssh with the following sshd_config file (/etc/ssh/sshd_config):

Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
# Remember to make sure that you have a working set of .ssh/authorized_keys before changing this from yes to no!
PasswordAuthentication no
X11Forwarding no
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes


Install bind9 with aptitude.

Two new files in /etc/bind:


$TTL 3600       ; 1 hour
        IN SOA (
                2008041201      ; serial
                3600            ; refresh 1 hr
                1800            ; retry 30 mins
                604800          ; expire 1 wk
                3600 )          ; minimum 1 hr
menavaur        A       ; Old firewall
nornour         A       ; New firewall
dolphin-tp      A       ; Astrid mac mini LAN
dolphin         A       ; Astrid mac mini WLAN
slippen-tp      A       ; Chris laptop LAN
slippen         A       ; Chris laptop WLAN
czar            A       ; Linux file server
goldeneagle     A       ; Astrid XP
galatea-tp      A       ; Chris laptop (work) LAN
galatea         A       ; Chris laptop (work) WLAN
bonnet          A       ; Chris iMac
shah            A       ; Unused
islander        A       ; Unused
serica          A       ; Unused
klondyke        A       ; Unused
campernel       A       ; Unused
bedroom-tp      A       ; Airport
bedroom         A       ; Airport
lounge-tp       A       ; Airport
lounge          A       ; Airport
store           A       ; ReadyNAS NV+
wii             A       ; Wii
dhcp50          A       ; DHCP
dhcp51          A       ; DHCP
dhcp52          A       ; DHCP
dhcp53          A       ; DHCP
dhcp54          A       ; DHCP
dhcp55          A       ; DHCP
dhcp56          A       ; DHCP
dhcp57          A       ; DHCP
dhcp58          A       ; DHCP
dhcp59          A       ; DHCP
dhcp60          A       ; DHCP
wifi1           A       ; Linksys AP
wifi2           A       ; Linksys AP
ns              CNAME   nornour
irc             CNAME   czar
web             CNAME   czar

$TTL 3600       ; 1 hour
        IN SOA (
                2008041201      ; serial
                3600            ; refresh 1 hr
                1800            ; retry 30 mins
                604800          ; expire 1 wk
                3600 )          ; minimum 1 hr
1       PTR     ; Old firewall
2       PTR     ; New firewall
3       PTR     ; Astrid mac mini LAN
4       PTR     ; Astrid mac mini WLAN
5       PTR     ; Chris laptop LAN
6       PTR     ; Chris laptop WLAN
7       PTR     ; Linux file server
8       PTR     ; Astrid XP
9       PTR     ; Chris laptop (work) LAN
10      PTR     ; Chris laptop (work) WLAN
11      PTR     ; Chris iMac
12      PTR     ; Unused
13      PTR     ; Unused
14      PTR     ; Unused
15      PTR     ; Unused
16      PTR     ; Unused
30      PTR     ; Airport
31      PTR     ; Airport
32      PTR     ; Airport
33      PTR     ; Airport
34      PTR     ; ReadyNAS NV+
35      PTR     ; Wii
50      PTR     ; DHCP
51      PTR     ; DHCP
52      PTR     ; DHCP
53      PTR     ; DHCP
54      PTR     ; DHCP
55      PTR     ; DHCP
56      PTR     ; DHCP
57      PTR     ; DHCP
58      PTR     ; DHCP
59      PTR     ; DHCP
60      PTR     ; DHCP
200     PTR     ; Linksys AP
201     PTR     ; Linksys AP

Then we need to activate these two:


zone "" {
        type master;
        file "/etc/bind/";
};
zone "" {
        type master;
        file "/etc/bind/";
};

Restarted bind - now this is authoritative for my local net 192.168.1.x and forwards to the ISP for everything else.


Install dhcpd (virtual package) with aptitude.

Firstly - we want only to serve DHCP internally - that is on interface eth1.



Now configure it. Most internal machines get a fixed IP via MAC address, but there is also a range of .50 to .60 for visitors.


group {
        option subnet-mask;
        option routers;
        option domain-name-servers;
        option domain-name "";
        host menavaur {
                hardware ethernet 00:60:08:47:03:69;
        }
        host dolphin-tp {
                hardware ethernet 00:16:CB:94:15:D3;
        }
        host dolphin {
                hardware ethernet 00:16:CB:05:8C:03;
        }
        host slippen-tp {
                hardware ethernet 00:16:CB:C9:2E:A3;
        }
        host slippen {
                hardware ethernet 00:16:CB:B9:F5:B6;
        }
        host czar {
                hardware ethernet 00:0A:5E:1F:3D:6F;
        }
        host goldeneagle {
                hardware ethernet 00:0C:6E:4D:48:DA;
        }
        host galatea-tp {
                hardware ethernet 00:1B:63:A8:06:8B;
        }
        host galatea {
                hardware ethernet 00:1C:B3:C5:21:5B;
        }
        host bedroom-tp {
                hardware ethernet 00:14:51:74:F6:AA;
        }
        host bedroom {
                hardware ethernet 00:14:51:74:F6:AB;
        }
        host lounge-tp {
                hardware ethernet 00:14:51:73:86:96;
        }
        host lounge {
                hardware ethernet 00:14:51:73:86:97;
        }
        host wii {
                hardware ethernet 00:19:1D:FE:A0:56;
        }
        host wifi1 {
                hardware ethernet 00:1A:70:AB:A4:AC;
        }
        host wifi2 {
                hardware ethernet 00:1A:70:AB:A6:91;
        }
}
shared-network LOCAL-NET {
        option domain-name " ";
        option domain-name-servers;
        subnet netmask {
                option routers;
        }
}
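The forward zone, the reverse zone and the dhcpd host list above carry the same name, address and MAC data three times, which is where the three files drift apart. As an added example (not from the original post), this Python script keeps that data in one table, checks it for duplicate names, octets and MACs, and emits all three fragments; the hostnames, addresses and MACs in it are constructed, and the domain name is an assumption.

```python
"""Generate matching BIND forward/reverse records and dhcpd host blocks
from a single host table, and check that table for duplicates."""
from collections import Counter

# Constructed sample data (not the author's real hosts, addresses or MACs).
DOMAIN = "home.example"   # assumed local domain name
NET = "192.168.1"         # the post's /24, written as a prefix
HOSTS = [  # (name, last octet, MAC or None if not a DHCP client, comment)
    ("fw",     2,  None,                "New firewall"),
    ("files",  7,  "00:11:22:33:44:55", "File server"),
    ("laptop", 10, "00:11:22:33:44:66", "Laptop"),
]

def check_hosts(hosts):
    """Return problems found: a name, last octet or MAC used more than once.
    Duplicate octets or MACs would make dhcpd hand out clashing leases."""
    problems = []
    for field, idx in (("name", 0), ("octet", 1), ("mac", 2)):
        counts = Counter(h[idx] for h in hosts if h[idx] is not None)
        problems += [f"duplicate {field}: {v}" for v, n in counts.items() if n > 1]
    return problems

def forward_records(hosts):
    """A records for the forward zone (names relative to the zone origin)."""
    return [f"{name:<16}A     {NET}.{octet}   ; {note}"
            for name, octet, _, note in hosts]

def reverse_records(hosts):
    """PTR records for the 1.168.192.in-addr.arpa zone (FQDNs end in a dot)."""
    return [f"{octet:<4} PTR  {name}.{DOMAIN}.   ; {note}"
            for name, octet, _, note in hosts]

def dhcp_hosts(hosts):
    """dhcpd.conf host blocks; fixed-address ties each MAC to its A record."""
    return [f"host {name} {{\n    hardware ethernet {mac};\n"
            f"    fixed-address {NET}.{octet};\n}}"
            for name, octet, mac, _ in hosts if mac]

if __name__ == "__main__":
    for problem in check_hosts(HOSTS):
        raise SystemExit(problem)   # refuse to emit config from a broken table
    print("; forward zone")
    print("\n".join(forward_records(HOSTS)))
    print("; reverse zone")
    print("\n".join(reverse_records(HOSTS)))
    print("# dhcpd.conf")
    print("\n".join(dhcp_hosts(HOSTS)))
```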


Denyhosts will add hosts to /etc/hosts.deny if they try things like brute force attacks on ssh.

Install denyhosts with aptitude.

Configure the /etc/denyhosts.conf file - I simply changed the mail addresses and mail server - everything else was left at its defaults.


From and - the following iptables script was generated.


#!/bin/sh
# Set policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Delete all existing rules.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections, and new ones not coming from the outside
# (written with the current negation syntax; older iptables spelt it "-i ! eth0")
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# NAT ssh (2222) and http (80) to an internal machine
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j DNAT --to
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 2222 -j DNAT --to
# Open some ports externally (including the ports for NAT)
iptables -A FORWARD -p tcp -m state --state NEW --dport 22 -i eth0 -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW --dport 80 -i eth0 -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW --dport 2222 -i eth0 -j ACCEPT
# Masquerade.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Reject anything that would be forwarded straight back out the external
# interface (eth0 -> eth0). Everything else not accepted above, including new
# connections from the outside to the inside, falls to the FORWARD DROP policy.
iptables -A FORWARD -i eth0 -o eth0 -j REJECT
# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward