## Machine

* Scaleway Console.net Dedibox 120GB SSD

## OS

* Debian 13 trixie AMD64

## Firewall

* iptables (native; on Debian 13 `iptables -V` reports the nf_tables backend, which does not change the commands below)
* https://wiki.debian.org/iptables

### IPv4 forwarding

Goal: run each service as a normal user on an unprivileged port (>= 1024, here 8080 on localhost) and let the firewall redirect traffic arriving on the privileged public port (80) to it, so nothing has to run as root just to bind a port below 1024.

The first three commands flush every rule and user-defined chain in the `filter` and `nat` tables, so run them only when you intend to rebuild the ruleset from scratch.

```
/usr/sbin/iptables -F                   # flush all rules in the filter table
/usr/sbin/iptables -t nat -F            # flush all nat rules
/usr/sbin/iptables -X                   # clear user-defined chains
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 127.0.0.1:8080
/usr/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE
/usr/sbin/iptables -t nat -L -v         # list the nat table with packet counters
```

/etc/sysctl.conf:

```
net.ipv4.ip_forward = 1
net.ipv4.conf.all.route_localnet = 1
```

Apply with `/sbin/sysctl -p`.

Things to keep in mind with this setup:

* `route_localnet = 1` is what makes the redirect work: without it the kernel drops a packet that arrived on the public interface and whose destination was rewritten to 127.0.0.0/8 as a martian. With it set, every loopback-only service is only as private as the DNAT rules are narrow, so keep them explicit (one public port to one local port) and review them whenever a rule is added.
* `ip_forward = 1` also turns the host into a router between its interfaces. Set the `FORWARD` chain policy to `DROP` unless the host is meant to forward for the VPN or for containers.
* `PREROUTING` only sees packets that arrive from the network. A client on the host itself connecting to the public IP on port 80 goes through the `OUTPUT` chain instead and needs an equivalent `-t nat -A OUTPUT ... -j DNAT` rule, otherwise a local `curl` test gives a false negative.
* The `MASQUERADE` rule has no `-o` interface match, so it rewrites the source address of everything the box forwards. It is not needed for the loopback redirect itself (conntrack reverses the DNAT on the reply packets); if it is kept for the VPN or containers, restrict it to the outgoing interface.
* The rules above are IPv4 only. If the host also has an IPv6 address, port 80 over IPv6 is not redirected until a matching `ip6tables` rule exists.
* Verify from an outside host (`curl -sI http://<public-ip>/`) and watch the rule's counters in `iptables -t nat -L PREROUTING -n -v`. The nat table is consulted only for the first packet of a connection, so the counter increments once per connection, not once per packet.

See also:

* https://serverfault.com/questions/551487/dnat-from-localhost-127-0-0-1

### Persistent iptables

Rules added with `iptables` live only in the running kernel and are lost on reboot. To make them permanent on Debian 13, use the `iptables-persistent` package. First, install it:

```
sudo apt-get update
sudo apt-get install iptables-persistent
```

During the installation you are prompted to save the current `iptables` and `ip6tables` rules; confirm with "Yes". If you are not prompted, or after changing the rules later, save them manually:

```
sudo iptables-save | sudo tee /etc/iptables/rules.v4
sudo ip6tables-save | sudo tee /etc/iptables/rules.v6
```

The `netfilter-persistent` service that ships with the package loads these two files at boot (`sudo netfilter-persistent save` runs the same save step). It restores firewall rules only: the `sysctl` settings above persist separately through `/etc/sysctl.conf`. Also, `iptables-save` writes whatever is loaded at that moment, including the result of an earlier `-F`, so read the saved file before rebooting.

## VPN

* WireGuard

## SSH

Key-based logins only, and no root login over SSH, set in the global `sshd` configuration. On Debian the main `/etc/ssh/sshd_config` includes `/etc/ssh/sshd_config.d/*.conf` at the top, and `sshd` keeps the first value it reads for each keyword, so a drop-in there takes precedence over the main file and over any drop-in that sorts after it.

* `PasswordAuthentication no`
* `PubkeyAuthentication yes`
* `PermitRootLogin no`

Before reloading, make sure the key login already works and keep the current session open. Then check the syntax with `sudo sshd -t`, reload with `sudo systemctl reload ssh`, and confirm the effective values with `sudo sshd -T | grep -Ei 'passwordauthentication|pubkeyauthentication|permitrootlogin|kbdinteractiveauthentication'`. `KbdInteractiveAuthentication` should also be `no`, because keyboard-interactive (PAM) prompts are a second path for password logins; the `sshd_config` Debian ships already sets it that way, so just make sure nothing re-enables it.

## Containers

The host OS will be kept clean and every service goes into its own container. systemd will be used for frugal container management:

* `systemd-container` package (provides `systemd-nspawn` and `machinectl`)
* `systemd-nspawn` containers under `/var/lib/machines/`, registered with `machinectl` so they start with the host
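The following is an added example (not from the original notes, nor from Debian or Scaleway tooling) that turns the IPv4 forwarding and persistence sections above into one ruleset in the format `iptables-persistent` reads from `/etc/iptables/rules.v4`, and loads it atomically with `iptables-restore` instead of flushing and re-adding rules one by one. It includes the default-deny `FORWARD` policy and the `OUTPUT` redirect for the host's own connections discussed above, and leaves out the `MASQUERADE` rule, which the loopback redirect does not need. The public IP `203.0.113.10`, the port numbers and the `print`/`apply` sub-commands are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original notes or of any Debian/Scaleway
# tooling: emits the iptables-restore ruleset for the port-80 -> 127.0.0.1:8080
# redirect in the format iptables-persistent loads from /etc/iptables/rules.v4,
# and applies it atomically. The public IP, port numbers and the
# sub-command names are assumptions chosen for illustration.
set -eu

# Print a complete rules.v4. The filter table gets a default-deny FORWARD
# chain because net.ipv4.ip_forward=1 would otherwise let the host route
# freely between its interfaces. The nat table carries the PREROUTING redirect
# for external clients plus an OUTPUT rule for the host's own connections to
# its public address, which never traverse PREROUTING.
# usage: rules_v4 <public_port> <local_port> <public_ip>
rules_v4() {
    pub_port=$1
    local_port=$2
    pub_ip=$3
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport $pub_port -j DNAT --to-destination 127.0.0.1:$local_port
-A OUTPUT -d $pub_ip/32 -p tcp --dport $pub_port -j DNAT --to-destination 127.0.0.1:$local_port
COMMIT
EOF
}

# Validate, load and persist the ruleset. iptables-restore replaces the whole
# table set in one step, so a typo cannot leave the host half-configured the
# way a sequence of `iptables -A` calls can. Needs root, and the sysctl
# settings from the notes (ip_forward, route_localnet) must already be applied.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    tmp=$(mktemp)
    rules_v4 "$@" > "$tmp"
    /usr/sbin/iptables-restore --test < "$tmp"       # parse only, commit nothing
    /usr/sbin/iptables-restore < "$tmp"              # atomic load
    install -m 0644 "$tmp" /etc/iptables/rules.v4    # what netfilter-persistent reloads at boot
    rm -f "$tmp"
    /usr/sbin/iptables -t nat -S PREROUTING          # confirm the redirect is in place
}

case "${1:-}" in
    print) shift; rules_v4 "$@" ;;
    apply) shift; apply_rules "$@" ;;
esac
```

Run `sh fw.sh print 80 8080 203.0.113.10` to inspect the ruleset, then `sudo sh fw.sh apply 80 8080 203.0.113.10` once the sysctl settings are in place; the file it writes is the one `netfilter-persistent` restores at boot, so no separate `iptables-save` step is needed afterwards.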
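Added example for the SSH section (not from the original notes, nor part of OpenSSH): a drop-in with the settings listed there, and a check that reads the effective configuration from `sshd -T`, which is the reliable way to see which of several config files won for a given keyword. The drop-in filename `60-hardening.conf` and the sample `sshd -T` output embedded for testing are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the original notes or of OpenSSH: a sshd
# drop-in with the settings from the SSH section and a checker for the
# effective configuration as printed by `sshd -T`. The drop-in filename and
# the sample sshd -T output below are constructed for illustration.
set -eu

DROPIN=/etc/ssh/sshd_config.d/60-hardening.conf   # assumed name

# Drop-in contents. Debian's sshd_config includes sshd_config.d/*.conf at the
# top and sshd keeps the first value it reads per keyword, so these win over
# the main file. KbdInteractiveAuthentication closes the PAM prompt path that
# PasswordAuthentication=no alone leaves open.
dropin() {
    cat <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication no
EOF
}

# Keyword -> required value, in the lowercase form `sshd -T` prints.
REQUIRED="permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
kbdinteractiveauthentication no"

# Read `sshd -T` output on stdin, print every keyword whose effective value
# differs from REQUIRED, and return 1 if there was any mismatch.
check_sshd() {
    conf=$(cat)
    rc=0
    while read -r key want; do
        have=$(printf '%s\n' "$conf" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $key: effective='${have:-<unset>}' required='$want'"
            rc=1
        fi
    done <<EOF
$REQUIRED
EOF
    return $rc
}

# Constructed samples of `sshd -T` output (real output has many more lines).
SAMPLE_BAD="port 22
permitrootlogin prohibit-password
passwordauthentication yes
pubkeyauthentication yes
kbdinteractiveauthentication no"
SAMPLE_GOOD="port 22
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
kbdinteractiveauthentication no"

case "${1:-}" in
    dropin) dropin ;;                 # sh ssh-check.sh dropin | sudo tee "$DROPIN"
    check)  check_sshd ;;             # sudo sshd -T | sh ssh-check.sh check
    demo)   printf '%s\n' "$SAMPLE_BAD" | check_sshd || echo "bad sample rejected, as expected" ;;
esac
```

Typical sequence: write the drop-in with `sh ssh-check.sh dropin | sudo tee /etc/ssh/sshd_config.d/60-hardening.conf`, run `sudo sshd -t`, reload with `sudo systemctl reload ssh`, then `sudo sshd -T | sh ssh-check.sh check` from a second session while the first stays open. A mismatch after the reload means another file sorted earlier in `sshd_config.d/` sets the same keyword.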
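Added example for the Containers section (not from the original notes, nor from systemd): bootstrap a Debian trixie tree into `/var/lib/machines`, give it a `.nspawn` settings file, and register it with `machinectl` so it boots with the host. The machine name `web`, the mirror URL and the choice of user namespacing (`PrivateUsers=pick`) are assumptions. The container keeps the host's network namespace, so a service listening on port 8080 inside it is the `127.0.0.1:8080` the firewall section redirects to.

```shell
#!/bin/sh
# Added example, not part of the original notes or of systemd: bootstrap a
# Debian trixie container and register it with systemd. Assumptions: machine
# name "web", mirror deb.debian.org, user namespacing enabled.
set -eu

MACHINES=/var/lib/machines
MIRROR=http://deb.debian.org/debian

# Settings file that systemd-nspawn@<name>.service reads from
# /etc/systemd/nspawn/<name>.nspawn (the unit runs with --settings=override,
# so these win over its own command line).
#  - PrivateUsers=pick: container UIDs are mapped to an unused host range, so
#    root inside the container is an unprivileged UID on the host.
#  - PrivateUsersOwnership=auto: chown the tree to that range on first use.
#  - VirtualEthernet=no: keep the host's network namespace (the unit template
#    would otherwise add --network-veth), so a service bound to port 8080
#    inside the container is the 127.0.0.1:8080 the firewall redirects to.
nspawn_config() {
    cat <<'EOF'
[Exec]
Boot=yes
PrivateUsers=pick
PrivateUsersOwnership=auto

[Network]
VirtualEthernet=no
EOF
}

# Create the container tree, set a root password for console login, write
# the settings file and enable the machine at host boot. Requires root and
# the debootstrap and systemd-container packages on the host.
create_machine() {
    name=$1
    [ "$(id -u)" -eq 0 ] || { echo "create_machine: must run as root" >&2; return 1; }
    debootstrap --include=dbus trixie "$MACHINES/$name" "$MIRROR"
    # run passwd inside the tree before user namespacing is configured
    systemd-nspawn -D "$MACHINES/$name" passwd
    mkdir -p /etc/systemd/nspawn
    nspawn_config > "/etc/systemd/nspawn/$name.nspawn"
    machinectl enable "$name"     # systemd-nspawn@<name>.service at boot
    machinectl start "$name"
    machinectl list               # should show the machine as running
}

case "${1:-}" in
    config) nspawn_config ;;
    create) shift; create_machine "$@" ;;
esac
```

Because the network namespace is shared, a service inside the container should bind to `127.0.0.1:8080`, not `0.0.0.0`; otherwise port 8080 is also reachable directly on the public address, bypassing the port-80 redirect and any filter rules written for it.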