## Machine

* Scaleway Console.net Dedibox 120GB SSD

## OS

* Debian 13 trixie AMD64

## Firewall

* iptables (native). On Debian 13 the `iptables` command is the nftables-backed `iptables-nft` by default, so the rules end up in nftables; `iptables -V` shows which backend is active.
* <https://wiki.debian.org/iptables>
* <https://packages.debian.org/trixie/iptables-persistent>

### IPv4 forwarding

Run services that would need a privileged port (< 1024) as a normal user by binding them to a high port on localhost (here 127.0.0.1:8080), and let iptables redirect the public port to that loopback port:

```sh
/usr/sbin/iptables -F            # flush all rules in the filter table (this drops any existing firewall!)
/usr/sbin/iptables -t nat -F     # flush all nat rules
/usr/sbin/iptables -X            # delete user-defined chains in the filter table
# public :80 -> 127.0.0.1:8080; the redirected packet is delivered locally (INPUT chain), not forwarded
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8080
# not needed for the DNAT above (conntrack un-translates the replies); this masquerades everything
# the host forwards, e.g. container traffic, so restrict it with -o <public interface> if you keep it
/usr/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE
/usr/sbin/iptables -t nat -L -v -n   # show the nat table with packet counters
```

/etc/sysctl.conf (or a drop-in under /etc/sysctl.d/):

```
# Not needed for the DNAT to 127.0.0.1 above (that packet is delivered locally, not forwarded);
# only required once the host routes traffic for other hosts or containers.
net.ipv4.ip_forward = 1
# Required: lets the kernel accept packets with a 127.0.0.0/8 destination that arrive on a
# non-loopback interface. It also makes every loopback-bound service reachable from any host
# that can put such a packet on the interface (typically the local segment), so filter
# 127.0.0.0/8 destinations arriving on anything other than lo, or enable the flag only on
# the public interface (net.ipv4.conf.<if>.route_localnet) instead of for all interfaces.
net.ipv4.conf.all.route_localnet = 1
```

Apply without a reboot: `/sbin/sysctl -p` (reads /etc/sysctl.conf only; `/sbin/sysctl --system` also loads the drop-ins).
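The redirect above assembled into a script, as an added example that is not code from the original page or from Debian/netfilter. It restricts the DNAT to the public interface, enables route_localnet only on that interface, and appends two INPUT rules: one that lets the redirected connection in, one that drops every other packet arriving from the network with a 127.0.0.0/8 destination. It also checks an `ss -Hltn` listing to confirm the backend is bound to loopback only. The interface name `eth0`, the port numbers, the function names and the `ss` sample at the bottom are my assumptions; the sample is constructed, not captured from a host.

```shell
#!/bin/sh
# Added example, not code from the original page: public :80 -> 127.0.0.1:8080
# via DNAT, with the route_localnet exposure fenced off.
# Assumptions (mine, not the page's): public interface eth0, backend on
# 127.0.0.1:8080; every value below can be overridden from the environment.
set -eu

PUBLIC_IF="${PUBLIC_IF:-eth0}"
PUBLIC_PORT="${PUBLIC_PORT:-80}"
LOCAL_PORT="${LOCAL_PORT:-8080}"
IPT="${IPT:-/usr/sbin/iptables}"
SYSCTL="${SYSCTL:-/sbin/sysctl}"

# Emit the rule set, one iptables argument list per line, so it can be read
# and checked before anything touches the kernel. Only the nat table is
# flushed; the filter rules are appended to whatever INPUT already holds.
fw_rules() {
    cat <<EOF
-t nat -F
-t nat -X
-t nat -A PREROUTING -i $PUBLIC_IF -p tcp --dport $PUBLIC_PORT -j DNAT --to-destination 127.0.0.1:$LOCAL_PORT
-A INPUT -i $PUBLIC_IF -d 127.0.0.1 -p tcp --dport $LOCAL_PORT -m conntrack --ctstate DNAT -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
EOF
}

# Enable route_localnet on the public interface only (the kernel ORs the
# per-interface flag with conf.all, so "all" can stay 0), then load the rules.
fw_apply() {
    "$SYSCTL" -w "net.ipv4.conf.$PUBLIC_IF.route_localnet=1"
    fw_rules | while IFS= read -r args; do
        # shellcheck disable=SC2086  # splitting $args into arguments is intended
        "$IPT" $args
    done
}

# Bind check: exit 0 only if every listener on LOCAL_PORT in the given
# `ss -Hltn` output is bound to 127.0.0.1 or [::1]. A backend on 0.0.0.0 or *
# would be reachable directly on <public IP>:LOCAL_PORT, bypassing the DNAT.
loopback_only() {
    printf '%s\n' "$1" | awk -v port="$LOCAL_PORT" '
        NF >= 4 {
            addr = $4; p = addr
            sub(/^.*:/, "", p)          # text after the last colon: the port
            sub(/:[0-9]+$/, "", addr)   # strip ":port" to keep the address
            if (p == port && addr != "127.0.0.1" && addr != "[::1]") bad = 1
        }
        END { exit bad }'
}

# Constructed sample of `ss -Hltn` output (not captured from a real host).
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:* users:(("app",pid=1234,fd=5))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=700,fd=3))'

if loopback_only "$SAMPLE_SS"; then
    echo "sample backend on :$LOCAL_PORT is loopback-only"
fi
echo "rules that would be loaded:"
fw_rules
if [ "${1:-}" = apply ]; then
    fw_apply
fi
```

`sh fw.sh` prints the rule set and runs the bind check on the sample; `sh fw.sh apply` as root loads it. The two INPUT rules are appended, so they only take effect if no earlier INPUT rule accepts everything. Persist the result with `netfilter-persistent save` from the `iptables-persistent` package, and on a live host run the bind check against the real listeners with `loopback_only "$(ss -Hltn)"`.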

See also:

* <https://serverfault.com/questions/551487/dnat-from-localhost-127-0-0-1>

## VPN

* WireGuard (`wireguard-tools` package; the kernel module ships with the Debian kernel)

## SSH

* Key-based login only, for non-root users; set in the global `/etc/ssh/sshd_config`. On Debian 13 that file starts with `Include /etc/ssh/sshd_config.d/*.conf`, and sshd keeps the first value it reads for each option, so a drop-in there overrides the main file; check the effective configuration with `sshd -T`.
* `PasswordAuthentication no`
* `PubkeyAuthentication yes`
* `PermitRootLogin no`
* Keep `KbdInteractiveAuthentication no` as well (Debian's default sshd_config sets it); otherwise PAM can still prompt for a password even with `PasswordAuthentication no`.

## Containers

The host OS will be kept clean and all services go into their respective containers. systemd will be used for frugal container management:

* `systemd-container` package (provides `systemd-nspawn` and `machinectl`)
* `systemd-nspawn` for running the containers