private-schrijfsels-en-noti.../2025/durian.srv.xor-gate.org.md
## Machine
* Scaleway Console.net Dedibox 120GB SSD
## OS
* Debian 13 trixie AMD64
## Firewall
* Iptables (native)
* https://wiki.debian.org/iptables
### IPv4 forwarding
Run each service as a normal user on an unprivileged port (1024 or higher) bound to localhost, and let the iptables nat table redirect the privileged public port (< 1024) on the public IP to it. The service then never needs root or `CAP_NET_BIND_SERVICE`.
```
/usr/sbin/iptables -F           # flush all rules in the filter table (chain policies are kept)
/usr/sbin/iptables -t nat -F    # flush all nat rules
/usr/sbin/iptables -X           # delete user-defined chains
# Public port 80 -> service listening as a normal user on 127.0.0.1:8080.
# Only packets arriving from outside traverse PREROUTING; connections made on
# the host itself to its own public IP are not redirected by this rule.
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8080
# MASQUERADE is not needed for a DNAT to localhost: the host itself answers and
# conntrack un-NATs the reply. If it is kept, restrict it to the uplink (-o <iface>).
/usr/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE
/usr/sbin/iptables -t nat -L -v -n   # verify; -n avoids slow reverse DNS lookups
```
/etc/sysctl.conf:
```
# Lets a packet that was DNAT'd to 127.0.0.1 on an external interface be
# delivered locally instead of being dropped as a martian; the DNAT above
# depends on this.
net.ipv4.conf.all.route_localnet = 1
# Not required for a DNAT to localhost (the packet is delivered to the host,
# not forwarded). Enabling it makes the host route between its interfaces, so
# if it stays on, set the FORWARD chain policy to DROP.
net.ipv4.ip_forward = 1
```
`/sbin/sysctl -p` (reloads only `/etc/sysctl.conf`; `sysctl --system` also applies `/etc/sysctl.d/*.conf`).

Caveat: with `route_localnet` on, anything bound to 127.0.0.1 becomes reachable from hosts on the same link that send packets for 127.0.0.0/8 to this machine's MAC address. The filter INPUT chain must therefore drop traffic to 127.0.0.0/8 arriving on external interfaces except the port the DNAT is meant to expose.
See also:
* https://serverfault.com/questions/551487/dnat-from-localhost-127-0-0-1
### Persistent IP tables
* <https://packages.debian.org/trixie/iptables-persistent>
The rules set above live only in the running kernel and are lost on reboot. On Debian 13 the usual way to make them permanent is the `iptables-persistent` package (a plugin for `netfilter-persistent`, the service that restores them at boot).
First, install the package:
```
sudo apt-get update
sudo apt-get install iptables-persistent
```
During installation debconf asks whether to save the current IPv4 and IPv6 rules; answer Yes. If you are not prompted, or after changing rules later, save them by hand:
```
sudo iptables-save | sudo tee /etc/iptables/rules.v4
sudo ip6tables-save | sudo tee /etc/iptables/rules.v6
```
(`sudo netfilter-persistent save` writes the same two files.) The `netfilter-persistent` systemd service feeds them to `iptables-restore` at boot, and `sudo netfilter-persistent reload` applies an edited file without rebooting. Read the saved file before trusting it: whatever was in the running tables at save time, including a leftover permissive rule or an ACCEPT policy left behind by the flush above, is what comes back at the next boot.
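Putting the forwarding and persistence steps together, the following is an added example (not from the original notes) that emits the same setup as an `iptables-restore` ruleset, i.e. the format `/etc/iptables/rules.v4` holds, and checks it for the properties a host like this wants: DROP policies on INPUT and FORWARD, a DNAT that only matches the uplink interface, no blanket MASQUERADE, and a REDIRECT in the nat OUTPUT chain so connections made on the host to its own public port also reach the local service. The interface name `eth0`, the ports 80 and 8080 and SSH on port 22 are assumptions for the example.

```shell
#!/bin/sh
# Added example: generate and sanity-check an iptables-restore ruleset that
# sends a public TCP port to a service bound to 127.0.0.1 as a normal user.
# Interface name, ports and the SSH port are assumptions, not from the notes.

# gen_rules WAN_IFACE PUBLIC_PORT LOCAL_PORT
# Prints a ruleset in the format iptables-save/iptables-restore use, which is
# what netfilter-persistent reads from /etc/iptables/rules.v4.
gen_rules() {
    wan=$1; pub=$2; lport=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Only packets arriving on the uplink are rewritten (needs route_localnet=1).
-A PREROUTING -i $wan -p tcp --dport $pub -j DNAT --to-destination 127.0.0.1:$lport
# Locally generated packets skip PREROUTING; a REDIRECT in OUTPUT makes a
# connection from a shell on the host to <public-ip>:$pub reach the service too.
-A OUTPUT -o lo ! -d 127.0.0.0/8 -p tcp --dport $pub -j REDIRECT --to-ports $lport
# No MASQUERADE: the host itself answers the DNAT'd connection, so conntrack
# un-NATs the reply without any source rewrite.
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i $wan -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# The filter table sees the packet after DNAT: destination 127.0.0.1:$lport.
# Everything else aimed at 127.0.0.0/8 from the uplink hits the DROP policy.
-A INPUT -i $wan -d 127.0.0.1 -p tcp --dport $lport -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# check_rules  (ruleset on stdin)
# Returns 0 only when the ruleset has a DROP policy on FORWARD, a DNAT to
# 127.0.0.1 and no blanket MASQUERADE on POSTROUTING.
check_rules() {
    rs=$(cat)
    printf '%s\n' "$rs" | grep -q '^:FORWARD DROP' \
        || { echo "check_rules: FORWARD policy is not DROP" >&2; return 1; }
    printf '%s\n' "$rs" | grep -q -- '-j DNAT --to-destination 127\.0\.0\.1:' \
        || { echo "check_rules: no DNAT to localhost found" >&2; return 1; }
    if printf '%s\n' "$rs" | grep -q -- '-A POSTROUTING -j MASQUERADE'; then
        echo "check_rules: unrestricted MASQUERADE on POSTROUTING" >&2
        return 1
    fi
    return 0
}

# Usage as root:
#   sh forward.sh eth0 80 8080 > /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
# The ruleset is only printed when it passes check_rules.
if [ "$#" -eq 3 ]; then
    gen_rules "$@" | check_rules && gen_rules "$@"
fi
```

The generated file is what `iptables-save` would print for the same tables, so it can replace the flush-and-append script and be restored with `netfilter-persistent reload`; `check_rules` can also be run over an existing `/etc/iptables/rules.v4` to catch the blanket MASQUERADE and ACCEPT forward policy that the quick interactive version leaves behind.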
## VPN
Wireguard
## SSH
* Key-based login only, for every user, set in the global `/etc/ssh/sshd_config` (or a drop-in under `/etc/ssh/sshd_config.d/`, which Debian includes from the top of the file) rather than in a per-user `Match` block
* `PasswordAuthentication no`
* `KbdInteractiveAuthentication no` (otherwise PAM can still present a password prompt)
* `PubkeyAuthentication yes`
* `PermitRootLogin no`
* Confirm the effective values with `sshd -T`, and keep an existing session open while restarting `ssh.service` in case the new config locks you out
## Containers
The host OS is kept clean and every service goes into its own container. systemd is used for frugal container management:
* `systemd-container` package
* `systemd-nspawn` for running the containers