private-schrijfsels-en-noti.../2025/durian.srv.xor-gate.org.md


Machine

  • Scaleway Console.net Dedibox 120GB SSD

OS

  • Debian 13 trixie AMD64

Firewall

IPv4 forwarding

Serve privileged ports (< 1024) from a process running as a normal user: bind the service to an unprivileged port on localhost and let an iptables NAT rule rewrite traffic arriving on the public IP to it. Two caveats: DNAT to 127.0.0.1 only works with route_localnet enabled, which also makes 127.0.0.0/8 reachable from the public interface, so packets arriving there for a localhost-only daemon must be dropped by a filter rule unless our DNAT produced them; and packets generated on the host itself never traverse PREROUTING, so the public port is not reachable from the box (a matching rule in the nat OUTPUT chain fixes that).

/usr/sbin/iptables -F # flush all rules in the filter table
/usr/sbin/iptables -t nat -F # flush all nat rules
/usr/sbin/iptables -X # delete user-defined chains in the filter table
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 127.0.0.1:8080 # public :80 -> localhost :8080 (add -i <iface> to limit it to the public interface)
/usr/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE # not needed for the DNAT above: the packet is delivered locally and conntrack un-NATs the replies; if kept, scope it with -o <iface>
/usr/sbin/iptables -t nat -L -v # list the nat table with packet counters

/etc/sysctl.conf:

# Not required for DNAT to a local address: the rewritten packet goes through INPUT, not FORWARD.
net.ipv4.ip_forward = 1
# Required: accept packets for 127/8 on a non-loopback interface. Can be limited to the
# public interface with net.ipv4.conf.<iface>.route_localnet instead of conf.all.
net.ipv4.conf.all.route_localnet = 1

/sbin/sysctl -p

See also:

Persistent IP tables

The rules you have set are temporary and will be lost on reboot. To make them permanent on Debian 13, you need to use the iptables-persistent package.

First, install the package:

sudo apt-get update
sudo apt-get install iptables-persistent

During the installation, you will be prompted to save your current iptables rules. Make sure to confirm "Yes". If you are not prompted, you can manually save the rules with these commands:

sudo iptables-save | sudo tee /etc/iptables/rules.v4
sudo ip6tables-save | sudo tee /etc/iptables/rules.v6

The netfilter-persistent service (which iptables-persistent plugs into) loads these rules at startup. On Debian 13 iptables is the nf_tables-backed build; do not also enable nftables.service, whose default /etc/nftables.conf starts with "flush ruleset" and would wipe these rules. Note that rules.v4 does nothing for IPv6: if the Dedibox has an IPv6 address, port 80 over IPv6 needs its own ip6tables rules.
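The NAT setup and the persistence step above, as one added example script (not from the original notes): it emits the complete nat and filter ruleset as iptables-restore input so it can be reviewed, parsed with --test, applied atomically and written to /etc/iptables/rules.v4 in one go. The interface name eth0, SSH on port 22 and the 80:8080 / 443:8443 port pairs are assumptions (override them via the environment); the sysctl goes into a sysctl.d file instead of /etc/sysctl.conf, and it enables route_localnet on the public interface only.

```shell
#!/bin/sh
# Added example (not from the original notes): emit the nat + filter ruleset
# as iptables-restore input, review it, apply it atomically, persist it.
# Assumptions: public interface eth0 (a name without dots), SSH on 22, and
# the constructed PORT_MAP pairs below; override them via the environment.
set -eu

PUB_IF="${PUB_IF:-eth0}"                    # assumed public interface name
SSH_PORT="${SSH_PORT:-22}"
PORT_MAP="${PORT_MAP:-80:8080 443:8443}"    # public:localhost pairs (sample)

emit() { printf '%s\n' "$@"; }

# iptables-restore replaces each table atomically, so no separate -F/-X step.
gen_rules() {
  emit '*nat' \
       ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]' \
       ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
  for pair in $PORT_MAP; do
    pub=${pair%%:*}; loc=${pair##*:}
    # Only packets entering on the public interface are rewritten.
    emit "-A PREROUTING -i $PUB_IF -p tcp --dport $pub -j DNAT --to-destination 127.0.0.1:$loc"
    # Locally generated packets skip PREROUTING; this makes
    # "curl http://<public-ip>/" on the box itself reach the service too.
    emit "-A OUTPUT -o lo -p tcp --dport $pub -j DNAT --to-destination 127.0.0.1:$loc"
  done
  # No MASQUERADE: the rewritten packet is delivered locally (INPUT, not
  # FORWARD), and conntrack un-DNATs the replies by itself.
  emit 'COMMIT'

  emit '*filter' \
       ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
       '-A INPUT -i lo -j ACCEPT' \
       '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
       '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
       '-A INPUT -p icmp -j ACCEPT' \
       "-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT"
  # (add the WireGuard UDP port here the same way)
  for pair in $PORT_MAP; do
    loc=${pair##*:}
    # The filter table sees the post-DNAT address: accept 127.0.0.1:$loc on
    # the public interface only when our DNAT rule produced it.
    emit "-A INPUT -i $PUB_IF -d 127.0.0.1 -p tcp --dport $loc -m conntrack --ctstate DNAT -j ACCEPT"
  done
  # route_localnet makes 127/8 routable from $PUB_IF; drop anything else
  # aimed at a localhost-only daemon (the DROP policy already covers it,
  # the explicit rule makes the intent and the counters visible).
  emit "-A INPUT -i $PUB_IF -d 127.0.0.0/8 -j DROP"
  emit 'COMMIT'
}

gen_sysctl() {
  # Per-interface route_localnet (it is OR-ed with conf.all) and no
  # ip_forward: nothing in this ruleset is forwarded.
  emit "net.ipv4.conf.$PUB_IF.route_localnet = 1"
}

apply_rules() {
  gen_rules | iptables-restore --test          # parse only, kernel untouched
  gen_sysctl > /etc/sysctl.d/90-localnet-dnat.conf
  sysctl -p /etc/sysctl.d/90-localnet-dnat.conf
  gen_rules | iptables-restore
  gen_rules > /etc/iptables/rules.v4           # what iptables-persistent loads at boot
}

case "${1:-show}" in
  show)  gen_rules; gen_sysctl ;;
  apply) apply_rules ;;
esac
```

`sh dnat.sh` prints the ruleset for review; `sudo sh dnat.sh apply` installs and persists it. Because the INPUT policy is DROP, run the first apply from the console or with a second SSH session open: --test catches syntax errors, not a wrong SSH_PORT.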

VPN

Wireguard

SSH

  • Key-based logins only, no root (in the global /etc/ssh/sshd_config)
    • PasswordAuthentication no
    • PubkeyAuthentication yes
    • PermitRootLogin no
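The three directives as a drop-in plus a check of what sshd actually applies, as an added example (not from the original notes). Debian's /etc/ssh/sshd_config starts with Include /etc/ssh/sshd_config.d/*.conf and sshd keeps the first value it reads for each keyword, so a drop-in that sorts later (one written by an image-provisioning tool, for instance) can silently win; hence the 00- prefix on the assumed file name and the comparison against sshd -T output. KbdInteractiveAuthentication no is an addition to the list above: with UsePAM yes, sshd can still prompt for a password through keyboard-interactive when only PasswordAuthentication is off.

```shell
#!/bin/sh
# Added example (not from the original notes): write the hardening directives
# as a drop-in that sorts first, then verify the *effective* sshd config.
# The drop-in file name is an assumption.
set -eu

DROPIN=/etc/ssh/sshd_config.d/00-hardening.conf   # assumed name; "00-" sorts first

# Expected effective values in the lowercase key=value form `sshd -T` prints.
# kbdinteractiveauthentication is added to the notes' three directives.
EXPECTED="passwordauthentication=no pubkeyauthentication=yes permitrootlogin=no kbdinteractiveauthentication=no"

emit() { printf '%s\n' "$@"; }

write_dropin() {
  cat > "$DROPIN" <<'EOF'
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
KbdInteractiveAuthentication no
EOF
  sshd -t   # syntax check of the whole config before reloading
}

# Compare `sshd -T` output (stdin) against EXPECTED; prints every mismatch
# and returns 1 if any directive differs or is missing.
check_sshd_effective() {
  cfg=$(cat)
  rc=0
  for kv in $EXPECTED; do
    key=${kv%%=*}; want=${kv#*=}
    got=$(printf '%s\n' "$cfg" | awk -v k="$key" '$1 == k { print $2; exit }')
    if [ "$got" != "$want" ]; then
      emit "MISMATCH: $key is '${got:-<unset>}', expected '$want'"
      rc=1
    fi
  done
  return $rc
}

case "${1:-}" in
  write) write_dropin ;;
  check) sshd -T | check_sshd_effective ;;   # sshd -T needs root (reads host keys)
  *)     emit "usage: $0 write|check" >&2 ;;
esac
```

`sudo sh sshcheck.sh write && sudo systemctl reload ssh`, then `sudo sh sshcheck.sh check`; a non-zero exit with MISMATCH lines means another included file or the main config is overriding the drop-in.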

Containers

The host OS will be kept clean and every service goes into its own container. systemd will be used for frugal container management. Note that systemd-nspawn shares the host's network namespace unless --private-network or VirtualEthernet= is used, so a service inside a container that listens on 127.0.0.1:8080 is exactly the localhost listener the DNAT rule above points at:

  • systemd-container pkg
  • systemd-nspawn feature