Home Router in 2003: Debian Woody, iptables and the Stuff Which Runs

Now the router is in a phase where I trust it.

This is a good feeling. It is not the first-time excitement of the early SuSE days, and it is also not the hack-pride feeling from the D-channel/syslog trick. It is something else. The machine is simply there. It routes. It resolves. It gives leases. It proxies web. It zaps ads. It survives reboot. It is part of the flat now, like the switch or the shelf.

The disk swap from the 486 into the Cyrix box worked. Debian Potato was first on that disk, but by now I moved the system further to Debian Woody. That means kernel 2.4, and now finally iptables instead of ipchains.

The move from Potato to Woody

This is not a dramatic migration like the first Debian step. This one is more calm.

The big practical reason is netfilter and iptables. I want the 2.4 generation now. I want the more modern firewall and NAT setup, and I also want to stay on a current stable Debian instead of freezing forever on Potato.

So now the stack looks like this:

  • Debian Woody
  • kernel 2.4
  • iptables
  • bind9
  • dhcpd
  • Squid
  • Adzapper
  • PPPoE on DSL

This already feels much more modern than the original SuSE 5.3 plus ISDN phase.

The box itself

The hardware is still the same Cyrix Cx133 box. Beige, boring, a bit dusty, absolutely fine.

With 32 MB RAM it is much happier than in the 8 MB starting phase. This is one of the reasons I am glad I did not keep the 486 as the final router. The 486 was okay for proving the install and services, but the Cyrix with more memory is simply the better place for Squid and general peace.

The Teles card is still physically there for some time after DSL. Then it becomes more and more irrelevant. I keep the old configs around for a while because deleting old working things always feels dangerous. Only much later do I stop caring about the old ISDN remains.

Local services: the boring ones and the useful ones

The router is not only a router anymore. It is the small local infrastructure box.

DHCP

dhcpd does what it should do and I mostly do not think about it anymore. Which is good.

Clients come, they get an address, gateway, DNS, and that is it. If DHCP is broken, everyone notices fast. If it works, nobody says anything. This is one of the purest sysadmin services in the world.

DNS

Now I use bind9, not the old bind8 from the Potato phase. Still forwarding, still simple. I am not suddenly becoming an authority server wizard. I still want a local cache and one place for clients to ask.

What I like is that DNS problems are easier to see now because the line is always on. In the ISDN phase one could confuse line-down issues and DNS issues very easily. With DSL that whole category of confusion is much smaller.

Squid + Adzapper

Squid remains important. Maybe less dramatic than on ISDN, because the DSL line is already much nicer. But the proxy still gives me cache, central control, and with Adzapper it still gives me a better web.

Adzapper is honestly one of my favourite small pieces in the whole setup. It is so unnecessary and so useful at the same time. Web pages are getting heavier and more stupid. Banners everywhere. Counters. Tracking garbage. The proxy says no and shows a small zapped replacement. Perfect.

iptables: finally a nicer firewall world

With Woody and kernel 2.4 I finally move to iptables.

The logic is not new. I already know what I want the firewall to do:

  • default deny where sensible
  • allow established traffic back in
  • let the internal network out
  • do masquerading on the DSL side
  • only open specific ports intentionally

But the framework feels cleaner now.

My base script is still very normal:

#!/bin/sh
# eth0 = LAN side, ppp0 = DSL/PPPoE side
# Forwarding must be on, or nothing gets routed (Woody can also set ip_forward=yes in /etc/network/options)
echo 1 > /proc/sys/net/ipv4/ip_forward
# Start from a clean slate
iptables -F
iptables -t nat -F
# Default deny for what comes in and what passes through; the box itself may talk out
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Replies to connections we or the LAN started may come back in
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# The internal network may go out, masqueraded behind the DSL address
iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# ssh to the router, only from the LAN side
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

This is not a firewall masterpiece. It is just a decent honest firewall for a home router.

And this is enough for me.
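The same five-point policy from above, written as an added example (not the post's own script) in the shape I would hand to someone building such a box: the rule list sits in one function behind a small wrapper so it can be printed and checked before it touches the kernel, the LAN prefix is pinned on the forward and ssh rules as cheap anti-spoofing, rate-limited logging shows what the DROP policy eats on the DSL side, and an apply-with-timer guards against the classic "typo noticed from the wrong side of the router" lockout. It assumes eth0 = LAN and ppp0 = DSL as in the post; the LAN prefix 192.168.1.0/24 and the marker path /tmp/fw-pending are constructed sample values.

```shell
#!/bin/sh
# Added example, not the post's own script. Assumed: eth0 = LAN, ppp0 = DSL (as in
# the post); LAN prefix and marker file path below are constructed sample values.
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-ppp0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
DRY_RUN=${DRY_RUN:-0}
PENDING=${PENDING:-/tmp/fw-pending}

# ipt: same rule list can be printed (DRY_RUN=1) or applied (DRY_RUN=0, needs root)
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

fw_rules() {
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Forward only packets that really carry a LAN source address (cheap anti-spoofing)
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    # ssh to the router only from the LAN interface and the LAN prefix, never from ppp0
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    # Log, rate limited, what the INPUT DROP policy is about to eat on the DSL side,
    # so a scan or a broken client shows up in syslog instead of vanishing silently
    ipt -A INPUT -i "$WAN_IF" -m limit --limit 5/min -j LOG --log-prefix "fw-in-drop: "
}

# Print the rule set without touching the kernel (review before apply)
fw_print() ( DRY_RUN=1; fw_rules )

# Number of INPUT rules that accept anything arriving on the WAN side; must be 0
fw_wan_input_accepts() {
    fw_print | grep -c -- "-A INPUT -i $WAN_IF .*-j ACCEPT" || true
}

# Rollback: reopen INPUT so an admin locked out by a typo gets back in
fw_rollback() {
    ipt -F INPUT
    ipt -P INPUT ACCEPT
}

# Apply with a 60 s safety timer: unless "confirm" is run from a working ssh
# session (removing the marker), INPUT is reopened automatically.
fw_apply_guarded() {
    fw_rules
    : > "$PENDING"
    ( sleep 60; [ -e "$PENDING" ] && fw_rollback ) &
}
fw_confirm() { rm -f "$PENDING"; }

# Usage: sh fw.sh print | apply | confirm
case "${1:-}" in
    print)   fw_print ;;
    apply)   fw_apply_guarded ;;
    confirm) fw_confirm ;;
esac
```

The order of the two steps matters: run `print` and eyeball the output (or grep it, as the check function does) from the machine you are sitting at, then `apply` from an ssh session on the LAN side and `confirm` from that same session once you see it still works. If the session dies, the timer reopens INPUT and you can fix the typo instead of walking to the box.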

Things that changed since DSL

The biggest change after DSL is not only speed. It is mentality.

On ISDN I was always thinking in sessions:

  • line up
  • line down
  • should I bring it up now
  • did the first request trigger it
  • will this cost something stupid

On DSL this is gone. The connection is just there. That means I can think much more about service quality and less about connection state.

That is maybe why the router in 2003 feels more complete. The old uplink logic noise is gone, so the rest of the machine can come into focus.

Things that still annoy me

Not all is paradise of course.

Sometimes PPPoE feels a bit ugly. Sometimes package upgrades want a bit too much trust. Sometimes Squid config debugging is still a way to lose an evening. And sometimes I make one firewall typo and then of course I only notice it when I am on the wrong side of the router.

But these are good problems. They are now normal Linux administration problems, not existential connection problems.

Also I still keep too many old notes and backup files. The system is half clean and half archaeology. This is maybe standard student-admin style.

What I use this machine for now

The funny thing is that the router is no longer just about internet access. It is a little confidence machine.

When I want to test something network related, I have a real place for it. When I want to understand a service, I can run it there. When I want to make some small infrastructure experiment, I do not need to imagine it, I can really do it.

This maybe sounds bigger than a home router deserves, but I think many people who did such boxes know exactly this feeling. A machine at the edge of the network teaches a lot because it sits exactly where things become real.

What comes next

I do not think this box is finished. It is only stable enough that I can now be a bit more calm.

Maybe next I write more detailed notes about:

  • iptables rules I actually keep
  • Squid and Adzapper config
  • what I changed from Potato to Woody
  • maybe some monitoring because right now I still trust too much and measure too little

For now I mostly enjoy that the DSL LED is stable, Debian is on the box, the Cyrix is still alive, and all the little services come up after reboot without drama.

That alone is already very good.

2003-03-02