NOTES
On the back of the DE2700, the upper right USB port is where you should plug in your keyboard; hitting del on startup will get you into the DE2700's BIOS. I don't know why the other USB ports don't respond the same way to a keyboard, but they don't.
On the back of the DE2700, eth0 is the left ethernet jack, and eth1 is the right ethernet jack.
Install Ubuntu 11.04 Server Edition, 32-bit
Sadly, the Atom processor in the DE2700 is a 32-bit processor.
Set IP forwarding
Ensure these lines are in /etc/sysctl.conf:
net.ipv4.ip_forward=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_source_route=0
Install dnsmasq
dnsmasq is a great little daemon that can act as a DHCP server and DNS forwarder for the rest of your network.
apt-get install dnsmasq
Ubuntu will "helpfully" start up dnsmasq for you, but you haven't configured it yet, so shut it down:
/etc/init.d/dnsmasq stop
Use this as /etc/dnsmasq.conf:
domain-needed
bogus-priv
local=/localnet/
expand-hosts
domain=localnet
# Serve DHCP and DNS on the LAN side only (eth1 per /etc/network/interfaces below), never on the WAN side
interface=eth1
listen-address=127.0.0.1
dhcp-range=localnet,192.168.1.100,192.168.1.149,12h
dhcp-lease-max=100
Set up your ethernet ports
Put this in /etc/network/interfaces:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# WAN interface
auto eth0
iface eth0 inet dhcp
# LAN interface
auto eth1
iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
Set up your firewall
First, put this in /etc/rc.local:
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

# Load the firewall rules (the script must be executable: chmod +x /etc/iptables_nat_router.sh)
/etc/iptables_nat_router.sh

exit 0
Then, put this in /etc/iptables_nat_router.sh:
#!/bin/sh
#
# iptables firewall script for sharing
# broadband Internet, with no public services
#
# From Linux Networking Cookbook, by Carla Schroder, O'Reilly, 2007
#
# NOTE!!! Forwarding will not work unless
# /proc/sys/net/ipv4/ip_forward == '1'
# preferably set not here but through /etc/sysctl.conf

# define variables
ipt="/sbin/iptables"
mod="/sbin/modprobe"
WAN_IFACE="eth0"
LAN_IFACE="eth1"

#basic set of kernel modules
$mod ip_tables        # now compiled into kernel as of f10
$mod ip_conntrack     # now compiled into kernel as of f10
$mod iptable_filter   # now compiled into kernel as of f10
$mod iptable_nat
$mod iptable_mangle
$mod ipt_LOG
$mod ipt_limit
$mod ipt_state        # now compiled into kernel as of f10
$mod ipt_MASQUERADE

#add these for IRC and FTP
$mod ip_nat_ftp
$mod ip_nat_irc
$mod ip_conntrack_ftp
$mod ip_conntrack_irc

# Flush all active rules and delete all custom chains
$ipt -F
$ipt -t nat -F
$ipt -t mangle -F
$ipt -X
$ipt -t nat -X
$ipt -t mangle -X

#Set default policies
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
$ipt -t nat -P OUTPUT ACCEPT
$ipt -t nat -P PREROUTING ACCEPT
$ipt -t nat -P POSTROUTING ACCEPT
$ipt -t mangle -P PREROUTING ACCEPT
$ipt -t mangle -P POSTROUTING ACCEPT

#this line is necessary for the loopback interface
#and internal socket-based services to work correctly
$ipt -A INPUT -i lo -j ACCEPT

#Enable IP masquerading
$ipt -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE

#Enable unrestricted outgoing traffic, incoming
#is restricted to locally-initiated sessions only
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow ssh access from LAN, but not WAN
$ipt -A INPUT -i $LAN_IFACE -p tcp -s 192.168.1.0/24 --dport 22 --syn -m state --state NEW -j ACCEPT

# Allow DNS access from LAN
$ipt -A INPUT -i $LAN_IFACE -p udp -s 192.168.1.0/24 --dport 53 -j ACCEPT
$ipt -A INPUT -i $LAN_IFACE -p tcp -s 192.168.1.0/24 --dport 53 -j ACCEPT

# Allow DHCP access from LAN
$ipt -A INPUT -i $LAN_IFACE -p udp --dport 67 -j ACCEPT
$ipt -A INPUT -i $LAN_IFACE -p udp --dport 68 -j ACCEPT

# Accept important ICMP messages
$ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

#Reject connection attempts not initiated from inside the LAN
$ipt -A INPUT -p tcp --syn -j DROP
# XXX: what about dropping unwanted UDP?
# (the default INPUT policy is DROP, so UDP not matched by an ACCEPT rule above is already dropped)
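The interfaces file and the dnsmasq config above have to agree on which port is the LAN: dnsmasq must bind the interface holding the static 192.168.1.1 address, not the WAN port, or it ends up offering DHCP and DNS to the upstream network while the firewall blocks it from your own LAN. The following check is an added example, not part of the original notes; it assumes POSIX sh with awk and sed, takes the two file paths as arguments, and runs against constructed sample files modelled on the configs in these notes.

```shell
#!/bin/sh
# Added sanity check (not from the original notes) for the configuration
# above: it reads an interfaces(5) file and a dnsmasq config and confirms
# that dnsmasq is bound only to the LAN interface, the one carrying the
# static 192.168.1.1 address, and that its DHCP range is in that /24.
# Bound to the WAN interface instead, dnsmasq would answer DHCP/DNS for
# the upstream network while the firewall above blocks it from the LAN.

# LAN interface name and address: "iface eth1 inet static" / "address 192.168.1.1"
lan_iface()   { awk '$1=="iface" && $4=="static" {print $2; exit}' "$1"; }
lan_address() { awk '$1=="iface" && $4=="static" {s=1} s && $1=="address" {print $2; exit}' "$1"; }
# Interfaces dnsmasq binds to, and the first IPv4 address in its dhcp-range
dnsmasq_ifaces()   { sed -n 's/^interface=//p' "$1"; }
dhcp_range_start() { awk -F'[=,]' '/^dhcp-range=/ { for (i=2;i<=NF;i++) if ($i ~ /^[0-9.]+$/) {print $i; exit} }' "$1"; }

# Returns 0 when dnsmasq serves only the LAN; prints the reason and returns 1 otherwise
check_dnsmasq_lan() {
    lan=$(lan_iface "$1")
    [ -n "$lan" ] || { echo "no static (LAN) interface in $1"; return 1; }
    bound=$(dnsmasq_ifaces "$2")
    [ -n "$bound" ] || { echo "no interface= line in $2"; return 1; }
    for i in $bound; do
        [ "$i" = "$lan" ] || { echo "dnsmasq bound to $i but the LAN interface is $lan"; return 1; }
    done
    lan_net=$(lan_address "$1" | cut -d. -f1-3)
    dhcp_net=$(dhcp_range_start "$2" | cut -d. -f1-3)
    [ -n "$dhcp_net" ] && [ "$lan_net" = "$dhcp_net" ] ||
        { echo "dhcp-range is not inside $lan_net.0/24"; return 1; }
    echo "ok: dnsmasq serves $lan only ($lan_net.0/24)"
}

# Constructed sample files, modelled on the configs in these notes
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/interfaces" <<'EOF'
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0
EOF
printf 'domain=localnet\ninterface=eth0\nlisten-address=127.0.0.1\ndhcp-range=localnet,192.168.1.100,192.168.1.149,12h\n' \
    > "$SAMPLE_DIR/dnsmasq.wan"       # bound to the WAN side: wrong
sed 's/^interface=eth0/interface=eth1/' "$SAMPLE_DIR/dnsmasq.wan" > "$SAMPLE_DIR/dnsmasq.lan"

check_dnsmasq_lan "$SAMPLE_DIR/interfaces" "$SAMPLE_DIR/dnsmasq.wan" || true
check_dnsmasq_lan "$SAMPLE_DIR/interfaces" "$SAMPLE_DIR/dnsmasq.lan"
```

Run it against the real files with `check_dnsmasq_lan /etc/network/interfaces /etc/dnsmasq.conf` after editing either one; a non-zero exit means the two disagree.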