How to set up a firewall using a DE2700

NOTES

On the back of the DE2700, the upper right USB port is where you should plug in your keyboard; hitting Del on startup will get you into the DE2700's BIOS. I don't know why the other USB ports don't respond the same way to a keyboard, but they don't.

Ensure you set up the BIOS to boot from the device you have Ubuntu on, because the BIOS seems to get changed by Ubuntu (I'm guessing) so that it forgets it should not boot off the internal hard drive first!

Also, the first time you boot Ubuntu off your boot media (I used a bootable USB stick), you will need to boot into Linux recovery mode and pass nomodeset as one of the kernel arguments; otherwise, the screen will go blank on startup.

In fact, once your installation is complete, you will want to change /etc/default/grub so that

GRUB_CMDLINE_LINUX_DEFAULT=""
becomes
GRUB_CMDLINE_LINUX_DEFAULT=" nomodeset "

On the back of the DE2700, eth0 is the left ethernet jack, and eth1 is the right ethernet jack.

Install Ubuntu 11.04 Server Edition, 32-bit

Sadly, the Atom processor in the DE2700 is a 32-bit processor.

When you install Ubuntu, manually partition it so that there is only one primary partition, instead of partitions for /, /boot, and swap.

Set IP forwarding

Ensure these lines are in /etc/sysctl.conf:

net.ipv4.ip_forward=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_source_route=0

Install dnsmasq

dnsmasq is a great little daemon that can act as a DHCP (and DNS) server for the rest of your network.

apt-get install dnsmasq

Ubuntu will "helpfully" start up dnsmasq for you, but you don't want it running until you have configured it, so shut it down:

/etc/init.d/dnsmasq stop

Use this as /etc/dnsmasq.custom:

domain-needed
bogus-priv
local=/localnet/
expand-hosts
domain=localnet
interface=eth1
listen-address=127.0.0.1

dhcp-range=localnet,192.168.1.100,192.168.1.149,12h
dhcp-lease-max=100

Then, open up /etc/default/dnsmasq, and ensure this line is present:

DNSMASQ_OPTS="--conf-file=/etc/dnsmasq.custom"

Set up your ethernet ports

Put this in /etc/network/interfaces:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# WAN interface
auto eth0
iface eth0 inet dhcp

# LAN interface
auto eth1
iface eth1 inet static
    address 192.168.1.1
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255

Set up your firewall

First, put this in /etc/rc.local:

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

# run the firewall script (it must be executable)
/etc/iptables_nat_router.sh

exit 0

Then, put this in /etc/iptables_nat_router.sh:

#!/bin/sh
#
# iptables firewall script for sharing
# broadband Internet, with no public services
#
# From Linux Networking Cookbook, by Carla Schroder, O'Reilly, 2007
#
# NOTE!!! Forwarding will not work unless
# /proc/sys/net/ipv4/ip_forward == '1'
# preferably set not here but through /etc/sysctl.conf

# define variables
ipt="/sbin/iptables"
mod="/sbin/modprobe"
WAN_IFACE="eth0"
LAN_IFACE="eth1"

#basic set of kernel modules
$mod ip_tables  # now compiled into kernel as of f10
$mod ip_conntrack  # now compiled into kernel as of f10 
$mod iptable_filter  # now compiled into kernel as of f10 
$mod iptable_nat
$mod iptable_mangle
$mod ipt_LOG
$mod ipt_limit
$mod ipt_state  # now compiled into kernel as of f10 
$mod ipt_MASQUERADE

#add these for IRC and FTP
$mod ip_nat_ftp
$mod ip_nat_irc
$mod ip_conntrack_ftp
$mod ip_conntrack_irc

# Flush all active rules and delete all custom chains
$ipt -F
$ipt -t nat -F
$ipt -t mangle -F
$ipt -X
$ipt -t nat -X
$ipt -t mangle -X

#Set default policies
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
$ipt -t nat -P OUTPUT ACCEPT
$ipt -t nat -P PREROUTING ACCEPT
$ipt -t nat -P POSTROUTING ACCEPT
$ipt -t mangle -P PREROUTING ACCEPT
$ipt -t mangle -P POSTROUTING ACCEPT

#this line is necessary for the loopback interface
#and internal socket-based services to work correctly
$ipt -A INPUT -i lo -j ACCEPT

#Enable IP masquerading
$ipt -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE

#Enable unrestricted outgoing traffic, incoming
#is restricted to locally-initiated sessions only
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow ssh access from LAN, but not WAN
$ipt -A INPUT -i $LAN_IFACE -p tcp -s 192.168.1.0/24 --dport 22 --syn -m state --state NEW -j ACCEPT

# Allow DNS access from LAN
$ipt -A INPUT -i $LAN_IFACE -p udp -s 192.168.1.0/24 --dport 53 -j ACCEPT
$ipt -A INPUT -i $LAN_IFACE -p tcp -s 192.168.1.0/24 --dport 53 -j ACCEPT

# Allow DHCP access from LAN
$ipt -A INPUT -i $LAN_IFACE -p udp --dport 67 -j ACCEPT
$ipt -A INPUT -i $LAN_IFACE -p udp --dport 68 -j ACCEPT

# Accept important ICMP messages
$ipt -A INPUT -p icmp --icmp-type echo-request  -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

#Reject connection attempts not initiated from inside the LAN
$ipt -A INPUT -p tcp --syn -j DROP
# XXX: what about dropping unwanted UDP?
# (unsolicited UDP, like anything else not accepted above, falls through to the INPUT DROP policy set earlier)
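
As an added example (not from the original page), here is a small POSIX sh audit that reads an iptables-save dump and checks that the posture the script above intends actually holds: INPUT and FORWARD policies DROP, MASQUERADE only on the WAN interface, and no INPUT ACCEPT rule reachable from the WAN other than reply traffic and the ICMP types the script allows. The two dumps inside it are constructed samples, and it assumes the older `-m state --state` output format that Ubuntu 11.04's iptables produces.

```shell
#!/bin/sh
# Added audit helper (not from the page): checks an `iptables-save` dump for the posture
# the router script above establishes. Both dumps below are constructed, abridged samples.
WAN_IFACE="eth0"; LAN_IFACE="eth1"
# What `iptables-save` prints after the script runs (Ubuntu 11.04 era `-m state` syntax)
GOOD_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT'
# A misconfigured box: FORWARD policy left open, ssh reachable from the WAN side, no NAT rule
BAD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'
# policy_of TABLE CHAIN: print the default policy of CHAIN in TABLE, read from $RULES
policy_of() {
    printf '%s\n' "$RULES" | awk -v t="*$1" -v c=":$2" '
        $1 == t { in_t = 1; next }
        /^\*/ { in_t = 0 }
        in_t && $1 == c { print $2; exit }'
}
# audit_rules DUMP: print each violation; return 0 when the posture holds, 1 otherwise.
# On the router itself, run it as: audit_rules "$(iptables-save)"
audit_rules() {
    RULES="$1"; rc=0
    [ "$(policy_of filter INPUT)" = DROP ] || { echo "INPUT policy is not DROP"; rc=1; }
    [ "$(policy_of filter FORWARD)" = DROP ] || { echo "FORWARD policy is not DROP"; rc=1; }
    # masquerading belongs on the WAN interface and nowhere else
    printf '%s\n' "$RULES" | grep -q -e "-A POSTROUTING -o $WAN_IFACE -j MASQUERADE" \
        || { echo "no MASQUERADE on $WAN_IFACE"; rc=1; }
    printf '%s\n' "$RULES" | grep -e '-j MASQUERADE' | grep -qv -e "-o $WAN_IFACE " \
        && { echo "MASQUERADE on a non-WAN interface"; rc=1; }
    # every INPUT ACCEPT must be loopback, LAN-only, reply traffic, or ICMP (as in the script)
    printf '%s\n' "$RULES" | grep -e '^-A INPUT ' | grep -e '-j ACCEPT' \
        | grep -Evq -e "-i lo |-i $LAN_IFACE |--state RELATED,ESTABLISHED|-p icmp " \
        && { echo "INPUT accepts unsolicited traffic not limited to $LAN_IFACE"; rc=1; }
    return $rc
}
audit_rules "$GOOD_RULES" && echo "ruleset OK"
audit_rules "$BAD_RULES" || echo "ruleset needs attention"
```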

Finally, if you are using an SSD in your DE2700, add noatime and discard to your /etc/fstab so that your SSD will last longer.

So an entry like

UUID=7c77dcd1-39c8-47c1-9724-8cec7b78ea75 /               ext4    errors=remount-ro 0       1

will end up like

UUID=7c77dcd1-39c8-47c1-9724-8cec7b78ea75 /               ext4    discard,noatime,errors=remount-ro 0       1