Secure and Manage Voyage Linux

Last week we installed Voyage Linux on a Compact Flash card. Today we'll learn basic package management, set up networking, and build a basic firewall that allows remote SSH administration.

Wired Networking

Wired Ethernet interfaces are easy. Just configure them in the usual way, in /etc/network/interfaces. You should do this while your Compact Flash card is still mounted on your Linux PC.

Voyage Linux helpfully includes a set of sample configurations. Suppose you're building an Internet gateway for a small network. You'll have a WAN interface and a LAN interface. Your LAN interface must be a static address, and your WAN address depends on what type of Internet account you have. So let's say your WAN interface is eth0, and the LAN interface is eth1:

#this is required. always include this
auto lo
iface lo inet loopback

#WAN is DHCP
auto eth0
iface eth0 inet dhcp

#WAN is static (addresses come from your ISP)
auto eth0
iface eth0 inet static
        address 12.34.56.78
        gateway 12.34.56.1
        netmask 255.255.255.0

#LAN must be static. You assign an address
auto eth0
iface eth0 inet static
       address 192.168.1.50
       network 192.168.1.0
       netmask 255.255.255.0
       broadcast 192.168.1.255

Delete whichever WAN configuration you're not going to use, and you might want to label the physical ports and cables so you always know which one is which.

Now you can install your Compact Flash card on your routerboard, power it up, plug in your LAN port and open an SSH session. The default login is "root" and the default password is "voyage", which you obviously must change right away:

$ ssh root@192.168.1.50
# remountrw
# passwd root
# remountro

Software Management

Voyage is based on Debian Etch, and it uses familiar old apt-get for package management and dependency-resolving. Voyage's filesystem is mounted read-only by default, so you have to change to read/write, make your changes, then change it back to read-only. Installing or removing packages is done with these commands:

# remountrw
# apt-get install [package name]
# apt-get remove [package name]
# remountro

When you're removing a package, adding the --purge option also gets rid of configuration files. Always return the filesystem to read-only to prevent accidental mistakes, and to extend the life of your Compact Flash card.

Just like on Debian, run apt-get update && apt-get upgrade periodically to keep your system up-to-date. And run apt-get clean regularly to remove downloaded packages, to save space.

Firewall

Now you'll want a nice iptables firewall, both for protection and for sharing an Internet connection. Voyage comes with a script for generating a simple NAT iptables firewall, /usr/local/sbin/nat.sh. It's no good if you're running any public services, but it's fine for protecting a private network with no public services. The way to use it is either create a startup link and run it at boot, or run it from your /etc/network/interfaces, like this:

#WAN address
auto eth0
iface eth0 inet static
        address 12.34.56.78
        gateway 12.34.56.1
        netmask 255.255.255.0
        up nat.sh eth0 eth1 "192.168.1.0/24"

The syntax is nat.sh [nat device] [output device] [network address].