Debian on WRAP: STEP 6


Posted by Ed on 07/19/2005 @ 07:19 AM

Ok, not everyone gets it perfect the first bootup. You'll want to read this one before or alongside the rest of the steps.

They can be reached through the main page.


1. First things first. When configuring the kernel, you'll want to remove all kernel preemption. It seems to cause a race with the e2compr patch. With no preemption, everything runs flawlessly.

2. Second, my method for updating the ro filesystem with the rw tmpfs ones didn't work. Apparently, things using a --bind'd file's path won't be automatically redirected to the actual mountpoint if you try to umount the --bind'd mountpoint.

So we simply go in reverse: we remount / as rw and create a directory in /tmp to mount --bind it to.
mount -o remount,rw /dev/hda1;
mkdir /tmp/root_fs_cf;
mount --bind / /tmp/root_fs_cf;

Then we do our copying from the tmpfs directories the same way we had in our script, with the new path instead of just /:

cp -r -u /etc /tmp/root_fs_cf
cp -r -u /var /tmp/root_fs_cf
cp -r -u /root /tmp/root_fs_cf
cp -r -u /home /tmp/root_fs_cf

Now umount our rootfs bind and remount it ro,noatime and we're done.
umount /tmp/root_fs_cf;
mount -o remount,ro,noatime /dev/hda1;

This method is actually much better than my original method. Make sure you update your cron file if you have one set up; you'll end up with a bunch of unnecessary mount --bind's and failure messages if you don't.
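
The same sync sequence wrapped in a function, as an added example (not the author's script): it skips the copy if the bind mount fails and always tries to put / back to ro,noatime afterwards. DRY_RUN, run, cleanup and sync_to_cf are names made up for this example; the device, paths and cp options are the ones used above.

```sh
#!/bin/sh
# Added example, not the author's script. DRY_RUN, run, cleanup and
# sync_to_cf are hypothetical names; device and paths are the page's.
ROOT_DEV=/dev/hda1
BIND_DIR=/tmp/root_fs_cf
SYNC_DIRS="/etc /var /root /home"
DRY_RUN=${DRY_RUN:-0}

# Print the command when DRY_RUN=1, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Drop the bind mount and put / back to read-only; the remount is
# attempted even if the umount fails.
cleanup() {
    crc=0
    run umount "$BIND_DIR" || crc=1
    run mount -o remount,ro,noatime "$ROOT_DEV" || crc=1
    return "$crc"
}

sync_to_cf() {
    rc=0
    run mount -o remount,rw "$ROOT_DEV" || return 1
    # Without the bind mount, cp would write under /tmp instead of to
    # the root filesystem, so the copy is skipped if the bind fails.
    { run mkdir -p "$BIND_DIR" && run mount --bind / "$BIND_DIR"; } || rc=1
    if [ "$rc" -eq 0 ]; then
        for d in $SYNC_DIRS; do
            # cp -r -u as on the page; new files end up owned by the
            # invoking user (cp -a -u would keep owner and mode).
            run cp -r -u "$d" "$BIND_DIR" || rc=1
        done
    fi
    cleanup || rc=1
    return "$rc"
}

# Run for real only when asked: sh sync_to_cf.sh --run
if [ "${1:-}" = "--run" ]; then sync_to_cf; fi
```

With DRY_RUN=1 the function only prints the commands it would run, which is a safe way to check the sequence before putting it in cron.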


3. Third, my iptables rules were slightly off.
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to $EXTIP

iptables -A FORWARD -t filter -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -t filter -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -j ACCEPT -s 192.168.1.0/24 -i eth1
iptables -A OUTPUT -j ACCEPT -d 192.168.1.0/24 -o eth1


OK, that _is_ the desired iptables setup for a minimal setup to share a LAN on interface 1 with the internet on interface 2.


4. Fourth, just a reminder to pay attention to /var. If you use apt, you need to really watch your sizes. Debian pkg lists are really, really big, and Debian uncompresses the list and keeps the compressed one; basically, over half of the used space in /var is Debian's pkg lists. Also, watch out for corruption of /var/wtmp. wtmp should hold login info and such, though certain programs could corrupt it due to libc5 and libc6 inconsistencies. If you're OK with it, just delete the file and use some other type of intrusion detection. I found mine to be 7MB by the morning for some reason and, upon reading, it was full of binary garbage, something it probably shouldn't have.

Well, that's all the fixes for now. The wrap box is up and functional here.

