Server Setup with Debian 9 (Stretch)

Overview

During system setup tasksel will ask what to install. Choose only “Basic system tools” and “SSH server”.

Networking

Network card names have changed from eth* to more specific ones based on chipset and bus location. Beware: during installation one of the cards was named enp5s0, but after the first reboot it had changed to enp6s0, so networking did not work as expected.

NAT (IPv4)

General IP forwarding has to be enabled in /etc/sysctl.conf by uncommenting net.ipv4.ip_forward=1. Masquerading is done via iptables and a hook in /etc/network/interfaces. The commented iptables script is saved as /etc/network/00-nat:

#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

LAN=enp3s0
WAN=enp6s0

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT

# Allow established connections, and those not coming from the outside.
# Note: this script sets no chain policies. While the INPUT policy is the
# default ACCEPT, the INPUT rules here do not block anything.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT

# Don't forward leftovers from the outside to the inside.
iptables -A FORWARD -i $WAN -o $LAN -j REJECT

The script is called through an up hook in /etc/network/interfaces when the interface enp6s0 comes up, so it must be executable:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto enp6s0
iface enp6s0 inet static
        address 192.168.2.254
        netmask 255.255.255.0
        gateway 192.168.2.1
        # dns-* options are implemented by the resolvconf package, if installed.
        # Use 127.0.0.1 if a local DNS resolver is used.
        dns-nameservers 192.168.2.1
        up /etc/network/00-nat

auto enp3s0
iface enp3s0 inet static
        address 192.168.33.33
        netmask 255.255.255.224

At this point networking should be working after rebooting the machine. For machines which should be accessible from the outside a dynamic DNS service such as FreeDNS is handy. Account updates can be handled with a single crontab entry:

@hourly wget -O - "https://freedns.afraid.org/dynamic/update.php?<id>" >/dev/null 2>&1

Other services

The machine is now providing internet access and can be remotely accessed via SSH. Other services are described in separate articles in preferred setup order:

Miscellaneous

Birthday reminder

Using birthday and cron provides us with mails for upcoming events. Edit ~/.birthdays accordingly and add @daily birthday to the crontab.

RSS feeds via email

Using rss2email, RSS feeds can be received without using an explicit RSS reader. For details see man r2e. Automation can be done via cron:

@hourly r2e run

Note for backups: Configuration files are located in ~/.local/share/rss2email.json and ~/.config/rss2email.cfg.