The Tiny Internet Project, Part III

Set Up the Firewall

If you want to enable a firewall on your template, this is the time to do it. It's easy with the Webmin interface—under Networking, click Linux Firewall. Check the box at the bottom that says "Enable firewall at boot time", and click the "Setup Firewall" button. Create four basic rules:

  • Accept if state of connection is ESTABLISHED,RELATED.

  • Accept if interface is not eth0.

  • Accept if source is 10.128.1.0/24.

  • Accept if source is 192.168.1.0/24.

These rules allow traffic only from devices on your two networks—the one you use to connect to the internet and the private one that makes up your tiny internet. Set the "Default Action To:" button to "Drop" on the first entry ("Accept" on the other two), and click Apply Configuration.

Figure 11. Setting Up the Firewall Rules

You can confirm these rules are active by running this simple command:


$ sudo iptables -L

Figure 12. Output of the sudo iptables -L Command

Change Your Local sources.list

Next, you'll change the apt package repository listed in /etc/apt/sources.list from the Ubuntu default to your own. This will enable you to update all your VMs locally without them ever needing to access the public internet. Note that this won't work until your apt-mirror is fully operational (if you don't want to set up a mirror, skip this step):


$ mv /etc/apt/sources.list /etc/apt/sources.list.bak
$ sudo vi /etc/apt/sources.list

Enter the following three lines in sources.list and save it. The URL points to the VM you'll make called "mirror" on the domain you'll create called "tiny.lab":


deb http://mirror.tiny.lab/ubuntu trusty main restricted
 ↪universe multiverse
deb http://mirror.tiny.lab/ubuntu trusty-security main
 ↪restricted universe multiverse
deb http://mirror.tiny.lab/ubuntu trusty-updates main
 ↪restricted universe multiverse

Set Up a Proxy

If you're planning to build and use an HTTP proxy, edit /etc/environment to add the following lines. In this example, I used addresses and a port number created later by installing tinyproxy. After the PATH line, add:


no_proxy="127.0.0.1, localhost, *tiny.lab"
http_proxy="http://proxy.tiny.lab:8888"
ftp_proxy="http://proxy.tiny.lab:8888"

In this case, I don't want the system to use the proxy for anything on my private tiny internet domain (*tiny.lab), but it can for anything else that isn't local. If you're not planning to build your own mirror and plan to use a public repository (the default), you'll also need to edit /etc/apt/apt.conf to add a line telling apt to use your proxy to get to the repository:


Acquire::http::Proxy "http://proxy.tiny.lab:8888";

Convert Your VM to a Template

Now you're ready to convert this VM to a template. It's been customized with your credentials, static IP addresses that can be modified easily, Webmin for easy system management, simple firewall rules, a custom sources.list and proxy settings, if necessary.

To convert it, return to the Proxmox browser interface and shut down the machine. Right-click on the VM and select "Convert to template" from the menu.

Figure 13. Converting the VM to a Template

After a few moments, the VM's icon will change, showing you that the machine is now purely a template. It no longer can be started as is.

If you installed a second hard drive on your Proxmox host server, now is a good time to back up this new template. Check the Proxmox website for more information.

______________________

John S. Tonello is Director of IT for NYSERNet, Inc., in Syracuse, New York. He's been a Linux user and enthusiast since he installed his first Slackware system from diskette 20 years ago.