[PLUG] iptables and dynamic global ip...

Michael Christopher Robinson michael at robinson-west.com
Sun Mar 24 07:09:17 UTC 2019


There used to be a way to track a dynamic IP with iptables so you can
firewall the Internet-connected Ethernet port on your Linux box.  I
want to firewall off Internet-visible services such as ssh and
everything else the server needs to run internally only.  I may want to
allow specific sources to connect to me using OpenVPN or some other VPN
service, in which case a blanket ssh block won't be proper.

I probably don't need to run X, but until I can figure out how to use a
Yubikey without the GUI configuration tool, I will keep X.  Speaking of
the Yubikey, the GUI configuration tool makes zero sense to me.  I want
to require physical insertion of a Yubikey on my Debian Stretch server
to become root.  I've removed sudo so that it is impossible to become
root using the password of an ordinary user; this defeats no-root
access using a mere password.  I want to be able to give the Yubikey
to someone I trust and when they are gone with it, nobody can easily
become root, period.  The server could be booted via a USB port, but I
can prevent that by enclosing it in a box with a lock on it.  I can
put a network plate on the back of the box that allows me to connect
three patch cables to it: one from the Internet modem, one from the
switch that my wired LAN is built on, and one from the wireless access
point that I hook to with my smartphones and tablets (they don't have
the ability to connect via wire, where I don't want a wifi router that
bypasses my server).  The box will need power too.

I ordered a new Ubiquiti indoor long-range wireless access point.  It
is capable of 802.11ac, low speed though, where it has a gigabit port.
I know it is WPA capable at least.  Not sure about WPA2.  There is
supposed to be configuration software for it that works in Windows, Mac
OS X, and Linux.  This is a PoE access point and comes with an injector,
I believe.  Cost me about $96.  I decided that hostapd and a low-power
802.11ac USB adapter that doesn't even work natively in Linux is the
wrong approach to give smartphones and tablets Internet access.