Debian manual Network settings (2nd.)

STATUS: Frozen (2019-11-17)

No more updates for this guide.

Please refer to the TOC page.

Now we have hardened small read-only Debian.

Rev 2

Add DNS issue on DHCP setting.

Let us connect to the Internet and apt update && apt upgrade

Find and choose your NIC

root# ls /sys/class/net # check your NIC name(s),
enpX  lo
root# basename /sys/class/net/enpX >> /etc/network/interfaces # and memo it

Now, assume enpX as the main NIC.

Setup the network

tier1.jp uses static IPs for a desktop PCs, workstations, and local servers.

DHCP is used for mobile devices under DHCP range limit by the router.

  • Set DHCP range limitation such as ~
  • You can use ~ for static IPs.

Say, we are on our localnet, under the router

Static IP case: An example

root# nano /etc/network/interfaces # edit it with the memo above
allow-hotplug enpX
iface enpX inet static
    address 192.168.1.X/24

DHCP case: An example

root# nano /etc/network/interfaces
allow-hotplug enpX
iface enpX inet dhcp

DNS setup: An example

In read only "/" world, especially DHCP, we need manual DNS setup.

root# nano /etc/resolv.conf


DHCP may fail to set /etc/resolv.conf or something related because it cannot write on /etc.

Please do add this tiny DNS setting file. is Google Public DNS.

If you are interested, read the term of use, and try it.

APT source setups

Include/confirm the security line for APT.


If it is a server, exclude contrib and non-free, since the security team does not cover them.

root# nano /etc/apt/sources.list # remove CD-ROM and add these
deb http://deb.debian.org/debian stretch main
deb http://deb.debian.org/debian stretch-updates main
deb http://security.debian.org/ stretch/updates main

codename or stable/testing

tier1.jp recommends to use codename such as stretch.

If you use stable instead, some day you suddenly upgrade your system drastically.

Read the release note of the next Debian version first.

APT-Cacher NG

If you already have a APT-Cacher NG server,

root# nano /etc/apt/apt.conf.d/02-proxy
Acquire::http::Proxy "http://RAW-ACNG-SERVER-IP:3142/";
Acquire::http::Proxy DIRECT;

DIRECT is a fallback.

First connection

We finished those setting. Now we should turn the system read-only again.

root# mount -o remount,ro /
root# findmnt # confirm /, /boot, /boot/efi, /usr, /usr/share are "ro"

Now, attach network cable.

We configured the network "hotplugable", so both reboot and ifup should not be required.

If your NIC is not brought up, then

root# ip address # shows enpX has no address, then
root# ifup enpX

This is the first connection to the localnet (and the Internet.)

Order matters

Never connect any network devices before these security settings.

Update the system

root# apt update
root# apt upgrade # 01-remount script should work

At this moment, the system is ready to use.


Let us enable AppArmor. Keep proceeding Next, please.

published: MODIFIED: