Repurposing 32-bit Laptop as Linux Firewall for Cybersecurity Lab

Pasted image 20260629153751.png

I. Project Summary

This project repurposed a retired 32-bit laptop into a Linux-based firewall for a small cybersecurity lab. Using AntiX Linux, nftables, dnsmasq, rsyslog, and logrotate, the firewall provides network address translation (NAT), stateful packet filtering, DNS sinkholing, and centralized logging. The implementation was validated through connectivity, domain-blocking, and traffic-filtering tests while addressing challenges associated with aging hardware and limited resources.

Pasted image 20260627220724.png

II. Key Engineering Decisions
1. Default Drop Filtering Policy (nftables)
  • The default policy on all chains under the inet filter was set to drop following a zero trust approach where all connections are denied unless explicitly allowed.
2. Application Layer Filtering and Evasion Prevention (dnsmasq)
  • The firewall intercepts and redirects all DNS queries to dnsmasq to prevent users from bypassing DNS policies by using external DNS servers. This ensures that blocked domains are not accessible on the internal lab hosts.
3. Transparent Telemetry (disabling NAT)
  • Disabling the NAT on the Lab Router makes the true source IP addresses visible on the firewall. This allows better visibility and control over the traffic entering and exiting the lab environment.
4. Event Log Management (rsyslog & logrotate)
  • Implemented logrotate to compress and rotate logs daily/weekly to keep logs at manageable size. This allows older logs to be cleaned automatically ensuring new logs can be stored on the firewall.
5. Infrastructure Standardization
  • Established a consistent addressing and naming scheme which makes future firewall rule management easier. Assigning readable and intuitive names as well as setting lab network to 10.x.x.x, 172.x.x.x for infrastructure, and leaving the 192.x.x.x for external hosts.
III. Challenges
Challenges Probable Cause Fixes
I was not able to find and install an operating system that worked for the laptop. - Support on 32-bit OS are being dropped by maintainers.
- USB ports might also be faulty.
- I tried many lightweight 32-bit operating systems as recommended by Reddit users.
- I installed the operating systems on a different machine then swap it back to the old laptop to see if it would boot.
Overheating, low memory, low capacity storage, 3 beeping sounds followed by clock related errors on bootup. - Dried thermal paste and dust blocking the airflow.
- Built-in memory was quite low.
- Storage type was HDD.
- Replaced thermal paste and cleaned the fans.
- Used external fan for extra air flow.
- Added extra 2GB or RAM
- Swapped with higher capacity SATA SSD.
- Swapped CMOS battery with a new one.
System clock falls behind with the real time and the devices on the network. - Oscillator drift from aging hardware. - Used chrony to resync to the correct time. Ran weekly with cron to prevent too much time drifting.
Unfamiliar with nftables syntax. - I used iptables before and decided to switch to nftables as it's more modern and created to replace legacy tools like iptables. - Viewed documentations/blogs/videos and used genAI tools about nftables.
Designing a correct cybersecurty network architecture with limited resources. - Lack of first-hand experience on real world cybersecurity environment and enterprise resources. - Utilized the available resources by designing a simplified cybersecurity lab.
USB to ethernet adapter was not recognized by the firewall. dmesg -w: device descriptor read/64, error -71, device not accepting address, unable to enumerate USB device - Daisy-chained connection (laptop -> USB-A to USB-C -> USB-C to Ethernet).
- USB ports might also be faulty.
- Modified boot parameter by adding delay=5 as USB errors pop up immediately after turning on the computer.
- Modified boot parameter with pci=noehci to force downgrade to USB1.1.
- Ended up using the built-in wireless interface instead.
IV. Validation and Testing

Based on the test summary below, nftables and dnsmasq implementation is working as expected.

Source Destination proto/port Result Logged Is_expected
External Firewall 22 Connection timeout, packet was dropped Yes Yes
Lab (.100) Firewall 22 Connection timeout, packet was dropped Yes Yes
Lab Firewall 53 Connection established, IP resolution was returned No Yes
Lab External 22 Connection timeout, packet was dropped Yes Yes
Lab External 8080 Connection timeout, packet was dropped Yes Yes
Lab External ICMP Requests were sent, received replies. No Yes
Firewall External 443 Connection established, received HTTP response. Yes (@19:39) Yes
Lab DNS server (Jamilosa.com) 53 Resolved to its proper IP address. Yes Yes
Lab DNS server (Chess.com) 53 Resolved to NXDOMAIN (Non-eXistent domain). Yes Yes
V. Lessons Learned
  • Disabling NAT offers more visibility on hosts but add complexity to the network configurations as static routes need to be specified on the gateways.
  • DNS logs provides insights on hosts activity but also introduces massive log volume which requires proper log retention and filtering important considerations.
  • Accurate time synchronization is essential for event correlation on multi-host systems. The higher the differences in time, the harder it is to correlate events and get insights.
  • DNS filtering compliments L3/L4 filtering. Many modern website are being tunneled or delivered via the massive IP blocks of companies like Cloudflare.
V.I Next Steps
  • Setup Wazuh server for centralized log collection and to monitor lab hosts.
  • Setup windows server and vulnerable hosts inside the lab.
  • Attack the vulnerable hosts inside the lab.