Repurposing 32-bit Laptop as Linux Firewall for Cybersecurity Lab
Date: Jun 14, 2026
Tags: Network Security System Administration Hardware Troubleshooting Firewall DNS Sinkhole Log Management Linux nftables rsyslog
I. Project Summary
This project repurposed a retired 32-bit laptop into a Linux-based firewall for a small cybersecurity lab. Using AntiX Linux, nftables, dnsmasq, rsyslog, and logrotate, the firewall provides network address translation (NAT), stateful packet filtering, DNS sinkholing, and centralized logging. The implementation was validated through connectivity, domain-blocking, and traffic-filtering tests while addressing challenges associated with aging hardware and limited resources.
II. Key Engineering Decisions
1. Default Drop Filtering Policy (nftables)
- The default policy on all chains under the
inet filterwas set todropfollowing a zero trust approach where all connections are denied unless explicitly allowed.Configured Zero-Trust Default-Drop Policy
2. Application Layer Filtering and Evasion Prevention (dnsmasq)
- The firewall intercepts and redirects all DNS queries to
dnsmasqto prevent users from bypassing DNS policies by using external DNS servers. This ensures that blocked domains are not accessible on the internal lab hosts.Blocked Users' Access to Specified Domains
3. Transparent Telemetry (disabling NAT)
- Disabling the NAT on the Lab Router makes the true source IP addresses visible on the firewall. This allows better visibility and control over the traffic entering and exiting the lab environment.
Preserving the True Source IP of Lab Host
4. Event Log Management (rsyslog & logrotate)
- Implemented
logrotateto compress and rotate logs daily/weekly to keep logs at manageable size. This allows older logs to be cleaned automatically ensuring new logs can be stored on the firewall.Managing Firewall and DNS logs
5. Infrastructure Standardization
- Established a consistent addressing and naming scheme which makes future firewall rule management easier. Assigning readable and intuitive names as well as setting lab network to
10.x.x.x,172.x.x.xfor infrastructure, and leaving the192.x.x.xfor external hosts.Standardized Interface Names and Network Addresses
III. Challenges
| Challenges | Probable Cause | Fixes |
|---|---|---|
| I was not able to find and install an operating system that worked for the laptop. | - Support on 32-bit OS are being dropped by maintainers. - USB ports might also be faulty. |
- I tried many lightweight 32-bit operating systems as recommended by Reddit users. - I installed the operating systems on a different machine then swap it back to the old laptop to see if it would boot. |
| Overheating, low memory, low capacity storage, 3 beeping sounds followed by clock related errors on bootup. | - Dried thermal paste and dust blocking the airflow. - Built-in memory was quite low. - Storage type was HDD. |
- Replaced thermal paste and cleaned the fans. - Used external fan for extra air flow. - Added extra 2GB or RAM - Swapped with higher capacity SATA SSD. - Swapped CMOS battery with a new one. |
| System clock falls behind with the real time and the devices on the network. | - Oscillator drift from aging hardware. | - Used chrony to resync to the correct time. Ran weekly with cron to prevent too much time drifting. |
| Unfamiliar with nftables syntax. | - I used iptables before and decided to switch to nftables as it's more modern and created to replace legacy tools like iptables. | - Viewed documentations/blogs/videos and used genAI tools about nftables. |
| Designing a correct cybersecurty network architecture with limited resources. | - Lack of first-hand experience on real world cybersecurity environment and enterprise resources. | - Utilized the available resources by designing a simplified cybersecurity lab. |
USB to ethernet adapter was not recognized by the firewall. dmesg -w: device descriptor read/64, error -71, device not accepting address, unable to enumerate USB device |
- Daisy-chained connection (laptop -> USB-A to USB-C -> USB-C to Ethernet).- USB ports might also be faulty. |
- Modified boot parameter by adding delay=5 as USB errors pop up immediately after turning on the computer.- Modified boot parameter with pci=noehci to force downgrade to USB1.1. - Ended up using the built-in wireless interface instead. |
IV. Validation and Testing
Based on the test summary below, nftables and dnsmasq implementation is working as expected.
| Source | Destination | proto/port | Result | Logged | Is_expected |
|---|---|---|---|---|---|
| External | Firewall | 22 | Connection timeout, packet was dropped | Yes | Yes |
Lab (.100) |
Firewall | 22 | Connection timeout, packet was dropped | Yes | Yes |
| Lab | Firewall | 53 | Connection established, IP resolution was returned | No | Yes |
| Lab | External | 22 | Connection timeout, packet was dropped | Yes | Yes |
| Lab | External | 8080 | Connection timeout, packet was dropped | Yes | Yes |
| Lab | External | ICMP | Requests were sent, received replies. | No | Yes |
| Firewall | External | 443 | Connection established, received HTTP response. | Yes (@19:39) |
Yes |
| Lab | DNS server (Jamilosa.com) |
53 | Resolved to its proper IP address. | Yes | Yes |
| Lab | DNS server (Chess.com) |
53 | Resolved to NXDOMAIN (Non-eXistent domain). | Yes | Yes |
Input Chain Tests
Forward Chain Tests
Output Chain Tests
DNS Sinkhole Tests
V. Lessons Learned
- Disabling NAT offers more visibility on hosts but add complexity to the network configurations as static routes need to be specified on the gateways.
- DNS logs provides insights on hosts activity but also introduces massive log volume which requires proper log retention and filtering important considerations.
- Accurate time synchronization is essential for event correlation on multi-host systems. The higher the differences in time, the harder it is to correlate events and get insights.
- DNS filtering compliments L3/L4 filtering. Many modern website are being tunneled or delivered via the massive IP blocks of companies like Cloudflare.
V.I Next Steps
- Setup Wazuh server for centralized log collection and to monitor lab hosts.
- Setup windows server and vulnerable hosts inside the lab.
- Attack the vulnerable hosts inside the lab.






