About setting up a local mirror repository

Hekmil

Hi,

I wasn't very sure about where to post this, so I apologize if it's not the appropriate spot.

I have a few questions about the same topic, which is setting up a Linux server to host a package repository. My goal is to have a Kali Linux which isn't directly connected to the web that can install/update some software and packages (for example OpenVAS or ClamAV). I've done some research about how to do this, but I am not sure which distribution is the best to use to suit my purpose (my main objective is reaching top security level).

So I'm asking for some guidance to go in the best direction possible, but also to understand the choice I'll have to make when considering a distro or a solution.

Thanks!
 


My goal is to have a Kali Linux ... but I am not sure which distribution is the best to use to suit my purpose

I'm confused... Do you want to install/run Kali unplugged from the internet - which is pointless if you ask me - but be able to update & upgrade pkgs by setting up a local repository from another distro on a different PC? IMHO, running an unplugged Kali is not fun and I really think it defeats its purpose, which is network security. I guess Debian testing is the way to go as your "local repo" distro where you'd download Kali's. You could create a kali.list and place it at /etc/apt/sources.list.d/kali.list, then update the system and download Kali's packages; you'll need to figure out which ones by yourself.

Another option, which would be better and easier, is to have Kali on a USB with persistence enabled; this will save your changes across reboots, like newly installed programs, updates and customizations you've made. You can plug that into any PC you want, update & upgrade, then use the pkgs in /var/cache/apt/archives/ to update/upgrade the one unplugged from the internet. https://www.kali.org/docs/usb/kali-linux-live-usb-persistence/
 

Yes, it might be a little bit confusing. This is not a choice but a necessity, the Kali has to be unplugged from the internet haha. The Live ISO is downloaded from the official website and put on a USB stick to boot on. But the persistence function cannot be used because the system has to be brand new at each reboot.

The correct way to achieve my goal with my constraints would indeed be to create a source list on a machine containing the software I wanna use + their dependencies.
 

Well, Debian Bullseye/testing is the one you have to use for your local repo since Kali's based off that one and I think you might want to use the netinst.iso. You'll need to create the kali.list file containing kali's repos and save it to /etc/apt/sources.list.d.
 
Alright, that's what I was going to do. Question: why the testing release of Debian and not Buster?

I'll try to create a proxy repo using apt-cacher, I think it's a pretty good solution.
 
What do you want to use the local repo for? Are you going to be installing updates on the Kali live USB drive from those repos each time the system is restarted?
 

Yes the system will be used once and has to be fresh without internet connection.
The local repo will be used to install software or tools like openVAS or clamAV which require dependencies not present at first launch.
 
I misunderstood what you were trying to do. It makes sense then.
 
Alright, I'm not completely lost then haha!

So I managed to set up a Debian with a local repo with Kali's mirror. It seems to work, but should I not configure an internal firewall such as iptables to block traffic apart from the proxy? Not sure about the right thing to do.
 
You mean should you configure the proxy/local mirror firewall so that only the Kali Linux machine can connect to it? If you only want Kali Linux to be able to access those repos, then yes.
 
The server side is ok, the firewall settings seem clear to me.

I was more talking about the kali's firewall machine. It should drop everything except HTTP and DNS traffic to my local repo, so something like this:

iptables -A OUTPUT -o eth0 -p udp -d [IP_repo:9999] --dport 53 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -d [IP_repo:9999] --dport 80 -j ACCEPT
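
A fuller version of the egress rules in the post above, as an added example that is not part of the original thread: it prints an `iptables-restore` ruleset with default-deny policies and rejects an `address:port` value, since `-d` takes an address only. The function names and the address 192.0.2.10 are assumptions, and DNS is assumed to be answered by the repo host, as in the post.

```sh
#!/bin/sh
# Added example: build a default-deny ruleset for the offline Kali host.
# 192.0.2.10 is a constructed documentation address, not a value from the thread.

# is_ipv4 ADDR: succeed only for a bare dotted quad (no port, no brackets).
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# is_port N: succeed only for an integer in 1..65535.
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# repo_egress_rules IFACE REPO_IP [HTTP_PORT]: print iptables-restore input
# that drops everything except loopback, replies, and DNS/HTTP to the repo.
repo_egress_rules() {
    iface=$1 repo_ip=$2 http_port=${3:-80}
    case "$iface" in ''|*[!A-Za-z0-9_.-]*) echo "bad interface" >&2; return 2 ;; esac
    is_ipv4 "$repo_ip" || { echo "repo must be an IPv4 address without a port" >&2; return 2; }
    is_port "$http_port" || { echo "bad port" >&2; return 2; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $iface -d $repo_ip -p udp --dport 53 -j ACCEPT
-A OUTPUT -o $iface -d $repo_ip -p tcp --dport 53 -j ACCEPT
-A OUTPUT -o $iface -d $repo_ip -p tcp --dport $http_port -j ACCEPT
COMMIT
EOF
}

# Print the ruleset; as root, pipe it into iptables-restore to apply it.
repo_egress_rules eth0 192.0.2.10 80
```

Because the live system is fresh at every boot, the ruleset has to be loaded again each time before the interface is brought up.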
 
Question, why the testing release of Debian and not Buster ?
As explained here
The Kali Linux distribution is based on Debian Testing. Therefore, most of the Kali packages are imported, as-is, from the Debian repositories. In some cases, newer packages may be imported from Debian Unstable or Debian Experimental, either to improve user experience, or to incorporate needed bug fixes.

That's why I think you should use Debian testing/bullseye instead of stable/buster.
 
