Linux: Debian 7 on a Dell Inspiron 3847

Debian logo



This page contains a description of the installation and customisation of Debian 7.6 "Wheezy" on my Dell Inspiron 3847 desktop computer. I am using this off-the-shelf PC as server, router and production machine. Historically, this is a follow-up to my "other" Debian page but the PC described there has been replaced. - As usual, this document has been "anonymised" in a few places; in particular IP addresses have been replaced by XXX or YYY.

Note that this page is partially outdated; I have moved to Debian 8 and most of the issues listed below have disappeared. I should write new page ;-)


The computer is a Dell Inspiron 3847 that I acquired new in 2014. Core characteristics: Quad-core Intel i5-4460 CPU @ 3.20 GHz, 8 GB Dual-Channel DDR3 DRAM with 1.6 GHz (2x 4 GB, both DIMMs are thus occupied), 1 TB Seagate ST1000DM003 SATA harddisk (7200 rpm, 6 GBit/s), a DVD burner PLDS DH-16AES, a card reader, a Dell Wireless-N 1705 + Bluetooth 4.0 card Intel onboard graphics plus a NVIDIA GeForce GT 705 graphics with 1 GB DDR3a RAM.

Since it is a server and router for my home network, I equipped it with a second network card.

The display is composed of two Dell E228WFP 22" widescreen display, connected with a DVI cable and arranged in a dual-screen setup.

Not again

I would not buy this PC again, for the following reasons:

Installing and fine-tuning Debian 7.6

Base install:
Router and firewall

The initial installation was performed from the Debian 7.6 64-bit "netinstall" USB stick. In contrast to the previous install I went for a full-fledged server-with-desktop install using a custom disk layout:

Partition Size Filesystem Label mount point Comment
/dev/sda1 500 MB vfat DellUtilities /boof/efi Dell Utilities from factory install, left unchanged.
/dev/sda2 30 GB ext4 Debian / This is the root filesystem of Debian.
/dev/sda3 30 GB ext4 other /mnt/other This will be used when updating the system in the future.
/dev/sda4 120 GB ext4 home /home Home directories.
/dev/sda5 320 GB ext4 share /mnt/share Local NFS export for music, photos, etc.
/dev/sda6 5 GB swap swap swap Swap space.
/dev/sda7 400 GB ext4 vbox /mnt/vbox VirtualBox files.

During the installation, I selected Desktop, select ssh server, file server (this installs both NFS and Samba), print server (CUPS) and standard system utilities. Once the initial installation finished, log in.

Run apt-get install vim, edit /etc/vim/vimrc and un-comment syntax on.

Edit /etc/apt/sources.list. Remove the entry for the Debian CD, then add non-free contrib at the end of the first 4 entries.

apt-get update
apt-get install firmware-linux* mc ntpdate acpi-support sysv-rc-conf hwinfo ethtool


This system has two network cards and we need to avoid that the cards be assigned in arbitrary order. In my case, the card connected to my ISP was automatically assigned as eth0 during installation but I want this to be eth1 on the production system - simply because all my computers have the internal network on eth0.

The key is to edit /etc/udev/rules.d/70-persistent-net.rules and to adjust (only!) the value of the NAME= key as needed. You can check the assignment with ethtool -i ethX && ethtool -P ethX; on my system this can be resumed as follows:

Edit /etc/network/interfaces and assign the way the two cards are operated. At the same time, this is where the firewall is launched:

# The loopback network interface
auto lo
iface lo inet loopback
# activate the firewall 
pre-up iptables-restore < /etc/network/iptables.rules 
# The primary (internal) network interface
auto eth0
allow-hotplug eth0
iface eth0 inet static
  address 192.168.xx.yy
  broadcast 192.168.xx.255
  # do NOT set any gateway here!

# the external network card
auto eth1
allow-hotplug eth1
iface eth1 inet dhcp

The file /etc/network/iptables.rules contains the existing firewall rules:

:PREROUTING ACCEPT [0:0]                                                                                                                                 
:INPUT ACCEPT [0:0]                                                                                                                                      
:FORWARD ACCEPT [0:0]                                                                                                                                    
:OUTPUT ACCEPT [0:0]                                                                                                                                     
:POSTROUTING ACCEPT [0:0]                                                                                                                                 
-A PREROUTING -i eth0 -j MARK --set-mark 0x9
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
:INPUT ACCEPT [0:0]                                                                                                             
:FORWARD ACCEPT [0:0]                                                                                                           
:OUTPUT ACCEPT [0:0]                                                                                                            
:RH-Firewall-1-INPUT - [0:0]                                                                                                    
-A INPUT -j RH-Firewall-1-INPUT                                                                                                 
-A FORWARD -j RH-Firewall-1-INPUT                                                                                               
-A RH-Firewall-1-INPUT -i lo -j ACCEPT                                                                                          
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT                                                                                        
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT                                                                        
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT                                                                                          
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT                                                                                          
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d -j ACCEPT                                                             
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT                                                           
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT                                                
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited                                                             


Edit /etc/sysctl.conf and activate routing by un-commenting the line net.ipv4.ip_forward=1. At the same occasion, you may want to insert kernel.sysrq=1.

For the DHCP server, I use dnmasq: apt-get install dnsmasq, then edit /etc/dnsmasq.conf:



At this point, the router functionality should be established and your machines on the internal network should be able to access Internet again. Test if DNS is working, e.g.:

dig @localhost
nslookup localhost
nslookup i5.localnet

Notes on networking

Please note that NetworkManager and /etc/network/interfaces interfere with each other:

For a server or other "stationary" machines, you want the network interface to come up right during boot, not only after logging in. In other words, you want to control all interfaces through the service networking and remove NetworkManager entirely: apt-get remove network-manager && insserv networking .

We need to specify the interface in /etc/network/interfaces, either using DHCP:

cat >> /etc/network/interfaces
# The primary (internal) network interface
auto eth0
allow-hotplug eth0
iface eth0 inet dhcp

... or using a fixed IP address:

cat >> /etc/network/interfaces
# The primary (internal) network interface
auto eth0
allow-hotplug eth0
iface eth0 inet static
  address 192.168.xx.yyy
  broadcast 192.168.xx.255
  gateway 192.168.xx.zzz

Exactly the opposite is applied on mobile devices; here I usually do not need remote login but I want the network to come up only when I log in. This corresponds to the standard setting.


Customize sshd rather restrictive; some key entries in /etc/ssh/sshd_config are:

Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication yes
Banner /etc/
AllowUsers xxx

Adjust some network-related files

/etc/hosts contains some fixed IP adresses and aliases in my local network.


sshd: xx.yy.zz.aa


sshd: ALL EXCEPT LOCAL : rfc931 : spawn (/usr/sbin/safe_finger -l @%h | mail -s%d-%h root) & : twist /bin/echo "Access prohibited by system administration. Go away."



Copy existing samba configuration (via scp):

cd /etc/samba/
mv smb.conf smb.conf.orig
scp oldserver:/etc/samba/smb.conf .
/etc/init.d/samba restart

The CUPS printing system provides also the traditional lpr functionality, so we set the default printer (as user):

lpstat -p -d         # see which printers are available
lpoptions -d LJ5MP   # set default printer

Note: I did not restart/reload services here since we're going to reboot later anyway.


Enable Alt-Ctrl-Backspace to kill X server. This needs to be done AFTER X is set up; the setting we want is on the very last screen:

dpkg-reconfigure keyboard-configuration 

Limit the available language packs. Here, be careful to select the languages you want to keep! Generally I select the generic language plus the UTF-8 variant, e.g. de and then dialects such as de_DE.UTF-8 and de_CH.UTF-8 :

apt-get install localepurge

Create backup log directory:

mkdir /var/log/backup

KDE Base

Install KDE and related applications. The first command will install some packages needed for clean integration of KDE applications:

apt-get install kde-plasma-desktop kdeplasma-addons plasma-widget-folderview \
        kde-config-gtk-style kwin-style-qtcurve kde-style-qtcurve gtk2-engines-qtcurve 
apt-get install dolphin okular apper kmix konqueror konq-plugins kate kompare kmail knode kinfocenter\
        kcalc ksnapshot kcharselect kaddressbook kdeadmin kdirstat kmenuedit kfind kwalletmanager


Continue to install applications and utilities. You could put all this on one line of course:

apt-get install lyx tex4ht glabels unison-gtk jpilot pilot-link akonadi-kde-resource-googledata
apt-get install enchant aspell-fr aspell-de hunspell-en-us hunspell-fr hunspell-de-de hunspell-de-ch 
apt-get install rsync gftp sitecopy bluefish tidy dos2unix ark rar unrar nmap bum filelight conky   
apt-get install k3b kde-config-cddb gimp inkscape gwenview kipi-plugins digikam hugin autopano-sift-c  
apt-get install cups-pdf cups-driver-gutenprint gimp-gutenprint pdftk qpdf pdfmod khelpcenter4 gnuplot-x11  
apt-get install iceweasel deluge subversion lynx curl amarok easytag gpsbabel qlandkartegt sharutils

LibreOffice 4 is not in the repositories for Wheezy, so we need a trick(but please read the next section before you do this, you may want to change your mind!):

echo -e "\n# Backports for recent version of LibreOffice" >> /etc/apt/sources.list
echo "deb wheezy-backports main" >> /etc/apt/sources.list
apt-get update
apt-get -t wheezy-backports install libreoffice libreoffice-kde libreoffice-help-en-us libreoffice-presenter-console 

However, I encountered a few issues with this version - mainly crashes during merge operations. I decided to roll back to the previous version, LibreOffice

# remove or comment the entry in /etc/apt/sources.list
apt-get remove libreoffice-core     # this will remove a lot more but it saves typing ;-)
apt-get autoremove                  # clean up
apt-get install libreoffice libreoffice-kde libreoffice-help-en-us libreoffice-presenter-console

If you want to install the advanced Grammar Checker LanguageTool (through the Extension Manager), you need to change from Java 6 to Java 7. apt-get remove openjdk-6-* is enough to remove the old and install the new version automagically :-)


echo -e "\n# Multimedia" >> /etc/apt/sources.list
echo "deb wheezy main non-free" >> /etc/apt/sources.list
apt-get update
apt-get install deb-multimedia-keyring
apt-get update
apt-get upgrade
apt-get install libdvdcss2 flashplugin-nonfree w64codecs lame

Make sure you do not have the following on the system:

apt-get remove network-manager
apt-get remove dirmngr # removes kdepim 
apt-get remove winbind

log files

On production machines I like to have a quick look at the key logfiles (e.g. using conky). Of course the default permission for these files is rather restrictive ... yet I do not want to log in as root just to have read access. On the other hand, I don't want to grant access to these files to all users in my group.

With Linux supporting ACL (access Control Lists), the solution is as simple and as elegant as it can get: Use ACL to grant selective access on a per-file and per-user basis. The following cronjob allows user joe to read two of the log files (to be run as a cronjob, due to log file rotation)

11 * * * * root setfacl -m user:joe:r-- /var/log/messages /var/log/daemon.log


As usual, almost everything worked right out of the box:

Debian Wheezy on Laptops


I'm using Debian on most of my computers; this includes laptops. Both machines mentioned below have been used under Fedora 14, too; the installation of Debain Wheezy was performed along the same lines as described above and went mostly seamless. Specific points are listed below; a few generic comments and hints:

Lenovo IdeaPad S12

I'm using a Lenovo IdeaPad S12 as main laptop. Comments and hints:

Fujitsu Lifebook 8020D

I have a Fujitsu Lifebook 8020D as backup laptop. Comments and hints:

Citrix Receiver


For certain applications (e.g. a consulting mandate that requires accessing the client's data remotely) I use Citrix Receiver, which is essentially a terminal client to a Microsoft Windows server. The software is not Open Source but is available free of charge on the manufacturer's website, section "Downloads", product "Citrix Receiver".

Citrix Receiver 64-bit

The installation of Citrix Receiver on 64-bit Debian Wheezy has improved; Citrix has now a corrected package available and there is no need to rebuild it anymore:

dpkg --add-architecture i386
apt-get update
dpkg -i icaclient_13.1.0.285639_amd64.deb
apt-get -f install
ln -s /usr/share/ca-certificates/mozilla/* /opt/Citrix/ICAClient/keystore/cacerts/
c_rehash /opt/Citrix/ICAClient/keystore/cacerts/

Upon first launch, an application launched inside a Citrix session may ask to "open with..." - if this happens, simply select (always open with) /opt/Citrix/ICAClient/ Done!

Citrix Receiver 32-bit

Installing Citrix receiver for i386 on 32-bit Debian Wheezy is straightforward:

apt-get install libxerces-c3.1 libcurl3
dpkg -i icaclient_13.0.0.256735_i386.deb

# ... and copy the certificate:
cp /mnt/f14/opt/Citrix/ICAClient/keystore/cacerts/PCA-3G5.pem /opt/Citrix/ICAClient/keystore/cacerts/



I use VirtualBox to run an instance of Microsoft Windows as "guest" inside the Linux system. For details, please refer to my GPS software page.

Installation in Debian Wheezy was straightforward but did not work with Windows 8.1; I always ended up with an error message "Your PC needs to restart. Please hold the power button. Error code : 0x000000C4". It turned out that I had to use a newer version of VirtualBox:

echo -e "\n# VirtualBox - get it directly from Oracle (Win8.1)" >> /etc/apt/sources.list
echo "deb wheezy contrib non-free" >> /etc/apt/sources.list
wget -q -O- |  apt-key add - 
apt-get update
apt-get install virtualbox-4.3
usermod -a -G vboxusers joe
/etc/init.d/vboxdrv setup
echo "vboxdrv" >> /etc/modules 

To enable USB support you will be requested to download and install a module from the Virtualbox website; the process is self-explaining.