• Linux Router
• Preamble
• Configuring the network
• Redhat based systems
• Network configuration
• LAN configuration
• WAN configuration
• Debian based systems
• Network configuration
• Configuring the router script
• Install the DHCP server
• Red Hat based distributions
• Debian based distributions
• Configuring the DHCP server
• Enable all required services
• Create unit file for the router script
• Redhat based distributions
• Debian based distributions
• Conclusion

→ Linux Router

→ Preamble

This document explains how to use a Linux box as a router. It will require two network controllers and minimal hardware. We're not building a rendering farm, after all. This document is applicable to Redhat and Debian based servers.

→ Configuring the network

A router requires at least two network adapters. One for the WAN and the other for the LAN. For this example, LAN will be eth0 and WAN will be eth1.

→ Redhat based systems

→ Network configuration

→ LAN configuration

We will need to edit /etc/sysconfig/network-scripts/ifcfg-eth0 first to configure the LAN. In this example, we are using 192.168.10.0/24 for our local network. Since this is the router, or gateway, the IP will be 192.168.10.1.

NAME="eth0"
ONBOOT="yes"
NETBOOT="yes"
BOOTPROTO="static"
IPADDR=192.168.10.1
NETMASK=255.255.255.0
TYPE="Ethernet"

→ WAN configuration

We will assume that your WAN connection is being provided an IP via DHCP. Open /etc/sysconfig/network-scripts/ifcfg-eth1 and make the appropriate changes.

TYPE=Ethernet
BOOTPROTO=dhcp
NAME=eth1
ONBOOT=yes

→ Debian based systems

→ Network configuration

The Debian LAN configuration can be found at /etc/network/interfaces.

auto eth1
iface eth1 inet dhcp

auto eth0
iface eth0 inet static
       address 192.168.10.1
       netmask 255.255.255.0

→ Configuring the router script

The router script is what is making routing traffic possible. It is using iptables to manipulate the traffic from the WAN to the LAN. Save this file to /root/scripts/router.sh. If you do not, the unit file to be created later will not work.

#!/bin/bash 

# Flush all iptables rules
iptables -F
iptables -t nat -F

# Setup default policies to handle unmatched traffic:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Set variables for network interfaces
export LAN=eth0
export WAN=eth1

# Restrict services so they only work from the LAN:
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT

# Allow access to the ssh server from the WAN:
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT

# Setup port forwarding
iptables -t nat -A PREROUTING -p tcp --dport 32400 -i ${WAN} -j DNAT --to 192.168.10.124:32400

# Drop TCP / UDP packets to privileged ports:
iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP

# Setup NAT (Network Address Translation)
iptables -I FORWARD -i ${LAN} -d 192.168.10.0/255.255.255.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 192.168.10.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.10.0/255.255.255.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

# Enable IP forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

# Print the iptables rules to stdout
iptables -L -n
iptables -L -t nat -n

→ Install the DHCP server

→ Red Hat based distributions

yum install -y dhcp

→ Debian based distributions

 apt install -y isc-dhcp-server

→ Configuring the DHCP server

The configuration file for the DHCP server is located at /etc/dhcp/dhcpd.conf. Edit yours accordingly to match the example below.

log-facility local7;
allow booting;
allow bootp;
authoritative;
ddns-update-style interim;
update-static-leases on;

subnet 192.168.10.0 netmask 255.255.255.0 {
    range 192.168.10.90 192.168.10.125;
    authoritative;
    default-lease-time 86400;
    max-lease-time 86400;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.10.255;
    option routers 192.168.10.1;
    option domain-name-servers 192.168.10.1;
    option domain-name "local.domain.tld";
}

→ Enable all required services

→ Create unit file for the router script

cat << EOF >> /etc/systemd/system/router.service
[Unit]
Description=Linux Router

[Service]
ExecStart=/root/scripts/router.sh

[Install]
WantedBy=multi-user.target
EOF

→ Redhat based distributions

systemctl enable dhcpd
systemctl enable router

→ Debian based distributions

systemctl enable isc-dhcp-server
systemctl enable router

→ Conclusion

Your Linux Router should now be complete. You should be able to plug in your WAN connection into eth1 and your LAN into eth0. Once you're all plugged in, you should be able to reboot and route traffic.

---

[home][about][stats][source][contact][cookies][privacy]

---