Router Configuration

To turn our Debian 12 machine into the router we will do the following steps.


Please consider steps described here as tutorial only and seek help of an experienced network administrator before deploying it into production. Use this excellent but a little outdated The Ars guide to building a Linux router from scratch article as a reference.

Step 1. Enable Forwarding

To enable packet forwarding, edit the /etc/sysctl.conf file and uncomment the net.ipv4.ip_forward setting to make it look like the following.

# Uncomment the next line to enable packet forwarding for IPv4

# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host

Reboot the machine to bring those settings into effect.

Step 2. Configure Firewall

Debian 12 firewall uses nftables instead of iptables used in earlier version of this article. To configure the minimal set of firewall rules for our network, edit the /etc/nftables.conf file and make it look like the following. This wiki gives some good examples

#!/usr/sbin/nft -f

flush ruleset

define wan_if=ens32
define lan_if=ens33

table inet filter {

    # packets originated from this machine itself
    chain output {

        # what is priority filter? use 100?
        type filter hook output priority filter; policy accept;


    # packets sent to this machine ifself
    chain input {

        # drop all incoming packets by default
        type filter hook input priority 0; policy drop;

        # allow icmp
        icmp type echo-request limit rate 5/second accept

        # accept all established and related 
        ct state related,established accept

        # accept all from localhost
        iifname lo accept

        # accept all from lan
        iifname $lan_if accept

        # allow connections from outside for ssh
        tcp dport ssh accept

        # drop all other connections from wan
        iifname $wan_if drop

    # packets sent to the internet through this machine
    chain forward {

        # drop all packets by default
        type filter hook forward priority 0; policy drop;

        # accept packets from lan to wan
        iifname $lan_if oifname $wan_if accept

        # accept packets from wan into lan for established or related connections
        iifname $wan_if oifname $lan_if ct state related,established accept


table ip nat {

    chain prerouting {
        type nat hook prerouting priority 0; policy accept;

    # enable nat for all packets going to the intenet through wan
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $wan_if masquerade

Reboot the router and after it starts again, run the nft -s list ruleset command to verify the rules were applied correctly on startup.

Step 3. Install DNS Server

Our network would also need to have DNS server deployed, so we will use the dnsmasq for this purpose. Run the following commands to install it.

# update and install
apt get update
apt install dnsmasq

# enable and start
systemctl enable dnsmasq
systemctl start dnsmasq

To make it listen on the lan address only, edit /etc/dnsmasq.conf to contain the following line.

root@debian12:/etc# cat /etc/dnsmasq.conf  | grep listen

# If you want dnsmasq to listen for DHCP and DNS requests only on
# Or you can specify which interface _not_ to listen on
# Or which to listen on by address (remember to include if

# even when it is listening on only some interfaces. It then discards
# want dnsmasq to really bind only the interfaces it is listening on,

Step 4. Verify Internet Connections

Reboot the router and then open a browser on any workstation in the lan and ensure the Internet is working normally.