Router Configuration
To turn our Debian 12 machine into the router, we will go through the following steps.
Warning
Treat the steps described here as a tutorial only, and seek the help of an experienced network administrator before deploying any of this into production. The excellent but slightly outdated article The Ars guide to building a Linux router from scratch is a good reference.
Step 1. Enable Forwarding
To enable packet forwarding, edit the /etc/sysctl.conf file and uncomment the net.ipv4.ip_forward setting so that the section looks like the following.
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
Reboot the machine to bring those settings into effect.
Step 2. Configure Firewall
Debian 12 uses nftables for its firewall instead of the iptables used in an earlier version of this article. To configure the minimal set of firewall rules for our network, edit the /etc/nftables.conf file and make it look like the following. The nftables wiki gives some good examples: https://wiki.nftables.org/wiki-nftables/index.php/Main_Page
#!/usr/sbin/nft -f
flush ruleset

define wan_if=ens32
define lan_if=ens33

table inet filter {
    #
    # packets originating from this machine itself
    #
    chain output {
        # "priority filter" is the named equivalent of priority 0
        type filter hook output priority filter; policy accept;
    }
    #
    # packets sent to this machine itself
    #
    chain input {
        # drop all incoming packets by default
        type filter hook input priority 0; policy drop;
        # allow icmp echo requests, rate limited
        icmp type echo-request limit rate 5/second accept
        # accept all established and related
        ct state related,established accept
        # accept all from localhost
        iifname lo accept
        # accept all from lan
        iifname $lan_if accept
        # allow connections from outside for ssh
        tcp dport ssh accept
        # drop all other connections from wan
        iifname $wan_if drop
    }
    #
    # packets sent to the internet through this machine
    #
    chain forward {
        # drop all packets by default
        type filter hook forward priority 0; policy drop;
        # accept packets from lan to wan
        iifname $lan_if oifname $wan_if accept
        # accept packets from wan into lan for established or related connections
        iifname $wan_if oifname $lan_if ct state related,established accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
    }
    # enable nat for all packets going to the internet through wan
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $wan_if masquerade
    }
}
Reboot the router and, after it comes back up, run the nft -s list ruleset command to verify that the rules were applied correctly on startup.
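Reading the listing by eye is error-prone, so here is an added example (not part of the original tutorial) that greps the text of nft -s list ruleset for the rules this router relies on; it assumes the interface names ens32 and ens33 from the configuration above and ships a constructed sample listing so it can be tried without root.

```shell
#!/bin/sh
# Post-reboot check for the ruleset above (added example, not from the tutorial):
# greps the text of `nft -s list ruleset` for the rules the router relies on.

WAN_IF="${WAN_IF:-ens32}"   # interface names as assumed in the tutorial
LAN_IF="${LAN_IF:-ens33}"

# check_ruleset FILE: return 0 if every expected rule is in FILE, otherwise
# print each missing rule and return 1. nft lists interface names quoted and
# priority 0 as "filter", so the patterns accept both spellings.
check_ruleset() {
    missing=0
    while IFS='@' read -r what pattern; do
        if ! grep -Eq -- "$pattern" "$1"; then
            echo "MISSING: $what"
            missing=1
        fi
    done <<EOF
input chain drops by default@hook input priority (filter|0); policy drop;
forward chain drops by default@hook forward priority (filter|0); policy drop;
lan to wan forwarding@iifname "$LAN_IF" oifname "$WAN_IF" accept
wan to lan only for established flows@iifname "$WAN_IF" oifname "$LAN_IF" ct state (established,related|related,established) accept
masquerade on wan@oifname "$WAN_IF" masquerade
EOF
    return $missing
}

# write_sample_ruleset FILE: a constructed copy of what `nft -s list ruleset`
# prints for the tutorial's ruleset, so the check can be tried without root.
write_sample_ruleset() {
    cat > "$1" <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iifname "ens33" accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        iifname "ens33" oifname "ens32" accept
        iifname "ens32" oifname "ens33" ct state established,related accept
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "ens32" masquerade
    }
}
EOF
}
```

On the router itself, run nft -s list ruleset > /tmp/ruleset.txt as root and then check_ruleset /tmp/ruleset.txt; any line printed as MISSING points at the rule to fix in /etc/nftables.conf.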
Step 3. Install DNS Server
Our network also needs a DNS server, and we will use dnsmasq for this purpose. Run the following commands to install it.
# update the package index and install dnsmasq
apt update
apt install dnsmasq
# enable the service at boot and start it now
systemctl enable dnsmasq
systemctl start dnsmasq
To make it listen on the lan address only, edit /etc/dnsmasq.conf to contain the following line.
root@debian12:/etc# cat /etc/dnsmasq.conf | grep listen
# If you want dnsmasq to listen for DHCP and DNS requests only on
# Or you can specify which interface _not_ to listen on
# Or which to listen on by address (remember to include 127.0.0.1 if
listen-address=10.0.0.1
# even when it is listening on only some interfaces. It then discards
# want dnsmasq to really bind only the interfaces it is listening on,
Step 4. Verify Internet Connections
Reboot the router, then open a browser on any workstation in the lan and ensure the Internet is working normally.
