Debian as a router
Alternative: Mikrotik RouterOS is not free. Price: a one-time payment, from $45. Thereafter: unlimited number of interfaces, unlimited software upgrades. Minimum requirements: Intel or AMD 100 MHz CPU, 64 MB RAM, 64 MB HDD space
Terms
Software
Name | Description | Remark |
---|---|---|
nft | Administration tool of the nftables framework for packet filtering and classification | See man nft |
Setting up the router
- Open a terminal and log in as root
- Install nftables with aptitude if it is not already installed
- Do not forget to enable forwarding via echo 1 > /proc/sys/net/ipv4/ip_forward
- Configure the network interfaces:
  - Assign IP addresses to each interface
    - ip addr (list all network interfaces)
    - ip address add <ip_address>/<subnet_mask> dev <interface_name>
    - As in ip address add 192.168.1.0/24 dev enp1s1
    - Error: “RTNETLINK answers: File exists”. This can be ignored (for now)
    - Check with ip addr
  - If no IP address is assigned it might be necessary to bring the interface up
    - ip link set enp1s1 up
    - Again do ip address add 192.168.1.0/24 dev enp1s1
    - Check with ip addr
  - If an existing IP address is assigned, the solution is to remove it from the interface: ip address delete 192.168.1.0/24 dev enp1s1
- Enable IP forwarding to allow the system to act as a router. Set the value of /proc/sys/net/ipv4/ip_forward to 1: sysctl net.ipv4.ip_forward=1
  - Or edit the /etc/sysctl.conf file and uncomment the “#net.ipv4.ip_forward=1” line if the change needs to be persistent across reboots
  - Check with sysctl net.ipv4.ip_forward
- Write nftables rules to define the routing and logging behavior
  - Define rules to forward traffic between the two interfaces
  - Create rules to log the traffic by using the “log” statement in nftables to log packets that match specific criteria
  - Apply the nftables configuration to activate the routing and logging.
- Edit /etc/network/interfaces (the placeholder comments are on their own lines: ifupdown does not strip a trailing comment from an option value)

```
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
    # Replace with the desired IP address for eth0
    address 192.168.1.100
    # Replace with the appropriate subnet mask for your network
    netmask 255.255.255.0
    # Replace with the IP address of your gateway/router
    gateway 192.168.1.1

# The secondary network interface
auto eth1
iface eth1 inet static
    # Replace with the desired IP address for eth1
    address 10.0.0.1
    # Replace with the appropriate subnet mask for your network
    netmask 255.255.255.0
```
- Restart the networking service
  - systemctl restart networking
  - systemctl status networking
  - Error: “networking.service: Failed with result 'exit-code'” and “Failed to start networking.service - Raise network interfaces.”
    - Check the /etc/network/interfaces file with ifupdown2 --test and / or ifquery <interface name>
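The interface and forwarding steps above as one idempotent script. This is an added example, not code from the wiki; the interface name enp1s1 and the address 192.168.1.1/24 are placeholders, and the address check is what avoids the “RTNETLINK answers: File exists” error mentioned above.

```shell
#!/bin/sh
# Added example (not from the wiki page): an idempotent version of the steps
# above. Interface name and address are placeholders; run as root with the
# argument "apply" to make changes, otherwise only the functions are defined.
set -eu
LAN_IF="enp1s1"; LAN_CIDR="192.168.1.1/24"   # constructed placeholder values

# Returns 0 when CIDR already appears in the given "ip -o -4 addr show" output.
# Checking first avoids the "RTNETLINK answers: File exists" error noted above,
# which is what "ip address add" reports when the address is already present.
addr_in_listing() {
    printf '%s\n' "$1" | grep -qF " inet $2 "
}

# Bring the interface up first, as the page advises, then add the address
# only when it is missing, so the function can be re-run safely.
ensure_addr() {
    dev="$1"; cidr="$2"
    ip link set "$dev" up
    if addr_in_listing "$(ip -o -4 addr show dev "$dev")" "$cidr"; then
        echo "$dev already has $cidr"
    else
        ip address add "$cidr" dev "$dev"
    fi
}

# Enable forwarding now and persist it by uncommenting (or updating) the
# net.ipv4.ip_forward line in /etc/sysctl.conf, as the page suggests.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
    sed -i 's/^#\{0,1\}net\.ipv4\.ip_forward=.*/net.ipv4.ip_forward=1/' /etc/sysctl.conf
}

# Returns 0 when the kernel reports forwarding on; used as the final check.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]
}

if [ "${1:-}" = "apply" ]; then
    ensure_addr "$LAN_IF" "$LAN_CIDR"
    enable_forwarding
    forwarding_enabled && echo "IP forwarding is on"
fi
```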
More ideas
Create a rule set that performs Network Address Translation (NAT) and includes logging for the traffic.
A basic example of how this can be achieved:
```
#!/usr/sbin/nft -f

table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Rewrite the source address of everything leaving via eth0
        oifname "eth0" masquerade
    }
}

table ip filter {
    chain input {
        # Base-chain declaration added: without "type ... hook" this would be a
        # regular chain that nothing jumps to, and the rule below would never run
        type filter hook input priority 0; policy accept;
        ip protocol icmp icmp type echo-request accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # "log" is non-terminal: the packet is logged and then hits the policy
        ip saddr 192.168.1.0/24 oifname "eth0" log prefix "NAT-LOG: "
    }
}
```
In this example, there are two tables: nat and filter:
- The nat table contains two chains: prerouting and postrouting.
  - The prerouting chain is used for DNAT (Destination NAT)
  - The postrouting chain is used for SNAT (Source NAT) with masquerading
- The filter table contains two chains: output and forward.
  - The output chain is for outgoing traffic from the router itself
  - The forward chain is for traffic passing through the router
  - In the forward chain, there is a rule that logs any traffic coming from the 192.168.1.0/24 subnet and going out through the “eth0” interface.
Save this configuration to a file, for example nat.nft. Then apply it using the following command, as root:
nft -f nat.nft
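A stateful variant of the ruleset above, generated and syntax-checked by a small shell script. This is an added example, not the wiki's own ruleset; it assumes eth0 is the upstream (WAN) interface, eth1 the LAN interface, and 192.168.1.0/24 the LAN subnet.

```shell
#!/bin/sh
# Added example, not the wiki's own ruleset: a stateful variant of the NAT and
# logging script above. Assumed roles: eth0 = upstream (WAN), eth1 = LAN side.
set -eu
WAN_IF="eth0"; LAN_IF="eth1"; LAN_NET="192.168.1.0/24"   # placeholder values

# Prints the ruleset. Compared with the basic example: forward defaults to drop,
# replies are matched by conntrack state, only LAN -> WAN is allowed, and both
# log rules are rate-limited so a packet flood cannot fill the journal. "log" is
# non-terminal, so logging and accept are separate rules: a rate limit on a
# combined "log accept" rule would also drop packets over the limit.
render_ruleset() {
    cat <<EOF
flush ruleset
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$WAN_IF" masquerade
    }
}
table ip filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "$LAN_IF" oifname "$WAN_IF" ip saddr $LAN_NET limit rate 10/second log prefix "NAT-LOG: "
        iifname "$LAN_IF" oifname "$WAN_IF" ip saddr $LAN_NET accept
        limit rate 5/minute log prefix "FWD-DROP: "
    }
}
EOF
}

# Number of base chains (those declaring a hook). A chain without "type ... hook"
# is a regular chain that nothing jumps to, so its rules would never be evaluated.
count_base_chains() {
    render_ruleset | grep -c ' hook '
}

# Parse-only check with "nft -c" when nft is installed; loading is a separate step.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        render_ruleset | nft -c -f -
    else
        echo "nft not installed, syntax check skipped" >&2
    fi
}

if [ "${1:-}" = "apply" ]; then
    check_ruleset && render_ruleset | nft -f -
fi
```

Packets that reach the final rule are logged with the FWD-DROP prefix and then dropped by the chain policy, so the kernel log shows both what was forwarded and what was refused.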
DHCP server
- Open a terminal and become root
- aptitude install isc-dhcp-server
- Configure /etc/dhcp/dhcpd.conf (Example t.b.d.)
- Run ip address add 192.168.1.1/24 dev eth0
- Run systemctl start isc-dhcp-server.service
Debugging
Pick one of the bracketed alternatives:
systemctl [status|start|restart|stop|enable] [nftables.service|networking.service|isc-dhcp-server.service]
journalctl -xeu [nftables.service|networking.service|isc-dhcp-server.service]
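The lines written by the forward chain's log rule end up in the kernel log (journalctl -k or dmesg), not in the unit journals above. The following added example, not from the wiki, summarizes them per LAN host, protocol and destination port; the sample log lines are constructed in the KEY=VALUE format the kernel's nf_log uses and use documentation addresses.

```shell
#!/bin/sh
# Added example, not from the wiki page: summarize what the forward chain's
# log rule with prefix "NAT-LOG: " wrote to the kernel log (journalctl -k / dmesg).
# The sample lines below are constructed in the format the kernel's nf_log uses.
set -eu

SAMPLE_LOG='Jan 01 12:00:01 router kernel: NAT-LOG: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TTL=63 ID=4711 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 SYN URGP=0
Jan 01 12:00:02 router kernel: NAT-LOG: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.10 DST=203.0.113.5 LEN=52 TTL=63 ID=4712 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=64240 SYN URGP=0
Jan 01 12:00:03 router kernel: NAT-LOG: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=198.51.100.7 LEN=76 TTL=63 ID=8 PROTO=UDP SPT=40000 DPT=53 LEN=56
Jan 01 12:00:04 router kernel: e1000e 0000:02:00.0 eth0: NIC Link is Up 1000 Mbps'

# Reads kernel log lines on stdin, keeps only those with the NAT-LOG prefix and
# prints "count src proto dport" lines, most frequent first. Each KEY=VALUE
# token is split on "=", so the field order within a line does not matter.
summarize_natlog() {
    grep -F 'NAT-LOG: ' | awk '
    {
        src = proto = dpt = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC")   src   = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "DPT")   dpt   = kv[2]
        }
        count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# The LAN host responsible for the most logged flows.
top_talker() {
    summarize_natlog | head -n 1 | awk '{ print $2 }'
}

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | summarize_natlog
fi
```

On a real router feed it with journalctl -k --no-pager | ./natlog.sh, replacing the embedded sample.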
Useful links
Search for debian “use computer as a router”
How to set up a linux server as a router
Setting up an Ubuntu Wired/Wireless Router
Debian Router/Gateway in 15 Minutes
How to set up a NAT router on a Linux-based computer
nftables
Copyright © : 2014 - 2024 Webevaluation.nl and the authors