Debian Squeeze as a router

Solution 1

Don't bridge your internal and external interfaces. Your box is a router, not a switch. To make your machine a router you have to tell it to "forward" packets between interfaces. I do so by echo 1 > /proc/sys/net/ipv4/ip_forward. IIRC the way(TM) to do it is adding a line net.ipv4.ip_forward=1 to /etc/sysctl.conf and then execute /etc/init.d/procps restart.

The proc file system, usually mounted to /proc is a representation of kernel information and configuration as files that can be read and written. By writing 0 or 1 to /proc/sys/net/ipv4/ip_forward we are disabling or enabling the kernel function to forward IP packets between interfaces. We want the kernel to forward packets!

Now your machine is a router but you also need masquerading. To do that you need to:

iptables -t nat -A POSTROUTING -i eth1 -o eth0 -j MASQUERADE (see http://tldp.org/HOWTO/IP-Masquerade-HOWTO/ if you like to know more)

As long as we're using IPv4: You will only get one IP-address from your ISP and all your clients share this one address when interacting with systems on the internet. Masquerading takes care of everything to handle this sharing of an IP-address. The point is we need to tell iptables when to apply masquerading. If iptables won't accept -i and -o anymore a suitable replacement rule is

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 ! -d 192.168.0.0/24 -j MASQUERADE

You may need to replace the subnet definitions 192.168.0.0/24 (both!) with the subnet your clients live in. The rule says "do masquerading for all packets that originate from the client subnet and are addressed to hosts outside the client subnet".

I don't know Dreamplug, but you should have some file /etc/firewall* or /etc/iptables* where you can add this statement, so that this statement is executed on every reboot. Check your documentation for "firewall rules" and where you have to put them.

For your DHCP configuration, your lease times seem ridiculously high. Take 3-5 zeros off. Also there is a chance that there are clients out there that can't/don't handle such big numbers. Also you should reverse the ordering of domain-name-servers. Clients will ask the first server in the list first. If your router acts as a name server as well it is most likely to remember previous queries for some time. This means if your clients request the same address a second time the answer is much quicker, compared to asking a Google name server.
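The two steps of this answer (enable ip_forward, add the subnet-based MASQUERADE rule) as an added POSIX shell example, not code from the original answer. The helper functions build and validate the rule without root, so they can be checked first; apply_router() is an assumed name and touches the live system only when run as root, and it assumes iptables -S is available to list existing rules.

```shell
#!/bin/sh
# Added example: build and (optionally) apply the router setup from Solution 1.

# Validate a dotted-quad CIDR such as 192.168.0.0/24 (four octets 0-255, prefix 0-32).
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; prefix=${1#*/}
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the POSTROUTING rule in the -s / ! -d form (iptables rejects -i in
# POSTROUTING): masquerade LAN traffic that is addressed outside the LAN.
masq_rule() {
    valid_cidr "$1" || { echo "bad subnet: $1" >&2; return 1; }
    printf 'iptables -t nat -A POSTROUTING -s %s ! -d %s -j MASQUERADE\n' "$1" "$1"
}

# Report forwarding state from a proc-style file; the path argument exists so
# the function can be exercised against a constructed file without root.
ip_forward_state() {
    read -r v < "${1:-/proc/sys/net/ipv4/ip_forward}" || return 1
    case "$v" in 1) echo enabled ;; 0) echo disabled ;; *) return 1 ;; esac
}

# Apply for real: persist net.ipv4.ip_forward=1 in /etc/sysctl.conf, enable it
# now, and add the NAT rule only if an identical one is not already loaded
# (re-running the script must not duplicate rules).
apply_router() {
    subnet=$1
    valid_cidr "$subnet" || { echo "bad subnet: $subnet" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    grep -qx 'net.ipv4.ip_forward=1' /etc/sysctl.conf \
        || echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
    sysctl -w net.ipv4.ip_forward=1
    iptables -t nat -S POSTROUTING | grep -qF -- "-s $subnet ! -d $subnet -j MASQUERADE" \
        || iptables -t nat -A POSTROUTING -s "$subnet" ! -d "$subnet" -j MASQUERADE
}
```

Run "masq_rule 192.168.0.0/24" to preview the exact rule before calling apply_router with the same subnet.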

Solution 2

Remove the bridge. It's insecure in this type of arrangement.

Instead, install the arno-iptables-firewall package to easily and securely set up a secure router configuration. It will do the rest for you.

From the Debian package description:

Unlike other lean iptables frontends in Debian, arno-iptables-firewall will set up and load a secure, restrictive firewall by just asking a few questions. This includes configuring internal networks for internet access via NAT and potential network services (e.g. http or ssh).

Unless you know how to set up iptables securely on your own, install this package.

Author: Josh

Updated on September 18, 2022

Comments

  • Josh
    Josh over 1 year

    I'm trying to set up Debian Squeeze (à la Dreamplug) as a router. I can't seem to get the pieces to fit together.

    ETH0: Upstream/internet - DHCP-Client
    ETH1: Downstream/Lan - 192.168.0.1 DHCP-Server

    sudo vim /etc/network/interfaces

    auto lo br0
    iface lo inet loopback

    auto eth0
    iface eth0 inet dhcp

    auto eth1
    iface eth1 inet static
            address 192.168.0.1
            network 192.168.0.0
            netmask 255.255.255.0
            broadcast 192.168.0.255

    iface br0 inet dhcp
            bridge_ports eth0 eth1


    sudo vim /etc/dhcp/dhcpd.conf

    option domain-name "MyPlug.MyServer.com";
    option domain-name-servers 8.8.8.8, 192.168.0.1;
    
    default-lease-time 600000000;
    max-lease-time 720000000;
    
    subnet 192.168.0.0 netmask 255.255.255.0 {
        range 192.168.0.100 192.168.0.200;
        option routers 192.168.0.1;
        option broadcast-address 192.168.0.255;
    }
    

    sudo vim /etc/default/isc-dhcp-server

    INTERFACES="eth1"
    

    service networking restart
    service isc-dhcp-server restart

    My windows 7 machine picks up an IP... AFTER I force release/renew. I was able to get it to connect to the server via putty once.

    Anything noticeably wrong with my settings? or anything else I can look for?

  • Josh
    Josh almost 12 years
    Dreamplug is an ARMEL PlugPC, currently running Debian 6.0. So, if ip_forward is on, bridge_utils is not needed? I've done some reading on iptables, and have some tutorials bookmarked, but am simply trying to get DHCP server on eth1 + internet access on computer connected to ETH1. The "ridiculously high" lease times were max numbers that I planned on dropping to something reasonable once stuff was working. I'll read up on Masquerading.
  • Josh
    Josh almost 12 years
    debian 6: "iptables v1.4.8: Can't use -i with POSTROUTING"
  • Bananguin
    Bananguin almost 12 years
    added a suitable replacement rule
  • Josh
    Josh over 11 years
    Month later, but I was finally able to sit down and work on this again (Color me lazy). I've gone back to the drawing board and am doing stuff a step at a time. I removed isc-dhcp-server and am using UDHCP instead (already installed) and after the MASQ worked successfully, I got shorewall installed and working as a firewall. I'll probably have another question or two in the next week to move things along, but this got me moving in the right direction. Thanks :) Read a tutorial and finally am grep'ing some of this (MASQ = NAT and what not).
  • Josh
    Josh over 11 years
    Currently, the DreamPlug is safely behind another router/firewall so my initial worries aren't about security, just getting the basics working. I have recently got Shorewall installed and working (after I was able to successfully DHCP and surf through the plug). Next up is DNS, then LAMP (probably Drupal based) and maybe Webmin (or something comparable). I did up-vote because this post was helpful (didn't know arno vs shorewall before) but the other user's post was more helpful for the question at hand.