Debian Router/Gateway in 15 Minutes

A multitude of reasons exist as to why one would want to build a custom router vs. suffer with the performance, reliability issues, and limitations of an off-the-shelf solution. In the spirit of keeping this post short, I won’t launch into a long diatribe on the pros and cons of each here, but I have plenty of thoughts on this, so if you are interested, just ask.

What we are about to do is configure an incredibly fast and stable router/gateway solution for your home/office in about 15 minutes. (Note: This post assumes you already have your machine loaded up with a fresh copy of Debian 5.0 Lenny and you have the two needed NICs installed.)

First, let’s make three initial assumptions:

  • eth0 is the public interface (the Cable/DSL modem is attached to this NIC)
  • eth1 is the private interface (your switch is connected to this NIC)
  • All of the client computers, servers, WAPs, etc. are connected to the switch

Let’s get started with the configuration. Set your timer and type quickly! :)

1.) Configure the network interfaces
Change the “address”, “netmask”, and “broadcast” values to match your internal network preferences.

nano -w /etc/network/interfaces
# The external WAN interface (eth0)
allow-hotplug eth0
iface eth0 inet dhcp

# The internal LAN interface (eth1)
allow-hotplug eth1
iface eth1 inet static
   address 192.168.0.1
   netmask 255.255.255.0
   network 192.168.0.0
   broadcast 192.168.0.255

2.) Install and configure DNSmasq
DNSmasq is a DNS forwarder and DHCP server. Change “domain” to the FQDN of your network and “dhcp-range” to the range of DHCP addresses you would like your router to hand out to clients.

apt-get install dnsmasq
nano -w /etc/dnsmasq.conf
interface=eth1
listen-address=127.0.0.1
domain=home.andreimatei.com
dhcp-range=192.168.0.100,192.168.0.110,12h

3.) Enable IP Forwarding
Uncomment the following line:

nano -w /etc/sysctl.conf
net.ipv4.ip_forward=1

4.) Configure iptables
We create a file called /etc/iptables.rules and put this rule set inside of it. As an example, this set allows TCP traffic in from the outside world on port 222 (I run SSH on this alternate port) and also port-forwards TCP port 50000 to an internal machine with the IP address 192.168.0.3. Use this as a guide for your own rules.

nano -w /etc/iptables.rules
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 50000 -j DNAT --to-destination 192.168.0.3:50000
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 222 -j ACCEPT
-A INPUT -i eth0 -j DROP
-A FORWARD -i eth0 -p tcp -m tcp --dport 50000 -m state --state NEW -j ACCEPT
COMMIT

5.) Activate your iptables rules

iptables-restore < /etc/iptables.rules

6.) Ensure iptables rules start on boot
Insert the following line into your /etc/network/interfaces file right underneath “iface lo inet loopback”:

nano -w /etc/network/interfaces
pre-up iptables-restore < /etc/iptables.rules

7.) Reboot and Verify
That’s it! After a reboot, you should now have a very basic Linux Router/Gateway for your network.
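One thing to check before applying the step 4 rule set: the file declares no chain policies, so iptables-restore leaves INPUT and FORWARD at their default ACCEPT, and the FORWARD rule for port 50000 is therefore not restricting anything (every other forwarded packet from eth0 is accepted as well). The script below is an added example, not code from the original post: it generates the same rule set with explicit DROP policies on INPUT and FORWARD, and assumes the post's values (eth0/eth1, SSH on 222, 50000 forwarded to 192.168.0.3), all overridable through environment variables.

```shell
#!/bin/sh
# Added example (not part of the original post): emit a hardened version of the
# step-4 rule set in iptables-restore format. Assumed defaults match the post.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
SSH_PORT=${SSH_PORT:-222}
FWD_PORT=${FWD_PORT:-50000}
FWD_HOST=${FWD_HOST:-192.168.0.3}

# Print the rule set. Explicit ":CHAIN POLICY [0:0]" lines make the default
# DROP part of the file, so iptables-restore applies it on every boot.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN -p tcp --dport $FWD_PORT -j DNAT --to-destination $FWD_HOST:$FWD_PORT
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $LAN -j ACCEPT
-A INPUT -i $WAN -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -j ACCEPT
-A FORWARD -i $WAN -o $LAN -d $FWD_HOST -p tcp --dport $FWD_PORT -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Number of rules that accept traffic arriving on the WAN interface: the
# exposure surface worth reviewing before the file is applied (2 here).
wan_accept_count() {
    gen_rules | grep -c -- "-i $WAN .*-j ACCEPT"
}

# Both filter chains that face the WAN must carry an explicit DROP policy.
has_drop_policies() {
    gen_rules | grep -q '^:INPUT DROP' && gen_rules | grep -q '^:FORWARD DROP'
}

# Usage: sh gen-rules.sh --print > /etc/iptables.rules, review the output,
# then iptables-restore < /etc/iptables.rules as in step 5.
if [ "${1:-}" = "--print" ]; then
    has_drop_policies && gen_rules
fi
```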

This post obviously doesn’t cover some of the incredible additional flexibility which your new machine provides.  I urge you to explore topics on traffic shaping, throughput monitoring, Intrusion Detection, and VPN configuration to learn how to harness the true power of running a dedicated machine as the central traffic cop of your network.

11 thoughts on “Debian Router/Gateway in 15 Minutes”

  1. Hey, this is a great article, it worked well for me on Debian 6. The one thing that would be great to get into is hardening this install.

  2. Terrific how-to. I spent almost 20 hours (unbillable – of course) trying to figure out how to do this from scratch.
    once I found your how-to, the biggest obstacle I had was removing bind9.

    rock on.

  3. It works for me too (wheezy)
    I used a USB network adapter in order to have 2 ethernet interfaces on my notebook (10 dollars)
    Thanks a lot. So simple.

    1. Actually I faced an issue with the ftp client (I need to update a distant website). Even on the debian gateway.

      The solution was (the 2nd line for reboot persistence):
      `# modprobe ip_nat_ftp`
      `# echo "ip_nat_ftp" >> /etc/modules`

      (Note: the ftp server answer was “I won’t open a connection to 192.168.1.2 (only to 109.190.125.1)” with 109.x.x.x my public address.)

