
Re: how to make a router

From Jörg Jellissen <joerg.jellissen@t-online.de>
Newsgroups linux.debian.maint.firewall
Subject Re: how to make a router
Date 2021-12-06 10:50 +0100
Message-ID <DriNc-tw-15@gated-at.bofh.it> (permalink)
References <DqoUG-XL-5@gated-at.bofh.it>
Organization linux.* mail to news gateway


Hello,


When you know something about Linux, you can build it from scratch with software.


I also have my own router with two network interfaces and one wireless 
LAN card.

Take a look at:


bind9              -  DNS server
isc-dhcp-server    -  DHCP server for IPv4 and/or IPv6
hostapd            -  wireless daemon
nftables           -  !!! Important / firewall

Optionally, if you like:

webmin             -  web-based GUI

On 03.12.2021 at 23:04, Ross Boylan wrote:
> Hi, all!
>
> In short: if my box has 2 ethernet connections, one to the outside 
> world and one to my LAN, do I need to add a routing instruction so 
> that packets from my lan can make it out to the internet?  Using 
> /etc/network/interfaces.
>
> Fuller Question:
>
> Currently my main system has one ethernet attached to my local network 
> (a switch, or maybe a dumb router); a wireless router on the network 
> is connected to the (outside) internet and currently provides NAT, 
> firewall and DHCP.*
>
> My goal is to attach the internet directly to my system by an ethernet 
> cable from the modem and take over as the primary router/firewall.
>
> Do I need to add an ip route command to get outbound (public internet) 
> traffic to actually go out?  This includes both traffic from my system 
> and from others on my local network.  Unlike nft, ip doesn't seem to 
> do negative commands, so I guess I would first give routing rules for 
> my local network and then send the rest out.**
>
> E.g., with eth0 my LAN and eth1 the WAN
> ip route add 192.168.1.0/24 dev eth0
> # other routes I know something about
> # other unused private routes--or maybe those should just be dropped 
> by nft?
> # perhaps
> ip route add blackhole 192.168.0.0/16
> ip route add default dev eth1
> # nft does SNAT on the result
>
> I'm using ifup as my primary configuration; and have examples of nft 
> setup for firewalls and routers, including SNAT.  This is on buster, 
> though I hope to upgrade soon.  I edited sysctl.conf to allow forwarding.
>
> I had a similar setup a few years ago with iptables, and I don't 
> remember needing to route manually, so maybe I'm missing something.
>
> I've found it difficult to get current information; the "Debian 
> Reference" and "Securing Debian" are both pre nft, as is 
> https://wiki.debian.org/DebianFirewall. The documentation on netfilter 
> is naturally focused on nft, not on other changes one needs, and is 
> not Debian specific. The Debian specific information on iproute2 is 
> minimal; nftables does have some useful info on Debian integration. 
> ifup has a fair amount of documentation, though it does leave exactly 
> how specifications in interfaces get translated to specific kernel 
> settings to the imagination (e.g., if I specify 2 interfaces will it 
> automatically guess how to route?).
>
> The whole thing is made more complex by the possible presence of other 
> dynamically created networks from libvirt and Docker.  I've mostly 
> been avoiding docker since it doesn't seem to play well with others, 
> e.g., it may delete all my existing rules.
>
> Ross
>
>
> *DHCP is the problem.  My main system provides customized DHCP and 
> DNS.  My old wireless router let me disable DHCP; my new Deco 5 only 
> lets me disable DHCP by disabling *all* the router features.  Which is 
> why I'm trying to get my main system to act as the router.
>
> **Given that interfaces listed first are not reliably configured 
> first, I'm not sure how to guarantee the outside routes get added 
> after the inside routes, at least if each is set when their respective 
> interface comes up.

-- 
Kind regards

Jörg Jellissen
Friesenstraße 3
47445 Moers

Mobile: (01573) / 5 34 42 18
Fax: (02841) / 4 08 62 77

E-Mail: joerg.jellissen@t-online.de
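The router build the package list above describes (static LAN side, DHCP WAN side, forwarding enabled, nftables doing the filtering and SNAT), as an added example that is not part of either post in this thread. It is a small POSIX shell script that writes the three Debian configuration files involved. The interface names eth0/eth1, the 192.168.1.0/24 prefix, the file names and the use of /etc/network/interfaces.d/ (sourced by Debian's default /etc/network/interfaces) are assumptions. Because ifupdown installs the connected route for the LAN prefix from the static stanza and takes the default route from the WAN DHCP lease, no manual ip route commands are needed; the ruleset does the rest. The NAT table is in the ip family because buster's 4.19 kernel has no inet-family NAT.

```shell
#!/bin/sh
# Added example (not from the thread): generate the three files a Debian box
# needs to act as a LAN->WAN router with nftables. Paths, interface names and
# addresses are assumptions; adjust to your setup.
# Usage: sh make-router.sh DESTDIR LAN_IF WAN_IF LAN_ADDR LAN_NET
#   e.g. sh make-router.sh / eth0 eth1 192.168.1.1/24 192.168.1.0/24
set -u

write_router_config() {
    dest=$1 lan_if=$2 wan_if=$3 lan_addr=$4 lan_net=$5
    mkdir -p "$dest/etc/network/interfaces.d" "$dest/etc/sysctl.d"

    # 1. Addresses. ifupdown adds the connected route for the LAN prefix and
    #    the default route from the WAN DHCP lease, so no manual "ip route".
    cat > "$dest/etc/network/interfaces.d/router" <<EOF
auto $lan_if
iface $lan_if inet static
    address $lan_addr

auto $wan_if
iface $wan_if inet dhcp
EOF

    # 2. Forwarding is off by default; a router needs it on at boot.
    printf 'net.ipv4.ip_forward = 1\n' > "$dest/etc/sysctl.d/30-router.conf"

    # 3. Ruleset loaded by nftables.service (nft -f /etc/nftables.conf).
    #    Only the define lines are shell-expanded; the rest is literal nft.
    {
        printf '#!/usr/sbin/nft -f\n'
        printf 'define LAN_IF = "%s"\n' "$lan_if"
        printf 'define WAN_IF = "%s"\n' "$wan_if"
        printf 'define LAN_NET = %s\n' "$lan_net"
        cat <<'EOF'
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # LAN hosts may reach the router's own DNS, DHCP and SSH
        iifname $LAN_IF accept
        # WAN: answer ping and keep IPv6 neighbour discovery working
        iifname $WAN_IF icmp type echo-request accept
        iifname $WAN_IF icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Only the LAN prefix may leave via the WAN; nothing is forwarded inbound unsolicited
        iifname $LAN_IF oifname $WAN_IF ip saddr $LAN_NET accept
    }
}

# NAT in an ip-family table: buster's 4.19 kernel has no inet-family NAT
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN_IF ip saddr $LAN_NET masquerade
    }
}
EOF
    } > "$dest/etc/nftables.conf"
}

check_ruleset() {
    # -c parses and validates without touching the kernel
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        echo "nft not installed, skipping syntax check of $1" >&2
    fi
}

if [ $# -eq 5 ]; then
    write_router_config "$@"
    check_ruleset "$1/etc/nftables.conf"
fi
```

Run it as root with `/` as DESTDIR, then `sysctl --system`, `ifup eth0 eth1` and `systemctl enable --now nftables`. The `nft -c` check only parses the file; it does not confirm that the interface names exist. Note that `flush ruleset` empties every table, including those Docker creates through iptables-nft, so on a host that also runs Docker load the ruleset before Docker starts or drop the flush and manage the tables individually.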



Thread

how to make a router Ross Boylan <rossboylan@stanfordalumni.org> - 2021-12-03 23:10 +0100
  Re: how to make a router John Drabik <john@drabik.org> - 2021-12-04 04:10 +0100
  Re: how to make a router Jörg Jellissen <joerg.jellissen@t-online.de> - 2021-12-06 10:50 +0100
