Introduction to the Debian router / gateway

There are many reasons to use your own self-configured router / gateway.
In this guide, I show you how to set up two servers with a shared internal private network and Debian 8 via the gridscale RESTful API.
Only one of the two servers will have access to the Internet, it works as a gateway between the private network and the Internet and at the same time supplies the internal private network with IPs via DHCP.

How to build a sample configuration with the gridscale RESTful API can be found here (German only).
For this guide, you simply connect one of the two servers to the internet via the public network.

If you want to skip the API section, you can build the two servers easily in the gridscale panel. The rest of this guide requires just two servers with the same network configuration and Debian 8 installed.

To start we need two servers running Debian 8 and the following:

  1. A private network that connects the two servers
  2. Router / gateway with 2 network interfaces
    * Public network (eth0)
    * Private network (eth1)
  3. Protected server with 1 network interface
    * Private network (eth0)

The router / gateway is assigned a public IP, the protected server is not (this then makes the router / gateway later).

Ok, lets go 🙂

[sc name=”Tutorials-Signup”]

1) Configuring the network interfaces 

Change the “address”, “netmask” and “broadcast” values of your internal network on the router / gateway.
Don’t change the network configuration of the protected server.

# nano -w /etc/network/interfaces source /etc/network/interfaces.d/* # The loopback network interface auto lo iface lo inet loopback # The primary network interface auto eth0 allow-hotplug eth0 iface eth0 inet dhcp iface eth0 inet6 dhcp # The internal LAN interface (eth1) allow-hotplug eth1 iface eth1 inet static address 10.0.0.1 netmask 255.255.255.0 network 10.0.0.0 broadcast 10.0.0.255

2) Installing and configuring DNSmasq 

DNSmasq is a DNS forwarder and DHCP server. Change “domain” to match the FQDN of your network and “dhcp-range” to the desired range of DHCP IP addresses that the router / gateway should assign to the clients on the private network.

# apt-get install dnsmasq
# nano -w /etc/dnsmasq.conf
interface=eth1
listen-address=127.0.0.1
domain=your.domain.name
dhcp-range=10.0.0.100,10.0.0.150,12h

3) Enable IP forwarding

Write the following line:

# nano -w /etc/sysctl.conf
net.ipv4.ip_forward=1

4) Installing and configuring iptables 

First we will install some tools needed to automatically load stored iptables rules on the next reboot of the router / gateway.
Both questions whether the current iptables rules should be saved, have to be answered with “Yes”.

apt-get install iptables-persistent

Now we will edit the file “/etc/iptables/rules.v4” created by the installation.
As an example, we set up NAT to give the servers on the private network access to the Internet:

nano -w /etc/iptables/rules.v4
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

*filter
-A INPUT -i lo -j ACCEPT
# allow ssh, so that we do not lock ourselves
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
# allow incoming traffic to the outgoing connections,
# et al for clients from the private network
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# prohibit everything else incoming 
-A INPUT -i eth0 -j DROP
COMMIT

5) Iptables Enable rules

iptables-restore < /etc/iptables/rules.v4

6) Reboot and check if everything works 

That’s it! After a reboot, you have a simple router / gateway for your private network.

7) And what has become of the “protected server”?

It has now received an IP from dnsmasq. From router/gateway:

root@router-gw:~# journalctl | grep "DHCPOFFER(eth1)"
Jan 28 18:07:16 router-gw dnsmasq-dhcp[994]: DHCPOFFER(eth1) 10.0.0.142 0a:93:33:9f:39:02

So we log off from the router / gateway via SSH (your workstation -> router / gateway -> protected server) with the previously used root password and check whether the protected server is on the Internet and the router / gateway is working:

# ssh 10.0.0.142
The authenticity of host '10.0.0.142 (10.0.0.142)' can't be established.
ECDSA key fingerprint is b5:e2:32:54:2d:b3:9c:29:51:f6:15:61:e7:b6:f8:ac.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.142' (ECDSA) to the list of known hosts.
root@10.0.0.142's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jan 28 18:14:58 2016

root@secure-server:~# ip a s eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 0a:93:33:9f:39:02 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.142/24 brd 10.0.0.255 scope global eth0
        valid_lft forever preferred_lft forever
    inet6 fe80::893:33ff:fe9f:3902/64 scope link
        valid_lft forever preferred_lft forever

root@secure-server:~# ping -c 5 www.google.de
PING www.google.de (173.194.113.88) 56(84) bytes of data.
64 bytes from fra02s21-in-f24.1e100.net (173.194.113.88): icmp_seq=1 ttl=59 time=1.05 ms
64 bytes from fra02s21-in-f24.1e100.net (173.194.113.88): icmp_seq=2 ttl=59 time=1.28 ms
64 bytes from fra02s21-in-f24.1e100.net (173.194.113.88): icmp_seq=3 ttl=59 time=0.911 ms
64 bytes from fra02s21-in-f24.1e100.net (173.194.113.88): icmp_seq=4 ttl=59 time=1.01 ms
64 bytes from fra02s21-in-f24.1e100.net (173.194.113.88): icmp_seq=5 ttl=59 time=1.14 ms

--- www.google.de ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 0.911/1.081/1.284/0.130 ms