Introduction to the Debian router / gateway

There are many reasons to use your own self-configured router / gateway.
In this guide, I show you how to set up two servers with a shared internal private network and Debian 8 via the gridscale RESTful API.
Only one of the two servers has access to the Internet; it works as a gateway between the private network and the Internet and at the same time supplies the private network with IP addresses via DHCP.

How to build a sample configuration with the gridscale RESTful API is described here (German only).
For this guide, you simply connect one of the two servers to the internet via the public network.

If you want to skip the API section, you can build the two servers easily in the gridscale panel. The rest of this guide requires just two servers with the same network configuration and Debian 8 installed.

To start we need two servers running Debian 8 and the following:

  1. A private network that connects the two servers
  2. Router / gateway with 2 network interfaces
    * Public network (eth0)
    * Private network (eth1)
  3. Protected server with 1 network interface
    * Private network (eth0)

The router / gateway is assigned a public IP, the protected server is not (the router / gateway will hand it an address later).

Ok, let's go 🙂


1) Configuring the network interfaces 

Change the “address”, “netmask” and “broadcast” values of your internal network on the router / gateway.
Don’t change the network configuration of the protected server.

# nano -w /etc/network/interfaces

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
allow-hotplug eth0
iface eth0 inet dhcp
iface eth0 inet6 dhcp

# The internal LAN interface (eth1)
allow-hotplug eth1
iface eth1 inet static
    address
    netmask
    network
    broadcast

2) Installing and configuring DNSmasq 

DNSmasq is a DNS forwarder and DHCP server. Change “domain” to match the FQDN of your network and “dhcp-range” to the desired range of DHCP IP addresses that the router / gateway should assign to the clients on the private network.

# apt-get install dnsmasq
# nano -w /etc/dnsmasq.conf

3) Enable IP forwarding

Add the following line so that the kernel forwards IPv4 packets between eth0 and eth1:

# nano -w /etc/sysctl.conf
net.ipv4.ip_forward=1

4) Installing and configuring iptables 

First we will install some tools needed to automatically load stored iptables rules on the next reboot of the router / gateway.
Both questions, whether the current IPv4 and IPv6 iptables rules should be saved, have to be answered with “Yes”.

apt-get install iptables-persistent

Now we will edit the file “/etc/iptables/rules.v4” created by the installation.
As an example, we set up NAT to give the servers on the private network access to the Internet:

nano -w /etc/iptables/rules.v4

# NAT: rewrite the source address of traffic from the private network
# that leaves via the public interface
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

*filter
-A INPUT -i lo -j ACCEPT
# allow ssh, so that we do not lock ourselves out
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
# allow incoming traffic that belongs to outgoing connections,
# among others for clients from the private network
-A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# prohibit everything else incoming
-A INPUT -i eth0 -j DROP
COMMIT

5) Enable the iptables rules

iptables-restore < /etc/iptables/rules.v4
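A small audit script for steps 3 to 5, added here as an example and not part of the original guide: it checks that IP forwarding is on and that a rules.v4 file contains the NAT, SSH, ESTABLISHED/RELATED and catch-all DROP rules in an order that does not lock the gateway out of its own connections. The sample rules file and the optional path argument of check_ip_forward are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the guide: audit the gateway settings of steps 3 to 5.
# Each check returns 0 when it passes, 1 otherwise.

# Is IPv4 forwarding on? The optional path lets the check run on a saved copy.
check_ip_forward() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# Does a rules.v4 file hold the rules the router / gateway needs, in an order
# that keeps SSH and the gateway's own outgoing connections working?
check_rules_v4() {
    f="$1"; wan="${2:-eth0}"; fail=0
    grep -q '^\*nat' "$f" && grep -q -- "-A POSTROUTING -o $wan -j MASQUERADE" "$f" \
        || { echo "missing: NAT (MASQUERADE) on $wan"; fail=1; }
    grep -q -- "-A INPUT -i $wan -p tcp -m tcp --dport 22 -j ACCEPT" "$f" \
        || { echo "missing: SSH accept on $wan (lock-out risk)"; fail=1; }
    grep -q -- "-A INPUT -i $wan -j DROP" "$f" \
        || { echo "missing: catch-all DROP on $wan"; fail=1; }
    # Replies to the gateway's own outgoing connections must be accepted before
    # the catch-all DROP; otherwise apt and dnsmasq's upstream DNS queries break.
    est=$(grep -nE -- "-A INPUT -i $wan .*(ESTABLISHED|RELATED)" "$f" | head -n 1 | cut -d: -f1)
    drop=$(grep -n -- "-A INPUT -i $wan -j DROP" "$f" | head -n 1 | cut -d: -f1)
    if [ -z "$est" ]; then
        echo "missing: ESTABLISHED,RELATED accept on $wan"; fail=1
    elif [ -n "$drop" ] && [ "$est" -gt "$drop" ]; then
        echo "order: DROP on $wan precedes the ESTABLISHED,RELATED accept"; fail=1
    fi
    return $fail
}

# Constructed sample rules.v4 with the ruleset from this guide.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -j DROP
COMMIT
EOF

check_rules_v4 "$SAMPLE_RULES" eth0 && echo "rules.v4: ok"
```

On the real gateway run `check_rules_v4 /etc/iptables/rules.v4 eth0` and `check_ip_forward` without arguments after step 5.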

6) Reboot and check if everything works 

That’s it! After a reboot, you have a simple router / gateway for your private network.

7) And what has become of the “protected server”?

It has received an IP address from dnsmasq by now. On the router / gateway:

root@router-gw:~# journalctl | grep "DHCPOFFER(eth1)"
Jan 28 18:07:16 router-gw dnsmasq-dhcp[994]: DHCPOFFER(eth1) 0a:93:33:9f:39:02

So we log in from the router / gateway to the protected server via SSH (your workstation -> router / gateway -> protected server) with the previously used root password and check whether the protected server can reach the Internet and the router / gateway is working:

# ssh
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is b5:e2:32:54:2d:b3:9c:29:51:f6:15:61:e7:b6:f8:ac.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.
root@'s password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jan 28 18:14:58 2016

root@secure-server:~# ip a s eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 0a:93:33:9f:39:02 brd ff:ff:ff:ff:ff:ff
    inet brd scope global eth0
        valid_lft forever preferred_lft forever
    inet6 fe80::893:33ff:fe9f:3902/64 scope link
        valid_lft forever preferred_lft forever

root@secure-server:~# ping -c 5
PING ( 56(84) bytes of data.
64 bytes from ( icmp_seq=1 ttl=59 time=1.05 ms
64 bytes from ( icmp_seq=2 ttl=59 time=1.28 ms
64 bytes from ( icmp_seq=3 ttl=59 time=0.911 ms
64 bytes from ( icmp_seq=4 ttl=59 time=1.01 ms
64 bytes from ( icmp_seq=5 ttl=59 time=1.14 ms

--- ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 0.911/1.081/1.284/0.130 ms