
Set up your Debian router / gateway in 10 minutes

by the gridscale Team Debian Networking

Introduction to the Debian router / gateway

There are many reasons to use your own self-configured router / gateway.
In this guide, I describe how to set up two servers with a shared internal private network and Debian 8 via the gridscale RESTful API.
Only one of the two servers has access to the Internet, works as a gateway between the private network and the Internet and at the same time supplies the internal private network with IPs via DHCP.

How to build a sample configuration with the gridscale RESTful API can be found here (German only).
For this guide, you simply omit the connection to the Internet via the public network on one of the two servers.

If you would rather build the two servers in the gridscale panel instead of via the API, you can skip the API part. The rest of this guide just requires two servers with the network configuration described below and Debian 8 installed.

We need two servers running Debian 8, set up as follows:

  1. Create a private network that connects the two servers
  2. Router / gateway with 2 network interfaces
    * Public network (eth0)
    * Private network (eth1)
  3. Protected server with 1 network interface
    * Private network (eth0)

The router / gateway is assigned a public IP; the protected server is not assigned an IP (the router / gateway takes care of that later).

Ok, let's go 🙂

1) Configuring the network interfaces 

On the router / gateway, change the values for “address”, “netmask” and “broadcast” to match your internal network.
The network configuration of the protected server does not need to be changed.

# nano -w /etc/network/interfaces
source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
allow-hotplug eth0
iface eth0 inet dhcp
iface eth0 inet6 dhcp

# The internal LAN interface (eth1)
allow-hotplug eth1
iface eth1 inet static
    address 10.0.0.1
    netmask 255.255.255.0
    network 10.0.0.0
    broadcast 10.0.0.255

2) Installing and configuring DNSmasq 

DNSmasq is a DNS forwarder and DHCP server. Change “domain” to match the FQDN of your network and “dhcp-range” to the desired range of DHCP IP addresses that the router / gateway should assign to the clients on the private network.

# apt-get install dnsmasq
# nano -w /etc/dnsmasq.conf
interface=eth1
listen-address=127.0.0.1
domain=your.domain.name
dhcp-range=10.0.0.100,10.0.0.150,12h

3) Enable IP forwarding

Add the following line to /etc/sysctl.conf:

# nano -w /etc/sysctl.conf
net.ipv4.ip_forward=1

4) Installing and configuring iptables 

First we install the tools needed to automatically load the stored iptables rules on the next reboot of the router / gateway.
Answer both questions about whether the current iptables rules should be saved with “Yes”.

apt-get install iptables-persistent

We now edit the file “/etc/iptables/rules.v4” created during the installation.
As an example, we set up NAT to give the servers on the private network access to the Internet:

nano -w /etc/iptables/rules.v4
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

*filter
-A INPUT -i lo -j ACCEPT
# allow ssh, so that we do not lock ourselves out
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
# allow incoming traffic that belongs to outgoing connections,
# among others for clients from the private network
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# drop all other incoming traffic
-A INPUT -i eth0 -j DROP
COMMIT

5) Enable the iptables rules

iptables-restore < /etc/iptables/rules.v4
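
The ruleset from step 4 filters INPUT but contains no FORWARD rules, so routed packets are only subject to the FORWARD chain policy, which is ACCEPT by default. The following script is an added example, not part of the original tutorial: `audit_rules`, `PAGE_RULES` and `HARDENED_RULES` are hypothetical names, and the tightened variant is one possible layout that assumes the 10.0.0.0/24 LAN on eth1 from step 1.

```sh
#!/bin/sh
# audit_rules: read an iptables-save style ruleset on stdin, print one line
# per finding and return 1 if there is any (a heuristic, not a full parser).
audit_rules() {
    awk '
        /^\*/ { table = substr($0, 2); next }    # table header: *nat, *filter
        table == "filter" && $1 == ":FORWARD" { policy = $2 }
        table == "filter" && /^-A FORWARD (.* )?-j (DROP|REJECT)/ { fwd_drop = 1 }
        table == "nat" && / -j MASQUERADE/ && $0 !~ / -o [^ ]+/ {
            n++; print "nat: MASQUERADE is not limited to an outbound interface"
        }
        END {
            if (policy != "DROP" && !fwd_drop) {
                n++; print "filter: FORWARD has no DROP policy or rule"
            }
            exit (n > 0)
        }
    '
}

# Constructed sample 1: the ruleset from step 4 (comments stripped).
PAGE_RULES='*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j DROP
COMMIT'
# Constructed sample 2 (assumption, not from the tutorial): same INPUT rules,
# but forwarding is default-deny and only LAN -> Internet plus replies pass.
HARDENED_RULES='*nat
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j DROP
-A FORWARD -s 10.0.0.0/24 -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

printf '%s\n' "$PAGE_RULES" | audit_rules || true      # one FORWARD finding
printf '%s\n' "$HARDENED_RULES" | audit_rules || true  # no findings
```

On the router itself the function can read the real file with `audit_rules < /etc/iptables/rules.v4`; `iptables-restore --test` additionally checks the syntax of a file without committing it.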

6) Reboot and check if everything works 

That’s it! After a reboot, you have a simple router / gateway for your private network.

7) And what has become of the “protected server”?

It has now received an IP from dnsmasq. On the router / gateway:

root@router-gw:~# journalctl | grep "DHCPOFFER(eth1)"
Jan 28 18:07:16 router-gw dnsmasq-dhcp[994]: DHCPOFFER(eth1) 10.0.0.142 0a:93:33:9f:39:02

So we log in to the protected server via SSH from the router / gateway (your workstation -> router / gateway -> protected server) with the previously used root password and check whether the protected server really reaches the Internet and the router / gateway really is working:

# ssh 10.0.0.142
The authenticity of host '10.0.0.142 (10.0.0.142)' can't be established.
ECDSA key fingerprint is b5:e2:32:54:2d:b3:9c:29:51:f6:15:61:e7:b6:f8:ac.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.142' (ECDSA) to the list of known hosts.
root@10.0.0.142's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jan 28 18:14:58 2016

root@secure-server:~# ip a s eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 0a:93:33:9f:39:02 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.142/24 brd 10.0.0.255 scope global eth0
        valid_lft forever preferred_lft forever
    inet6 fe80::893:33ff:fe9f:3902/64 scope link
        valid_lft forever preferred_lft forever

root@secure-server:~# ping -c 5 www.google.de
PING www.google.de (173.194.113.88) 56(84) bytes of data.
64 bytes from fra02s21-in-f24.1e100.net (173.194.113.88): icmp_seq=1 ttl=59 time=1.05 ms
64 bytes from fra02s21-in-f24.1e100.net (173.194.113.88): icmp_seq=2 ttl=59 time=1.28 ms
64 bytes from fra02s21-in-f24.1e100.net (173.194.113.88): icmp_seq=3 ttl=59 time=0.911 ms
64 bytes from fra02s21-in-f24.1e100.net (173.194.113.88): icmp_seq=4 ttl=59 time=1.01 ms
64 bytes from fra02s21-in-f24.1e100.net (173.194.113.88): icmp_seq=5 ttl=59 time=1.14 ms

--- www.google.de ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 0.911/1.081/1.284/0.130 ms
