This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

Router:Linux - Debian

You'll need to use an ADSL or FTTC modem in bridge mode for this to work - see the page for your modem to see how to set that up.
 
This guide provides an example configuration for Debian Jessie. When partially tried under Debian Buster, few issues were found.
 
= Prerequisites =
* '''eth0''' is plugged directly into your modem or ONT
* '''eth1''' will be used for your LAN
Note that under Buster, you can expect the naming conventions for the interfaces to be different. You'll therefore have to pay close attention to updating the interface names as you follow the guide.
 
= Enabling IP forwarding =
To tell our Linux router to actually forward traffic, you must first enable IP forwarding in '''/etc/sysctl.conf'''.
 
Look for this section in '''/etc/sysctl.conf''':
 
 # Uncomment the next line to enable packet forwarding for IPv4
 #net.ipv4.ip_forward=1
 # Uncomment the next line to enable packet forwarding for IPv6
 # Enabling this option disables Stateless Address Autoconfiguration
 # based on Router Advertisements for this host
 #net.ipv6.conf.all.forwarding=1
 
Uncomment the two lines starting with "net":
 
 # Uncomment the next line to enable packet forwarding for IPv4
 net.ipv4.ip_forward=1
 # Uncomment the next line to enable packet forwarding for IPv6
 # Enabling this option disables Stateless Address Autoconfiguration
 # based on Router Advertisements for this host
 net.ipv6.conf.all.forwarding=1
 
Now run:
 
 sysctl -p
 
This will reload '''/etc/sysctl.conf''' - applying our changes.
 
= Setting up pppd =
pppd will be used to actually connect to A&A.
 
 
 apt-get update
 apt-get install ppp pppoe iproute2
 
pppd uses several different configuration files:
'''/etc/ppp/options''' should be left as-is - we will not change this file.
 
=== /etc/ppp/peers/aaisp ===
This file contains the settings that are used to configure your connection to A&A:
 
* '''noauth''' - don't require A&A to send authentication details
* '''persist''' - automatically reconnect if the connection drops
* '''maxfail 0''' - sets the number of consecutive failed connection attempts before pppd gives up. Setting this to 0 means that pppd will retry forever
* '''mtu 1492''' - sets the max MTU for packets inside the PPP connection - 1492 is a "safe" value for PPPoE on most hardware. Some modems will be able to use "baby jumbo frames" (RFC 4638). See the "Using a full 1500 MTU" section for more details.
* '''noaccomp''' - disables address/control compression
* '''default-asyncmap''' - disables the negotiation of an asyncmap - forces all control characters to be escaped
* '''+ipv6''' - enable IPv6 support
* '''ipv6cp-use-ipaddr''' - use your IPv4 address as the local identifier for IPv6CP
* '''ifname pppoe-aaisp''' - renames the PPP connection from an automatically generated name (such as ppp0) to pppoe-aaisp - this makes further configuration easier!
 
=== /etc/ppp/chap-secrets ===
This file contains the password that is used to connect to A&A.
 
Replace "YourLinePasswordGoesHere" with the password for your A&A connection.
 
=== Making IPv6 work with pppd ===
Out of the box, you'll notice that you can't access the internet using IPv6.
 
This file will now be run every time your PPP connects, and will automatically create an IPv6 default route!
 
=== Testing pppd ===
 
Before you proceed, you should test your ppp configuration.
 
 poff aaisp
 
= Setting up the rest of the router =
 
The rest of this configuration is split into two parts - one assuming that you have a connection with only one IPv4 address and will configure NAT, and one assuming you have a block of IPv4 allocated by A&A that you wish to use on your local network.
 
Home::1 will generally only have one IPv4 address.
 
== One IPv4 Address ==
 
=== Configuring /etc/network/interfaces ===
'''/etc/network/interfaces''' contains most of the network configuration for a Debian machine.
 
For our example, it should look like:
 
 # This file describes the network interfaces available on your system
 # and how to activate them. For more information, see interfaces(5).
 # The loopback network interface
 auto lo
 iface lo inet loopback
 # The primary network interface - the network interface carrying PPP
 auto eth0
 iface eth0 inet manual
 auto aaisp
 iface aaisp inet ppp
     provider aaisp
     pre-up /sbin/ip link set eth0 up
 auto eth1
 iface eth1 inet static
     address 192.168.1.1
     netmask 255.255.255.0
 iface eth1 inet6 static
     address <your IPv6 address here>
     netmask 64
 
Replace "<your IPv6 address here>" with the first address from the prefix you've been allocated. You can see this prefix on clueless.
 
By default, A&A will allocate a /48 prefix, but will only route it to your line in /56 or /64 chunks.
 
For example, your prefix might be: 2001:db8:b9::/48. You might have 2001:db8:b9:2041::/64 routed to your line. In this example, you'd use "2001:db8:b9:2041::1" as your IPv6 address.
 
If you're not sure what IPv6 address to use, contact support!
 
=== Configuring your firewall ===
 
You'll need to configure a firewall for IPv4 and IPv6. The best way to do this on Debian is to use the '''iptables-persistent''' package - this will take care of automatically loading your firewall configuration at boot.
 
This example will set up:
* Allowing all traffic from your LAN to the internet
* Blocking unsolicited traffic from the internet to your LAN
* NAT for IPv4
 
To set up some sensible defaults, do:
 
 apt-get update
 # the iptables package provides both iptables and ip6tables
 apt-get install iptables
 # clear any existing IPv4 rules
 iptables -t filter -F
 iptables -t nat -F
 iptables -t mangle -F
 iptables -t filter -X
 iptables -t nat -X
 iptables -t mangle -X
 # set up default traffic policies - drop all incoming and forwarded traffic except any that is explicitly allowed
 # but allow outbound traffic by default
 iptables -P FORWARD DROP
 iptables -P INPUT DROP
 iptables -P OUTPUT ACCEPT
 iptables -t nat -P OUTPUT ACCEPT
 iptables -t nat -P PREROUTING ACCEPT
 iptables -t nat -P POSTROUTING ACCEPT
 # Set up rules for traffic going directly to the router
 iptables -A INPUT -i lo -m comment --comment "Accept all from localhost" -j ACCEPT
 iptables -A INPUT -p icmp -m comment --comment "Accept all ICMP" -j ACCEPT
 iptables -A INPUT -i eth1 -m comment --comment "Accept all from the LAN" -j ACCEPT
 iptables -A INPUT -i pppoe-aaisp -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic" -j ACCEPT
 iptables -A INPUT -m comment --comment "Reject all remaining traffic" -j REJECT
 # Set up rules for traffic being forwarded through the router
 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -o pppoe-aaisp -m comment --comment "Clamp MSS for traffic going via PPP" -j TCPMSS --clamp-mss-to-pmtu
 iptables -A FORWARD -i eth1 -o pppoe-aaisp -m comment --comment "Allow traffic from LAN -> internet" -j ACCEPT
 iptables -A FORWARD -i pppoe-aaisp -o eth1 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic from internet -> LAN" -j ACCEPT
 iptables -A FORWARD -m comment --comment "Reject all remaining traffic" -j REJECT
 # Handle IPv4 NAT
 iptables -t nat -A POSTROUTING -o pppoe-aaisp -m comment --comment "NAT" -j MASQUERADE
 # clear any existing IPv6 rules
 ip6tables -F
 ip6tables -X
 # set up default IPv6 policies
 ip6tables -P FORWARD DROP
 ip6tables -P INPUT DROP
 ip6tables -P OUTPUT ACCEPT
 # Set up rules for traffic going directly to the router
 ip6tables -A INPUT -i lo -m comment --comment "Accept all from localhost" -j ACCEPT
 ip6tables -A INPUT -p ipv6-icmp -m comment --comment "Accept all ICMP" -j ACCEPT
 ip6tables -A INPUT -i eth1 -m comment --comment "Accept all from LAN" -j ACCEPT
 ip6tables -A INPUT -i pppoe-aaisp -m state --state RELATED,ESTABLISHED -m comment --comment "Accept related & return traffic" -j ACCEPT
 ip6tables -A INPUT -m comment --comment "Reject all remaining input traffic" -j REJECT
 # Set up rules for traffic being forwarded through the router
 ip6tables -A FORWARD -p ipv6-icmp -m comment --comment "Forward all ICMP" -j ACCEPT
 ip6tables -A FORWARD -i eth1 -o pppoe-aaisp -m comment --comment "Allow LAN -> internet" -j ACCEPT
 ip6tables -A FORWARD -i pppoe-aaisp -o eth1 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow related & return traffic WAN -> LAN" -j ACCEPT
 ip6tables -A FORWARD -m comment --comment "Reject remaining forwarding traffic" -j REJECT
 # Now install iptables-persistent. When asked, choose "YES" to save existing IPv4 and IPv6 rules
 apt-get install iptables-persistent
 systemctl enable netfilter-persistent
 
== A block of IPv4 addresses ==
 
=== Configuring /etc/network/interfaces ===
'''/etc/network/interfaces''' contains most of the network configuration for a Debian machine.
 
For our example, it should look like:
 
 # This file describes the network interfaces available on your system
 # and how to activate them. For more information, see interfaces(5).
 # The loopback network interface
 auto lo
 iface lo inet loopback
 # The primary network interface - the network interface carrying PPP
 auto eth0
 iface eth0 inet manual
 auto aaisp
 iface aaisp inet ppp
     provider aaisp
     pre-up /sbin/ip link set eth0 up
 auto eth1
 iface eth1 inet static
     address <your IPv4 address here>
     netmask <the correct subnet mask for your IPv4 block here>
 iface eth1 inet6 static
     address <your IPv6 address here>
     netmask 64
 
Replace "<your IPv6 address here>" with the first address from the prefix you've been allocated. You can see this prefix on clueless. By default, A&A will allocate a /48 prefix, but will only route it to your line in /56 or /64 chunks. For example, your prefix might be: 2001:db8:b9::/48. You might have 2001:db8:b9:2041::/64 routed to your line. In this example, you'd use "2001:db8:b9:2041::1" as your IPv6 address.
 
If you're not sure what IPv6 address to use, contact support!
 
 
For IPv4, A&A will have allocated you a block to use.
 
For example, your block might be: 198.51.100.96/28. In this case, you'd have 16 addresses, 14 of which are usable. The first usable IP would be 198.51.100.97 - and we would use this for your LAN IP on the router. For a /28, the correct netmask would be "255.255.255.240".
 
If you're not sure what to use, contact support!
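
The calculation above, generalised to any block from /1 to /30, as an added example that is not part of the original guide. The helper names lan_settings and quad are hypothetical; the output is the router's LAN address, the netmask and the number of usable addresses.

```shell
#!/bin/sh
# Added example: derive the eth1 "address" and "netmask" values from an
# IPv4 block written in CIDR form. Helper names are hypothetical.

# Print a 32-bit integer as a dotted quad.
quad() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Usage: lan_settings 198.51.100.96/28
# Prints: <first usable address> <netmask> <usable address count>
lan_settings() {
    addr=${1%/*}; len=${1#*/}
    case "$len" in ''|*[!0-9]*) echo "bad prefix length" >&2; return 2 ;; esac
    [ "$len" -ge 1 ] && [ "$len" -le 30 ] || { echo "need a /1 to /30 block" >&2; return 2; }
    # Split the address on dots into $1..$4
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || { echo "bad address" >&2; return 2; }
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) echo "bad address" >&2; return 2 ;; esac
        [ "$o" -le 255 ] || { echo "bad address" >&2; return 2; }
    done
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    # A block must start on its own boundary; a non-zero host part means the
    # address given is not the network address of a block of this size.
    if [ $(( ip & ~mask & 0xFFFFFFFF )) -ne 0 ]; then
        echo "$addr is not the start of a /$len block" >&2
        return 1
    fi
    # Network and broadcast addresses are not usable, hence the "- 2".
    echo "$(quad $(( ip + 1 ))) $(quad "$mask") $(( (1 << (32 - len)) - 2 ))"
}

# The block used as the example in this guide (documentation address range)
lan_settings 198.51.100.96/28
```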
 
=== Configuring your firewall ===
 
You'll need to configure a firewall for IPv4 and IPv6. The best way to do this on Debian is to use the '''iptables-persistent''' package - this will take care of automatically loading your firewall configuration at boot.
 
This example will set up:
* Allowing all traffic from your LAN to the internet
* Blocking unsolicited traffic from the internet to your LAN
 
 apt-get update
 # the iptables package provides both iptables and ip6tables
 apt-get install iptables
 # clear any existing IPv4 rules
 iptables -t filter -F
 iptables -t nat -F
 iptables -t mangle -F
 iptables -t filter -X
 iptables -t nat -X
 iptables -t mangle -X
 # set up default traffic policies - drop all incoming and forwarded traffic except any that is explicitly allowed
 # but allow outbound traffic by default
 iptables -P FORWARD DROP
 iptables -P INPUT DROP
 iptables -P OUTPUT ACCEPT
 iptables -t nat -P OUTPUT ACCEPT
 iptables -t nat -P PREROUTING ACCEPT
 iptables -t nat -P POSTROUTING ACCEPT
 # Set up rules for traffic going directly to the router
 iptables -A INPUT -i lo -m comment --comment "Accept all from localhost" -j ACCEPT
 iptables -A INPUT -p icmp -m comment --comment "Accept all ICMP" -j ACCEPT
 iptables -A INPUT -i eth1 -m comment --comment "Accept all from the LAN" -j ACCEPT
 iptables -A INPUT -i pppoe-aaisp -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic" -j ACCEPT
 iptables -A INPUT -m comment --comment "Reject all remaining traffic" -j REJECT
 # Set up rules for traffic being forwarded through the router
 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -o pppoe-aaisp -m comment --comment "Clamp MSS for traffic going via PPP" -j TCPMSS --clamp-mss-to-pmtu
 iptables -A FORWARD -i eth1 -o pppoe-aaisp -m comment --comment "Allow traffic from LAN -> internet" -j ACCEPT
 iptables -A FORWARD -i pppoe-aaisp -o eth1 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic from internet -> LAN" -j ACCEPT
 iptables -A FORWARD -m comment --comment "Reject all remaining traffic" -j REJECT
 # clear any existing IPv6 rules
 ip6tables -F
 ip6tables -X
 # set up default IPv6 policies
 ip6tables -P FORWARD DROP
 ip6tables -P INPUT DROP
 ip6tables -P OUTPUT ACCEPT
 # Set up rules for traffic going directly to the router
 ip6tables -A INPUT -i lo -m comment --comment "Accept all from localhost" -j ACCEPT
 ip6tables -A INPUT -p ipv6-icmp -m comment --comment "Accept all ICMP" -j ACCEPT
 ip6tables -A INPUT -i eth1 -m comment --comment "Accept all from LAN" -j ACCEPT
 ip6tables -A INPUT -i pppoe-aaisp -m state --state RELATED,ESTABLISHED -m comment --comment "Accept related & return traffic" -j ACCEPT
 ip6tables -A INPUT -m comment --comment "Reject all remaining input traffic" -j REJECT
 # Set up rules for traffic being forwarded through the router
 ip6tables -A FORWARD -p ipv6-icmp -m comment --comment "Forward all ICMP" -j ACCEPT
 ip6tables -A FORWARD -i eth1 -o pppoe-aaisp -m comment --comment "Allow LAN -> internet" -j ACCEPT
 ip6tables -A FORWARD -i pppoe-aaisp -o eth1 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow related & return traffic WAN -> LAN" -j ACCEPT
 ip6tables -A FORWARD -m comment --comment "Reject remaining forwarding traffic" -j REJECT
 # Now install iptables-persistent. When asked, choose "YES" to save existing IPv4 and IPv6 rules
 apt-get install iptables-persistent
 systemctl enable netfilter-persistent
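
A check for the firewall in both the "One IPv4 Address" and "A block of IPv4 addresses" sections, as an added example that is not part of the original guide: it reads iptables-save or ip6tables-save output and fails if INPUT or FORWARD does not default to DROP, or if traffic arriving on the PPP interface is accepted without a RELATED,ESTABLISHED match. The name audit_ruleset and the two sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit "iptables-save" / "ip6tables-save" output on stdin.
# audit_ruleset is a hypothetical helper; $1 is the WAN interface name.
audit_ruleset() {
    awk -v wan="${1:-pppoe-aaisp}" '
        /^\*/ { table = substr($0, 2); next }      # table marker, e.g. "*filter"
        table != "filter" { next }
        /^:(INPUT|FORWARD) / {                     # chain header, e.g. ":INPUT DROP [0:0]"
            chain = substr($1, 2); seen[chain] = 1
            if ($2 != "DROP") { print "FAIL: " chain " default policy is " $2; bad++ }
            next
        }
        /^-A (INPUT|FORWARD) / && /-j ACCEPT/ {
            from_wan = 0
            for (i = 1; i < NF; i++) if ($i == "-i" && $(i + 1) == wan) from_wan = 1
            if (from_wan && $0 !~ /--(ct)?state (RELATED,ESTABLISHED|ESTABLISHED,RELATED)/) {
                print "FAIL: unsolicited WAN traffic accepted: " $0; bad++
            }
        }
        END {
            # An empty ruleset (rules never loaded at boot) must not pass silently
            if (!seen["INPUT"] || !seen["FORWARD"]) { print "FAIL: filter table chains missing"; bad++ }
            exit (bad > 0)
        }
    '
}
# Constructed sample: abbreviated save output matching the rules in this guide
good_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i pppoe-aaisp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o pppoe-aaisp -j ACCEPT
-A FORWARD -i pppoe-aaisp -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}
# Constructed sample: FORWARD left at ACCEPT and a WAN rule with no state match
bad_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
-A FORWARD -i pppoe-aaisp -o eth1 -j ACCEPT
COMMIT
EOF
}
good_rules | audit_ruleset && echo "good ruleset: OK"
bad_rules | audit_ruleset || echo "bad ruleset: rejected"
```

On the router itself, run it as "iptables-save | audit_ruleset" and "ip6tables-save | audit_ruleset" after a reboot to confirm that netfilter-persistent restored the rules.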
 
= Appendices =
Some users may want to change these settings. Some useful extras are documented below:
 
== Using a full 1500 MTU ==
 
 
[[Category:3rd Party Routers|Debian]]