Router:Linux - Debian: Difference between revisions
Content deleted Content added
m Even more formatting fixes (still)
m →/etc/ppp/chap-secrets: typo fix
(14 intermediate revisions by 5 users not shown)
| Line 3: | Line 3: | ||
You'll need to use an ADSL or FTTC modem in bridge mode for this to work - see the page for your modem to see how to set that up. |
You'll need to use an ADSL or FTTC modem in bridge mode for this to work - see the page for your modem to see how to set that up. |
||
This guide provides an example configuration for Debian Jessie. |
This guide provides an example configuration for Debian Jessie, but it should largely work for future versions. This has been tested with Jessie, Stretch and Buster. |
||
= Prerequsites = |
= Prerequsites = |
||
* a Linux PC with Debian |
* a Linux PC with Debian already installed and two network interfaces - one for the connection to the modem, and one for the connection to your LAN |
||
* a ADSL or FTTC modem, or a fibre ONT (for FTTP) (as appropriate for your connection) |
* a ADSL or FTTC modem, or a fibre ONT (for FTTP) (as appropriate for your connection) |
||
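Review bot: the "Prerequsites" heading is misspelled in both revisions ("Prerequisites"), and the "a ADSL or FTTC modem" item should read "an ADSL or FTTC modem"; both survive this revision unchanged. The added requirement of two network interfaces is the right thing to state up front, since every stanza and iptables rule later in this diff assumes a separate eth0 (modem) and eth1 (LAN).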
| Line 12: | Line 12: | ||
* '''eth0''' is plugged directly into your modem or ONT |
* '''eth0''' is plugged directly into your modem or ONT |
||
* '''eth1''' will be used for your LAN |
* '''eth1''' will be used for your LAN |
||
Note that under Buster, you can expect naming conventions for the interfaces to be different, you'll therefore have to pay close attention to updating the interface names as you follow the guide. |
|||
= Enabling IP forwarding = |
|||
To tell our Linux router to actually forward traffic, you must first enable IP forwarding in '''/etc/sysctl.conf'''. |
|||
Look for this section in '''/etc/sysctl.conf''': |
|||
# Uncomment the next line to enable packet forwarding for IPv4 |
|||
#net.ipv4.ip_forward=1 |
|||
# Uncomment the next line to enable packet forwarding for IPv6 |
|||
# Enabling this option disables Stateless Address Autoconfiguration |
|||
# based on Router Advertisements for this host |
|||
#net.ipv6.conf.all.forwarding=1 |
|||
Uncomment the two lines starting with "net": |
|||
# Uncomment the next line to enable packet forwarding for IPv4 |
|||
net.ipv4.ip_forward=1 |
|||
# Uncomment the next line to enable packet forwarding for IPv6 |
|||
# Enabling this option disables Stateless Address Autoconfiguration |
|||
# based on Router Advertisements for this host |
|||
net.ipv6.conf.all.forwarding=1 |
|||
Now run: |
|||
sysctl -p |
|||
This will reload '''/etc/sysctl.conf''' - applying our changes. |
|||
= Setting up pppd = |
= Setting up pppd = |
||
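Review bot: the new "Enabling IP forwarding" section turns forwarding on (`sysctl -p`) before the guide reaches the firewall section, so between this step and loading the iptables rules the host forwards between eth0 and eth1 under whatever FORWARD policy is in place (ACCEPT unless something has already changed it). Suggest either moving this section after the firewall setup or adding one sentence telling readers to load the rules (or at least run `iptables -P FORWARD DROP`) before `sysctl -p`. The note about different interface names under Buster would also be more actionable if it told readers to run `ip link`, note the names they see, and substitute them for eth0/eth1 throughout; the interfaces stanzas later in this diff hardcode eth0.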
| Line 19: | Line 49: | ||
apt-get update |
apt-get update |
||
apt-get install |
apt-get install ppp pppoe iproute2 |
||
pppd uses several different configuration files: |
pppd uses several different configuration files: |
||
| Line 58: | Line 88: | ||
* '''noauth''' - don't require A&A to send authentication details |
* '''noauth''' - don't require A&A to send authentication details |
||
* '''persist''' - automatically reconnect if the connection drops |
* '''persist''' - automatically reconnect if the connection drops |
||
* '''maxfail 0''' - sets |
* '''maxfail 0''' - sets the number of consecutive failed connection attempts before pppd gives up. Setting this to 0 means that pppd will retry forever |
||
* '''mtu 1492''' - sets the max MTU for packets inside the PPP connection - 1492 is a "safe" value for PPPoE on most hardware. Some modems will be able to use "baby jumbo frames" (RFC 4638). See the "Using a full 1500 MTU" section for more details. |
* '''mtu 1492''' - sets the max MTU for packets inside the PPP connection - 1492 is a "safe" value for PPPoE on most hardware. Some modems will be able to use "baby jumbo frames" (RFC 4638). See the "Using a full 1500 MTU" section for more details. |
||
* '''noaccomp''' - disables address/control compression |
* '''noaccomp''' - disables address/control compression |
||
* '''default-asyncmap''' - disables the |
* '''default-asyncmap''' - disables the negotiation of an asyncmap - forces all control characters to be escaped |
||
* '''+ipv6''' - enable IPv6 support |
* '''+ipv6''' - enable IPv6 support |
||
* '''ipv6cp-use-ipaddr''' - use your IPv4 address as the local identifier for IPv6CP |
* '''ipv6cp-use-ipaddr''' - use your IPv4 address as the local identifier for IPv6CP |
||
| Line 73: | Line 103: | ||
example@a.1 * YourLinePasswordGoesHere |
example@a.1 * YourLinePasswordGoesHere |
||
Replace "YourLinePasswordGoesHere" with the password for your A&A connection, and "example@a.1" with your PPP login details, both available from the [https://control.aa.net.uk Control Pages]. The login and password are per-line unique values, so you have to find the "Broadband Circuit Details" page for each line. The password is in an obscured box which becomes visible on mouse-hover. |
|||
Replace "YourLinePasswordGoesHere" with the password for your A&A connection. |
|||
== Making IPv6 work with pppd == |
== Making IPv6 work with pppd == |
||
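Review bot: the expanded paragraph correctly tells readers to replace both fields, but it should also say that /etc/ppp/chap-secrets holds the line password in clear text and must stay owned by root with mode 0600, because a reader who recreates the file by hand from this page can easily end up with it world-readable. The `*` in the middle field means the secret is offered for any server name, which is fine for a single-provider setup but deserves a few words so nobody "fixes" it.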
| Line 166: | Line 196: | ||
iface aaisp inet ppp |
iface aaisp inet ppp |
||
provider aaisp |
provider aaisp |
||
pre-up /sbin/ip link set eth0 up |
|||
auto eth1 |
auto eth1 |
||
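Review bot: the added `pre-up /sbin/ip link set eth0 up` is needed because eth0 carries no IP configuration of its own and pppd cannot start a PPPoE session on an interface that is down, but the line hardcodes eth0 while the prerequisites section in this same diff warns that interface names differ under Buster; suggest a comment on the stanza reminding readers to change it. The same line is added to the full interfaces listing further down, so the two copies agree.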
| Line 202: | Line 233: | ||
iptables -t nat -F |
iptables -t nat -F |
||
iptables -t mangle -F |
iptables -t mangle -F |
||
iptables -t filter -X |
iptables -t filter -X |
||
iptables -t nat -X |
iptables -t nat -X |
||
| Line 220: | Line 251: | ||
iptables -A INPUT -p icmp -m comment --comment "Accept all ICMP" -j ACCEPT |
iptables -A INPUT -p icmp -m comment --comment "Accept all ICMP" -j ACCEPT |
||
iptables -A INPUT -i eth1 -m comment --comment "Accept all from the LAN" -j ACCEPT |
iptables -A INPUT -i eth1 -m comment --comment "Accept all from the LAN" -j ACCEPT |
||
iptables -A INPUT -i pppoe-aaisp -m state RELATED,ESTABLISHED -m comment --comment "Allow return traffic" -j ACCEPT |
iptables -A INPUT -i pppoe-aaisp -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic" -j ACCEPT |
||
iptables -A INPUT -m comment --comment "Reject all remaining traffic" -j REJECT |
iptables -A INPUT -m comment --comment "Reject all remaining traffic" -j REJECT |
||
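Review bot: the `--state` fix is more than cosmetic. `-m state RELATED,ESTABLISHED` is not a valid match expression, so iptables exits with an error and the rule is never installed; with the old line every reply arriving on pppoe-aaisp fell through to the final "Reject all remaining traffic" rule, and if the page's firewall script runs without `set -e` that failure is silent. Consider writing the match as `-m conntrack --ctstate RELATED,ESTABLISHED`, which is the current form (`-m state` is a compatibility alias) and would read the same way in the FORWARD rules that follow.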
| Line 226: | Line 257: | ||
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -o pppoe-aaisp -m comment --comment "Clamp MSS for traffic going via PPP" -j TCPMSS --clamp-mss-to-pmtu |
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -o pppoe-aaisp -m comment --comment "Clamp MSS for traffic going via PPP" -j TCPMSS --clamp-mss-to-pmtu |
||
iptables -A FORWARD -i eth1 -o pppoe-aaisp -m comment --comment "Allow traffic from LAN -> internet" -j ACCEPT |
iptables -A FORWARD -i eth1 -o pppoe-aaisp -m comment --comment "Allow traffic from LAN -> internet" -j ACCEPT |
||
iptables -A FORWARD -i pppoe-aaisp -o eth1 -m state RELATED,ESTABLISHED -m comment --comment "Allow return traffic from internet -> LAN" -j ACCEPT |
iptables -A FORWARD -i pppoe-aaisp -o eth1 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic from internet -> LAN" -j ACCEPT |
||
iptables -A FORWARD -m comment --comment "Reject all remaining traffic" -j REJECT |
iptables -A FORWARD -m comment --comment "Reject all remaining traffic" -j REJECT |
||
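Review bot: same `--state` correction as in the INPUT chain, and equally necessary: without it the "Allow return traffic from internet -> LAN" rule was never loaded and the final REJECT discarded every reply to LAN clients. Two points on the rest of the hunk: the MSS clamp only matches SYNs leaving via pppoe-aaisp, which is sufficient here because the trailing REJECT means no inbound connections are forwarded anyway, and ending FORWARD with REJECT rather than DROP sends an ICMP error back to the internet side for every unsolicited packet; that is a legitimate choice but worth stating on the page.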
| Line 267: | Line 298: | ||
# This file describes the network interfaces available on your system |
# This file describes the network interfaces available on your system |
||
# and how to activate them. For more information, see interfaces(5). |
# and how to activate them. For more information, see interfaces(5). |
||
# The loopback network interface |
# The loopback network interface |
||
auto lo |
auto lo |
||
| Line 279: | Line 310: | ||
iface aaisp inet ppp |
iface aaisp inet ppp |
||
provider aaisp |
provider aaisp |
||
pre-up /sbin/ip link set eth0 up |
|||
auto eth1 |
auto eth1 |
||
| Line 333: | Line 365: | ||
iptables -A INPUT -p icmp -m comment --comment "Accept all ICMP" -j ACCEPT |
iptables -A INPUT -p icmp -m comment --comment "Accept all ICMP" -j ACCEPT |
||
iptables -A INPUT -i eth1 -m comment --comment "Accept all from the LAN" -j ACCEPT |
iptables -A INPUT -i eth1 -m comment --comment "Accept all from the LAN" -j ACCEPT |
||
iptables -A INPUT -i pppoe-aaisp -m state RELATED,ESTABLISHED -m comment --comment "Allow return traffic" -j ACCEPT |
iptables -A INPUT -i pppoe-aaisp -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic" -j ACCEPT |
||
iptables -A INPUT -m comment --comment "Reject all remaining traffic" -j REJECT |
iptables -A INPUT -m comment --comment "Reject all remaining traffic" -j REJECT |
||
| Line 339: | Line 371: | ||
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -o pppoe-aaisp -m comment --comment "Clamp MSS for traffic going via PPP" -j TCPMSS --clamp-mss-to-pmtu |
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -o pppoe-aaisp -m comment --comment "Clamp MSS for traffic going via PPP" -j TCPMSS --clamp-mss-to-pmtu |
||
iptables -A FORWARD -i eth1 -o pppoe-aaisp -m comment --comment "Allow traffic from LAN -> internet" -j ACCEPT |
iptables -A FORWARD -i eth1 -o pppoe-aaisp -m comment --comment "Allow traffic from LAN -> internet" -j ACCEPT |
||
iptables -A FORWARD -i pppoe-aaisp -o eth1 -m state RELATED,ESTABLISHED -m comment --comment "Allow return traffic from internet -> LAN" -j ACCEPT |
iptables -A FORWARD -i pppoe-aaisp -o eth1 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic from internet -> LAN" -j ACCEPT |
||
iptables -A FORWARD -m comment --comment "Reject all remaining traffic" -j REJECT |
iptables -A FORWARD -m comment --comment "Reject all remaining traffic" -j REJECT |
||
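Review bot: this full-listing copy of the FORWARD rules now matches the fragment earlier in the diff, which matters because readers tend to paste the full listing. One gap neither copy covers: the sysctl section added in this same revision enables `net.ipv6.conf.all.forwarding=1`, and every rule shown here is `iptables` (IPv4 only), so unless the page carries a matching `ip6tables` ruleset elsewhere (one that accepts ICMPv6, which IPv6 needs for neighbour discovery and path MTU discovery), the router forwards IPv6 between eth1 and pppoe-aaisp unfiltered. Suggest either pointing at that ruleset from here or adding one beside this listing.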
| Line 372: | Line 404: | ||
== Using a full 1500 MTU == |
== Using a full 1500 MTU == |
||
[[Category:3rd Party Routers|Debian]] |
|||