Router:Linux - Debian: Difference between revisions
Content deleted Content added
Added firewalling sections & /etc/network/interfaces |
m →/etc/ppp/chap-secrets: typo fix |
||
| (18 intermediate revisions by 5 users not shown) | |||
| Line 3: | Line 3: | ||
You'll need to use an ADSL or FTTC modem in bridge mode for this to work - see the page for your modem to see how to set that up. |
You'll need to use an ADSL or FTTC modem in bridge mode for this to work - see the page for your modem to see how to set that up. |
||
This guide provides an example configuration for Debian Jessie. |
This guide provides an example configuration for Debian Jessie, but it should largely work for future versions. This has been tested with Jessie, Stretch and Buster. |
||
= Prerequsites = |
= Prerequsites = |
||
* a Linux PC with Debian |
* a Linux PC with Debian already installed and two network interfaces - one for the connection to the modem, and one for the connection to your LAN |
||
* a ADSL or FTTC modem, or a fibre ONT (for FTTP) (as appropriate for your connection) |
* a ADSL or FTTC modem, or a fibre ONT (for FTTP) (as appropriate for your connection) |
||
| Line 12: | Line 12: | ||
* '''eth0''' is plugged directly into your modem or ONT |
* '''eth0''' is plugged directly into your modem or ONT |
||
* '''eth1''' will be used for your LAN |
* '''eth1''' will be used for your LAN |
||
Note that under Buster, you can expect naming conventions for the interfaces to be different, you'll therefore have to pay close attention to updating the interface names as you follow the guide. |
|||
= Enabling IP forwarding = |
|||
To tell our Linux router to actually forward traffic, you must first enable IP forwarding in '''/etc/sysctl.conf'''. |
|||
Look for this section in '''/etc/sysctl.conf''': |
|||
# Uncomment the next line to enable packet forwarding for IPv4 |
|||
#net.ipv4.ip_forward=1 |
|||
| ⚫ | |||
# Uncomment the next line to enable packet forwarding for IPv6 |
|||
# Enabling this option disables Stateless Address Autoconfiguration |
|||
# based on Router Advertisements for this host |
|||
#net.ipv6.conf.all.forwarding=1 |
|||
Uncomment the two lines starting with "net": |
|||
# Uncomment the next line to enable packet forwarding for IPv4 |
|||
net.ipv4.ip_forward=1 |
|||
| ⚫ | |||
# Uncomment the next line to enable packet forwarding for IPv6 |
|||
# Enabling this option disables Stateless Address Autoconfiguration |
|||
# based on Router Advertisements for this host |
|||
net.ipv6.conf.all.forwarding=1 |
|||
Now run: |
|||
sysctl -p |
|||
This will reload '''/etc/sysctl.conf''' - applying our changes. |
|||
= Setting up pppd = |
= Setting up pppd = |
||
| Line 19: | Line 49: | ||
apt-get update |
apt-get update |
||
apt-get install |
apt-get install ppp pppoe iproute2 |
||
pppd uses several different configuration files: |
pppd uses several different configuration files: |
||
| Line 58: | Line 88: | ||
* '''noauth''' - don't require A&A to send authentication details |
* '''noauth''' - don't require A&A to send authentication details |
||
* '''persist''' - automatically reconnect if the connection drops |
* '''persist''' - automatically reconnect if the connection drops |
||
* '''maxfail 0''' - sets |
* '''maxfail 0''' - sets the number of consecutive failed connection attempts before pppd gives up. Setting this to 0 means that pppd will retry forever |
||
* '''mtu 1492''' - sets the max MTU for packets inside the PPP connection - 1492 is a "safe" value for PPPoE on most hardware. Some modems will be able to use "baby jumbo frames" (RFC 4638). See the "Using a full 1500 MTU" section for more details. |
* '''mtu 1492''' - sets the max MTU for packets inside the PPP connection - 1492 is a "safe" value for PPPoE on most hardware. Some modems will be able to use "baby jumbo frames" (RFC 4638). See the "Using a full 1500 MTU" section for more details. |
||
* '''noaccomp''' - disables address/control compression |
* '''noaccomp''' - disables address/control compression |
||
* '''default-asyncmap''' - disables the |
* '''default-asyncmap''' - disables the negotiation of an asyncmap - forces all control characters to be escaped |
||
* '''+ipv6''' - enable IPv6 support |
* '''+ipv6''' - enable IPv6 support |
||
* '''ipv6cp-use-ipaddr''' - use your IPv4 address as the local identifier for IPv6CP |
* '''ipv6cp-use-ipaddr''' - use your IPv4 address as the local identifier for IPv6CP |
||
| Line 73: | Line 103: | ||
example@a.1 * YourLinePasswordGoesHere |
example@a.1 * YourLinePasswordGoesHere |
||
Replace "YourLinePasswordGoesHere" with the password for your A&A connection, and "example@a.1" with your PPP login details, both available from the [https://control.aa.net.uk Control Pages]. The login and password are per-line unique values, so you have to find the "Broadband Circuit Details" page for each line. The password is in an obscured box which becomes visible on mouse-hover. |
|||
Replace "YourLinePasswordGoesHere" with the password for your A&A connection. |
|||
== Making IPv6 work with pppd == |
== Making IPv6 work with pppd == |
||
| Line 154: | Line 184: | ||
# This file describes the network interfaces available on your system |
# This file describes the network interfaces available on your system |
||
# and how to activate them. For more information, see interfaces(5). |
# and how to activate them. For more information, see interfaces(5). |
||
| ⚫ | |||
# The loopback network interface |
# The loopback network interface |
||
auto lo |
auto lo |
||
iface lo inet loopback |
iface lo inet loopback |
||
| ⚫ | |||
# The primary network interface - the network interface carrying PPP |
# The primary network interface - the network interface carrying PPP |
||
auto eth0 |
auto eth0 |
||
iface eth0 inet manual |
iface eth0 inet manual |
||
| ⚫ | |||
mtu 1508 |
|||
| ⚫ | |||
| ⚫ | |||
auto aaisp |
auto aaisp |
||
iface aaisp inet ppp |
iface aaisp inet ppp |
||
provider aaisp |
provider aaisp |
||
| ⚫ | |||
| ⚫ | |||
auto eth1 |
auto eth1 |
||
iface eth1 inet static |
iface eth1 inet static |
||
address 192.168.1.1 |
address 192.168.1.1 |
||
netmask 255.255.255.0 |
|||
| ⚫ | |||
iface eth1 inet6 static |
iface eth1 inet6 static |
||
address <your IPv6 address here> |
address <your IPv6 address here> |
||
netmask 64 |
|||
Replace "<your IPv6 address here>" with the first address from the prefix you've been allocated. You can see this prefix on clueless. |
Replace "<your IPv6 address here>" with the first address from the prefix you've been allocated. You can see this prefix on clueless. |
||
| Line 191: | Line 220: | ||
This example will set up: |
This example will set up: |
||
* Allowing all traffic from your LAN to the internet |
|||
* Blocking unsolicited traffic from the internet to your LAN |
|||
* NAT for IPv4 |
|||
To set up some sensible defaults, do: |
To set up some sensible defaults, do: |
||
| Line 204: | Line 233: | ||
iptables -t nat -F |
iptables -t nat -F |
||
iptables -t mangle -F |
iptables -t mangle -F |
||
iptables -t filter -X |
iptables -t filter -X |
||
iptables -t nat -X |
iptables -t nat -X |
||
iptables -t mangle -X |
iptables -t mangle -X |
||
# set up default traffic policies - drop all incoming and forwarded traffic except any that is explicitly allowed |
# set up default traffic policies - drop all incoming and forwarded traffic except any that is explicitly allowed |
||
# but allow outbound traffic by default |
# but allow outbound traffic by default |
||
| Line 222: | Line 251: | ||
iptables -A INPUT -p icmp -m comment --comment "Accept all ICMP" -j ACCEPT |
iptables -A INPUT -p icmp -m comment --comment "Accept all ICMP" -j ACCEPT |
||
iptables -A INPUT -i eth1 -m comment --comment "Accept all from the LAN" -j ACCEPT |
iptables -A INPUT -i eth1 -m comment --comment "Accept all from the LAN" -j ACCEPT |
||
iptables -A INPUT -i pppoe-aaisp -m state RELATED,ESTABLISHED -m comment --comment "Allow return traffic" -j ACCEPT |
iptables -A INPUT -i pppoe-aaisp -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic" -j ACCEPT |
||
iptables -A INPUT -m comment --comment "Reject all remaining traffic" -j REJECT |
iptables -A INPUT -m comment --comment "Reject all remaining traffic" -j REJECT |
||
| Line 228: | Line 257: | ||
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -o pppoe-aaisp -m comment --comment "Clamp MSS for traffic going via PPP" -j TCPMSS --clamp-mss-to-pmtu |
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -o pppoe-aaisp -m comment --comment "Clamp MSS for traffic going via PPP" -j TCPMSS --clamp-mss-to-pmtu |
||
iptables -A FORWARD -i eth1 -o pppoe-aaisp -m comment --comment "Allow traffic from LAN -> internet" -j ACCEPT |
iptables -A FORWARD -i eth1 -o pppoe-aaisp -m comment --comment "Allow traffic from LAN -> internet" -j ACCEPT |
||
iptables -A FORWARD -i pppoe-aaisp -o eth1 -m state RELATED,ESTABLISHED -m comment --comment "Allow return traffic from internet -> LAN" -j ACCEPT |
iptables -A FORWARD -i pppoe-aaisp -o eth1 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic from internet -> LAN" -j ACCEPT |
||
iptables -A FORWARD -m comment --comment "Reject all remaining traffic" -j REJECT |
iptables -A FORWARD -m comment --comment "Reject all remaining traffic" -j REJECT |
||
| Line 237: | Line 266: | ||
ip6tables -F |
ip6tables -F |
||
ip6tables -X |
ip6tables -X |
||
# set up default IPv6 policies |
# set up default IPv6 policies |
||
ip6tables -P FORWARD DROP |
ip6tables -P FORWARD DROP |
||
| Line 255: | Line 284: | ||
ip6tables -A FORWARD -i pppoe-aaisp -o eth1 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow related & return traffic WAN -> LAN" -j ACCEPT |
ip6tables -A FORWARD -i pppoe-aaisp -o eth1 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow related & return traffic WAN -> LAN" -j ACCEPT |
||
ip6tables -A FORWARD -m comment --comment "Reject remaining forwarding traffic" -j REJECT |
ip6tables -A FORWARD -m comment --comment "Reject remaining forwarding traffic" -j REJECT |
||
# Now install iptables-persistent. When asked, choose "YES" to save existing IPv4 and IPv6 rules |
# Now install iptables-persistent. When asked, choose "YES" to save existing IPv4 and IPv6 rules |
||
apt-get install iptables-persistent |
apt-get install iptables-persistent |
||
systemctl enable netfilter-persistent |
systemctl enable netfilter-persistent |
||
| ⚫ | |||
== A block of IPv4 addresses == |
== A block of IPv4 addresses == |
||
| Line 270: | Line 298: | ||
# This file describes the network interfaces available on your system |
# This file describes the network interfaces available on your system |
||
# and how to activate them. For more information, see interfaces(5). |
# and how to activate them. For more information, see interfaces(5). |
||
# The loopback network interface |
# The loopback network interface |
||
auto lo |
auto lo |
||
iface lo inet loopback |
iface lo inet loopback |
||
# The primary network interface - the network interface carrying PPP |
# The primary network interface - the network interface carrying PPP |
||
auto eth0 |
auto eth0 |
||
iface eth0 inet manual |
iface eth0 inet manual |
||
mtu 1508 |
|||
| ⚫ | |||
| ⚫ | |||
auto aaisp |
auto aaisp |
||
iface aaisp inet ppp |
iface aaisp inet ppp |
||
provider aaisp |
provider aaisp |
||
| ⚫ | |||
auto eth1 |
auto eth1 |
||
iface eth1 inet static |
iface eth1 inet static |
||
address <your IPv4 address here> |
address <your IPv4 address here> |
||
netmask <the correct subnet mask for your IPv4 block here> |
|||
| ⚫ | |||
iface eth1 inet6 static |
iface eth1 inet6 static |
||
address <your IPv6 address here> |
address <your IPv6 address here> |
||
netmask 64 |
|||
Replace "<your IPv6 address here>" with the first address from the prefix you've been allocated. You can see this prefix on clueless. By default, A&A will allocate a /48 prefix, but will only route it to your line in /56 or /64 chunks. For example, your prefix might be: 2001:db8:b9::/48. You might have 2001:db8:b9:2041::/64 routed to your line. In this example, you'd use "2001:db8:b9:2041::1" as your IPv6 address. |
Replace "<your IPv6 address here>" with the first address from the prefix you've been allocated. You can see this prefix on clueless. By default, A&A will allocate a /48 prefix, but will only route it to your line in /56 or /64 chunks. For example, your prefix might be: 2001:db8:b9::/48. You might have 2001:db8:b9:2041::/64 routed to your line. In this example, you'd use "2001:db8:b9:2041::1" as your IPv6 address. |
||
| Line 310: | Line 337: | ||
This example will set up: |
This example will set up: |
||
* Allowing all traffic from your LAN to the internet |
|||
* Blocking unsolicited traffic from the internet to your LAN |
|||
apt-get update |
apt-get update |
||
| Line 320: | Line 347: | ||
iptables -t nat -F |
iptables -t nat -F |
||
iptables -t mangle -F |
iptables -t mangle -F |
||
iptables -t filter -X |
iptables -t filter -X |
||
iptables -t nat -X |
iptables -t nat -X |
||
iptables -t mangle -X |
iptables -t mangle -X |
||
# set up default traffic policies - drop all incoming and forwarded traffic except any that is explicitly allowed |
# set up default traffic policies - drop all incoming and forwarded traffic except any that is explicitly allowed |
||
# but allow outbound traffic by default |
# but allow outbound traffic by default |
||
| Line 338: | Line 365: | ||
iptables -A INPUT -p icmp -m comment --comment "Accept all ICMP" -j ACCEPT |
iptables -A INPUT -p icmp -m comment --comment "Accept all ICMP" -j ACCEPT |
||
iptables -A INPUT -i eth1 -m comment --comment "Accept all from the LAN" -j ACCEPT |
iptables -A INPUT -i eth1 -m comment --comment "Accept all from the LAN" -j ACCEPT |
||
iptables -A INPUT -i pppoe-aaisp -m state RELATED,ESTABLISHED -m comment --comment "Allow return traffic" -j ACCEPT |
iptables -A INPUT -i pppoe-aaisp -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic" -j ACCEPT |
||
iptables -A INPUT -m comment --comment "Reject all remaining traffic" -j REJECT |
iptables -A INPUT -m comment --comment "Reject all remaining traffic" -j REJECT |
||
| Line 344: | Line 371: | ||
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -o pppoe-aaisp -m comment --comment "Clamp MSS for traffic going via PPP" -j TCPMSS --clamp-mss-to-pmtu |
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -o pppoe-aaisp -m comment --comment "Clamp MSS for traffic going via PPP" -j TCPMSS --clamp-mss-to-pmtu |
||
iptables -A FORWARD -i eth1 -o pppoe-aaisp -m comment --comment "Allow traffic from LAN -> internet" -j ACCEPT |
iptables -A FORWARD -i eth1 -o pppoe-aaisp -m comment --comment "Allow traffic from LAN -> internet" -j ACCEPT |
||
iptables -A FORWARD -i pppoe-aaisp -o eth1 -m state RELATED,ESTABLISHED -m comment --comment "Allow return traffic from internet -> LAN" -j ACCEPT |
iptables -A FORWARD -i pppoe-aaisp -o eth1 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic from internet -> LAN" -j ACCEPT |
||
iptables -A FORWARD -m comment --comment "Reject all remaining traffic" -j REJECT |
iptables -A FORWARD -m comment --comment "Reject all remaining traffic" -j REJECT |
||
| Line 350: | Line 377: | ||
ip6tables -F |
ip6tables -F |
||
ip6tables -X |
ip6tables -X |
||
# set up default IPv6 policies |
# set up default IPv6 policies |
||
ip6tables -P FORWARD DROP |
ip6tables -P FORWARD DROP |
||
| Line 368: | Line 395: | ||
ip6tables -A FORWARD -i pppoe-aaisp -o eth1 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow related & return traffic WAN -> LAN" -j ACCEPT |
ip6tables -A FORWARD -i pppoe-aaisp -o eth1 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow related & return traffic WAN -> LAN" -j ACCEPT |
||
ip6tables -A FORWARD -m comment --comment "Reject remaining forwarding traffic" -j REJECT |
ip6tables -A FORWARD -m comment --comment "Reject remaining forwarding traffic" -j REJECT |
||
# Now install iptables-persistent. When asked, choose "YES" to save existing IPv4 and IPv6 rules |
# Now install iptables-persistent. When asked, choose "YES" to save existing IPv4 and IPv6 rules |
||
apt-get install iptables-persistent |
apt-get install iptables-persistent |
||
systemctl enable netfilter-persistent |
systemctl enable netfilter-persistent |
||
| ⚫ | |||
= Appendicies = |
= Appendicies = |
||
| Line 378: | Line 404: | ||
== Using a full 1500 MTU == |
== Using a full 1500 MTU == |
||
[[Category:3rd Party Routers|Debian]] |
|||