Router:Linux - Debian: Difference between revisions
m (Fix some formatting on the /etc/network/interfaces examples) |
m (Fixing buster typos, and mentioning that this works with jessie, stretch and buster.) |
||
(15 intermediate revisions by 4 users not shown) | |||
Line 3: | Line 3: | ||
You'll need to use an ADSL or FTTC modem in bridge mode for this to work - see the page for your modem to see how to set that up. |
You'll need to use an ADSL or FTTC modem in bridge mode for this to work - see the page for your modem to see how to set that up. |
||
This guide provides an example configuration for Debian Jessie. |
This guide provides an example configuration for Debian Jessie, but it should largely work for future versions. This has been tested with Jessie, Stretch and Buster. |
||
= Prerequsites = |
= Prerequsites = |
||
* a Linux PC with Debian |
* a Linux PC with Debian already installed and two network interfaces - one for the connection to the modem, and one for the connection to your LAN |
||
* a ADSL or FTTC modem, or a fibre ONT (for FTTP) (as appropriate for your connection) |
* a ADSL or FTTC modem, or a fibre ONT (for FTTP) (as appropriate for your connection) |
||
Line 12: | Line 12: | ||
* '''eth0''' is plugged directly into your modem or ONT |
* '''eth0''' is plugged directly into your modem or ONT |
||
* '''eth1''' will be used for your LAN |
* '''eth1''' will be used for your LAN |
||
Note that under Buster, you can expect naming conventions for the interfaces to be different, you'll therefore have to pay close attention to updating the interface names as you follow the guide. |
|||
= Enabling IP forwarding = |
|||
To tell our Linux router to actually forward traffic, you must first enable IP forwarding in '''/etc/sysctl.conf'''. |
|||
Look for this section in '''/etc/sysctl.conf''': |
|||
# Uncomment the next line to enable packet forwarding for IPv4 |
|||
#net.ipv4.ip_forward=1 |
|||
⚫ | |||
# Uncomment the next line to enable packet forwarding for IPv6 |
|||
# Enabling this option disables Stateless Address Autoconfiguration |
|||
# based on Router Advertisements for this host |
|||
#net.ipv6.conf.all.forwarding=1 |
|||
Uncomment the two lines starting with "net": |
|||
# Uncomment the next line to enable packet forwarding for IPv4 |
|||
net.ipv4.ip_forward=1 |
|||
⚫ | |||
# Uncomment the next line to enable packet forwarding for IPv6 |
|||
# Enabling this option disables Stateless Address Autoconfiguration |
|||
# based on Router Advertisements for this host |
|||
net.ipv6.conf.all.forwarding=1 |
|||
Now run: |
|||
sysctl -p |
|||
This will reload '''/etc/sysctl.conf''' - applying our changes. |
|||
= Setting up pppd = |
= Setting up pppd = |
||
Line 19: | Line 49: | ||
apt-get update |
apt-get update |
||
apt-get install |
apt-get install ppp pppoe iproute2 |
||
pppd uses several different configuration files: |
pppd uses several different configuration files: |
||
Line 58: | Line 88: | ||
* '''noauth''' - don't require A&A to send authentication details |
* '''noauth''' - don't require A&A to send authentication details |
||
* '''persist''' - automatically reconnect if the connection drops |
* '''persist''' - automatically reconnect if the connection drops |
||
* '''maxfail 0''' - sets |
* '''maxfail 0''' - sets the number of consecutive failed connection attempts before pppd gives up. Setting this to 0 means that pppd will retry forever |
||
* '''mtu 1492''' - sets the max MTU for packets inside the PPP connection - 1492 is a "safe" value for PPPoE on most hardware. Some modems will be able to use "baby jumbo frames" (RFC 4638). See the "Using a full 1500 MTU" section for more details. |
* '''mtu 1492''' - sets the max MTU for packets inside the PPP connection - 1492 is a "safe" value for PPPoE on most hardware. Some modems will be able to use "baby jumbo frames" (RFC 4638). See the "Using a full 1500 MTU" section for more details. |
||
* '''noaccomp''' - disables address/control compression |
* '''noaccomp''' - disables address/control compression |
||
* '''default-asyncmap''' - disables the |
* '''default-asyncmap''' - disables the negotiation of an asyncmap - forces all control characters to be escaped |
||
* '''+ipv6''' - enable IPv6 support |
* '''+ipv6''' - enable IPv6 support |
||
* '''ipv6cp-use-ipaddr''' - use your IPv4 address as the local identifier for IPv6CP |
* '''ipv6cp-use-ipaddr''' - use your IPv4 address as the local identifier for IPv6CP |
||
Line 154: | Line 184: | ||
# This file describes the network interfaces available on your system |
# This file describes the network interfaces available on your system |
||
# and how to activate them. For more information, see interfaces(5). |
# and how to activate them. For more information, see interfaces(5). |
||
⚫ | |||
# The loopback network interface |
# The loopback network interface |
||
auto lo |
auto lo |
||
iface lo inet loopback |
iface lo inet loopback |
||
⚫ | |||
# The primary network interface - the network interface carrying PPP |
# The primary network interface - the network interface carrying PPP |
||
auto eth0 |
auto eth0 |
||
iface eth0 inet manual |
iface eth0 inet manual |
||
⚫ | |||
mtu 1508 |
|||
⚫ | |||
⚫ | |||
auto aaisp |
auto aaisp |
||
iface aaisp inet ppp |
iface aaisp inet ppp |
||
provider aaisp |
provider aaisp |
||
⚫ | |||
⚫ | |||
auto eth1 |
auto eth1 |
||
iface eth1 inet static |
iface eth1 inet static |
||
address 192.168.1.1 |
address 192.168.1.1 |
||
netmask 255.255.255.0 |
netmask 255.255.255.0 |
||
⚫ | |||
iface eth1 inet6 static |
iface eth1 inet6 static |
||
address <your IPv6 address here> |
address <your IPv6 address here> |
||
Line 191: | Line 220: | ||
This example will set up: |
This example will set up: |
||
* Allowing all traffic from your LAN to the internet |
|||
* Blocking unsolicited traffic from the internet to your LAN |
|||
* NAT for IPv4 |
|||
To set up some sensible defaults, do: |
To set up some sensible defaults, do: |
||
Line 204: | Line 233: | ||
iptables -t nat -F |
iptables -t nat -F |
||
iptables -t mangle -F |
iptables -t mangle -F |
||
iptables -t filter -X |
iptables -t filter -X |
||
iptables -t nat -X |
iptables -t nat -X |
||
iptables -t mangle -X |
iptables -t mangle -X |
||
# set up default traffic policies - drop all incoming and forwarded traffic except any that is explicitly allowed |
# set up default traffic policies - drop all incoming and forwarded traffic except any that is explicitly allowed |
||
# but allow outbound traffic by default |
# but allow outbound traffic by default |
||
Line 222: | Line 251: | ||
iptables -A INPUT -p icmp -m comment --comment "Accept all ICMP" -j ACCEPT |
iptables -A INPUT -p icmp -m comment --comment "Accept all ICMP" -j ACCEPT |
||
iptables -A INPUT -i eth1 -m comment --comment "Accept all from the LAN" -j ACCEPT |
iptables -A INPUT -i eth1 -m comment --comment "Accept all from the LAN" -j ACCEPT |
||
iptables -A INPUT -i pppoe-aaisp -m state RELATED,ESTABLISHED -m comment --comment "Allow return traffic" -j ACCEPT |
iptables -A INPUT -i pppoe-aaisp -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic" -j ACCEPT |
||
iptables -A INPUT -m comment --comment "Reject all remaining traffic" -j REJECT |
iptables -A INPUT -m comment --comment "Reject all remaining traffic" -j REJECT |
||
Line 228: | Line 257: | ||
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -o pppoe-aaisp -m comment --comment "Clamp MSS for traffic going via PPP" -j TCPMSS --clamp-mss-to-pmtu |
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -o pppoe-aaisp -m comment --comment "Clamp MSS for traffic going via PPP" -j TCPMSS --clamp-mss-to-pmtu |
||
iptables -A FORWARD -i eth1 -o pppoe-aaisp -m comment --comment "Allow traffic from LAN -> internet" -j ACCEPT |
iptables -A FORWARD -i eth1 -o pppoe-aaisp -m comment --comment "Allow traffic from LAN -> internet" -j ACCEPT |
||
iptables -A FORWARD -i pppoe-aaisp -o eth1 -m state RELATED,ESTABLISHED -m comment --comment "Allow return traffic from internet -> LAN" -j ACCEPT |
iptables -A FORWARD -i pppoe-aaisp -o eth1 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic from internet -> LAN" -j ACCEPT |
||
iptables -A FORWARD -m comment --comment "Reject all remaining traffic" -j REJECT |
iptables -A FORWARD -m comment --comment "Reject all remaining traffic" -j REJECT |
||
Line 237: | Line 266: | ||
ip6tables -F |
ip6tables -F |
||
ip6tables -X |
ip6tables -X |
||
# set up default IPv6 policies |
# set up default IPv6 policies |
||
ip6tables -P FORWARD DROP |
ip6tables -P FORWARD DROP |
||
Line 255: | Line 284: | ||
ip6tables -A FORWARD -i pppoe-aaisp -o eth1 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow related & return traffic WAN -> LAN" -j ACCEPT |
ip6tables -A FORWARD -i pppoe-aaisp -o eth1 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow related & return traffic WAN -> LAN" -j ACCEPT |
||
ip6tables -A FORWARD -m comment --comment "Reject remaining forwarding traffic" -j REJECT |
ip6tables -A FORWARD -m comment --comment "Reject remaining forwarding traffic" -j REJECT |
||
# Now install iptables-persistent. When asked, choose "YES" to save existing IPv4 and IPv6 rules |
# Now install iptables-persistent. When asked, choose "YES" to save existing IPv4 and IPv6 rules |
||
apt-get install iptables-persistent |
apt-get install iptables-persistent |
||
systemctl enable netfilter-persistent |
systemctl enable netfilter-persistent |
||
⚫ | |||
== A block of IPv4 addresses == |
== A block of IPv4 addresses == |
||
Line 270: | Line 298: | ||
# This file describes the network interfaces available on your system |
# This file describes the network interfaces available on your system |
||
# and how to activate them. For more information, see interfaces(5). |
# and how to activate them. For more information, see interfaces(5). |
||
# The loopback network interface |
# The loopback network interface |
||
auto lo |
auto lo |
||
iface lo inet loopback |
iface lo inet loopback |
||
# The primary network interface - the network interface carrying PPP |
# The primary network interface - the network interface carrying PPP |
||
auto eth0 |
auto eth0 |
||
iface eth0 inet manual |
iface eth0 inet manual |
||
mtu 1508 |
|||
⚫ | |||
⚫ | |||
auto aaisp |
auto aaisp |
||
iface aaisp inet ppp |
iface aaisp inet ppp |
||
provider aaisp |
provider aaisp |
||
⚫ | |||
auto eth1 |
auto eth1 |
||
iface eth1 inet static |
iface eth1 inet static |
||
address <your IPv4 address here> |
address <your IPv4 address here> |
||
netmask <the correct subnet mask for your IPv4 block here> |
netmask <the correct subnet mask for your IPv4 block here> |
||
⚫ | |||
iface eth1 inet6 static |
iface eth1 inet6 static |
||
address <your IPv6 address here> |
address <your IPv6 address here> |
||
Line 310: | Line 337: | ||
This example will set up: |
This example will set up: |
||
* Allowing all traffic from your LAN to the internet |
|||
* Blocking unsolicited traffic from the internet to your LAN |
|||
apt-get update |
apt-get update |
||
Line 320: | Line 347: | ||
iptables -t nat -F |
iptables -t nat -F |
||
iptables -t mangle -F |
iptables -t mangle -F |
||
iptables -t filter -X |
iptables -t filter -X |
||
iptables -t nat -X |
iptables -t nat -X |
||
iptables -t mangle -X |
iptables -t mangle -X |
||
# set up default traffic policies - drop all incoming and forwarded traffic except any that is explicitly allowed |
# set up default traffic policies - drop all incoming and forwarded traffic except any that is explicitly allowed |
||
# but allow outbound traffic by default |
# but allow outbound traffic by default |
||
Line 338: | Line 365: | ||
iptables -A INPUT -p icmp -m comment --comment "Accept all ICMP" -j ACCEPT |
iptables -A INPUT -p icmp -m comment --comment "Accept all ICMP" -j ACCEPT |
||
iptables -A INPUT -i eth1 -m comment --comment "Accept all from the LAN" -j ACCEPT |
iptables -A INPUT -i eth1 -m comment --comment "Accept all from the LAN" -j ACCEPT |
||
iptables -A INPUT -i pppoe-aaisp -m state RELATED,ESTABLISHED -m comment --comment "Allow return traffic" -j ACCEPT |
iptables -A INPUT -i pppoe-aaisp -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic" -j ACCEPT |
||
iptables -A INPUT -m comment --comment "Reject all remaining traffic" -j REJECT |
iptables -A INPUT -m comment --comment "Reject all remaining traffic" -j REJECT |
||
Line 344: | Line 371: | ||
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -o pppoe-aaisp -m comment --comment "Clamp MSS for traffic going via PPP" -j TCPMSS --clamp-mss-to-pmtu |
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -o pppoe-aaisp -m comment --comment "Clamp MSS for traffic going via PPP" -j TCPMSS --clamp-mss-to-pmtu |
||
iptables -A FORWARD -i eth1 -o pppoe-aaisp -m comment --comment "Allow traffic from LAN -> internet" -j ACCEPT |
iptables -A FORWARD -i eth1 -o pppoe-aaisp -m comment --comment "Allow traffic from LAN -> internet" -j ACCEPT |
||
iptables -A FORWARD -i pppoe-aaisp -o eth1 -m state RELATED,ESTABLISHED -m comment --comment "Allow return traffic from internet -> LAN" -j ACCEPT |
iptables -A FORWARD -i pppoe-aaisp -o eth1 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic from internet -> LAN" -j ACCEPT |
||
iptables -A FORWARD -m comment --comment "Reject all remaining traffic" -j REJECT |
iptables -A FORWARD -m comment --comment "Reject all remaining traffic" -j REJECT |
||
Line 350: | Line 377: | ||
ip6tables -F |
ip6tables -F |
||
ip6tables -X |
ip6tables -X |
||
# set up default IPv6 policies |
# set up default IPv6 policies |
||
ip6tables -P FORWARD DROP |
ip6tables -P FORWARD DROP |
||
Line 368: | Line 395: | ||
ip6tables -A FORWARD -i pppoe-aaisp -o eth1 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow related & return traffic WAN -> LAN" -j ACCEPT |
ip6tables -A FORWARD -i pppoe-aaisp -o eth1 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow related & return traffic WAN -> LAN" -j ACCEPT |
||
ip6tables -A FORWARD -m comment --comment "Reject remaining forwarding traffic" -j REJECT |
ip6tables -A FORWARD -m comment --comment "Reject remaining forwarding traffic" -j REJECT |
||
# Now install iptables-persistent. When asked, choose "YES" to save existing IPv4 and IPv6 rules |
# Now install iptables-persistent. When asked, choose "YES" to save existing IPv4 and IPv6 rules |
||
apt-get install iptables-persistent |
apt-get install iptables-persistent |
||
systemctl enable netfilter-persistent |
systemctl enable netfilter-persistent |
||
⚫ | |||
= Appendicies = |
= Appendicies = |
||
Line 378: | Line 404: | ||
== Using a full 1500 MTU == |
== Using a full 1500 MTU == |
||
[[Category:3rd Party Routers|Debian]] |
Latest revision as of 10:56, 13 September 2020
You might choose to use a Linux machine as your router rather than an off-the-shelf piece of routing hardware.
You'll need to use an ADSL or FTTC modem in bridge mode for this to work - see the page for your modem to see how to set that up.
This guide provides an example configuration for Debian Jessie, but it should largely work for future versions. This has been tested with Jessie, Stretch and Buster.
Prerequsites
- a Linux PC with Debian already installed and two network interfaces - one for the connection to the modem, and one for the connection to your LAN
- a ADSL or FTTC modem, or a fibre ONT (for FTTP) (as appropriate for your connection)
Assumptions
- eth0 is plugged directly into your modem or ONT
- eth1 will be used for your LAN
Note that under Buster, you can expect naming conventions for the interfaces to be different, you'll therefore have to pay close attention to updating the interface names as you follow the guide.
Enabling IP forwarding
To tell our Linux router to actually forward traffic, you must first enable IP forwarding in /etc/sysctl.conf.
Look for this section in /etc/sysctl.conf:
# Uncomment the next line to enable packet forwarding for IPv4 #net.ipv4.ip_forward=1 # Uncomment the next line to enable packet forwarding for IPv6 # Enabling this option disables Stateless Address Autoconfiguration # based on Router Advertisements for this host #net.ipv6.conf.all.forwarding=1
Uncomment the two lines starting with "net":
# Uncomment the next line to enable packet forwarding for IPv4 net.ipv4.ip_forward=1 # Uncomment the next line to enable packet forwarding for IPv6 # Enabling this option disables Stateless Address Autoconfiguration # based on Router Advertisements for this host net.ipv6.conf.all.forwarding=1
Now run:
sysctl -p
This will reload /etc/sysctl.conf - applying our changes.
Setting up pppd
pppd will be used to actually connect to A&A.
To install pppd, and the other software that will be required run:
apt-get update apt-get install ppp pppoe iproute2
pppd uses several different configuration files:
- /etc/ppp/options - default settings for pppd
- /etc/ppp/peers/aaisp - the configuration file for settings specific to connecting to A&A
- /etc/ppp/chap-secrets - the location where your A&A line password is stored
/etc/ppp/options should be left as-is - we will not change this file.
/etc/ppp/peers/aaisp
This file contains the settings that are used to configure your connection to A&A:
user your-username-here plugin rp-pppoe.so eth0 noipdefault defaultroute hide-password lcp-echo-interval 1 lcp-echo-failure 10 noauth persist maxfail 0 mtu 1492 noaccomp default-asyncmap +ipv6 ipv6cp-use-ipaddr ifname pppoe-aaisp
Each line in this file sets a different setting:
- user your-username-here - this line sets the username that pppd will use to log in. Replace "your-username-here" with your A&A line username. It will be in the form "example@a.1"
- plugin rp-pppoe.so eth0 - tells pppd to load the PPPoE plugin, and to use the network interface "eth0" to connect
- noipdefault - tells pppd not to try and guess an IP to use, but instead to use the IP explicitly given by A&A
- defaultroute - automatically set the PPP connection as your default route (for IPv4 only)
- hide-password - hides your password when logging authentication packets
- lcp-echo-interval 1 - send a LCP echo to A&A once every second
- lcp-echo-failure 10 - automatically drop the connection after 10 failed LCP echoes
- noauth - don't require A&A to send authentication details
- persist - automatically reconnect if the connection drops
- maxfail 0 - sets the number of consecutive failed connection attempts before pppd gives up. Setting this to 0 means that pppd will retry forever
- mtu 1492 - sets the max MTU for packets inside the PPP connection - 1492 is a "safe" value for PPPoE on most hardware. Some modems will be able to use "baby jumbo frames" (RFC 4638). See the "Using a full 1500 MTU" section for more details.
- noaccomp - disables address/control compression
- default-asyncmap - disables the negotiation of an asyncmap - forces all control characters to be escaped
- +ipv6 - enable IPv6 support
- ipv6cp-use-ipaddr - use your IPv4 address as the local identifier for IPv6CP
- ifname pppoe-aaisp - renames the PPP connection from an automatically generated name (such as ppp0) to pppoe-aaisp - this makes further configuration easier!
/etc/ppp/chap-secrets
This file contains the password that is used to connect to A&A.
# Secrets for authentication using CHAP # client server secret IP addresses example@a.1 * YourLinePasswordGoesHere
Replace "YourLinePasswordGoesHere" with the password for your A&A connection.
Making IPv6 work with pppd
Out of the box, you'll notice that you can't access the internet using IPv6.
This is because pppd doesn't create a default route for IPv6. We can force it to do this by creating another file.
Create /etc/ppp/ipv6-up.d/0000-defaultroute, and enter the following contents:
#!/bin/bash /sbin/ip -6 route add default dev $1
Now run:
chmod 755 /etc/ppp/ipv6-up.d/0000-defaultroute
This file will now be run every time your PPP connects, and will automatically create an IPv6 default route!
Testing pppd
Before you proceed, you should test your ppp configuration.
Firstly, run:
pppoe -I eth0 -A
This should produce some output similar to the following:
Access-Concentrator: acc-aln1.ry Got a cookie: 79 f0 19 2c d3 ec ae 4b 04 75 ee 8a 30 76 a6 ea AC-Ethernet-Address: a0:f3:e4:34:5f:8f
If something is wrong, you will probably get:
pppoe: Timeout waiting for PADO packets
If you get this error message, check your configuration matches the examples above. If you're still stuck, contact A&A support.
Now try to actually connect:
pon aaisp tail -n 20 /var/log/messages
This should produce output like the following:
Jul 15 22:05:45 router pppd[23049]: Plugin rp-pppoe.so loaded. Jul 15 22:05:45 router pppd[23050]: pppd 2.4.6 started by thomas, uid 0 Jul 15 22:05:45 router pppd[23050]: PPP session is 522 Jul 15 22:05:45 router pppd[23050]: Connected to 00:03:97:1c:80:02 via interface eth0 Jul 15 22:05:45 router pppd[23050]: Renamed interface ppp0 to pppoe-aaisp Jul 15 22:05:45 router pppd[23050]: Using interface pppoe-aaisp Jul 15 22:05:45 router pppd[23050]: Connect: pppoe-aaisp <--> eth0 Jul 15 22:06:32 router pppd[23050]: CHAP authentication succeeded Jul 15 22:06:32 router pppd[23050]: CHAP authentication succeeded Jul 15 22:06:32 router pppd[23050]: peer from calling number 00:03:97:1C:80:02 authorized Jul 15 22:06:32 router pppd[23050]: local IP address <your WAN IP address here> Jul 15 22:06:32 router pppd[23050]: remote IP address 81.187.81.187 Jul 15 22:06:32 router pppd[23050]: local LL address fe80::5893:5ee6:a435:8672 Jul 15 22:06:32 router pppd[23050]: remote LL address fe80::0203:97ff:fe19:8000
If it does, then your pppd configuration works perfectly! Run the following to disconnect, and do the rest of the configuration:
poff aaisp
Setting up the rest of the router
The rest of this configuration is split into two parts - one assuming that you have a connection with only one IPv4 address and will configure NAT, and one assuming you have a block of IPv4 allocated by A&A that you wish to use on your local network.
Home::1 will generally only have one IPv4 address.
One IPv4 Address
Configuring /etc/network/interfaces
/etc/network/interfaces contains most of the network configuration for a Debian machine.
For our example, it should look like:
# This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). # The loopback network interface auto lo iface lo inet loopback # The primary network interface - the network interface carrying PPP auto eth0 iface eth0 inet manual auto aaisp iface aaisp inet ppp provider aaisp pre-up /sbin/ip link set eth0 up auto eth1 iface eth1 inet static address 192.168.1.1 netmask 255.255.255.0 iface eth1 inet6 static address <your IPv6 address here> netmask 64
Replace "<your IPv6 address here>" with the first address from the prefix you've been allocated. You can see this prefix on clueless.
By default, A&A will allocate a /48 prefix, but will only route it to your line in /56 or /64 chunks.
For example, your prefix might be: 2001:db8:b9::/48. You might have 2001:db8:b9:2041::/64 routed to your line. In this example, you'd use "2001:db8:b9:2041::1" as your IPv6 address.
If you're not sure what IPv6 address to use, contact support!
Configuring your firewall
You'll need to configure a firewall for IPv4 and IPv6. The best way to do this on Debian is to use the iptables-persistent package - this will take care of automatically loading your firewall configuration at boot.
This example will set up:
- Allowing all traffic from your LAN to the internet
- Blocking unsolicited traffic from the internet to your LAN
- NAT for IPv4
To set up some sensible defaults, do:
apt-get update apt-get install iptables ip6tables # clear any existing IPv4 rules iptables -t filter -F iptables -t nat -F iptables -t mangle -F iptables -t filter -X iptables -t nat -X iptables -t mangle -X # set up default traffic policies - drop all incoming and forwarded traffic except any that is explicitly allowed # but allow outbound traffic by default iptables -P FORWARD DROP iptables -P INPUT DROP iptables -P OUTPUT ACCEPT iptables -t nat -P OUTPUT ACCEPT iptables -t nat -P PREROUTING ACCEPT iptables -t nat -P POSTROUTING ACCEPT # Set up rules for traffic going directly to the router iptables -A INPUT -i lo -m comment --comment "Accept all from localhost" -j ACCEPT iptables -A INPUT -p icmp -m comment --comment "Accept all ICMP" -j ACCEPT iptables -A INPUT -i eth1 -m comment --comment "Accept all from the LAN" -j ACCEPT iptables -A INPUT -i pppoe-aaisp -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic" -j ACCEPT iptables -A INPUT -m comment --comment "Reject all remaining traffic" -j REJECT # Set up rules for traffic being forwarded through the router iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -o pppoe-aaisp -m comment --comment "Clamp MSS for traffic going via PPP" -j TCPMSS --clamp-mss-to-pmtu iptables -A FORWARD -i eth1 -o pppoe-aaisp -m comment --comment "Allow traffic from LAN -> internet" -j ACCEPT iptables -A FORWARD -i pppoe-aaisp -o eth1 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic from internet -> LAN" -j ACCEPT iptables -A FORWARD -m comment --comment "Reject all remaining traffic" -j REJECT # Handle IPv4 NAT iptables -t nat -A POSTROUTING -o pppoe-aaisp -m comment --comment "NAT" -j MASQUERADE # clear any existing IPv6 rules ip6tables -F ip6tables -X # set up default IPv6 policies ip6tables -P FORWARD DROP ip6tables -P INPUT DROP ip6tables -P OUTPUT ACCEPT # Set up rules for traffic going directly to the router ip6tables -A INPUT -i lo -m comment --comment "Accept all from localhost" -j ACCEPT ip6tables -A INPUT -p ipv6-icmp -m comment --comment "Accept all ICMP" -j ACCEPT ip6tables -A INPUT -i eth1 -m comment --comment "Accept all from LAN" -j ACCEPT ip6tables -A INPUT -i pppoe-aaisp -m state --state RELATED,ESTABLISHED -m comment --comment "Accept related & return traffic" -j ACCEPT ip6tables -A INPUT -m comment --comment "Reject all remaining input traffic" -j REJECT # Set up rules for traffic being forwarded through the router ip6tables -A FORWARD -p ipv6-icmp -m comment --comment "Forward all ICMP" -j ACCEPT ip6tables -A FORWARD -i eth1 -o pppoe-aaisp -m comment --comment "Allow LAN -> internet" -j ACCEPT ip6tables -A FORWARD -i pppoe-aaisp -o eth1 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow related & return traffic WAN -> LAN" -j ACCEPT ip6tables -A FORWARD -m comment --comment "Reject remaining forwarding traffic" -j REJECT # Now install iptables-persistent. When asked, choose "YES" to save existing IPv4 and IPv6 rules apt-get install iptables-persistent systemctl enable netfilter-persistent
A block of IPv4 addresses
Configuring /etc/network/interfaces
/etc/network/interfaces contains most of the network configuration for a Debian machine.
For our example, it should look like:
# This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). # The loopback network interface auto lo iface lo inet loopback # The primary network interface - the network interface carrying PPP auto eth0 iface eth0 inet manual auto aaisp iface aaisp inet ppp provider aaisp pre-up /sbin/ip link set eth0 up auto eth1 iface eth1 inet static address <your IPv4 address here> netmask <the correct subnet mask for your IPv4 block here> iface eth1 inet6 static address <your IPv6 address here> netmask 64
Replace "<your IPv6 address here>" with the first address from the prefix you've been allocated. You can see this prefix on clueless. By default, A&A will allocate a /48 prefix, but will only route it to your line in /56 or /64 chunks. For example, your prefix might be: 2001:db8:b9::/48. You might have 2001:db8:b9:2041::/64 routed to your line. In this example, you'd use "2001:db8:b9:2041::1" as your IPv6 address.
If you're not sure what IPv6 address to use, contact support!
For IPv4, A&A will have allocated you a block to use.
For example, your block might be: 198.51.100.96/28. In this case, you'd have 16 addresses, 14 of which are usable. The first usable IP would be 198.51.100.97 - and we would use this for your LAN IP on the router. For a /28, the correct netmask would be "255.255.255.240".
If you're not sure what to use, contact support!
Configuring your firewall
You'll need to configure a firewall for IPv4 and IPv6. The best way to do this on Debian is to use the iptables-persistent package - this will take care of automatically loading your firewall configuration at boot.
This example will set up:
- Allowing all traffic from your LAN to the internet
- Blocking unsolicited traffic from the internet to your LAN
apt-get update apt-get install iptables ip6tables # clear any existing IPv4 rules iptables -t filter -F iptables -t nat -F iptables -t mangle -F iptables -t filter -X iptables -t nat -X iptables -t mangle -X # set up default traffic policies - drop all incoming and forwarded traffic except any that is explicitly allowed # but allow outbound traffic by default iptables -P FORWARD DROP iptables -P INPUT DROP iptables -P OUTPUT ACCEPT iptables -t nat -P OUTPUT ACCEPT iptables -t nat -P PREROUTING ACCEPT iptables -t nat -P POSTROUTING ACCEPT # Set up rules for traffic going directly to the router iptables -A INPUT -i lo -m comment --comment "Accept all from localhost" -j ACCEPT iptables -A INPUT -p icmp -m comment --comment "Accept all ICMP" -j ACCEPT iptables -A INPUT -i eth1 -m comment --comment "Accept all from the LAN" -j ACCEPT iptables -A INPUT -i pppoe-aaisp -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic" -j ACCEPT iptables -A INPUT -m comment --comment "Reject all remaining traffic" -j REJECT # Set up rules for traffic being forwarded through the router iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -o pppoe-aaisp -m comment --comment "Clamp MSS for traffic going via PPP" -j TCPMSS --clamp-mss-to-pmtu iptables -A FORWARD -i eth1 -o pppoe-aaisp -m comment --comment "Allow traffic from LAN -> internet" -j ACCEPT iptables -A FORWARD -i pppoe-aaisp -o eth1 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic from internet -> LAN" -j ACCEPT iptables -A FORWARD -m comment --comment "Reject all remaining traffic" -j REJECT # clear any existing IPv6 rules ip6tables -F ip6tables -X # set up default IPv6 policies ip6tables -P FORWARD DROP ip6tables -P INPUT DROP ip6tables -P OUTPUT ACCEPT # Set up rules for traffic going directly to the router ip6tables -A INPUT -i lo -m comment --comment "Accept all from localhost" -j ACCEPT ip6tables -A INPUT -p ipv6-icmp -m comment --comment "Accept all ICMP" -j ACCEPT ip6tables -A INPUT -i eth1 -m comment --comment "Accept all from LAN" -j ACCEPT ip6tables -A INPUT -i pppoe-aaisp -m state --state RELATED,ESTABLISHED -m comment --comment "Accept related & return traffic" -j ACCEPT ip6tables -A INPUT -m comment --comment "Reject all remaining input traffic" -j REJECT # Set up rules for traffic being forwarded through the router ip6tables -A FORWARD -p ipv6-icmp -m comment --comment "Forward all ICMP" -j ACCEPT ip6tables -A FORWARD -i eth1 -o pppoe-aaisp -m comment --comment "Allow LAN -> internet" -j ACCEPT ip6tables -A FORWARD -i pppoe-aaisp -o eth1 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow related & return traffic WAN -> LAN" -j ACCEPT ip6tables -A FORWARD -m comment --comment "Reject remaining forwarding traffic" -j REJECT # Now install iptables-persistent. When asked, choose "YES" to save existing IPv4 and IPv6 rules apt-get install iptables-persistent systemctl enable netfilter-persistent
Appendicies
Some users may want to change these settings. Some useful extras are documented below: