26
edits
Router:Linux - Debian: Difference between revisions
Added comments on Bester
m (Even more formatting fixes...) |
(Added comments on Bester) |
||
| (12 intermediate revisions by 3 users not shown) | |||
|
You'll need to use an ADSL or FTTC modem in bridge mode for this to work - see the page for your modem to see how to set that up.
This guide provides an example configuration for Debian Jessie. When partially under under Debian Bester, there were found to be few issues.
= Prerequsites =
* '''eth0''' is plugged directly into your modem or ONT
* '''eth1''' will be used for your LAN
Note that under Bester, you can expect naming conventions for the interfaces to be different, you'll therefore have to pay close attention to updating the interface names as you follow the guide
= Enabling IP forwarding =
To tell our Linux router to actually forward traffic, you must first enable IP forwarding in '''/etc/sysctl.conf'''.
Look for this section in '''/etc/sysctl.conf''':
# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
Uncomment the two lines starting with "net":
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
net.ipv6.conf.all.forwarding=1
Now run:
sysctl -p
This will reload '''/etc/sysctl.conf''' - applying our changes.
= Setting up pppd =
apt-get update
apt-get install
pppd uses several different configuration files:
* '''noauth''' - don't require A&A to send authentication details
* '''persist''' - automatically reconnect if the connection drops
* '''maxfail 0''' - sets
* '''mtu 1492''' - sets the max MTU for packets inside the PPP connection - 1492 is a "safe" value for PPPoE on most hardware. Some modems will be able to use "baby jumbo frames" (RFC 4638). See the "Using a full 1500 MTU" section for more details.
* '''noaccomp''' - disables address/control compression
* '''default-asyncmap''' - disables the
* '''+ipv6''' - enable IPv6 support
* '''ipv6cp-use-ipaddr''' - use your IPv4 address as the local identifier for IPv6CP
iface aaisp inet ppp
provider aaisp
pre-up /sbin/ip link set eth0 up
auto eth1
iptables -t nat -F
iptables -t mangle -F
iptables -t filter -X
iptables -t nat -X
iptables -t mangle -X
# set up default traffic policies - drop all incoming and forwarded traffic except any that is explicitly allowed
# but allow outbound traffic by default
iptables -A INPUT -p icmp -m comment --comment "Accept all ICMP" -j ACCEPT
iptables -A INPUT -i eth1 -m comment --comment "Accept all from the LAN" -j ACCEPT
iptables -A INPUT -i pppoe-aaisp -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic" -j ACCEPT
iptables -A INPUT -m comment --comment "Reject all remaining traffic" -j REJECT
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -o pppoe-aaisp -m comment --comment "Clamp MSS for traffic going via PPP" -j TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -i eth1 -o pppoe-aaisp -m comment --comment "Allow traffic from LAN -> internet" -j ACCEPT
iptables -A FORWARD -i pppoe-aaisp -o eth1 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic from internet -> LAN" -j ACCEPT
iptables -A FORWARD -m comment --comment "Reject all remaining traffic" -j REJECT
ip6tables -F
ip6tables -X
# set up default IPv6 policies
ip6tables -P FORWARD DROP
ip6tables -A FORWARD -i pppoe-aaisp -o eth1 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow related & return traffic WAN -> LAN" -j ACCEPT
ip6tables -A FORWARD -m comment --comment "Reject remaining forwarding traffic" -j REJECT
# Now install iptables-persistent. When asked, choose "YES" to save existing IPv4 and IPv6 rules
apt-get install iptables-persistent
systemctl enable netfilter-persistent
== A block of IPv4 addresses ==
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface aaisp inet ppp
provider aaisp
pre-up /sbin/ip link set eth0 up
auto eth1
iptables -t nat -F
iptables -t mangle -F
iptables -t filter -X
iptables -t nat -X
iptables -t mangle -X
# set up default traffic policies - drop all incoming and forwarded traffic except any that is explicitly allowed
# but allow outbound traffic by default
iptables -A INPUT -p icmp -m comment --comment "Accept all ICMP" -j ACCEPT
iptables -A INPUT -i eth1 -m comment --comment "Accept all from the LAN" -j ACCEPT
iptables -A INPUT -i pppoe-aaisp -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic" -j ACCEPT
iptables -A INPUT -m comment --comment "Reject all remaining traffic" -j REJECT
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -o pppoe-aaisp -m comment --comment "Clamp MSS for traffic going via PPP" -j TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -i eth1 -o pppoe-aaisp -m comment --comment "Allow traffic from LAN -> internet" -j ACCEPT
iptables -A FORWARD -i pppoe-aaisp -o eth1 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic from internet -> LAN" -j ACCEPT
iptables -A FORWARD -m comment --comment "Reject all remaining traffic" -j REJECT
ip6tables -F
ip6tables -X
# set up default IPv6 policies
ip6tables -P FORWARD DROP
ip6tables -A FORWARD -i pppoe-aaisp -o eth1 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow related & return traffic WAN -> LAN" -j ACCEPT
ip6tables -A FORWARD -m comment --comment "Reject remaining forwarding traffic" -j REJECT
# Now install iptables-persistent. When asked, choose "YES" to save existing IPv4 and IPv6 rules
apt-get install iptables-persistent
systemctl enable netfilter-persistent
= Appendicies =
== Using a full 1500 MTU ==
[[Category:3rd Party Routers|Debian]]
| |||