Ubuntu Router/Firewall

**dschuett** · 08-23-2010

Hey everyone, I am fairly new to linux networking.

Here is what i am trying to accomplish:

Ubuntu Server running dhcp3-server with two nics:
eth0 (external/internet set up with dhcp since I have a dynamic ip from my ISP)
eth1 (internal with a static ip of 192.168.0.201)

eth1 is connected to a 8 port switch:
I would like to set up dhcp3-server to hand out ip addresses in the range of 192.168.0.100-192.168.0.200 (and obviously using this ubuntu server as the default gateway - 192.168.0.201)

client pc's will then be connected to the switch getting ip address from the ubuntu server

I have successfully configured the two nic cards on the server as described above, and have been able to manually set a client pc with an ip address in the same subnet... i can successfully ping eth1 192.168.0.201... but i can't get to the internet. I know it has to do with routing, but I'm not sure how to set this up.

I also am unsure on how to configure dhcp3-server to work as I described above.

Any help is appreciated!

here is what my /etc/network/interfaces file looks like if this helps any:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
address 192.168.0.201
netmask 255.255.255.0

**markcole** · 08-23-2010

Checkout iptables for firewall and forwarding. This should get you to where you need to be.

There are other guides out there, I just found this one quickly.

**Miller88** · 08-23-2010

Is this going to be a dedicated router box and just do routing and some other network services? If so - I'd recommend one of the many specialized distros out there like ClearOS, PfSense ... Routing with Ubuntu/RedHat/etc seems to be a bit more complicated than these distros. Plus anything extra you need can be apt-get or yum'd to install.

**dschuett** · 08-24-2010

I have followed this tutorial to the T, I am able to ping the internet with the router and ping the clients with the router. The clients get an IP address from the router (dhcp3) and the gateway shows 192.168.0.201 and netmask of 255.255.255.0 (eth1 - the internal nic on the router) but the clients can't ping the router (192.168.0.201) nor the internet (eth0). I know this has something to do with routing or IPTABLES, but i am completely new to this and any help is appreciated.

Also here is what route -n shows:
NOTE: what is with the 169.254.0.0 address???
and shouldn't i see 192.168.0.201 as a gateway???

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 0.0.0.0 255.255.255.0 U 1 0 0 eth1
68.13.40.0 0.0.0.0 255.255.248.0 U 1 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eth0
0.0.0.0 68.13.40.1 0.0.0.0 UG 0 0 0 eth0

TUTORIAL STARTS HERE:
How to make Ubuntu/Debian as a router

Here is your Ubuntu serve box with two interfaces,

eth0-------------Internet (set up with dhcp)
eth1-------------Internal

Note: Your Internet is running using eth0.

Step1: Install DHCP Server

#apt-get install dhcp3-server

Step 2: Configure the DHCP server

Edit the /etc/dhcp3/dhcpd.conf file and add your domain, ip range and other options.
NOTE: these are the only things i changed:

option domain-name "host name of my router";
#
# Internal network
#
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.100 192.168.0.200;
option broadcast-address 192.168.0.255;
option routers 192.168.0.201;
default-lease-time 600;
max-lease-time 7200;
}

Edit the /etc/default/dhcp3-server

INTERFACES= “eth1”

Step 3: Configure the Internal interface (eth1) with static IP.

Edit the /etc/network/interfaces file and add following

iface eth1 inet static
address 192.168.0.201
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.201

Step 4: Restart network and verify the eth1 interface's IP.

#/etc/init.d/network restart

check ip by ifconfig eth1, it will have 192.168.0.201 ip, if not please restart the interface/network service, you can also restart your machine if it is not in production environment.

Step 5: Restart the DHCP server.

#/etc/init.d/dhcp3-server restart

If everything is ok, it should run successfully,
Note: If your interface does not have any IP it might give error and does not restart, first configure your internal interface.

Step 6: Test the DHCP server.

connect the cable on interface eth1 and other side to your switch and connect your second pc, you will get the IP from 192.168.0.xxx range.

Open the syslog messeges with

#tail -f /var/log/syslog

of your debian box, it will also notify with leased ip and detail of requested machine.

Step 7: Enable forwarding

# echo 1 > /proc/sys/net/ipv4/ip_forward

open the file manually and uncomment

# nano /etc/sysctl.conf
net.ipv4.ip_forward = 1

Step 8: Add IPTABLES rule for NAT

Type following at command line

#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Step 9: Final Testing

Your second Pc attached to LAN have internal ip, ping to a web address and you should get a reply!

**markcole** · 08-24-2010

What is the output of

Code:

iptables -L

**dschuett** · 08-24-2010

Originally Posted by markcole

What is the output of

Code:

iptables -L

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

I know it has something to do with iptables because the ONLY thing i've done to iptables is what it called for in the tutorial...

Thanks for your help

**markcole** · 08-24-2010

There should be rules to forward packets between the interfaces also.

Something like

Code:

iptables -A FORWARD -t filter -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

IIRC, you will need one for incoming packets also.

Thread Tools

Display

Ubuntu Router/Firewall

ubuntu router

Posting Permissions