Andrew Mercer
Docs
Andrew Mercer

Linux router

Basic router

[Internal LAN] 
  192.168.0.0/24
        |
     [Switch]
        |
 [Internal NIC on Linux Router]
        192.168.0.254
           |
   [Linux Router (acting as NAT/forwarder)]
           |
 [External NIC on Linux Router]
        192.168.100.254
           |
       [Modem]
        192.168.100.1

Netplan config

network:
  version: 2
  ethernets:
    # enp1s0 is the internal network interface plugged into lan switch
    enp1s0:
      dhcp4: false
      dhcp6: false
      addresses:
        - 192.168.0.254/24
      nameservers:
        addresses:
          - 192.168.0.1
    # enp4s0 is the external network interface plugged into modem switch
    enp4s0:
      dhcp4: false
      dhcp6: false
      addresses:
        - 192.168.100.254/24
      routes:
        - to: default
          via: 192.168.100.1
      nameservers:
        addresses:
          - 192.168.100.1

Enable packet forwarding

echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sysctl -w net.ipv4.ip_forward=1

iptables rules

NAT internal traffic out to modem

iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE

Accept forwarding from internal to external

iptables -A FORWARD -i enps10 -o enps40 -j ACCEPT
iptables -A FORWARD -i enp4s0 -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Final configuration

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Save iptables rules

sudo apt -y install iptables-persistent
sudo netfilter-persistent save

DHCP server

sudo apt -y install isc-dhcp-server && \
sudo systemctl enable isc-dhcp-server
# /etc/dhcp/dhcpd.conf

authoritative; # uncomment this line

subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.100 192.168.0.200;
  option routers 192.168.0.254;
  option subnet-mask 255.255.255.0;
  option domain-name-servers 9.9.9.9,149.112.112.112;
}
# /etc/default/isc-dhcp-server

INTERFACESv4="enp1s0"
sudo systemctl restart isc-dhcp-server && \
sudo systemctl status isc-dhcp-server && \
journalctl -xe | grep dhcp
Prev
OPNsense
Next
Merge multiple kubectl config files