WAN = eth0
LAN = eth1 (192.168.1.1)
Ensure devices are active with the command ip a. Directly after the name of each interface there is a section which will look something along the lines of <BROADCAST,MULTICAST,UP>. If UP is not included within this, enter the following, replacing <dev name> with the respective interface.
ip link set dev <dev name> up
Add the following to /etc/netplan/config.yaml. Multiple LAN interfaces may be added as required.
network:
  version: 2
  ethernets:
    # WAN
    eth0:
      dhcp4: true
    # LAN
    eth1:
      addresses: [192.168.1.1/24]
      dhcp4: false
Apply the configuration.
netplan generate
netplan apply
Install package.
apt install isc-dhcp-server
Add the LAN interface name as below to /etc/default/isc-dhcp-server (the variable in that file is INTERFACESv4).
INTERFACESv4="eth1"
Find and uncomment/edit the following lines in /etc/dhcp/dhcpd.conf. Multiple subnets may be added and should use the interfaces defined earlier in netplan. Note that the domain-name value must be quoted.
option domain-name "localhost.localdomain";
option domain-name-servers 8.8.8.8, 8.8.4.4;
default-lease-time 86400;
max-lease-time 86400;
ddns-update-style none;
authoritative;
log-facility local7;
subnet 192.168.1.0 netmask 255.255.255.0 {
  option routers 192.168.1.1;
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.1.255;
  range 192.168.1.101 192.168.1.200;
}
Start the server and enable it on startup.
systemctl enable --now isc-dhcp-server
If using SSH, be sure to allow SSH before enabling the firewall, or the session will be cut off.
ufw allow ssh
Enable ufw.
ufw enable
Enable IP forwarding. Uncomment the following line in /etc/ufw/sysctl.conf.
net/ipv4/ip_forward=1
Enable NAT forwarding. Add the following to /etc/ufw/before.rules, between the first comment block and the *filter section. -s specifies the local subnet and -o specifies the WAN interface.
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Forward traffic
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
Allow routing from LAN to WAN. In the same file as above, add the following between the "# drop INVALID packets" section and the "# ok icmp codes for INPUT" section.
# allow established connections in
-A ufw-before-input -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# forward between WAN and LAN
-A ufw-before-forward -i eth1 -o eth0 -j ACCEPT
-A ufw-before-forward -i eth0 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
(Maybe something like this instead? [Doesn't work])
ufw route allow in on eth1 out on eth0
Create /etc/rc.local to apply the firewall rules on startup.
#!/bin/bash
# /etc/rc.local
# Set default policies to drop.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# NAT traffic going out the WAN interface.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Accept traffic on loopback interface.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Forward established/related traffic in/out of the WAN interface
# (If there are multiple LAN interfaces this section can be repeated for each)
iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
## LAN (This section can be repeated for all interfaces)
# Allow DNS lookups
iptables -A FORWARD -i eth1 -o eth0 -p udp -m udp --dport 53 -j ACCEPT
# Allow HTTP/HTTPS
iptables -A FORWARD -i eth1 -o eth0 -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# Allow ICMP
iptables -A FORWARD -i eth1 -o eth0 -p icmp -j ACCEPT
# rc.local needs to exit with 0
exit 0
Make it executable.
chmod 755 /etc/rc.local
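The rc.local above has to be repeated by hand for every LAN interface. The generator below is an added example, not part of the original notes: it prints a complete rc.local for one WAN interface and any number of LAN interface:subnet pairs, using the same rule set as above but with MASQUERADE restricted to each LAN subnet (as in the before.rules version) and an added per-LAN anti-spoofing drop. The interface names and subnets are assumed examples.

```shell
#!/bin/sh
# Added example: generate /etc/rc.local firewall rules for a WAN interface
# and any number of LAN interfaces, instead of copying the section per LAN.
# Usage: gen_router_rules WAN "LAN1:CIDR1 LAN2:CIDR2 ..."
gen_router_rules() {
  wan=$1
  lans=$2
  echo '#!/bin/bash'
  echo '# /etc/rc.local (generated)'
  # Default policies to drop, as in the notes above.
  echo "iptables -P INPUT DROP"
  echo "iptables -P FORWARD DROP"
  echo "iptables -P OUTPUT DROP"
  # Loopback traffic is always accepted.
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A OUTPUT -o lo -j ACCEPT"
  for entry in $lans; do
    lan=${entry%%:*}     # interface name before the colon
    cidr=${entry#*:}     # subnet after the colon
    # NAT only this LAN's subnet when leaving the WAN interface (not every source).
    echo "iptables -t nat -A POSTROUTING -s $cidr -o $wan -j MASQUERADE"
    # Reply traffic for flows this LAN already opened.
    echo "iptables -A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $lan -o $wan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Anti-spoofing (added here): packets from this LAN must carry its own subnet as source.
    echo "iptables -A FORWARD -i $lan ! -s $cidr -j DROP"
    # DNS, HTTP/HTTPS and ICMP out to the WAN, matching the notes above.
    echo "iptables -A FORWARD -i $lan -o $wan -p udp -m udp --dport 53 -j ACCEPT"
    echo "iptables -A FORWARD -i $lan -o $wan -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT"
    echo "iptables -A FORWARD -i $lan -o $wan -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT"
    echo "iptables -A FORWARD -i $lan -o $wan -p icmp -j ACCEPT"
  done
  # rc.local needs to exit with 0
  echo "exit 0"
}

# Example: gen_router_rules eth0 "eth1:192.168.1.0/24 eth2:192.168.2.0/24" > /etc/rc.local
if [ "$#" -ge 2 ]; then
  gen_router_rules "$1" "$2"
fi
```

Review the printed rules before writing them to /etc/rc.local; the anti-spoofing drop and the -s on MASQUERADE assume each LAN interface carries exactly the subnet given.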