Before we start, we need to ensure our interfaces are correctly configured
sudo nano /etc/network/interfaces
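# /etc/network/interfaces (ifupdown). On this page: eth0 = LAN, eth1 = WAN.
# LAN -- static address; this is the gateway the DHCP clients are given (option routers below)
auto eth0
iface eth0 inet static
address 192.168.32.2
# 'netmask' is the prefix mask. 'network' (as originally written) would be the network
# address itself, and 255.255.255.0 is not a valid value there.
netmask 255.255.255.0
# WAN -- address obtained from the upstream router by DHCP
auto eth1
iface eth1 inet dhcp
#address 192.168.0.252
# link-speed / link-duplex are handled by the ethtool if-up hook -- TODO confirm the
# ethtool package is installed, otherwise these two lines have no effect
link-speed 1000
link-duplex full
# DMZ -- optional third interface, left disabled. 'auto' (not 'auth') brings it up at boot.
#auto ethx
#iface ethx inet static
#gateway 192.168.0.1
#netmask 255.255.255.0
#dns-nameservers 8.8.8.8 8.8.4.4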
STEP 1
Enable Forwarding
sudo vim -c '%s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/gc' -c 'wq' /etc/sysctl.conf
To apply changes immediately
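# Load the edited sysctl.conf now (no reboot needed) ...
sudo sysctl -p /etc/sysctl.conf
# ... and reload the interface configuration. Debian/Ubuntu (the apt-get and
# /etc/network/interfaces family used on this page) call the ifupdown service
# 'networking'; 'network' is the RHEL-family name and does not exist here.
sudo service networking restart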
STEP 2
Enable MASQUERADE and save firewall rules (default /etc/iptables/rules.v4)
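# iptables-persistent reloads /etc/iptables/rules.v4 at boot; rules added with the
# iptables command stay runtime-only until they are saved (last line below).
sudo apt-get install iptables-persistent
# Source-NAT everything the LAN (192.168.32.0/24, the eth0 network configured above)
# sends out through the WAN interface (eth1). Note the space in '-t nat -A':
# 'nat-A' is not a table name, and '192.168.1.x/24' is not a valid address.
sudo iptables -t nat -A POSTROUTING -s 192.168.32.0/24 -o eth1 -j MASQUERADE
# Persist the running rule set to the file iptables-persistent loads at boot
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'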
STEP 3
Install DHCP server
sudo apt-get install isc-dhcp-server
Assign interfaces to issue IPs to your LAN
sudo nano /etc/default/isc-dhcp-server
INTERFACES="eth0"
STEP 4
Make a backup of /etc/dhcp/dhcpd.conf, then edit the configuration
sudo cp /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.backup
sudo nano /etc/dhcp/dhcpd.conf
Make DHCP authoritative
sudo vim -c '%s/#authoritative/authoritative/gc' -c 'wq' /etc/dhcp/dhcpd.conf
Enter the following
sudo nano /etc/dhcp/dhcpd.conf
# /etc/dhcp/dhcpd.conf -- scope for the LAN behind eth0 (the interface named in INTERFACES above)
subnet 192.168.32.0 netmask 255.255.255.0 {
# pool of addresses handed out dynamically
range 192.168.32.50 192.168.32.99;
# DNS servers and domain name sent to the clients
option domain-name-servers 8.8.8.8, 8.8.4.4;
option domain-name "kim.sg";
# default gateway = this machine's eth0 address
option routers 192.168.32.2;
#for static ip reservation (address lies outside the dynamic range above; the MAC is a placeholder)
host KimLaptopSamsung {
hardware ethernet E8:XX:XX:XX:XX:XX;
fixed-address 192.168.32.100;
}
}
STEP 5
Restart your dhcp server
sudo service isc-dhcp-server restart
STEP 6
You may wish to open some ports
# Port forwards: DNAT rewrites the destination of connections arriving on the WAN interface
# ('wan' is a placeholder; eth1 on this page) to the reserved LAN host 192.168.32.100.
# A DNAT rule only rewrites the packet -- the FORWARD chain must also accept it (see the
# port-forwarding example further down). 3389 is RDP; leaving it reachable from every WAN
# source is risky -- consider restricting with '-s <trusted-source>/32' as the SSH rules below do.
sudo iptables -t nat -I PREROUTING -i wan -p tcp --dport 3389 -j DNAT --to-destination 192.168.32.100:3389
sudo iptables -t nat -I PREROUTING -i wan -p tcp --dport 25378 -j DNAT --to-destination 192.168.32.100:25378
Troubleshooting
Do not NAT the packets you will be tunnelling
# Exclude traffic whose destination is the LAN itself from masquerading, so tunnelled packets
# keep their real source address. '-I' places these ahead of the general MASQUERADE rule
# from STEP 2. First form: any source; second form: one source network only.
# NOTE(review): 192.168.1.0/24 below does not match this page's LAN (192.168.32.0/24) -- adjust.
sudo iptables -t nat -I POSTROUTING ! -d 192.168.32.0/24 -o eth1 -j MASQUERADE
sudo iptables -t nat -I POSTROUTING -s 192.168.1.0/24 ! -d 192.168.32.0/24 -o eth1 -j MASQUERADE
Delete the opened port (PREROUTING)
#Get the line number (numbers are per chain; read them under 'Chain PREROUTING')
sudo iptables -L -t nat --line
#Delete the rule with the line number (X = the number from the listing; re-list after
#each deletion, the remaining rules are renumbered)
sudo iptables -t nat -D PREROUTING X
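#Lines for the *filter section of /etc/iptables/rules.v4 (between '*filter' and 'COMMIT').
#Rules are evaluated top to bottom and the first match wins, so the catch-all DROP must be
#the LAST rule of each chain -- anything appended after it never matches (as the original
#anti-spoof and ESTABLISHED rules, placed after '-A FORWARD -j DROP', did not).
#wan/lan are placeholders for the interface names (eth1/eth0 on this page).
#
#--- INPUT: traffic addressed to the firewall itself ---
#Allows all loopback (lo) traffic
-A INPUT -i lo -j ACCEPT
#DROP packets with a loopback destination (127/8) that did not arrive on the lo interface
-A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
#Accept all established inbound connections (replies to what the firewall started)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#Allow ping (ICMP echo-request)
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
#Per-service INPUT opens (ssh, http, ...) go HERE, before the final DROP
#Reject all other INPUT
-A INPUT -j DROP
#
#--- FORWARD: traffic routed between LAN and WAN ---
#DROP outside connections that attempt to spoof private IP address ranges to infiltrate your LAN.
#Must come before any ACCEPT so a forged LAN source cannot be accepted first.
#Assuming your LAN address is 192.168.1.0/24 (this page's LAN is 192.168.32.0/24 -- adjust)
-A FORWARD -s 192.168.1.0/24 -i wan -j DROP
#Forward the packets that belong to a connection already allowed, in either direction
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#Allow the LAN to open new connections outward
-A FORWARD -i lan -j ACCEPT
#Allow new connections from the WAN into the LAN only where a PREROUTING DNAT rule
#(port forward) redirected them -- a plain '-o lan -j ACCEPT' would let any WAN traffic in
-A FORWARD -i wan -o lan -m conntrack --ctstate DNAT -j ACCEPT
#Reject all other FORWARD
-A FORWARD -j DROP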
##########################
### PORT FORWARDING ###
##########################
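#Example port forwarding WAN:80 to LAN:80
#WAN = eth1
#LAN = eth0 (192.168.1.241)
#LAN host = 192.168.1.6
# 1. Rewrite the destination of connections arriving on WAN port 80 to the LAN host
iptables -t nat -I PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.6
# 2. Let the first packet of those connections through the FORWARD chain ...
iptables -I FORWARD -i eth1 -o eth0 -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# 3. ... and the rest of the conversation in both directions
iptables -I FORWARD -i eth1 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 4. Hairpin NAT: LAN clients reaching the server through the WAN address get the router's
#    LAN address as source so their replies come back via the router. Restrict it to LAN
#    sources ('-s 192.168.1.0/24'): without that restriction every WAN visitor is rewritten
#    to 192.168.1.241 as well, and the web server's logs lose the real client addresses.
#    NOTE(review): the DNAT in step 1 matches only '-i eth1', so LAN clients are only
#    hairpinned if a matching DNAT without that interface restriction is added.
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -o eth0 -p tcp --dport 80 -d 192.168.1.6 -j SNAT --to-source 192.168.1.241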
##############################
### Open ports in INPUT chain ###
##############################
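#Allow your firewall itself to access web http (80), https (443) & dns (53)
#These must sit BEFORE the final '-A INPUT -j DROP' of the INPUT chain, otherwise they never match.
-A INPUT -i wan -p tcp -m tcp -m multiport --sports 80,443 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#DNS replies: match on connection state, not on the source port alone. An unconditional
#'--sport 53 -j ACCEPT' accepts any UDP packet whose sender chose port 53, i.e. it opens
#every UDP service on the firewall.
-I INPUT -p udp -m udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
#If your firewall is also a web server, open http & https for visitors
#Allows HTTP and HTTPS connections from anywhere
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# If your firewall is also a SSH server, open ssh (22) for visitors
# (see the rate-limited variant below before exposing it to the whole WAN)
-A INPUT -p tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT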
##################################
### More secured setting for INPUT ###
##################################
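#Allows SSH (allow a visitor only 4 attempts per IP every 3 minutes)
#Order matters: the 'recent' rules must precede any plain '--dport 22 ACCEPT', and all of
#them must precede the final '-A INPUT -j DROP'. x.x.x.x/32 = your own trusted address.
#wan = eth1 on this page.
#Trusted source: always allowed, not rate-limited
-A INPUT -s x.x.x.x/32 -i wan -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
#Record the source of every new SSH connection in the DEFAULT list ...
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name DEFAULT --rsource
#... and drop the 4th and later new connection from the same source within 180 seconds
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 180 --hitcount 4 --name DEFAULT --rsource -j DROP
#Stricter variant: drop a source after 10 new connections within 60 seconds (not permanent --
#the block lasts as long as the source keeps refreshing its entry). A '--update' rule only
#works on a list that is being filled, so the SSH list needs its own '--set' rule.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH --rsource
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 --rttl --name SSH --rsource -j DROP
#Allow only your home to ping your firewall (icmp)
-A INPUT -s x.x.x.x/32 -i wan -p icmp -j ACCEPT
#Allow only your home to webmin your firewall (webmin listens on 10000)
-A INPUT -s x.x.x.x/32 -i wan -p tcp -m tcp --dport 10000 -j ACCEPT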
####################################
### More secured setting for OUTPUT ###
####################################
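#I usually allow the firewall itself to communicate out everything by default.
#However if you wish to prevent your firewall itself from communicating out, DROP every OUTPUT.
#The rules below use '-I' (insert at the top) so they are evaluated before this DROP;
#a rule appended with '-A' after it would never match.
-A OUTPUT -j DROP
#Open desired ports to allow your firewall itself to access
#Example: http, https & dns (this line must be a comment inside a rules file)
-I OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-I OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-I OUTPUT -p udp -m udp --dport 53 -j ACCEPT
#If your firewall is also a SSH server, open ssh (22) & webmin (10000) for visitors
#(replies from the local services; matched on connection state as well, so only packets
#belonging to an accepted inbound session leave on these source ports)
-I OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-I OUTPUT -p tcp -m tcp --sport 10000 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Allow your firewall to respond to ICMP ('-I', not '-A': appended after the DROP it was unreachable)
-I OUTPUT -p icmp -j ACCEPT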