Setting up home router on Ubuntu

Before we start, we need to ensure our interfaces are correctly configured (note that the LAN stanza below gives 255.255.255.0 as `network`; the keyword for a subnet mask in /etc/network/interfaces is `netmask`, as used in the commented-out DMZ example)

sudo nano /etc/network/interfaces
# LAN
auto eth0
iface eth0 inet static
address 192.168.32.2
network 255.255.255.0

# WAN
auto eth1
iface eth1 inet dhcp
#address 192.168.0.252
link-speed 1000
link-duplex full

# DMZ
#auth ethx
#iface ethx inet static
#gateway 192.168.0.1
#netmask 255.255.255.0
#dns-nameservers 8.8.8.8 8.8.4.4

 

STEP 1

Enable IPv4 forwarding (once set, the kernel routes packets between all interfaces, so the FORWARD chain rules further down are what constrain it)

sudo vim -c '%s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/gc' -c 'wq' /etc/sysctl.conf

To apply changes immediately

sudo sysctl -p /etc/sysctl.conf
service network restart

 

STEP 2

Enable MASQUERADE and save the firewall rules (iptables-persistent stores them in /etc/iptables/rules.v4 by default). In the rule below, substitute your real LAN subnet and WAN interface — with the interfaces file above that is 192.168.32.0/24 and eth1; `192.168.1.x/24` is not a valid address, and `wan` is only a valid name if you have renamed your WAN interface to it.

sudo apt-get install iptables-persistent

sudo iptables -t nat -A POSTROUTING -s 192.168.1.x/24 -o wan -j MASQUERADE

 

STEP 3

Install DHCP server

sudo apt-get install isc-dhcp-server

 Assign the interface on which the DHCP server issues IPs to your LAN (eth0, the LAN interface above)

sudo nano /etc/default/isc-dhcp-server
INTERFACES="eth0"

 

STEP 4

Make a backup of /etc/dhcp/dhcpd.conf and edit the configuration

sudo cp /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.backup
sudo nano /etc/dhcp/dhcpd.conf

 Make DHCP authoritative

sudo vim -c '%s/#authoritative/authoritative/gc' -c 'wq' /etc/dhcp/dhcpd.conf

 Enter the following

sudo nano /etc/dhcp/dhcpd.conf
subnet 192.168.32.0 netmask 255.255.255.0 {
range 192.168.32.50 192.168.32.99;
option domain-name-servers 8.8.8.8, 8.8.4.4;
option domain-name "kim.sg";
option routers 192.168.32.2;

#for static ip reservation
host KimLaptopSamsung {
hardware ethernet E8:XX:XX:XX:XX:XX;
fixed-address 192.168.32.100;
}
}

 

STEP 5

Restart your dhcp server

sudo service isc-dhcp-server restart

 

STEP 6

You may wish to forward some ports from the WAN to a LAN host (replace `wan` with your WAN interface, eth1 above). A DNAT rule alone is not enough once the FORWARD chain has a default DROP: the FORWARD chain must also accept the forwarded traffic, as in the port-forwarding example further down.

sudo iptables -t nat -I PREROUTING -i wan -p tcp --dport 3389 -j DNAT --to-destination 192.168.32.100:3389
sudo iptables -t nat -I PREROUTING -i wan -p tcp --dport 25378 -j DNAT --to-destination 192.168.32.100:25378

 

Troubleshooting

Do not NAT the packets you will be tunnelling (the `! -d 192.168.32.0/24` match excludes traffic destined for the LAN itself from masquerading)

sudo iptables -t nat -I POSTROUTING ! -d 192.168.32.0/24 -o eth1 -j MASQUERADE
sudo iptables -t nat -I POSTROUTING -s 192.168.1.0/24 ! -d 192.168.32.0/24 -o eth1 -j MASQUERADE

 

Delete the opened port (PREROUTING)

#Get the line number
sudo iptables -L -t nat --line

#Delete the rule with the line number
sudo iptables -t nat -D PREROUTING X

 

 

 

 

 

#Allows all loopback (lo) traffic

-A INPUT -i lo -j ACCEPT

#DROP all suspicious traffic addressed to the loopback range 127.0.0.0/8 that does not arrive on the lo interface

-A INPUT ! -i lo -d 127.0.0.0/8 -j DROP

 

#Accept all established inbound connections

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#Allow ping

-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

 

#Reject all other INPUT (the rule is a DROP, so clients get no response). Keep this as the last INPUT rule: with -A, anything appended after it — such as the "Open ports in INPUT chain" rules below — is never evaluated

-A INPUT -j DROP

#

 

#Allow all FORWARD traffic in and out of the LAN interface (`lan` stands for your LAN interface, eth0 in the interfaces file above)

-A FORWARD -i lan -j ACCEPT
-A FORWARD -o lan -j ACCEPT

# Reject all other FORWARD (a DROP). As with INPUT, rules appended after this with -A — including the anti-spoofing and ESTABLISHED,RELATED rules that follow — are never reached, so they must be placed before it

-A FORWARD -j DROP

 

#DROP packets arriving from the WAN that carry a private source address, i.e. attempts to spoof your LAN range to reach your LAN. For this to have any effect it must precede the `-o lan -j ACCEPT` rule above, which would otherwise match such packets first
#Assuming your LAN address is 192.168.1.0/24 (the earlier steps on this page use 192.168.32.0/24; adjust accordingly)

-A FORWARD -s 192.168.1.0/24 -i wan -j DROP

#Forward only the packets that are associated with an established connection

-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

##########################
### PORT FORWARDING ###
##########################

#Example port forwarding WAN:80 to LAN:80
#WAN = eth1
#LAN = eth0 (192.168.1.241)
#LAN host = 192.168.1.6

iptables -t nat -I PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.6

iptables -I FORWARD -i eth1 -o eth0 -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD -i eth1 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -I POSTROUTING -o eth0 -p tcp --dport 80 -d 192.168.1.6 -j SNAT --to-source 192.168.1.241

##############################
### Open ports in INPUT chain ###
##############################
#Allow your firewall itself to access web http (80), https (443) & dns (53). Note that the UDP rule below matches only on source port 53 with no state check, so any UDP packet whose source port is 53 is accepted; the ESTABLISHED,RELATED rule earlier already admits genuine DNS replies, which makes this rule both unnecessary and broader than intended

-A INPUT -i wan -p tcp -m tcp -m multiport --sports 80,443 -m state --state RELATED,ESTABLISHED -j ACCEPT
-I INPUT -p udp -m udp --sport 53 -j ACCEPT

#If your firewall is also a web server, open http & https for visitors
#Allows HTTP and HTTPS connections from anywhere

-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# If your firewall is also a SSH server, open ssh (22) for visitors

-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

##################################
### More secured setting for INPUT ###
##################################
#Allows SSH (allow a visitor only 4 attempts per IP every 3 minutes)

-A INPUT -s x.x.x.x/32 -i wan -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 --name DEFAULT --rsource -j DROP

#Block after 30 tries within 1 minute (the rule below is actually written with --hitcount 10 and --seconds 60, and because `--update` refreshes the timestamp the block lasts only while attempts keep arriving inside the window — it is not permanent)

sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --rttl --name SSH -j DROP

 

#Allow only your home to ping your firewall (icmp)

-A INPUT -s x.x.x.x/32 -i wan -p icmp -j ACCEPT

#Allow only your home to webmin your firewall

-A INPUT -s x.x.x.x/32 -i eth1 -p tcp -m tcp --dport 10000 -j ACCEPT

 

 

####################################
### More secured setting for OUTPUT ###
####################################
#I usually allow the firewall itself to communicate out with everything by default.
#However, if you wish to prevent the firewall itself from communicating out, DROP every OUTPUT (then add the -I ACCEPT rules below, which are inserted ahead of the DROP).

-A OUTPUT -j DROP

#Open the ports your firewall itself needs to reach (these use -I so they are inserted ahead of the DROP above).
#Example: http, https & dns

-I OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT 
-I OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-I OUTPUT -p udp -m udp --dport 53 -j ACCEPT

#If your firewall is also an SSH server, let its replies out: source port 22 (ssh) & 10000 (webmin)

-I OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-I OUTPUT -p tcp -m tcp --sport 10000 -j ACCEPT

# Allow your firewall to respond to ICMP

-A OUTPUT -p icmp -j ACCEPT

 

 
