Simple router using Debian and Firewall-cmd as a base
Here is a quick rundown on how to make a simple Debian box into a router.
Remove unneeded items
apt purge iptables
Install required items
apt install bridge-utils firewalld dnsmasq
Enable IP forwarding
sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
Find the NICs
ip a
Now we create the bridge. This assumes your device has three NICs and you want two for the LAN and one for the WAN. (The original listing had a typo in the second stanza, "iface eth0 inet manual" where eth1 was meant; it is corrected here.)
nano /etc/network/interfaces
# WAN port, address from the upstream DHCP server
allow-hotplug eth0
auto eth0
iface eth0 inet dhcp
# LAN ports, no addresses of their own, enslaved to br0 below
auto eth1
allow-hotplug eth1
iface eth1 inet manual
auto eth2
allow-hotplug eth2
iface eth2 inet manual
# LAN bridge, this is the router's LAN address
auto br0
iface br0 inet static
address 192.168.5.1
netmask 255.255.255.0
bridge_ports eth1 eth2
bridge_fd 0
bridge_stp off
It probably wouldn't hurt to reboot now. Hopefully all is working. The LAN IP will be 192.168.5.1 and the WAN IP will be picked up via DHCP.
Add firewalld rules
firewall-cmd --zone=home --add-interface=br0
firewall-cmd --zone=public --add-interface=eth0
firewall-cmd --zone=public --add-masquerade
firewall-cmd --zone=home --add-service=ssh
firewall-cmd --runtime-to-permanent
Configure dnsmasq (this assumes you want to use it for DHCP and DNS)
sed -i 's/#interface=/interface=br0/g' /etc/dnsmasq.conf
Find dhcp-range and set it to what you'd like. I used the following (the original line was missing the file name, so the sed would have read from stdin instead of editing the config):
sed -i 's/#dhcp-range=192.168.0.50,192.168.0.150,12h/dhcp-range=192.168.5.50,192.168.5.150,4h/g' /etc/dnsmasq.conf
Now we can allow dnsmasq through the firewall for DNS and DHCP. These are runtime rules, so save them again or they are lost at the reboot below.
firewall-cmd --zone=home --add-service=dns
firewall-cmd --zone=home --add-service=dhcp
firewall-cmd --runtime-to-permanent
Now enable dnsmasq so it starts at boot
systemctl enable dnsmasq
If you want SSH from the WAN you can do the following (again saved to the permanent config)
firewall-cmd --zone=public --add-service=ssh
firewall-cmd --runtime-to-permanent
We can reboot again and hopefully it's going to be working
reboot
YOU SHOULD NOW HAVE AN AWESOME WORKING ROUTER
If you want to do port forwarding you can use the following. The fields in the rule are:
192.168.9.99: internal device IP
8888: internal port
5555: external port
tcp: protocol (tcp/udp)
firewall-cmd --permanent --add-forward-port=port=5555:proto=tcp:toaddr=192.168.9.99:toport=8888
firewall-cmd --reload
A rule added with --permanent only takes effect after the reload (or a restart of firewalld). The rule goes into the default zone, which is public here, so it applies to traffic arriving on the WAN port.
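Two of the values above are easy to get wrong: a dhcp-range that does not lie inside the bridge subnet (for example if the sed above does not match and dnsmasq keeps its 192.168.0.x default), and a forward-port target that is not on the LAN. The following is an added example, not part of the original post, with pre-flight checks in plain POSIX sh; the function names ip2int, in_lan, check_dhcp_range and check_forward_target are mine. Run it against the values you intend to put into dnsmasq.conf and the forward-port rule; with the LAN address 192.168.5.1/24 used in this post, the forward target 192.168.9.99 is flagged because it is not on the bridge subnet.

```shell
#!/bin/sh
# Added example: sanity checks for the dhcp-range and forward-port values
# before they are written to dnsmasq.conf / firewalld. Pure shell, no
# external tools, so it can run on the box before any service is started.

# ip2int 192.168.5.1 -> 3232236801 (dotted quad to a 32-bit integer)
ip2int() {
  set -- $(echo "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_lan ADDR LAN_ADDR NETMASK -> 0 if ADDR is inside the LAN subnet
in_lan() {
  a=$(ip2int "$1"); l=$(ip2int "$2"); m=$(ip2int "$3")
  [ $(( a & m )) -eq $(( l & m )) ]
}

# check_dhcp_range LAN_ADDR NETMASK START END
# Fails if the pool is outside the bridge subnet, reversed, or would hand
# out the router's own address (dnsmasq does not prevent that by itself).
check_dhcp_range() {
  lan=$1; mask=$2; start=$3; end=$4
  in_lan "$start" "$lan" "$mask" || { echo "dhcp start $start is not on the LAN"; return 1; }
  in_lan "$end" "$lan" "$mask"   || { echo "dhcp end $end is not on the LAN"; return 1; }
  s=$(ip2int "$start"); e=$(ip2int "$end"); r=$(ip2int "$lan")
  [ "$s" -le "$e" ] || { echo "dhcp range $start-$end is reversed"; return 1; }
  if [ "$r" -ge "$s" ] && [ "$r" -le "$e" ]; then
    echo "router address $lan lies inside the dhcp range"; return 1
  fi
  echo "dhcp range $start-$end ok for $lan/$mask"
}

# check_forward_target LAN_ADDR NETMASK TOADDR
# A forward-port toaddr that is not on the bridge subnet can never be
# reached through br0, so the rule would silently drop traffic.
check_forward_target() {
  in_lan "$3" "$1" "$2" || { echo "forward target $3 is not on $1/$2"; return 1; }
  echo "forward target $3 ok"
}

# Values from this post: LAN 192.168.5.1/24, pool .50-.150, target 192.168.9.99
check_dhcp_range 192.168.5.1 255.255.255.0 192.168.5.50 192.168.5.150
check_forward_target 192.168.5.1 255.255.255.0 192.168.9.99 || true
```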