Debian Router - Iptables And Sysctl.Conf Configuration


Published:2015-06-12T13:23:24Z Edited:2017-06-22T13:23:24Z

Today we'll finish configuring our router. In the previous article we configured the squid proxy; in this article we'll pass all LAN traffic through squid using iptables.

 
Also in this Debian router series:
  1. Introduction.
  2. Hardware Requirements.
  3. Software installation.
  4. Basic Setup.
  5. /etc/network/Interfaces Configuration.
  6. Unbound dns server setup.
  7. DHCP server setup
  8. Squid setup
  9. Final step iptables and sysctl.conf configuration. (We are Here!)

 

Iptables

We start by creating a file containing our rules, so let's create /etc/iptables-router.rules

vi /etc/iptables-router.rules
First the filter table. Let's allow all traffic. Please note this is a BAD idea: with an ACCEPT policy on INPUT, every service on the router (squid on 3377, unbound, the DHCP server) is reachable from the WAN side as well as from the LAN, and with an ACCEPT policy on FORWARD anything on the WAN side can be forwarded into the LAN. We keep it this way only to make debugging easy; you may skip this step and write a restrictive filter table instead if you like.
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
COMMIT
Next, redirect TCP traffic from the LAN to squid on port 3377 (remember we changed it from the default 3128). As written, the REDIRECT rules match every TCP port, not just 80; squid's intercept port only understands HTTP, so HTTPS, SSH and any other non-HTTP TCP traffic from the LAN will break. Add --dport 80 to both REDIRECT rules unless you really want everything sent to squid. The OUTPUT rule excludes packets owned by the proxy user so squid's own outbound connections are not redirected back into squid.
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A PREROUTING -s 10.5.5.0/24 -i eth1 -p tcp -m tcp -j REDIRECT --to-ports 3377
-A OUTPUT -s 10.5.5.0/24 -p tcp -m owner ! --uid-owner proxy -m tcp -j REDIRECT --to-ports 3377
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
Allow all traffic through the mangle table. ACCEPT is already the default, so this is just to make it explicit.
*mangle
:PREROUTING ACCEPT
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
COMMIT
Save /etc/iptables-router.rules and exit.
 
Next we'd like this file to be loaded whenever the network is brought up, so we create /etc/network/if-pre-up.d/router with the following content:
#! /bin/sh

iptables-restore < /etc/iptables-router.rules

exit 0
Make it executable by running:
chmod a+x /etc/network/if-pre-up.d/router

sysctl.conf configuration

We need to do a few things in /etc/sysctl.conf.
First turn on source address verification (reverse-path filtering, which drops packets arriving on an interface the kernel would not route back through) by adding/uncommenting the following lines:
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
Enable IP forwarding, without which the router will not pass packets between eth1 and eth0 at all, by adding/uncommenting the following line:
net.ipv4.ip_forward=1
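The allow-all filter table above is fine for debugging but not for a router that sits on the WAN. The script below is an added example, not part of the original article, that writes a restrictive replacement ruleset: INPUT and FORWARD default to DROP, only the LAN may reach squid, DNS and DHCP on the router, only LAN-to-WAN forwarding (plus its return traffic) is allowed, and only port 80 is redirected into squid. It keeps the article's names (eth0 = WAN, eth1 = LAN, 10.5.5.0/24, squid on 3377, user proxy) and assumes unbound listens on 53/udp+tcp and the DHCP server on 67/udp on eth1; the file path and the check_rules helper are this example's own.

```shell
#!/bin/sh
# Added example: restrictive iptables ruleset for the Debian router.
# Assumed layout (from the article): eth0 = WAN, eth1 = LAN, LAN net 10.5.5.0/24,
# squid intercept port 3377 running as user "proxy". Assumed by this example:
# unbound on 53/udp+tcp and the DHCP server on 67/udp, both on eth1.
set -eu

LAN_IF=eth1
WAN_IF=eth0
LAN_NET=10.5.5.0/24
SQUID_PORT=3377

# write_rules FILE: emit a complete iptables-restore ruleset to FILE.
write_rules() {
    cat > "$1" <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# the router itself: loopback and replies to connections it opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# LAN clients may reach the proxy, DNS, DHCP and ping; nothing is exposed on the WAN side
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $SQUID_PORT -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT
# forwarding: LAN -> WAN and its return traffic only; nothing initiated from the WAN
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# only plain HTTP goes to squid; redirecting every TCP port would break HTTPS, SSH, ...
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
-A OUTPUT -s $LAN_NET -p tcp --dport 80 -m owner ! --uid-owner proxy -j REDIRECT --to-ports $SQUID_PORT
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# check_rules FILE: sanity checks that need neither root nor iptables.
check_rules() {
    f=$1
    # every table opened with *name must be closed by a COMMIT
    [ "$(grep -c '^\*' "$f")" -eq "$(grep -c '^COMMIT$' "$f")" ] || return 1
    # INPUT and FORWARD must default to DROP
    grep -q '^:INPUT DROP' "$f" && grep -q '^:FORWARD DROP' "$f" || return 1
    # no REDIRECT rule without a --dport: that is the "all TCP into squid" footgun
    if grep -E '^-A (PREROUTING|OUTPUT) .*-j REDIRECT' "$f" | grep -qv -- '--dport'; then
        return 1
    fi
}

# apply_rules FILE: parse-only dry run first, then load atomically and enable
# forwarding / rp_filter right away instead of waiting for the next boot. Root only.
apply_rules() {
    iptables-restore --test < "$1"
    iptables-restore < "$1"
    sysctl -w net.ipv4.ip_forward=1 net.ipv4.conf.all.rp_filter=1
}

case "${1:-check}" in
    apply)
        write_rules /etc/iptables-router.rules
        apply_rules /etc/iptables-router.rules ;;
    *)
        tmp=$(mktemp)
        write_rules "$tmp"
        check_rules "$tmp" && echo "ruleset looks sane: $tmp" ;;
esac
```

Run it without arguments to write and check the ruleset in a temporary file; run it as root with `apply` on the router to install it into /etc/iptables-router.rules, the path the if-pre-up.d hook above loads. Because port-80 traffic is redirected in PREROUTING, it reaches squid through the INPUT chain (dport 3377), not FORWARD, which is why the FORWARD chain does not need a rule for it.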

 

That's it, time to enjoy : )

You may reboot now to ensure everything is running (sysctl.conf is only read at boot, so a reboot also applies the forwarding and rp_filter settings), or restart each service we set up one by one and reload sysctl.conf by hand if you really know how :P
reboot

-------------------
cheers
