Configure a simple router based on Debian 12/Bookworm.
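#!/usr/bin/env bash
#
# setup-router.sh
#
# Configure a simple router based on Debian 12/Bookworm.
#
# Base image:
# https://cloud.debian.org/images/cloud/bookworm/20240901-1857/debian-12-genericcloud-amd64-20240901-1857.qcow2
#
# Must run as root: every step writes under /etc or restarts a service.
# Abort on the first failure instead of continuing with a half-configured
# router (for example IP forwarding enabled while the nftables policy that
# is supposed to restrict it never got loaded).
#
set -euo pipefail

if [ "$(id -u)" -ne 0 ]; then
  echo "setup-router.sh: must run as root" >&2
  exit 1
fi

#
# Configuration variables
#
# The MAC addresses pin the WAN (untrusted) and LAN (trusted) roles to
# specific NICs: netplan matches on them and renames the interface, so a
# different enumeration order after a reboot cannot swap the two sides.
WAN_IF_NAME=eth0
WAN_MAC_ADDRESS=bc:24:11:a7:a0:dd
LAN_IF_NAME=eth1
LAN_MAC_ADDRESS=bc:24:11:09:5f:73
LAN_IPV4=10.10.1.1
LAN_IPV4_PREFIX=24
DHCP_DOMAIN_NAME=lab.example.com
# dnsmasq dhcp-range: first address, last address, lease time.
DHCP_RANGE=10.10.1.100,10.10.1.150,12h

# Fail here on a blank value rather than writing a netplan/dnsmasq/nft file
# with an empty field in it.
: "${WAN_IF_NAME:?}" "${WAN_MAC_ADDRESS:?}" "${LAN_IF_NAME:?}" "${LAN_MAC_ADDRESS:?}"
: "${LAN_IPV4:?}" "${LAN_IPV4_PREFIX:?}" "${DHCP_DOMAIN_NAME:?}" "${DHCP_RANGE:?}"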
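#
# Configure network interfaces via netplan
#
# The 60-/61- prefixes sort after cloud-init's own 50-cloud-init.yaml, so on
# an overlapping key these definitions win -- confirm on your image.
# Recent netplan releases warn when its files are readable by others, so each
# file is created root-only before it is written.
#
# Configure WAN, dhcp
install -m 0600 /dev/null "/etc/netplan/60-$WAN_IF_NAME.yaml"
cat > "/etc/netplan/60-$WAN_IF_NAME.yaml" <<EOF
network:
  version: 2
  ethernets:
    $WAN_IF_NAME:
      dhcp4: true
      match:
        macaddress: $WAN_MAC_ADDRESS
      set-name: $WAN_IF_NAME
EOF
# Configure LAN, static
install -m 0600 /dev/null "/etc/netplan/61-$LAN_IF_NAME.yaml"
cat > "/etc/netplan/61-$LAN_IF_NAME.yaml" <<EOF
network:
  version: 2
  ethernets:
    $LAN_IF_NAME:
      addresses:
        - $LAN_IPV4/$LAN_IPV4_PREFIX
      match:
        macaddress: $LAN_MAC_ADDRESS
      set-name: $LAN_IF_NAME
EOF
# Reject a malformed file before touching the live interfaces.
netplan generate
netplan apply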
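#
# Enable IP forwarding
#
# IPv4 only; nothing here turns on IPv6 forwarding. The nftables forward
# chain is what decides which forwarded traffic is allowed -- forwarding
# without that policy turns the box into an open relay between WAN and LAN.
echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/00-enable-ip-forward.conf
# Load exactly this fragment now (it is also applied at boot like any other
# sysctl.d file); no dependency on the procps init script.
sysctl -p /etc/sysctl.d/00-enable-ip-forward.conf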
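#
# Add DHCP & DNS server (dnsmasq)
#
# systemd-resolved's stub listener owns 127.0.0.53:53; dnsmasq cannot bind
# port 53 while it is there. Disable it with a drop-in instead of editing
# resolved.conf with sed: a sed on the exact commented line silently does
# nothing when the file differs, and dnsmasq then fails to start.
# https://unix.stackexchange.com/a/358485/594172
install -d -m 0755 /etc/systemd/resolved.conf.d
cat > /etc/systemd/resolved.conf.d/no-stub-listener.conf <<'EOF'
[Resolve]
DNSStubListener=no
EOF
# Reload -- https://github.com/systemd/systemd/issues/20604#issuecomment-1437279491
# Only restart the unit when it is running: the cloud image may not ship
# systemd-resolved at all, and then there is no stub to get out of the way.
if systemctl is-active --quiet systemd-resolved; then
  systemctl restart systemd-resolved
fi
# NOTE(review): if /etc/resolv.conf on the router is the resolved stub
# symlink (nameserver 127.0.0.53), the router's own lookups stop working
# once the stub is gone; point it at 127.0.0.1 (dnsmasq listens on lo too)
# or at /run/systemd/resolve/resolv.conf -- confirm on the image.

# Install dnsmasq. A fresh cloud image may have no package lists yet.
apt-get update
DEBIAN_FRONTEND=noninteractive apt-get install -y dnsmasq

# Configure dnsmasq
cat > "/etc/dnsmasq.d/$LAN_IF_NAME.conf" <<EOF
# Serve DNS and DHCP on the LAN interface only. Dnsmasq automatically adds the loopback (local) interface to the list of interfaces to use when the --interface option is used.
interface=$LAN_IF_NAME
# Specifies DNS domains for the DHCP server.
domain=$DHCP_DOMAIN_NAME
# Enable the DHCP server: first address, last address, lease time.
dhcp-range=$DHCP_RANGE
# Default gateway and resolver handed to DHCP clients: this router.
dhcp-option=option:router,$LAN_IPV4
dhcp-option=option:dns-server,$LAN_IPV4
EOF
cat > /etc/dnsmasq.d/shared.conf <<EOF
# Bind to the addresses of the listed interfaces instead of 0.0.0.0, and
# follow address changes (the LAN interface may come up after dnsmasq at boot).
bind-dynamic
# Don't read the hostnames in /etc/hosts
no-hosts
# Don't read /etc/resolv.conf.
no-resolv
# Specify upstream servers directly.
server=1.1.1.1
server=1.0.0.1
# Never forward plain names (no dot) or reverse lookups for private address
# ranges upstream: they leak internal names and can only be answered locally.
domain-needed
bogus-priv
# Answer the DHCP domain from leases only; never forward it upstream.
local=/$DHCP_DOMAIN_NAME/
# Do not provide DHCP, TFTP or router advertisement on the specified interface, but do provide DNS service.
no-dhcp-interface=lo
# Should be set when dnsmasq is definitely the only DHCP server on a network.
dhcp-authoritative
EOF
# Syntax-check the generated configuration before (re)starting the service.
dnsmasq --test
systemctl enable dnsmasq
systemctl restart dnsmasq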
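## NAT & Packet filtering (nftables)
DEBIAN_FRONTEND=noninteractive apt-get install -y nftables
cat > /etc/nftables.conf <<EOF
#!/usr/sbin/nft -f
flush ruleset

table ip nat {
  chain prerouting {
    # Empty on purpose: DNAT rules for port forwards go here.
    type nat hook prerouting priority 0;
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    # Hide the LAN behind the WAN address.
    oifname "$WAN_IF_NAME" masquerade
  }
}

table inet filter {
  chain input {
    type filter hook input priority 0;
    policy drop;
    # Packets conntrack cannot classify are dropped before the
    # established/related shortcut has a chance to accept them.
    ct state invalid drop
    ct state established,related accept
    iifname "lo" accept
    # Everything arriving on the LAN side is trusted (DNS, DHCP, SSH, ...).
    iifname "$LAN_IF_NAME" accept
    # lo and LAN are already accepted above, so in practice this opens SSH
    # to the WAN side. Keep it only if the router is managed over WAN, and
    # prefer restricting it with "ip saddr <admin-net>".
    tcp dport ssh accept
    icmp type echo-request accept
    # If the WAN link provides IPv6, neighbour discovery has to pass or the
    # host cannot resolve its gateway at all.
    icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request } accept
  }
  chain forward {
    type filter hook forward priority 0;
    policy drop;
    ct state invalid drop
    ct state established,related accept
    # Only LAN -> WAN may open connections. WAN -> LAN needs a DNAT rule in
    # nat/prerouting plus an explicit accept here.
    iifname "$LAN_IF_NAME" oifname "$WAN_IF_NAME" accept
  }
  chain output {
    type filter hook output priority 0;
    policy accept;
  }
}
EOF
# Parse the ruleset without loading it. A syntax error would otherwise make
# nftables.service fail at the next boot and leave the box forwarding with no
# filter at all.
nft -c -f /etc/nftables.conf
systemctl enable nftables
systemctl restart nftables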