Private Subnet with Ubuntu as Router

Suppose we have the following setup:

  • A Computer with Ubuntu installed and two physical network interfaces (might also be virtual, but that's advanced)
  • We have an internet connection on this computer set up and working. Internet traffic goes out (and in) on the network interface eth2
  • We want to create a private subnet
  • The private subnet shall be connected to the computer via the other interface. Here this interface is called eth3.
  • The private subnet shall have the IP subnet 192.168.10.0/24.
  • We want to assign IP addresses to any computer on that subnet via our Ubuntu computer.

This can be done as described here:

Install dnsmasq (DHCP and DNS server)

(Starting with Ubuntu 12.04, you have to disable Network Manager's own instance of dnsmasq to get your own up and running: comment out the line dns=dnsmasq in the file /etc/NetworkManager/NetworkManager.conf and restart Network Manager using sudo restart network-manager.)

Install dnsmasq

sudo apt-get install dnsmasq

Change its configuration using sudo vi /etc/dnsmasq.conf so that it contains the following two lines, where eth3 is the interface on which you want dnsmasq to assign IP addresses, and dhcp-range defines the addresses it hands out (here with a 12-hour lease):

interface=eth3
dhcp-range=192.168.10.50,192.168.10.150,12h

Restart dnsmasq:

sudo service dnsmasq restart

Get the firewall configuration right

with the ufw firewall

Allow all communication on the interface eth3:

sudo ufw allow in on eth3 to any
sudo ufw allow out on eth3 to any

Alternatively you can allow DNS and DHCP services (names as set in /etc/services) and allow the subnet:

sudo ufw allow domain
sudo ufw allow bootps

Now set up the NAT masquerading. This is done here as described in the Ubuntu Fire Wall (ufw) post on nowhere.dk. Add this new line in the first lines of /etc/ufw/before.rules (the nowhere.dk example uses ppp0 as the outgoing interface; in our setup the internet-facing interface is eth2, so use that):

-A POSTROUTING -s 192.168.10.0/24 -o eth2 -j MASQUERADE

In addition you need to edit the ufw defaults with sudo vi /etc/default/ufw and set DEFAULT_FORWARD_POLICY="ACCEPT". Also edit sudo vi /etc/ufw/sysctl.conf and uncomment the line net.ipv4.ip_forward=1 so that the kernel forwards packets between the two interfaces.

And restart ufw using sudo ufw disable && sudo ufw enable.

Port forwarding – If you want to forward a port to a computer on the subnet, read this post on ubuntuforums.org and add one or more lines of the following form to /etc/ufw/before.rules (tcp and udp are separate rules; add only the protocol the service actually uses):

# My DNAT rules
-A PREROUTING -i <iface> -p tcp --dport <port> -j DNAT --to-destination <addr>[:port]
-A PREROUTING -i <iface> -p udp --dport <port> -j DNAT --to-destination <addr>[:port]

After all this, the beginning of the file /etc/ufw/before.rules should look like this:

# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic from 192.168.10.0/24 to the outer world via the interface eth2
-A POSTROUTING -s 192.168.10.0/24 -o eth2 -j MASQUERADE

# My DNAT rules: forward incoming tcp and udp connections arriving on eth2 at port 1999 to port 80 on the machine 192.168.10.99:
-A PREROUTING -i eth2 -p tcp --dport 1999 -j DNAT --to-destination 192.168.10.99:80
-A PREROUTING -i eth2 -p udp --dport 1999 -j DNAT --to-destination 192.168.10.99:80

# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT
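As an added example that is not part of the original post, the following POSIX shell script builds the *nat block above from the setup's parameters (uplink interface, private subnet, optional port forwards) and checks an existing before.rules for the mistake that the copied nowhere.dk line invites: a MASQUERADE rule bound to the wrong outgoing interface, which silently breaks NAT. The function names and the ext_port:addr:port forward notation are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: generate the *nat block for
# /etc/ufw/before.rules and sanity-check the MASQUERADE interface.

# gen_nat_rules EXT_IF SUBNET [EXT_PORT:INT_ADDR:INT_PORT ...]
# Prints the nat table: masquerade SUBNET out of EXT_IF, plus one tcp and
# one udp DNAT rule per forward, in the same form as the rules in the post.
gen_nat_rules() {
    ext_if=$1; subnet=$2; shift 2
    printf '*nat\n:POSTROUTING ACCEPT [0:0]\n'
    printf '%s\n' "-A POSTROUTING -s $subnet -o $ext_if -j MASQUERADE"
    for fwd in "$@"; do
        ext_port=${fwd%%:*}; rest=${fwd#*:}
        int_addr=${rest%%:*}; int_port=${rest#*:}
        for proto in tcp udp; do
            printf '%s\n' "-A PREROUTING -i $ext_if -p $proto --dport $ext_port -j DNAT --to-destination $int_addr:$int_port"
        done
    done
    printf 'COMMIT\n'
}

# check_masquerade_iface FILE EXT_IF
# Succeeds (exit 0) only if every MASQUERADE rule in FILE leaves via EXT_IF.
# A rule copied with another interface (ppp0, eth0) matches nothing, so the
# private subnet's traffic leaves unmasqueraded and never gets answered.
check_masquerade_iface() {
    bad=$(grep -- '-j MASQUERADE' "$1" | grep -v -- "-o $2 " || true)
    [ -z "$bad" ]
}

# Print the block for this post's setup: uplink eth2, subnet 192.168.10.0/24,
# external port 1999 forwarded to 192.168.10.99:80.
gen_nat_rules eth2 192.168.10.0/24 1999:192.168.10.99:80
```

Run check_masquerade_iface /etc/ufw/before.rules eth2 after editing the file; a non-zero exit means a MASQUERADE line still names another interface.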

with iptables as firewall

Alternatively, use plain iptables directly, as described here (in German). Note that these settings are not persistent and will be gone after a reboot. The interface names are adapted to this setup (eth3 is the private subnet, eth2 the internet uplink):

# enable forwarding between the interfaces for the running kernel
sysctl -w net.ipv4.ip_forward=1
# allow new connections from the private subnet on eth3 out to the internet on eth2
iptables -A FORWARD -i eth3 -o eth2 -s 192.168.10.0/24 -m conntrack --ctstate NEW -j ACCEPT
# allow replies and related traffic in both directions
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# masquerade everything leaving via the uplink eth2
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
# the original source also allows the whole 192.168.0.0/16 range out via eth2; this is broader than our /24 and already covered by the first FORWARD rule
iptables -A FORWARD -o eth2 -s 192.168.0.0/16 -m conntrack --ctstate NEW -j ACCEPT

For port forwarding see http://www.debian-administration.org/articles/73

Debug Dnsmasq

Make sure dnsmasq listens on port 53 (domain / DNS) and port 67 (bootps / DHCP) using

sudo netstat -lntup | grep dnsmasq

Add the following options to /etc/dnsmasq.conf:

log-queries
log-dhcp

Watch the firewall log for rejected packets and the syslog for dnsmasq-dhcp entries:

tail -f /var/log/ufw.log
tail -f /var/log/syslog | grep dnsmasq-dhcp
