Linux Router
Creating a Linux router is fairly simple. Some distros like Alpine Linux are well suited for it but any will do. I used Debian in this example.
Install the base OS without a desktop system. Assuming you have two network interfaces, pick one to be the LAN interface (traditionally the first one, eth0 or such) and set the address statically.
Basic Routing
To route, all you really need to do is enable forwarding.
# as root
# enable
sysctl -w net.ipv4.ip_forward=1
# and persist
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
Private Range
If one side is a private network, such as in the 192.168 range, you probably need to masquerade. This assumes you already have nftables installed and its default rules in /etc/nftables.conf.
# As root
# Add the firewall rules to masquerade
nft flush ruleset
nft add table nat
nft add chain nat postrouting { type nat hook postrouting priority 100\; }
nft add rule nat postrouting masquerade
# Persist the rules and enable the firewall
nft list ruleset >> /etc/nftables.conf
systemctl enable --now nftables.service
DNS and DHCP
If you want to provide network services such as DHCP and DNS, you can add dnsmasq:
sudo apt install dnsmasq
The following assumes the LAN interface is named eth0 and set to 192.168.0.1.
vi /etc/dnsmasq.d/netboot.conf
interface=eth0
dhcp-range=192.168.0.100,192.168.0.200,12h
dhcp-option=option:router,192.168.0.1
dhcp-authoritative
# enable dnsmasq and restart it so it reads the new file
systemctl enable dnsmasq.service
systemctl restart dnsmasq.service
Firewall
You may want to add some firewall rules too.
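# allow loopback and replies to connections the router itself opened
# (needed once the input policy is drop, e.g. for dnsmasq's upstream DNS lookups)
sudo nft add rule inet filter input iif lo accept
sudo nft add rule inet filter input ct state established,related accept
# allow SSH from the lan interface
sudo nft add rule inet filter input iifname eth0 tcp dport ssh accept
# allow DNS and DHCP from the lan interface
sudo nft add rule inet filter input iifname eth0 tcp dport domain accept
sudo nft add rule inet filter input iifname eth0 udp dport {domain, bootps} accept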
# Change the default input policy to drop
sudo nft add chain inet filter input {type filter hook input priority 0\; policy drop\;}
You can fine-tune these a bit more with the nft example.
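The NAT and firewall steps from this page combined into a single /etc/nftables.conf, as an added example that is not part of the original page. It assumes the WAN interface is named eth1 and the LAN is a /24 around 192.168.0.1 (neither is stated on the page), limits masquerading to traffic leaving the WAN side, and adds a forward chain, which goes beyond the input-only rules shown here.

```nftables
#!/usr/sbin/nft -f
# Added example, not the page's own file.
flush ruleset

define LAN_IF  = "eth0"
define WAN_IF  = "eth1"            # assumption: name of the upstream interface
define LAN_NET = 192.168.0.0/24    # assumption: /24 around the 192.168.0.1 LAN address

table inet filter {
    chain input {
        # traffic addressed to the router itself
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        # replies to connections the router opened (apt, upstream DNS, ...)
        ct state established,related accept
        ct state invalid drop

        # services offered to the LAN only: SSH, DNS, DHCP
        iifname $LAN_IF tcp dport ssh accept
        iifname $LAN_IF tcp dport domain accept
        iifname $LAN_IF udp dport { domain, bootps } accept
    }

    chain forward {
        # routed traffic: LAN clients may open connections outwards,
        # the WAN side may only send replies back
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        iifname $LAN_IF oifname $WAN_IF ip saddr $LAN_NET accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;

        # masquerade only LAN-sourced packets leaving through the WAN interface
        oifname $WAN_IF ip saddr $LAN_NET masquerade
    }
}
```

Check the file with `nft -c -f /etc/nftables.conf` before loading it with `systemctl restart nftables.service`, and keep a console session open in case the SSH rule does not match your interface name.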