BYOR part deux Hello all!
I’m back again with part two of the Build Your Own Router Series!
In this post, we’re going to do the following:

  • Talk about our proposed network architecture
  • Set up our interfaces
  • Set up a DHCP server and define our subnets
  • Define some subnet ranges for our devices
  • Set up some DHCP reservations
  • Set up a DNS cache server
  • Set up some basic iptables rules and forwarding

What you must have before this point

You need a Linux machine with two NICs, updated and ready to go.(I’ll be using 64bit Debian Jesse)

The Network Architecture

Most likely, unless you have a particularly different setup, you have a modem connected to a combo router/wireless access point, or perhaps a modem+router+WAP all-in-one unit. See the images below for a diagram of this:

Typical All-In-One Home LAN

Typical All-In-One Home LAN

Our Home LAN

Typical Modem+Router/WAP/Switch Home LAN

The units in the red boxes usually handle the following things and not much more:

  • Routing
  • DHCP
  • DNS
  • Firewall

It’s likely a small system-on-a-chip (SoC) and is configured with a web GUI. The architecture we are proposing is a little different. We want to replace that router part (the part inside the red box) with our Linux machine. We’ll let the Linux kernel do our packet switching, and let a few services handle DHCP, DNS, and the Firewall.

Note: this will require that you have a separate modem with an Ethernet interface.

Our IP network will have the following properties:

Property Value or Description
Linux machine LAN IP

Let’s set up the interfaces

First, let’s see our two NICs and find out what the system calls them:

machine:/# ls /sys/class/net
	eth0  eth1  lo

So we now know our interfaces are named eth0 and eth1. Let’s designate eth0 as the WAN or Internet side of our machine, and designate eth1 as the LAN side of the interface.
Edit the /etc/network/interfaces to set up our WAN side to get and IP address from the ISP and our LAN side to have a static IP on our subnet.
The file should look similar to:

	source /etc/network/interfaces.d/*

	# The loopback network interface
	auto lo
	iface lo inet loopback

	# The WAN network interface
	allow-hotplug eth0
	iface eth0 inet dhcp

	# The LAN network interface
	allow-hotplug eth1
	iface eth1 inet static

Once you save this file and restart the network service, you should be able to see your interfaces using the tool ifconfig.
Now, plug in the WAN side to your router and let’s get on the internet!

Setting up DHCP

Since we want our Linux machine to hand out IP addresses on our LAN side, we need to install a DHCP server. Use your package manager to install isc-dhcp-server:

	apt-get install isc-dhcp-server

Now we need to tell the DHCP server what to do. Edit the DHCP configuration file (likely in /etc/dhcp/dhcpd.conf)

	option domain-name-servers    ;
	option routers                ;
	default-lease-time                      600;
	max-lease-time                          7200;
	ddns-update-style none;

	subnet netmask
		option broadcast-address;
		allow unknown-clients;	
		pool {



This will instruct the DHCP server to hand out addresses on the LAN in the range
Restart the DHCP service to have these changes take effect. You should now be able to plug your laptop into the LAN port on your Linux machine and get an IP address via DHCP.
Now that we have some addresses assigned for DHCP use, let’s assign some DHCP reservations. Editing the same config file, add this:

host my-laptop {
		hardware ethernet aa:bb:cc:dd:ee:ff;

The ‘hardware ethernet’ line should contain the MAC address of your laptop, and the ‘fixed-address’ line should be the address you want to give that machine each time it requests one. Another restart will cause these new changes to take effect.

DNS Cache server

This is the easy part!

	apt-get install bind9

Done! That’s all for a basic configuration.

Forwarding and Firewall

Now we have a machine which can hand out IP addresses, but it can’t actually forward any traffic yet! First thing’s first, let’s enable forwarding.
Edit /etc/sysctl.conf and change the line regarding IPv4 forwarding to

net.ipv4.ip_forward = 1

Then, to make these changes active, issue a ‘sysctl -p’
Now we can forward traffic, let’s create some iptables rules to keep us straight. Two things to note here,

  1. iptables rules must be re-enabled after each reboot
  2. iptables can be dangerous! always backup your configuration

Because iptables are not persistent between reboots, we’ll use a script! Let’s first create a file in /etc/network/ called ‘iptables-rules’. In this script, place the following iptables rules:





# accept all loopback
-A INPUT -s -d -i lo -j ACCEPT

# accept all pings
-A INPUT -p icmp -j ACCEPT

# accept all established connections
-A INPUT -m state --state ESTABLISHED -j ACCEPT

# enable traceroute rejections to get sent out
-A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable

# DNS from LAN
-A INPUT -i eth1 -p tcp --dport 53 -j ACCEPT
-A INPUT -i eth1 -p udp --dport 53 -j ACCEPT

# SSH from LAN
-A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT

# DHCP from LAN
-A INPUT -i eth1 -p udp --dport 67:68 -j ACCEPT

# forward packets along established/related connections

# forward from LAN to WAN 
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth1 -o tun0 -j ACCEPT

# drop all other forwarded traffic

# drop all other inbound traffic


The comments for each section describe what that particular rule accomplishes. Now, let’s make the script which will restore these rules on startup. Create an executable file in /etc/network/if-pre-up.d called iptables-restore-rules. In that file, insert this:

iptables-restore < /etc/network/iptables-rules

The location of this script, ensures that it will be executed *prior to* the network interfaces coming up, therefore protecting us from the internet!

Wrap up

Now we have a basic Linux router which can serve IP addresses, route packets between interfaces, and has a basic level of firewalling from the internet. In the next post, we’ll do some more iptables stuff, and talk about OpenVPN and how we can use policy based routing to route some traffic through a VPN and some around it.
As always, thanks for reading!