PPPOE
If you are using an ISP provided router then you probably will not need to set up pppoe, but if you are using a modem you will. From experience thus far it seems that FTP connection tend to work better with modems whereas FTTC have been better with routers. Vodafone multi IP in particular is much simpler to configure if you use the Vodafone router.
If you are using a modem (or a router in modem mode) then you will need to connect it at both ends before you begin. Once you have it connected then install and run pppoeconf and follow the instructions on screen and all being well you will have a connection which you can manage with
pon dsl-provider
to establish the connection or
poff dsl-provider
to disconnect. You can use ifconfig to review the connections. If you have one called ppp0 or similar with a public ip address assigned then you have a connection and should be able to access the internet from your server (curl https://www.debian.org should return the html for the debian website or you can just try an apt-get update).
Now
If you look at your /etc/network/interfaces You will note a configuration for your ppp interface that looks something like
auto dsl-provider
iface dsl-provider inet ppp
pre-up /bin/ip link set eno2 up # line maintained by pppoeconf
provider dsl-provider
As you can see the line that says “line maintained by pppoeconf” identifies the physical interface that your modem is connected to (in my case eno2)
PORT FORWARDING
In order to pass traffic from one interface to another you need to enable port forwarding. To do so immediately issue
echo 1 > /proc/sys/net/ipv4/ip_forward
at the command prompt. To make this permanent you need to edit /etc/sysctl.conf and either add or uncomment the line
net.ipv4.ip_forward = 1
IPTABLES
WARNING: The interface will be different depending on your initial setup. If you are using pppoe with a single static ip then it is likely that every you will use ppp0; if you are connected to a router then it will likely be a physical interface such as eno1, eno2, eth1…. etc. In the examples here we are going to assume that your configuration is a singe static IP and your are using pppoe and a modem (or router in modem mode) therefore everything references the virtual interface ppp0. For other interfaces it is simply a matter of changing this (everything else is the same).
To get things working properly we need to set up iptables. First thing to do is install iptables-persistent in the usual way and then back up any existing rules by issuing the command
iptables-save > /etc/iptables/rules.v4
Now we need to set up a few new rules:
- Allow anything from the loopback interface; Here we assume that the loopback is lo but running ifconfig will confirm this.
iptables -A INPUT -i lo -j ACCEPT
- Next, allow traffic from WAN to the router. Since it is dangerous to allow just anything from WAN, it should allow only packets that are part of a connection the router itself initiated. This prevents any random person on the internet from sending traffic to the router, but still ensures the router can still receive responses from the internet when it wants to. (CREDIT Chris Vo)
iptables -A INPUT -i ppp0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
- Allow packets from the LAN interface (in my case eno1) to be forwarded to the WAN (ppp0)
iptables -A FORWARD -i eno1 -o ppp0 -j ACCEPT
- When we send packets from our LAN interface then well need to make it appear as though we were sending them from the WAN otherwise it may not know where to send any responses (it would also cause problems if every request appeared to come from a private subnet). We therefore want to create a rule that says that the LAN interface should MASQUERADE as the WAN
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
- Next we need tell our configuration which ports should be open to allow incoming traffic. In this example I am just going to open 53 for DNS on tcp and udp and 22 for ssh, but opening other ports is self explanatory
iptables -A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT iptables -A INPUT -i ppp0 -p tcp -m tcp --dport 53 -j ACCEPT iptables -A INPUT -i ppp0 -p udp -m udp --dport 53 -j ACCEPT
- Last but not least we need to set a rule that drops any requests to ports that have not been explicitly set as open
-A INPUT -i ppp0 -j DROP
WARNING: This must be the LAST rule as if you try and open any more ports then it will just ignore those rules. Inserting additional rules can be done by directly editing the rules.v4 file (which we will explain how to do later).
Next save your rules by issuing the command
iptables-save > /etc/iptables/rules.v4
OPENING ADDITIONAL PORTS
To open additional ports the easiest thing to do is edit the /etc/iptables/rules.v4 file directly and then restore it. The file will contain something like
... -A INPUT -i lo -j ACCEPT -A INPUT -i eno1 -j ACCEPT -A INPUT -i ppp0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -i ppp0 -p tcp -m tcp --dport 25 -j ACCEPT -A INPUT -i ppp0 -p tcp -m tcp --dport 53 -j ACCEPT -A INPUT -i ppp0 -p udp -m udp --dport 53 -j ACCEPT -A INPUT -i ppp0 -j DROP -A FORWARD -i eno1 -o eno2 -j ACCEPT ...
Note the line -A INPUT -i ppp0 -j DROP. you will have to place any rules to open additional ports above this line. To close a port just delete the respective line. Here we are opening port 80
... -A INPUT -i lo -j ACCEPT -A INPUT -i eno1 -j ACCEPT -A INPUT -i ppp0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -i ppp0 -p tcp -m tcp --dport 25 -j ACCEPT -A INPUT -i ppp0 -p tcp -m tcp --dport 53 -j ACCEPT -A INPUT -i ppp0 -p udp -m udp --dport 53 -j ACCEPT -A INPUT -i ppp0 -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT -i ppp0 -j DROP ...
Once you have finished editing the file you can apply it with the command
iptables-restore < /etc/iptables/rules.v4
CLIENT GATEWAY
Finally you will now need to set your client gateway to the address of your server (either manually on the clients themselves or on your dhcp server. You clients should now be able to connect to the internet.
Recent Comments