PPPOE
If you are using an ISP provided router then you probably will not need to set up pppoe, but if you are using a modem you will. From experience thus far it seems that FTP connection tend to work better with modems whereas FTTC have been better with routers. Vodafone multi IP in particular is much simpler to configure if you use the Vodafone router.
If you are using a modem (or a router in modem mode) then you will need to connect it at both ends before you begin. Once you have it connected then install and run pppoeconf and follow the instructions on screen and all being well you will have a connection which you can manage with
pon dsl-provider
to establish the connection or
poff dsl-provider
to disconnect. You can use ifconfig to review the connections. If you have one called ppp0 or similar with a public ip address assigned then you have a connection and should be able to access the internet from your server (curl https://www.debian.org should return the html for the debian website or you can just try an apt-get update).
Now (DEBIAN STYLE OS):
If you look at your /etc/network/interfaces You will note a configuration for your ppp interface that looks something like
auto dsl-provider
iface dsl-provider inet ppp
pre-up /bin/ip link set eno2 up # line maintained by pppoeconf
provider dsl-provider
As you can see the line that says “line maintained by pppoeconf” identifies the physical interface that your modem is connected to (in my case eno2)
(ARCH STYLE)
Arch/Manjaro et al do not have the luxury of an interfaces configuration file so we are just using stock systemd-networkd instead. It’s configuration file is in /etc/systemd/network and doesn’t exist by default. Each file is given a name that starts with its precedence then the interface name and a “.network” suffix and they are processed in order of precedence so 10-xxx will be processed before 20-xxx:
10-eno1.network 20-eno2.network
This configuration is not using pppoe, just a standard connection and therefore we have a local interface and a WAN interface. In our example the local interface is 10 and the WAN is 20.
The files contain the following respectively:
[Match] Name=eno1 [Network] Address=172.17.1.23/16
for 10-eno1.network and
[Match] Name=eno2 [Address] Address=xxx.xxx.xx.99/24 [Route] Destination=0.0.0.0/0 Gateway=xxx.xxx.xx.97 Metric=1 GatewayOnLink=yes
:wFor 20-eno2.network; the WAN interface (where 99 is the address of the interface and 97 is the address of the gateway (this was set up against a Vodafone router which has a whole separate page dedicated to it on this blog).
The systemd configuration above would be identical to the following stanza in the /etc/network/interfaces file:
iface eno2 inet static
address xxx.xxx.xxx.99
netmask 255.255.255.0
broadcast xxx.xxx.xxx.xxx
post-up route add default gw xxx.xxx.xxx.xxx metric 1
post-down route del default gw xxx.xxx.xxx.xxx
systemd works out the broadcast for itself and automatically pulls the route when the interface is taken down. It has been rumoured that net-tools will be depreciated for some time now so I expect Debian will pull this method at some point but that rumour is around 10 years old now so don’t hold your breath.
Incidentally, while testing I just used the ip command to bring the interfaces up and set them (this works for ether Debian or Arch based os so I will give a brief outline here:
This method will liven up the interface but does not persist so you will have to use one of the methods above if you don’t want to set up the interface on every reboot.
ip set link up
brings the interface online.
ip addr add xxx.xxx.xxx.xxx/xx dev eno1
sets an ip address and subnet mask.
ip route add default via xxx.xxx.xxx.xxx dev eno2
will establish a route so that you can access your server from the outside world through interface eno2 (Note: The ip address is that of your gateway, not your interface).
If you have your dns set up correctly you should now have a link and be able to ssh to your server from the outside world.
PORT FORWARDING
In order to pass traffic from one interface to another you need to enable port forwarding. To do so immediately issue
echo 1 > /proc/sys/net/ipv4/ip_forward
at the command prompt. To make this permanent you need to edit /etc/sysctl.conf and either add or uncomment the line
net.ipv4.ip_forward = 1
IPTABLES
WARNING: The interface will be different depending on your initial setup. If you are using pppoe with a single static ip then it is likely that every you will use ppp0; if you are connected to a router then it will likely be a physical interface such as eno1, eno2, eth1…. etc. In the examples here we are going to assume that your configuration is a singe static IP and your are using pppoe and a modem (or router in modem mode) therefore everything references the virtual interface ppp0. For other interfaces it is simply a matter of changing this (everything else is the same).
To get things working properly we need to set up iptables. First thing to do is install iptables-persistent in the usual way and then back up any existing rules by issuing the command.
Alternatively for Arch style distributions you can use systemd’s built in iptables service. the only real difference is the rules are stored in /etc/iptables/iptables.rules. Setting them up is identical except for
DEBIAN: iptables-save > /etc/iptables/rules.v4 ARCH: iptables-save > /etc/iptables/iptables.rules
Now we need to set up a few new rules:
- Allow anything from the loopback interface; Here we assume that the loopback is lo but running ifconfig will confirm this.
iptables -A INPUT -i lo -j ACCEPT
- Next, allow traffic from WAN to the router. Since it is dangerous to allow just anything from WAN, it should allow only packets that are part of a connection the router itself initiated. This prevents any random person on the internet from sending traffic to the router, but still ensures the router can still receive responses from the internet when it wants to. (CREDIT Chris Vo)
iptables -A INPUT -i ppp0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
- Allow packets from the LAN interface (in my case eno1) to be forwarded to the WAN (ppp0)
iptables -A FORWARD -i eno1 -o ppp0 -j ACCEPT
- When we send packets from our LAN interface then well need to make it appear as though we were sending them from the WAN otherwise it may not know where to send any responses (it would also cause problems if every request appeared to come from a private subnet). We therefore want to create a rule that says that the LAN interface should MASQUERADE as the WAN
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
- Next we need tell our configuration which ports should be open to allow incoming traffic. In this example I am just going to open 53 for DNS on tcp and udp and 22 for ssh, but opening other ports is self explanatory
iptables -A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT iptables -A INPUT -i ppp0 -p tcp -m tcp --dport 53 -j ACCEPT iptables -A INPUT -i ppp0 -p udp -m udp --dport 53 -j ACCEPT
- Last but not least we need to set a rule that drops any requests to ports that have not been explicitly set as open
-A INPUT -i ppp0 -j DROP
WARNING: This must be the LAST rule as if you try and open any more ports then it will just ignore those rules. Inserting additional rules can be done by directly editing the rules.v4 file (which we will explain how to do later).
Next save your rules by issuing the command
iptables-save > /etc/iptables/rules.v4
OPENING ADDITIONAL PORTS
To open additional ports the easiest thing to do is edit the /etc/iptables/rules.v4 file directly and then restore it. The file will contain something like
... -A INPUT -i lo -j ACCEPT -A INPUT -i eno1 -j ACCEPT -A INPUT -i ppp0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -i ppp0 -p tcp -m tcp --dport 25 -j ACCEPT -A INPUT -i ppp0 -p tcp -m tcp --dport 53 -j ACCEPT -A INPUT -i ppp0 -p udp -m udp --dport 53 -j ACCEPT -A INPUT -i ppp0 -j DROP -A FORWARD -i eno1 -o eno2 -j ACCEPT ...
Note the line -A INPUT -i ppp0 -j DROP. you will have to place any rules to open additional ports above this line. To close a port just delete the respective line. Here we are opening port 80
... -A INPUT -i lo -j ACCEPT -A INPUT -i eno1 -j ACCEPT -A INPUT -i ppp0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -i ppp0 -p tcp -m tcp --dport 25 -j ACCEPT -A INPUT -i ppp0 -p tcp -m tcp --dport 53 -j ACCEPT -A INPUT -i ppp0 -p udp -m udp --dport 53 -j ACCEPT -A INPUT -i ppp0 -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT -i ppp0 -j DROP ...
Once you have finished editing the file you can apply it with the command
iptables-restore < /etc/iptables/rules.v4
CLIENT GATEWAY
Finally you will now need to set your client gateway to the address of your server (either manually on the clients themselves or on your dhcp server. You clients should now be able to connect to the internet.
Recent Comments