Debian Linux Home Router with IPv4 and IPv6

By | 2014/04/28

I use Debian Wheezy for a home router with an he.net IPv6 tunnel. Here are the configs I have in place for this to work!


Note: This is not a full how-to guide but rather a dump of config files. Hopefully this will be of use to fellow Linux geeks out there. I am using a /24 class B because I do not like to use 192.168.x.x.


Setup

Single box, two NICs.

eth0: Connected to cable modem

eth1: Connected to switch for internal network

Packages used:

iptables: Firewall and NAT for IPv4; firewall for IPv6 (ip6tables). Configured to allow ICMP and SSH.
isc-dhcp-server: IPv4 dhcp and DNS.
radvd: Announce IPv6 RA to internal client computers – provides IPv6 via stateless autoconfiguration.
fail2ban: Installed to limit ssh bots.
vnstat: Record amount of network traffic that passes through router.

IPv4 is provided via dhcp from the ISP. IPv6 is from an he.net tunnel.


Config Files

/etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0 eth1
iface eth0 inet dhcp
# This is an autoconfigured IPv6 interface
iface eth0 inet6 auto

auto eth1
iface eth1 inet static
        address 172.16.0.1
        netmask 255.255.255.0

iface eth1 inet6 static
        address 2001:470:8:xxx::1
        netmask 64

auto he-ipv6
iface he-ipv6 inet6 v4tunnel
        address 2001:470:7:xxx::2
        netmask 64
        endpoint 216.66.22.2
        local xxx.xxx.xxx.xxx
        ttl 255
        gateway 2001:470:7:xxx::1


/etc/sysctl.conf

#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additonal system variables
# See sysctl.conf (5) for information.
#

#kernel.domainname = example.com

# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3

##############################################################3
# Functions previously found in netbase
#

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
net.ipv6.conf.all.forwarding=1


###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#
vm.swappiness=0


/etc/network/iptables.state

# Generated by iptables-save v1.4.14 on Fri Apr 25 21:58:14 2014
*nat
:PREROUTING ACCEPT [4192:195890]
:INPUT ACCEPT [2019:91167]
:OUTPUT ACCEPT [31:2686]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Apr 25 21:58:14 2014
# Generated by iptables-save v1.4.14 on Fri Apr 25 21:58:14 2014
*filter
:INPUT DROP [6:294]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [59:6652]
:fail2ban-ssh - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "allow inbound traffic for established and related connections" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment "allow SSH to this host from anywhere" -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 520 -m comment --comment "allow incoming RIP on the internal interface" -j ACCEPT
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -m comment --comment "allow any local-only traffic" -j ACCEPT
-A INPUT -s 216.66.22.2/32 -p ipv6 -m comment --comment "allow IPv6 tunnel traffic from HE" -j ACCEPT
-A INPUT -p icmp -m comment --comment "allow ICMP traffic to this host from anywhere" -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -m comment --comment "allow inbound traffic for established and related connections" -j ACCEPT
-A FORWARD -i eth1 -m comment --comment "allow all Internet bound traffic from the internal network" -j ACCEPT
-A FORWARD -p icmp -m comment --comment "forward any ICMP traffic" -j ACCEPT
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Fri Apr 25 21:58:14 2014


/etc/network/ip6tables.state

# Generated by ip6tables-save v1.4.14 on Fri Apr 25 21:58:12 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "allow inbound traffic for established and related connections" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment "allow SSH to this host from anywhere" -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 520 -m comment --comment "Accept RIP announcements from the internal interface" -j ACCEPT
-A INPUT -s ::1/128 -d ::1/128 -m comment --comment "allow any local-only traffic" -j ACCEPT
-A INPUT -p ipv6-icmp -m comment --comment "allow ICMP traffic to this host from anywhere" -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -m comment --comment "allow inbound traffic for established and related connections" -j ACCEPT
-A FORWARD -i eth1 -o he-ipv6 -m comment --comment "allow all Internet bound traffic from the internal network" -j ACCEPT
-A FORWARD -p ipv6-icmp -m comment --comment "forward any ICMP traffic" -j ACCEPT
COMMIT
# Completed on Fri Apr 25 21:58:12 2014

Create this file and make executable to load firewall rules at boot or when restarting the network:
/etc/network/if-pre-up.d/iptables

#!/bin/sh
/sbin/iptables-restore < /etc/network/iptables.state
/sbin/ip6tables-restore < /etc/network/ip6tables.state

/etc/dhcp/dhcpd.conf

ddns-update-style none;

option domain-name "stmiller.org";
option domain-name-servers 208.67.222.222, 208.67.220.220;

default-lease-time 600;
max-lease-time 7200;

authoritative;

log-facility local7;

subnet 172.16.0.0 netmask 255.255.255.0 {
        option subnet-mask 255.255.255.0;
        option routers 172.16.0.1;
        range 172.16.0.100 172.16.0.149;
}

host bach {
   option host-name "bach.stmiller.org";
   hardware ethernet 00:13:72:72:c8:28;
   fixed-address 172.16.0.1;
}

host brahms {
   option host-name "brahms.stmiller.org";
   hardware ethernet 6c:f0:49:08:f7:a0;
   fixed-address 172.16.0.100;
}

host katiebook {
   option host-name "katiebook.stmiller.org";
   hardware ethernet 28:cf:da:ec:17:88;
   fixed-address 172.16.0.101;
}

host brother {
   option host-name "brother.stmiller.org";
   hardware ethernet 00:22:58:93:aa:fc;
   fixed-address 172.16.0.102;
}

/etc/default/isc-dhcp-server

# Defaults for isc-dhcp-server initscript
# sourced by /etc/init.d/isc-dhcp-server
# installed at /etc/default/isc-dhcp-server by the maintainer scripts

#
# This is a POSIX shell fragment
#

# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
#DHCPD_CONF=/etc/dhcp/dhcpd.conf

# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
#DHCPD_PID=/var/run/dhcpd.pid

# Additional options to start dhcpd with.
#       Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""

# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
#       Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACES="eth1"


/etc/radvd.conf

interface eth1
{
   AdvSendAdvert on;
   AdvIntervalOpt on;
   MinRtrAdvInterval 60;
   MaxRtrAdvInterval 300;
   AdvLinkMTU 1280;
   AdvOtherConfigFlag on;
   AdvHomeAgentFlag off;
 
  prefix 2001:470:8:xxx::/64
   {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr on;
   };
};

Pics! I use a mini-ITX atom board that has dual gig nics.

March 2015 edit: My config for IPv6 has changed, since my provider (TWC) now provides native IPv6. But overall similar setup.

Hopefully this will help! Thanks,

2 thoughts on “Debian Linux Home Router with IPv4 and IPv6

  1. Will

    I’m a rookie in building a home router but I would love to have some help using Debian 7 with two NIC’s like you are doing but use 192.168.1.xx and (ISP) eht0 inet as static. I’m not sure if I need the IP6 but would mind learning how to build a home router like you did.

    This is a big hobby for me. I am a Amateur Radio Operator who help run a network with 7 remote servers and building a good router/gateway is what I would like to do to manage all packet follow.

    Will / W4WWM

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Notify me of followup comments via e-mail. You can also subscribe without commenting.