Turn a Linux server into a router
vim /etc/sysctl.conf
and uncomment `net.ipv4.ip_forward = 1`
IP Address binding
Add address to interface
# Assign an address (with prefix length) to an interface.
ip addr add <IP/CIDR> dev <Interface>
Remove address from interface
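# Remove an address from an interface. ip(8) spells this subcommand "del"
# (or "delete"); "remove" is not a recognised ip-address command.
ip addr del <IP/CIDR> dev <Interface>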
netplan
vim /etc/netplan/<config>.yaml
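# Netplan: eth0 is the uplink (DHCP client); ens19 is the LAN side, given the
# static address 172.16.15.254/24 in the 172.16.15.0/24 subnet that the DHCP
# server below serves. Both NICs are matched by MAC and renamed, so the
# configuration does not depend on kernel interface ordering.
network:
  version: 2
  ethernets:
    eth0:
      dhcp4: true
      match:
        macaddress: 0e:b7:13:d3:b3:48
      set-name: eth0
    ens19:
      addresses: [172.16.15.254/24]
      # Same meaning as "no"; spelled the same way as eth0's dhcp4 above.
      dhcp4: false
      match:
        macaddress: ce:08:ea:58:82:e5
      set-name: ens19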
DHCP server
systemctl
systemctl start isc-dhcp-server
Server daemon settings
# Daemon options: set INTERFACESv4 to the LAN interface (ens19) so dhcpd
# listens only on the LAN side and not on the uplink.
vim /etc/default/isc-dhcp-server
# Scope definition: subnet, gateway, DNS server and address range.
vim /etc/dhcp/dhcpd.conf
Config
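# DHCP scope for the LAN behind ens19 (router address 172.16.15.254/24).
subnet 172.16.15.0 netmask 255.255.255.0 {
  # Default gateway handed to clients: the router's own LAN address.
  # 172.16.15.0 is the network address, not a host, so clients given it
  # would receive an unusable default route.
  option routers 172.16.15.254;
  option subnet-mask 255.255.255.0;
  option domain-name-servers 8.8.8.8;
  # Leases are handed out from this pool only; .254 (the router) stays outside it.
  range 172.16.15.111 172.16.15.222;
}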
iptables
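#!/bin/sh
# NAT and forwarding firewall for the router.
# Interfaces as used below: eth0 = uplink, wg0 = WireGuard VPN,
# LAN = 172.16.15.0/24.
# iptables evaluates a chain first-match, top to bottom, so the ACCEPT
# rules deliberately precede the DROP rules. No chain policy (-P) is set
# here, so traffic matching nothing below falls through to whatever
# default policy the chain already has.
set -eu

# ensure CHAIN RULESPEC...
# Append a filter-table rule only if an identical one is not already
# present, so re-running this script does not stack duplicate rules.
# The "no such rule" diagnostic from -C is silenced; a genuine error
# (bad chain, bad match) still surfaces on the -A attempt.
ensure() {
  iptables -C "$@" 2>/dev/null || iptables -A "$@"
}

# NAT
## Masquerade everything going out eth0
iptables -t nat -C POSTROUTING -o eth0 -j MASQUERADE 2>/dev/null \
  || iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Firewall
## Accept everything forwarded to the target agent.
## Placed before the eth0/wg0 DROP rules below, so this one host stays
## reachable from the Internet and the VPN while the rest of the LAN is not.
ensure FORWARD -d 172.16.15.123 -j ACCEPT
## Accept connections that are already established (and related traffic).
ensure FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
## Accept all ping to the LAN, from any interface (also precedes the DROPs).
ensure FORWARD -p ICMP -d 172.16.15.0/24 -j ACCEPT
## Accept all DNS queries to the LAN, from any interface (also precedes the DROPs).
ensure FORWARD -p udp --dport 53 -d 172.16.15.0/24 -j ACCEPT
ensure FORWARD -p tcp --dport 53 -d 172.16.15.0/24 -j ACCEPT
## Block SSH to the router itself from the VPN.
ensure INPUT -i wg0 -p tcp --dport 22 -j DROP
## Block the Internet from reaching the LAN.
ensure FORWARD -i eth0 -d 172.16.15.0/24 -j DROP
## Block the VPN zone from reaching the LAN.
ensure FORWARD -i wg0 -d 172.16.15.0/24 -j DROP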
Wireguard VPN
Configuration
wg-quick
# Bring a tunnel up or down, naming it either by interface or by the path to its config file.
wg-quick <up/down> <interface/config_file>
Enable wg as a service
# Enable the wg-quick template instance for wg0 so the tunnel comes up at boot.
systemctl enable wg-quick@wg0.service
# Have systemd re-read its unit files (needed only if unit files on disk changed).
systemctl daemon-reload
Start wg service
# Bring the wg0 tunnel up now, without waiting for a reboot.
systemctl start wg-quick@wg0