How To: Build a Simple Router with Ubuntu Server 18.04.1 LTS (Bionic Beaver)

I work in a public library as a system administrator. Recently my task was to put public computers behind a separate router in order to control internet access. As I have plenty of computer parts lying around, I decided to build a router from an older computer running Linux, in my case Ubuntu Server 18.04.1 LTS (Bionic Beaver).

I wrote this guide to help others with a similar task.

 

Prerequisites

  • A computer running Ubuntu Server 18.04.1 LTS. I’m not going into the details of how to install the Ubuntu operating system. It is pretty straightforward. If you need help with the basic installation you can use this guide on HowtoForge.
  • At least two network interfaces. One is for the WAN side and the other for the LAN side of the router.

You will also want a switch if you are going to connect multiple devices to the local network. But this is pretty much everything you need for a working router.

Note: As we are going to be messing with the firewall, I would not recommend configuring it over SSH. You may lock yourself out during the process.

 

1. NETWORK INTERFACES CONFIGURATION

First, we need to configure the network interfaces we will be using. In my case, eth0 will be the WAN and eth1 LAN.

WAN (eth0) – this interface will get an IP from the ISP, so we leave it using DHCP.

LAN (eth1) – we configure this interface with a static IP within the subnet we are going to use for the local area network.

Just a little note: Ubuntu 18.04 does not use the traditional network configuration file /etc/network/interfaces. It uses NETPLAN. In my case, there is a config file called 50-cloud-init.yaml inside the /etc/netplan/ folder. In your case, the file may have a different name; just look for the file with the .yaml extension inside the netplan folder.

Let’s open it with nano:

sudo nano /etc/netplan/50-cloud-init.yaml

 

Edit it according to your network needs. In my example I configured it like this:

# This file is generated from information provided by
# the datasource.  Changes to it will not persist across an instance.
# To disable cloud-init's network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
    ethernets:
        eth0:
            dhcp4: true
        eth1:
            addresses:
            - 192.168.1.1/24
            dhcp4: false
            nameservers:
                addresses:
                - 8.8.8.8
                - 8.8.4.4
                search: []
    version: 2

 

To sum up: eth0, which is the WAN, gets its IP from the internet provider’s modem. eth1 is the LAN part of the router. We need it to have a static IP and DNS servers (in my example I used Google’s). Also, we didn’t configure any gateway on eth1.

Apply the configuration with the following commands:

sudo netplan generate
sudo netplan apply

 

2. SETTING UP A DHCP SERVER

Next, we want to set up a DHCP server. We really don’t want to configure each client with a static IP on the LAN. For this task, we need to install the following package.

sudo apt-get install isc-dhcp-server

 

Next we need to edit the /etc/default/dhcpd.conf file. This tells the DHCP server which network interface it should listen on. In my case it is of course eth1, the LAN interface.

We enter the command:

sudo nano /etc/default/dhcpd.conf

 

And edit accordingly, in my case it is:

INTERFACES="eth1"

 

The next step is configuring the DHCP server. This is done by editing the file /etc/dhcp/dhcpd.conf:

sudo nano /etc/dhcp/dhcpd.conf

 

This file contains a bunch of different parameters, most of them commented out with # at the start of the line. To keep it short, I will list only the parameters I used and edited according to my needs. If you want, you can delete all the content of this file and just copy/paste the code below. Of course, change the IPs, gateways, etc. according to your own network configuration.

option domain-name "whatever.you.want";
option domain-name-servers 8.8.8.8, 8.8.4.4;
default-lease-time 600;
max-lease-time 7200;
ddns-update-style none;
authoritative;
log-facility local7;
subnet 192.168.1.0 netmask 255.255.255.0 {
     range 192.168.1.101 192.168.1.200;
     option subnet-mask 255.255.255.0;
     option routers 192.168.1.1;
     option broadcast-address 192.168.1.255;
}

 

Now let’s apply the settings and enable the DHCP server on boot with the following commands:

sudo systemctl restart isc-dhcp-server
sudo systemctl enable isc-dhcp-server

 

With the following command, we check the status.

sudo systemctl status isc-dhcp-server

 

If everything is correctly set up, there must be a line saying “ACTIVE“. Otherwise, you messed something up within the /etc/dhcp/dhcpd.conf file. It may be missing a semicolon or a bracket.
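A configuration can parse cleanly and still give clients the wrong gateway or lease out the router's own address. As an added example (not part of the original guide), this script checks the scope in dhcpd.conf against the static LAN address set in netplan; the function names and BROKEN_CONF are constructed for illustration, and it assumes a single subnet block.

```sh
#!/bin/sh
# Added example, not part of the guide. Function names are made up here;
# GUIDE_CONF repeats the guide's dhcpd.conf scope, BROKEN_CONF is constructed.

ip2int() {   # dotted quad -> integer
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# check_dhcp_scope LAN_IP  (dhcpd.conf on stdin): prints problems, returns their count.
check_dhcp_scope() {
    lan_ip=$1; n=0; net=; mask=; lo=; hi=; gw=
    while read -r k a b c rest; do
        case "$k $a" in
            subnet\ *)        net=$a; mask=$c ;;
            range\ *)         lo=$a; hi=${b%;} ;;
            "option routers") gw=${b%;} ;;
        esac
    done
    for v in "$net" "$mask" "$lo" "$hi" "$gw"; do
        [ -n "$v" ] || { echo "subnet, range or routers statement missing"; return 1; }
    done
    lan_i=$(ip2int "$lan_ip")
    [ $(( lan_i & $(ip2int "$mask") )) -eq "$(ip2int "$net")" ] ||
        { n=$((n + 1)); echo "LAN address $lan_ip is outside subnet $net/$mask"; }
    [ "$gw" = "$lan_ip" ] ||
        { n=$((n + 1)); echo "routers $gw is not the LAN address $lan_ip"; }
    [ "$lan_i" -lt "$(ip2int "$lo")" ] || [ "$lan_i" -gt "$(ip2int "$hi")" ] ||
        { n=$((n + 1)); echo "pool $lo-$hi would lease the router's own address"; }
    return "$n"
}

GUIDE_CONF='subnet 192.168.1.0 netmask 255.255.255.0 {
     range 192.168.1.101 192.168.1.200;
     option subnet-mask 255.255.255.0;
     option routers 192.168.1.1;
     option broadcast-address 192.168.1.255;
}'
# Constructed mistakes: pool starts at the router's address, gateway typo.
BROKEN_CONF=$(printf '%s\n' "$GUIDE_CONF" |
    sed -e 's/range 192.168.1.101/range 192.168.1.1/' -e 's/routers 192.168.1.1;/routers 192.168.0.1;/')

# On the router: check_dhcp_scope 192.168.1.1 < /etc/dhcp/dhcpd.conf
printf '%s\n' "$BROKEN_CONF" | check_dhcp_scope 192.168.1.1 || echo "problems: $?"
```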

 

3. CONFIGURING FIREWALL

In order to have a functional router, we need to configure the firewall properly. This is done by writing down some iptables rules. In order to preserve the rules if the server is restarted, I created a script to be executed at boot time.

In Ubuntu 18.04 the file /etc/rc.local doesn’t exist anymore. But we can still create it with:

sudo nano /etc/rc.local

 

Next, copy/paste the following script. There are comments explaining each iptables rule. You can delete them if you wish, but you must NOT delete #!/bin/bash. Also, change eth0 and eth1 if your network interfaces have different names.

#!/bin/bash

# /etc/rc.local

# Default policy to drop all incoming packets.
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Accept incoming packets from localhost and the LAN interface.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT

# Accept incoming packets from the WAN if the router initiated the connection.
iptables -A INPUT -i eth0 -m conntrack \
--ctstate ESTABLISHED,RELATED -j ACCEPT

# Forward LAN packets to the WAN.
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# Forward WAN packets to the LAN if the LAN initiated the connection.
iptables -A FORWARD -i eth0 -o eth1 -m conntrack \
--ctstate ESTABLISHED,RELATED -j ACCEPT

# NAT traffic going out the WAN interface.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# rc.local needs to exit with 0
exit 0

 

This script must be executed at boot time, so we need to make the file executable with the following command:

sudo chmod 755 /etc/rc.local

 

There we go! We have a working router, just do a sudo reboot command to reboot the server.
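After the reboot it is worth confirming that the loaded rules match what rc.local was meant to install. As an added example (not part of the original guide), this script audits an iptables-save dump for DROP policies on INPUT and FORWARD, WAN-side accepts limited to reply traffic, and MASQUERADE on the WAN interface; the function name and both sample dumps are constructed, and eth0/eth1 follow the guide's naming.

```sh
#!/bin/sh
# Added example, not part of the guide. eth0/eth1 follow the guide's naming;
# GOOD_DUMP and DRIFTED_DUMP are constructed, in iptables-save output format.
# audit_ruleset WAN LAN  (dump on stdin): prints findings, returns their count.
audit_ruleset() {
    wan=$1; lan=$2; n=0; in_drop=0; fwd_drop=0; masq=0; table=
    while IFS= read -r line; do
        case $line in "*"*) table=${line#?}; continue ;; esac
        case "$table $line" in
            "filter :INPUT DROP "*)   in_drop=1 ;;
            "filter :FORWARD DROP "*) fwd_drop=1 ;;
            "nat -A POSTROUTING "*"-o $wan "*"-j MASQUERADE"*) masq=1 ;;
            "filter -A INPUT "*"-j ACCEPT"* | "filter -A FORWARD "*"-j ACCEPT"*)
                case $line in
                    *"-i lo "* | *"-i $lan "*) ;;   # loopback and LAN are trusted
                    *"--ctstate "*NEW*) n=$((n + 1)); echo "accepts new connections: $line" ;;
                    *"--ctstate "*) ;;              # replies only, as rc.local intends
                    *) n=$((n + 1)); echo "accept without state match: $line" ;;
                esac ;;
        esac
    done
    [ "$in_drop" -eq 1 ]  || { n=$((n + 1)); echo "INPUT policy is not DROP"; }
    [ "$fwd_drop" -eq 1 ] || { n=$((n + 1)); echo "FORWARD policy is not DROP"; }
    [ "$masq" -eq 1 ]     || { n=$((n + 1)); echo "no MASQUERADE rule on $wan"; }
    return "$n"
}

GOOD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'
# Constructed drift: FORWARD policy opened and the conntrack matches lost.
DRIFTED_DUMP=$(printf '%s\n' "$GOOD_DUMP" |
    sed -e 's/^:FORWARD DROP/:FORWARD ACCEPT/' -e 's/ -m conntrack --ctstate [A-Z,]*//')
# On the router itself: sudo iptables-save | audit_ruleset eth0 eth1
printf '%s\n' "$DRIFTED_DUMP" | audit_ruleset eth0 eth1 || echo "findings: $?"
```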

When I was configuring my server, after all these steps the routing still didn’t work. I banged my head trying to figure out where I messed up. I realized that just after installing the operating system, I had enabled UFW with sudo ufw enable. UFW stands for Uncomplicated Firewall. It is a program for altering iptables more easily and intuitively.

Anyway, it comes with default settings, and for the router to work properly (to forward packets from WAN to LAN), you need to enable the following parameter inside the /etc/ufw/sysctl.conf file.

We run the command:

sudo nano /etc/ufw/sysctl.conf

 

Now we just remove # in front of the following line:

net/ipv4/ip_forward=1

 

That’s all folks, now you have a fully working, powerful and reliable router. 🙂

Take care.
