How To: Build a Simple Router with Ubuntu Server 18.04.1 LTS (Bionic Beaver)

I work in a public library as a system administrator. Recently my task was to put the public computers behind a separate router in order to control internet access. As I have plenty of computer parts lying around, I decided to build a router from an older computer running a Linux operating system, in my case Ubuntu Server 18.04.1 LTS (Bionic Beaver).

I wrote this guide to help others with a similar task.

 

Prerequisites

  • A computer running Ubuntu Server 18.04.1 LTS. I’m not going into the details of how to install the Ubuntu operating system. It is pretty straightforward. If you need help with the basic installation you can use this guide on HowtoForge.
  • At least two network interfaces. One is for the WAN and the other for the LAN part of the router. You will also want a switch in case you are going to connect multiple devices to the local network. But this is pretty much everything you need for a working router.

If you are not that much into building a machine from your old computer parts, there are plenty of small form factor network appliances on Amazon. They are like small fanless solid state computers with two or more network interfaces. I recommend this one:

Note that this one is a BAREBONE without RAM and an mSATA SSD. You need to buy them separately and install them yourself.

Note: As we are going to be messing with the firewall, I would not recommend configuring it via SSH. You may lock yourself out during the process.

 

1. NETWORK INTERFACES CONFIGURATION

First, we need to configure the network interfaces we will be using. In my case, eth0 will be the WAN and eth1 LAN.

WAN (eth0) – this interface will get an IP from the ISP, so we leave it using DHCP.

LAN (eth1) – we configure the interface with a static IP within the subnet we are going to use for the local area network.

Just a little note: Ubuntu 18.04 does not use the traditional network configuration file /etc/network/interfaces. It uses Netplan. In my case, there is a config file called 50-cloud-init.yaml inside the /etc/netplan/ folder. In your case, the file may have a different name; just look for the file with the .yaml extension inside the netplan folder.

Let’s open it with nano:

sudo nano /etc/netplan/50-cloud-init.yaml

 

Edit it according to your network needs. In my example I configured it like this:

# This file is generated from information provided by
# the datasource.  Changes to it will not persist across an instance.
# To disable cloud-init's network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
    ethernets:
        eth0:
            dhcp4: true
        eth1:
            addresses:
            - 192.168.1.1/24
            dhcp4: false
            nameservers:
                addresses:
                - 8.8.8.8
                - 8.8.4.4
                search: []
    version: 2

 

To sum up: eth0, which is the WAN, gets its IP from the internet provider’s modem. eth1 is the LAN part of the router. We need it to have a static IP and DNS servers (in my example I used Google’s). Note also that we didn’t configure any gateway on eth1.

Apply the configuration with the following commands:

sudo netplan generate
sudo netplan apply

 

2. SETTING UP A DHCP SERVER

Next, we want to set up a DHCP server. We really don’t want to configure each client with a static IP within the LAN network. For this task, we need to install the following package.

sudo apt-get install isc-dhcp-server

 

Next we need to edit the /etc/default/isc-dhcp-server file. This tells the DHCP server which network interface it should be listening on. In my case it is of course eth1, the LAN interface.

We enter the command:

sudo nano /etc/default/isc-dhcp-server

 

And under “INTERFACESv4” insert your LAN network interface. In my case it’s eth1:

INTERFACESv4="eth1"

 

Next step would be configuring the DHCP server. This is done by editing the file /etc/dhcp/dhcpd.conf

sudo nano /etc/dhcp/dhcpd.conf

 

This file contains a bunch of different parameters, most of them commented out with # at the start of the line. To keep it short, I will write down only the parameters I used, edited according to my needs. If you want, you can delete all the content of this file and just copy/paste the code below. Of course, change the IPs, gateways, etc. according to your own network configuration.

option domain-name "whatever.you.want";
option domain-name-servers 8.8.8.8, 8.8.4.4;
default-lease-time 600;
max-lease-time 7200;
ddns-update-style none;
authoritative;
log-facility local7;
subnet 192.168.1.0 netmask 255.255.255.0 {
     range 192.168.1.101 192.168.1.200;
     option subnet-mask 255.255.255.0;
     option routers 192.168.1.1;
     option broadcast-address 192.168.1.255;
}

 

Now let’s apply the settings and enable the DHCP server on boot with the following commands:

sudo systemctl restart isc-dhcp-server
sudo systemctl enable isc-dhcp-server

 

With the following command, we check the status.

sudo systemctl status isc-dhcp-server

 

If everything is correctly set up, there must be a line saying “ACTIVE”. Otherwise, you messed something up within the /etc/dhcp/dhcpd.conf file. It may be missing a semicolon or bracket.

 

3. CONFIGURING FIREWALL

In order to have a functional router, we need to configure the firewall properly. This is done by writing down some iptables rules. In order to preserve the rules if the server is restarted, I created a script to be executed at boot time.

First let’s enable UFW with…

sudo ufw enable

 

Next we need to enable forwarding of packets from WAN to LAN. We do this with the following parameter inside the /etc/ufw/sysctl.conf file.

We open the file…

sudo nano /etc/ufw/sysctl.conf

 

…and we just remove the # in front of the following line:

net/ipv4/ip_forward=1

 

In Ubuntu 18.04 the file /etc/rc.local doesn’t exist anymore. But we can still create it with:

sudo nano /etc/rc.local

 

Next, copy/paste the following script. There are comments explaining each iptables rule. You can delete them if you wish, but you must NOT delete #!/bin/bash. Also, change eth0 and eth1 if your network interfaces have different names.

#!/bin/bash

# /etc/rc.local

# Default policy to drop all incoming packets.
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Accept incoming packets from localhost and the LAN interface.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT

# Accept incoming packets from the WAN if the router initiated the connection.
iptables -A INPUT -i eth0 -m conntrack \
--ctstate ESTABLISHED,RELATED -j ACCEPT

# Forward LAN packets to the WAN.
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# Forward WAN packets to the LAN if the LAN initiated the connection.
iptables -A FORWARD -i eth0 -o eth1 -m conntrack \
--ctstate ESTABLISHED,RELATED -j ACCEPT

# NAT traffic going out the WAN interface.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# rc.local needs to exit with 0
exit 0

 

This script must be executed at boot time, so we need to make the file executable with the following command:

sudo chmod 755 /etc/rc.local

 

And that’s it. We reboot the router with the sudo reboot command and we are good to go. 🙂
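To confirm after the reboot that the running ruleset matches what the script intends, the following added example (not part of the original guide) checks an iptables-save dump for the three properties the script sets up: default DROP on INPUT and FORWARD, WAN traffic accepted only as replies, and MASQUERADE on the WAN interface. The function name audit_ruleset and the sample dump are constructed for illustration; eth0 as the WAN interface follows the guide.

```bash
#!/bin/bash
# Added example, not from the guide: audit an iptables-save dump against
# the policy the rc.local script is meant to enforce.
# On the router: sudo iptables-save | audit_ruleset eth0

# audit_ruleset WAN_IF (dump on stdin): prints findings, returns their count.
audit_ruleset() {
    wan="$1"; dump="$(cat)"; fails=0
    # Traffic to and through the router must be dropped by default.
    for chain in INPUT FORWARD; do
        if ! printf '%s\n' "$dump" | grep -q "^:${chain} DROP "; then
            echo "FAIL: default policy of ${chain} is not DROP"
            fails=$((fails + 1))
        fi
    done
    # Packets arriving on the WAN may only be accepted as replies
    # (conntrack ESTABLISHED,RELATED); any broader ACCEPT is a finding.
    exposed="$(printf '%s\n' "$dump" \
        | grep -E "^-A (INPUT|FORWARD) (.* )?-i ${wan} .*-j ACCEPT" \
        | grep -Ev -- '--ctstate (RELATED,ESTABLISHED|ESTABLISHED,RELATED) ' || true)"
    if [ -n "$exposed" ]; then
        echo "FAIL: unrestricted ACCEPT for packets from ${wan}:"
        echo "$exposed"
        fails=$((fails + 1))
    fi
    # LAN clients need source NAT on the way out of the WAN interface.
    if ! printf '%s\n' "$dump" | grep -q "^-A POSTROUTING -o ${wan} -j MASQUERADE"; then
        echo "FAIL: no MASQUERADE rule on ${wan}"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample in iptables-save format: only the guide's forwarding
# and NAT rules, without the extra chains UFW adds on a real system.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

printf '%s\n' "$SAMPLE_DUMP" | audit_ruleset eth0 && echo "OK: ruleset matches the intended policy"
```

A non-zero exit status means at least one property is missing, for example because rc.local did not run or another tool rewrote the chains.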

 

Take care. 🙂
