Internet Gateway w/DHCP, DNS, netfilter [SOLVED]

Postby rtfmoz » 2019-11-05 22:11

So I had a fun weekend building this... but since my knowledge of the Debian way of doing things is limited, I wanted someone with an experienced eye to review.

Users connect to the wireless AP (AE) operating in bridge mode, or they connect directly via Ethernet to the switch. They acquire an IP address and a route from dnsmasq that forwards traffic to the Pi4 (Raspbian). The Pi4 has a wireless connection to the Internet, a default route to wlan0 and routing turned on in the kernel. Using nftables, outbound traffic is source-NATed to the outbound address of the wlan0 interface. Traffic flows nicely from users to the Internet and back again.

Implementation
The device is a Raspberry Pi 4 running Raspbian Buster with no configured networking. Once I updated wpa_supplicant it joined the wireless network and configured DNS, routing and wlan0. This is how I began. My surprise was that the entire /etc/network/interfaces was empty. The dhcpcd daemon was looking after all the dynamic configuration, and guides pointed me to its configuration for setting a static address on eth0. This was problematic as it always adds a default route, even if you don't specify one. So, in the end, I had to tell it to ignore eth0 with the denyinterfaces option. I wasn't able to find any network manager, so I manually created eth0 in interfaces.d.

Then I configured dnsmasq as the DHCP server on eth0 to handle DNS queries and hand out addresses and client routes. Then the routing kernel tweaks were done. So that covered DNS, DHCP client & server, routes & routing, but last and not least was addressing. I found out iptables is being deprecated in Debian Buster, so I used nftables. I didn't know how to write netfilter rules, as you can see from my single masquerade rule.

The relevant configuration is listed below; any and all assistance greatly appreciated. Note this is not the entire configuration, just what I added to each of the files. I did try to have dhcpcd create eth0 using an inform option. It created the interface but nothing worked, so I went back to interfaces.d/eth0. In the case of ../interfaces.d/eth0 this was a new file.

# dhcpcd had already picked up the wireless network and configured a default route and
# somehow provided DNS even though resolv.conf says 127.0.0.1 ??
# Here I tell it to ignore eth0 so I can configure manually.
/etc/dhcpcd.conf
denyinterfaces eth0

# the loopback and wlan0 interfaces already existed courtesy of dhcpcd?
/etc/network/interfaces.d/eth0
auto eth0
iface eth0 inet static
address 192.168.99.1
netmask 255.255.255.0

/etc/dnsmasq.conf
interface=eth0
listen-address=127.0.0.1
domain=mydomain.com
dhcp-range=192.168.99.10,192.168.99.250,6h

/etc/wpa_supplicant/wpa_supplicant.conf
network={
     ssid="MyLocalNetwork"
     psk=xxxxxxxxxxxxxxxxx
}

/etc/sysctl.conf
net.ipv4.ip_forward=1

/etc/nftables.conf
table ip nat {
   chain PREROUTING {
      type nat hook prerouting priority 0; policy accept;
   }

   chain POSTROUTING {
      type nat hook postrouting priority 100; policy accept;
      masquerade
   }
}
Last edited by rtfmoz on 2019-11-06 21:29, edited 1 time in total.
rtfmoz
 
Posts: 3
Joined: 2019-11-05 21:42

Re: Internet Gateway w/DHCP, DNS, netfilter

Postby rtfmoz » 2019-11-06 12:15

They say the lord helps those who help themselves... a firewall ruleset after a night of learnings.

table inet filter {
   chain input {
      type filter hook input priority 0; policy drop;
      iif "lo" accept
      iif "eth0" jump lan
      iif "wlan0" jump wan
   }

   chain forward {
      type filter hook forward priority 0; policy drop;
      iif "eth0" jump lan
      iif "wlan0" jump wan
   }

   chain output {
      type filter hook output priority 0; policy accept;
   }

   chain lan {
      accept
   }

   chain wan {
      ct state vmap { invalid : drop, established : accept, related : accept }
      ip protocol icmp icmp type { echo-reply, destination-unreachable, time-exceeded } accept
      pkttype { broadcast, multicast } return
      log prefix "dropped packet"
   }
}
table ip nat {
   chain prerouting {
      type nat hook prerouting priority 0; policy accept;
   }

   chain postrouting {
      type nat hook postrouting priority 0; policy accept;
      oif "wlan0" masquerade
   }
}

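The `log prefix "dropped packet"` rule in the wan chain above writes one kernel log line per rejected packet. As an added example (not code from the original post), the script below parses those lines and summarises them: drops per source, per target service, sources probing several ports, and a sanity check that every logged drop arrived on wlan0 (the lan chain accepts everything from eth0, so nothing else can reach the log rule). SAMPLE_LOG is constructed to match the format nf_log writes for this rule; note the prefix runs straight into `IN=` because the prefix has no trailing space. The addresses, MACs, the gateway's WAN address 192.0.2.20 and the port-scan threshold are assumptions made for the example.

```python
"""Summarise the "dropped packet" lines the wan chain writes to the kernel log.

Added example, not code from the original post. SAMPLE_LOG is constructed to
match what nf_log emits for the ruleset's log rule; addresses, MACs, the
gateway WAN address and the port-scan threshold are assumptions.
"""
import re
from collections import Counter, defaultdict

PREFIX = "dropped packet"   # exactly as written in the log rule: no trailing space
SCAN_PORTS = 3              # assumed heuristic: distinct ports probed by one source
KV = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample: three TCP probes from one host, a DNS query and an
# echo-request from another, and one unrelated kernel line.
SAMPLE_LOG = """\
Nov  6 12:01:02 pi4 kernel: [ 812.101] dropped packetIN=wlan0 OUT= MAC=dc:a6:32:01:02:03:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=192.0.2.20 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=4111 PROTO=TCP SPT=41234 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Nov  6 12:01:02 pi4 kernel: [ 812.133] dropped packetIN=wlan0 OUT= MAC=dc:a6:32:01:02:03:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=192.0.2.20 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=4112 PROTO=TCP SPT=41234 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Nov  6 12:01:03 pi4 kernel: [ 813.006] dropped packetIN=wlan0 OUT= MAC=dc:a6:32:01:02:03:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=192.0.2.20 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=4113 PROTO=TCP SPT=41234 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Nov  6 12:02:10 pi4 kernel: [ 880.412] dropped packetIN=wlan0 OUT= MAC=dc:a6:32:01:02:03:00:11:22:33:44:55:08:00 SRC=198.51.100.9 DST=192.0.2.20 LEN=61 TOS=0x00 PREC=0x00 TTL=49 ID=2 PROTO=UDP SPT=5353 DPT=53 LEN=41
Nov  6 12:02:11 pi4 kernel: [ 881.020] dropped packetIN=wlan0 OUT= MAC=dc:a6:32:01:02:03:00:11:22:33:44:55:08:00 SRC=198.51.100.9 DST=192.0.2.20 LEN=84 TOS=0x00 PREC=0x00 TTL=49 ID=3 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
Nov  6 12:03:00 pi4 kernel: [ 930.500] wlan0: associated
"""


def parse_drops(text):
    """Return one dict of KEY=value fields per logged drop, skipping other kernel lines."""
    drops = []
    for line in text.splitlines():
        if PREFIX in line:
            # everything after the prefix is "IN=... OUT=... SRC=... DST=... PROTO=..."
            drops.append(dict(KV.findall(line[line.index(PREFIX) + len(PREFIX):])))
    return drops


def summarise(text):
    """Aggregate the drops into the views a practitioner wants first."""
    drops = parse_drops(text)
    ports_by_src = defaultdict(set)
    for d in drops:
        if "DPT" in d:                       # TCP/UDP only; ICMP has no port
            ports_by_src[d["SRC"]].add((d["PROTO"], d["DPT"]))
    return {
        "total": len(drops),
        "per_src": Counter(d["SRC"] for d in drops),
        "per_service": Counter(f'{d["PROTO"]}/{d["DPT"]}' for d in drops if "DPT" in d),
        # one source probing several distinct ports: likely a scan
        "scanners": sorted(s for s, p in ports_by_src.items() if len(p) >= SCAN_PORTS),
        # the log rule is only reachable via "iif wlan0 jump wan"; a drop logged
        # with any other IN= means the loaded ruleset is not the one above
        "unexpected_in": sorted({d["IN"] for d in drops if d["IN"] != "wlan0"}),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the gateway itself the input would come from `journalctl -k` or /var/log/kern.log rather than the embedded sample; the parser keys off the prefix string, so it keeps working whether or not the prefix gets a trailing space later.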
Re: Internet Gateway w/DHCP, DNS, netfilter [SOLVED]

Postby rtfmoz » 2019-11-06 21:32

I did some further investigation into dhcpcd. Turning off systemd-networkd and removing that config, I discovered the parameters I needed. The final pieces I added to dhcpcd are below. The key was static and nogateway. Static stops dhcpcd treating it as a dynamic address allocation and nogateway stops it from creating default routes for the interface.

The final config for the entire solution is below.

/etc/dhcpcd.conf (added at end of file)
interface eth0
static ip_address=192.168.99.1/24
nogateway

/etc/dnsmasq.conf (changed entries)
interface=eth0
listen-address=127.0.0.1
domain=mydomain.com
dhcp-range=192.168.99.10,192.168.99.250,6h

/etc/wpa_supplicant/wpa_supplicant.conf (added)
network={
     ssid="MyLocalNetwork"
     psk=xxxxxxxxxxxxxxxxx
}

/etc/sysctl.conf (modified entry)
net.ipv4.ip_forward=1

/etc/nftables.conf (replaces all other rules)
table inet filter {
   # inet family: one table covers IPv4 and IPv6 (only IPv4 forwarding is enabled in sysctl)
   chain input {
      type filter hook input priority 0; policy drop;
      iif "lo" accept
      iif "eth0" jump lan     # LAN clients reach dnsmasq (DNS, DHCP) on the gateway
      iif "wlan0" jump wan    # Internet side: replies only
   }

   chain forward {
      type filter hook forward priority 0; policy drop;
      iif "eth0" jump lan     # LAN -> Internet
      iif "wlan0" jump wan    # Internet -> LAN: established/related only
   }

   chain output {
      type filter hook output priority 0; policy accept;
   }

   chain lan {
      accept
   }

   chain wan {
      # replies to connections the gateway or a LAN client opened; invalid is dropped
      ct state vmap { invalid : drop, established : accept, related : accept }
      # ICMP needed for path MTU discovery and traceroute; echo-request is not in the set
      ip protocol icmp icmp type { echo-reply, destination-unreachable, time-exceeded } accept
      # broadcast/multicast noise: return to the caller's policy drop without logging it
      pkttype { broadcast, multicast } return
      # anything else is logged, then falls through to the caller's policy drop
      log prefix "dropped packet"
   }
}
table ip nat {
   chain prerouting {
      type nat hook prerouting priority 0; policy accept;
   }

   chain postrouting {
      type nat hook postrouting priority 0; policy accept;
      oif "wlan0" masquerade   # source NAT only for traffic leaving via the WAN interface
   }
}


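The thread moves from a single unscoped `masquerade` rule with no filter table (first post) to a filter table with drop policies and a masquerade limited to `oif "wlan0"` (final post). As an added example, not code from the original posts, the Python linter below encodes the invariants that distinguish the two: a forward chain and an input chain with policy drop must exist, masquerade must be restricted to the WAN interface, and it flags three robustness points as warnings (`iif`/`oif` resolve the interface index when the file loads, so a wlan0 that does not exist yet makes the whole load fail where `iifname`/`oifname` would not; a log prefix without a trailing space is printed directly before `IN=`; postrouting nat conventionally uses priority 100, the `srcnat` value). The two rulesets are abridged copies of the ones quoted in the thread, with the empty prerouting/output chains left out; the WAN/LAN roles and the error/warn split are this linter's own assumptions.

```python
"""Lint an nftables ruleset for the invariants this gateway relies on.

Added example, not code from the original posts. The two rulesets are abridged
copies of the first-post and final-post /etc/nftables.conf. Assumptions: wlan0
is the WAN side, and the error/warn split is this linter's own judgement.
"""
import re

WAN = "wlan0"

FIRST_POST = """
table ip nat {
   chain POSTROUTING {
      type nat hook postrouting priority 100; policy accept;
      masquerade
   }
}
"""

FINAL_POST = """
table inet filter {
   chain input {
      type filter hook input priority 0; policy drop;
      iif "lo" accept
      iif "eth0" jump lan
      iif "wlan0" jump wan
   }
   chain forward {
      type filter hook forward priority 0; policy drop;
      iif "eth0" jump lan
      iif "wlan0" jump wan
   }
   chain lan {
      accept
   }
   chain wan {
      ct state vmap { invalid : drop, established : accept, related : accept }
      pkttype { broadcast, multicast } return
      log prefix "dropped packet"
   }
}
table ip nat {
   chain postrouting {
      type nat hook postrouting priority 0; policy accept;
      oif "wlan0" masquerade
   }
}
"""

BASE = re.compile(r"type (\w+) hook (\w+) priority (-?\w+)\s*;(?:\s*policy (\w+)\s*;)?")


def parse(text):
    """Brace-aware line parser for the nft syntax subset used on this page."""
    chains, chain = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or re.match(r"table \w+ \w+ \{$", line):
            continue
        if (m := re.match(r"chain (\w+) \{$", line)):
            chain = {"name": m.group(1), "type": None, "hook": None,
                     "priority": None, "policy": None, "rules": []}
            chains.append(chain)
        elif line == "}":
            chain = None                      # closes the chain, or the table
        elif (m := BASE.match(line)):         # base-chain header line
            prio = m.group(3)                 # numeric, or a name like "srcnat"
            chain.update(type=m.group(1), hook=m.group(2), policy=m.group(4),
                         priority=int(prio) if re.fullmatch(r"-?\d+", prio) else prio)
        elif chain is not None:
            chain["rules"].append(line)
    return chains


def lint(chains):
    """Return (level, message) pairs: 'error' = traffic leaks, 'warn' = fragility."""
    out = []

    def drops(kind, hook):
        return any(c["type"] == kind and c["hook"] == hook and c["policy"] == "drop"
                   for c in chains)
    if not drops("filter", "forward"):
        out.append(("error", "no forward chain with policy drop: with ip_forward=1 "
                             "the kernel routes anything that arrives on wlan0"))
    if not drops("filter", "input"):
        out.append(("error", "no input chain with policy drop: the gateway's own "
                             "services are reachable from wlan0"))
    for c in chains:
        if c["type"] == "nat" and c["hook"] == "postrouting" and c["priority"] not in (100, "srcnat"):
            out.append(("warn", f'{c["name"]}: postrouting priority {c["priority"]}; '
                                "the conventional srcnat priority is 100"))
        for r in c["rules"]:
            if "masquerade" in r and not re.search(rf'\boif(?:name)? "{WAN}"', r):
                out.append(("error", f'{c["name"]}: masquerade not limited to oif "{WAN}": {r}'))
            if re.search(rf'\b[io]if "{WAN}"', r):
                out.append(("warn", f'{c["name"]}: iif/oif match by interface index resolved at '
                                    f'load time; iifname/oifname tolerate a late {WAN}: {r}'))
            if (m := re.search(r'log prefix "([^"]*)"', r)) and not m.group(1).endswith(" "):
                out.append(("warn", f'{c["name"]}: log prefix has no trailing space, the kernel '
                                    f'prints it directly before "IN=": {r}'))
    return out


if __name__ == "__main__":
    for label, text in (("first post", FIRST_POST), ("final", FINAL_POST)):
        print(f"== {label} ==")
        for level, msg in lint(parse(text)):
            print(f"[{level}] {msg}")
```

The parser is line-based and understands only the constructs on this page, which is enough to feed it `nft list ruleset` output from a running gateway as well as the file on disk; syntax errors themselves are better caught with `nft -c -f /etc/nftables.conf` before loading.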