Debian network configuration

Assign a static IP

Assign a static IP to interface ens192:

user@machine:~$ vim /etc/network/interfaces

allow-hotplug ens192
iface ens192 inet static

ufw Masquerading

IP Masquerading can be achieved using custom ufw rules. This is possible because the current back-end for ufw is iptables-restore with the rules files located in /etc/ufw/*.rules. These files are a great place to add legacy iptables rules used without ufw, and rules that are more network gateway or bridge related.

The rules are split into two files: rules that should be executed before ufw command line rules, and rules that are executed after ufw command line rules.

  1. First, packet forwarding needs to be enabled in ufw. Two configuration files need to be adjusted. In /etc/default/ufw, change DEFAULT_FORWARD_POLICY to "ACCEPT":


    Then edit /etc/ufw/sysctl.conf and uncomment:

  2. Now add rules to the /etc/ufw/before.rules file. The default rules only configure the filter table, and to enable masquerading the nat table will need to be configured. Add the following to the top of the file just after the header comments:

Configure Debian as a network gateway

Step 1: allow forwarding

vim /etc/sysctl.d/local.conf


Step 2: on the network address translation (nat) table, once routing has decided that a packet leaves through eth0 (the external interface), replace its source address with our own so that the return packets come back to us. The kernel also remembers that it did this, in a lookup table that tracks the connection.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Allow packets arriving on eth1 (the internal interface) to be forwarded out eth0 (the external interface).

iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

Use that lookup table to check whether a packet arriving on the external interface belongs to a connection that was already initiated from the internal side, and accept it if so.

iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
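The following check is an added example, not part of the original page: it reads `iptables-save` output and verifies that the three gateway rules above are present. It also flags a FORWARD policy other than DROP, since ACCEPT rules appended to a chain whose policy is ACCEPT restrict nothing. The function names `audit_gateway` and `sample_page_rules` and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Usage: iptables-save | audit_gateway EXT_IF INT_IF
# Prints one line per finding; returns 1 if there is any finding, else 0.
audit_gateway() {
    awk -v ext="$1" -v lan="$2" '
    # Value that follows option "flag" on this rule line ("" if absent or negated).
    function opt(flag,   k) {
        for (k = 1; k < NF; k++)
            if ($k == flag) return ($(k - 1) == "!") ? "" : $(k + 1)
        return ""
    }
    /^\*/ { table = substr($0, 2); next }              # "*nat", "*filter"
    table == "filter" && $1 == ":FORWARD" { policy = $2 }
    $1 != "-A" { next }
    table == "nat" && $2 == "POSTROUTING" && opt("-j") == "MASQUERADE" &&
        opt("-o") == ext { masq = 1 }
    table == "filter" && $2 == "FORWARD" && opt("-j") == "ACCEPT" {
        src = opt("-i"); dst = opt("-o")
        if (src == lan && dst == ext) egress = 1
        if (src == ext && dst == lan) {
            if ($0 ~ /--(ct)?state [A-Z,]*ESTABLISHED/) replies = 1
            else wide_open = 1                         # inbound with no state match
        }
    }
    END {
        if (policy == "") policy = "unknown"
        if (!masq)     { print "MISSING masquerade on " ext; n++ }
        if (!egress)   { print "MISSING forward " lan " -> " ext; n++ }
        if (!replies)  { print "MISSING stateful return rule " ext " -> " lan; n++ }
        if (wide_open) { print "WARN unconditional ACCEPT " ext " -> " lan; n++ }
        if (policy != "DROP") { print "WARN FORWARD policy is " policy; n++ }
        exit (n > 0)
    }'
}

# Constructed sample: the three rules from this page on a default-ACCEPT host.
sample_page_rules() {
cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}
sample_page_rules | audit_gateway eth0 eth1 || true
```

On a live gateway, run it as root with `iptables-save | audit_gateway eth0 eth1`, substituting the real interface names.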