Linux Networking Concepts


1 Configuring NICs - ip command

ip link set dev eth0 up

ip link show eth0

ip addr add dev eth0

RFC1918 sets aside three large ranges for private networks: - ( - ( - (

We're configuring, which is an IP range that includes -, this includes 256 addresses

254 are usable after setting aside as the network address and as the broadcast address

ping -c 2 -n
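A sanity check for the addressing in this section, added here and not part of the original notes: it computes the network address, broadcast address and usable host count for any prefix length (the /24 case above gives 256 addresses, 254 of them usable) and confirms that an address lies inside one of the three RFC1918 ranges before it is handed to ip addr add. Plain POSIX sh arithmetic, no extra tools.

```shell
# Added example (not from the original notes): IPv4 subnet arithmetic in
# POSIX sh, to check an address before "ip addr add ADDRESS/PREFIX dev eth0".

ip_to_int() {            # "192.168.1.10" -> 32-bit integer
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {            # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# net_info ADDRESS PREFIXLEN -> "network broadcast usable_hosts"
net_info() {
    addr=$(ip_to_int "$1"); plen=$2
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    net=$(( addr & mask ))
    bcast=$(( net | (~mask & 4294967295) ))
    # Network and broadcast addresses are set aside, except on /31 and /32
    # point-to-point links where every address is a host (RFC 3021).
    if [ "$plen" -ge 31 ]; then usable=$(( 1 << (32 - plen) ))
    else usable=$(( (1 << (32 - plen)) - 2 )); fi
    echo "$(int_to_ip "$net") $(int_to_ip "$bcast") $usable"
}

# is_private ADDRESS -> exit 0 if inside 10/8, 172.16/12 or 192.168/16 (RFC1918)
is_private() {
    a=$(ip_to_int "$1")
    for range in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        set -- $(net_info "${range%/*}" "${range#*/}")
        [ "$a" -ge "$(ip_to_int "$1")" ] && [ "$a" -le "$(ip_to_int "$2")" ] && return 0
    done
    return 1
}
```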


2 Enabling NAT to the outside

  • Configuring eth2 to receive an IP address via DHCP
  • Using iptables to enable NAT on packets heading out through eth2
  • NAT - Network Address Translation table
  • Rewrites packet headers in order to make them appear as if they come from your router

iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
iptables -A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth2 -j ACCEPT

The -t option specifies the packet matching table to use; in this case we're using the nat table. -A appends the rule to the selected chain, here POSTROUTING, which is processed after the kernel has made its routing decision. -o specifies the output interface: in our example eth0 is the interface with the internal systems and eth2 leads to the internet. -j specifies what to do when a packet matches the rule; here we MASQUERADE it, i.e. rewrite its source IP.

Put together, this matches packets heading out on eth2, rewrites their source IP address and tracks the connection in the NAT table.

The second command adds the -m option, which loads a match module, in this case state. For packets that came in on eth2 (from the internet) and are destined for eth0 (the LAN), it checks whether they are related to, or part of, an established connection. Finally, any packets that come in on eth0 (LAN) and are heading out on eth2 (internet) are accepted outright.

3 Setting Up DHCP

apt-get install isc-dhcp-server

# keep whichever key the file uses (INTERFACES or INTERFACESv4) and point it at eth0
sudo sed -i 's/^\(INTERFACES[v4]*\)=.*/\1="eth0"/' /etc/default/isc-dhcp-server


ddns-update-style none;
option domain-name "";
option domain-name-servers,;
default-lease-time 600;
max-lease-time 7200;
subnet netmask {
  option routers;
}

4 Setting Up a Firewall with iptables

Default Deny configuration:

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
iptables -A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -j ACCEPT
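The NAT rules of section 2 and the default-deny ruleset above, combined into one re-runnable script. This is an added example, not the notes' own script; it assumes eth0 is the LAN and eth2 the WAN interface, restricts SSH to the LAN side, drops WAN packets carrying RFC1918 source addresses, and turns on net.ipv4.ip_forward, without which the kernel forwards nothing no matter what the rules say.

```shell
#!/bin/sh
# Added example: default-deny NAT router ruleset (sections 2 and 4) in one
# idempotent pass. Assumes eth0 = LAN, eth2 = WAN. DRY_RUN=1 prints the
# commands instead of executing them (no root or iptables needed).
WAN=${WAN:-eth2}
LAN=${LAN:-eth0}

run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

apply_firewall() {
    # MASQUERADE only rewrites addresses; the kernel forwards packets
    # between interfaces only when ip_forward is enabled.
    run sysctl -w net.ipv4.ip_forward=1
    # Start from a clean slate so re-running never duplicates rules.
    run iptables -F
    run iptables -t nat -F
    # Default deny for traffic to the router (INPUT) and through it
    # (FORWARD); connections the router itself originates are allowed.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Admin SSH from the LAN only, never from the internet-facing side.
    run iptables -A INPUT -i "$LAN" -p tcp --dport 22 -j ACCEPT
    # Packets arriving from the internet with a private source address are
    # spoofed: RFC1918 space is not routed on the public internet.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        run iptables -A FORWARD -i "$WAN" -s "$net" -j DROP
    done
    # NAT for the LAN: rewrite the source on the way out, allow replies
    # back in, let anything from the LAN head out.
    run iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    run iptables -A FORWARD -i "$WAN" -o "$LAN" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
}

# "sh firewall.sh apply" applies the rules; with DRY_RUN=1 it only prints them.
case $1 in apply) apply_firewall ;; esac
```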

4.1 Port Forwarding

iptables -t nat -A PREROUTING -p tcp -i eth2 --dport 80 \
      -j DNAT --to-destination

iptables -A FORWARD -p tcp -d --dport 8080 \
      -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

4.2 Syntax to block an IP address

iptables -A INPUT -s IP-ADDRESS -j DROP

Replace IP-ADDRESS with the address you want to block. For example, to block a particular IP address, run:

iptables -A INPUT -s -j DROP

If you have an iptables firewall script, add the above rule to that script.

If you only want to block that IP address from reaching a single port, say port 25, run:

iptables -A INPUT -s -p tcp --destination-port 25 -j DROP

Another example, this time blocking port 80:

sudo iptables -A INPUT -s -p tcp --destination-port 80  -j DROP
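A safer wrapper for the block rules above, added here and not part of the original notes. It validates the address before it reaches iptables and inserts the rule at the top of INPUT with -I instead of appending with -A: with the default-deny ruleset of section 4, an appended DROP sits after the ESTABLISHED,RELATED and port 22 ACCEPT rules and therefore never matches that traffic, whereas a rule in position 1 cuts existing connections too. The run helper and DRY_RUN switch are assumptions of this example.

```shell
# Added example (not from the original notes): validate, then block.
# DRY_RUN=1 prints the iptables command instead of executing it.

run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# valid_ipv4 STRING -> exit 0 only for a dotted quad with four octets 0-255.
# Rejects anything that is not digits and dots, so stray shell characters
# from an untrusted source never reach iptables.
valid_ipv4() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# block_ip ADDRESS [PORT]: drop all input from ADDRESS, or only TCP to PORT.
# -I INPUT 1 puts the rule first, ahead of every ACCEPT in the chain.
block_ip() {
    valid_ipv4 "$1" || { echo "block_ip: invalid IPv4 address: $1" >&2; return 2; }
    if [ -n "$2" ]; then
        run iptables -I INPUT 1 -s "$1" -p tcp --dport "$2" -j DROP
    else
        run iptables -I INPUT 1 -s "$1" -j DROP
    fi
}
```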


  • Hook it up to a switch that has VLANs enabled
  • Create virtual interfaces assigned to the desired VLAN
  • We have a single router with a public-facing IP address on one interface and a private IP address on the second interface.
  • Add additional IP addresses to the internal interface
  • The ip command allows you to assign multiple IPs to a single interface, with optional interface aliases like eth0:0
  • This will allow you to assign IP addresses within one of those ranges to systems behind the firewall and have them all route appropriately
  • Downsides:
    • All internal IPs exist within the same collision domain of the network
    • Systems can be moved between those IP ranges, potentially bypassing access control rules

Another option: plug a third network card into the system.

A third option: configure the switch into dedicated VLANs and plug the LAN side of your router into a port configured as a trunk. From there, Linux can be configured to use VLAN tagging to split your single physical interface into a pair of virtual interfaces and tag packets.

ip link add link eth0 name eth0.1 type vlan id 1
ip link add link eth0 name eth0.2 type vlan id 2
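The two commands above only create the tagged sub-interfaces. This added example (not from the original notes) completes the job: it validates the VLAN id, addresses each sub-interface and brings it up, and then uses the per-VLAN interface names in FORWARD rules, which is what makes the VLAN approach immune to the "move a host between ranges to bypass access control" downside of sharing one interface. The VLAN ids, addresses, TRUNK and run helper are constructed for illustration.

```shell
# Added example (not from the original notes): one tagged sub-interface per
# VLAN on the trunk port, each with its own address and its own forwarding
# policy. Sample ids/addresses are constructed; DRY_RUN=1 prints the commands.
TRUNK=${TRUNK:-eth0}
WAN=${WAN:-eth2}

run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# vlan_up ID CIDR: create $TRUNK.ID carrying VLAN tag ID, address it, bring it up.
vlan_up() {
    id=$1; cidr=$2
    # 802.1Q tags are 12 bits; 0 and 4095 are reserved.
    [ "$id" -ge 1 ] && [ "$id" -le 4094 ] || { echo "bad VLAN id: $id" >&2; return 2; }
    run ip link add link "$TRUNK" name "$TRUNK.$id" type vlan id "$id"
    run ip addr add "$cidr" dev "$TRUNK.$id"
    run ip link set dev "$TRUNK.$id" up
}

setup_vlans() {
    # The physical trunk must be up before its sub-interfaces carry traffic.
    run ip link set dev "$TRUNK" up
    vlan_up 10 192.168.10.1/24   # constructed: staff network on VLAN 10
    vlan_up 20 192.168.20.1/24   # constructed: guest network on VLAN 20
}

# Because each VLAN is its own interface, firewall rules can key on it:
# guests may reach the internet but never the staff VLAN. With the
# default-deny FORWARD policy from section 4 the DROP is explicit rather
# than relied upon, and the ACCEPT is what actually lets guests out.
guest_policy() {
    run iptables -A FORWARD -i "$TRUNK.20" -o "$TRUNK.10" -j DROP
    run iptables -A FORWARD -i "$TRUNK.20" -o "$WAN" -j ACCEPT
}
```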

6 Configuring DNS

  • Setting up your system to talk to a nameserver
  • Setting up a local recursive resolver
  • Configuring dynamic DNS on your local network
  • Setting up a nameserver for your public domain
  • Setting up a slave nameserver

6.1 Setting up a local recursive resolver

apt-get install bind9

Author: Sebastian Emilio Narvaez

Created: 2019-10-12 Sat 22:16

Emacs 25.2.2 (Org mode 8.2.10)