Versão avaliada: Debian 11 Bullseye
Versão avaliada: Debian 12 Bookworm
Instale as dependências
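## Refresh the package index first so a stale cache does not pull an outdated build.
## isc-dhcp-server: ISC declared ISC DHCP end-of-life upstream in 2022; Debian still ships
## it, but Kea (kea-dhcp4-server) is the maintained successor -- plan the migration.
## The 'dns-nameservers' line used later in /etc/network/interfaces only takes effect
## when the resolvconf package is installed; otherwise manage /etc/resolv.conf by hand.
# apt update && apt install vlan isc-dhcp-server net-tools dnsutils psmisc netcat logrotate binutils nftables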
Na versão Bookworm
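## Same set for Bookworm; 'netcat' is replaced by 'netcat-traditional' here.
## Refresh the index first.  ISC DHCP is end-of-life upstream (2022) -- see the Kea note
## above -- and 'dns-nameservers' still needs resolvconf to do anything.
# apt update && apt install vlan isc-dhcp-server net-tools dnsutils psmisc netcat-traditional logrotate binutils nftables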
Suba o módulo 802.1q
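## Load the 802.1Q driver now and confirm it is present.  Creating a VLAN link
## normally autoloads it on later boots; the modules-load.d entry is belt and braces.
# modprobe 8021q && lsmod | grep -w 8021q
# echo 8021q | tee /etc/modules-load.d/8021q.conf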
Criar tabelas de roteamento adicionais (apenas registra os nomes em rt_tables; elas só têm efeito se houver regras `ip rule ... lookup` e rotas `ip route ... table` apontando para elas, o que este guia não configura)
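## Registers names for routing-table ids 500 and 501.  Nothing on this page adds
## 'ip rule' or 'ip route ... table firsttable' entries, so until that is done the
## tables are unused.  The grep guard keeps re-runs from appending duplicate lines.
## Where /etc/iproute2/rt_tables is absent (newer iproute2 keeps its defaults under
## /usr/share/iproute2), put the same lines in /etc/iproute2/rt_tables.d/local.conf.
# grep -qw firsttable /etc/iproute2/rt_tables || echo "500 firsttable" | tee -a /etc/iproute2/rt_tables
# grep -qw secondtable /etc/iproute2/rt_tables || echo "501 secondtable" | tee -a /etc/iproute2/rt_tables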
Configurar sysctl
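## Write the file in one go (not 'tee -a') so re-running the guide does not leave
## duplicate keys behind.  Extra keys at the end are standard hardening for a host
## that forwards traffic: ignore and never emit ICMP redirects, refuse source routing,
## log packets that fail the reverse-path check.
# tee /etc/sysctl.d/local.conf >/dev/null <<'EOF'
# routing between eth0 and the VLAN sub-interfaces
net.ipv4.ip_forward = 1
net.ipv4.conf.all.arp_filter = 0
# 2 = loose reverse-path check; strict (1) can drop asymmetric flows on a multi-homed box
net.ipv4.conf.all.rp_filter = 2
# hardening for a forwarding host
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
EOF
## apply now; at boot systemd-sysctl reads every file in /etc/sysctl.d/ anyway
# sysctl -p /etc/sysctl.d/local.conf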
Nota: qualquer arquivo em /etc/sysctl.d/ é aplicado no boot pelo systemd-sysctl (em ordem lexicográfica), e no Debian /etc/sysctl.d/99-sysctl.conf é apenas um link para /etc/sysctl.conf. Mantenha estas chaves em um único arquivo para não haver valores duplicados ou conflitantes; `sysctl --system` aplica todos de uma vez.
Configurar as interfaces
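## Keep a copy to roll back to: a mistake here can leave the box unreachable.
# cp -a /etc/network/interfaces /etc/network/interfaces.bak && vi /etc/network/interfaces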
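# Upstream LAN side (eth0): static address; the DHCP variant is kept for reference.
# NOTE(review): eth0 is allow-hotplug while its VLAN children are auto.  If the VLANs
# are not configured after a boot, try 'auto eth0' so parent and children are handled
# in the same pass.
allow-hotplug eth0
#iface eth0 inet dhcp
iface eth0 inet static
address 192.168.1.109/24
# keyword must be 'gateway' -- ifupdown silently ignores a misspelled option and
# the router then has no default route
gateway 192.168.1.254
# honoured only when the resolvconf package is installed; otherwise edit /etc/resolv.conf
dns-nameservers 192.168.1.254 1.1.1.1 8.8.8.8 9.9.9.9
# VLAN_255 - client network served by dhcpd
auto eth0.255
iface eth0.255 inet static
address 10.0.0.1/24
#vlan-raw-device eth0 <- optional: the parent is inferred from the name eth0.255
# VLAN_300
auto eth0.300
iface eth0.300 inet static
address 172.17.0.1/29
# VLAN_301
auto eth0.301
iface eth0.301 inet static
address 172.18.0.1/29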
Subir as interfaces sem reiniciar (opcional — as stanzas `auto` já as sobem no boot)
## Bring the three VLAN sub-interfaces up in order, stopping at the first failure.
# for v in 255 300 301; do ifup "eth0.$v" || break; done
Indique apenas as interfaces de VLAN em que o DHCP Server deve atender; não inclua eth0, para não distribuir endereços na rede de cima
## Read by Debian's init script: only the interfaces listed here get a DHCP listener.
## Keep eth0 out of this list -- it would offer leases on the upstream LAN.
# vi /etc/default/isc-dhcp-server
INTERFACESv4='eth0.255 eth0.300 eth0.301'
Configuração do DHCP Server
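## Back up first; validate the result with 'dhcpd -t' before restarting the service.
# cp -a /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.bak && vi /etc/dhcp/dhcpd.conf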
# VLAN_255 (10.0.0.0/24): leases handed out from the .70-.99 window
subnet 10.0.0.0 netmask 255.255.255.0 {
  # NAK clients that ask for a lease this server does not know about.
  # Only this subnet is marked authoritative; presumably deliberate -- verify if this
  # is also the sole DHCP server on VLANs 300/301.
  authoritative;
  range 10.0.0.70 10.0.0.99;
  option subnet-mask 255.255.255.0;
  option broadcast-address 10.0.0.255;
  option routers 10.0.0.1;
  option domain-name-servers 1.1.1.1, 8.8.8.8, 9.9.9.9;
  #option domain-name "local.matrix";
  default-lease-time 600;
  max-lease-time 7200;
}

# VLAN_300 (172.17.0.0/29): four leases, .3-.6
subnet 172.17.0.0 netmask 255.255.255.248 {
  pool {
    range 172.17.0.3 172.17.0.6;
  }
  option subnet-mask 255.255.255.248;
  option broadcast-address 172.17.0.7;
  option routers 172.17.0.1;
  option domain-name-servers 1.1.1.3, 9.9.9.11;
  default-lease-time 600;
  max-lease-time 7200;
}

# VLAN_301 (172.18.0.0/29): four leases, .3-.6
subnet 172.18.0.0 netmask 255.255.255.248 {
  pool {
    range 172.18.0.3 172.18.0.6;
  }
  option subnet-mask 255.255.255.248;
  option broadcast-address 172.18.0.7;
  option routers 172.18.0.1;
  option domain-name-servers 1.1.1.3, 9.9.9.11;
  default-lease-time 600;
  max-lease-time 7200;
}
Nota: o dhcpd associa cada declaração `subnet` à interface (listada em INTERFACESv4) cujo endereço pertence àquela sub-rede; uma interface listada sem `subnet` correspondente é ignorada, com aviso no log.
Reiniciar
## Reboot to confirm interfaces, sysctl and dhcpd all come back on their own.
# systemctl reboot
Configurar NAT
NFTABLES
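## Rules added with 'nft add' live only in the kernel: the nftables unit loads
## /etc/nftables.conf at boot and nothing else.  This variant also configures NAT only --
## the filter chains (policy drop, SSH restriction) exist only in the file variant below.
## 'srcnat' is the symbolic name for priority 100.
# systemctl enable nftables.service && systemctl restart nftables.service
# nft add table ip nat
# nft 'add chain ip nat postrouting { type nat hook postrouting priority srcnat ; }'
# nft add rule ip nat postrouting oifname eth0 ip saddr 10.0.0.0/24 counter masquerade
# nft add rule ip nat postrouting oifname eth0 ip saddr 172.17.0.0/29 counter masquerade
# nft add rule ip nat postrouting oifname eth0 ip saddr 172.18.0.0/29 counter masquerade
## persist the live ruleset (overwrites the file -- skip this if you maintain the file by hand)
# nft list ruleset > /etc/nftables.conf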
Ou (preferível, pois persiste após reinício) edite o arquivo abaixo; valide com `nft -c -f /etc/nftables.conf` e carregue com `nft -f /etc/nftables.conf`
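## Back up first.  Check syntax with 'nft -c -f /etc/nftables.conf' before loading:
## the ruleset below drops everything not explicitly allowed, including your SSH session
## if the rule for it is mistyped.
# cp -a /etc/nftables.conf /etc/nftables.conf.bak && vi /etc/nftables.conf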
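#!/usr/sbin/nft -f
# Firewall + NAT for a router with the upstream LAN on eth0 and three client VLANs on
# eth0.255 / eth0.300 / eth0.301.
#
# NOTE(review): input is 'policy drop' and only admits SSH from 192.168.1.0/24 arriving
# on eth0.  Load this from a session on that network (or a console) and validate first
# with 'nft -c -f /etc/nftables.conf' so a typo cannot lock you out.
flush ruleset

table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		ct state invalid counter drop
		icmp type timestamp-request counter drop
		ct state { related, established } counter accept
		iifname "lo" counter accept
		# ADDITIONAL RULES
		# management: SSH only from the upstream LAN
		iifname "eth0" ip saddr 192.168.1.0/24 tcp dport 22 ct state new counter accept
		# DHCP requests from the VLANs served by isc-dhcp-server.  dhcpd normally receives
		# through a packet socket that does not pass this hook; the rule covers its
		# fallback UDP socket and makes the intent explicit.
		iifname { "eth0.255", "eth0.300", "eth0.301" } udp dport 67 counter accept
		counter drop
	}
	chain output {
		type filter hook output priority 0; policy drop;
		ct state invalid counter drop
		icmp type timestamp-request counter drop
		ct state { related, established } counter accept
		oifname "lo" counter accept
		# ADDITIONAL RULES
		# the router's own DNS (UDP plus the TCP fallback), NTP, apt and ping, upstream only
		oifname "eth0" udp dport { domain, ntp } counter accept
		oifname "eth0" tcp dport { domain, http, https } counter accept
		oifname "eth0" ip protocol icmp counter accept
		# DHCP replies sent through dhcpd's fallback UDP socket
		oifname { "eth0.255", "eth0.300", "eth0.301" } udp sport 67 udp dport 68 counter accept
		counter drop
	}
	chain forward {
		type filter hook forward priority 0; policy drop;
		ct state invalid counter drop
		icmp type timestamp-request counter drop
		ct state { related, established } counter accept
		# ADDITIONAL RULES
		# New flows only from a VLAN towards the upstream side.  A bare 'ct state new accept'
		# here would also let hosts on eth0 open connections into the VLANs and let the
		# VLANs reach each other; both now fall through to the drop.
		iifname { "eth0.255", "eth0.300", "eth0.301" } oifname "eth0" ct state new counter accept
		counter drop
	}
}

table ip nat {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		# source NAT for every VLAN leaving through eth0 (also covers the router's own
		# packets sourced from a VLAN address, e.g. 'ping -I 10.0.0.1')
		oifname "eth0" ip saddr 10.0.0.0/24 counter masquerade
		oifname "eth0" ip saddr 172.17.0.0/29 counter masquerade
		oifname "eth0" ip saddr 172.18.0.0/29 counter masquerade
	}
}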
Testes
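## NAT check from the router itself: bind to the VLAN *address*, not the interface name.
## With '-I eth0.255' (SO_BINDTODEVICE) the kernel treats 8.8.8.8 as on-link for that
## VLAN and ARPs for it there, so the packet never leaves via eth0 or hits the masquerade
## rule; a source address of 10.0.0.1 takes the default route and is NATed.
# ping -c 3 -I 10.0.0.1 8.8.8.8
## DHCP: config syntax check, live service log, issued leases
# dhcpd -t -cf /etc/dhcp/dhcpd.conf
# journalctl -u isc-dhcp-server -f
## /var/log/syslog exists only with rsyslog installed (not part of a default Bookworm install)
# tail -f -n 40 /var/log/syslog
# cat /var/lib/dhcp/dhcpd.leases
## routing table and the loaded firewall/NAT rules
# ip r
# nft list ruleset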