Firewall and router on Debian

Network interfaces

/etc/network/interfaces

# The loopback network interface
auto lo
iface lo inet loopback

# WAN network interface. Note that 172.16.2.16/28 is itself an RFC 1918 range,
# so the upstream side is another private segment, not the public Internet
# directly; the ufw rules below still treat eth0 as the untrusted side.
auto eth0
iface eth0 inet static
address 172.16.2.19
netmask 255.255.255.240
network 172.16.2.16
broadcast 172.16.2.31
gateway 172.16.2.17

# LAN network interface (192.168.122.0/27). This address is the LAN default
# gateway and is also where dnsmasq (DNS/DHCP) and ntpd serve the LAN.
auto eth1
iface eth1 inet static
address 192.168.122.1
netmask 255.255.255.224
network 192.168.122.0
broadcast 192.168.122.31

UFW

# ufw is inactive after installation; it is switched on at the end of this section
apt-get install ufw

/etc/default/ufw

# ACCEPT makes the FORWARD chain pass every routed packet, including packets that
# arrive on eth0 addressed into the LAN: any host on the upstream segment only
# needs a route for 192.168.122.0/27 via 172.16.2.19 to reach LAN machines
# directly, bypassing NAT. The safer setting is "DROP" combined with explicit
# accept rules in the ufw-before-forward chain of /etc/ufw/before.rules
# (LAN -> eth0, RELATED/ESTABLISHED replies, and the DNAT target on TCP/10000).
DEFAULT_FORWARD_POLICY="ACCEPT"

/etc/ufw/sysctl.conf

# enable routing between eth0 and eth1; ufw applies this file each time it starts,
# so it takes precedence over the same key in /etc/sysctl.conf
net/ipv4/ip_forward=1

/etc/ufw/before.rules

# add the following block at the top of the file, before the existing *filter section

# NAT table rules
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Port Forwardings
# Exposes TCP/10000 on 192.168.122.14 ("home-alarm" in the dnsmasq and hosts
# configuration below) to every host that can reach eth0. DNAT only rewrites the
# destination; whether the packet is actually passed on is decided by the FORWARD
# chain (DEFAULT_FORWARD_POLICY / ufw-before-forward). If only known remote
# addresses need to reach the alarm, add "-s <trusted-range>" to this rule.
-A PREROUTING -i eth0 -p tcp --dport 10000 -j DNAT --to-destination 192.168.122.14:10000

# Forward traffic through eth0 (Internet)
# Source-limited to the LAN prefix so nothing else that happens to be routed out
# of eth0 is masqueraded behind 172.16.2.19.
-A POSTROUTING -s 192.168.122.0/27 -o eth0 -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't
# be processed
COMMIT

# insert the following lines into the *filter section, between the '# allow dhcp client to work' block and the '# ufw-not-local' block

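# allow dhcp server (broadcast requests)
-A ufw-before-input -p udp -i eth1 --sport 67:68 --dport 67:68 -j ACCEPT

# Routed traffic: make the forwarding decision explicit instead of relying on
# DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw. Once these rules are in
# place that policy can be set to "DROP", after which hosts on the eth0 side can
# no longer route into 192.168.122.0/27 except through the port forward.
# LAN -> upstream: anything initiated from the LAN prefix
-A ufw-before-forward -i eth1 -o eth0 -s 192.168.122.0/27 -j ACCEPT
# replies to LAN-initiated connections (the stock before.rules usually already
# carries an equivalent conntrack rule; a duplicate is harmless)
-A ufw-before-forward -i eth0 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# the DNAT target from the *nat section: new TCP/10000 connections to home-alarm only
-A ufw-before-forward -i eth0 -o eth1 -p tcp -d 192.168.122.14 --dport 10000 -m conntrack --ctstate NEW -j ACCEPT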

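# State the policy explicitly so the rule set does not depend on distribution
# defaults: inbound is denied unless allowed below, outbound is open.
ufw default deny incoming
ufw default allow outgoing

# the LAN side (eth1) is fully trusted
ufw allow in on eth1 to any
ufw allow out on eth1 to any

# Services reachable from the WAN side as well. These rules are not bound to an
# interface, so each one opens the port on eth0 too.
# SSH is rate-limited rather than plainly allowed: ufw denies a source that has
# opened 6 or more connections within 30 seconds, which blunts password
# brute-forcing. If SSH from the WAN is not needed at all, drop this line --
# eth1 is already fully allowed above.
ufw limit ssh
ufw allow smtp
ufw allow https
ufw allow http
# application-specific port; record what listens here
ufw allow 9058

# restart so the before.rules and /etc/default/ufw changes take effect
ufw disable && ufw enable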

Dnsmasq

# after installation, replace the stock /etc/dnsmasq.conf with the settings below
apt-get install dnsmasq

/etc/dnsmasq.conf

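# --- DNS ---
# never forward bare names (no dots) or reverse lookups for private ranges upstream
domain-needed
bogus-priv
# Refuse upstream answers that point at private or loopback addresses. This is
# DNS-rebinding protection for LAN browsers; remove it only if an external name
# you rely on legitimately resolves to an RFC 1918 address.
stop-dns-rebind
# upstream forwarders live in this file, not in /etc/resolv.conf (which points back at dnsmasq)
resolv-file=/etc/resolv.dnsmasq
# homelan is answered locally and never forwarded
local=/homelan/
# drop privileges after start-up
user=dnsmasq
# serve loopback and the LAN address only; nothing is offered on the eth0 address
listen-address=127.0.0.1
listen-address=192.168.122.1
no-dhcp-interface=eth0
# every /etc/hosts name also resolves as <name>.homelan
expand-hosts
domain=homelan

# --- DHCP ---
# pool .2-.20, 72h leases; the reservations below fall inside the pool, which dnsmasq allows
dhcp-range=192.168.122.2,192.168.122.20,255.255.255.224,72h
# Fixed addresses keyed on the MAC address. A MAC is trivially spoofable, so do
# not treat these addresses as an identity for access-control purposes.
dhcp-host=home-desktop,192.168.122.2,6c:f0:49:7a:52:10
dhcp-host=home-laptop,192.168.122.3,00:13:e8:99:4b:f7
dhcp-host=home-receiver,192.168.122.4,00:1e:b8:06:4e:11
dhcp-host=faix-desktop,192.168.122.5,00:18:8b:68:aa:4b
dhcp-host=faix-laptop,192.168.122.6,00:13:ce:11:02:fc
dhcp-host=faix-receiver,192.168.122.7,00:1e:b8:06:4c:72
dhcp-host=jan-phone,192.168.122.8,d4:20:6d:44:72:ac
dhcp-host=wassana-phone,192.168.122.9,e8:99:c4:02:2c:00
dhcp-host=home-printer,192.168.122.10,00:01:e6:7d:14:36
dhcp-host=faix-printer,192.168.122.11,00:01:e6:31:6d:e7
dhcp-host=home-tablet,192.168.122.12,ac:22:0b:a1:af:f6
dhcp-host=faix-xbmc,192.168.122.13,b8:27:eb:ad:47:a5
dhcp-host=home-alarm,192.168.122.14,00:19:ba:02:6a:49
# this host is the default gateway and the LAN NTP server
dhcp-option=option:router,192.168.122.1
dhcp-option=option:ntp-server,192.168.122.1
# option 27: all subnets are local
dhcp-option=27,1
# Microsoft-specific option: release the lease on shutdown
dhcp-option=vendor:MSFT,2,1i
dhcp-lease-max=20
dhcp-leasefile=/var/lib/misc/dnsmasq.leases
# this is the only DHCP server on the LAN, so answer unknown leases immediately
dhcp-authoritative

# --- misc ---
neg-ttl=3600
# every local host gets an MX record pointing at home-server
mx-target=home-server
localmx
# own log file (rotated by /etc/logrotate.d/dnsmasq; SIGUSR2 reopens it)
log-facility=/var/log/dnsmasq.log
conf-dir=/etc/dnsmasq.d
dns-forward-max=200
log-async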

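# Pre-create the log and lease files with the ownership the unprivileged dnsmasq
# user needs. The lease path must match dhcp-leasefile= in /etc/dnsmasq.conf
# (the original page created /var/lib/misc/dhcp.leases, which the config never uses).
touch /var/log/dnsmasq.log /var/lib/misc/dnsmasq.leases
chown dnsmasq /var/log/dnsmasq.log /var/lib/misc/dnsmasq.leases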

/etc/resolv.conf

# the router itself resolves through the local dnsmasq; the upstream servers are in /etc/resolv.dnsmasq
nameserver 127.0.0.1

/etc/resolv.dnsmasq

# Read by dnsmasq through resolv-file=. dnsmasq only uses the nameserver lines;
# the domain/search lines are ignored by it and only matter to other readers.
domain homelan
search homelan
# upstream forwarders -- LAN queries leave towards these in cleartext, so choose
# resolvers you trust
nameserver 8.8.8.8
nameserver 8.8.4.4

# dnsmasq only needs read access to this file, so this chown is harmless but
# unnecessary as long as the file keeps the usual world-readable mode
chown dnsmasq /etc/resolv.dnsmasq

/etc/hosts

# Served to the LAN by dnsmasq; with expand-hosts and domain=homelan every name
# here also resolves as <name>.homelan. Keep the addresses in step with the
# dhcp-host reservations in /etc/dnsmasq.conf. .29 and .30 are outside the DHCP
# pool (.2-.20) and are presumably configured statically on the devices themselves.
127.0.0.1 localhost
192.168.122.1 home-server server
192.168.122.2 home-desktop
192.168.122.3 home-laptop
192.168.122.4 home-receiver
192.168.122.5 faix-desktop
192.168.122.6 faix-laptop
192.168.122.7 faix-receiver
192.168.122.8 jan-phone jan
192.168.122.9 wassana-phone wassana
192.168.122.10 home-printer printer1
192.168.122.11 faix-printer printer2
192.168.122.12 home-tablet tablet
192.168.122.13 faix-xbmc
192.168.122.14 home-alarm alarm
192.168.122.29 home-switch switch
192.168.122.30 home-wifi wifi

/etc/logrotate.d/dnsmasq

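# rotation for dnsmasq's own log file (log-facility=/var/log/dnsmasq.log)
/var/log/dnsmasq.log {
    weekly
    missingok
    rotate 5
    notifempty
    delaycompress
    sharedscripts
    # SIGUSR2 makes dnsmasq close and reopen its log file
    postrotate
        [ ! -f /var/run/dnsmasq/dnsmasq.pid ] || kill -USR2 `cat /var/run/dnsmasq/dnsmasq.pid`
    endscript
    # new file owned by the unprivileged dnsmasq user, readable by group root only
    create 0640 dnsmasq root
}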

NTP server

# after installation, replace the stock /etc/ntp.conf with the settings below
apt-get install ntp

/etc/ntp.conf

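driftfile /var/lib/ntp/ntp.drift
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# upstream time sources
server 195.113.144.201
server 195.113.144.238
# local clock as a last-resort source so LAN clients still get answers while
# upstream is unreachable; stratum 10 keeps it from being preferred otherwise
server 127.127.1.0
fudge 127.127.1.0 stratum 10

# Default: plain time service only. noquery blocks ntpq/ntpdc (including monlist)
# and nomodify blocks runtime reconfiguration. limited enforces the rate limits
# and is what makes kod effective. No -6 line is needed while IPv6 is disabled
# in /etc/sysctl.conf.
restrict -4 default kod limited notrap nomodify nopeer noquery
restrict 127.0.0.1
# LAN clients may synchronise but not query or reconfigure the daemon
restrict 192.168.122.0 mask 255.255.255.224 nomodify notrap noquery

# Broadcast to the LAN: this must be the eth1 broadcast address, 192.168.122.31
# for 192.168.122.0/27 (the original 192.168.122.224 is outside the subnet).
# Broadcast mode is unauthenticated; drop this line if no LAN client is
# configured with broadcastclient.
broadcast 192.168.122.31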

Linux kernel settings

/etc/sysctl.conf

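# routing between eth0 and eth1 (also set in /etc/ufw/sysctl.conf; keep both in step)
net.ipv4.ip_forward = 1

# IPv6 is not used on this router; disable it everywhere (the original page
# listed these three lines twice -- once is enough)
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

# --- anti-spoofing / ICMP hardening for a router ---
# drop packets whose source address is not reachable back through the interface
# they arrived on (strict reverse-path filtering; safe with one WAN and one LAN)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# ignore ICMP redirects (this host is the gateway) and never send them to LAN hosts
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# no source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# log packets with impossible source addresses to the kernel log
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# do not answer broadcast pings (smurf amplification)
net.ipv4.icmp_echo_ignore_broadcasts = 1
# fall back to SYN cookies once the SYN backlog below is full
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_rfc1337 = 1

# --- limits and buffers (performance tuning, not security) ---
fs.file-max = 100000
vm.swappiness = 10
# 16 MiB per-socket defaults are large for a small router; revisit if memory is tight
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.rmem_default = 16777216
net.core.wmem_default = 16777216
net.core.optmem_max = 40960
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.core.netdev_max_backlog = 50000
net.ipv4.tcp_max_syn_backlog = 30000
net.ipv4.tcp_max_tw_buckets = 2000000
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.udp_rmem_min = 8192
net.ipv4.udp_wmem_min = 8192
# Window scaling and timestamps are left on (kernel default). The original page
# disabled both, which contradicts the tuning above: without window scaling the
# advertised receive window is capped at 64 KiB regardless of tcp_rmem, and
# tcp_tw_reuse only works when TCP timestamps are present.
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_timestamps = 1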