Gateway box
These notes document the initial setup of an internet gateway for Couchdesign,
covering these two gateways:
"perilin.jones.dk" locally at "192.168.222.1".
"graograman.jones.dk" locally at "192.168.222.2".
Install and initially set up system
Follow the guide at http://box.redpill.dk/ to install image from there.
Run "box-add-tui" to have terminal user-interface (TUI) tools like Midnight Commander.
Run "box-add-gateway" to set up the DHCP service and network routing.
Adapt gateway settings to local network
Edit file /etc/systemd/network/10-eth0.network;
locate this (likely last) line:
DHCP=yes
and replace it with a fixed address in a /24 subnet,
like this (adapt the address to match this system):
Address=192.168.222.2/24
Edit file /etc/dhcp/dhcpd.conf;
locate the (likely almost last) long line starting like this:
subnet 192.168.101.0 ...
and add a similar line below it, with every mention of the network changed to "192.168.222"
and the router changed to the address of this system,
like this (adapt the address to match this system):
subnet 192.168.222.0 netmask 255.255.255.0 { range 192.168.222.50 192.168.222.250; option routers 192.168.222.2; }
Edit file /etc/default/isc-dhcp-server;
locate this (likely almost last) line:
INTERFACESv4=""
and add the builtin network interface, like this:
INTERFACESv4="eth0"
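The three edits above have to be repeated, with different host octets, on both gateways. As an added example (not part of the original notes), this POSIX shell script renders the same three fragments from a LAN prefix and host octet, rejects parameters that would place the gateway's own address inside the DHCP pool, and writes the result to a staging directory for review instead of touching /etc. The --stage flag, the staging directory name and the fragment file names are my own choices; the /24 mask, the .50-.250 pool and eth0 come from the notes.

```shell
#!/bin/sh
# Added example, not part of the original notes: render the three settings
# from a LAN prefix and a host octet so both gateways get identical edits.
# Assumes a /24 LAN, the .50-.250 pool from the notes, and interface eth0.
# Fragments are written to a staging directory for review, never to /etc.

# True if $1 is an integer in 0..255.
valid_octet() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 0 ] && [ "$1" -le 255 ]
}

# True if $1 is a three-octet prefix such as 192.168.222.
valid_prefix() {
    saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$saved_ifs
    [ $# -eq 3 ] && valid_octet "$1" && valid_octet "$2" && valid_octet "$3"
}

# Line for /etc/systemd/network/10-eth0.network, replacing DHCP=yes.
render_address() {            # $1=prefix $2=host octet
    printf 'Address=%s.%s/24\n' "$1" "$2"
}

# Subnet stanza for /etc/dhcp/dhcpd.conf; this gateway is the router.
render_dhcpd_subnet() {       # $1=prefix $2=host octet $3=pool start $4=pool end
    printf 'subnet %s.0 netmask 255.255.255.0 { range %s.%s %s.%s; option routers %s.%s; }\n' \
        "$1" "$1" "$3" "$1" "$4" "$1" "$2"
}

# Line for /etc/default/isc-dhcp-server.
render_dhcp_interfaces() {    # $1=LAN interface
    printf 'INTERFACESv4="%s"\n' "$1"
}

# Reject parameters that are not valid IPv4 octets, an inverted pool,
# or a gateway address that dhcpd could hand out to a client.
check_gateway_params() {      # $1=prefix $2=host octet $3=pool start $4=pool end
    valid_prefix "$1" || { echo "bad prefix: $1" >&2; return 1; }
    for o in "$2" "$3" "$4"; do
        valid_octet "$o" || { echo "bad octet: $o" >&2; return 1; }
    done
    [ "$3" -le "$4" ] || { echo "pool start .$3 is after pool end .$4" >&2; return 1; }
    if [ "$2" -ge "$3" ] && [ "$2" -le "$4" ]; then
        echo "gateway host .$2 lies inside DHCP pool .$3-.$4" >&2
        return 1
    fi
}

# Write the fragments for one gateway into $3 (default: ./gateway-staging).
stage_gateway_config() {      # $1=prefix $2=host octet [$3=staging dir]
    dir=${3:-./gateway-staging}
    check_gateway_params "$1" "$2" 50 250 || return 1
    mkdir -p "$dir" || return 1
    render_address "$1" "$2"              > "$dir/10-eth0.network.fragment"
    render_dhcpd_subnet "$1" "$2" 50 250  > "$dir/dhcpd.conf.fragment"
    render_dhcp_interfaces eth0           > "$dir/isc-dhcp-server.fragment"
    echo "fragments written to $dir"
}

# Usage: sh gateway-config.sh --stage 192.168.222 2 [DIR]
case "${1-}" in
    --stage) stage_gateway_config "$2" "$3" "${4-}" ;;
esac
```

For graograman the call is `--stage 192.168.222 2`, for perilin `--stage 192.168.222 1`; compare the fragments against the existing files before pasting them in.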
Install and setup firewall service
Install package firewalld:
apt install firewalld
Adapt firewalld to match our network topology
(press the actual [TAB] key where mentioned, to autocomplete):
firewall-cmd --set-default-zone=external
firewall-cmd --add-interface=en[TAB]
firewall-cmd --add-service=dhcpv6-client
firewall-cmd --add-service=mosh
firewall-cmd --zone=internal --remove-service=samba-client
firewall-cmd --zone=internal --remove-service=dhcpv6-client
firewall-cmd --zone=internal --add-interface=eth0
firewall-cmd --zone=internal --add-service=dhcp
firewall-cmd --zone=internal --add-service=dhcpv6
firewall-cmd --zone=internal --add-service=dns
firewall-cmd --add-forward-port=proto=tcp:toaddr=192.168.222.250:port=80
firewall-cmd --add-forward-port=proto=tcp:toaddr=192.168.222.250:port=443
firewall-cmd --runtime-to-permanent
Edit file /etc/firewalld/firewalld.conf;
locate this (likely almost last) line:
FirewallBackend=iptables
and change it to use the "nftables" backend, like this:
FirewallBackend=nftables
Edit file /etc/systemd/network/10-eth0.network;
locate these options in section [Network]:
IPMasquerade=yes
IPForward=yes
Remove both options if they exist (handled by firewalld now).
Reboot the system.
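After the reboot it is worth confirming that the running firewalld state really matches the topology built up above (default zone external with the upstream interface and masquerade, eth0 in the internal zone with dhcp/dhcpv6/dns allowed and samba-client/dhcpv6-client removed, tcp/80 and tcp/443 forwarded). The following POSIX shell script is an added example, not part of the original notes: it queries each setting with the corresponding firewall-cmd --query option and counts the mismatches. The FIREWALL_CMD variable is a hypothetical knob that lets the checks run against a stub; the external interface name enp1s0 in the usage line is only an assumption in place of the en[TAB] completion.

```shell
#!/bin/sh
# Added example, not from the original notes: verify the running firewalld
# state matches the topology above, so a mistyped zone or interface is caught
# before the box goes live. FIREWALL_CMD is a hypothetical knob that lets the
# checks run against a stub instead of the real firewall-cmd.
FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}

# Run a firewall-cmd query quietly; only the exit status matters.
fw() { "$FIREWALL_CMD" "$@" >/dev/null 2>&1; }

failed=0
_fail() { echo "FAIL: $*" >&2; failed=$((failed + 1)); }

# Check every setting the procedure above establishes.
# $1=external (upstream) interface, $2=LAN interface, $3=port-forward target.
# Returns the number of failed checks, so 0 means the gateway matches.
gateway_firewall_checks() {
    ext_if=$1; lan_if=$2; target=$3; failed=0

    [ "$("$FIREWALL_CMD" --get-default-zone 2>/dev/null)" = external ] \
        || _fail "default zone is not external"
    fw --zone=external --query-interface="$ext_if" \
        || _fail "$ext_if is not in the external zone"
    fw --zone=internal --query-interface="$lan_if" \
        || _fail "$lan_if is not in the internal zone"
    # The external zone NATs LAN traffic; this replaces IPMasquerade=yes.
    fw --zone=external --query-masquerade \
        || _fail "masquerade is off in the external zone"
    for svc in dhcp dhcpv6 dns; do
        fw --zone=internal --query-service="$svc" \
            || _fail "service $svc is not allowed from the LAN"
    done
    for svc in samba-client dhcpv6-client; do
        fw --zone=internal --query-service="$svc" \
            && _fail "service $svc is still allowed from the LAN"
    done
    # The forwards were added without --zone, so they live in the default zone.
    for port in 80 443; do
        fw --zone=external --query-forward-port="port=$port:proto=tcp:toaddr=$target" \
            || _fail "tcp/$port is not forwarded to $target"
    done
    return "$failed"
}

# IPForward=yes was removed from systemd-networkd; confirm the kernel still
# forwards (firewalld turns this on for masquerading zones).
kernel_forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

# Usage: sh gateway-check.sh enp1s0 eth0 192.168.222.250
if [ $# -eq 3 ]; then
    gateway_firewall_checks "$1" "$2" "$3" && echo "firewalld matches the gateway topology"
    kernel_forwarding_enabled || echo "WARN: net.ipv4.ip_forward is 0" >&2
fi
```

Two things the checks cannot tell you: the queries read the runtime configuration, so any later change must again be followed by firewall-cmd --runtime-to-permanent or it is gone at the next reboot; and 192.168.222.250, the forward target, is also the last address of the dhcpd range above, so the host receiving tcp/80 and tcp/443 needs a fixed assignment (a host declaration with fixed-address in dhcpd.conf, or a pool that stops below .250), otherwise the forward may end up pointing at whichever client happens to lease that address.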