Linux Router Configuration Guide

An interactive guide to converting a Xubuntu VM into a functional router.

Introduction

This guide details the process of converting a Xubuntu 24.04 LTS Virtual Machine into a functional Linux Router. You will learn to configure network interfaces, enable IP forwarding, and set up Network Address Translation (NAT) using UFW and Gufw. This section outlines the project's parameters.

Operating System

Xubuntu 24.04 LTS (VirtualBox)

Role

Router VM Configuration

1. Network Topology & Interface Identification

The first step is to identify which network interface connects to the internet (WAN) and which connects to your internal network (LAN). This is crucial for setting up the routing rules correctly. We use the `ip address` command to list all interfaces and their configurations.

Command Used:

ip address

Results Identified:

  • WAN Interface (Internet): `enp0s3`
    • Configuration: Bridged Adapter (DHCP from physical router)
    • IP: www.xxx.yyy.zzz (This is the IP from your home router's DHCP server)
  • LAN Interface (Internal): `enp0s8`
    • Configuration: Internal Network ("lan")
    • IP Target: `192.168.1.1` (This will be our router's gateway IP)

2. LAN Interface Configuration

Now we must assign a static IP address to the internal LAN interface (`enp0s8`). This address will serve as the default gateway for all client machines on the internal network. This was done using the GUI (Advanced Network Configuration).

IPv4 Settings (for `enp0s8`):

  • Method: Manual
  • Address: `192.168.1.1`
  • Netmask: `24` (or `255.255.255.0`)
  • Gateway: *Left Blank* (This is critical to prevent routing conflicts!)

Verification:

After saving, confirm the router itself still has internet access.

ping google.com

3. Firewall & Routing Configuration

This section covers the core of the router setup: enabling packet forwarding and sharing the internet connection (NAT). We will use a hybrid method combining the **Gufw** (GUI) for simple rules and **nano** (CLI text editor) for advanced configuration that the GUI doesn't support.

Key Tools:

  • UFW (Uncomplicated Firewall): The backend firewall.
  • Gufw (GUI): For managing basic allow/deny rules.
  • Nano (Text Editor): For editing configuration files.

4. Step A: Allow LAN Traffic (via Gufw)

First, we must tell the firewall to trust traffic coming from our internal LAN. Since Gufw cannot configure NAT, we use it just for this access rule.

  1. Open **Firewall Configuration** (Gufw).
  2. Unlock settings (if required).
  3. Add a new rule with these properties:
    • Action: Allow
    • Direction: In
    • From: `192.168.1.0/24` (The entire LAN subnet)
    • To: Any

5. Step B: Enable Packet Forwarding (File Edit)

By default, UFW drops all forwarded packets for security. We must change this policy to `ACCEPT` to allow our router to pass traffic from the LAN to the WAN.

File to Edit:

sudo nano /etc/default/ufw

Change Required:

Find this line:

# OLD
DEFAULT_FORWARD_POLICY="DROP"

And change it to:

# NEW
DEFAULT_FORWARD_POLICY="ACCEPT"

6. Step C: Enable NAT / Masquerading (File Edit)

This is the "Internet Sharing" part. We add rules to the `*nat` table in `before.rules`, which UFW loads *before* its main filter rules. This rule tells the kernel to rewrite the source IP of packets from the LAN (`192.168.1.0/24`) to the router's own IP on the WAN interface (`enp0s3`) as they leave through it.

File to Edit:

sudo nano /etc/ufw/before.rules

Addition:

Place this exact block at the **very top** of the file, after any comments but before the `*filter` line:

# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade traffic from LAN (enp0s8) to WAN (enp0s3)
-A POSTROUTING -s 192.168.1.0/24 -o enp0s3 -j MASQUERADE
COMMIT

7. Applying Changes

To make all our new configurations active, the firewall must be reloaded. This ensures it reads the new `DEFAULT_FORWARD_POLICY` and the new `before.rules` NAT configuration.

Method 1 (GUI):

  1. In the Gufw window, switch Status **OFF**.
  2. Wait one second.
  3. Switch Status back **ON**.

Method 2 (CLI):

sudo ufw disable && sudo ufw enable

8. Final Verification

The final step is to confirm that the rules are loaded correctly into the kernel's firewall tables. We check two things: the UFW status (for our LAN rule) and the `iptables` NAT table (for our MASQUERADE rule).

Check UFW Status:

This confirms the `ALLOW` rule for the LAN is active.

sudo ufw status verbose

Check NAT Rules:

This confirms the `MASQUERADE` rule is loaded from `before.rules`.

sudo iptables -t nat -L POSTROUTING -n -v
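
As a complement to the two commands above, the following added example (not part of the original guide) audits the files edited in Steps B and C before or after a reload. It also reads the kernel's `net.ipv4.ip_forward` flag, since the forward policy and NAT rule have no effect while that flag is 0. The function names and the `audit.sh` file name are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the guide). Function names are illustrative.

# Print the last uncommented DEFAULT_FORWARD_POLICY value in FILE; the file is
# sourced as shell, so the last assignment is the one that takes effect.
forward_policy() {
    sed -n 's/^[[:space:]]*DEFAULT_FORWARD_POLICY="\{0,1\}\([A-Za-z]*\).*/\1/p' "$1" |
        tail -n 1
}

# Print "ok" if FILE has a *nat block, closed by COMMIT, holding a MASQUERADE
# rule for SUBNET leaving via WAN_IF; otherwise print what is wrong.
nat_block_status() {  # usage: nat_block_status FILE SUBNET WAN_IF
    awk -v subnet="$2" -v wan="$3" '
        /^[[:space:]]*#/ { next }                    # commented-out lines do not count
        $1 == "*nat"     { in_nat = 1; rule = 0; next }
        in_nat && substr($1, 1, 1) == "*" { broken = 1; in_nat = 0 }  # no COMMIT yet
        in_nat && $1 == "COMMIT" { in_nat = 0; if (rule) ok = 1; next }
        in_nat && $1 == "-A" && $2 == "POSTROUTING" && /-j MASQUERADE/ {
            s = o = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-s" && $(i + 1) == subnet) s = 1
                if ($i == "-o" && $(i + 1) == wan)    o = 1
            }
            if (s && o) rule = 1
        }
        END {
            if (ok) print "ok"
            else if (broken || in_nat) print "*nat block is not closed with COMMIT"
            else print "no MASQUERADE rule for " subnet " via " wan " in a *nat block"
        }' "$1"
}

# Audit the three settings; arguments default to the guide's paths and values.
audit_router() {  # usage: audit_router [DEFAULTS] [RULES] [SUBNET] [WAN_IF] [FLAG]
    rc=0
    [ "$(forward_policy "${1:-/etc/default/ufw}")" = "ACCEPT" ] ||
        { echo "FAIL: DEFAULT_FORWARD_POLICY is not ACCEPT"; rc=1; }
    status=$(nat_block_status "${2:-/etc/ufw/before.rules}" \
        "${3:-192.168.1.0/24}" "${4:-enp0s3}")
    [ "$status" = "ok" ] || { echo "FAIL: $status"; rc=1; }
    [ "$(cat "${5:-/proc/sys/net/ipv4/ip_forward}")" = "1" ] ||
        { echo "FAIL: kernel IPv4 forwarding is off"; rc=1; }
    [ "$rc" -eq 0 ] && echo "PASS"
    return "$rc"
}

# Audit the live files only when asked, e.g. `sudo sh audit.sh run`.
if [ "${1:-}" = "run" ]; then audit_router; fi
```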

9. Lab Notes & Troubleshooting

This section contains important troubleshooting notes and key takeaways from the lab. These are critical for understanding *why* certain steps were taken and how to avoid common problems.

Gufw Display Error

Initially, `gufw` failed to launch via CLI due to a display server permission error (`Gtk-WARNING`).

Solution: Rebooting the VM resolved the display server/root permission conflict, allowing Gufw to open normally.

Critical: Gateway Setting

It is absolutely critical that the LAN interface (`enp0s8`) does **not** have a Gateway IP set in the network manager. If it does, it will override the router's correct default route to the internet (via `enp0s3`), and the router will lose internet access.
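
One way to detect this condition from the routing table, as an added example that is not part of the original guide: the function reads the output of `ip -4 route show default` and reports whether any default route sits on the LAN interface and which default route currently wins (lowest metric). The function name and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the guide). gateway_check is an illustrative name.
# usage: ip -4 route show default | gateway_check WAN_IF LAN_IF
gateway_check() {
    awk -v wan="$1" -v lan="$2" '
        $1 == "default" {
            dev = ""; metric = 0              # a route without "metric" counts as 0
            for (i = 2; i < NF; i++) {
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "metric") metric = $(i + 1)
            }
            if (dev == lan) via_lan = 1       # a gateway was saved on the LAN side
            if (best == "" || metric + 0 < best_metric) {
                best = dev; best_metric = metric + 0   # lowest metric wins
            }
        }
        END {
            if (best == "")       print "no default route"
            else if (via_lan)     print "conflict: default route on " lan " (active: " best ")"
            else if (best == wan) print "ok"
            else                  print "unexpected default route via " best
        }'
}

# Constructed sample: the broken state, with a gateway saved on enp0s8.
sample_conflict='default via 192.0.2.1 dev enp0s3 proto dhcp metric 100
default via 192.168.1.254 dev enp0s8 proto static metric 101'
printf '%s\n' "$sample_conflict" | gateway_check enp0s3 enp0s8
```

On the router VM itself, run `ip -4 route show default | gateway_check enp0s3 enp0s8`; anything other than `ok` means the LAN connection profile needs its Gateway field cleared.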

End of Lab & Next Steps

The Router VM is now successfully acting as a gateway. The next logical step is to configure your Client VM on the "lan" network to use this router.

  • Client IP: (e.g., `192.168.1.10`)
  • Client Netmask: `24` (or `255.255.255.0`)
  • Client Default Gateway: `192.168.1.1` (The router's LAN IP)
  • Client DNS: `8.8.8.8` (or any public DNS)