Ubuntu LTS 14.04 Server Router From Scratch

Building your very own Ubuntu Server from Scratch is as great way to get a grasp at how things work under the hood, not to mention you’ll end up with a router that does what it is told to do and nothing more.

I’m going to assume you have a working WAN side connection and are able to access the Internet.

The interface mapping is:

eth0 -> LAN side
eth1 -> WAN side

Enable PACKET Forwarding

Edit /etc/sysctl.conf and uncomment (or add) the following line:


So far, so good!

Setting up IPTABLES

The heart of every router is the firewall and in our case, this means we have deal with iptables. The good part is that it does exactly what we tell it to do. Create /etc/iptables.rules and add the following to it:

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth0 -m state -–state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

And now modify the /etc/network/interfaces file as follows:

iface eth0 inet static
  post-up iptables-restore < /etc/iptables.rules

Which will cause the networking to refresh the iptables config every time the interface comes online. Neat!

Setting up DHCP

Install the package that handles the DHCP service using this command:

apt-get install isc-dhcp-server bind9

After which the first thing is to bind DHCP to an interface (or multiple ones, at that). Look up /etc/default/isc-dhcp-server and modify it so that it contains your network interface (preferably the LAN side, if we are talking about homo/SOHO usage):


Be extra sure to assign a static IP address to this interface

Next up is the DHCP config itself, which contains the networks and the IP scopes as well: /etc/dhcp/dhcpd.conf

ddns-update-style none;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
option subnet-mask;
option broadcast-address;
option routers;
option domain-name-servers;
option domain-name "ubuntu.router";

subnet netmask {

Now we need to restart the service so the changes would take effect:

/etc/init.d/isc-dhcp-server restart

You should be able to browse the Internet with any connected DHCP client.

Do not forget to harden the security of your shiny new router!

Thanks for reading! Please consider Buying me a Coffee or checking out Colibri!