Ubuntu – How to configure 2 lan cards


I have Ubuntu 14.04 installed on my system and I use it as a server in my office, where 15 employees work. I have 2 LAN cards in my system:

  • One for input from the router to my Ubuntu server
  • The other one from my system to a switch, which connects all my employees through that switch via LAN cables.

Now, how can I configure both of my LAN cards, as I want to block some sites and put some restrictions on the network?

Best Answer

I'll assume that on your server eth0 is connected to the switch and eth1 is connected to the router. I'll assume that your LAN network address is 10.1.1.0/255.255.255.0. I'll assume that your router is 192.168.0.1/255.255.255.0.

On the NIC connected to the switch, assign an IP address in the same range as the LAN served by your switch, but without a gateway definition. In /etc/network/interfaces:

auto eth0
iface eth0 inet static
   address 10.1.1.1
   netmask 255.255.255.0

On the NIC connected to the router, I see two possibilities regarding your own setup:

  1. You assign a fixed IP, in the same range as the one of your router, and you set the default gateway toward this router IP. In this case, you should add this to your /etc/network/interfaces:

auto eth1
iface eth1 inet static
    address 192.168.0.2
    netmask 255.255.255.0
    gateway 192.168.0.1

  2. The router is able to assign an IP dynamically to your server (DHCP); then you just have to configure this NIC as a DHCP-enabled NIC. In this case, you should add this to your /etc/network/interfaces:

auto eth1
iface eth1 inet dhcp

The second step is to be sure that you will be able to route traffic between these two NICs. To allow this, you will have to adapt the file /etc/sysctl.conf. In this file, uncomment the following line:

net.ipv4.ip_forward=1

This setting will be activated at the next reboot. If you want to activate it manually without rebooting, you can do the following:

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

The third step is to be sure that all the PCs of your employees are configured to use 10.1.1.1, the IP of the LAN card connected to the switch, as their default gateway.

The above steps will help you to set up the network connections of your server, but if you need to enforce restrictions for your employees, you will also have to consider the following:

  1. Using iptables (aka the Linux firewall) to block some traffic you do not allow to the Internet. Iptables rules can be very complex to manage, so I suggest that you install and try the software called ufw, the Uncomplicated Firewall, which will make your life easier with iptables. More information about these tools can be found on the Ubuntu Community Help Wiki, among others.
  2. You may also consider installing a web proxy server, like Squid. A web proxy server will allow you to restrict the web sites that can be visited by your employees. A web proxy can also enable authentication, so only known users are allowed to use it. Rules in Squid can be set up in such a way that user1 and user2 don't have the same restrictions. Have a look at the sites of these products for information on how to set them up.
  3. In the web browser of each PC, you have to specify the internal IP address of your server (in my example 10.1.1.1) as the proxy server. To be sure that your employees don't go directly to the Internet, bypassing the proxy and its protections, you will have to create firewall rules on the server to block traffic toward ports 80 & 443 from the LAN to the Internet.
  4. The setup of Squid can be completed with some addons that retrieve lists of web site categories to make blocking easier. For instance, squidguard can be combined with Squid to retrieve blacklists of web sites to automatically block access to these sites, without having to configure each of them manually within the standard Squid configuration. More info there.

All three of the software packages mentioned above are available from the standard Ubuntu repository, so just doing:

sudo apt-get install ufw squid squidguard

will install the software. You will have to refine their configuration to follow your needs.

Remark:

Making your server a web proxy is also possible if your server only has one NIC. Depending on your router type, it may be possible to do all the firewall things in it. In this case, the network setup will be easier to do:

  1. The router IP is the default gateway for any device on the network, PCs & server
  2. Router, server and PCs are connected to the same switches
  3. Router, server and PCs are in the same subnet, so if the router is DHCP-capable, it can do the DHCP for the PCs too, and you don't have to bother about the network configuration on each PC
  4. Squid & squidguard can still be installed on your server and used by all PCs.
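An added example (not part of the answer above) of the server-side firewall rules that item 3 of the answer calls for: it builds the iptables FORWARD rules that reject direct LAN traffic to ports 80 and 443 so that every browser has to go through the Squid proxy on 10.1.1.1, while still routing everything else out via eth1. It uses raw iptables rather than ufw so that the rule order is explicit; eth0, eth1 and 10.1.1.0/24 are the answer's assumed layout, and the MASQUERADE rule is an assumption added here for the case where the router has no route back to the LAN subnet.

```shell
#!/bin/sh
# Added example: proxy-enforcement rules for the two-NIC server described above.
# The rules are emitted as text so they can be reviewed (or tested) before being
# applied with apply_rules as root.

# build_rules LAN_IF WAN_IF LAN_NET : print the iptables commands, in order.
build_rules() {
    lan_if="$1"; wan_if="$2"; lan_net="$3"
    # Replies to flows the LAN already opened may always come back in.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Direct web traffic must not bypass the proxy: reject it BEFORE the
    # general accept rule, otherwise the check is never reached.
    for port in 80 443; do
        echo "iptables -A FORWARD -i $lan_if -o $wan_if -s $lan_net -p tcp --dport $port -j REJECT --reject-with tcp-reset"
    done
    # Everything else from the LAN is routed out through the router.
    echo "iptables -A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT"
    # Nothing else is forwarded (unsolicited traffic from the router side included).
    echo "iptables -P FORWARD DROP"
    # Assumption: the router only knows 192.168.0.x, so hide the LAN behind the
    # server's own address (drop this line if the router has a route to LAN_NET).
    echo "iptables -t nat -A POSTROUTING -o $wan_if -s $lan_net -j MASQUERADE"
}

# check_order LAN_IF WAN_IF LAN_NET : returns 0 only when the port-80 REJECT
# precedes the blanket ACCEPT, i.e. the proxy really cannot be bypassed.
check_order() {
    rules="$(build_rules "$@")"
    reject_line=$(printf '%s\n' "$rules" | grep -n 'dport 80 ' | cut -d: -f1)
    accept_line=$(printf '%s\n' "$rules" | grep -n -- '-j ACCEPT$' | grep -v ESTABLISHED | cut -d: -f1)
    [ -n "$reject_line" ] && [ -n "$accept_line" ] && [ "$reject_line" -lt "$accept_line" ]
}

# apply_rules LAN_IF WAN_IF LAN_NET : install the rules (needs root and iptables).
apply_rules() {
    check_order "$@" || { echo "rule order is wrong, refusing to apply" >&2; return 1; }
    build_rules "$@" | sh
}
```

Run `apply_rules eth0 eth1 10.1.1.0/24` as root after ip_forward is enabled; the rules are not persistent across reboots unless saved with a tool such as iptables-persistent.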