Debian Server Networking Configuration: Complete Guide
Proper network configuration is fundamental to server administration. This comprehensive guide covers everything from basic network setup to advanced configurations including VLANs, bonding, routing, and troubleshooting on Debian servers.
Network Configuration Basics
Network Interface Management
Debian can use either systemd-networkd or the traditional networking scripts. Here's how to work with both:
# View network interfaces (addresses, then link state and flags)
ip addr show
ip link show
# Traditional interface configuration (the ifupdown file); edit as root
sudo nano /etc/network/interfaces
Basic interface configuration:
# The loopback network interface
auto lo
iface lo inet loopback
# Primary network interface: static IPv4, brought up at boot by 'auto'
auto eth0
iface eth0 inet static
address 192.168.1.100
netmask 255.255.255.0
gateway 192.168.1.1
# dns-* lines are applied by the resolvconf hook; without that package they
# are ignored and /etc/resolv.conf must be managed separately — verify on the host
dns-nameservers 8.8.8.8 8.8.4.4
dns-search example.com
Using systemd-networkd
Enable systemd-networkd:
# Disable traditional networking
# NOTE: on a remote host, write the .network file (next step) before stopping
# 'networking'; stopping it may take the interface address down and drop the session.
sudo systemctl disable networking
sudo systemctl stop networking
# Enable systemd-networkd
sudo systemctl enable systemd-networkd
# systemd-resolved provides DNS for networkd-managed links; /etc/resolv.conf
# usually has to point at its stub file — TODO confirm for your release
sudo systemctl enable systemd-resolved
sudo systemctl start systemd-networkd
sudo systemctl start systemd-resolved
Create network configuration:
sudo nano /etc/systemd/network/10-eth0.network
# systemd-networkd unit for eth0 (/etc/systemd/network/10-eth0.network)
[Match]
Name=eth0
[Network]
Address=192.168.1.100/24
Gateway=192.168.1.1
DNS=8.8.8.8
DNS=8.8.4.4
# NOTE(review): Gateway= under [Network] already installs a default route, so
# this [Route] section appears to add a second default route with Metric=100
# — check 'ip route' after applying and keep only one unless both are intended
[Route]
Gateway=192.168.1.1
Metric=100
Advanced Network Configuration
Network Bonding (Link Aggregation)
Install bonding support:
# ifenslave supplies the ifupdown bond-* options used in the stanza below
sudo apt install ifenslave
Configure bonding:
sudo nano /etc/network/interfaces
# Bond interface: bond0 carries the address; the member NICs stay 'manual'
auto bond0
iface bond0 inet static
address 192.168.1.100
netmask 255.255.255.0
gateway 192.168.1.1
bond-slaves eth0 eth1
# active-backup (mode 1) is plain failover and needs no switch support;
# see the mode list below for the alternatives
bond-mode active-backup
# Link-monitoring interval and up/down delays, all in milliseconds
bond-miimon 100
bond-downdelay 200
bond-updelay 200
# Slave interfaces
auto eth0
iface eth0 inet manual
bond-master bond0
auto eth1
iface eth1 inet manual
bond-master bond0
Bonding modes:
- mode=0 (balance-rr): round-robin
- mode=1 (active-backup): failover
- mode=2 (balance-xor): XOR hash
- mode=3 (broadcast): transmit on all slaves
- mode=4 (802.3ad): LACP
- mode=5 (balance-tlb): adaptive transmit load balancing
- mode=6 (balance-alb): adaptive load balancing
VLAN Configuration
Install VLAN support:
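# Install VLAN support (8021q kernel module plus the ifupdown vlan hooks)
sudo apt install vlan
sudo modprobe 8021q
# Load 8021q at boot; the grep guard stops repeated runs from appending
# duplicate lines to /etc/modules
grep -qx '8021q' /etc/modules || echo "8021q" | sudo tee -a /etc/modules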
Configure VLANs:
sudo nano /etc/network/interfaces
# Physical interface: no address of its own, it only carries the tagged frames
auto eth0
iface eth0 inet manual
# VLAN 10 (the .10 suffix is the VLAN ID; vlan-raw-device names the trunk port)
auto eth0.10
iface eth0.10 inet static
address 192.168.10.100
netmask 255.255.255.0
vlan-raw-device eth0
# VLAN 20
auto eth0.20
iface eth0.20 inet static
address 192.168.20.100
netmask 255.255.255.0
vlan-raw-device eth0
Bridge Configuration
Create network bridge:
# bridge-utils supplies the ifupdown bridge_* options used in the stanza below
sudo apt install bridge-utils
Configure bridge:
# Bridge interface: br0 owns the address; eth0 and eth1 are its ports
auto br0
iface br0 inet static
address 192.168.1.100
netmask 255.255.255.0
gateway 192.168.1.1
bridge_ports eth0 eth1
# NOTE(review): with two physical ports and STP off, plugging both into the
# same switch creates a forwarding loop — keep STP on unless one port is a
# host-only (VM/container) link
bridge_stp off
# Zero forward delay and max wait bring the bridge up immediately
bridge_fd 0
bridge_maxwait 0
Firewall Configuration
Using nftables (Modern Approach)
# Install nftables (the default firewall framework on current Debian releases)
sudo apt install nftables
# Create basic ruleset; nftables.service loads this file on start
sudo nano /etc/nftables.conf
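#!/usr/sbin/nft -f
# Basic host firewall: default-deny inbound, allow-all outbound.
# Loaded by nftables.service from /etc/nftables.conf.
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # Accept established connections; drop what conntrack cannot classify
        ct state established,related accept
        ct state invalid drop
        # Accept loopback
        iif lo accept
        # Accept ICMP ('meta l4proto' also matches ICMPv6 behind extension
        # headers, which 'ip6 nexthdr icmpv6' does not)
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept
        # Accept SSH
        tcp dport 22 accept
        # Accept HTTP/HTTPS
        tcp dport { 80, 443 } accept
        # Log dropped packets, rate-limited so a flood cannot fill the journal
        limit rate 5/minute burst 10 packets log prefix "[nftables] Dropped: " level debug
    }
    chain forward {
        # Nothing is forwarded; the nat table below only takes effect once
        # accept rules are added here and net.ipv4.ip_forward is 1
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
# NAT table for masquerading
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "eth0" masquerade
    }
}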
Enable nftables:
# Load /etc/nftables.conf now and on every boot
sudo systemctl enable --now nftables
Advanced iptables Rules
sudo nano /usr/local/bin/setup-firewall.sh
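#!/bin/bash
# Firewall Setup Script
#
# Replaces the running IPv4 iptables ruleset with a default-deny INPUT
# policy, rate-limits SYN/ICMP/SSH, allows the listed services and saves
# the result for iptables-persistent. IPv6 (ip6tables) is not touched.
set -euo pipefail

# Rate limits; tune them for the connection rate this host really sees
readonly SYN_LIMIT="1/s"
readonly SYN_BURST=3
readonly ICMP_LIMIT="1/s"
readonly ICMP_BURST=1
readonly SSH_WINDOW=60   # seconds
readonly SSH_HITS=4      # new SSH connections per source and window before dropping

# iptables needs root; fail before touching any rule
if [[ "$(id -u)" -ne 0 ]]; then
  printf 'setup-firewall.sh must run as root\n' >&2
  exit 1
fi

# Clear existing rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow established connections; drop packets conntrack cannot classify
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# Protection against common attacks
# Syn-flood protection: SYNs over the limit are dropped in their own chain.
# (An INPUT rule that ACCEPTs SYNs under the limit would open every TCP
# port at that rate, bypassing the per-service rules below.)
iptables -N syn-flood
iptables -A syn-flood -m limit --limit "$SYN_LIMIT" --limit-burst "$SYN_BURST" -j RETURN
iptables -A syn-flood -j DROP
iptables -A INPUT -p tcp --syn -j syn-flood
# Port scanning protection: rate-limit bare RST packets. The chain must be
# referenced from INPUT, otherwise defining it has no effect.
iptables -N port-scanning
iptables -A port-scanning -m limit --limit 1/s --limit-burst 2 -j RETURN
iptables -A port-scanning -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scanning
# ICMP flood protection
iptables -A INPUT -p icmp -m limit --limit "$ICMP_LIMIT" --limit-burst "$ICMP_BURST" -j ACCEPT
iptables -A INPUT -p icmp -j DROP

# Allow specific services
# SSH (with rate limiting): more than SSH_HITS new connections from one
# source within SSH_WINDOW seconds are dropped
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update \
  --seconds "$SSH_WINDOW" --hitcount "$SSH_HITS" -j DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# HTTP/HTTPS
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
# DNS (if running DNS server)
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT

# Save rules for iptables-persistent; warn instead of failing when the
# directory is missing (the package creates it)
if [[ -d /etc/iptables ]]; then
  iptables-save > /etc/iptables/rules.v4
else
  printf 'warning: /etc/iptables not found; rules are active but not saved\n' >&2
fi
echo "Firewall configured successfully"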
DNS Configuration
Setting Up BIND9
# Install BIND9 (bind9-utils: rndc and the named-check* tools; dnsutils: dig, nslookup)
sudo apt install bind9 bind9-utils dnsutils
# Configure BIND9 global options
sudo nano /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
// Forwarding: recursive lookups are sent to these upstream resolvers
forwarders {
8.8.8.8;
8.8.4.4;
};
// Security
dnssec-validation auto;
auth-nxdomain no;
listen-on-v6 { any; };
// Access control: only localhost and the LAN may query; zone transfers and
// dynamic updates are refused (the DHCP DDNS example later in this guide
// would therefore be rejected unless allow-update is opened for it)
allow-query { localhost; 192.168.1.0/24; };
// NOTE(review): allow-recursion is not set; BIND's default is
// { localnets; localhost; } — set it explicitly if clients on other subnets need recursion
allow-transfer { none; };
allow-update { none; };
// Hide version
version "DNS Server";
};
Create DNS Zone
sudo nano /etc/bind/named.conf.local
// Forward zone for example.com
zone "example.com" {
type master;
file "/etc/bind/zones/db.example.com";
};
// Reverse zone for 192.168.1.0/24; db.192.168.1 is not shown in this guide
// and must be created alongside db.example.com
zone "1.168.192.in-addr.arpa" {
type master;
file "/etc/bind/zones/db.192.168.1";
};
Create the forward zone file (the reverse zone file /etc/bind/zones/db.192.168.1 referenced above must be created the same way):
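# -p: no error if the directory already exists, so the step can be re-run
sudo mkdir -p /etc/bind/zones
sudo nano /etc/bind/zones/db.example.com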
$TTL 604800
; SOA: primary name server and admin mailbox (admin.example.com. = admin@example.com)
@ IN SOA ns1.example.com. admin.example.com. (
2024020701 ; Serial (YYYYMMDDnn; bump it on every edit or secondaries will not reload)
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
; Name servers (trailing dots make these absolute names)
@ IN NS ns1.example.com.
@ IN NS ns2.example.com.
; A records
ns1 IN A 192.168.1.10
ns2 IN A 192.168.1.11
@ IN A 192.168.1.100
www IN A 192.168.1.100
mail IN A 192.168.1.20
; MX records
@ IN MX 10 mail.example.com.
; CNAME records
ftp IN CNAME www.example.com.
DHCP Server Configuration
Install and Configure ISC DHCP
# Install DHCP server
# NOTE(review): ISC DHCP is end-of-life upstream (ISC points to Kea); it is
# still packaged, but check the support status for your Debian release
sudo apt install isc-dhcp-server
# Configure the interface(s) dhcpd listens on
sudo nano /etc/default/isc-dhcp-server
# Listen on eth0 only; add eth0.10 here if the VLAN subnet in dhcpd.conf is to be served
INTERFACESv4="eth0"
INTERFACESv6=""
Configure DHCP:
sudo nano /etc/dhcp/dhcpd.conf
# Global options
option domain-name "example.com";
option domain-name-servers 192.168.1.10, 192.168.1.11;
default-lease-time 600;
max-lease-time 7200;
# Enable DDNS updates
# NOTE(review): 'interim' is the legacy style ('standard' on newer ISC DHCP);
# updates also need a TSIG key and zone {} statements here, and BIND must
# allow them — the named.conf.options above uses allow-update { none; }
ddns-update-style interim;
update-static-leases on;
# Subnet declaration
subnet 192.168.1.0 netmask 255.255.255.0 {
# NOTE(review): 192.168.1.100 is the server's own static address earlier in
# this guide; start the pool above every statically configured host
range 192.168.1.100 192.168.1.200;
option routers 192.168.1.1;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
# Static IP assignments (fixed addresses sit outside the dynamic range)
host server1 {
hardware ethernet 00:11:22:33:44:55;
fixed-address 192.168.1.50;
}
host printer {
hardware ethernet 00:11:22:33:44:66;
fixed-address 192.168.1.60;
}
}
# VLAN subnet: dhcpd must also listen on the VLAN interface (INTERFACESv4) to serve it
subnet 192.168.10.0 netmask 255.255.255.0 {
range 192.168.10.100 192.168.10.200;
option routers 192.168.10.1;
}
Network Troubleshooting
Diagnostic Tools Script
sudo nano /usr/local/bin/network-diagnostics.sh
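#!/bin/bash
# Network Diagnostics Script
#
# Prints a one-shot report: interfaces, routes, DNS, sockets, counters,
# neighbours, reachability of a few targets, bandwidth and firewall rules.
# Socket owners and firewall rules are only complete when run as root.
set -uo pipefail   # no -e: a failing probe must not abort the report

if [[ "$(id -u)" -ne 0 ]]; then
  printf 'note: not running as root; process names and firewall rules may be incomplete\n' >&2
fi

echo "=== Network Diagnostics Report ==="
echo "Date: $(date)"
echo ""
# Interface status
echo "=== Network Interfaces ==="
ip addr show
echo ""
# Routing table
echo "=== Routing Table ==="
ip route show
echo ""
echo "=== IPv6 Routes ==="
ip -6 route show
echo ""
# DNS configuration (under systemd-resolved the file is only the stub;
# resolvectl shows the upstream servers actually in use)
echo "=== DNS Configuration ==="
cat /etc/resolv.conf
if command -v resolvectl >/dev/null 2>&1; then
  resolvectl status 2>/dev/null | head -30
fi
echo ""
# Connection status (-r would reverse-resolve every peer address and can
# stall the report, so output stays numeric)
echo "=== Active Connections ==="
ss -tunap | head -20
echo ""
# Network statistics: netstat comes from the deprecated net-tools package,
# so fall back to iproute2's nstat when it is absent
echo "=== Network Statistics ==="
if command -v netstat >/dev/null 2>&1; then
  netstat -s | head -50
else
  nstat -a | head -50
fi
echo ""
# Neighbour (ARP/NDP) table; 'ip neigh' replaces the net-tools 'arp -n'
echo "=== ARP Table ==="
ip neigh show
echo ""
# Test connectivity: a public resolver, a public name and the default gateway
# (read from the routing table rather than relying on a 'gateway' hostname)
echo "=== Connectivity Tests ==="
hosts=("8.8.8.8" "google.com")
gateway=$(ip route show default 2>/dev/null | awk '$2 == "via" {print $3; exit}')
if [[ -n "$gateway" ]]; then
  hosts+=("$gateway")
fi
for host in "${hosts[@]}"; do
  printf 'Ping %s: ' "$host"
  if ping -c 1 -W 2 "$host" >/dev/null 2>&1; then
    echo "OK"
  else
    echo "FAILED"
  fi
done
echo ""
# Bandwidth test (optional; iftop needs root to capture)
echo "=== Bandwidth Usage ==="
if command -v iftop >/dev/null 2>&1; then
  timeout 5 iftop -t -s 5 2>/dev/null | head -20
fi
echo ""
# Firewall rules
echo "=== Firewall Rules ==="
if command -v nft >/dev/null 2>&1; then
  nft list ruleset | head -50
else
  iptables -L -n -v | head -50
fi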
Network Performance Testing
# Install performance tools (mtr-tiny provides the mtr used by the script;
# tcpdump and nmap are not used by the script below)
sudo apt install iperf3 mtr-tiny tcpdump nmap
# Create performance test script
sudo nano /usr/local/bin/network-performance.sh
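#!/bin/bash
# Network Performance Testing Script
#
# Usage: network-performance.sh [TEST_SERVER] [INTERFACE]
# Both may also be given as environment variables; the defaults below apply
# otherwise. TEST_SERVER must answer ICMP and, for the bandwidth section,
# run an iperf3 server.
set -uo pipefail   # no -e: a failing probe is a result, not a script error

TEST_SERVER="${1:-${TEST_SERVER:-speedtest.example.com}}"
INTERFACE="${2:-${INTERFACE:-eth0}}"
readonly TEST_SERVER INTERFACE
# IPv4 header (20) + ICMP header (8): converts ping payload size to MTU
readonly ICMP_OVERHEAD=28

echo "=== Network Performance Test ==="
echo ""
# MTU discovery: -M do sets DF, so an oversized probe fails instead of fragmenting
echo "=== MTU Discovery ==="
if ping -c 1 -M do -s $((1500 - ICMP_OVERHEAD)) "$TEST_SERVER" 2>/dev/null; then
  echo "MTU 1500 is working fine"
else
  echo "MTU issues detected, testing..."
  for size in 1472 1464 1452 1400; do
    if ping -c 1 -M do -s "$size" "$TEST_SERVER" >/dev/null 2>&1; then
      echo "Max MTU size: $((size + ICMP_OVERHEAD))"
      break
    fi
  done
fi
echo ""
# Latency test (the last line of ping output is the rtt min/avg/max/mdev summary)
echo "=== Latency Test ==="
ping -c 10 "$TEST_SERVER" | tail -1
echo ""
# Traceroute (mtr from mtr-tiny; -r report mode, -c 10 cycles)
echo "=== Traceroute ==="
if command -v mtr >/dev/null 2>&1; then
  mtr -r -c 10 "$TEST_SERVER"
else
  printf 'mtr not installed; skipping traceroute\n' >&2
fi
echo ""
# Bandwidth test with iperf3 (10 s, 4 parallel streams)
echo "=== Bandwidth Test ==="
if command -v iperf3 >/dev/null 2>&1; then
  echo "Starting iperf3 client test..."
  iperf3 -c "$TEST_SERVER" -t 10 -P 4
fi
echo ""
# Interface statistics
echo "=== Interface Statistics ==="
ip -s link show "$INTERFACE"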
IPv6 Configuration
Enable IPv6
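# Check IPv6 support (1 = IPv6 disabled, 0 = enabled)
cat /proc/sys/net/ipv6/conf/all/disable_ipv6
# Enable IPv6 persistently; the grep guards stop repeated runs from appending
# duplicate lines (if a line already sets the key to 1, edit that line instead)
grep -q '^net.ipv6.conf.all.disable_ipv6' /etc/sysctl.conf \
  || echo "net.ipv6.conf.all.disable_ipv6 = 0" | sudo tee -a /etc/sysctl.conf
grep -q '^net.ipv6.conf.default.disable_ipv6' /etc/sysctl.conf \
  || echo "net.ipv6.conf.default.disable_ipv6 = 0" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p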
Configure IPv6 Addresses
sudo nano /etc/network/interfaces
# IPv6 static configuration (an inet6 stanza sits alongside the inet one for eth0)
iface eth0 inet6 static
address 2001:db8::100
netmask 64
gateway 2001:db8::1
dns-nameservers 2001:4860:4860::8888 2001:4860:4860::8844
# IPv6 with SLAAC: choose either this stanza or the static one above, not both
iface eth0 inet6 auto
accept_ra 1
VPN Configuration
OpenVPN Server Setup
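# Install OpenVPN
sudo apt install openvpn easy-rsa
# Setup PKI (build-ca asks for a CA passphrase and Common Name interactively)
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
./easyrsa init-pki
./easyrsa build-ca
./easyrsa gen-dh
./easyrsa build-server-full server nopass
# Install the generated files where server.conf's relative paths (ca.crt,
# server.crt, server.key, dh.pem) resolve; the private key stays root-only
sudo install -m 644 pki/ca.crt pki/issued/server.crt pki/dh.pem /etc/openvpn/
sudo install -m 600 pki/private/server.key /etc/openvpn/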
Server configuration:
sudo nano /etc/openvpn/server.conf
# OpenVPN server configuration (/etc/openvpn/server.conf)
port 1194
proto udp
dev tun
# Relative paths resolve against /etc/openvpn; copy the easy-rsa output there first
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
# Routes all client traffic through the VPN; this needs IP forwarding and a
# masquerade rule for 10.8.0.0/24 on the server, while the sysctl and
# firewall examples in this guide disable forwarding — adjust one or the other
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
# NOTE(review): OpenVPN 2.5+ negotiates the data cipher via data-ciphers
# (AES-256-GCM preferred) and keeps 'cipher' as a fallback for old clients —
# confirm the installed version. No tls-auth/tls-crypt key protects the
# control channel here; consider adding one.
cipher AES-256-CBC
auth SHA256
# Drop privileges after start-up
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 3
Network Security Hardening
Kernel Network Security
sudo nano /etc/sysctl.d/99-network-security.conf
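# Network hardening for /etc/sysctl.d/99-network-security.conf.
# 'all' applies to existing interfaces, 'default' to interfaces created later;
# both are set so hot-plugged or virtual interfaces get the same policy.
# IP Spoofing protection (reverse-path filtering)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Do not send ICMP redirects (only routers should)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Log Martians (packets with impossible source addresses)
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Ignore ICMP ping requests (optional)
#net.ipv4.icmp_echo_ignore_all = 1
# Ignore broadcast pings (smurf amplification)
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Do not accept ICMP redirects even from the default gateway; with
# accept_redirects = 0 above this is belt-and-braces
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Disable packet forwarding (unless router)
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
# Enable TCP/IP SYN cookies
net.ipv4.tcp_syncookies = 1
# --- Performance tuning (not security related) ---
# Increase TCP max buffer size
net.core.rmem_max = 134217728
net.core.wmem_max = 134217728
net.ipv4.tcp_rmem = 4096 87380 134217728
net.ipv4.tcp_wmem = 4096 65536 134217728
# Enable TCP Fast Open (3 = client and server side)
net.ipv4.tcp_fastopen = 3
# Increase the number of incoming connections
net.core.somaxconn = 65535
# Increase the netdev budget
net.core.netdev_budget = 600
net.core.netdev_budget_usecs = 20000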
Best Practices
- Documentation: Keep network diagrams and IP assignments documented
- Monitoring: Implement network monitoring with tools like Nagios or Zabbix
- Security: Always use firewalls and keep them properly configured
- Redundancy: Implement failover for critical services
- Testing: Test all changes in a lab environment first
- Backup: Backup network configurations regularly
- Updates: Keep network software and firmware updated
- Segmentation: Use VLANs to segment network traffic
Conclusion
Proper network configuration is crucial for server reliability and security. This guide covers the essential aspects of Debian network configuration from basic setup to advanced features. Regular monitoring, proper documentation, and security best practices will ensure your network infrastructure remains stable and secure.