Infrastructure

Network Configuration on Linux Server

By Isaac Hatilima
December 16, 2025

This article walks through configuring networking on a Linux server with IP forwarding, NAT, and bridge-based networking, a setup commonly used on bare-metal hosts that run virtualization platforms (e.g. Proxmox) or route traffic for multiple subnets. It builds on the Bare Metal Linux Server Configuration guide.

By default, Hetzner bare-metal servers are provisioned with one public IPv4 address and one private IPv6 address on Hetzner’s internal network. In this guide, we assume an additional public IPv4 subnet has been purchased, alongside the planned private subnet(s).

We assume:

  • A host with one public IPv4 and IPv6 address
  • An additional public IPv4 subnet
  • One or more private subnets already planned

1. Enable IPv4 and IPv6 Forwarding

To allow the server to route traffic between interfaces and subnets, IP forwarding must be enabled at the kernel level.

Edit /etc/sysctl.conf and add:

net.ipv6.conf.all.forwarding=1
net.ipv4.ip_forward=1

Apply the changes immediately:

sudo sysctl -p /etc/sysctl.conf

At this point, the kernel is allowed to forward traffic. Routing rules come next.

2. Update /etc/network/interfaces file with our subnets.

+ auto vmbr0 + iface vmbr0 inet static + address 172.20.20.207 + bridge-ports none + bridge-stp off + bridge-fd 0 # Public IPs from public subnet + up ip route add <Subnet-IP>/32 dev vmbr0 + post-up echo 1 > /proc/sys/net/ipv4/ip_forward + post-up echo 1 > /proc/sys/net/ipv4/conf/enp8s0/proxy_arp + post-up echo 1 > /proc/sys/net/ipv4/conf/vmbr0/proxy_arp #Examples of private Subnets to add + auto vmbr1 + iface vmbr1 inet static + address 192.168.10.1/24 + bridge-ports none + bridge-stp off + bridge-fd 0 + auto vmbr2 + iface vmbr2 inet static + address 172.200.200.1/24 + bridge-ports none + bridge-stp off + bridge-fd 0
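
Review bot: "address 172.200.200.1/24" on vmbr2 is listed under the "Examples of private Subnets" comment, but 172.200.200.0/24 lies outside the RFC 1918 block 172.16.0.0/12 (172.16.0.0 to 172.31.255.255), so it is publicly routable address space and hosts behind this bridge would be unable to reach the real owners of those addresses; choose a range inside 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 instead. Two smaller points: "address 172.20.20.207" on vmbr0 carries no prefix length while vmbr1 and vmbr2 do, and the proxy_arp line names enp8s0 whereas the MASQUERADE rules later on the page use enp35s0, so the uplink interface name should be made consistent. The "post-up echo 1 > /proc/sys/net/ipv4/ip_forward" line also repeats what step 1 already sets through sysctl.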

Be careful when picking private subnets, especially if you plan to run containers on these hosts. Avoid ranges that collide with the addresses Docker or Kubernetes use, or you will end up with confusing address conflicts.
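
As an added example (not from the article), this Python check takes the vmbr1 and vmbr2 addresses from the bridge definitions above and reports any that fall outside RFC 1918 space, overlap each other, or overlap common container ranges. The Docker, kubeadm, Flannel and Calico ranges are assumed defaults; confirm them against your own daemon.json and CNI configuration.

```python
import ipaddress
from itertools import combinations

# RFC 1918 private IPv4 ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed container-platform defaults (not from the article); confirm them
# against your own Docker daemon.json and CNI configuration.
CONTAINER_DEFAULTS = [
    ("Docker default pool", "172.17.0.0/16"),
    ("Docker default pool", "172.18.0.0/15"),
    ("Docker default pool", "172.20.0.0/14"),
    ("Docker default pool", "172.24.0.0/13"),
    ("Docker default pool", "192.168.0.0/16"),
    ("kubeadm service CIDR", "10.96.0.0/12"),
    ("Flannel pod CIDR", "10.244.0.0/16"),
    ("Calico pod CIDR", "192.168.0.0/16"),
]

def check_plan(plan):
    """plan maps bridge name -> address as written in /etc/network/interfaces."""
    nets = {name: ipaddress.ip_network(addr, strict=False)
            for name, addr in plan.items()}
    findings = []
    for name, net in nets.items():
        if not any(net.subnet_of(r) for r in RFC1918):
            findings.append((name, str(net), "not RFC 1918 private space"))
        for label, cidr in CONTAINER_DEFAULTS:
            if net.overlaps(ipaddress.ip_network(cidr)):
                findings.append((name, str(net), f"overlaps {label} {cidr}"))
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            findings.append((a, str(na), f"overlaps planned {b} {nb}"))
    return findings

# Bridge addresses copied from the article's private-subnet examples.
ARTICLE_PLAN = {
    "vmbr1": "192.168.10.1/24",
    "vmbr2": "172.200.200.1/24",
}

if __name__ == "__main__":
    for bridge, net, issue in check_plan(ARTICLE_PLAN):
        print(f"{bridge:6} {net:18} {issue}")
```

An empty result means the plan is inside private space and clear of the listed ranges; it does not cover custom Docker networks or cluster CIDRs you have set yourself.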

3. Enable NAT and Forwarding Rules

We now configure basic forwarding and ICMP rules using iptables.

sudo iptables -P FORWARD ACCEPT
sudo iptables -A INPUT -i vmbr1 -p icmp -j ACCEPT
sudo iptables -A INPUT -i vmbr2 -p icmp -j ACCEPT
sudo netfilter-persistent save

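  • FORWARD ACCEPT sets the default policy of the FORWARD chain to ACCEPT, which allows routed traffic between bridges (and between any other pair of interfaces, since no rule restricts it)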
  • ICMP is enabled so diagnostics (ping, MTU discovery) don’t break
  • Rules are persisted across reboots

Apply changes:

ifreload -a

4. Add MASQUERADE IP Rules

sudo iptables -t nat -A POSTROUTING -s <Public-Subnet>/29 -o enp35s0 -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o enp35s0 -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -s 172.200.200.0/24 -o enp35s0 -j MASQUERADE

NATed Public IP config on Ubuntu Server

On Ubuntu, the network configuration for a public NATed subnet works differently. Here is a snippet showing how to configure it in /etc/netplan/01-netcfg.yaml:

nano /etc/netplan/01-netcfg.yaml

network:
  version: 2
  ethernets:
    eth0:
      addresses:
        - <Server-IP>/24
      match:
        macaddress: ac:b4:c1:d2:ea:fa
      nameservers:
        addresses:
          - 1.1.1.1
          - 8.8.8.8
        search: []
      routes:
        - to: default
          via: HOST_SERVER_IP
      set-name: eth0