How to set up a NAT router on a Linux-based computer

Network address translation (NAT) router

Requirements

 * You are familiar with Linux or UNIX.
 * You know what "router", "NAT", "IP" and "net-mask" mean.
 * You have 3 working Ethernet cards that are installed and recognized by your computers. We do not explain how to install Ethernet cards, but we do explain how to configure them from the beginning.
 * You must be aware of why you need a NAT firewall and what its advantages are.

Preparation
Suppose you have 2 computers: computer A and computer B.

In this example, A has Internet reachability through the eth0 interface through another NAT router (but we don't care about this). If in your case A is connected directly to the Internet, then you will have to change the IPs of your computers in order to make it work.


 * A has 2 network interface cards:
   * eth0 (ip: 192.168.1.3)
   * eth1 (ip: 192.168.0.1)
 * B has 1 network interface card:
   * eth0 (ip: 192.168.0.2)

The main NAT router through which A gets the Internet, on the other end of the eth0 cable, has an IP of 192.168.1.1. In some situations A will not be behind a NAT router but will have a default gateway configured. In that case, it will be your gateway's IP address (that A obtained with the DHCP client, for example).

We want to make B have Internet access through A.

We want to use the eth1 network interface card from A to share the Internet connection with B. We link A and B with a cable that connects A's eth1 card to the eth0 card of B.

Ethernet card configuration
First, we configure the eth1 address on A:

ifconfig eth1 192.168.0.1 netmask 255.255.255.0

If we type route on A, we should see something similar to:

# route
Destination    Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0    *               255.255.255.0   U     0      0        0 eth0
192.168.0.0    *               255.255.255.0   U     0      0        0 eth1
default        192.168.1.1     0.0.0.0         UG    0      0        0 eth0

The network 192.168.1.0 is the network that we use for Internet access (the eth0 card of A), and 192.168.0.0 is the network that links A with B (the eth1 card of A).

Now that we have an IP address assigned to A's network card, we must do something similar on B:

ifconfig eth0 192.168.0.2 netmask 255.255.255.0

Test the configuration so far
Now we can test that the connection between A and B works. Disable all the firewalls you might have to test this.


 * 1) From the machine A, we test if we can reach B: You should see the "X bytes from …" message. If you have "network unreachable" or if you don't see anything in about 5 seconds, there is a configuration problem.
 * 2) Then from the machine B, we test if we can reach A: You should see the "X bytes from …" message. If you have "network unreachable" or if you don't see anything in about 5 seconds, there is a configuration problem.

Configure B for NAT
 * Now we have to tell B that we want to use the eth1 card of A (labeled 192.168.0.1) for everything:

route add default gw 192.168.0.1

If we type route on B, we should have something similar to:

# route
Destination    Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0    *               255.255.255.0   U     0      0        0 eth0
default        192.168.0.1     0.0.0.0         UG    0      0        0 eth0

Configure A for NAT
Now that we have a connection from A to B, we can tell A to share its Internet connection with B.

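 * Go to computer A and share its Internet connection with B by typing the following commands:

# load the NAT table module
modprobe iptable_nat
# enable IPv4 forwarding (this setting does not survive a reboot)
echo 1 > /proc/sys/net/ipv4/ip_forward
# rewrite the source address of traffic leaving through eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# forward packets that arrive from B on eth1
iptables -A FORWARD -i eth1 -j ACCEPT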
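A stricter variant of host A's rules, as an added example that is not part of the original page: the FORWARD rule above accepts anything arriving on eth1 and leaves reply traffic to the chain's default policy, whereas this ruleset drops forwarding by default, lets 192.168.0.0/24 out through eth0 and admits only reply traffic back in. The function names are hypothetical, the interfaces and addresses are the page's, and IP forwarding must still be enabled as shown above.

```shell
#!/bin/sh
# Added example (not from the original page). valid_ifname and nat_ruleset are
# hypothetical names; eth0, eth1 and 192.168.0.0/24 are the page's topology.

# Accept only plain interface names (max 15 chars) so that nothing else
# can end up inside a rule line.
valid_ifname() {
    case $1 in
        '' | *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# nat_ruleset WAN_IF LAN_IF LAN_NET
# Prints an iptables-restore ruleset; returns 1 on malformed arguments.
nat_ruleset() {
    wan=$1 lan=$2 net=$3
    valid_ifname "$wan" || return 1
    valid_ifname "$lan" || return 1
    [ "$wan" != "$lan" ] || return 1
    # Reject anything but digits, dots and a slash (this also rejects newlines).
    case $net in
        *[!0-9./]*) return 1 ;;
    esac
    # Shape check only; iptables-restore rejects out-of-range octets itself.
    printf '%s\n' "$net" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $net -o $wan -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $net -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for the page's topology. To load it on host A as root:
#   nat_ruleset eth0 eth1 192.168.0.0/24 | iptables-restore
nat_ruleset eth0 eth1 192.168.0.0/24
```

Loading the output with iptables-restore replaces the current contents of the nat and filter tables, so merge in any INPUT or OUTPUT rules you already rely on before using it.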

Configure DNS (domain name resolution)
At this point, you should be able to reach Internet IP addresses from B, but you cannot reach something like www.gnu.org. That's because you need to tell B where to find the server that converts domain names like www.gnu.org into an IP address.

 * Copy the file /etc/resolv.conf from A to B.

If you don't have that file, or if the file contains 127.0.0.1, ask your provider which DNS servers you have, or look into your router configuration (if you have one). Once you find out your DNS IP addresses, put them in /etc/resolv.conf on B.

The dnsmasq program is an alternative to writing fixed IP addresses into /etc/resolv.conf. To install it use your general installation program, for instance on machine A:

sudo apt-get install dnsmasq

To check this is running, run the netstat command and see if dnsmasq on machine A is listening on port 53:

netstat -luntp
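Reading that netstat output for the listening address as well as the process name, as an added example that is not part of the original page: the function lists every port 53 listener and marks wildcard sockets (0.0.0.0 or ::), which receive queries on eth0 as well as eth1 unless the daemon filters by interface. dns_listeners and sample_netstat are hypothetical names, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: summarise who listens on port 53 from `netstat -luntp` output.
# dns_listeners and sample_netstat are hypothetical names.

# Reads netstat -luntp output on stdin; prints "proto address program scope"
# for every TCP/UDP socket on port 53. scope is "wildcard" for 0.0.0.0 and ::.
dns_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, part, ":")          # the port is the last ":" field
            if (part[n] != "53") next
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            prog = $NF                        # "PID/name", or "-" without root
            sub(/^[0-9]+\//, "", prog)
            scope = (addr == "0.0.0.0" || addr == "::") ? "wildcard" : "specific"
            print $1, addr, prog, scope
        }'
}

# Constructed sample: dnsmasq on wildcard sockets plus one bound to the
# address of eth1 on host A.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      640/sshd
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      812/dnsmasq
udp        0      0 192.168.0.1:53          0.0.0.0:*                           812/dnsmasq
udp6       0      0 :::53                   :::*                                812/dnsmasq
EOF
}

# Run over the constructed sample. On host A itself: netstat -luntp | dns_listeners
sample_netstat | dns_listeners
```

In dnsmasq, the interface=eth1 and bind-interfaces options make it bind only that interface's address (plus loopback) instead of the wildcard address.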

Final test
 * Now we can test that we have Internet access on B by pinging an Internet website:

ping gnu.org

Quick scripts
If you don't want to understand all the steps above, you can launch these scripts as root on the hosts:

 * Run this script on the host A:

#!/usr/bin/env bash
# Commands Credit: Farukesh, DITISS, CDAC
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward
ifconfig eth1 192.168.0.1 netmask 255.255.255.0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -j ACCEPT

 * Run this script on the host B, where xx.xx.xx.xx is your DNS server:

#!/usr/bin/env bash
ifconfig eth0 down
ifconfig eth0 192.168.0.2 netmask 255.255.255.0
route del -net default 2>/dev/null
route add default gw 192.168.0.1 2>/dev/null
echo "nameserver xx.xx.xx.xx" > /etc/resolv.conf