Network address translation (NAT) router
Requirements
- You are familiar with Linux or UNIX.
- You know what "router", "NAT", "IP" and "netmask" mean.
- You have 3 working Ethernet cards that are installed and recognized by your computers. We do not explain how to install Ethernet cards, but we do explain how to configure them from the beginning.
- You must be aware of why you need a NAT firewall and what its advantages are.
Steps
Preparation
Supposing you have 2 computers: computer A and computer B.
In this example, A has Internet reachability through its eth0 interface, via another NAT router (but we don't care about this). If in your case A is connected directly to the Internet, then you will have to change the IPs of your computers in order to make it work.
- A has 2 network interface cards:
  eth0 (ip: 192.168.1.3)
  eth1 (ip: 192.168.0.1)
- B has 1 network interface card:
  eth0 (ip: 192.168.0.2)
The main NAT router through which A gets the Internet, on the other end of the eth0 cable, has an IP of 192.168.1.1. In some situations A will not be behind a NAT router but will have a default gateway configured; in this case, use your gateway's IP address (the one A obtained with the DHCP client, for example).
We want to make B have Internet access through A.
We want to use the eth1 network interface card of A to share the Internet connection with B. We link A and B with a cable that connects the eth1 card of A to the eth0 card of B.
Ethernet card configuration
First, we configure the eth1 address on A:
ifconfig eth1 192.168.0.1 netmask 255.255.255.0
If we type route on A, we should see something similar to:
# route
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
The network 192.168.1.0 is the network that we use for the Internet access (the eth0 card of A) and 192.168.0.0 represents the network that links A with B (the eth1 card of A).
Now that we have an IP address assigned to A's network card, we must do something similar on B:
ifconfig eth0 192.168.0.2 netmask 255.255.255.0
Test the configuration so far
Now we can test that the connection between A and B works. Disable all the firewalls you might have to test this.
- From the machine A, we test if we can reach B:
# ping 192.168.0.2
PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data.
64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=1.27 ms
64 bytes from 192.168.0.2: icmp_seq=2 ttl=64 time=0.658 ms
You should see the "X bytes from …" message. If you get "network unreachable" or you don't see anything in about 5 seconds, there is a configuration problem.
- Then from the machine B, we test if we can reach A:
# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.737 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.633 ms
You should see the "X bytes from …" message. If you get "network unreachable" or you don't see anything in about 5 seconds, there is a configuration problem.
Configure B for NAT
- Now we have to tell B that we want to use the eth1 card of A (192.168.0.1) for everything:
route add default gw 192.168.0.1
If we type route on B, we should have something similar to:
# route
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
Configure A for NAT
Now that we have a connection from A to B, we can tell A to share its Internet connection with B.
- Go to computer A and share its Internet connection with B by typing the following commands:
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -j ACCEPT
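A stricter version of the rules from this step, as an added example that is not part of the original HowTo: the page's single FORWARD rule accepts anything arriving on eth1 and relies on the chain's default ACCEPT policy for the replies coming back on eth0, whereas this variant sets the FORWARD policy to DROP and uses the iptables conntrack match so that only connections B initiates, and their replies, are forwarded. It emits the commands as text so they can be reviewed and checked without root; the interface names and the 192.168.0.0/24 network are the ones this page uses.

```shell
#!/usr/bin/env bash
# Added example, not part of the original HowTo. Same MASQUERADE setup as the
# step above, but the FORWARD chain only passes connections that B started and
# their replies. Interface names and the LAN network are the ones this page uses.
set -eu

WAN=eth0             # A's card towards the Internet
LAN=eth1             # A's card towards B
LAN_NET=192.168.0.0/24

# Emit the commands one per line so they can be reviewed (and tested) without root.
nat_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
iptables -P FORWARD DROP
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN -o $LAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Apply the rules on A (root required).
apply_nat_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "apply_nat_rules: run as root" >&2; return 1; }
  nat_rules | while IFS= read -r cmd; do eval "$cmd"; done
}

# Inspect the output of "iptables -S FORWARD" (passed as a string) for the two
# things a reviewer looks for: default policy DROP, and no blanket accept of
# everything arriving on the LAN card, which is what the page's single rule does.
check_forward_chain() {
  local rules="$1"
  if ! printf '%s\n' "$rules" | grep -qx -- "-P FORWARD DROP"; then
    echo "FORWARD policy is not DROP" >&2
    return 1
  fi
  if printf '%s\n' "$rules" | grep -q -- "-A FORWARD -i $LAN -j ACCEPT"; then
    echo "FORWARD accepts everything from $LAN without a conntrack state match" >&2
    return 1
  fi
  echo "FORWARD chain OK"
}

# Usage on A: apply_nat_rules && check_forward_chain "$(iptables -S FORWARD)"
```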
Configure DNS (domain name resolution)
At this point, you should be able to reach Internet IP addresses from B, but you cannot reach something like www.gnu.org. That's because you need to tell B where to find the server that converts domain names like www.gnu.org into an IP address.
- Copy the file /etc/resolv.conf from A to B.
If you don't have that file, or if the file contains 127.0.0.1, ask your provider what DNS servers you have or look into your router configuration (if you have one). Once you find out your DNS IP addresses, put them in /etc/resolv.conf on B.
The dnsmasq program is an alternative to writing fixed IP addresses into /etc/resolv.conf. To install it, use your distribution's package manager, for instance on machine A:
sudo apt-get install dnsmasq
To check that it is running, run the netstat command and see whether dnsmasq on machine A is listening on port 53:
netstat -luntp
Final test
- Now we can test that we have Internet access on B by pinging an Internet website:
ping gnu.org
Quick scripts
If you don't want to go through all the steps above, you can run these scripts as root on the hosts:
- Run this script on the host A:
#!/usr/bin/env bash
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward
ifconfig eth1 192.168.0.1 netmask 255.255.255.0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -j ACCEPT
# Commands credit: Farukesh, DITISS, CDAC
- Run this script on the host B, where xx.xx.xx.xx is your DNS server:
#!/usr/bin/env bash
ifconfig eth0 down
ifconfig eth0 192.168.0.2 netmask 255.255.255.0
route del -net default 2>/dev/null
route add default gw 192.168.0.1 2>/dev/null
echo "nameserver xx.xx.xx.xx" > /etc/resolv.conf
From HowTo Wiki, a Wikia wiki.