How To Wiki

Network address translation (NAT) router

Requirements

  • You are familiar with Linux or UNIX.
  • You know what "router", "NAT", "IP" and "net-mask" mean.
  • You have 3 working ethernet cards, that are installed and recognized by your computers. We do not explain how to install ethernet cards, but we do explain how to configure them from the beginning...
  • You must be aware of why you need a NAT firewall and of its advantages.

Steps

Preparation

Suppose you have 2 computers: computer A and computer B.

In this example, A reaches the Internet through its eth0 interface, via another NAT router (but we don't care about this). If in your case A is connected directly to the Internet, then you will have to change the IPs of your computers in order to make it work...

A has 2 network interface cards:

  • eth0 (ip:192.168.1.3)
  • eth1 (ip:192.168.0.1)

B has 1 network interface card:

  • eth0 (ip:192.168.0.2)

The main NAT router through which A gets the Internet, on the other end of the eth0 cable, has an IP of 192.168.1.1. In some situations A will not be behind a NAT router but will still have a default gateway configured. In that case, use your gateway's IP address (the one A obtained with the DHCP client, for example).

We want to make B have Internet access through A.

We want to use the eth1 network interface card of A to share the Internet connection with B. We link A and B with a cable that connects the eth1 card of A to the eth0 card of B.

Ethernet card configuration

  • We configure the eth1 address on A :
ifconfig eth1 192.168.0.1 netmask 255.255.255.0

If we type route on A, we should have something similar to :

# route
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0

The network 192.168.1.0 is the network that we use for the internet access (the eth0 card of A) and the 192.168.0.0 represents the network that links A with B (eth1 card of A).

  • Now that we have an IP address assigned to A's network card, we must do something similar on B:
ifconfig eth0 192.168.0.2 netmask 255.255.255.0

Test the configuration so far

Now we can test that the connection between A and B works. Disable all the firewalls you might have to test this.

  • From the machine A, we test if we can reach B :
# ping 192.168.0.2
PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data.
64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=1.27 ms
64 bytes from 192.168.0.2: icmp_seq=2 ttl=64 time=0.658 ms

You should see the "X bytes from ...". If you have "network unreachable" or if you don't see anything in about 5 seconds, there is a configuration problem.

  • From the machine B, we test if we can reach A :
# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.737 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.633 ms

You should see the "X bytes from ...". If you have "network unreachable" or if you don't see anything in about 5 seconds, there is a configuration problem.

Configure B for NAT

  • Now we have to tell B to send everything through the eth1 card of A (address 192.168.0.1), by making it the default gateway:
route add default gw 192.168.0.1

If we type route on B, we should have something similar to :

# route
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0

Configure A for NAT

Now that we have a connection from A to B, we can tell A to share internet connection with B.

  • Go to computer A and share its Internet connection with B by typing the following commands:
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -j ACCEPT
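
Added example, not part of the original how-to: on a default system the FORWARD policy is ACCEPT, so the commands above forward and masquerade more than B's traffic, while under a DROP policy they would let B's packets out but block the replies. The script below audits iptables-save output for those three conditions and includes a stricter ruleset that passes; audit_nat and both sample rulesets are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit iptables-save output from router A.
# eth0/eth1 and 192.168.0.0/24 are the page's values; both rulesets
# below are constructed samples, and audit_nat is a hypothetical helper.

# Roughly what the commands above leave behind (trimmed to relevant chains).
PAGE_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth1 -j ACCEPT
COMMIT'

# Tighter variant: default-deny forwarding, stateful return path,
# NAT limited to B's subnet.
STRICT_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -i eth1 -o eth0 -j ACCEPT
COMMIT'

# audit_nat RULES: print one finding per line; return 1 if any were found.
audit_nat() {
  rules=$1 found=0
  if ! printf '%s\n' "$rules" | grep -q '^:FORWARD DROP'; then
    echo "FORWARD policy is not DROP: packets arriving on eth0 are routed too"
    found=1
  fi
  if printf '%s\n' "$rules" | grep -e '-j MASQUERADE' | grep -qv -e ' -s '; then
    echo "MASQUERADE has no -s match: any source leaving eth0 is translated"
    found=1
  fi
  if ! printf '%s\n' "$rules" | grep -q -e '--ctstate RELATED,ESTABLISHED'; then
    echo "no RELATED,ESTABLISHED rule: replies to B pass only under ACCEPT policy"
    found=1
  fi
  return "$found"
}

echo "page rules:";   audit_nat "$PAGE_RULES"   || echo "-> tighten before use"
echo "strict rules:"; audit_nat "$STRICT_RULES" && echo "-> no findings"
```

On a live router, pass the real state instead of a sample: audit_nat "$(iptables-save)".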

Configure DNS (domain name resolution)

At this point, you should be able to reach Internet IP addresses from B, but you cannot yet reach something like www.gnu.org. That's because you need to tell B where to find the server that converts domain names like www.gnu.org into an IP address.

  • Copy the file /etc/resolv.conf from A to B.

If you don't have that file or if in the file you have 127.0.0.1, ask your provider to find out what dns servers you have or look into your router configuration (if you have one). Once you find out your dns ip addresses, put them in /etc/resolv.conf at B.

The dnsmasq program is an alternative to writing fixed IP addresses into /etc/resolv.conf. To install it use your general installation program, for instance on machine A:


sudo apt-get install dnsmasq

To check this is running, run the netstat command and see if dnsmasq on machine A is listening on port 53:


netstat -luntp

Final test

  • Now we can test that we have Internet access on B by pinging an Internet website:
ping gnu.org

Quick scripts

If you don't want to understand all the steps above, you can launch these scripts as root on the hosts:

  • Run this script on the host A :
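#!/usr/bin/env bash
# Load the NAT table module and let the kernel route packets between interfaces
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward
# Address of A on the link to B
ifconfig eth1 192.168.0.1 netmask 255.255.255.0
# Rewrite the source of packets leaving eth0, and accept forwarding from eth1
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -j ACCEPT
#Commands Credit: Farukesh, DITISS, CDAC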


  • Run this script on the host B where xx.xx.xx.xx is your dns server :
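#!/usr/bin/env bash
# Reset eth0 and give it B's address on the link to A
ifconfig eth0 down
ifconfig eth0 192.168.0.2 netmask 255.255.255.0
# Replace any existing default route with A (192.168.0.1)
route del -net default 2>/dev/null
route add default gw 192.168.0.1 2>/dev/null
# Overwrite the resolver configuration with your DNS server
echo "nameserver xx.xx.xx.xx" > /etc/resolv.conf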


From HowTo Wiki, a Wikia wiki.
