This step-by-step tutorial shows how to set up Network Address Translation (NAT) with Open Source Linux operating system and iptables firewall. This will allow your system to act as gateway and to provide Internet access to multiple hosts in Local Area Network (LAN) using a single public IP address.

Requirements

1. Hardware server with 2 (two) network interface cards (NICs).
2. Any Linux distribution (get more information at DistroWatch.com).
3. Linux kernel with networking and iptables support.
4. iptables package (you can find latest release at NetFilter’s Download page).

Basic definitions

aa.aa.aa.aa is Wide Area Network (WAN) IP address (bb.bb.bb.bb is WAN netmask).
cc.cc.cc.cc is LAN IP address (e.g. 192.168.0.1 or 10.0.0.1), dd.dd.dd.dd is LAN netmask (e.g. 255.255.255.0).
ee.ee.ee.ee is default gateway for Internet connection.

eth0 is hardware name of the NIC connected to WAN base.
eth1 is name of LAN connected NIC.

Step-by-step set up

1. Apply two NICs to hardware server.
2. Verify that both NICs are recognized by Linux well and are fully workable:

dmesg | grep eth0
dmesg | grep eth1

the output may vary but in most cases it would be like following one:

eth1: RealTek RTL8139 at 0xe0830000, 00:30:4f:3b:af:45, IRQ 19
eth1:  Identified 8139 chip type ’RTL-8100B/8139D’
eth0: link up, 100Mbps, full-duplex, lpa 0x41E1

Similar output should be for eth0 NIC.

To verify that NICs are recognized by Linux as networking devices use the following commands:

ifconfig eth0
ifconfig eth1

In case of success the output will be as follows:

eth0      Link encap:Ethernet  HWaddr 00:50:56:C0:00:08
          inet6 addr: fe80::250:56ff:fec0:8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:41 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

You can find full manual page for ifconfig command here.

3. Configure WAN interface (eth0) to get Internet connection:

ifconfig eth0 aa.aa.aa.aa netmask bb.bb.bb.bb

e.g.

ifconfig eth0 123.45.67.89 netmask 255.255.255.248

WAN IP address and netmask should be provided by your ISP.

4. Set up WAN NIC settings to apply after server start up.

Configuration files containing NIC settings may have different syntax and location in various distributions. For such distributions as RedHat, Fedora, Centos and similar ones eth0 configuration file is at /etc/sysconfig/network-scripts/ifcfg-eth0. In Debian, Ubuntu NIC settings are located at single file /etc/network/interfaces.

To edit configuration files use any preferred text editor like vim, GNU nano or any other.

After editing /etc/sysconfig/network-scripts/ifcfg-eth0 should look as follows:

DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=aa.aa.aa.aa        # e.g. 123.45.67.89
NETMASK=bb.bb.bb.bb       # e.g. 255.255.255.0
GATEWAY=ee.ee.ee.ee       # e.g. 123.45.67.1
HWADDR=00:30:4f:3b:af:45  # MAC address (optional entry)

After making changes to /etc/network/interfaces section regarding eth0 NIC should looks like:

auto eth0
iface eth0 inet static
address aa.aa.aa.aa
netmask bb.bb.bb.bb
gateway ee.ee.ee.ee

Related links: detailed syntax description of /etc/sysconfig/network-scripts/ifcfg-ethN, manual page of /etc/network/interfaces.

5. Set up LAN NIC settings to apply after server start up. This step requires operations similar to previous step.

Edit /etc/sysconfig/network-scripts/ifcfg-eth1 and make sure that it looks like:

DEVICE=eth1
ONBOOT=yes
BOOTPROTO=static
IPADDR=cc.cc.cc.cc       # e.g. 192.168.0.1
NETMASK=dd.dd.dd.dd      # e.g. 255.255.255.0
HWADDR=00:50:8d:d1:24:db # MAC address of LAN NIC (optional entry)

If you are using Debian or related Linux distribution, edit /etc/network/interfaces (see previous step):

auto eth1
iface eth1 inet static
address cc.cc.cc.cc
netmask dd.dd.dd.dd

6. Set up Domain Name System servers IP addresses by editing /etc/resolv.conf:

nameserver 203.145.184.13
nameserver 203.145.184.12

7. Enable IP Forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward

8. Set up NAT with iptables:

To delete existing rules from every iptables table, execute the following commands:

iptables -F
iptables -t nat -F
iptables -t mangle -F

Related links: official iptables documentation.

Enable NAT by commands:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -j ACCEPT

8. Configure LAN clients to access Internet via described gateway:

Use clients’ operating system tools to set up the following TCP/IP settings:

IP address: from the same network as cc.cc.cc.cc (you can use IP/Subnet calculator to get it)
Netmask: dd.dd.dd.dd
DNS: ff.ff.ff.ff
Gateway: cc.cc.cc.cc

Example:

IP address: 192.168.0.7
Netmask: 255.255.255.0
DNS: 209.160.67.13
Gateway: 192.168.0.1

Setting all this up can be a lot easier if you’re using a control panel rather than the command line, but I’ll save that for another article.

© Copyright NerdGrind 2009. All Rights Reserved.

Related posts:

• How to Increase Screen Size or Resolution in Virtualbox for Ubuntu or Linux
• Samsung Unveils Flexible OLED Concept Phone – Video
• Prada Announces Prada II Phone Will Accompany Bluetooth Watch
• FCC Documents Announce that Nokia N85 Coming to North America
• Casio 8.1 Megapixel W63CA – 480 x 800 Pixel OLED – Only in Japan