Linux "Router": a NAT gateway

This is a quick and dirty HOWTO for a simple "router": a Linux gateway with two network interfaces that provides Internet connectivity to the LAN through NAT.

The WAN interface is eth0.
The LAN interface is eth1.

The WAN interface eth0 is in 198.51.100.64/30; it will use the IP address 198.51.100.66, and its upstream default gateway is 198.51.100.65.

The LAN interface eth1 is in 192.168.1.0/24 and will use the IP address 192.168.1.1, which will be the default gateway for the LAN hosts.

Let's set the IP addresses:
# ifconfig eth0 up
# ifconfig eth0 198.51.100.66 netmask 255.255.255.252
# ifconfig eth1 up
# ifconfig eth1 192.168.1.1 netmask 255.255.255.0


Let's set the upstream gateway:
# route add default gw 198.51.100.65


Now enable IPv4 forwarding:
# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
To set it now and keep it across reboots, put net.ipv4.ip_forward=1 in /etc/sysctl.conf and reload it:
# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
# sysctl -p /etc/sysctl.conf
That should be enough if we are not using iptables.

If we are already using iptables we need to add the following rules. Let's allow forwarding of traffic from and to the LAN interface:
# iptables -A FORWARD -i eth1 -j ACCEPT
# iptables -A FORWARD -o eth1 -j ACCEPT
Enable Network Address Translation on the WAN interface:
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


Save the iptables rules:
# iptables-save > /etc/rules.iptables


To restore these iptables rules after each reboot, put this script at /etc/network/if-pre-up.d/iptables:
# cat /etc/network/if-pre-up.d/iptables
#!/bin/bash
/sbin/iptables-restore < /etc/rules.iptables
and make it executable:
# chmod 700 /etc/network/if-pre-up.d/iptables


If we want the eth0 and eth1 IP addresses and the default gateway to stick through reboots, we have to edit /etc/network/interfaces:
# cat /etc/network/interfaces

auto lo
iface lo inet loopback

allow-hotplug eth0
iface eth0 inet static
        address 198.51.100.66
        netmask 255.255.255.252
        network 198.51.100.64
        broadcast 198.51.100.67
        gateway 198.51.100.65


allow-hotplug eth1
iface eth1 inet static
        address 192.168.1.1
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255



We are done!
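Because the WAN side is a /30 there are only two usable addresses, so a slip in the network, broadcast or gateway line of the eth0 stanza leaves the box without a working default route. The check below is an added example written for this page, not part of the original HOWTO: it recomputes network and broadcast from address and netmask octet by octet (no 32-bit arithmetic needed, so it runs in plain sh) and verifies that the gateway, when given, lies inside that subnet and is not the network or broadcast address. The function names are my own.

```shell
#!/bin/sh
# Added example: sanity-check a static /etc/network/interfaces stanza.

# Split a dotted quad into four words
octets() { echo "$1" | tr '.' ' '; }

# network = address AND netmask, computed per octet
ipv4_network() {
    set -- $(octets "$1") $(octets "$2")
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
}

# broadcast = address OR (NOT netmask), computed per octet
ipv4_broadcast() {
    set -- $(octets "$1") $(octets "$2")
    echo "$(($1 | (255 - $5))).$(($2 | (255 - $6))).$(($3 | (255 - $7))).$(($4 | (255 - $8)))"
}

# check_stanza ADDRESS NETMASK NETWORK BROADCAST [GATEWAY]
# Prints a verdict and returns 0 when the stanza is consistent, 1 otherwise.
check_stanza() {
    addr=$1 mask=$2 net=$3 bcast=$4 gw=$5
    exp_net=$(ipv4_network "$addr" "$mask")
    exp_bc=$(ipv4_broadcast "$addr" "$mask")
    [ "$net" = "$exp_net" ] || { echo "network should be $exp_net (got $net)"; return 1; }
    [ "$bcast" = "$exp_bc" ] || { echo "broadcast should be $exp_bc (got $bcast)"; return 1; }
    if [ -n "$gw" ]; then
        # the gateway must be a usable host in the same subnet
        gw_net=$(ipv4_network "$gw" "$mask")
        [ "$gw_net" = "$exp_net" ] || { echo "gateway $gw is not in $exp_net"; return 1; }
        [ "$gw" != "$exp_net" ] && [ "$gw" != "$exp_bc" ] \
            || { echo "gateway $gw is the network or broadcast address"; return 1; }
    fi
    echo "ok: $addr/$mask net=$exp_net bcast=$exp_bc gw=${gw:-none}"
}

# The two stanzas from /etc/network/interfaces above (eth1 has no gateway line)
check_stanza 198.51.100.66 255.255.255.252 198.51.100.64 198.51.100.67 198.51.100.65
check_stanza 192.168.1.1 255.255.255.0 192.168.1.0 192.168.1.255
```

Run it after editing the file; a stanza whose network or broadcast lines belong to a different prefix than the address is reported with the values ifup would actually need.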

There are some minor security considerations if 198.51.100.65 is on the Internet, and what could we do to let servers behind the NAT accept inbound traffic?

Here is a simple NAT gateway and firewall setup script.
# cat /etc/iptables-nat-rules.sh
#!/bin/bash
#iptables-nat-rules.sh
#g0 2011 Set a simple NAT gateway

IPTABLES="/sbin/iptables"
#eth0 faces the upstream gateway (WAN) and eth1 faces the LAN, as set up above
WAN="eth0"
LAN="eth1"
SSHDPORT="22"
LAN_SRV_PORT="80"
LAN_SRV_IP="192.168.1.11"

#Flush rules and delete user-defined chains in the filter and nat tables
$IPTABLES -F
$IPTABLES -X
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
$IPTABLES -t nat -X

#Allow all loopback traffic and reject all traffic to 127/8 that does not come in through lo
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

#Allow replies to connections the gateway itself opened (DNS, updates, ...)
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#Forward traffic from and to the LAN interface
$IPTABLES -A FORWARD -i ${LAN} -j ACCEPT
$IPTABLES -A FORWARD -o ${LAN} -j ACCEPT

#Forward inbound traffic to a server behind the NAT (uncomment to enable)
#$IPTABLES -t nat -A PREROUTING -i ${WAN} -p tcp --dport ${LAN_SRV_PORT} -j DNAT --to ${LAN_SRV_IP}:${LAN_SRV_PORT}

#Enable Network Address Translation on the WAN side
$IPTABLES -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

#Drop new connections that do not start with a plain SYN (old scan tricks)
$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP

#Allow connections to sshd
$IPTABLES -A INPUT -p tcp --dport ${SSHDPORT} -j ACCEPT

#Accept ping (ICMP echo request)
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

#Drop second and further fragments of fragmented packets
$IPTABLES -A INPUT -f -j DROP
#Drop all other inbound traffic
$IPTABLES -A INPUT -j DROP
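Keeping the interface names in variables makes the script easy to reuse, but it also makes the classic mistake easy: swap WAN and LAN and MASQUERADE lands on the LAN side while every packet arriving on the WAN is forwarded unconditionally. The function below is an added example written for this page, not part of the original script: it reads an iptables-save dump, checks that MASQUERADE is bound only to the WAN interface, that nothing arriving on the WAN is forwarded without a state match, and that INPUT ends in a DROP, then prints one finding per line and returns the number of findings. The two dumps are constructed samples and the name audit_nat_rules is my own.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for the NAT gateway mistakes
# that matter most. Usage: audit_nat_rules WAN_IF LAN_IF < dump

audit_nat_rules() {
    wan=$1 lan=$2
    dump=$(cat)
    findings=0

    # 1. MASQUERADE must exist on the WAN interface and nowhere else.
    if ! printf '%s\n' "$dump" | grep -q -- "-A POSTROUTING -o $wan -j MASQUERADE"; then
        echo "FINDING: no MASQUERADE rule on WAN interface $wan"
        findings=$((findings + 1))
    fi
    if printf '%s\n' "$dump" | grep -- "-j MASQUERADE" | grep -qv -- "-o $wan "; then
        echo "FINDING: MASQUERADE rule bound to a non-WAN interface (LAN is $lan)"
        findings=$((findings + 1))
    fi

    # 2. Packets arriving on the WAN must not be forwarded without a state match.
    if printf '%s\n' "$dump" | grep -- "-A FORWARD -i $wan " \
            | grep -v -e '--state' -e '--ctstate' | grep -q -- "-j ACCEPT"; then
        echo "FINDING: FORWARD accepts new connections arriving on WAN $wan"
        findings=$((findings + 1))
    fi

    # 3. INPUT needs a terminal DROP, either as chain policy or as last rule.
    if ! printf '%s\n' "$dump" | grep -q -e '^:INPUT DROP' -e '^-A INPUT -j DROP$'; then
        echo "FINDING: INPUT chain has no terminal DROP"
        findings=$((findings + 1))
    fi
    return $findings
}

# Constructed dump: the script above run with WAN/LAN swapped (WAN="eth1", LAN="eth0")
SWAPPED_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth0 -j ACCEPT
COMMIT'

# Constructed dump: interfaces correct, INPUT closed, LAN-bound forwarding limited to replies
GOOD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

echo "== swapped interfaces =="
printf '%s\n' "$SWAPPED_DUMP" | audit_nat_rules eth0 eth1 || echo "$? finding(s)"
echo "== corrected rules =="
printf '%s\n' "$GOOD_DUMP" | audit_nat_rules eth0 eth1 && echo "no findings"
```

On the real box run `iptables-save | audit_nat_rules eth0 eth1` after the script has been applied and again after a reboot, so the restored rule set is checked as well as the one typed in by hand.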
