The WAN interface is eth0
The LAN interface is eth1
The WAN interface eth0 is in 198.51.100.64/30 and it will use the IP address 198.51.100.66 with upstream default gateway 198.51.100.65.
The LAN interface eth1 is in 192.168.1.0/24 and it will use the IP address 192.168.1.1. 192.168.1.1 will be the LAN default gateway.
Let's set the IP addresses.
# ifconfig eth0 up
# ifconfig eth0 198.51.100.66 netmask 255.255.255.252
# ifconfig eth1 up
# ifconfig eth1 192.168.1.1 netmask 255.255.255.0
Let's set the upstream gateway:
# route add default gw 198.51.100.65
First enable IPv4 forwarding:
# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
or set it now and permanently by adding net.ipv4.ip_forward=1 to /etc/sysctl.conf:
# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
# sysctl -p /etc/sysctl.conf
That is all the kernel needs to route between eth0 and eth1, but it is not enough on its own here: the LAN uses private 192.168.1.0/24 addresses that the upstream will not route back to us, so the MASQUERADE rule below is needed in any case, and if iptables is already in use with a restrictive FORWARD chain the FORWARD rules are needed as well. Let's allow forwarding of traffic from and to the LAN:
# iptables -A FORWARD -i eth1 -j ACCEPT
# iptables -A FORWARD -o eth1 -j ACCEPT
Enable Network Address Translation:
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Save the iptables rules:
# iptables-save > /etc/rules.iptables
To set these iptables rules after each reboot put this script at /etc/network/if-pre-up.d/iptables.
# cat /etc/network/if-pre-up.d/iptables
#!/bin/bash
/sbin/iptables-restore < /etc/rules.iptables
and make it executable:
# chmod 700 /etc/network/if-pre-up.d/iptables
If we want to make the eth0 and eth1 IP addresses and the default gateway stick through reboots we will have to change the /etc/network/interfaces file.
# cat /etc/network/interfaces
auto lo
iface lo inet loopback

allow-hotplug eth0
iface eth0 inet static
    address 198.51.100.66
    netmask 255.255.255.252
    network 198.51.100.64
    broadcast 198.51.100.67
    gateway 198.51.100.65

allow-hotplug eth1
iface eth1 inet static
    address 192.168.1.1
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
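A typo in the network, broadcast or gateway line of a static stanza is easy to make when an address block is changed, and the box comes back from the reboot unreachable. The following is an added example, not part of the original page: a small POSIX sh script with a check_stanza function that recomputes the network and broadcast addresses from address and netmask, verifies that the gateway lies inside that subnet and is not our own, the network or the broadcast address, and reports every disagreement. The two eth0 stanzas it is run against are constructed input: the correct one from above, and one whose network/broadcast/gateway lines were left over from a different subnet.

```shell
#!/bin/sh
# ifcheck.sh: sanity-check the address/netmask/network/broadcast/gateway
# lines of a static /etc/network/interfaces stanza before rebooting into it.
# Added example, not from the original page; pure POSIX sh arithmetic,
# no external tools needed.

# ip2int DOTTED-QUAD -> unsigned 32-bit integer (runs in a subshell so the
# IFS change used for splitting on '.' does not leak out)
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# int2ip INTEGER -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network ADDRESS NETMASK -> network address of the subnet ADDRESS lives in
network() {
    int2ip $(( $(ip2int "$1") & $(ip2int "$2") ))
}

# broadcast ADDRESS NETMASK -> directed broadcast address of that subnet
# (host bits all set; the AND with 2^32-1 strips the sign extension of ~)
broadcast() {
    int2ip $(( ( $(ip2int "$1") & $(ip2int "$2") ) | ( ~$(ip2int "$2") & 4294967295 ) ))
}

# check_stanza ADDRESS NETMASK NETWORK BROADCAST GATEWAY
# Prints one line per disagreement; exit status 0 only if the stanza is
# self-consistent. Pass "-" as GATEWAY for an interface without one.
check_stanza() (
    addr=$1; mask=$2; net=$3; bcast=$4; gw=$5; rc=0
    want_net=$(network "$addr" "$mask")
    want_bcast=$(broadcast "$addr" "$mask")
    if [ "$net" != "$want_net" ]; then
        echo "network is $net but $addr/$mask implies $want_net"; rc=1
    fi
    if [ "$bcast" != "$want_bcast" ]; then
        echo "broadcast is $bcast but $addr/$mask implies $want_bcast"; rc=1
    fi
    if [ "$gw" != "-" ]; then
        if [ "$(network "$gw" "$mask")" != "$want_net" ]; then
            echo "gateway $gw is not inside $want_net/$mask"; rc=1
        elif [ "$gw" = "$addr" ] || [ "$gw" = "$want_net" ] || [ "$gw" = "$want_bcast" ]; then
            echo "gateway $gw collides with our own, the network or the broadcast address"; rc=1
        fi
    fi
    exit $rc
)

# Constructed input: the eth0 stanza as it should read, a variant whose
# network/broadcast/gateway lines belong to another subnet, and the eth1 stanza.
if check_stanza 198.51.100.66 255.255.255.252 198.51.100.64 198.51.100.67 198.51.100.65; then
    echo "eth0 stanza OK"
fi
check_stanza 198.51.100.66 255.255.255.252 192.168.2.64 192.168.2.67 192.168.2.65 \
    || echo "eth0 stanza has stale lines: fix before rebooting"
check_stanza 192.168.1.1 255.255.255.0 192.168.1.0 192.168.1.255 - && echo "eth1 stanza OK"
```

Run it with sh ifcheck.sh; the stale stanza produces three lines of complaints and a non-zero exit status, the other two pass. The same functions can be reused from another script to check the address of a server to be published through the NAT against the LAN stanza.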
We are done!
There are some security considerations if 198.51.100.65 is on the Internet, and we also want a way to let servers behind the NAT accept inbound traffic.
Here is a simple NAT gateway and firewall setup script.
# cat /etc/iptables-nat-rules.sh
#!/bin/bash
# iptables-nat-rules.sh
# g0 2011 Set a simple NAT gateway
IPTABLES="/sbin/iptables"
# WAN is eth0 and LAN is eth1, as configured above
WAN="eth0"
LAN="eth1"
SSHDPORT="22"
LAN_SRV_PORT="80"
LAN_SRV_IP="192.168.1.11"

# Flush rules
$IPTABLES -F
$IPTABLES -X
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
$IPTABLES -t nat -X

# Allow all loopback traffic and drop all traffic to 127/8 that does not go through lo
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accept replies to connections the gateway itself opened (DNS, updates, ...);
# without this the final DROP rule would cut them off
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Forward traffic from and to the LAN
$IPTABLES -A FORWARD -i ${LAN} -j ACCEPT
$IPTABLES -A FORWARD -o ${LAN} -j ACCEPT

# Forward inbound traffic to a server behind the NAT (uncomment to publish it)
#$IPTABLES -t nat -A PREROUTING -i ${WAN} -p tcp --dport ${LAN_SRV_PORT} -j DNAT --to ${LAN_SRV_IP}:${LAN_SRV_PORT}

# Enable Network Address Translation
$IPTABLES -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

# Drop some old attacks in their tracks: a new TCP connection must start with a bare SYN
$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP

# Allow connections to sshd
$IPTABLES -A INPUT -p tcp --dport ${SSHDPORT} -j ACCEPT

# Accept ping
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Drop second and further fragments of fragmented packets
$IPTABLES -A INPUT -f -j DROP

# Drop all other inbound traffic
$IPTABLES -A INPUT -j DROP
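The script above issues one iptables command per rule and accepts everything forwarded towards the LAN, relying on the NAT to make unsolicited WAN packets undeliverable. The following is an added example, not the page's own script: a POSIX sh generator that writes the same gateway as a file in iptables-save format, the format that iptables-save > /etc/rules.iptables produces and the if-pre-up.d hook restores. It sets DROP policies on INPUT and FORWARD, admits only connection-tracked replies plus explicitly listed new connections (LAN to WAN, and WAN to the one published server through the DNAT), and restricts ssh to the LAN side. The interface names, ports and server address are the page's values and are assumptions to be edited; emit_rules and count_rules are names chosen here.

```shell
#!/bin/sh
# gen-rules.sh: emit a stateful NAT gateway rule set in iptables-save format.
# Added example, not from the original page. Edit the five assignments below
# to match the box; the values mirror the set-up described on this page.
WAN=eth0
LAN=eth1
SSHD_PORT=22
LAN_SRV_IP=192.168.1.11
LAN_SRV_PORT=80

# nat_table: DNAT the published port to the LAN server, MASQUERADE on the WAN
nat_table() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN -p tcp --dport $LAN_SRV_PORT -j DNAT --to-destination $LAN_SRV_IP:$LAN_SRV_PORT
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
EOF
}

# filter_table: default-deny INPUT and FORWARD, allow tracked replies, then
# list the new connections we want. Lines starting with '#' are ignored by
# iptables-restore, so the comments can stay in the rules file.
filter_table() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# traffic to the gateway itself
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# administer from the LAN only; add a matching -i $WAN rule if remote ssh is needed
-A INPUT -i $LAN -p tcp --dport $SSHD_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# traffic forwarded through the gateway
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN -o $WAN -j ACCEPT
# only the DNAT'd server may be reached from the WAN (PREROUTING has already rewritten the destination)
-A FORWARD -i $WAN -o $LAN -d $LAN_SRV_IP -p tcp --dport $LAN_SRV_PORT -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# emit_rules: the complete file, nat table first, then filter
emit_rules() {
    nat_table
    filter_table
}

# count_rules: number of -A rule lines in the generated set (useful in checks)
count_rules() {
    emit_rules | grep -c '^-A'
}

emit_rules
```

Usage: sh gen-rules.sh > /etc/rules.iptables, then iptables-restore --test < /etc/rules.iptables parses the file without applying it, and the if-pre-up.d hook from above loads it at boot. Because the FORWARD policy is DROP, every service published later needs both a PREROUTING DNAT line and a matching FORWARD accept line; forgetting the second one fails closed rather than open.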
Linux - a NAT gateway