Xmodulo: How To Set Up Internet Connection Sharing With Iptables On Linux


Last updated on June 9, 2014 Authored by Wayan Ari Agustina 2 Comments

In this tutorial, I'll explain how to share a single Internet connection among multiple devices on Linux. Consumer-grade WiFi routers have become mainstream nowadays, which makes this a non-issue for most people, but suppose you don't have one at home. What you do have is a Linux box with a modem and a LAN card. The modem is connected to the Internet with a dynamic public IP address, and the LAN card is connected to your switch/hub. Other devices (Linux/Windows PCs, laptops) are connected to the switch but have no Internet connection. To share the Internet connection of the Linux box, you turn the box into a gateway that relays traffic to and from the other devices.

Glossary of Terms
Private IP address (non-routable address) is an IP address used inside a Local Area Network; it is not routed on the Internet.
Public IP address (routable address) is an IP address that is reachable from the Internet.
IP masquerading is a function that lets a set of machines reach the Internet through a MASQ gateway. The machines behind the MASQ gateway are never directly visible to the Internet: all of their outgoing and incoming traffic passes through the gateway, which rewrites it to carry the gateway's own public address.
Network Address Translation (NAT) is the general mechanism of rewriting the addresses (and ports) in packets as they pass through a router. IP masquerading is the form of source NAT that lets hosts with private IP addresses reach the Internet through a gateway whose public address may change.

Hardware Requirements
One Linux box with two interfaces (one public IP address and the other private IP address), which will be used as a gateway.
One or more Linux/Windows PC or laptop with private IP addresses.
Switch/HUB (optional).

Step-by-Step Guide
The following procedure is required on the Linux box (the connection sharing gateway).
1. Activate IP forwarding

In order to set up Internet connection sharing, you need to enable IP forwarding on the Linux box with a kernel parameter. Kernel parameters applied at boot are stored in /etc/sysctl.conf (or in /etc/sysctl.d/*.conf on newer distributions).
Open the file and locate the line with the parameter "# net.ipv4.ip_forward = 0". Remove the hash mark (i.e., uncomment it) and set the value to 1. It should look like the following:
net.ipv4.ip_forward = 1

To activate the change without rebooting, either reload the file or set the parameter directly at run time:
$ sudo sysctl -p
$ sudo sysctl -w net.ipv4.ip_forward=1

Once forwarding is on, the kernel will route any packet that arrives on either interface and is addressed elsewhere; what actually gets through is then decided by the FORWARD chain configured in the next step.
2. NAT configuration

Another important part of Internet connection sharing is the NAT configuration, which is done with the iptables command. iptables organizes its rules into tables; the four you will normally deal with are:
FILTER (the default table)
NAT
MANGLE
RAW

In this tutorial we will use only two tables: FILTER and NAT.
First, flush all active firewall rules. This throws away whatever rules are currently loaded, and flushing a chain whose policy is DROP over an SSH session will cut you off, so check the policies with "iptables -S" first. Flushing (-F) comes before deleting user-defined chains (-X), since -X only removes chains that are already empty.

$ sudo iptables -F
$ sudo iptables -X
$ sudo iptables -t nat -F
$ sudo iptables -t nat -X

In the FILTER table, add a rule to the INPUT chain and one to the FORWARD chain that accept packets belonging to connections that are already established (or related to one, such as an ICMP error), so that reply traffic for connections opened from the LAN side passes through the box:
$ sudo iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ sudo iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

These two rules only make a difference once the chain policy is DROP. With the default ACCEPT policy, which this tutorial relies on, the box forwards every packet it receives and accepts any connection to its own services, on ppp0 as well as on the LAN side. For a gateway that sits on the Internet, set the policy of INPUT and FORWARD to DROP and add an explicit rule that allows new connections only from the LAN interface towards ppp0.

In the NAT table, enable IP masquerading on the WAN interface, so that packets leaving through it carry the gateway's public address as their source. We assume that the WAN interface is ppp0:
$ sudo iptables -t nat -I POSTROUTING -o ppp0 -j MASQUERADE

MASQUERADE is the right target for a dynamic public address, since it always uses whatever address ppp0 currently has; with a static address, SNAT with --to-source is the conventional choice. Restricting the rule to your LAN subnet (e.g. -s 192.168.1.0/24) keeps the box from masquerading traffic from anything else that happens to be routed through it.
3. Configuring the other devices

After the configuration of the Linux box is complete, set the default gateway and the DNS server of the other devices (Linux/Windows PC, laptop). The default gateway must be the LAN address of the Linux box. For DNS you have two options: point the devices directly at your ISP's resolvers (the addresses in the Linux box's own /etc/resolv.conf), which works with nothing but the masquerading rule above; or point them at the Linux box, which only works if the box actually answers on port 53, either by running a caching forwarder such as dnsmasq or by DNAT-ing queries that arrive on the LAN interface to an upstream resolver. A query sent to the box's own address is delivered to the box itself (INPUT chain), not forwarded, so without one of those it is simply refused.
If you are using Linux on the other devices, you can use the following commands to change the default gateway and the DNS server. I assume that you are using the 192.168.1.0/24 private IP address segment, that 192.168.1.1 is the address assigned to the Linux box, and that the box resolves DNS for the LAN as described above (otherwise put the ISP's resolver address in the nameserver line).
$ sudo ip route del default
$ sudo ip route add default via 192.168.1.1
$ sudo sh -c "echo 'nameserver 192.168.1.1' > /etc/resolv.conf"

On desktops managed by NetworkManager, resolvconf or systemd-resolved, /etc/resolv.conf is regenerated and this edit will not survive; change the DNS setting in the connection profile instead. Repeat the commands above on every other Linux device.
If you have a Windows device, you can change the default gateway and the DNS server via the network connection properties in the Control Panel.
4. The complete script

Here is the complete script which sets up Internet connection sharing on the Linux box. The WAN interface (ppp0) needs to be replaced according to your environment.
$ sudo vi /usr/local/bin/ishare

#!/bin/bash
## Internet connection sharing script
WAN=ppp0          # replace with your WAN interface

# Enable forwarding now. sysctl -p is not needed here: it reloads
# /etc/sysctl.conf and would reset the value if the file still says 0.
sysctl -w net.ipv4.ip_forward=1

# Flush the rules first, then delete the (now empty) user-defined chains.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# Accept reply traffic for connections the gateway or a LAN host opened.
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Rewrite the source address of everything leaving through the WAN interface.
iptables -t nat -I POSTROUTING -o "$WAN" -j MASQUERADE

Save the above script to /usr/local/bin/ishare, and then set the executable bit with the following command.
$ sudo chmod +x /usr/local/bin/ishare

If you want the script executed at every startup, you can register it in /etc/rc.local. Open /etc/rc.local and add the following line before the "exit 0" statement:
/usr/local/bin/ishare

On systemd-based distributions /etc/rc.local is not necessarily executed; saving the loaded rules with iptables-save and restoring them at boot (iptables-persistent / netfilter-persistent on Debian and Ubuntu) or running the script from a small systemd unit is the more reliable option.
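As an added example (my code, not the article's script), here is a hardened version of the same gateway that makes the caveats from step 2 and the DNS problem from step 3 concrete: DROP policies on INPUT and FORWARD, forwarding of new connections only from the LAN interface towards the WAN, optional DNAT of client DNS queries that are addressed to the gateway itself on to an upstream resolver, and an atomic load through iptables-restore after a parse-only check. The interface names ppp0 and eth0, the LAN subnet 192.168.1.0/24, the gateway address 192.168.1.1 and the resolver 203.0.113.53 are placeholders I assumed; they are not from the article and can be overridden through environment variables.

```shell
#!/bin/bash
# Hardened connection-sharing ruleset. Added example, not the article's script.
# Assumed placeholders (override via environment): WAN interface ppp0, LAN
# interface eth0, LAN subnet 192.168.1.0/24, gateway LAN address 192.168.1.1,
# and an optional upstream resolver (e.g. 203.0.113.53) for the DNS DNAT rules.
set -eu

WAN="${WAN:-ppp0}"
LAN="${LAN:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IP="${LAN_IP:-192.168.1.1}"
UPSTREAM_DNS="${UPSTREAM_DNS:-}"   # empty: clients must use the ISP resolver directly

# Print a complete iptables-restore ruleset to stdout.
# Policies are DROP on INPUT and FORWARD, so only the listed traffic passes.
generate_ruleset() {
    local wan="$1" lan="$2" lan_net="$3" lan_ip="$4" upstream="${5:-}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH and ping reach the gateway from the LAN side only; nothing new is accepted on $wan.
-A INPUT -i $lan -s $lan_net -p tcp --dport 22 -j ACCEPT
-A INPUT -i $lan -s $lan_net -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# LAN hosts may open new connections towards the Internet; the reverse is never forwarded.
-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
EOF
    if [ -n "$upstream" ]; then
        # Clients that use the gateway as nameserver get their queries handed to the upstream resolver.
        cat <<EOF
-A PREROUTING -i $lan -s $lan_net -d $lan_ip -p udp --dport 53 -j DNAT --to-destination $upstream
-A PREROUTING -i $lan -s $lan_net -d $lan_ip -p tcp --dport 53 -j DNAT --to-destination $upstream
EOF
    fi
    cat <<EOF
-A POSTROUTING -s $lan_net -o $wan -j MASQUERADE
COMMIT
EOF
}

# Sanity check before anything is loaded: refuse open policies or a missing NAT rule.
check_ruleset() {
    printf '%s\n' "$1" | grep -q '^:INPUT DROP '    || return 1
    printf '%s\n' "$1" | grep -q '^:FORWARD DROP '  || return 1
    printf '%s\n' "$1" | grep -q -- '-j MASQUERADE' || return 1
}

# Replace the live ruleset atomically (needs root). A parse-only pass runs first,
# so a typo fails here instead of leaving the box half-configured.
apply_ruleset() {
    local rs
    rs=$(generate_ruleset "$WAN" "$LAN" "$LAN_NET" "$LAN_IP" "$UPSTREAM_DNS")
    check_ruleset "$rs" || { echo "refusing to load ruleset: policy check failed" >&2; return 1; }
    printf '%s\n' "$rs" | iptables-restore --test
    sysctl -w net.ipv4.ip_forward=1
    printf '%s\n' "$rs" | iptables-restore
}

case "${1:-print}" in
    print) generate_ruleset "$WAN" "$LAN" "$LAN_NET" "$LAN_IP" "$UPSTREAM_DNS" ;;
    apply) apply_ruleset ;;
    *) echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

Run the script with "print" to review the generated ruleset and with "apply" (as root) to load it. Because the FORWARD policy is DROP, pointing the clients' DNS at the gateway only works when UPSTREAM_DNS is set (or a resolver listens on 192.168.1.1): the DNAT rule turns a query addressed to the gateway into a forwarded packet that the LAN-to-WAN rule permits, and conntrack maps the reply back to the client. The script touches only IPv4; if ppp0 also carries IPv6, apply the same policy with ip6tables or leave net.ipv6.conf.all.forwarding at 0.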


2 thoughts on "How to set up Internet connection sharing with iptables on Linux"

Anders on June 9, 2014 at 4:01 pm said:

I would use the package shorewall instead of hacking your own iptables, as it is too easy to make errors in a hand-written iptables rule.
And to share a network, using IPv6 is much easier using tunneling with Hurricane Electric or through the package gogoc (and the TSP protocol). Then just set up net.ipv6.all.forwarding=1 and install package radvd.

Ram on May 15, 2015 at 6:24 am said:

"On the INPUT table, you have to set chain FORWARD to ACCEPT target"
Please correct the above line (INPUT table?)
Thanks