Setting NAT On Linux

This document provides step-by-step instructions for setting up Network Address Translation (NAT) on a Linux server to allow multiple devices on a local network to share a single public IP address for Internet access. It involves configuring two network interface cards, one connected to the local network and one to the wide area network. iptables firewall rules are used to enable NAT and port forwarding. Key steps include assigning IP addresses to the NICs, enabling IP forwarding, and configuring NAT and forwarding rules.

Uploaded by

Agus Ady
Copyright
© Attribution Non-Commercial (BY-NC)

Setting NAT On Linux

This step-by-step tutorial shows how to set up Network Address Translation (NAT) with the open
source Linux operating system and the iptables firewall. This will allow your system to act as a
gateway and provide Internet access to multiple hosts on a Local Area Network (LAN) using a
single public IP address.

Requirements

1. Hardware server with 2 (two) network interface cards (NICs).
2. Any Linux distribution (get more information at DistroWatch.com).
3. Linux kernel with networking and iptables support.
4. iptables package (you can find the latest release at NetFilter’s Download page).

Basic definitions

aa.aa.aa.aa is the Wide Area Network (WAN) IP address (bb.bb.bb.bb is the WAN netmask).

cc.cc.cc.cc is the LAN IP address (e.g. 192.168.0.1 or 10.0.0.1), dd.dd.dd.dd is the LAN netmask (e.g.
255.255.255.0).

ee.ee.ee.ee is the default gateway for the Internet connection.

eth0 is the hardware name of the NIC connected to the WAN.

eth1 is the name of the NIC connected to the LAN.

Step-by-step set up

1. Install two NICs in the hardware server.

2. Verify that both NICs are recognized by Linux and are fully functional:

dmesg | grep eth0


dmesg | grep eth1

The output may vary, but in most cases it will look like the following:

eth1: RealTek RTL8139 at 0xe0830000, 00:30:4f:3b:af:45, IRQ 19


eth1: Identified 8139 chip type ’RTL-8100B/8139D’
eth0: link up, 100Mbps, full-duplex, lpa 0x41E1

The output for the eth0 NIC should be similar.

To verify that the NICs are recognized by Linux as networking devices, use the following
commands:

ifconfig eth0
ifconfig eth1

If successful, the output will look as follows:

eth0 Link encap:Ethernet HWaddr 00:50:56:C0:00:08


inet6 addr: fe80::250:56ff:fec0:8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:41 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

See the ifconfig manual page for the full list of options.

3. Configure the WAN interface (eth0) for the Internet connection:

ifconfig eth0 aa.aa.aa.aa netmask bb.bb.bb.bb

e.g.

ifconfig eth0 123.45.67.89 netmask 255.255.255.248

The WAN IP address and netmask should be provided by your ISP.

4. Set up the WAN NIC settings to be applied at server startup.

Configuration files containing NIC settings may have different syntax and locations in various
distributions. For distributions such as RedHat, Fedora, CentOS and similar ones, the eth0
configuration file is at /etc/sysconfig/network-scripts/ifcfg-eth0. In Debian and Ubuntu, NIC settings
are located in a single file, /etc/network/interfaces.

To edit configuration files, use any preferred text editor, such as vim or GNU nano.

After editing, /etc/sysconfig/network-scripts/ifcfg-eth0 should look as follows:

DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=aa.aa.aa.aa # e.g. 123.45.67.89
NETMASK=bb.bb.bb.bb # e.g. 255.255.255.0
GATEWAY=ee.ee.ee.ee # e.g. 123.45.67.1
HWADDR=00:30:4f:3b:af:45 # MAC address (optional entry)

After making changes to /etc/network/interfaces, the section for the eth0 NIC should look like this:

auto eth0
iface eth0 inet static
address aa.aa.aa.aa
netmask bb.bb.bb.bb
gateway ee.ee.ee.ee

Related links: detailed syntax description of /etc/sysconfig/network-scripts/ifcfg-ethN, manual
page of /etc/network/interfaces.

5. Set up the LAN NIC settings to be applied at server startup. This step requires operations similar to
the previous step.

Edit /etc/sysconfig/network-scripts/ifcfg-eth1 and make sure that it looks like this:

DEVICE=eth1
ONBOOT=yes
BOOTPROTO=static
IPADDR=cc.cc.cc.cc # e.g. 192.168.0.1
NETMASK=dd.dd.dd.dd # e.g. 255.255.255.0
HWADDR=00:50:8d:d1:24:db # MAC address of LAN NIC (optional entry)

If you are using Debian or a related Linux distribution, edit /etc/network/interfaces (see the previous
step):

auto eth1
iface eth1 inet static
address cc.cc.cc.cc
netmask dd.dd.dd.dd

6. Set up the Domain Name System (DNS) server IP addresses by editing /etc/resolv.conf:

nameserver 203.145.184.13
nameserver 203.145.184.12

7. Enable IP Forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward

8. Set up NAT with iptables:

To delete existing rules from every iptables table, execute the following commands:

iptables -F
iptables -t nat -F
iptables -t mangle -F

Related links: official iptables documentation.

Enable NAT with the following commands:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


iptables -A FORWARD -i eth1 -j ACCEPT

9. Configure LAN clients to access the Internet via the described gateway:

Use the clients’ operating system tools to set up the following TCP/IP settings:

IP address: from the same network as cc.cc.cc.cc (you can use an IP/subnet calculator to get it)
Netmask: dd.dd.dd.dd
DNS: ff.ff.ff.ff
Gateway: cc.cc.cc.cc

Example:

IP address: 192.168.0.7
Netmask: 255.255.255.0
DNS: 209.160.67.13
Gateway: 192.168.0.1

Setting all this up can be a lot easier if you’re using a control panel rather than the command line,
but I’ll save that for another article.
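
A stricter variant of the step 8 rules, as an added example that is not part of the original tutorial: with the default FORWARD policy of ACCEPT, the tutorial's single FORWARD rule restricts nothing, so this script drops forwarded traffic by default and lets WAN-to-LAN packets through only for connections the LAN started. The function names and the LAN network argument (192.168.0.0/24, matching the tutorial's example addresses) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Prints an iptables-restore
# ruleset for the gateway: MASQUERADE limited to the LAN network, FORWARD
# default-drop, WAN-to-LAN traffic allowed only for established connections.
# Loading it flushes the nat and filter tables, like the tutorial's "iptables -F".
# INPUT and OUTPUT are set to ACCEPT; the tutorial does not filter them.

valid_iface() {  # safe characters only, at most 15 of them
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

valid_cidr() {  # dotted-quad IPv4 network with a /0-32 prefix
    case "$1" in
        *[!0-9./]*) return 1 ;;
    esac
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    old_ifs=$IFS; IFS=./
    set -- $1
    IFS=$old_ifs
    for octet in "$1" "$2" "$3" "$4"; do
        [ "$octet" -le 255 ] || return 1
    done
}

gateway_ruleset() {  # usage: gateway_ruleset WAN_IF LAN_IF LAN_NET/PREFIX
    wan=$1 lan=$2 lan_net=$3
    valid_iface "$wan" && valid_iface "$lan" && [ "$wan" != "$lan" ] || return 1
    valid_cidr "$lan_net" || return 1
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $lan_net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
-A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Tutorial's example values (eth0 = WAN, eth1 = LAN, 192.168.0.0/24 = LAN network).
gateway_ruleset eth0 eth1 192.168.0.0/24
```

Pipe the output to iptables-restore --test first, which parses the ruleset without committing it, then to iptables-restore as root. The setting from step 7 is lost at reboot unless net.ipv4.ip_forward = 1 is also set in /etc/sysctl.conf.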
