Linux NAT router
This document presents some commands to configure a Linux NAT router in an IPv4 network. NAT stands for Network Address Translation; it was designed to provide Internet connectivity when only a limited number of addresses is assigned to a network.
Network architecture
For the sake of clarity, this document uses the following interface names and network addresses:

                 +--------------------------------+
                 |             Linux              |   Private Network
Internet --------| eth0        Router        eth1 |------ (Wifi, VPN...)
                 | 192.0.2.42          10.13.37.1 |   10.13.37.0/24
                 +--------------------------------+        |
                                                           |
                                                      +---------+
                                                      | Private |
                                                      |  Host   |
                                                      +---------+

Hosts connected to the private network don't have public IPv4 addresses and are configured to connect to the Internet via a router sitting at 10.13.37.1.
To configure the router so that the private host gets access to the Internet, issue the following commands on the Linux router.
Configure the firewall to do NAT:

# If the public address (192.0.2.42) is static, use this command
iptables -t nat -A POSTROUTING -s 10.13.37.0/24 -o eth0 -j SNAT --to-source 192.0.2.42
# Otherwise, if the public address is dynamic, use this command
iptables -t nat -A POSTROUTING -s 10.13.37.0/24 -o eth0 -j MASQUERADE

Configure the firewall to allow packet forwarding:

iptables -A FORWARD -s 10.13.37.0/24 -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -d 10.13.37.0/24 -i eth0 -o eth1 -j ACCEPT

Enable packet forwarding via sysctl (sysctl -w writes to /proc/sys/...):

sysctl -w net.ipv4.conf.eth0.forwarding=1
sysctl -w net.ipv4.conf.eth1.forwarding=1
# The previous entries may not exist in old kernels. In that case, use:
# sysctl -w net.ipv4.ip_forward=1
# ... which acts like: sysctl -w net.ipv4.conf.all.forwarding=1
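The three steps above gathered into one idempotent POSIX shell script, as an added example that is not part of the original page. Interface names and addresses default to the ones in the diagram; the variable names (WAN_IF, LAN_IF, LAN_NET, WAN_IP, APPLY) and the helper functions are assumptions of this example. It picks SNAT or MASQUERADE from whether a static public address is set, falls back to net.ipv4.ip_forward when the per-interface sysctl entry is missing, and uses iptables -C so that re-running it does not append duplicate rules. One deliberate change from the page's rules: the inbound FORWARD rule towards the private network is restricted to replies of existing connections with a conntrack match, because an unconditional "-d 10.13.37.0/24 -i eth0 -o eth1 -j ACCEPT" would also forward any packet that reaches eth0 addressed to the private range.

```shell
#!/bin/sh
# Added example, not taken from the page: apply the NAT router setup above in one
# idempotent script. Interface names and addresses default to the ones in the
# diagram; the variable names (WAN_IF, LAN_IF, LAN_NET, WAN_IP, APPLY) are
# assumptions of this example. Run as root with APPLY=1; without it the script
# only prints the commands it would run.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-10.13.37.0/24}"
WAN_IP="${WAN_IP:-192.0.2.42}"   # set WAN_IP="" for a dynamic public address
APPLY="${APPLY:-0}"

# run: execute a command when APPLY=1, otherwise print it.
run() {
    if [ "$APPLY" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

# nat_target: target of the POSTROUTING rule. A static public address gets SNAT
# (fixed source address); an empty address means the public address is dynamic,
# so MASQUERADE is used instead.
nat_target() {
    if [ -n "$1" ]; then
        echo "SNAT --to-source $1"
    else
        echo "MASQUERADE"
    fi
}

# forwarding_key: sysctl key that enables forwarding for interface $1. Old kernels
# lack the per-interface net.ipv4.conf.<if>.forwarding entry; in that case the
# global net.ipv4.ip_forward is used. $2 overrides the /proc/sys root (testing).
forwarding_key() {
    root="${2:-/proc/sys}"
    if [ -e "$root/net/ipv4/conf/$1/forwarding" ]; then
        echo "net.ipv4.conf.$1.forwarding"
    else
        echo "net.ipv4.ip_forward"
    fi
}

# add_rule TABLE CHAIN RULE...: append a rule unless an identical one is already
# present (iptables -C), so re-running the script does not duplicate rules.
add_rule() {
    table="$1"; shift
    if [ "$APPLY" != "1" ] || ! iptables -t "$table" -C "$@" 2>/dev/null; then
        run iptables -t "$table" -A "$@"
    fi
}

apply_nat_router() {
    # 1. NAT: rewrite the source of packets leaving the private network via eth0.
    #    $(nat_target ...) is intentionally unquoted so "SNAT --to-source IP" splits.
    add_rule nat POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j $(nat_target "$WAN_IP")

    # 2. Forwarding. Outbound LAN traffic is accepted as on the page. Inbound
    #    traffic towards the LAN is limited to replies of connections the LAN
    #    opened (conntrack match added in this example): a plain
    #    "-d 10.13.37.0/24 -i eth0 -o eth1 -j ACCEPT" would also forward any
    #    packet arriving on eth0 that is addressed to the private network.
    add_rule filter FORWARD -s "$LAN_NET" -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    add_rule filter FORWARD -d "$LAN_NET" -i "$WAN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 3. Enable forwarding on both interfaces (or globally on old kernels; the
    #    fallback key is then simply set twice).
    for iface in "$WAN_IF" "$LAN_IF"; do
        run sysctl -w "$(forwarding_key "$iface")=1"
    done
}

apply_nat_router
```

Run it once without APPLY to review the exact iptables and sysctl commands for your interfaces, then as root with APPLY=1 to apply them; the iptables -C check makes a second run a no-op.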
Persistent configuration
You may create the following files to keep your configuration across reboots.
/etc/iptables/iptables.rules (please adapt this path according to your Linux distribution):
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# (... INPUT and OUTPUT filters ...)
-A FORWARD -s 10.13.37.0/24 -i eth1 -o eth0 -j ACCEPT
-A FORWARD -d 10.13.37.0/24 -i eth0 -o eth1 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.13.37.0/24 -o eth0 -j SNAT --to-source 192.0.2.42
COMMIT
/etc/sysctl.d/ip_forward.conf (or /etc/sysctl.conf on old systems):
net.ipv4.conf.eth0.forwarding=1
net.ipv4.conf.eth1.forwarding=1