Free WiFi for all : Headlines

Tuesday, April 15, 2008

Linux Router : Network Address Translation (NAT) Tutorial

The simplest function of a Linux router is Network Address Translation (NAT). With NAT we can share one internet connection with the other network connected to the LAN side of the Linux router.

Basically there are two commands we can use to activate the NAT feature so that many computers behind the router can access the internet. The commands are:

  • /sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
This is the command to use if we have a dynamic WAN IP address on the ethernet1 card (eth1).
  • /sbin/iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 202.150.44.11
This is the command to use if we have a fixed WAN IP address (example: 202.150.44.11) on the ethernet1 card (eth1).

Normally we put these commands in a script (share.sh) in the /root folder with access mode 744 so it is executable. To activate the script, enter the command below:
  • /root/share.sh start
To stop the script, enter the command below:
  • /root/share.sh stop

For example:
eth0 : LAN (192.168.0.0/24) : 192.168.0.100
eth1 : WAN (192.168.1.0/24) : 192.168.1.100

share.sh file should contain:

#!/bin/bash
# Save this file as share.sh and activate it with: ./share.sh start
# and deactivate it with: ./share.sh stop
# This firewall script can be used for a workstation, laptop, router
# or server that is not running network services (such as a web server,
# ftp server etc.)
# Change the parameter UPLINK to the interface device connected to the internet.
# In our case the router's eth1 is connected to the internet
# and the LAN is connected to eth0.
# If you use a dial-up modem, you might use ppp0 as your UPLINK.
UPLINK="eth1"
# If you run the gateway as a router and forward IP packets between eth devices
# please fill in "yes", if not please fill in "no".
ROUTER="yes"
# Please change 192.168.1.100 to the static IP address of your UPLINK device.
# For those who use dial-up or a dynamic IP, please enter "dynamic".
# NAT="192.168.1.100"
NAT="dynamic"
# Please list all network interfaces, including eth devices
# as well as dial-up interfaces such as ppp0.
INTERFACES="lo eth0 eth1"

if [ "$1" = "start" ]
then
    echo "Activating Firewall"
    # Drop everything addressed to the router itself unless a rule below accepts it
    /sbin/iptables -P INPUT DROP
    # Accept anything that does not arrive on the internet-facing interface
    /sbin/iptables -A INPUT ! -i ${UPLINK} -j ACCEPT
    # Accept replies to connections that were opened from inside
    /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Reject new TCP and UDP traffic arriving from the internet
    /sbin/iptables -A INPUT -p tcp -i ${UPLINK} -j REJECT --reject-with tcp-reset
    /sbin/iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable
    # Turn on reverse-path filtering on all interfaces to drop spoofed packets
    for x in ${INTERFACES}
    do
        echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
    done
    if [ "$ROUTER" = "yes" ]
    then
        # Activate IP forwarding at the router
        echo 1 > /proc/sys/net/ipv4/ip_forward
        if [ "$NAT" = "dynamic" ]
        then
            # Dynamic IP address, activate masquerading
            echo "Activating Masquerading (Dynamic IP)"
            /sbin/iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE
        elif [ "$NAT" != "" ]
        then
            # Static IP address, use source NAT
            echo "Activating SNAT (static IP)"
            /sbin/iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${NAT}
        fi
    fi
elif [ "$1" = "stop" ]
then
    echo "Deactivating Firewall"
    /sbin/iptables -F INPUT
    /sbin/iptables -P INPUT ACCEPT
    /sbin/iptables -F FORWARD
    /sbin/iptables -P FORWARD ACCEPT
    /sbin/iptables -F OUTPUT
    /sbin/iptables -P OUTPUT ACCEPT
    # Turn off NAT or masquerading
    /sbin/iptables -t nat -F POSTROUTING
else
    echo "Usage: $0 {start|stop}"
    exit 1
fi
You need to change the script if you have a different network topology.
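As an added example (not part of the original post): a small POSIX shell helper that reproduces the MASQUERADE-or-SNAT decision behind the two commands above and the script's NAT variable, checks that a static NAT address is a well-formed IPv4 address before building the rule, and audits an iptables-save dump to confirm which NAT rule is actually active on the uplink and what the FORWARD policy is. The function names, the interface names and the iptables-save dump are constructed for illustration; the only real tool it relies on is the iptables-save output format.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the POSTROUTING rule the
# share.sh logic selects for a given UPLINK/NAT setting and audits an
# iptables-save dump. Function names and sample data are constructed.

# Return 0 if $1 is a dotted-quad IPv4 address with each octet in 0-255.
is_ipv4() {
    addr=$1
    count=0
    while [ -n "$addr" ]; do
        octet=${addr%%.*}
        case $octet in
            ''|*[!0-9]*) return 1 ;;      # empty or non-numeric octet
        esac
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
        [ "$addr" = "$octet" ] && break   # last octet consumed
        addr=${addr#*.}
        [ -z "$addr" ] && return 1        # trailing dot
    done
    [ "$count" -eq 4 ]
}

# Print the POSTROUTING rule for UPLINK=$1 and NAT=$2: MASQUERADE for a
# dynamic address, SNAT for a valid static one. --to-source is the full
# spelling of the --to option the post uses. Returns 1 for anything else.
nat_rule() {
    uplink=$1; nat=$2
    if [ "$nat" = "dynamic" ]; then
        echo "/sbin/iptables -t nat -A POSTROUTING -o $uplink -j MASQUERADE"
    elif is_ipv4 "$nat"; then
        echo "/sbin/iptables -t nat -A POSTROUTING -o $uplink -j SNAT --to-source $nat"
    else
        return 1
    fi
}

# Read an iptables-save dump on stdin and print which NAT it installs for
# outgoing interface $1: "masquerade", "snat <addr>" or "none".
nat_in_dump() {
    awk -v up="$1" '
        /^\*/ { table = substr($0, 2) }          # *nat, *filter, ...
        table == "nat" && $1 == "-A" && $2 == "POSTROUTING" {
            out = ""
            for (i = 3; i <= NF; i++) if ($i == "-o") out = $(i + 1)
            if (out != up) next
            for (i = 3; i <= NF; i++) {
                if ($i == "-j" && $(i + 1) == "MASQUERADE") { print "masquerade"; found = 1; exit }
                if ($i == "--to-source") { print "snat " $(i + 1); found = 1; exit }
            }
        }
        END { if (!found) print "none" }'
}

# Print the filter table's FORWARD chain policy from an iptables-save dump on
# stdin. share.sh "start" never sets it, so it stays at the kernel default.
forward_policy() {
    awk '/^\*/ { table = substr($0, 2) }
         table == "filter" && $1 == ":FORWARD" { print $2; exit }'
}

# Constructed iptables-save dump resembling what share.sh start would leave
# behind with UPLINK=eth1 and NAT=dynamic.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT ! -i eth1 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -i eth1 -p udp -j REJECT --reject-with icmp-port-unreachable
COMMIT'

nat_rule eth1 dynamic
nat_rule eth1 202.150.44.11
printf '%s\n' "$SAMPLE_DUMP" | nat_in_dump eth1
printf 'FORWARD policy: %s\n' "$(printf '%s\n' "$SAMPLE_DUMP" | forward_policy)"
```

On a live router the audit step is `iptables-save | nat_in_dump eth1` after running share.sh start (hypothetical usage, with the helper sourced into the shell). The FORWARD check is the one worth keeping an eye on: the start branch of share.sh never touches the FORWARD chain, so its policy stays ACCEPT and every host on the LAN can reach anything through the uplink; if that is not what you want, add explicit FORWARD rules rather than relying on the INPUT rules, which only protect the router itself.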