how_to_make_a_quick_nat_router_on_ubuntu

how_to_make_a_quick_nat_router_on_ubuntu [2010/12/03 23:30] (current)
tkbletsc created
If you've got an Ubuntu box with two NICs and you want a quick NAT router, do the following. This guide assumes that eth0 is your **local network** and eth1 is your **internet connection**. Reverse "eth0" and "eth1" in these directions if that's not the case. This has been tested on Ubuntu 8.04.

1. Remove network-manager. It has very little use on a machine that is not a laptop, and on a router it only gets in the way of the static configuration below:

  $ sudo apt-get remove network-manager

2. Configure both NICs. Set the internet NIC (eth1 below) to automatic DHCP mode, and the local NIC (eth0 below) to a static IP of 192.168.0.1 with netmask 255.255.255.0. To do this, you can either (a) use the GUI in System | Admin | Network, or (b) as root, edit /etc/network/interfaces so it looks like:
 +
<file>
auto lo
iface lo inet loopback

# internet
auto eth1
iface eth1 inet dhcp
    pre-up iptables-restore < /etc/iptables.rules
    pre-up echo 1 > /proc/sys/net/ipv4/ip_forward

# local
auto eth0
iface eth0 inet static
    address 192.168.0.1
    netmask 255.255.255.0
</file>
 +
3. If you used the GUI in step 2, you'll need to edit /etc/network/interfaces and add the following lines after the "iface" line for the internet interface, so that the firewall rules are loaded and forwarding is switched on every time that interface comes up:

  pre-up iptables-restore < /etc/iptables.rules
  pre-up echo 1 > /proc/sys/net/ipv4/ip_forward

Either way, your completed file should look like the example in step 2.
 +
4. Put the following rules into /etc/iptables.rules:

<file>
#!/usr/bin/env iptables-restore
#
# NAT with eth1=remote and eth0=local, adapted from:
#   http://danieldegraaf.afraid.org/info/iptables/examples
# specifically,
#   http://danieldegraaf.afraid.org/info/iptables/nat2
#
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
# (1/2) To forward a port, you need to add TWO lines.  First, here:
#   -A FORWARD -p tcp --dport <WAN_PORT> -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# To accept a port on the router, add a line like:
#   -A INPUT -p tcp --dport 25 -j ACCEPT
# To open ALL ports:
#   -A INPUT -j ACCEPT
-A INPUT -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# (2/2) To forward a port, you need to add TWO lines.  Second, here:
#   -A PREROUTING -i eth1 -p tcp --dport <WAN_PORT> -j DNAT --to-destination <LAN_IP>
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
</file>
 +
The comments tell you how to add port forwarding. Note that the last rule in the INPUT chain, ''-A INPUT -j ACCEPT'', accepts everything, so the DROP policy declared above it never applies: every service listening on the router is reachable from the internet side as well as from the LAN. If you don't want that, delete that line and keep only the per-port ACCEPT lines you actually need (the commented SMTP rule shows the pattern), or accept everything only on the LAN interface.
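As an added example (it is not part of the original guide), the following POSIX shell helper generates a ruleset in the same iptables-restore format from the interface pair and a list of TCP port forwards. It exists to remove the two mistakes the comments above invite: forgetting one half of a port forward, and leaving ''-A INPUT -j ACCEPT'' in place. Both halves of each forward are emitted from a single ''WAN_PORT:LAN_IP[:LAN_PORT]'' spec, the INPUT chain accepts new connections only from the LAN interface, and a small check refuses a ruleset whose INPUT chain is wide open. The function names, the spec syntax, the NEW-state form of the FORWARD rule and the addresses 192.168.0.10 and 192.168.0.20 are assumptions made for this example; only TCP forwards are handled.

```shell
#!/bin/sh
# Added example for this page, not the original guide's code.
# gen_nat_rules emits an iptables-restore ruleset for a two-NIC NAT router in
# which both halves of every TCP port forward (the nat PREROUTING DNAT and the
# filter FORWARD accept) come from one spec, and the router itself only accepts
# new connections from the LAN interface.
#
# Usage: gen_nat_rules WAN_IF LAN_IF [WAN_PORT:LAN_IP[:LAN_PORT]]...
#   e.g. gen_nat_rules eth1 eth0 22:192.168.0.10 8080:192.168.0.20:80
# (addresses and spec syntax are assumptions for this example)

gen_nat_rules() {
    wan=$1
    lan=$2
    shift 2
    forward_rules=""
    dnat_rules=""
    for spec in "$@"; do
        wport=${spec%%:*}          # WAN_PORT
        rest=${spec#*:}            # LAN_IP[:LAN_PORT]
        lanip=${rest%%:*}
        case "$rest" in
            *:*) lport=${rest#*:} ;;   # explicit LAN_PORT
            *)   lport=$wport ;;       # same port on both sides
        esac
        # The FORWARD rule sees the packet after DNAT, so it matches the
        # LAN address and LAN port, not the WAN port.
        forward_rules="${forward_rules}-A FORWARD -i ${wan} -o ${lan} -p tcp -d ${lanip} --dport ${lport} -m state --state NEW -j ACCEPT
"
        dnat_rules="${dnat_rules}-A PREROUTING -i ${wan} -p tcp --dport ${wport} -j DNAT --to-destination ${lanip}:${lport}
"
    done
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# services on the router (ssh, dhcpd, ...) are reachable from the LAN only;
# open individual WAN ports here with -A INPUT -i ${wan} -p tcp --dport N -j ACCEPT
-A INPUT -i ${lan} -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ${lan} -o ${wan} -j ACCEPT
${forward_rules}COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
${dnat_rules}-A POSTROUTING -o ${wan} -j MASQUERADE
COMMIT
EOF
}

# Sanity check for a ruleset on stdin: succeed only if the INPUT chain has no
# unconditional ACCEPT, which is the line that makes the DROP policy moot.
check_no_open_input() {
    ! grep -q '^-A INPUT -j ACCEPT$'
}

# Run from the command line:  sh make-nat-rules.sh eth1 eth0 22:192.168.0.10
if [ "$#" -ge 2 ]; then
    gen_nat_rules "$@"
fi
```

Redirect the output to /etc/iptables.rules after reading it through, reload with ''sudo iptables-restore < /etc/iptables.rules'', then check with ''sudo iptables -L INPUT -v -n'' that the chain now ends in the LAN-only ACCEPT and with ''sudo iptables -t nat -L PREROUTING -n'' that each DNAT entry is present. The FORWARD rule for a forwarded port matches the LAN address and LAN port rather than the WAN port because, by the time a packet reaches FORWARD, the nat PREROUTING chain has already rewritten its destination.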
 +
Steps 1-4 take care of enabling NAT routing itself. We just need to add a DHCP server so new hosts will get IPs.
 +
5. Install dhcp3-server:

  $ sudo apt-get install dhcp3-server

6. Add our NAT subnet to the config file "''/etc/dhcp3/dhcpd.conf''". To get the domain name servers, run ''cat /etc/resolv.conf'', copy the IPs and use them in the "domain-name-servers" line (the addresses below are the author's and will not be right for your network):
 +
<file>
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.100 192.168.0.200;
  option routers 192.168.0.1;
  # replace with the name servers from /etc/resolv.conf
  option domain-name-servers 152.1.1.248, 152.1.1.161;
}
</file>
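An added example (not the page's own file) of a fuller ''/etc/dhcp3/dhcpd.conf'' for the same subnet: it declares the server authoritative for the LAN and reserves a fixed address, outside the dynamic range, for a host that the router forwards ports to, so the DNAT target in ''/etc/iptables.rules'' does not drift when leases change. The host name "fileserver", the MAC address and the address 192.168.0.10 are placeholders; the name-server addresses are the page's example values and must be replaced with those from ''/etc/resolv.conf''.

```dhcpd
# /etc/dhcp3/dhcpd.conf -- added example, not the original page's file.
# "fileserver", its MAC address and 192.168.0.10 are placeholders.
ddns-update-style none;
authoritative;              # the only DHCP server on 192.168.0.0/24
default-lease-time 600;
max-lease-time 7200;

subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.100 192.168.0.200;
  option routers 192.168.0.1;
  option broadcast-address 192.168.0.255;
  # copy these from /etc/resolv.conf on the router
  option domain-name-servers 152.1.1.248, 152.1.1.161;
}

# Fixed lease outside the dynamic range for any host you port-forward to,
# so the DNAT target in /etc/iptables.rules keeps pointing at the same box.
host fileserver {
  hardware ethernet 00:11:22:33:44:55;
  fixed-address 192.168.0.10;
}
```

The reservation lives outside the 192.168.0.100-200 pool on purpose: dhcpd will never hand 192.168.0.10 to another client, and the forwarded service stays reachable across reboots of the target machine.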
 +
7. Restart the DHCP server:

  $ sudo /etc/init.d/dhcp3-server restart

8. Make sure it started okay by checking the syslog:

  $ less /var/log/syslog

You should see something like:
<file>
May 16 13:26:42 if dhcpd: Internet Systems Consortium DHCP Server V3.0.6
May 16 13:26:42 if dhcpd: Copyright 2004-2007 Internet Systems Consortium.
May 16 13:26:42 if dhcpd: All rights reserved.
May 16 13:26:42 if dhcpd: For info, please visit http://www.isc.org/sw/dhcp/
May 16 13:26:42 if dhcpd: Wrote 0 leases to leases file.
May 16 13:26:42 if dhcpd: 
May 16 13:26:42 if dhcpd: No subnet declaration for eth1 (152.14.92.129).
May 16 13:26:42 if dhcpd: ** Ignoring requests on eth1.  If this is not what
May 16 13:26:42 if dhcpd:    you want, please write a subnet declaration
May 16 13:26:42 if dhcpd:    in your dhcpd.conf file for the network segment
May 16 13:26:42 if dhcpd:    to which interface eth1 is attached. **
May 16 13:26:42 if dhcpd: 
</file>
 +
That message about "No subnet declaration for eth1" is good -- we don't **want** to do DHCP server on our internet uplink! To make that explicit rather than relying on the missing subnet declaration, set the INTERFACES variable in /etc/default/dhcp3-server to eth0 so dhcpd only listens on the LAN side.

9. Connect a machine to the LAN side and boot it up. It should get an IP in the 192.168.0.100-200 range and be able to access the internet; the lease will also appear in /var/lib/dhcp3/dhcpd.leases on the router.