If you've got an Ubuntu box with two NICs and you want a quick NAT router, do the following. This guide assumes that eth0 is your local network and eth1 is your internet connection. Reverse "eth0" and "eth1" in these directions if that's not the case. This has been tested on Ubuntu 8.04.
1. Remove network manager. It sucks anyway, and has very little use if you're not on a laptop
$ sudo apt-get remove network-manager
2. Configure both NICs. Set the internet NIC (eth1 below) to automatic DHCP mode, and the local NIC (eth0 below) to a static IP of 192.168.0.1 with netmask 255.255.255.0. To do this, you can either (a) use the GUI in System | Admin | Network, or (b) as root, edit /etc/network/interfaces so it looks like:
auto lo iface lo inet loopback # internet auto eth1 iface eth1 inet dhcp pre-up iptables-restore < /etc/iptables.rules pre-up echo 1 > /proc/sys/net/ipv4/ip_forward # local iface eth0 inet static address 192.168.0.1 netmask 255.255.255.0 auto eth0
3. If you used the GUI in step 2, you'll need to edit /etc/network/interfaces and add the following lines after your "iface" line for the internet interface:
pre-up iptables-restore < /etc/iptables.rules pre-up echo 1 > /proc/sys/net/ipv4/ip_forward
Either way, your completed file should look like the example in step 2.
4. Put the following rules into /etc/iptables.rules:
#!/usr/bin/env iptables-restore # # NAT with eth1=remote and eth0=local, adapted from: # http://danieldegraaf.afraid.org/info/iptables/examples # specifically, # http://danieldegraaf.afraid.org/info/iptables/nat2 # *filter :FORWARD DROP [0:0] :INPUT DROP [0:0] :OUTPUT ACCEPT [0:0] -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i eth0 -j ACCEPT # (1/2) To forward a port, you need to add TWO lines. First, here: # -A FORWARD -p tcp --dport <WAN_PORT> -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT # To accept a port on the router, add a line like: # -A INPUT -p tcp --dport 25 -j ACCEPT # To open ALL ports: # -A INPUT -j ACCEPT -A INPUT -j ACCEPT COMMIT *nat :PREROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] # (2/2) To forward a port, you need to add TWO lines. Second, here: # -A PREROUTING -i eth1 -p tcp --dport <WAN_PORT> -j DNAT --to-destination <LAN_IP> -A POSTROUTING -o eth1 -j MASQUERADE COMMIT
The comments tell you how to add port forwarding. This configuration leaves all ports open on the router.
Steps 1-5 take care of enabling NAT routing itself. We just need to add a DHCP server so new hosts will get IPs.
5. Install dhcp3-server:
$ sudo apt-get install dhcp3-server
6. Add our NAT subnet to the config file "/etc/dhcp3/dhcpd.conf". To get the domain name servers, "cat /etc/resolv.conf" and copy the IPs and use them in the "domain-name-servers" line.
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.100 192.168.0.200;
  option routers 192.168.0.1;
  option domain-name-servers 152.1.1.248, 152.1.1.161;
}
7. Restart the DHCP server:
$ sudo /etc/init.d/dhcp3-server restart
8. Make sure it started okay by checking the syslog:
$ less /var/log/syslog
You should see something like:
May 16 13:26:42 if dhcpd: Internet Systems Consortium DHCP Server V3.0.6 May 16 13:26:42 if dhcpd: Copyright 2004-2007 Internet Systems Consortium. May 16 13:26:42 if dhcpd: All rights reserved. May 16 13:26:42 if dhcpd: For info, please visit http://www.isc.org/sw/dhcp/ May 16 13:26:42 if dhcpd: Wrote 0 leases to leases file. May 16 13:26:42 if dhcpd: May 16 13:26:42 if dhcpd: No subnet declaration for eth1 (152.14.92.129). May 16 13:26:42 if dhcpd: ** Ignoring requests on eth1. If this is not what May 16 13:26:42 if dhcpd: you want, please write a subnet declaration May 16 13:26:42 if dhcpd: in your dhcpd.conf file for the network segment May 16 13:26:42 if dhcpd: to which interface eth1 is attached. ** May 16 13:26:42 if dhcpd:
That error about "No subnet declaration for eth1" is good – we don't want to do DHCP server on our internet uplink!
9. Connect a machine to the LAN side and boot it up. It should get an IP and be able to access the internet.