Currently my home network consists of several computers, and each of them needs access to the Internet. My provider requires a VPN connection, so one computer has to act as a router and control traffic by means of NAT. The easiest way would be to buy a dedicated router with a convenient web interface, but I didn't have enough money, so I decided to configure my Linux server for this purpose.
Here is what I had: a local home network with subnet 192.168.1.0/24 (the server's first Ethernet controller is connected to it); DHCP in the provider's network (the server's second controller); and a VPN connection. I won't describe setting up the VPN connection in this post, maybe later.
Let's say that my eth0 interface has IP 192.168.1.1 (home network), eth1 obtains its network settings through DHCP, and ppp0 is the interface created by the VPN connection.
My routing table is simple and just describes my connections and the default route:

$ sudo route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
213.219.200.230 0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
10.251.50.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
Now I have to configure the firewall so that it rewrites the source IP address of outgoing packets. The POSTROUTING chain of the nat table is responsible for this, so a single command does it:

# /sbin/iptables -v -t nat -A POSTROUTING -o eth1 -j MASQUERADE

This activates NAT on the eth1 interface. Every packet routed out of this interface is processed by the firewall, which replaces the packet's source IP address with the server's own address on that interface (that's how NAT works). MASQUERADE is used rather than SNAT because eth1's address is assigned dynamically by DHCP and may change.
I also duplicated this command for ppp0, and later wrote a script that runs at system startup. This script fully configures iptables according to my requirements:

#!/bin/bash
echo "IpTables Loading"
int_if="eth0"   # home network
ext_if="eth1"   # provider's network (DHCP)
ppp_if="ppp0"   # VPN connection
lo_if="lo"
cmd="/sbin/iptables -v"
# flush all rules in the filter, nat and mangle tables and remove user chains
$cmd -F
$cmd -t nat -F
$cmd -t mangle -F
$cmd -X
# accept everything on loopback, and everything else as well
# (note: this also accepts unsolicited traffic arriving from the provider's network)
$cmd -A INPUT -i $lo_if -j ACCEPT
$cmd -A INPUT -j ACCEPT
$cmd -A OUTPUT -j ACCEPT
$cmd -A FORWARD -j ACCEPT
# masquerade packets leaving through both uplinks
$cmd -t nat -A POSTROUTING -o $ext_if -j MASQUERADE
$cmd -t nat -A POSTROUTING -o $ppp_if -j MASQUERADE
# enable routing between interfaces; ip_dynaddr rewrites the source of
# connections opened before a dynamic (ppp0/DHCP) address changed
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
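The script above accepts every packet on INPUT and FORWARD and relies on NAT alone. The following is an added example (not the author's script) of the same masquerading setup with deny-by-default policies and stateful rules, so only the home LAN can reach the router and only replies come back in; it assumes the same interface names and subnet as in the post, and IPT can be set to "echo" to preview the rules without applying them.

```shell
#!/bin/bash
# Added example: stricter variant of the startup script in this post.
# Interface names and subnet are taken from the post.
int_if="eth0"
ext_if="eth1"
ppp_if="ppp0"
lan_net="192.168.1.0/24"

build_rules() {
    # IPT=echo prints the rules instead of applying them (dry run).
    ipt="${IPT:-/sbin/iptables}"
    # Start from a clean slate in every table.
    $ipt -F
    $ipt -t nat -F
    $ipt -t mangle -F
    $ipt -X
    # Deny by default; traffic originated by the router itself stays open.
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT ACCEPT
    # Loopback, plus replies to connections the router opened.
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Only hosts on the home LAN may talk to the router directly.
    $ipt -A INPUT -i "$int_if" -s "$lan_net" -j ACCEPT
    # Forward LAN traffic out of both uplinks; allow only replies back in.
    for uplink in "$ext_if" "$ppp_if"; do
        $ipt -A FORWARD -i "$int_if" -o "$uplink" -s "$lan_net" -j ACCEPT
        $ipt -A FORWARD -i "$uplink" -o "$int_if" \
            -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        # Same masquerading as in the post, restricted to the LAN subnet.
        $ipt -t nat -A POSTROUTING -o "$uplink" -s "$lan_net" -j MASQUERADE
    done
}

enable_forwarding() {
    # Same sysctls as in the post.
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/ip_dynaddr
}

# Apply only when explicitly requested, e.g. APPLY_RULES=1 ./nat.sh as root.
if [ "${APPLY_RULES:-0}" = "1" ]; then
    build_rules
    enable_forwarding
fi
```

Run it as root with APPLY_RULES=1 to install the rules, or with IPT=echo to list the iptables invocations it would make.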
Tuesday, July 28, 2009
NAT configuration in Debian