NAT iptables - share internet connection and ip-number

Network Address Translation (NAT) lets one computer share a single internet connection and a single ip-number with many computers. The internet connection is a critical part of the network, so stability and security make Linux and iptables an obvious choice for the sharing server.

This howto explains a complete setup for internet connection sharing using free, standard tools: dhcpd and iptables.

(c) 2003 Tero Karvinen

Hindi translation (pdf) contributed by Shishir Malani.

Requirements

If you are connecting only a couple of computers to the internet, first check whether a simple switch or hub is enough. If a switch works, it is easier to set up than NAT: just plug it in and start the computers.

To use NAT as described in this document, you need a sharing computer with two network interface cards, one public ip-address and the Linux operating system. The client computers can run any operating system that supports DHCP. The computers are connected to each other with either a crossover ethernet cable (with red connectors) or two normal ethernet cables and a switch.

Configure both network cards

Connect eth0 (the first network card) to the internet. Give it a real ip-number, so that you can browse the net. With most ISPs this means running 'setup' and choosing 'dhcp'.

Connect eth1 to your internal network. Give it a static, non-public ip, such as 10.0.0.1. Because eth1 now becomes the default route (check with 'route'), your internet connection stops working.

To fix your default gateway, edit /etc/sysconfig/network and add to it

GATEWAYDEV="eth0"

Then

/etc/init.d/network restart

You should be able to browse the net again.

Enable NAT on firewall

Add NAT rules to your firewall. If you are using my per-host firewall, add these rules below the HOLES section.

####### NAT #######
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
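The same three rules as a small script, added here as an example (it is not part of the original howto): the FORWARD chain policy is DROP and explicit rules forward only connections started from the internal network, instead of the blanket ACCEPT above. It assumes eth0 is public, eth1 internal and 10.0.0.0/16 the internal network, as in this howto; the helper names nat_rules, check_rules and apply_nat are this example's own.

```sh
#!/bin/sh
# Added example, not from the howto. Assumes eth0 public, eth1 internal,
# internal network 10.0.0.0/16 (as in the howto). Helper names are our own.

# nat_rules PUBLIC_IF INTERNAL_IF INTERNAL_NET
# Prints the iptables commands one per line without running them, so they
# can be reviewed or pasted below the HOLES section of a firewall script.
nat_rules() {
    pub=$1
    lan=$2
    net=$3
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -i $lan -o $pub -s $net -j ACCEPT
iptables -A FORWARD -i $pub -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $pub -s $net -j MASQUERADE
EOF
}

# check_rules PUBLIC_IF INTERNAL_IF INTERNAL_NET
# Sanity check that needs no root: masquerading must happen only on the
# public interface, and the FORWARD policy must not be a blanket ACCEPT.
check_rules() {
    rules=$(nat_rules "$1" "$2" "$3")
    printf '%s\n' "$rules" | grep -q -- "POSTROUTING -o $1 " || return 1
    if printf '%s\n' "$rules" | grep -q -- "-o $2 .*MASQUERADE"; then
        return 1
    fi
    if printf '%s\n' "$rules" | grep -q -- "-P FORWARD ACCEPT"; then
        return 1
    fi
    return 0
}

# apply_nat PUBLIC_IF INTERNAL_IF INTERNAL_NET
# Runs the rules (stopping at the first failure), then turns on forwarding,
# the same last step as in the howto. Needs root.
apply_nat() {
    check_rules "$1" "$2" "$3" || return 1
    nat_rules "$1" "$2" "$3" | sh -e || return 1
    echo 1 > /proc/sys/net/ipv4/ip_forward
}
```

Run `apply_nat eth0 eth1 10.0.0.0/16` as root, or `nat_rules eth0 eth1 10.0.0.0/16` first to see what would be applied.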

Give private ip-numbers to clients

Use setup, "Network", to give the clients static ip-numbers. Use private, non-routable ip-numbers, such as

Ip Address: 10.0.0.2
Subnet Mask: 255.255.0.0
Default Gateway: 10.0.0.1
Domain Name Server: whatever you used before

Choose the same DNS as you used before to get to the internet. It was given by your ISP; you can check it on the computer sharing the internet connection with 'less /etc/resolv.conf'.

Now you can browse the internet with your client computer.

Optional: DHCP - automatic ip-numbers for internal network

If you have a switch and many computers in your internal network, you can hand out client ip-numbers with dhcp.

yum install dhcp

Configure the dhcp server. The subnet ... netmask row below chooses the right network card (eth1). Use your favourite editor, 'nano /etc/dhcpd.conf' (pico and vi work too). The file does not exist by default, so you have to create it.

# /etc/dhcpd.conf
ddns-update-style interim;

subnet 10.0.0.0 netmask 255.255.0.0 {
  option routers 10.0.0.1;
  option subnet-mask 255.255.0.0;
  # DNS1, DNS2 are placeholders: the dns servers your isp gave you, separated with commas
  option domain-name-servers DNS1, DNS2;
  range 10.0.0.2 10.0.0.253;
}

You obviously don't want to hand out ip-numbers to the internet through eth0. The subnet ... netmask row should take care of that, but just to be sure you can check your logs:

$ grep "Ignoring requests on" /var/log/messages
Nov 19 14:08:06 hki1-1-1-09 dhcpd: ** Ignoring requests on eth0.  If this is not what

Activate dhcp on the clients: setup, "Network".

Well done, you can now connect a huge number of computers to a single internet connection with a single ip-address.


Tested with Red Hat Linux 9 Shrike and Fedora Core 1. Some ideas from Kiistala, Ilkka 2003: dhcp h1 (link is down, 404). TODO: links, picture of the setup, script combined with the packet filtering firewall.

Copyright 2003-11-19 (initial release, nat as a separate document) Tero Karvinen. GNU Free Documentation License. XHTML Basic 1.0