15

We have a simple router which has NAT of symmetric type, but because this router doesn't provide us with any debugging interface, we cannot figure out if a specific packet reaches the NAT or not.

Thus we want to set up a Linux computer, making it a router with symmetric NAT; in this way we can capture all packets to this "NAT" and get the information we want. How can we do this on Linux (Fedora system, kernel 2.6.xx)?

Andrew Schulman
Steve Peng

3 Answers

21

To set up a Linux machine as a router you need the following:

1- Enable forwarding on the box with

echo 1 > /proc/sys/net/ipv4/ip_forward

Assuming your public interface is eth1 and local interface is eth0

2- Set the NAT rule with:

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

3- Accept traffic from eth0:

iptables -A INPUT -i eth0 -j ACCEPT

4- Allow established connections from the public interface.

iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

5- Allow outgoing connections:

iptables -A OUTPUT -j ACCEPT
MohyedeenN
  • 3
    INPUT and OUTPUT chains affect only packets actually addressed to the router and packets actually generated by the router, respectively. What you need are rules on the FORWARD chain, which handle packets passing through. – pepoluan Jan 03 '14 at 15:38
  • Yes, correct, but when you do natting the packets are sent via the public interface and they are sent through the OUTPUT chain, if I am not mistaken here; if all the IPs are public and you are not doing natting then only the FORWARD chain is needed. The same goes for INPUT: as the packets are sent via the public interface IP, you will need to allow the previously established sessions to come back through the INPUT chain. – MohyedeenN Jan 03 '14 at 15:42
  • 3
    Um, I don't think so. All Netfilter diagrams I found on the Internet indicate that OUTPUT chains apply only to packets generated by local processes. For example: http://upload.wikimedia.org/wikipedia/commons/8/8f/Diagrama_linux_netfilter_iptables.gif – pepoluan Jan 06 '14 at 14:20
  • @MohyedeenN I can't thank you enough, I wish I could +1 this 100x. After an entire day pulling my hair out, this was exactly what I needed. Thank you!! – Arthur Maltson Oct 10 '15 at 03:24
  • Also on the machine on the private network add: route add default gw 192.168.0.1 #Or whatever the ip address of the NAT is You may also need to update the resolv.conf file to find the nameservers – Xofo Jan 05 '17 at 23:36
  • 1
    **YOU FORGOT THE MOST IMPORTANT PART. THESE SETTINGS WILL BE LOST AFTER REBOOT.** – Smit Johnth Mar 05 '21 at 18:57
  • 2
    BTW, I downvoted this a while ago because steps 3-5 are not relevant, and could expose network services to the world unintentionally. – multithr3at3d Mar 05 '21 at 23:25
10

I think the other answers missed some important points. Here's another way, assuming iptables is in a fresh state, once again using eth0 as the internal interface and eth1 as external:

  1. Enable IP forwarding in the kernel:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    # or
    sysctl -w net.ipv4.ip_forward=1
    

    To persist this change after reboot, add or uncomment net.ipv4.ip_forward=1 in /etc/sysctl.conf or a file in /etc/sysctl.d.

  2. Enable masquerade on eth1 to rewrite the source address on outgoing packets. If you truly want symmetric NAT, you'll need the --random at the end:

    iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE --random
    
  3. Configure forwarding rules. By default, iptables will forward all traffic unconditionally. You probably want to restrict inbound traffic from the internet, but allow all outgoing:

    # Allow traffic from internal to external
    iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
    # Allow returning traffic from external to internal
    iptables -A FORWARD -i eth1 -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Drop all other traffic that shouldn't be forwarded
    iptables -A FORWARD -j DROP
    

Note that we didn't touch the INPUT or OUTPUT chains in the filter table; these have nothing to do with being a router.

To persist these firewall changes after reboot:

iptables-save > /etc/sysconfig/iptables
systemctl enable --now iptables

This step will vary depending on the Linux distribution.

multithr3at3d
  • What would be your preferred way to persist ip_forward on reboot? – thomasrutter Oct 02 '20 at 08:41
  • 1
    @thomasrutter Edit or create a file in `/etc/sysctl.d/`, with contents `net.ipv4.ip_forward=1`. – multithr3at3d Oct 02 '20 at 22:25
  • **YOU FORGOT THE MOST IMPORTANT PART. THESE SETTINGS WILL BE LOST AFTER REBOOT.** – Smit Johnth Mar 05 '21 at 18:57
  • 1
    @SmitJohnth yes, please see the last sentence and the above comments. That part is fairly distribution-specific. – multithr3at3d Mar 05 '21 at 23:24
  • @multithr3at3d So this is not a ready manual, you still have to search. Who needs this if it's deleted after reboot? – Smit Johnth Mar 06 '21 at 19:04
  • @PhilipCouling I don't know who the "competent linux users" you mention are, but I think they don't ask how to set up NAT. – Smit Johnth Aug 17 '23 at 16:17
  • @PhilipCouling this is your use case. Don't spread it to everyone. – Smit Johnth Aug 17 '23 at 16:55
  • @SmitJohnth no, we google it and hit this page as the first result. Not everything is done from memory and not everything is obvious from reference manuals. That's why we have QA sites. FYI persisting iptables on many distributions is as simple as installing one package. It's something we set and forget. So to many users this answer will be all they need because they enabled persistence when they installed their server. – Philip Couling Aug 17 '23 at 16:56
  • @SmitJohnth It's not really clear what your problem is though. Persisting iptables is a trivial thing to google so why do you feel the need to bold all caps complain about it? – Philip Couling Aug 17 '23 at 16:58
  • @PhilipCouling Explain to me, why do you need a manual to make NAT without saving the configuration? – Smit Johnth Aug 17 '23 at 17:00
  • @SmitJohnth [I just did](https://serverfault.com/questions/564866/how-to-set-up-linux-server-as-a-router-with-nat/1013036?noredirect=1#comment1489233_1013036) enabling persistence is something I did when I installed the server in the first place. Actually I put it in my cloud init script ages ago. It isn't a manual step on all distributions. It's something that can be setup to be automatic. And it regularly is setup to be automatic. – Philip Couling Aug 18 '23 at 00:53
  • @PhilipCouling It doesn't answer the question "why do you need a manual to make NAT without saving the configuration?" – Smit Johnth Aug 18 '23 at 01:22
  • @SmitJohnth correct. It answers why saving configuration doesn't need to be part of this question or many thousands of answers across this and other stack exchange sites. But if you must have an answer to that point... because 95% of our servers never get rebooted. We spin up a new VM swing network routing across and destroy the old one. Rebooting=downtime – Philip Couling Aug 18 '23 at 02:49
  • @PhilipCouling So it's just your needs, why do you spread it to everyone? – Smit Johnth Aug 18 '23 at 13:35
  • @SmitJohnth I'm not. [You are](https://serverfault.com/questions/564866/how-to-set-up-linux-server-as-a-router-with-nat/1013036?noredirect=1#comment1376012_1013036) for your needs. – Philip Couling Aug 18 '23 at 14:13
  • @PhilipCouling Yes you do. – Smit Johnth Aug 19 '23 at 01:58
  • @SmitJohnth lol. really? I was genuinely just pointing out that you are demanding the answers cover your personal needs and have now plainly proven that those needs are not universal. So with that I'll leave you the last word. – Philip Couling Aug 19 '23 at 02:01
  • @PhilipCouling how many % of users do not need to save settings after modifying it? – Smit Johnth Aug 19 '23 at 02:02
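The two answers above give the same procedure in pieces (enable forwarding, MASQUERADE on the external interface, FORWARD rules that only let established traffic back in, then persist). The script below is an added example, not code from any answer on this page: it builds that complete rule set as an iptables-restore file so it can be checked before it is loaded, then applies it atomically. The interface names eth0 (LAN) and eth1 (WAN) and the paths /etc/sysctl.d and /etc/sysconfig/iptables come from the answers; the file names 90-ip-forward.conf and /tmp/router.rules are assumptions made for this example. The lint function exists because a space after the comma in a --ctstate list (RELATED, ESTABLISHED) makes iptables treat the second word as a stray argument and reject the rule, which is an easy typo to make when copying these rules.

```shell
#!/bin/sh
# Added example (not from the answers above): generate, check and apply the
# router/NAT rule set described on this page as an iptables-restore file.

# Print an iptables-restore ruleset for a NAT router.
#   $1 = internal (LAN) interface, $2 = external (WAN) interface
nat_ruleset() {
    lan="$1"; wan="$2"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# --random picks a random source port per mapping (the "symmetric" behaviour)
-A POSTROUTING -o $wan -j MASQUERADE --random
COMMIT
*filter
:INPUT ACCEPT [0:0]
# FORWARD policy is DROP, so anything not explicitly accepted below is dropped
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# LAN -> WAN: allow everything
-A FORWARD -i $lan -o $wan -j ACCEPT
# WAN -> LAN: only replies to connections the LAN started (no space after the comma!)
-A FORWARD -i $wan -o $lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# sysctl fragment that makes IP forwarding survive a reboot.
sysctl_fragment() {
    printf 'net.ipv4.ip_forward=1\n'
}

# Return 1 if any --ctstate list contains whitespace after a comma;
# iptables would treat the text after the space as a stray argument.
lint_ruleset() {
    if printf '%s\n' "$1" | grep -Eq -- '--ctstate [A-Z,]*, '; then
        echo "lint: space inside --ctstate list" >&2
        return 1
    fi
    return 0
}

# Apply the rule set on this host (needs root). $1 = LAN iface, $2 = WAN iface
apply_router() {
    lan="$1"; wan="$2"
    [ "$(id -u)" -eq 0 ] || { echo "apply_router: must run as root" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1
    # persist forwarding (file name is an assumption; directory is from the page)
    sysctl_fragment > /etc/sysctl.d/90-ip-forward.conf
    nat_ruleset "$lan" "$wan" > /tmp/router.rules      # constructed path
    lint_ruleset "$(cat /tmp/router.rules)" || return 1
    # --test parses the file without loading it; load only if it parses
    iptables-restore --test /tmp/router.rules && iptables-restore /tmp/router.rules
    # Fedora/RHEL persistence as in the answer above; other distributions differ
    iptables-save > /etc/sysconfig/iptables
}

# Usage: sh router.sh apply eth0 eth1
if [ "${1:-}" = "apply" ]; then
    apply_router "${2:-eth0}" "${3:-eth1}"
fi
```

Run `sh router.sh` with no arguments and call `nat_ruleset eth0 eth1` from another script or shell to inspect the generated file; `sh router.sh apply eth0 eth1` as root loads it. Loading through iptables-restore replaces the whole table in one step instead of appending rule by rule, so a half-applied rule set cannot be left behind if one line fails. Once the box is forwarding, the original goal of the question (seeing whether a packet reaches the NAT) is a matter of running `tcpdump -ni eth0` and `tcpdump -ni eth1` side by side: the same flow shows up with the LAN source address on eth0 and the translated address and randomised port on eth1.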
0

This is a simple script that could do the trick; it has all the essentials a router needs. It's well tested on Ubuntu 16.04.

#!/bin/bash
# This script is written to make your Linux machine a router.
# With this you can set up your Linux machine as a gateway.
# Author @ Mansur Ul Hasan
# Email  @ mansurali901@gmail.com

# Defining interfaces for the gateway.
INTERNET=eth1
LOCAL=eth0

# IMPORTANT: Activate IP forwarding in the kernel!
# Disabled by default!
echo "1" > /proc/sys/net/ipv4/ip_forward

# Load various modules. Usually they are already loaded
# (especially for newer kernels); in that case
# the following commands are not needed.

# Load iptables module:
modprobe ip_tables

# Activate connection tracking
# (connection state is taken into account)
modprobe ip_conntrack

# Special features for IRC:
modprobe ip_conntrack_irc

# Special features for FTP:
modprobe ip_conntrack_ftp

# Delete all the rules in the INPUT, OUTPUT and FORWARD chains of the filter table
iptables --flush

# Flush all the rules in the nat table
iptables --table nat --flush

# Delete all user-defined chains in the filter table
iptables --delete-chain

# Delete all user-defined chains in the nat table
iptables --table nat --delete-chain

# Allow established connections from the public interface.
iptables -A INPUT -i "$INTERNET" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Set up IP forwarding and masquerading
iptables --table nat --append POSTROUTING --out-interface "$INTERNET" -j MASQUERADE
iptables --append FORWARD --in-interface "$LOCAL" -j ACCEPT

# Allow outgoing connections
iptables -A OUTPUT -j ACCEPT
Mansur Ul Hasan
  • Seeing this a little late... Note that there is no need to load any kernel modules manually, as they will be loaded automatically when using iptables. Additionally, loading extra modules (e.g. for FTP and IRC) is unnecessary and just adds extra attack surface, unless you require those specific capabilities. You also didn't add any DROP rules, so other machines on the WAN network can openly reach into your LAN if they add a static route. Lastly, the modifications to INPUT and OUTPUT don't have any effect since the default policy is ACCEPT. – multithr3at3d Aug 24 '23 at 16:52