Howto use NAT on Fedora Core 9 machine with iptables

Network Address Translation is a technique to masquerade IP addresses on your internal LAN to the outside world. In other words; the outside world will not be able to look into your network.

This technique is easy to setup and maintain, saves IP addresses and is likely more secure that pure routing. To set it up, you require:

  1. A Linux machine, for this example Fedora Core 9
  2. Two network cards, eth0 attached to you LAN, eth1 connected to the internet.
  3. A little bit of Linux/UNIX knowledge
  4. 30 minutes or so

Enable IP forwarding

To be able to use IP forwarding, you must tell the kernel that it's okay to forward traffic from one network card to another. This setting is found in /etc/sysctl.conf. Set net.ipv4.ip_forward to 1.
To do this, execute:

echo 1 > /proc/sys/net/ipv4/ip_forward
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf

The first command enables IP forwarding now, a reboot would undo this setting. To enable this setting for every reboot, also execute that second line.

Enable the firewall (IPtables)

Make sure the service IPtables is running now and is started at bootup:

# service iptables status
<output omitted>
# chkconfig --list iptables
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off

Configure the firewall (IPtables)

Now that the kernel knows it's allowed to forward traffic from one NIC to another, configure the firewall. The firewall is the intelligent part of setting up NAT, IPtables actually 'does the work'. Here are the commands to set it up:

/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Safe the firewall rules

You have only configured the firewall for now, a reboot would undo all settings. Run this command once you are happy with the setup:

# /sbin/service iptables save

Reboot to test the setup. Your LAN client will have to set the default route to the IP address of the NAT machine's LAN NIC.

About Consultancy Articles Contact




References Red Hat Certified Architect By Robert de Bock Robert de Bock
Curriculum Vitae By Fred Clausen +31 6 14 39 58 72
By Nelson Manning [email protected]