Sharing an Internet Connection Using NAT


On the Internet there are many scripts available that set up Internet connection sharing using iptables. Each of these scripts boils down to the same few basic iptables commands, albeit with minor differences. This section discusses those few statements to explain how a connection can be shared. You can use the statements presented in this section or refer to the Linux IP Masquerade HOWTO for complete scripts. The tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html Web page holds the simplest of these scripts.

There are two ways you can share a single connection to the Internet (one IP address). Both involve setting up NAT to alter addresses in packets and then forward them. The first allows clients (browsers, mail readers, and so on) on several systems on a LAN to share a single IP address to connect to servers on the Internet. The second allows servers (mail, Web, FTP, and so on) on different systems on a LAN to provide their services over a single connection to the Internet. You can use iptables to set up one or both of these configurations. In both cases, you need to set up a system that is a router: It must have two network connections, one connected to the Internet and the other to the LAN.

For optimal security, use a dedicated system as a router. Because data transmission over a connection to the Internet, even over a broadband connection, is relatively slow, using a slower, older system as a router does not generally slow down a LAN. This setup also gives you some defense against intrusion from the Internet. A workstation on the LAN can also function as a router, but this setup means that you maintain data on a system that is directly connected to the Internet. The following sections discuss the security of each setup.

The examples in this section assume that the device named eth0 connects to the Internet on 10.255.255.255 and that eth1 connects to the LAN on 192.168.0.1. Substitute the devices and IP addresses that your systems use. If you use a modem to connect to the Internet, you need to substitute ppp0 (or another device) for eth0 in the examples.

For the examples in this section to work, you must turn on IP forwarding. First give the following command and make sure everything is working:

# /sbin/sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1


Once you know that iptables is working correctly, change the 0 to a 1 in the following line in /etc/sysctl.conf to make the kernel always perform IP forwarding:

net.ipv4.ip_forward = 0


After making this change, give the command /sbin/sysctl -p to apply the change and to make sure that there are no typographical errors in the configuration file.

Connecting Several Clients to a Single Internet Connection

Configuring the kernel of the router system to allow clients on multiple local systems on the LAN to connect to the Internet requires you to set up IP masquerading, or SNAT (source NAT). IP masquerading translates the source and destination addresses in the headers of network packets that originate on local systems and the packets that remote servers send in response to those packets. These packets are part of connections that originate on a local system. The example in this section does nothing to packets that are part of connections that originate on the remote systems (on the Internet): These packets cannot get past the router system, which provides some degree of security.

The point of rewriting the packet headers is to allow systems with different local IP addresses to share a single IP address on the Internet. The router system translates the source or origin address of packets from local systems to that of the Internet connection, so that all packets passing from the router to the Internet appear to come from a single system (10.255.255.255 in the example). All packets sent in response by remote systems on the Internet to the router system have the address of the Internet connection (10.255.255.255 in the example) as their destination address. The router system remembers each connection and alters the destination address of each response packet to become that of the local, originating system.

The router system is established by four iptables commands, one of which sets up a log of masqueraded connections. The first command puts the first rule in the FORWARD chain of the Filter (default) table (-A FORWARD):

# iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT


To match this rule, a packet must be

  1. Received on eth0 (coming in from the Internet): -i eth0.

  2. Going to be sent out on eth1 (going out to the LAN): -o eth1.

  3. Part of an established connection or a connection that is related to an established connection: --state ESTABLISHED,RELATED.

The kernel accepts (-j ACCEPT) packets that meet these three criteria. Accepted packets pass to the next appropriate chain or table. Packets from the Internet that attempt to create a new connection are not matched and therefore not accepted by this rule. Packets that are not accepted pass to the next rule in the FORWARD chain.

The second command puts the second rule in the FORWARD chain of the Filter table:

# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT


To match this rule, a packet must be

  1. Received on eth1 (coming in from the LAN): -i eth1.

  2. Going to be sent out on eth0 (going out to the Internet): -o eth0.

The kernel accepts packets that meet these two criteria, which means that all packets that originate locally and are going to the Internet are accepted. Accepted packets pass to the next appropriate chain/table. Packets that are not accepted pass to the next rule in the FORWARD chain.

The third command puts the third rule in the FORWARD chain of the Filter table:

# iptables -A FORWARD -j LOG


Because this rule has no match criteria, it acts on all packets it processes. This rule's action is to log packets; that is, it logs packets from the Internet that attempt to create a new connection.

Packets that get to the end of the FORWARD chain of the Filter table are done with the rules set up by iptables and are handled by the local TCP stack. Packets from the Internet that attempt to create a new connection on the router system are accepted or returned, depending on whether the service they are trying to connect to is available on the router system.

The fourth command puts the first rule in the POSTROUTING chain of the NAT table. Only packets that are establishing a new connection are passed to the NAT table. Once a connection has been set up for SNAT or MASQUERADE, the headers on all subsequent ESTABLISHED and RELATED packets are altered the same way as the first packet. Packets that are sent in response to these packets automatically have their headers adjusted so that they return to the originating local system.

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


To match this rule, a packet must be

  1. Establishing a new connection (otherwise it would not have come to the NAT table).

  2. Going to be sent out on eth0 (going out to the Internet): -o eth0.

The kernel MASQUERADEs all packets that meet these criteria. In other words, all locally originating packets that are establishing new connections have their source address changed to the address that is associated with eth0 (10.255.255.255 in the example).

Following are the four commands together:

# iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# iptables -A FORWARD -j LOG
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


You can put these commands in /etc/rc.local or in a script called by this file on the router system to have them executed each time the system boots. Alternatively, you can put them in /etc/sysconfig/iptables, leaving off the iptables command at the beginning of each line and adding a final line with the word COMMIT on it. When you put the commands in the iptables file, they are executed by the iptables init script each time it is called. For more information refer to "Copying Rules to and from the Kernel" on page 776.

To limit the local systems that can connect to the Internet, you can add a source-address match criterion (the iprange match with --src-range) to the last command:

# iptables -t nat -A POSTROUTING -o eth0 -m iprange --src-range 192.168.0.0-192.168.0.32 -j MASQUERADE


In the preceding command, --src-range 192.168.0.0-192.168.0.32 causes only packets from an IP address in the specified range to be MASQUERADEd.

Connecting Several Servers to a Single Internet Connection

DNAT (destination NAT) can set up rules to allow clients from the Internet to send packets to servers on the LAN. This example sets up an SMTP mail server on 192.168.0.33 and an HTTP (Web) server on 192.168.0.34. Both protocols use TCP. SMTP uses port 25 and HTTP uses port 80, so the rules match TCP packets with destination ports of 25 and 80. The example assumes the mail server does not make outgoing connections and uses another server on the LAN for DNS and mail relaying. Both commands put rules in the PREROUTING chain of the NAT table (-A PREROUTING -t nat):

# iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to-destination 192.168.0.33:25
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.34:80


To match these rules, the packet must use the TCP protocol (-p tcp) and have a destination port of 25 (first rule, --dport 25) or 80 (second rule, --dport 80).

DNAT is a target specific to the PREROUTING and OUTPUT chains of the NAT table; its --to-destination option alters the destination address and port of matched packets as specified. As with MASQUERADE and SNAT, subsequent packets in the same and related connections are altered appropriately.

The fact that the servers cannot originate connections means that neither server can be exploited to participate in a DDoS attack (page 1028) on systems on the Internet or be used to send private data from the local system back to a malicious user's system.
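As an added example (not from the book), the following script emits the masquerading rules and the DNAT rules of the two sections above in the format /etc/sysconfig/iptables (iptables-restore) reads. It goes slightly beyond the text: the FORWARD policy is set to DROP so that packets reaching the LOG rule are discarded rather than forwarded, which in turn needs explicit FORWARD rules for the redirected server traffic. Assumed: eth0 faces the Internet, eth1 faces the 192.168.0.0/24 LAN, and the server addresses are those in the text.

```shell
#!/bin/sh
# Added example, not from the book: emit the rules of both sections above in the
# format /etc/sysconfig/iptables (iptables-restore) reads. In that format each
# table is introduced by a *name line and closed by COMMIT, the "-t" argument
# disappears (a rule's table is the section it sits in), and chain policies are
# given on ":chain POLICY" lines. Assumed layout: eth0 to the Internet, eth1 to
# the 192.168.0.0/24 LAN, SMTP on 192.168.0.33 and HTTP on 192.168.0.34.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
MAIL_SERVER=192.168.0.33
WEB_SERVER=192.168.0.34

# Print the complete ruleset on stdout.
nat_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
# DROP (an addition to the text) so a packet that falls through to the LOG rule
# is discarded instead of being forwarded by the chain's default ACCEPT policy.
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies coming back from the Internet to connections the LAN opened
-A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anything from the LAN may go out to the Internet
-A FORWARD -i $LAN -o $WAN -j ACCEPT
# With a DROP policy the DNAT-redirected server traffic needs explicit ACCEPTs
-A FORWARD -i $WAN -o $LAN -p tcp -d $MAIL_SERVER --dport 25 -j ACCEPT
-A FORWARD -i $WAN -o $LAN -p tcp -d $WEB_SERVER --dport 80 -j ACCEPT
# Everything else, i.e. new connections from the Internet, is logged then dropped
-A FORWARD -j LOG --log-prefix "FORWARD drop: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Redirect inbound SMTP and HTTP arriving on the Internet side to the LAN servers
-A PREROUTING -i $WAN -p tcp --dport 25 -j DNAT --to-destination ${MAIL_SERVER}:25
-A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination ${WEB_SERVER}:80
# Masquerade only the LAN range the text restricts to
-A POSTROUTING -o $WAN -m iprange --src-range 192.168.0.0-192.168.0.32 -j MASQUERADE
COMMIT
EOF
}

# Usage: sh make-rules.sh print > /etc/sysconfig/iptables
case "${1:-}" in
    print) nat_ruleset ;;
esac
```

After writing the file, `service iptables restart` (or `iptables-restore < /etc/sysconfig/iptables`) loads it; `iptables -L -v -n` and `iptables -t nat -L -v -n` show the rules and their packet counters.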




A Practical Guide to Red Hat® Linux®: Fedora™ Core and Red Hat Enterprise Linux (3rd Edition)
ISBN: 0132280272
Year: 2006
Pages: 383
