Section 11.3. Configuring a Linux Gateway

11.3. Configuring a Linux Gateway

One popular use for Linux is as a gateway between networks. The software associated with the gateway is fairly simple. In fact, it can be loaded from permanent media, such as a CD. That technique prevents crackers from breaking into the gateway and thus breaking the security barrier, or firewall, commonly configured between networks.

Configuring a Linux gateway normally requires three basic administrative steps:

  • Configuring your system to forward IP traffic.

  • Setting up masquerading.

  • Creating a firewall between networks.

The only thing you absolutely need to do is configure IP forwarding. It is disabled by default. For this annoyance, I assume you're configuring a computer with two network cards, and each card is connected to a different network.

There are many excellent firewall configuration tools, but this annoyance shows you how to configure the system by hand. If you use the tools, you'll overwrite the configuration files that you may create as you review this annoyance.

11.3.1. IP Forwarding

Linux normally disables IP forwarding between network cards, and it is disabled in the default configurations of our preferred distributions. The way you activate IP forwarding depends on whether you've configured an IPv4 or IPv6 network.

Here, I assume that your system supports the /proc filesystem with kernel settings, along with the sysctl program to access kernel switches. Your system meets these requirements if you have a /proc directory and an /etc/sysctl.conf file.

If there are problems, you'll want to make sure the appropriate settings are active in your kernel. Specifically, you should see the following settings in the active config-* file in the /boot directory:


If these settings don't reflect what you need, you can't just edit this configuration file. In that case, you'll need to recompile the kernel, as described in the "Recompiling the Kernel" annoyance in Chapter 7. Forwarding on an IPv4 network

To activate forwarding on an IPv4 network, you'll need to toggle the ip_forward setting in the appropriate kernel configuration directory. The simplest way to do so is with the following command:

 echo "1" > /proc/sys/net/ipv4/ip_forward 

To make sure forwarding is turned on the next time you boot your computer, open /etc/sysctl.conf and add the following directive:

 net.ipv4.ip_forward = 1 Forwarding on an IPv6 network

To activate forwarding on an IPv6 network, you'll need to toggle the forwarding setting in the appropriate kernel configuration directory. The simplest way to do so is with the following command:

 echo "1" > /proc/sys/net/ipv6/conf/all/forwarding 

To make sure forwarding is turned on the next time you boot your computer, open /etc/sysctl.conf and add the following directive:

 net.ipv6.conf.all.forwarding = 1 

This assumes you've installed all other components required to configure an IPv6 network. For more information, see the related HOWTO written by Peter Bieringer at

11.3.2. IP Masquerading

When you have one IP address on the Internet for your network, you need to find a way to share it with all the computers on your network. The standard is with IP masquerading. Once configured, your gateway substitutes the IP address of the network interface card it uses to reach the Internet for the address of any computer on your network that requests data from the Internet.

Naturally, IP masquerading assumes you've activated IP forwarding, as I described in the previous section.

The current standard for configuring IP address translation on a gateway is iptables, the same command used to erect firewalls. Here you use it to alter network packets with Network Address Translation, specifically with the iptables -t nat command.

As an example, if your Internet connection uses a device named wlan0 and your LAN uses IP addresses on the private network, the command you need is:

 iptables -t nat -A POSTROUTING -s -o wlan0 -j MASQUERADE 

As described earlier, this command uses Network Address Translation. It adds (-A) the rule to the end of the iptables chain. It modifies network packets as they leave the network (POSTROUTING). It specifies (-s) source IP addresses to be those from your LAN ( It points to wlan0 as the output interface (-o). For all data that meets these standards, computers on your LAN MASQUERADE on the external network with the IP address assigned to wlan0.

To save this command, you'll need to run iptables-save and send the result to a file with a command such as:

 iptables-save >> firewall 

You could save the iptables commands to the standard configuration file for the distribution, but that would risk conflicts with settings written by tools such as Red Hat's Firewall Configuration tool. If you want to make these commands part of your firewall, you'll have to modify those files manually.

11.3.3. Firewalls

Detailed instructions on creating a firewall are beyond the scope of this book. However, the gateway between networks is the best place to create a firewall, so I'll mention some of the considerations for doing so.

Both Red Hat/Fedora and SUSE Linux have their own firewall configuration tools. These tools are excellent and can be used to create a fairly simple firewall. You can build upon the firewall created by these tools as needed.

You can start the standard Red Hat/Fedora Firewall Configuration tool with the system-config-securitylevel command. Results are saved to /etc/sysconfig/iptables.

You can open the SUSE firewall tool in YaST. Results are saved to /etc/sysconfig/SUSEfirewall2.

There is no standard firewall tool available for Debian. However, there are a substantial number of available options, including several excellent GUI tools.

In addition, a number of third-party firewall generators are available online. As is standard with open source software, neither I nor O'Reilly endorses any of these systems (or anything else in the book).

For more information, see the related annoyance "My Firewall Blocks My Internet Access," in Chapter 8.

Linux Annoyances for Geeks
Linux Annoyances for Geeks: Getting the Most Flexible System in the World Just the Way You Want It
ISBN: 0596008015
EAN: 2147483647
Year: 2004
Pages: 144
Authors: Michael Jang © 2008-2017.
If you may any questions please contact us: