This article describes how to use iptables to implement NAT forwarding, in effect using a Linux machine as a gateway. We assume the gateway machine has at least two NICs, eth0 and eth1: eth0 is the adapter connected to the external network and eth1 is the adapter connected to the intranet switch. The internal subnet is 10.0.0.0/24. Through the NAT mechanism, machines on the intranet can reach the Internet through the gateway without needing a public IP of their own.
The configuration values in this article (interface names, addresses, file paths) need to be adjusted for the specific environment.
First, the Gateway side
1. Configure a static IP for the LAN network adapter (this assumes the other, external-facing NIC eth0 already has working Internet access; if eth1 already has a static intranet IP, skip this step):
sudo ip addr add 10.0.0.11/24 dev eth1
This assumes that the IP of eth1 is 10.0.0.11 and that the intranet is 10.0.0.0/24.
2. Configure NAT Rules
sudo iptables -A FORWARD -s 10.0.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -t nat -F POSTROUTING
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
The first rule allows the initial packet of a new connection from the intranet to be forwarded; the second allows packets of already established connections (and related ones, such as FTP data channels) to be forwarded in both directions; the third flushes any previous POSTROUTING rules in the nat table; and the fourth is the NAT itself: every packet leaving through eth0 is rewritten to carry eth0's address. Two caveats: these ACCEPT rules only restrict anything if the FORWARD chain's default policy is DROP (sudo iptables -P FORWARD DROP); with the default ACCEPT policy the gateway forwards any traffic once IP forwarding is enabled, including new connections arriving from eth0. It is also advisable to pin the first rule to -i eth1 -o eth0, so that a packet arriving on eth0 with a spoofed 10.0.0.0/24 source address is not forwarded.
Next, save the iptables rules so that the NAT rules are loaded again on every reboot:
2.1 Saving the iptables rules
sudo iptables-save | sudo tee /etc/iptables.sav
2.2 Edit the /etc/rc.local file and add the following line before the final "exit 0" line (the file must be executable and start with #!/bin/sh for it to run at boot):
iptables-restore < /etc/iptables.sav
This reloads the NAT-related iptables rules each time the machine restarts. Note that iptables-save also records the chain policies, so set the FORWARD policy to DROP before saving if you want it restored; and since rc.local runs late in the boot sequence, there is a short window after forwarding is enabled (next step) in which the saved rules are not yet in place.
3. Enable IP forwarding. Edit the /etc/sysctl.conf file and remove the leading "#" from the line
#net.ipv4.ip_forward=1
so that it reads net.ipv4.ip_forward=1. Then apply the setting:
sudo sysctl -p
This completes the setup on the gateway side.
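The following script collects the gateway-side steps above into one idempotent, checkable step. It is an added example, not code from the original article: the script name nat-gateway.sh, the RUN dry-run variable and the RFC 1918 check are assumptions of this example, while the interface names and the 10.0.0.0/24 network come from the article. It departs from the article's rules in three places a practitioner would want: the FORWARD chain gets a DROP policy, the NEW rule is pinned to the LAN-to-WAN interface pair, and forwarding is switched on only after the rules are in place.

```shell
#!/bin/sh
# nat-gateway.sh (assumed name): added example, not code from the original article.
# Builds and applies the gateway's iptables rules as one idempotent step.
# Usage:   sudo ./nat-gateway.sh eth0 eth1 10.0.0.0/24
# Dry run: RUN=echo ./nat-gateway.sh eth0 eth1 10.0.0.0/24   (prints instead of executing)

RUN="${RUN:-}"   # assumed convention: command prefix, empty to execute, "echo" to print

# Refuse to masquerade anything that is not an RFC 1918 network with an explicit
# prefix length: a typo here would turn the box into a relay for someone else's
# addresses.
is_private_net() {
    case "$1" in
        10.*/*|192.168.*/*) return 0 ;;
        172.1[6-9].*/*|172.2[0-9].*/*|172.3[01].*/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the iptables arguments for the gateway, one rule per line, in the order
# they must be applied. Differences from the article's four rules:
#  - FORWARD gets a DROP policy, so the ACCEPT rules actually restrict something;
#  - the NEW rule is pinned to "-i LAN -o WAN", so a packet arriving on the WAN
#    side with a spoofed LAN source address is not forwarded;
#  - MASQUERADE is limited to the LAN source, so nothing else gets rewritten.
# Note that "-F FORWARD" also removes rules added by other software (e.g. Docker).
gateway_rules() {
    wan=$1; lan=$2; net=$3
    cat <<EOF
-P FORWARD DROP
-F FORWARD
-t nat -F POSTROUTING
-A FORWARD -i $lan -o $wan -s $net -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-t nat -A POSTROUTING -s $net -o $wan -j MASQUERADE
EOF
}

# Apply the rules, then enable forwarding. Forwarding is switched on last so
# there is no moment in which the kernel forwards with an unrestricted chain.
apply_gateway() {
    if ! is_private_net "$3"; then
        echo "refusing to masquerade non-private network '$3'" >&2
        return 1
    fi
    while read -r rule; do
        # shellcheck disable=SC2086  # splitting $rule into arguments is intended
        $RUN iptables $rule || return 1
    done <<EOF
$(gateway_rules "$1" "$2" "$3")
EOF
    $RUN sysctl -w net.ipv4.ip_forward=1
}

# Run only when given the three arguments, so the file can also be sourced.
if [ "$#" -eq 3 ]; then
    apply_gateway "$1" "$2" "$3"
elif [ "$#" -ne 0 ]; then
    echo "usage: $0 <wan-if> <lan-if> <lan-net/prefix>" >&2
fi
```

Run it with RUN=echo first to see exactly which iptables invocations it would make; once applied, persist the result with iptables-save as in step 2.1, and keep net.ipv4.ip_forward=1 in /etc/sysctl.conf as in step 3 so forwarding survives a reboot.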
Second, client side
Once the gateway is set up, a client running any OS can reach the external network by using the gateway as its default route. Taking an Ubuntu server as the client, assume its eth0 is connected to the intranet 10.0.0.0/24 on which the gateway's eth1 sits.
1. Assign a static IP to eth0 (it must be on the same subnet as the gateway's eth1; skip this step if it is already configured) by editing the /etc/network/interfaces file:
auto eth0
iface eth0 inet static
    address 10.0.0.31
    netmask 255.255.255.0
    gateway 10.0.0.11
    dns-nameservers yourdnsserver
Because our gateway does not act as a DNS server, the client needs an external DNS server of its own, typically the one provided by the Internet service provider (ISP).
2. Next, set the default route to the gateway (the gateway line above does this whenever the interface comes up; the command below makes it effective immediately without restarting networking):
sudo ip route replace default via 10.0.0.11 dev eth0
If /etc/resolv.conf already contains a nameserver line (generated from the dns-nameservers setting), the client should now be able to reach the external network; otherwise edit /etc/resolv.conf and add:
nameserver yourdnsserver
Because dns-nameservers is configured in /etc/network/interfaces, the DNS configuration survives a reboot of the client (on Ubuntu this relies on the resolvconf package regenerating /etc/resolv.conf from that setting).
At this point the client can reach the external network through the gateway machine. If you do not know the ISP's DNS server address, you can use OpenDNS as an alternative.
Third, Advanced gateway configuration
The gateway machine can also be configured as a DHCP and DNS server, which simplifies the network configuration of client machines and removes the need to configure DNS on each client.
1. Install dnsmasq
sudo apt-get install dnsmasq
2. Back up the dnsmasq configuration file for reference
sudo cp /etc/dnsmasq.conf /etc/dnsmasq.conf-backup
3. Edit the dnsmasq configuration file /etc/dnsmasq.conf and add the following two lines:
interface=eth1
dhcp-range=10.0.0.100,10.0.0.250,72h
The interface field must name the adapter the gateway uses for the intranet (eth1 here), since that is the side on which DHCP and DNS should be served; with interface= set, dnsmasq discards requests that arrive on other interfaces, so it does not answer queries from the eth0 side. The DHCP pool must lie in the subnet configured earlier (10.0.0.0/24) and must not overlap addresses that are assigned statically, such as 10.0.0.11 and 10.0.0.31.
4. Restart the dnsmasq service
sudo /etc/init.d/dnsmasq restart
Clients configured to obtain an address by DHCP then receive an IP address, the default route and the DNS server automatically: by default dnsmasq advertises its own address on that interface as both router and DNS server, so the static client configuration from the previous part is no longer needed.
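The following script generates a dnsmasq configuration for the LAN side that goes a little beyond the two lines above. It is an added example, not code from the original article: the script name gen-dnsmasq-conf.sh, the drop-in path /etc/dnsmasq.d/gateway.conf and the same-/24 check are assumptions of this example; the interface, addresses, lease time and the OpenDNS resolvers come from the article. Compared with the two-line version it binds dnsmasq to eth1 only, states the router and DNS options explicitly, and fixes the upstream resolvers instead of inheriting whatever /etc/resolv.conf on the gateway happens to contain.

```shell
#!/bin/sh
# gen-dnsmasq-conf.sh (assumed name): added example, not code from the original article.
# Prints a dnsmasq configuration for the LAN side of the gateway.
# Usage: ./gen-dnsmasq-conf.sh eth1 10.0.0.11 10.0.0.100 10.0.0.250 72h > /etc/dnsmasq.d/gateway.conf
# (/etc/dnsmasq.d is included by the Debian/Ubuntu package's default dnsmasq.conf;
#  the article edits /etc/dnsmasq.conf directly instead, which works the same way.)

# The article uses a /24 throughout, so "same segment" is checked on the first
# three octets: a pool outside the gateway's /24 would hand out addresses that
# cannot reach the router it advertises.
same_24() {
    [ "${1%.*}" = "${2%.*}" ]
}

dnsmasq_conf() {
    lan=$1; gw_ip=$2; first=$3; last=$4; lease=$5
    if ! same_24 "$gw_ip" "$first" || ! same_24 "$gw_ip" "$last"; then
        echo "dhcp range $first-$last is not in the /24 of $gw_ip" >&2
        return 1
    fi
    cat <<EOF
# Serve DHCP and DNS on the LAN interface only. bind-interfaces makes dnsmasq
# bind that interface's address rather than 0.0.0.0, so nothing listens on the
# WAN side and the box cannot be used as an open resolver from the Internet.
interface=$lan
bind-interfaces

# DHCP pool and lease time as in the article. dnsmasq advertises its own
# address as router and DNS server by default; stating it explicitly keeps the
# behaviour obvious if the machine later gains more interfaces.
dhcp-range=$first,$last,$lease
dhcp-option=option:router,$gw_ip
dhcp-option=option:dns-server,$gw_ip
dhcp-authoritative

# Upstream resolvers: ignore the gateway's /etc/resolv.conf and use the OpenDNS
# servers the article suggests. Replace with the ISP's resolvers if preferred.
no-resolv
server=208.67.222.222
server=208.67.220.220

# Do not forward unqualified names or reverse lookups for private ranges upstream.
domain-needed
bogus-priv
EOF
}

# Run only when given the five arguments, so the file can also be sourced.
if [ "$#" -eq 5 ]; then
    dnsmasq_conf "$@"
elif [ "$#" -ne 0 ]; then
    echo "usage: $0 <lan-if> <gateway-ip> <first-ip> <last-ip> <lease>" >&2
fi
```

After writing the file, check it with dnsmasq --test before restarting the service as in step 4; with bind-interfaces, dnsmasq will refuse to start if another resolver already holds port 53 on eth1's address, which is the failure you want to see rather than a silent overlap.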
Ubuntu set NAT shared network (command line method)