Wednesday, May 07, 2008

Configure a masqueraded router

A router needs at least two network interfaces. The following example uses two, eth0 and eth1. eth0 is the external network interface: every packet leaving through this interface is masqueraded before it is sent out, and in a real deployment this interface usually faces the Internet gateway. eth1 is the internal network interface and is usually the gateway for the internal private network. Configuring a masquerading router takes two steps.

Step 1: Enable IP packet forwarding
sysctl -w net.ipv4.ip_forward=1
Step 2: Enable IP packet masquerading in the firewall (iptables)
# Clearing any existing rules and setting default policy..

iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F

# FWD: Allow all connections OUT and only existing and related ones IN

iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# Enabling SNAT (MASQUERADE) on eth0, the external interface
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
The masquerading router should be up once the above script has run. Ping the addresses of both eth0 and eth1 to confirm that, and ping a public host through the router to make sure masquerading works. Note that sysctl -w does not survive a reboot; to keep forwarding enabled, also add net.ipv4.ip_forward = 1 to /etc/sysctl.conf. On Red Hat based systems you may persist the iptables rules using
service iptables save
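As an added check that is not part of the original post, the following Python script parses iptables-save output and reports where a router's rules depart from the design above: FORWARD policy DROP, only established/related traffic forwarded from eth0 to eth1, and MASQUERADE applied on eth0 only. The dump it audits is a constructed sample; the interface roles (eth0 external, eth1 internal) are assumed as in the post.

```python
# Added checker, not part of the original post: audit iptables-save output against the design above.
EXTIF, INTIF = "eth0", "eth1"  # assumed interface roles, as in the post
# Constructed sample of what iptables-save prints after the post's script has run.
SAMPLE_DUMP = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
"""

def parse_dump(dump):
    """Return {table: (chain_policies, rule_lines)} parsed from iptables-save text."""
    tables, cur = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):  # table header such as *filter
            cur = tables.setdefault(line[1:].strip(), ({}, []))
        elif cur is not None and line.startswith(":"):  # chain policy line
            cur[0][line[1:].split()[0]] = line.split()[1]
        elif cur is not None and line.startswith("-A "):
            cur[1].append(line)
    return tables

def opt(rule, flag):  # value following a flag in a rule line, or None if absent
    toks = rule.split()
    return toks[toks.index(flag) + 1] if flag in toks else None

def audit(dump, extif=EXTIF, intif=INTIF):
    """Return a list of findings; an empty list means the dump matches the post's design."""
    tables = parse_dump(dump)
    policies, rules = tables.get("filter", ({}, []))
    findings = []
    if policies.get("FORWARD") != "DROP":  # anything not explicitly allowed must be dropped
        findings.append("FORWARD default policy is not DROP")
    for r in rules:
        state = opt(r, "--state") or opt(r, "--ctstate") or ""
        if (r.startswith("-A FORWARD") and opt(r, "-j") == "ACCEPT" and opt(r, "-i") == extif
                and opt(r, "-o") == intif and (not state or "NEW" in state)):
            findings.append("inbound forward accepted without state match: " + r)
    masq = [r for r in tables.get("nat", ({}, []))[1]
            if r.startswith("-A POSTROUTING") and opt(r, "-j") == "MASQUERADE"]
    if not any(opt(r, "-o") == extif for r in masq):
        findings.append(f"no MASQUERADE on {extif}")
    if any(opt(r, "-o") == intif for r in masq):  # would rewrite internal traffic too
        findings.append(f"MASQUERADE applied to internal interface {intif}")
    return findings
```

Run it against a live box with audit(subprocess.check_output(["iptables-save"], text=True)) as root; a non-empty list is the set of deviations to fix.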
