Gist JamesOBenson/f7c7bd5ad872b7da73aa55030c9b406f, created October 11, 2017 17:12
https://help.ubuntu.com/community/Router#Enable_IP_forwarding_and_Masquerading
4.5. Enable IP forwarding and Masquerading
Doing the above might not be enough to make the Ubuntu machine a real router that does NAT (Network Address Translation) and IP forwarding. The following script loads the kernel netfilter modules, enables IP forwarding and installs the iptables rules. You will have to configure at least the script's 2 variables: the 1st is the external network interface, the 2nd is the internal network interface.
EXTIF="eth0"
INTIF="eth1"
The script was originally from an Ubuntu router guide forum article which has 2 internal network interfaces. What is shown below uses only 1 internal network interface. You will have to modify the script manually, or use the script from the Ubuntu router guide forum article, if you need to configure 2 internal network interfaces.
#!/bin/sh
# rc.firewall-iptables: turn this host into a NAT router (MASQUERADE) for one
# internal interface. Edit EXTIF and INTIF; nothing else needs changing for
# initial MASQ testing.
FWVER="1.0"   # label printed in the banner messages only

DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
EXTIF="eth0"      # external (Internet-facing) interface
INTIF="eth1"      # internal (LAN) interface
#INTIF2="eth0"    # second internal interface, see the forum article

# printf is used instead of "echo -e": dash, Ubuntu's /bin/sh, prints the -e.
printf '\n\nLoading simple rc.firewall-iptables version %s..\n\n' "$FWVER"
printf ' External Interface: %s\n' "$EXTIF"
printf ' Internal Interface: %s\n' "$INTIF"

# Writing /proc/sys and loading rules needs root.
[ "$(id -u)" -eq 0 ] || { echo "This script must be run as root." >&2; exit 1; }

#======================================================================
#== No editing beyond this line is required for initial MASQ testing ==
printf ' loading modules: '
echo " - Verifying that all kernel modules are ok"
$DEPMOD -a
echo "----------------------------------------------------------------------"
printf 'ip_tables, '
$MODPROBE ip_tables
printf 'nf_conntrack, '
$MODPROBE nf_conntrack
printf 'nf_conntrack_ftp, '
$MODPROBE nf_conntrack_ftp     # tracks FTP data connections
printf 'nf_conntrack_irc, '
$MODPROBE nf_conntrack_irc     # tracks IRC DCC connections
printf 'iptable_nat, '
$MODPROBE iptable_nat
printf 'nf_nat_ftp, '
$MODPROBE nf_nat_ftp           # rewrites addresses inside FTP control traffic
echo "----------------------------------------------------------------------"
printf ' Done loading modules.\n\n'

echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo " Clearing any existing rules and setting default policy.."
# iptables-restore replaces the nat and filter tables in one step. The heredoc
# is unquoted so $EXTIF and $INTIF expand; <<- strips leading tabs only.
# FORWARD defaults to DROP: only LAN-originated traffic and replies to it pass,
# and anything else is logged before the policy drops it.
iptables-restore <<-EOF
*nat
-A POSTROUTING -o "$EXTIF" -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i "$EXTIF" -o "$INTIF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
-A FORWARD -j LOG
COMMIT
EOF
printf '\nrc.firewall-iptables v%s done.\n\n' "$FWVER"
After configuring the 2 variables, save the script as nat.sh and make it executable by doing
chmod a+x nat.sh
Now, test the script by running it as root
sudo sh nat.sh
Investigate the messages from the console output to see if any error happened. If everything looks fine, use another host in the internal network to test whether it can access the external network (presumably the Internet). A quick way to test is pinging Google's public DNS from the console.
ping -c 3 -W 10 8.8.8.8
If ping responds, make the new script run at boot so we don't have to run it every time we restart.
sudo cp nat.sh /etc/init.d/
sudo ln -s /etc/init.d/nat.sh /etc/rc2.d/S95masquradescript
As a final test, restart your computer and check whether you still have the same functionality. If so, congratulations! If not, make sure you followed the above correctly so the script runs at boot.
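The post-reboot check above can be scripted rather than done by hand. The following audit helper is an added example, not part of the Ubuntu guide or this gist: it inspects an iptables-save dump and the ip_forward sysctl for the properties nat.sh is meant to establish, and flags the one thing the guide's ruleset leaves open (INPUT ACCEPT exposes the router's own services on the external interface). The sample dumps are constructed; on a real router run `iptables-save` and pass its output to check_ruleset.

```shell
#!/bin/sh
# Added audit helper, not part of the Ubuntu guide or this gist. Checks an
# iptables-save dump and the ip_forward sysctl for what nat.sh should set up.
EXTIF="eth0"
INTIF="eth1"
# check_ruleset DUMP: returns 0 if DUMP holds the expected NAT and forwarding
# rules, 1 otherwise; prints one line per finding. Patterns assume the
# normalised form iptables-save prints (e.g. "--ctstate RELATED,ESTABLISHED").
check_ruleset() {
    dump="$1"; rc=0
    has() { printf '%s\n' "$dump" | grep -Eq -- "$1"; }
    has "^-A POSTROUTING -o $EXTIF -j MASQUERADE$" \
        || { echo "missing: MASQUERADE on $EXTIF"; rc=1; }
    has "^:FORWARD DROP " \
        || { echo "weak: FORWARD default policy is not DROP"; rc=1; }
    has "^-A FORWARD -i $EXTIF -o $INTIF -m conntrack --ctstate (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT$" \
        || { echo "missing: stateful return-traffic rule $EXTIF -> $INTIF"; rc=1; }
    # A stateless accept from outside into the LAN would bypass the DROP policy.
    has "^-A FORWARD -i $EXTIF -o $INTIF -j ACCEPT$" \
        && { echo "exposed: unsolicited $EXTIF -> $INTIF forwarding allowed"; rc=1; }
    # Not a failure (the guide's script sets it), but with INPUT ACCEPT every
    # service listening on the router itself is reachable from $EXTIF.
    has "^:INPUT ACCEPT " \
        && echo "note: INPUT policy ACCEPT; router's own ports open on $EXTIF"
    return $rc
}
# check_ip_forward FILE: 0 if FILE (normally /proc/sys/net/ipv4/ip_forward) is 1.
check_ip_forward() { [ "$(cat "$1" 2>/dev/null)" = "1" ]; }
# Constructed dump resembling iptables-save output after nat.sh has run.
GOOD_DUMP='*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -j LOG
COMMIT'
# Constructed dump of a box where only forwarding was switched on: no NAT,
# FORWARD wide open, so the LAN is reachable from the external side.
BAD_DUMP='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT'
check_ruleset "$GOOD_DUMP" && echo "sample ruleset: OK"
```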