How to set up NAT in Linux using iptables
This is a small step-by-step tutorial on setting up NAT on a Linux machine using iptables. NAT (network address translation) is a technique for sharing an Internet connection with a private network. Your system will act as the gateway and provide Internet access to multiple hosts on the local area network using one single public IP address.
To set up NAT in Linux, the gateway computer should have two network interface cards (NICs): it needs two network connections and two IP addresses, one for the private network and one external public IP.
The system on which NAT is set up will act as the gateway for the private network. For this tutorial, that computer should meet the following requirements:
1) It should have at least 2 NICs (network interface controllers): one to connect to the Internet and the other to connect to the private network.
2) It should be running Linux.
3) It should have a kernel supporting iptables.
Terminologies and Concepts
The 2 interfaces concerned will be eth0 and eth1.
eth0 -> This will be the interface connected to the Internet.
eth1 -> This interface will be connected to the private network.
Check both the NICs
First of all, check that both NICs are recognized by your system and working properly. To see whether they are recognized, try running this command:
[jasonleon]$ lspci
This command lists the PCI devices and will tell you whether your NICs are recognized by the system. Now run the following commands to see whether they are working properly:
[jasonleon]$ dmesg | grep eth0
[jasonleon]$ dmesg | grep eth1
The output varies from system to system and will be different for the two interfaces, but it should look more or less like this:
[338187.673976] Inbound IN=eth0 OUT= MAC= SRC=10.0.0.1 DST=10.0.0.255 LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=221
[338875.736758] r8169: eth0: link down
[338877.757877] r8169: eth0: link up
Now let us see whether they are also recognized as network devices. Run these commands to confirm it:
[jasonleon]$ ifconfig eth0
[jasonleon]$ ifconfig eth1
ifconfig is a utility to configure network interfaces. If the output of both commands looks similar to this
eth0 Link encap:Ethernet HWaddr 00:21:70:94:56:b2
inet addr:10.0.0.1 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::221:70ff:fe94:56b2/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:690495 errors:0 dropped:0 overruns:0 frame:0
TX packets:748777 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:482335870 (482.3 MB) TX bytes:763131223 (763.1 MB)
Interrupt:250
then both interfaces are recognized as network devices and we are in a state to proceed further.
Configure your iptables to enable NAT
Now, I am assuming that you have already configured your system to connect to the Internet. Next, we need to configure iptables to enable NAT.
Assuming that you don't need any existing rules, run these commands to delete them so that we can define new ones (each line shows the short form OR the long form of the same command):
iptables -F OR iptables --flush
iptables -t nat -F OR iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
Now we will enable packet forwarding in the kernel. Run this command in the terminal as root (this setting does not survive a reboot; set net.ipv4.ip_forward = 1 in /etc/sysctl.conf to make it permanent):
[jasonleon]$ echo 1 > /proc/sys/net/ipv4/ip_forward
Now we need to create the new rules. Run the following commands (again short form OR long form):
[jasonleon]$ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE OR iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
[jasonleon]$ iptables -A FORWARD -i eth1 -j ACCEPT OR iptables --append FORWARD --in-interface eth1 -j ACCEPT
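The same NAT set-up as the two rules above, written as an added example (not part of the tutorial) in iptables-restore format, with a default-deny FORWARD chain so the WAN side can only carry replies to connections the LAN opened. The eth0/eth1 names follow the tutorial; the APPLY variable is this example's own convention.

```shell
#!/bin/sh
# Added example: build the tutorial's NAT rules as an iptables-restore rule set.
# Compared with the two bare rules in the tutorial, FORWARD defaults to DROP and
# WAN->LAN traffic is limited to established/related connections.

# nat_ruleset WAN_IF LAN_IF -> prints an iptables-restore rule set on stdout
nat_ruleset() {
    wan="$1"
    lan="$2"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# same MASQUERADE rule as the tutorial: rewrite LAN sources to the WAN address
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# LAN -> WAN: hosts on the private network may open connections outward
-A FORWARD -i $lan -o $wan -j ACCEPT
# WAN -> LAN: only replies to connections the LAN opened
-A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# apply_nat WAN_IF LAN_IF -> enables forwarding and loads the rule set (root only)
apply_nat() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_nat: must run as root" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    nat_ruleset "$1" "$2" | iptables-restore
}

# Only touch the live firewall when explicitly asked, e.g.:  APPLY=1 sh nat.sh
if [ "${APPLY:-0}" = 1 ]; then
    apply_nat eth0 eth1
fi
```

Run without APPLY=1 to review the generated rules (nat_ruleset eth0 eth1) before loading them.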
Configuring the server's eth1 interface
Now we need to configure the network settings of the eth1 interface and assign it an IP address so that machines on the private network can use it as their gateway. For this we have to edit the files that hold the NIC configuration.
For Fedora, CentOS and Red Hat users, the eth1 configuration file is located at /etc/sysconfig/network-scripts/ifcfg-eth1.
After editing it should look as follows.
DEVICE=eth1
ONBOOT=yes
IPADDR=192.168.0.1
NETMASK=255.255.255.0
BOOTPROTO=static
In Ubuntu and Debian, the eth1 configuration is a stanza in /etc/network/interfaces:
auto eth1
iface eth1 inet static
address 192.168.0.1
netmask 255.255.255.0
Configure the client side to access Internet through our Gateway
Add the following entries on the client machine to access the Internet. The gateway is the IP address we assigned to our machine's eth1 interface. Remember to keep the IP address of the client machine in the same network (subnet) as the gateway's IP address.
IP address: 192.168.10.3
Netmask: 255.255.255.0
DNS: 209.59.31.54
Gateway: 192.168.10.1
You can decide the netmask on the basis of what class of network you want. For this you might want to know a little about classless and classful networks.
You can read more about classful networks at http://linuxers.org/wiki/classful-networks
Classless Networks
I won't go into the details of classless networks, but to end the discussion I will explain a bit. Here, as the name suggests, networks are not divided into classes, and the network and host parts of an IP address are not decided by the position of the dots. Instead they are decided in binary form: when you convert the IP address to binary, one may say that the first 12 bits constitute the network address and the rest is the host address.
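The classless rule just described, and the "same subnet as the gateway" requirement from the client section, worked through in POSIX sh as an added example (not part of the tutorial): a prefix length such as /12 is turned into a netmask, and two addresses are in the same network when ANDing each with the mask gives the same value. The addresses in the demo lines are constructed.

```shell
#!/bin/sh
# Added example: classless (CIDR) arithmetic in plain shell.

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> dotted-quad form of a 32-bit integer
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix_to_mask N -> netmask whose first N bits are set (e.g. 12 -> 255.240.0.0)
prefix_to_mask() {
    int_to_ip $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# network_of IP NETMASK -> the network address (IP AND mask)
network_of() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# same_subnet IP1 IP2 NETMASK -> exit status 0 when both share a network address
same_subnet() {
    [ "$(network_of "$1" "$3")" = "$(network_of "$2" "$3")" ]
}

# Demo with constructed values: the tutorial's /12 example, then a client
# checked against a gateway on eth1 with a /24 netmask.
echo "first 12 bits as network -> netmask $(prefix_to_mask 12)"
echo "10.20.30.40/12 is in network $(network_of 10.20.30.40 "$(prefix_to_mask 12)")"
if same_subnet 192.168.0.3 192.168.0.1 255.255.255.0; then
    echo "192.168.0.3 can use 192.168.0.1 as its gateway"
else
    echo "192.168.0.3 is not on the gateway's network"
fi
```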