Introduction
If you have two network interface cards (or a network interface card plus some other component that connects you to the internet) installed in your Ubuntu system, it can be transformed into an immensely powerful router. You can establish basic NAT (Network Address Translation), activate port forwarding, set up a proxy, and prioritize the traffic passing through your system so that downloads do not interfere with gaming. This article explains how to set up your Ubuntu system as a router, which can later be configured as a firewall given prior knowledge of iptables. The resulting setup will help you control traffic over ports and make your system less vulnerable to security breaches.
Gateway Setup
Pre-requisites:
- Computer with Ubuntu OS
- Two network cards
- Internet connectivity
- Knowledge of iptables
Host A (192.168.1.8) ⇐⇒ Eth1 ⇐⇒ Ubuntu Gateway ⇐⇒ Eth0 ⇐⇒ Host B (10.10.6.205)
In summary:
- eth1 = Network adapter connected to internet (external).
- eth0 = Network adapter connected to a computer in the same subnet (internal).
- 10.10.6.0 = Subnet for eth0
- 192.168.1.8 = IP address of Host A, any computer on the internet.
- 10.10.6.203 = IP address of eth0.
- 10.10.6.204 = IP address of eth1.
- 10.10.6.205 = IP address of Host B, any computer in the same subnet.
Configuring Network Interface Cards
Each network interface has to be assigned a static IP address. The method of allocating static IP addresses to the interfaces differs between the desktop and server editions of Ubuntu. Both methods are elaborated below.
For Ubuntu Desktop edition:
System Settings ⇒ Network ⇒ Select Interface ⇒ Options
For Ubuntu Server edition:
1. Open Terminal (Ctrl+Alt+T)
2. Enter the following command to edit the 'interfaces' file:
sudo vim /etc/network/interfaces
3. Edit the file with the following lines:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 10.10.6.203
netmask 255.255.255.0
gateway 10.10.6.203
auto eth1
iface eth1 inet static
address 10.10.6.204
netmask 255.255.255.0
gateway 10.10.6.2
Enable IP forwarding
Configure the Ubuntu system to route between the two interfaces by enabling IP forwarding:
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
Edit /etc/sysctl.conf, and (up to 10.04) add these lines:
net.ipv4.conf.default.forwarding=1
net.ipv4.conf.all.forwarding=1
From 10.10 onwards, it is sufficient to edit /etc/sysctl.conf and uncomment:
# net.ipv4.ip_forward=1
so that it reads:
net.ipv4.ip_forward=1
IP Masquerading
To enable IP masquerading, enter the following set of commands in a terminal:
sudo iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
sudo iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
[Screenshot: Result]
Do not forget to save these iptables rules. Unless they are saved, they will be lost after the next system reboot, as they are held only in volatile memory.
# iptables-save > /etc/iptables.rules
The command above writes the current rules to /etc/iptables.rules so that they can be restored when the system reboots, making the changes permanent.
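As an added example, not code from the tutorial or its author, the following POSIX shell script performs the three steps above (enable forwarding, load the masquerade and FORWARD rules, save them) for the tutorial's eth0/eth1 layout and adds a check that the gateway is really in effect after a reboot. The variable names INT_IF, EXT_IF and RULES_FILE and the function names are choices made here; the DROP policy on FORWARD and the acceptance of the conntrack spelling of the state match are additions, labelled in the comments.

```shell
#!/bin/sh
# Added example (not from the tutorial): applies the gateway steps above in one
# script and verifies the result. INT_IF/EXT_IF/RULES_FILE are variable names
# chosen here; their defaults are the tutorial's interfaces and save path.
INT_IF="${INT_IF:-eth0}"              # internal side, where Host B sits
EXT_IF="${EXT_IF:-eth1}"              # external side, toward the internet
RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"

# Print the rule set for the given internal/external interfaces, one command per
# line, so it can be reviewed before anything is applied. The DROP policy on
# FORWARD is an addition to the tutorial: with the default ACCEPT policy the box
# forwards anything it receives, not only the two directions listed here.
gateway_rules() {
    int="$1"; ext="$2"
    cat <<EOF
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -o $ext -j MASQUERADE
iptables -A FORWARD -i $ext -o $int -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $int -o $ext -j ACCEPT
EOF
}

# Return 0 when the kernel has IPv4 forwarding switched on. The path is a
# parameter only so the check can be exercised against a test file.
forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ "$(cat "$f" 2>/dev/null)" = "1" ]
}

# Read an iptables-save dump on stdin and return 0 only when the masquerade rule
# and both FORWARD rules for the given interfaces are present. Newer iptables
# versions save the state match as "-m conntrack --ctstate", so both spellings
# are accepted.
rules_present() {
    int="$1"; ext="$2"
    dump=$(cat)
    printf '%s\n' "$dump" | grep -q -- "-A POSTROUTING -o $ext -j MASQUERADE" || return 1
    printf '%s\n' "$dump" | grep -qE -- \
        "-A FORWARD -i $ext -o $int -m (state --state|conntrack --ctstate) RELATED,ESTABLISHED -j ACCEPT" || return 1
    printf '%s\n' "$dump" | grep -q -- "-A FORWARD -i $int -o $ext -j ACCEPT" || return 1
}

# Enable forwarding, load the rules, then save them. iptables-save only writes
# the file; something must run "iptables-restore < file" at boot for the rules
# to come back, which is what check_gateway is for after the machine returns.
apply_gateway() {
    sysctl -w net.ipv4.ip_forward=1
    gateway_rules "$INT_IF" "$EXT_IF" | while IFS= read -r cmd; do $cmd; done
    iptables-save > "$RULES_FILE"
}

# Report whether the running system is actually acting as the gateway.
check_gateway() {
    forwarding_enabled || { echo "ip_forward is 0"; return 1; }
    iptables-save | rules_present "$INT_IF" "$EXT_IF" \
        || { echo "NAT/FORWARD rules missing for $INT_IF/$EXT_IF"; return 1; }
    echo "gateway OK: $INT_IF -> $EXT_IF"
}

case "${1:-show}" in
    apply) apply_gateway ;;                       # needs root
    check) check_gateway ;;                       # needs root to read the tables
    *)     gateway_rules "$INT_IF" "$EXT_IF" ;;   # dry run: just print the rules
esac
```

Run it with no arguments to print the rules for review, with `apply` (as root) to enable forwarding, load and save them, and with `check` after a reboot to confirm that both forwarding and the rules survived. `sysctl -w` does not persist across reboots, so keep the /etc/sysctl.conf edit above, and something at boot, for example a `pre-up iptables-restore < /etc/iptables.rules` line under the interface stanza in /etc/network/interfaces, must reload the saved file.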
Credits: Mr. Mahesh Doijade (TechDarting.com)
Shouldn't eth0 be in the same network as the client? I presume the client would use eth0 as its def gw?
Noooooo
All due respect to the webmaster, I see several problems with this configuration. Routers are used to break up broadcast domains, so instead of having two interfaces in 10.10.6.0/24, one host should be in something like 10.10.6.0/23 and the other should be in something like 10.10.7.0/23 to make two different subnets communicate. Also, since eth0 has a default gateway of 10.10.6.203 which is localhost, the command in IPtables should read "sudo iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE", eth0 should be set (with forward) rules to the NAT interface, and eth1 should use 10.10.6.203/23 as its default gateway to reach the outside. That scenario would be a better fit sir. Kind regards and thank you for your post. Admin Lin
Well, in the above experimentation, eth0 (the router in fact) and the client were in the same network. And the IP address of eth0 was the default gateway for the client.
Plus 1 for you. :)
I cannot find the gateway 10.10.6.2 from your connection diagram or summary. Can you show me where it is.
This experiment was performed on the college campus and the gateway 10.10.6.2 was located between the Switch and Host A.
If 10.10.6.2 is between the switch and host A (192.168.1.0 network) then the routing aspect of the article happened on the 10.10.6.2 gateway and not the Ubuntu "router"...
Shouldn't the eth0 gateway be (10.10.6.204)? Or is it right as you did it?
It worked fine for me.
Getting an error:
firewall:~$ sudo iptables -A FORWARD -i eth1 -o eth0 -m state -state RELATED,ESTABLISHED -j ACCEPT
Bad argument `RELATED,ESTABLISHED'
Try `iptables -h' or 'iptables --help' for more information.
Any ideas?
Hi. There's a typo in your tuto, it should be: sudo iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
Thanks for the tuto, saved my day!
when i enter the command: sudo iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
I get this message: iptable: no chain\target\match by that name
what should i do?
Try updating your kernel version and reboot your system.
Lots of crap may happen while using the above-mentioned configuration.
First of all, it may be OK to enable Path MTU Discovery with MSS Clamping (http://lartc.org/howto/lartc.cookbook.mtu-mss.html). Otherwise half of sites won't work.
Secondly, sometimes it's necessary to disable TCP timestamps (http://www.tmltechnologies.com/html-2012/index.php/linux-rescue-kits/82-secret/91-disable-tcp-timestamps-on-linux). Otherwise you may face specific TCP ports unreachability.
Other tricks may involve MTU lowering.
Consider that.
I read your post. Thanks so much!
I have problems for my network: Host A, RedHat Linux (2 Lan Cards), Host B.
_ Host A: 192.168.1.2 netmask 255.255.255.0 gw 192.168.1.1 (connect to eth0 - RedHat).
_ RedHat Linux: eth0 192.168.1.1 netmask 255.255.255.0
eth1 192.168.2.1 netmask 255.255.255.0
_ Host B: 192.168.2.2 netmask 255.255.255.0 gw 192.168.2.1 (connect to eth1 RedHat).
From Host A, I can ping eth0 and eth1 but I can't ping Host B.
And from Host B, I can ping eth0 and eth1 but I can't ping Host A.
Can you help me?
If Host A and Host B are in the same network, there is no need of a router!
I tried with host A and host B in different networks but it doesn't work :(
Any tips???
Here eth1 should be in the 192.168.1.x network. Then only Host A can reach eth1 as a gateway. It should not be in 10.0.6.x
If both of your cards are in the same [sub]network the PC is not routing, it is switching.
In the configuration described the Switch must be routing or Host A will never see your PC NIC.
DNS not resolving in the client machine, but it is resolving in the server. please help.
Have been trying for 2 days to get ubuntu to route IP traffic from my raspberrypi zero connected via USB. The 3 commands:
sudo iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
sudo iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
work great!
Not able to ping 192.168.50.4 from my router ethernet 192.168.50.1 and vice versa.
Pls. suggest
Can this tutorial be followed for a wlan interface?
Hey, can you create a script that turns the Linux server into a router? thanks