In this guide, replace <external> and <internal> with the device names of your external and internal network interfaces respectively.
You can list your network devices with the ip addr or ip link command.
1. Allow IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
2. Enable masquerade
Masquerade allows all the hosts on the server’s internal network to hide behind it and use its IP address on the external network.
iptables -t nat -A POSTROUTING -o <external> -j MASQUERADE
3. Set forwarding policy
Two way NAT (private hosts can get out and external hosts can get in)
iptables -A FORWARD -i <internal> -o <external> -j ACCEPT
iptables -A FORWARD -i <external> -o <internal> -j ACCEPT
One way NAT (private hosts can get out, only connections they established can come back in)
iptables -A FORWARD -i <internal> -o <external> -j ACCEPT
iptables -A FORWARD -i <external> -o <internal> -m state --state RELATED,ESTABLISHED -j ACCEPT
(Optional) Make permanent
You can edit /etc/sysctl.conf, adding the line
net.ipv4.ip_forward = 1
to always allow IP forwarding when the system reboots.
Then, create a script to apply your iptables rules. Most distributions allow you to put commands in /etc/rc.local that will be executed on boot. Some distributions have their own methods to save iptables rules, but some don’t. Creating a script is guaranteed to work for anyone (no guarantee of any kind is expressed or implied).
Add something like this to /etc/rc.local or a new script (this version applies the two-way forwarding policy from step 3; swap in the RELATED,ESTABLISHED rule for one-way NAT):
#!/bin/sh
# Interface names: adjust to match the output of ip link
INTNET="eth1"
EXTNET="eth0"
# 1. Allow IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# 2. Enable masquerade on the external interface
iptables -t nat -A POSTROUTING -o $EXTNET -j MASQUERADE
# 3. Forwarding policy (two-way NAT)
iptables -A FORWARD -i $EXTNET -o $INTNET -j ACCEPT
iptables -A FORWARD -i $INTNET -o $EXTNET -j ACCEPT
and make sure it is executable (some distributions enable and disable processing of the file through the executable bit):
chmod a+x /etc/rc.local
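The following script is an added example, not part of the original guide. It ties step 3 and the boot script together: it checks that the interface names actually exist before touching the firewall, selects the one-way or two-way forwarding policy by argument, and adds one thing the guide does not mention: setting the FORWARD chain's default policy to DROP, because on most distributions the default is ACCEPT, in which case the one-way rule set above does not actually block unsolicited inbound forwarding. The function names (iface_exists, nat_rules, apply_nat, enable_forwarding), the NAT_APPLY and IPT variables and the script name nat.sh are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original guide): apply a one-way or two-way NAT
# rule set for the given interfaces after validating them.
# Usage (as root):  NAT_APPLY=1 sh nat.sh oneway eth0 eth1
# Set IPT="echo iptables" to preview the commands without changing anything.

IPT="${IPT:-iptables}"

# iface_exists NAME -> succeeds only if the kernel knows an interface by that name
iface_exists() {
    [ -n "$1" ] && [ -e "/sys/class/net/$1" ]
}

# enable_forwarding -> turn on IPv4 forwarding (path overridable for testing)
enable_forwarding() {
    echo 1 > "${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}"
}

# nat_rules MODE EXTERNAL INTERNAL -> print the iptables arguments for each
# rule, one rule per line.  MODE is "oneway" (only replies to connections the
# internal hosts opened may come back in) or "twoway" (external hosts may also
# initiate connections to internal hosts).
nat_rules() {
    mode=$1 ext=$2 int=$3
    case "$mode" in
        oneway|twoway) ;;
        *) echo "nat_rules: mode must be oneway or twoway" >&2; return 2 ;;
    esac
    # Default-deny forwarding so the ACCEPT rules below are the only way through.
    # (Addition beyond the guide: without it the one-way rules restrict nothing.)
    echo "-P FORWARD DROP"
    echo "-t nat -A POSTROUTING -o $ext -j MASQUERADE"
    echo "-A FORWARD -i $int -o $ext -j ACCEPT"
    if [ "$mode" = oneway ]; then
        echo "-A FORWARD -i $ext -o $int -m state --state RELATED,ESTABLISHED -j ACCEPT"
    else
        echo "-A FORWARD -i $ext -o $int -j ACCEPT"
    fi
}

# apply_nat MODE EXTERNAL INTERNAL -> run $IPT once per rule; stop on first error
apply_nat() {
    rules=$(nat_rules "$@") || return 2
    save_ifs=$IFS
    IFS='
'
    set -- $rules          # one positional parameter per rule line
    IFS=$save_ifs
    for rule in "$@"; do
        # word-splitting of $rule into separate arguments is intended here
        $IPT $rule || return 1
    done
}

# Only act when explicitly asked, so sourcing this file is harmless.
if [ "${NAT_APPLY:-0}" = 1 ]; then
    for dev in "$2" "$3"; do
        iface_exists "$dev" || { echo "no such interface: $dev" >&2; exit 1; }
    done
    enable_forwarding && apply_nat "$@"
fi
```

Because the rules are generated before they are applied, you can review the exact iptables invocations with IPT=echo first, and the same script can be called from /etc/rc.local with NAT_APPLY=1 to make the configuration permanent.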