Enabling NAT to the outside
Connecting two local networks is useful, but these days it's more common to want to connect a local network to the Internet. The basic concept works the same, but with the necessary addition of NAT. NAT rewrites your packet headers in order to make them appear as if they come from your router, thus effectively hiding your system's address from the destination.
How to do it…
Create a third NIC (eth2) on server 1 and connect it to your cable modem or ISP's router.
- Configure
eth2to receive an IP address via DHCP:auto eth2 iface eth2 inet dhcp
- Use
iptablesto enable NAT on packets heading out througheth2:# /sbin/iptables -t nat -A POSTROUTING -o eth2 \ -j MASQUERADE # /sbin/iptables -A FORWARD -i eth2 -o eth0 -m \ state --state RELATED,ESTABLISHED -j ACCEPT # /sbin/iptables -A FORWARD -i eth0 –o eth2 -j ACCE PT
How it works…
In the last section, we discussed how in order for two systems on different networks to be able to talk to each other, they need to have routes defined which will forward packets to a router that can deliver the packet to the appropriate destination. The same is true on the Internet.
If server 2 attempts to contact an IP address on the Internet, for example Google's nameserver at 8.8.8.8, your router will pass them onto the destination. Let's give that a try:
# ping -c 2 8.8.8.8 PING 8.8.8.9 (8.8.8.8) 56(84) bytes of data. --- 8.8.8.8 ping statistics --- 2 packets transmitted, 0 received, 100% packet loss, time 999ms
No responses were received. So what went wrong here?
You'll recall that I said the IP addresses that we were using were defined by RFC1918 as internal IP address space. Due to this, these IP addresses are not directly usable as Internet hosts. In our example, one of the two following things will happen:
- Our router will send packets out of the Internet-facing interface, where it will travel across the Internet to our destination, which will respond to the packet. The response will not be able to find its way back to our system due to the un-routed nature of the destination.
- Our router will send the packets out of its Internet-facing interface, where the next hop will drop the packets due to implementing egress filtering of traffic with invalid source addresses.
Iptables is a command-line tool in Linux for interfacing with the Linux kernel firewall, which is implemented as a part of the netfilter subsystem.
Let's break down the first command line:
- The
-toption specifies the packet matching table to use. In this case, we're going to use thenattable. f-Aindicates that the specified rule should be appended to the selected chain, which in this case is POSTROUTING. The POSTROUTING chain is processed after the kernel handles packet routing.-ospecifies the output interface. In our example, theeth0interface contains the internal IP systems andeth2leads to the Internet.-jspecifies what to do if the packet matches the rule. In this case, we're going to masquerade the packet (modify the IP).
Put them together and we have matching packets heading out on eth2; rewrite the source IP address and track it in the NAT table.
The second command is added in the -m command, which matches a packet property, in this case state. For the packets that came in on eth1 (from the Internet), and destined to eth0 (lan), check to see if they are related to or are a part of an established connection. If so, accept the packet and assign it to the FORWARD chain. The FORWARD chain handles any packet that is being passed through your router rather than the packets originating from the system (OUTPUT chain) or packets destined to your system (INPUT chain).
Finally, any packets that come in on eth0 (lan) and are heading out on eth2 (Internet) are just automatically accepted.
