Tuesday, June 21, 2011

Configuring Linux Box as a Gateway

 Configuring Linux Box as a Gateway

Hardware Requirement.

1.       Server with Linux Installed having two Interface (NIC) card. One should be connected to your outgoing Internet connection, while the other is plugged into your local network
2.        Switch / Hub

Information Required :
aaa.aaa.aaa.aaa is Public Network IP address (bbb.bbb.bbb.bbb is Public netmask).
ccc.ccc.ccc.ccc is LAN IP address (e.g., ddd.ddd.ddd.ddd is LAN netmask (e.g.
eee.eee.eee.eee is default gateway for Internet connection.
First of all we enable IP forwarding to enables a gateway to send or forward, IP packets to destination IP addresses on another network.
To determine whether IP forwarding is enabled or not, run the command
cat proc/sys/net/ipv4/ip_forward

If the output is 1, IP forwarding is enabled; if the output is 0, IP forwarding is not enabled. If it is not enable then
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
To activate the changes
Run sysctl –p

After that we  create the network configuration file for the gateway computer with the commandvim /etc/sysconfig/network
Next, enter the following information into this file:NETWORKING=yes
 After that we create configuration files for each of the network interface cards on the gateway. The first interface card for which we’ll create a configuration file is the interface that forwards packets to the outside world. The first Ethernet interface configured on a Linux system is always eth0.

To configure the first network interface, create the /etc/sysconfig/network-scripts/ifcfg-eth0 file. To do this, run the command

vim  /etc/sysconfig/network-scripts/ifcfg-eth0
IPADDR=aaa.aaa.aaa.aaa        # IP ADDRESS provided by ISP
NETMASK=bbb.bbb.bbb.bbb       # NETMASK provided by ISP
GATEWAY=eee.eee.eee.eee       #

Now we configure the second interface (eth1)

vim /etc/sysconfig/network-scripts/ifcfg-eth1 
IPADDR=ccc.ccc.ccc.ccc       # e.g. Private IP ADDRESS
NETMASK=ddd.ddd.ddd.ddd      # e.g.
Set up Domain Name System servers IP addresses by editing /etc/resolv.conf:
vim /etc/resolv.conf
nameserver (Public DNS Server)
nameserver (Public DNS Server)
Set up NAT with iptables
To delete existing rules from every iptables table, execute the following commands:
Check iptable server is on or not, if it is not ON then on it with command
/etc/init.d/iptables start
chkconfig –level 35 iptables on (So that everytime service will automatically started on runlevel 3 and 5)
Now we delete existing rules from every iptables table, execute the following commands:
iptables -F
iptables -t nat -F
iptables -t mangle -F

Enable NAT by commands:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -j ACCEPT

iptables-save > /etc/sysconfig/iptables
Configure LAN clients to access Internet via described gateway:
Use clients' operating system tools to set up the following TCP/IP settings:
IP address: from the same network as ccc.ccc.ccc.ccc
Netmask: ddd.ddd.ddd.ddd
DNS: fff.fff.fff.fff
Gateway: ccc.ccc.ccc.ccc

IP address:
 HOST webserver on port 80 from Machine -1
So in this setup if I want to run a public service like httpd, not on the gateway server ( where it is visible to outside ) but on an internal machine ( which is not visible outside ) how do I make it available to the outside internet.
To make the above scenario of exposing and internal machine's service to outside we need to use port forwarding on the gateway server. Which is assigning a port on the gateway to accept all connections and forward it to the internal machines port where the service is listening to.
Let xxx.xxx.xxx.xxx be the IP address of the gateway server connected to the cable modem and , the IP address of the internal machine. And say we want to run a web server ( httpd ) on 192,168.0.2 on port 80 which should be available to the outside internet. We can forward the port 80 on xxx.xxx.xxx.xxx to port 80 of
Source: xxx.xxx.xxx.xxx:80 -- forwarded to ->
You can chhose any port on xxx.xxx.xxx.xxx it need not match the port we are forwarding to.
Source: xxx.xxx.xxx.xxx:8888 -- forwarded to ->
Port Forwarding using Iptables
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d xxx.xxx.xxx.xxx
                                --dport 8888 -j DNAT --to
/sbin/iptables -A FORWARD -p tcp -i eth0 -d --dport 80 -j ACCEPT

Note that this document comes without warranty of any kind. But every effort has been made to provide the information as accurate as possible. I welcome emails from any readers with comments, suggestions, and corrections at webmaster_at admin@linuxhowto.in

Copyright © 2012 LINUXHOWTO.IN

1 comment: