31 March 2010

Configuring Simplest Internet Connection Sharing

Problem

You want to enable Internet connection sharing on your Linux router. You have one or more networks behind your router using private address ranges. You don’t want to set up a firewall because you’re taking care of that elsewhere, or you just want to do some testing, so you want plain old simple Internet connection sharing.

Solution

Use this iptables script:

#!/bin/sh
#minimal iptables script for
#sharing an Internet connection
#define variables
ipt="/sbin/iptables"
mod="/sbin/modprobe"
WAN_IFACE="eth1"

# Load kernel modules
$mod ip_tables
$mod iptable_filter
$mod iptable_nat
$mod ip_conntrack
$mod iptable_mangle
$mod ipt_MASQUERADE
$mod ip_nat_ftp
$mod ip_nat_irc
$mod ip_conntrack_ftp
$mod ip_conntrack_irc

# Flush all active rules and delete all custom chains
$ipt -F
$ipt -t nat -F
$ipt -t mangle -F
$ipt -X
$ipt -t nat -X
$ipt -t mangle -X

# Set default policies
$ipt -P INPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -P OUTPUT ACCEPT
$ipt -t nat -P OUTPUT ACCEPT
$ipt -t nat -P PREROUTING ACCEPT
$ipt -t nat -P POSTROUTING ACCEPT
$ipt -t mangle -P PREROUTING ACCEPT
$ipt -t mangle -P POSTROUTING ACCEPT

# Always have an entry for interface lo
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A OUTPUT -o lo -j ACCEPT

# Rewrite source addresses to WAN address
$ipt -t nat -A POSTROUTING -o $WAN_IFACE -j SNAT --to-source 22.33.44.55

# Enable packet forwarding in the kernel
echo '1' > /proc/sys/net/ipv4/ip_forward

Of course, you must substitute your own interface name and WAN address. If you don’t have a static WAN address, but get it from DHCP, use these lines in place of the SNAT rule:

# Enable IP masquerading
$ipt -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
# Enable packet forwarding in the kernel
echo '1' > /proc/sys/net/ipv4/ip_forward

This script offers zero protection—it does no packet filtering at all, but only handles the job of rewriting your private addresses to your WAN address and back again.
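
To confirm what state a router is actually in after running the script, the following added example (not part of the original recipe) audits a ruleset in iptables-save format. The function names audit_sharing and sample_ruleset are made up for this example, and the sample ruleset is constructed to match the script above.

```sh
#!/bin/sh
# Constructed sample: iptables-save output after running the recipe script
sample_ruleset() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j SNAT --to-source 22.33.44.55
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}

# audit_sharing WAN_IFACE IP_FORWARD_VALUE   (ruleset is read from stdin)
# Live use: iptables-save | audit_sharing eth1 "$(cat /proc/sys/net/ipv4/ip_forward)"
audit_sharing() {
    awk -v wan="$1" -v fwd="$2" '
        /^\*/ { table = substr($0, 2); next }              # "*nat" or "*filter" opens a table
        /^:/  { policy[table, substr($1, 2)] = $2; next }  # ":FORWARD ACCEPT [0:0]" is a chain policy
        table == "nat" && $1 == "-A" && $2 == "POSTROUTING" {
            out = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-o") out = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            # Only a rewrite rule bound to the WAN interface counts
            if (out == wan && (target == "SNAT" || target == "MASQUERADE")) nat = target
        }
        table == "filter" && $1 == "-A" && $2 == "FORWARD" { fwdrules++ }
        END {
            print ((fwd == "1") ? "OK ip_forward=1" : "FAIL ip_forward is off, nothing is routed")
            print ((nat != "") ? ("OK " nat " on " wan) : ("FAIL no SNAT/MASQUERADE rule on " wan))
            if (policy["filter", "FORWARD"] == "ACCEPT" && fwdrules == 0)
                print "WARN FORWARD is ACCEPT with no rules: no packet filtering"
        }'
}

# Demo on the constructed sample
sample_ruleset | audit_sharing eth1 1
```

The WARN line is the expected result for this recipe; it is the "zero protection" state, and it should disappear once filtering rules are added to the FORWARD chain.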

See Also

• To learn about NAT and iproute2, see Martin Brown’s excellent “Guide to IP Layer Network Administration with Linux”:

http://linux-ip.net/html/index.html

