Iptables: How-to Share your internet connection
Posted by chantra on December 10th, 2006
- Iptables: How-to Share your internet connection — page 2
- Iptables: How-to Share your internet connection — page 3
- Iptables: How-to Share your internet connection — page 4
iptables is a command line tool that allows system administrators to configure the Linux kernel's packet filtering ruleset.
Using iptables, you can tweak packet filtering, Network Address Translation (NAT) and packet mangling, which in the end lets you secure your server, share your Internet connection and log unwanted traffic.
iptables is not really what we could call an easy tool to get started with, but once you know the basics, it won't be that scary.
This tutorial provides a sample script you can use to share your Internet access and gives an overview of how to use iptables.
1. Introduction
Most people are put off when they hear the name iptables: it is not an easy piece of software to understand, and its man page is as huge as its capabilities.
To set up a home router, you don't actually need to spend night after night going through the iptables man page; a grasp of the basics is enough to get your firewall up and running.
This tutorial provides a sample script you should be able to use out of the box; at most, changing two parameters (the names of your external and internal interfaces) will get you running.
2. Iptables
To understand what the firewall does, there are some basics you need to know. Here I'm going to go over how iptables handles network packets.
2.1. Chain Rules
iptables uses chains of rules to decide whether or not a packet should be accepted. The filter table, which is the default table, has three built-in chains:
- INPUT: the packet is destined for the machine running iptables
- FORWARD: the packet needs to be forwarded to another machine
- OUTPUT: the packet was generated by the machine running iptables
So when a packet reaches the firewall, the first thing the kernel does is work out, from its routing decision, where the packet is going. Depending on that, the kernel checks the packet against the rules of the appropriate chain. (The nat table, which the script uses for MASQUERADE, has its own chains, PREROUTING and POSTROUTING among them; a forwarded packet is checked against both the nat and the filter tables.)
2.2. Actions (TARGET)
For each chain we define a list of rules and the actions (called targets in iptables jargon) to take when a packet matches a rule. The main actions are:
- ACCEPT: accept the packet
- REJECT: discard the packet and inform the source (with an ICMP error or a TCP reset)
- DROP: discard the packet silently, without telling the source anything
As soon as a packet matches a rule with one of these terminating targets, the kernel applies that action and does not evaluate the remaining rules of the chain. (A few targets, LOG for example, are not terminating: the packet is logged and then continues down the chain.) If the packet matches none of the rules, the kernel applies the default policy defined for that chain.
That being said, we can now get into the script.
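The chains, targets and default policies described above, put together into a working Internet-sharing rule set. This is an added example written for this page, not the article's own script (which follows on the later pages). WAN and LAN default to eth0 and eth1 and are assumptions to adjust (a PPPoE ADSL link would be ppp0). It uses the conntrack match; the older `-m state --state` spelling seen elsewhere on this page is still accepted by current iptables and means the same thing. Without arguments the script only prints the commands, so the policy can be reviewed before it is applied as root with --apply.

```shell
#!/bin/sh
# Added example, not the article's script: a minimal stateful Internet-sharing
# firewall for Linux, written as shell functions so the rule set can be
# reviewed (and tested) before it touches the kernel.
# Usage: sh share.sh              -> print the commands (dry run)
#        sudo sh share.sh --apply -> execute them

WAN="${WAN:-eth0}"   # assumption: interface towards the Internet
LAN="${LAN:-eth1}"   # assumption: interface towards the local network

# build_rules WAN LAN: emit the iptables commands, one per line.
# Policies come first: a packet matching no rule in INPUT or FORWARD is dropped.
# The LOG target is not terminating, so a new connection arriving from the WAN
# is logged by the last FORWARD rule and then falls through to the DROP policy.
build_rules() {
    wan="$1"
    lan="$2"
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $lan -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -j ACCEPT
iptables -A FORWARD -i $wan -m conntrack --ctstate NEW,INVALID -j LOG --log-prefix "fw-forward-drop: "
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
EOF
}

# forwarding_cmds: the kernel must route between interfaces, or none of the
# rules above matter. Put the same line in /etc/sysctl.conf to survive a reboot.
forwarding_cmds() {
    echo "sysctl -w net.ipv4.ip_forward=1"
}

main() {
    if [ "$1" = "--apply" ]; then
        [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
        { forwarding_cmds; build_rules "$WAN" "$LAN"; } | sh -e
    else
        forwarding_cmds
        build_rules "$WAN" "$LAN"
    fi
}

main "$@"
```

With this rule set the router accepts no new connections from the WAN side (SSH into it still works from the LAN), LAN hosts can open anything outbound, and replies come back through the ESTABLISHED,RELATED rules. MASQUERADE is the right choice when the WAN address can change (dial-up, DHCP, PPPoE); with a fixed address, SNAT --to-source is equivalent and slightly cheaper.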



Hi, thanks for your great article.
I have adapted your script to my Ubuntu server. It's my firewall; it's a PC used only for that.
Right now my firewall can ping my local network, but the local network is not surfing the net. These PCs cannot go out.
Do you have an idea? I do not have my DMZ and web server anymore, so only a local network and a PC firewall.
firewall (eth2) pings the local network (eth1)
local network (eth1) does not go out on the web
Thanks
Nadia
Hi,
This sounds like you did not enable IP forwarding on your firewall. Check your sysctl settings on page 4.
Yes, it's done; I did this at the beginning. I will look at it another time, because I have flushed the iptables script 2-3 times and started again; maybe that affected the sysctl... Do I need to put this setting in the iptables script of the firewall?
There is no need to have the sysctl settings in your iptables script. If you set it in /etc/sysctl.conf, it will be set at boot time.
There might be something wrong in your firewall settings then.
If all you need is to share your internet connection, you can use a one-liner:
iptables -t nat -A POSTROUTING -o eth0 -m comment --comment "LAN to Internet" -j MASQUERADE
(replace eth0 with whichever interface is connected to the internet)
Everything is OK for the IP forwarding (=1).
Also I have these lines in my iptables:
$ipt -P INPUT DROP
$ipt -P FORWARD ACCEPT
$ipt -P OUTPUT ACCEPT
$ipt -t nat -A POSTROUTING -o $WAN -j MASQUERADE
$ipt -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to 192.168.1.1:80
$ipt -A FORWARD -i $WAN -m state --state NEW,INVALID -j DROP
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A INPUT -i $LAN -j ACCEPT
My LAN (eth1) can ping my static IP (I have ADSL with a static IP),
but the LAN cannot go out on the net.
My firewall (eth2) can ping the LAN 192.168.1.0/24,
and the firewall goes out on the web.
???? It's probably something very easy that I cannot see... like always!
Thanks for helping me!
Something weird has happened since yesterday. I wanted to add a rule that I forgot:
$ipt -A FORWARD -i $WAN -p tcp --dport 80 -m state --state NEW -j ACCEPT
and I get the answer: -A command not found.
Whatever I do, even if I redo a rule:
$ipt -A INPUT ...
$ipt -A INPUT ...
I receive the error: -A command not found.
What's wrong? I didn't get this error before. Since last night I get it, and I have rebooted twice. A bug?
Have you properly set WAN and LAN to your actual external/internal devices?
The reason why you are getting '-A command not found' is that $ipt is not set (it gets defined in the script attached on page 4).
Supposing your external interface is eth0, you might want to
* run the rescue script (page 4)
* run the command:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
and work it out from there.
That's weird, because all my iptables script was made with $ipt and set as on page 4, and 2 days later iptables didn't recognize $ipt anymore.
Yes, $WAN and $LAN are set at the beginning. The other problem is that each time I reboot my PC I need to do ifup eth1 for the LAN interface. I never had this problem before. My eth1 and eth2 are set in /etc/network/interfaces.
I may not try this tonight; from Friday until Sunday I will be able to work on my firewall, so probably Monday I will give news about that.
Until last night, the LAN could ping my static IP but could not go out on the web, and the firewall pinged the LAN.
Thanks for everything
Hi, I'm back.
Well, I have flushed everything on the firewall and started everything from the beginning.
I redid my iptables rules.
Everything is now OK on the side of the firewall: eth2 and eth1 are set and up after a reboot.
The firewall pings my LAN switch 192.168.1.1.
The firewall pings the PC on my LAN 192.168.1.5 and others.
I have also done this to check: nmap -sP 192.168.1.5
Nmap scan report for 192.168.1.5
Host is up (0.0012s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
LAN 192.168.1.5 pings my static IP (the firewall has a static IP).
LAN 192.168.1.5 also pings the LAN switch 192.168.1.1.
LAN 192.168.1.5 cannot ping http://www.google.com (host unknown).
The IP forwarding = 1,
and yes I have a rule for the NAT:
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
where:
WAN="eth2"
LAN="eth1"
I don't know what to do next.
Thanks chantra
I tried another thing which I forgot before: on my PC from the LAN, I have inserted dns-nameserver .... in /etc/network/interfaces. Now when I do a ping from the LAN I have a ping, but I receive the answer "destination host unreachable". At least I got something!
I was validating the DNS and some errors were in my configuration, so now the DNS is OK in each interface configuration, LAN and WAN.
So now PCs on the LAN can ping each other:
192.168.1.4 pings 192.168.1.2 ....
But both receive "destination unreachable" when they do ping http://www.google.com or ping ip_google.
Both cannot ping dns1 of my firewall, but can ping my ip_static.
My firewall can ping all PCs on my LAN.
Everything is OK for my firewall.
Maybe a rule?
nadia
I also had an error in my netmask (before it was LAN: 192.168.1.1... and 255.255.255.0; I changed it to 255.255.255.0 but 192.168.0.1).
Still have "destination host unreachable" from my LAN to outside...
Keep working....
Today I changed the cable to see if it's OK between the switch and the firewall and still get the same "dest. host unreachable" error, so the RJ45 cable is not the problem.
Keep working
Still working on that, but now I think I will take a break; still get the "destination host unreachable" error from the LAN trying to ping the outside world.
And also I saw that nobody has helped me for 10 days, so I will take a break.
Hi Nadia,
There could be a thousand reasons why your settings are not working. Did you try to use the one simple iptables rule to share your connection? -j MASQUERADE
iptables -t nat -A POSTROUTING -o
Your "host unreachable" issue sounds like a routing issue. Do you give a default route to your LAN devices?
Have you tried to traceroute to a known destination like 8.8.8.8 (Google DNS)?
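The checks the reply above asks for (IP forwarding enabled, a default route on the router, a MASQUERADE rule leaving through the WAN interface, and LAN hosts pointing at the router as their gateway), as an added example that is not part of the original thread. The parsing functions take command output as text, so they can be run without root against pasted `route -n`, `ip route` or `iptables -t nat -S` output; run_checks gathers the live values. The interface and address defaults (ppp0, 192.168.0.1) are assumptions, adjust them to your machine.

```shell
#!/bin/sh
# Added example, not part of the original thread: a checklist for the four
# things a LAN host needs before it can reach the Internet through a Linux
# router. Usage: sh checks.sh --run [WAN] [ROUTER_LAN_IP] [CLIENT_GATEWAY]

# forwarding_enabled FILE: succeeds if the kernel will route between
# interfaces. FILE is normally /proc/sys/net/ipv4/ip_forward.
forwarding_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# default_route_iface TEXT: print the interface of the default route found in
# `ip route` ("default ... dev X") or `route -n` (destination 0.0.0.0) output;
# prints nothing when there is no default route, which is exactly the case in
# which traceroute shows only "* * *".
default_route_iface() {
    printf '%s\n' "$1" | awk '
        $1 == "default" { for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }
        $1 == "0.0.0.0" && $3 == "0.0.0.0" { print $NF; exit }'
}

# masquerade_present TEXT WAN: succeeds if `iptables -t nat -S POSTROUTING`
# output contains a MASQUERADE rule for packets leaving through WAN.
masquerade_present() {
    printf '%s\n' "$1" | grep -q -- "-o $2 .*-j MASQUERADE"
}

# client_gateway_ok CLIENT_GW ROUTER_LAN_IP: LAN hosts must use the router's
# own LAN address as gateway, not another address in the subnet.
client_gateway_ok() {
    [ "$1" = "$2" ]
}

run_checks() {
    wan="${1:-ppp0}"            # assumption: Internet-facing interface
    lan_ip="${2:-192.168.0.1}"  # assumption: router's LAN address
    client_gw="${3:-$lan_ip}"   # gateway configured on a LAN host
    rc=0
    if forwarding_enabled /proc/sys/net/ipv4/ip_forward; then
        echo "ok   net.ipv4.ip_forward=1"
    else
        echo "FAIL ip_forward is 0: sysctl -w net.ipv4.ip_forward=1 (and /etc/sysctl.conf)"; rc=1
    fi
    dev=$(default_route_iface "$(ip -4 route show default 2>/dev/null)")
    if [ "$dev" = "$wan" ]; then
        echo "ok   default route leaves via $wan"
    else
        echo "FAIL default route via '${dev:-none}', expected $wan"; rc=1
    fi
    if masquerade_present "$(iptables -t nat -S POSTROUTING 2>/dev/null)" "$wan"; then
        echo "ok   MASQUERADE rule on $wan"
    else
        echo "FAIL no MASQUERADE rule: iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE"; rc=1
    fi
    if client_gateway_ok "$client_gw" "$lan_ip"; then
        echo "ok   LAN hosts use $lan_ip as gateway"
    else
        echo "FAIL LAN hosts point at $client_gw, not at the router ($lan_ip)"; rc=1
    fi
    return $rc
}

if [ "${1:-}" = "--run" ]; then
    run_checks "$2" "$3" "$4"
fi
```

Run it as root on the router; the nat table cannot be listed by an unprivileged user, so the MASQUERADE check would report a false FAIL otherwise. A LAN host whose gateway points at the router but that still gets "destination host unreachable" is the client_gateway_ok case: the gateway address is the router's LAN address, not some other address in the subnet.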
Hi,
if I do only this rule, iptables -t nat -A POSTROUTING -o -j MASQUERADE, nothing works; the LAN doesn't go outside.
The 2 interfaces on my firewall, when I do ethtool or mii-tool... respond "link ok".
I have changed the cable from the switch to the firewall; same error.
Yes, here is my config from my LAN PC in /etc/network/interfaces:
ip 192.168.0.1/24
gateway 192.168.0.1
netmask 255.255.255.0
dns-nameserver my_dns
and the usual network/broadcast settings.
When I do traceroute 8.8.8.8 it goes nowhere, * * * *.... for all 30 hops.
Thanks for your help
Your /etc/network/interfaces does not look right syntactically, and even if it did, ip 192.168.0.1 for your LAN PC with gateway 192.168.0.1 is plain wrong. Googling should help you solve these kinds of issues. http://wiki.debian.org/NetworkConfiguration contains great material on setting up your network interfaces in Debian.
Hi, well I never thought that a gateway would be 192.168.0.254! Not from a website like https://help.ubuntu.com/12.10/serverguide/network-configuration.html
So right now on the PC on my LAN the basic settings are:
ip 192.168.0.4
netmask 255.255.255.0
gateway 192.168.0.254
and on my firewall,
eth2 is my ADSL interface
and
the LAN interface:
auto eth1
iface eth1 inet static
address 192.168.0.1
netmask 255.255.255.0
gateway 192.168.0.254
dns-nameservers my_dns_ip
My LAN still does not ping google.com.
Well, I do not know what to do now.
My settings on my firewall:
# The loopback network interface
auto lo
iface lo inet loopback
# ADSL eth2
# Local Network eth1 ….interfaces for my LAN switch
auto eth1
iface eth1 inet static
address 192.168.0.1
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.254
dns-nameservers my_dns
On the PC on my LAN:
# The loopback network interface
auto lo
iface lo inet loopback
# Local Network eth0
auto eth0
iface eth0 inet static
address 192.168.0.2
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.254
dns-nameservers my_dns
For the last test I have only done:
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
Thanks
Nadia, your router is most likely getting its gateway/DNS from your ADSL provider with DHCP.
On your router, your eth1 should look like:
auto eth1
iface eth1 inet static
address 192.168.0.1
netmask 255.255.255.0
Your PC on your LAN has to use your router as a gateway; its eth0 config should look like:
# Local Network eth0
auto eth0
iface eth0 inet static
address 192.168.0.2
netmask 255.255.255.0
gateway 192.168.0.1
dns-nameservers my_dns
Hi, thanks.
So here it goes for my firewall:
# ADSL eth2
…
# Local Network eth1
auto eth1
iface eth1 inet static
address 192.168.0.1
netmask 255.255.255.0
and my PC on the LAN:
# Local Network eth0
auto eth0
iface eth0 inet static
address 192.168.0.2
netmask 255.255.255.0
gateway 192.168.0.1
dns-nameservers my_dns ..... I have a static IP and 2 DNS servers, so as usual I put my dns1 there
Right now, as before:
the PC from the LAN pings the gateway
the firewall pings the gateway and the LAN PC
but the LAN cannot ping google.com ....
damn it
root@cyberdark-firewall:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
my_static_ip    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
root@cyberdark-firewall:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         *               0.0.0.0         U     0      0        0 ppp0
my_ISP          *               255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
root@cyberdark-firewall:~# ifconfig
eth1      Link encap:Ethernet  HWaddr 00:10:5a:01:f7:b2
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::210:5aff:fe01:f7b2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:636 errors:0 dropped:0 overruns:0 frame:0
          TX packets:158 errors:0 dropped:0 overruns:0 carrier:5
          collisions:5 txqueuelen:1000
          RX bytes:67726 (67.7 KB)  TX bytes:22903 (22.9 KB)
          Interrupt:11 Base address:0xa000
eth2      Link encap:Ethernet  HWaddr 00:c0:26:7d:68:2a
          inet6 addr: fe80::2c0:26ff:fe7d:682a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11212 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9506 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:11456113 (11.4 MB)  TX bytes:1301082 (1.3 MB)
          Interrupt:5 Base address:0xd400
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:42 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3316 (3.3 KB)  TX bytes:3316 (3.3 KB)
ppp0      Link encap:Point-to-Point Protocol
          inet addr:my_local_ip  P-t-P:my_remote_ip  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:10581 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9074 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
root@cyberdark-firewall:~# cat /etc/resolv.conf
nameserver my_dns1
nameserver my_dns2