linux box as a router

Two scenarios:

1. Private – Public
2. Private – Private ( inside your LAN)

1. Private – Public

a) Assign the public IP address to the Fast Ethernet card with the following:

eth0
IP address (61.5.156.1; replace with your public IP address)
Netmask (provided by the Internet service provider)
Default gateway (provided by the Internet service provider)
Preferred DNS

b) Create a virtual IP address (an alias) on the same Fast Ethernet card

Copy the configuration file of eth0 (on Red Hat-style systems /etc/sysconfig/network-scripts/ifcfg-eth0) to a new file named for the alias, ifcfg-eth0:0, and give it a private IP address from the same range you assigned to the other computers in your local area network:

eth0:0
IP address (192.168.1.10)
Netmask (255.255.255.0)
Default gateway (leave this blank; the alias must not add a second default route)

c) Create forwarding rules with iptables:

Flush the existing rules first. iptables works on the "filter" table by default; other tables such as "nat" must be named explicitly with -t/--table, so each table is flushed separately.

iptables -F                          (flush all rules in the filter table)
iptables -t nat -F                   (flush all rules in the nat table)
iptables --delete-chain              (delete user-defined chains in the filter table)
iptables --table nat --delete-chain  (delete user-defined chains in the nat table)

# Set up IP forwarding and masquerading
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -j ACCEPT

Note that this box has a single NIC, so -i eth0 matches packets arriving from the Internet as well as from the LAN; the FORWARD rule above therefore accepts everything the box is asked to forward. Restricting it to -s 192.168.1.0/24 and letting only ESTABLISHED,RELATED traffic back in is the usual tightening.

d) Enable packet forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

This takes effect immediately but is lost on reboot; to make it permanent, set net.ipv4.ip_forward = 1 in /etc/sysctl.conf.

e) Check the route for internal packets:

Bringing up eth0:0 already installs a connected route for 192.168.1.0/24 on eth0; confirm it with route -n. Do not point this route at the ISP's gateway (for example 61.5.156.146): that would send LAN-bound packets out toward the Internet instead of onto the local segment. If the route is missing, add it on the interface itself, without a gateway:

route add -net 192.168.1.0/24 dev eth0
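The whole of scenario 1 as one script, added here as an example and not taken from the original post. EXT_IF and LAN_NET are assumed names that default to the post's single NIC (eth0, which carries both the public address and the eth0:0 alias) and its private range; DRY_RUN is an assumed switch that prints the commands instead of executing them, which is how the block runs without root. Unlike the page's two-line version, the policy is stateful: the LAN may open connections out, replies come back, and nothing else is forwarded.

```shell
#!/bin/sh
# Added example (not from the original post): the Private - Public router of
# scenario 1 as one script. Assumed names: EXT_IF is the post's single NIC
# (eth0, carrying the public address and the eth0:0 alias) and LAN_NET the
# private range behind it. Set DRY_RUN=1 to print the commands instead of
# executing them; applying them for real needs root.

EXT_IF="${EXT_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# run: execute a command, or print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# nat_router_rules: flush both tables, then install masquerading for
# LAN_NET and a stateful forwarding policy.
nat_router_rules() {
    # -F and -X only touch the filter table; nat must be named explicitly.
    run iptables -F
    run iptables -t nat -F
    run iptables -X
    run iptables -t nat -X

    # Nothing is forwarded unless a rule below allows it.
    run iptables -P FORWARD DROP

    # Rewrite only the LAN's private source addresses to the public one
    # on the way out.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$EXT_IF" -j MASQUERADE

    # With one NIC, -i eth0 would match packets from the Internet too, so
    # the accept is keyed on the private source range instead.
    run iptables -A FORWARD -s "$LAN_NET" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    # Replies to LAN-initiated flows are let back in; the reverse NAT has
    # already restored the private destination by the time FORWARD sees them.
    run iptables -A FORWARD -d "$LAN_NET" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Enable forwarding now; persist it with net.ipv4.ip_forward = 1 in
    # /etc/sysctl.conf.
    run sysctl -w net.ipv4.ip_forward=1
}

# Apply only when explicitly asked:  ./nat-router.sh apply
if [ "${1:-}" = "apply" ]; then
    nat_router_rules
fi
```

Run it once with DRY_RUN=1 to read the generated commands, then as root with the apply argument. After applying, iptables -t nat -L POSTROUTING -n and iptables -L FORWARD -n should show exactly the rules printed in the dry run.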

2. Private – Private

Assume:

Your current network is 192.168.1.0/24 and the gateway/firewall is 192.168.1.1.
You now want to create a separate LAN, 192.168.2.0/24, and forward its packets through 192.168.1.1 to the outside world using a box inside your network.

Choose the box you want to turn into a router and follow these steps.

a) Its IP settings will be as follows:
eth0 – 192.168.1.15
255.255.255.0
192.168.1.1 (gw)
eth0:0 – 192.168.2.1
255.255.255.0
gw (leave blank)

b) Then on the gateway machine (192.168.1.1) make sure of the following:

Add a POSTROUTING rule for the 192.168.2.0/24 LAN

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/20 ! -d 192.168.0.0/20 -j SNAT --to-source <public IP of the gateway>

[ This source-NATs packets from any 192.168.0.0/20 address (the /20 covers both 192.168.1.0/24 and 192.168.2.0/24) leaving eth0 for a destination outside that range, so the 192.168.2.0 network reaches the outside world and the replies are translated back. Replace <public IP of the gateway> with the gateway's public address. If the gateway already masquerades everything leaving eth0, as in scenario 1, that rule covers the new LAN too. ]

And add a route for your 192.168.2.0/24 LAN:

route add -net 192.168.2.0/24 gw 192.168.1.15

Also make sure your DNS server (BIND, in the options block of named.conf) allows queries from the new LAN; again the /20 covers both subnets:

allow-query {
192.168.0.0/20;
};

c) Enable packet forwarding in the kernel on the new router box (192.168.1.15); the gateway is already forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

That's it: your 2.0 network can now talk to the outside world through 192.168.1.15 -> 192.168.1.1.

Note: on your client machines (say 192.168.2.20) use 192.168.2.1 as the default gateway and 192.168.1.1 as the nameserver.

If you want to restrict things so that nothing on the 2.0/24 network can reach anything on the 1.0/24 network except 1.1, add the following rules on the new router (192.168.1.15), because that is the box forwarding 2.0/24 traffic, not the gateway:

iptables -I FORWARD -s 192.168.2.0/24 -d 192.168.1.0/24 -p all -j REJECT -o eth0
[ This blocks all traffic from the 2.0/24 LAN to the 1.0/24 LAN ]

iptables -I FORWARD -s 192.168.2.0/24 -d 192.168.1.1 -p all -j ACCEPT -o eth0
[ Only allow traffic to the gateway ]

Because -I inserts at the top of the chain, run the commands in this order so that the ACCEPT for 192.168.1.1 ends up above the REJECT; check the result with iptables -L FORWARD -n --line-numbers. The REJECT also drops replies from 2.0/24 hosts to connections opened from 1.0/24, so if hosts in the old LAN need to reach the new one, insert a rule accepting ESTABLISHED,RELATED connections ahead of it.
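The same isolation policy for the inner router (192.168.1.15), written as an iptables-restore file, added here as an example and not taken from the original post. OLD_NET, NEW_NET and GW are assumed names that default to the post's addresses. Listing the rules in match order avoids the -I ordering trap, and the leading ESTABLISHED,RELATED rule keeps connections opened from the old LAN into the new one working, which the bare REJECT on the page would break.

```shell
#!/bin/sh
# Added example (not from the original post): the FORWARD policy for the box
# that routes the new LAN in scenario 2 (192.168.1.15, eth0 with the eth0:0
# alias), written as an iptables-restore file so the rules load atomically
# in the order listed. OLD_NET, NEW_NET and GW are assumed names that
# default to the post's addresses.

OLD_NET="${OLD_NET:-192.168.1.0/24}"
NEW_NET="${NEW_NET:-192.168.2.0/24}"
GW="${GW:-192.168.1.1}"

# inner_router_ruleset: print the filter table. Rules match top to bottom,
# so the narrow ACCEPT for the gateway sits above the broad REJECT; the
# page's -I commands only achieve that when issued in reverse order.
inner_router_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies for flows already allowed, including connections opened from
# $OLD_NET into $NEW_NET, which a bare REJECT on the return path would break.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The new LAN may talk to the gateway itself (the nameserver lives there) ...
-A FORWARD -s $NEW_NET -d $GW -j ACCEPT
# ... but to nothing else in the old LAN.
-A FORWARD -s $NEW_NET -d $OLD_NET -j REJECT
# Everything else from the new LAN is forwarded on toward the gateway.
-A FORWARD -s $NEW_NET -j ACCEPT
# Hosts in the old LAN may open connections into the new LAN.
-A FORWARD -s $OLD_NET -d $NEW_NET -j ACCEPT
COMMIT
EOF
}

# Print the ruleset; load it with:  sh inner-router.sh | iptables-restore
inner_router_ruleset
```

iptables-restore replaces the whole filter table in one step, so a mistake never leaves the chain half-built the way a failed sequence of -I commands can. After loading, iptables -L FORWARD -n --line-numbers should list the gateway ACCEPT at a lower number than the REJECT.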
