Linux box as a router

Two scenarios:

1. Private - Public
2. Private - Private (inside your LAN)

1. Private - Public

a) Assign the public IP address to the Fast Ethernet card with the following settings:

IP Address (replace with your public IP address)
Net Mask (provided by the Internet service provider)
Default Gateway
Preferred DNS

b) Create a virtual IP address (an alias) on this Fast Ethernet card

Copy the configuration file of eth0 to a new file named for eth0:0.
Assign it a private IP address from the same range you have assigned to the other computers in your local area network:

IP Address (
Net mask (
Default Gateway (leave this blank)

c) Create forwarding rules with iptables:

First delete and flush the existing rules. The default table is "filter"; others such as "nat" must be named explicitly.

# Flush all rules in the filter and nat tables
iptables -F
iptables -t nat -F
# Delete all user-defined chains in the filter table
iptables --delete-chain

# Delete all user-defined chains in the nat table
iptables --table nat --delete-chain

# Set up IP FORWARDing and Masquerading
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -j ACCEPT

d) Enable packet forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

e) Create a route for the internal packets:

route add -net gw dev eth0

Replace the gateway with your own gateway IP address.

2. Private - Private

Your current network is - and your gateway/firewall is -
Now you want to create a separate LAN and forward its packets to the outside world through a box inside your network.

Choose the box you want to turn into a router and follow these steps:

a) The IP settings are as follows:
eth0 - (gw)
eth0:0 -
gw (leave blank)

b) Then on the gw machine ( make sure of the following:

iptables -t nat -A POSTROUTING -o eth0 -s -d ! -j SNAT --to-source

[ This will forward and reverse packets from gw network to outside world ]

And add a route for your LAN:

route add -net gw

Also make sure your DNS server allows queries from outside your LAN:

allow-query {;

c) Enable packet forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

Now you are done! Your 2.0 network will be able to talk to the outside world through ->

Note: On your client machine (say ) use as your default gateway and as the nameserver.

If you want to ensure that no host on the 2.0/24 network can reach any host on the 1.0/24 network except 1.1, add the following rules to your firewall. Note that -I inserts at the top of the chain, so the ACCEPT rule added second ends up above the REJECT rule and is matched first:

iptables -I FORWARD -s -d -p all -j REJECT -o eth0
[ This blocks all traffic from the 2.0/24 LAN to the 1.0/24 LAN ]

iptables -I FORWARD -s -d -p all -j ACCEPT -o eth0
[ This only allows traffic to the gw ]
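The steps above are easy to get wrong in order, so here is an added example (not from the original page) that emits the full rule set for the Private - Private scenario as a dry run you can review before applying it. The interface name and the addresses are constructed placeholders; the script also uses a default-deny FORWARD policy with a conntrack rule for return traffic, which goes beyond the page's rules.

```shell
#!/bin/sh
# Added example: print the commands for turning a box into a NAT router
# for a second private LAN, in the order they must be applied.
# All values below are constructed placeholders, not taken from the page.
set -eu

WAN_IF="${WAN_IF:-eth0}"                         # interface facing the upstream LAN
LAN_NET="${LAN_NET:-192.0.2.0/24}"               # the new "2.0/24" LAN behind this box
UPSTREAM_NET="${UPSTREAM_NET:-198.51.100.0/24}"  # the existing "1.0/24" LAN
ROUTER_WAN_IP="${ROUTER_WAN_IP:-198.51.100.1}"   # this box's address on the upstream LAN

# Emit the commands. Rules are appended (-A) in first-match order:
# the ACCEPT for the gateway must come before the REJECT for the rest
# of the upstream LAN, otherwise clients cannot reach the gateway/DNS.
gen_router_rules() {
    wan_if=$1 lan_net=$2 upstream_net=$3 gw_ip=$4
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -F
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $lan_net -d $gw_ip -j ACCEPT
iptables -A FORWARD -s $lan_net -d $upstream_net -j REJECT
iptables -A FORWARD -s $lan_net -o $wan_if -j ACCEPT
iptables -t nat -A POSTROUTING -s $lan_net ! -d $upstream_net -o $wan_if -j SNAT --to-source $gw_ip
EOF
}

# Sanity check: return 0 only if the gateway ACCEPT precedes the REJECT.
accept_precedes_reject() {
    gen_router_rules "$@" | awk '
        /-d [^ ]+ -j ACCEPT/ && !a { a = NR }
        /-j REJECT/ && !r { r = NR }
        END { exit !(a && r && a < r) }'
}

gen_router_rules "$WAN_IF" "$LAN_NET" "$UPSTREAM_NET" "$ROUTER_WAN_IP"
```

Pipe the output into `sh` on the router once you have checked it; the REJECT rule is only reached for upstream-LAN destinations other than the gateway.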

