Setup firewall with iptables in Ubuntu (Part 3)

Masquerading (Many to One NAT)
NAT = Network Address Translation

Mean that all traffics from your networks behind the firewall will be appear on the internet as if as it is only originated form a single ip address.

The masquerade IP address always defaults to the IP address of the firewall’s main interface. It will be easier for you to configure iptables NAT with DHCP because you don’t have to specify the NAT IP address.

 

Masquerade needs iptables_nat module and IP forwarding = enabled to run.

 

 

Step 1. Load the iptables_nat module

taufanlubis@zyrex:~$ sudo modprobe -a iptable_nat

or

put at /etc/rc.local

modprobe -a iptable_nat

 

Check if it’s already uploaded.

root@zyrex:/home/taufanlubis# sudo modprobe -l | grep iptable_nat

/lib/modules/2.6.20-16-generic/kernel/net/ipv4/netfilter/iptable_nat.ko

root@zyrex:/home/taufanlubis#

 

 

Step 2. Enable routing by modifying the ip_forward at /proc/sys/net/ipv4 from value ‘0’ to ‘1’.

0 = disable/ 1=enable

taufanlubis@zyrex:~$ su root

Password:

root@zyrex:/home/taufanlubis# echo 1 > /proc/sys/net/ipv4/ip_forward

Check the value.

root@zyrex:/home/taufanlubis# cat /proc/sys/net/ipv4/ip_forward

1

root@zyrex:/home/taufanlubis#

 

 

Step 3. Allow masquerading

Let’s try a case.

You have 2 interface in your router.

eth0 is the internet interface

eth1 is the private network interface

If you configure your firewall to do masquerading, you should use the ip address from eth1 as a default gateway for all your severs on the network.

 

taufanlubis@zyrex:~$ sudo iptables -A POSTROUTING -t nat -s 192.168.0.1/24 -o et

h0 -d 0/0 -j MASQUERADE

 

taufanlubis@zyrex:~$ sudo iptables -A FORWARD -o eth0 -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT

taufanlubis@zyrex:~$ sudo iptables -A FORWARD -i eth0 -m state –state ESTABLISHED,RELATED -j ACCEPT

After ‘network address translation table‘ from ‘ip 192.168.0.1-192.168.0.254 destined to any ip address‘ are masqueraded, the packets then are routed via the filter table’s FORWARD chain.

Allowed outbound: New, established and related connections

Allowed inbound: Established and related connections

 

Check the iptables’ rules again.

taufanlubis@zyrex:~$ sudo iptables -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

 

Chain FORWARD (policy ACCEPT)

target prot opt source destination

ACCEPT 0 — anywhere anywhere state NEW,RELATED,ESTABLISHED

ACCEPT 0 — anywhere anywhere state RELATED,ESTABLISHED

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

taufanlubis@zyrex:~$

You will not see the POSTROUTING chain rule because the ‘iptables rules‘ displays INPUT, FORWARD and OUTPUT information only.