Routing, NAT and Gateways in Linux

September 18, 2005
This article explains the concept of a router, NAT, and a gateway and how to configure these in Linux.

What is a router?


A router is a device that directs network traffic destined for an entirely different network in the right direction.

What is a gateway?


Any device which acts as the path to or from your network to a different network / the Internet is considered to be a gateway.

What is NAT?


Network Address Translation (NAT) is a capability of a routing machine to alter the source or destination IP address / port of the packet passing through it.

This is used in situations where multiple machines with private IP addresses need to access the Internet / another network, with only one public IP address available.

A common name for this is IP masquerading. With masquerading, your router acts as a proxy: Linux keeps track of each packet's journey so that, as data is sent and received, the session stays intact end to end. Usually NAT is implemented on your gateway machine / router using iptables.

As an example, consider two machines residing in two entirely different networks as shown below.

Name of network      Network address
---------------      ---------------
      A               192.168.1.0/16
      B               192.168.2.0/16

These are two separate 'Class C' networks.

So for a computer in network 'A' to communicate directly with a computer in network 'B', you need an intermediary at the source network (A) to direct the traffic to the destination network (B), and vice versa.

This is the job of a router. So there will be a router on network A and another router on network B.

A router is also a gateway and usually does masquerading (NAT) of data packets passing through it.


How to configure a Linux machine as a router


A machine running Linux can be configured to act as a router between two networks. To activate the routing functionality, you enable IP forwarding.

Here is how you do it.

Log into the Linux machine you wish to configure as a router, open a terminal and enter the following command:

echo "1" > /proc/sys/net/ipv4/ip_forward

This enables IP forwarding on your Linux machine.

You need to be logged in as root, or your account needs superuser privileges.


Unfortunately, the change will be lost when the machine is rebooted. To make it persistent across reboots, open the file /etc/sysctl.conf in your favourite editor and uncomment or add the net.ipv4.ip_forward line shown below:

#FILE : /etc/sysctl.conf
...
net.ipv4.ip_forward = 1
...
#net.ipv6.conf.all.forwarding=1

To enable packet forwarding for IPv6 as well, uncomment (remove the leading '#' from) the net.ipv6.conf.all.forwarding line too.

Each time you change the sysctl.conf file, you need to let the kernel know about the changes. This is done by executing the command:

# sysctl -p

For your Linux machine to act as a router, you need two Ethernet cards in the machine. Alternatively, you can configure a single Ethernet card with multiple IP addresses.


Converting your Linux router into a gateway


Suppose your Linux router is known by the host name LINUX_ROUTER and has been assigned the local network address 192.168.0.1. To give it the role of a gateway, add the default route on all the other machines on the local network as follows.

# route add default gw LINUX_ROUTER

The route command also takes an IP address instead of the hostname as shown below.

# route add default gw 192.168.0.1

... where 192.168.0.1 is the internal IP address of your Linux router.

The route command has to be executed on every host in the network except the router itself.


To check if the default gateway is correctly set, run the route command as shown below.

# route -n

... and here is the output:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
...
...

In the output above (truncated for brevity), the host's default gateway is set as indicated, and the route's flags have the value UG:

'U' means the network is UP, and
'G' means Gateway.

Additional routes can be added with the route command if needed.

If all the machines are assigned an IP address using DHCP, this step can be ignored because DHCP assigns the default gateway automatically along with the IP address.


Configuring NAT on the router


On the Linux machine acting as the gateway or router, open a terminal and run the following iptables command to enable NAT (here eth0 is the interface facing the Internet / external network).

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables is the packet filtering and NAT firewall tool in Linux.
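The forwarding and masquerading steps above combined into one script, as an added example that is not from the original article; the interface names eth0 (external) and eth1 (LAN), the LAN prefix 192.168.0.0/24, and the DRY_RUN switch are assumptions. Beyond the single MASQUERADE rule, it also locks down the FORWARD chain so that only connections originating on the LAN, and the replies to them, are passed through the gateway.

```shell
#!/bin/sh
# Added example (not the article's own script). Run as root with the
# argument "apply"; set DRY_RUN=1 to print the commands instead of running them.
LAN_IF="${LAN_IF:-eth1}"            # assumed: interface facing the local network
WAN_IF="${WAN_IF:-eth0}"            # assumed: interface facing the Internet
LAN_NET="${LAN_NET:-192.168.0.0/24}" # assumed: local network prefix
DRY_RUN="${DRY_RUN:-0}"

# Either execute a command or, in dry-run mode, print it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Runtime equivalent of: echo 1 > /proc/sys/net/ipv4/ip_forward
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Masquerade only LAN sources leaving via the WAN interface, and restrict what
# the router is willing to forward: LAN-originated traffic outbound, and only
# established/related replies inbound. Everything else in FORWARD is dropped.
nat_rules() {
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -P FORWARD DROP
}

# Check that the kernel is really forwarding (exit status 0 if it is).
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

main() {
    enable_forwarding
    nat_rules
}

[ "${1:-}" = "apply" ] && main
```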
