Интернет шлюз на Ubuntu / Debian
Обновлено: 16.02.2023 Опубликовано: 23.01.2019
- Включение redirect на уровне ядра.
- Настройкой брандмауэра.
- Опционально, настройка проброса портов.
Настройка ядра системы
sysctl -p /etc/sysctl.d/gateway.conf
Если мы получим ошибку sysctl command not found, либо нужно установить пакет:
либо перезайти в режим суперпользователя с загрузкой его окружения:
В случае с единственным сетевым адаптером больше ничего делать не потребуется — Ubuntu начнет работать как Интернет-шлюз.
В случае с несколькими сетевыми адаптерами, настраиваем сетевой экран.
Настройка брандмауэра
Как правило, управление брандмауэром netfilter в Linux на базе Debian выполняется с помощью утилиты iptables.
Iptables
Предположим, что сеть Интернет настроена через интерфейс ens160, а локальная сеть доступна через ens32. Создадим правило:
iptables -t nat -I POSTROUTING -o ens160 -j MASQUERADE
Если на сервере для доступа в локальную и глобальную сети используются разные сетевые интерфейсы, нам может понадобиться создать еще два правила.
iptables -I FORWARD -i ens32 -o ens160 -m state —state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -i ens32 -o ens160 -j ACCEPT
* интерфейс ens160, как условились ранее, используется для доступа в Интернет. Интерфейс ens32 — локальная сеть.
Сохраняем настройки iptables:
apt install iptables-persistent
Проброс портов (Port Forwarding)
Необходим для перенаправление сетевых запросов на сервер, стоящий за NAT и не имеющий прямого выхода во внешнюю сеть.
Iptables
Настройка выполняется двумя командами:
iptables -t nat -A PREROUTING -p tcp -m tcp -d 10.8.232.111 —dport 25 -j DNAT —to-destination 192.168.0.15:8025
iptables -t nat -A POSTROUTING -p tcp -m tcp -s 192.168.0.15 —sport 8025 -j SNAT —to-source 10.8.232.111:25
iptables -t nat -A PREROUTING -p tcp -i eth0 —dport 25 -j DNAT —to-destination 192.168.0.15:8025
iptables -A FORWARD -p tcp -d 192.168.0.15 —dport 8025 -m state —state NEW,ESTABLISHED,RELATED -j ACCEPT
* где eth0 — внешний сетевой интерфейс.
iptables -I INPUT 1 -p tcp —dport 8025 -j ACCEPT
* обратите внимание, что мы разрешаем порт, на который переводим запрос, так как цепочки POSTROUTING и PREROUTING работают до цепочки FILTER, а потому открывать нужно не входящий порт (25), а тот, на который назначается пакет (8025).
Не забываем сохранить правила:
Linux Blog
This tutorial shows how to set up network-address-translation (NAT) on a Linux system with iptables rules so that the system can act as a gateway and provide internet access to multiple hosts on a local network using a single public IP address. This is achieved by rewriting the source and/or destination addresses of IP packets as they pass through the NAT system.
[Note] The location of the files (ifcfg-ethx, network. etc ..) mentioned below might be different in different distribution, check the manuals of your distribution to edit the correct file.
Step by Step Procedure
Step 1. Add 2 Network cards to the Linux box
Step 2. Verify the Network cards, check if they installed properly or not
Step 3. Configure eth0 for Internet with a Public (External network or Internet)
# cat ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
BROADCAST=xx.xx.xx.255 # Optional Entry
HWADDR=00:50:BA:88:72:D4 # Optional Entry
IPADDR=xx.xx.xx.xx
NETMASK=255.255.255.0 # Provided by the ISP
NETWORK=xx.xx.xx.0 # Optional
ONBOOT=yes
TYPE=Ethernet
USERCTL=no
IPV6INIT=no
PEERDNS=yes
GATEWAY=xx.xx.xx.1 # Provided by the ISP
BOOTPROTO=none
PEERDNS=yes
HWADDR=00:50:8B:CF:9C:05 # Optional
TYPE=Ethernet
IPV6INIT=no
DEVICE=eth1
NETMASK=255.255.0.0 # Specify based on your requirement
BROADCAST=»»
IPADDR=192.168.1.1 # Gateway of the LAN
NETWORK=192.168.0.0 # Optional
USERCTL=no
ONBOOT=yes
Step 5. Host Configuration (Optional)
# cat /etc/hosts
127.0.0.1 nat localhost.localdomain localhost
Step 6. Gateway Configuration
# cat /etc/sysconfig/network
nameserver 208.67.222.222 # Primary DNS Server provided by the ISP
nameserver 208.67.220.220 # Secondary DNS Server provided by the ISP
Step 8. NAT configuration with IP Tables
First of all you have to flush and delete existing firewall rules. So flush rules by typing in terminal:
Step 9. Testing
Ping the Gateway of the network from client system: ping 192.168.2.1
Try it on your client systems: ping google.com
Configuring PCs on the network (Clients)
All PC’s on the private office network should set their «gateway» to be the local private network IP address of the Linux gateway computer.
The DNS should be set to that of the ISP on the internet.
Windows 2000, XP, Configuration:
Select «Start» + Settings» + «Control Panel»
Select the «Network» icon
Select the tab «Configuration» and double click the component «TCP/IP» for the ethernet card. (NOT the TCP/IP -> Dial-Up Adapter)
Select the tabs:
«Gateway»: Use the internal network IP address of the Linux box. (192.168.1.1)
«DNS Configuration»: Use the IP addresses of the ISP Domain Name Servers.
«IP Address»: The IP address (192.168.XXX.XXX — static) and netmask (typically 255.255.0.0 for a small local office network) of the PC can also be set here.
3 comments:
this is very old now, is it possible to update it for 2011.
Hello. I run a small WISP with Public IP address system. I intend to be able to control the Access outside of the bandwidth management so as to be able to automatically discontinue the service for clients that choose not to pay at due dates. each BTS is a routed Network. So i intend to use their Public IP addresses.
How can I use Linux as a Gateway?
NOTE: If client devices ( computer B in this example) want to obtain internet through the gateway computer, maybe they still need to configure nameserver resolution. This is not explained here (a gateway does not necessarily serve internet).
I am trying to understand the fundamentals of networks routing.
So I am experimenting with my LAN (I don’t need internet for now, just LAN communications). I know the network configuration matters are a rather complex thing, but I am just trying to make a computer (say A) to act as a gateway for another (say B) (both running Ubuntu Linux).
I only need B to be capable to reach the router, that is only reachable for A. This is the case:
Router for computer A --> 192.168.0.1 Computer A - eth0 --> 192.168.0.2 Computer A - eth1 --> 192.168.1.1 Computer B - eth0 --> 192.168.1.2 Computer A connects fine to router.
Computer A and B connect fine (ping, SSH. etc) between them.
Computer B can not reach the router for computer A. I was thinking that just adding on B Computer A as default gateway and activating IP Forwarding on A would make B to be able to reach the router for A:
luis@ComputerB:~$ sudo route add default gw 192.168.1.1 luis@ComputerB:~$ sudo routel target gateway source proto scope dev tbl 127.0.0.0 broadcast 127.0.0.1 kernel link lo local 127.0.0.0 8 local 127.0.0.1 kernel host lo local 127.0.0.1 local 127.0.0.1 kernel host lo local 127.255.255.255 broadcast 127.0.0.1 kernel link lo local 192.168.1.0 broadcast 192.168.1.2 kernel link eth0 local 192.168.1.2 local 192.168.1.2 kernel host eth0 local 192.168.1.255 broadcast 192.168.1.2 kernel link eth0 local default 192.168.1.1 eth0 169.254.0.0 16 link eth0 192.168.1.0 24 192.168.1.2 kernel link eth0 root@ComputerA:~$ echo 1 > /proc/sys/net/ipv4/ip_forward luis@ComputerB:~$ ping 192.168.0.1 PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data. ^C (No ping response) Is this the correct procedure to make a computer running Linux to act as a gateway for another computer in a simple manner?