Linux routing and nat

How to set up a NAT router on a Linux-based computer

Supposing you have 2 computers: computer A and computer B.

In this example, A has Internet reachability through the eth0 interface through another NAT router (but we don’t care about this). If in your case A is connected directly to the Internet, then you will have to change the IPs of your computers in order to make it work.

  • A has 2 network Interface cards:
    1. eth0 (ip: 192.168.1.3)
    2. eth1 (ip: 192.168.0.1)
  • B has 1 network Interface card:
    1. eth0 (ip: 192.168.0.2)

The main NAT router through which A gets the Internet, on the other end of the eth0 cable, has an IP of 192.168.1.1. In some situations, A will not be behind a NAT router, but will have a default gateway configured. In this case, it will be your gateway’s IP address (that A obtained with the Ethernet card configuration).

First, we configure the eth1 address on A:

ifconfig eth1 192.168.0.1 netmask 255.255.255.0

If we type route on A, we should see something similar to:

# route
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0

The network 192.168.1.0 is the network that we use for Internet access (the eth0 card of A), and 192.168.0.0 is the network that links A with B (the eth1 card of A).

Now that we have an IP address assigned to A's network card, we must do something similar on B:

ifconfig eth0 192.168.0.2 netmask 255.255.255.0

Test the configuration so far

Now we can test that the connection between A and B works. Disable all the firewalls you might have to test this.

From the machine A, we test if we can reach B:

# ping 192.168.0.2
PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data.
64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=1.27 ms
64 bytes from 192.168.0.2: icmp_seq=2 ttl=64 time=0.658 ms

From the machine B, we test if we can reach A:

# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.737 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.633 ms

configure B for NAT

  • Now we have to tell B to use the eth1 card of A (address 192.168.0.1) as the gateway for everything:
route add default gw 192.168.0.1

If we type route on B, we should have something similar to :

# route
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0

configure A for NAT

Now that we have a connection from A to B, we can tell A to share internet connection with B.

modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -j ACCEPT

configure

At this point, you should be able to reach Internet IP addresses from B, but you will not be able to reach something like www.gnu.org. That’s because you need to tell B where to find the server that converts domain names like www.gnu.org into an IP address.

If you don’t have that file or if in the file you have 127.0.0.1, ask your provider to find out what DNS servers you have, or look into your router configuration (if you have one). Once you find out your DNS IP addresses, put them in /etc/resolv.conf at B.

The dnsmasq program is an alternative to writing fixed IP addresses into /etc/resolv.conf. To install it use your general installation program, for instance on machine A:

sudo apt-get install dnsmasq

To check this is running, run the netstat command and see if dnsmasq on machine A is listening on port 53:

final test

#!/usr/bin/env bash
# Run on A (the router): enable forwarding and NAT for the network behind eth1.
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward
ifconfig eth1 192.168.0.1 netmask 255.255.255.0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -j ACCEPT
# Commands credit: Farukesh, DITISS, CDAC

#!/usr/bin/env bash
# Run on B (the client): set the address, use A as default gateway, set DNS.
ifconfig eth0 down
ifconfig eth0 192.168.0.2 netmask 255.255.255.0
route del -net default 2>/dev/null
route add default gw 192.168.0.1 2>/dev/null
# Replace xx.xx.xx.xx with the address of your DNS server.
echo "nameserver xx.xx.xx.xx" > /etc/resolv.conf
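
The FORWARD rule above accepts everything that arrives on eth1 and leaves the return direction to whatever the chain's default policy happens to be. As an added example (not part of the original article), the script below emits a ruleset for A that limits MASQUERADE to the LAN subnet and forwards statefully with a default-drop policy; the helper names and the input checks are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article: emit a stateful NAT
# ruleset for router A in iptables-restore format. Helper names are
# hypothetical; interface names and subnet are the ones used on this page.

valid_ifname() {   # plain interface name, cannot start with "-"
    case $1 in ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    [ "${#1}" -le 15 ]
}

valid_cidr4() {    # a.b.c.d/len with octets <= 255 and len <= 32
    case $1 in
        *[!0-9./]*|*/*/*|*/*.*) return 1 ;;
        *.*.*.*/*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 5 { exit 1 }
        { for (i = 1; i <= 5; i++) if ($i == "") exit 1
          for (i = 1; i <= 4; i++) if ($i > 255) exit 1
          if ($5 > 32) exit 1 }'
}

# nat_ruleset WAN_IF LAN_IF LAN_CIDR: ruleset on stdout, status 1 on bad input
nat_ruleset() {
    valid_ifname "$1" && valid_ifname "$2" && [ "$1" != "$2" ] || return 1
    valid_cidr4 "$3" || return 1
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $3 -o $1 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i $1 -o $2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $2 -o $1 -s $3 -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for this page's addressing. As root, piping it into
# "iptables-restore" replaces the current nat and filter tables with it.
nat_ruleset eth0 eth1 192.168.0.0/24
```

Arguments that are not a plain interface name or an IPv4 CIDR are rejected, so a stray value cannot turn into an extra iptables option.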

How to Configure NAT on Ubuntu

NAT or Network Address Translation allows multiple computers on a private network to share a common IP to access the Internet. One set of IP addresses is used inside the organization and the other set is used by it to present itself to the internet. This helps in conserving limited public IP space. At the same time, it also provides security by hiding the internal network from direct access from the outside world.

How Does the NAT Work?

NAT simply converts the source address of the outgoing packet to a public IP address to make it routable on the internet. In the same way, the source address of the response packets coming from outside (internet) is converted back to local or private IP address.

What will we cover?

In this guide we will learn to set up Ubuntu 20.04 as a NAT router. For this we will use an Ubuntu VM as NAT router and another Ubuntu VM as client VM for the purpose of testing. To test the setup, we are using VirtualBox for creating and managing virtual machines (VMs).

Pre-flight Check

  1. Two Ubuntu VMs, one of them having two network interfaces (NICs).
  2. Ubuntu 20.04 installed on both the VMs.
  3. Administrative (sudo) access on both the VMs.

Experimental Setup

We have used the following setup for the two VMs mentioned above:

1. VM1 (NAT Router): Our router machine has two network interfaces: enp0s3 and enp0s8 (these names may vary depending on the system). The enp0s3 interface acts as a WAN (Internet) interface and is accessible from the outside world (Internet). Its IP address is assigned via DHCP and in our case it is 192.168.11.201.

The enp0s8 interface is a local or LAN interface and is accessible only on the local network where our client will be deployed. We have manually set the IP address for this interface as 10.10.10.1/24 and the “gateway address is left blank”.

2. VM2 (Client Machine): The client machine has only one local or LAN interface, i.e. enp0s3. It is attached to the local network of the above machine (VM1) with the IP address set to 10.10.10.3/24. The only thing to take care of is that the gateway in this case is the IP address of the local interface (enp0s8) of the above machine (VM1), i.e. 10.10.10.1.

The summary of the configuration of the two virtual machines is given in the below table:

VM Name            enp0s3 IP address    enp0s3 Gateway IP   enp0s8 IP address   enp0s8 Gateway IP
VM1 (NAT Router)   192.168.11.201/24    Via DHCP            10.10.10.1/24       (blank)
VM2 (Client)       10.10.10.3/24        10.10.10.1          -                   -

Let’s Begin…

Now that we have set up the required IP addresses on our machine, we are set to configure them. Let us first check the connectivity between these machines. Both the machines should be able to ping each other. VM1, which is our NAT router machine, should be able to reach the global internet as it is connected to WAN via enp0s3. VM2, which is our local client machine, should not be able to reach the internet until we configure the NAT router on VM1. Now, follow the steps below:

Step 1. First check the IP addresses on both the machines with the command:

Step 2. Also check the connectivity of the machines before configuring the NAT router as mentioned above. You can use the ping command like:

Result for the VM1 (NAT Router VM) are shown below:

Result for the VM2 (ClientVM) are shown below:

Both the VMs are working as we expected. Now we will start configuring VM1 (NAT Router).

Step 3. On VM1 open the sysctl.conf file and set the “net.ipv4.ip_forward” parameter to one by uncommenting it:

Step 4. Now enable the changes to above file using the command:

Step 5. Now, install the iptables-persistent package (boot-time loader for netfilter rules, iptables plugin) using:

Step 6. List the already configured iptable policies by issuing the command:

Step 7. Now mask the requests from inside the LAN with the external IP of NAT router VM.

$ sudo iptables -t nat -A POSTROUTING -j MASQUERADE

Step 8. Save the iptable rules using:

Testing The Setup

Now, to check if everything is working fine, ping any public IP from the VM2(client):

Note: If you want, you can add a DNS server manually in the client network configuration for domain name resolution. This will suppress the ‘Temporary failure in name resolution’. We have used the Google DNS IP i.e. 8.8.8.8 in our VM1.

We can see that ping is now working as expected on VM2 (client machine).

Conclusion

NAT is an essential tool for preserving the limited public IPv4 address space. IPv6 is the emerging next-generation IP protocol that is supposed to remove the IPv4 limitations, but the transition is a long process; until then NAT remains very important for organizations.

About the author

Ali Imran Nagori

Ali Imran is a technical writer and Linux enthusiast who loves to write about Linux system administration and related technologies. You can connect with him on LinkedIn.

How to build Linux Router with Ubuntu Server 20.04 LTS

Linux router configuration is simple: you just need to make sure the router has two interfaces connected to the networks that will be routed, enable packet forwarding, and add iptables rules for NAT if needed. There are more advanced configurations, but in this post we will build a Linux router on Ubuntu Server 20.04 that lets LAN traffic through to the Internet on the WAN interface with NAT.

Ubuntu Server 20.04 comes with netplan as the default network interface configuration tool. If you are not familiar with netplan, please read the previous post about Ubuntu Server 20.04 LTS — Basic Network Configuration with netplan.

  • enp0s3 is the WAN interface, it will be configured to obtain IP address from DHCP server.
  • enp0s8 is the LAN interface, it will be configured to use 10.10.10.1/24 IP address.
nano /etc/netplan/anything.yaml

The configuration below sets interface enp0s3 to obtain its address via DHCP and enp0s8 to use the 10.10.10.1/24 IP address. Just add the lines that are colored red to your configuration file, if it is a newly installed Ubuntu Server.

network:
  version: 2
  renderer: networkd
  ethernets:
    enp0s3:
      dhcp4: yes
    enp0s8:
      addresses:
        - 10.10.10.1/24

iptables -t nat -A POSTROUTING -j MASQUERADE

Rules added on the iptables command line are not kept after a system reboot, and there are many ways to make them persistent. This time we will use the easiest way: installing the iptables-persistent package on the Ubuntu server.

apt update -y && apt install iptables-persistent

It will ask you whether to save the current IPv4 and IPv6 iptables rules; answer yes to save them now or no to save them later.

iptables-save > /etc/iptables/rules.v4

This command will save the iptables rules to /etc/iptables/rules.v4 , where later it will be restored by iptables-persistent on every reboot.
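
The MASQUERADE command in this article, and the same command in Step 7 of the Ubuntu NAT guide earlier on this page, names no outgoing interface, so it rewrites the source address of traffic leaving any interface, not only the WAN side. As an added example (not from either article), the script below audits a saved ruleset in iptables-save format for that rule and for a FORWARD chain left at policy ACCEPT; the function names and both sample dumps are constructed for this example.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump such as /etc/iptables/rules.v4.
# Function names and both sample dumps are constructed for this example.

# Reads the dump on stdin, prints one finding per line, returns 1 if any.
audit_nat_rules() {
    awk '
        /^\*/ { table = substr($1, 2); next }     # "*nat" opens a table
        table == "nat" && $1 == "-A" && / -j MASQUERADE( |$)/ {
            scoped = 0
            for (i = 3; i <= NF; i++)
                if ($i == "-o" || $i == "--out-interface") scoped = 1
            if (!scoped) { print "MASQUERADE without -o: " $0; n++ }
        }
        table == "filter" && $1 == ":FORWARD" && $2 == "ACCEPT" {
            print "FORWARD policy ACCEPT: every routed packet is forwarded"
            n++
        }
        END { exit (n > 0) }
    '
}

sample_unscoped() {   # what the MASQUERADE command on this page leaves behind
    cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT
EOF
}

sample_scoped() {     # same router, WAN interface named, FORWARD default-drop
    cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 -o enp0s3 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i enp0s3 -o enp0s8 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp0s8 -o enp0s3 -j ACCEPT
COMMIT
EOF
}

sample_unscoped | audit_nat_rules || echo "findings above need review"
sample_scoped | audit_nat_rules && echo "scoped ruleset: no findings"
```

On a real router, feed it the saved file instead of the samples: audit_nat_rules < /etc/iptables/rules.v4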

If all goes well, we have finished building a Linux router with Ubuntu Server 20.04 LTS. According to the topology, the clients use the 10.10.10.0/24 network address, so configure the clients accordingly.

You can watch all the activity above on building Linux Router with Ubuntu Server 20.04 LTS from this youtube video below. If you still have any problems, please put your comments.
