Networking / Beginners

Building an Internet-Connection Sharing Firewall on a Static WAN IP Address

Your Linux firewall box is assembled and ready to go to work. But first, you must configure a firewall and Internet connection sharing. You're still on IPv4, and your LAN uses mostly nonroutable, private IP addresses, so you want a NAT (Network Address Translation) firewall. You have the type of Internet account that gives you a static, public IP address.

The fw_nat script from the previous section needs one line changed. Find:


and replace it with:

$ipt -t nat -A POSTROUTING -o $WAN_IFACE -j SNAT --to-source

Use your own WAN IP address, of course.

Static addresses are good candidates for being put in variables at the beginning of the script, like this:


Then, your rule looks like this:

$ipt -t nat -A POSTROUTING -o $WAN_IFACE -j SNAT --to-source $WAN_IP

You could still use the MASQUERADE target, but that incurs more overhead because it checks which IP address to use for every packet.

Source network address translation (SNAT) rewrites the source address of every packet, leaving your network to the IP address of your firewall box. This is necessary for hosts with private-class addresses to be able to access the Internet.

You can see your NAT-ed addresses with netstat-nat:

# netstat-nat
Proto 	NATed Address 		  Foreign Address 		 State
tcp 	    	 ESTABLISHED
udp 		 ASSURED
udp 		 ASSURED

netstat-nat is not the netstat command with a -nat option; it is a separate command.

Use the -n flag to display IP addresses instead of hostnames.

[Previous] [Contents] [Next]