Building an Internet-Connection Sharing Firewall on a Static WAN IP Address
Your Linux firewall box is assembled and ready to go to work. But first, you must configure a firewall and Internet connection sharing. You're still on IPv4, and your LAN uses mostly nonroutable, private IP addresses, so you want a NAT (Network Address Translation) firewall. You have the type of Internet account that gives you a static, public IP address.
The fw_nat script from the previous section needs one line changed. Find:
$ipt -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
and replace it with:
$ipt -t nat -A POSTROUTING -o $WAN_IFACE -j SNAT --to-source 1.2.3.4
Use your own WAN IP address, of course.
Static addresses are good candidates for being put in variables at the beginning of the script, like this:
WAN_IP="1.2.3.4"
Then, your rule looks like this:
$ipt -t nat -A POSTROUTING -o $WAN_IFACE -j SNAT --to-source $WAN_IP
You could still use the MASQUERADE target, but it is meant for dynamic addresses: it looks up the outgoing interface's current address every time it sets up the NAT mapping for a new connection, and it throws away all of its mappings when the interface goes down. With a static address that work is wasted, so SNAT with a fixed --to-source is the better fit.
Source network address translation (SNAT) rewrites the source address of every packet leaving your network to the public IP address of your firewall box, and the connection-tracking table rewrites the replies back on the way in. This is what lets hosts with private (RFC 1918) addresses, which are not routable on the Internet, reach it at all.
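The fragment above is the one line that changes; the following script puts it in context as a complete, minimal fw_nat-style script for a static WAN address. It is an added example, not the book's own fw_nat script: the interface names, LAN range and WAN address are placeholders, the FORWARD rules are a minimal assumed policy, and the DRY_RUN switch is added so the generated rules can be printed and checked on a box that has no iptables. It also adds the check a practitioner wants here: a typo in WAN_IP would make SNAT rewrite your traffic to an address that is not yours, so the address is validated before any rule is loaded.

```shell
#!/bin/sh
# Added example (not the page's own fw_nat script): a minimal NAT firewall
# for a static WAN address. Interface names, the LAN range and the WAN
# address below are placeholders; replace them with your own.
WAN_IFACE="eth0"
LAN_IFACE="eth1"
LAN_NET="192.168.1.0/24"
WAN_IP="1.2.3.4"
ipt="/sbin/iptables"

# With DRY_RUN set, print each command instead of executing it, so the
# generated rules can be reviewed (or tested) without root or iptables.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# A typo in WAN_IP makes SNAT silently rewrite packets to an address that
# is not yours, so check it is a dotted quad with four octets in 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    (   # subshell so the IFS change does not leak into the script
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for octet in "$@"; do
            [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || exit 1
        done
    )
}

load_nat_rules() {
    valid_ipv4 "$WAN_IP" || { echo "fw_nat: bad WAN_IP '$WAN_IP'" >&2; return 1; }
    run sysctl -w net.ipv4.ip_forward=1
    run $ipt -t nat -F
    run $ipt -F FORWARD
    run $ipt -P FORWARD DROP
    # Static address: rewrite to the fixed WAN_IP instead of MASQUERADE.
    # -s limits translation to packets that really come from the LAN.
    run $ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IFACE" -j SNAT --to-source "$WAN_IP"
    # LAN hosts may open connections outward; only replies come back in.
    run $ipt -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" -s "$LAN_NET" -j ACCEPT
    run $ipt -A FORWARD -i "$WAN_IFACE" -o "$LAN_IFACE" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

case "${1:-}" in
    start) load_nat_rules ;;
    show)  DRY_RUN=1; load_nat_rules ;;
esac
```

Run it as `sh fw_nat start` (as root) to load the rules, or `sh fw_nat show` to print the exact iptables commands it would run; the second form is the one to use when reviewing a change before putting it on a live firewall.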
You can see your NAT-ed connections with netstat-nat:
# netstat-nat
Proto NATed Address                Foreign Address                   State
tcp   stinkpad.alrac.net:41435     64.233.163.99:www                 ESTABLISHED
tcp   stinkpad.alrac.net:45814     annyadvip3.doubleclick.net:www    TIME_WAIT
tcp   stinkpad.alrac.net:45385     annymdnvip2.2mdn.net:www          TIME_WAIT
tcp   stinkpad.alrac.net:50392     63.87.252.186:www                 ESTABLISHED
udp   stinkpad.alrac.net:32795     auth.isp.net:domain               ASSURED
udp   stinkpad.alrac.net:32794     auth.isp.net:domain               ASSURED
netstat-nat is not the netstat command with a -nat option; it is a separate program that reads the kernel's connection-tracking table, so it shows only connections that pass through the NAT rules, not the firewall's own sockets. Use the -n flag to display IP addresses instead of hostnames.
In this tutorial:
- Building a Linux Firewall
- Iptables and NAT, SNAT, and DNAT
- iptables
- Assembling a Linux Firewall Box
- Configuring Network Interface Cards on Debian
- Configuring Network Interface Cards on Fedora
- Identifying Which NIC Is Which
- Building an Internet-Connection Sharing Firewall on a Dynamic WAN IP Address
- Building an Internet-Connection Sharing Firewall on a Static WAN IP Address
- Displaying the Status of Your Firewall
- Turning an iptables Firewall Off
- Starting iptables at Boot, and Manually Bringing Your Firewall Up and Down
- Testing Your Firewall
- Configuring the Firewall for Remote SSH Administration
- Allowing Remote SSH Through a NAT Firewall
- Multiple SSH Host Keys Past NAT
- Running Public Services on Private IP Addresses
- Setting Up a Single-Host Firewall
- Setting Up a Server Firewall
- Configuring iptables Logging
- Writing Egress Rules