
Building an Internet-Connection Sharing Firewall on a Static WAN IP Address

Your Linux firewall box is assembled and ready to go to work. But first, you must configure a firewall and Internet connection sharing. You're still on IPv4, and your LAN uses mostly nonroutable, private IP addresses, so you want a NAT (Network Address Translation) firewall. You have the type of Internet account that gives you a static, public IP address.

The fw_nat script from the previous section needs one line changed. Find:

$ipt -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE

and replace it with:

$ipt -t nat -A POSTROUTING -o $WAN_IFACE -j SNAT --to-source 1.2.3.4

Use your own WAN IP address, of course. SNAT does not check that the address you give it exists: if you mistype it, or give it an address that is not routed to your firewall, outbound connections leave with a source address nobody routes back to you, get no replies, and simply hang.

Static addresses are good candidates for being put in variables at the beginning of the script, like this:

WAN_IP="1.2.3.4"

Then, your rule looks like this:

$ipt -t nat -A POSTROUTING -o $WAN_IFACE -j SNAT --to-source $WAN_IP

You could still use the MASQUERADE target, but it is meant for dynamically assigned addresses: for every new connection it looks up the current address of the outgoing interface, and it forgets all tracked connections when that interface goes down. With a static address that work buys you nothing, so use SNAT with the address given explicitly.

Source network address translation (SNAT) rewrites the source address of every packet leaving your network to the public IP address of your firewall box; the kernel's connection tracking remembers each translation and rewrites the destination of the replies back to the LAN host that started the connection. This is necessary because private (RFC 1918) addresses are not routable on the Internet: a remote host has no way to send a reply to one of them directly.
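The same change, written out as a small stand-alone script with the checks you would want around it. This is an added example, not the fw_nat script from the book; the interface names, the LAN network, the `-s $LAN_NET` match on the SNAT rule (so only LAN traffic is translated) and the `DRY_RUN` switch are assumptions of this example. It validates `WAN_IP`, refuses to install the rule unless that address is really configured on `$WAN_IFACE`, deletes the old MASQUERADE rule, and then adds the SNAT rule. The rest of fw_nat (default policies, INPUT and FORWARD rules) is assumed to be in place unchanged.

```shell
#!/bin/sh
# fw_nat_static.sh: install SNAT for a static WAN address (added example,
# not the book's fw_nat script). Interface names, LAN_NET and 1.2.3.4 are
# placeholders; override them in the environment. DRY_RUN=1 prints the
# commands instead of running them.

WAN_IFACE="${WAN_IFACE:-eth0}"
LAN_IFACE="${LAN_IFACE:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WAN_IP="${WAN_IP:-1.2.3.4}"
ipt="${IPTABLES:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# is_ipv4: succeed only for a dotted quad whose four octets are 0-255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# wan_ip_is_configured IFACE ADDR [IP_OUTPUT]: succeed if ADDR is assigned to
# IFACE. Reads "ip -4 -o addr show dev IFACE"; the optional third argument
# supplies that output instead (used for offline testing).
wan_ip_is_configured() {
    iface=$1; addr=$2
    out=${3:-$(ip -4 -o addr show dev "$iface" 2>/dev/null)}
    printf '%s\n' "$out" | grep -qF "inet $addr/"
}

# apply_nat: sanity-check WAN_IP, then swap MASQUERADE for SNAT.
apply_nat() {
    if ! is_ipv4 "$WAN_IP"; then
        echo "WAN_IP '$WAN_IP' is not a valid IPv4 address" >&2
        return 1
    fi
    if [ "$DRY_RUN" != 1 ] && ! wan_ip_is_configured "$WAN_IFACE" "$WAN_IP"; then
        echo "$WAN_IP is not configured on $WAN_IFACE; refusing to SNAT to it" >&2
        return 1
    fi
    run sysctl -w net.ipv4.ip_forward=1
    # Remove the dynamic-address rule if a previous fw_nat run left it behind.
    run "$ipt" -t nat -D POSTROUTING -o "$WAN_IFACE" -j MASQUERADE 2>/dev/null || true
    # The one line that differs from the MASQUERADE version of the script.
    run "$ipt" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IFACE" \
        -j SNAT --to-source "$WAN_IP"
}

# Usage: ./fw_nat_static.sh apply   (or DRY_RUN=1 ./fw_nat_static.sh apply)
#        ./fw_nat_static.sh check   (only verify WAN_IP against WAN_IFACE)
case ${1:-} in
    apply) apply_nat ;;
    check) is_ipv4 "$WAN_IP" && wan_ip_is_configured "$WAN_IFACE" "$WAN_IP" && echo ok ;;
    *) : ;;
esac
```

Run it once with `DRY_RUN=1` first and read the printed iptables commands; the `-D ... MASQUERADE` line is expected to fail harmlessly on a box that never had the MASQUERADE rule.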

You can see your NAT-ed addresses with netstat-nat:

# netstat-nat
Proto  NATed Address              Foreign Address                   State
tcp    stinkpad.alrac.net:41435   64.233.163.99:www                 ESTABLISHED
tcp    stinkpad.alrac.net:45814   annyadvip3.doubleclick.net:www    TIME_WAIT
tcp    stinkpad.alrac.net:45385   annymdnvip2.2mdn.net:www          TIME_WAIT
tcp    stinkpad.alrac.net:50392   63.87.252.186:www                 ESTABLISHED
udp    stinkpad.alrac.net:32795   auth.isp.net:domain               ASSURED
udp    stinkpad.alrac.net:32794   auth.isp.net:domain               ASSURED

netstat-nat is not the netstat command with a -nat option; it is a separate command.

Use the -n flag to display IP addresses instead of hostnames. Without it, netstat-nat does a reverse DNS lookup for every address in the table, which is slow and sends a query for each of your connections to your DNS server.
