
Saturday, 3 July 2010

Linux iptables Basic Commands - Linux as a router

iptables is the standard userspace tool for configuring the packet filter built into the Linux kernel (netfilter). It can be used to allow or block traffic arriving at, leaving, or passing through the system.

Configuring iptables to make Linux work as a router:

For Linux to work as a router, there should normally be two NICs.

Here we implement the router with the network settings below, using two NICs:

eth1 -> , netmask = , Gateway: -> connected to the modem and hence to the internet. No other system in my LAN has direct access to this modem.

eth0 -> , netmask -> connected to the LAN. All systems in the LAN have to reach the internet through this host.

For Linux to act as a router, two settings must be done.

1. IP forwarding: By default the kernel does not forward packets between interfaces. Forwarding can be enabled temporarily (until the next reboot) by setting the flag to 1 as below.

#echo 1 >/proc/sys/net/ipv4/ip_forward

To make it permanent and active after the next reboot, enable it in /etc/sysctl.conf by adding or editing the line below:
net.ipv4.ip_forward = 1
To apply this change without rebooting, run the command (it reads /etc/sysctl.conf by default):
sysctl -p

2. Adding the iptables entry for routing (NAT) the packets:

Before you add any entry, make sure the iptables service is enabled so the saved rules are loaded at boot.
[root@shimna /]# chkconfig --list|grep iptables
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
If it is not on at runlevels 2 to 5, turn it on using the command below.
[root@shimna /]# chkconfig iptables on

Make sure you don't have any unwanted iptables rules loaded currently. Check both the filter table (the default) and the nat table:

[root@shimna /]# iptables -nvL
[root@shimna /]# iptables -nvL -t nat

If any unwanted rules are present, flush them using the -F option and save the result. Note that -F without -t only flushes the filter table, so flush the nat table separately, and that -F removes rules but does not change the chain policies: if the INPUT policy is DROP you can lock yourself out of a remote session, and if it is ACCEPT the host is left without any filtering until you add rules back.
[root@shimna /]# iptables -F
[root@shimna /]# iptables -t nat -F
[root@shimna scripts]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@shimna scripts]#

Now you can add the entry to route the packets:

[root@shimna scripts]# iptables -t nat -A POSTROUTING -o eth1 -s -j MASQUERADE

The above setting can be verified by below command:

[root@shimna scripts]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 19 packets, 1554 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      eth1

Chain OUTPUT (policy ACCEPT 19 packets, 1554 bytes)
 pkts bytes target     prot opt in     out     source               destination

Now your Linux system is ready to act as a router. On every other system in the LAN, set the default gateway to the LAN IP of this Linux host (its eth0 address). Keep in mind that the MASQUERADE rule only rewrites the source address of outgoing packets; what is actually forwarded is decided by the FORWARD chain of the filter table, whose policy is ACCEPT after the flush above, so the host will forward anything in either direction. Restrict FORWARD to traffic from the LAN subnet out of eth1, plus the established and related replies coming back in, and save the rules again with service iptables save so they survive a reboot.
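The whole procedure in one script, as an added example that is not code from the original post: it generates a complete ruleset in iptables-restore format (the MASQUERADE rule from step 2 plus a locked-down FORWARD chain), checks that IPv4 forwarding from step 1 is both active and persisted in /etc/sysctl.conf, and applies everything when run as root. The interface names eth0/eth1, the LAN range 192.168.1.0/24 and the function names are assumptions, since the post's own addresses are not shown; override the interfaces and subnet through the environment.

```shell
#!/bin/sh
# Added example, not code from the original post: build a two-NIC NAT
# router ruleset in iptables-restore format and check that IPv4
# forwarding is enabled now and persisted for the next reboot.
# Interface names and the LAN subnet are assumptions (the post's own
# addresses are not shown); override them via the environment.
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed LAN range

# Print an iptables-restore ruleset for a LAN->WAN masquerading router.
# Besides the POSTROUTING MASQUERADE rule from the post, the FORWARD chain
# gets a DROP policy so only traffic from the LAN subnet out of the WAN
# interface, and the replies to it, are forwarded; anything arriving on
# the WAN side that is not part of an existing flow is dropped.
router_ruleset() {
    lan_if="$1"; wan_if="$2"; lan_net="$3"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
-A FORWARD -i $wan_if -o $lan_if -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Return 0 if the running kernel forwards IPv4 packets (step 1 of the post).
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Return 0 if a sysctl.conf-style file sets net.ipv4.ip_forward = 1
# (a commented-out line or "= 0" does not count).
forwarding_persisted() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Apply everything; needs root. Pass --dry-run to only print the ruleset.
apply_router() {
    if [ "$1" = "--dry-run" ]; then
        router_ruleset "$LAN_IF" "$WAN_IF" "$LAN_NET"
        return 0
    fi
    sysctl -w net.ipv4.ip_forward=1
    forwarding_persisted /etc/sysctl.conf || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    router_ruleset "$LAN_IF" "$WAN_IF" "$LAN_NET" | iptables-restore
    forwarding_enabled && echo "router active: $LAN_NET via $LAN_IF -> $WAN_IF"
}

# Only act when explicitly asked, so sourcing this file is harmless:
#   ROUTER_APPLY=1 sh router.sh            (apply, as root)
#   ROUTER_APPLY=1 sh router.sh --dry-run  (print the ruleset only)
if [ "${ROUTER_APPLY:-0}" = "1" ]; then
    apply_router "$@"
fi
```

Loading the ruleset with iptables-restore replaces the nat and filter tables atomically, which avoids the window during a flush-then-add sequence where no rules are present. Review the --dry-run output before applying, and keep a console session open the first time: the DROP policy on FORWARD does not affect traffic to the router itself, but a typo in the interface names will silently cut the LAN off from the internet.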
