Comments on Step-By-Step Configuration of NAT with iptables
Step-By-Step Configuration of NAT with iptables
This tutorial shows how to set up network-address-translation (NAT) on a Linux system with iptables rules so that the system can act as a gateway and provide internet access to multiple hosts on a local network using a single public IP address. This is achieved by rewriting the source and/or destination addresses of IP packets as they pass through the NAT system.
30 Comment(s)
Comments
1. The example is using 190.1.0.0/16 for private IP addresses. This is bad. That block is real live addresses, allocated to ISPs in Latin America and the Caribbean. Private IP addresses should be chosen from one of the following blocks:
192.168.0.0/16
172.16.0.0/12
10.0.0.0/8
2. The example uses 190.1.7.1 as the address of the gateway on the LAN in step #4, but pings it at 190.1.6.1 in step #9.
Are you sure you know what you are talking about?
It is called NAT because the inside addresses are Translated into the outside address.
For example my home inside NAT is 70.80.90.0/24.
(i.e. 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 as suggested by Mr. tzs)
Unless you are doing some subnetting here, I would suggest keeping those internal addresses at their defaults which are:
192.168.1.0/24, i.e. mask 255.255.255.0 for a class C address.
172.16.0.0/16 mask 255.255.0.0 for class B
10.0.0.0/8 255.0.0.0 for class A
Worst howto ever?
Hi All,
I tried it and it is working fine up to Step 7.
After that you can follow
https://www.howtoforge.com/internet-connection-sharing-masquerading-on-linux
The MASQUERADE steps explained there work fine until the system is restarted.
Best Regards,
Sharib Tasneem
SAP BASIS Consultant
It should be noted that /etc/sysconfig exists on SuSE / Novell systems, if you are a Ubuntu server user this will not exist. The equivalent file is /etc/network/interfaces, but the syntax differs.
I'd like to discuss some configuration instructions that I can't get working. You seem to have a handle on this tech.
Please email me, rather not post configs here on this site.
Hello Tim,
can you help me with the proper way to set up this NAT?
Please be clear before you post anything?
Howto FAIL.
Either you bought the 70.80.90.0/24 address space or your inside NAT addressing is bad, because any connection attempt to 70.80.90.15 or similar in that network will never leave your home network, even though this may be a real public address used somewhere out there in the Internet. Always use private addresses inside the NATed network!
Yeah, I use 66.102.0.0/16... what could possibly go wrong :P
#ping google.com
PING google.com (66.102.7.99)
I am sure that won't be a problem
I would suggest 0.0.0.0/0
http://reddragon-linux.blogspot.com/2011/05/linux-internet-gateway-server-setup.html
buddy, you copied parts of this inept article and posted it on your blog???
Then Linux users want to know why companies are still running Microsoft. This howto will make me run back.
My server is logged in as root, but a message says no root folder/directory found. It is logging in with home. Why is this happening? Can anyone help me? And how do I masquerade other internet users with that firewall? I'm not a Linux engineer, but I have the responsibility to solve this. Please help me.
Complete steps at the following link http://www.ittechguru.net/?p=21
It's not working for me. I tried it on a DSL Linux server where the internet is shared from the server to the clients, but the rules are not working. What can I do? How do I block? My client XP machine is bypassed... :(
Hi, I will give a relevant update for users that need it on XenServer 6.2 (newest at this time). I tried and tried and made it work :)
1. E.g. OVH gives you a server with one NIC (eth1), so this is the first problem if you aren't using your own server. The answer to this is creating a new external network with a VLAN (I used 1024) on ETH1 (NIC1) and giving this new network an IP in your XenCenter (Networking), for me 10.20.30.1/24 - why not :)
2. Go to the console of the server and check your interfaces. I have (I won't write all):
eth1 - external network (OVH - with my static IP) - will call it EXT1
xapi0 - external network for internal use (our 10.20.30.0/24 network) - will call it INT1
xenbr1 - network bridge for vSwitch - all networks
You can check all this information via the ifconfig command.
3. system changes
a. Edit file /etc/sysctl.conf
nano /etc/sysctl.conf
b. Uncomment the following line to enable packet forwarding for IPv4 and other stuff
net.ipv4.ip_forward = 1
net.ipv4.conf.default.proxy_arp = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.xenbr0.send_redirects = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
kernel.sysrq = 1
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 4294967295
kernel.shmall = 268435456
vm.dirty_ratio = 5
kernel.printk = 4 4 1 4
4. creating NAT
$IPTABLES -t nat -A POSTROUTING -s $INT1/255.255.255.0 -j MASQUERADE
$IPTABLES -I RH-Firewall-1-INPUT -s $INT1/24 -j ACCEPT
PS. I made a bash script and added it to my startup scripts, or you can add it to /etc/sysconfig/iptables.
5. testing
from my VM - ping google.com - OK
VM config:
IP - 10.20.30.50 (static)
gateway - 10.20.30.1
nameserver - 10.20.30.1
I could use the lokkit command, but in my case there is no MASQUERADE there; that ISP makes it hard as always!!!
http://support.citrix.com/article/CTX123930
I hope it helped someone more :)
nice. easy. works. thanks.
I can't configure DNS, why?
Nice. I stumbled into getting this working 5 Years ago. Nice to know I did it right.
Excellent tutorial. Clear and to the point.
iptables --table nat --append POSTROUTING --out-interface wlp2s0 --in-interface enp1s0 -j ACCEPT
iptables v1.4.21: Can't use -i with POSTROUTING
Hello,
Any idea how to configure source NAT on Ubuntu Linux?
I have only a LAN network 10.x.x.x to which the Ubuntu box is connected. Inside Ubuntu there is a VM with an IP in the network 172.x.x.x.
I need all the packets coming from network 10.x.x.x to the Ubuntu box to be forwarded to the VM, and all the packets from the VM to be forwarded to the NIC on the Ubuntu box with an IP in network 10.x.x.x.
For all the hosts in network 10.x.x.x the network 172.x.x.x will be transparent. I think it can be achieved with source NAT on the Ubuntu exit interface to the network, translating the source IP of the packets coming from the VM 172.x.x.x to 10.x.x.x.
Of course the Ubuntu box needs to translate the incoming packets' destination address from 10.x.x.x to 172.x.x.x, but this is easy to configure. I am stuck with the outgoing packets' source address translation from 172.x.x.x to 10.x.x.x.
Thank you for the help.
The above comment is correct, and you are wrong and should not be using the 70.80.90.0/24 range for your internal IP address allocation.
This is because outside of your network, there exists a real host with the IP address 70.80.90.0...255, and so you won't be able to access it from within your internal network as your router will simply forward it to the internal hosts and not try and find it on the internet.
As explained above, the only 3 internal address ranges that should be used are 192.168.0.0/16, 172.16.0.0/12 or 10.0.0.0/8.
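A script, added here as an example and not taken from the tutorial or from any commenter, that ties together the private-address point made in the first comment and the one above with the forwarding and MASQUERADE setup from the XenServer comment: it refuses a LAN prefix outside RFC 1918 space (10/8, 172.16/12, 192.168/16) and otherwise prints the sysctl and iptables commands for the gateway. The 10.20.30.0/24 prefix and the xapi0/eth1 interface names come from the XenServer comment; the FORWARD and conntrack rules are my addition, not from the page.

```shell
#!/bin/sh
# Added example: check the LAN prefix is RFC 1918 before emitting NAT rules.
set -eu

# ip4_to_int A.B.C.D -> the address as a 32-bit integer
ip4_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_block ADDR CIDR -> succeeds if ADDR lies inside CIDR
in_block() {
    local addr base plen mask
    addr=$(ip4_to_int "$1")
    base=$(ip4_to_int "${2%/*}")
    plen=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( base & mask )) ]
}

# is_private ADDR -> succeeds only for 10/8, 172.16/12 or 192.168/16
is_private() {
    in_block "$1" 10.0.0.0/8 || in_block "$1" 172.16.0.0/12 || in_block "$1" 192.168.0.0/16
}

# nat_rules LAN_CIDR LAN_IF WAN_IF -> prints the gateway commands, or fails
# loudly when the LAN prefix is public space (the 190.1.0.0/16 mistake).
nat_rules() {
    local lan=$1 lan_if=$2 wan_if=$3
    is_private "${lan%/*}" || { echo "refusing: $lan is not RFC 1918 space" >&2; return 1; }
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $lan -o $wan_if -j MASQUERADE
iptables -A FORWARD -i $lan_if -o $wan_if -s $lan -j ACCEPT
iptables -A FORWARD -i $wan_if -o $lan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j DROP
EOF
}

# Usage: sh nat.sh 10.20.30.0/24 xapi0 eth1 | sudo sh
if [ $# -gt 0 ]; then nat_rules "$@"; fi
```

The script only prints the commands; piping them into a root shell applies them, and nothing is applied when the prefix check fails.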
Hi, How to log NAT table to a file?