In this tutorial, I will detail how to set up an Ubuntu server as a NAT router.
The server has two network interfaces: enp0s3 (WAN) and enp0s8 (LAN). NAT is enabled on the WAN NIC. A DHCP server is installed and leases IP addresses to clients over the server's enp0s8 interface.
SERVER SPECS
root@ubuntu-DHC-SVR-RTR:/home/tokunbo# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial
Let's go...
1) CONFIGURE NETWORK INTERFACES
My server has two network interfaces, configured as follows:
#Interface to the internet
auto enp0s3
iface enp0s3 inet dhcp
#interface to my LAN
auto enp0s8
iface enp0s8 inet static
address 172.16.1.2
netmask 255.255.255.0
network 172.16.1.0
gateway 172.16.1.2
2) INSTALL DHCP SERVER
- How to install a DHCP server in Ubuntu Server 16.04
Check if DHCP is running: systemctl status isc-dhcp-server
3) EDIT SYSCTL.CONF
edit this file: /etc/sysctl.conf and uncomment:
# net.ipv4.ip_forward=1
so that it reads:
net.ipv4.ip_forward=1
save the file and exit
apply the change with command: sudo sysctl -p /etc/sysctl.conf
4) CHECK FOR EXISTING IP-TABLES
I do not have any existing iptables rules on my server.
Before the NAT configuration, I check my iptables with: iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
5) CONFIGURE NAT ON enp0s3
On our router we add these two instructions:
iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
iptables -A FORWARD -i enp0s8 -j ACCEPT
or
iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
iptables -A FORWARD -i enp0s3 -o enp0s8 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp0s8 -o enp0s3 -j ACCEPT
- where enp0s3 is the interface to the internet
- where enp0s8 is the interface to my LAN, which is also my DHCP server interface.
Explanation of the above:
line 1 = enable NAT (masquerading) on interface enp0s3: packets leaving through enp0s3 get the server's WAN address as their source address;
line 2 = forward IP packets from enp0s3 to enp0s8 only when they belong to a connection that was already established (initiated) from the LAN;
line 3 = forward packets from enp0s8 to enp0s3.
After the NAT configuration, I check iptables again:
root@ubuntu-SERVERCLONER:/home/tokunbo# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i enp0s3 -o enp0s8 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp0s8 -o enp0s3 -j ACCEPT
root@ubuntu-SERVERCLONER:/home/tokunbo#
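Two things worth checking at this point. First, `iptables -S` only lists the filter table, which is why the MASQUERADE rule does not appear in the output above; `iptables -t nat -S` shows it. Second, the FORWARD chain's default policy is still ACCEPT, so the RELATED,ESTABLISHED rule on line 2 does not restrict anything yet: a WAN-to-LAN packet that matches no rule is accepted by the policy anyway. The script below is an added example, not part of the original tutorial. It prints the Step 3 and Step 5 commands as a reviewable list (with a FORWARD policy of DROP added as a hardening assumption, so that only LAN-initiated traffic is forwarded) and audits an `iptables -S` dump for that policy and the two forward rules. The interface names are the tutorial's; the sample dumps in the usage notes are constructed.

```shell
#!/bin/sh
# Added example (not from the original tutorial): generate the NAT/forwarding
# commands for review and audit an `iptables -S` dump of the filter table.
WAN=enp0s3   # interface to the internet (from the tutorial)
LAN=enp0s8   # interface to the LAN / DHCP server interface (from the tutorial)

# Print, without running, the commands for Steps 3 and 5 (stateful variant).
# `iptables -P FORWARD DROP` is an added assumption: with the policy left at
# ACCEPT, unmatched WAN->LAN packets are forwarded regardless of the
# RELATED,ESTABLISHED rule, so the rule restricts nothing.
nat_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
iptables -A FORWARD -i $WAN -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
EOF
}

# Read an `iptables -S` dump on stdin. Returns 0 only when the FORWARD policy
# is DROP and both forward rules (WAN->LAN established-only, LAN->WAN) exist.
audit_ruleset() {
  dump=$(cat)
  policy=$(printf '%s\n' "$dump" | awk '$1 == "-P" && $2 == "FORWARD" { print $3 }')
  status=0
  if [ "$policy" != "DROP" ]; then
    echo "FAIL: FORWARD policy is '${policy:-unset}', expected DROP"
    status=1
  fi
  if ! printf '%s\n' "$dump" | grep -q -- "-A FORWARD -i $WAN -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT"; then
    echo "FAIL: missing WAN->LAN RELATED,ESTABLISHED rule"
    status=1
  fi
  if ! printf '%s\n' "$dump" | grep -q -- "-A FORWARD -i $LAN -o $WAN -j ACCEPT"; then
    echo "FAIL: missing LAN->WAN forward rule"
    status=1
  fi
  if [ "$status" -eq 0 ]; then
    echo "OK: FORWARD is default-deny with the two NAT forward rules"
  fi
  return "$status"
}

# Usage (as root on the router):
#   nat_rules                         # review the commands
#   nat_rules | sh                    # apply them
#   iptables -S | audit_ruleset       # verify the filter table
#   iptables -t nat -S                # the MASQUERADE rule lives here
```

Run against the tutorial's own `iptables -S` output above, `audit_ruleset` reports the ACCEPT policy as a failure; after `iptables -P FORWARD DROP` it passes. Remember that `iptables -P FORWARD DROP` must be paired with the LAN-to-WAN ACCEPT rule, or clients lose connectivity.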
6) CONFIGURE CLIENT-PC
- enable DHCP client on client PC
7) TESTING TIME
- do a ping to 8.8.8.8 from the client PC.
- do a ping to 8.8.4.4 from the client PC.
You should observe that both pings succeed. This confirms that traffic originating from our client PC is routed through the two interfaces on our server.
While a ping to the IP address 8.8.8.8 is successful, a ping to the domain name "google.com" is not. This is because we don't have a DNS server / service running or enabled. We need to tell our client computer where to find the server that resolves domain names to IP addresses.
My client PC runs Windows 7. After configuring the DNS server (8.8.8.8) in the LAN adapter's GUI settings, pings to both domain names and IP addresses succeed. I now have internet access and web pages are opening, routed through my server's interfaces.
8) SAVE IPTABLES RULES: install iptables-persistent
command: apt-get install iptables-persistent
to save ip-tables: netfilter-persistent save
netfilter-persistent reload
Save IP-table rules before rebooting the server, else IP-table configuration gets lost.
SIDENOTES
1) Step 2, installing a DHCP server, is optional. The DHCP server dynamically assigns IP addresses to your client PCs. If you prefer static IP assignment in your LAN, just make sure that in Step 6 each client PC is configured like the samples below.
Note: we assume our LAN range starts from 172.16.1.10 upwards. Client PC IP addresses MUST be in the same network as the server's network interface that receives LAN traffic.
Sample-PC-1:
address 172.16.1.10
netmask 255.255.255.0
network 172.16.1.0
gateway 172.16.1.2
Sample-PC-2:
address 172.16.1.11
netmask 255.255.255.0
network 172.16.1.0
gateway 172.16.1.2
Sample-PC-3:
address 172.16.1.13
netmask 255.255.255.0
network 172.16.1.0
gateway 172.16.1.2
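A quick way to verify the "same network" requirement from Sidenote 1 before handing out static addresses, added here as an example (it is not part of the original tutorial). The router address and netmask are the tutorial's own; the client addresses passed to `check_clients` are the three samples above plus one constructed bad address on a different network.

```shell
#!/bin/sh
# Added example (not from the original tutorial): confirm that static client
# addresses lie in the same network as the router's LAN interface, otherwise
# the client cannot reach its gateway 172.16.1.2 at all.
ROUTER_LAN_IP=172.16.1.2        # enp0s8 address from the tutorial
ROUTER_LAN_MASK=255.255.255.0   # enp0s8 netmask from the tutorial

# Convert a dotted-quad address or mask to a 32-bit integer.
ip_to_int() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 when $1 (client IP) and $2 (router IP) share the network under mask $3.
same_subnet() {
  a=$(ip_to_int "$1")
  b=$(ip_to_int "$2")
  m=$(ip_to_int "$3")
  [ $(( a & m )) -eq $(( b & m )) ]
}

# Check every address given as an argument; print a verdict per client and
# return the number of clients that are NOT on the router's LAN network.
check_clients() {
  bad=0
  for ip in "$@"; do
    if same_subnet "$ip" "$ROUTER_LAN_IP" "$ROUTER_LAN_MASK"; then
      echo "OK   $ip is on the router's LAN network"
    else
      echo "BAD  $ip is not on the router's LAN network (gateway $ROUTER_LAN_IP unreachable)"
      bad=$((bad + 1))
    fi
  done
  return "$bad"
}

# Usage: the tutorial's three sample PCs plus one constructed wrong address.
check_clients 172.16.1.10 172.16.1.11 172.16.1.13 172.16.2.5
```

The exit status of `check_clients` is the count of misconfigured clients, so it can gate a provisioning script: zero means every client will be able to reach the gateway on enp0s8.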