Posted inNetwork

Basic Linux Router Setup: Guide to Configuring NAT and Packet Forwarding

Network tutorial - IT technology blog
Network tutorial - IT technology blog

Introduction to Linux Router

In the field of information technology, whether it’s a small office or a large network system, efficient data connection and management are always top priorities. Have you ever wondered how computers in a local network access the internet, or how your services can be accessed from outside? It’s all thanks to routers.

Typically, we are familiar with commercial router devices that have user-friendly web interfaces. However, transforming a Linux server into a router offers superior flexibility and control that a conventional ‘box’ device can hardly match. With Linux, you can fine-tune every detail, from packet handling to implementing complex security policies.

When Linux takes on the role of a router, two core functions that need to be clearly understood are Network Address Translation (NAT) and Packet Forwarding. Packet Forwarding helps packets move between different networks. Meanwhile, NAT allows multiple devices to share a single public IP address, while ‘hiding’ themselves from the outside world. These are the foundations that transform a regular Linux server into a powerful network control center.

I recall a time when I was “racking my brain” over a rather tricky network issue. Intermittent packet loss would only occur during peak hours, making it extremely difficult to debug because it wasn’t constant and only seemed to “tease” when the network was overloaded.

At that time, I wished I could ‘see through’ every packet on the router, precisely control their path to find the root of the problem. That’s when I realized the true power of a self-configured Linux router – it gave me the transparency and power to solve the most challenging network problems. This is precisely why I want to share with you how to leverage Linux to build a basic but extremely effective router.

Core Concepts

What is a Router?

Simply put, a router is a device that connects and routes data packets between two or more different computer networks. You can imagine it as a traffic controller at a large intersection, ensuring that vehicles (packets) from one road move correctly to another efficiently.

For a Linux computer acting as a router, you need at least two network interfaces. One card connects to the Internet (WAN), and the other connects to the local network (LAN). Its primary task is to receive packets from one network and send them to the other, based on the packet’s destination address.

Packet Forwarding

By default, for security reasons, most Linux operating systems will not automatically forward packets between different network interfaces on the same machine. For example, if a packet arrives from eth1 (LAN) and has a destination address outside the Internet (via eth0), Linux will not automatically forward it. This feature needs to be explicitly enabled.

When Packet Forwarding is enabled, our Linux machine truly acts as a router. It will examine the destination address of packets not intended for itself and decide which interface to send them through to reach their destination.

Network Address Translation (NAT)

NAT is an extremely important technique, especially as IPv4 addresses are gradually depleting. The main function of NAT is to ‘translate’ IP addresses. Why do we need it?

  • Saving Public IP Addresses: Most Internet Service Providers (ISPs) only allocate you a few public IP addresses. NAT allows hundreds, even thousands, of devices within a local network (e.g., private IP addresses like 192.168.x.x) to share a single public IP address to access the Internet.
  • Security: Your internal network is ‘hidden’ behind the router’s public IP address. From the outside, devices in the LAN are almost ‘invisible’, creating an initial layer of security.

We will focus on the following two main types of NAT:

  • Source NAT (SNAT) / Masquerading: When a device in the LAN sends a packet to the Internet, the router changes the source IP address of the packet from the LAN device’s private IP address to the router’s public IP address. When the reply packet returns, the router ‘translates’ the destination IP address back to the original LAN device. MASQUERADE is a special form of SNAT, often used when the router’s public IP address is dynamic (changes).

    Example: Your computer (192.168.10.100) sends a request to google.com. The Linux router (public IP 203.0.113.5) will change the source IP of the packet to 203.0.113.5 before sending it out. Google responds to 203.0.113.5, and the router knows that the packet belongs to 192.168.10.100 and will forward it internally.

  • Destination NAT (DNAT) / Port Forwarding: Contrary to SNAT, DNAT is used when you want to allow devices from outside the Internet to access a specific service on a server inside your LAN. The router will change the destination IP address and potentially the destination port of the incoming packet from outside to the internal server’s address and port.

    Example: You have a web server in your LAN (192.168.10.100) running a service on port 80. You want users from the Internet to access this service via the router’s public IP (203.0.113.5). The router will translate packets arriving at port 80 of 203.0.113.5 to 192.168.10.100:80 and forward them internally.

Detailed Practice: Configuring a Linux Router

For this practice, you will need a Linux server (I use Ubuntu Server) with at least two network cards. Let’s name them eth0 (connecting to the Internet/WAN) and eth1 (connecting to the internal LAN).

1. Environment Preparation

  • Linux Router Machine:
    • eth0: Can receive a dynamic IP (DHCP) from the ISP or have a static IP (e.g., 192.168.1.100 if in a lab network, or a public IP).
    • eth1: Static IP for the internal network, e.g., 192.168.10.1/24. This will be the Default Gateway for machines in the LAN.
  • Client Machine in LAN:
    • Static IP or DHCP in the range 192.168.10.0/24, e.g., 192.168.10.100.
    • Default Gateway pointing to 192.168.10.1 (IP of eth1 on the router).
    • DNS: can be 8.8.8.8 or 1.1.1.1.

First, check your network interfaces using the command ip a:


ip a

If you are using Ubuntu Server and your interfaces have names like enp0s3, enp0s8, you can rename them for easier management, or keep the default names. In this guide, I will assume eth0 and eth1.

Configure a static IP address for eth1 (internal interface) using Netplan on Ubuntu. Create or edit the Netplan configuration file, for example /etc/netplan/01-netcfg.yaml (note: depending on the distribution, you might use /etc/network/interfaces or nmcli):


network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      dhcp4: true  # Or configure a static IP if you have a public IP
    eth1:
      dhcp4: false
      addresses: [192.168.10.1/24]

After editing, apply the configuration:


sudo netplan apply

2. Enable Packet Forwarding Function

For Linux to function as a router, we need to enable packet forwarding. Execute the following command in the terminal:


sudo sysctl -w net.ipv4.ip_forward=1

The above command is only temporary. For this setting to persist after a system reboot, you need to add it to the configuration file /etc/sysctl.conf:


echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p # Apply changes from sysctl.conf file

3. Configure NAT (Masquerading) with Iptables

Now, we will configure NAT so that machines in the LAN can access the Internet by ‘borrowing’ the router’s public IP address. We will use iptables, a powerful firewall management tool on Linux.

The following command will add a rule to the nat table, POSTROUTING chain. This rule will change the source IP address (SNAT) of outgoing packets via the eth0 interface to the IP address of eth0:


sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  • -t nat: Specifies working on the nat table (Network Address Translation).
  • -A POSTROUTING: Adds a rule to the end of the POSTROUTING chain. This chain is processed after the packet has been routed.
  • -o eth0: Applies the rule to outgoing (output) packets via the eth0 interface.
  • -j MASQUERADE: ‘Jumps’ to the MASQUERADE target, which means changing the source IP of the packet to the IP of the outgoing interface (eth0).

4. Configure DNAT (Port Forwarding) with Iptables

If you have a web server (or any service) in your LAN (e.g., 192.168.10.100) that you want to allow access from the Internet, you need to configure DNAT. Let’s assume we want to forward port 80 (HTTP) from the router’s public IP to the internal web server:


sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.10.100:80
  • -A PREROUTING: Adds a rule to the end of the PREROUTING chain. This chain is processed immediately when a packet arrives at the interface.
  • -i eth0: Applies the rule to incoming (input) packets via the eth0 interface.
  • -p tcp --dport 80: Applies to TCP protocol packets arriving at destination port 80.
  • -j DNAT --to-destination 192.168.10.100:80: ‘Jumps’ to the DNAT target and changes the destination address of the packet to 192.168.10.100 and port 80.

5. Basic Firewall Configuration for the Router

After configuring NAT and Forwarding, protecting the router and the internal network is very important. You need to set up firewall rules to only allow valid traffic to pass through.

The FORWARD chain in iptables controls packets passing through the router (from one interface to another).


# Allow established and related connections to pass through the router
sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow machines in the LAN (via eth1) to access the Internet (via eth0)
sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# If there is DNAT (port forwarding), that traffic needs to be allowed into the internal server.
# Example: allow access to port 80 on 192.168.10.100 from eth0 to eth1
sudo iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -d 192.168.10.100 -j ACCEPT

# Set the default policy for the FORWARD chain to DROP (deny all if no rules match)
sudo iptables -P FORWARD DROP

# Additionally, you should also configure the firewall for the router itself (INPUT chain)
# Allow SSH to the router from anywhere (or limit IP if needed)
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow packets initiated by the router (e.g., router pinging out)
sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow traffic from the LAN to the router itself (e.g., for management)
sudo iptables -A INPUT -i eth1 -j ACCEPT

# Set the default policy for the INPUT chain to DROP
sudo iptables -P INPUT DROP

# Set the default policy for the OUTPUT chain to ACCEPT (router can send packets out)
sudo iptables -P OUTPUT ACCEPT

Important note: Setting the default DROP policy for FORWARD and INPUT is crucial for security. However, you need to ensure that all necessary ACCEPT rules have been added beforehand; otherwise, you might lock yourself out of your router or network.

6. Save Iptables Rules

The iptables rules you just created are only effective until the system reboots. For them to be automatically reloaded, you need to save them. A common method on Debian/Ubuntu is to use the iptables-persistent package:


sudo apt update
sudo apt install iptables-persistent

During the installation process, the system will ask if you want to save the current rules; choose Yes. Alternatively, you can manually save them at any time using the command:


sudo netfilter-persistent save

To reload the saved rules, use the command:


sudo netfilter-persistent reload

7. Test Configuration

After completing the configuration, check if your router is working as expected:

  • From a client machine in the LAN (192.168.10.100): 
    
ping 8.8.8.8         # Check Internet connection by IP
ping google.com      # Check Internet connection by domain name (requires active DNS)
traceroute google.com # Check the packet path, you will see it go through 192.168.10.1 first
  • From outside the Internet (if you have a public IP and have configured DNAT):

    Try accessing the service on your internal server (e.g., open a browser and access http://[public_IP_of_router]).

  • On the Linux Router machine: 
    
sudo iptables -t nat -L -v -n # View NAT rules
sudo iptables -L -v -n        # View FILTER rules (FORWARD, INPUT, OUTPUT)

    Check the packets and bytes columns to see if the rules are being used.

Conclusion

By transforming a Linux machine into a router, you not only save costs but also gain an extremely powerful and flexible network management system. We have together learned and configured Packet Forwarding to allow packets to move between networks, along with NAT (Masquerading for Internet access, Port Forwarding for internal service access) to secure and optimize IP address usage.

These are just the basic steps to set up a Linux router. From this foundation, you can expand with more advanced features such as a DHCP server, DNS caching, VPN server, or even an intrusion detection and prevention system (IDS/IPS). The true power of Linux lies in its infinite customizability, allowing you to build a network solution that best suits your specific needs.

Remember, understanding each layer of the network model and how packets move will be key to mastering all network issues, from simple glitches to the ‘nightmare’ of intermittent packet loss that I once experienced. Good luck!

Share:
Tags: