Today I would like to tell you some things on masquerading, an effective way for granting internet access to your internal network by setting up a gateway. Any host in your internal network – let’s call it LAN (Local Area Network) – sends its packets to the gateway if it wants to connect to the world outside of your LAN. This gateway now sends the packets to the outside and delivers the response back to the client that initiated the request. From the servers point of view outside in the internet it looks like the gateway is doing all the requests. Every packet coming from the LAN are masked.

The great benefit of masquerading: Hosts inside your LAN are not accessible from the big bad Internet. This protects you from direct attacks from there.

Enough talk – let’s get serious. What do we need for doing so?

• Iptables and its extensions for the kernel
• Two network cards

The gateway host has to be reachable by the clients. Do not forget to set it as gateway on the clients. The rest is done via some basic iptables shell commands:

First of all, we have to allow packet forwarding on the gateway host. A fast way is using the /proc interface if you do not want to mess around with your /etc/sysctl.conf

echo 1 > /proc/sys/net/ipv4/ip_forward

Masquerading itself is simply done with the following command

iptables -A POSTROUTING -t nat -s 192.168.0.0/24 -j MASQUERADE

192.168.0.0 is the adress of our LAN. If you are using a different ip range, you need to adapt this entry. If you do not know what to put there, it should be sufficient using the first three segments of the servers IP adress and a 0 as 4th segment as we are adressing the network itself.

If something went wrong it is very simple resetting the firewall (iptables):

iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X