Setup: I have my laptop connected to the wireless network via eth1. A network cable from eth0 of my laptop connects into a switch that my desktop PC is also connected into. I want the desktop PC to connect to eth0 of the laptop, to be forwarded to eth1 and routed out onto the Internet.
In a Debian-based GNU/Linux distro, I like to set up a specific /etc/network/interfaces (man interfaces) networking configuration file for each network setup I regularly use. I then run a simple bash shell script in my ~/bin/ directory to restart the networking service, with /etc/network/interfaces being a symbolic link to my actual config file. Note: be sure to make a copy of your /etc/network/interfaces file and chmod +x the netnat script.
    # This file describes the network interfaces available on your system
    # and how to activate them. For more information, see interfaces(5).

    # The loopback network interface
    auto lo
    iface lo inet loopback

    iface eth0 inet static
        address 192.168.2.1
        netmask 255.255.255.0

    iface eth1 inet dhcp
        wireless-essid WIRELESS-SSID

    auto eth1
    auto eth0
    #!/bin/sh
    sudo rm /etc/network/interfaces
    sudo ln -s /etc/network/interfaces.nat /etc/network/interfaces
    sudo /etc/init.d/networking stop
    sleep 3
    sudo /etc/init.d/networking start
Note: Normally, I thought I just enable IP forwarding and that’s it... all the packets magically get forwarded out and back. Doing this though, my client PC could only connect to eth0→eth1 of my laptop and not to the gateway that eth1 was on. So I actually had to set up NAT as well, and then it worked.
    ip_forward=yes
    spoofprotect=yes
    syncookies=no
Note: This will enable IP forwarding every time you set up networking, which you may not want. So one could set up a symlink hack like before with the interfaces file and create a /etc/network/options.nat as well, then edit the netnat script. You may want to enable syncookies as well if your box is a server and you don’t want to be DoS’d by a SYN flood.
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
As root, run iptables to set up NAT on the external (wireless) interface eth1.
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
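Still on the server/gateway, we can combine all of this into a single shell script. Notice how sudo sh -c "cmd args > output" is used for shell redirection: the redirection is performed by the calling shell, so a plain sudo in front of echo would still open /proc/sys/net/ipv4/ip_forward as the unprivileged user.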
    #!/bin/sh
    # point /etc/network/interfaces at the NAT configuration
    sudo rm /etc/network/interfaces
    sudo ln -s /etc/network/interfaces.nat /etc/network/interfaces
    sudo /etc/init.d/networking stop
    # need to allow the forwarding of packets, see /etc/network/options
    sudo sh -c "/bin/echo 1 > /proc/sys/net/ipv4/ip_forward"
    # need to actually forward the packets, setup NAT on external iface
    # (no redirection here, so plain sudo is enough)
    sudo /sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
    sleep 3
    sudo /etc/init.d/networking start
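
The script above appends a new MASQUERADE rule on every run and adds no rules that limit what the gateway will forward. The following is an added example, not part of the original netnat script: it prints an iptables-restore ruleset that NATs only the LAN subnet, lets new connections start only from eth0, and drops all other forwarded traffic. The function names are made up for this example; the interfaces and subnet are the ones used on this page.

```sh
#!/bin/sh
# Added example, not the original netnat script. Function names are
# hypothetical; eth0/eth1 and 192.168.2.0/24 are the values from this page.

# Accept only plain interface names (letters, digits, . _ -), so nothing
# unexpected ends up in the generated rules.
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Character-level sanity check for a.b.c.d/len notation; iptables-restore
# still does the real address parsing when the ruleset is loaded.
valid_cidr() {
    case "$1" in
        */*/*|*[!0-9./]*) return 1 ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print an iptables-restore ruleset. Arguments: LAN iface, WAN iface, LAN subnet.
nat_ruleset() {
    lan_if=$1 wan_if=$2 lan_net=$3
    valid_iface "$lan_if" && valid_iface "$wan_if" && valid_cidr "$lan_net" || {
        echo "usage: nat_ruleset LAN_IF WAN_IF LAN_CIDR" >&2
        return 2
    }
    [ "$lan_if" != "$wan_if" ] || { echo "LAN and WAN must differ" >&2; return 2; }
    # NAT only traffic sourced from the LAN subnet; forward new connections
    # only LAN -> WAN, and only reply traffic WAN -> LAN; drop the rest.
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
-A FORWARD -i $wan_if -o $lan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}
```

Review the output of nat_ruleset eth0 eth1 192.168.2.0/24 and then pipe it to iptables-restore as root. Loading it replaces the existing rules in the nat and filter tables, so repeated runs do not stack duplicate rules.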
My desktop PC is also running Debian, so its /etc/network/interfaces looks like this:
    auto eth0
    iface eth0 inet static
        address 192.168.2.10
        netmask 255.255.255.0
        broadcast 192.168.2.255
        gateway 192.168.2.1
Since the IP on the desktop PC was assigned statically, it has no idea what DNS servers to use (DHCP would tell it). So, you need to specify some nameservers in /etc/resolv.conf. Here are the ones I use for my internet service... you may wish/need to specify your own.
    nameserver 68.87.76.178
    nameserver 68.87.66.196
From the desktop PC client, test your connectivity as follows: