4. Sharing Internet connection (IP packet forwarding)

To use the system as a gateway you have to enable IP forwarding in the kernel. To do so, select Main Menu => System Settings => Kernel Tuning to start the Kernel Tuning tool, or become root and use the system-config-proc command. Select Networking => IP from the System tree on the left, then click on the second tab of the notebook on the right and check IP Forwarding. Press Save and then Activate saved configuration.

Figure 3. Kernel Tuning (enabling IP packet forwarding)

The final step is to set up the sharing of a single IP address through network address translation (NAT). Many Internet connections provide only one IP address, which is used by the gateway. The computers in the local network have their addresses in a non-routable subnet such as 192.168.0.0/24. When packets are routed out from the local network to the Internet, the gateway must replace their source addresses with its own address. To set up this NAT, use the following command:

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

What is this “-t nat” option? The rules for filtering or mangling IP packets are organised in chains, and the chains in tables. There are three tables: filter (for ACCEPT, REJECT or DROP rules), nat (for network address translation) and mangle (for other kinds of packet modification than NAT). You do not need to specify the table when adding rules to a chain of the filter table, because it is the default. To add rules to the nat table you must name it with the option above.

To keep this setup after restarting the system use the following command:

service iptables save

When the load of services exceeds the capacity of your gateway, you need to share the load among more machines. In this case use servers in your local network, and pass the traffic on to them. For example, suppose you have a mail server at the address 192.168.0.1 and three web servers at the addresses 192.168.0.2-4. Use the following commands to redirect the packets arriving on port 25 to 192.168.0.1 and those arriving on port 80 to 192.168.0.2-4:

iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to-destination 192.168.0.1:25
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2-192.168.0.4:80
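The whole gateway setup of this section (forwarding, masquerading, port redirection, saving) as one reviewable script. This is an added example, not part of the original guide; the interface eth1, the subnet 192.168.0.0/24 and the server addresses are assumed values taken from the text, and the `-s` and `-i` matches narrow the guide's rules so that only LAN-originated traffic is masqueraded and only packets arriving from the Internet are redirected.

```shell
#!/bin/sh
# Added example (not from the original guide): gateway setup parameterised
# on the external interface and the local subnet. Hypothetical values:
# WAN eth1, LAN 192.168.0.0/24, mail 192.168.0.1, web 192.168.0.2-192.168.0.4.
# With DRY_RUN=1 the commands are printed instead of executed, so the rule
# set can be reviewed before it is applied as root.

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# gateway_rules WAN_IF LAN_NET MAIL_SERVER WEB_SERVERS
gateway_rules() {
    wan="$1" lan="$2" mail="$3" web="$4"

    # Same effect as the Kernel Tuning checkbox: enable forwarding now.
    run sysctl -w net.ipv4.ip_forward=1

    # Masquerade only packets that come from the LAN and leave on the
    # external interface; without -s the gateway would also NAT anything
    # else it happens to forward out of that interface.
    run iptables -t nat -A POSTROUTING -s "$lan" -o "$wan" -j MASQUERADE

    # Port forwarding for the public services. Matching on -i restricts the
    # DNAT to packets arriving from the Internet, so connections from the
    # LAN to the gateway itself on ports 25/80 are not redirected.
    run iptables -t nat -A PREROUTING -i "$wan" -p tcp --dport 25 \
        -j DNAT --to-destination "$mail:25"
    run iptables -t nat -A PREROUTING -i "$wan" -p tcp --dport 80 \
        -j DNAT --to-destination "$web:80"

    # Persist the rules across reboots (Red Hat style init script).
    run service iptables save
}

# Number of nat-table rules the configuration adds, as a sanity check.
count_nat_rules() {
    ( DRY_RUN=1; gateway_rules "$@" ) | grep -c 'iptables -t nat'
}
```

Note that forwarded traffic must also be permitted by the FORWARD chain of the filter table; a REJECT or DROP policy there blocks it regardless of the nat rules.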