Ubuntu 14.04 as a Gateway / Router and a Firewall

My current system setup is Ubuntu 14.04 Desktop 64 Bit, and I am using Internet from a router using a public IP

eth0 - WAN Public IP 182.x.x.x  
eth1 - LAN private IP 192.168.0.1

Now I want to distribute this connection to other computers using my system as a gateway. My system IP is 192.168.0.1, and the other computers on the network are using static IPs 192.168.0.2 and 192.168.0.255, static and/or DHCP.

Also I want to set up a firewall on my system so that I can monitor and control the traffic of other systems on the network.


Solution 1:

  1. Open a terminal (Ctrl+Alt+T)

  2. Enter the following command to edit the interfaces file:

    sudo vim /etc/network/interfaces
    
  3. Edit the file with the following lines: (add your netmask and gateway)

    auto lo 
    iface lo inet loopback
    
    auto eth0
    iface eth0 inet static
    address 182.x.x.x 
    netmask  x.x.x.x 
    gateway x.x.x.x
    
    auto eth1
    iface eth1 inet static 
    address 192.168.0.1
    netmask x.x.x.x
    
  4. Now edit /etc/sysctl.conf and uncomment:

    # net.ipv4.ip_forward=1
    

    so that it reads:

    net.ipv4.ip_forward=1
    

    and save it by entering

    sudo sysctl -p /etc/sysctl.conf

  5. To enable IP masquerading, enter the following set of commands in a terminal:

    sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    
    sudo iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    
    sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
    

Update: Fix the strange "-–state" that caused the command to fail, and fix the nat MASQUERADE rule to use eth0 (the WAN interface).

Solution 2:

@chreekat's comment is correct that the Ethernet adapters are swapped in step 5 of @Anbu's answer, and as shown (as of 2017-02-21) creates A HUGE SECURITY HOLE that permits unrestricted access to the private network by anyone on the public network.

The corrected configuration for step 5 is shown below.

Theory of operation: (Rule #2) Packets ingressing from the public network (eth0) are accepted for forwarding out to the private network (eth1) if and only if the ingressing public packet is related to a conversation that was established by a host on the private network. (Rule #3) Accept all packets ingressing from the private network (eth1) and forward them out to the public network (eth0).

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
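An added example, not code from any of the answers: a POSIX shell script that audits an iptables-save dump of the filter table for the mistakes discussed in Solutions 1 and 2 and prints the corrected rule set for given WAN/LAN interface names. The interface names eth0/eth1, the sample dumps and their file paths are constructed here for illustration (the first sample mirrors the step 5 rules of Solution 1 as originally posted). The point the answers leave implicit is that the three ACCEPT rules only restrict anything when the FORWARD chain's default policy is DROP (the stock policy on Ubuntu is ACCEPT), so the script checks the policy line as well as the direction of the rules.

```shell
#!/bin/sh
# audit_gateway_rules.sh: added example, not code from any of the answers.
# Audits an iptables-save dump of the filter table for the forwarding
# mistakes discussed in Solutions 1 and 2, and prints the corrected rule set.
# Interface names (eth0 WAN, eth1 LAN) and the sample dumps are constructed.

# gateway_rules WAN LAN: print the corrected rules, preceded by a DROP
# policy for FORWARD so that the ACCEPT rules are the only way through.
gateway_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -o $1 -j MASQUERADE
iptables -A FORWARD -i $1 -o $2 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $2 -o $1 -j ACCEPT
EOF
}

# audit_dump DUMP WAN LAN: print one line per finding; return 0 only if clean.
audit_dump() {
    dump=$1; wan=$2; lan=$3; findings=0

    # 1. With a FORWARD policy of ACCEPT, every packet no rule matched is
    #    forwarded anyway, so the ACCEPT rules filter nothing.
    if grep -q '^:FORWARD ACCEPT' "$dump"; then
        echo "FORWARD policy is ACCEPT: unmatched traffic is forwarded in both directions"
        findings=$((findings + 1))
    fi

    # 2. A WAN->LAN ACCEPT rule without a RELATED,ESTABLISHED match lets any
    #    public host open connections into the private network.
    if grep "^-A FORWARD .*-i $wan .*-o $lan .*-j ACCEPT" "$dump" \
            | grep -vq 'RELATED,ESTABLISHED'; then
        echo "unrestricted $wan->$lan ACCEPT rule: new inbound connections are forwarded"
        findings=$((findings + 1))
    fi

    # 3. Replies to LAN-initiated connections arrive on the WAN side and must
    #    be let back in by a stateful rule; with a DROP policy and no such rule
    #    the LAN loses connectivity (Solution 1 has the rule on the wrong side).
    if ! grep "^-A FORWARD .*-i $wan .*-o $lan " "$dump" \
            | grep -q 'RELATED,ESTABLISHED'; then
        echo "no stateful $wan->$lan return rule: replies would be dropped under a DROP policy"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Constructed sample dumps (iptables-save format, filter table only).
SAMPLES=$(mktemp -d)

# Solution 1's step 5 as originally posted: both rules on the LAN->WAN side,
# together with the stock FORWARD policy of ACCEPT.
SWAPPED_DUMP=$SAMPLES/swapped.rules
cat >"$SWAPPED_DUMP" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
EOF

# DROP policy, but an extra rule that admits everything from the WAN.
OPEN_DUMP=$SAMPLES/open.rules
cat >"$OPEN_DUMP" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
EOF

# Solution 2's corrected rules with a DROP policy.
FIXED_DUMP=$SAMPLES/fixed.rules
cat >"$FIXED_DUMP" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
EOF

for dump in "$SWAPPED_DUMP" "$OPEN_DUMP" "$FIXED_DUMP"; do
    echo "== $dump"
    if audit_dump "$dump" eth0 eth1; then echo "clean"; fi
done
echo "== corrected rules for eth0 (WAN) / eth1 (LAN):"
gateway_rules eth0 eth1
```

To check a running gateway, save the live rules with iptables-save to a file and pass that file to audit_dump together with the real WAN and LAN interface names. Newer iptables versions print the state match as -m conntrack --ctstate, which the checks still recognise because they only look for the RELATED,ESTABLISHED string.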

Solution 3:

This is what I use; it always works well. It is a combination of various tutorials. Tested on Ubuntu 16.04 LTS too.

Step A -- Make sure that ufw is installed

sudo apt-get install ufw

Step B -- Configure your network interfaces.

sudo nano /etc/network/interfaces

Configure the interfaces file to be something like this below:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The WAN primary network interface
auto eth0
iface eth0 inet static
        address 182.xxx.xxx.xxx
        netmask xxx.xxx.xxx.xxx
        gateway xxx.xxx.xxx.xxx

# LAN side interface
auto eth1
iface eth1 inet static
        address 192.168.0.1
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255

Save the file with Ctrl-X in nano, or with any other editor you prefer.

Step C -- Enable IP forwarding. Edit the file /etc/sysctl.conf:

sudo nano /etc/sysctl.conf

Remove the comment marker from this line:

# net.ipv4.ip_forward=1

so that it reads:

net.ipv4.ip_forward=1

Save the changes and move to the next step.

Step D -- Masquerading/forwarding rules

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

Persist iptables changes

sudo su
sudo iptables-save > /etc/iptables.rules
sudo nano /etc/network/if-pre-up.d/iptables

Enter this content:

#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0

Save the changes, then edit/create the next iptables file:

sudo nano /etc/network/if-post-down.d/iptables

Enter this content:

#!/bin/sh
iptables-save -c > /etc/iptables.rules
if [ -f /etc/iptables.rules ]; then
    iptables-restore < /etc/iptables.rules
fi
exit 0

Save the changes. Make both files executable:

sudo chmod +x /etc/network/if-post-down.d/iptables
sudo chmod +x /etc/network/if-pre-up.d/iptables

Step E -- Finalize with ufw configuration

sudo nano /etc/default/ufw

Change the forward policy parameter to ACCEPT:

DEFAULT_FORWARD_POLICY="ACCEPT"

Save changes.

I have my SSH on port 49870, so I also allowed ufw to accept connections on that port:

sudo ufw allow 49870

Step F -- Do not forget to enable ufw.

sudo ufw enable

At this stage, just reboot your system. Then all LAN devices can use it as their main gateway. On a side note, ufw is very convenient for managing firewall settings.
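An added check, not part of the answer above: a POSIX shell script that confirms the three things Solution 3 (and steps 4 and 5 of Solution 1) depend on are actually in place after a reboot, namely an uncommented net.ipv4.ip_forward=1, executable if-pre-up.d/if-post-down.d hooks, and a saved MASQUERADE rule for the WAN interface. It runs against a directory laid out like /etc, so the two sample trees it builds are constructed for illustration; ROOT, WAN and the file names are assumptions. One caveat on Step E: DEFAULT_FORWARD_POLICY="ACCEPT" makes ufw set the FORWARD chain's default policy to ACCEPT, so from that point the Step D ACCEPT rules on their own no longer restrict what is forwarded from the WAN side; any restriction has to come from the policy or from explicit rules.

```shell
#!/bin/sh
# check_gateway_persistence.sh: added example, not part of the answer above.
# Verifies, against a directory laid out like /etc, that the pieces Solution 3
# depends on are in place: an uncommented net.ipv4.ip_forward=1, executable
# if-pre-up.d/if-post-down.d hooks, and a saved MASQUERADE rule for the WAN.
# ROOT, WAN and both sample trees are constructed; ROOT=/ checks a live box.

# check_gateway ROOT WAN: print one line per missing piece, return 0 if complete.
check_gateway() {
    root=$1; wan=$2; missing=0

    # 1. The forwarding switch must be on a line that is not commented out.
    #    sysctl tolerates spaces around '=', so the pattern does too.
    if ! grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1' \
            "$root/etc/sysctl.conf" 2>/dev/null; then
        echo "sysctl.conf: net.ipv4.ip_forward=1 missing or still commented out"
        missing=$((missing + 1))
    fi

    # 2. ifupdown only runs hooks that are executable; a hook without +x is
    #    silently skipped and the rules are gone after the next reboot.
    for hook in if-pre-up.d/iptables if-post-down.d/iptables; do
        if [ ! -x "$root/etc/network/$hook" ]; then
            echo "$hook: missing or not executable (needs chmod +x)"
            missing=$((missing + 1))
        fi
    done

    # 3. The saved rule file must contain the NAT rule for the WAN interface,
    #    otherwise iptables-save was run before step D added it.
    if ! grep -q -- "-A POSTROUTING -o $wan -j MASQUERADE" \
            "$root/etc/iptables.rules" 2>/dev/null; then
        echo "iptables.rules: no MASQUERADE rule for $wan"
        missing=$((missing + 1))
    fi

    [ "$missing" -eq 0 ]
}

# make_tree ROOT WAN yes|no: build a constructed /etc tree, complete or not.
make_tree() {
    root=$1; wan=$2; complete=$3
    mkdir -p "$root/etc/network/if-pre-up.d" "$root/etc/network/if-post-down.d"
    if [ "$complete" = yes ]; then
        echo 'net.ipv4.ip_forward=1' >"$root/etc/sysctl.conf"
        printf '%s\n' "-A POSTROUTING -o $wan -j MASQUERADE" >"$root/etc/iptables.rules"
    else
        echo '# net.ipv4.ip_forward=1' >"$root/etc/sysctl.conf"   # still commented out
        : >"$root/etc/iptables.rules"                              # saved before step D
    fi
    printf '#!/bin/sh\niptables-restore < /etc/iptables.rules\nexit 0\n' \
        >"$root/etc/network/if-pre-up.d/iptables"
    printf '#!/bin/sh\niptables-save -c > /etc/iptables.rules\nexit 0\n' \
        >"$root/etc/network/if-post-down.d/iptables"
    chmod +x "$root/etc/network/if-post-down.d/iptables"
    # the pre-up hook only gets +x in the complete tree (the chmod step was skipped)
    if [ "$complete" = yes ]; then
        chmod +x "$root/etc/network/if-pre-up.d/iptables"
    fi
    return 0
}

HALF_ROOT=$(mktemp -d); make_tree "$HALF_ROOT" eth0 no
DONE_ROOT=$(mktemp -d); make_tree "$DONE_ROOT" eth0 yes

for r in "$HALF_ROOT" "$DONE_ROOT"; do
    echo "== $r"
    if check_gateway "$r" eth0; then echo "gateway persistence looks complete"; fi
done
```

On a real gateway, call check_gateway with / as the root and the actual WAN interface name; reading /etc/iptables.rules needs root because iptables-save writes it with restricted permissions when run via sudo su as in Step D.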