NAT Gateway, Iptables, Port Forwarding, DNS And DHCP Setup - Ubuntu 8.10 Server

 
Submitted by gibbsj on Thu, 2009-01-08 11:26. :: BIND | Ubuntu | DNS


So you are too poor to afford another expensive router and want to do things yourself. You have found the right tutorial! This tutorial will show you how to set up an Ubuntu 8.10 router with NAT, port forwarding, a DNS server and a DHCP server.

Why Ubuntu you ask?

Not only is Ubuntu a great operating system, it's also flexible and powerful enough to get you up and running in no time! Note: Please restart your computer after every step. This will ensure everything is working correctly.

Some of the basic things we are going to need are...

DHCP -- dhcp3-server
DNS -- bind9
iptables -- included /w ubuntu

 

First things first

You're going to need two network cards. Take your first network card and plug your WAN connection into it. You should know which network card this is (eth0, eth1, etc.). If you don't know which it is, it's trial and error, my friend.

Let's just say that your WAN card is going to be eth0 (if it's eth1, just do everything the same but adjust your config accordingly). We want to edit the file /etc/network/interfaces. Open it in vi:

sudo vi /etc/network/interfaces

You should see in the file (if you have nothing setup yet):

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback

We are going to add this to the file. As a side note, if you don't know how to use VI use nano or learn VI.

auto eth0
iface eth0 inet dhcp

The auto eth0 line tells the system to bring eth0 up at boot, similar to running

sudo ifconfig eth0 up

The line iface eth0 inet dhcp tells the eth0 interface to look for a DHCP server and get its address from there. This is important if you're hooked up to a cable modem, as you will want to get a public IP from your ISP.

The next step to take is to configure your network card eth1. This will be your "LAN" card.

If you remember, our /etc/network/interfaces configuration looked like

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet dhcp

We are going to VI into the interfaces file again and add a few more lines:

sudo vi /etc/network/interfaces

Add these lines to the bottom of the file.

auto eth1
iface eth1 inet static
        address         172.17.207.121
        netmask         255.255.255.0
        broadcast       172.17.207.255
        network         172.17.207.0

This just gives you a static IP address for your server on your LAN card.

Your file should now look like this.

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1 inet static
        address         172.17.207.121
        netmask         255.255.255.0
        broadcast       172.17.207.255
        network         172.17.207.0

Now, before we forget, let's edit your /etc/hosts file.

sudo vi /etc/hosts

Make the file look like mine, though if you call your server userve or myserver you can change it.

Also note the asus.local domain name, it's a good idea to use your own such as mydomain.local but you can use what I have for learning purposes.

We use .local because it's easy to remember and it's not public, so we will not interfere with anything.

127.0.0.1       localhost server.localhost
172.17.207.121  server.asus.local server asus.local

Now that we have our interfaces configured, we are going to install and set up a dhcp server. To install the dhcp server run the command

sudo apt-get install dhcp3-server

Let's edit the dhcpd.conf file. Start by running the command

sudo vi /etc/dhcp3/dhcpd.conf

Now if there is anything in that file, REMOVE IT.

Copy and paste this into your file, then write and quit.

ddns-update-style none;
option domain-name "asus.local"; # use your own domain, such as mydomain.local; it must match the zone name you give BIND below
option domain-name-servers 172.17.207.121, 24.92.226.41; # you also might want to change that second DNS server to your ISP's local DNS server
option routers 172.17.207.121;
default-lease-time 42300;
max-lease-time 84600;
authoritative;
log-facility local7;
subnet 172.17.207.0 netmask 255.255.255.0 {
        range 172.17.207.1 172.17.207.100; # you can expand the range just by changing .100 to .254 or something like that
}

Now run the command

sudo /etc/init.d/dhcp3-server start

This will start your DHCP server and we can label this part DONE.
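A quick consistency check for a scope like the one above, added here as an example and not taken from the tutorial: using nothing but shell arithmetic it verifies that the range and the router address fall inside the declared subnet, which is exactly the mismatch dhcpd refuses to start on (a subnet line of 172.17.0.0 with a 172.17.207.x range, an easy slip, fails it). The addresses are the tutorial's own; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the tutorial: sanity-check a dhcpd.conf scope before
# starting dhcp3-server. Plain POSIX sh, no external tools.

# ip2int: dotted quad -> integer, so addresses can be masked with & .
ip2int() {
    echo "$1" | {
        IFS=. read -r o1 o2 o3 o4
        echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
    }
}

# in_subnet IP NETWORK NETMASK: exit 0 when IP lies inside NETWORK/NETMASK.
in_subnet() {
    _ip=$(ip2int "$1"); _net=$(ip2int "$2"); _mask=$(ip2int "$3")
    [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

# check_scope NETWORK NETMASK RANGE_START RANGE_END ROUTER
# Prints one line per problem and returns 1 if any were found: dhcpd rejects a
# range that is not on the declared subnet, and clients cannot use a router
# they cannot reach.
check_scope() {
    net=$1; mask=$2; lo=$3; hi=$4; gw=$5; rc=0
    for addr in "$lo" "$hi"; do
        in_subnet "$addr" "$net" "$mask" ||
            { echo "range address $addr is not in $net/$mask"; rc=1; }
    done
    in_subnet "$gw" "$net" "$mask" ||
        { echo "option routers $gw is not in $net/$mask"; rc=1; }
    [ "$(ip2int "$lo")" -le "$(ip2int "$hi")" ] ||
        { echo "range start $lo is above range end $hi"; rc=1; }
    return $rc
}

# A 172.17.0.0 subnet with a 172.17.207.x range: three problems reported.
check_scope 172.17.0.0 255.255.255.0 172.17.207.1 172.17.207.100 172.17.207.121 ||
    echo "dhcpd would refuse this scope"
# The subnet line that matches the tutorial's LAN: silent, returns 0.
check_scope 172.17.207.0 255.255.255.0 172.17.207.1 172.17.207.100 172.17.207.121 &&
    echo "scope is consistent"
```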

 

Moving on to... DNS

Bind is the DNS package that we will be using. To install it, we simply run

sudo apt-get install bind9

This will download and install our bind server.

Start by running the command

sudo vi /etc/bind/named.conf

Then remove everything in the file and look for my comments, usually indicated by //.

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "asus.local" { // change asus.local to whatever you named your domain, such as mydomain.local
        type master;
        file "/etc/bind/zones/asus.local.db"; // this file and folder do not exist yet, so we will need to make them
};
zone "207.17.172.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/rev.207.17.172.in-addr.arpa"; // this file does not exist either, so we will also need to make it
};
zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};
include "/etc/bind/named.conf.local";

Before we can make the two files asus.local.db and rev.207.17.172.in-addr.arpa, we need to edit another file. So

sudo vi /etc/bind/named.conf.options

Remove everything in the file and use this...

options {
        directory "/var/cache/bind";
        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.
        forwarders {
                24.92.226.41; // very important, change this to your LOCAL ISP's DNS server(s)
                24.92.224.40;
        };
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

Pay attention to the comments, they tell you to CHANGE our forwarders address(es) to your LOCAL ISP's DNS.

Next, cd over to your bind directory:

cd /etc/bind/
sudo mkdir zones
cd zones
sudo vi asus.local.db

(Or use your domain name such as mydomain.local.db.)

Once you are in the asus.local.db file or mydomain.local.db file (whatever you called it), copy and paste this, making the appropriate changes to your domain name. Note that comments in a zone file start with a semicolon.

$ORIGIN .
$TTL 4000 ;
asus.local.     IN SOA  server.asus.local. admin.asus.local. (
2007031001      ; serial
28800           ; refresh
3600            ; retry
604800          ; expire
38400           ; min
)
                NS      server.asus.local.
$ORIGIN asus.local.
                IN      A       172.17.207.121
www             IN      A       172.17.207.121 ; an example
server          IN      A       172.17.207.121 ; an example
macpro          IN      A       172.17.207.4   ; an example

If you do an nslookup macpro, you will get 172.17.207.4 back as an answer, so change the domain names and IP's according to your settings.

Next, we are going to vi the rev.207.17.172.in-addr.arpa file that does not exist yet. But it will once we save it. So assuming you're still in the zones folder:

sudo vi rev.207.17.172.in-addr.arpa

Copy and paste what I have here, making the appropriate changes.

$ORIGIN .
$TTL 28800      ; 8 hours
207.17.172.IN-ADDR.ARPA IN SOA server.asus.local. admin.asus.local. (
                                2008110601 ; serial
                                28800      ; refresh (8 hours)
                                7200       ; retry (2 hours)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      server.asus.local.
$ORIGIN 207.17.172.IN-ADDR.ARPA.
4                     PTR    macpro.asus.local.

So now if you did a reverse lookup on 172.17.207.4, you would get macpro.asus.local.
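Forward and reverse zones drift apart easily, so here is a small generator, added as an example and not part of the tutorial, that derives the PTR lines for rev.207.17.172.in-addr.arpa from the A records in asus.local.db. The forward zone text is a constructed copy of the one above, and ptr_records is my own name.

```shell
#!/bin/sh
# Added example, not from the tutorial: derive the PTR records of the reverse
# zone from the A records of the forward zone, so the two files stay in step.
# FORWARD_ZONE is a constructed copy of the tutorial's asus.local.db.
FORWARD_ZONE='$ORIGIN .
$TTL 4000 ;
asus.local.     IN SOA  server.asus.local. admin.asus.local. (
2007031001      ; serial
28800           ; refresh
3600            ; retry
604800          ; expire
38400           ; min
)
                NS      server.asus.local.
$ORIGIN asus.local.
                IN      A       172.17.207.121
www             IN      A       172.17.207.121 ; an example
server          IN      A       172.17.207.121 ; an example
macpro          IN      A       172.17.207.4   ; an example'

# ptr_records ZONE_TEXT PREFIX: print "host PTR fqdn." for every A record whose
# address starts with PREFIX (e.g. 172.17.207.), relative to the reverse zone's
# $ORIGIN. Only the first name seen per address is kept, since one PTR per
# address is what most software expects.
ptr_records() {
    printf '%s\n' "$1" | awk -v prefix="$2" '
        /^\$ORIGIN/ { origin = $2; next }
        { sub(/;.*/, "") }                 # drop zone-file comments
        {
            ai = 0
            for (i = 1; i <= NF; i++) if ($i == "A") { ai = i; break }
            if (ai == 0 || index($(ai + 1), prefix) != 1) next
            # a record starting with whitespace has no owner: it belongs to the origin
            owner = ($0 ~ /^[ \t]/) ? "" : $1
            fqdn = (owner == "") ? origin : owner "." origin
            host = substr($(ai + 1), length(prefix) + 1)
            if (host in seen) next
            seen[host] = 1
            printf "%-8s PTR %s\n", host, fqdn
        }'
}

# Paste the output below the "$ORIGIN 207.17.172.IN-ADDR.ARPA." line of the
# reverse zone file.
ptr_records "$FORWARD_ZONE" 172.17.207.
```

For 172.17.207.121 the apex name asus.local. wins because its A record comes first; move the server line above it in the forward zone if you want server.asus.local. as the PTR instead.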

Now start named. On Ubuntu the bind9 package installs its init script as /etc/init.d/bind9 (there is no /etc/init.d/named), so run:

sudo /etc/init.d/bind9 start

If it does not start, check the logs in /var/log (syslog), and run named-checkconf and named-checkzone asus.local /etc/bind/zones/asus.local.db to find errors in the configuration and zone files.

 

Last but not least, IPTABLES

First things first, we need to edit sysctl.conf in the folder /etc/, so:

sudo vi /etc/sysctl.conf

Uncomment line 28, which means removing the # in front of it, so it reads net.ipv4.ip_forward=1. This is what lets the kernel pass packets between your two network cards; it takes effect after the restart.

Next, let's vi over to rc.local:

sudo vi /etc/rc.local

Add these two lines to the end of the file, above the final exit 0 line (an Ubuntu rc.local ends with exit 0, and anything placed after it never runs):

/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE

These two rules are your whole gateway: the first sets the FORWARD policy to ACCEPT, so the kernel passes packets between eth0 and eth1 in both directions unconditionally, and the second rewrites the source address of everything leaving eth0 to your WAN address so replies find their way back. This is the bare minimum to get online; you can use iptables to make it considerably more secure than this basic setup.

To forward ports, you can add something like this to the end of the rc.local file (again above exit 0).

/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d jgibbs.dyndns.org --dport 3389 -j DNAT --to 172.17.207.4:3389

The long line above rewrites the destination of incoming TCP traffic on eth0 for port 3389 to 172.17.207.4:3389, so I can remote desktop into my Windows box from outside my network. Note that the hostname given to -d is resolved only once, when the rule is loaded, and the rule stores that IP; if your dynamic DNS address changes you have to reload the rule.

You can do this with any ports you wish.
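Here is a tighter version of the rc.local rules, written as an added example and not taken from the tutorial: the FORWARD policy is DROP, only flows started from the LAN (and their replies) are forwarded, and each port forward gets its own explicit FORWARD rule instead of relying on a blanket ACCEPT. The interface names, the 172.17.207.0/24 LAN and the 3389 forward are the tutorial's; the function names are assumed.

```shell
#!/bin/sh
# Added example, not from the tutorial: a stricter replacement for the two
# rc.local lines. gen_rules prints the rules so they can be reviewed without
# root; they are applied only when run as:  sh thisfile.sh apply
WAN=eth0
LAN=eth1
LAN_NET=172.17.207.0/24
# Port forwards as proto:port:lan_host (the tutorial's RDP forward, constructed here).
FORWARDS="tcp:3389:172.17.207.4"

gen_rules() {
    echo "iptables -F; iptables -t nat -F"
    # Default deny for traffic to the gateway and through it; its own outbound is allowed.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    # The gateway must answer its LAN (DHCP, DNS, SSH) and loopback; WAN-side
    # access to the box itself stays closed unless you add a rule for it.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -i $LAN -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Let the ISP's DHCP offers reach the WAN card's dhclient.
    echo "iptables -A INPUT -i $WAN -p udp --sport 67 --dport 68 -j ACCEPT"
    # Forward only LAN-originated flows out, and their replies back in.
    echo "iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE"
    # With FORWARD defaulting to DROP, every DNAT needs a matching FORWARD hole
    # for exactly that host, protocol and port.
    for fwd in $FORWARDS; do
        proto=${fwd%%:*}; rest=${fwd#*:}; port=${rest%%:*}; dest=${rest#*:}
        echo "iptables -t nat -A PREROUTING -i $WAN -p $proto --dport $port -j DNAT --to-destination $dest:$port"
        echo "iptables -A FORWARD -i $WAN -o $LAN -p $proto -d $dest --dport $port -m state --state NEW -j ACCEPT"
    done
}

# count_rules PATTERN: how many generated rules mention PATTERN (for sanity checks).
count_rules() { gen_rules | grep -c -- "$1"; }

# Run the generated commands as root; -e stops at the first rule iptables rejects.
apply_rules() { gen_rules | sh -e; }

if [ "${1:-}" = "apply" ]; then apply_rules; fi
```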

RESTART!

Also, report any problems and I will fix this tutorial with updates. Thanks, Jeremy user gibbsj.


Submitted by Anonymous (not registered) on Thu, 2011-08-11 12:57.

Hi, the way you narrate is really awesome. It's easy to configure even for a starter like me.

I have configured everything as above, but at the end when I tried to give the
"sudo /etc/init.d/named start" command it's showing the following message:

"sudo: /etc/init.d/named: command not found"  so what could be the problem...

Can you please help me out with this issue....

Submitted by prasinos (not registered) on Sun, 2010-11-28 22:01.

.local is a poor choice for a domain name, as it is used as a default domain in avahi (zeroconf/mDNS implementation). It is better to use something else (or use nothing and rely on avahi).

Using bind and dhcp-server for a home network is overkill, try dnsmasq.


Submitted by Jason (not registered) on Fri, 2010-09-24 05:18.

I've been struggling for a couple days to get my network set up the way I wanted (with the equipment I have on hand), and your instructions were exactly what I needed to get it up and running.

Submitted by Anonymous (not registered) on Thu, 2009-10-08 11:01.
Finally, I can implement this tutorial on my old CPU successfully. But in the client, YM cannot connect to the server. How to solve this? Thanks in advance for the reply!
Submitted by Stas (not registered) on Mon, 2009-03-16 15:23.
Thank you!
Submitted by Anonymous (not registered) on Sun, 2009-02-22 01:37.

So I just went through this entire article. It has been a while since I have set up Linux, but this tutorial was very well written.

I noticed that in order for everything to work I needed to add these lines before the exit 0 line in the iptables list

/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE

and also the gateway didn't want to replicate out to the clients, so I changed the order of option routers to just under the ddns update style...

ddns-update-style none;
option routers 172.17.207.121;

 

but other than that it is up smoothly... now I have to play around with iptables to limit access to specific addresses...

Submitted by Nausser (not registered) on Sat, 2009-02-14 05:56.

I've had zero luck with port forwarding 5900 to another Ubuntu machine. I'm running Ubuntu 8.10 64-bit server for my DHCP/NAT and hopefully someday VPN services. Everything in terms of internet access works great for connecting clients, with the exception of the "Pinger Plus" device, which cannot get an IP from my Ubuntu server; however, it can obtain an address and ping with no problems if I use a Windows or Cisco DHCP server. Not a huge deal, but if anyone happens to know.

 As far as the port forwarding goes, I've tried every flavor of the instructions above. Help is greatly needed!

 

Thanks!

Submitted by Anonymous (not registered) on Mon, 2009-02-02 12:43.
Thanks, I have been looking around trying to get my DNS setup correctly and your article helped.
Submitted by Jamie (not registered) on Thu, 2009-01-22 15:59.
In the dhcpd.conf "subnet 172.17.0.0" should be "subnet 172.17.207.0"
Submitted by Ryaz Khan (not registered) on Thu, 2009-01-15 14:25.

I am very sorry but I never understood this guy's guides; I know it could be just me. In this one he did not mention the default gateway for the LAN where we are setting the static IP address. Will any internet connection work without a gateway? Not sure about that, so please help. I thought the gateway is the main door to enter other networks. Again, I could be wrong

Thank you for reading my stupid comments

Submitted by Nausser (not registered) on Sat, 2009-02-14 06:02.

You may very well have figured this out already...

However, if you haven't, I wanted to post for others that you are correct in saying a gateway address is always needed for internet access.

 

When a computer has two or more NICs (Network Interface Cards), it needs to know which card gets it to the internet. It knows to always use the one with the default gateway listed.

The other card, probably eth1, does not connect to the internet; rather, other computers connect to it as their default gateway to connect to the internet (internet sharing).

Hope this helps someone out.

Submitted by Seth (not registered) on Sun, 2009-01-11 05:08.

I am moving from a freeBSD router/gateway computer to Ubuntu, and am stuck on 1:1 Nat'ing.

 I have a class C subnet from my ISP, and connect using PPPoE. 

 In freeBSD the PPP daemon could do nat'ing, and was as easy as:

ppp.conf: ( public IPs changed to protect me )

...

    nat enable yes
    nat addr 192.168.1.2 x.x.x.170
    nat addr 192.168.1.3 x.x.x.171
    nat addr 192.168.1.4 x.x.x.172
    nat addr 192.168.1.5 x.x.x.173
    nat addr 192.168.1.6 x.x.x.174
    nat same_ports yes
    nat use_sockets yes

...

 Would you have some suggestions on how to configure iptables to provide this behavior?

( selected IPs get an external IP through NAT ( snat? ), all other IPs get normal NAT )

Thanks, 

Seth

Submitted by Seth (not registered) on Sun, 2009-01-11 18:51.

Not sure how I missed the message to not ask for help here, moving this to the forums :).

 

Seth

Submitted by Anonymous (not registered) on Sat, 2009-01-10 01:18.

1. There is no necessity to restart.

2. Your set of ip, network and netmask is wrong.

 

Read more.

Submitted by gibbsj (registered user) on Sun, 2009-01-11 01:33.

Fixed the netmask problem.  Restarting ensures everything is working.  Of course many times you could just do a /etc/init.d/networking restart ...

 But sometimes it's just better to tell people to restart.  

Submitted by Anonymous (not registered) on Fri, 2009-01-09 20:47.

"As a side note, if you don't know how to use VI use nano or learn VI."

Nano is 100 times better than that old clunky VI.

Your side / "funny" comments are so annoying I couldn't follow the article.... For the time being I'll stick to my ClarkConnect server...

Submitted by Anonymous (not registered) on Fri, 2009-04-03 19:36.
A note for newbies: vi is hard to learn and easy to forget if you haven't been using it for a while, but it's "legacy" and you can find it and use it on very old systems.
Submitted by gibbsj (registered user) on Sun, 2009-01-11 01:44.

There really are not that many "funny" comments.  Lighten up..

VI is far more powerful than nano, as VI does syntax highlighting etc.

Also, imagine you had someone who edited a file in notepad and now your document is full of ^M or something; with vi you could do

1,$ s/^M//g  to remove them... 

You can't just type ^M though; you need to hit Ctrl-V to tell vi to use the literal input, then Ctrl-M to get your ^M.  Now imagine you had a whole slew of changes to make at once; you can also do that with vi. Also, imagine if you had multiple files: since vi uses ex, you can make those changes to all the files at once!  Very powerful stuff.  You will find that most real coders still use VI or VIM.  Some use emacs, which is also very good, but VI is still the standard.  Also, imagine you get your first job, as it sounds like you're young, but.. you get your first job, and you get on a Unix box.  No pico, no nano, no ee, but what is in ALL distributions of Unix???  VI!  Learning to work with bare-bones tools that are always there will save yourself lots of trouble..

Submitted by Adbs (not registered) on Wed, 2010-03-10 14:36.

Hello all.

I think you've done a brilliant job and we should thank people who share their knowledge with others, instead of making ridiculous comments such as "Annoying comments" etc..

 

I personally thank you, I just wanted to ask you one thing,

I have a back-end webserver which resides on example : 192.168.1.3

A DHCP DNS servers which both run on the same machine on 192.168.1.1

Another Machine hosts the Proxy server (Squid3) on 192.168.1.4

Now I need to be able to use IPtables to forward all connections to the proxyserver  192.168.1.4

I want the proxy server to intercept all incoming connections and forward them accordingly to the back end server(s) and services.

But I am very limited in using iptables, can anyone here help with some suggestions please?

At the moment the iptables is set to allow simple browsing and access to the internet.

 

Internet >>> Machine (A) (router, DHCP, DNS) >>Switch >>(clients)  Machine (B) Proxy and webserver(s)

To the switch are connected the web-servers, the proxy-server and 3 windows clients 

It is set  in that order I hope it's clear, how can I do that please??

I will appreciate any help and thank you all :)

Regards

 

Submitted by McDaeMonD (not registered) on Tue, 2010-03-16 15:26.

Try this link:

http://www.howtoforge.com/dansguardian-content-filtering-with-transparent-proxy-on-ubuntu-9.10-karmic

Submitted by Anonymous (not registered) on Tue, 2009-02-17 14:02.
nano does have syntax highlighting.
Submitted by snehal (not registered) on Thu, 2009-01-08 13:37.

Thanks a lot. :)  

 

Submitted by phil (not registered) on Tue, 2010-06-15 21:00.

Just try this in nano

vi -O2 <file1> <file2>

or

vi -d <file1> <file2>

and commands in vi are *so* much more powerful

The quote I always repeat whenever anyone complains how hard vi is to learn is:

Yeah, it might be a steep hill to climb, but once you get to the top, you can fly.