How To Masquerade On Linux (Internet Connection Sharing)  

It's very simple to masquerade (internet connection sharing in Windows language ) on Linux with a few lines of iptables and ip_forward commands.

First of all you have to flush and delete existing firewall rules.

So flush rules by typing in terminal:

iptables -F
iptables -t nat -F
iptables -t mangle -F

Now delete these chains:

iptables -X
iptables -t nat -X
iptables -t mangle -X

Now it's time to save the iptables rules so type:

service iptables save
service iptables restart

Now all rules and chains have been cleared!

Check it in /etc/sysconfig/iptables which has all default rules set to accept.

Now open /etc/rc.d/rc.local and insert the line:

echo "1" > /proc/sys/net/ipv4/ip_forward

And then save and close the file.

Now asuming that your internet interface is eth0, type:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
service iptables save
service iptables restart

Note: check if iptables is set to start during boot up.

Or check the status of your iptables service:

chkconfig –list iptables

If level 5 is on then it's ok othewise start the service at level 5 or level 2345.

Note: The post is also available on my own site - article desktop.

Share this page:

15 Comment(s)

Add comment

Please register in our forum first to comment.


By: Naim

it was really great and use full information and i am really thankfull of the one who prepared and upload this information about internet sharing in linux machin i search lots of sites about this but there were no clear as much as that was in here once again really thanks.



 One small note.  "chkconfig -list iptables" should be "chkconfig --list iptables" (at least on my system, which is normal for all multi-character option names).

To explain (for noobies out there), the command can be "chkconfig -L iptables" or "chkconfig --list iptables".  Note the one dash versus two.  The single-character version, "L" has one dash.  the multi-character version "list", which means the same thing, has two dashes.  This seems to be a standard, as it's held true for every unix command I've used (I think).

 More inportant note:

Remember to configure your LAN adapter (in this case eth0) and give it an ip address.  If you want your computer to be like a router with a 198.168.x.1 style address, use "ifconfig eth0 netmask up".  You'll also need to use whatever configuration you system provides you to change the adapters address to so it will be set correctly at bootup.

By: Peet

Thanks, this was really simple and it works 100%. You need credit!

By: Anonymous

No, it does not work 100%... many of VPNs etc.  cant connect thru this

By: vishal

Great job. The best thing about this tutorial which makes it different from the others on web is that it has taught 'iptables flushing' before setting up IP forwarding.

By: ivucica

While I can certainly easily flush the iptables settings as instructed, Debian does not have a "services" command nor a folder /etc/sysconfig. I'll look elsewhere, but I'm torturing myself for the last full year trying to get IP forwarding to work; I must've messed something up in the tables and I can't fix it anymore.

By: Dane

I'm not sure if this is still a problem for you, but in versions of Debian that don't have the "service" command (NOT "serviceS"), I think you can find the needed script in /etc/init.d/iptables, or some such.  Just run a command like this (as root) to save/restart the iptables service:

 /etc/init.d/<NameOfIPtablesScript> save


/etc/init.d/<NameOfIPtablesScript> restart

 I hope this solves it for you!



By: Zorin

For Ubuntu you can use: iptables-save

By: Anand

I have virtual box OS centos in Fedora 14.

I want to access internet from centos to outside,So i have to set MASQUERADE as well as packet forward.

Packet forward is working fine. But MASQUERADE is not working.

I have tried the below command for MASQUERADE

"iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE"

 Anybody can help me?

By: rrvviinn81

is your IP static? if so, try

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source

By: manyam

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source

this is not forged ip address, when before executing this script internet is coming but after executing internet is not coming .if ping this there is no change ip address pls how to get forged using iptables.

By: need help

why after i try to run this command chkconfig -list iptables my ouput is "-list: unknown option"???

 did i miss any of the step?

By: Stancho

you're missing one "-". It's --list

By: alif

nice, tq it's work on my PCLINUX OS (server) and UBUNTU (client) 

By: al3ks91

sad that this is outdated and not working....