IP Forwarding for Home Networks
Consider a home network of GNU/Linux and MS/Windows machines connected via Ethernet. One GNU/Linux machine can connect to the Internet via PPP, and we want all the machines to reach the Internet through it. After installing iptables, run the following on that host, which will serve as the Internet gateway:
# iptables --flush
# iptables --table nat --flush
# iptables --delete-chain
# iptables --table nat --delete-chain
# iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
# iptables --append FORWARD --in-interface eth0 -j ACCEPT
This clears the existing filter and NAT rules (and any user-defined chains), then adds two rules: the POSTROUTING rule masquerades traffic leaving via ppp0 behind the PPP address, and the FORWARD rule accepts packets arriving from the LAN on eth0 for forwarding. Now we need to turn forwarding on in the kernel:
# echo 1 > /proc/sys/net/ipv4/ip_forward
And that's it!
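As an added example (not part of the original page), here is a default-deny variant of the same ruleset: it keeps the page's interface names and MASQUERADE rule but sets the FORWARD policy to DROP, so the gateway only forwards connections the LAN opened and their replies. The run wrapper and the DRY_RUN/APPLY variables are this script's own conventions, not iptables options.

```sh
#!/bin/sh
# Added example, not from the original page: default-deny forwarding around
# the page's MASQUERADE rule. Interfaces follow the page (eth0 LAN, ppp0 WAN).
# DRY_RUN=1 prints the iptables commands instead of running them; APPLY=1
# loads them for real (needs root). Both variables are this script's own.
WAN=${WAN:-ppp0}
LAN=${LAN:-eth0}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_firewall() {
    # Same reset as on the page: empty both tables, drop user-defined chains.
    run iptables --flush
    run iptables --table nat --flush
    run iptables --delete-chain
    run iptables --table nat --delete-chain
    # --flush leaves the built-in FORWARD policy at its default of ACCEPT, so
    # the page's single ACCEPT rule adds nothing by itself; deny by default.
    run iptables --policy FORWARD DROP
    # LAN -> Internet: new and ongoing connections.
    run iptables --append FORWARD --in-interface "$LAN" --out-interface "$WAN" -j ACCEPT
    # Internet -> LAN: only replies to connections the LAN opened.
    run iptables --append FORWARD --in-interface "$WAN" --out-interface "$LAN" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Rewrite LAN source addresses to the PPP address, as on the page.
    run iptables --table nat --append POSTROUTING --out-interface "$WAN" -j MASQUERADE
    # Same effect as the page's echo into /proc/sys/net/ipv4/ip_forward.
    run sysctl -w net.ipv4.ip_forward=1
}

# Dry-run in a subshell so DRY_RUN does not leak into the caller.
plan_firewall() {
    ( DRY_RUN=1; apply_firewall )
}

# Number of planned commands matching a pattern, for checking the plan
# before loading it (e.g. exactly one MASQUERADE rule).
count_rules() {
    plan_firewall | grep -c -- "$1"
}

if [ "${APPLY:-0}" = "1" ]; then apply_firewall; else plan_firewall; fi
```

Run it without arguments to see the planned commands, and with APPLY=1 as root to load them.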
There is some setup needed to have this survive a reboot. One approach is to do this through init.d.
The first step is to create a script file called /etc/init.d/myfirewall containing:
#! /bin/sh
#
# Set up a firewall for IP Masquerading
#
PATH=/bin:/usr/bin:/sbin:/usr/sbin

case "$1" in
  start)
    echo -n "Starting IP Masquerading: myfirewall"
    # Clear existing filter and NAT rules and user-defined chains
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    # Masquerade traffic leaving on ppp0; forward traffic arriving from the LAN on eth0
    iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
    iptables --append FORWARD --in-interface eth0 -j ACCEPT
    # Enable IP forwarding in the kernel
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo "."
    ;;
  stop)
    echo -n "Stopping IP Masquerading: myfirewall"
    # Disable IP forwarding; the rules stay loaded but nothing is forwarded
    echo 0 > /proc/sys/net/ipv4/ip_forward
    echo "."
    ;;
  reload)
    echo "Not implemented."
    ;;
  force-reload|restart)
    sh "$0" stop
    sh "$0" start
    ;;
  *)
    echo "Usage: /etc/init.d/myfirewall {start|stop|restart|force-reload|reload}"
    exit 1
    ;;
esac

exit 0
To have it started at boot and stopped at shutdown:
# update-rc.d myfirewall start 40 S . stop 89 0 6 .
