Your Linux firewall box is assembled and ready to go to work. But first, you must configure a firewall and Internet connection sharing. You're still on IPv4, and your LAN uses mostly nonroutable, private IP addresses, so you want a NAT (Network Address Translation) firewall. You have the type of Internet account that gives you a static, public IP address.
The fw_nat script from the previous recipe needs one line changed. Find:
$ipt -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
and replace it with:
$ipt -t nat -A POSTROUTING -o $WAN_IFACE -j SNAT --to-source 1.2.3.4
Use your own WAN IP address, of course.
Static addresses are good candidates for being put in variables at the beginning of the script, like this:
WAN_IP="1.2.3.4"
Then, your rule looks like this:
$ipt -t nat -A POSTROUTING -o $WAN_IFACE -j SNAT --to-source $WAN_IP
You could still use the MASQUERADE target, but that incurs more
overhead because it checks which IP address to use for every
packet.
Source network address translation (SNAT) rewrites the source address of every packet, leaving your network to the IP address of your firewall box. This is necessary for hosts with private-class addresses to be able to access the Internet.
You can see your NAT-ed addresses with netstat-nat:
# netstat-nat
Proto NATed Address Foreign Address State
tcp stinkpad.alrac.net:41435 64.233.163.99:www ESTABLISHED
tcp stinkpad.alrac.net:45814 annyadvip3.doubleclick.net:www TIME_WAIT
tcp stinkpad.alrac.net:45385 annymdnvip2.2mdn.net:www TIME_WAIT
tcp stinkpad.alrac.net:50392 63.87.252.186:www ESTABLISHED
udp stinkpad.alrac.net:32795 auth.isp.net:domain ASSURED
udp stinkpad.alrac.net:32794 auth.isp.net:domain ASSUREDnetstat-nat is not the
netstat command with a -nat option; it is a separate
command.
Use the -n flag to display IP
addresses instead of hostnames.
man 8 iptables
man 8 netstat
Chapter 1, "Overview of TCP/IP," in TCP/IP Network Administration, by Craig Hunt (O'Reilly)
Oskar Andreasson's Iptables Tutorial: http://iptables-tutorial.frozentux.net/