You want to enable Internet connection sharing on your Linux router. You have one or more networks behind your router using private address ranges. You don't want to set up a firewall because you're taking care of that elsewhere, or you just want to do some testing, so you want plain old simple Internet connection sharing.
Use this iptables script, which follows the conventions used in Chapter 3:
    #!/bin/sh
    ##/usr/local/bin/nat_share
    #minimal iptables script for
    #sharing an Internet connection

    #define variables
    ipt="/sbin/iptables"
    mod="/sbin/modprobe"
    WAN_IFACE="eth1"

    #load kernel modules
    $mod ip_tables
    $mod iptable_filter
    $mod iptable_nat
    $mod ip_conntrack
    $mod iptable_mangle
    $mod ipt_MASQUERADE
    $mod ip_nat_ftp
    $mod ip_nat_irc
    $mod ip_conntrack_ftp
    $mod ip_conntrack_irc

    #Flush all active rules and delete all custom chains
    $ipt -F
    $ipt -t nat -F
    $ipt -t mangle -F
    $ipt -X
    $ipt -t nat -X
    $ipt -t mangle -X

    #Set default policies
    $ipt -P INPUT ACCEPT
    $ipt -P FORWARD ACCEPT
    $ipt -P OUTPUT ACCEPT
    $ipt -t nat -P OUTPUT ACCEPT
    $ipt -t nat -P PREROUTING ACCEPT
    $ipt -t nat -P POSTROUTING ACCEPT
    $ipt -t mangle -P PREROUTING ACCEPT
    $ipt -t mangle -P POSTROUTING ACCEPT

    #always have an entry for interface lo
    #(the OUTPUT chain matches on the outgoing interface, so it takes -o, not -i)
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A OUTPUT -o lo -j ACCEPT

    #rewrite source addresses to WAN address
    $ipt -t nat -A POSTROUTING -o $WAN_IFACE -j SNAT --to-source 22.33.44.55
Of course, you must substitute your own interface name and WAN address. If you don't have a static WAN address, but get it from DHCP, use this line instead:
    #Enable IP masquerading
    $ipt -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
This script offers zero protection—it does no packet filtering at all, but only handles the job of rewriting your private addresses to your WAN address and back again.
You're probably looking at this script and wondering "what is so simple about this giant script?" But it really is. All those kernel modules are required. You could get rid of that part of the script by building them into a custom kernel instead of using loadable modules. You could leave out the next section, the part that flushes existing rules and chains, by using a separate script to do this, such as fw_flush from Chapter 3. It's important to give iptables a clean start so you're not getting interference from leftover rules or chains. Finally, you have to have the correct policies, or you might get unexpected results. The last line makes it possible to share your Internet connection.
This is a completely insecure setup. Why would you want to use this? It's good for testing, and for when you want to place your firewall somewhere else. For example, you might want to use a separate firewall for each network segment, or one firewall for a DMZ, and another one for your private networks.
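Because a NAT-only ruleset like this one is easy to leave loaded after testing, it helps to be able to recognize it. The following is an added example, not part of the original recipe: a shell function that reads iptables-save output on stdin and reports whether NAT is active without any filtering on forwarded traffic. The function names, the three result labels, and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an iptables-save dump read on stdin.
# Heuristic only: it looks at the nat table's POSTROUTING chain and the
# filter table's FORWARD chain, and does not follow user-defined chains,
# so filtering done in a custom chain is reported as nat-unfiltered.
audit_nat_ruleset() {
    awk '
        /^\*/ { table = substr($0, 2); next }      # "*nat", "*filter", ...
        table == "nat" && $1 == "-A" && $2 == "POSTROUTING" {
            for (i = 3; i < NF; i++)
                if ($i == "-j" && ($(i+1) == "SNAT" || $(i+1) == "MASQUERADE"))
                    nat = 1
        }
        table == "filter" && $1 == ":FORWARD" { policy = $2 }
        table == "filter" && $1 == "-A" && $2 == "FORWARD" {
            for (i = 3; i < NF; i++)
                if ($i == "-j" && ($(i+1) == "DROP" || $(i+1) == "REJECT"))
                    filtered = 1
        }
        END {
            if (!nat)                                 print "no-nat"
            else if (policy == "ACCEPT" && !filtered) print "nat-unfiltered"
            else                                      print "nat-filtered"
        }
    '
}

# Constructed, abbreviated sample of a dump with the recipe's rules loaded.
sample_recipe_dump() {
cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j SNAT --to-source 22.33.44.55
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
EOF
}

sample_recipe_dump | audit_nat_ruleset
```

On a live router, run it as root with iptables-save | audit_nat_ruleset.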
There is a lot of overlap between routers and iptables, so don't make yourself crazy trying to over-complicate your routers. For example, ip also has options for configuring NAT. It's a bit of a pain, and full of perilous pitfalls. iptables gives you much finer control and fewer traps. As a general rule, leave routing to your routers, and packet-filtering and mangling to iptables.
See Chapter 3 to learn more about iptables
To learn about NAT and iproute2, see Martin Brown's excellent "Guide to IP Layer Network Administration with Linux": http://linux-ip.net/html/index.html