How to set up Internet connection sharing with iptables on Linux

Last updated on October 12, 2020 by Dan Nanni

In this tutorial, I'll explain how to share a single Internet connection among multiple devices on Linux. While consumer-grade WiFi routers have become mainstream nowadays, making this problem a non-issue, suppose you don't have one at home. However, say you have a Linux box already assembled with a modem and a LAN card. The modem is connected to the Internet with a dynamic public IP address, and the LAN card connected to your switch/hub. Other devices (Linux/Windows PC, laptop) are connected to the switch without having any Internet connection. To share the Internet connection of the Linux box, you have to turn the box into a gateway, so that it can relay traffic to and from other devices.

Glossary of Terms

Hardware Requirements

Step-by-Step Guide

The following procedure is required on the Linux box (the connection sharing gateway).

1. Activate IP forwarding

In order to set up Internet connection sharing, you need to enable IP forwarding on the Linux box with a kernel parameter. Startup kernel parameters are stored in /etc/sysctl.conf.

Open this file, and locate a line that says # net.ipv4.ip_forward = 0. Remove hash mark (i.e., uncomment it), and set the value to 1. It should look like the following:

net.ipv4.ip_forward = 1

You may also activate IP forwaring at run time by the following command, but this change does not survive reboots:

$ sudo sysctl -w net.ipv4.ip_forward=1
$ sudo sysctl -p

2. NAT configuration

Another important part of Internet connection sharing is NAT configuration which can be done using iptables command. iptables maintains four firewall tables:

In this tutorial we will use only two tables: FILTER and NAT tables.

First, flush all active firewall rules.

$ sudo iptables -X
$ sudo iptables -F
$ sudo iptables -t nat -X
$ sudo iptables -t nat -F

On the INPUT table, you have to set chain FORWARD to ACCEPT target, so all packets passed through the box will be processed correctly.

$ sudo iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ sudo iptables -I FORWARD  -m state --state RELATED,ESTABLISHED -j ACCEPT

On the NAT table, you have to enable IP masquerading for your WAN interface. We assume that the WAN interface is ppp0. To enable IP masquerading on ppp0 interface, you can use the following command:

$ sudo iptables -t nat -I POSTROUTING -o ppp0 -j MASQUERADE

3. Configuring a private IP address

After all configuration is completed on the Linux box, you have to configure the DNS server and default gateway of other devices (Linux/Windows PC, laptop), so that they point to the Linux box. Note that you don't need to set up a DNS server on the Linux box. Every DNS request from other devices are automatically forwarded by the Linux box to your upstream ISP.

If you are using Linux on the other devices, you can use the following command to change their default gateway and DNS servers. I assume that you are using 192.168.1.0/24 private IP address segment, and that 192.168.1.1 is the IP address assigned to the Linux box.

$ sudo ip route del default
$ sudo ip route add default via 192.168.1.1
$ sudo sh -c "echo 'nameserver 192.168.1.1' > /etc/resolv.conf"

If you have other Linux devices, you can repeat the command above on other devices.

If you have a Windows device, you can change the default gateway and the DNS server via network connection properties on the control panel.

4. The complete script

Here is the complete script which sets up Internet connection sharing on the Linux box. The WAN interface (ppp0) needs to be replaced according to your environment.

$ sudo vi /usr/local/bin/ishare
#!/bin/bash

## Internet connection shating script

sysctl -w net.ipv4.ip_forward=1
sysctl -p
iptables -X
iptables -F
iptables -t nat -X
iptables -t nat -F
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD  -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -I POSTROUTING -o ppp0 -j MASQUERADE

Save the above script to /usr/local/bin/ishare, and then change the executable bit by the following command.

$ sudo chmox +x /usr/local/bin/ishare

If you want the script executed every startup, you can register the script to /etc/rc.local. Open /etc/rc.local, and add the following line before statement exit 0.

/usr/local/bin/ishare

Support Xmodulo

This website is made possible by minimal ads and your gracious donation via PayPal (Credit Card) or Bitcoin (1M161JGAkz3oaHNvTiPFjNYkeABox8rb4g).

Please note that this article is published by Xmodulo.com under a Creative Commons Attribution-ShareAlike 3.0 Unported License. If you would like to use the whole or any part of this article, you need to cite this web page at Xmodulo.com as the original source.

Xmodulo © 2021 ‒ AboutWrite for UsFeed ‒ Powered by DigitalOcean