46.11. Gateways and NAT
For two separate networks to communicate,
a gateway is needed. A gateway has at least two
network interfaces (two network cards,
a network card and a modem, and so forth) and routes packets between
the networks as appropriate.
Routers and cable modems both
function as gateways.
Unix machines can also function as gateways. There are several
reasons to use your Unix machine as your gateway: it is generally
more flexible than the built-in gateways in cable
modems and DSL routers; it can function as a firewall
(Section 46.12);
and if you have a limited number of IP addresses, it can
perform Network Address
Translation (NAT) for you.
NAT allows the machines on your LAN to use private
addresses, that is, the address ranges set out
in RFC1918 as reserved for private networks. These include
192.168.0.0 with netmask 255.255.0.0 (also known as 192.168.0.0/16),
172.16.0.0 with netmask 255.240.0.0 (also known as 172.16.0.0/12),
and 10.0.0.0 with netmask 255.0.0.0 (also known as 10.0.0.0/8).
Within the private network, you can use as many addresses as the
block you picked provides, and you never have to register them with
anyone, because they are never seen on the public Internet. The
gateway runs a NAT server, which rewrites the source address of every
outgoing packet to its single public address (the address of the
public side of the gateway), keeping a table of which private host
and port each connection belongs to so that the replies can be
rewritten back to the correct private address on the way back in. A
side effect worth knowing about: a packet arriving from outside that
matches no entry in that table has nowhere to go and is simply
dropped. This is why a NAT gateway is often described as a crude
firewall, though it is no substitute for a real one (Section 46.12).
If you use DHCP (Section 46.10) to configure
your workstations, you can easily configure your gateway and NAT
server to be your DHCP server also and hand out private addresses to
your LAN.
Note that a single public address shared by NAT
really only works for workstations, that is,
for hosts that open connections outward. A server that
must accept connections from outside needs something on the public
side that the rest of the world can reach, and there are two ways to
provide it while still keeping the server behind your
gateway/firewall. The first is to give the server its own distinct
public IP address, in addition to the main public IP address for the
gateway, and have the NAT server map that public address one-to-one
onto the server's private address (natd's -redirect_address
option). This is the straightforward setup, but it costs one public
address per server. The second works with the one public static IP
address you need for the gateway anyway: natd's -redirect_port
option directs specific ports on the gateway to ports on private
servers. This way you can have a private web
server and a private mail server and direct incoming port 80 (HTTP)
requests to the web server and incoming port 25 (SMTP) requests to
the mail server. Either way, remember that a redirected port is
exposed to the Internet exactly as if the server had a public
address; the private address buys it no protection, so your firewall
rules still have to restrict what reaches it. Read the natd
documentation for more details on how to do complex configurations
like this.
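As an added example (not code from the book or from natd), here is a small Python model of what the NAT server described above does: outgoing connections from private hosts are rewritten to the gateway's single public address with a freshly allocated source port, replies are matched against the table and rewritten back, unsolicited packets from outside are dropped, and a few static redirects play the role of natd's port redirection (incoming port 80 to the web server, port 25 to the mail server). The NatGateway class and Packet type are this example's own, and all addresses are constructed from the documentation ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# The three RFC1918 blocks from the text; nothing in them is routed on the
# public Internet, so packets carrying them must be rewritten at the gateway.
PRIVATE_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def is_private(addr: str) -> bool:
    """True if addr falls in one of the RFC1918 blocks."""
    a = ip_address(addr)
    return any(a in net for net in PRIVATE_NETS)


@dataclass(frozen=True)
class Packet:
    """Just the fields NAT cares about: the two address/port pairs."""
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    """Toy model (this example's own, not natd) of a masquerading NAT
    gateway with static port redirects."""

    def __init__(self, public_ip: str,
                 redirects: Optional[Dict[int, Tuple[str, int]]] = None,
                 first_port: int = 1024):
        self.public_ip = public_ip
        # public port -> (private host, private port), like natd -redirect_port
        self.redirects = dict(redirects or {})
        self.next_port = first_port
        # (private src, sport, dst, dport) -> public port handed out to that flow
        self.out_table: Dict[Tuple[str, int, str, int], int] = {}
        # (public port, remote ip, remote port) -> (private src, sport)
        self.in_table: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: rewrite the private source to the public address."""
        if not is_private(pkt.src):
            return pkt  # already public; nothing to translate
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out_table:
            # New flow: allocate a public port so that two LAN hosts using the
            # same source port toward the same server stay distinguishable.
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, self.out_table[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> gateway: return the packet as delivered to the LAN,
        or None if the gateway has no reason to let it in."""
        if pkt.dst != self.public_ip:
            return None
        # 1. a reply to a connection some LAN host opened
        entry = self.in_table.get((pkt.dport, pkt.src, pkt.sport))
        if entry is not None:
            priv_ip, priv_port = entry
            return Packet(pkt.src, pkt.sport, priv_ip, priv_port)
        # 2. a port the administrator redirected to an internal server
        if pkt.dport in self.redirects:
            priv_ip, priv_port = self.redirects[pkt.dport]
            return Packet(pkt.src, pkt.sport, priv_ip, priv_port)
        # 3. unsolicited and unredirected: nowhere to send it, so drop it
        return None


def demo() -> dict:
    """Walk through the cases in the text with constructed sample traffic."""
    gw = NatGateway("203.0.113.5",
                    redirects={80: ("192.168.1.10", 80),
                               25: ("192.168.1.20", 25)})
    # a workstation on the LAN opens an HTTPS connection outward
    out = gw.outbound(Packet("192.168.1.37", 40000, "198.51.100.9", 443))
    # the same flow again reuses the same public port
    again = gw.outbound(Packet("192.168.1.37", 40000, "198.51.100.9", 443))
    # a second workstation, same source port, same server: distinct public port
    out2 = gw.outbound(Packet("192.168.1.38", 40000, "198.51.100.9", 443))
    # the server's reply arrives at the public address and is mapped home
    reply = gw.inbound(Packet("198.51.100.9", 443, "203.0.113.5", out.sport))
    # an outside client hits port 80 on the gateway: sent to the web server
    web = gw.inbound(Packet("198.51.100.9", 51000, "203.0.113.5", 80))
    # an outside client probes port 22: no flow, no redirect, dropped
    probe = gw.inbound(Packet("198.51.100.9", 51000, "203.0.113.5", 22))
    return {"out": out, "again": again, "out2": out2,
            "reply": reply, "web": web, "probe": probe}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:6} -> {pkt}")
```

The reply lookup is keyed on the remote address and port as well as the public port, so an outsider cannot reach a workstation merely by guessing which public port it was given; the redirect step, by contrast, is a deliberate hole, and the host behind it sees every probe the Internet sends to that port.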
In FreeBSD, enabling gatewaying is as
simple as putting the line gateway_enable="YES" in
your /etc/rc.conf. Most Linux distributions
provide a simple way to set the proper sysctl
variable (net.ipv4.ip_forward, also visible as
/proc/sys/net/ipv4/ip_forward) during startup as
well. On other systems you may need to recompile your kernel
(Section 44.3)
to turn on IP forwarding, or it may be on by default. Whatever the
system, check that forwarding is off on machines that are not meant
to be gateways, and on the gateway itself load the firewall rules
before turning it on: a host that forwards without filtering will
route anything it is handed between its two networks.
Generally all that's required to run
natd is to add it to your startup files and tell
it which network device it should consider to be the
"outside world":
natd -interface rl0
Note that natd does not see packets by itself: the kernel hands them
to it through an ipfw divert socket, so the gateway also needs ipfw
enabled with a divert rule for that interface. On FreeBSD, setting
natd_enable and natd_interface in /etc/rc.conf alongside the
firewall settings takes care of both; see the natd and rc.conf
manual pages.
Linux doesn't use
natd for NAT. Instead, it does IP
masquerading inside the kernel's packet filter (the MASQUERADE
target of iptables on 2.4 and later kernels). Read the masquerading
HOWTO at
http://en.tldp.org/HOWTO/IP-Masquerade-HOWTO/
for more information on how to deal with NAT on Linux.
-- DJPH
Copyright © 2003 O'Reilly & Associates. All rights reserved.