There are times you may want to set up a system to act as a go-between for a network and the Internet.
This ‘go-between’ is a system that acts as a router and is designated as the gateway for the systems on a network.
Let’s look at this in more detail.
We start with a regular layout of a network with one or more systems. We really don’t want to open the whole network up to the Internet, so we have a system that will act as a router between the two networks, the public and private one.
The private network is the local network with one or more systems. The public network is the Internet. We definitely do not want to make the local network part of the public network, which would open the systems up to ‘attack’ by any system on the Internet.
We add a system, the routing system, that will contain two Network Interface Cards (NICs). One card will be connected to the private network, and the other connects to the public network. We can see an example layout in Figure 1.
This article will help to set up the routing system. In later articles, we will go over adding more configuration, but this article will help you set up the basic system.
As usual, we can build this system in VirtualBox, so you can set up a routing system without any physical hardware. Using VirtualBox lets you practise making this setup work.
If you look back at Figure 1, you can see that my Host Network is using the IP Network 10.1.0.0/8. My Bridged Network is using the IP Address of 192.168.1.159/24.
I set up another Host Network in VirtualBox under File, Host Network Manager. Click on the ‘Create’ icon to create a new Host Network.
NOTE: The reason I did a new Host Network was that the existing one had addresses too similar to my local network. The Bridge Adapter gets an address from my local network. I did not want any confusion from the similar addresses.
Once the new Adapter is created, configure a new Adapter for the VirtualBox system. In my case, I set its addressing to 10.1.0.1 and 255.0.0.0. I then enabled the DHCP Server for this Adapter on the next tab. Here, I set the Server Address to 10.1.0.1. The DHCP lower address is 10.1.0.2 and the upper address is 10.1.0.254. The Subnet Mask is 255.0.0.0. Apply the changes and then click on ‘Close’.
In the Virtual Machine Settings, go under Network and select the Host Only Network. Choose the adapter that you created in the Host Network Manager. When started, the Virtual Machines should use the new IP Addresses that you just set up.
To test things, from the regular system, ping the address of the Bridged system. You should get a response. If you then ping an address on the Internet, such as 18.104.22.168, you should not get a response.
Setting Up the Routing System
If you want to do this on VirtualBox, then you only need two machines set up.
NOTE: These instructions work for both CentOS 7 and Ubuntu 18.04, whichever LFCS Certification path you choose.
On the ‘router’ system, you can use the command ‘ip r’. The ‘r’ is for ‘route’. Here, you get a basic listing of the networks that the virtual machine NICs are connected to. The same line shows the local IP Address being used on that network, and the network adapter’s name. For a system that has a Gateway set up, it is listed on the very first line as ‘default via’. If no ‘default via’ line is present, then the system has no Gateway. See Figure 2 for the output of the command ‘ip r’ from my ‘router’ system.
To see the difference, Figure 3 is from the regular host PC.
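As an added example (not from the article), here is a small shell helper that reads ‘ip r’ output the way the paragraph above describes: the gateway, if any, is the ‘default via’ line, and its absence means the system has no gateway. The two routing tables below are constructed to match the article's layout (a router with a bridged NIC and a host-only NIC, and a client with only the host-only NIC); the 192.168.1.1 gateway and the 10.1.0.5 client address are assumptions, not the article's Figure 2 or 3.

```shell
#!/bin/sh
# Added example: extract the default gateway from `ip r` output.
# Both samples are constructed. Note the kernel prints the network base
# address (10.0.0.0/8) for a 255.0.0.0 mask, not the host's own address.
ROUTER_SAMPLE='default via 192.168.1.1 dev enp0s3 proto dhcp metric 100
10.0.0.0/8 dev enp0s8 proto kernel scope link src 10.1.0.1
192.168.1.0/24 dev enp0s3 proto kernel scope link src 192.168.1.159 metric 100'

CLIENT_SAMPLE='10.0.0.0/8 dev enp0s8 proto kernel scope link src 10.1.0.5'

# Print "<gateway> <interface>" for the default route, or nothing if there is none.
# Field layout of the line: default via <gw> dev <iface> ...
default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3, $5; exit }'
}

# Exit status 0 if the routing table carries a default route, 1 otherwise.
has_default_route() {
    [ -n "$(default_gateway "$1")" ]
}

# Live use on a machine:  has_default_route "$(ip r)" || echo "no gateway configured"
```

The check is handy on the client VMs later in the article: a machine that fails ‘has_default_route’ cannot reach anything past its own network, regardless of how the router is configured.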
To check if we set the system as ‘router’, we need to view the contents of:
The contents of the file are ‘0’. This means that IP Forwarding is disabled. IP Forwarding is what a system does when it is sent a packet meant for another network. The system will forward the packet on to the next network.
To change the value to ‘1’, edit the file ‘/etc/sysctl.conf’. At the end of the file, add the line:
Save the file. At a prompt, you can make the changes take effect with the command ‘sudo sysctl -p’.
Now, if you ‘cat’ the file ‘ip_forward’, it should contain a ‘1’.
The routing system should now be functional; we just need to have our regular systems use it as a Gateway.
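The following added example (not the article's own commands) wraps the forwarding check and the persistent sysctl change from the steps above into two reusable shell functions. It assumes the standard kernel knob ‘/proc/sys/net/ipv4/ip_forward’ and the standard ‘/etc/sysctl.conf’ file; both paths can be overridden so the functions can be exercised against scratch files.

```shell
#!/bin/sh
# Added example: check and persistently enable IPv4 forwarding.
# Defaults are the standard kernel and sysctl paths; override them for testing.
IP_FORWARD_FILE="${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"
SYSCTL_CONF="${SYSCTL_CONF:-/etc/sysctl.conf}"

# Return 0 if forwarding is enabled, 1 if disabled, 2 if the file is unreadable
# or holds something other than 0/1 (treat that as "not a router").
ip_forward_state() {
    file="${1:-$IP_FORWARD_FILE}"
    [ -r "$file" ] || return 2
    case "$(cat "$file")" in
        1) return 0 ;;
        0) return 1 ;;
        *) return 2 ;;
    esac
}

# Append the sysctl line only if an equivalent one is not already present, so
# running this twice does not leave duplicate entries. Prints "added" or "already set".
ensure_sysctl_line() {
    conf="${1:-$SYSCTL_CONF}"
    if grep -qE '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1' "$conf" 2>/dev/null; then
        echo "already set"
    else
        printf '%s\n' 'net.ipv4.ip_forward = 1' >> "$conf"
        echo "added"
    fi
}

# Typical use on the router (needs root for the real files):
#   ensure_sysctl_line && sudo sysctl -p && ip_forward_state && echo "forwarding on"
```

Keeping the change in ‘/etc/sysctl.conf’ rather than writing ‘1’ straight into the proc file is what makes it survive a reboot; ‘sudo sysctl -p’ loads the file immediately so you do not have to wait for one.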
Setting Up a Gateway
If you remember Figure 3, the regular system has no default gateway and has no way to access the Internet.
In my example network, in Figure 1, we need to set up the regular PCs to use the address ‘10.1.0.1’ as their Gateway.
To do this, we use the command:
sudo ip route add default via 10.1.0.1
If you run the command ‘ip r’, you should see that a Gateway has now been enabled. The problem is that this is only temporary until a reboot.
NOTE: I can ping devices on the network past the ‘router’ system on the network ‘192.168.1.0’, but not on the ‘next’ network. I can only reach devices on the network that the Gateway is directly connected to. We’ll fix this in a moment.
To make the Gateway permanent, make a note of the network adapter name (enp0s8).
This part is different for Ubuntu and CentOS, so this next section is for Ubuntu:
Edit the file ‘/etc/netplan/01-network-manager-all.yaml’ and replace the contents with:
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
addresses: [22.214.171.124, 126.96.36.199]
Change your NIC Adapter Name, IP Address, Subnet, Gateway and DNS Servers as you need.
Save the file and run:
sudo netplan --debug generate
sudo netplan apply
Now you need to reboot the system for the changes to take effect. Once you reboot, you should be able to ping a device on the other side of the ‘router’ that is still on the same logical network.
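Since the netplan file above is shown only in part, here is an added example (not the article's file) that renders a complete static configuration for the client VM and applies it with the two commands from this section. The NIC name (enp0s8), gateway (10.1.0.1) and DNS servers follow the article; the client address 10.1.0.10/8, the ‘networkd’ renderer and the ‘install_netplan’ helper are assumptions.

```shell
#!/bin/sh
# Added example: render and install a static netplan config so the default
# gateway survives a reboot. 10.1.0.10/8 is an assumed client address.

# Print the YAML to stdout. 'gateway4' is the Ubuntu 18.04 netplan syntax.
render_netplan() {
    nic="$1"; addr="$2"; gw="$3"; dns="$4"
    cat <<EOF
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    $nic:
      dhcp4: no
      addresses: [$addr]
      gateway4: $gw
      nameservers:
        addresses: [$dns]
EOF
}

# A typo in the adapter name leaves the VM with no gateway at all after
# 'netplan apply', so refuse to write a config for a NIC that is not present.
nic_exists() {
    [ -d "/sys/class/net/$1" ]
}

# Write the file, then generate and apply (the article's two commands).
install_netplan() {
    target="${1:-/etc/netplan/01-network-manager-all.yaml}"
    nic="${2:-enp0s8}"
    nic_exists "$nic" || { echo "no such interface: $nic" >&2; return 1; }
    render_netplan "$nic" "${3:-10.1.0.10/8}" "${4:-10.1.0.1}" \
        "${5:-22.214.171.124, 126.96.36.199}" | sudo tee "$target" >/dev/null
    sudo netplan --debug generate && sudo netplan apply
}

# Usage:  install_netplan /etc/netplan/01-network-manager-all.yaml enp0s8
```

Newer netplan releases prefer a ‘routes:’ entry with ‘to: default’ over ‘gateway4’, but the key above is the one that matches the Ubuntu 18.04 release the article targets. YAML indentation is significant, which is why the template is generated rather than typed by hand.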
For CentOS 7, you need to:
Now you can edit the file ‘ifcfg-enp0s8’ (or the adapter your system is using).
Change the line that is ‘DEFROUTE="no"’ to ‘DEFROUTE="yes"’. Also, add a line that is ‘GATEWAY=10.1.0.1’ (or the address for your router). Save the changes and reboot.
Now, we have everything set up except for Network Address Translation (NAT) for our ‘router’.
Network Address Translation (NAT)
Network Address Translation (NAT) is a process that allows multiple systems on a private network to access a public network using a single IP Address. All the systems on the private network send their requests to the ‘router’ at address 10.1.0.1. The ‘router’ processes these packets and sends them out using its own IP Address of ‘192.168.1.159’. When the replies come back from the destination system, the ‘router’ translates the address back to the private IP Address and sends them on to the original PC.
All we need to do is turn on NAT and everything should work.
Perform the command ‘sudo iptables -L’ to list the existing rules for routing.
We can add a rule to allow the system to ‘masquerade’ as the other systems.
The command to add this rule is:
sudo iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
The table we are adding the rule to is the NAT table, so it is listed as ‘nat’. We specify ‘POSTROUTING’ because the translation is applied after the routing decision, to packets that are meant for someone other than the ‘router’. The network adapter we send those packets out of is the ‘enp0s3’ adapter. Make sure you get the adapter correct. We use MASQUERADE to let the ‘router’ act as the original sender of the packet. This hides the original sender and its IP Address.
Once the command completes, you can run ‘sudo iptables -t nat -L’ to see the new rule.
Now, if you go to the system that is on the private network, you should be able to ping systems on the Internet.
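As an added example (not the article's commands), the shell functions below install the MASQUERADE rule from this section idempotently, verify it from the rule listing, and add the FORWARD-chain restriction a practitioner would want alongside it. The adapter names follow the article (enp0s3 public, enp0s8 private); the sample rule listing is constructed, and ‘restrict_forwarding’ is an addition beyond what the article configures.

```shell
#!/bin/sh
# Added example: NAT and forwarding rules for the router.
PUB_IF="${PUB_IF:-enp0s3}"    # bridged NIC, public side (article's adapter)
PRIV_IF="${PRIV_IF:-enp0s8}"  # host-only NIC, private side (article's adapter)

# Constructed sample of `sudo iptables -t nat -S POSTROUTING` after the rule is added.
NAT_SAMPLE='-P POSTROUTING ACCEPT
-A POSTROUTING -o enp0s3 -j MASQUERADE'

# Given the output of `iptables -t nat -S POSTROUTING`, return 0 if a
# MASQUERADE rule exists for the named outgoing interface.
has_masquerade() {
    rules="$1"; iface="$2"
    printf '%s\n' "$rules" | grep -qE -- "^-A POSTROUTING .*-o ${iface} .*-j MASQUERADE$"
}

# Idempotent install: -C checks whether the rule exists, -A appends only if not,
# so re-running the script does not stack duplicate MASQUERADE rules.
add_masquerade() {
    sudo iptables -t nat -C POSTROUTING -o "$PUB_IF" -j MASQUERADE 2>/dev/null ||
        sudo iptables -t nat -A POSTROUTING -o "$PUB_IF" -j MASQUERADE
}

# With ip_forward=1 and the built-in FORWARD policy of ACCEPT, the router
# forwards anything that reaches it. Allow only private->public traffic and
# the replies to it, and drop everything else.
restrict_forwarding() {
    sudo iptables -A FORWARD -i "$PRIV_IF" -o "$PUB_IF" -j ACCEPT
    sudo iptables -A FORWARD -i "$PUB_IF" -o "$PRIV_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    sudo iptables -P FORWARD DROP
}

# Usage on the router:
#   add_masquerade && restrict_forwarding
#   has_masquerade "$(sudo iptables -t nat -S POSTROUTING)" "$PUB_IF" && echo "NAT rule present"
```

Like the temporary ‘ip route add’ earlier, these iptables rules are lost on reboot; ‘sudo iptables-save’ shows the current rule set in a form that can be restored with ‘iptables-restore’ at boot.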
You should have a basic understanding of setting up a Linux system as a router.
This process can be very handy for any network to help protect systems from the Internet. You can also connect two physical networks that both may be private, and allow them to communicate with one another.