Tag: ubuntu

In this example we have 2 private subnets 192.168.1.0/24 and 172.16.1.0/24 where only 192.168.1.xxx addresses can directly access the router at 192.168.1.1. We want to access the internet from both subnets.

We need a machine connected to both networks and allow IP forwarding from 172.16.1.0/24 to 192.168.1.0/24. Although probably better with 2 NICs it can be done usings network aliases using only 1 network interface.

Presuming you have a configured NIC with an address for eth0 on the 192.168.1.0/24 range and on eth0:1 an address from 172.168.1.0/24 we can start configuring the machine. This machine will act as the gateway for the 172.16.1.xxx range.

First check if packet forwarding is activated.
Step 1:
Check /etc/default/ufw and make sure DEFAULT_FORWARD_POLICY is set to ACCEPT.

DEFAULT_FORWARD_POLICY="ACCEPT"

Step 2:
Type the following to test for IP forwarding

cat /proc/sys/net/ipv4/ip_forward

If this returns 0 we need to turn it on. Edit /etc/ufw/sysctl.conf and uncomment

net.ipv4.ip_forward=1

Now to configure IP masquerading, network address translation
Edit the file /etc/ufw/before.rules and add the following code to the top.

*nat
:POSTROUTING ACCEPT [0:0]

#Forward traffic from the alias range 172.16.1.xxx through eth0
-A POSTROUTING -s 172.16.1.0/24 -o eth0 -j MASQUERADE

COMMIT

To activate new firewall settings type

ufw disable
ufw enable

If ufw was not already enabled you may need to alter some rules as it may now be blocking some routes and ports. In this example we may need to add rules such as.

ufw allow from 192.168.1.0/24
ufw allow to 192.168.1.0/24
ufw allow from 172.16.1.0/24
ufw allow to 172.16.1.0/24

Tested with ubuntu server 11.10