Use iptables to Implement Packet Filtering and Configure Network Address Translation (NAT)
This article describes how to use iptables to implement packet filtering and configure Network Address Translation (NAT), with specific reference to the information needed for the RHCE EX300 certification exam.
Remember, the exams are hands-on, so it doesn’t matter which method you use to achieve the result, so long as the end product is correct.
To test this requirement we need two servers (rhce1 and rhce2). The first server has two ethernet adapters. One allows connections to the internet, while the other is part of a private network. The second server has a single ethernet adapter on the private network. The aim is to allow rhce2 to connect to the internet via rhce1.
rhce1.localdomain :
  eth0 192.168.0.190 - Connects to the internet.
  eth1 192.168.1.190 - Private network.

rhce2.localdomain :
  eth0 192.168.1.191 - Private network.
Edit the “/etc/sysctl.conf” file on rhce1, amending the “net.ipv4.ip_forward” entry as follows.
net.ipv4.ip_forward = 1
Run the following command to make the change take effect.
# /sbin/sysctl -p
Make sure the gateway on rhce2 is set to the private network address of rhce1 and that rhce2 can resolve names.
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.190   0.0.0.0         UG    0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     1      0        0 eth0
#
# nslookup oracle.com
Server:         192.168.0.4
Address:        192.168.0.4#53

Non-authoritative answer:
Name:   oracle.com
Address: 184.108.40.206
#
Configure the firewall on rhce1 to forward packets between the two networks and to apply NAT (masquerading) to traffic leaving through the adapter with external access.
# iptables -I FORWARD -i eth1 -o eth0 -j ACCEPT
# iptables -I FORWARD -i eth0 -o eth1 -j ACCEPT
# iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
# service iptables save
The rhce2 machine should now have access to the internet via the rhce1 box.
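As an added example that is not part of the original article, the following shell script produces the gateway configuration above in iptables-restore format, with the eth0 -> eth1 forwarding rule limited to replies to connections opened from the private network (the rule as given forwards any packet arriving from the internet into the private network), and includes a check that a saved ruleset and the ip_forward sysctl are what the gateway needs. The function names and the check are my own; the interface names follow the article.

```shell
#!/bin/sh
# Added example: build the NAT/forwarding ruleset in iptables-restore format
# and verify a saved ruleset before relying on the gateway. Not from the article.
# Apply as root with: sh nat.sh eth0 eth1 | iptables-restore
# (the file it prints is the same format as /etc/sysconfig/iptables).

# Print an iptables-restore ruleset for external interface $1, private interface $2.
gen_nat_rules() {
    ext=$1; int=$2
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Private hosts may open connections out through the external interface.
-A FORWARD -i $int -o $ext -j ACCEPT
# Only replies to those connections are forwarded back in; unsolicited traffic is dropped.
-A FORWARD -i $ext -o $int -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite the source address of outbound traffic to the external interface's address.
-A POSTROUTING -o $ext -j MASQUERADE
COMMIT
EOF
}

# Return 0 when saved ruleset $1 (e.g. /etc/sysconfig/iptables) forwards $3 -> $2,
# accepts return traffic $2 -> $3, masquerades on $2, and the sysctl file $4
# (default /proc/sys/net/ipv4/ip_forward) reads 1; otherwise report and return 1.
check_gateway() {
    rules=$1; ext=$2; int=$3; fwd=${4:-/proc/sys/net/ipv4/ip_forward}
    [ "$(cat "$fwd" 2>/dev/null)" = "1" ] \
        || { echo "ip_forward is not 1" >&2; return 1; }
    grep -q -- "-A FORWARD -i $int -o $ext -j ACCEPT" "$rules" \
        || { echo "missing $int -> $ext forward rule" >&2; return 1; }
    grep -q -- "-A FORWARD -i $ext -o $int .*-j ACCEPT" "$rules" \
        || { echo "missing $ext -> $int return-traffic rule" >&2; return 1; }
    grep -q -- "-A POSTROUTING -o $ext -j MASQUERADE" "$rules" \
        || { echo "missing MASQUERADE on $ext" >&2; return 1; }
    return 0
}

# Stand-alone use: print the ruleset for the interfaces given (defaults from the article).
gen_nat_rules "${1:-eth0}" "${2:-eth1}"
```

The return-traffic check accepts both the stateful rule generated here and the unrestricted rule from the article, so it can also be run against a ruleset saved with `service iptables save`.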
For more information see: