Network Address Translation is a technique by which several machines can access the Internet through a single shared network connection. To the outside world the cluster of machines will look like a single machine with a single IP address.
For NAT to work you need two or more network interfaces in your machine.
For this example we will assume a setup of two computers, but the procedure is essentially the same when connecting the Firewall to a network hub that then connects to several computers. We are also assuming that the external device is a network card, but a modem or ISDN will work too.
If all hardware is set up correctly, enabling NAT should be very easy and only take a few minutes.
The Firewall/Gateway machine connected to the Internet will have two network cards and the client machine will have one.
The first network card in the FW machine will be the one physically connected to the Internet. This card is usually automatically configured with DHCP. The second network card in the FW machine will be connected to the client machine with a twisted pair Ethernet cable. If you are placing a hub between the client and FW machine(s) the cable should be a straight Ethernet cable.
There are many ways to configure a network interface, depending on the distribution you use. Red Hat Linux ships with a simple tool called netconfig and a more sophisticated graphical tool called redhat-config-network. redhat-config-network works better with multiple network cards in the same machine, so I recommend you use it for the gateway machine.
No matter how you configure the network cards, this is how you should set them up:
The external device (usually eth0):
Any changes you make will take effect after a reboot, or (more elegantly) after a restart of the network services (run "/etc/init.d/network restart" as root in Red Hat for example).
Set the network adapter of the client to the following settings:
Restart the network and you're done.
The two computers should now be connected and the hardware level configuration complete. To test that everything is ok, try pinging the gateway from the client and vice versa.
Enter the following at the firewall machine console to test that the gateway can reach the client:
Similarly, ping 192.168.0.1 (the FW machine) from the client.
If it is not working you know that the problem lies with the hardware configuration. Perhaps you messed up the default gateway setting, so double check it.
At this point:
Run Firestarter on the gateway/firewall machine and start up the wizard. On the third page of the wizard, the Internet Connection Sharing one, select "Enable Network Address Translation". Make sure that the internal network device was detected correctly (usually eth1) and complete the wizard.
Note that you should not give an internal network range manually just because you can. The autodetection is virtually foolproof.
Everything should now be working. The clients should now be able to reach the Internet and advanced features like port forwarding will be accessible in Firestarter.
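One way to confirm on the gateway that the wizard left it in the expected state, as an added example that is not part of the original page or of Firestarter: it checks that IPv4 forwarding is on and that source NAT applies only to the external device. The function names, the interface name eth0 and the sample ruleset are constructed for illustration, and the rule shape it looks for (MASQUERADE or SNAT in the nat table's POSTROUTING chain) is the usual iptables form, assumed here rather than taken from Firestarter's output.

```shell
#!/bin/sh
# Added example: sanity checks for the gateway after NAT has been enabled.
# Assumed name: eth0 = external device (the page's "usually eth0").

# Constructed sample of `iptables-save -t nat` output (not from a real gateway).
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# nat_ifaces RULES
# Print the outgoing interface of every POSTROUTING rule that rewrites the
# source address (MASQUERADE or SNAT); "any" if the rule names no interface.
nat_ifaces() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "POSTROUTING" {
            out = "any"; nat = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-o") out = $(i + 1)
                if ($i == "-j" && ($(i + 1) == "MASQUERADE" || $(i + 1) == "SNAT")) nat = 1
            }
            if (nat) print out
        }'
}

# check_gateway IP_FORWARD RULES EXT_IF
# Return 0 only if forwarding is on and NAT is applied on EXT_IF and nowhere else.
check_gateway() {
    fwd=$1; rules=$2; ext=$3; status=0
    if [ "$fwd" != "1" ]; then
        echo "FAIL: ip_forward is '$fwd', client traffic will not be routed"; status=1
    fi
    ifaces=$(nat_ifaces "$rules")
    if ! printf '%s\n' "$ifaces" | grep -qxF "$ext"; then
        echo "FAIL: no MASQUERADE/SNAT rule leaving $ext"; status=1
    fi
    for i in $ifaces; do
        if [ "$i" != "$ext" ]; then
            echo "FAIL: NAT rule on '$i', expected only $ext (devices swapped?)"; status=1
        fi
    done
    return $status
}

# Demo on the constructed sample. On a real gateway, as root:
#   check_gateway "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables-save -t nat)" eth0
check_gateway 1 "$SAMPLE_NAT" eth0 && echo "OK: forwarding on, NAT only on eth0"
```

A failure that names the internal device points at the internal and external devices having been mixed up in the wizard.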