Firestarter

Firestarter Manual


NAT - Internet Connection Sharing

Network Address Translation (NAT) is a technique by which several machines can access the Internet through a single shared network connection. To the outside world the cluster of machines looks like a single machine with a single IP address.

For NAT to work you need two or more network interfaces in your machine.

For this example we will assume a setup of two computers, but the procedure is essentially the same when connecting the Firewall to a network hub that then connects to several computers. We are also assuming that the external device is a network card, but a modem or ISDN will work too.

If all hardware is set up correctly, enabling NAT should be very easy and only take a few minutes.

The Physical Setup

Figure: A complex NAT setup

The Firewall/Gateway machine connected to the Internet will have two network cards and the client machine will have one.

The first network card in the FW machine will be the one physically connected to the Internet. This card is usually configured automatically with DHCP. The second network card in the FW machine will be connected to the client machine with a twisted pair Ethernet cable. If you are placing a hub between the client and FW machine(s), the cable should be a straight Ethernet cable.

Figure: A simple NAT setup

Configuring the Gateway

There are many ways to configure a network interface, depending on the distribution you use. Red Hat Linux ships with a simple tool called netconfig and a more sophisticated graphical tool called redhat-config-network. redhat-config-network works better with multiple network cards in the same machine, so I recommend you use it for the gateway machine.

No matter how you configure the network cards, this is how you should set them up:

The external device (usually eth0):

The internal device (usually eth1):

Any changes you make will take effect after a reboot, or (more elegantly) after a restart of the network services (for example, run "/etc/init.d/network restart" as root on Red Hat).

Configuring the Client

Figure: Red Hat netconfig

Set the network adapter of the client to the following settings:

Restart the network and you're done.

Testing the Setup

The two computers should now be connected and the hardware-level configuration complete. To test that everything is OK, try pinging the gateway from the client and vice versa.

Enter the following at the firewall machine console to test that the gateway can reach the client:

[bash]$ ping 192.168.0.2
PING 192.168.0.2 (192.168.0.2) from 192.168.0.1 : 56(84) bytes of data.
64 bytes from 192.168.0.2: icmp_seq=1 ttl=255 time=1.37 ms
64 bytes from 192.168.0.2: icmp_seq=2 ttl=255 time=0.635 ms
64 bytes from 192.168.0.2: icmp_seq=3 ttl=255 time=0.638 ms

--- 192.168.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% loss, time 2010ms
rtt min/avg/max/mdev = 0.635/0.882/1.375/0.349 ms
[bash]$

Similarly, ping 192.168.0.1 (the FW machine) from the client.

If it is not working, you know that the problem lies with the hardware configuration. Perhaps you messed up the default gateway setting, so double-check it.

At this point:

Enabling NAT in Firestarter

Figure: Configuring NAT in the wizard

Run Firestarter on the gateway/firewall machine and start up the wizard. On the third page of the wizard, the Internet Connection Sharing one, select "Enable Network Address Translation". Make sure that the internal network device was detected correctly (usually eth1) and complete the wizard.

Note that you should not give an internal network range manually just because you can. The autodetection is virtually foolproof.

Everything should now be working. The clients should now be able to reach the Internet and advanced features like port forwarding will be accessible in Firestarter.
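What the wizard sets up on the gateway, expressed as the underlying netfilter rules, as an added example that is not Firestarter's own code nor the exact rules it generates. It assumes the eth0/eth1 device names and the 192.168.0.0/24 network used on this page, and prints the commands as a dry run rather than applying them, so it can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example (not Firestarter's code): netfilter rules for sharing the
# external connection with the internal network, generated as a dry run.
# Assumptions: external device eth0, internal device eth1, internal network
# 192.168.0.0/24 with the gateway at 192.168.0.1 (as on this page).

# Print the commands for masquerading NET behind EXT. The FORWARD policy is
# DROP, so only traffic that originates on the internal side is forwarded,
# and replies are let back in only for connections conntrack already knows.
nat_rules() {
    ext="$1"; int="$2"; net="$3"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -o $ext -s $net -j MASQUERADE
iptables -A FORWARD -i $int -o $ext -s $net -j ACCEPT
iptables -A FORWARD -i $ext -o $int -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Accept only RFC 1918 ranges as the internal network: masquerading a public
# prefix would hijack real Internet addresses for the clients.
is_private_net() {
    case "$1" in
        10.*/*|192.168.*/*) return 0 ;;
        172.1[6-9].*/*|172.2[0-9].*/*|172.3[01].*/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Number of generated lines, handy for a sanity check of the dry run.
rule_count() {
    nat_rules "$@" | wc -l | tr -d ' '
}

# Usage: sh nat-dryrun.sh [EXT] [INT] [NET]   (file name is hypothetical)
main() {
    net="${3:-192.168.0.0/24}"
    if ! is_private_net "$net"; then
        echo "refusing to masquerade non-private network $net" >&2
        return 1
    fi
    nat_rules "${1:-eth0}" "${2:-eth1}" "$net"
}

main "$@"
```

Pipe the output into sh as root only after checking that the device names match the ones the wizard detected.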
