Using a Linux Box to share Internet Access

So recently I had to set up my Linux server to be able to dial up to the internet and act as an internet sharing box for the other PCs on the network. This is how I did it.

This guide is written for Ubuntu, but most things will work on other flavors.

All the commands herein require root access (I believe); you can either add sudo before them, log in as root, or use sudo su to get a root shell.

IP Forwarding Using IPTables

The first thing to do is enable IP forwarding in the sysctl config, so the setting survives a reboot:

/etc/sysctl.conf:
net.ipv4.ip_forward = 1

Then enable it in the running kernel (otherwise a reboot is needed before the sysctl change takes effect):

echo 1 > /proc/sys/net/ipv4/ip_forward

To see the current state of IP forwarding (1 = on, 0 = off) you can use:

cat /proc/sys/net/ipv4/ip_forward

Now we need to set up the forwarding rules. The first rule masquerades (NATs) the forwarded traffic behind the address of the internet interface:

iptables -A POSTROUTING -t nat -o ppp0 -j MASQUERADE
(where ppp0 is your internet connection)

Next we need to accept data from the intranet that is going to be forwarded:

iptables -A FORWARD -t filter -i eth0 -j ACCEPT
(where eth0 is your local network)

The last rule needed blocks all packets from the internet that do not belong to a connection established from the intranet.
Note that ESTABLISHED and RELATED match packets belonging to (or related to) a connection the kernel is already tracking, which in this setup means one initiated from the intranet or from the box itself, so we drop everything else (namely INVALID, NEW and UNTRACKED).

iptables -A INPUT -t filter -i ppp0 -m state --state INVALID,NEW,UNTRACKED -j DROP
(where ppp0 is your internet connection)

If you want to open some ports on the internet side, for example for an SSH server, you can use the following.
Here we use -I to insert the rule at the top of the chain (above the previous one), so it accepts the connection before the rule above drops it; iptables evaluates the rules in order and the first match wins.

iptables -I INPUT -t filter -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
(change 22 to the port you need)

Now that iptables is set up, we need to save the configuration:

iptables-save > /etc/iptables.up.rules
(the location of this file depends on your flavor of Linux)

Note that saving the rules does not reload them at boot by itself: the saved file has to be fed to iptables-restore from a startup script or network hook, otherwise the box comes up without these rules after a reboot.
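The whole iptables procedure above, as one added example script (not from the original post): it generates the ruleset as a list of iptables commands so it can be reviewed before being applied, enables forwarding with sysctl (which avoids the classic mistake of "sudo echo 1 > /proc/...", where the redirect still runs as the unprivileged user), and saves the result for iptables-restore. The interface names ppp0/eth0 and the port list are assumptions. It goes one step beyond the post by adding an ESTABLISHED,RELATED rule for the return path on the FORWARD chain, which the post's rules do not need only because the default FORWARD policy is ACCEPT.

```shell
#!/bin/sh
# Added example, not from the original post. Builds and (optionally) applies
# the NAT / forwarding ruleset described above. Interfaces are assumptions.

WAN=${WAN:-ppp0}   # internet side (assumed: a PPP dial-up link)
LAN=${LAN:-eth0}   # intranet side (assumed)

# Print the iptables commands for a WAN interface, a LAN interface and a list
# of TCP ports that should stay reachable from the internet.
nat_rules() {
    wan=$1; lan=$2; shift 2
    # Masquerade everything leaving on the internet interface
    echo "iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE"
    # Forward traffic arriving from the intranet
    echo "iptables -t filter -A FORWARD -i $lan -j ACCEPT"
    # Return path for forwarded connections; only matters once the FORWARD
    # policy is DROP (the post relies on the default ACCEPT policy)
    echo "iptables -t filter -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Drop anything from the internet that is not part of a tracked connection
    echo "iptables -t filter -A INPUT -i $wan -m state --state INVALID,NEW,UNTRACKED -j DROP"
    # Opened ports are inserted (-I) at the top so they match before the DROP
    for port in "$@"; do
        echo "iptables -t filter -I INPUT -i $wan -p tcp -m tcp --dport $port -j ACCEPT"
    done
}

# Enable forwarding in the running kernel and persist it in sysctl.conf.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
    grep -q '^net.ipv4.ip_forward *= *1' /etc/sysctl.conf || \
        echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
}

# Apply the generated rules (needs root), then save them so a boot script can
# feed the file to iptables-restore.
apply_rules() {
    nat_rules "$WAN" "$LAN" "$@" | sh -e
    iptables-save > /etc/iptables.up.rules
}

# Number of rules nat_rules emits for a port list (sanity check for review).
rule_count() { nat_rules "$WAN" "$LAN" "$@" | wc -l | tr -d ' '; }

# Usage: ./share.sh apply 22   (apply with SSH opened)
#        ./share.sh print 22   (only print the commands; the default)
main() {
    cmd=${1:-print}
    [ $# -gt 0 ] && shift
    case "$cmd" in
        apply) enable_forwarding; apply_rules "$@" ;;
        *)     nat_rules "$WAN" "$LAN" "$@" ;;
    esac
}
main "$@"
```

Run it without arguments first and read the printed commands; only the apply mode touches the kernel, and it needs a root shell as the post says.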

DNS method 1: Bind Forwarding Server

If you haven't installed BIND yet, you can install it under Ubuntu/Debian with:

apt-get install bind9

To set up DNS forwarding, simply add this inside the options { } block of the BIND config:

/etc/bind/named.conf.options:
forward first;
forwarders {
    1.2.3.4;
};
(change 1.2.3.4 to your ISP's DNS server)

You can also use OpenDNS's servers as forwarders; these can really speed up DNS requests (leading to faster browsing).

Now restart BIND to reload the configuration and it should be working:

/etc/init.d/bind9 restart
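For reference, here is a complete options block for /etc/bind/named.conf.options that places the forwarding snippet above in context. This is an added example, not the post's own config: the LAN address 192.168.1.1 and network 192.168.1.0/24 are assumptions, and 1.2.3.4 is the post's placeholder for the ISP's resolver. The listen-on and allow-recursion lines keep the server from acting as an open recursive resolver on the internet side, even if the INPUT rules above are ever loosened.

```conf
options {
    directory "/var/cache/bind";

    // Send queries to the ISP's resolver first and fall back to full
    // recursion if the forwarders do not answer ("forward only" never falls back).
    forward first;
    forwarders {
        1.2.3.4;    // placeholder from the post: replace with your ISP's DNS server
    };

    // Only this box and the intranet may use the server for recursion.
    // 192.168.1.1 / 192.168.1.0/24 are assumed LAN values; adjust to yours.
    listen-on { 127.0.0.1; 192.168.1.1; };
    allow-recursion { 127.0.0.1; 192.168.1.0/24; };
};
```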

DNS Method 2: DNSMasq

Dnsmasq (short for DNS masquerade) is a combined DNS forwarder and DHCP server, and consumes far less memory than BIND. It is found on many Linux-based modem/routers (e.g. the Linksys WRT54GL).

Installation is similar to BIND:

apt-get install dnsmasq

Unlike BIND, you don't need to set up upstream DNS servers: it will use the ones defined in /etc/resolv.conf (useful if you're using a direct internet connection).

If you have BIND running you will have to stop it first, since both want to listen on port 53:

/etc/init.d/bind9 stop

and optionally disable BIND from starting at boot:

update-rc.d -f bind9 remove

Dnsmasq can then be started with:

/etc/init.d/dnsmasq start

Client Configuration

You will need to configure the clients to use your new router: point their DNS server and default gateway at the IP address of the router's intranet interface (eth0 in the examples above).
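Since dnsmasq is also a DHCP server, it can do the client configuration just described automatically: by default it hands out its own address as both gateway and DNS server to every DHCP client. The following /etc/dnsmasq.conf is an added example (not the post's own config, and the 192.168.1.x addresses are assumptions) that serves only the intranet interface, so nothing is offered on the ppp0 side.

```conf
# /etc/dnsmasq.conf (added example; addresses are assumed)

# Serve DNS and DHCP on the intranet interface only, never on ppp0
interface=eth0
bind-interfaces

# Do not forward plain hostnames or private reverse lookups to the ISP
domain-needed
bogus-priv

# Lease addresses on the LAN; clients receive this box as gateway and DNS
# by default, which is exactly the client configuration described above
dhcp-range=192.168.1.100,192.168.1.200,12h
```

Restart dnsmasq after editing the file, and make sure no other DHCP server (for example on the modem) is answering on the same network.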

Thats all folks

Thanks for reading, hope you found this useful!
