NAT (Network Address Translation) is what allows several computers to share a single internet connection across a network. Each computer requires its own IP address, but you only have one IP address which is valid on the Internet: the one assigned to you by your ISP. All your other machines' IP addresses are not valid for use on the Internet because they are within one of the three private ranges of IP addresses reserved for use on a local area network.
NAT runs on your gateway (the system connected to both networks) and works around the lack of unique IP addresses by rewriting the destination IP addresses of packets intended for machines on your local area network as they cross the gateway. We use the IPTables firewall that is built into the Linux 2.4 kernel to do this.
IP Masquerading
On Debian we can get NAT up and running quickly and easily using the ipmasq package, which sets everything up for us:
apt-get install ipmasq
You can configure ipmasq at /etc/ipmasq/modules. Uncommenting the lines as shown below enables all modules:
##
# Sample to load all the ip_masq_ modules
all
You can then go ahead and configure each of your clients to use your Debian server as their default gateway. On Debian Linux machines this setting is found at /etc/network/interfaces. On Windows systems, you can set this within the properties of the TCP/IP protocol for your local area network adapter.
At this point your clients should have a connection, allowing them for instance to ping an IP address, but they will probably be unable to resolve any hostnames to IP addresses. To provide this service you require a DNS server of one sort or another. For now I suggest you install dnsmasq to set up a simple caching DNS forwarder on your system. This will simply forward any queries your clients make to the DNS servers your local system is configured to use:
apt-get install dnsmasq
You can then go ahead and configure your clients to use your Debian gateway as their DNS server. On Windows machines you can do this within the properties of the TCP/IP protocol for your local area network adapter. For Debian Linux machines, you should adjust /etc/resolv.conf.
Port forwarding can be set up using the iptables command as shown below:
iptables -t nat -I PREROUTING -p tcp -d your.ip.address.here --dport 113 -j DNAT --to 192.168.0.2:113
iptables -I FORWARD -p tcp -d 192.168.0.2 --dport 113 -j ACCEPT
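As an added example (not part of the original howto), the script below builds the same rule pair for any port, first checking that the target is a valid address in one of the private ranges and that the ports are in range. It only prints the commands; the function names and the 203.0.113.10 public address are made up for illustration.

```shell
#!/bin/sh
# Added example: prints (does not run) the DNAT + FORWARD rule pair.

# Succeeds if $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    (   # subshell keeps the IFS change and positional parameters local
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for octet in "$@"; do
            [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || exit 1
        done
    )
}

# Succeeds if $1 (already validated) is in one of the three private ranges:
# 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16.
is_private() {
    case $1 in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Succeeds if $1 is a TCP port number in 1-65535.
is_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ ${#1} -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Usage: port_forward_rules PUBLIC_IP PORT LAN_IP [LAN_PORT]
port_forward_rules() {
    pub=$1; port=$2; lan=$3; lport=${4:-$2}
    is_ipv4 "$pub" || { echo "bad public address: $pub" >&2; return 1; }
    { is_ipv4 "$lan" && is_private "$lan"; } ||
        { echo "not a private LAN address: $lan" >&2; return 1; }
    { is_port "$port" && is_port "$lport"; } ||
        { echo "bad port: $port/$lport" >&2; return 1; }
    echo "iptables -t nat -I PREROUTING -p tcp -d $pub --dport $port -j DNAT --to $lan:$lport"
    # FORWARD sees the packet after DNAT, so it matches the LAN address and port.
    echo "iptables -I FORWARD -p tcp -d $lan --dport $lport -j ACCEPT"
}

port_forward_rules 203.0.113.10 113 192.168.0.2   # constructed sample input
```

Review the printed commands, then run them as root on the gateway.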
I use the no-ip dynamic DNS service so I can connect to my system using a non-changing hostname, even though my IP address changes every once in a while.
There's a client in the testing distribution, which I install as follows, having set up apt-pinning:
apt-get install no-ip -t testing
You might also be interested in my Debian Peer Guardian for IPTables howto, which is on the way but not ready quite yet. Check back soon! Also see my Shorewall firewall HOWTO.
Article from Andy's Debian HOWTOs (http://www.besy.co.uk/debian/debian)