Setting up an Internet gateway using Ubuntu is pretty straightforward. In order to do so, you will need:

  1. A computer with two network interfaces. One hooked to your WAN connection, the other one to your LAN.
  2. Ubuntu installed on that computer, with a minimum of other software.
  3. Copy the script below to your gateway machine in /etc/network/if-up.d/00-my-gateway. Make sure that the script has the execute permission.
  4. Update the LAN and WAN variables in the script. For example, if eth0 is your WAN interface and eth1 is your LAN interface, then set WAN=eth0 and LAN=eth1.
  5. Reboot.

This script configures the Ubuntu firewall (iptables) to forward LAN traffic to the Internet and to drop all unsolicited incoming traffic from the Internet. Because that traffic is dropped silently rather than rejected, your network will be in stealth mode. You can use the online tool ShieldsUP! at https://www.grc.com to test it.


```bash
#!/bin/bash

PATH=/usr/sbin:/sbin:/bin:/usr/bin

# Interfaces
LAN=lan
WAN=wan

#
# Delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Loopback traffic.
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and new connections from the LAN
# to the gateway itself.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i "$LAN" -j ACCEPT
iptables -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow connections from the $LAN to the $WAN.
iptables -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT

# Enable masquerading.
iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

# No forwarding from the $WAN to the $LAN. Replies to LAN-initiated
# connections were already accepted by the ESTABLISHED,RELATED rule above.
iptables -A FORWARD -i "$WAN" -o "$LAN" -j DROP

# Drop everything else from the WAN ... Stealth mode.
iptables -A INPUT -i "$WAN" -j DROP
```
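
To confirm that the rules actually loaded match what the script is meant to enforce, the following added example (not part of the original page) audits a rule listing in the format printed by `iptables -S` and `iptables -t nat -S`. The function names `audit_gateway` and `sample_listing` and the eth0/eth1 listing are constructed for illustration.

```shell
#!/bin/bash
# Added example: audit `iptables -S` / `iptables -t nat -S` output against the
# policy the gateway script is meant to enforce. Presence only, not rule order.

# audit_gateway WAN LAN < listing
# Prints one line per check; exit status is 0 only if every check passes.
audit_gateway() (
    wan=$1 lan=$2 rc=0
    rules=$(cat)
    est='(RELATED,ESTABLISHED|ESTABLISHED,RELATED)'
    check() {   # check DESCRIPTION REGEX
        if printf '%s\n' "$rules" | grep -Eq -- "$2"; then
            echo "ok    $1"
        else
            echo "FAIL  $1"; rc=1
        fi
    }
    check "unsolicited WAN input dropped" "^-A INPUT -i $wan -j DROP\$"
    check "LAN to WAN forwarding allowed" "^-A FORWARD -i $lan -o $wan -j ACCEPT\$"
    check "replies WAN to LAN allowed" "^-A FORWARD -i $wan -o $lan .*$est -j ACCEPT\$"
    check "masquerading on WAN" "^-A POSTROUTING -o $wan -j MASQUERADE\$"
    # New WAN-to-LAN connections must be dropped by a rule or by chain policy.
    check "new WAN to LAN dropped" \
          "^(-P FORWARD DROP|-A FORWARD -i $wan -o $lan -j DROP)\$"
    exit "$rc"
)

# Constructed sample (not captured from a real host): listing for WAN=eth0,
# LAN=eth1, where $1 is the output interface named in the FORWARD drop rule.
sample_listing() {
    cat <<EOF
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -j DROP
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o $1 -j DROP
-A POSTROUTING -o eth0 -j MASQUERADE
EOF
}

# A drop rule that names eth0 on both sides fails the last check.
sample_listing eth0 | audit_gateway eth0 eth1 || echo "ruleset needs attention"
```

On the gateway itself, run it as root against the live tables with `{ iptables -S; iptables -t nat -S; } | audit_gateway "$WAN" "$LAN"`.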