This post documents how to build a Linux gateway using Ubuntu Server 18.04. The gateway connects an internal network to an external network, performing Network Address Translation (NAT) for hosts on the internal network. It is very similar to what an ISP-supplied home router does. To achieve this, an Ubuntu Linux server is configured as a DHCP server and provides NAT using iptables.

Introduction

This tutorial was written while building a blueprint for VMware vRealize, but the instructions apply to any virtualized or physical system. The gateway connects to an external network named vlan25_Profile, which provides Internet access, and to a second network, InternalNetwork, which is isolated. host1 connects only to InternalNetwork. The vRealize blueprint for the network is displayed below.

vRealize blueprint

Configure Network Interface Cards

The server only has one primary requirement: two Network Interface Cards (NICs). Start by listing the NICs that are available on the system:

ls /sys/class/net/

If only one NIC, or none, is present, more need to be added in the hardware configuration of the virtual machine. In the case of a physical machine, one or two physical NICs are required. Another view of the network architecture is displayed below; this time, the NIC interface names have been supplied:

vRealize blueprint with network interface names

Now that we know the names of the two NICs, we can edit the networking configuration file. On a default Ubuntu 18.04 install this file is only honoured if the ifupdown package is installed, because netplan is the default network configuration tool. Open the interfaces file using vim, or another text editor of your choice (e.g., nano):

sudo vim /etc/network/interfaces

In the following instructions, the two NICs that will be configured are ens160 and ens192. The ens160 NIC is connected to the outside world and will receive an IP address configuration from an external DHCP server. The ens192 NIC is the internal interface that is connected to the same network that the internal hosts are on. Given the preceding network setup, the following configuration is specified:

auto ens160
iface ens160 inet dhcp

# Internal interface: static address and no "gateway" line. The default route
# comes from the DHCP lease on ens160; a second default route on ens192 would
# point at a host that does not exist on the internal network.
auto ens192
iface ens192 inet static
    address 192.168.100.10
    netmask 255.255.255.0

Restart networking on the system so that the new configuration is applied:

sudo systemctl restart networking

Install DHCP server

We are going to use Dynamic Host Configuration Protocol (DHCP) to supply IP addresses to any host on the internal network. Install the default package supplied by the Ubuntu repositories:

sudo apt install isc-dhcp-server

Edit the server configuration file:

sudo vim /etc/default/isc-dhcp-server

The only change required here is to put the internal (ens192) interface in the file:

INTERFACES="ens192"

Now, edit the DHCP configuration:

sudo vim /etc/dhcp/dhcpd.conf

Add the following configuration for the DHCP server:

option domain-name-servers 8.8.8.8, 8.8.4.4;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.100.255;

subnet 192.168.100.0 netmask 255.255.255.0 {
    range 192.168.100.20 192.168.100.100;
    option routers 192.168.100.10;
}

A good resource for DHCP options is the dhcp-options man page on die.net. The first line of the configuration above specifies the DNS servers that clients will use. DNS translates human-friendly domain names into the IP addresses computers use; for example, google.com corresponds to 172.217.25.142. You can specify a domain-name option as well, but this is not required. The domain-name-servers option, however, must be present and must list valid DNS server IP addresses. You can use the free Google DNS servers at 8.8.8.8 and 8.8.4.4, or any other DNS server that you wish.

The remaining options are for IP address allocation. This configuration is for the IP range 192.168.100.0/24, that is, from 192.168.100.0 to 192.168.100.254. The range option specifies the addresses offered for lease; here it is limited to 80 addresses, from 192.168.100.20 to 192.168.100.100, and can be modified to suit. Finally, the routers option specifies the address of the gateway machine, which has the static IP address 192.168.100.10. The routers option carries the gateway's address because this is the machine that forwards traffic from the internal network to external networks, and clients install it as their default route.

Save the file, then restart the service:

sudo service isc-dhcp-server restart
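Before restarting the service it is worth checking the subnet block mechanically. The POSIX shell script below is an added example, not part of the original post; it assumes the layout shown above (one subnet block with a range and a routers option) and the count it prints includes both ends of the range.

```shell
# Added example (not from the original post): sanity-check the subnet block of
# a dhcpd.conf before restarting isc-dhcp-server. Sample input is constructed.

ip2int() {
    # Dotted quad -> 32-bit integer, using POSIX shell arithmetic only.
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

range_size() {
    # Number of leasable addresses in the inclusive range LOW HIGH.
    echo $(( $(ip2int "$2") - $(ip2int "$1") + 1 ))
}

in_subnet() {
    # in_subnet ADDR NETWORK NETMASK -> true when ADDR lies in NETWORK/NETMASK.
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq $(( $(ip2int "$2") & $(ip2int "$3") )) ]
}

check_dhcpd_conf() {
    # Reads dhcpd.conf on stdin. Verifies that the lease range lies inside the
    # declared subnet and that the router address is inside the subnet but
    # outside the range (the gateway's static address must never be handed out).
    # Prints "ok N" (N = leasable addresses) or "error: ..." with status 1.
    set -- $(awk '/^ *subnet /         { net = $2; mask = $4 }
                  /^ *range /          { gsub(";", ""); lo = $2; hi = $3 }
                  /^ *option routers / { gsub(";", ""); rtr = $3 }
                  END { print net, mask, lo, hi, rtr }')
    [ $# -eq 5 ] || { echo "error: subnet, range or routers missing"; return 1; }
    net=$1 mask=$2 lo=$3 hi=$4 rtr=$5
    if ! in_subnet "$lo" "$net" "$mask" || ! in_subnet "$hi" "$net" "$mask"; then
        echo "error: range $lo-$hi is outside $net/$mask"; return 1
    fi
    in_subnet "$rtr" "$net" "$mask" || { echo "error: router $rtr is outside $net/$mask"; return 1; }
    if [ "$(ip2int "$rtr")" -ge "$(ip2int "$lo")" ] && [ "$(ip2int "$rtr")" -le "$(ip2int "$hi")" ]; then
        echo "error: router $rtr falls inside the lease range $lo-$hi"; return 1
    fi
    echo "ok $(range_size "$lo" "$hi")"
}

# Constructed sample matching the post's configuration.
SAMPLE_CONF='option domain-name-servers 8.8.8.8, 8.8.4.4;
subnet 192.168.100.0 netmask 255.255.255.0 {
    range 192.168.100.20 192.168.100.100;
    option routers 192.168.100.10;
}'

printf '%s\n' "$SAMPLE_CONF" | check_dhcpd_conf   # prints: ok 81
```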

Configure Network Address Translation

Enable IPv4 forwarding:

sudo vim /etc/sysctl.conf

Uncomment the following line:

net.ipv4.ip_forward=1

The change in /etc/sysctl.conf is applied at boot; to apply it immediately, run sudo sysctl -p. Check that forwarding is enabled using either of the following (both should report 1):

sysctl net.ipv4.ip_forward
or
cat /proc/sys/net/ipv4/ip_forward

Add a NAT forwarding rule using iptables:

sudo iptables -t nat -A POSTROUTING -o ens160 -j MASQUERADE

Save the iptables configuration:

sudo apt install iptables-persistent
sudo su
sudo iptables-save > /etc/iptables/rules.v4
exit

Ensure the rules load at boot:

vim /etc/rc.local

Add the following line:

/sbin/iptables-restore < /etc/iptables/rules.v4
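The MASQUERADE rule above only rewrites source addresses; with ip_forward enabled and the FORWARD policy at its default of ACCEPT, the gateway also forwards packets in every other direction between its interfaces. The POSIX shell script below is an added example, not part of the original post, that writes a rules.v4 file with a default-DROP FORWARD chain and audits an iptables-save dump for both properties, assuming the interface names ens160 and ens192 used in this post.

```shell
# Added example (not from the original post): emit a stateful ruleset for
# /etc/iptables/rules.v4 and audit an iptables-save dump for MASQUERADE on the
# external interface and a FORWARD chain that only passes internal->external.

gateway_rules() {
    # gateway_rules EXT_IF INT_IF -> iptables-restore format on stdout.
    ext_if=$1 int_if=$2
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $ext_if -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $int_if -o $ext_if -j ACCEPT
-A FORWARD -i $ext_if -o $int_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

audit_rules() {
    # audit_rules EXT_IF reads an iptables-save dump on stdin and prints "ok",
    # "no-masquerade" or "forward-open" (FORWARD policy is not DROP).
    dump=$(cat)
    printf '%s\n' "$dump" | grep -q -- "^-A POSTROUTING -o $1 -j MASQUERADE" \
        || { echo no-masquerade; return 1; }
    printf '%s\n' "$dump" | grep -q '^:FORWARD DROP ' \
        || { echo forward-open; return 1; }
    echo ok
}

# Constructed dump of what the post's single MASQUERADE rule leaves on a fresh
# install: NAT works, but the FORWARD policy is still ACCEPT.
POST_ONLY_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ens160 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

printf '%s\n' "$POST_ONLY_DUMP" | audit_rules ens160 || echo "add FORWARD filtering"
gateway_rules ens160 ens192 | audit_rules ens160   # prints: ok
```

The netfilter-persistent service that iptables-persistent installs restores /etc/iptables/rules.v4 at boot on its own, so the rc.local line above is only a fallback; if you keep it, /etc/rc.local must start with a #!/bin/sh line and be executable.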

Configuring Internal Hosts: Linux

With the gateway set up to provide DHCP and NAT, a Linux host on the internal network can be configured to acquire an IP address from the gateway and have all of its traffic routed through it. The only configuration required on a Linux client is to edit the network configuration file and set the client's NIC to DHCP.

List the NICs that are available on the system:

ls /sys/class/net/

Open the network interfaces file:

vim /etc/network/interfaces

In the following instructions, the NIC on the Linux client is named ens160. Configure the NIC to receive an IP address from the gateway:

auto ens160
iface ens160 inet dhcp

Restart the networking service so that the new configuration is applied:

sudo systemctl restart networking

Configuring Internal Hosts: Windows

A full tutorial on configuring DHCP on Windows is beyond the scope of this post. Instead, I recommend checking out the excellent tutorial provided by Microsoft that covers how to configure a NIC for DHCP in Windows 10, 8.1, and 7. Once configured, open a Command Prompt and use the following command to check that the configuration is working:

ipconfig

Check Network Connectivity

The overall network configuration is complete, and hosts should be able to get IP addresses from the gateway's DHCP server. The gateway will forward any traffic from the hosts to the outside world (the Internet), and the hosts have DNS servers configured. A summary of the IP addresses for each machine and NIC is displayed in the figure below:

vRealize blueprint with network configuration

You can check the DHCP leases on the gateway machine using the following command:

cat /var/lib/dhcp/dhcpd.leases
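dhcpd.leases is an append-only log, so an address can appear several times and only the last record for it counts. The following POSIX shell function is an added example, not part of the original post; it reduces a constructed leases file to the leases that are currently active, with the MAC address and hostname that hold each one.

```shell
# Added example (not from the original post): list the active leases in a
# dhcpd.leases file. The sample file below is constructed.

list_active_leases() {
    # Reads dhcpd.leases on stdin; prints "IP MAC HOSTNAME" per active lease.
    # A later record for the same address supersedes an earlier one.
    awk '
        /^lease /              { ip = $2; mac = "-"; host = "-"; state = "" }
        /^  hardware ethernet/ { mac = $3; sub(";", "", mac) }
        /^  client-hostname/   { host = $2; gsub(/[";]/, "", host) }
        /^  binding state/     { state = $3; sub(";", "", state) }
        /^}/ { if (state == "active") active[ip] = mac " " host; else delete active[ip] }
        END { for (ip in active) print ip, active[ip] }' | sort
}

# Constructed sample: .20 is active, .21 was leased and then released.
SAMPLE_LEASES='lease 192.168.100.20 {
  starts 3 2019/05/01 10:00:00;
  ends 3 2019/05/01 22:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:50:56:aa:bb:cc;
  client-hostname "host1";
}
lease 192.168.100.21 {
  starts 3 2019/05/01 11:00:00;
  ends 3 2019/05/01 23:00:00;
  binding state active;
  hardware ethernet 00:50:56:dd:ee:ff;
}
lease 192.168.100.21 {
  starts 3 2019/05/01 11:30:00;
  ends 3 2019/05/01 11:30:00;
  binding state free;
  hardware ethernet 00:50:56:dd:ee:ff;
}'

printf '%s\n' "$SAMPLE_LEASES" | list_active_leases   # prints: 192.168.100.20 00:50:56:aa:bb:cc host1
```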

From host1, or any other host on the internal network, check connectivity by first pinging the DHCP-allocated address:

ping 192.168.100.20

Then ping the IP address of the gateway internal-facing interface:

ping 192.168.100.10

Finally, ping any Internet DNS name:

ping google.com

If all these tests pass, the configuration was successful!