Saturday, July 14, 2012

The Best Ubuntu NAT Tutorial

It is my goal here to wade through all the BS and get straight to things that work. I looked at numerous tutorials and spent a few hours on this, but I can confidently say I know the right method to get simple NAT working with Ubuntu Server.

Assuming both the NAT router and the Ubuntu host have been installed and updated, the first step is the network configuration on the NAT router. Edit /etc/network/interfaces to match the stanzas below.

(eth0 is your WAN connection to the ISP; eth1 is your LAN connection to your hosts)


auto eth0
iface eth0 inet dhcp
    pre-up iptables-restore < /etc/iptables.rules

auto eth1
iface eth1 inet static
    address 192.168.10.1
    netmask 255.255.255.0
    network 192.168.10.0
    broadcast 192.168.10.255

iptables rules live only in kernel memory, so the pre-up line reloads the rules saved in /etc/iptables.rules every time eth0 is brought up, including at boot. Without it you lose the rules on reboot and NAT stops working.

Edit /etc/sysctl.conf and uncomment the following line (it is read at boot; sysctl -p applies it immediately):
 
net.ipv4.ip_forward=1
 
Now: 

sudo iptables -A FORWARD -i eth1 -o eth0 -s 192.168.10.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 
The first rule lets new connections from LAN hosts be forwarded out to the WAN; the source subnet has to be the LAN's (192.168.10.0/24, matching the eth1 address above), not 192.168.0.0/24. The second rule lets packets belonging to established connections, and those related to them (FTP data channels, ICMP errors), be forwarded in either direction. The third rule does the NAT: it rewrites the source address of everything leaving eth0 to the router's WAN address, and restricting it to -o eth0 keeps the router from masquerading traffic it sends out over the LAN. One caveat: Ubuntu's default policy for the FORWARD chain is ACCEPT, so on their own the first two rules only document intent and everything else is forwarded too. Set the FORWARD chain's default policy to DROP before saving and the two rules become the allow-list they look like.
 
Next we save the working rule set to the file that the pre-up line restores whenever eth0 comes up. The redirect has to run as root, which is why the command is wrapped in sh -c:
 
sudo sh -c "iptables-save > /etc/iptables.rules"

Reboot.
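The whole procedure in one place, as an added example that is not from the original post: instead of typing rules interactively and then saving them, build /etc/iptables.rules directly in iptables-restore format, with the FORWARD and INPUT chains defaulting to DROP so the allow rules mean something. The interface names and the 192.168.10.0/24 subnet are the post's; the INPUT rules (SSH, ping and DHCP from the LAN, the WAN DHCP lease) are my assumptions about what a router like this needs and should be adjusted.

```shell
#!/bin/sh
# Added example: generate and load an iptables-restore rule set for a
# two-interface NAT router with default-deny INPUT and FORWARD chains.
# Interface names and LAN subnet follow the post; everything else is an
# assumption to adapt. Run as: sudo sh nat-rules.sh apply
WAN=eth0
LAN=eth1
LAN_NET=192.168.10.0/24

# nat_ruleset WAN LAN SUBNET -> prints the contents of /etc/iptables.rules
nat_ruleset() {
    wan=$1; lan=$2; net=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# traffic to the router itself: loopback, replies to its own connections,
# SSH/ping/DHCP requests from the LAN, and the WAN DHCP lease from the ISP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -s $net -p tcp --dport 22 -j ACCEPT
-A INPUT -i $lan -p icmp -j ACCEPT
-A INPUT -i $lan -p udp --dport 67 -j ACCEPT
-A INPUT -i $wan -p udp --sport 67 --dport 68 -j ACCEPT
# forwarded traffic: only LAN-originated connections go out; replies come back.
# Anything else (WAN-originated, spoofed sources) hits the DROP policy.
-A FORWARD -i $lan -o $wan -s $net -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# masquerade only what leaves on the WAN side and came from the LAN subnet
-A POSTROUTING -o $wan -s $net -j MASQUERADE
COMMIT
EOF
}

# apply_ruleset: write the file the pre-up line restores, load it now,
# and turn on forwarding without waiting for a reboot (needs root)
apply_ruleset() {
    nat_ruleset "$WAN" "$LAN" "$LAN_NET" > /etc/iptables.rules
    iptables-restore < /etc/iptables.rules
    sysctl -w net.ipv4.ip_forward=1
}

if [ "${1:-}" = apply ]; then
    apply_ruleset
fi
```

Run it without the apply argument (or call nat_ruleset by hand) to inspect the rule set before loading it; iptables-restore replaces every table atomically, so a typo in the file cannot leave you with half a firewall the way a series of interactive -A commands can.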

On the client side I just edited /etc/network/interfaces and gave eth0 a static IP address on the same subnet as eth1 on the NAT router, with 192.168.10.1 as its gateway. You can use DHCP if you like. This was a test; I did it in VMware Workstation for now, and I will be posting my entire configuration once I have this working as my main router.

 
 

Thursday, July 12, 2012

Quick Update

OK, so I am working towards Hurricane Electric's IPv6 certification. It is a long road, but I hope to master a variety of technologies along the way. Starting out, I was to work with a web server, but I found that I lacked one of the fundamental underlays of web pages and the way they work, that being DNS. DNS is already an important part of the certification, and moving on to IPv6 and DNS should be an exciting adventure, since DNS is such a critical element of IPv6; it will also help me master BIND9.

To do this I will be testing a potential decommission of pfsense, with Ubuntu acting as my primary NAT, packet filter and edge router, as well as the endpoint for the HE.net tunnel providing IPv6. Many opportunities are available on this path, things like finally learning iptables syntax since I will not be relying on GUI firewall rules. Testing this involves virtual networking in VMware Workstation: a primary NAT router on Ubuntu 64-bit, plus "host only" networking to provide another "host" Ubuntu Server machine to test IPv6 connectivity, router advertisements (perhaps using Quagga), DNS connectivity and results, and many other things down the line. More details are to come, hopefully running through all the progress of turning the machine into a NAT router and getting BIND9 working.

Sunday, July 1, 2012

Getting Ubuntu Server going with IPv6

I set up an Ubuntu Server in VMware Workstation to test things like Quagga, Apache and BIND9. Setting it up in and of itself took a little doing. First, a shot of my virtual networking, since for some reason I could not get the typical "Bridged Networking" configuration to work.


So VMnet2 is just bridged to a different adapter than the one supplying my physical machine TCP/IP access. That seemed to solve all the problems I ran into, primarily ubuntu not being able to ping the default gateway.

Then add this below your existing IPv4 configuration in /etc/network/interfaces (the address, prefix length and gateway are the ones from my test network; use your own):
iface eth1 inet6 static
    pre-up modprobe ipv6
    address 2607:f0d0:2001::10
    netmask 64
    gateway 2607:f0d0:2001::1


Traditionally we put our DNS entries in /etc/resolv.conf, but on current Ubuntu that file is generated by resolvconf and anything you type into it gets overwritten.

Add your DNS entries to /etc/resolvconf/resolv.conf.d/base instead; resolvconf includes that file every time it regenerates /etc/resolv.conf.

I use OpenDNS IPv4 & IPv6 Servers:

nameserver 208.67.222.222
nameserver 208.67.220.220
nameserver 2620:0:ccc::2
nameserver 2620:0:ccd::2

Then you can run: sudo /etc/init.d/resolvconf restart
 

 

pfsense with Hurricane Electric IPv6 Tunnel

Most of the guides that I followed to set up pfsense with a tunnelbroker left me feeling a little confused so I am going to attempt to write a comprehensive guide here that avoids confusion.
First off, I am assuming you have all of the initial configuration done: pfsense is installed, you have changed to HTTPS, changed your password, you have WAN connectivity, etc. You have to get the right version of pfsense, which is actually a beta, since revamping pfsense for IPv6 apparently turned out to be more of a task than the team anticipated. Change these settings, then go back to the "Manual Update" tab, enable it and begin the update. The firewall will reboot.
The following version worked for me. Note that it says that there is an update available, but when I updated it further it broke everything. I didn't even have normal IPv4 connectivity to my ISP anymore.
Now let us go ahead and make sure Hurricane Electric can ping us. If they can't the tunnel will not work:


66.220.2.74 is the address you need to create a WAN rule for, allowing ICMP echo requests from it to the WAN address. If you do nslookup or dig you will see it resolves to arc.he.net. Moving on, let us create a GIF interface for our tunnel between pfsense and the tunnelbroker. We do this just like we are adding any other physical, GRE or VLAN interface to pfsense:
At this point you might want to bring up your HE.net Tunnel Details and go from there:


Please note: If you lose power, unplug your modem, or change your public IPv4 address, you WILL have to go into the HE.net page shown above and change the "Client IPv4" address to reflect your new public IPv4 address.
Now we can go ahead and add the newly created GIF interface so pfsense can use it. I already have mine added, but I am showing it being added here:

Next go under "System" and "Routing" to configure our Tunnel as a Gateway for IP traffic to use.
My gateway is already there but I will show how I set it up.







Now we can go to our interface list, and enable the GIF interface we created before (I named mine HETUNNEL) and tell it to use the gateway we just created. If you are doing this in order just choose the gateway you just created. It isn't in the screenshot below, but it should be in a drop-down box. Mine would be HEipv6GW as that is what I named it above.





Now we should have a working tunnel. You can check under Status > Gateways; it should say online. If it does not, the usual causes are: you input the wrong IPv6 addresses when setting things up, you forgot the firewall rule allowing the tunnelbroker to ping pfsense on the WAN side, or you forgot to put your public IPv4 address into the tunnel details on the HE.net site. Now all we have to do is set things up on the LAN side.

Don't forget a default IPv6 firewall rule on the LAN interface; without a pass rule, LAN hosts' IPv6 traffic is blocked even though the tunnel is up.

Should be good to go then. I do not use DHCPv6 since I have maybe 3 hosts that need to use IPv6 for testing BIND and APACHE with IPv6 so I am not going to write about that here. 

If you have a dynamic IP on the WAN connecting the tunnel, you can use the "HE.net Tunnelbroker" DynDNS type to update it when your IP changes.
To set that up:
  • Go to Services > DynDNS
  • Click +
  • Set the type to "HE.net Tunnelbroker"
  • Select the proper interface
  • For "hostname" enter your numeric Tunnel ID from he.net
  • Enter your username and password
  • Enter a description if you want one
  • Save
Enjoy browsing and testing with IPv6!
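The same tunnel on an Ubuntu box, as an added example that is not part of the original post: the GIF interface, the gateway and the firewall rule from the pfsense steps above map onto a sit (6in4) tunnel, a default IPv6 route and an iptables rule, which is what the earlier "Quick Update" post plans to do. All addresses here are placeholders shaped like the fields on the HE.net Tunnel Details page (the HE server IPv4 is one of HE's tunnel servers but may not be yours, the IPv6 prefixes are from the 2001:db8::/32 documentation range, and the LAN interface name is assumed); 66.220.2.74 is the address the post names. The update URL is the form HE documents for the "HE.net Tunnelbroker" DynDNS type; treat it as an assumption and check it against your tunnel's page.

```shell
#!/bin/sh
# Added example: an HE.net 6in4 tunnel with iproute2, the Linux equivalent of
# the pfsense GIF interface + gateway + firewall rule above. Placeholders:
HE_SERVER_V4=216.66.22.2        # "Server IPv4 Address" (an HE server; use yours)
MY_PUBLIC_V4=203.0.113.10       # "Client IPv4 Address" (TEST-NET-3 placeholder)
HE_SERVER_V6=2001:db8:1f00::1   # "Server IPv6 Address" (documentation prefix)
MY_TUNNEL_V6=2001:db8:1f00::2   # "Client IPv6 Address" (documentation prefix)
ROUTED_64=2001:db8:1f01::/64    # "Routed /64" handed out to the LAN (placeholder)
LAN=eth1                        # LAN interface name (assumption)
HE_PING_SRC=66.220.2.74         # address the post says HE pings the WAN from

# run CMD...: print the command instead of executing it when DRY_RUN=1,
# so the sequence can be reviewed (and tested) without root or a tunnel.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# lan_router_addr PREFIX/64 -> PREFIX::1/64, the router's address on the LAN
lan_router_addr() { printf '%s\n' "$1" | sed 's|::/64$|::1/64|'; }

setup_tunnel() {
    # the GIF interface: our public IPv4 <-> HE's tunnel server
    run ip tunnel add he-ipv6 mode sit remote "$HE_SERVER_V4" local "$MY_PUBLIC_V4" ttl 255
    run ip link set he-ipv6 up
    run ip addr add "$MY_TUNNEL_V6/64" dev he-ipv6
    # the gateway: all IPv6 goes through the tunnel (HE's end is $HE_SERVER_V6)
    run ip -6 route add ::/0 dev he-ipv6
    # first address of the routed /64 on the LAN side, for the hosts behind us
    run ip addr add "$(lan_router_addr "$ROUTED_64")" dev "$LAN"
    # the WAN rule: let HE's reachability ping in even if INPUT defaults to DROP
    run iptables -I INPUT -p icmp --icmp-type echo-request -s "$HE_PING_SRC" -j ACCEPT
}

# he_update_url TUNNEL_ID [IPV4] -> the tunnelbroker update URL (assumed form;
# without myip= HE uses the address the request comes from)
he_update_url() {
    url="https://ipv4.tunnelbroker.net/nic/update?hostname=$1"
    [ -n "${2:-}" ] && url="$url&myip=$2"
    printf '%s\n' "$url"
}

# update_client_ip USERNAME UPDATE_KEY TUNNEL_ID [IPV4]: what the pfsense
# "HE.net Tunnelbroker" DynDNS entry does when the WAN address changes
update_client_ip() {
    run curl -sS -u "$1:$2" "$(he_update_url "$3" "${4:-}")"
}

if [ "${1:-}" = up ]; then
    setup_tunnel
fi
```

Run it as "DRY_RUN=1 sh he-tunnel.sh up" to see the commands, then as root without DRY_RUN to bring the tunnel up; the same checks as on pfsense apply afterwards (ping6 the server end of the tunnel, and if it fails, re-check the IPv6 addresses, the ICMP rule and the client IPv4 on the HE page).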