How to forward traffic using iptables rules?
Emily Wong
I am new to iptables and I have been doing Google searches for a few days now without finding a good solution to this problem.
I have computer A with a public IP address (say 192.0.2.1) that can access the Internet unrestricted. I have another computer B with a private IP address (192.168.1.1) that can only access computer A. How do I use iptables to forward network traffic from B through A to the Internet? I need to use HTTP, FTP, and HTTPS in order to use apt-get with sudo.
Both computers run Ubuntu Linux. I have tried using Squid, but I think it is far too complicated for what I need to do.
65 Answers
I think this will do what you want, assuming that the network is like this:
Internet <----> Computer A <----> Computer B
Notes: <external interface> is the interface (like eth0, p1p1, etc.) that is connected to the Internet on Computer A. <internal interface> is the interface on Computer A that is connected to Computer B.
These commands need to be run as root (in su -) on Computer A (the one with Internet access):
    EXT=<external interface>
    INT=<internal interface>
    echo 1 > /proc/sys/net/ipv4/ip_forward  # Tell the system it is OK to forward IP packets
    iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE
    iptables -A FORWARD -i $EXT -o $INT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -i $INT -o $EXT -j ACCEPT
    ip addr show $INT
In the output of the ip addr command, find the line that starts with inet (or inet6 if you are using IPv6). Use the IP address on that line in the following command, as root, on Computer B:
    ip route add default via <put ComputerA's internal IP address here>
Now, see if it works by running ping google.com on Computer B, or simply by attempting to load a web page in the browser.
If you want to save the changes on Computer A, run these commands as root:
    apt-get install iptables-persistent
    /etc/init.d/iptables-persistent save
Now I don't know exactly how to restore the saved rules on boot; can anybody else suggest something? It should work to do /etc/init.d/iptables-persistent reload (as root) every time after you boot, but that would be a pain.
To make Computer B always use Computer A as the default gateway would require installing DHCP on Computer A, which I don't want to go into in this answer.
Now I don't know exactly how to restore the saved rules on boot, can anybody else suggest something? It should work to do /etc/init.d/iptables-persistent reload (as root) every time after you boot, but that would be a pain.
just add the changes in /etc/rc.local or similar
To make Computer B always use Computer A as the default gateway would require installing DHCP on Computer A, which I don't want to go into in this answer.
Set addresses up statically
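As an added example, not code from the answer or its comments: the same gateway setup as a small script for Computer A that also covers the "restore on boot" question raised above, by enabling forwarding in sysctl.conf and dumping the rules to the file iptables-persistent reloads. It tightens the answer's rules so that only packets really coming from B's subnet are forwarded or masqueraded. The interface names, the 192.168.1.0/24 subnet and the /etc/iptables/rules.v4 path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the answer: a small gateway script for
# Computer A. Interface names and the LAN subnet are passed in as
# placeholders ($1 $2 $3); nothing here is specific to a real host.

# Print the rule set for a gateway with Internet-facing interface $1,
# LAN-facing interface $2 and LAN subnet $3. Compared with the answer's
# rules this (a) sets the FORWARD policy to DROP, so only traffic matched
# below is relayed, and (b) restricts both NAT and forwarding to packets
# whose source really is the LAN subnet, so A does not relay or
# masquerade spoofed or stray traffic. -m conntrack is the current
# equivalent of the answer's -m state.
nat_rules() {
    ext=$1; int=$2; lan=$3
    cat <<EOF
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -s $lan -o $ext -j MASQUERADE
iptables -A FORWARD -i $ext -o $int -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $int -o $ext -s $lan -j ACCEPT
EOF
}

# Number of rules nat_rules emits (a quick self-check before applying).
rule_count() { nat_rules "$@" | wc -l | tr -d ' '; }

# Apply the rules as root and make them survive a reboot: enable IP
# forwarding in sysctl.conf instead of only in /proc, and dump the live
# rule set to the file iptables-persistent restores at boot (assumed to be
# /etc/iptables/rules.v4, the path used by current Ubuntu releases).
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    nat_rules "$@" | sh -e || return 1
    sysctl -w net.ipv4.ip_forward=1
    grep -q '^net.ipv4.ip_forward=1' /etc/sysctl.conf ||
        echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
    mkdir -p /etc/iptables
    iptables-save > /etc/iptables/rules.v4
}

# Usage on Computer A:
#   sh gateway.sh <external interface> <internal interface> 192.168.1.0/24
if [ "$#" -eq 3 ]; then
    apply_rules "$@"
fi
```

Run `nat_rules eth0 eth1 192.168.1.0/24` first to review the exact commands before applying them on a live gateway.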
I used Squid to do this; it's a powerful, complicated beast, but Squid is really for caching. Then you'd be using host1 as a caching proxy host, and although you could use that, it's missing the point. I have done what you're trying to do before with IPTABLES (back just after ipchains!). IIRC it involved writing a rule to forward incoming matching packets on to the other route. Lots of info here (if the above link hasn't got enough info).
I don't believe using a VPN is a simple solution really, but it misses the point of what you're trying to do, so I'd do it the proper way first. VPN is good for encrypting traffic to another host.
Acting as a gateway between private IP addresses and public IP addresses requires that you do Network Address Translation (NAT). There are plenty of tutorials online about how to use iptables to do NAT, with or without iproute2 (which is another common Linux software package that can do NAT).
Try this
Or use the "simple" way and use a VPN.