A GNU/Linux machine has routing in the kernel. The only thing you need to do is enable it. Therefor you need to adjust /proc/sys/net/ipv4/ip_forward.
appel:~# cat /proc/sys/net/ipv4/ip_forward 0
With the following command you turn on routing:
appel:~# echo 1 > /proc/sys/net/ipv4/ip_forward appel:~# cat /proc/sys/net/ipv4/ip_forward 1
To make sure the setting is also set after a reboot adjust /etc/network/options:
ip_forward=yes
Put in /etc/network/options:
spoofprotect=yes
Put in /etc/network/options:
syncookies=no
[META]
When you use IP-addresses of the private range on your internal network, like:
then no connection to the Internet from your local net will succeed, although you have turned on routing. The reason for this is that no private range address is allowed on the Internet, so they are filtered. To solve this you need NAT, or as it is called in the GNU/Linux world: masquerading
There are two types of NAT: Source NAT and Destination NAT.
In the case of private IP addresses that may not occur on the Internet we use Source NAT to hide them. If you have a 2.4.x kernel installed use iptables to set masquerading:
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
We assume that ppp0 is you Internet interface. For 2.2.x kernels you might want to use ipchains:
ipchains -A forward -j MASQ -s 192.168.1.0/24 -d 0.0.0.0 -i ppp0
With the above lines one has a basic system. You internal network is connected to the Internet. You have a router, but no firewall yet.
The otherway around is Destination NAT, meaning that a destination IP address is translated. Maybe later versions of this document will contain more info on this.
To setup a firewall, and a complete discription of how to do it, is a lot of work. For now we are gonna close every incoming connection from the Internet, just to be sure (this also closes our SSH connection):
iptables -A INPUT -s 0/0 -p tcp --syn -j DROP -i ppp0
For more info on iptables read the documentation of Rusty Russel:
http://netfilter.samba.org/unreliable-guides/ packet-filtering-HOWTO/ Post-installation