SNAT with one NIC

Yeah, this is possible (I have this set up on a SheevaPlug).

In my case, I have a block of routable IP addresses from my ISP, but I have more devices than IP addresses and not everything needs a routable IP address.

So, instead of getting more IP addresses, I decided to do DHCP and NAT for some things.

In my current setup I'm actually doing DHCP, DNS and NAT on the SheevaPlug _and_ using it as a firewall.

Here I'll just show how to do the NAT part.

Getting started

Let's say you have the following network configuration:
External network  : 172.16.0.0/12
Internal network  : 192.168.1.0/24
Router IP address : 172.16.1.254
Set up your network interface, e.g.
# ip link set dev eth0 up
# ip addr add 172.16.1.1/12 brd + dev eth0
# ip addr add 192.168.1.1/24 brd + dev eth0
Add a default route to your router.
# ip route add default via 172.16.1.254 dev eth0

Set up NAT

Clear iptables and set default policies.
# iptables -F
# iptables -t nat -F
# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD DROP
Configure source NAT.
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 172.16.1.1

# iptables -A FORWARD -i eth0 -o eth0 -s 192.168.1.0/24 -j ACCEPT
# iptables -A FORWARD -i eth0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Let the packets flow

Enable IP forwarding.
# echo 1 > /proc/sys/net/ipv4/ip_forward
Disable ICMP redirects.
# echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
# echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
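The steps above, collected into one re-runnable script as an added example (it is not the post's own command list). It defaults to the sample network from the post (eth0, 172.16.1.1/12, 192.168.1.1/24, gateway 172.16.1.254) and can be overridden through the environment. Two things differ from the commands as typed above, and both are my choices rather than the author's: the SNAT rule carries `-s $INT_NET`, so only packets from the internal network are rewritten and the router's own traffic is left alone, and the sysctls are set with `sysctl -w`, which is equivalent to the `echo ... > /proc/sys/...` lines. The `render_nat_rules` function only prints the commands, so the rule set can be reviewed without root or a real NIC.

```shell
#!/bin/sh
# Added example, not the original post's commands: the same single-NIC SNAT
# set-up as one re-runnable script. Addresses, interface and gateway default
# to the post's sample network; override them via the environment.
EXT_IF="${EXT_IF:-eth0}"
EXT_ADDR="${EXT_ADDR:-172.16.1.1}"
EXT_PREFIX="${EXT_PREFIX:-12}"
INT_ADDR="${INT_ADDR:-192.168.1.1}"
INT_NET="${INT_NET:-192.168.1.0/24}"
GATEWAY="${GATEWAY:-172.16.1.254}"

# Emit every command, one per line, without running anything. Keeping the
# rule set in a function lets you review (or test) it without root or a NIC.
render_nat_rules() {
    cat <<EOF
ip link set dev $EXT_IF up
ip addr replace $EXT_ADDR/$EXT_PREFIX brd + dev $EXT_IF
ip addr replace $INT_ADDR/${INT_NET#*/} brd + dev $EXT_IF
ip route replace default via $GATEWAY dev $EXT_IF
iptables -F
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -s $INT_NET -o $EXT_IF -j SNAT --to-source $EXT_ADDR
iptables -A FORWARD -i $EXT_IF -o $EXT_IF -s $INT_NET -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.$EXT_IF.accept_redirects=0
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.$EXT_IF.send_redirects=0
EOF
}

# Run the rendered commands in order, echoing each one first, and stop at the
# first failure so a half-applied rule set is not mistaken for a working one.
apply_nat_rules() {
    render_nat_rules | while IFS= read -r cmd; do
        printf '+ %s\n' "$cmd"
        eval "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# Show what the kernel actually holds after applying: the NAT and FORWARD
# rules plus the forwarding and redirect sysctls.
show_nat_state() {
    iptables -t nat -S POSTROUTING
    iptables -S FORWARD
    sysctl net.ipv4.ip_forward net.ipv4.conf.all.accept_redirects \
        net.ipv4.conf.all.send_redirects
}

# Default is a dry run; set APPLY_NAT=1 (as root) to really apply the rules.
if [ "${APPLY_NAT:-0}" = 1 ]; then
    apply_nat_rules && show_nat_state
else
    render_nat_rules
fi
```

Run it once without arguments to see the exact commands it would issue, then `APPLY_NAT=1 sh nat.sh` as root to apply them and print the resulting state. Nothing here survives a reboot: the addresses, the route, the iptables rules and the sysctls all have to be reapplied (or saved through whatever persistence mechanism your distribution uses), which is why a script rather than a shell history is worth keeping.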


Andrew Clayton; Sun Oct 16, 2011