Ubuntu IP Masquerading


The purpose of IP Masquerading is to allow machines with private, non-routable IP addresses on your network to access the internet through the machine doing the masquerading. Traffic from your private network destined for the internet must be manipulated for replies to be routable back to the machine that made the request.

To do this, the kernel must modify the source IP address of each packet so that replies will be routed back to it, rather than to the private IP address that made the request, which is impossible over the internet. Linux uses Connection Tracking (conntrack) to keep track of which connections belong to which machines and reroute each return packet accordingly. Traffic leaving your private network is thus "masqueraded" as having originated from your Ubuntu gateway machine. This process is referred to in Microsoft documentation as Internet Connection Sharing.

On Ubuntu, you have two options to set up IP Masquerading. They both use the same underlying technology, the iptables kernel firewall, but UFW is simpler to set up and use. The other option is to write rules directly to iptables. It's just as effective, but it is more complicated to use and manage.

Initial Setup

Whichever route you choose, you'll need to start by enabling packet forwarding. Packet forwarding allows your computer to send packets from one connection to another, which is essential to IP masquerading.

  1. Open a terminal window, either by selecting the icon from your applications menu or with the Ctrl+Alt+T hotkey.

  2. Open the sysctl configuration file with your text editor of choice. The simplest one is Nano.

    sudo nano /etc/sysctl.conf
    
  3. Scroll through the file and locate:

    #net.ipv4.ip_forward=1
    

    Remove the # at the beginning of the line to uncomment it, enabling packet forwarding. Then, find:

    #net.ipv6.conf.all.forwarding=1
    

    Do the same thing there too. Altogether, they should look like:

    net.ipv4.ip_forward=1
    net.ipv6.conf.all.forwarding=1
  4. Press Ctrl+X on your keyboard to exit. Press y to confirm the save. Then, press Enter to write to the same file.

  5. Now, reload the configuration file with the following command:

    sudo sysctl -p
    

UFW for IP Masquerading

UFW stands for Uncomplicated Firewall, and it is considerably less complicated than raw iptables. That's why it's become a favorite on Ubuntu, Debian, and their relatives. It's still a command line application, but it offers significantly less complex syntax than the underlying iptables system it interacts with.

Because of UFW's friendlier nature, it's an ideal option for both IP masquerading and general firewall use on Ubuntu.

  1. Start by installing UFW. If your terminal isn't still open, open it back up, and run the following command.

    sudo apt install ufw
    
  2. Use your text editor to open the default UFW configuration file at /etc/default/ufw.

    sudo nano /etc/default/ufw
    
  3. Scroll through the file and locate:

    DEFAULT_FORWARD_POLICY="DROP"
    

    Change it to read:

    DEFAULT_FORWARD_POLICY="ACCEPT"
    
  4. Press Ctrl+X on the keyboard to exit. Then, confirm the save with y followed by Enter.

  5. There's another configuration file that you'll need to modify next. Use your text editor to open /etc/ufw/before.rules.

    sudo nano /etc/ufw/before.rules
    
  6. Just below the initial block of comments and before the line that begins with:

    *filter
    

    Add the following block to tell UFW to masquerade traffic from your local network (assumed here to be 192.168.0.0/24) as it leaves through the eth0 interface. The outbound interface may not be eth0 on your computer, and your network range may differ, so check both first and adjust the rule to match.

    # nat IP masquerade table
    *nat
    :POSTROUTING ACCEPT [0:0]

    # Forward traffic from existing local connection to eth0
    -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE

    # Commit the rules to be processed - DO NOT DELETE
    COMMIT
  7. Now, restart UFW for the changes to take effect.

    sudo ufw disable && sudo ufw enable
    

Iptables for IP Masquerading

UFW is actually just a wrapper interface for iptables intended to simplify management. That said, in case you prefer iptables directly or you're working in a situation where you can't use UFW, you can still set up IP masquerading with relatively minimal effort.

  1. Make sure you don't have UFW or anything similar running:

    sudo ufw disable
    
  2. Check your iptables rules, if any:

    sudo iptables -S
    
  3. Run the following command to set up IP masquerading. Like before, the command assumes that your local network range is 192.168.0.0/24 and you're looking to route to eth0. Modify it to fit your configuration.

    sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
    

    That can be a lot to take in at once. Here's the breakdown of what's going on:

    • -t nat - The rule is to go into the nat table.
    • -A POSTROUTING - The rule is to be appended (-A) to the POSTROUTING chain.
    • -s 192.168.0.0/24 - The rule applies to traffic originating from the specified address space.
    • -o eth0 - The rule applies to traffic scheduled to be routed out through the specified network device.
    • -j MASQUERADE - Traffic matching this rule is to "jump" (-j) to the MASQUERADE target to be manipulated as described above.
  4. After running the command, check that the rule has been applied by listing the rules again:

    sudo iptables -S
    
  5. Iptables rules live only in kernel memory, so they are lost every time the machine reboots. On Ubuntu, there's a simple way to make sure they are restored each time you start your computer. Install the iptables-persistent package:

    sudo apt install iptables-persistent
    
  6. The screen will shift to ask you if you want to save your existing IPv4 rules followed by your IPv6 rules. Answer Yes both times. From now on, iptables will load your rules at startup.

  7. As you go, if you want to add or change your iptables rules, do it normally. Then, you can save the updated rules with:

    sudo netfilter-persistent save
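The helper script below is an added example and not part of the original article or of any Ubuntu tool. It ties the three steps above together: it checks that net.ipv4.ip_forward is really 1, reads the outbound interface from the default route instead of assuming eth0, validates the network range, and prints the same POSTROUTING rule that goes into before.rules or the iptables command. The function names are this script's own, and the route text used in the comments is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: helpers that check packet
# forwarding, find the outbound interface instead of assuming eth0, and build
# the MASQUERADE rule from explicit values. Function names are this script's
# own; any route text passed to wan_iface in a test is constructed input.

# Succeeds only for a dotted-quad IPv4 network with a /prefix (e.g. 192.168.0.0/24).
lan_cidr_ok() {
  case "$1" in
    ''|*[!0-9./]*|/*|*/|*/*/*|.*|*..*|*./*) return 1 ;;
  esac
  ip=${1%/*}; pfx=${1#*/}
  [ "$pfx" -ge 0 ] 2>/dev/null && [ "$pfx" -le 32 ] || return 1
  set -- $(printf '%s' "$ip" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
  return 0
}

# Prints the interface named on the default route. Takes the output of
# "ip route show default" as text so it can be checked without a live system.
wan_iface() {
  printf '%s\n' "$1" |
    awk '$1=="default"{for(i=1;i<NF;i++) if($i=="dev"){print $(i+1); exit}}'
}

# Emits the POSTROUTING rule used in before.rules and in the iptables command,
# refusing a malformed network or an interface name with unexpected characters.
masq_rule() {
  lan_cidr_ok "$1" || return 1
  case "$2" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
  printf '%s -s %s -o %s -j MASQUERADE\n' '-A POSTROUTING' "$1" "$2"
}

# Succeeds when the ip_forward sysctl reads 1; a file path may be passed for testing.
forwarding_enabled() {
  f=${1:-/proc/sys/net/ipv4/ip_forward}
  [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Usage: sh masq-rule.sh LAN_CIDR [WAN_IFACE]. With no arguments nothing runs,
# so the functions can be sourced or tested on their own.
if [ $# -ge 1 ]; then
  forwarding_enabled || echo "warning: net.ipv4.ip_forward is not 1" >&2
  iface=${2:-$(wan_iface "$(ip route show default 2>/dev/null)")}
  masq_rule "$1" "$iface" || { echo "bad network or interface" >&2; exit 1; }
fi
```

Run it with your own range, e.g. `sh masq-rule.sh 192.168.0.0/24`, and paste the printed rule into the *nat block or prefix it with `sudo iptables -t nat` as in step 3.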