{"id":14075,"date":"2026-04-29T01:01:00","date_gmt":"2026-04-29T05:01:00","guid":{"rendered":"https:\/\/www.both.org\/?p=14075"},"modified":"2026-04-24T21:03:34","modified_gmt":"2026-04-25T01:03:34","slug":"making-your-linux-box-into-a-router","status":"publish","type":"post","link":"https:\/\/www.both.org\/?p=14075","title":{"rendered":"How to Make your Linux Box Into a Router"},"content":{"rendered":"<p>Three things are required to make a Linux box into a router. From a hardware standpoint you need two or more NICs. Each NIC must be connected to a different network segment. Then you need both masquerading (NAT) and forwarding enabled. All of the network configuration except installing the hardware for a second NIC can be accomplished without rebooting.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">IP Forwarding<\/h2>\n\n\n\n<p>IP Forwarding allows packets to be forwarded from one NIC to another, or in layer 3 parlance, from one network or subnet to another, usually from an internal network to an external network such as the Internet.<\/p>\n\n\n\n<p>You can turn on IP Forwarding immediately by changing the content of the ip_forward file in the \/proc filesystem from 0 to 1 using the command:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># <strong>echo 1 > \/proc\/sys\/net\/ipv4\/ip_forward<\/strong><\/code><\/pre>\n\n\n\n<p>To make sure that IP Forwarding is persistent after a reboot, change one line in \/etc\/sysctl.conf from 0 to 1. 
Change the line:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>net.ipv4.ip_forward = 0<\/code><\/pre>\n\n\n\n<p>to<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>net.ipv4.ip_forward = 1<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Masquerading<\/h2>\n\n\n\n<p>Masquerading modifies the packets coming from the internal network so that the return address is that of the external NIC. IP Tables maintains an internal table with the ID of the packet transmitted out and the true source address of the packet. When the remote host, such as cnn.com, sends the response packet, it has the destination address of the external NIC. IP Tables replaces that destination address with that of the true source of the original packet on the internal network and sends it on to that host.<\/p>\n\n\n\n<p>Configure IPTables for masquerading. Add the following line to your \/etc\/sysconfig\/iptables file in the POSTROUTING section of the NAT table. Be sure to use the network address, in CIDR notation, of your own network.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>-A POSTROUTING -s 192.168.0.0\/24 -j MASQUERADE<\/code><\/pre>\n\n\n\n<p>We also need to add a line to the FORWARD chain of the FILTER table. This assumes that the internal network interface, specified using the -i option, is enp2s0. 
You would of course use the NIC name appropriate for your host.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>-A FORWARD -i enp2s0 -j ACCEPT<\/code><\/pre>\n\n\n\n<p>Save the revised file and activate the change using the following command.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># <strong>cd \/etc\/sysconfig\/ ; iptables-restore iptables<\/strong><\/code><\/pre>\n\n\n\n<p>This line in the postrouting chain of the NAT table in IP Tables causes all packets from the 192.168.0.0 subnet to be masqueraded when they are passed to the external subnet.<\/p>\n\n\n\n<p>You now have configured your Linux box as a router.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Making your Linux box into a router is easy. Here&#8217;s how.<\/p>\n","protected":false},"author":2,"featured_media":7668,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_lmt_disableupdate":"","_lmt_disable":"","footnotes":""},"categories":[5,274,967],"tags":[326,968,369,969],"class_list":["post-14075","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","category-networking","category-router","tag-networking","tag-router","tag-routing","tag-routrouting-table"],"modified_by":"David 
Both","_links":{"self":[{"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts\/14075","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14075"}],"version-history":[{"count":4,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts\/14075\/revisions"}],"predecessor-version":[{"id":14090,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts\/14075\/revisions\/14090"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/media\/7668"}],"wp:attachment":[{"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14075"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14075"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14075"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}