Private Subnet with Ubuntu as Router

Suppose we have the following setup:

  • A computer with Ubuntu installed and two physical network interfaces (they might also be virtual, but that is more advanced)
  • This computer already has a working internet connection. Internet traffic goes out (and comes in) on the network interface eth2
  • We want to create a private subnet
  • The private subnet is connected to the computer via the other interface, here called eth3
  • The private subnet shall have the IP subnet
  • We want to assign IP addresses to every computer on that subnet from our Ubuntu computer

This can be done as described here:

Install dnsmasq (DHCP and DNS server)

(Starting with Ubuntu 12.04 you have to disable NetworkManager's own instance of dnsmasq to get yours up and running: comment out the line dns=dnsmasq in the file /etc/NetworkManager/NetworkManager.conf and restart NetworkManager using sudo restart network-manager.)

Install dnsmasq

sudo apt-get install dnsmasq

Change its configuration using sudo vi /etc/dnsmasq.conf so that it looks like the following (where eth3 is the name of the interface on which dnsmasq hands out IP addresses, in the range defined by the other line):


Restart dnsmasq:

sudo service dnsmasq restart

Get the firewall configuration right

with the ufw firewall

Allow all communication on the interface eth3:

sudo ufw allow in on eth3 to any
sudo ufw allow out on eth3 to any

Alternatively you can allow only the DNS and DHCP services (using the names set in /etc/services) and allow the subnet:

sudo ufw allow domain
sudo ufw allow bootps

Now set up NAT masquerading. This is done as described in the documentation of the Ubuntu firewall (ufw). Add these new lines at the top of /etc/ufw/before.rules, before the *filter section:


In addition you need to edit the ufw defaults with sudo vi /etc/default/ufw and set DEFAULT_FORWARD_POLICY="ACCEPT". Also edit /etc/ufw/sysctl.conf with sudo vi /etc/ufw/sysctl.conf and uncomment net.ipv4.ip_forward=1. Note that ACCEPT forwards traffic in both directions between eth2 and eth3; if you want to restrict this, keep the default DROP and allow forwarding explicitly (newer ufw versions provide ufw route allow for that).

And restart ufw using sudo ufw disable && sudo ufw enable.

Port forwarding: if you want to forward a port to a computer on the subnet, add one or more lines of the following form to /etc/ufw/before.rules:

# My DNAT rules
-A PREROUTING -i <iface> -p tcp --dport <port> -j DNAT --to-destination <addr>[:port]
-A PREROUTING -i <iface> -p udp --dport <port> -j DNAT --to-destination <addr>[:port]

After all this, the beginning of the file /etc/ufw/before.rules should look like the following, where <subnet> is your private subnet and <addr> is the machine that port 1999 is forwarded to:

# nat Table rules
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Forward traffic from <subnet> to the outer world via the interface eth2
-A POSTROUTING -s <subnet> -o eth2 -j MASQUERADE

# My DNAT rules: forward incoming tcp&udp connections on eth2 to port 1999 to port 80 on machine <addr>
-A PREROUTING -i eth2 -p tcp --dport 1999 -j DNAT --to-destination <addr>:80
-A PREROUTING -i eth2 -p udp --dport 1999 -j DNAT --to-destination <addr>:80

# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT
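The whole ufw-based procedure above (dnsmasq on eth3, MASQUERADE on eth2, optional DNAT) as an added example script; this is not code from the original page. It renders the two configuration fragments as text, refuses a nat block whose MASQUERADE rule has no source restriction, and stages the files in a directory so they can be diffed against the live files before being installed. The 192.168.50.0/24 subnet, the DHCP range 192.168.50.100 to 192.168.50.200 and the forward of port 1999 to 192.168.50.10:80 are assumed values; placing the nat block before the *filter section of /etc/ufw/before.rules is still a manual step.

```shell
#!/bin/sh
# Added example (not from the original page): render the dnsmasq and ufw NAT
# fragments for the router described above, check them, and stage them in a
# directory for review before anything is copied into /etc.
# Interface names, the 192.168.50.0/24 subnet, the DHCP range and the DNAT
# target are assumptions made for this example; adjust them to your setup.
set -eu

LAN_IF="${LAN_IF:-eth3}"                      # faces the private subnet
WAN_IF="${WAN_IF:-eth2}"                      # has the internet connection
LAN_SUBNET="${LAN_SUBNET:-192.168.50.0/24}"   # assumed private subnet

# Fragment to append to /etc/dnsmasq.conf: serve DHCP and DNS on the LAN
# interface only.  bind-interfaces keeps the DNS socket off eth2, so the
# router does not become an open resolver towards the internet.
render_dnsmasq_conf() {
    printf '%s\n' "interface=$1" "bind-interfaces" "dhcp-range=$2,$3,12h"
}

# nat table block for the top of /etc/ufw/before.rules (it has to come
# before the *filter section).  MASQUERADE is limited with -s to the private
# subnet; extra arguments are DNAT entries of the form wan_port:lan_host:lan_port.
render_ufw_nat() {
    lan_subnet="$1"; wan_if="$2"; shift 2
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    printf '%s -s %s -o %s -j MASQUERADE\n' '-A POSTROUTING' "$lan_subnet" "$wan_if"
    for fwd in "$@"; do
        wport="${fwd%%:*}"; rest="${fwd#*:}"
        host="${rest%%:*}"; lport="${rest#*:}"
        for proto in tcp udp; do
            printf '%s -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
                '-A PREROUTING' "$wan_if" "$proto" "$wport" "$host" "$lport"
        done
    done
    printf '%s\n' "# don't delete the 'COMMIT' line or these nat table rules won't be processed" 'COMMIT'
}

# Reject a nat block that is malformed or that would masquerade traffic from
# any source: exactly one *nat, exactly one COMMIT, a MASQUERADE rule, and
# every POSTROUTING rule carries a -s source restriction.
ufw_nat_check() {
    block="$1"
    [ "$(printf '%s\n' "$block" | grep -c '^\*nat$' || true)" -eq 1 ] || return 1
    [ "$(printf '%s\n' "$block" | grep -c '^COMMIT$' || true)" -eq 1 ] || return 1
    printf '%s\n' "$block" | grep -q -- '-j MASQUERADE$' || return 1
    if printf '%s\n' "$block" | grep -- '-A POSTROUTING' | grep -qv -- ' -s '; then
        return 1
    fi
    return 0
}

# Write both fragments under DIR so they can be diffed against the live
# files (/etc/dnsmasq.conf, /etc/ufw/before.rules) before being installed.
stage_configs() {
    dir="$1"
    mkdir -p "$dir"
    render_dnsmasq_conf "$LAN_IF" 192.168.50.100 192.168.50.200 >"$dir/dnsmasq.conf.fragment"
    nat="$(render_ufw_nat "$LAN_SUBNET" "$WAN_IF" 1999:192.168.50.10:80)"
    ufw_nat_check "$nat" || { echo "refusing to stage a bad nat block" >&2; return 1; }
    printf '%s\n' "$nat" >"$dir/before.rules.nat"
}

# Usage: sh router-conf.sh stage /tmp/router-staging
if [ "${1:-}" = "stage" ]; then
    stage_configs "${2:-./router-staging}"
fi
```

After staging, compare the fragments with the live files (diff against /etc/dnsmasq.conf and /etc/ufw/before.rules), copy them in, and reload with sudo service dnsmasq restart and sudo ufw disable && sudo ufw enable as described above.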

with iptables as firewall

Or with plain iptables, as described here (in German). These settings are lost after a reboot, and <subnet> stands for your private subnet:

# enable forwarding between the interfaces
sudo sysctl -w net.ipv4.ip_forward=1
# allow new connections from the private subnet on eth3 out to the internet on eth2
sudo iptables -A FORWARD -i eth3 -o eth2 -s <subnet> -m conntrack --ctstate NEW -j ACCEPT
# allow replies and related traffic in both directions
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# masquerade traffic from the private subnet behind the address of eth2
sudo iptables -t nat -A POSTROUTING -s <subnet> -o eth2 -j MASQUERADE

For port forwarding, add the same PREROUTING DNAT rules as in the ufw section above to the nat table with iptables -t nat.

Debug Dnsmasq

Make sure dnsmasq listens on port 53 (domain / DNS) and port 67 (bootps / DHCP), and only on the address of eth3, using (or sudo ss -lntup on newer systems):

sudo netstat -lntup | grep dnsmasq

Add the following options to /etc/dnsmasq.conf:


Watch the firewall log for blocked packets and the syslog for dnsmasq-dhcp entries:

tail -f /var/log/ufw.log
tail -f /var/log/syslog | grep dnsmasq-dhcp
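The two checks above (is dnsmasq bound where it should be, and what does the dnsmasq-dhcp log say) as an added example script that is not part of the original page. It runs on constructed sample output embedded in the script; on the router, pipe the real ss/netstat output and the real syslog lines into the same functions. The router address 192.168.50.1 on eth3 and the sample MAC addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): check where dnsmasq listens and
# summarise dnsmasq-dhcp syslog lines.  The inputs below are constructed
# samples; on the router feed the functions real output instead, e.g.
#   sudo ss -lntup | dns_bound_to_lan_only 192.168.50.1
#   grep dnsmasq-dhcp /var/log/syslog | dhcp_acks
# The router address 192.168.50.1 on eth3 is an assumption.
set -eu

# Constructed `ss -lntup` rows for a correctly bound dnsmasq (netstat -lntup
# rows are handled too).  DNS is bound to the eth3 address only.
SAMPLE_LISTENERS='udp   UNCONN 0 0    192.168.50.1:53   0.0.0.0:*   users:(("dnsmasq",pid=1234,fd=4))
tcp   LISTEN 0 32   192.168.50.1:53   0.0.0.0:*   users:(("dnsmasq",pid=1234,fd=5))
udp   UNCONN 0 0    0.0.0.0:67        0.0.0.0:*   users:(("dnsmasq",pid=1234,fd=6))'

# Same, but without interface=/bind-interfaces: DNS on the wildcard address,
# i.e. reachable from the internet side on eth2 as well.
SAMPLE_LISTENERS_BAD='udp   UNCONN 0 0    0.0.0.0:53        0.0.0.0:*   users:(("dnsmasq",pid=1234,fd=4))
udp   UNCONN 0 0    0.0.0.0:67        0.0.0.0:*   users:(("dnsmasq",pid=1234,fd=6))'

# Constructed dnsmasq-dhcp syslog lines: a complete DISCOVER/OFFER/REQUEST/ACK
# exchange on eth3 and a DISCOVER that arrived on the internet-facing eth2.
SAMPLE_SYSLOG='Jan  5 10:00:01 router dnsmasq-dhcp[1234]: DHCPDISCOVER(eth3) aa:bb:cc:dd:ee:01
Jan  5 10:00:01 router dnsmasq-dhcp[1234]: DHCPOFFER(eth3) 192.168.50.100 aa:bb:cc:dd:ee:01
Jan  5 10:00:02 router dnsmasq-dhcp[1234]: DHCPREQUEST(eth3) 192.168.50.100 aa:bb:cc:dd:ee:01
Jan  5 10:00:02 router dnsmasq-dhcp[1234]: DHCPACK(eth3) 192.168.50.100 aa:bb:cc:dd:ee:01 host1
Jan  5 10:00:09 router dnsmasq-dhcp[1234]: DHCPDISCOVER(eth2) 00:11:22:33:44:55
Jan  5 10:00:09 router dnsmasq-dhcp[1234]: no address range available for DHCP request via eth2'

# Succeed only if every dnsmasq socket on port 53 is bound to the LAN address.
# Port 67 is ignored on purpose: dnsmasq binds the DHCP socket to the wildcard
# address and decides per packet whether the receiving interface is served.
dns_bound_to_lan_only() {
    awk -v lan="$1" '
        /dnsmasq/ {
            # netstat: numeric queue counters in $2/$3, local address in $4
            # ss:      socket state in $2, local address in $5
            f = ($2 ~ /^[0-9]+$/) ? 4 : 5
            n = split($f, a, ":"); port = a[n]
            addr = substr($f, 1, length($f) - length(port) - 1)
            if (port == "53" && addr != lan) { print "DNS exposed on " $1 " " $f; bad++ }
        }
        END { exit (bad > 0) }'
}

# Print "ip mac hostname" for every DHCPACK, i.e. every lease actually granted.
dhcp_acks() {
    awk '/dnsmasq-dhcp.*: DHCPACK\(/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^DHCPACK\(/) break
        print $(i + 1), $(i + 2), ($(i + 3) == "" ? "-" : $(i + 3))
    }'
}

# Count DHCP messages that arrived on an interface other than the served one.
# dnsmasq answers them with "no address range available", but they show that
# DHCP clients on the eth2 side can reach the router.
dhcp_requests_outside() {
    awk -v lan="$1" '
        /dnsmasq-dhcp.*: DHCP[A-Z]+\(/ {
            match($0, /DHCP[A-Z]+\([^)]+\)/)
            iface = substr($0, RSTART, RLENGTH)
            sub(/^[^(]*\(/, "", iface); sub(/\)$/, "", iface)
            if (iface != lan) n++
        }
        END { print n + 0 }'
}

# Run the checks on the constructed samples.
printf '%s\n' "$SAMPLE_LISTENERS" | dns_bound_to_lan_only 192.168.50.1 && echo "DNS bound to LAN address only"
printf '%s\n' "$SAMPLE_SYSLOG" | dhcp_acks
printf '%s\n' "$SAMPLE_SYSLOG" | dhcp_requests_outside eth3
```

If dns_bound_to_lan_only reports a socket on 0.0.0.0:53 or on the eth2 address, the interface= and bind-interfaces lines in /etc/dnsmasq.conf are missing or not in effect, and the router answers DNS queries from the internet side.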