
Advanced Networking: How to Configure a Linux Router with IP Masquerading.

By Noman Mohammad

Want to share one internet connection across one apartment, on one bill?

I had this exact problem last month. Two roommates, three phones, one smart-TV, four laptops, and a single cable modem.
Every single packet leaving the house exposed our gadgets to the open web.
That had to stop. So I turned an old Dell OptiPlex into our own Fort Knox-like router with **IP masquerading**.
Took me one Saturday afternoon. Here’s how you can do it too.

0. The big picture (in plain English)

Your house now has **one public face** (your ISP’s modem) and **one private face** (your laptops, phones, fridge, whatever).
You’re about to park an Ubuntu box between them.
Like a bouncer at a club:

  • devices inside can still dance on the internet floor
  • strangers outside can’t even see the dance floor exists

1. Grab a spare PC and two cables

You need two physical network ports. One cable to the modem, one cable to your switch or Wi-Fi access point.
Any pint-sized USB-to-Ethernet dongle works if the box only has one built-in port.

Boot into Ubuntu 22.04 LTS.

2. Check you actually have two interfaces

ip a

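You’ll spot eth0 (WAN, the modem side) and eth1 (LAN, the house side).
Memorise the names: the modem cable is now eth0. On Ubuntu 22.04 the interfaces often show up with names like enp3s0 instead; if so, substitute your own names in every command below.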

3. Flip the Linux forwarding switch

Linux is shy by default. Tell it to move packets between the two cards:

sudo nano /etc/sysctl.conf

Uncomment this line, or add it if it is missing:

net.ipv4.ip_forward = 1

Save the file and reload the settings:

sudo sysctl -p

Done. Linux can now forward traffic.

4. Hide everything behind one IP

Time for IP **masquerading**: inside devices get private addresses (192.168.1.x), the outside world sees only your public IP.
One line of rules:

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

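Allow forwarding: anything from the LAN may go out, and only replies to connections the LAN started may come back in:

sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

Both rules only accept traffic. They restrict nothing unless the FORWARD chain's default policy is DROP, and on a stock Ubuntu install that policy is ACCEPT.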

To make the rules survive reboots:

sudo apt install iptables-persistent  
sudo netfilter-persistent save

5. Give your LAN side a fixed address

Ubuntu 22.04 uses netplan:

sudo nano /etc/netplan/00-installer-config.yaml

Paste under the ethernets: section, indented to match the entries already there:

eth1:
  addresses: [192.168.1.1/24]
  dhcp4: no

Then apply the configuration:

sudo netplan apply

6. Let devices grab IPs automatically

sudo apt install dnsmasq
sudo nano /etc/dnsmasq.conf

Add these lines to the file:

interface=eth1
dhcp-range=192.168.1.100,192.168.1.200,255.255.255.0,24h
dhcp-option=option:router,192.168.1.1

Then restart the service:

sudo systemctl restart dnsmasq

You just became a mini-ISP.

7. Does it actually work?

Plug a laptop into eth1 via any cheap switch. You should pick up an IP like **192.168.1.154**.
Try:

ping 8.8.8.8
ping google.com

If she pings, you nailed it.

8. When Murphy hits the fan

  • No internet: does sysctl net.ipv4.ip_forward still say 1? If not, re-run sudo sysctl -p.
  • No DHCP lease: systemctl status dnsmasq will tell you if it’s dead.
  • Captain, my rules vanished: you forgot netfilter-persistent save.

9. Nail the door shut

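Block unsolicited visitors from the internet with the rule below. It goes in the INPUT chain, so it protects the router itself; traffic forwarded to the LAN is governed by the FORWARD rules from step 4. Save the rules again afterwards, as in step 4, or this one is gone after the next reboot: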

sudo iptables -I INPUT -i eth0 -m state --state NEW,INVALID -j DROP

Keep current packages:

sudo apt update && sudo apt full-upgrade

10. Want open ports later?

Your NAS lives at 192.168.1.10 and needs the world to see its snazzy Plex page on port 32400?

sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 32400 -j DNAT --to 192.168.1.10:32400
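
A quick way to check the finished ruleset against what this guide intends, as an added example that is not part of the original post: the function reads iptables-save output and flags a missing masquerade rule, a FORWARD chain left at the ACCEPT policy, and a router that accepts new WAN connections, then lists every port forward. The function name `audit_router` and the embedded sample dump are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: iptables-save output after steps 4, 9 and 10 (trimmed).
SAMPLE_AS_WRITTEN='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 32400 -j DNAT --to-destination 192.168.1.10:32400
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -m state --state INVALID,NEW -j DROP
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# audit_router WAN_IF: reads iptables-save text on stdin, prints findings,
# returns the number of findings (0 = nothing flagged). Hypothetical helper.
audit_router() {
    wan=$1; rules=$(cat); findings=0
    flag() { echo "FINDING: $1"; findings=$((findings + 1)); }

    # Step 4: LAN traffic must leave masqueraded on the WAN interface.
    printf '%s\n' "$rules" | grep -Eq -- "^-A POSTROUTING .*-o $wan .*-j MASQUERADE" ||
        flag "no MASQUERADE rule on $wan"

    # The FORWARD ACCEPT rules only restrict traffic when the chain policy is
    # DROP; with an ACCEPT policy, packets matching no rule are forwarded too.
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' ||
        flag "FORWARD policy is not DROP: unmatched WAN-to-LAN packets are forwarded"

    # Step 9: the router itself must not accept new connections from the WAN.
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' ||
        printf '%s\n' "$rules" | grep -Eq -- "^-A INPUT -i $wan .*NEW.* -j DROP" ||
        flag "router accepts new connections on $wan"

    # Step 10: each DNAT rule is a deliberately exposed service; list them.
    printf '%s\n' "$rules" | grep -E -- "^-A PREROUTING -i $wan .*-j DNAT" |
        sed 's/^/EXPOSED: /'
    return "$findings"
}

# On the router: sudo iptables-save | audit_router eth0
printf '%s\n' "$SAMPLE_AS_WRITTEN" | audit_router eth0 || echo "findings: $?"
```

With a DROP policy on FORWARD, the port forward from step 10 needs its own FORWARD accept rule for the NAS.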

11. Bonus round

  • QoS: spare the game ping from the roommate’s 4G video-call chaos with tc
  • VPN: spin up WireGuard so you can phone home safely from the café

One weekend later we’re streaming Netflix while the router sits humming under the desk.
No data left the house uninvited. That’s peace of mind you can’t buy off a shelf. Now go turn that dusty PC into your **personal gatekeeper**.
