Setting up a Gateway
General Idea
If you only have one machine, then the whole idea of a gateway will be very uninteresting, but if you have several machines, each with an ethernet card connected to a hub, then a gateway might be just what you are looking for.
A gateway is a properly configured server that acts as a portal to the rest of the Internet for the machines in another network domain. This is typically a Local Area Network or LAN.
Once the gateway has been properly set up, any machine on the LAN can access any other machine on the LAN and in addition, can access any other named machine on the Internet! While this process puts additional loads on the server machine, the costs are often well worth the benefits of total connectivity.
The following pages provide the details of configuring the kernel, setting up a name server, and putting the routing information together so that access by the machines on the LAN is seamless and straight forward.
The example system used in the following discussion consists of 3 machines. Dwarf actually owns these machines and has set them up as detailed in the following pages. They consist of one Intel machine (a rather ancient machine running a P90) which runs the latest Debian release; a second Intel machine that runs Windows 98; and an Ultra Sparc running the latest Debian GNU/Linux. The Ultra (ultra.dwarf.net) is the gateway at IP address 10.1.1.1; fox.dwarf.net is the Windows machine with IP address 10.1.1.20; and dwarf.dwarf.net is the Debian development box at 10.1.1.10. The following pages will detail the steps taken to configure all three machines to have access to the Internet through the Ultra.
Configuring the Kernel
The first step is to make sure the kernel supports the needs of a gateway.
When describing kernel versions in this section, only the 2.0.X and the 2.2.X kernels will be considered. Each of these version sets deal with a gateway in a slightly different fashion, but the principles are basically the same.
The first step is to build and install a kernel with the features needed for a gateway . These items are set up during the configuration portion of the kernel build (see the previous section on building a custom kernel), and must include the following feature items in order for the gateway to work properly.
In the main configuration menu (using make menuconfig), under Networking Options the following options must be enabled:
network firewalls
IP: firewalling
IP: masquerading
IP: ICMP masquerading

When IP: masquerading is chosen, some kernels will just tell you that the required support drivers will be built as kernel modules, while other kernels will provide an additional list of modules you should select, in order for features like FTP to work correctly.
Once these options have been enabled and the resulting kernel has been built and is is installed and running, the server is ready to be set up as a gateway.
Getting the Routing Straight
Depending upon which kernel you are running, almost all of your routing needs for the gateway can be handled with one of two programs. For the 2.0.X kernels, the program is ipfwadm and is delivered in the netbase package. For the 2.2.X kernels, the program is ipchains and is also delivered in the netbase package. The 2.2 release of Debian delivers the 2.2.17 Linux kernel so the discussion will be limited to this kernel. The minor differences between ipfwadm and ipchains can be worked out by reading the fine documentation for these programs.
There is an additional package that makes all of this work correctly whichever kernel you happen to be running. The ipmasq package installs a set of scripts into the init process which insert the proper ipfwadm/ipchains commands to the kernel. Both of the questions asked during installation of ipmasq should be answered yes. You do want the rules recomputed when the pppd daemon raises or lowers the external connection, and you really do want ip masquerading turned on for the gateway system.
Before these scripts will work correctly your system will need to be configured properly, with the PPP connection established. This means a proper /etc/hosts file, a correct /etc/init.d/networks file and a proper /etc/resolv.conf file.
On Dwarf's gateway the hosts file looks like:
127.0.0.1	localhost
10.1.1.1	ultra.dwarf.net	ultra

# The following lines are desirable for IPv6 capable hosts
# (added automatically by netbase upgrade)

::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Notice the additional entries made by the netbase upgrade, which provide functionality for ip6 addresses. Of importance to our gateway effort are the first two lines, declaring the local host and the gateway machine.
The /etc/resolv.conf file on ultra looks like:
search dwarf.net
nameserver 10.1.1.1

Note: All other Linux boxes should have the same resolv.conf file. 
While the /etc/init.d/network file on ultra looks like:
#! /bin/sh
ifconfig lo 127.0.0.1
route add -net 127.0.0.0
IPADDR=10.1.1.1
NETMASK=255.255.255.0
NETWORK=10.1.1.0
BROADCAST=10.1.1.255
GATEWAY=10.1.1.1
ifconfig eth0 ${IPADDR} netmask ${NETMASK} broadcast ${BROADCAST}
route add -net ${NETWORK}
[ "${GATEWAY}" ] && route add default gw ${GATEWAY} metric 1

# (added automatically by netbase upgrade)
#
# In new Debian installations, this file is deprecated in favour of
# the ifup/ifdown commands (invoked from /etc/init.d/networking), which
# can be configured from the file /etc/network/interfaces.
#
# If you are receiving SIOCADDRT errors, they can be avoided by adding
# a netmask and interface to your "route add -net" lines. eg,
#      route add -net 127.0.0.0
# becomes:
#      route add -net 127.0.0.0 netmask 255.0.0.0 lo
#
# Alternatively, these lines can simply be deleted if you don't use 2.0.x 
# series kernels.

With these files properly set up, the ipmasq package will handle the configuration needs of the gateway. At this point the gateway should be up and running, however the only way members of the LAN can access the Internet is via numeric IP addresses.  To get names resolved into IP addresses automatically, it is best to configure BIND to satisfy these needs.
Setting up Bind
Bind is the package in Debian that provides a name server for your Linux installation. If this package is not installed, the next step is to install it before attempting any further configuration.
Once you have BIND installed, there are several configuration tasks to be considered. First we need name resolution for targets on the external Internet, and somewhat less, we need to resolve names within the LAN. While the LAN addresses can be solved for Linux machines with proper entries in the hosts file, the non-Linux/Unix machines may not be able to resolve these local addresses themselves, so it will probably be better to create a BIND zones file for the LAN. Then all machines on the LAN only need point to the gateway machine for complete name resolution.
Getting to the outside Internet is the simpler of the two tasks. BIND is controlled by the file /etc/bind/named.conf which contains the following lines in the options section of the file:
	//forwarders {
	//	0.0.0.0;
	//	};

Removing the comments (//) and replacing the null address with the name resolvers provided by your ISP produces the following replacement lines on Dwarf's gateway:
	forwarders {
		207.217.120.83;
		207.217.77.83;
	};

Now BIND can resolve names that exist externally on the Internet. To get the same capability for the LAN will require making new a zones file for dwarf.net and adding a reference to it in the named.conf file. This may require some study of the BIND documentation in order to understand zones properly, but the following example shows how this is done for Dwarf's LAN.
; BIND data file for dwarf.net LAN

@	IN	SOA	ultra.dwarf.net. (
			1		; Serial
			8H		; Refresh
			2H		; Retry
			1W		; Expire
			1D )		; Default TTL

dwarf.net.	IN	TXT		"dwarf.net network"
		IN	NS		ultra.dwarf.net.
		IN	MX	100	ultra.dwarf.net.

; some convenient internal CNAMEs

www		IN	CNAME	ultra
ftp		IN	CNAME	ultra
mail		IN	CNAME	ultra
news		IN	CNAME	ultra

dwarf		IN	A	10.1.1.10
		IN	TXT	"dwarf - P90, 32MB, 20GB"
		IN	MX	100	dwarf.dwarf.net.

fox		IN	A	10.1.1.20
		IN	TXT	"fox - Compaq p650, 128MB, 14GB"
		IN	MX	100	fox.dwarf.net.

sonya		IN	A	10.1.1.40
		IN	TXT	"sonya - Compaq 1245 Laptop"
		IN	MX	100	sonya.dwarf.net.

ultra		IN	A	10.1.1.1
		IN	TXT	"ultra - Ultra-SPARC Gateway"
		IN	MX	100	ultra.dwarf.net.

localhost	IN	A	127.0.0.1
		IN	TXT	"local machine"

These lines, placed in the file /etc/bind/db.dwarf.net  on the gateway machine will allow any machine on the LAN using that gateway to specify any other machine by name.
Hopefully the previous pages have given a fairly clear idea of the details involved in setting up a gateway. Since the examples provided may not speak to your specific needs, Dwarf recommends the BIND documentation for nameserver issues, and the ipmasq documentation for the gateway functions. When all else fails there is always the debian-user mailing list to fall back on for answers.