NAT / firewall (share internet) as configurable option

Instead of storing local configurations, we want to ask about NAT on interfaces.

Here is a tested "forward.sh" script:

#!/bin/bash

# Enable IPv4 forwarding so the kernel routes packets between interfaces.
sysctl -w net.ipv4.ip_forward=1

# Default policy to drop all incoming packets.
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Accept incoming packets from localhost and the LAN interface.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i enp6s0 -j ACCEPT

# Accept incoming packets from the WAN if the router initiated the connection.
iptables -A INPUT -i enp7s4 -m conntrack \
--ctstate ESTABLISHED,RELATED -j ACCEPT

# Forward LAN packets to the WAN.
iptables -A FORWARD -i enp6s0 -o enp7s4 -j ACCEPT

# Forward WAN packets to the LAN if the LAN initiated the connection.
iptables -A FORWARD -i enp7s4 -o enp6s0 -m conntrack \
--ctstate ESTABLISHED,RELATED -j ACCEPT

# NAT traffic going out the WAN interface.
iptables -t nat -A POSTROUTING -o enp7s4 -j MASQUERADE

# rc.local needs to exit with 0
exit 0
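
As an added example (not the issue's or the project's own code): a parameterised form of the script above for the configurable option. The LAN and WAN interface names come from the caller, so they are validated before being spliced into iptables commands; the function names, the `--dry-run` flag and the `-e` handling are my own assumptions, and enp6s0/enp7s4 are the issue's interface names.

```bash
#!/bin/bash
# Accept only plausible Linux interface names: non-empty, at most 15
# characters, and nothing outside [A-Za-z0-9._-] (so no shell metacharacters
# can reach the iptables command line from a configuration value).
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Print the firewall + NAT commands for LAN=$1 and WAN=$2, one per line.
# Same rule set as forward.sh above. Prints nothing and returns 1 if either
# name fails validation.
nat_rules() {
    lan=$1; wan=$2
    valid_ifname "$lan" && valid_ifname "$wan" || return 1
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $lan -j ACCEPT
iptables -A INPUT -i $wan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
EOF
}

# apply_nat [--dry-run] LAN WAN
# With --dry-run the commands are only printed; otherwise they are executed
# (as root) through "sh -e", so the first failing rule aborts the rest.
apply_nat() {
    if [ "$1" = "--dry-run" ]; then
        shift
        nat_rules "$@"
        return
    fi
    nat_rules "$@" | sh -e
}
```

Example: `apply_nat --dry-run enp6s0 enp7s4` prints the nine commands; `apply_nat --dry-run 'enp6s0;id' enp7s4` prints nothing and returns 1.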

A YAML file for netplan (networkd renderer) so that the "internet" interface runs DHCP:

network:
  version: 2
  renderer: networkd
  ethernets:
    enp7s4:
      dhcp4: true