Skip to main content

Tutorial: Enable routing and NAT on Linux

Abstract

The scripts generated for the various Linux distributions for Network Connectors already have the commands included for enabling NAT and routing. These instructions are mainly for informational purposes.

The scripts generated for the various Linux distributions for Network Connectors already have the commands included for enabling NAT and routing. These instructions are mainly for informational purposes.

Routing on Linux

Note

The templates and scripts used for deploying Connectors on Linux, IaaS, and Virtual Private Servers from the Administration Portal include the needed commands for NAT and IP forwarding by default.

To enable IPv4 forwarding, use the following commands on the command line:

sudo sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
sudo sysctl -p 

To enable IPv6 forwarding

sudo sed -i 's/#net.ipv6.conf.all.forwarding=1/net.ipv6.conf.all.forwarding=1/g' /etc/sysctl.conf
sudo sysctl -p 

This will enable forwarding in the Linux kernel.

NAT on Linux

Note

The templates and scripts used for deploying Connectors on Linux, IaaS, and Virtual Private Servers from the Administration Portal include the needed commands for NAT and IP forwarding by default.

Use the following commands on the command line:

sudo apt install iptables-persistent
IF=`ip route | grep default | awk '{print $5}'`
sudo iptables -t nat -A POSTROUTING -o $IF -j MASQUERADE
sudo iptables-save | sudo tee /etc/iptables/rules.v4
sudo ip6tables -t nat -A POSTROUTING -o $IF -j MASQUERADE
sudo iptables-save | sudo tee /etc/iptables/rules.v6 

The iptables rule uses the NAT packet matching table (-t nat) and specifies the built-in POSTROUTING chain for NAT (-A POSTROUTING) on the external networking Device (-o $IF). The variable ‘IF’ stores the default interface. POSTROUTING allows packets to be altered as they are leaving the Connector instance. The -j MASQUERADE target is specified to mask the private IP address of a node with the IP address assigned to the default interface.

The above is sufficient if you are fine with all traffic being NATted. However, if you need Hosts on the Network to distinguish between different WPC clients or Connectors, you need to use “! -d xx.xx.xx.xx/xx” in the NAT rule where xx.xx.xx.xx/xx is the subnet of the target LAN subnet, otherwise traffic to that subnet will also be NATted. The example below shows how to use the iptables command so that NAT is not used if the destination is in the 10.10.0.0/16 subnet.

sudo iptables -t nat -A POSTROUTING -o $IF ! -d 10.10.0.0/16 -j MASQUERADE