Tutorial: Enable routing and NAT on Linux
The scripts generated for the various Linux distributions for Network Connectors already have the commands included for enabling NAT and routing. These instructions are mainly for informational purposes.
Routing on Linux
Note
The templates and scripts used for deploying Connectors on Linux, IaaS, and Virtual Private Servers from the Administration Portal include the needed commands for NAT and IP forwarding by default.
To enable IPv4 forwarding, use the following commands on the command line:
sudo sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
sudo sysctl -p
To enable IPv6 forwarding, use the following commands:
sudo sed -i 's/#net.ipv6.conf.all.forwarding=1/net.ipv6.conf.all.forwarding=1/g' /etc/sysctl.conf
sudo sysctl -p
This enables forwarding in the Linux kernel: sed uncomments the setting in /etc/sysctl.conf so it persists across reboots, and sysctl -p reloads that file so it takes effect immediately. Note that sed only uncomments an existing "#net.ipv4.ip_forward=1" (or "#net.ipv6.conf.all.forwarding=1") line; if your /etc/sysctl.conf does not contain that line, add it yourself before running sysctl -p.
NAT on Linux
Note
The templates and scripts used for deploying Connectors on Linux, IaaS, and Virtual Private Servers from the Administration Portal include the needed commands for NAT and IP forwarding by default.
Use the following commands on the command line:
sudo apt install iptables-persistent
IF=$(ip route | grep default | awk '{print $5}')
sudo iptables -t nat -A POSTROUTING -o $IF -j MASQUERADE
sudo iptables-save | sudo tee /etc/iptables/rules.v4
sudo ip6tables -t nat -A POSTROUTING -o $IF -j MASQUERADE
sudo ip6tables-save | sudo tee /etc/iptables/rules.v6
The iptables rule uses the NAT packet matching table (-t nat), appends to the built-in POSTROUTING chain (-A POSTROUTING), and matches packets leaving on the external network device (-o $IF). The variable IF stores the name of the default interface. POSTROUTING allows packets to be altered as they are leaving the Connector instance. The -j MASQUERADE target replaces the private source IP address of a node with the IP address assigned to the default interface. The iptables-save and ip6tables-save commands write the current rules to the files that iptables-persistent restores at boot, so the NAT rules survive a reboot.
The above is sufficient if you are fine with all traffic being NATted. However, if you need hosts on the network to distinguish between different WPC clients or Connectors, add "! -d xx.xx.xx.xx/xx" to the NAT rule, where xx.xx.xx.xx/xx is the target LAN subnet; otherwise traffic to that subnet will also be NATted. The example below shows how to use the iptables command so that NAT is not used if the destination is in the 10.10.0.0/16 subnet.
sudo iptables -t nat -A POSTROUTING -o $IF ! -d 10.10.0.0/16 -j MASQUERADE
If you change the rule on a Connector that was already set up, remove the old unrestricted MASQUERADE rule (iptables -t nat -D POSTROUTING -o $IF -j MASQUERADE) and run iptables-save again so the exclusion is persisted rather than only the original rule.
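The following is an added example for the NAT commands and the subnet exclusion described above; it is not the Connector deployment scripts' own code. It derives the egress interface from "ip route" output by looking for the "dev" keyword (the field-5 shortcut above breaks on routes such as "default dev ppp0 scope link"), adds the MASQUERADE rule only if it is not already present so re-running does not stack duplicates, and enables forwarding through a /etc/sysctl.d drop-in instead of editing /etc/sysctl.conf with sed. The APPLY_NAT and LAN_EXCLUDE variables, the drop-in file name and the sample route text are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original tutorial or the deployment scripts):
# an idempotent version of the forwarding and NAT setup.
# Assumptions: iptables/ip6tables and iptables-persistent are installed,
# APPLY_NAT=1 means "change the live system", and LAN_EXCLUDE optionally
# names the LAN subnet whose traffic must not be masqueraded.

# Print the interface of the first default route in `ip route` output ($1).
# Searching for the "dev" keyword is more robust than printing field 5,
# which only works when the route is shaped "default via <gw> dev <if> ...".
default_iface() {
    printf '%s\n' "$1" |
        awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Build the POSTROUTING rule specification: $1 = egress interface,
# $2 = optional destination subnet that must NOT be masqueraded.
nat_rule_args() {
    if [ -n "$2" ]; then
        printf '%s' "POSTROUTING -o $1 ! -d $2 -j MASQUERADE"
    else
        printf '%s' "POSTROUTING -o $1 -j MASQUERADE"
    fi
}

# Append the rule only if it is not already present (-C checks, -A appends),
# so running this again on an existing Connector does not add duplicates.
# $1 = iptables or ip6tables; remaining arguments as for nat_rule_args.
ensure_masquerade() {
    cmd=$1; shift
    args=$(nat_rule_args "$@")
    # $args is deliberately unquoted: it must be split into separate words.
    # shellcheck disable=SC2086
    $cmd -t nat -C $args 2>/dev/null || $cmd -t nat -A $args
}

# Enable IPv4 and IPv6 forwarding via a sysctl.d drop-in. Unlike the sed
# edit of /etc/sysctl.conf, this works even if the commented line is absent.
# The file name is an assumption for this example.
enable_forwarding() {
    printf 'net.ipv4.ip_forward=1\nnet.ipv6.conf.all.forwarding=1\n' \
        > /etc/sysctl.d/99-connector-forwarding.conf
    sysctl --system >/dev/null
}

# Only touch the live system when explicitly asked (run as root, APPLY_NAT=1).
if [ "${APPLY_NAT:-0}" = "1" ]; then
    IF=$(default_iface "$(ip route)")
    [ -n "$IF" ] || { echo "no default route found" >&2; exit 1; }
    enable_forwarding
    ensure_masquerade iptables "$IF" "${LAN_EXCLUDE:-}"
    ensure_masquerade ip6tables "$IF"
    # Persist the rules so iptables-persistent restores them at boot.
    iptables-save > /etc/iptables/rules.v4
    ip6tables-save > /etc/iptables/rules.v6
fi
```

Run it as root with APPLY_NAT=1 and, to keep the LAN un-NATted, LAN_EXCLUDE=10.10.0.0/16; without APPLY_NAT the file only defines the helper functions, so it can be sourced and checked on a machine where the firewall must not be touched. The -C/-A pattern matters on Connectors whose setup script may run more than once: every extra -A appends another identical rule, which is harmless for the first match but makes the ruleset confusing to audit and to clean up.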