NAT for use with OpenVPN
Phil Staub
phil at staub.us
Wed Nov 13 21:12:30 UTC 2019
On Wed, Nov 13, 2019 at 3:45 PM Phil Staub <phil at staub.us> wrote:
> I believe I'm getting close.
>
> I found a tutorial at
>
> https://www.howtoforge.com/nat_iptables
>
> ... that identifies a couple of rules to enable IP Forwarding and
> Masquerading:
>
> iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
> iptables --append FORWARD --in-interface eth1 -j ACCEPT
>
> This results in the following:
>
> # iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
>
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
> MASQUERADE all -- anywhere anywhere
> # iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> GUSTER tcp -- anywhere anywhere tcp dpt:80
> GUSTER tcp -- anywhere anywhere tcp dpt:443
> ACCEPT all -- anywhere anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain GUSTER (2 references)
> target prot opt source destination
> #
>
> I'm not sure about the ACCEPT rule. I think it might be too general, but I'll do some more research on that.
>
> I am now able to ping 8.8.8.8 from my phone, and I used 'whatismyip.com' to verify that it sees my router's public IP address.
>
> I also have a handle on where to put this so that it survives a router reboot.
>
> One of the comments in another tutorial I was reading says that the MASQUERADE rule is resource intensive, but if I understand it correctly, the only alternative would be to put a specific rule in place for each client. I don't think I want to do that.
>
> Comments?
>
> Phil
>
>
Update:
I don't think the second rule (--append FORWARD) is necessary. I removed
that rule and the client phone can still access the internet via my
router's IP (as indicated by 'whatismyip.com').
Also, I re-read the part about MASQUERADE and found out that it can be
replaced by SNAT if the public address is static. In my case, that's not
true. It has changed several times as my ISP makes changes to the system,
or when we have an outage.
So I'm going to see if I can add this rule to the startup and get it to
persist over a reboot.
Phil
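As an added example (not from this thread or the tutorial it cites), the following POSIX shell function generates the rule set discussed above, but with the FORWARD rule narrowed to the VPN subnet and to reply traffic instead of the blanket ACCEPT, and with SNAT chosen only when a static public address is supplied (MASQUERADE otherwise). Interface names (eth0, tun0), the 10.8.0.0/24 subnet and the 203.0.113.5 address are constructed values, not taken from the thread.

```shell
#!/bin/sh
# Added example: print the iptables commands for NAT between an OpenVPN
# tunnel interface and the WAN interface. Nothing is applied; pipe the
# output into sh as root to apply it. Interface names, subnet and the
# public address are assumptions for illustration.

# nat_rules WAN_IF VPN_IF VPN_SUBNET [STATIC_PUBLIC_IP]
nat_rules() {
    wan="$1"; vpn="$2"; subnet="$3"; pub="${4:-}"

    # 0. The kernel must be allowed to forward at all.
    echo "sysctl -w net.ipv4.ip_forward=1"

    # 1. Source NAT, restricted to packets from the VPN subnet leaving via WAN.
    #    MASQUERADE re-reads the interface address per connection, which is what
    #    a dynamic ISP address needs; SNAT is cheaper but only correct when the
    #    public address is static.
    if [ -n "$pub" ]; then
        echo "iptables -t nat -A POSTROUTING -s $subnet -o $wan -j SNAT --to-source $pub"
    else
        echo "iptables -t nat -A POSTROUTING -s $subnet -o $wan -j MASQUERADE"
    fi

    # 2. Forwarding: new connections only from VPN to WAN and only from the VPN
    #    subnet; from WAN back to VPN only replies to existing connections.
    echo "iptables -A FORWARD -i $vpn -o $wan -s $subnet -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $wan -o $vpn -d $subnet -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # 3. Everything else the router would otherwise forward is dropped, so a
    #    wide-open FORWARD chain cannot turn the router into a general relay.
    echo "iptables -P FORWARD DROP"
}

# Count generated rules that jump to a given target (used for checking output).
count_target() {
    grep -c -- "-j $1"
}

# Example invocation with constructed values (dynamic public address):
nat_rules eth0 tun0 10.8.0.0/24
```

To make the rules survive a reboot, save them with `iptables-save` and restore them from an init script or whatever persistence mechanism the router's firmware provides.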
_______________________________________________
>> freebsd-pf at freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-pf