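~~META: date created = 2017-04-01 09:00 ~~

====== Linux Packet Forwarding ======

===== Basic outgoing masquerading script =====

#!/bin/bash
# Source-NAT outbound traffic from an internal network behind this host's
# external IPv4 address, and allow that traffic through the FORWARD chain.
# Needs root. The rules live only in the running kernel: they are lost on
# reboot, and each run inserts another copy because -I does not check for an
# existing rule.
set -eu

network=192.168.3.0/24
ext_if=eth0

# awk splits on spaces and "/", so field 6 of an "inet" line is the address
# without its prefix length. "exit" stops at the first match so an interface
# carrying several addresses still yields a single value for --to-source.
ext_ip=$(ip address show "$ext_if" | awk -F "[ /]" '/inet / { print $6; exit }')

# An empty address would produce a malformed SNAT rule; stop before anything
# in the firewall or in /proc has been changed.
if [ -z "$ext_ip" ]; then
  echo "no IPv4 address found on $ext_if" >&2
  exit 1
fi

# Turn off forwarding while the rules are being installed. If a later command
# fails, set -e aborts the script and forwarding stays off.
echo 0 > /proc/sys/net/ipv4/ip_forward

# Create NAT rule
iptables -t nat -I POSTROUTING -s "$network" -o "$ext_if" -j SNAT --to-source "$ext_ip"

# Create FW rules to allow traffic
# NOTE(review): the first rule matches on source address alone, so it accepts
# any packet claiming an address in $network whichever interface it arrived
# on, and -I places it ahead of rules already in the chain. Binding it to the
# internal interface with -i <internal interface> narrows that.
# NOTE(review): these ACCEPT rules only restrict anything when the FORWARD
# policy (or a later rule) drops everything else; this script does not set
# the policy.
# NOTE(review): only ESTABLISHED is matched; RELATED traffic such as ICMP
# errors belonging to a tracked connection is not accepted here.
iptables -I FORWARD -s "$network" -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Turn on forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

===== Incoming port forwarding =====

#!/bin/bash
# Publish one TCP port of an internal host on the external interface (DNAT).
# Needs root.
set -eu

port=80
host=192.168.3.80
ext_if=eth0

# -i limits the rewrite to packets arriving on the external interface.
# Without it the rule matches every TCP packet to $port that reaches
# PREROUTING, so connections from internal clients to outside servers on that
# port would be redirected to $host as well.
# NOTE(review): DNAT only rewrites the destination. If the FORWARD chain drops
# by default, new connections to $host:$port still need an ACCEPT rule there.
iptables -t nat -A PREROUTING -i "$ext_if" -p tcp -m tcp --dport "$port" -j DNAT --to-destination "$host:$port"

{{tag>kb linux network iptables}}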