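# Enable IPv4 forwarding at runtime (the /proc write is the legacy equivalent of the sysctl call).
#echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.ip_forward=1
# Make it persistent: keep a pristine copy of sysctl.conf, then add the key to the live file.
cp -pi /etc/sysctl.conf /etc/sysctl.conf.dist
vi /etc/sysctl.conf
# line to add to /etc/sysctl.conf (this is file content, not a command):
#   net.ipv4.ip_forward = 1
# reload the file so the setting applies now, not only after reboot
sysctl -p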
Also raise the ICMP error rate limit for a heavy-duty router:
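# `sysctl -w` takes key=value as ONE argument: with spaces around `=` the key, `=` and `100`
# become three separate arguments and the value is never applied.
# (The spaced `key = value` form is only valid inside /etc/sysctl.conf.)
sysctl -w net.ipv4.icmp_ratelimit=100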
and this hotfix
# /etc/sysctl.conf entry (the spaced `key = value` form is fine in the file); reload with `sysctl -p`
net.ipv4.conf.default.arp_filter = 1
If you already have firewall rules in place from the steps above, you first need to allow forwarding in the forward chain:
# NAT --> accept
# Forward chain fragment: goes inside the filter table set up earlier (not shown here).
chain forward {
# `policy accept` on the forward hook lets every routed packet through, in both directions,
# including unsolicited inbound traffic towards DNAT'ed hosts.
# Tighter alternative: `policy drop;` plus explicit accepts, e.g.
#   ct state established,related accept
#   iif LAN-INTERFACE ip saddr INTERNAL-CIDR accept    (placeholders, adjust to your setup)
type filter hook forward priority 0; policy accept;
}
Static front-facing address:
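# Static front-facing address: rewrite the source of LAN traffic leaving FACING-INTERFACE to FACING-IP.
# Placeholders: INTERNAL-CIDR (e.g. 192.168.122.0/24), FACING-INTERFACE (e.g. eth0), FACING-IP.
# The bare `table` line creates the table if it does not exist yet, so the flush below cannot fail.
table ip nat
flush table ip nat
table ip nat {
# SNAT
chain postrouting {
type nat hook postrouting priority srcnat;
# `snat to <addr>` is the documented form; a bare `snat <addr>` is older syntax.
ip saddr INTERNAL-CIDR oif FACING-INTERFACE snat to FACING-IP;
}
}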
— or — for a dynamic front-facing address:
# Dynamic front-facing address: masquerade uses whatever address the outgoing interface currently has.
define lan = 192.168.122.0/24
# Declaring the table first guarantees the flush has something to act on.
table ip nat
flush table ip nat
table ip nat {
# MASQ
chain postrouting {
type nat hook postrouting priority srcnat;
# LAN traffic bound for anything outside the LAN, leaving via either uplink.
# The `!=` keeps LAN-to-LAN traffic untouched even when both sides sit on one NIC.
ip saddr $lan ip daddr != $lan oif eth0 masquerade;
ip saddr $lan ip daddr != $lan oif wlan0 masquerade;
}
}
Note that the `ip daddr !=` negation may help if you only have a single NIC.
You can also specify more precisely which subnets to masquerade:
# Rule fragment for the postrouting chain above: masquerade just this subnet, and only on wlan0.
ip saddr 192.168.122.0/24 oif wlan0 masquerade
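# DNAT: send inbound TCP/80 arriving on the front-facing NIC to an internal host.
# Placeholders: FACING-INTERFACE (e.g. eth0), x.x.x.x = the internal host's address.
# `$nic` was used below without ever being defined; define it here.
define nic = FACING-INTERFACE
# NOTE: `flush table ip nat` wipes the WHOLE table, including the postrouting SNAT/masquerade
# chain from the snippets above. If you need both, put both chains in a single table definition.
table ip nat
flush table ip nat
table ip nat {
# DNAT
chain prerouting {
type nat hook prerouting priority dstnat;
# `dnat to <addr>` is the documented form; a bare `dnat <addr>` is older syntax.
# This exposes x.x.x.x:80 to everything reaching $nic; if your forward chain uses `policy drop`,
# add a matching accept there (e.g. `ip daddr x.x.x.x tcp dport 80 accept`) and nothing wider.
iif $nic tcp dport 80 dnat to x.x.x.x
# same, but to a different port on the internal host:
#iif $nic tcp dport 80 dnat to x.x.x.x:ALTERNATE-PORT
}
}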
A nice tool for a quick overview of NAT usage:
http://www.tweegy.nl/projects/netstat-nat/index.html
https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)
[FR] https://www.it-connect.fr/chapitres/configurer-le-nat-sous-nftables/
https://superuser.com/questions/985800/complete-masquerading-nat-example-using-nftables-on-linux
https://unix.stackexchange.com/questions/283275/how-to-do-masquerading-with-nftables
https://serverfault.com/questions/895611/nftables-dnat-forwarding-is-not-working-properly