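# Enable IPv4 forwarding on the router.
# Defect fixed: the original collapsed the sysctl.conf *content* line
# ("net.ipv4.ip_forward = 1") into the command sequence, so running it as a
# script would try to execute it as a command; it is now given as the line to
# add in the editor step.

# Runtime switch - takes effect immediately, lost on reboot.
#echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.ip_forward=1

# Keep a pristine copy before editing (-p preserves mode/owner/timestamps,
# -i refuses to overwrite an existing backup).
cp -pi /etc/sysctl.conf /etc/sysctl.conf.dist

# Persist the setting: add this line to /etc/sysctl.conf
#   net.ipv4.ip_forward = 1
vi /etc/sysctl.conf

# Reload /etc/sysctl.conf so the persisted value is applied now as well.
sysctl -p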
Also increase the ICMP error rate for a heavy-duty router:
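# Let a busy router send ICMP error replies more often. The kernel treats
# icmp_ratelimit as the minimal spacing between ICMP responses (default 1000),
# so a lower value means more replies per second.
# Defect fixed: 'sysctl -w' takes key=value as ONE argument; with spaces
# around '=' it reads three separate keys and the value is never applied.
sysctl -w net.ipv4.icmp_ratelimit=100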
If you have firewalling rules in place from the sections above, you first need to allow forwarding:
# NAT --> accept
# Forward chain with an accept policy: every forwarded packet is let through,
# which is what the NAT rules below rely on. This fragment belongs inside the
# filter table from the earlier section (not shown here).
# NOTE(review): 'policy accept' forwards traffic in both directions for every
# subnet; if the router is also meant to filter, keep 'policy drop' and add
# explicit accept rules for the NAT'ed subnet and established traffic instead.
chain forward {
    type filter hook forward priority 0; policy accept;
}
Static front-facing address:
# SNAT
# Static front-facing address: rewrite the source of packets that leave
# INTERNAL-CIDR through FACING-INTERFACE to the fixed address FACING-IP.
define internal_net = INTERNAL-CIDR
define wan_if = FACING-INTERFACE
define wan_ip = FACING-IP

# Declare the table first (flushing a table that does not exist is an error),
# then flush it so re-loading this file with 'nft -f' starts from empty
# instead of appending duplicate rules.
table ip nat
flush table ip nat

table ip nat {
    chain postrouting {
        # priority 100 is the same value as the named 'srcnat' priority.
        type nat hook postrouting priority 100;
        ip saddr $internal_net oif $wan_if snat $wan_ip;
    }
}
– or – dynamic front-facing address:
# MASQ
# Dynamic front-facing address: masquerade (SNAT to whatever address the
# outgoing interface currently has) for LAN traffic leaving via eth0 or wlan0.
define lan = 192.168.122.0/24

# Declare, then flush: re-loading this file with 'nft -f' replaces the rules
# rather than adding a second copy of each.
table ip nat
flush table ip nat

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat;
        # 'ip daddr != $lan' keeps LAN-to-LAN traffic untouched, which matters
        # when one interface faces both sides (single-NIC case).
        ip saddr $lan ip daddr != $lan oif eth0 masquerade;
        ip saddr $lan ip daddr != $lan oif wlan0 masquerade;
    }
}
Note: the negation can help if you only have a single NIC.
You can also define the subnets you want to SNAT more precisely while masquerading:
# Narrower variant of the masquerade rule (goes inside the postrouting chain
# above): only this subnet, only via wlan0. Unlike the two-rule version there
# is no 'ip daddr !=' match, so LAN-to-LAN traffic leaving via wlan0 is
# masqueraded as well.
ip saddr 192.168.122.0/24 oif wlan0 masquerade
# DNAT
# Port-forward: TCP/80 arriving on $nic is rewritten to x.x.x.x (placeholder).
# Fragment of the nat table; $nic must be set beforehand with
# 'define nic = <interface>' (not shown here). The forwarded connection still
# has to pass the forward chain, hence the accept policy above.
# NOTE(review): the nftables wiki writes this as 'dnat to <addr>'; confirm the
# installed nft accepts the bare form used here.
chain prerouting {
    type nat hook prerouting priority dstnat;
    iif $nic tcp dport 80 dnat x.x.x.x;
    # Same, but deliver to a different port on the target host:
    #iif $nic tcp dport 80 dnat x.x.x.x:ALTERNATE-PORT;
}
A nice tool for a quick overview of NAT usage:
http://www.tweegy.nl/projects/netstat-nat/index.html
https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)
[FR] https://www.it-connect.fr/chapitres/configurer-le-nat-sous-nftables/
https://superuser.com/questions/985800/complete-masquerading-nat-example-using-nftables-on-linux
https://unix.stackexchange.com/questions/283275/how-to-do-masquerading-with-nftables
https://serverfault.com/questions/895611/nftables-dnat-forwarding-is-not-working-properly