[systemd-devel] How to replace iptables nat rule in systemd networkd

cmp me at cmp.is
Thu Mar 14 13:58:19 UTC 2019


We have a bastion host at work which is like several others we have. It has OpenVPN and OpenSSH which we’re allowed to access. The machine acts as a gateway to access several other private subnets. It uses an iptables rule like this:

# %i is the tunnel interface name placeholder; the POSTROUTING rule must select the uplink with -o (output interface), since -i is not valid in that chain
iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE

Last night we set up a new host with WireGuard using systemd-networkd v241 and wanted to set up these masquerade rules, but we couldn’t actually figure out how to do them.

We stumbled across RouteRulePolicy, but I have a feeling we don’t really understand how to do what we did in iptables in iproute2, so we kept banging our heads and eventually I gave up and simply ran the iptables commands myself and it worked, but I’d like to actually do this correctly inside systemd networkd.

Is there anything someone can do to shed some light here or someone who has done this already? 
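As an added example (not from the original post or the systemd project), this is the systemd-networkd counterpart of the masquerade rule: IPMasquerade= in the [Network] section of the WireGuard interface's .network file, which makes networkd install a NAT rule for that interface's address range. The interface name wg0, the 10.8.0.0/24 tunnel subnet, the file names and the key placeholders are assumptions.

```ini
# /etc/systemd/network/50-wg0.netdev  (assumed file and interface name)
[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
ListenPort=51820
# Placeholder: base64 private key generated with `wg genkey`
PrivateKey=<WG_PRIVATE_KEY_PLACEHOLDER>

[WireGuardPeer]
PublicKey=<PEER_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs=10.8.0.2/32

# /etc/systemd/network/50-wg0.network  (assumed file name)
[Match]
Name=wg0

[Network]
# Tunnel-side address (assumed subnet). The masquerade rule networkd adds
# matches this subnet as the source, so the setting belongs on wg0,
# not on the uplink ens3 that the iptables -o ens3 rule named.
Address=10.8.0.1/24
# Forward between wg0 and the private subnets; IPMasquerade=yes already
# implies IPForward=ipv4, and in v241 it covers IPv4 only.
IPForward=yes
IPMasquerade=yes
```

networkd does not touch the filter table's FORWARD chain, so if the host's FORWARD policy is DROP the `-A FORWARD -i wg0 -j ACCEPT` rule (or its nftables equivalent) still has to come from the firewall configuration. The rule networkd installs is keyed on the tunnel subnet rather than on a specific outgoing interface, so it masquerades that subnet on every uplink, not just ens3.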

