[systemd-devel] How to replace iptables nat rule in systemd networkd

Mantas Mikulėnas grawity at gmail.com
Thu Mar 14 14:33:29 UTC 2019


On Thu, Mar 14, 2019 at 3:58 PM cmp <me at cmp.is> wrote:

> We have a bastion host at work which is like several others we have. It
> has OpenVPN and OpenSSH which we’re allowed to access. The machine acts as
> a gateway to access several other private subnets. It uses an iptables rule
> like this
>
> # %i is wg-quick's PostUp placeholder for the tunnel interface name
> iptables -A FORWARD -i %i -j ACCEPT
> # nat POSTROUTING matches on the outgoing interface (-o), not -i
> iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
>
> Last night we set up a new host with WireGuard using systemd-networkd v241
> and wanted to set up these masquerade rules, but we couldn’t actually figure
> out how to do them.
>
> We stumbled across RouteRulePolicy, but I have a feeling it’s that we don’t
> really understand how to do what we did in iptables in iproute2, so we kept
> banging our heads and eventually I gave up and simply ran the iptables
> commands myself and it worked, but I’d like to actually do this correctly
> inside systemd networkd.
>

Policy routing rules are not firewall rules.

You can enable masquerading using IPMasquerade=yes in ens3.network, but
that's the only iptables feature that networkd ever configures. It does not
support adding arbitrary iptables rules.

-- 
Mantas Mikulėnas
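The following is an added example, not part of either message above, showing the networkd files that take over the poster's two iptables commands. The interface name wg0, the 10.8.0.0/24 tunnel range, the listen port, the peer address and the key placeholders are assumptions. Two caveats before copying it. First, the networkd.network(5) description of IPMasquerade= says it applies to packets forwarded from the interface it is set on, and networkd builds the MASQUERADE rule from that interface's configured address prefix, so the example sets it in the WireGuard interface's .network file. Second, networkd installs only that nat rule; it adds nothing to the filter table's FORWARD chain, so a host whose FORWARD policy is DROP still needs the ACCEPT rule from a real firewall tool (nftables, iptables, or a PostUp hook).

```ini
# /etc/systemd/network/50-wg0.netdev
# Added example; names and values are assumed. This file holds the private
# key, so own it root:systemd-network with mode 0640. systemd ignores only
# whole-line comments, so nothing trails a value on the same line below.
[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
# base64 output of `wg genkey`; v241 reads the key inline via PrivateKey=
PrivateKey=REPLACE_WITH_BASE64_PRIVATE_KEY
ListenPort=51820

[WireGuardPeer]
# one client; add a section per peer
PublicKey=REPLACE_WITH_PEER_PUBLIC_KEY
AllowedIPs=10.8.0.2/32

# /etc/systemd/network/50-wg0.network
[Match]
Name=wg0

[Network]
Address=10.8.0.1/24
# IPMasquerade=yes implies IPForward=ipv4 and makes networkd add
#   -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
# v241 takes a boolean here; later releases also accept ipv4/ipv6/both.
IPMasquerade=yes

# /etc/systemd/network/20-ens3.network
# The uplink needs no masquerade setting of its own; the forwarding sysctl
# turned on by wg0.network is global and is never turned off again.
[Match]
Name=ens3

[Network]
DHCP=ipv4
```

After `systemctl restart systemd-networkd`, `iptables -t nat -S POSTROUTING` should list a `-s 10.8.0.0/24 -j MASQUERADE` rule and `sysctl net.ipv4.ip_forward` should report 1; if the rule shows a different source prefix, IPMasquerade= landed in the wrong .network file.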