
use systemctl to autostart an iptables nat-router at boot

In this example we use /etc/iptables/iptables.sh, a script to transform a host with two network cards into a NAT-router.
 

  1. our network config
     
    $ cat /etc/network/interfaces
    # interfaces(5) file used by ifup(8) and ifdown(8)
    auto lo
    iface lo inet loopback
     
    ### the outside interface
    auto enp0s3
    iface enp0s3 inet static
    address 192.168.5.101
    netmask 24
    gateway 192.168.5.1
    dns-nameservers 8.8.8.8
     
    ### the private inside interface
    auto enp0s8
    iface enp0s8 inet static
    address 192.168.0.101
    netmask 24
    #enp0s3    Link encap:Ethernet  HWaddr 08:00:27:1c:e9:21  
    #          inet addr:192.168.5.101  Bcast:192.168.5.255  Mask:255.255.255.0
    #enp0s8    Link encap:Ethernet  HWaddr 08:00:27:db:24:9d  
    #          inet addr:192.168.0.101  Bcast:192.168.0.255  Mask:255.255.255.0

     

  2. the iptables script: router-on
     
    $ cat /etc/iptables/iptables.sh
    #!/bin/sh
    #
    #  ip masquerading with a protected router
    #
    #  bvdb (29/5/2008 - 2017)
    #
    #############################################
     
    # configure this machine as a router with IPv4 forwarding enabled
    #
    echo 1 > /proc/sys/net/ipv4/ip_forward
     
    ### Clear iptables
    ###
     
    # flush iptables and delete non standard chains
    #
    iptables -vF
    iptables -vX
     
    # flush nat-tables and non standard nat chains
    iptables -vt nat -F
    iptables -vt nat -X
     
    ## The mangle table is used to alter packet headers, e.g. the IP
    ## type-of-service (QoS) bits, before routing occurs
     
    # flush mangle-tables and non standard mangle chains
    iptables -vt mangle -F
    iptables -vt mangle -X
     
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
     
    ### implement NAT routing
    ###
     
    ## the real thing: NAT routing - enp0s3 is on your outside and unprotected
    #  network, in our case the static ip-address is 192.168.5.101 (outside address)
    #
    iptables -vt nat -A POSTROUTING -o enp0s3 -j SNAT --to 192.168.5.101
     
     
    ### PRINT iptables configuration
    ###
    iptables -n -L
    iptables -t nat -L
    echo "routing set: " `cat /proc/sys/net/ipv4/ip_forward`

     

  3. create a unit-service-file in systemd
     
    $ sudo vim /etc/systemd/system/iptables-test.service
    [Unit]
    Description=start up iptables-test
     
    [Service]
    # values are not quoted in unit files; a script that exits leaves a
    # Type=simple unit "inactive (dead)" (see step 4), which is expected here
    Type=simple
    ExecStart=/etc/iptables/iptables.sh
     
    [Install]
    WantedBy=multi-user.target

     

  4. enable and start the service
     
    enable:
    $ sudo systemctl enable iptables-test.service
    Created symlink from /etc/systemd/system/multi-user.target.wants/iptables-test.service to /etc/systemd/system/iptables-test.service.
     
    start:
    $ sudo systemctl start iptables-test.service
     
    check:
    $ sudo systemctl status iptables-test.service
    ● iptables-test.service - "start up iptables-test"
    Loaded: loaded (/etc/systemd/system/iptables-test.service; enabled; vendor pr
    Active: inactive (dead) since Tue 2017-05-09 11:54:33 CEST; 9s ago
    Process: 2633 ExecStart=/etc/iptables/iptables.sh (code=exited, status=0/SUCCE
    Main PID: 2633 (code=exited, status=0/SUCCESS)
     
    May 09 11:54:33 mint18-00 iptables.sh[2633]: Chain PREROUTING (policy ACCEPT)
    May 09 11:54:33 mint18-00 iptables.sh[2633]: target     prot opt source         
    May 09 11:54:33 mint18-00 iptables.sh[2633]: Chain INPUT (policy ACCEPT)
    May 09 11:54:33 mint18-00 iptables.sh[2633]: target     prot opt source         
    May 09 11:54:33 mint18-00 iptables.sh[2633]: Chain OUTPUT (policy ACCEPT)
    May 09 11:54:33 mint18-00 iptables.sh[2633]: target     prot opt source         
    May 09 11:54:33 mint18-00 iptables.sh[2633]: Chain POSTROUTING (policy ACCEPT)
    May 09 11:54:33 mint18-00 iptables.sh[2633]: target     prot opt source         
    May 09 11:54:33 mint18-00 iptables.sh[2633]: SNAT       all  --  anywhere       
    May 09 11:54:33 mint18-00 iptables.sh[2633]: routing set:  1

     
    doublecheck:
    $ sudo iptables -L -t nat

    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination         
     
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
     
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
     
    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination         
    SNAT       all  --  anywhere             anywhere             to:192.168.5.101

     

  5. restart your machine to test service at startup ...
     
    do a system restart, and test:
     
    check:
    $ sudo systemctl status iptables-test.service

    doublecheck:
    $ sudo iptables -L -t nat
     

  6. if it doesn't work ..
     
    • systemctl status can be interesting
    • /var/log/syslog is often an answer
    • check for syntax errors in the service file
    • does your script work when executed directly with sudo?
    • did you chmod +x your script iptables.sh?
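A small verification script for the router state that steps 4 to 6 check by hand, added here as an example and not part of the original page; it assumes the interface name enp0s3 and the outside address 192.168.5.101 from step 1, and reads `iptables-save` output (which the page itself does not use) so it can also run on a captured dump:

```shell
#!/bin/sh
# check_nat.sh - verify the NAT-router state from steps 1-5 (added example,
# not the page's script). It takes the ip_forward value and the text of
# `iptables-save` as arguments, so it can also run offline on a captured dump.

WAN_IF="enp0s3"          # assumed: outside interface from step 1
WAN_IP="192.168.5.101"   # assumed: outside address from step 1

# check_nat IP_FORWARD_VALUE IPTABLES_SAVE_TEXT
# Prints one line per finding; returns 0 when NAT is set up, 1 otherwise.
check_nat() {
  fwd="$1"; dump="$2"; rc=0
  if [ "$fwd" != "1" ]; then
    echo "FAIL: net.ipv4.ip_forward is '$fwd', expected 1"; rc=1
  fi
  # iptables-save renders the page's rule as
  # "-A POSTROUTING -o enp0s3 -j SNAT --to-source 192.168.5.101"
  if printf '%s\n' "$dump" | grep -qF -- "-A POSTROUTING -o $WAN_IF -j SNAT --to-source $WAN_IP"; then
    echo "OK: SNAT to $WAN_IP on $WAN_IF is present"
  else
    echo "FAIL: no SNAT rule for $WAN_IF -> $WAN_IP"; rc=1
  fi
  # Caveat: the page's script sets the FORWARD policy to ACCEPT, so the box
  # forwards every packet in both directions. Warn rather than fail, so the
  # operator can decide whether to restrict forwarding.
  if printf '%s\n' "$dump" | grep -q '^:FORWARD ACCEPT'; then
    echo "WARN: filter FORWARD policy is ACCEPT; all forwarded traffic is allowed"
  fi
  return "$rc"
}

# Constructed sample of `iptables-save` output after the page's script has run.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o enp0s3 -j SNAT --to-source 192.168.5.101
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Offline run on the sample; on the router itself use (as root):
#   check_nat "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables-save)"
check_nat 1 "$SAMPLE_DUMP"
```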