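#!/bin/bash
#
# Home NAT router runbook.  One NIC (enp6s0) carries both the public cable
# address and the private LAN address; this host forwards and SNATs the
# LAN (192.168.100.0/24) out to the internet.
#
# This file is notes, not a program: every block below is a no-op (`:` with
# a quoted string) so that running the file does nothing, while each step
# can be read or pasted by hand.  The command blocks used to be bare quoted
# strings, which bash tried to run as a command name ("command not found").
#
# Nothing here is persistent: addresses, route, iptables rules and
# ip_forward are all lost on reboot and must be re-applied in order.

# external network
: "this is the address provided by Mediacom Cable"
: "173.29.124.66/21 brd 173.29.127.255"
: "UPDATE on 2020 Dec 15th mediacom issued new lease before old expired
   173.31.30.236/21 and the internet on the other computers went 'out'.
   To fix it the NAT needs to forward packets using the new address;
   wes added a new rule for
   iptables -t nat -A POSTROUTING -o enp6s0 -j SNAT --to-source 173.31.30.236;
   then it did not work, but this is because there were two rules for the
   same thing (the old SNAT rule was still first and still matched):
   iptables -t nat -L POSTROUTING -n --line-numbers
   then look for the line number of the previous matching rule and delete it
   iptables -t nat -D POSTROUTING 1
   Simpler: rerun STEP 3 (which flushes the nat table) and then STEP 4 with
   the new address, or replace the rule in place:
   iptables -t nat -R POSTROUTING 1 -o enp6s0 -j SNAT --to-source <NEW-LEASE-ADDRESS>
   Whenever the lease changes, STEP 1 and STEP 4 must be updated together.
   "

# local network
: "this is a random number that matches the SurfBoard Modem"
: "local address inet 192.168.100.10/24"

# Hardware
: "ethernet adapter" "enp6s0 b8:70:f4:a6:62:e8"
: "unused wifi adapter" "wlp7s0 92:01:0f:e1:90:20"

# STEP 1
: "# add network addresses computer"
: "
ip addr add 192.168.100.10/24 dev enp6s0;
ip addr add 173.29.124.66/21 dev enp6s0;
"
# The public address above must match the current lease (see the UPDATE
# note under 'external network') and the SNAT --to-source in STEP 4.

# STEP 2
: "# add a route to the internet gateway"
: "
ip route add default via 173.29.120.1 dev enp6s0;
"

# STEP 3
: "# add NAT"
: "
iptables -F; # this actually removes previous rules (filter table only)
iptables -t nat -F;
iptables -t raw -F; # the STEP 5.5 CT rule lives here; without this a re-run duplicates it
iptables -P INPUT ACCEPT;
iptables -P OUTPUT ACCEPT;
iptables -P FORWARD DROP;
"
# NOTE(review): INPUT ACCEPT means every service listening on this host is
# reachable from the public address as well as from the LAN.  If that is
# not intended, restrict INPUT to loopback, the LAN and established traffic
# (iptables -P INPUT DROP, then ACCEPT rules for -i lo, -s 192.168.100.0/24
# and -m state --state ESTABLISHED,RELATED); anything the host itself needs
# from the WAN side must then be allowed explicitly.

# STEP 4
: "# add the LAN side of NAT"
: "
iptables -t nat -A POSTROUTING -o enp6s0 -j SNAT --to-source 173.29.124.66;
iptables -A FORWARD -i enp6s0 -o enp6s0 -s 192.168.100.0/24 -j ACCEPT;
iptables -A FORWARD -i enp6s0 -o enp6s0 -m state --state ESTABLISHED,RELATED -j ACCEPT;
"
# LAN and WAN share enp6s0, so FORWARD can only tell them apart by source
# address: anything arriving on enp6s0 with a 192.168.100.x source is
# forwarded and SNATed.  The SNAT rule has no -s/-d restriction, so this
# host's own traffic to the modem's 192.168.100.x address is rewritten too;
# if modem access breaks, add '! -d 192.168.100.0/24' to that rule.
# MASQUERADE would avoid hard-coding the lease address, but it uses the
# interface's primary address, which here may be 192.168.100.10 rather than
# the public one, so SNAT with an explicit --to-source is used instead.

# STEP 5
: "# enable kernel forwarding module"
: "
echo 1 >/proc/sys/net/ipv4/ip_forward;
"
# Not persistent; to keep it across reboots add net.ipv4.ip_forward = 1 to
# /etc/sysctl.conf and reload with sysctl -p.

# STEP 5.5
: "# enable pptp for soheyl's Synology VPN"
: "
## probably needs conntrack installed....
## this adds connection tracking to the outbound PPTP control connection
## (tcp/1723) so that the GRE data packets, which conntrack would
## otherwise see as INVALID, are matched as ESTABLISHED,RELATED.
## The CT target is only valid in the raw table, so the earlier -t nat
## form of this rule cannot be loaded; this is the same rule as in
## 'MS PPTP part II' below.
iptables -t raw -A OUTPUT -p tcp --dport 1723 -j CT --helper pptp
"
# OUTPUT only sees packets generated by this host.  If the PPTP client is a
# LAN machine behind the NAT, its control connection passes through
# PREROUTING instead, so the rule needed there is
#   iptables -t raw -A PREROUTING -i enp6s0 -s 192.168.100.0/24 -p tcp --dport 1723 -j CT --helper pptp
# Either way the nf_conntrack_pptp / nf_nat_pptp modules must be loaded
# (see the module list under 'MS PPTP stuff').

### TROUBLESHOOTING
: "test if forwarding is enabled (1 is enabled, 0 not)"
: "
sysctl net.ipv4.ip_forward
"
: "list the current rules with their numbers (needed for -D / -R)"
: "
iptables -L -n -v --line-numbers
iptables -t nat -L -n -v --line-numbers
iptables -t raw -L -n -v --line-numbers
"

: "MS PPTP stuff"
: "
### [!] actually ignore this, use the instructions for pptp above
### (kept for history: it turns on helper auto-assignment for every
### connection, which is what 'MS PPTP part II' explains is unsafe)
# modprobe the following:
# ip_nat_pptp -> alias for nf_nat_pptp
# ip_conntrack_pptp (probably not needed loaded as dep for above)
# ip_gre (probably not needed loaded as dep for above)
# install conntrack software
# sudo apt install conntrack
# Kernel 4.7 and net.netfilter.nf_conntrack_helper = 0 is default
# someone decided that nf_conntrack_helper should not be enabled
# edit /etc/sysctl.conf add:
# net.netfilter.nf_conntrack_helper = 1
# then reload: sysctl -p
"

: "MS PPTP part II"
: "
it turns out that the nf_conntrack_helper sysctl enables too many
security issues (every loaded helper gets attached to any connection on
its port, and the expectations it creates can be abused to open holes
through the NAT) and the consensus is to turn off the shotgun and
instead enable helpers on a one-by-one basis, for PPTP:
iptables -t raw -A OUTPUT -p tcp --dport 1723 -j CT --helper pptp
"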