1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798 |
- #!/bin/bash
- # external network
- : this is the address provided by Mediacom Cable
- : "173.29.124.66/21 brd 173.29.127.255"
- : "UPDATE on 2020 Dec 15th mediacom issued new lease before old expired
- 173.31.30.236/21 and the internet on the other computers went 'out'
- to fix it the nat needs to forward packets using the new address
- wes added a new rule for
- iptables -t nat -A POSTROUTING -o enp6s0 -j SNAT --to-source 173.31.30.236;
- then it did not work, but this is because there were two rule for the same thing
- iptables -t nat -L --line-numbers
- then look for the line number of the previous matching rule
- then delete it
- iptables -t nat -D POSTROUTING 1
- "
- # local network
- : this is a random number that matches the SurfBoard Modem
- : "local address inet 192.168.100.10/24"
- # Hardware
- : "ethernet adapter" "enp6s0 b8:70:f4:a6:62:e8"
- : "unused wifi adapter" "wlp7s0 92:01:0f:e1:90:20"
- # STEP 1
- : "# add network addresses computer" "
- ip addr add 192.168.100.10/24 dev enp6s0;
- ip addr add 173.29.124.66/21 dev enp6s0;
- "
- # STEP 2
- : "# add a route to the internet gateway" "
- ip route add default via 173.29.120.1 dev enp6s0;
- "
- # STEP 3
- : "# add NAT" "
- iptables -F; # this actually removes previous rules
- iptables -t nat -F;
- iptables -P INPUT ACCEPT;
- iptables -P OUTPUT ACCEPT;
- iptables -P FORWARD DROP;
- "
- # STEP 4
- : "# add the LAN side of NAT" "
- iptables -t nat -A POSTROUTING -o enp6s0 -j SNAT --to-source 173.29.124.66;
- iptables -A FORWARD -i enp6s0 -o enp6s0 -s 192.168.100.0/24 -j ACCEPT;
- iptables -A FORWARD -i enp6s0 -o enp6s0 -m state --state ESTABLISHED,RELATED -j ACCEPT;
- "
- # STEP 5
- : "# enable kernel forwarding module" "
- echo 1 >/proc/sys/net/ipv4/ip_forward;
- "
- # STEP 5.5
- : "# enable pptp for soheyl's Synology VPN" "
- ## probably needs conntrack installed....
- ## this adds conntection tracking to outbound Msft GRE (invalid tcp)
- ## packets and converts them into ESTABLISHED,RELATED
- iptables -t nat -A OUTPUT -p tcp --dport 1723 -j CT --helper pptp
- "
- ### TROUBLESHOOTING
- : "test if forwarding is enabled (1 is enabled, 0 not)" "
- sysctl net.ipv4.ip_forward
- "
- : "MS PPTP stuff" "
- ### [!] actually ignore this, use the instructions for pptp above ###
- # modprobe the following:
- # ip_nat_pptp -> alias for nf_nat_pptp
- # ip_conntrack_pptp (probably not needed loaded as dep for above)
- # ip_gre (probably not needed loaded as dep for above)
- # install conntrack software
- # sudo apt install conntrack
- # Kernel 4.7 and net.netfilter.nf_conntack_helper = 0 is default
- # someone decided that nf_conntrack_helper should not be enabled
- # edit /etc/sysctl.conf add:
- # net.netfilter.nf_conntrack_helper = 1
- # then reload: sysctl -p
- "
- : "MS PPTP part II" "
- it turns out that the nf_conntrack_helper module enables too many security issues
- and the consensus is to turn off the shotgun and instead enable security issues
- on a one-by-one basis, for PPTP:
- iptables -t raw -A OUTPUT -p tcp --dport 1723 -j CT --helper pptp
- "
|