From 212f9b6f9dfb973ad545577a9fd9b3823d1c9f94 Mon Sep 17 00:00:00 2001 From: Datong Sun Date: Mon, 20 Sep 2021 04:15:55 -0700 Subject: [PATCH] docs(readme) add iptables config guide --- README.md | 45 +++++++++++++++++++++++++++++++++++++-------- 1 file changed, 37 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 6a2f3ec..4710581 100644 --- a/README.md +++ b/README.md @@ -9,12 +9,16 @@ Table of Contents * [Latest release](#latest-release) * [Overview](#overview) * [Usage](#usage) - * [Enable Kernel IP forwarding](#enable-kernel-ip-forwarding) - * [Add required firewall rules (using nftables as an example)](#add-required-firewall-rules-using-nftables-as-an-example) + * [1. Enable Kernel IP forwarding](#1-enable-kernel-ip-forwarding) + * [2. Add required firewall rules](#2-add-required-firewall-rules) * [Client](#client) + * [Using nftables](#using-nftables) + * [Using iptables](#using-iptables) * [Server](#server) - * [Run Phantun binaries as non-root (Optional)](#run-phantun-binaries-as-non-root-optional) - * [Start](#start) + * [Using nftables](#using-nftables) + * [Using iptables](#using-iptables) + * [3. Run Phantun binaries as non-root (Optional)](#3-run-phantun-binaries-as-non-root-optional) + * [4. Start Phantun daemon](#4-start-phantun-daemon) * [Server](#server) * [Client](#client) * [MTU overhead](#mtu-overhead) @@ -58,13 +62,14 @@ NIC address and Phantun's TUN interface address. [Back to TOC](#table-of-contents) -## Enable Kernel IP forwarding +## 1. Enable Kernel IP forwarding Edit `/etc/sysctl.conf`, add `net.ipv4.ip_forward=1` and run `sudo sysctl -p /etc/sysctl.conf`. [Back to TOC](#table-of-contents) -## Add required firewall rules (using nftables as an example) +## 2. Add required firewall rules + ### Client 
@@ -73,6 +78,10 @@ one that can be used on the physical network. This can be done simply with masqu Note: change `eth0` to whatever actual physical interface name is +[Back to TOC](#table-of-contents) + +#### Using nftables + ``` table inet nat { chain postrouting { @@ -84,6 +93,14 @@ table inet nat { [Back to TOC](#table-of-contents) +#### Using iptables + +``` +iptables -t nat -A POSTROUTING -i tun0 -o eth0 -j MASQUERADE +``` + +[Back to TOC](#table-of-contents) + ### Server Server needs to DNAT the TCP listening port to Phantun's TUN interface address. @@ -91,6 +108,10 @@ Server needs to DNAT the TCP listening port to Phantun's TUN interface address. Note: change `eth0` to whatever actual physical interface name is and `4567` to actual TCP port number used by Phanton server +[Back to TOC](#table-of-contents) + +#### Using nftables + ``` table ip nat { chain prerouting { @@ -102,7 +123,15 @@ table ip nat { [Back to TOC](#table-of-contents) -## Run Phantun binaries as non-root (Optional) +#### Using iptables + +``` +iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 4567 -j DNAT --to-destination 192.168.201.2 +``` + +[Back to TOC](#table-of-contents) + +## 3. Run Phantun binaries as non-root (Optional) It is ill-advised to run network facing applications as root user. Phantun can be run fully as non-root user with the `cap_net_admin` capability. @@ -115,7 +144,7 @@ sudo setcap cap_net_admin=+pe phantun_client [Back to TOC](#table-of-contents) -## Start +## 4. Start Phantun daemon ### Server
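Review bot: In the Table of Contents hunk, the two "Using nftables" / "Using iptables" entries under Client and the two under Server all point at `#using-nftables` and `#using-iptables`, so the Server links resolve to the Client sections. Renderers that slugify headings (GitHub's among them) disambiguate repeated headings with a numeric suffix, so the Server entries should link to `#using-nftables-1` and `#using-iptables-1`; the pre-existing duplicate `[Server](#server)` / `[Client](#client)` entries under "4. Start Phantun daemon" have the same problem and could be fixed while here.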
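Review bot: The new client rule `iptables -t nat -A POSTROUTING -i tun0 -o eth0 -j MASQUERADE` will be rejected at load time: the `-i` (input interface) match is not permitted in the POSTROUTING chain, and iptables reports "Can't use -i with POSTROUTING". Select the traffic by its source instead, keeping only the output interface, e.g. `iptables -t nat -A POSTROUTING -s <phantun TUN address or subnet> -o eth0 -j MASQUERADE`, so that only packets originating from the TUN interface are masqueraded rather than everything leaving `eth0`.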
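Review bot: The context line above the new "#### Using nftables" heading in the Server section still reads "Phanton server"; since this patch already touches the surrounding lines, fix the typo to "Phantun server".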
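Review bot: The new server rule `iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 4567 -j DNAT --to-destination 192.168.201.2` hard-codes the TUN interface address, but the note a few lines earlier only tells the reader to adjust `eth0` and `4567`. Add the address to that note (it is the Phantun TUN interface address, which varies per deployment), or mark it as a placeholder in the command, so a copy-paste of the rule does not DNAT the listening port to the wrong host. Also worth stating that this rule, like the `table ip nat` nftables example, covers IPv4 only.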