My layout is:

My goal is to ping the Internet from eth0 through enp45s0 and wlo1.
The commands below work well in Ubuntu 18.04 and 22.04 but not in 20.04 (unable to ping the Internet, e.g. google.com, DNS).
$ sudo sysctl net.ipv4.ip_forward=1
$ sudo iptables --table nat --append POSTROUTING --out-interface wlo1 -j MASQUERADE
$ sudo iptables --append FORWARD --in-interface enp45s0 -j ACCEPT
Instead of using the commands above, I have to use the commands below to make it work in 20.04.
sudo sysctl net.ipv4.ip_forward=1
sudo iptables -F
sudo iptables -F -t nat
sudo iptables -A FORWARD -o wlo1 -i enp45s0 -s 192.168.1.10/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -t nat -F POSTROUTING
sudo iptables -t nat -A POSTROUTING -o wlo1 -j MASQUERADE
Could someone help me understand the reason why I have to make these changes?
Hi Doug Smythies,
I do not have 18.04 and 22.04 environments currently, so we may focus on the reason that the first set of commands is not working in 20.04. Please check the default iptables settings below.
---------------------------------------------
$ sudo iptables -xvnL
Chain INPUT (policy ACCEPT 357 packets, 265671 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 49 packets, 4116 bytes)
pkts bytes target prot opt in out source destination
49 4116 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
49 4116 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 370 packets, 36494 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
49 4116 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
49 4116 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
---------------------------------------------
sudo iptables -t nat -xvnL
Chain PREROUTING (policy ACCEPT 57 packets, 4958 bytes)
pkts bytes target prot opt in out source destination
1 254 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 1 packets, 254 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 68 packets, 5655 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 68 packets, 5655 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
---------------------------------------------
$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.223.114 0.0.0.0 UG 600 0 0 wlo1
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 enp45s0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
192.168.1.0 0.0.0.0 255.255.255.0 U 100 0 0 enp45s0
192.168.223.0 0.0.0.0 255.255.255.0 U 600 0 0 wlo1
---------------------------------------------
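Added example, not part of the original post: the listing above shows `Chain FORWARD (policy DROP ...)`, and the FORWARD chain is traversed by packets in both directions, so a rule set that only accepts packets entering on enp45s0 leaves the replies (in on wlo1, out on enp45s0) to the DROP policy. The sketch below walks `iptables -S FORWARD` text for one packet; `forward_verdict` is a hypothetical helper, and both rule lists are constructed from the listing and the two command sets in the post (the `-S` rendering is an assumption).

```shell
# Constructed input: FORWARD chain from the listing plus the first command set.
rules_first() { cat <<'EOF'
-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i enp45s0 -j ACCEPT
EOF
}
# Constructed input: after `iptables -F` (policy is not reset) plus the second set.
rules_second() { cat <<'EOF'
-P FORWARD DROP
-A FORWARD -s 192.168.1.0/24 -i enp45s0 -o wlo1 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}
# forward_verdict IN_IF OUT_IF CTSTATE   (rules on stdin, prints the verdict)
# Understands only -i, -o, --ctstate and "!"; other matches are ignored and
# jumps to user chains (DOCKER-*) are assumed to RETURN, as in the listing.
forward_verdict() {
    pkt_in=$1; pkt_out=$2; pkt_state=$3; policy=ACCEPT
    while read -r line; do
        set -f; set -- $line; set +f
        case "$1" in
            -P) policy=$3; continue ;;
            -A) shift 2 ;;
            *)  continue ;;
        esac
        match=1; neg=0; target=
        while [ $# -gt 0 ]; do
            case "$1" in
                '!') neg=1; shift; continue ;;
                -i) want=$pkt_in ;;
                -o) want=$pkt_out ;;
                --ctstate) want=$pkt_state ;;
                -j) target=$2; shift 2; continue ;;
                *)  shift; continue ;;
            esac
            case ",$2," in *",$want,"*) hit=1 ;; *) hit=0 ;; esac
            if [ "$hit" -eq "$neg" ]; then match=0; fi   # condition not met
            neg=0; shift 2
        done
        case "$match:$target" in
            1:ACCEPT|1:DROP|1:REJECT) echo "$target"; return 0 ;;
        esac
    done
    echo "$policy"   # no terminating rule matched: chain policy applies
}
```

On a live host the same check can be fed with `sudo iptables -S FORWARD | forward_verdict wlo1 enp45s0 ESTABLISHED`.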