
I use netfilter-persistent to manage a firewall.

I would like to share a connection between two interfaces using masquerading (example, or another). When I run those operations by invoking iptables it works.

But if I try to update firewall rules stored in /etc/iptables/rules.v4 adding such a line:

-t nat -A POSTROUTING -o wlan0 -j MASQUERADE

Lines starting with -t make netfilter-persistent fail to run and the firewall is not updated:

Nov 16 11:51:32 helena systemd[1]: netfilter-persistent.service: Main process exited, code=exited, status=1/FAILURE
Nov 16 11:51:32 helena systemd[1]: Failed to start netfilter persistent configuration.

So I am wondering if it is possible to store this kind of rule with netfilter-persistent or

  • Is it a known limitation?
  • Is there a good reason why it cannot work?
  • Is there a hack to make it work?
0xC0000022L
jlandercy

1 Answer


You're probably adding a rule intended for the nat table in the filter table block suitable for iptables-restore, and with inappropriate syntax.

Until you know how to edit /etc/iptables/rules.v4 directly (by studying the output of iptables-save), you should do this instead:

  • be careful, since the rule will be applied immediately,
  • change the current running firewall rules with:

    iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
    
  • study the results: are they worth changing the configuration?

  • if worthy, ask netfilter-persistent to save the rules. It will in turn run iptables-persistent's plugins which will use iptables-save under the hood.

    netfilter-persistent save
    

You will notice that the new configuration file (a file suitable for use by iptables-restore) now has a block for the nat table with your rule (and without -t nat), separate from the filter table block.

A.B
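The answer's point is that rules.v4 is iptables-restore input, where a rule belongs to the `*table` block above it and `-t` is not file syntax. As an added example (not code from the post or from netfilter-persistent), here is a small linter for that file format, run over two constructed rule sets: one with the question's `-t nat` line inside the filter block, and one laid out the way `netfilter-persistent save` writes it.

```python
import re

# Constructed samples (not from the post). BROKEN reproduces the question's
# mistake; FIXED is how 'netfilter-persistent save' lays the same rule out.
BROKEN_RULES_V4 = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-t nat -A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
"""
FIXED_RULES_V4 = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
"""
TABLE_OPT = re.compile(r"(?:^|\s)(?:-t|--table)\s+(\S+)")  # CLI-only option

def lint_rules(text):
    """Return [(line_no, message)] for iptables-save style text; [] means clean."""
    problems, table, no = [], None, 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):              # '*filter', '*nat': opens a table block
            if table is not None:
                problems.append((no, f"*{table} block not closed by COMMIT"))
            table = line[1:]
        elif line == "COMMIT":                # closes the current table block
            if table is None:
                problems.append((no, "COMMIT outside any table block"))
            table = None
        elif table is None:
            problems.append((no, "rule outside any *table block"))
        elif TABLE_OPT.search(line):          # the question's '-t nat ...' line
            wanted = TABLE_OPT.search(line).group(1)
            problems.append((no, f"'-t {wanted}' is command-line syntax: put the "
                                 f"rule in a *{wanted} block and drop the -t option"))
        elif not line.startswith((":", "-A ", "-I ")):
            problems.append((no, f"unexpected line in *{table}: {line}"))
    if table is not None:
        problems.append((no, f"*{table} block missing final COMMIT"))
    return problems
```

On a host with iptables installed, `iptables-restore --test < /etc/iptables/rules.v4` is the authoritative check to run before restarting netfilter-persistent; the linter above only catches the structural mistakes discussed here.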
  • This has the added advantage that you've saved only a known good ruleset, so when you accidentally lock yourself out a reboot will restore the last working ruleset. – roaima Dec 23 '18 at 17:17
  • Yes, if the remote user thinks about reconnecting a 2nd time before saving and leaving. Sometimes the connection stays up only because of the conntrack stateful rule, and the next time gives a surprise. – A.B Dec 23 '18 at 17:37
  • I've occasionally set up a cron rule to erase the entire iptables ruleset after 10 minutes of a marker file having been last updated. Has conveniently saved me a number of times. – roaima Dec 23 '18 at 17:50