====== Firewall configuration ======
===== Source NAT =====
First enable IPv4 packet forwarding by editing ''/etc/sysctl.conf'', uncomment (or add) the following line:
<code bash>
net.ipv4.ip_forward=1
</code>
Apply by ''sudo sysctl -p''

Then add the following lines to ''/etc/rc.local'' (so the rule is enabled on reboot):
<code bash>
# source NAT
# alter the source address of the packets from the internal network
Ext_IF="eth0"
Ext_IP="1.1.1.1"
Int_IF="eth1"
Int_Net="192.168.1.0/24"
iptables -t nat -A POSTROUTING -s $Int_Net -o $Ext_IF -j SNAT --to-source $Ext_IP
iptables -A FORWARD -s $Int_Net -o $Ext_IF -j ACCEPT
iptables -A FORWARD -d $Int_Net -i $Int_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
</code>

===== Destination NAT =====
<code bash>
# destination NAT
# forward ssh to Int_IP if the external IP Ext_IP_2 was used 
Ext_IP_2="1.1.1.2"
Int_IP="192.168.1.2"
iptables -t nat -I PREROUTING -p tcp -d $Ext_IP_2 --dport 22 -j DNAT --to-destination $Int_IP:22
iptables -A FORWARD -i $Ext_IF -o $Int_IF -p tcp --dport 22 -j ACCEPT
</code>



===== Monitoring =====
<code bash>
sudo iptables -t nat -L
</code>



===== References =====
  * [[https://help.ubuntu.com/10.04/serverguide/C/firewall.html]]
  * [[https://www.networkreverse.com/2020/06/how-to-build-linux-router-with-ubuntu.html]]