Previous: , Up: IPv4 Network Address Translation   [Contents][Index]


1.8.3.2 Manual NAT

As root or superuser, run the following commands from a shell as required. $ext_if is the external (physical) network interface that traffic is NATed out of, and $int_if is the internal tap device created by the TME configuration. To find their names, use "ifconfig -a" or "ip addr show" and substitute them below.

Linux/IPTABLES NAT Configuration (tme-0.9)

  1. modprobe iptable_nat
  2. echo 1 > /proc/sys/net/ipv4/ip_forward
  3. iptables -F FORWARD (Optional; it flushes the FORWARD chain of the filter table to ensure that no existing rule blocks the NAT from working. You may or may not need this depending on your setup. If you omit this step and find that there are problems communicating with the external net, e.g., DNS is not working, this is probably why. This is the case, e.g., with the default iptables config on Fedora Linux.)
  4. iptables -t nat -A POSTROUTING -o $ext_if -j MASQUERADE
  5. iptables -A FORWARD -i $ext_if -o $int_if -m state --state RELATED,ESTABLISHED -j ACCEPT
  6. iptables -A FORWARD -i $int_if -o $ext_if -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

Be sure you know what you are doing here, or consult your nearest system administrator or guru. There’s a lot of documentation for IPTABLES available on the web and in manual pages. Unfortunately, IPTABLES does not have a public API with a stable interface for programming, although many have reported success with programming it using the undocumented API. But, this is just a very basic setup to get you going with connecting your TME instance to the Internet.
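The Linux steps above, as an added example that is not part of the TME manual: the two interface names are validated before they are interpolated into rule text, the rules are emitted in iptables-restore format so they can be reviewed and loaded atomically, and (going one step beyond the list above) an explicit DROP is appended so unsolicited traffic from $ext_if cannot reach the tap network. The function names and the use of iptables-restore --noflush are this example's own choices.

```shell
#!/bin/sh
# valid_ifname NAME: Linux interface names are at most 15 characters; we
# additionally restrict them to [A-Za-z0-9_.:-] so a bad value can never
# turn into rule syntax when it is substituted into a rule line.
valid_ifname() {
  case "$1" in
    ''|*[!A-Za-z0-9_.:-]*) return 1 ;;
  esac
  [ "${#1}" -le 15 ]
}

# nat_ruleset EXT_IF INT_IF: print the ruleset (iptables-restore syntax)
# on stdout; return 1 if either name is unusable or the two are the same.
nat_ruleset() {
  ext_if=$1; int_if=$2
  valid_ifname "$ext_if" && valid_ifname "$int_if" || return 1
  [ "$ext_if" != "$int_if" ] || return 1
  cat <<EOF
*nat
-A POSTROUTING -o $ext_if -j MASQUERADE
COMMIT
*filter
-A FORWARD -i $ext_if -o $int_if -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $int_if -o $ext_if -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $ext_if -o $int_if -j DROP
COMMIT
EOF
}

# apply_nat EXT_IF INT_IF: enable forwarding and load the ruleset (needs
# root). --noflush keeps rules already in the tables rather than replacing
# them, which is the opposite of the optional "iptables -F FORWARD" step.
apply_nat() {
  rules=$(nat_ruleset "$1" "$2") || { echo "bad interface name(s)" >&2; return 1; }
  modprobe iptable_nat
  echo 1 > /proc/sys/net/ipv4/ip_forward
  printf '%s\n' "$rules" | iptables-restore --noflush
}
```

Run "nat_ruleset eth0 tap0" first to inspect what would be loaded, then "apply_nat eth0 tap0" as root.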

BSD/PF NAT Configuration

  1. ({Free,DragonFly}BSD) kldload pf
  2. ({Open,Free,DragonFly}BSD) sysctl net.inet.ip.forwarding=1
     (NetBSD) sysctl -w net.inet.ip.forwarding=1
  3. pfctl -F rules (Optional depending on your setup. It simply flushes the rules to ensure that nothing gets blocked; it’s usually not required. If there are problems with communicating to the external net, this might be why.)
  4. ({Net,Free,DragonFly}BSD) echo "pass from $int_if:network to any keep state" | pfctl -f-
     (OpenBSD) echo "pass out on $ext_if from $int_if:network to any nat-to $ext_if" | pfctl -f-
  5. ({Net,Free,DragonFly}BSD) echo "nat on $ext_if from $int_if:network to any -> ($ext_if)" | pfctl -f-
  6. ({Net,Free,DragonFly}BSD) pfctl -e

Your mileage may vary; this is what worked for me, but you may have a different setup or different needs, so use your own discretion and consult whoever and whatever documentation is required. Again, there is much documentation on PF available. There are also other NAT solutions available on the BSDs, but this seems to be the most flexible and stable. It also has a stable ioctl API for programming the rules directly from a program. I’m also looking into using the new NPF facility in NetBSD, which seems to have an even nicer, functional programming API for direct integration into the tool.

Note that OpenBSD requires only two steps (2 & 4). Again, the goal here is to get the user up and running as quickly as possible with minimal fuss, so this is by no means a comprehensive way to do IP forwarding with NAT. Much documentation exists to assist you there, but hopefully we will have a minimal function built into the tool itself so that these steps no longer need to be done outside the tool.

After NAT is set up, make sure your routes are set correctly in your guests. In particular, make sure the default gateway is set to the IP address of the tap device. Also, if you want to access the external network or Internet, you will have to set up DNS. Usually, you fill in /etc/resolv.conf with a "nameserver xx.xx.xx.xx" line, where xx.xx.xx.xx is the IP address of the nameserver, usually the same one the host machine uses. This is normally done as part of installing or configuring the guest OS; refer to the guest OS documentation for more details. It is basically the same as setting it up for an internal network as specified by the TME configuration.
