Commit
Updated guide to forwarding traffic
Pavel Sklenar committed Dec 20, 2021
1 parent b2fe4d7 commit fc31381
Showing 1 changed file with 10 additions and 0 deletions.
10 changes: 10 additions & 0 deletions content/posts/extend-local-network-to-cloud-with-nebula/index.md
Expand Up @@ -45,6 +45,7 @@ sudo iptables -L -v -n | grep "Chain FORWARD"

If the previous command shows `policy ACCEPT`, you only need to add POSTROUTING rule:
```bash
# All traffic to local network will be hidden behind IP of the enp3s0 interface (similar to SNAT)
sudo iptables -t nat -A POSTROUTING -o nebula1 -j MASQUERADE
```

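Review bot: the comment added above the MASQUERADE rule in this hunk says the traffic is hidden behind the IP of `enp3s0`, but the rule it describes is `sudo iptables -t nat -A POSTROUTING -o nebula1 -j MASQUERADE`, which rewrites the source address of packets leaving through nebula1 to that interface's IP, not enp3s0's. One of the two is wrong: for traffic from the cloud server into the local network, the later hunk uses `sudo iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE` under the same comment, so either change the rule here to `-o enp3s0` or reword the comment to say nebula1.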
Expand All @@ -59,6 +60,7 @@ If the default `FORWARD` policy is `DENY`, you need to enable forward traffic be
```bash
sudo iptables -A FORWARD -i nebula1 -o enp3s0 -j ACCEPT
sudo iptables -A FORWARD -i enp3s0 -o nebula1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# All traffic to local network will be hidden behind IP of the enp3s0 interface (similar to SNAT)
sudo iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE
```
The previous commands enable any traffic from the cloud server to any IP in a local network.
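Review bot: `-m state --state ESTABLISHED,RELATED` on the second FORWARD rule is the legacy state match; `-m conntrack --ctstate ESTABLISHED,RELATED` is the current equivalent with otherwise identical syntax. It would also help readers to add a sentence noting that `-A` appends these rules after anything already in the FORWARD chain, so they should confirm with `sudo iptables -L FORWARD -v -n` that no earlier rule rejects the traffic before these are reached.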
Expand All @@ -67,6 +69,14 @@ To enable specific traffic from cloud server only, run instead of the first comm
# If you want to enable to call port 80 on IP 172.16.100.184 only
sudo iptables -A FORWARD -i nebula1 -p tcp -o enp3s0 -d 172.16.100.184 --dport 80 -j ACCEPT
```
If the default `FORWARD` policy is `DENY`, you need to enable ongoing forwarded traffic from the local network to the nebula network as well:
```bash
sudo iptables -A FORWARD -i enp3s0 -o nebula1 -j ACCEPT
sudo iptables -A FORWARD -i nebula1 -o enp3s0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Not needed, if run the following command, all traffic comes from any IP in the local network will be visible in nebula network as traffic from IP of the nebula1 interface
sudo iptables -t nat -A POSTROUTING -o nebula1 -j MASQUERADE
```

### Generate Nebula certificate
When generating Nebula certificate for local server, you need include `-subnets` argument with your local network CIDR, for example:
```bash
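Review bot: the first added rule, `sudo iptables -A FORWARD -i enp3s0 -o nebula1 -j ACCEPT`, lets every host on the local network reach every address in the nebula network, while the section just above shows how to narrow the opposite direction to a single host and port; the new text should either say that this wide scope is deliberate or show the narrowed form (a `-s`/`-d` restriction plus `--dport`) the way the previous section does. The second added rule, `-i nebula1 -o enp3s0 -m state --state ESTABLISHED,RELATED -j ACCEPT`, is redundant when the broader `-i nebula1 -o enp3s0 -j ACCEPT` from the previous section is already in place; harmless, but a note that only one of the two sets is needed would stop readers stacking both. Wording: "enable ongoing forwarded traffic" should read "enable outgoing forwarded traffic", and the comment "Not needed, if run the following command, all traffic comes from any IP in the local network will be visible ..." should become something like "Optional: if you run the following command, all traffic from any IP in the local network will appear in the nebula network as coming from the IP of the nebula1 interface".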

0 comments on commit fc31381