I recently upgraded f40->f42. Had issues (see my earlier thread) which I "fixed"...
While dealing with that other issue I found that while the server was working just fine, other machines (on a wired connection) still cannot access the internet.
After looking everywhere, and digging into my iptables rules and such, I discovered that NAT is not being set up.
I added a rule to my firewall script:

    iptables-legacy -t nat -A POSTROUTING -o eth1 -j MASQUERADE

eth0 is the local network, eth1 sees the internet. Things work now.
In f40 NAT was always being set up automatically. Is it a network manager issue?
One day I will learn how to set up firewall rules in the "new way".
On Fri, 2025-06-06 at 20:45 +1000, fedora@eyal.emu.id.au wrote:
After looking everywhere, and digging into my iptables rules and such, I discovered that NAT is not being set up.
I added a rule to my firewall script:

    iptables-legacy -t nat -A POSTROUTING -o eth1 -j MASQUERADE

eth0 is the local network, eth1 sees the internet. Things work now.
In f40 NAT was always being set up automatically. Is it a network manager issue?
So far as I'm aware, NAT has never been set up automatically, you always had to set it up in some way. When I had dial-up, I used to have a command somewhat like yours in my iptables firewall script, also with a command line to turn on IP forwarding.
Now, Network Manager has some options for sharing a connection. Though I find it far from straight-forward.
Instead of sharing out your connection with your internet service, you enable sharing on the interface facing the rest of your LAN. Which begs the question: What sets up the source parameters for the connection that it is sharing? Does it simply assume the /other/ connection? And what would happen if you had more than two real interfaces?
Previously, you'd have set up IP forwarding and NAT on the internet facing connection. *It* is the one that needs special adjustments for this role.
It also insists on setting up the shared connection with a different IP range than what I'd want to use, meaning I'd have to reconfigure everything else on my LAN (there's a new trend that NAT clients end up on a 192.168.42 or .43 or .44 subnet). And probably involves a bunfight with my existing DHCP server on the same machine.
This is supposed to tell you how to do it: https://fedoramagazine.org/internet-connection-sharing-networkmanager/
Tim:
So far as I'm aware, NAT has never been set up automatically, you always had to set it up in some way.
Joe Zeff:
If you really need NAT, you probably need a router, and that's one of the things they are good at.
In general, I'd agree it's the simplest way to do things. But, you can find that various affordable domestic routers are quite awful when it comes to features. Such as customising their DHCP server, doing name resolution for local hostnames, having a better DNS server than the ISP's, controlling port-forwarding in their NAT if you run servers. So, in my case I switch off those features and do them on my server.
I hadn't done NAT since I left the dial-up world for broadband. And yes it is normally a lot easier with a router (when it works). For the last few months I've been lumbered with using my mobile phone for my internet, USB tethering it to a PC, using it as a WiFi access point for other things. It's quite a pain.
I have messed with setting up NAT on the PC it's connected to, but there's always something that doesn't want to work with that. The MAC next to me is fine with it. A Fedora box elsewhere on the same LAN refuses to play ball.
On 7/6/25 09:23, Barry wrote:
On 6 Jun 2025, at 11:45, fedora@eyal.emu.id.au wrote:
eth0 is the local network, eth1 sees the internet.
You are aware that those names can swap which NIC they represent? To be reliable you can have the system use stable NIC naming.
Yes I know. The old ifcfg-ethX allows me to set the if name based on the MAC which always worked.
Barry
On 7/6/25 05:17, Tim wrote:
On Fri, 2025-06-06 at 20:45 +1000, fedora@eyal.emu.id.au wrote:
After looking everywhere, and digging into my iptables rules and such, I discovered that NAT is not being set up.
I added a rule to my firewall script:

    iptables-legacy -t nat -A POSTROUTING -o eth1 -j MASQUERADE

eth0 is the local network, eth1 sees the internet. Things work now.
In f40 NAT was always being set up automatically. Is it a network manager issue?
So far as I'm aware, NAT has never been set up automatically, you always had to set it up in some way. When I had dial-up, I used to have a command somewhat like yours in my iptables firewall script, also with a command line to turn on IP forwarding.
This was already in the commands set as it was already working until f40.
Now, Network Manager has some options for sharing a connection. Though I find it far from straight-forward.
Instead of sharing out your connection with your internet service, you enable sharing on the interface facing the rest of your LAN. Which begs the question: What sets up the source parameters for the connection that it is sharing? Does it simply assume the /other/ connection? And what would happen if you had more than two real interfaces?
Previously, you'd have set up IP forwarding and NAT on the internet facing connection. *It* is the one that needs special adjustments for this role.
It also insists on setting up the shared connection with a different IP range than what I'd want to use, meaning I'd have to reconfigure everything else on my LAN (there's a new trend that NAT clients end up on a 192.168.42 or .43 or .44 subnet). And probably involves a bunfight with my existing DHCP server on the same machine.
This is supposed to tell you how to do it: https://fedoramagazine.org/internet-connection-sharing-networkmanager/
Thanks, I will look at this. I expect this to be painful.
On 6/6/25 3:45 AM, fedora@eyal.emu.id.au wrote:
I recently upgraded f40->f42. Had issues (see my earlier thread) which I "fixed"...
While dealing with that other issue I found that while the server was working just fine, other machines (on a wired connection) still cannot access the internet.
After looking everywhere, and digging into my iptables rules and such, I discovered that NAT is not being set up.
I added a rule to my firewall script:

    iptables-legacy -t nat -A POSTROUTING -o eth1 -j MASQUERADE

eth0 is the local network, eth1 sees the internet. Things work now.
In f40 NAT was always being set up automatically. Is it a network manager issue?
One day I will learn how to set up firewall rules in the "new way".
I use a Fedora system as server/router/gateway/etc. I recently switched to using firewalld. It was a bit complicated but that's only because the network setup is complicated. For a simple gateway with two interfaces, use "firewall-config" to enable masquerading on the zone that's on the outgoing interface (probably should be the "public" zone) and in network manager, set the internal network interface to be "shared to other computers" as the IPv4 config.
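Added example, not part of any post in this thread: a shell check for the two gateway prerequisites discussed above (IP forwarding enabled, and a MASQUERADE rule bound to the internet-facing interface), run over constructed iptables-save output. The function names and the sample ruleset are made up for illustration; eth0/eth1 follow the thread's naming.

```shell
#!/bin/sh
# Constructed sample in iptables-save format (not taken from the thread).
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT'

# nat_masq_status WAN_IF  (hypothetical helper; reads iptables-save text on stdin)
#   ok          MASQUERADE rule in nat/POSTROUTING bound to "-o WAN_IF"
#   not-on-wan  MASQUERADE present, but with no -o or a different interface
#   missing     no MASQUERADE rule in nat/POSTROUTING
nat_masq_status() {
    awk -v wan="$1" '
        /^\*/ { table = $1; next }
        table == "*nat" && $1 == "-A" && $2 == "POSTROUTING" {
            masq = 0; scoped = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j" && $(i + 1) == "MASQUERADE") masq = 1
                if ($i == "-o" && $(i + 1) == wan) scoped = 1
            }
            if (masq && scoped) ok = 1
            else if (masq) loose = 1
        }
        END { print (ok ? "ok" : (loose ? "not-on-wan" : "missing")) }'
}

# forwarding_status VALUE  (VALUE = contents of /proc/sys/net/ipv4/ip_forward)
forwarding_status() {
    if [ "$1" = "1" ]; then echo ok; else echo disabled; fi
}

# On a live gateway (as root), feed real data instead of the sample:
#   iptables-legacy-save -t nat | nat_masq_status eth1
#   iptables-nft-save -t nat    | nat_masq_status eth1
#   forwarding_status "$(cat /proc/sys/net/ipv4/ip_forward)"
echo "masquerade on eth1: $(printf '%s\n' "$SAMPLE_RULES" | nat_masq_status eth1)"
echo "masquerade on eth0: $(printf '%s\n' "$SAMPLE_RULES" | nat_masq_status eth0)"
echo "forwarding (value 0): $(forwarding_status 0)"
```

A "not-on-wan" result is what you would see if the interface names swapped after a reboot, since the rule would then point at the LAN side. Rules installed by firewalld's nftables backend do not appear in either iptables-save variant; inspect those with `nft list ruleset`.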