# Copyright 2017 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
# Installed by the chromeos-nat-init ebuild.
# Human-readable summary and maintainer contact for this Upstart job.
description "Enables NAT and IP forwarding"
author "chromium-os-dev@chromium.org"
# Tie the job's lifetime to the system-services job: the pre-start script runs
# when system-services is starting, the post-stop script when it is stopping.
# No exec or main script stanza is visible in this file, so the job appears to
# exist only to apply and remove kernel and netfilter state.
start on starting system-services
stop on stopping system-services
pre-start script
  # Switch on IPv4 routing between interfaces. This is a host-wide kernel
  # setting, not limited to any one interface.
  sysctl net.ipv4.ip_forward=1

  # Forwarding is opted into per packet through firewall mark 1. A service
  # that depends on this job installs its own marking rule; for example, to
  # mark everything arriving on interface br0:
  #   iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1 -w
  #
  # NOTE(review): the rules below only ACCEPT. Unmarked new flows are kept
  # out only if the FORWARD chain's policy (or another rule) drops them,
  # and that is not configured in this file. Confirm where it is set.
  iptables --wait --append FORWARD --match mark --mark 1 --jump ACCEPT

  # Packets belonging to an already tracked connection (typically replies)
  # are accepted whether or not they carry the mark.
  iptables --wait --append FORWARD --match state \
    --state ESTABLISHED,RELATED --jump ACCEPT

  # Source-NAT marked traffic to the address of the interface it leaves on.
  iptables --wait --table nat --append POSTROUTING --match mark --mark 1 \
    --jump MASQUERADE
end script # pre-start
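post-stop script
  # Undo what pre-start installed: drop the three rules, then turn IPv4
  # forwarding back off.
  #
  # Upstart runs script stanzas with "sh -e", so the first failing command
  # ends the script. Each removal is therefore best-effort: a rule that is
  # already gone (for example after a partial pre-start, or because the chain
  # was flushed elsewhere) must not abort the rest of the cleanup and leave
  # the host forwarding packets.
  iptables -D FORWARD -m mark --mark 1 -j ACCEPT -w || true
  iptables -D FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT -w || true
  iptables -t nat -D POSTROUTING -m mark --mark 1 -j MASQUERADE -w || true

  # NOTE(review): forwarding is switched off unconditionally, whatever the
  # value was before this job started. Confirm that nothing else on the
  # system relies on net.ipv4.ip_forward staying at 1.
  sysctl net.ipv4.ip_forward=0
end script # post-stop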