Centos Gateway

Posted: 22 Dec 2016, 09:42
by tigernet
We're trying to build a Centos Gateway for our cloud host server. This is actually easier than I first thought with iptables, using the following command to set up NAT masquerading:
/sbin/iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
Having already set up IP forwarding, this command pretty much allows the guests to use the Centos Gateway to connect to the Internet and works well.
We would like to use CSF instead of iptables since we are not iptables "experts" and prefer the CSF GUI. Apparently, from what I've read, we should use csfpre.sh and/or csfpost.sh to achieve this. Using the full path /sbin/iptables.... in csfpre.sh or csfpost.sh we can run the above command with CSF, and MASQUERADE appears in the POSTROUTING section the same as with iptables.

However, the NAT gateway no longer works with CSF. Does anybody know how to correct this issue?

Is there a better way to do this with CSF?

Re: Centos Gateway

Posted: 03 Jan 2017, 09:54
by tigernet
Turns out all we had to do was include the following in csfpost.sh (or csfpre.sh) for the gateway to work for our internal guest VMs.
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

However, we are also using the gateway for IPSEC VPNs with libreswan, and this has also stopped working after installing CSF. What little documentation there is for libreswan and iptables seems to suggest we need to do one of the following:
1. /sbin/iptables -t nat -I POSTROUTING -s 192.168.XXX.0/24 -d 192.168.YYY.0/24 -j RETURN # for local and remote subnets or
2. /sbin/iptables -A FORWARD -i 192.168.XXX.0/24 -o 192.168.YYY.0/24 -j ACCEPT # an error is returned or
3. /sbin/iptables -t nat -A POSTROUTING -s 192.168.XXX.0/24 -d 192.168.YYY.0/24 -j MASQUERADE # for local and remote subnets

None of these options work.
Option 1, the RETURN rule, seems the most likely; apparently this is supposed to prevent the IPSEC traffic being NATed again.

However, libreswan seems to work fine before CSF is installed with a simple set-up of iptables.

Any assistance greatly appreciated.
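The two posts above describe one procedure in pieces: enable forwarding, MASQUERADE in nat/POSTROUTING, allow RELATED,ESTABLISHED in FORWARD, and exempt the IPsec subnets from NAT. The script below is an added example that puts all of it into a single csfpost.sh; it is not the poster's script and not part of CSF or libreswan. The interface name (eth0) and the two subnets (192.168.10.0/24 for the guest LAN, 192.168.20.0/24 for the remote IPsec subnet) are assumptions standing in for the thread's 192.168.XXX/YYY. It uses the poster's option 1 (a RETURN rule in nat/POSTROUTING) and makes sure that rule is placed ahead of MASQUERADE: because POSTROUTING is evaluated top to bottom and MASQUERADE is a terminating target, an exemption appended after it is never consulted, and the tunnel traffic is SNATed before the IPsec policy lookup, no longer matches the tunnel's selectors, and leaves in the clear. The thread does not say whether that ordering was the poster's problem, so the script also includes a small checker, nat_order_ok, that reads `iptables-save` output and confirms the exemption precedes MASQUERADE once CSF has rebuilt its rules.

```shell
#!/bin/sh
# /etc/csf/csfpost.sh for a CentOS NAT gateway that also terminates libreswan
# IPsec tunnels. Added example for this thread: not the poster's script and not
# part of CSF. The values below are assumptions, not taken from the thread:
# WAN interface eth0, guest LAN 192.168.10.0/24, remote IPsec subnet 192.168.20.0/24.
# CSF flushes and rebuilds its chains on every restart and runs csfpost.sh
# afterwards, so rules kept here survive "csf -r"; rules typed at a shell do not.
set -eu

IPTABLES=${IPTABLES:-/sbin/iptables}
WAN_IF=${WAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.10.0/24}
VPN_NET=${VPN_NET:-192.168.20.0/24}
DRY_RUN=${DRY_RUN:-0}   # DRY_RUN=1 prints the iptables commands instead of running them

# Run (or, in a dry run, print) one iptables command.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s' "$IPTABLES"; printf ' %s' "$@"; printf '\n'
    else
        "$IPTABLES" "$@"
    fi
}

apply_gateway_rules() {
    # Without kernel forwarding none of the FORWARD rules matter. Put
    # "net.ipv4.ip_forward = 1" in /etc/sysctl.d/ as well so it survives a reboot.
    [ "$DRY_RUN" = 1 ] || sysctl -q -w net.ipv4.ip_forward=1

    # FORWARD: CSF filters this chain too (the poster's NAT only worked once the
    # RELATED,ESTABLISHED rule was added), so allow exactly what the gateway carries.
    ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT   # replies to guest connections
    ipt -A FORWARD -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT             # guests -> Internet
    # Guest LAN <-> remote IPsec subnet, both directions. -s/-d take subnets;
    # -i/-o take interface names, which is why "-i 192.168.x.0/24" is rejected.
    ipt -A FORWARD -s "$LAN_NET" -d "$VPN_NET" -j ACCEPT
    ipt -A FORWARD -s "$VPN_NET" -d "$LAN_NET" -j ACCEPT

    # nat/POSTROUTING: the IPsec exemption MUST precede MASQUERADE. Rules are
    # tried in order and MASQUERADE is terminating, so an exemption appended
    # (-A) after it is never reached; -I ... 1 puts it at the top regardless of
    # what CSF already placed in the nat table.
    ipt -t nat -I POSTROUTING 1 -s "$LAN_NET" -d "$VPN_NET" -j RETURN
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Check the ordering on the live box or on a saved dump:
#   iptables-save | nat_order_ok && echo "exemption precedes MASQUERADE"
# Returns 0 when, in the nat table, a RETURN/ACCEPT rule for the VPN subnet
# appears in POSTROUTING before any MASQUERADE rule; 1 otherwise.
nat_order_ok() {
    awk -v vpn="$VPN_NET" '
        /^\*/ { table = substr($0, 2) }                 # "*nat", "*filter", ...
        table == "nat" && /^-A POSTROUTING / {
            if (index($0, "-d " vpn) && $0 ~ /-j (RETURN|ACCEPT)/) exempt = 1
            if ($0 ~ /-j MASQUERADE/ && !exempt) exit 1   # MASQUERADE reached first
        }
        END { if (exempt) exit 0; exit 1 }
    '
}

# CSF executes this file by path, so apply only when running as csfpost.sh;
# sourcing it for a dry run or a check leaves the live rules alone.
case "$0" in
    */csfpost.sh|csfpost.sh) apply_gateway_rules ;;
esac
```

To preview what CSF will install without touching the kernel, run `DRY_RUN=1 sh /etc/csf/csfpost.sh` after adding a call to apply_gateway_rules, or source the file and call the function; after `csf -r`, `iptables-save | nat_order_ok` tells you whether the exemption survived in the right position. A subnet-independent alternative to the RETURN rule is `-m policy --dir out --pol ipsec -j ACCEPT` at the top of nat/POSTROUTING, which exempts whatever traffic the kernel's IPsec policy will encapsulate; it is not shown here because the thread works with explicit subnets.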