Would it be logical or truthful to suggest adding a toggle switch in the server-manager console that implements an nftables route or masq or iptables script?
Or just a philosophically sound suggestion?
Sound but has to be balanced with practicality...
I haven't seen people clamouring for this as a feature... !
First, we use iptables, not nftables.
Next, as the FAQ at Opensim says:
"Many DSL routers/modems prevent loopback connections as a security feature."
So it may be opening you up to other issues. I think personally I'd ask Opensim to change their code, but hey ho.
Finally, there is an example script for iptables rules at Opensim. DON'T use it on SME as you will break your firewall. This is a guide so you can see the sort of rules that need templating to make it work. And then you need to write a server panel entry for it....
#!/bin/bash
#
# vvvvv - Fix these! - vvvvv
IPTABLES=/usr/sbin/iptables
LAN_NETWORK=192.168.0.0/24
SERVER_IP=192.168.0.2
INTERNET_IP=100.100.100.100
REMOTING_PORT=8895
REGION_PORT=9000
# ^^^^^ - Fix these! - ^^^^^
# First, the Destination NAT, anything going to the external address on our ports, we redirect to the server
# Note, if you have a double NAT running and this router doesn't actually have the internet IP address, you'll
# need another set of PREROUTING-DNAT lines with the --destination (-d) set to the internet facing private address
$IPTABLES -t nat -I PREROUTING -d $INTERNET_IP -p tcp --dport $REMOTING_PORT --jump DNAT --to-destination $SERVER_IP
$IPTABLES -t nat -I PREROUTING -d $INTERNET_IP -p udp --dport $REGION_PORT --jump DNAT --to-destination $SERVER_IP
$IPTABLES -t nat -I PREROUTING -d $INTERNET_IP -p tcp --dport $REGION_PORT --jump DNAT --to-destination $SERVER_IP
# Second, the Source NAT, we need this so that returning packets to our LAN clients go back through the router first,
# otherwise, the server will try to talk directly to the client and the client will reject them
$IPTABLES -t nat -I POSTROUTING -s $LAN_NETWORK -d $SERVER_IP -p tcp --dport $REMOTING_PORT --jump SNAT --to-source $INTERNET_IP
$IPTABLES -t nat -I POSTROUTING -s $LAN_NETWORK -d $SERVER_IP -p udp --dport $REGION_PORT --jump SNAT --to-source $INTERNET_IP
$IPTABLES -t nat -I POSTROUTING -s $LAN_NETWORK -d $SERVER_IP -p tcp --dport $REGION_PORT --jump SNAT --to-source $INTERNET_IP
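The FAQ script above uses "-I", so every run prepends another copy of each rule. As an added example, not from the original post, the Opensim FAQ or the SME Server project, here is the same DNAT/SNAT hairpin set regenerated as idempotent "-C || -A" pairs, with the two halves of each pair (and the reason the SNAT is needed) spelled out in comments. Without an "apply" argument it only prints the iptables commands it would run, so it can be read and tested without root; the addresses and ports are the FAQ's placeholders, assumed here for illustration. It is still not SME-templated and still does nothing about the filter FORWARD chain, so it is for understanding the rules, not for running on an SME box.

```bash
#!/bin/bash
# Added example, not from the original post or the Opensim FAQ: the FAQ's
# hairpin-NAT rules regenerated as idempotent "-C || -A" pairs, so re-running
# the script never stacks duplicate rules the way repeated "-I" does.
# Without an "apply" argument it only prints the iptables commands it would run
# (no root needed); with "apply" it executes them. Addresses and ports are the
# FAQ's placeholders, assumed here for illustration.

IPTABLES=${IPTABLES:-/usr/sbin/iptables}
DRY_RUN=1

# ensure_rule TABLE CHAIN MATCH... : append a rule only if -C says it is absent.
ensure_rule() {
    local table=$1 chain=$2
    shift 2
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s -t %s -C %s %s || %s -t %s -A %s %s\n' \
            "$IPTABLES" "$table" "$chain" "$*" "$IPTABLES" "$table" "$chain" "$*"
    else
        "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null ||
            "$IPTABLES" -t "$table" -A "$chain" "$@"
    fi
}

# hairpin_nat LAN_NET SERVER_IP INTERNET_IP PROTO PORT
# DNAT: any packet (from WAN or LAN) addressed to INTERNET_IP:PORT goes to the server.
# SNAT: LAN-sourced copies of that traffic are rewritten to come from INTERNET_IP,
#       so the server answers via the router instead of straight to the LAN client,
#       which would otherwise see a reply from an address it never talked to.
hairpin_nat() {
    local lan_net=$1 server_ip=$2 internet_ip=$3 proto=$4 port=$5
    ensure_rule nat PREROUTING -d "$internet_ip" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$server_ip"
    ensure_rule nat POSTROUTING -s "$lan_net" -d "$server_ip" -p "$proto" --dport "$port" \
        -j SNAT --to-source "$internet_ip"
}

# hairpin_services LAN_NET SERVER_IP INTERNET_IP proto:port...
# One DNAT/SNAT pair per proto:port entry, e.g. "tcp:8895 udp:9000 tcp:9000".
hairpin_services() {
    local lan_net=$1 server_ip=$2 internet_ip=$3 svc
    shift 3
    for svc in "$@"; do
        hairpin_nat "$lan_net" "$server_ip" "$internet_ip" "${svc%%:*}" "${svc##*:}"
    done
}

# Caveat these rules do not address: the nat table only rewrites addresses.
# The rewritten packets still traverse the filter FORWARD chain, so a firewall
# that does not already allow LAN->server on these ports will drop them.
if [ "${1:-}" = apply ]; then DRY_RUN=0; fi
hairpin_services 192.168.0.0/24 192.168.0.2 100.100.100.100 tcp:8895 udp:9000 tcp:9000
```

Run it with no arguments to review the six commands it would issue; only "apply" touches the live ruleset. The "-C" check is what makes it safe to re-run from a boot script or a panel action, and the proto:port list is the part that would have to come from configuration rather than be hard-coded if this were ever templated.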
Sounds like we need Stephane on the job
Yes, it might be nice to have, but the security implications need to be considered as we don't mess with firewalls lightly. It will also take a bit of coding to implement and we don't have a massive amount of resources to dedicate to a request that seems a bit of a one off.
You are more than welcome to add an NFR bug, and to code it yourself.
B. Rgds
John