# 1. Make the Pi a router (kernel forwarding)
sudo sysctl -w net.ipv4.ip_forward=1
# 2. Clear any existing nftables state (safe on a Pi with no other rules to keep)
sudo nft flush ruleset
# 3. NAT table: masquerade traffic going out to the phone
sudo nft add table ip nat
sudo nft add chain ip nat postrouting { type nat hook postrouting priority 100 \; }
sudo nft add rule ip nat postrouting oif "usb0" masquerade
# 4. Filter table: allow forwarding between LAN and phone
#    policy drop: a base chain with no policy accepts everything,
#    which would make the two accept rules below redundant
sudo nft add table ip filter
sudo nft add chain ip filter forward { type filter hook forward priority 0 \; policy drop \; }
sudo nft add rule ip filter forward iif "eth0" oif "usb0" accept
sudo nft add rule ip filter forward iif "usb0" oif "eth0" ct state established,related accept

===============================
Raspberry Pi USB-Tether Router
(Android phone → Pi → LAN)
PERSISTENT CONFIG
===============================
ASSUMPTIONS
-----------
- Android phone provides internet via USB tethering
- On the Pi:
    usb0 = upstream (phone)
    eth0 = downstream (LAN / TP-Link / NUC)
- Temporary routing + NAT has already been tested and works
--------------------------------
1. ENABLE IP FORWARDING (PERMANENT)
--------------------------------
echo 'net.ipv4.ip_forward=1' | sudo tee /etc/sysctl.d/99-ipforward.conf
sudo sysctl --system
--------------------------------
2. ENSURE NFTABLES IS INSTALLED & ENABLED
--------------------------------
sudo apt update
sudo apt install -y nftables
sudo systemctl enable --now nftables
--------------------------------
3. WRITE PERSISTENT NFTABLES RULESET
--------------------------------
sudo tee /etc/nftables.conf >/dev/null <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

# NAT table: masquerade traffic going out to the phone
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "usb0" masquerade
    }
}

# Filter table: allow forwarding between LAN and phone
table ip filter {
    chain forward {
        # Default-drop: a base chain with no policy accepts everything,
        # which would make the two rules below redundant.
        type filter hook forward priority 0; policy drop;
        iifname "eth0" oifname "usb0" accept
        iifname "usb0" oifname "eth0" ct state established,related accept
    }
}
EOF
--------------------------------
4. LOAD RULES NOW (WITHOUT REBOOT)
--------------------------------
sudo nft -f /etc/nftables.conf
sudo systemctl restart nftables
--------------------------------
5. VERIFICATION (OPTIONAL BUT SANE)
--------------------------------
# On the Pi:
sysctl net.ipv4.ip_forward
nft list ruleset
# From a downstream machine (e.g. NUC):
# ping 192.168.1.1
# ping 1.1.1.1
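
Added example (not part of the original post): a shell check for the verification step. It reads `nft list ruleset` text and fails when the forward chain's policy is accept, when upstream traffic is accepted without a conntrack match, or when the masquerade rule is missing. The names `audit_ruleset` and `sample_accept` and the sample ruleset are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a ruleset for the usb0/eth0 router described on this page.
# On the Pi: sudo nft list ruleset | audit_ruleset usb0

# Reads a ruleset on stdin; $1 = upstream interface (default usb0).
# Prints findings and returns 1 if any check fails.
audit_ruleset() {
    awk -v wan="${1:-usb0}" '
        $1 == "}"      { infwd = 0; next }      # end of a chain or table
        /hook forward/ { fwd = 1; infwd = 1 }   # base chain on the forward hook
        infwd && /policy drop/ { drop = 1 }     # no policy statement means accept
        /masquerade/ && index($0, "oifname \"" wan "\"") { masq = 1 }
        # Accepting upstream traffic without a conntrack match admits new inbound flows.
        infwd && /accept/ && index($0, "iifname \"" wan "\"") && !/ct state/ {
            print "FAIL: unsolicited " wan " traffic accepted"; bad = 1
        }
        END {
            if (!fwd)       { print "FAIL: no forward base chain"; bad = 1 }
            else if (!drop) { print "FAIL: forward policy is accept, rules filter nothing"; bad = 1 }
            if (!masq)      { print "FAIL: no masquerade on " wan; bad = 1 }
            if (!bad) print "OK: forward default-drops, " wan " is masqueraded"
            exit bad + 0
        }'
}

# Constructed sample: ruleset listing for a forward chain left at the default policy.
sample_accept() {
    cat <<'EOF'
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "usb0" masquerade
    }
}
table ip filter {
    chain forward {
        type filter hook forward priority filter; policy accept;
        iifname "eth0" oifname "usb0" accept
        iifname "usb0" oifname "eth0" ct state established,related accept
    }
}
EOF
}

# Demo on the constructed sample; reports the accept policy.
sample_accept | audit_ruleset usb0 || true
```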
--------------------------------
END
--------------------------------