NetworkManager commands on a Raspberry Pi 3 – Setting up a RPI3 as a router

I am discovering NetworkManager on the RPI3 (more specifically the nmcli commands). An RPI3 with iptables, routing and nmcli makes a powerful gateway that lets Ethernet LAN devices connect through the RPI3 to a 4G hotspot or upstream WISP.

Turn on IP routing:

/etc/sysctl.conf

# Uncomment the next line to enable packet forwarding for IPv4

net.ipv4.ip_forward=1

Iptables:

Create an entry in the /etc/rc.local file that restores the iptables ruleset matching the upstream connection in use (4G or WISP, i.e. going out / hiding behind a different Wi-Fi connection), e.g. the RPI3's built-in Wi-Fi or a USB EW-7822-UAC dongle.

This restores iptables on boot so that the 4G phone acts as the internet gateway and the RPI3 acts as the NAT router.

Save the current iptables rules to /etc/iptables.sav so they can be restored from rc.local:

sudo iptables-save | sudo tee /etc/iptables.sav

#Reload saved iptables on boot for 4G modem setup rpi as FW for NAT
### For use with inbuilt RPI3 WIFI ###
#iptables-restore < /etc/iptables.sav
### For Use with EW-7822UAC Dongle Wifi ###
iptables-restore < /etc/iptables.ew7822uac.sav

iptables example for NATing Ethernet behind Wi-Fi:

pi@pypagerx-rpi3:/etc $ cat iptables.ew7822uac.sav
# Generated by iptables-save v1.6.0 on Wed Oct 25 12:23:07 2017
*raw
:PREROUTING ACCEPT [21597:15184731]
:OUTPUT ACCEPT [120:17663]
COMMIT
# Completed on Wed Oct 25 12:23:07 2017
# Generated by iptables-save v1.6.0 on Wed Oct 25 12:23:07 2017
*mangle
:PREROUTING ACCEPT [21599:15184811]
:INPUT ACCEPT [184:24077]
:FORWARD ACCEPT [21415:15160734]
:OUTPUT ACCEPT [124:18239]
:POSTROUTING ACCEPT [21489:15176973]
COMMIT
# Completed on Wed Oct 25 12:23:07 2017
# Generated by iptables-save v1.6.0 on Wed Oct 25 12:23:07 2017
*nat
:PREROUTING ACCEPT [538:109749]
:INPUT ACCEPT [5:619]
:OUTPUT ACCEPT [26:1976]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wlx74da385d4193 -j MASQUERADE
COMMIT
# Completed on Wed Oct 25 12:23:07 2017
# Generated by iptables-save v1.6.0 on Wed Oct 25 12:23:07 2017
*filter
:INPUT DROP [31:13490]
:FORWARD DROP [50:2000]
:OUTPUT ACCEPT [88:10511]
-A INPUT -i enxb827eb73d760 -j ACCEPT
-A INPUT -i wlx74da385d4193 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.88.0/24 -i enxb827eb73d760 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -d 192.168.88.0/24 -i wlx74da385d4193 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Oct 25 12:23:07 2017
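
A pre-flight check for a saved rules file such as the one above, added here as an example and not part of the original post: it confirms that the filter INPUT and FORWARD policies are DROP, that MASQUERADE is bound to the upstream interface, that nothing forwards new connections in from that interface, and that no typographic dashes crept into the file. The function names check_ruleset and sample_ruleset are made up for this example, and the sample ruleset is constructed from the listing above.

```shell
# Added example, not the author's script: audit an iptables-save file before
# rc.local restores it. Usage: check_ruleset FILE WAN_IF (returns 0 when clean).
check_ruleset() {
    LC_ALL=C awk -v wan="$2" '
        function finding(msg) { print msg; bad = 1 }
        /^\*/ { table = substr($0, 2) }
        # Bytes outside printable ASCII (e.g. "--" pasted as an en dash)
        # make iptables-restore reject the file.
        /[^ -~]/ { finding("line " NR ": non-ASCII character") }
        table == "filter" && /^:(INPUT|FORWARD) / {
            seen[$1] = 1
            if ($2 != "DROP") finding($1 " policy is " $2 ", expected DROP")
        }
        table == "nat" && /^-A POSTROUTING / && / -j MASQUERADE/ &&
            index($0, " -o " wan " ") { masq = 1 }
        # Traffic entering on the upstream side may only be reply traffic.
        table == "filter" && /^-A FORWARD / && / -j ACCEPT/ &&
            index($0, " -i " wan " ") &&
            $0 !~ /--ctstate (RELATED,ESTABLISHED|ESTABLISHED,RELATED) / {
            finding("line " NR ": forwards new connections from " wan)
        }
        END {
            if (!seen[":INPUT"] || !seen[":FORWARD"]) finding("filter policy missing")
            if (!masq) finding("no MASQUERADE rule on " wan)
            exit (bad ? 1 : 0)
        }
    ' "$1"
}
# Constructed sample: nat and filter tables as in the listing above.
sample_ruleset() {
    cat <<'EOF'
*nat
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wlx74da385d4193 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i enxb827eb73d760 -j ACCEPT
-A INPUT -i wlx74da385d4193 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.88.0/24 -i enxb827eb73d760 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -d 192.168.88.0/24 -i wlx74da385d4193 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}
```

Run it right after saving the rules: if iptables-restore rejects the file at boot, the Pi comes up with forwarding enabled and no filter rules loaded.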

Example of manual script that could be run at runtime:

pi@pypagerx-rpi3:/etc $ cat iptables.ew7822uac.sh
#!/bin/sh
# Flush all rules and delete user-defined chains in every table
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t mangle -F
sudo iptables -t mangle -X
sudo iptables -t raw -F
sudo iptables -t raw -X
# Set default policies
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT ACCEPT
sudo iptables -P FORWARD DROP
# Allow loopback traffic
sudo iptables -I INPUT -i lo -j ACCEPT
# Allow incoming SSH
sudo iptables -I INPUT -i wlx74da385d4193 -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow incoming traffic on enxb827eb73d760
sudo iptables -I INPUT -i enxb827eb73d760 -j ACCEPT
# Forward new connections from the LAN and reply traffic coming back
sudo iptables -A FORWARD -i enxb827eb73d760 -s 192.168.88.0/255.255.255.0 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -i wlx74da385d4193 -d 192.168.88.0/255.255.255.0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# NAT traffic leaving through the Wi-Fi dongle
sudo iptables -t nat -F POSTROUTING
sudo iptables -t nat -A POSTROUTING -o wlx74da385d4193 -j MASQUERADE

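Make sure to save the rules to the file that rc.local restores (iptables-save on its own only prints them to stdout):

sudo iptables-save | sudo tee /etc/iptables.ew7822uac.sav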

Configure nmcli and the interface so you can connect to a 4g hotspot:

Using EW-7822-UAC for 4G tethering:

sudo nmcli -p connection add type wifi con-name wlan-ew7822uac-note8-4g ifname wlx74da385d4193 ssid "NOTE8 PHONE SSID"
sudo nmcli con mod wlan-ew7822uac-note8-4g wifi-sec.key-mgmt wpa-psk wifi-sec.psk "NOTE8 password"
sudo nmcli connection up wlan-ew7822uac-note8-4g