# Accept any packet being forwarded from eth0->tun1, from 172.0.0.x, which is#

1. # Accept any packet being forwarded from eth0->tun1, from 172.0.0.x, which is
2. # initiating a new outbound connection.
3. $ iptables -A FORWARD -i eth0 -o tun1 -s 172.0.0.0/24 -m
4. conntrack --ctstate NEW -j ACCEPT
5.  
6. # Accept any forwarded packet that's part of a connection that we already
7. # set up during the rule above.
8. $ iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
9.  
10. # Make all outbound packets use this router's IP as the source address.
11. $ iptables -A POSTROUTING -t nat -j MASQUERADE