Server Guide says to use rc.local for masquerading config, but that doesn't seem to work in xenial

Yes, we know. Xenial has not been released yet, nor has the 16.04 serverguide, which needs to be completly overhauled for systemd.

Actually, rc.local seems to still work fine on m y test 16.04 server.

As a test, I created a script that simply sends a message to dmesg:

doug@s15:~$ cat doug_test.sh
#!/bin/bash

echo "doug test message..." >> /dev/kmsg

Then I edited /etc/rc.local and added a call to that script:

doug@s15:~$ cat /etc/rc.local
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

/home/doug/doug_test.sh

exit 0

Then I looked at dmesg after a boot:

doug@s15:~$ dmesg | grep -B 5 -A 5 doug
[ 15.587166] cgroup: new mount options do not match the existing superblock, will be ignored
[ 16.720267] cgroup: new mount options do not match the existing superblock, will be ignored
[ 16.804082] r8169 0000:03:00.0 enp3s0: link up
[ 16.804569] br0: port 1(enp3s0) entered forwarding state
[ 16.804575] br0: port 1(enp3s0) entered forwarding state
[ 21.767286] doug test message...
[ 22.080244] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 22.509391] nf_conntrack version 0.5.0 (65536 buckets, 262144 max)
[ 23.733566] audit_printk_skb: 9 callbacks suppressed
[ 23.733569] audit: type=1400 audit(1458402069.319:15): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/lxc-start" pid=1816 comm="apparmor_parser"
[ 23.898393] audit: type=1400 audit(1458402069.487:16): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="lxc-container-default" pid=1819 comm="apparmor_parser"

But notice, how and because my server has virtualization installed, there is some ip_tables stuff right after my message, which might clobber anything I did for iptables in rc.local.

I'm not sure there is a serverguide documentation issue here, although I admit I wouldn't do it that way.

Thanks for looking into it but I didn't say rc.local didn't work. I said configuring IP masquerading in there as the server guide says doesn't work. We shouldn't recommend it if it doesn't work by default.

An alternative is to configure IP masquerading in /etc/network/interfaces so having something like this in the stanza of the interface in question:

up /etc/init.d/masquerading-script start

or something.

fair enough. By the way, I call my iptables script from my interfaces file:

# interfaces file for smythies.com 2016.01.30
# attempt to set local DNS herein, as the method
# used with the old 12.04 server no longer works.
#
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback
pre-up /home/doug/init/doug_firewall
dns-nameservers 127.0.0.1

# The primary interface (d-link PCI card)
auto enp4s0
iface enp4s0 inet dhcp

# Local network interface (uses built in ethernet port)
auto enp2s0
iface enp2s0 inet static
  address 192.168.111.1
  network 192.168.111.0
  netmask 255.255.255.0
  broadcast 192.168.111.255