How to share network connection easily with NetworkManager

TL;DR, to quickly share an IPv4 connection via Ethernet:

1. Create an Ethernet connection in NetworkManager, for example using nm-connection-editor. You can name it however you want - I use eth-share.
2. Assign the connection to the device which will be sharing the connection - through which your client devices will connect - if the connectivity is at eth0 and you want to share to eth1, then write eth1.
3. Set its IPv4 method to Shared, and IPv6 method to Ignore.
4. Then, manually add an IPv4 address from a private address range (RFC 1918) with a mask (for example, 192.168.94.1, mask 24). The addresses offered to the clients will be in this range (I am unsure whether they can be limited further (easily (from the GUI))).
   Leave gateway empty.
5. Save and activate your new connection.

When you activate such connection (with nmcli con up eth-share, for example) , NetworkManager will perform at least these things:

• Assigns the IP 192.168.94.1/24 to the interface eth1,
• Enables IP forwarding on the interfaces,
• Adds an iptables masquerade rule - a Source-NAT, which will rewrite addresses from range 192.168.94.0/24 to the interface that has external connectivity,
• Starts up dnsmasq DHCP server and DNS forwarder on the eth1 interface. This DHCP server will point to 192.168.94.1 as the default gateway and DNS for the clients.

For added security, you might want to manually block input from the interface eth1. You can do that with your firewall in the INPUT chain, but please note that you want to keep DHCP and DNS ports open on that interface.

For wireless sharing, the instructions would actually be pretty similar, only that you need to create a Wi-Fi connection, where you set an SSID, a password, and the wireless mode would be “AP” (as opposed to normal “station”).

And that is, in a nutshell, what NetworkManager does for you, when you ask it to create a hotspot:

nmcli d wifi hotspot ifname <wifi_iface> ssid <ssid> password <password>