11

My PC is equipped with two network interfaces, wlan0 and eth0, and I want to use the WiFi port as an access point on wlan0.

  • I used hostapd facility and it works properly in routing mode within the local network; users can connect to the access point and DHCP works properly in both segments.
  • The PC with hostapd does not have any firewalls or iptables rules (iptables and firewalls disabled), as I want to only use the built-in firewall of the ADSL router.

My net config is as follows:

  • PC with hostapd -> cable connection -> ADSL router
  • wlan0 -> eth0 <-> 192.168.0.1 <-> internet
  • 192.168.10.1 -> 192.168.0.7 -> static routing to 192.168.10.X

PC ifconfig:

eth0  Link encap:Ethernet  HWaddr 00:12:3F:F2:31:65
      inet addr:192.168.0.7  Bcast:192.168.0.255  Mask:255.255.255.0
      inet6 addr: fe80::212:3fff:fef2:3165/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:2169539 errors:0 dropped:0 overruns:0 frame:0
      TX packets:1008097 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:3056198487 (2.8 GiB)  TX bytes:72727161 (69.3 MiB)
      Interrupt:16

lo    Link encap:Local Loopback
      inet addr:127.0.0.1  Mask:255.0.0.0
      inet6 addr: ::1/128 Scope:Host
      UP LOOPBACK RUNNING  MTU:65536  Metric:1
      RX packets:3398 errors:0 dropped:0 overruns:0 frame:0
      TX packets:3398 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0
      RX bytes:495444 (483.8 KiB)  TX bytes:495444 (483.8 KiB)

mon.wlan0  Link encap:UNSPEC  HWaddr 00-14-A5-04-94-3C-90-F0-00-00-00-00-00-00-00-00
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:151 errors:0 dropped:0 overruns:0 frame:0
      TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:17092 (16.6 KiB)  TX bytes:0 (0.0 b)

wlan0 Link encap:Ethernet  HWaddr 00:14:A5:04:94:3C
      inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
      inet6 addr: fe80::214:a5ff:fe04:943c/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:0 errors:0 dropped:0 overruns:0 frame:0
      TX packets:1502 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:0 (0.0 b)  TX bytes:279392 (272.8 KiB)

How do I configure simple NAT with iptables for it on the PC?

  • I want all users connected to the network via hostapd (network 192.168.10.X) to have access to and from the internet.
  • I don't want to filter any traffic, just NAT.

I cannot get a connection to the internet from the WiFi segment:

  • The client connected to WiFi has DHCP address 192.168.10.48, and the only traffic is on eth0, from the address:
    16:50:14.671587 ARP, Request who-has 192.168.0.48 tell 192.168.0.1, length 46

    Note: The address is 192.168.0.48, not 192.168.10.48, so Masquerade seems to work.

  • I can no longer ping 192.168.0.1 [ADSL router], which was possible before.
  • What about access from the internet to the WiFi users? Of course I will set up, in the ADSL router, forwarding of particular IP ports from the Internet to the particular IP address of such a WiFi user.

EDIT 1:

  • systemctl shows iptables as:
    iptables.service          loaded active exited

    Even though I ran:

    systemctl enable iptables.service
    systemctl start iptables.service

EDIT 2:

  • It works, but each time I boot the computer, is it normal to have to manually add the following via a startup script?
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    
JW0914
  • 9,096

2 Answers

8

I wrote a firewall for all occasions. Please read the README and the SCRIPT before using it. I included the necessary rules for HOSTAP.

Essential Parts:

HostAP

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE 
iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

HostAP requires both of the lines below to be ACCEPT in order to function:

iptables -A INPUT -j ACCEPT >> /dev/null 2>&1 
iptables -A OUTPUT -j ACCEPT >> /dev/null 2>&1

https://github.com/diveyez/fw.sh

7

In the simplest form:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

That will allow all WiFi users access to the Internet.

Of course assuming your other routing setup is already done, namely:

  1. Forwarding enabled in the kernel

    sysctl net.ipv4.ip_forward=1
    
  2. Forwarding enabled in iptables:

    iptables -P FORWARD ACCEPT
    iptables -F FORWARD
    

Use tcpdump -nn -i eth0 to watch the traffic on eth0 in case of problems to see if it gets NATed properly, if the response is coming back, etc.

EDIT: "I have to add manually each time I boot the computer (from a startup script)..." It depends on what Linux distribution you have. Sadly, pretty much each distro has its own firewall tool; in the end they're only calling iptables, but for some reason the authors believe that obfuscating the way iptables works is what the users want.

To answer your question: most likely your firewall can be configured to add this NAT rule automatically. The exact way, however, varies between Linux distros for no good reason. Sad but true.

MLu
  • 246
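The following script is an added example, not code from either answer or from the fw.sh project. It ties together the three steps in MLu's answer (kernel forwarding, FORWARD chain, MASQUERADE), the stateful FORWARD rules from the first answer, and the tcpdump check: it generates the ruleset in iptables-restore format so it can be inspected and saved for reloading at boot, applies it atomically with forwarding enabled, and counts un-masqueraded packets in captured tcpdump text. The interface names eth0/wlan0 and the 192.168.10.0/24 subnet come from the question; narrowing MASQUERADE to that subnet and using a DROP policy on FORWARD is tighter than the answers' any-source rules and is an assumption about what is wanted. The file path for saving is the caller's choice, since the location a distro's iptables service reads varies.

```shell
#!/bin/sh
# Added example (not from the answers or fw.sh): minimal NAT for a hostapd AP.
# Interface names and subnet match the question; override via the environment.
WAN_IF="${WAN_IF:-eth0}"               # uplink to the ADSL router (192.168.0.7 side)
LAN_IF="${LAN_IF:-wlan0}"              # hostapd access point interface
LAN_NET="${LAN_NET:-192.168.10.0/24}"  # subnet handed out to WiFi clients

# Emit the ruleset in iptables-restore format. Kept as a pure function so it
# can be inspected, tested and saved to a file without root privileges.
# Narrower than the answers' rules: only LAN_NET is masqueraded and forwarded.
nat_ruleset() {
    wan="$1"; lan="$2"; net="$3"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rewrite the source of WiFi-client packets to ${wan}'s own address
-A POSTROUTING -s ${net} -o ${wan} -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Clients may go out; only replies to their own connections may come back in
-A FORWARD -i ${lan} -o ${wan} -s ${net} -j ACCEPT
-A FORWARD -i ${wan} -o ${lan} -d ${net} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Write the ruleset to a file that a boot-time "iptables-restore < FILE"
# (or the distro's iptables service) can reload; FILE is the caller's choice.
save_ruleset() {
    nat_ruleset "$WAN_IF" "$LAN_IF" "$LAN_NET" > "$1"
}

# Enable kernel forwarding and load the ruleset atomically (requires root).
apply_nat() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    nat_ruleset "$WAN_IF" "$LAN_IF" "$LAN_NET" | iptables-restore
    # Confirm the MASQUERADE rule is really in place after loading
    iptables -t nat -S POSTROUTING | grep -q -- "-j MASQUERADE"
}

# Diagnostic for "tcpdump -nn -i eth0" text read on stdin: count packets whose
# source is still a WiFi-client address. On the uplink that means the packet
# left without being masqueraded (forwarding on, NAT rule missing).
# The prefix is matched as a fixed string, e.g. "192.168.10.".
unnatted_count() {
    grep -cF "IP $1" || true
}

# Usage: sh nat-ap.sh show | save FILE | apply
#        tcpdump -nn -i eth0 -l | sh nat-ap.sh leaks 192.168.10.
case "${1:-}" in
    show)  nat_ruleset "$WAN_IF" "$LAN_IF" "$LAN_NET" ;;
    save)  save_ruleset "$2" ;;
    apply) apply_nat ;;
    leaks) unnatted_count "$2" ;;
esac
```

Running `show` first lets you review the exact rules before `apply` loads them; `save FILE` produces the file that an rc script or the distro's iptables service can restore at boot, which addresses the "add manually each time I boot" problem without depending on any particular distro's wrapper. A non-zero `leaks` count while clients cannot reach the internet points at forwarding being enabled without the POSTROUTING rule, whereas a zero count with no traffic at all on eth0 points at forwarding itself being off.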