I have 2 Interfaces wlan0 and wlan1, 2 routers, [192.168.0.1 (lan) and 192.168.1.1 (Internet)].
I would like to configure iptables to do the following.
Connect to the lan with wlan0
Connect to the Internet with wlan1
Share the wlan1 Internet connection with other computers on the lan.
Use modem dial up (interface ppp0) as an Internet backup.
I have had a problem with dialup ppp before. To get it to work, I had to delete the default gateway from the kernel routing table before launching the ppp daemon and then restart all the network interfaces when finished with dialup.
I never liked that kludge and would like to avoid that problem if possible.
Thanks for any help.
Bill
I am assuming you are trying to create a classful network and that both of these interfaces are on the same Linux machine? If so the 192.168.0.0/24 network would be assigned to the wlan0 interface, and then 0.0.0.0 (general address for anything else) would be assigned to your wlan1 interface. You could also just add the 192.168.1.1 as your default gateway and assign that specific address to the wlan1 interface. This would do the same as giving it a 0.0.0.0 address.
Not sure of a good way to get around the dial issue. Whenever we have a default gateway assigned, any IP packet not specifically routed to the dial connection is going to be routed to the default gateway (or in this case the 0.0.0.0 address). You may have to add some conditional logic that checks to see if packets are making it to the Internet on the wlan1 interface and reroutes the traffic to the dial connection if the packets are not making it through. If you come up w/ a good solution to this let me know. Hope this helps a bit.
Both interfaces are on the same machine.
I don't know what classful network means?
The way it currently works is:
wlan0 -> 192.168.0.121
wlan1 -> 192.168.1.144
default gateway -> 192.168.0.1
can ping:
192.168.0.1/24 and computers on this subnet
can ping:
192.168.1.1 and 192.168.1.144 but no other computers on this subnet or the DNS server.
Internet access does not work.
The default gateway appears to be getting all the traffic except 192.168.1.1 and 192.168.1.144
Here is the output of `ip addr ls` and `ip route ls`:
ip addr ls
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
link/ether 00:19:db:69:1a:c7 brd ff:ff:ff:ff:ff:ff
3: wmaster0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ieee802.11 00:09:f3:72:04:18 brd ff:ff:ff:ff:ff:ff
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:09:f3:72:04:18 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.121/24 brd 192.168.0.255 scope global wlan0
inet6 fe80::209:f3ff:fe72:418/64 scope link
valid_lft forever preferred_lft forever
5: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:40:0c:03:3a:71 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.144/24 brd 192.168.1.255 scope global wlan1
inet6 fe80::240:cff:fe03:3a71/64 scope link tentative
valid_lft forever preferred_lft forever
6: vboxnet0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
link/ether 00:76:62:6e:65:74 brd ff:ff:ff:ff:ff:ff
ip route ls
192.168.1.0/24 dev wlan1 proto kernel scope link src 192.168.1.144
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.121
169.254.0.0/16 dev wlan0 scope link
127.0.0.0/8 dev lo scope link
default via 192.168.0.1 dev wlan0
Bill
The first thing I see here is that your default gateway needs to be set to the interface of the router connecting to the internet. That way any traffic that isn't being sent to an address listed in your routing table (anything not on your lans) will be sent to this interface of the correct router. Also be sure that the routers are set up correctly. This all depends on what sort of routers you are using, but if changing the default gateway doesn't get you online, check the routing tables of your routers to see if they are forwarding packets to the internet.
As far as not being able to ping other devices on the 192.168.1.0/24 network I am not sure what is going on. The network appears to be set up properly in your routing table on your computer which would lead me to believe that the problem is in your router's routing table and not the one on the computer. Look at the routers table and make sure it is properly set up to forward all local traffic locally and everything else out the internet interface.
Without getting too in depth, a classful network means that all of the subnets are using /24, /16, or /8 subnets (which it appears you are.)
Hope this helps a bit. Changing the default gateway should help, but you need to make sure that the router on that lan is correctly configured (it sounds like it's not.)
With just wlan1 active:
ip route ls
192.168.1.0/24 dev wlan1 proto kernel scope link src 192.168.1.144
169.254.0.0/16 dev wlan1 scope link
127.0.0.0/8 dev lo scope link
default via 192.168.1.1 dev wlan1
Internet access works without problems. I can ping Internet addresses.
After adding wlan0:
ip route ls
192.168.1.0/24 dev wlan1 proto kernel scope link src 192.168.1.144
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.121
169.254.0.0/16 dev wlan1 scope link
127.0.0.0/8 dev lo scope link
default via 192.168.1.1 dev wlan1
The Internet connection stops working. I can ping 192.168.0 subnet.
Just changing the default gateway is not the solution.
I think this problem has to be solved using iptables to route the traffic correctly, I just don't know how to do it (yet). I also think that is the way to avoid the ppp0 kludge and to route Internet access through this computer to the local lan.
I am not really interested in being able to ping local computers on the 192.168.1 subnet. It will be for Internet access only.
Bill
iptables will definitely work for your multiple internet connection issue, but it is a fairly complicated process being as it actually changes the headers in your packets for rerouting rather than a much simpler routing lookup process.
As for having two lans connected to one device and using it to share the internet connection from one lan to the other; this should be able to be done w/out iptables (I would recommend not using them if at all possible.) You would be better served if you had a router for this process, since that is what you are asking the computer to do anyhow. If this isn't a viable solution it sounds as though something about the setup of your machine is keeping it from working as your routing table is ok.
It does not appear to be that complicated. Here is my current firewall
-------------
*filter
:INPUT DROP [1956:130146]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [972602:1376127870]
-A INPUT -p icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp --icmp-type 11 -j ACCEPT
-A INPUT -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
--------------
This is the Frugalware Linux default firewall with the dport 22 line added by me. That line restricts ssh service to my local lan.
From my research (not tested yet), adding Internet routing to my lan does not appear to be too complicated:
Assuming wlan1 connected to Internet router and wlan0 connected to lan router. I need to add these 2 lines to my firewall:
iptables --table nat --append POSTROUTING --out-interface wlan1 -j MASQUERADE
iptables --append FORWARD --in-interface wlan0 -j ACCEPT
Gateway has to be the address of the Internet router.
ip forwarding is on:
cat /proc/sys/net/ipv4/ip_forward
returns 1,
so something in the firewall must have turned it on (maybe the :FORWARD ACCEPT [0:0] line).
It looks like the ppp0 issue can be resolved using 2 routing tables with rules about when to use which one. This document has a detailed example which I have not studied carefully yet but conceptually it seems the right way to go.
Bill
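The two-routing-table idea Bill mentions for the ppp0 backup, written out as an added example for this thread (it is not code from any post here). Assumed: wlan1 reaches the Internet router at 192.168.1.1; pppd is started without its `defaultroute` option and /etc/ppp/ip-up and ip-down call dial_up/dial_down instead, so pppd never fights over the main table's default route; PROBE is a public host you trust to answer ICMP echo (198.51.100.1 below is only a documentation placeholder); the table ids 100 and 200 are arbitrary. Masquerading for traffic leaving ppp0 is a separate iptables concern and is not handled here.

```sh
#!/bin/sh
# Policy-routing failover between wlan1 (primary uplink) and ppp0 (dial backup).
# Added example for this thread, not code from any post. See the lead-in for the
# assumptions (PROBE placeholder, pppd run without `defaultroute`, table ids).
PROBE="${PROBE:-198.51.100.1}"
WAN_GW="192.168.1.1"
WAN_IF="wlan1"
DIAL_IF="ppp0"
T_WAN=100     # routing table ids; numeric ids need no /etc/iproute2/rt_tables entry
T_DIAL=200

# DRY_RUN=1 prints each ip(8) command instead of executing it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One-time setup at boot. The main table keeps only the connected subnets and
# no default route; rule order is main (pref 32766) -> wan (33000) -> dial
# (33001). A table without a matching route falls through to the next rule, so
# deleting the wan default route is the entire failover mechanism.
setup_tables() {
    # Host route so the health probe always leaves via wlan1, even when the
    # wan table is empty; otherwise the check could never see wan recover.
    run ip route replace "$PROBE/32" via "$WAN_GW" dev "$WAN_IF"
    run ip rule add pref 33000 lookup "$T_WAN"
    run ip rule add pref 33001 lookup "$T_DIAL"
    run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$T_WAN"
}

# Hooks for /etc/ppp/ip-up and ip-down ($1 is the ppp interface name). Keeping
# the dial default route in its own table is what removes the old kludge of
# deleting the wlan1 default route before starting pppd.
dial_up()   { run ip route replace default dev "${1:-$DIAL_IF}" table "$T_DIAL"; }
dial_down() { run ip route flush table "$T_DIAL"; }

# Returns 0 when the wan path answers, 1 otherwise. FAKE_WAN_STATE lets a dry
# run exercise both branches without a network.
wan_healthy() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        return "${FAKE_WAN_STATE:-0}"
    fi
    ping -c 3 -W 2 -I "$WAN_IF" "$PROBE" >/dev/null 2>&1
}

# Run from cron every minute. Prints which uplink is in use afterwards.
failover_step() {
    if wan_healthy; then
        run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$T_WAN"
        echo "state=wan"
    else
        run ip route del default table "$T_WAN" 2>/dev/null || true
        echo "state=dial"
    fi
}
```

Run setup_tables once from the boot scripts after wlan1 has its address, add `* * * * * /path/to/this.sh failover_step` style wrapper to root's crontab, and have /etc/ppp/ip-up call `dial_up "$1"`. LAN clients keep using the wlan0 address of this box as their gateway throughout; only the table their packets end up in changes.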
I got the Gateway part of the problem solved. Below are the commands to generate the firewall (most is from the Frugalware default firewall). Still working on the ppp problem.
#Clear iptables
# (a bare -F already flushes every chain of the filter table, so the three
# per-chain flushes below are harmless repeats; -X removes empty user chains)
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat
iptables -F -t mangle
iptables -X
# Default policy drop input, accept output and forward
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# Only allow ssh on local lan
# (matches on source address only; the "-i wlan0 -j ACCEPT" rule below
# already admits everything from the lan interface, so this line only adds
# port 22 for 192.168.0.x sources arriving on other interfaces)
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT
# Accept everything for loopback and lan, plus anything ESTABLISHED or RELATED
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i wlan0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Enable some icmp traffic
# (echo-reply 0, dest-unreachable 3 and time-exceeded 11 for traffic this
# host started are already covered by ESTABLISHED,RELATED above)
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
# Comment next line out to prevent responding to pings
# (echo-requests above 1/second fall through to the INPUT DROP policy)
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
# Internet shared with lan (wlan0 - lan, wlan1 - wan)
# Translate traffic from lan to wan
# (rewrites the source of lan packets leaving wlan1 to wlan1's own address;
# replies are translated back by connection tracking)
iptables -t nat -A POSTROUTING -o wlan1 -s 192.168.0.0/24 -j MASQUERADE
# Only allow forwarded traffic from wan to lan if it is ESTABLISHED or RELATED
# (everything else is forwarded by the FORWARD ACCEPT policy)
iptables -A FORWARD -i wlan1 -m state --state NEW,INVALID -j DROP
# Turn on routing between interfaces in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
Bill
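An added, tightened version of the ruleset above (it is not the Frugalware default and not Bill's script), for the same layout: wlan0 carries the lan 192.168.0.0/24, wlan1 is the primary uplink and ppp0 the dial backup. The points it changes: FORWARD gets a DROP policy with explicit lan-to-uplink accepts, so nothing is forwarded from ppp0 into the lan or between the two uplinks (the script above only blocks NEW from wlan1); MASQUERADE is applied on every uplink, because without a ppp0 rule lan clients would leave the dial link with private source addresses; the lan accept is bound to the wlan0 interface instead of matching on source address alone, so a packet arriving on wlan1 with a forged 192.168.0.x source is not admitted; and the whole ruleset is loaded atomically with iptables-restore, which avoids the window a chain-by-chain script leaves while policies are ACCEPT and chains are half built.

```sh
#!/bin/sh
# Tightened gateway ruleset for the thread's layout. Added example, not the
# Frugalware default and not the script above. Assumptions: wlan0 carries the
# LAN 192.168.0.0/24, wlan1 is the primary uplink, ppp0 the dial backup.
LAN_IF="wlan0"
LAN_NET="192.168.0.0/24"
UPLINKS="wlan1 ppp0"

# Emit the ruleset in iptables-save syntax. iptables-restore loads it in one
# atomic step; interface names that do not exist yet (ppp0 before dial-up) are
# accepted by iptables and simply never match until the interface appears.
gen_firewall() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
EOF
    for up in $UPLINKS; do
        # NAT on every uplink so the backup path also hides LAN addresses.
        echo "-A POSTROUTING -s $LAN_NET -o $up -j MASQUERADE"
    done
    cat <<EOF
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
EOF
    for up in $UPLINKS; do
        # Only LAN -> uplink may open connections; uplink -> LAN and
        # uplink -> uplink fall through to the FORWARD DROP policy.
        echo "-A FORWARD -i $LAN_IF -s $LAN_NET -o $up -j ACCEPT"
    done
    echo "COMMIT"
}

# Apply the ruleset. DRY_RUN=1 only prints it, which is useful for review.
apply_firewall() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        gen_firewall
        return 0
    fi
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_firewall | iptables-restore
}
```

Review the output of `DRY_RUN=1 apply_firewall` first; ssh from the lan is still reachable through the `-i wlan0 -s 192.168.0.0/24` accept, and the ICMP echo-reply, destination-unreachable and time-exceeded messages for traffic this host initiated are admitted by the RELATED,ESTABLISHED rule, so the separate per-type accepts are no longer needed.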