LinuxQuestions.org
Linux - Networking
06-14-2009, 10:17 AM   #1
bilbod
Help with iptables, 2 NICs + 2 subnets

I have 2 interfaces, wlan0 and wlan1, and 2 routers [192.168.0.1 (LAN) and 192.168.1.1 (Internet)].

I would like to configure iptables to do the following:

Connect to the lan with wlan0
Connect to the Internet with wlan1
Share the wlan1 Internet connection with other computers on the lan.
Use modem dial up (interface ppp0) as an Internet backup.

I have had a problem with dialup ppp before. To get it to work, I had to delete the default gateway from the kernel routing table before launching the ppp daemon and then restart all the network interfaces when finished with dialup.

I never liked that kludge and would like to avoid that problem if possible.

Thanks for any help.

Bill
 
06-15-2009, 12:08 PM   #2
OdinnBurkni
IPtables

Hi.
I have an iptables script that I use on most of my gateways with a little modification. If you're interested I can send it to you with some explanation. Well, it doesn't need much explanation because it's commented and pretty straightforward.

Regards,
Odinn Burkni
 
06-17-2009, 07:13 AM   #3
bilbod (Original Poster)
Quote (originally posted by OdinnBurkni):
Hi.
I have an iptables script that I use on most of my gateways with a little modification. If you're interested I can send it to you with some explanation. Well, it doesn't need much explanation because it's commented and pretty straightforward.

I would like to see that script. I have made some progress but am not done yet.

My firewall started with:

-------------
*filter
:INPUT DROP [1956:130146]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [972602:1376127870]
-A INPUT -p icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp --icmp-type 11 -j ACCEPT

-A INPUT -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
--------------

It is the default Frugalware Linux firewall with the --dport 22 line added by me for ssh on the local LAN.

I have now added:

iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
iptables -A INPUT -i wlan0 -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o wlan1 -j MASQUERADE

I can ping the Linux router (using its wlan0 address, 192.168.0.1) from other computers on my LAN; I can also ping its wlan1 address, 192.168.1.144, assigned by the cable router (DHCP). ssh works on my LAN and the Linux router has Internet access.

I cannot successfully ping the cable router (192.168.1.1) or any Internet address from other computers on my LAN. I have a D-Link router that is functioning as a hub for my LAN.

The Linux router's routing table is:

ip route ls

192.168.1.0/24 dev wlan1 proto kernel scope link src 192.168.1.144
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.1
169.254.0.0/16 dev wlan1 scope link
127.0.0.0/8 dev lo scope link
default via 192.168.1.1 dev wlan1

The default gateway points to the cable router.

I used Wireshark to watch the progress of packets through the Linux router. When I ping the cable router from my LAN, the ping request gets a reply and it appears to be routed correctly, but the ping reply fails to get to the originating computer.

Below is a sample of the Wireshark output.

No. Time Source Destination Protocol Info
6 1.374607 192.168.0.50 192.168.1.1 ICMP Echo (ping) request

Frame 6 (76 bytes on wire, 76 bytes captured)
Linux cooked capture
Internet Protocol, Src: 192.168.0.50 (192.168.0.50), Dst: 192.168.1.1 (192.168.1.1)
Internet Control Message Protocol

No. Time Source Destination Protocol Info
7 1.374644 192.168.1.144 192.168.1.1 ICMP Echo (ping) request

Frame 7 (76 bytes on wire, 76 bytes captured)
Linux cooked capture
Internet Protocol, Src: 192.168.1.144 (192.168.1.144), Dst: 192.168.1.1 (192.168.1.1)
Internet Control Message Protocol

No. Time Source Destination Protocol Info
8 1.383860 192.168.1.1 192.168.1.144 ICMP Echo (ping) reply

Frame 8 (76 bytes on wire, 76 bytes captured)
Linux cooked capture
Internet Protocol, Src: 192.168.1.1 (192.168.1.1), Dst: 192.168.1.144 (192.168.1.144)
Internet Control Message Protocol

No. Time Source Destination Protocol Info
9 1.383885 192.168.1.1 192.168.0.50 ICMP Echo (ping) reply

Frame 9 (76 bytes on wire, 76 bytes captured)
Linux cooked capture
Internet Protocol, Src: 192.168.1.1 (192.168.1.1), Dst: 192.168.0.50 (192.168.0.50)
Internet Control Message Protocol

No. Time Source Destination Protocol Info
10 1.383890 192.168.1.1 192.168.0.50 ICMP Echo (ping) reply

Frame 10 (76 bytes on wire, 76 bytes captured)
Linux cooked capture
Internet Protocol, Src: 192.168.1.1 (192.168.1.1), Dst: 192.168.0.50 (192.168.0.50)
Internet Control Message Protocol

Bill
 
06-23-2009, 12:58 AM   #4
bilbod (Original Poster)
Update

I got the gateway part of the problem solved. Below are the commands to generate the firewall (most of it is from the Frugalware default firewall). Still working on the ppp problem.

# Clear iptables
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat
iptables -F -t mangle
iptables -X

# Default policy drop input, accept output and forward
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# Only allow ssh on local lan
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT

# Accept everything for loopback and lan, plus anything ESTABLISHED or RELATED
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i wlan0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Enable some icmp traffic
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
# Comment next line out to prevent responding to pings
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT

# Internet shared with lan (wlan0 - lan, wlan1 - wan)
# Translate traffic from lan to wan
iptables -t nat -A POSTROUTING -o wlan1 -s 192.168.0.0/24 -j MASQUERADE
# Only allow forwarded traffic from wan to lan if it is ESTABLISHED or RELATED
iptables -A FORWARD -i wlan1 -m state --state NEW,INVALID -j DROP

echo 1 > /proc/sys/net/ipv4/ip_forward

Bill
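As an added example that is not part of the thread, here is a small POSIX sh audit of an iptables-save dump for the three points the final script settles: MASQUERADE for the LAN out of the WAN NIC, FORWARD closed to new flows arriving from the WAN, and INPUT defaulting to DROP. The interface names and LAN prefix are the thread's; the dumps it builds are constructed to mirror the post #3 state (FORWARD wide open) and the post #4 ruleset.

```shell
# Added example (not from the thread): audit an iptables-save dump of a
# two-NIC NAT gateway for the settings the thread converges on.
# wlan1 and 192.168.0.0/24 are the thread's; the dumps are constructed.
LAN_NET=192.168.0.0/24
WAN_IF=wlan1

# audit_dump FILE: print one line per finding, return the finding count
audit_dump() {
    n=0
    # NAT: LAN sources must be masqueraded when they leave via the WAN NIC
    if ! grep -- '^-A POSTROUTING' "$1" | grep -- "-s $LAN_NET" |
         grep -- "-o $WAN_IF" | grep -q -- '-j MASQUERADE'; then
        echo "missing: MASQUERADE for $LAN_NET out $WAN_IF"; n=$((n+1))
    fi
    # FORWARD policy ACCEPT is only safe if NEW flows from the WAN are dropped
    if ! grep -q '^:FORWARD DROP' "$1" &&
       ! grep -- "^-A FORWARD -i $WAN_IF" "$1" |
         grep -E -- '--(ct)?state [^ ]*NEW' | grep -q -- '-j DROP'; then
        echo "weak: FORWARD accepts NEW flows from $WAN_IF"; n=$((n+1))
    fi
    # INPUT: default DROP and no blanket accept on the WAN NIC
    grep -q '^:INPUT DROP' "$1" || { echo "weak: INPUT policy not DROP"; n=$((n+1)); }
    if grep -q -- "^-A INPUT -i $WAN_IF -j ACCEPT" "$1"; then
        echo "weak: INPUT accepts everything from $WAN_IF"; n=$((n+1))
    fi
    return $n
}

# mk_dump FILE EXTRA_RULE: write a constructed iptables-save style dump
mk_dump() {
    cat > "$1" <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o wlan1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i wlan0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$2
COMMIT
EOF
}
BEFORE=$(mktemp); AFTER=$(mktemp)
mk_dump "$BEFORE" ""   # post #3 state: FORWARD wide open from the WAN
mk_dump "$AFTER" "-A FORWARD -i wlan1 -m state --state NEW,INVALID -j DROP"
```

Run it against a real box with `iptables-save > dump && audit_dump dump`; a non-zero return is the number of findings printed.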
 
  

