n00b question: Simple routing of traffic does not work

runee · 11-01-2015, 02:59 PM

Hi,

This is probably really basic. I've tried googling everything, but I can't find an answer, which leads me to believe that either something is wrong and it should be as simple as I thought (thus noone is explaining it, because it is obvious) or I totally misunderstood something and what I am trying to do makes no sense.

Quick background: I have only very rudimentary knowledge of networks. I want to play around on my network (primary goal is to get intimate with iptables for a home-project) but first things first.

I have set up a fresh install of a debian linux and it is on my wireless network (if: wlan0). At the moment, by home router is on 192.168.1.1 and the linux box is 192.168.1.50 (/24). What I want to achieve is to have the network traffic going through my linux box. There is just this one interface on it (do I *have* to have two nics to route?!). I am trying to route on same nic - basically forwarding all traffic:

client -> linux(with iptables) -> home-router-> Internet

So basically injecting my linux box in the mix, so I can play with traffic using iptables.

What I have done:

Enabled ip forwarding on the linux:
> echo 1 > /proc/sys/net/ipv4/ip_forward
(This is temporary, I know)

Then changed my clients default gateway to 192.168.1.50 (linux box. Which has the gateway as 192.168.1.1 and internet is working).

Iptables has ACCEPT on all three chains.

So, nothing advanced, I haven't started to play with iptables yet or anything, as I just wanted to start with traffic going through my box - yet, there's no internet connection on the client.

So - is this not possible? As I said, my network knowledge is rudimentary at best, so it might not make sense what I am trying to do. Or is there some configuration I am missing?

I hope someone can help

Ser Olmy · 11-01-2015, 04:26 PM

You don't need two NICs in order to route, but you should at least have two different IP networks.

I think the main problem with your setup is that it introduces asymmetric routing, which means that outbound packets will take a different path than the return traffic:

Outbound: (PC on your network) -> (Linux box) -> (Router) -> (host on the Internet)
Return path: (host on the Internet) -> (Router) -> (PC on your network)

As you can see, the return path doesn't include the Linux box, since the router can reach the PCs on your network directly. Asymmetric routing is not necessarily a problem in and by itself, but when an iptables firewall is involved, seeing only half the traffic flow will confuse the iptables state engine.

Nevertheless, if the FORWARD chain is empty and has an ACCEPT policy, I would have expected it to work anyway. You could see if perhaps iptables -t nat -I POSTROUTING -j MASQUERADE makes a difference; it will make the Linux box perform NAT on outbound traffic, hence forcing the router to pass return traffic to it.