[SOLVED] Need Help on Simple IPTables Router/Firewall

dmlinton · 09-10-2010, 10:35 PM

My first post!

I recently had a go at setting up a WiFi Hotspot using wifidog. This, of course, entails creating a router and I chose to use iptables as this is what wifidog uses anyhow. Hitherto, I had only a vague idea of what iptables is and even less of an idea how to use it. Now, having executed endless Googles and howtos with close to zero success I am breaking down and asking for help.

My setup is: wireless AP (DHCP on) -> NIC eth0 -> HP 486 w/Debian Lenny/5 -> NIC eth1 -> wireless router (DHCP on) -> DSL modem -> ... the world

At this point I have no idea what the stumbling block is. I did actually get a simple iptables router working once and I got wifidog working once but both cases broke without my having changed anything (at least that's my story and I'm sticking to it). When wifidog starts up, there is a 'failed' on every line ouput to the terminal as wifidog sets up its iptables rules. It is almost as if something is missing on my system but all the checks I can find, like lsmod | grep ip, which shows 11 modules, seem to indicate that everything is present.

Now, I do not know what question to ask and therein lies my dilemma. One thing that would be helpful to know is whether the syntax is different among the various NIXs. What would be really helpful is a shell script that works to set up a very fundamental router that basically connects two network interfaces and lets all traffic go in both directions (easy for me to figure out the logic) - I found a reference here to there being one in "the Security section" but I cannot seem to find my way there.

So there it is, not only do I need answers, I need the questions too. Please help if you can as I have come to the end my rope. Any insights offered will be most appreciated.

Best regards,
Dennis

dmlinton · 09-11-2010, 12:05 AM

I found a brain dead simple two liner at http://www.cyberciti.biz/tips/linux-...-line-etc.html that is supposed to setup a simple router and goes like this (I added the flushing lines):

Code:

iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT

My /etc/network/interfaces is like this:

Code:

iface lo inet loopback

# eth1 connects to router connected to DSL modem
# it is shown as dynamic but router (192.168.1.1) reserves 192.168.1.196 for eth1
auto eth1
allow-hotplug eth1
iface eth1 inet dhcp

# eth0 is the internal network (hotspot network)
auto eth0
allow-hotplug eth0
iface eth0 inet static
  address 192.168.2.254
  netmask 255.255.255.0
  network 192.168.2.0
  broadcast 192.168.2.255
  dns-nameservers 192.168.1.196

route gives:

Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     *               255.255.255.0   U     0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth1

iptables -L -v returns:

Code:

Chain INPUT (policy ACCEPT 3503 packets, 553K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  eth0   any     anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 2709 packets, 581K bytes)
 pkts bytes target     prot opt in     out     source               destination

... but I cannot get anywhere - cannot ping 192.168.1.196 or 192.168.1.1 from a computer on the 192.168.2.0 network.
Any ideas?
Regards,
Dennis

dmlinton · 09-11-2010, 10:00 AM

Fixed it.

It seems that the problem may have been a single line missing:

Code:

iptables -X

Having finally found an example script that worked (http://www.debian-administration.org/articles/23), I went through line by line to find the "magic" bullet. The only common difference I could find relative to scripts that did not work was the iptables -X line.

BTW, I stowed the working firewall script in /etc/network/if-up.d as instructed in the page at the above noted link.

Regards,
Dennis