[SOLVED] Help with creating Access Point for mobile phone
I have been trying to create an access point on my netbook so that a mobile phone (Nokia Lumia 530) can access the internet via the USB modem.
I have installed hostapd-2.3 from Slackbuilds.org. The contents of /etc/hostapd/hostapd.conf are:
I use NetworkManager to connect to the internet with my USB modem and it appears as device wwan0.
As root,
i) I enable IP forwarding with 'sh /etc/rc.d/rc.ip_forward start'
ii) tell NetworkManager not to manage wifi with 'nmcli nm wifi off'
iii) assign an IP address to the wireless interface with 'ifconfig wlan0 192.168.0.1 up' (May need 'rfkill unblock wifi' first).
iv) start hostapd with 'sh /etc/rc.d/rc.hostapd start'
v) start dnsmasq with '/etc/rc.d/rc.dnsmasq start' with the following settings in /etc/dnsmasq.conf
All of the above seems to be working as the phone sees the access point and when connected (after entering the passphrase), the gateway and DNS server addresses appear as the expected 192.168.0.1.
The problem is that the phone then fails to connect to the internet.
When I capture a connection session with 'tcpdump -i any -w dump3.dmp' and then view with 'tcpdump -r dump3.dmp' I see:
It is likely that I have a problem with firewall rules. This is the content of the firewall script.
Code:
IPTABLES=/usr/sbin/iptables
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
GREP=/bin/grep
AWK=/bin/awk
SED=/bin/sed
IFCONFIG=/sbin/ifconfig
EXTIF="wwan0"
echo " External Interface: $EXTIF"
EXTIP="`$IFCONFIG $EXTIF | $AWK \
/$EXTIF/'{next}//{print $2;exit}'`"
echo " External IP: $EXTIP"
echo " ---"
UNIVERSE="0.0.0.0/0"
echo " Clearing any existing rules and setting default policy to DROP.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
$IPTABLES -F drop-and-log-it
fi
$IPTABLES -X
$IPTABLES -Z
echo " Creating a DROP chain.."
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j LOG --log-level info
$IPTABLES -A drop-and-log-it -j REJECT
echo -e "\n - Loading INPUT rulesets"
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m conntrack --ctstate \
ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i wlan0 -p udp --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i wlan0 -p all -s 192.168.0.0/24 -j ACCEPT
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo -e " - Loading OUTPUT rulesets"
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -o wlan0 -d 192.168.0.0/24 -j ACCEPT
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo -e " - Loading FORWARD rulesets"
$IPTABLES -A POSTROUTING -t nat -s 192.168.0.0/24 -d $UNIVERSE -j MASQUERADE
echo -e "\nDone.\n"
The masquerading seems to be working for DNS requests, but the masquerading seems to be failing for direct connections to external IP addresses.
If anybody has bothered reading this far, I feel like I am close, but have hit a spot where I am failing to see the wood for the trees. Help would be much appreciated.
PS - I have also tried bridging, but so far that has not been successful for me.
Thanks for the responses.
Especially thanks for the fresh eyes on the problem from Labinnah, as initialising the FORWARD chain seems to be the answer.
With this updated firewall script, all works as expected.
Code:
IPTABLES=/usr/sbin/iptables
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
GREP=/bin/grep
AWK=/bin/awk
SED=/bin/sed
IFCONFIG=/sbin/ifconfig
EXTIF="wwan0"
echo " External Interface: $EXTIF"
EXTIP="`$IFCONFIG $EXTIF | $AWK \
/$EXTIF/'{next}//{print $2;exit}'`"
echo " External IP: $EXTIP"
echo " ---"
UNIVERSE="0.0.0.0/0"
HOSTAPD_LAN="192.168.0.0/24"
echo " Clearing any existing rules and setting default policy to DROP.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
$IPTABLES -F drop-and-log-it
fi
$IPTABLES -X
$IPTABLES -Z
echo " Creating a DROP chain.."
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j LOG --log-level info
$IPTABLES -A drop-and-log-it -j REJECT
echo -e "\n - Loading INPUT rulesets"
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m conntrack --ctstate \
ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i wlan0 -p udp --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i wlan0 -p udp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo -e " - Loading OUTPUT rulesets"
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -o wlan0 -d $HOSTAPD_LAN -j ACCEPT
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo -e " - Loading FORWARD rulesets"
$IPTABLES -A FORWARD -i wlan0 -j ACCEPT
$IPTABLES -A FORWARD -o wlan0 -j ACCEPT
$IPTABLES -A POSTROUTING -t nat -s $HOSTAPD_LAN -d $UNIVERSE -o $EXTIF -j MASQUERADE
echo -e "\nDone.\n"
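Added example (not part of the original posts): a simplified walk of the FORWARD chain over constructed `iptables-save` text, showing why the first script dropped the phone's routed traffic while DNS, which dnsmasq answers on the netbook itself through INPUT and OUTPUT, still worked. The helper name `forward_verdict` and both sample rulesets are assumptions made up for this illustration; only `-i`/`-o` matches and ACCEPT/DROP/REJECT targets are evaluated.

```shell
#!/bin/sh
# Added example, not from the thread: report what the FORWARD chain does with a
# packet entering on one interface and leaving on another.
# Simplification: only -i/-o matches and ACCEPT/DROP/REJECT targets are
# evaluated; a rule using any other option is skipped.

# Constructed sample: filter table as left by the first script (no FORWARD rules).
BEFORE='*filter
:FORWARD DROP [0:0]
COMMIT'

# Constructed sample: filter table after the two FORWARD rules were added.
AFTER='*filter
:FORWARD DROP [0:0]
-A FORWARD -i wlan0 -j ACCEPT
-A FORWARD -o wlan0 -j ACCEPT
COMMIT'

# forward_verdict RULES IN_IF OUT_IF  (hypothetical helper name)
forward_verdict() {
    printf '%s\n' "$1" | awk -v in_if="$2" -v out_if="$3" '
        BEGIN { policy = "UNKNOWN"; decided = 0 }
        /^:FORWARD / { policy = $2 }
        /^-A FORWARD / && !decided {
            ok = 1; target = ""
            for (i = 3; i <= NF; i++) {
                if      ($i == "-i") { if ($(i + 1) != in_if)  ok = 0; i++ }
                else if ($i == "-o") { if ($(i + 1) != out_if) ok = 0; i++ }
                else if ($i == "-j") { target = $(i + 1); i++ }
                else                 { ok = 0 }   # unsupported option: skip rule
            }
            if (ok && (target == "ACCEPT" || target == "DROP" || target == "REJECT")) {
                verdict = target; decided = 1
            }
        }
        END { print (decided ? verdict : (policy " (policy)")) }
    '
}

echo "before, phone -> modem: $(forward_verdict "$BEFORE" wlan0 wwan0)"
echo "after,  phone -> modem: $(forward_verdict "$AFTER" wlan0 wwan0)"
echo "after,  modem -> phone: $(forward_verdict "$AFTER" wwan0 wlan0)"
```

On a live system the first argument can be the output of `iptables-save -t filter`, keeping in mind that rules with source, destination or conntrack matches are skipped by this simplified walk.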