iptables ipforwarding
 

I have a Fedora Box with chillispot loaded for a captive protal wifi network. I am needing my office lan to connenct to a controller on the WIFI network. I have tried many different firewall rules and have only momentarly able to ping something on the other network. here's some configuration info and my firewall rules that I thought should work.

FC 4

ETH0 - WAN (office lan 192.168.24.201/24)
ETH1 - LAN (brought up as 192.168.10.1/24)
tun0 - chilli 192.168.240.1

ETH1 is brought up as 192.168.10.1 and chilli brings up tun0 as 192.168.240.1/24/. I cant get my 192.168.24.0 to talk to either .10.0 or the 240.0 network. As you can see by my script I have other services running on this machine also, mail, radius, web, etc.... I commented out my rules drop forwards tried accepting with $IPTABLES -A FORWARD -i $EXTIF -j ACCEPT, #$IPTABLES -A FORWARD -o $EXTIF -j ACCEPT. That failed so I commented out and added $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT. Below is the whole script. I have ran iptables -F prior to running the script. I have also verified ip_forward is 1. My router for 24.0 net has a static route for 192.168.240.0 and 192.168.10.0 to the eth0. when I tracert 192.168.10.187 from 192.168.24.X it does trace back to the FC box and stops...

I hope I have explained everything right.... any help is appreciated.

Hi,

I am somewhat familiar with iptables rules but not with tunnel devices (if that is even the right thing to call things like tun0). I don't immediately see anything wrong with your rules, but maybe I can give you some troubleshooting tips that will help you figure out what is going on.

If you use the -v option when listing out iptables rules you can see how many packets (and how many bytes) have matched each rule. (I like to use iptables -nvL for listing.) So for example, you can check to see if you have packets matching your DROP rule at the end of the INPUT chain. If you see such and you want more information about what is getting dropped, you can add a rule (prior to the DROP rule!) to log such packets using the -j LOG target.

If this doesn't give you enough information to figure things out, you might look into using a packet sniffer such as tcpdump or Wire Shark. You can get fairly elaborate (if you need to) in the matching criteria you use and I think you should be able to use them on any interface, including tun0. Hopefully between iptables' packet counts, logging, and packet sniffing you can figure out where packets are disappearing and why. If you can figure out where they are disappearing but not why, maybe I can give your some more help with the iptables rules.

Good luck.

can you give us the output of:
iptables-save
ifconfig
route -n
cat /proc/sys/net/ipv4/ip_forward

UPDATE - Sorry it took so long I worked on it remotely got it working but stopped the captive portal, so I commented out all the stuff I was testing with and to make it work till I could get on property and work on it. long story short I got it working with config below. But I still have a problem. I don't want my 240.x network to talk to my 24.x net (except gateway) But I need my 24.0 net to talk to a single host of 192.168.240.254. Below is my current configs and outputs requested. I appreciate the help guys :-)


Firewall script
iptables-save
ifconfig
route -n

If you change the policy of your FORWARD chain to drop, this will work if you add it in to the forward section of your firewall script:
At the moment 166584 packets have matched your default forward policy of accept, so changing the policy to DROP may have unintended consequences. If you do not want to change the default policy, add this instead of the above rules: