LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 06-18-2010, 05:06 AM   #1
vlrk
Member
 
Registered: Dec 2008
Posts: 51

Rep: Reputation: 1
iptables rules help


Hello friends,

The following is my setup:

wireless server (IP of this server is 192.168.1.1) -- target board (wireless client [the IP it got from the wireless server is 192.168.1.3], bridge (192.168.36.1)) -- Linux PC (192.168.36.3)

As shown above, I have a target board with a wireless interface, and a Linux PC is connected to the target board.

The IPs are: Linux PC 192.168.36.3, and my target board's bridge IP is 192.168.36.1.

My wireless interface got its IP, 192.168.1.3, from another server. Now if I ping 192.168.1.1 from my target board, it goes through the wireless interface to the 192.168.1.1 wireless server.

But when I do the same from the Linux PC connected to the target board, it does not ping.

From the Linux PC I am able to ping 192.168.1.3 but not 192.168.1.1.

So any ideas?

Your help will be highly appreciated.

I think I need to write an iptables rule properly on my target board to forward the 192.168.1.* packets to the wireless interface.

Regards,
RamaKanth
 
Old 06-18-2010, 05:36 AM   #2
centosboy
Senior Member
 
Registered: May 2009
Location: london
Distribution: centos5
Posts: 1,137

Rep: Reputation: 116Reputation: 116
Quote: Originally Posted by vlrk (post #1, quoted in full)
Can you show your current rules please?
 
Old 06-18-2010, 05:41 AM   #3
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
If you have a box with two or more interfaces, you need to allow FORWARD between them. You can simply change the default rule to ACCEPT and put "1" in /proc/sys/net/ipv4/ip_forward.
 
Old 06-19-2010, 08:54 AM   #4
vlrk
Member
 
Registered: Dec 2008
Posts: 51

Original Poster
Rep: Reputation: 1
ip_forward is already "1".

As far as rules are concerned, I need to keep the rules now.

My interfaces are as below:

br0 (target board, IP 192.168.48.1)

ath0 (my wireless interface, IP 192.168.1.3)

Linux PC connected to the target board (IP 192.168.48.2)

My idea is to write a rule in the nat table PREROUTING to forward the packets to ath0.

Then I think ath0 should send them to the wireless server (192.168.1.1).

By the way, ath0 is not in the bridge.

In bridge br0 only eth0 is there, to which my Linux PC is connected.

So: from the Linux PC --> eth0 of the target board --> br0 of the target board --> from there forward these packets to ath0.

Is it right?

Regards
 
Old 06-19-2010, 06:40 PM   #5
SuperJediWombat!
Member
 
Registered: Apr 2009
Location: Perth, Australia
Distribution: Ubuntu/CentOS
Posts: 208

Rep: Reputation: 51
You need to either enable SNAT on the wireless interface, or set up a static route on the wireless router telling it that the 192.168.1.0/24 network is reached via 192.168.1.3.

Use this for the NAT (if you want to do that):
Code:
iptables -t nat -A POSTROUTING -o ath0 -s 192.168.48.0/24 -j MASQUERADE
 
Old 06-20-2010, 10:35 PM   #6
vlrk
Member
 
Registered: Dec 2008
Posts: 51

Original Poster
Rep: Reputation: 1
I have done the following packet capturing using tcpdump:

1. Ran ping on my Linux box (connected to the target board).
2. Captured the packets arriving on the ath0 interface (wireless).
Here the result is that it is receiving packets from my Linux PC.
Conclusion: the packets are forwarded to ath0.

3. Captured the packets on the wireless router (i.e. 192.168.1.1).

Here the result is that it replies with "udp port 137 unreachable".

So I guess I need to do the SNAT on my target board's wireless interface,

like: packets coming with IP 192.168.48.0/24, SNAT to 192.168.1.3.

Is it right?

Regards
 
Old 06-21-2010, 03:13 AM   #7
vlrk
Member
 
Registered: Dec 2008
Posts: 51

Original Poster
Rep: Reputation: 1
I got SNAT working but need to do the DNAT.

I have added the following rules:

Code:
# iptables -t filter -nvL FORWARD
Chain FORWARD (policy DROP 2984 packets, 242K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1517  126K ACCEPT     all  --  br0    ath0    0.0.0.0/0            192.168.1.0/24

# iptables -t nat -nvL POSTROUTING
Chain POSTROUTING (policy ACCEPT 559 packets, 35090 bytes)
 pkts bytes target     prot opt in     out     source               destination
  802 65907 SNAT       all  --  *      ath0    192.168.48.0/24      192.168.1.0/24       to:192.168.1.3

Now I want to write a DNAT rule so that the packet reaches the Linux PC.

Any ideas how to write this?
 
Old 06-21-2010, 03:22 AM   #8
SuperJediWombat!
Member
 
Registered: Apr 2009
Location: Perth, Australia
Distribution: Ubuntu/CentOS
Posts: 208

Rep: Reputation: 51
You should not need a DNAT rule unless you want to allow traffic back in from the wireless. You will need to add in another rule to FORWARD accepting incoming traffic.
Code:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
Please enclose any output in [code] tags, as it is very difficult to read without fixed width fonts.
 
Old 06-21-2010, 07:36 AM   #9
vlrk
Member
 
Registered: Dec 2008
Posts: 51

Original Poster
Rep: Reputation: 1
Thank you very much.

It indeed helped me.

What does this do, basically?

And why should I add, or not add, DNAT? Can you please explain?

regards
 
Old 06-21-2010, 08:54 AM   #10
SuperJediWombat!
Member
 
Registered: Apr 2009
Location: Perth, Australia
Distribution: Ubuntu/CentOS
Posts: 208

Rep: Reputation: 51
I was going to say google it, but I tried and found nothing really informative...

-- DNAT (Destination NAT) is for changing the destination of a packet.
Common usage: if you only have an external IP address (66.66.66.66) and you want people to be able to connect to a web server you have on an internal LAN address (10.1.1.20), you would change any packets that come to the 66.66.66.66 address on port 80 so that they get routed to the internal address. It is commonly called port forwarding on consumer routers.

-- SNAT (Source NAT) is for changing the source address of a packet.
Common usage: if you have a LAN with many computers on private IP addresses, and you want them to be able to use the internet through one public IP address, you get your router to change the source address of packets coming from the LAN so that they match the outside IP address. This way, when the computer that your LAN computers are communicating with gets the packet, it will know where to send it (to your public IP).
 
Old 06-21-2010, 09:18 AM   #11
vlrk
Member
 
Registered: Dec 2008
Posts: 51

Original Poster
Rep: Reputation: 1
Thanks,

Do I have any log facility for iptables, where I can know that a specific rule got hit by so-and-so?


regards
 
Old 06-21-2010, 06:00 PM   #12
SuperJediWombat!
Member
 
Registered: Apr 2009
Location: Perth, Australia
Distribution: Ubuntu/CentOS
Posts: 208

Rep: Reputation: 51
If you want to watch the rule counters count up as they are hit, use
Code:
watch --interval 0 'iptables -vnL'
Otherwise you will need to research the LOG target.
 
Old 06-22-2010, 03:58 AM   #13
vlrk
Member
 
Registered: Dec 2008
Posts: 51

Original Poster
Rep: Reputation: 1
I am having my setup as described in my previous posts.

I am having an issue here: except ping or dig, I cannot do anything from my Linux PC. This is because my rules were very specific to the IP address.

I am now trying to write a dynamic rule in the FORWARD chain, in such a way that it should send all traffic which has not been satisfied in br0 to ath0

(what I mean is, it should first see if any of the bridge satisfies the request, or else, if the first rule fails, then it has to go to ath0).

While doing SNAT also it should be like this: whatever IP ath0 gets should be my SNAT IP.

So that I can browse, FTP etc. from the Linux machine.

Regards
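As an added example (this is not code from the thread or from any of its posters), here is the complete rule set the board needs for the setup described in this thread, generated by a small shell script rather than typed rule by rule: default-deny FORWARD with a conntrack return rule (the two rules from posts #5 and #8), MASQUERADE so that the source NAT follows whatever address ath0 currently holds (the request in the post above), and an optional DNAT port forward of the kind explained in post #10. The interface names, the 192.168.48.0/24 LAN and the 192.168.48.2 PC address are taken from the thread; the function names, the port numbers and the APPLY=1 switch are my own assumptions. By default the script only prints the commands.

```shell
#!/bin/sh
# Added example (not from the thread): rule set for a Linux board that routes a
# LAN (br0, 192.168.48.0/24) out of a wireless client interface (ath0).
# Printed as a dry run; set APPLY=1 to execute the lines (root + iptables needed).
LAN_IF=${LAN_IF:-br0}                 # interface toward the Linux PC (from the thread)
WAN_IF=${WAN_IF:-ath0}                # wireless client interface (from the thread)
LAN_NET=${LAN_NET:-192.168.48.0/24}   # LAN behind the board (from the thread)

# Core router rules. Each rule is echoed so the set can be reviewed or tested
# without touching the kernel.
router_rules() {
    # default deny: only flows matched below may cross the board
    echo "iptables -P FORWARD DROP"
    # replies to connections opened from the LAN, on any interface pair
    # (same purpose as the -m state rule in the thread, newer match syntax)
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # new connections are allowed only from the LAN toward the wireless side
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT"
    # source NAT: MASQUERADE uses whatever address $WAN_IF currently has, so it
    # keeps working when DHCP on the wireless side hands out a new address
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE"
}

# Optional DNAT (port forward): expose one LAN TCP service on the wireless
# address. Only needed for connections that start on the wireless side.
# Usage: dnat_rules <wan_port> <lan_ip> <lan_port>   (values are assumptions)
dnat_rules() {
    wan_port=$1; lan_ip=$2; lan_port=$3
    # rewrite the destination before the routing decision
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $wan_port -j DNAT --to-destination $lan_ip:$lan_port"
    # the rewritten packet still has to pass FORWARD as a NEW connection, and
    # the filter table sees the post-DNAT destination
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $lan_ip --dport $lan_port -m conntrack --ctstate NEW -j ACCEPT"
}

# Dry run unless APPLY=1; then every generated line is executed in order.
run_rules() {
    if [ "${APPLY:-0}" = "1" ]; then
        while IFS= read -r cmd; do eval "$cmd"; done
    else
        cat
    fi
}

# Print (or apply) the full set; the port forward uses the PC address from the thread.
{ router_rules; dnat_rules 8080 192.168.48.2 80; } | run_rules
```

The order matters: the ESTABLISHED,RELATED rule is what lets the replies back in through the DROP policy, and the DNAT needs its own FORWARD accept because the filter table sees the already-rewritten destination.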
 
Old 06-22-2010, 04:22 AM   #14
centosboy
Senior Member
 
Registered: May 2009
Location: london
Distribution: centos5
Posts: 1,137

Rep: Reputation: 116Reputation: 116
Quote: Originally Posted by vlrk (post #13, quoted in full)
To help your cause, it might be a good idea to create a rule that logs everything that is dropped. So anything not allowed... is dropped.
This helps a great deal when troubleshooting.

An example being...
Code:
iptables -N LOG_DROP
iptables -A LOG_DROP -j LOG --log-prefix "<prefix>" --log-level <level>
iptables -A INPUT -j LOG_DROP
iptables -A FORWARD -j LOG_DROP
iptables -A OUTPUT -j LOG_DROP
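The LOG target writes one kernel message per packet, which gets unreadable quickly. As an added example (not part of centosboy's post or of the thread), the script below summarises such lines, in either syslog or dmesg form, into one line per flow: prefix, interfaces, addresses, protocol and destination port. The sample log lines are constructed to resemble what LOG rules with the prefixes [ATH0_LOG] and [FW_DROP] would produce; the prefixes, addresses and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): summarise netfilter LOG output so that
# one line per flow replaces one line per packet.

# Constructed sample, in the two forms the kernel log shows up in: syslog
# ("... kernel: ") and raw dmesg ("[ timestamp] "). Prefixes are assumptions.
sample_log() {
cat <<'EOF'
Jun 23 05:30:01 board kernel: [ATH0_LOG] IN=br0 OUT=ath0 SRC=192.168.48.2 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 23 05:30:01 board kernel: [ATH0_LOG] IN=br0 OUT=ath0 SRC=192.168.48.2 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=51235 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
[  123.456] [ATH0_LOG] IN=br0 OUT=ath0 SRC=192.168.48.2 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=51236 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 23 05:30:03 board kernel: [FW_DROP] IN=ath0 OUT=br0 SRC=192.168.1.1 DST=192.168.48.2 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun 23 05:30:04 board kernel: [FW_DROP] IN=ath0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.1 DST=192.168.1.3 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=5 PROTO=ICMP TYPE=8 CODE=0 ID=6 SEQ=1
EOF
}

# Read log lines on stdin; print "count prefix IN OUT SRC DST PROTO DPT",
# busiest flows first. Fields that are absent (no port for ICMP) print as "-".
summarize_log() {
    awk '
    function val(k) { return (k in v && v[k] != "") ? v[k] : "-" }
    {
        line = $0
        sub(/^.*kernel: /, "", line)        # drop syslog date/host/"kernel:"
        sub(/^\[ *[0-9.]+\] /, "", line)    # drop dmesg uptime stamp
        i = index(line, "IN=")
        if (i == 0) next                    # not a netfilter LOG line
        prefix = substr(line, 1, i - 1)
        sub(/ +$/, "", prefix)
        if (prefix == "") prefix = "-"
        split("", v)                        # clear the key=value map (portable awk)
        n = split(line, f, " ")
        for (j = 1; j <= n; j++) {
            eq = index(f[j], "=")
            if (eq > 0) v[substr(f[j], 1, eq - 1)] = substr(f[j], eq + 1)
        }
        key = prefix " " val("IN") " " val("OUT") " " val("SRC") " " val("DST") " " val("PROTO") " " val("DPT")
        count[key]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Typical use: summarize_log < /var/log/messages, or: dmesg | summarize_log
sample_log | summarize_log
```

On the sample input this prints the three TCP SYNs from the PC as a single line with count 3, followed by the two dropped flows; run against a real log it shows at a glance which flow a DROP policy is eating.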
 
Old 06-23-2010, 04:34 AM   #15
vlrk
Member
 
Registered: Dec 2008
Posts: 51

Original Poster
Rep: Reputation: 1
How to allow HTTP traffic from outside to inside?

As in my above setup, with the above rules added:

Code:
*raw
:PREROUTING ACCEPT [22065:2573617]
:OUTPUT ACCEPT [18572:3407839]
-A PREROUTING -j raw_adv_notrack_pre_filter
-A OUTPUT -j raw_adv_notrack_out_filter
COMMIT
# Completed on Wed Jun 23 05:28:40 2010
# Generated by iptables-save v1.4.2 on Wed Jun 23 05:28:40 2010
*nat
:PREROUTING ACCEPT [906:69921]
:POSTROUTING ACCEPT [1421:85870]
:OUTPUT ACCEPT [1426:87510]
-A POSTROUTING -j LOG --log-prefix "[ATH0_LOG] " --log-level 7
-A POSTROUTING -o ath0 -j SNAT --to-source 192.168.1.3
COMMIT
# Completed on Wed Jun 23 05:28:40 2010
# Generated by iptables-save v1.4.2 on Wed Jun 23 05:28:40 2010
*mangle
:PREROUTING ACCEPT [22070:2573877]
:INPUT ACCEPT [21358:2424629]
:FORWARD ACCEPT [642:132100]
:OUTPUT ACCEPT [18577:3408552]
:POSTROUTING ACCEPT [19234:3545572]
COMMIT
# Completed on Wed Jun 23 05:28:40 2010
# Generated by iptables-save v1.4.2 on Wed Jun 23 05:28:40 2010
*filter
:INPUT ACCEPT [21358:2424629]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [18577:3408552]
-A FORWARD -i br0 -o ath0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT

But I am not able to figure out why my Linux system is failing to browse any sites.

I am able to ping any URL and I get the reply, but no browsing.

Can anybody give me some leads?

I tried to put logs, but I am not able to find out anything useful from them.

Regards
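As an added example (not from the thread), here is a shell audit that reads an iptables-save dump and reports the checks worth running on this kind of router before looking anywhere else: FORWARD policy, a return-traffic rule, a LAN-to-wireless accept, source NAT on the wireless interface, custom chains in the raw table (NOTRACK there would bypass the conntrack state that both the RELATED,ESTABLISHED rule and the SNAT depend on), whether a TCPMSS clamp exists (a common cause of "ping works, TCP stalls"), and LOG rules at level 7, which many syslog configurations never write anywhere. The embedded dump is a copy of the one posted above with the counters zeroed; the interface names default to the ones in this thread, and the function names are my assumptions. Whether the raw chains actually contain NOTRACK cannot be seen from the dump, so that finding is a warning to check, not a diagnosis.

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables-save dump for the
# checks that matter on a small NAT router. Interface names default to the
# ones used in this thread; override with LAN_IF/WAN_IF.
LAN_IF=${LAN_IF:-br0}
WAN_IF=${WAN_IF:-ath0}

# Copy of the dump posted above (counters zeroed), so the audit runs offline.
sample_dump() {
cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -j raw_adv_notrack_pre_filter
-A OUTPUT -j raw_adv_notrack_out_filter
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -j LOG --log-prefix "[ATH0_LOG] " --log-level 7
-A POSTROUTING -o ath0 -j SNAT --to-source 192.168.1.3
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i br0 -o ath0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Read a dump on stdin, print one OK/WARN/INFO line per check.
audit_ruleset() {
    awk -v lan="$LAN_IF" -v wan="$WAN_IF" '
    function st(ok) { return ok ? "OK" : "WARN" }
    /^\*/ { table = substr($0, 2); next }       # "*filter" etc. starts a table
    table == "filter" && /^:FORWARD / { policy = $2 }
    table == "filter" && /^-A FORWARD / {
        if ($0 ~ /(--state|--ctstate) [A-Z,]*ESTABLISHED/ && /-j ACCEPT/) est = 1
        if ($0 ~ ("-i " lan " -o " wan) && /-j ACCEPT/) lan2wan = 1
    }
    (table == "filter" || table == "mangle") && /-j TCPMSS/ { mss = 1 }
    table == "nat" && /^-A POSTROUTING / && $0 ~ ("-o " wan) && /-j (SNAT|MASQUERADE)/ { snat = 1 }
    /-j LOG / && /--log-level (7|debug)/ { debuglog = 1 }
    table == "raw" && /^-A (PREROUTING|OUTPUT) -j / { chains = (chains == "" ? $NF : chains " " $NF) }
    table == "raw" && /NOTRACK|--notrack/ { notrack = 1 }
    END {
        print st(policy == "DROP") ": FORWARD policy is " (policy == "" ? "unset" : policy)
        print st(est) ": FORWARD " (est ? "accepts" : "lacks a rule for") " RELATED,ESTABLISHED return traffic"
        print st(lan2wan) ": FORWARD " (lan2wan ? "accepts" : "lacks a rule for") " new connections " lan " -> " wan
        print st(snat) ": nat POSTROUTING " (snat ? "translates" : "does not translate") " source addresses on " wan
        if (notrack) print "WARN: raw table uses NOTRACK; those flows get no conntrack state, so state matching and NAT do not apply to them"
        else if (chains != "") print "WARN: raw table jumps to custom chain(s): " chains "; if they apply NOTRACK to these flows, state matching and NAT are bypassed"
        else print "OK: raw table has no custom chains"
        if (!mss) print "INFO: no TCPMSS clamp; if ping and DNS work but TCP sessions stall, test: iptables -t mangle -A FORWARD -o " wan " -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
        if (debuglog) print "INFO: LOG rule at --log-level 7 (debug); many syslog setups discard debug, so read dmesg or use a lower level"
    }'
}

# Typical use on the board itself: iptables-save | audit_ruleset
sample_dump | audit_ruleset
```

On the dump from this thread the four core checks pass, and the two things left to look at are the raw-table chains and the missing MSS clamp; the level-7 LOG line also explains why the logs seemed empty if syslog was not configured to keep debug messages.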
 