So, I've got a little machine with both wired and wireless NICs in it, where I've installed Linux. The wireless NIC connects the machine to my LAN--all is working fine there. On the wired NIC, I set up a subnet so that I can connect another device to that and have the little machine's internet connection shared over that port. I found some great directions for setting that up and that's working quite well too.
The directions I found offered a set of iptables rules that allow NAT'ing between the two interfaces and, as I mentioned, that's working. But the directions envisioned what is the wifi NIC in my set-up as being an internet-facing interface, so it added some additional rules that would block most ports connecting through it (only port 22 was opened). That part of the directions has gotten me into a bit of trouble because, since this machine is on an internal LAN, I don't really need the port blocking stuff--all I need is the NAT'ing stuff.
I already had to explicitly open port 80 on the little machine, since I run a web server on it that needs to be accessible on my LAN. Now I think I'm running into another problem with those rules, since I am now trying to get access to this machine from my LAN on another port and cannot. So, what I want to do is, like I said, keep the NAT'ing rules but get rid of the port blocking rules. Since my iptables-fu is sketchy at best, I wanted to ask here for some help in implementing the right rules for this scenario.
So, the current rules are implemented as follows:
Code:
root # iptables -F
root # iptables -t nat -F
root # iptables -P INPUT ACCEPT
root # iptables -P OUTPUT ACCEPT
root # iptables -P FORWARD DROP
root # export wired=eth0
root # export wifi=wlan0
root # iptables -I INPUT 1 -i ${wired} -j ACCEPT
root # iptables -I INPUT 1 -i lo -j ACCEPT
root # iptables -A INPUT -p UDP --dport bootps ! -i ${wired} -j REJECT
root # iptables -A INPUT -p UDP --dport domain ! -i ${wired} -j REJECT
root # iptables -A INPUT -p TCP --dport ssh -i ${wifi} -j ACCEPT
root # iptables -A INPUT -p TCP --dport 80 -i wlan0 -j ACCEPT
root # iptables -A INPUT -p TCP ! -i ${wired} -d 0/0 --dport 0:1023 -j DROP
root # iptables -A INPUT -p UDP ! -i ${wired} -d 0/0 --dport 0:1023 -j DROP
root # iptables -I FORWARD -i ${wired} -d 192.168.0.0/255.255.0.0 -j DROP
root # iptables -A FORWARD -i ${wired} -s 192.168.0.0/255.255.0.0 -j ACCEPT
root # iptables -A FORWARD -i ${wifi} -d 192.168.0.0/255.255.0.0 -j ACCEPT
root # iptables -t nat -A POSTROUTING -o ${wifi} -j MASQUERADE
root # echo 1 > /proc/sys/net/ipv4/ip_forward
root # for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
root # /etc/init.d/iptables save
I believe, but want to double check here, that something like the following might actually do what I need:
Code:
# Flush the saved rules first, otherwise the old port-blocking INPUT rules stay in place
iptables -F
iptables -t nat -F
iptables -P FORWARD DROP
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
# Return traffic coming back in over wifi for the wired device
iptables -A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# New connections from the wired device out over wifi (the original line had -i/-o reversed)
iptables -A FORWARD -i eth0 -o wlan0 -j ACCEPT
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
/etc/init.d/iptables save
Can anyone confirm for me whether I'm on the right track in reformulating these rules and whether using these might result in NAT continuing to work between these two interfaces, but without any port blocking?
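One way to confirm the result instead of eyeballing the chains is to check the loaded ruleset for exactly the three properties asked about: a MASQUERADE out of the wifi NIC, forwarding from wired to wifi plus the return path, and no DROP/REJECT left in INPUT. The script below is an added example, not part of the original post; the interface names eth0/wlan0 come from the post, while the two `iptables-save` samples and the `check_nat_only` function are constructed here for illustration.

```shell
#!/bin/sh
# Constructed iptables-save output for the reworked, NAT-only ruleset
# (an assumed end state for illustration, not captured from the poster's box).
NEW_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -j ACCEPT
COMMIT'

# Constructed iptables-save output resembling the original ruleset, which still
# carries a port-blocking INPUT rule.
OLD_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -j ACCEPT
-A INPUT ! -i eth0 -p tcp -m tcp --dport 0:1023 -j DROP
-A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -j ACCEPT
COMMIT'

# check_nat_only RULES WIRED WIFI
# Succeeds only when RULES masquerade out of WIFI, forward WIRED->WIFI plus the
# return traffic, and contain no DROP/REJECT rule in INPUT (no port blocking).
check_nat_only() {
    rules=$1 wired=$2 wifi=$3
    printf '%s\n' "$rules" | grep -q -- "^-A POSTROUTING -o $wifi -j MASQUERADE" \
        || { echo "missing MASQUERADE out of $wifi"; return 1; }
    printf '%s\n' "$rules" | grep -q -- "^-A FORWARD -i $wired -o $wifi -j ACCEPT" \
        || { echo "missing $wired -> $wifi FORWARD accept"; return 1; }
    printf '%s\n' "$rules" | grep -q -- "^-A FORWARD -i $wifi -o $wired .*RELATED,ESTABLISHED -j ACCEPT" \
        || { echo "missing RELATED,ESTABLISHED return-path rule"; return 1; }
    if printf '%s\n' "$rules" | grep -Eq -- '^-A INPUT .*-j (DROP|REJECT)'; then
        echo "INPUT chain still contains blocking rules"; return 1
    fi
    echo "ruleset is NAT-only: forwarding works, no port blocking"
}

check_nat_only "$NEW_RULES" eth0 wlan0
```

Against the live firewall, run `check_nat_only "$(iptables-save)" eth0 wlan0` after loading the new rules; it exits non-zero and names the first missing or leftover rule.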