Old 12-08-2015, 08:38 PM   #1
iptables rules help request

So, I've got a little machine with both wired and wireless NICs in it, where I've installed Linux. The wireless NIC connects the machine to my LAN--all is working fine there. On the wired NIC, I set up a subnet so that I can connect another device to that and have the little machine's internet connection shared over that port. I found some great directions for setting that up and that's working quite well too.

The directions I found offered a set of iptables rules that allow NAT'ing between the two interfaces and, as I mentioned, that's working. But the directions envisioned what is the wifi NIC in my set-up as being an internet-facing interface, so it added some additional rules that would block most ports connecting through it (only port 22 was opened). That part of the directions has gotten me into a bit of trouble because, since this machine is on an internal LAN, I don't really need the port blocking stuff--all I need is the NAT'ing stuff.

I already had to explicitly open port 80 on the little machine, since I run a web server on it that needs to be accessible on my LAN. Now I think I'm running into another problem with those rules, since I am now trying to get access to this machine from my LAN on another port and cannot. So, what I want to do is, like I said, keep the NAT'ing rules but get rid of the port blocking rules. Since my iptables-fu is sketchy at best, I wanted to ask here for some help in implementing the right rules for this scenario.

So, the current rules are implemented as follows:
# Flush any existing rules in the filter and nat tables
iptables -F
iptables -t nat -F
# Default policies: local traffic allowed, forwarding denied unless a rule permits it
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
export wired=eth0
export wifi=wlan0
# Accept everything arriving from the wired subnet and from loopback
iptables -I INPUT 1 -i ${wired} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
# Only answer DHCP and DNS requests that come in on the wired subnet
iptables -A INPUT -p UDP --dport bootps ! -i ${wired} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${wired} -j REJECT
# The port-blocking part: on the wifi side only ssh (and, added for the web server, 80)
# are reachable; every other privileged port is dropped
iptables -A INPUT -p TCP --dport ssh -i ${wifi} -j ACCEPT
iptables -A INPUT -p TCP --dport 80 -i wlan0 -j ACCEPT
iptables -A INPUT -p TCP ! -i ${wired} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i ${wired} -d 0/0 --dport 0:1023 -j DROP
# The NAT part: forwarding between the two interfaces (the address argument
# after -d/-s is missing as posted) and masquerading out of the wifi side
iptables -I FORWARD -i ${wired} -d -j DROP
iptables -A FORWARD -i ${wired} -s -j ACCEPT
iptables -A FORWARD -i ${wifi} -d -j ACCEPT
iptables -t nat -A POSTROUTING -o ${wifi} -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
/etc/init.d/iptables save
I believe, but want to double check here, that something like the following might actually do what I need:
echo 1 > /proc/sys/net/ipv4/ip_forward
# Masquerade everything leaving through the wifi side
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
# Replies to connections opened from the wired side may come back in
iptables -A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# New connections from the wired device go out via wifi (eth0 -> wlan0, not wlan0 -> eth0 a second time)
iptables -A FORWARD -i eth0 -o wlan0 -j ACCEPT
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
/etc/init.d/iptables save
Can anyone confirm for me whether I'm on the right track in reformulating these rules and whether using these might result in NAT continuing to work between these two interfaces, but without any port blocking?

Last edited by jamtat; 12-09-2015 at 01:02 AM.
Old 12-09-2015, 01:27 AM   #2
Original Poster
Found a couple of additional resources touching on this matter. The first one is at and, adapted to my scenario, it looks like the rules would be something like the following:
echo 1 > /proc/sys/net/ipv4/ip_forward
# Wired device may open connections out through wifi
iptables -A FORWARD -i eth0 -o wlan0 -j ACCEPT
# Only replies to those connections come back in from wifi
iptables -A FORWARD -i wlan0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
Another one I found at is similar. Adapted to my scenario, the rules should probably be implemented in a manner like the following:
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
# Replies from the wifi side back to the wired device
iptables -A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# New connections from the wired device out through wifi
iptables -A FORWARD -i eth0 -o wlan0 -j ACCEPT
Comparing the two, the differences are really only the order of the rules and transposition of some words. And both are essentially like the example I included at the end of my OP. So perhaps I'm on the right track there. In any case, input will be appreciated.

PS So wlan0 is the wifi interface that connects the little machine to the LAN, while eth0 is the wired interface on which the subnet for some other wired device to be hooked there gets established.
Old 12-09-2015, 04:47 AM   #3
Senior Member
The order you mention in your second post does not matter, because you not only use a different chain, POSTROUTING, but also another filter, -t nat. Not sure where you actually want to insert the new rules; good practice is to get the --state ESTABLISHED,RELATED rule quite high in the chain. This relieves iptables of walking all the way down to hit it. Also, iptables rule sets below 1000 rules should not affect latency at all.
What I'm missing from your new rules is the new port you wanted to be opened...

Maybe you could use some self-created chains to order the rules by wired and wireless interface?
iptables -N wireless                       # new user-defined chain
iptables -A INPUT -i ${wifi} -j wireless   # hand traffic arriving on wifi to it
iptables -A wireless -p UDP -j DROP        # rules for the wifi side then go here
Your FORWARD rules might block connections between your wired LAN and wifi LAN if you have the IP range in use.
Also, the MASQUERADE rule after them might not be what you want. It changes every sender IP that goes out to the wifi LAN to use the address of the little box. Normally you would use MASQUERADE if you go out to the internet (WAN).

Maybe you can draw a quick diagram of your network and describe what connections you want to allow and which ones to deny. Also, if you want to have a LAN on the wired interface of the little box, maybe get another wired interface. This way you could separate the WAN (internet), LAN and WLAN networks.
Old 12-09-2015, 12:41 PM   #4
Original Poster
Thanks for your input, zhjim, and apologies for the unclarity. To be clear, I want no port blocking at all to be happening between the two interfaces: all traffic should flow freely on all ports. I'd rather not have to create any more additional iptables rules and manually open any more ports: both machines are on a private LAN and port blocking is not needed.

Here's a crude diagram that may help depict what I'm intending to do:
               ((((( + )))  ((( + ))))
                     |          |
                     |          |
                     +          +
                   |wired/wifi     |
                   |  router/AP    |
                   |               |
                      |                     ((( + )))
<---------------------+                         |
 connection to internet                         |
                                            | wlan0 connects to |
                                            | router            |
                                            |little machine     |
                                            |               eth0|<------------------------+
                                            +-------------------+                         |
                                                                        |                   |
                                                                        | other device      |
                                                                        |                   |
                                                                        |                   |
                                                                         connects to little
                                                                        machine's eth0 & shares
                                                                        its connection to internet
Old 12-10-2015, 02:00 PM   #5
LQ Newbie
If what you want is to simply share your wifi connection, why block anything at all? You should try to just NAT everything with your wlan adapter (Provided that you have different subnets on each interface). To do so, you are on the right track:

To enable forwarding each time you boot up your machine:
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p
And the iptables rules you need:
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
That establishes an ACCEPT policy on the FORWARD chain of the Filter table and adds a rule to NAT everything going out of your wlan0 interface to your local LAN.

Don't forget to set your default gateway via the wlan0 subnet router!

Hope it helps!
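The three rule sets discussed in this thread (the two-rule FORWARD set from post #2, zhjim's point about where the ESTABLISHED,RELATED rule sits, and the "just NAT everything" suggestion above) differ in ways that are easy to miss without traffic to test against. The following is an added example, not code from any poster: a small Python model of how netfilter walks the FORWARD chain (first match wins, the -P policy applies only when nothing matched) with conntrack's NEW/ESTABLISHED/RELATED view of each packet. The interface names eth0/wlan0 follow the thread; the sample packets and the MISDIRECTED and WIDE_OPEN rule sets are constructed for illustration.

```python
"""Offline model of iptables FORWARD-chain evaluation with connection tracking.

Added example, not from the thread. It models first-match evaluation, the
chain policy, and the -m state --state ESTABLISHED,RELATED match so the rule
sets discussed in the thread can be compared without a real netfilter stack.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One FORWARD rule: -i IN -o OUT [-m state --state A,B] -j TARGET."""
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    states: Optional[FrozenSet[str]] = None
    target: str = "ACCEPT"


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    state: str  # conntrack's classification: NEW, ESTABLISHED or RELATED


def evaluate(chain: List[Rule], policy: str, pkt: Packet) -> Tuple[str, int]:
    """Walk the chain top to bottom. Returns (verdict, rules_examined);
    the policy (-P) decides only when no rule matched."""
    examined = 0
    for rule in chain:
        examined += 1
        if rule.in_if is not None and rule.in_if != pkt.in_if:
            continue
        if rule.out_if is not None and rule.out_if != pkt.out_if:
            continue
        if rule.states is not None and pkt.state not in rule.states:
            continue
        return rule.target, examined
    return policy, examined


EST = frozenset({"ESTABLISHED", "RELATED"})

# Post #2's rule set: wired side opens connections, wifi side only gets replies.
SHARING = [Rule("eth0", "wlan0"), Rule("wlan0", "eth0", EST)]
# Same rules with the state rule first, as zhjim recommends.
EST_FIRST = [Rule("wlan0", "eth0", EST), Rule("eth0", "wlan0")]
# Constructed slip: both rules written wlan0 -> eth0, so nothing that starts on
# eth0 is ever forwarded, and the bare second rule lets any LAN host in.
MISDIRECTED = [Rule("wlan0", "eth0", EST), Rule("wlan0", "eth0")]
# "NAT everything": an empty FORWARD chain with policy ACCEPT.
WIDE_OPEN: List[Rule] = []

# Constructed sample traffic, one packet per case that matters here.
SAMPLES = {
    "outbound_new": Packet("eth0", "wlan0", "NEW"),      # wired device -> LAN/internet
    "reply": Packet("wlan0", "eth0", "ESTABLISHED"),     # the answer coming back
    "unsolicited": Packet("wlan0", "eth0", "NEW"),       # LAN host reaching the wired device
}


def verdicts(chain: List[Rule], policy: str) -> Dict[str, str]:
    """Verdict for every sample packet under the given chain and policy."""
    return {name: evaluate(chain, policy, pkt)[0] for name, pkt in SAMPLES.items()}


def rules_examined(chain: List[Rule], policy: str, name: str) -> int:
    """How many rules netfilter had to look at before deciding."""
    return evaluate(chain, policy, SAMPLES[name])[1]


if __name__ == "__main__":
    for label, chain, policy in (("SHARING", SHARING, "DROP"),
                                 ("EST_FIRST", EST_FIRST, "DROP"),
                                 ("MISDIRECTED", MISDIRECTED, "DROP"),
                                 ("WIDE_OPEN", WIDE_OPEN, "ACCEPT")):
        print(f"{label:12} {verdicts(chain, policy)}")
    print("reply examined, SHARING:", rules_examined(SHARING, "DROP", "reply"),
          "EST_FIRST:", rules_examined(EST_FIRST, "DROP", "reply"))
```

Running it shows that SHARING and EST_FIRST give identical verdicts (the two rules match disjoint traffic, so order only changes how many rules a reply packet walks through), that the MISDIRECTED set blocks the wired device's outbound traffic while letting unsolicited LAN connections through, and that WIDE_OPEN forwards everything, including NEW connections from the LAN to the wired device, which is more than "no port blocking on INPUT" requires. On current kernels the same match is usually spelled `-m conntrack --ctstate ESTABLISHED,RELATED`; the semantics modelled here are the same.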