-   Linux - Networking (
-   -   Need Help on Simple IPTables Router/Firewall (

dmlinton 09-10-2010 10:35 PM

Need Help on Simple IPTables Router/Firewall
My first post!

I recently had a go at setting up a WiFi Hotspot using wifidog. This, of course, entails creating a router and I chose to use iptables as this is what wifidog uses anyhow. Hitherto, I had only a vague idea of what iptables is and even less of an idea how to use it. Now, having executed endless Googles and howtos with close to zero success I am breaking down and asking for help.

My setup is: wireless AP (DHCP on) -> NIC eth0 -> HP 486 w/Debian Lenny/5 -> NIC eth1 -> wireless router (DHCP on) -> DSL modem -> ... the world

At this point I have no idea what the stumbling block is. I did actually get a simple iptables router working once and I got wifidog working once but both cases broke without my having changed anything (at least that's my story and I'm sticking to it). When wifidog starts up, there is a 'failed' on every line ouput to the terminal as wifidog sets up its iptables rules. It is almost as if something is missing on my system but all the checks I can find, like lsmod | grep ip, which shows 11 modules, seem to indicate that everything is present.

Now, I do not know what question to ask and therein lies my dilemma. One thing that would be helpful to know is whether the syntax is different among the various NIXs. What would be really helpful is a shell script that works to set up a very fundamental router that basically connects two network interfaces and lets all traffic go in both directions (easy for me to figure out the logic) - I found a reference here to there being one in "the Security section" but I cannot seem to find my way there.

So there it is, not only do I need answers, I need the questions too. Please help if you can as I have come to the end my rope. Any insights offered will be most appreciated.

Best regards,

dmlinton 09-11-2010 12:05 AM

More info....
I found a brain dead simple two liner at that is supposed to setup a simple router and goes like this (I added the flushing lines):

iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT

My /etc/network/interfaces is like this:

iface lo inet loopback

# eth1 connects to router connected to DSL modem
# it is shown as dynamic but router ( reserves for eth1
auto eth1
allow-hotplug eth1
iface eth1 inet dhcp

# eth0 is the internal network (hotspot network)
auto eth0
allow-hotplug eth0
iface eth0 inet static

route gives:

Kernel IP routing table
Destination    Gateway        Genmask        Flags Metric Ref    Use Iface    *      U    0      0        0 eth0    *      U    0      0        0 eth1
default        UG    0      0        0 eth1

iptables -L -v returns:

Chain INPUT (policy ACCEPT 3503 packets, 553K bytes)
 pkts bytes target    prot opt in    out    source              destination       

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination       
    0    0 ACCEPT    all  --  eth0  any    anywhere            anywhere           

Chain OUTPUT (policy ACCEPT 2709 packets, 581K bytes)
 pkts bytes target    prot opt in    out    source              destination

... but I cannot get anywhere - cannot ping or from a computer on the network.
Any ideas?

dmlinton 09-11-2010 10:00 AM

Fixed it.

It seems that the problem may have been a single line missing:

iptables -X
Having finally found an example script that worked (, I went through line by line to find the "magic" bullet. The only common difference I could find relative to scripts that did not work was the iptables -X line.

BTW, I stowed the working firewall script in /etc/network/if-up.d as instructed in the page at the above noted link.


All times are GMT -5. The time now is 08:04 AM.