LinuxQuestions.org - [SOLVED] Need Help on Simple IPTables Router/Firewall

- Linux - Networking (https://www.linuxquestions.org/questions/linux-networking-3/)

- - Need Help on Simple IPTables Router/Firewall (https://www.linuxquestions.org/questions/linux-networking-3/need-help-on-simple-iptables-router-firewall-831494/)

Need Help on Simple IPTables Router/Firewall

My first post!

I recently had a go at setting up a WiFi Hotspot using wifidog. This, of course, entails creating a router and I chose to use iptables as this is what wifidog uses anyhow. Hitherto, I had only a vague idea of what iptables is and even less of an idea how to use it. Now, having executed endless Googles and howtos with close to zero success I am breaking down and asking for help.

My setup is: wireless AP (DHCP on) -> NIC eth0 -> HP 486 w/Debian Lenny/5 -> NIC eth1 -> wireless router (DHCP on) -> DSL modem -> ... the world

At this point I have no idea what the stumbling block is. I did actually get a simple iptables router working once and I got wifidog working once but both cases broke without my having changed anything (at least that's my story and I'm sticking to it). When wifidog starts up, there is a 'failed' on every line ouput to the terminal as wifidog sets up its iptables rules. It is almost as if something is missing on my system but all the checks I can find, like lsmod | grep ip, which shows 11 modules, seem to indicate that everything is present.

Now, I do not know what question to ask and therein lies my dilemma. One thing that would be helpful to know is whether the syntax is different among the various NIXs. What would be really helpful is a shell script that works to set up a very fundamental router that basically connects two network interfaces and lets all traffic go in both directions (easy for me to figure out the logic) - I found a reference here to there being one in "the Security section" but I cannot seem to find my way there.

So there it is, not only do I need answers, I need the questions too. Please help if you can as I have come to the end my rope. Any insights offered will be most appreciated.

Best regards,
Dennis

I found a brain dead simple two liner at http://www.cyberciti.biz/tips/linux-...-line-etc.html that is supposed to setup a simple router and goes like this (I added the flushing lines):

Code:

iptables -F

iptables -F -t nat

iptables -F -t mangle

iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE

iptables --append FORWARD --in-interface eth0 -j ACCEPT

My /etc/network/interfaces is like this:

Code:

iface lo inet loopback



# eth1 connects to router connected to DSL modem

# it is shown as dynamic but router (192.168.1.1) reserves 192.168.1.196 for eth1

auto eth1

allow-hotplug eth1

iface eth1 inet dhcp



# eth0 is the internal network (hotspot network)

auto eth0

allow-hotplug eth0

iface eth0 inet static

  address 192.168.2.254

  netmask 255.255.255.0

  network 192.168.2.0

  broadcast 192.168.2.255

  dns-nameservers 192.168.1.196

route gives:

Code:

Kernel IP routing table

Destination    Gateway        Genmask        Flags Metric Ref    Use Iface

192.168.2.0    *              255.255.255.0  U    0      0        0 eth0

192.168.1.0    *              255.255.255.0  U    0      0        0 eth1

default        192.168.1.1    0.0.0.0        UG    0      0        0 eth1

iptables -L -v returns:

Code:

Chain INPUT (policy ACCEPT 3503 packets, 553K bytes)

 pkts bytes target    prot opt in    out    source              destination        



Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target    prot opt in    out    source              destination        

    0    0 ACCEPT    all  --  eth0  any    anywhere            anywhere            



Chain OUTPUT (policy ACCEPT 2709 packets, 581K bytes)

 pkts bytes target    prot opt in    out    source              destination

... but I cannot get anywhere - cannot ping 192.168.1.196 or 192.168.1.1 from a computer on the 192.168.2.0 network.
Any ideas?
Regards,
Dennis

Fixed it.

It seems that the problem may have been a single line missing:

Code:

iptables -X

Having finally found an example script that worked (http://www.debian-administration.org/articles/23), I went through line by line to find the "magic" bullet. The only common difference I could find relative to scripts that did not work was the iptables -X line.

BTW, I stowed the working firewall script in /etc/network/if-up.d as instructed in the page at the above noted link.

Regards,
Dennis