Linux - Security (LinuxQuestions.org forum)
I am new to firewalls and am trying out a setup which doesn't seem to work. I am trying to simulate a Linux firewall using iptables, where my WiFi AP is behind the firewall and it needs to have a public IP address.
I have the following setup:
Mobile <----> WiFi Access <---------> Linux server <-------------> Internet
              point
              AP-Int <-----> |eth3######eth2| <--------> gw-int
*Note* - The dummy IP used at the Linux server is only for allowing communication with the WiFi AP. That IP has not been allocated to me; it is simply used for connectivity.
All the public IPs (PublicIP1, 2, 3) are in the same subnet. The Linux server has IP forwarding enabled.
I am able to ping my gateway interface [PublicIP3] from the Linux server, but when I try pinging the same from the WiFi access point (Int 1) I don't get any reply. I am able to see the ICMP request packets in tcpdump being run on the eth2 interface of the Linux server. What could be the problem here?
Thanks.
Last edited by janusman; 10-08-2010 at 07:35 PM. Reason: indentation
When you run tcpdump on eth2, where are you pinging from? Your diagram is a little confusing to me. You are showing public IPs behind your Linux/iptables firewall. Everything at that point should be on private IPs; only your ISP's GW will have a public IP. Everything from the Linux server back should be on private subnet ranges.
I think you are missing the point. My requirement is that I want a public IP on the WiFi AP. There should not be any NATting. And I am yet to configure iptables. First my setup should work before I can introduce iptables rules.
When I ping from the WiFi AP to, say, 4.2.2.2 (DNS server), I can see the requests reaching eth2, and eth2 forwards them to the next hop. But I don't see the reply coming back on eth2, or even any ARP requests from the ISP's gateway.
Sorry if I misunderstood you. So what happens if you traceroute from the Linux server to 4.2.2.2? Does it get all the way to the DNS server, or does it drop somewhere along the way? Can you get to anywhere past your ISP's gw from either the Linux server or the wireless AP?
Yeah, I am able to ping 4.2.2.2 from my Linux server and I get an answer back. But when I ping from my WiFi AP, the ICMP request packets go via the Linux server to the ISP gw, but I don't get any reply back, and I am sure the packet reaches the ISP gw. I have no idea what happens after that.
Since you've confirmed that the outbound packets from the wireless AP are getting at least as far as the ISP gw, the best thing I can suggest is to try to ping another Linux server out on the internet on a different ISP connection, run tcpdump on that Linux server, and see if the packets get to that machine and what they look like coming into the external server.
If the public address from the wireless AP doesn't lead back through your ISP's gw to you, then the packets are being routed to the owner of that public IP. That still wouldn't explain why it works from the Linux server, but being able to tcpdump from an external server should reveal that easily enough.