47

So I have a Linux box with two wireless interfaces, one is a station and the other an AP.

wlan0 (station) - Connected to the internet connection

wlan1 (AP) - Other clients connect to it.

I would like for clients connected to wlan1 to be able to access the internet on wlan0. And I'd like to do this with iptables as my kernel doesn't have bridging support...

Here's what I've tried so far with iptables but it's not working:

    iptables -A FORWARD -i wlan0 -o wlan1 -j ACCEPT
    iptables -A FORWARD -i wlan1 -o wlan0 -j ACCEPT

I'd appreciate any help.

broody
  • 2
    IPTABLES is a stateful packet-filter, it permits/drops/mangles packets. It is not a router, or bridge. Your commands adjust the firewall to permit the traffic, but they do not do anything to actually forward it. – Zoredache Sep 25 '12 at 01:19
  • So replace the kernel with one that has the features you need. It is "a linux box," after all. – Michael Hampton Sep 25 '12 at 01:21
  • Can I achieve what I'm trying to do with 'route'? I'll look into rebuilding the kernel with bridge support as well but wondering if there are other options. – broody Sep 25 '12 at 01:39
  • 1
    Route tells it where to go once it's enabled. Michael told you what you need to do to support routing. THEN you need to turn it on via sysctl. – Magellan Sep 25 '12 at 02:04

1 Answer

72

First, to enable hosts connecting on your private interface to go out to the internet, you don't need to bridge the interfaces; you need to route packets coming in on one interface to the other one, where they go out to the wild.

To do that, you only need to:

  1. Enable forwarding on your Linux box
  2. Allow specific (or all) packets to traverse your router
  3. As someone stated, as netfilter is a stateless firewall, allow traffic for already established connections
  4. Change the source address on packets going out to the internet

    # 1. turn on IP forwarding in the kernel (runtime only, see comments for persistence)
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # 2. let clients on the AP side (wlan1) open connections toward the uplink (wlan0)
    iptables -A FORWARD -i wlan1 -o wlan0 -j ACCEPT
    # 3. let replies to those connections come back from the uplink
    iptables -A FORWARD -i wlan0 -o wlan1 -m state --state ESTABLISHED,RELATED \
             -j ACCEPT
    # 4. rewrite the source address of outgoing packets to wlan0's address
    iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE

That should do it.

iBug
Torian
  • 1
    I think that you probably mean: `echo 1 >/proc/sys/net/ipv4/ip_forward` for the first line – Jason Tan Sep 25 '12 at 04:04
  • that's it ... don't know what happened to the last part of that line ... corrected. – Torian Sep 25 '12 at 04:06
  • I think you'd also have to set the clients to use the linux box as their gateway. – Jason Tan Sep 25 '12 at 04:06
  • 2
    And to make the forwarding persist through reboots you want to do this: 'echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf' – Jason Tan Sep 25 '12 at 04:08
  • I guessed that was out of the question, if the clients were connected via wifi to this so called router. – Torian Sep 25 '12 at 04:08
  • Do you need to set those `iptables` rules if `ip_forward`ing is turned on in the kernel? – StudentsTea Jun 28 '18 at 03:53
  • 1
    @StudentsTea Yes, you do, unless your `iptables`' `FORWARD` table is set to a globally accepting policy. You'd still need the `nat` table rules either way though. – Thomas Ward Jul 06 '18 at 18:42
  • How might this be different if I wanted to only forward connections on a select port? (e.g. port 2222 on wlan1 to port 3333 on wlan0)? – sherrellbc Nov 27 '19 at 09:41
  • how do you make this a permanent change? – FalcoGer Feb 24 '20 at 14:06
  • Great answer! `--state ESTABLISHED,RELATED` is a good way to prevent simple spoofing, but a well-crafted packet can go through pretty easily. Anything for more sophisticated spoofing protection? – rth Oct 03 '21 at 16:17
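The answer's four steps, plus the persistence fix from the comments, as an added example that is not part of the original post or its comments: the script is re-runnable, sets a default-deny FORWARD policy, and masquerades only the client subnet. The interface variable names, the 10.0.0.0/24 client subnet and the IPT override (IPT=echo prints the rules instead of applying them) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the answer's steps as an
# idempotent script. Assumed: WAN, LAN, LAN_NET and the IPT override.
set -eu
WAN="${WAN:-wlan0}"               # uplink (station) interface
LAN="${LAN:-wlan1}"               # AP interface the clients attach to
LAN_NET="${LAN_NET:-10.0.0.0/24}" # assumed client subnet behind the AP
IPT="${IPT:-iptables}"            # IPT=echo for a dry run

# Append a rule only if an identical one is not already present (-C checks),
# so running the script twice does not duplicate rules.
add_rule() {
    table=$1; chain=$2; shift 2
    if [ "$IPT" != echo ] && "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    "$IPT" -t "$table" -A "$chain" "$@"
}

# Step 1: ip_forward at runtime; the sysctl.conf line survives reboots.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
    grep -qs '^net.ipv4.ip_forward *= *1' /etc/sysctl.conf ||
        echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
}

# Steps 2-4: only the AP side may open connections (and only from the
# client subnet), the uplink side only gets replies, and only the client
# subnet is masqueraded. Everything else forwarded is dropped.
install_rules() {
    "$IPT" -t filter -P FORWARD DROP
    add_rule filter FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    add_rule filter FORWARD -i "$WAN" -o "$LAN" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    add_rule nat POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE
}

# Returns 0 when forwarding is on; the path argument exists for testing.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = 1 ]
}

# Apply only when explicitly asked:  sh router.sh apply
if [ "${1:-}" = apply ]; then
    enable_forwarding
    install_rules
    forwarding_enabled && echo "forwarding enabled, rules installed"
fi
```

Clients still need the box's wlan1 address as their default gateway, as noted in the comments; this script does not configure them.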