How do I forward eth0 to wlan0?

0

1

I tried to forward eth0 to wlan0 on my Raspberry Pi B+ using NAT on iptables with the following commands:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -A FORWARD --in-interface eth0 -j ACCEPT
    iptables --table nat -A POSTROUTING --out-interface wlan0 -j MASQUERADE

But it didn't work: when I tried to ping google.com, I got ping: unknown host google.com on my laptop, which is connected to the eth0 port on my Raspberry Pi B+. On my Raspberry Pi B+, I just have normal internet access from wlan0. The IP addresses on my Wi-Fi network look like this: 192.168.1.xxx.

How do I forward eth0 to wlan0?

wb9688

Posted 2015-11-28T09:03:28.520

Reputation: 121


    1) try to ping an IP, not a hostname. hostname resolve needs DNS too. 2) You say you have access on your RPI from Wlan. Then the in interface is the wifi, and out is eth0, isn't it? ( http://www.revsys.com/writings/quicktips/nat.html ) – Apache – 2015-11-28T10:19:21.217

    If I ping an IP, I get host not reachable – wb9688 – 2015-11-28T10:22:39.517

    Okay then, how about those interfaces then? Which is input, which is output? Wlan0 is where you connect the internet, right? "On my Raspberry Pi B+, I just have normal internet access from wlan0." – Apache – 2015-11-28T10:23:17.533

    @Shiki Yes, wlan0 is connected to the internet – wb9688 – 2015-11-28T10:24:17.887

    What is the routing table on your laptop? ip route show. – MariusMatutiae – 2015-11-28T10:44:49.120

    Answers

    1

    At least the shown commands look correct. If this isn't the complete firewall configuration you're using on the Raspberry Pi, i.e. if you have other rules or have changed the default forwarding policy (it is ACCEPT by default, changed with iptables -P), you also probably need to enable reply traffic by adding a state match:

    iptables -I FORWARD 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    

    This will enable the connection tracker to detect reply packets as belonging to the same connection originated on the inside interface and accept them.

    I can't remember for sure; if the Raspberry Pi kernel hasn't enabled the conntrack match, you have to use the (old, deprecated) state extension instead:

    iptables -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    

    You have to enter only one of these. I prefer adding this as the first rule in the chain.

    The eth0 interface on Raspberry Pi and your computer behind it should have addresses from another network. For example, you can use 192.168.10.1/24 (or /255.255.255.0 which is the same) on RasPi and 192.168.10.2 on target host.

    On the target host you set the eth0 address of the RasPi (192.168.10.1 in the previous example) as the default gateway, and the DNS servers to the same as set on your RasPi. You can inspect which servers the RasPi uses by issuing on it: cat /etc/resolv.conf, and looking at the 'nameserver' entries. Or you can just set up Google public DNS (8.8.8.8, 8.8.4.4).

    Nikita Kipriyanov

    Posted 2015-11-28T09:03:28.520

    Reputation: 505

    0

    iptables allows you to filter traffic, and set up the NAT translations as you've done, but it doesn't actually have anything to do with setting up your device as a router to forward traffic between two interfaces.  The only command that actually does anything related to that is the ip_forward one.  The rest is all down to your IP setup on both the Pi and your laptop. 

    (to clarify, your second line does tell iptables to permit traffic coming in on eth0 and FORWARDed to anywhere but the Pi itself, but it doesn't actually permit traffic flowing the other way, so it's useless by itself, and it's only relevant if you've set iptables to drop all FORWARD traffic by default)

    So if the Pi itself has internet access, the real questions you need to address are:

    • what is the IP setup on the eth0 side of your network, does everything line up so your laptop can communicate normally with the Pi, and is your laptop using the Pi's eth0 address as a gateway?

    • If you have changed iptables enough to default deny all FORWARD traffic and only the rules above are in effect, your rule above ensures packets can get out but no reply can get back, so what do you actually want iptables to filter?

    Radhil

    Posted 2015-11-28T09:03:28.520

    Reputation: 266

    Those commands were what I found somewhere on the internet. I never changed any iptables settings. What do I have to set up on the eth0 side? – wb9688 – 2015-12-01T18:48:02.507

    @wb9688 - A different local network than what the wlan0 side has, so that the Pi can tell the two apart, should be all that's needed. Your laptop should have a different IP on the same network, and have a gateway that is the Pi's address. The nat table with the MASQ target should prevent you from needing more. Details would depend on the IPs that are assigned (or in wlan's case, obtained from whatever access point) now, on both sides of the Pi and the laptop, so comment that in or add it to your question please. – Radhil – 2015-12-01T23:33:09.737
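
The firewall conditions both answers describe (FORWARD policy, a rule admitting replies, MASQUERADE on the outside interface) can be checked mechanically against `iptables-save` output. This is an added example, not code from any poster: the `diagnose` function, its verdict strings and the sample ruleset are constructed here, and it assumes the FORWARD chain contains no other DROP/REJECT rules.

```shell
#!/bin/sh
# Usage on the Pi (as root):  iptables-save | diagnose eth0 wlan0
diagnose() {  # $1 = inside interface, $2 = outside interface; ruleset on stdin
    awk -v in_if="$1" -v out_if="$2" '
        BEGIN { policy = "ACCEPT" }              # kernel default if filter is absent
        /^\*/ { table = substr($0, 2) }          # "*filter", "*nat", ...
        table == "filter" && /^:FORWARD / { policy = $2 }
        table == "filter" && /^-A FORWARD / && / -j ACCEPT/ {
            if ($0 ~ (" -i " in_if " ")) outbound = 1       # inside -> outside
            if ($0 ~ /--(ctstate|state) [A-Z,]*ESTABLISHED/) replies = 1
        }
        table == "nat" && /^-A POSTROUTING / && / -j MASQUERADE/ {
            if ($0 ~ (" -o " out_if " ")) masq = 1
        }
        END {
            if (!masq)                   print "no-masquerade"
            else if (policy == "ACCEPT") print "ok"
            else if (!outbound)          print "outbound-blocked"
            else if (!replies)           print "replies-blocked"
            else                         print "ok"
        }'
}

# Constructed sample: the two rules from the question, FORWARD policy set to DROP.
sample_question_drop() { cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
EOF
}

# Same ruleset with the conntrack reply rule inserted as the first FORWARD rule.
sample_with_reply_rule() {
    sample_question_drop | awk '/^-A FORWARD -i/ {
        print "-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" } { print }'
}

sample_question_drop   | diagnose eth0 wlan0
sample_with_reply_rule | diagnose eth0 wlan0
```

A verdict of `ok` with the default ACCEPT policy means the firewall is not the obstacle, which leaves the eth0 addressing, the laptop's default gateway and its DNS settings to check.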