Gentoo Forums
2 Ethernet + WiFi NAT
Forum: Networking & Security
yuoXBsLVX6OUsgTtPCTjlYbw0 (n00b, Joined: 17 Nov 2020, Posts: 2)
Posted: Tue Nov 17, 2020 6:33 pm    Post subject: 2 Ethernet + WiFi NAT

I'm using the Gentoo Wiki page https://wiki.gentoo.org/wiki/Home_router#NAT_.28a.k.a._IP-masquerading.29 to try and set up NAT for one of my 2 ports, and I'm not sure if it's all set up correctly.
I have the following network setup right now:

eth0 - motherboard interface 1
eth1 - motherboard interface 2, needs to have NAT access through wlan0 along with tapX
lo - ?
br0 - bridge for interface 1
brX - bridge for interface 2
tapFS0 - virtual machine adapter, needs to go out of eth0
tapDC0 - virtual machine adapter, needs to go out of eth0
wlan0 - wireless interface
tapX - virtual machine adapter, needs to be connected to eth1 but go out of wlan0 through NAT

lo - 127.0.0.1/8,
br0 - 192.168.4.4/21, network bridge with eth0 and tapFS0 and tapDC0
brX - 192.168.8.1/24, network bridge with eth1 and tapX
wlan0 - DHCP, needs to provide access to wireless network to brX and things connected to brX

The stuff on brX and br0 must be kept separate, both the host ports and the ports for devices connected to those bridges. So eth0 traffic shouldn't be able to come out of the wlan0 connection, and wlan0 stuff shouldn't be able to connect to tapFS0 virtual machine etc.
Here's my current script based on the Wiki details, but I'm pretty sure it's all wrong because the Wiki only talks about one interface and I'm not sure how forwarding and masquerading works.
And also I'm not sure how I'm supposed to block forwarding from br0 to wlan0, since the MASQUERADE line only specified that output is wlan0? The command didn't accept -i brX to restrict it to brX traffic.

Code:

#default from wiki
iptables -F
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
#allow existing bridge traffic (not sure if needed)
iptables -I FORWARD -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -o wlan0 -j DROP
iptables -A FORWARD -i wlan0 -o br0 -j DROP
iptables -I INPUT 1 -i eth0 -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -I INPUT 1 -i br0 -j ACCEPT
#forwarding?
iptables -A FORWARD -i wlan0 -d 192.168.0.0/16 -j ACCEPT
iptables -A FORWARD -i wlan0 -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i brX -s 192.168.8.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
DespLock (n00b, Joined: 27 Jul 2020, Posts: 65)
Posted: Mon Nov 30, 2020 1:42 pm

Hi yuoXBsLVX6OUsgTtPCTjlYbw0,
in case you haven't found a solution yet, here are some hints:

First of all:
Code:
https://www.booleanworld.com/depth-guide-iptables-linux-firewall/

This site has a good overview of iptables.

Now to your setup:

1) lo - loopback device: virtual device for your machine to communicate with itself, needed for diagnostics/troubleshooting and servers on that machine. Should be allowed:
Code:

# loopback is always trusted, in both directions
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT


2) Forwarding from an interface to wlan0 and from wlan0 to br0 (like yours):
Code:

# LAN -> uplink: anything may go out
iptables -A FORWARD -i br0 -o wlan0 -j ACCEPT
# uplink -> LAN: only replies to connections that were opened from the LAN
iptables -A FORWARD -i wlan0 -o br0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

The 2nd rule will allow only packets which belong to already existing traffic and block all unrelated traffic coming from outside.


3) Masquerading
The IP address within a masqueraded packet will be replaced with the IP of the outgoing interface, in your case wlan0. So you need only 1 line for it to work. Iptables will automatically put the correct IP back into the incoming reply packets later and send them to the associated device. This makes sure that you don't have to alter your router's routing tables / iptables, since it thinks all traffic is coming from wlan0.
Faster than Masquerading is SNAT, but this requires a static IP for your wlan0.
Code:

iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE


4) Bridging:
That's the trickiest part.
A bridge acts as an ethernet device itself. If you need to filter/block traffic on a bridge you'll need ebtables.
Another solution is to separate the physical devices (eth0/eth1) from the virtual devices (tunX) through different bridges (if needed). More exactly: just put the virtual devices into a separate bridge and then create iptables rules to handle the traffic.



Greetings,
Desp
yuoXBsLVX6OUsgTtPCTjlYbw0 (n00b, Joined: 17 Nov 2020, Posts: 2)
Posted: Mon Dec 07, 2020 6:14 pm
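As an added example (not from either poster or the Gentoo wiki), here is a complete ruleset for the layout described in this thread, built from DespLock's hints: brX is masqueraded out through wlan0, br0 never crosses wlan0, and the rules are loaded atomically with iptables-restore. The interface names and 192.168.8.0/24 come from the thread; the shell variable names and function names are my own.

```shell
#!/bin/sh
# Constructed example: NAT for brX (eth1 + tapX) via wlan0, br0 kept apart.
LAN_BR="brX"              # bridge that gets NAT
LAN_NET="192.168.8.0/24"  # its subnet (from the thread)
WAN_IF="wlan0"            # masqueraded uplink
ISOLATED_BR="br0"         # must never be forwarded to/from wlan0

# Emit the ruleset in iptables-restore format.
# FORWARD policy DROP already discards br0<->wlan0 and br0<->brX, so no
# explicit DROP rules are needed, only the two ACCEPTs for the NATed path.
# POSTROUTING has no input interface (that is why "-i brX" was rejected);
# limit the masquerade by source network instead.
# Caveat: frames between ports of the same bridge (eth1 <-> tapX) only pass
# through this FORWARD chain if the br_netfilter module is loaded with
# bridge-nf-call-iptables=1; otherwise they are switched inside the bridge.
gen_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A FORWARD -i $LAN_BR -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_BR -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Load everything at once (all-or-nothing) and turn on routing. Needs root.
apply_rules() {
    gen_rules | iptables-restore
    sysctl -w net.ipv4.ip_forward=1
}

# Self-check before applying: no FORWARD rule may mention the isolated bridge.
# Returns 0 when br0 is absent from every forwarding rule.
check_isolation() {
    ! gen_rules | grep -- "-A FORWARD" | grep -q "$ISOLATED_BR"
}

if [ "$1" = "apply" ]; then
    check_isolation && apply_rules
fi
```

Run it as `sh nat.sh apply` as root; without the argument it only defines the functions, so `gen_rules` can be inspected first.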

Ok so I don't actually need to do anything with iptables on the bridge and the DROP command on the FORWARD table won't stop packets from transferring between the bridge interfaces?
I probably only really need to have ACCEPT commands for the brX and wlan0 interfaces in the FORWARD table then, since everything else should just get dropped from that "policy" in the first wiki part.