Complicated routing setup

 
 
Marc Warne
      07-28-2004, 07:18 PM
Hi,

I'm setting up a wireless network for my house and have a question concerning
what iptables commands to use in this situation:

+------------------+                  +--------------+
| Linux box        |    wi-fi         | My Linux box |
| 192.168.1.100 wlan0 <- - - -> wlan0 | 192.168.1.1  |
+------------------+                  | 192.168.0.1  |
                                      +---------eth1-+
                                             |
                                      +----------ea0-+
                                      | Another comp |
                                      | 192.168.0.3  |
                                      +--------------+

i.e. 'Another comp' connects to My Linux box via ethernet (this is the
192.168.0.x subnet). My Linux box then connects to 'Linux box' via wi-fi
which has the actual internet connection (via USB, wi-fi subnet is
192.168.1.x).

I need to know how to access the internet from 'Another comp'. The packets
will have to be sent to My Linux box, and then forwarded to 'Linux box'
in order to reach the internet. I have set the gateway on 'Another comp'
to 192.168.0.1 so packets reach My Linux box, but I don't know how to then
forward these over the wireless network.

My Linux box successfully can access the internet as its default gateway
is 192.168.1.100 and masquerading is working on 'Linux box'.

Any help would be appreciated!

Thanks,

Marc
 
Bernhard Kastner
      07-28-2004, 07:59 PM
Marc Warne wrote:
> Hi,
>
> +------------------+                  +--------------+
> | Linux box        |    wi-fi         | My Linux box |
> | 192.168.1.100 wlan0 <- - - -> wlan0 | 192.168.1.1  |
> +------------------+                  | 192.168.0.1  |
>                                       +---------eth1-+
>                                              |
>                                       +----------ea0-+
>                                       | Another comp |
>                                       | 192.168.0.3  |
>                                       +--------------+
>
> i.e. 'Another comp' connects to My Linux box via ethernet (this is the
> 192.168.0.x subnet). My Linux box then connects to 'Linux box' via wi-fi
> which has the actual internet connection (via USB, wi-fi subnet is
> 192.168.1.x).
>
> The packets
> will have to be sent to My Linux box, and then forwarded to 'Linux box'
> in order to reach the internet.
>


I'm new to iptables, but this should work (I hope)
iptables -N forward -A input ALLOW -d 192.168.1.100
to set on "My Linux Box"
if this isn't correct, I have to check
http://www.linuxguruz.com/iptables/h...s-HOWTO-6.html again.
You should do too

--
Bernhard | theEdge
---
http://www.alf.at.tc
Austrian Linux Forum
 
Bernhard Kastner
      07-28-2004, 08:27 PM
Bernhard Kastner wrote:

> Marc Warne wrote:
>
>> Hi,
>>
>> +------------------+                  +--------------+
>> | Linux box        |    wi-fi         | My Linux box |
>> | 192.168.1.100 wlan0 <- - - -> wlan0 | 192.168.1.1  |
>> +------------------+                  | 192.168.0.1  |
>>                                       +---------eth1-+
>>                                              |
>>                                       +----------ea0-+
>>                                       | Another comp |
>>                                       | 192.168.0.3  |
>>                                       +--------------+
>>
>> i.e. 'Another comp' connects to My Linux box via ethernet (this is the
>> 192.168.0.x subnet). My Linux box then connects to 'Linux box' via wi-fi
>> which has the actual internet connection (via USB, wi-fi subnet is
>> 192.168.1.x).
>>
>> The packets
>> will have to be sent to My Linux box, and then forwarded to 'Linux box'
>> in order to reach the internet.

>
>
> I'm new to iptables, but this should work (I hope)
> iptables -N forward -A input ALLOW -d 192.168.1.100
> to set on "My Linux Box"
> if this isn't correct, I have to check
> http://www.linuxguruz.com/iptables/h...s-HOWTO-6.html again.
> You should do too
>


Haha, completely wrong ^^
There is already a built-in chain called Forward, which has a policy of
DROP, which means that it doesn't let any packet through that doesn't
fit another rule in your chain.
To override this, there is an option in the iptables module, set
forward=1 and, hmm, let's see ^^

--
Bernhard | theEdge
---
http://www.alf.at.tc
Austrian Linux Forum
 
vhu
      07-28-2004, 08:43 PM
> i.e. 'Another comp' connects to My Linux box via ethernet (this is the
> 192.168.0.x subnet). My Linux box then connects to 'Linux box' via wi-fi
> which has the actual internet connection (via USB, wi-fi subnet is
> 192.168.1.x).
>
> I need to know how to access the internet from 'Another comp'. The packets
> will have to be sent to My Linux box, and then forwarded to 'Linux box'
> in order to reach the internet. I have set the gateway on 'Another comp'
> to 192.168.0.1 so packets reach My Linux box, but I don't know how to then
> forward these over the wireless network.
>
> My Linux box successfully can access the internet as its default gateway
> is 192.168.1.100 and masquerading is working on 'Linux box'.


Default gw is pointing to 'linux box', good. Now you need to make sure that
IP forwarding has been enabled on 'my linux box'; the easiest way to check it
is to run:

$ cat /proc/sys/net/ipv4/ip_forward

If it says 1 it's enabled, if not enable it by

$ echo "1" > /proc/sys/net/ipv4/ip_forward

You also have to make sure that iptables allows your traffic to/from 'another
comp'. If you are doing the firewalling in 'linux box' then you can probably
pretty safely do the following in 'my linux box':

$ iptables -F FORWARD
$ iptables -P FORWARD ACCEPT

This will clear all the rules from FORWARD chain and set the default to
ACCEPT - thus all traffic will be allowed.

If you have the route for 192.168.0.0/24 (I assume that this is a whole class
C, correct?) in the routing table of 'linux box' then everything should work.

If 'linux box' doesn't have the route, you can add it by:

$ route add -net 192.168.0.0/24 gw 192.168.1.1

If it's not possible to add that route, you can always do the masquerade in
'my linux box', just run

$ iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -j MASQUERADE

>
> Any help would be appreciated!
>
> Thanks,
>
> Marc



 
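Added example, not code from any poster in this thread: a stricter alternative to flushing FORWARD and setting its policy to ACCEPT on 'My Linux box'. It forwards only 192.168.0.0/24 arriving on eth1 out through wlan0, lets replies back in, and ties MASQUERADE to the uplink. The interfaces and subnet are taken from the diagram; the function names gen_rules and audit_dump and the default-drop layout are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): default-drop forwarding for
# 'My Linux box'. Interfaces and subnet are the thread's; the rule layout
# and the function names are this example's own.
LAN_IF=${LAN_IF:-eth1}              # towards 'Another comp'
WAN_IF=${WAN_IF:-wlan0}             # towards 'Linux box' (192.168.1.100)
LAN_NET=${LAN_NET:-192.168.0.0/24}

# Accept only plain interface names and IPv4 CIDR shapes, so the printed
# commands cannot carry shell metacharacters.
valid_if()  { case $1 in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac; }
valid_net() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print the commands for review instead of running them.
gen_rules() {
    if ! { valid_if "$LAN_IF" && valid_if "$WAN_IF" && valid_net "$LAN_NET"; }; then
        echo "gen_rules: invalid LAN_IF, WAN_IF or LAN_NET" >&2
        return 1
    fi
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $LAN_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Read `iptables-save` output on stdin; print one line per finding.
audit_dump() {
    awk -v wan="$WAN_IF" '
        /^:FORWARD ACCEPT/ { open = 1 }
        /^-A FORWARD /     { n++ }
        /^-A POSTROUTING .*-j MASQUERADE/ && !index($0, " -o " wan " ") {
            print "nat: MASQUERADE not limited to -o " wan }
        END { if (open && !n) print "filter: FORWARD policy ACCEPT, no rules" }'
}

case ${1:-} in print) gen_rules ;; esac
```

Run the script with the argument print to review the commands before piping them to sh as root. Piping `iptables-save` into audit_dump reports a FORWARD chain left fully open or a MASQUERADE rule not tied to the uplink interface.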
 
Bernhard Kastner
      07-29-2004, 01:57 PM
Marc Warne wrote:
>
> +------------------+                  +--------------+
> | Linux box        |    wi-fi         | My Linux box |
> | 192.168.1.100 wlan0 <- - - -> wlan0 | 192.168.1.1  |
> +------------------+                  | 192.168.0.1  |
>                                       +---------eth1-+
>                                              |
>                                       +----------ea0-+
>                                       | Another comp |
>                                       | 192.168.0.3  |
>                                       +--------------+


iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
on "My Linux Box"
finally, dude, this should work ^^

--
Bernhard | theEdge
---
http://www.alf.at.tc
Austrian Linux Forum
 
Clifford Kite
      07-29-2004, 08:19 PM
Marc Warne <(E-Mail Removed)> wrote:

> I'm setting up a wireless network for my house and have a question
> concerning what iptables commands to use in this situation:


> +------------------+                  +--------------+
> | Linux box        |    wi-fi         | My Linux box |
> | 192.168.1.100 wlan0 <- - - -> wlan0 | 192.168.1.1  |
> +------------------+                  | 192.168.0.1  |
>                                       +---------eth1-+
>                                              |
>                                       +----------ea0-+
>                                       | Another comp |
>                                       | 192.168.0.3  |
>                                       +--------------+


> i.e. 'Another comp' connects to My Linux box via ethernet (this is the
> 192.168.0.x subnet). My Linux box then connects to 'Linux box' via wi-fi
> which has the actual internet connection (via USB, wi-fi subnet is
> 192.168.1.x).


> I need to know how to access the internet from 'Another comp'. The packets
> will have to be sent to My Linux box, and then forwarded to 'Linux box'
> in order to reach the internet. I have set the gateway on 'Another comp'
> to 192.168.0.1 so packets reach My Linux box, but I don't know how to then
> forward these over the wireless network.


> My Linux box successfully can access the internet as its default gateway
> is 192.168.1.100 and masquerading is working on 'Linux box'.


I'd try masquerading the 192.168.0.0/24 network on 'My Linux box' so
that the outbound packets to the Internet from 'Another comp' sent to
'My Linux box' are resent to 'Linux box' with the "return IP address"
of 'My Linux box,' 192.168.1.1. I don't know why double masquerading
this way shouldn't work, but if you try it then I'd appreciate knowing
the outcome - either way it goes.

I really don't know iptables as well as I'd like to, but was able to adapt
this script to create a PPP-connection firewall with single masquerading
for computers on a private network without much trouble:

http://iptables-tutorial.frozentux.n...c.firewall.txt
(or http://www.faqs.org/docs/iptables/ex...UDE.RCFIREWALL)

--
Clifford Kite Email: "echo xvgr_yvahk-(E-Mail Removed)|rot13"
PPP-Q&A links, downloads: http://ckite.no-ip.net/
/* On Linux be root, on Windows reboot.
-Josef Müllers */
 