
Author Topic: hostapd and iptable  (Read 13077 times)

Offline cwongcpa

  • Newbie
  • *
  • Posts: 10
hostapd and iptable
« on: February 04, 2013, 10:23:42 PM »
I have a wired router, a Tiny Linux computer and a wireless LAN card.  Now I need my Tiny Linux computer to act as a wireless router to share the internet connection with my mobile phone.

IP as follows :
Wired Router : 192.168.1.1
Tiny Linux eth0 : 192.168.1.2
Tiny Linux wlan0 : 192.168.1.3
Mobile phone : 192.168.1.4

After running hostapd, I can connect to Tiny Linux from my mobile phone but am unable to get the internet connection.  I think it is a problem with iptables.  Can anyone help me to set it up?  Many many thanks in advance.

My iptables rules as follows:

sudo iptables -F
sudo iptables -F -t nat
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT


Offline Rich

  • Administrator
  • Hero Member
  • *****
  • Posts: 11232
Re: hostapd and iptable
« Reply #1 on: February 04, 2013, 10:49:59 PM »
Hi cwongcpa
Did you follow the instructions in the info file?
Code:
Copy /usr/local/etc/hostapd.conf.sample somewhere, and
run as:
sudo hostapd /path/to/conf

If you disable iptables, can you connect then?

Offline hiro

  • Hero Member
  • *****
  • Posts: 1217
Re: hostapd and iptable
« Reply #2 on: February 05, 2013, 12:02:23 AM »
you also need
sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

Offline cwongcpa

  • Newbie
  • *
  • Posts: 10
Re: hostapd and iptable
« Reply #3 on: February 05, 2013, 12:32:47 AM »
Yes, I can connect without firewall.

I've also executed sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'


My script is
sudo mkdir /lib/firmware/
sudo rsync -a /mnt/sda1/rt73.bin /lib/firmware/rt73.bin
sudo rsync -a /mnt/sda1/hostapd.conf /usr/local/etc/hostapd.conf

sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'


sudo iptables -F -t nat
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

sudo hostapd -B /usr/local/etc/hostapd.conf


Thanks for your reply (Rich and Hiro)
« Last Edit: February 05, 2013, 01:47:59 AM by cwongcpa »

Offline Rich

  • Administrator
  • Hero Member
  • *****
  • Posts: 11232
Re: hostapd and iptable
« Reply #4 on: February 05, 2013, 07:21:25 AM »
Hi cwongcpa
Maybe
Quote
Wired Router : 192.168.1.1
Tiny Linux eth0 : 192.168.1.2
need to be in a different subnet than
Quote
Tiny Linux wlan0 : 192.168.1.3
Mobile phone : 192.168.1.4

Offline althalus

  • Sr. Member
  • ****
  • Posts: 351
Re: hostapd and iptable
« Reply #5 on: February 05, 2013, 06:58:01 PM »
I agree with Rich - what you're doing could be a lot simpler and easier to set up if wlan0 and connected devices were using a different subnet (say 192.168.2.x).
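The subnet check behind Rich's and althalus's advice, written out as an added POSIX sh example (not code from this thread): it converts dotted-quad addresses to integers and reports whether two interface/netmask pairs overlap, which is what made the first layout (eth0 and wlan0 both in 192.168.1.0/24) unroutable. The addresses are the ones posted in the thread; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the forum thread.
# Checks whether two IPv4 interface/netmask pairs land in overlapping
# subnets. A router needs each interface on its own network, otherwise the
# kernel cannot tell which interface a destination is reachable through.

# ip_to_int DOTTED_QUAD -> unsigned 32-bit value
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# network_of IP MASK -> network address as an integer
network_of() {
    echo $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# subnets_overlap IP1 MASK1 IP2 MASK2 -> exit status 0 if they overlap.
# Two blocks overlap exactly when they agree under the less specific
# (numerically smaller) of the two masks.
subnets_overlap() {
    m1=$(ip_to_int "$2")
    m2=$(ip_to_int "$4")
    if [ "$m1" -lt "$m2" ]; then m=$m1; else m=$m2; fi
    n1=$(( $(ip_to_int "$1") & $m ))
    n2=$(( $(ip_to_int "$3") & $m ))
    [ "$n1" -eq "$n2" ]
}

# check_layout ETH_IP ETH_MASK WLAN_IP WLAN_MASK -> prints a verdict,
# exit status 0 when the layout is routable
check_layout() {
    if subnets_overlap "$@"; then
        echo "BAD: $1/$2 and $3/$4 overlap; put the AP clients on their own subnet"
        return 1
    fi
    echo "OK: $1/$2 and $3/$4 are separate networks"
}

# The two layouts from the thread (constructed from the posted addresses).
# The first one is expected to fail, hence the "|| true".
check_layout 192.168.1.2 255.255.255.0 192.168.1.3 255.255.255.0 || true
check_layout 192.168.1.2 255.255.255.0 192.168.2.3 255.255.255.0
```

Running it prints a BAD verdict for the original layout and an OK verdict for the 192.168.2.x one. The same check catches the subtler case of a /16 on one side swallowing a /24 on the other, since the comparison is made under the wider mask.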

Offline cwongcpa

  • Newbie
  • *
  • Posts: 10
Re: hostapd and iptable
« Reply #6 on: February 05, 2013, 10:58:46 PM »
Thank you Rich and althalus!

I've tried but no success.

I changed the code as follows but still no luck:

sudo mkdir /lib/firmware/
sudo rsync -a /mnt/sda1/rt73.bin /lib/firmware/rt73.bin
sudo rsync -a /mnt/sda1/hostapd.conf /usr/local/etc/hostapd.conf
sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

sudo ifconfig wlan0 192.168.2.97 netmask 255.255.255.0

sudo iptables -F -t nat
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
sudo hostapd -B /usr/local/etc/hostapd.conf

My mobile phone :
IP 192.168.2.4
netmask 255.255.255.0
Gateway 192.168.2.3

Result from iptables -L

tc@Server:/mnt/sda1$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  192.168.1.0/24       anywhere            ctstate NEW
ACCEPT     all  --  anywhere             anywhere            ctstate RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Result from iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere


Result from : ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0E:A6:36:80:DC
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1974652 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2492374 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1266109382 (1.1 GiB)  TX bytes:2339410646 (2.1 GiB)
          Interrupt:18

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:123 errors:0 dropped:0 overruns:0 frame:0
          TX packets:123 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:7884 (7.6 KiB)  TX bytes:7884 (7.6 KiB)

mon.wlan0 Link encap:UNSPEC  HWaddr 00-23-CD-B7-86-9D-00-00-00-00-00-00-00-00-00-00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1250 (1.2 KiB)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr 00:23:CD:B7:86:9D
          inet addr:192.168.2.3  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8 errors:0 dropped:6 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1140 (1.1 KiB)  TX bytes:1284 (1.2 KiB)

Would you mind telling me any mistakes of mine?  I'm not a computer man and not familiar with network concepts.  Many many thanks in advance!
« Last Edit: February 08, 2013, 02:17:40 AM by cwongcpa »

Offline Rich

  • Administrator
  • Hero Member
  • *****
  • Posts: 11232
Re: hostapd and iptable
« Reply #7 on: February 05, 2013, 11:07:28 PM »
Hi cwongcpa
I think you might also need a route command.
Try Googling "hostapd iptables" for some examples on how to set up a wireless access point.

Offline cwongcpa

  • Newbie
  • *
  • Posts: 10
Re: hostapd and iptable
« Reply #8 on: February 05, 2013, 11:13:20 PM »
Hi Rich,

I've also tried the route command today but also no luck.

sudo route add -net 192.168.2.3 netmask 255.255.255.0 gw 192.168.1.2

Offline Rich

  • Administrator
  • Hero Member
  • *****
  • Posts: 11232
Re: hostapd and iptable
« Reply #9 on: February 06, 2013, 07:28:13 AM »
Hi cwongcpa
Have you read this:
http://code.google.com/p/quickanddirty/wiki/CreatingWirelessHotspotWithLinux#Alternative:_Internet_Sharing_with_iptables
It might give you a better idea of what the sequence of events should be. You probably also need dnsmasq.tcz.

Offline hiro

  • Hero Member
  • *****
  • Posts: 1217
Re: hostapd and iptable
« Reply #10 on: February 06, 2013, 07:46:51 AM »
how did you set the route on your mobile phone?

Offline tinypoodle

  • Hero Member
  • *****
  • Posts: 3857
Re: hostapd and iptable
« Reply #11 on: February 06, 2013, 10:04:56 AM »
http://code.google.com/p/quickanddirty/wiki/CreatingWirelessHotspotWithLinux#Alternative:_Internet_Sharing_with_iptables
It might give you a better idea of what the sequence of events should be. You probably also need dnsmasq.tcz.
Also, interface used must be configured in ap/master mode which that method omits to mention.
"Software gets slower faster than hardware gets faster." Niklaus Wirth - A Plea for Lean Software (1995)

Offline coreplayer2

  • Hero Member
  • *****
  • Posts: 3020
Re: hostapd and iptable
« Reply #12 on: February 06, 2013, 11:33:16 PM »
Just my observation here.  And this might not be a factor in the FORWARD chain as you only have the two rules, but AIUI using the -A option is often counterproductive in amending the iptables, as the rules get applied after the packets get dropped by some earlier rule.  Using the -I option inserts the rule at the top of the list and allows the packets to be handled as desired; then, if these rules do not apply, they are dropped by the deny-all rule.

sudo iptables -I FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -I FORWARD -i wlan0 -o eth0 -j ACCEPT


If you need these rules to be applied first then use the -I option.  This is how I add rules (in my limited experience with them), which works for me.  I actually have never used the -A option, which appends to the bottom of the chain.

Perhaps there is some other issue here, but hope that helps.
« Last Edit: February 07, 2013, 12:41:17 AM by coreplayer2 »

Offline coreplayer2

  • Hero Member
  • *****
  • Posts: 3020
Re: hostapd and iptable
« Reply #13 on: February 07, 2013, 01:09:23 AM »
Also your FORWARD iptables entry doesn't specify the inbound packet source IP, like " -s 0/0 " (means any).  I am not 100% sure, but I think you have to specify it, otherwise no packet will meet the rule.

iptables -I FORWARD -s 0/0 -i eth0 -d 192.168.1.160 -o eth1 -p TCP --sport 1024:65535 --dport 80 -j ACCEPT

This means: insert at the TOP of the list a rule for packets that match this rule from ANY source on input interface eth0, to be routed to the machine with IP address 192.168.1.160 via output interface eth1, from TCP source port range 1024 to 65535 and destination port 80, then jump to this chain if the packets meet this criteria.


This only allows already established connections:
Quote
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Also, a rule needs to allow the initial connection to the firewall via port 80, which should be in INPUT; as it stands, from the above iptables in post #6 nothing is allowed access to the firewall.

iptables -I INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT

Hope that helps
« Last Edit: February 07, 2013, 01:49:04 AM by coreplayer2 »
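A complete ruleset for the setup the thread converges on (clients on their own 192.168.2.0/24 behind wlan0, eth0 as the uplink, dnsmasq on the AP as Rich suggested), as an added POSIX sh example that is not code from the thread or from the Tiny Core project. It picks up coreplayer2's point about rule order and default policies by flushing the chains first and giving FORWARD an explicit DROP policy, so only the listed rules pass traffic. The interface names, subnet and the IPT/IP_FORWARD variables are assumptions for illustration; set IPT=echo to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the forum thread or the Tiny Core project.
# Minimal NAT/forwarding ruleset for a hostapd access point:
#   WAN uplink on $WAN_IF, Wi-Fi clients on $LAN_CIDR via $LAN_IF.
# Assumed names; override them in the environment. IPT=echo gives a dry run.
IPT="${IPT:-iptables}"
IP_FORWARD="${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-wlan0}"
LAN_CIDR="${LAN_CIDR:-192.168.2.0/24}"

# Turn on routing between interfaces (the redirection runs in this shell,
# which is why the thread needed "sudo sh -c '...'" for a one-liner).
enable_forwarding() {
    echo 1 > "$IP_FORWARD"
}

# ap_firewall_rules WAN_IF LAN_IF LAN_CIDR
ap_firewall_rules() {
    wan=$1; lan=$2; cidr=$3

    # Start from a clean slate in both tables, so ordering below is the
    # only ordering that exists and -A is sufficient.
    $IPT -F
    $IPT -t nat -F

    # Default deny on forwarding: anything not matched below is dropped.
    $IPT -P FORWARD DROP

    # Clients -> internet: only packets that really carry the AP subnet
    # as source (blocks address spoofing from the wireless side).
    $IPT -A FORWARD -i "$lan" -o "$wan" -s "$cidr" -j ACCEPT
    # Internet -> clients: only replies to connections the clients opened.
    $IPT -A FORWARD -i "$wan" -o "$lan" -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Hide the client subnet behind the uplink address.
    $IPT -t nat -A POSTROUTING -o "$wan" -s "$cidr" -j MASQUERADE

    # Let clients reach dnsmasq on the AP itself for DHCP and DNS.
    # INPUT policy is left untouched so an existing SSH session survives.
    $IPT -A INPUT -i "$lan" -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -i "$lan" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$lan" -p tcp --dport 53 -j ACCEPT
}

case "${1:-}" in
    --apply)
        enable_forwarding
        ap_firewall_rules "$WAN_IF" "$LAN_IF" "$LAN_CIDR"
        ;;
    --dry-run)
        IPT=echo
        IP_FORWARD=/dev/null
        enable_forwarding
        ap_firewall_rules "$WAN_IF" "$LAN_IF" "$LAN_CIDR"
        ;;
esac
```

Run it as root (sudo sh ap-nat.sh --apply) after hostapd has brought wlan0 up with its 192.168.2.x address, or with --dry-run to see the nine iptables commands it would issue. Two things worth knowing when reading the replies above: iptables matches any source when -s is omitted, so -s 0/0 is never required; and with the chains flushed and an explicit DROP policy, appending with -A in a deliberate order is equivalent to -I, which only makes a difference when rules already sit ahead of yours.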

Offline cwongcpa

  • Newbie
  • *
  • Posts: 10
Re: hostapd and iptable
« Reply #14 on: February 08, 2013, 02:17:08 AM »
Thank you everybody,

Rich, I'll try to do so.  It is likely dnsmasq is the same as dhcpd.  Since I put the IP address manually, I should not need dnsmasq.  But anyway, I will try next week.

Hiro,
how did you set the route on your mobile phone?

Do you mean, IP, netmask and gateway?

I've already tried different combinations.

Coreplayer2:

I've tried "-I" but no success.

MANY MANY THANKS.