Tiny Core Linux

Tiny Core Extensions => TCE Talk => Topic started by: cwongcpa on February 04, 2013, 10:23:42 PM

Title: hostapd and iptable
Post by: cwongcpa on February 04, 2013, 10:23:42 PM
I have a wired router, a Tiny Linux computer and a wireless LAN card.  Now I need my Tiny Linux computer to act as a wireless router to share the internet connection with my mobile phone.

IP as follows :
Wired Router : 192.168.1.1
Tiny Linux eth0 : 192.168.1.2
Tiny Linux wlan0 : 192.168.1.3
Mobile phone : 192.168.1.4

After running hostapd, I can connect to Tiny Linux from my mobile phone but am unable to get the internet connection.  I think it is a problem with iptables.  Can anyone help me set it up?  Many, many thanks in advance.

My iptables rules as follows:

sudo iptables -F
sudo iptables -F -t nat
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

Title: Re: hostapd and iptable
Post by: Rich on February 04, 2013, 10:49:59 PM
Hi cwongcpa
Did you follow the instructions in the info file?
Code:
Copy /usr/local/etc/hostapd.conf.sample somewhere, and
run as:
sudo hostapd /path/to/conf

If you disable iptables, can you connect then?
Title: Re: hostapd and iptable
Post by: hiro on February 05, 2013, 12:02:23 AM
you also need
sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
Title: Re: hostapd and iptable
Post by: cwongcpa on February 05, 2013, 12:32:47 AM
Yes, I can connect without firewall.

I've also executed sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'


My script is
sudo mkdir /lib/firmware/
sudo rsync -a /mnt/sda1/rt73.bin /lib/firmware/rt73.bin
sudo rsync -a /mnt/sda1/hostapd.conf /usr/local/etc/hostapd.conf

sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'


sudo iptables -F -t nat
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

sudo hostapd -B /usr/local/etc/hostapd.conf


Thanks for your reply (Rich and Hiro)
Title: Re: hostapd and iptable
Post by: Rich on February 05, 2013, 07:21:25 AM
Hi cwongcpa
Maybe
Quote:
    Wired Router : 192.168.1.1
    Tiny Linux eth0 : 192.168.1.2
need to be in a different subnet than
Quote:
    Tiny Linux wlan0 : 192.168.1.3
    Mobile phone : 192.168.1.4
Title: Re: hostapd and iptable
Post by: althalus on February 05, 2013, 06:58:01 PM
I agree with Rich - what you're doing could be a lot simpler and easier to set up if wlan0 and connected devices were using a different subnet (say 192.168.2.x).
Title: Re: hostapd and iptable
Post by: cwongcpa on February 05, 2013, 10:58:46 PM
Thank you Rich and althalus!

I've tried, but without success.

I changed the code as follows but still no luck:

sudo mkdir /lib/firmware/
sudo rsync -a /mnt/sda1/rt73.bin /lib/firmware/rt73.bin
sudo rsync -a /mnt/sda1/hostapd.conf /usr/local/etc/hostapd.conf
sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

sudo ifconfig wlan0 192.168.2.97 netmask 255.255.255.0

sudo iptables -F -t nat
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
sudo hostapd -B /usr/local/etc/hostapd.conf

My mobile phone :
IP 192.168.2.4
netmask 255.255.255.0
Gateway 192.168.2.3

Result from iptables -L

tc@Server:/mnt/sda1$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  192.168.1.0/24       anywhere            ctstate NEW
ACCEPT     all  --  anywhere             anywhere            ctstate RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Result from iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere


Result from : ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0E:A6:36:80:DC
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1974652 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2492374 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1266109382 (1.1 GiB)  TX bytes:2339410646 (2.1 GiB)
          Interrupt:18

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:123 errors:0 dropped:0 overruns:0 frame:0
          TX packets:123 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:7884 (7.6 KiB)  TX bytes:7884 (7.6 KiB)

mon.wlan0 Link encap:UNSPEC  HWaddr 00-23-CD-B7-86-9D-00-00-00-00-00-00-00-00-00-00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1250 (1.2 KiB)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr 00:23:CD:B7:86:9D
          inet addr:192.168.2.3  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8 errors:0 dropped:6 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1140 (1.1 KiB)  TX bytes:1284 (1.2 KiB)

Would you mind telling me where my mistake is?  I'm not a computer man and not familiar with network concepts.  Many, many thanks in advance!
Title: Re: hostapd and iptable
Post by: Rich on February 05, 2013, 11:07:28 PM
Hi cwongcpa
I think you might also need a route command.
Try Googling "hostapd iptables" for some examples on how to set up a wireless access point.
Title: Re: hostapd and iptable
Post by: cwongcpa on February 05, 2013, 11:13:20 PM
Hi Rich,

I've also tried the route command today, but also no luck.

sudo route add -net 192.168.2.3 netmask 255.255.255.0 gw 192.168.1.2
Title: Re: hostapd and iptable
Post by: Rich on February 06, 2013, 07:28:13 AM
Hi cwongcpa
Have you read this:
http://code.google.com/p/quickanddirty/wiki/CreatingWirelessHotspotWithLinux#Alternative:_Internet_Sharing_with_iptables
It might give you a better idea of what the sequence of events should be. You probably also need dnsmasq.tcz.
Title: Re: hostapd and iptable
Post by: hiro on February 06, 2013, 07:46:51 AM
How did you set the route on your mobile phone?
Title: Re: hostapd and iptable
Post by: tinypoodle on February 06, 2013, 10:04:56 AM
http://code.google.com/p/quickanddirty/wiki/CreatingWirelessHotspotWithLinux#Alternative:_Internet_Sharing_with_iptables
It might give you a better idea of what the sequence of events should be. You probably also need dnsmasq.tcz.
Also, interface used must be configured in ap/master mode which that method omits to mention.
Title: Re: hostapd and iptable
Post by: coreplayer2 on February 06, 2013, 11:33:16 PM
Just my observation here.  And this might not be a factor in the FORWARD chain as you only have the two rules, but AIUI using the -A option is often counterproductive in amending the iptables, as the rules get applied after the packets get dropped by some earlier rule.  Using the -I option inserts the rule at the top of the list and allows the packets to be handled as desired; then, if these rules do not apply, they are dropped by the deny-all rule.

sudo iptables -I FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -I FORWARD -i wlan0 -o eth0 -j ACCEPT


If you need these rules to be applied first, then use the -I option.  This is how I add rules (in my limited experience with them), which works for me.  Actually, I have never used the -A option, which appends to the bottom of the chain.

Perhaps there is some other issue here, but I hope that helps.
Title: Re: hostapd and iptable
Post by: coreplayer2 on February 07, 2013, 01:09:23 AM
Also, your FORWARD iptables entry doesn't specify the inbound packet source IP, like "-s 0/0" (means any).  I am not 100% sure, but I think you have to specify it, otherwise no packet will meet the rule.

iptables -I FORWARD -s 0/0 -i eth0 -d 192.168.1.160 -o eth1 -p TCP --sport 1024:65535 --dport 80 -j ACCEPT

This means: insert at the TOP of the list a rule for packets that match this rule from ANY source on input interface eth0, to be routed to the machine with IP address 192.168.1.160 via output interface eth1, from TCP source port range 1024 to 65535 and destination port 80, then jump to this chain if the packets meet this criteria.


This only allows already established connections:
Quote:
    sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Also, a rule needs to allow the initial connection to the firewall via port 80, which should be in INPUT; as it stands, from the above iptables in post #6, nothing is allowed access to the firewall.

iptables -I INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT

Hope that helps
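Pulling together Rich's and althalus's point about putting wlan0 on its own subnet with the NAT and FORWARD rules discussed above, here is an added example (not code from any poster in this thread) that refuses to build a rule set when the two sides overlap and otherwise emits a tightened version of the posted rules: FORWARD defaults to DROP, and MASQUERADE is scoped to the wireless subnet. The interface names and the /24 masks are assumptions taken from the ifconfig output earlier in the thread.

```python
import ipaddress

# Constructed values following the thread's second layout: wired side on
# 192.168.1.0/24, wireless side on 192.168.2.0/24 (the /24 masks are assumed).
WAN_IF, LAN_IF = "eth0", "wlan0"
WAN_ADDR, LAN_ADDR = "192.168.1.2/24", "192.168.2.3/24"


def subnets_overlap(addr_a, addr_b):
    """True when two interface addresses (CIDR strings) sit in overlapping
    networks, the first post's layout with eth0 and wlan0 both in 192.168.1.0/24."""
    net_a = ipaddress.ip_interface(addr_a).network
    net_b = ipaddress.ip_interface(addr_b).network
    return net_a.overlaps(net_b)


def build_rules(wan_if, lan_if, wan_addr, lan_addr):
    """Return the commands for a NAT gateway forwarding lan_if -> wan_if.

    Differences from the rules posted in the thread: FORWARD defaults to DROP
    rather than relying on the ACCEPT policy, MASQUERADE and the outbound
    ACCEPT are limited to sources that really belong to the wireless subnet,
    and the function refuses to proceed when the two sides overlap, because a
    client with an on-link route to the wired side never sends its traffic
    through the gateway in the first place.
    """
    if subnets_overlap(wan_addr, lan_addr):
        raise ValueError(f"{wan_if} {wan_addr} and {lan_if} {lan_addr} share a subnet")
    lan = ipaddress.ip_interface(lan_addr).network
    return [
        "sysctl -w net.ipv4.ip_forward=1",
        "iptables -F",
        "iptables -t nat -F",
        "iptables -P FORWARD DROP",
        f"iptables -t nat -A POSTROUTING -s {lan} -o {wan_if} -j MASQUERADE",
        f"iptables -A FORWARD -i {lan_if} -o {wan_if} -s {lan} -j ACCEPT",
        f"iptables -A FORWARD -i {wan_if} -o {lan_if} "
        "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
    ]


if __name__ == "__main__":
    # Print the script rather than executing it, so it can be reviewed first.
    print("\n".join("sudo " + cmd for cmd in build_rules(WAN_IF, LAN_IF, WAN_ADDR, LAN_ADDR)))
```

The printed commands still need hostapd started on wlan0 afterwards, and a DNS server address on the phone (hiro's point), before browsing will work.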
Title: Re: hostapd and iptable
Post by: cwongcpa on February 08, 2013, 02:17:08 AM
Thank you everybody,

Rich, I'll try to do so.  It is likely dnsmasq is the same as dhcpd.  Since I put the IP address in manually, I should not need dnsmasq.  But anyway, I will try next week.

Hiro,
how did you set the route on your mobile phone?

Do you mean, IP, netmask and gateway?

I've already tried different combinations.

Coreplayer2:

I've tried "-I" but without success.

MANY MANY THANKS.


Title: Re: hostapd and iptable
Post by: hiro on February 08, 2013, 06:21:52 AM
I mean gateway, yes.
And did you also put the address of some reasonable DNS server on the phone?
Title: Re: hostapd and iptable
Post by: coreplayer2 on February 08, 2013, 08:34:22 AM
I thought the most likely problem was not having any INPUT rule..?   I have never created a router from scratch before, but without an INPUT rule do you have access to the router at all?