1

I have the following iptables rules:

*nat -A POSTROUTING -o wlan0 -j MASQUERADE COMMIT *filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -i wlan1 -p tcp -m state --state NEW --dport 22 -j ACCEPT -A INPUT -j DROP COMMIT

wlan0 is attached to the public network.

wlan1 is attached to a private network.

SSH is permitted to the router from the private network.

The goal is for traffic that originates on the network attached to wlan1 to appear to originate from the router, hence the MASQUERADE.

I don't want anything to be able to make a connection on the public interface; the final INPUT rule is to drop all incoming connections to the router itself.

However, the drop rule on the INPUT chain appears to be dropping the traffic that should be bound for the network attached to wlan1.

If I remove the drop rule on the INPUT chain - it seems to work, however doing so allows connections to the router.

Update:

The same apparent network configuration works normally on Centos, but on Raspbian nothing is forwarded and the INPUT drop rule continues to count up.

NB The policy on all chains in this test environment is set to ACCEPT, hence the FORWARD rules in the accepted answer are not necessary in this case.

Improve this question

1 Answer 1

Reset to default
0

If you want the system to route traffic from wlan1 to wlan0, you must enable forwarding. To do that, the first step is to enable the master switch of forwarding:

sysctl net.ipv4.ip_forward=1

(To make this persistent, add net.ipv4.ip_forward=1 to /etc/sysctl.conf.)

Then you'll need some iptables FORWARD rules that will dictate what happens to any forwardable traffic:

iptables -A FORWARD -i wlan1 -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -j DROP
Improve this answer
0

You must log in to answer this question.