ethernet bridging/iptables question

Forum: LinuxTotal Replies: 0
tuxchick

Jan 17, 2007
7:00 PM EDT
yo homies,

This is driving me crazy. I am trying to build a combination DSL router/wireless access point with Pyramid Linux on a WRAP board. It looks like this:

dsl modem - router/WAP - switch - LAN

The router has an Atheros tri-mode wireless card, and two wired Ethernet ports in use. The configs are like this:

LAN IP = 192.168.1.25
br0 = ath0 bridged to eth0

WAN IP = 22.33.44.55
eth1

What's driving me nuts is that all LAN hosts, both wired and wireless, have Internet, and wired hosts can ping each other, but wireless hosts cannot ping wired, or the reverse. All of them can ping the router.

I'm running an iptables firewall on this little beast. With the firewall turned off, everything works. I've tried all different kinds of rules until I'm ready to chuck the whole works out the window. The speedbump seems to be the forwarding chain. I set a default policy of FORWARD DROP, and should be able to write some forwarding rules for the bridge, but nothing I've tried works.

So- I seek wisdom. What do I have to do to get my wired and wireless PCs talking to each other?

#!/bin/sh
#iptables firewall script for sharing a cable or DSL Internet
#connection, with no public services

#define variables
ipt="/sbin/iptables"
mod="/sbin/modprobe"
LAN_IFACE="br0"
WAN_IFACE="eth1"

#load kernel modules
$mod ip_tables
$mod iptable_filter
$mod iptable_nat
$mod ip_conntrack
$mod ipt_LOG
$mod ipt_limit
$mod ipt_state
$mod iptable_mangle
$mod ipt_MASQUERADE
$mod ip_nat_ftp
$mod ip_nat_irc
$mod ip_conntrack_ftp
$mod ip_conntrack_irc

# Flush all active rules and delete all custom chains
$ipt -F
$ipt -t nat -F
$ipt -t mangle -F
$ipt -X
$ipt -t nat -X
$ipt -t mangle -X

#Set default policies
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
$ipt -t nat -P OUTPUT ACCEPT
$ipt -t nat -P PREROUTING ACCEPT
$ipt -t nat -P POSTROUTING ACCEPT
$ipt -t mangle -P PREROUTING ACCEPT
$ipt -t mangle -P POSTROUTING ACCEPT

#this line is necessary for the loopback interface
#and internal socket-based services to work correctly
$ipt -A INPUT -i lo -j ACCEPT

#Allow incoming SSH from the LAN only to the gateway box
$ipt -A INPUT -p tcp -i $LAN_IFACE -s 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT

#Enable IP masquerading
#$ipt -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
$ipt -t nat -A POSTROUTING -o $WAN_IFACE -j SNAT --to-source 12.169.163.241

#Enable unrestricted outgoing traffic, incoming
#is restricted to locally-initiated sessions only
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Accept ICMP echo-request and time-exceeded
$ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

#Reject connection attempts not initiated from inside the LAN
#$ipt -A INPUT -p tcp --syn -j DROP
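The forwarding gap described in the post, as an added example that is not part of tuxchick's script: when bridge-netfilter is active, frames bridged between ath0 and eth0 still traverse the iptables FORWARD chain, but with br0 as both the input and the output interface, so the script's br0-to-eth1 and eth1-to-br0 rules never match them and the FORWARD DROP policy applies. The helper below assumes the post's names (br0, eth1) and the `iptables -S` rule listing format; it prints the missing rule and checks a ruleset for it before touching anything.

```sh
#!/bin/sh
# Added example, not tuxchick's script. Assumes the post's layout: br0 bridges
# ath0 and eth0, eth1 is the WAN, and bridge-netfilter is on
# (/proc/sys/net/bridge/bridge-nf-call-iptables = 1), so frames bridged between
# ath0 and eth0 traverse FORWARD with -i br0 AND -o br0. The original rules
# only match br0<->eth1, so wired<->wireless frames fall to the DROP policy.
IPT="${IPT:-/sbin/iptables}"
LAN_IFACE="${LAN_IFACE:-br0}"

# The missing rule: accept traffic that enters and leaves on the bridge itself.
bridge_forward_rule() {
    printf '%s\n' "-A FORWARD -i $LAN_IFACE -o $LAN_IFACE -j ACCEPT"
}

# Equivalent using the physdev match; narrow it with --physdev-in/--physdev-out
# if wireless-to-wired traffic should be filtered rather than accepted wholesale.
bridge_forward_rule_physdev() {
    printf '%s\n' "-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT"
}

# Read "iptables -S FORWARD" style rules on stdin; succeed (0) only if a rule
# already accepts bridged traffic, so the check is safe to run repeatedly.
forward_allows_bridge() {
    grep -qE -- "^-A FORWARD .*(-i $LAN_IFACE -o $LAN_IFACE|--physdev-is-bridged).* -j ACCEPT"
}

# Only touches the live firewall when invoked as: sh thisscript.sh apply
if [ "${1:-}" = "apply" ]; then
    if "$IPT" -S FORWARD | forward_allows_bridge; then
        echo "FORWARD already accepts bridged $LAN_IFACE traffic"
    else
        # word splitting of the rule spec into arguments is intended here
        "$IPT" $(bridge_forward_rule)
    fi
fi
```

Without the `apply` argument the script only defines the helpers, so it can be sourced into the existing firewall script and the rule added right after the two br0/eth1 FORWARD lines.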
