
iptables question regarding NAT and routing

  • 07-04-2004 8:41pm
    #1
    Banned (with Prison Access) Posts: 13,018 ✭✭✭✭


    OK, not sure if this should go in Networking or somewhere else, but anyway, I'm on a Red Hat 9 box and I'm after installing a Netgear MA311 wireless card to act as an access point with the driver hostap.

    I have a wired connection on my LAN on the eth0 interface and I want wireless clients to be able to connect to the internet via a DHCP server (from the wlan0 interface).

    I'm on a college LAN so I suppose any traffic going on the LAN will be routed to the college LAN gateway, e.g. here:


    192.168.1.10 (a wireless client) --> 192.168.1.1 (wireless access point) --> 157.190.181.57 (ethernet card address) --> 157.190.181.1
    (college LAN which I have no control over)

    Would something like this work?

    iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE


    iptables --append FORWARD --in-interface wlan0 -j ACCEPT
    ________________________________________
    echo 1 > /proc/sys/net/ipv4/ip_forward

    - Enables packet forwarding by kernel

    route add -net 192.168.1.0 netmask 255.255.255.0 gw XXX.XXX.XXX.XXX dev wlan0

    Where XXX.XXX.XXX.XXX is the internet gateway defined by my LAN (not sure if this is my computer or the gateway of my computer!?)

    So what do ye think, am I missing anything at all!?

    Surely there is more, or does that look right?
    I'll be testing it tomorrow but wondering am I going about it the right way.

    Sorry again if posted in the wrong place and if too long!


Comments

  • Registered Users, Registered Users 2 Posts: 1,419 ✭✭✭nadir


    XXX.XXX.XXX.XXX is the address of the machine you are routing through

    like in my case where 192.168.0.1 is online.

    route add default gw 192.168.0.1


    For the table listing, erm, play around with it, but I would use something like this.

    iptables -A INPUT -d 10.0.0.0/8 -i eth0 -j DROP
    iptables -A INPUT -m state --state NEW,INVALID -i eth0 -j DROP
    iptables -A INPUT -p tcp --syn -i eth0 -j DROP
    iptables -A FORWARD -i wlan0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

    iptables -I INPUT 1 -p tcp -m multiport --dport whateverportnumbers -j ACCEPT


    Now I'm pretty sure that will need some (a lot) tweaking, but hopefully it will put you on the right track, and not confuse you more.

    ;)
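
Added example, not part of either poster's message: a rule set for the wlan0 -> eth0 gateway discussed above, using the interface names and the 192.168.1.0/24 subnet from the first post. The default-DROP FORWARD policy and the source-restricted MASQUERADE rule are assumptions of this example, and IPT is a hypothetical switch that only prints the commands unless it is set to iptables.

```shell
#!/bin/sh
# Added example: rule set for a wlan0 -> eth0 NAT gateway.
# IPT is a hypothetical switch: by default the commands are only printed
# for review; run with IPT=iptables (as root) to apply them.
IPT="${IPT:-echo iptables}"

nat_gateway_rules() {
    lan_if="$1"; wan_if="$2"; lan_net="$3"

    # Forward nothing unless one of the rules below allows it.
    $IPT -P FORWARD DROP
    # Wireless clients may open connections towards the wired side.
    $IPT -A FORWARD -i "$lan_if" -o "$wan_if" -s "$lan_net" -j ACCEPT
    # Only replies come back: the wired side cannot start connections
    # to the wireless clients.
    $IPT -A FORWARD -i "$wan_if" -o "$lan_if" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Rewrite the source address for the wireless subnet only.
    $IPT -t nat -A POSTROUTING -s "$lan_net" -o "$wan_if" -j MASQUERADE

    # Kernel forwarding is switched on only when the rules are really applied.
    if [ "$IPT" = "iptables" ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Values from the thread: wireless side wlan0, wired side eth0.
nat_gateway_rules wlan0 eth0 192.168.1.0/24
```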


  • Banned (with Prison Access) Posts: 13,018 ✭✭✭✭jank


    OK, well I can reach my site on the Apache server from a wireless client but can't seem to route traffic onto the net at all.

    I've tried different gateways and iptables settings but none seem to work at all.
    "
    iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
    iptables --append FORWARD --in-interface wlan0 -j ACCEPT
    echo 1 > /proc/sys/net/ipv4/ip_forward"

    That's fine but I can't seem to route any traffic at all onto the college LAN and then onto the net.

    I have sniffers working on the two interfaces and the eth0 picks up nothing while the wlan0 picks up traffic routed to my site but little else.

    When I enter a domain address, e.g. like www.yahoo.com, all I get is an error message straight away, no traffic is routed at all.
    Do I have to set name servers!?
    I'll post up my route -n if it's of any help:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.1.0     *               255.255.255.0   U     0      0        0 wlan0
    157.190.181.0   *               255.255.255.0   U     0      0        0 eth0
    169.254.0.0     *               255.255.0.0     U     0      0        0 wlan0
    127.0.0.0       *               255.0.0.0       U     0      0        0 lo
    default         157.190.181.57  0.0.0.0         UG    0      0        0 eth0
    default         157.190.181.1   0.0.0.0         UG    0      0        0 eth0

    I know I have 2 default gateways but I put in
    route default gateway 157.190.181.57 and that came up.


  • Registered Users, Registered Users 2 Posts: 1,419 ✭✭✭nadir


    Yeah, well you should only have one default gw to the router 157.190.181.57
    so route del -net 157.190.181.1 netmask whatever dev eth0 or something like that.

    But it does look OK, all I can think of is this.

    1. Can you ping Google's IP address, for example, rather than the google.com? If so then set /etc/resolv.conf to the local DNS server.
    nameserver xxx.xxx.xxx.xxx

    2. If it's in college, is there some firewall blocking you? I'm not sure what sniffer you are using, but tcpdump gives very verbose info, good for debugging.
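
Added example, not part of any poster's message: a check that reads a routing table like the one posted above and reports every default route, marking any whose gateway is one of the machine's own addresses (such a route does not lead off the box) and any duplicate defaults. The sample table is constructed from the listing in the thread, the own addresses are the 157.190.181.57 and 192.168.1.1 given in the first post, and the function names and output labels are this example's own.

```shell
#!/bin/sh
# Added example: sanity-check the default routes in `route` / `route -n` output.
# Usage: route -n | check_default_routes OWN_ADDR [OWN_ADDR ...]
check_default_routes() {
    awk -v own="$*" '
        BEGIN {
            # Addresses configured on this machine, passed as arguments.
            n = split(own, a, " ")
            for (i = 1; i <= n; i++) mine[a[i]] = 1
        }
        # `route` prints "default"; `route -n` prints 0.0.0.0 instead.
        $1 == "default" || $1 == "0.0.0.0" {
            count++
            if ($2 in mine)
                printf "SELF-GATEWAY %s via %s\n", $2, $NF
            else
                printf "OK %s via %s\n", $2, $NF
        }
        END {
            if (count == 0) print "NO-DEFAULT"
            if (count > 1)  print "MULTIPLE-DEFAULTS " count
        }'
}

# Constructed sample: the relevant rows of the table posted in the thread.
sample_table() {
cat <<'EOF'
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 * 255.255.255.0 U 0 0 0 wlan0
157.190.181.0 * 255.255.255.0 U 0 0 0 eth0
default 157.190.181.57 0.0.0.0 UG 0 0 0 eth0
default 157.190.181.1 0.0.0.0 UG 0 0 0 eth0
EOF
}

# Own addresses from the first post: eth0 and the wireless access point side.
sample_table | check_default_routes 157.190.181.57 192.168.1.1
```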

