lakinduakash / linux-wifi-hotspot

Feature-rich wifi hotspot creator for Linux which provides both a GUI and a command-line interface. It is also able to create a hotspot using the same wifi card that is already connected to an AP (similar to Windows 10).
BSD 2-Clause "Simplified" License

firewalld support #166

Open nahil1 opened 3 years ago

nahil1 commented 3 years ago

The following commands are needed to allow traffic when firewalld is being used.

sudo firewall-cmd --add-service=dhcp
sudo firewall-cmd --add-service=dns
sudo firewall-cmd  --add-masquerade

sudo firewall-cmd -q --direct --add-rule ipv4 nat POSTROUTING 0 -o <ap_iface> -j MASQUERADE
sudo firewall-cmd -q --direct --add-rule ipv4 filter FORWARD 0 -i <internet_iface> -o <ap_iface> -j ACCEPT
sudo firewall-cmd -q --direct --add-rule ipv4 filter FORWARD 0 -i <ap_iface> -o <internet_iface> -m state --state RELATED,ESTABLISHED -j ACCEPT
tubbadu commented 2 years ago

What should <ap_iface> and <internet_iface> be substituted with?

lakinduakash commented 2 years ago

@tubbadu check the ui dropdowns

Luciogi commented 2 years ago

Edit: This solution is NOT working, GOTO


Just add the adapter name in the variables (wifi_iface and internet_iface; in my case export wifi_iface=wlan0 and export internet_iface=wlan0), then execute the commands:

export wifi_iface=
export internet_iface=
sudo firewall-cmd --add-service=dhcp
sudo firewall-cmd --add-service=dns
sudo firewall-cmd  --add-masquerade

sudo firewall-cmd -q --direct --add-rule ipv4 nat POSTROUTING 0 -o $wifi_iface -j MASQUERADE
sudo firewall-cmd -q --direct --add-rule ipv4 filter FORWARD 0 -i $internet_iface -o $wifi_iface -j ACCEPT
sudo firewall-cmd -q --direct --add-rule ipv4 filter FORWARD 0 -i $wifi_iface -o $internet_iface -m state --state RELATED,ESTABLISHED -j ACCEPT
lakinduakash commented 2 years ago

@Luciogi Thanks I'll add those and test them soon.

Luciogi commented 2 years ago

@lakinduakash this solution is not working

Luciogi commented 2 years ago

Working Solution:

I am using Fedora 35 for testing; firewalld has the default zone FedoraWorkstation. My approach is to enable masquerade in the zones trusted and FedoraWorkstation, and add the interface ap0 to the trusted zone. Executing the following command block will allow internet access and IP allocation via the hotspot:

sudo firewall-cmd --zone=FedoraWorkstation --add-masquerade
sudo firewall-cmd --zone=trusted --add-masquerade
sudo firewall-cmd --zone=trusted --add-interface=ap0

Edit: Please test it and give feedback

lakinduakash commented 2 years ago

Thanks @Luciogi for testing it. Could someone please test it? Currently I don't have a Fedora environment.

NHellFire commented 2 years ago

This will allow clients to connect and have internet access (tested on Ubuntu 22.04 with firewalld 1.1.1) without allowing them access to other services on the host:

firewall-cmd --permanent --new-zone=hotspot
firewall-cmd --permanent --zone=hotspot --add-service=dhcp
firewall-cmd --permanent --zone=hotspot --add-service=dns
firewall-cmd --permanent --zone=hotspot --add-interface=ap0

# Ensure the DNS ports are forwarded
firewall-cmd --permanent --zone=hotspot --add-rich-rule='rule family="ipv4" forward-port port="53" protocol="tcp" to-port="5353" destination address="192.168.12.1"'
firewall-cmd --permanent --zone=hotspot --add-rich-rule='rule family="ipv4" forward-port port="53" protocol="udp" to-port="5353" destination address="192.168.12.1"'

# Change public to whatever zone you've assigned the internet connection to
firewall-cmd --permanent --zone=public --add-masquerade

firewall-cmd --permanent --new-policy hotspot-forwarding
firewall-cmd --permanent --policy hotspot-forwarding --add-ingress-zone hotspot
# Change public to whatever zone you've assigned the internet connection to
firewall-cmd --permanent --policy hotspot-forwarding --add-egress-zone public
# If you want to restrict what ports clients can access on the internet, you can remove this
firewall-cmd --permanent --policy hotspot-forwarding --set-target ACCEPT
# And add specific services instead
#firewall-cmd --permanent --policy hotspot-forwarding --add-service http

firewall-cmd --reload

These rules will persist after a reboot, so you shouldn't need to touch them again unless you want to allow more zones to be used for internet.
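An added audit helper (not from the project or from this thread) for the zone-based setup above: it reads the output of `firewall-cmd --zone=<zone> --list-all` from stdin and checks the properties that keep clients off the host's other services (ap0 bound to the zone, zone target not ACCEPT, only dhcp/dns exposed). The interface name and the sample outputs are assumptions constructed for the example.

```shell
#!/bin/sh
# Audit the firewalld zone that the hotspot interface lands in. Input is the
# text of `firewall-cmd --zone=<zone> --list-all` on stdin. Prints one
# "finding:" line per problem and returns 1 if any were found, else 0.
AP_IFACE="${AP_IFACE:-ap0}"   # assumption: the hotspot interface name

check_hotspot_zone() {
    zone=$(cat)
    rc=0
    # 1. The interface must actually be bound to the zone being audited.
    bound=0
    for i in $(printf '%s\n' "$zone" | sed -n 's/^  interfaces: *//p'); do
        [ "$i" = "$AP_IFACE" ] && bound=1
    done
    [ "$bound" -eq 1 ] || { echo "finding: $AP_IFACE is not bound to this zone"; rc=1; }
    # 2. A target of ACCEPT (what the built-in trusted zone uses) lets clients
    #    reach every listening service on the host, not just dhcp/dns.
    target=$(printf '%s\n' "$zone" | sed -n 's/^  target: *//p')
    [ "$target" != "ACCEPT" ] || { echo "finding: target ACCEPT exposes every host service to clients"; rc=1; }
    # 3. Only the services the hotspot needs should be exposed to clients.
    for s in $(printf '%s\n' "$zone" | sed -n 's/^  services: *//p'); do
        case "$s" in
            dhcp|dns) ;;
            *) echo "finding: service '$s' reachable from hotspot clients"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample outputs (not captured from a real host), modelled on the
# firewalld 1.x --list-all layout: a dedicated hotspot zone and ap0 dropped
# into the trusted zone with an extra service.
GOOD_ZONE='hotspot (active)
  target: default
  icmp-block-inversion: no
  interfaces: ap0
  sources:
  services: dhcp dns
  ports:
  masquerade: no
  rich rules:
    rule family="ipv4" forward-port port="53" protocol="udp" to-port="5353" destination address="192.168.12.1"'
TRUSTED_ZONE='trusted (active)
  target: ACCEPT
  interfaces: ap0
  services: ssh
  masquerade: yes'

printf '%s\n' "$GOOD_ZONE" | check_hotspot_zone && echo "hotspot zone: OK"
printf '%s\n' "$TRUSTED_ZONE" | check_hotspot_zone || echo "trusted zone: see findings"
```

On a live host, pipe `firewall-cmd --zone=hotspot --list-all` into check_hotspot_zone instead of the constructed samples.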

lxwulf commented 1 year ago

> Working Solution:
>
> I am using Fedora 35 for testing; firewalld has the default zone FedoraWorkstation. My approach is to enable masquerade in the zones trusted and FedoraWorkstation, and add the interface ap0 to the trusted zone. Executing the following command block will allow internet access and IP allocation via the hotspot:
>
> sudo firewall-cmd --zone=FedoraWorkstation --add-masquerade
> sudo firewall-cmd --zone=trusted --add-masquerade
> sudo firewall-cmd --zone=trusted --add-interface=ap0
>
> Edit: Please test it and give feedback
>
> * **fwd** firewall works without any problem

Sadly, this doesn't work somehow…

Are there some special settings which I missed? I got an IP address with my phone, but no internet connection.

IP of phone: 192.168.12.13
Gateway of phone: 192.168.12.1
Gateway of ap0: 192.168.12.1

I have a virtual interface as LAN device, but this shouldn't generate any problems, right?

Ethernet port enp1s0: IP 192.168.12.103, gateway 192.168.12.1

Normally this would be 192.168.3.3 with gateway 192.168.3.1. I have internet in my VM, but not on the hotspot. If I missed something worth mentioning, just ask; I'll try to deliver.

Greets LxWulf

Edit: Yes, I use Fedora 37 with the newest updates.

Luciogi commented 1 year ago

@lxwulf Are you using Fedora 37 on VM?

lxwulf commented 1 year ago

@Luciogi Yes, exactly!

It does work with a LAN PCI pass through, but not with virtual devices, at least on my side.

Luciogi commented 1 year ago

@lxwulf I guess the VM can't directly access all wifi card capabilities; it uses a bridge or NAT connection coming from the host OS. Maybe a USB wifi adapter might work.

lxwulf commented 1 year ago

@Luciogi Yes, worth trying, but at the moment I have no USB dongle. I'll keep this in mind for later.

tubbadu commented 1 year ago

> This will allow clients to connect and have internet access (tested on Ubuntu 22.04 with firewalld 1.1.1) without allowing them access to other services on the host:
>
> firewall-cmd --permanent --new-zone=hotspot
> firewall-cmd --permanent --zone=hotspot --add-service=dhcp
> firewall-cmd --permanent --zone=hotspot --add-service=dns
> firewall-cmd --permanent --zone=hotspot --add-interface=ap0
>
> # Ensure the DNS ports are forwarded
> firewall-cmd --permanent --zone=hotspot --add-rich-rule='rule family="ipv4" forward-port port="53" protocol="tcp" to-port="5353" destination address="192.168.12.1"'
> firewall-cmd --permanent --zone=hotspot --add-rich-rule='rule family="ipv4" forward-port port="53" protocol="udp" to-port="5353" destination address="192.168.12.1"'
>
> # Change public to whatever zone you've assigned the internet connection to
> firewall-cmd --permanent --zone=public --add-masquerade
>
> firewall-cmd --permanent --new-policy hotspot-forwarding
> firewall-cmd --permanent --policy hotspot-forwarding --add-ingress-zone hotspot
> # Change public to whatever zone you've assigned the internet connection to
> firewall-cmd --permanent --policy hotspot-forwarding --add-egress-zone public
> # If you want to restrict what ports clients can access on the internet, you can remove this
> firewall-cmd --permanent --policy hotspot-forwarding --set-target ACCEPT
> # And add specific services instead
> #firewall-cmd --permanent --policy hotspot-forwarding --add-service http
>
> firewall-cmd --reload
>
> These rules will persist after a reboot, so you shouldn't need to touch them again unless you want to allow more zones to be used for internet.

I'm on Fedora 37, and with these settings my Android device is "connected without internet access".

Luciogi commented 1 year ago

@tubbadu Please test this https://github.com/lakinduakash/linux-wifi-hotspot/issues/166#issuecomment-1105388859

mxvin commented 1 year ago

We need proper support for firewalld, something nice like @NHellFire's script translating the existing regular iptables rules. For the fast and easy way already discussed here, that is masquerade + add ap0 to zones.

KronosTheLate commented 1 year ago

On Debian 12 with firewalld enabled, the problem was fixed by only the first three lines. Namely:

sudo firewall-cmd --add-service=dhcp
sudo firewall-cmd --add-service=dns
sudo firewall-cmd  --add-masquerade

But yes, given that firewalld is enabled by default on several distros (including Debian), this should probably be done automatically.

If nothing else, just check whether sudo firewall-cmd --state returns running, and if it does, print something during installation along the lines of "You have firewalld running. This may require explicitly adding some rules to allow network traffic. Please visit if you face issues."

EDIT: Even though I could not connect to the network, I could not use mDNS to resolve the hostname. I ended up disabling firewalld, and expect to be using something that is not as obstructive in the future.

poopsicles commented 10 months ago

> Edit: This solution is NOT working, GOTO
>
> Just add the adapter name in the variables (wifi_iface and internet_iface; in my case export wifi_iface=wlan0 and export internet_iface=wlan0), then execute the commands:
>
> export wifi_iface=
> export internet_iface=
> sudo firewall-cmd --add-service=dhcp
> sudo firewall-cmd --add-service=dns
> sudo firewall-cmd  --add-masquerade
>
> sudo firewall-cmd -q --direct --add-rule ipv4 nat POSTROUTING 0 -o $wifi_iface -j MASQUERADE
> sudo firewall-cmd -q --direct --add-rule ipv4 filter FORWARD 0 -i $internet_iface -o $wifi_iface -j ACCEPT
> sudo firewall-cmd -q --direct --add-rule ipv4 filter FORWARD 0 -i $wifi_iface -o $internet_iface -m state --state RELATED,ESTABLISHED -j ACCEPT

This works for me on Fedora 39.

poopsicles commented 10 months ago

> Working Solution:
>
> I am using Fedora 35 for testing; firewalld has the default zone FedoraWorkstation. My approach is to enable masquerade in the zones trusted and FedoraWorkstation, and add the interface ap0 to the trusted zone. Executing the following command block will allow internet access and IP allocation via the hotspot:
>
> sudo firewall-cmd --zone=FedoraWorkstation --add-masquerade
> sudo firewall-cmd --zone=trusted --add-masquerade
> sudo firewall-cmd --zone=trusted --add-interface=ap0
>
> Edit: Please test it and give feedback
>
> * **fwd** firewall works without any problem

Is there a way to make this permanent? Would adding --permanent work?

Luciogi commented 10 months ago

> Is there a way to make this permanent? Would adding --permanent work?

No idea, I am not using firewalld and Fedora anymore; I forgot whether these commands make permanent rules.

lxwulf commented 10 months ago

I use Fedora Linux since version 30, and now I'm on version 39. I can confirm that the firewall-cmd command with option --permanent does work to have permanent settings. After this, you can reload the firewall to take the new settings in => firewall-cmd --reload.

All changes without the --permanent option are temporary and are lost when the firewall gets reloaded (firewall-cmd --reload) or the system is rebooted.