sdelrio / rpi-hostap

Transform your PI into a Wireless Router (DHCP and WPA2 already inside)

Sharing internet access via eth0 in addition to wlan0 #11

Closed pavelsr closed 5 years ago

pavelsr commented 5 years ago

Hello Sergio,

Thanks for the nice project, I set up my RPi as a router in one command, that's very convenient :)

But now I need to modify your image, because it doesn't fully satisfy my needs. The problem is that I have a device which doesn't have WiFi, only an ethernet port. And I need to use the RPi as an Internet gate for this device too.

To share Internet access from eth1 to eth0 without the rpi-hostap container I need to do the following steps:

1) uncomment net.ipv4.ip_forward=1 in /etc/sysctl.conf and apply the changes with sysctl -p (it seems like you do the same but with /proc/sys/net/ipv4)

2) set up NAT in iptables: sudo iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

3) add a default gateway: sudo route add default gw 192.168.8.1 (192.168.8.1 is the IP address of eth1)

4) (optional) set up a static IP address for eth0 in /etc/dhcpcd.conf:

interface eth0
static ip_address=192.168.0.3/24
static routers=192.168.0.3

I forked your repository and made some changes in wlanstart.sh, but after running a container from the newly built image there is no effect.

Could you please guide me on what could be wrong?

Also I don't understand some strings in your wlanstart.sh:

1) What does the following string do?

iptables -D FORWARD -i ${int} -o ${INTERFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT > /dev/null 2>&1 || true

I haven't found the option --state in the iptables man/help, at least in version v1.6.0

2) Why do you delete the same rule before adding it again?

iptables -t nat -D POSTROUTING -s ${SUBNET}/24 -o ${int} -j MASQUERADE > /dev/null 2>&1 || true
iptables -t nat -A POSTROUTING -s ${SUBNET}/24 -o ${int} -j MASQUERADE

pavelsr commented 5 years ago

UPD. I fixed one error - it seems like instead of ETHERNET_IP there must be ETHERNET_SUBNET, because the packet source isn't only ETHERNET_IP. But the new container is still not working as expected, at least the eth0 port of the RPi is still configured to get its IP address via DHCP.

sdelrio commented 5 years ago

1) --state RELATED,ESTABLISHED is for TCP packets that already did their sync, for example when you do the first sync, the packet that comes back will match the rules. This way you identify the packets that come back from inside NAT to an external IP.

2) Just delete it and write it again to move it to the last of the rules checked for that chain.

pavelsr commented 5 years ago

Problem solved. Thanks for the reply. I just needed to carefully read man iptables and man ip.

Below is an explanation of the iptables options that are used:

-o, --out-interface - Name of an interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains)

-s, --source - Source specification. Address can be either a network name, a hostname, a network IP address (with /mask), or a plain IP address

-i, --in-interface name - Name of an interface via which a packet was received

-m, --match match - Specifies a match to use, that is, an extension module that tests for a specific property.

MASQUERADE - (from Wikibooks) - This is a special, restricted form of SNAT for dynamic IP addresses, such as most Internet service providers provide for modems or DSL. Rather than change the SNAT rule every time the IP address changes, this calculates the source IP address to use by looking at the IP address of the outgoing interface when a packet matches this rule. In addition, it remembers which connections used MASQUERADE, and if the interface address changes (such as reconnecting to the ISP), all connections NATted to the old address are forgotten.

Here is a brief summary of what I did:

1) In my wlanstart.sh I set up the same rules for eth0 as for $INTERFACE:

iptables -t nat -A POSTROUTING -s ${ETHERNET_SUBNET} -o ${int} -j MASQUERADE
iptables -A FORWARD -i ${int} -o ${ETHERNET} -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s ${ETHERNET_SUBNET} -o ${int} -j ACCEPT

2) Added default route: ip route add default via ${GATEWAY_IP} dev ${ETHERNET}
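
The eth0 sharing rules discussed in this thread, as an added example that is not part of the original comments or of either repository: it checks that interface and subnet arguments are not swapped, uses `-m conntrack --ctstate` (the current form of `-m state --state`), and uses `iptables -C` to skip rules that already exist instead of deleting and re-adding them. The function names, the `DRY_RUN` switch and the sample values `eth0`, `192.168.0.0/24` and `eth1` are assumptions.

```shell
#!/bin/sh
# Added example; function names, DRY_RUN and sample values are assumptions.

# -i/-o take an interface name (max 15 chars), -s takes a subnet. Checking
# the shape of each argument catches a swap before a rule that can never
# match is installed. The CIDR test is a shape check only (octets unchecked).
is_ifname() {
    case "$1" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    [ "${#1}" -le 15 ]
}
is_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print one rule per line as "<table> <chain> <rule spec>"; return 2 on bad input.
share_rules() {
    lan_if=$1 lan_net=$2 wan_if=$3
    is_ifname "$lan_if" && is_ifname "$wan_if" && is_cidr "$lan_net" || return 2
    echo "nat POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE"
    echo "filter FORWARD -i $wan_if -o $lan_if -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    echo "filter FORWARD -i $lan_if -s $lan_net -o $wan_if -j ACCEPT"
}

# Append each rule only when "iptables -C" reports it missing, so re-running
# the start script never stacks duplicates. DRY_RUN defaults to 1 (print only).
apply_rules() {
    rules=$(share_rules "$@") || { echo "bad interface or subnet" >&2; return 2; }
    printf '%s\n' "$rules" | while read -r table chain spec; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "iptables -t $table -C $chain $spec || iptables -t $table -A $chain $spec"
        else
            # $spec is split on purpose; it holds only validated characters.
            iptables -t "$table" -C "$chain" $spec 2>/dev/null ||
                iptables -t "$table" -A "$chain" $spec
        fi
    done
}

# LAN side eth0 (192.168.0.0/24), uplink eth1, as in the setup described above.
apply_rules eth0 192.168.0.0/24 eth1
```

Run it as-is to review the generated commands, then set `DRY_RUN=0` as root to install them.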

pavelsr commented 5 years ago

Also I migrated to officially supported arm32v6/alpine base image.

You are welcome to use and PR my fork :)

https://github.com/pavelsr/rpi-hostap2

sdelrio commented 5 years ago

Nice, thanks for the info, I didn't know about arm32v6/alpine.

sdelrio commented 5 years ago

I would suggest adding a 2nd USB ethernet port if you are going to use it as a router without wifi, and starting a container from scratch, since you won't need all the wireless things I add to this project, since hostap is used to run the rpi as an Access Point.

I used this just to learn myself, there are lots of things out there with more options: