Closed pavelsr closed 5 years ago
UPD. I fixed one error: seems like instead of ETHERNET_IP there must be ETHERNET_SUBNET, because packet source isn't only ETHERNET_IP. But new container is still not working as expected, at least eth0 port of RPi is still configured to get IP address via DHCP.
1) --state RELATED,ESTABLISHED is for TCP packets that already did their sync; for example, when you do the first sync, the packet that comes back will match the rules. This way you identify the packets that come back from inside NAT to an external IP.
2) Just delete it and write it again to move it to the last of the rules check for that chain.
Problem solved. Thanks for the reply. I just needed to carefully read man iptables and man ip.
Below is an explanation of the iptables options that are used:
-o, --out-interface name - Name of an interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains)
-s, --source address - Source specification. Address can be either a network name, a hostname, a network IP address (with /mask), or a plain IP address
-i, --in-interface name - Name of an interface via which a packet was received
-m, --match match - Specifies a match to use, that is, an extension module that tests for a specific property.
MASQUERADE - (from Wikibooks) - This is a special, restricted form of SNAT for dynamic IP addresses, such as most Internet service providers provide for modems or DSL. Rather than change the SNAT rule every time the IP address changes, this calculates the source IP address to use by looking at the IP address of the outgoing interface when a packet matches this rule. In addition, it remembers which connections used MASQUERADE, and if the interface address changes (such as reconnecting to the ISP), all connections NATted to the old address are forgotten.
Here is a brief summary of what I did:
1) In my wlanstart.sh I set up for eth0 the same rules as for $INTERFACE:
   - (masquerade behind GATEWAY_IP) for all outgoing packets from $ETHERNET_SUBNET to all interfaces marked as outgoing, $OUTGOINGS:
     iptables -t nat -A POSTROUTING -s ${ETHERNET_SUBNET} -o ${int} -j MASQUERADE
   - (accept related/established replies) from $OUTGOINGS, or any if the variable is not set:
     iptables -A FORWARD -i ${int} -o ${ETHERNET} -m state --state RELATED,ESTABLISHED -j ACCEPT
   - (accept new connections) from $ETHERNET_SUBNET to all interfaces marked as outgoing, or any if $OUTGOINGS variable is not set (-i takes an interface name, so the subnet goes in -s):
     iptables -A FORWARD -i ${ETHERNET} -s ${ETHERNET_SUBNET} -o ${int} -j ACCEPT
2) Added default route: ip route add default via ${GATEWAY_IP} dev ${ETHERNET}
Also I migrated to the officially supported arm32v6/alpine base image.
You are welcome to use and PR my fork :)
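As an added example (not code from this project or from pavelsr's fork), here is a POSIX sh sketch of the three rules summarised above together with the delete-then-add idiom from Sergio's reply, iterating over $OUTGOINGS or matching any uplink when it is unset. The interface names, the 192.168.9.0/24 subnet and the IPT_DRY_RUN switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not code from the rpi-hostap project): the NAT and FORWARD
# rules discussed in the thread for a wired LAN on $ETHERNET, with each rule
# deleted and re-added so it ends up last in its chain.  IPT_DRY_RUN=1 prints
# the iptables commands instead of running them (no root needed to inspect).
ETHERNET="${ETHERNET:-eth0}"                           # LAN-side interface
ETHERNET_SUBNET="${ETHERNET_SUBNET:-192.168.9.0/24}"   # constructed sample subnet
OUTGOINGS="${OUTGOINGS:-}"     # uplink interfaces, space separated; empty = any

ipt() {
    # Run one iptables invocation, or just print it in dry-run mode.
    if [ "${IPT_DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

readd() {
    # Delete the rule if it exists, then append it: this is the "delete, then
    # add again" pattern asked about above, and it moves the rule to the end.
    table="$1"; chain="$2"; shift 2
    ipt -t "$table" -D "$chain" "$@" 2>/dev/null || true
    ipt -t "$table" -A "$chain" "$@"
}

lan_nat_rules() {
    # $1 is one uplink interface, or empty to match any outgoing interface.
    # Left unquoted on purpose: interface names contain no whitespace.
    o_up=${1:+-o $1}
    i_up=${1:+-i $1}
    # 1. hide the LAN subnet behind the uplink address (SNAT for dynamic IPs)
    readd nat POSTROUTING -s "$ETHERNET_SUBNET" $o_up -j MASQUERADE
    # 2. let replies to connections the LAN opened come back in
    readd filter FORWARD $i_up -o "$ETHERNET" -m state --state RELATED,ESTABLISHED -j ACCEPT
    # 3. let the LAN subnet (and only it) open new connections towards the uplink
    readd filter FORWARD -i "$ETHERNET" -s "$ETHERNET_SUBNET" $o_up -j ACCEPT
}

setup_lan_nat() {
    if [ -n "$OUTGOINGS" ]; then
        for int in $OUTGOINGS; do lan_nat_rules "$int"; done
    else
        lan_nat_rules ""
    fi
}
```

Run it as IPT_DRY_RUN=1 OUTGOINGS=eth1 sh script.sh first to review the generated rules before applying them as root.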
Nice, thanks for the info, I didn't know about arm32v6/alpine.
I would suggest adding a 2nd USB ethernet port if you are going to use it as a router without wifi. And start a container from scratch, since you won't need all the wireless things I added to this project; hostapd is used to turn the RPi into an Access Point.
I used this just to learn by myself; there are lots of things out there with more options:
Hello Sergio,
Thanks for the nice project, I set up my RPi as a router in one command, that's very convenient :)
But now I need to modify your image, because it doesn't fully satisfy my needs. The problem is that I have a device which doesn't have WiFi, only an ethernet port. And I need to use the RPi as an Internet gate for this device too.
To share Internet access from eth1 to eth0 without the rpi-hostap container I need to do the following steps:
1) uncomment net.ipv4.ip_forward=1 at /etc/sysctl.conf and apply changes, sysctl -p (seems like you do the same but with /proc/sys/net/ipv4)
2) setup NAT in iptables: sudo iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
3) add default gateway: sudo route add default gw 192.168.8.1 (192.168.8.1 is the IP address of eth1)
4) (optional) setup a static IP address for eth0 at /etc/dhcpcd.conf:
I forked your repository and made some changes in wlanstart.sh, but after running a container from the newly built image there is no effect.
Could you please guide me what could be wrong?
Also I don't understand some strings in your wlanstart.sh:
1) What does the following string do?
I haven't found the option --state in the iptables man/help, at least in version v1.6.0
2) Why do you delete the same rule before adding it again?