sdelrio / rpi-hostap

Transform your PI into a Wireless Router (DHCP and WPA2 already inside)

Add iptables FORWARD rules #4

Closed kiurchv closed 6 years ago

kiurchv commented 6 years ago

In some cases, the iptables FORWARD chain has a DROP policy, and any packets from the WiFi interface will never get to the outgoing interface and vice versa. Adding FORWARD rules explicitly should fix this issue.

sdelrio commented 6 years ago

Then wouldn't it be better to do a check first before adding those rules, or a flush on the chain to remove that DROP policy? Or do you want to keep that DROP policy?

Could you paste a sample of the case you found?

kiurchv commented 6 years ago

Drop policy on the FORWARD chain is a reasonable default:

```
# iptables -S FORWARD
-P FORWARD DROP
```

But we need to make an exception to this rule in order to make packet forwarding possible between the WiFi and outgoing interfaces:

```
# iptables -S FORWARD
-P FORWARD DROP
-A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
```

sdelrio commented 6 years ago

Ok, I will merge.

I think that I will probably make a commit later to remove all the iptables created at the end of the script.
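
The check-before-add and cleanup-at-exit ideas discussed in this thread, as an added example that is not the pull request's code or the project's script: each rule is tested with `iptables -C` before it is appended, the `DROP` policy is left untouched, and the same rules are deleted on exit. The function names and the `IPT`, `WLAN` and `WAN` variables are assumptions of this sketch; the interface names are the ones shown in the thread.

```shell
#!/bin/sh
# Added illustration; not the rpi-hostap script. IPT, WLAN and WAN are
# hypothetical knobs of this sketch (IPT lets a test substitute a stub).
IPT="${IPT:-iptables}"
WLAN="${WLAN:-wlan0}"
WAN="${WAN:-eth0}"

# Append a FORWARD rule only when an identical one is not already present.
# `iptables -C` exits 0 if the rule exists and non-zero otherwise.
ensure_forward_rule() {
    if $IPT -C FORWARD "$@" 2>/dev/null; then
        return 0
    fi
    $IPT -A FORWARD "$@"
}

# Delete a FORWARD rule if it is present; a missing rule is not an error.
remove_forward_rule() {
    if $IPT -C FORWARD "$@" 2>/dev/null; then
        $IPT -D FORWARD "$@"
    fi
}

# The two exceptions from the thread: reply traffic back in, client traffic out.
# The chain policy (-P FORWARD DROP) is never changed or flushed.
add_hostap_forwarding() {
    ensure_forward_rule -i "$WAN" -o "$WLAN" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT &&
    ensure_forward_rule -i "$WLAN" -o "$WAN" -j ACCEPT
}

# Remove exactly the rules added above, leaving any other FORWARD rules alone.
del_hostap_forwarding() {
    remove_forward_rule -i "$WAN" -o "$WLAN" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
    remove_forward_rule -i "$WLAN" -o "$WAN" -j ACCEPT
}

# Typical use in an access-point start script (needs root):
#   add_hostap_forwarding || exit 1
#   trap del_hostap_forwarding EXIT INT TERM
```

Because the add step is idempotent, restarting the script does not stack duplicate `ACCEPT` rules in the chain, and the delete step restores the original default-deny behaviour for forwarded traffic.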