24
submitted 1 year ago* (last edited 1 year ago) by jcg@halubilo.social to c/selfhosted@lemmy.world

I have an Ubuntu server with two network interfaces - an ethernet and a WiFi network let's call eth0 and wlan0. So far I've been able to set it up as a router by enabling packet forwarding and then doing some iptables trickery. These are my iptable commands:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

If I'm understanding correctly, the first command says "if you receive packets from a device, do NAT and then forward them with your IP", the second one says to forward packets from eth0 to eth0, and the last line says "if you get packets back, only accept them if a connection has already been previously established". This Ubuntu server is connected to a router which is connected to a modem that actually has internet access. I've set it up so that my router uses my Ubuntu server as the default gateway during DHCP requests. This works fine, I'm able to use devices to connect to the internet, and if I do a trace route, it first goes to the Ubuntu server, then to the router, then out into the great beyond.

Now, I've run:

iptables -D FORWARD -i eth0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o wlan0 -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Which, if I'm understanding correctly, should forward packets through to the WiFi interface instead, but it isn't working. I'm still able to access other devices on the network but not the open internet. I also tried doing iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE which as far as I can tell is unnecessary, but that didn't do anything. When I do trace route this time, it is able to get to the Ubuntu server but no further. I've also tried doing iptables -L -v but neither the wlan0 -> eth0 rule or the reverse have any packet count. I also tried doing iptables -A FORWARD -i lan0 -o wlan0 -j LOG --log-prefix "FORWARD: " to just log it first, but nothing shows up in /var/log/syslog even if I try to connect to the internet from a device.

I'm at a loss here so any help even debugging or if I'm going about this wrong would be greatly appreciated. My ultimate goal is to set up a failover so that if the LAN interface doesn't have a connection, it'll start sending packets through the WiFi interface which will be connected to a different internet connection.

top 7 comments
sorted by: hot top controversial new old
[-] Max_P@lemmy.max-p.me 9 points 1 year ago

Those rules only allows forwarding, it doesn't cause forwarding. That is dictated by the routing table: that's why we put that in POSTROUTING as well.

You need to make it so the packers are also routed to the right place. This can be done by changing the default gateway to be wlan0, or creating a secondary routing table, adding a rule to route eth0 packets through it. By default there's only one, so if your server is configured to use eth0 as the default gateway, it's where things will be masqueraded to.

This may help: http://www.allgoodbits.org/articles/view/24

[-] jcg@halubilo.social 1 points 1 year ago

Thanks, this is very helpful!

[-] BobaFett26@lemmy.world 4 points 1 year ago

Any reason you don’t want to use something like OPNsense?

[-] jcg@halubilo.social 0 points 1 year ago

Well, my Ubuntu server is already running a whole bunch of things so I don't want to take it down and rebuild it on a different OS.

[-] BobaFett26@lemmy.world 2 points 1 year ago

Not really sure what your use case is here, but from a security perspective (and speaking as a network engineer), I would highly suggest you run a firewall/router on a separate device.

[-] Haui@discuss.tchncs.de 1 points 1 year ago

I sadly don’t know a lot about router setups but there is an !ubuntuserver@discuss.tchncs.de community you could crosspost to if you want to. :) good luck.

Also relevant: https://wiki.archlinux.org/title/Internet_sharing

Important to note from that article: docker (the "docker" one, but not podman) edits iptables rules so you have to run different iptables commands if you want it to work right.

this post was submitted on 24 Sep 2023
24 points (92.9% liked)

Selfhosted

40330 readers
155 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS