Pages

Sunday, April 20, 2014

IP forward and masquerading

Today I was in the challenge to setup a router. We ware at a meeting with a small wireless router connected to the internet and a couple of hardware with copper interfaces only. We didn't had physical access to the wireless router. We just saw the ESSID to connect to. Luckily I had my notebook running Slackware with a wireless and a copper NIC. The situation was like:
 

So I setup a small router with my notebook.
The first thing you need to check is that IP forwarding is acitve. I did that by checking the kernel value net.ipv4.ip_forward with sysctl:

# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0


The above 0 in the output indicates that IP forwarding is disabled. To enable it set net.ipv4.ip_forward to 1 and check again:

# sysctl net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1


With IP forwarding enabled you need to set a few iptables rules where wlan0 is my external interface an eth0 is my internal interface:

# iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
# iptables -A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i eth0 -o wlan0 -j ACCEPT


After that any hardware connected to the internal interface eth0 must set the notebooks IP as default gateway eg.:

# route del default
# route add default gw 192.168.1.21


Where 192.168.1.21 is the IP of my notebook. After that all internal clients had access to the wireless router, could setup DNS (resolv.conf) etc.