IP Masquerading setup? [SOLVED]

Message

cwr · Post by **cwr** » Sat May 20, 2017 3:22 pm

I've been trying to connect a Raspberry Pi to the internet
via a laptop, and failing completely. The last time I did
this it was pretty straightforward, but I must have forgotten
some of the details, because I can't make it work now.

On the laptop I have usb0, 192.168.4.10, and wlan0, 192.168.4.20.
The RPi is on usb0, with an address of 192.168.4.9. I can ping
the RPi and the internet from the laptop, and the laptop from
the RPi, but not the internet from the RPi.

I've set up forwarding through /proc/sys/net/ipv4/ip_forward
and loaded all the relevant modules, but I can't get a iptables
policy which connects usb0 and wlan0. I think the problem
must be in the routing table, which is:

Code: Select all

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.4.1     0.0.0.0         UG    0      0        0 wlan0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
192.168.4.0     0.0.0.0         255.255.255.0   U     0      0        0 usb0

Thanks for any ideas - Will

Telemin · Post by **Telemin** » Sat May 20, 2017 4:35 pm

You have enabled forwarding but need to set rules to actually make sure packets get forwarded between interfaces on the laptop. In addition you can't just forward packets and expect them to get delivered as the rest of your network, specifically your router, has no knowledge of the RPi and no rules to route traffic to it - you will need to NAT.

Something like the following is the usual recipe:

Code: Select all

iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
iptables -A FORWARD -i wlan0 -o usb0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i usb1 -o wlan0 -j ACCEPT

The MASQUERADE rule performs address rewriting so that the rest of the network thinks that the laptop is communicating with them, rather than the RPi (hence the name), and the FORWARD rules actually make sure the packets pass between adapters.

-Telemin-

Post by **NeddySeagoon** » Sat May 20, 2017 5:15 pm

cwr,

If you use ppp from the laptop to the pi. then

Code: Select all

#!/bin/bash
#
# ipaqnet       Control script for iPAQ USBNet connection
#
# Author: Michel Stempin
# Creation: 11/08/2002

# additional comments and minor tweaks
# Roy Bamford 6 Dec 2003

PC_ADDR=192.168.100.201
IPAQ_ADDR=192.168.100.202
IPAQ_NET=192.168.100.0/24

# WARNING:usb0 is hard coded in some places
UPLINK_IF=usb0

start() {
    # load the usb networking module
    /sbin/modprobe usbnet
    
    # bring up the PC end of the link with IP addr PC_ADDR
    # exit if it fails for some reason
    /sbin/ifconfig usb0 inet $PC_ADDR up
    if [ $? -ne 0 ]; then
        echo "Could not set up usb0"
        echo "Is the iPaq connected and switched on?"
        exit 1
    fi
 
    # set up proxy_arp for our usb interface 
    echo "1" >/proc/sys/net/ipv4/conf/usb0/proxy_arp
    UPLINK=`/sbin/ifconfig $UPLINK_IF >/dev/null 2>&1`
    # exit if it fails for some reason
    if [ $? -ne 0 ]; then
        echo "Could not set up proxy_arp for usb0"
        exit 1
    fi
 
    # set up proxy_arp for eth0, so this better be our
    # internet connection
    echo "1" >/proc/sys/net/ipv4/conf/eth0/proxy_arp

    # turn on IP forwarding
    echo "1" >/proc/sys/net/ipv4/ip_forward

    # delete the unwanted route via usb0
    # its wrong anyway
    /sbin/route del -net $IPAQ_NET dev usb0

    # add the route we really want
    /sbin/route add $IPAQ_ADDR dev usb0
}

stop() {
    /sbin/ifconfig usb0 down
    # rmmod -r usbnet
}
case "$1" in
    start|add)
        start
        ;;
    stop|remove)
        stop
        ;;
    *)
        echo $"Usage: $0 {start|stop|add|remove}"
        exit 1
esac

running on the laptop will do what you want. No extra firewall rules required.

The script was originally used for an iPaq.

cwr · Post by **cwr** » Sun May 21, 2017 1:36 pm

Thanks - I've been trying iptables setups very like those Telemin, and so I'll go back
and try again. It's been a long day of frustration, so just to know that I wasn't dreaming
when I last set it up and that it can work is nice.

I'll also tinker with Neddy Seagoon's script - the RPi is communicating via usb OTG,
so networking, from that point of view, is pretty standard.

In hope - Will

UPDATE
Telemin's setup was one I'd tried; where I'd apparently failed was in not enabling
the usb0 proxy_arp according to Neddy Seagoon's script.

Many, many thanks - Will