Gentoo Forums: Networking & Security
hardly
Joined: 30 Jan 2010
Posts: 26
Posted: Thu Apr 05, 2012 6:01 pm    Post subject: Adjacent hosts of Gentoo AP unavailable to clients.

http://i.imgur.com/8ni9N.png

PROBLEM
Host A can access external web but is unable to ping my terrible WRT54G2 or any other hosts attached to the router (Host B)

If I turn on wifi on the WRT54G2, everything is accessible, but that access point goes down periodically and requires a power cycle, so I don't want to use it.
Also the range is blah blah blah.
Hence, I am using my Gentoo server as a wireless access point with some difficulty.

dhcpd stuff

Code:
# Contents of /etc/conf.d/dhcpd
DHCPD_IFACE="wlan0"

# Contents of /etc/dhcp/dhcpd.conf
subnet 192.168.2.0 netmask 255.255.255.0 {
        range 192.168.2.100 192.168.2.200;
        option domain-name "test";
        option domain-name-servers 192.168.2.1;
        option routers 192.168.2.1;
        option broadcast-address 192.168.2.255;
        default-lease-time 10000;
        max-lease-time 20000;
}


iptables stuff

Code:
# Removes old rules
iptables -F
iptables -t nat -F

#Setup default policies to handle unmatched traffic
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Set variables for interfaces
LAN=wlan0 # Client side
WAN=eth0  # External

#Then we lock our services so they only work from the LAN
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT

#(Optional) Allow access to our (services) from the WAN
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport ssh -i ${LAN} -j ACCEPT
iptables -A INPUT -p TCP --dport 443 -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport 25565 -i ${WAN} -j ACCEPT
iptables -A INPUT -p UDP --dport 25565 -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport 25565 -i ${LAN} -j ACCEPT
iptables -A INPUT -p UDP --dport 25565 -i ${LAN} -j ACCEPT
iptables -A INPUT -p TCP --dport 7777 -i ${WAN} -j ACCEPT
iptables -A INPUT -p UDP --dport 7777 -i ${WAN} -j ACCEPT

#Drop TCP / UDP packets to privileged ports
iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP

#Add the rules for NAT
iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT

iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
iptables -t nat -A POSTROUTING -o ${LAN} -j MASQUERADE

#Tell the kernel that ip forwarding is OK
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

#This is so when we boot we don't have to run the rules by hand
/etc/init.d/iptables save
rc-update add iptables default

Route info.
Code:
# ip route show
default via 192.168.1.1 dev eth0
default via 192.168.1.1 dev eth0  metric 2
127.0.0.0/8 via 127.0.0.1 dev lo
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.5
192.168.2.0/24 dev wlan0  proto kernel  scope link  src 192.168.2.1

Feel free to rip this post apart.
Should I be using interface bridging, instead of iptables nat?
Any suggestions or admonishments welcome and appreciated.
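An added illustration that is not part of the post above: a small first-match walk of the FORWARD chain exactly as the posted script builds it. iptables evaluates a chain top to bottom, `-I` places a rule at position 1 while `-A` appends to the end, the first rule that matches decides, and the chain policy applies only when nothing matched. The interfaces, the 192.168.0.0/16 network and the verdicts come from the posted rules; the packets fed to it are constructed sample traffic, not captures from the poster's network.

```python
"""Added example: first-match evaluation of the posted FORWARD chain.

Not the poster's code. Models the iptables semantics that decide the
verdict: -I inserts at the head, -A appends, first match wins, and the
chain policy (here DROP) is the fallback.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

LAN = "wlan0"  # from the posted script
WAN = "eth0"   # from the posted script


@dataclass
class Rule:
    """One FORWARD rule: optional -i, -s, -d matches and a -j target."""
    in_iface: Optional[str]
    src: Optional[ipaddress.IPv4Network]
    dst: Optional[ipaddress.IPv4Network]
    target: str

    def matches(self, in_iface: str, src: ipaddress.IPv4Address,
                dst: ipaddress.IPv4Address) -> bool:
        if self.in_iface is not None and self.in_iface != in_iface:
            return False
        if self.src is not None and src not in self.src:
            return False
        if self.dst is not None and dst not in self.dst:
            return False
        return True


class Chain:
    """A chain with a default policy and an ordered rule list."""

    def __init__(self, policy: str):
        self.policy = policy
        self.rules: List[Rule] = []

    def insert(self, rule: Rule) -> None:
        """iptables -I CHAIN rule  (no position given means position 1)."""
        self.rules.insert(0, rule)

    def append(self, rule: Rule) -> None:
        """iptables -A CHAIN rule."""
        self.rules.append(rule)

    def verdict(self, in_iface: str, src: str, dst: str) -> Tuple[str, Optional[int]]:
        """Return (target, index of the deciding rule); index None means policy."""
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        for i, rule in enumerate(self.rules):
            if rule.matches(in_iface, s, d):
                return rule.target, i
        return self.policy, None


def build_forward_chain() -> Chain:
    """Build FORWARD in the same order and with the same flags as the post."""
    rfc1918_16 = ipaddress.IPv4Network("192.168.0.0/255.255.0.0")
    chain = Chain("DROP")                                   # iptables -P FORWARD DROP
    chain.insert(Rule(LAN, None, rfc1918_16, "DROP"))       # -I FORWARD -i wlan0 -d 192.168.0.0/16 -j DROP
    chain.append(Rule(LAN, rfc1918_16, None, "ACCEPT"))     # -A FORWARD -i wlan0 -s 192.168.0.0/16 -j ACCEPT
    chain.append(Rule(WAN, None, rfc1918_16, "ACCEPT"))     # -A FORWARD -i eth0  -d 192.168.0.0/16 -j ACCEPT
    return chain


def forward_verdict(in_iface: str, src: str, dst: str) -> str:
    """Verdict the posted FORWARD chain gives a packet arriving on in_iface."""
    return build_forward_chain().verdict(in_iface, src, dst)[0]


if __name__ == "__main__":
    # Constructed sample packets: a wifi client (192.168.2.100) talking to the
    # WRT54G2 on the wired side, to the internet, and a reply coming back.
    samples = [
        (LAN, "192.168.2.100", "192.168.1.1"),   # client -> router / Host B
        (LAN, "192.168.2.100", "8.8.8.8"),       # client -> internet
        (WAN, "8.8.8.8", "192.168.2.100"),       # internet -> client
        (WAN, "8.8.8.8", "10.0.0.1"),            # nothing matches: policy
    ]
    chain = build_forward_chain()
    for pkt in samples:
        target, idx = chain.verdict(*pkt)
        where = "policy" if idx is None else f"rule {idx + 1}"
        print(f"{pkt[0]:6} {pkt[1]:>15} -> {pkt[2]:<15} {target:6} ({where})")
```

Running it prints the verdict and the rule position that decided it, which is the same information `iptables -L FORWARD -v -n --line-numbers` gives on the real box. Because the `-I` rule sits at position 1 and matches any wlan0 packet destined for 192.168.0.0/16, it is consulted before the two ACCEPT rules; checking rule order this way is the first thing to do whenever forwarded traffic between two subnets behaves differently from traffic to the internet.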