# problems with dnsmasq on nat router/firewall (SOLVED)

## 59729

I posted this a week ago but deleted the thread quickly as there were some things I wanted to try. I'm still stuck.

If I set the input chain to drop, my computers or wifi access point connected to interface eno1 will not get an IP; my mobile phone says connecting->connected->getting IP address but nothing happens.

With input set to accept, dnsmasq works as intended.

Complete ruleset that doesn't work below; any help appreciated, as I don't really know what to do next, since I think the corresponding ports ("bootps/bootpc/domain") are open in lan-services.

```
nuc lappen # nft list ruleset
table ip nat {
        chain prerouting {
                type nat hook prerouting priority 0; policy accept;
                iif enp0s20u3 tcp dport 20000 dnat 192.168.0.202
        }

        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
                oif enp0s20u3 masquerade random,persistent
        }
}
table ip filter {
        chain input {
                type filter hook input priority 0; policy drop;
                ct state established,related accept
                iif lo accept
                ip protocol icmp accept
                ip saddr 192.168.0.0/24 jump lan-services
                jump public-services
        }

        chain output {
                type filter hook output priority 0; policy accept;
        }

        chain lan-services {
                tcp dport { ssh, bootps, domain, bootpc} accept
                udp dport { bootpc, domain, bootps} accept
                tcp dport 3005 accept
                udp dport { 32414, 32413, 32410, 32412} accept
        }

        chain public-services {
                tcp dport 32400 accept
        }
}
```

```
nuc lappen # ifconfig
eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.1  netmask 255.255.255.0  broadcast 192.168.0.255
        ether c0:3f:d5:62:2b:3d  txqueuelen 1000  (Ethernet)
        RX packets 50964317  bytes 31539661512 (29.3 GiB)
        RX errors 0  dropped 110523  overruns 0  frame 0
        TX packets 72698934  bytes 89371496623 (83.2 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory 0xf7c00000-f7c20000

enp0s20u3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet WANIP  netmask 255.255.240.0  broadcast WANIP
        ether XXXXXXXXXX  txqueuelen 1000  (Ethernet)
        RX packets 76074542  bytes 84999229889 (79.1 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 38776965  bytes 13502112873 (12.5 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1  (Local Loopback)
        RX packets 1471319  bytes 392972955 (374.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1471319  bytes 392972955 (374.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```

Last edited by 59729 on Sat Nov 19, 2016 10:18 am; edited 1 time in total

----------

## szatox

*Quote:*

> ip saddr 192.168.0.0/24 jump lan-services

DHCP requests from new clients will not match this rule because a new client doesn't have an IP yet.

If you have multiple interfaces, it would be best to simply use one of them as the local one and accept traffic based on the interface, just like you did with loopback.

If you don't, it's a bad pick for a router, but you can still try accepting packets sent from IP 0.0.0.0 to 255.255.255.255 (or a more lax rule).

----------

## brendlefly62

Did you do this?

```
echo 1 > /proc/sys/net/ipv4/ip_forward
```

Much more help here: https://wiki.gentoo.org/wiki/Home_Router

cheers

----------

## 59729

*brendlefly62 wrote:*

> Did you do this?
> 
> ```
> echo 1 > /proc/sys/net/ipv4/ip_forward
> ```
> ...

Yup

*szatox wrote:*

> *Quote:* ip saddr 192.168.0.0/24 jump lan-services
> 
> DHCP requests from new clients will not match this rule because a new client doesn't have an IP yet.
> 
> If you have multiple interfaces, it would be best to simply use one of them as the local one and accept traffic based on the interface, just like you did with
> ...

Finally it works, and a great explanation of why, thank you :Smile:

```
iif eno1 jump lan-services
```

----------
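To make szatox's point concrete, here is an added Python model (not code from the thread) that replays the input chain of the ruleset above against a constructed DHCP DISCOVER and compares the verdict under the original `ip saddr 192.168.0.0/24 jump lan-services` rule with the `iif eno1 jump lan-services` rule from the final post. The port numbers are the usual values for the service names in the ruleset; the packets and the `Packet` type are assumptions made here.

```python
# Minimal model of the thread's nft "input" chain (policy drop): why a DHCP
# DISCOVER is dropped with "ip saddr 192.168.0.0/24 jump lan-services" but
# accepted with "iif eno1 jump lan-services". Added example; packets are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    iif: str            # ingress interface
    saddr: str          # IPv4 source address
    daddr: str          # IPv4 destination address
    proto: str          # "udp", "tcp" or "icmp"
    dport: int = 0
    ct_state: str = "new"


LAN = ip_network("192.168.0.0/24")
# Service names from the ruleset resolved to ports (assumed standard values):
LAN_TCP = {22, 67, 53, 68, 3005}                    # ssh, bootps, domain, bootpc, 3005
LAN_UDP = {68, 53, 67, 32414, 32413, 32410, 32412}  # bootpc, domain, bootps, discovery ports
PUBLIC_TCP = {32400}


def lan_services(p):
    if p.proto == "tcp" and p.dport in LAN_TCP:
        return "accept"
    if p.proto == "udp" and p.dport in LAN_UDP:
        return "accept"
    return None  # no verdict: jump returns to the input chain


def public_services(p):
    return "accept" if p.proto == "tcp" and p.dport in PUBLIC_TCP else None


def input_chain(p, match_lan_by_iface):
    """Verdict of the input chain; match_lan_by_iface selects iif vs. saddr rule."""
    if p.ct_state in ("established", "related"):
        return "accept"
    if p.iif == "lo" or p.proto == "icmp":
        return "accept"
    lan_match = (p.iif == "eno1") if match_lan_by_iface else (ip_address(p.saddr) in LAN)
    verdict = lan_services(p) if lan_match else None
    verdict = verdict or public_services(p)
    return verdict or "drop"  # chain policy


# Constructed samples: a client with no lease yet, and an already-configured client.
DHCP_DISCOVER = Packet("eno1", "0.0.0.0", "255.255.255.255", "udp", 67)
DNS_QUERY = Packet("eno1", "192.168.0.50", "192.168.0.1", "udp", 53)

if __name__ == "__main__":
    for name, pkt in (("DHCP DISCOVER", DHCP_DISCOVER), ("DNS query", DNS_QUERY)):
        print(f"{name}: saddr rule -> {input_chain(pkt, False)}, iif rule -> {input_chain(pkt, True)}")
```

The interface-based rule has a second benefit the model also shows: a packet arriving on enp0s20u3 with a forged 192.168.0.x source would have reached lan-services under the saddr rule, but falls through to the drop policy under the iif rule.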

