# iPhone/iOS 11 tether via USB - no packets routed [SOLVED]

## Punchcutter

I'm trying to tether my iPhone 5s/iOS 11.1.2 to my Gentoo laptop via USB (I had been trying to use wifi, but ran into other troubles and gave up when I realized I could maybe do it with an actual wire). I followed instructions found on the wiki and it all went very smoothly and seems fine from a kernel perspective. I won't bother showing you the evidence of that  :Smile: 

I've got a new interface created and made a node for it in /etc/init.d in the usual way. Personal Hotspot is turned on. I learned that I needed to turn off LTE on the phone in order to fix the fact that I wasn't seeing any DHCP server. Turning off LTE fixed that, and then I got what looks like a proper IP address and everything seems in order. The phone shows a blue bar at the top that says "Personal Hotspot: 1 connection":

```
# /etc/init.d/net.enp0s26f7u3c4i2 start
 * Bringing up interface enp0s26f7u3c4i2
 *   dhcp ...
 *     Running dhcpcd ...
DUID 00:01:00:01:20:b2:0a:20:00:1d:72:8c:87:29
enp0s26f7u3c4i2: IAID 02:05:65:25
enp0s26f7u3c4i2: soliciting a DHCP lease
enp0s26f7u3c4i2: offered 172.20.10.2 from 172.20.10.1 `MyPhone'
enp0s26f7u3c4i2: probing address 172.20.10.2/28
enp0s26f7u3c4i2: leased 172.20.10.2 for 85536 seconds
enp0s26f7u3c4i2: adding route to 172.20.10.0/28
enp0s26f7u3c4i2: adding default route via 172.20.10.1
forked to background, child pid 11811                                   [ ok ]
 *     received address 172.20.10.2/28                                   [ ok ]

# ifconfig
enp0s26f7u3c4i2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.20.10.2  netmask 255.255.255.240  broadcast 172.20.10.15
        ether 0a:74:02:05:65:25  txqueuelen 1000  (Ethernet)
        RX packets 36  bytes 4944 (4.8 KiB)
        RX errors 0  dropped 7  overruns 0  frame 0
        TX packets 103  bytes 14974 (14.6 KiB)
        TX errors 10  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1  (Local Loopback)
        RX packets 329410  bytes 35177370 (33.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 329410  bytes 35177370 (33.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.20.10.1     0.0.0.0         UG        0 0          0 enp0s26f7u3c4i2
172.20.10.0     0.0.0.0         255.255.255.240 U         0 0          0 enp0s26f7u3c4i2
```

The problem is that it's not working :Laughing: If I try to access the Net, say ping someplace on the outside like 8.8.8.8 (Google's DNS server, which does respond to ping), I get

```
# ping 8.8.8.8 | head -20
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 172.20.10.2 icmp_seq=1 Destination Host Unreachable
From 172.20.10.2 icmp_seq=1 Destination Host Unreachable
From 172.20.10.2 icmp_seq=1 Destination Host Unreachable
From 172.20.10.2 icmp_seq=1 Destination Host Unreachable
From 172.20.10.2 icmp_seq=1 Destination Host Unreachable
From 172.20.10.2 icmp_seq=1 Destination Host Unreachable
From 172.20.10.2 icmp_seq=1 Destination Host Unreachable
From 172.20.10.2 icmp_seq=1 Destination Host Unreachable
```

Same deal if I try to ping 172.20.10.1, which is supposed to be my gateway and DNS server. Needless to say, no other access, like web sites, works.

If I'm not mistaken, this IP is in a private address range, right? But that shouldn't indicate anything wrong, I think, because it's just a private net between my phone and laptop.

Any clues to help fix this will be very much appreciated.

Last edited by Punchcutter on Thu Jan 11, 2018 10:14 pm; edited 1 time in total
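The lease, on-link route and default gateway posted above are internally consistent, so the addressing itself is not the problem. Added here as an example that is not part of the thread: a small Python checker that parses those dhcpcd and `netstat -rn` lines (embedded as constructed sample input) and verifies that the leased address and the gateway sit on the directly connected /28, that the default route really points at that gateway, and that the address is RFC 1918 space, which is what the poster asks about.

```python
import ipaddress
import re

# Constructed sample input: the dhcpcd and netstat -rn lines from the post above
DHCPCD_LOG = """\
enp0s26f7u3c4i2: offered 172.20.10.2 from 172.20.10.1 `MyPhone'
enp0s26f7u3c4i2: leased 172.20.10.2 for 85536 seconds
enp0s26f7u3c4i2: adding route to 172.20.10.0/28
enp0s26f7u3c4i2: adding default route via 172.20.10.1
"""
NETSTAT_RN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.20.10.1     0.0.0.0         UG        0 0          0 enp0s26f7u3c4i2
172.20.10.0     0.0.0.0         255.255.255.240 U         0 0          0 enp0s26f7u3c4i2
"""

def parse_lease(log):
    """Return (leased address, default gateway) from dhcpcd output."""
    addr = re.search(r"leased (\S+) for", log).group(1)
    gw = re.search(r"default route via (\S+)", log).group(1)
    return ipaddress.ip_address(addr), ipaddress.ip_address(gw)

def parse_routes(table):
    """Return [(network, gateway or None, iface)] from `netstat -rn` output."""
    routes = []
    for line in table.splitlines()[2:]:          # skip the two header lines
        dest, gw, mask, _flags, *_counters, iface = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, None if gw == "0.0.0.0" else ipaddress.ip_address(gw), iface))
    return routes

def check_tether(log, table):
    """Sanity checks a tethered host should pass before blaming the link itself."""
    addr, gw = parse_lease(log)
    routes = parse_routes(table)
    on_link = [n for n, g, _ in routes if g is None]          # directly connected nets
    defaults = [g for n, g, _ in routes if n.prefixlen == 0]  # gateways of 0.0.0.0/0
    return {
        # RFC 1918 space is expected here: the phone NATs it onto the cellular side
        "private_range": addr.is_private,
        "addr_on_link": any(addr in n for n in on_link),
        "gw_on_link": any(gw in n for n in on_link),
        "default_via_gw": gw in defaults,
        # a gateway equal to the network or broadcast address would never answer
        "gw_is_host_addr": all(gw not in (n.network_address, n.broadcast_address)
                               for n in on_link if gw in n),
    }

if __name__ == "__main__":
    for name, ok in check_tether(DHCPCD_LOG, NETSTAT_RN).items():
        print(f"{name:18} {'ok' if ok else 'FAIL'}")
```

When every check passes but the gateway still does not answer, as in the post, the remaining suspects are the host firewall and the far side, not the lease.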

----------

## Punchcutter

Gack.... ok that problem was caused by the firewall #smh.  I should have figured that out quicker. But I'm going to leave this thread open a bit longer to see if I can get any help with the following...

So now... packets can route to the phone side, and there's no apparent problem with DNS, but.... now there's still no response from the outside world. I can try to load pages in the browser, and they eventually time out. So it's like I'm talking to the world, but no one is answering. Aaaugh! I know... the farther this gets from being a straightforward technical problem, the less chance anyone will have a clue that can help me, but... I'll grasp at straws a bit and hope. Thanks.

(I did neglect to mention that I am running a VPN on the phone, but that shouldn't cause any trouble because the phone itself can access the web just fine, and I tried testing with the VPN turned off and of course it didn't make a difference.)

----------

## bunder

If this were iptables, it still sounds like fw/routing, e.g.

```
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate NEW -i "$LAN" -o "$WAN" -j ACCEPT
```

I don't suppose you would have an Android device to try tethering against?

----------

## Punchcutter

*bunder wrote:*

> If this were iptables, it still sounds like fw/routing, e.g.
>
> I don't suppose you would have an Android device to try tethering against?

No... no Android device, but..... I can ping the phone at the other end of the private network. Does that not mean that there's no longer a f/w issue at the laptop end?

I'm running Shorewall, not writing iptables directly (although I'm learning how to do that and may replace Shorewall soon  :Smile: ). The Shorewall config is pretty simple and all I did was add the new i/f name to the interfaces it recognizes to get it to pass packets.

----------

## bunder

*Punchcutter wrote:*

> Does that not mean that there's no longer a f/w issue at the laptop end?

I was thinking the phone might have one... sorry for not making that more clear. :Embarassed:

----------

## Zucca

*Punchcutter wrote:*

> I'm running Shorewall, not writing iptables directly (although I'm learning how to do that and may replace Shorewall soon :)).

I'd suggest you learn nftables instead. IMO it's more human-readable than several lines of iptables commands. Also, you never know when iptables is going to be deprecated in favour of nftables.

"Be seeing you..."

----------

## Punchcutter

*bunder wrote:*

> I was thinking the phone might have one... sorry for not making that more clear.

Seems very unlikely... it's an iPhone, not a Linux box :Cool:

Last edited by Punchcutter on Thu Dec 21, 2017 10:23 pm; edited 1 time in total

----------

## Punchcutter

*Zucca wrote:*

> *Punchcutter wrote:*
> > I'm running Shorewall, not writing iptables directly (although I'm learning how to do that and may replace Shorewall soon :)).
>
> I'd suggest you learn nftables instead. IMO it's more human-readable than several lines of iptables commands. Also, you never know when iptables is going to be deprecated in favour of nftables.

Thanks for the tip.

*Quote:*

> "Be seeing you..."

:Very Happy:

----------

## Punchcutter

OK, so I've discovered that although browsers keep spinning and spinning and eventually time out, I can telnet to a web server, and GET a page that way. So now this seems to make little sense to me. The following yields results:

```
telnet www.foo.com 80
GET /
```

but accessing www.foo.com in a browser does not.

Does this make sense to anyone?

----------

## Punchcutter

So, long story short, I've spent hours on this problem since the last post... and many many minutes over a few different calls with Apple support, and also once the engineering dept of my cell provider....... and last night it finally started to work for "no apparent reason". But I figured out what the trigger was.

When I first tried this tether, the laptop was not getting an IP addr via DHCP. I googled about that. Someone on some forum suggested that this happens if you have "LTE" turned on on the phone. So I went into the iPhone cell data settings and turned off "Enable LTE". After that, DHCP worked fine. So I thought, "Ok, I need to keep LTE turned off."

But then I reached the above-mentioned problem, whereby I could communicate across the tether with IP sites, including web servers and nameservers, but the only thing I could NOT do was receive web data back from a web server when the client doing the requesting looks like a browser. In other words, if I try to pull a web site using an actual browser, or curl, I can connect to the server side, but I then hang/timeout waiting while no data is returned. On the other hand, if I use telnet to do the same thing, I can get the page data back. Utterly bizarre.

Through all the time spent trying to debug THAT problem, I never went back and questioned the LTE thing, or tried flipping it back on during my testing. When I did finally turn it back on..... now suddenly DHCP still works, and tethering works fully and I can surf the web. Maybe the second strangest thing about this whole episode is why DHCP didn't work originally until I turned LTE off on the phone, but now it does work with LTE active.  In between those two events, I did (on advice from Apple support) do a hard reset on the phone. Maybe that "shook something loose". Geh. Problems like this are so frustrating. Just glad it finally works. BTW, I did go back and test again to see if having the LTE switch on or off really made the difference. Yep, LTE off, web page data does not flow back to browsers or curl, but does for telnet. LTE on, everything works fine. Go figure.

Hope this helps someone else.

----------

## babagau

It's a two-year-old post, but I still want to say "thank you, it helped me". I factory restored only the networking of my iPhone 5 and now wpa_supplicant works; I can connect through the iPhone to the internet. Punchcutter, by the way, I love your English.

----------

