# iptables : I gave up ! Please, help ! [SOLVED]

## jacques.bernardes

Hi Folks

After months of trying to set up my SOHO wireless network (pppoe, dnsmasq and hostapd) I had to ask for help. The problem seems to be iptables.

After typing

```
#!/bin/sh

# iptables command
IPT='/sbin/iptables'

# Default policies: accept everything.
# Flush and delete all chains in every loaded table, then reset the policies.
for TABLE in `cat /proc/net/ip_tables_names`; do
        $IPT -F -t "$TABLE"
        $IPT -X -t "$TABLE"
        # POSIX sh: a single '=' inside [ ]; '==' is a bashism and fails under dash
        if [ "$TABLE" = filter ]; then
                $IPT -t filter -P INPUT ACCEPT
                $IPT -t filter -P FORWARD ACCEPT
                $IPT -t filter -P OUTPUT ACCEPT
        elif [ "$TABLE" = nat ]; then
                $IPT -t nat -P PREROUTING ACCEPT
                $IPT -t nat -P POSTROUTING ACCEPT
                $IPT -t nat -P OUTPUT ACCEPT
        elif [ "$TABLE" = mangle ]; then
                $IPT -t mangle -P PREROUTING ACCEPT
                $IPT -t mangle -P INPUT ACCEPT
                $IPT -t mangle -P FORWARD ACCEPT
                $IPT -t mangle -P OUTPUT ACCEPT
                $IPT -t mangle -P POSTROUTING ACCEPT
        fi
done

# Masquerading
$IPT -t nat -A POSTROUTING -o ra0 -j MASQUERADE
```

I get (iptables -L)

```
preto ~ # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

Any ideas ?

Thanks in advance

Jacques

Last edited by jacques.bernardes on Mon Feb 07, 2011 12:21 am; edited 1 time in total

----------

## Hu

First, never use iptables -L for sharing your configuration.  Use iptables-save -c.

Second, why do you think this configuration is wrong?  It is considerably more open than I would write, but I see nothing fundamentally incorrect about it.

----------

## s_bernstein

I had trouble with iptables too and found a nice way to solve it. I gave up on writing iptables rules myself and switched to the shorewall firewall. After trying to get my config running with iptables alone for days, I managed to set it up with shorewall in less than an hour and I have been happy with it ever since. So maybe you should give it a try.

----------

## lxg

I agree with s_bernstein: if you have trouble with “raw” iptables, you could try one of the frontends. I'd recommend a look at FireHOL (although it appears to be unmaintained at the moment).

----------

## jacques.bernardes

Hi Folks !

Thanks for the replies.

Hu

The first question is that I can't see any rules after typing iptables -L. I expected to see the rules I've set after typing iptables -L. It shows nothing. And, above all, I am not able to access the internet from the intranet. When I ping www.google.com I receive the IP address, but no answer. http://www.google.com returns nothing.

I have another question: is it necessary to add a route from wlan0 to ppp0 in order to access the internet, or is the default route inserted by pppd enough?

Regards

Jacques

----------

## papahuhn

What you have set for the filter table you can see from the output. To see the other settings, use -t nat and -t mangle.

----------

## Hu

*jacques.bernardes wrote:*

> The first question is that I can't see any rules after typing iptables -L. I expected to see the rules I've set after typing iptables -L. It shows nothing.

If you do not specify a table, then the filter table is listed.  You have not set any rules in the filter table, so there is nothing to show.

*jacques.bernardes wrote:*

> And, above all, I am not able to access the internet from the intranet. When I ping www.google.com I receive the IP address, but no answer. http://www.google.com returns nothing.

The situation you describe might occur if the Gentoo machine is providing DNS service to internal machines, in which case the symptoms you describe indicate that the internal machines are not able to send any traffic to the outside world.  This could happen if you have not enabled IP forwarding.

*jacques.bernardes wrote:*

> I have another question: is it necessary to add a route from wlan0 to ppp0 in order to access the internet, or is the default route inserted by pppd enough?

The default route is adequate.
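Following Hu's diagnosis, an added example that is not part of the thread: a small POSIX sh check for the two things he points at, IP forwarding and the NAT rule, plus a look at whether the FORWARD chain drops. It assumes the thread's layout (LAN on wlan0, uplink on ppp0); the file arguments let it run offline on a constructed iptables-save dump instead of the live router.

```shell
#!/bin/sh
# Added example, not from the thread: diagnose "DNS resolves but nothing
# else gets out" on a Gentoo PPPoE router. Assumes LAN on wlan0 and the
# uplink on ppp0, as in Jacques' setup. Both inputs can be files, so the
# checks also run offline against a saved ruleset.

# Returns 0 if IPv4 forwarding is on. $1: sysctl file (default: the live one).
forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] || return 1
    [ "$(cat "$f")" = "1" ]
}

# Returns 0 if the iptables-save dump on stdin masquerades out of interface $1.
has_masquerade() {
    grep -Eq -- "^-A POSTROUTING .*-o $1 .*-j MASQUERADE"
}

# Returns 0 if the dump on stdin can drop forwarded traffic: a DROP policy
# or an explicit DROP/REJECT rule in FORWARD. Worth a look when NAT is fine.
forward_may_drop() {
    grep -Eq '^:FORWARD DROP|^-A FORWARD .*-j (DROP|REJECT)'
}

# $1: ip_forward file, $2: file holding iptables-save output.
# Prints one line per finding and returns the number of findings.
diagnose() {
    n=0
    if ! forwarding_enabled "$1"; then
        echo "ip_forward is 0: LAN packets are not routed (sysctl -w net.ipv4.ip_forward=1)"
        n=$((n + 1))
    fi
    if ! has_masquerade ppp0 < "$2"; then
        echo "no MASQUERADE on ppp0: 192.168.0.0/24 sources leave the uplink un-NATed"
        n=$((n + 1))
    fi
    if forward_may_drop < "$2"; then
        echo "FORWARD chain drops: check that wlan0 -> ppp0 is allowed"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ] && echo "forwarding and NAT look fine; look at DNS and routes next"
    return "$n"
}

# On the router (bash): diagnose /proc/sys/net/ipv4/ip_forward <(iptables-save)
# In plain sh, write iptables-save output to a temp file and pass that instead.
```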

----------

## zyprexa

Hello

A good way for me to first learn, then debug / use iptables is to : 

```
emerge ulogd

/etc/init.d/ulogd start

tail -f -n0 /var/log/ulogd_syslogemu.log
```

This way, you can quickly see what rule blocks and what goes through.

You can also use netcat to test some more special things.

Playing with port-knocking, NATs, VPNs and more was much easier this way.

----------

## jacques.bernardes

Thank you for all replies. I solved the problem.

Here are my config files, just in case someone else is having headaches with pppoe, hostapd and iptables.

1) /etc/hostapd/hostapd.conf

```
interface=wlan0
#bridge=br0                         (optional, if you want bridging remove the #)
driver=nl80211
ssid=MyNet
hw_mode=b
channel=1
auth_algs=1
ignore_broadcast_ssid=0
debug=0
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
macaddr_acl=0
wpa=1
wpa_passphrase=MyPass
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
accept_mac_file=/etc/hostapd/hostapd.accept
deny_mac_file=/etc/hostapd/hostapd.deny
```

2) /etc/conf.d/hostapd

```
# Space separated list of interfaces which need to be started before
# hostapd
INTERFACES="ppp0 wlan0"

# Space separated list of configuration files
CONFIGS="/etc/hostapd/hostapd.conf"

# Extra options to pass to hostapd, see hostapd(8)
OPTIONS=""
```

3) /etc/dnsmasq.conf

```
listen-address=192.168.0.1
dhcp-range=192.168.0.4,192.168.0.9,255.255.255.0
dhcp-authoritative
```

4) /etc/conf.d/net

```
config_wlan0="192.168.0.1 netmask 255.255.255.0 broadcast 192.168.0.255"

config_ppp0=( "ppp" )
link_ppp0="eth0"
plugins_ppp0=( "pppoe" )
username_ppp0='MyUser'
password_ppp0='MyPass'
pppd_ppp0=( "defaultroute" "usepeerdns" "debug")
```

5) iptables

```
#!/bin/sh

# iptables command
IPT='/sbin/iptables'

# Default policies: accept everything.
# Flush and delete all chains in every loaded table, then reset the policies.
for TABLE in `cat /proc/net/ip_tables_names`; do
        $IPT -F -t "$TABLE"
        $IPT -X -t "$TABLE"
        # POSIX sh: a single '=' inside [ ]; '==' is a bashism and fails under dash
        if [ "$TABLE" = filter ]; then
                $IPT -t filter -P INPUT ACCEPT
                $IPT -t filter -P FORWARD ACCEPT
                $IPT -t filter -P OUTPUT ACCEPT
        elif [ "$TABLE" = nat ]; then
                $IPT -t nat -P PREROUTING ACCEPT
                $IPT -t nat -P POSTROUTING ACCEPT
                $IPT -t nat -P OUTPUT ACCEPT
        elif [ "$TABLE" = mangle ]; then
                $IPT -t mangle -P PREROUTING ACCEPT
                $IPT -t mangle -P INPUT ACCEPT
                $IPT -t mangle -P FORWARD ACCEPT
                $IPT -t mangle -P OUTPUT ACCEPT
                $IPT -t mangle -P POSTROUTING ACCEPT
        fi
done

# Masquerading: NAT everything that leaves through the PPPoE link
$IPT -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
```

All the best !

Jacques

----------

## jacques.bernardes

One more thing :

If you are experiencing erratic behavior in your web-surfing experience, add

```
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
```

to your firewall rules.

That's all folks !

Jacques
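As an added example, not Jacques' own configuration: a tighter version of the final ruleset (Hu's "considerably more open than I would write") that keeps the masquerade on ppp0 and the MSS clamp from the last post, but defaults INPUT and FORWARD to DROP and only lets the wlan0 LAN (192.168.0.0/24, from the dnsmasq and net configs above) reach dnsmasq and the uplink. It is emitted in iptables-save format so it can be reviewed the way Hu suggests and loaded atomically with iptables-restore; the interface names and subnet are taken from the thread, everything else is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: default-deny ruleset for Jacques'
# router, generated in iptables-save format. Assumes LAN 192.168.0.0/24 on
# wlan0 and the PPPoE uplink on ppp0, as in his posted configs.
LAN_IF=wlan0
WAN_IF=ppp0
LAN_NET=192.168.0.0/24

# Print the whole ruleset; review with "sh thisfile | less" before applying.
gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Jacques' MSS clamp, limited to TCP going out the PPPoE link
-A FORWARD -o $WAN_IF -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DHCP DISCOVER comes from 0.0.0.0, so no -s match on the DHCP rule
-A INPUT -i $LAN_IF -p udp --dport 67 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 53 -j ACCEPT
# Only LAN -> uplink is forwarded; replies come back via conntrack
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -j ACCEPT
COMMIT
EOF
}

# Parse-check first (--test), then load all tables in one atomic step.
apply_ruleset() {
    gen_ruleset | iptables-restore --test && gen_ruleset | iptables-restore
}

# Usage: "sh thisfile" prints the ruleset, "sh thisfile apply" loads it (as root).
case "${1-}" in apply) apply_ruleset ;; "") gen_ruleset ;; esac
```

Add further LAN-facing services (ssh, for instance) as extra INPUT rules on wlan0; nothing from ppp0 is accepted unless it belongs to a connection the router or the LAN opened.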

----------

