# How to NAT traffic between br0 and wlan0? [SOLVED]

## Kollin

Hello, my network consists of eth0 + eth1 = br0 and wlan0 + hostapd.

Hostapd is working fine, I'm able to connect to wlan0 with my phone, but I can't get any traffic between those two networks. br0 is working fine also (that is my main internet connection)  :Sad: 

I tried the http://www.gentoo.org/doc/en/home-router-howto.xm guide, but the iptables rules do not seem to work.

Maybe I have to use ebtables, but how?

----------

## audiodef

Does this work?

```
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo "1" >/proc/sys/net/ipv4/ip_forward
```

If it works, then you just need to figure out how to make it happen automatically when you turn on your machines. When I need this, I just turn the above snippet into a script and ./run it. You could put it in your .xinitrc.

----------

## Kollin

*audiodef wrote:*

> Does this work?
> 
> ```
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> ...
> ```

My eth0 is in the bridge. Can I expect that

> iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE

will behave in the same way?

----------

## Kollin

Thank you dear audiodef, it worked in combination with all of the other stuff, don't know why  :Wink: 

```
First we flush our current rules
# iptables -F
# iptables -t nat -F

Setup default policies to handle unmatched traffic
# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD DROP

Copy and paste these exports
# export LAN=wlan0
# export WAN=br0

Finally we add the rules for NAT
# iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP
# iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT
# iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT
# iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
# iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE

Tell the kernel that ip forwarding is OK
# echo 1 > /proc/sys/net/ipv4/ip_forward
# for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

This is so when we boot we don't have to run the rules by hand
# /etc/init.d/iptables save
# rc-update add iptables default
# nano /etc/sysctl.conf

Add/Uncomment the following lines:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1

If you have a dynamic internet address you probably want to enable this:
net.ipv4.ip_dynaddr = 1
```

----------

## Hu

*audiodef wrote:*

> If it works, then you just need to figure out how to make it happen automatically when you turn on your machines. When I need this, I just turn the above snippet into a script and ./run it. You could put it in your .xinitrc.

No. First, .xinitrc will run under the uid of the user starting X. Second, he may not start X. Third, Gentoo provides initscripts to handle all this. Use /etc/sysctl.conf if you want to change the /proc/sys setting at boot. Use /etc/init.d/iptables to manage firewall state across reboots.

OP: it looks like your script is redundant. You add a rule for br0 and another rule for ${WAN}, which is also br0.

----------

## Kollin

*Hu wrote:*

> OP: it looks like your script is redundant. You add a rule for br0 and another rule for ${WAN}, which is also br0.

It does not work with ${WAN}, but works with br0  :Confused: 

I left the ${WAN} line just in case.

----------