# [Iptables+dhcpd] Cannot connect from one network to another

## c0ba

Hi!

I'm having trouble setting up routing via iptables from the WiFi network to the LAN and vice versa.

Here is my Iptables setup script:

```
#!/bin/sh
# Flush the filter and nat tables
iptables -F
iptables -t nat -F

# Default policies: accept local in/out, drop anything forwarded that no rule below accepts
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Define local interfaces
export LAN=eth1
export WAN=ppp0
export WLAN=wlan0

# Insert input rules to accept incoming connections from local interfaces
iptables -I INPUT 1 -i ${WLAN} -j ACCEPT
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT

# Add rules to the INPUT chain for the WAN side
iptables -A INPUT -p UDP --dport bootps -i ${WAN} -j REJECT
iptables -A INPUT -p UDP --dport domain -i ${WAN} -j REJECT
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport https -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport http -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP -i ${WAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP -i ${WAN} -d 0/0 --dport 0:1023 -j DROP

# Disable going to the same subnetwork through the server (-I puts these at the head of FORWARD)
iptables -I FORWARD -i ${LAN} -d 10.10.10.0/255.255.255.0 -j DROP
iptables -I FORWARD -i ${WLAN} -d 10.10.11.0/255.255.255.0 -j DROP

# Forward from LAN to WAN & WLAN and back
iptables -A FORWARD -i ${LAN} -s 10.10.10.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 10.10.10.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i ${WLAN} -d 10.10.10.0/255.255.255.0 -j ACCEPT

# Forward from WLAN to WAN & LAN and back
iptables -A FORWARD -i ${WLAN} -s 10.10.11.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 10.10.11.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i ${LAN} -d 10.10.11.0/255.255.255.0 -j ACCEPT

# Enable masquerade towards the Internet
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
```

and dhcp configuration:

```
ddns-update-style none;
authoritative;

# Global options, inherited by both subnets unless overridden
option domain-name "lan";
option domain-name-servers 10.10.10.1;
option subnet-mask 255.255.0.0;
option broadcast-address 10.10.255.255;
option routers 10.10.10.1;
option ntp-servers 10.10.10.1;
option netbios-name-servers 10.10.10.1;
option netbios-dd-server 10.10.10.1;
option netbios-node-type 8;
default-lease-time 21600;
max-lease-time 28800;

subnet 10.10.10.0 netmask 255.255.255.0 {
  range 10.10.10.10 10.10.10.254;
}

subnet 10.10.11.0 netmask 255.255.255.0 {
  range 10.10.11.10 10.10.11.254;
  option domain-name-servers 10.10.11.1;
  option routers 10.10.11.1;
  option ntp-servers 10.10.11.1;
  option netbios-name-servers 10.10.11.1;
  option netbios-dd-server 10.10.11.1;
}
```

I cannot open a Samba share on a PC connected to the LAN from a notebook connected by WiFi.

I suppose I did not set up some needed routing with iptables, but I cannot determine what I missed.

Internet browsing works on both PCs (from LAN and WLAN).

Can anyone please help?

Thanks!
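Before changing rules it helps to trace the path of one WLAN -> LAN packet through exactly what the post above shows. The script below is an added example written for this page, not code from the post: it models the subnet mask dhcpd hands out (which decides whether the notebook sends the packet to the router at all) and rebuilds the FORWARD chain the iptables script leaves behind, honouring `-I` (insert at head) versus `-A` (append), first-match-wins, and the DROP policy. Interface names and prefixes are taken from the post; the flows and the WAN-side address 198.51.100.7 are constructed test inputs.

```python
"""Trace a WLAN -> LAN packet through the posted dhcpd mask and FORWARD chain.

Added example, not code from the original post. Interface names and prefixes
are the post's; the test flows are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

LAN, WAN, WLAN = "eth1", "ppp0", "wlan0"
LAN_NET, WLAN_NET = "10.10.10.0/24", "10.10.11.0/24"


@dataclass(frozen=True)
class Rule:
    """One FORWARD rule, limited to the matches the script uses (-i, -s, -d)."""
    target: str
    in_if: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None

    def matches(self, in_if: str, src: str, dst: str) -> bool:
        if self.in_if is not None and self.in_if != in_if:
            return False
        if self.src is not None and ipaddress.ip_address(src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(dst) not in ipaddress.ip_network(self.dst):
            return False
        return True


def posted_forward_chain() -> List[Rule]:
    """Rebuild the FORWARD chain in the order the posted script leaves it."""
    chain: List[Rule] = []

    def insert(rule: Rule) -> None:      # iptables -I FORWARD <rule>: goes to position 1
        chain.insert(0, rule)

    def append(rule: Rule) -> None:      # iptables -A FORWARD <rule>: goes to the end
        chain.append(rule)

    insert(Rule("DROP", in_if=LAN, dst=LAN_NET))      # no LAN hairpin via the server
    insert(Rule("DROP", in_if=WLAN, dst=WLAN_NET))    # no WLAN hairpin; ends up as rule 1
    append(Rule("ACCEPT", in_if=LAN, src=LAN_NET))    # LAN -> anywhere
    append(Rule("ACCEPT", in_if=WAN, dst=LAN_NET))    # WAN -> LAN, no state check
    append(Rule("ACCEPT", in_if=WLAN, dst=LAN_NET))   # WLAN -> LAN
    append(Rule("ACCEPT", in_if=WLAN, src=WLAN_NET))  # WLAN -> anywhere
    append(Rule("ACCEPT", in_if=WAN, dst=WLAN_NET))   # WAN -> WLAN, no state check
    append(Rule("ACCEPT", in_if=LAN, dst=WLAN_NET))   # LAN -> WLAN
    return chain


def forward_verdict(chain: List[Rule], in_if: str, src: str, dst: str,
                    policy: str = "DROP") -> str:
    """The first matching rule decides; an unmatched packet gets the chain policy."""
    for rule in chain:
        if rule.matches(in_if, src, dst):
            return rule.target
    return policy


def client_sends_to_router(client_ip: str, mask: str, dst: str) -> bool:
    """True if a host configured with client_ip/mask hands dst to its default
    gateway; False if it treats dst as on-link and ARPs for it directly,
    which no host on the other segment will ever answer."""
    local = ipaddress.ip_interface(f"{client_ip}/{mask}").network
    return ipaddress.ip_address(dst) not in local


if __name__ == "__main__":
    for mask in ("255.255.0.0", "255.255.255.0"):
        print(f"mask {mask}: notebook sends 10.10.10.2 to the gateway ->",
              client_sends_to_router("10.10.11.2", mask, "10.10.10.2"))
    chain = posted_forward_chain()
    flows = [
        (WLAN, "10.10.11.2", "10.10.10.2"),   # notebook -> LAN PC (SMB request)
        (LAN, "10.10.10.2", "10.10.11.2"),    # LAN PC -> notebook (reply)
        (LAN, "10.10.10.2", "10.10.10.3"),    # LAN -> LAN hairpin, expected DROP
        (WAN, "198.51.100.7", "10.10.10.2"),  # unsolicited WAN -> LAN
    ]
    for in_if, src, dst in flows:
        print(f"{in_if:5} {src:>14} -> {dst:<14} {forward_verdict(chain, in_if, src, dst)}")
```

Two things fall out of running it. With the global `option subnet-mask 255.255.0.0` from the first dhcpd config, a client at 10.10.11.2 considers 10.10.10.2 to be on its own link and never sends the packet to the router, so no FORWARD rule is ever consulted; with /24 it does. Once the packet reaches the gateway, the chain as posted returns ACCEPT for both WLAN -> LAN and LAN -> WLAN, so the FORWARD rules themselves are not what blocks the share. The same evaluator also shows that anything arriving on `ppp0` addressed to either private subnet is accepted regardless of connection state; whether such packets can ever arrive depends on upstream routing, but a stateful ruleset (`-m conntrack --ctstate ESTABLISHED,RELATED` for the return paths) is the usual way to close that.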

----------

## Hu

Is there any connectivity between LAN and WLAN?  Can you ping a machine on one from the other?  Can the gateway ping machines on both?  Can the gateway establish a TCP connection to the Samba server?  Have you verified that connecting from LAN to the Samba on WLAN results in a timeout, not some other type of failure?

----------

## c0ba

Hi!

With the config above, the answer from the same PC was that the host is unknown.

I've changed the dhcp config to this:

```
ddns-update-style none;
authoritative;

# Global options, inherited by both subnets unless overridden
option domain-name "lan";
option domain-name-servers 10.10.10.1;
option subnet-mask 255.255.255.0;
option broadcast-address 10.10.10.255;
option routers 10.10.10.1;
option ntp-servers 10.10.10.1;
option netbios-name-servers 10.10.10.1;
option netbios-dd-server 10.10.10.1;
option netbios-node-type 8;
default-lease-time 21600;
max-lease-time 28800;

subnet 10.10.10.0 netmask 255.255.255.0 {
  range 10.10.10.10 10.10.10.254;
}

subnet 10.10.11.0 netmask 255.255.255.0 {
  range 10.10.11.10 10.10.11.254;
  option domain-name-servers 10.10.11.1;
  option routers 10.10.11.1;
  option ntp-servers 10.10.11.1;
  option netbios-name-servers 10.10.11.1;
  option netbios-dd-server 10.10.11.1;
  option broadcast-address 10.10.11.255;
}

# Fixed addresses by MAC
host workstation {
  hardware ethernet 00:23:54:37:5E:F7;
  fixed-address 10.10.10.2;
}

host tv {
  hardware ethernet 00:90:3e:dc:f8:49;
  fixed-address 10.10.10.3;
}

host notebook-wifi {
  hardware ethernet 00:26:82:3A:AC:68;
  fixed-address 10.10.11.2;
}

host notebook-lan {
  hardware ethernet 00:26:22:D3:86:33;
  fixed-address 10.10.10.4;
}

host notebook-vmdev-lan {
  hardware ethernet 00:0c:29:69:8e:46;
  fixed-address 10.10.10.5;
}

host notebook-vmdev-wifi {
  hardware ethernet 00:0c:29:69:8e:46;
  fixed-address 10.10.11.5;
}
```

After changing the DHCP masks I began receiving a "timeout" while pinging.

So currently I can successfully ping from the server to 10.10.10.2 and to 10.10.11.2, and back from 10.10.10.2 and 10.10.11.2 to the server.

But I do receive a timeout when pinging 10.10.10.2 from 10.10.11.2 and back.

If I add these two rules to iptables script (and launch it):

```
iptables -t nat -A POSTROUTING -o ${LAN} -j MASQUERADE
iptables -t nat -A POSTROUTING -o ${WLAN} -j MASQUERADE
```

Ping starts to work. Samba too (by IP). BUT that is not good. The routing MUST work with only FORWARD rules, without MASQUERADE, as far as I know.

And the question is why it doesn't. Or maybe I have to add some marking to the packets that are targeted to another network?

May it be some kernel options involved?

Thanks!
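The quickest way to settle where the pings die is to read the FORWARD chain's packet counters (`iptables -L FORWARD -v -n -x`, `-x` for exact counts) just before and just after a known number of echo requests, and see which rule, if any, counted them. The script below is an added diagnostic written for this page, not code from the post: it parses two such listings, reports the per-rule and policy-drop deltas, and classifies the result. The two snapshots in it are constructed sample output in the standard `-v -n -x` layout for the chain the script above builds, with 4 echo requests from 10.10.11.2 to 10.10.10.2 "sent" between them; they are not captures from the poster's machine. The observation that masquerading on the inner interfaces makes the pings succeed suggests the far host answers the gateway's own address but not a foreign-subnet source, and the counter diff is how to confirm that the gateway did forward the original packets before looking at kernel options or at the destination host.

```python
"""Diff FORWARD counters around a test ping to see where the packets went.

Added diagnostic, not code from the original post. BEFORE/AFTER are constructed
`iptables -L FORWARD -v -n -x` listings for the posted chain.
"""
import re
from typing import Dict, List, Tuple

Delta = Tuple[str, str, str, str, int]   # (target, in, src, dst, packet delta)

HEADER_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets, (\d+) bytes\)")

BEFORE = """\
Chain FORWARD (policy DROP 17 packets, 1428 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DROP       all  --  wlan0  *       0.0.0.0/0            10.10.11.0/24
       0        0 DROP       all  --  eth1   *       0.0.0.0/0            10.10.10.0/24
   51230 38102211 ACCEPT     all  --  eth1   *       10.10.10.0/24        0.0.0.0/0
   49877 41228754 ACCEPT     all  --  ppp0   *       0.0.0.0/0            10.10.10.0/24
     112     9408 ACCEPT     all  --  wlan0  *       0.0.0.0/0            10.10.10.0/24
   20331 16004119 ACCEPT     all  --  wlan0  *       10.10.11.0/24        0.0.0.0/0
   19872 19238811 ACCEPT     all  --  ppp0   *       0.0.0.0/0            10.10.11.0/24
       8      672 ACCEPT     all  --  eth1   *       0.0.0.0/0            10.10.11.0/24
"""

# Same chain after 4 echo requests (84 bytes each) 10.10.11.2 -> 10.10.10.2: only the
# "-i wlan0 -d 10.10.10.0/24" ACCEPT rule moved; nothing came back on the eth1 rule.
AFTER = BEFORE.replace(
    "     112     9408 ACCEPT     all  --  wlan0  *       0.0.0.0/0            10.10.10.0/24",
    "     116     9744 ACCEPT     all  --  wlan0  *       0.0.0.0/0            10.10.10.0/24",
)


def parse_chain(listing: str) -> Tuple[str, int, List[Dict[str, object]]]:
    """Return (policy, packets dropped by the policy, rules) for one chain listing."""
    lines = [ln for ln in listing.splitlines() if ln.strip()]
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("expected `iptables -L <chain> -v -n -x` output")
    rules: List[Dict[str, object]] = []
    for ln in lines[2:]:                 # skip the chain header and the column titles
        f = ln.split()
        # columns: pkts bytes target prot opt in out source destination [match text]
        rules.append({"pkts": int(f[0]), "target": f[2], "in": f[5],
                      "src": f[7], "dst": f[8]})
    return m.group(2), int(m.group(3)), rules


def rule_deltas(before: str, after: str) -> Tuple[List[Delta], int]:
    """Per-rule packet deltas (rules that moved only) and the policy-drop delta."""
    _, drop_b, rules_b = parse_chain(before)
    _, drop_a, rules_a = parse_chain(after)
    if len(rules_a) != len(rules_b):
        raise ValueError("chain changed between snapshots; counters are not comparable")
    moved: List[Delta] = []
    for rb, ra in zip(rules_b, rules_a):
        d = ra["pkts"] - rb["pkts"]
        if d:
            moved.append((ra["target"], ra["in"], ra["src"], ra["dst"], d))
    return moved, drop_a - drop_b


def classify(moved: List[Delta], policy_drop: int, sent: int,
             in_if: str, back_if: str) -> str:
    """Where did `sent` test packets entering on in_if go? Replies would be
    counted on an ACCEPT rule whose input interface is back_if."""
    out = sum(d for t, i, _, _, d in moved if t == "ACCEPT" and i == in_if)
    back = sum(d for t, i, _, _, d in moved if t == "ACCEPT" and i == back_if)
    dropped = policy_drop + sum(d for t, _, _, _, d in moved if t != "ACCEPT")
    if dropped >= sent:
        return "dropped on gateway"
    if out >= sent and back >= sent:
        return "forwarded, replies also forwarded"
    if out >= sent:
        return "forwarded, no replies came back"
    return "never reached FORWARD"


def forwarding_enabled(sysctl_output: str) -> bool:
    """Parse `sysctl net.ipv4.ip_forward` output; nothing is forwarded unless it is 1
    (on the poster's gateway it must already be 1, since NAT to the Internet works)."""
    m = re.search(r"net\.ipv4\.ip_forward\s*=\s*(\d)", sysctl_output)
    return m is not None and m.group(1) == "1"


if __name__ == "__main__":
    moved, policy_drop = rule_deltas(BEFORE, AFTER)
    for target, in_if, src, dst, d in moved:
        print(f"{target:7} in={in_if:6} {src:>15} -> {dst:<15} {d:+d} pkts")
    print("policy DROP delta:", policy_drop)
    print(classify(moved, policy_drop, sent=4, in_if="wlan0", back_if="eth1"))
```

Reading the result: "dropped on gateway" means a FORWARD rule or the DROP policy ate the packets and the fix is in iptables; "never reached FORWARD" points at the client's routing or at the gateway's INPUT path; "forwarded, no replies came back" means the gateway did its job and the next step is `tcpdump -ni eth1 icmp` on the gateway plus a look at the destination host's own firewall, which is also the case where masquerading changing the outcome is most informative.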

----------

