[TriLUG] Sharing WiFi through Ethernet

Kevin Hunter Kesling hunteke at earlham.edu
Fri Aug 15 22:11:41 EDT 2014


At 6:13pm -0400 Fri, 15 Aug 2014, Brian McCullough wrote:
> On Fri, Aug 15, 2014 at 01:22:39PM -0700, Joseph Mack NA3T wrote:
> The environment:
>
> Laptop
> wlan0: 192.168.1.x -- talks to the outside world.
> eth0:  10.0.0.x -- talks to the subnet ( the target device )
> Has above iptables. Has ip_forward set to 1. Has dnsmasq configured
> to talk only to eth0.
> DNSMasq: serves addresses to eth0 subnet. Gives DNS addresses
> 8.8.4.4, 8.8.8.8. Shows eth0 address as gateway.
>
> Second device:
> on 10.0.0.0/24 network
> usually given 10.0.0.101 address
> Recognizes that it has IP address.
> Recognizes "local network"
> Fails to communicate with Internet.
>
> DNSMasq log on laptop shows DNS activity which seems reasonable for
> second device. ( appropriate addresses searched and returned )
>
> What else can I say?

As I look through this thread, I don't see that the gateway computer 
(Laptop) knows to _accept_ packets in the FORWARD chain.  This might be 
a problem if the default policy is to drop or reject packets.  Something 
like this:

     $ sudo iptables -A FORWARD -i eth0 -o wlan0 -j ACCEPT

(Assuming that eth0 is connected to the client computers, and wlan0 is 
your wireless device connected to the internet.)

I also don't see connection tracking, meaning that you're sending 
packets through the wlan0 interface, but only one way; how does the gateway 
know which packets are allowed to be sent back in and to where?  Thank 
goodness for Bash history for this one:

     $ sudo iptables -A FORWARD -m conntrack --ctstate \
         RELATED,ESTABLISHED -j ACCEPT

So, the complete sequence on the gateway might be something like this:

     $ sudo sysctl net.ipv4.ip_forward=1
     $ sudo iptables -t nat -F
     $ sudo iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
     $ sudo iptables -A FORWARD -i eth0 -o wlan0 -j ACCEPT
     $ sudo iptables -A FORWARD -m conntrack --ctstate \
         RELATED,ESTABLISHED -j ACCEPT

It's been a while since I last did this so I've also probably missed a 
step, but I hope the above helps.

Kevin
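
The three pieces this message lists (masquerade on wlan0, FORWARD accept from eth0 to wlan0, conntrack accept for return traffic) can be checked against `iptables-save` output. The following is an added example, not part of the original post; the function name `audit_gateway`, its result labels and the two sample rule dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `iptables-save` text for the pieces a NAT gateway needs.
# Simplification: it checks that each rule exists, not whether an earlier
# DROP/REJECT rule in the same chain shadows it.

# audit_gateway RULES LAN_IF WAN_IF -> prints the missing pieces (empty = OK)
audit_gateway() {
    rules=$1; lan=$2; wan=$3; missing=""
    nat=$(printf '%s\n' "$rules" | sed -n '/^\*nat/,/^COMMIT/p')
    filter=$(printf '%s\n' "$rules" | sed -n '/^\*filter/,/^COMMIT/p')

    # Outbound packets must be rewritten to the uplink's address.
    printf '%s\n' "$nat" | grep -Eq -- "^-A POSTROUTING .*-o $wan .*-j MASQUERADE" \
        || missing="$missing masquerade"

    # A FORWARD policy of ACCEPT needs nothing more; otherwise both the
    # outbound direction and the tracked return traffic need an ACCEPT rule.
    policy=$(printf '%s\n' "$filter" | sed -n 's/^:FORWARD \([A-Z]*\) .*/\1/p')
    if [ "$policy" != "ACCEPT" ]; then
        printf '%s\n' "$filter" \
            | grep -Eq -- "^-A FORWARD .*-i $lan .*-o $wan .*-j ACCEPT" \
            || missing="$missing forward-out"
        printf '%s\n' "$filter" | grep -Eq -- \
            "^-A FORWARD .*(--ctstate|--state) [A-Z,]*ESTABLISHED.* -j ACCEPT" \
            || missing="$missing return-traffic"
    fi
    echo "${missing# }"
}

# Constructed dump: NAT is present, but FORWARD drops by default and has no rules.
BROKEN='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
COMMIT'

# Constructed dump: the same gateway after the complete sequence in the message.
FIXED='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o wlan0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

echo "broken: $(audit_gateway "$BROKEN" eth0 wlan0)"
echo "fixed:  $(audit_gateway "$FIXED" eth0 wlan0)"
```

On a live gateway the first argument would be the output of `sudo iptables-save`.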

