I want to configure functionality similar to a Wi-Fi router with NAT and port forwarding on a laptop with Ethernet and Wi-Fi, which will take the Internet from PPPoE (ppp0), which in turn receives it over Ethernet (enp0s10), and will distribute it over Wi-Fi (wlp5s0), with the ability to forward ports, that is, so that some ports, such as http, would be visible on the Internet.

I use openSUSE Tumbleweed, SuseFirewall2 (later, iptables directly), systemd-networkd, hostapd, dnsmasq.

Network configuration via systemd-networkd (wpa_supplicant stopped):

    [Match]
    Name=en*

    [Network]
    Description=Ethernet
    DHCP=yes
    DNS=8.8.8.8
    DNS=8.8.4.4
    IPForward=ipv4
    #IPMasquerade=kernel

    [DHCP]
    RouteMetric=10


    [Match]
    Name=ppp*

    [Network]
    Description=PPPoE
    IPForward=ipv4
    #IPMasquerade=kernel

    [DHCP]
    RouteMetric=5


    [Match]
    Name=wl*

    [Network]
    Description=Wi-Fi
    DHCP=no
    Address=192.168.1.1/24
    IPForward=ipv4
    #IPMasquerade=kernel

    [DHCP]
    #RouteMetric=20

In SuseFirewall2 I defined enp0s10 and ppp0 as external and wlp5s0 as internal, enabled packet forwarding (sudo sysctl net.ipv4.ip_forward=1) and also put it into the network settings of each interface (IPForward=ipv4), because I read that systemd-networkd can override it.

sudo sysctl net.ipv4.ip_forward always returns 1.

hostapd.conf:

    interface=wlp5s0
    driver=nl80211
    ssid=ILYA
    utf8_ssid=1
    country_code=RU
    hw_mode=g
    channel=0
    macaddr_acl=0
    auth_algs=1
    wmm_enabled=1
    wpa=2
    wpa_passphrase=myPassword
    wpa_key_mgmt=WPA-PSK
    rsn_pairwise=CCMP
    wps_state=0
    ipaddr_type_availability=17
    hs20=1

dnsmasq.conf:

    interface=wlp5s0
    bind-interfaces
    dhcp-range=192.168.1.100,192.168.1.200,12h

The access point is visible to clients, they successfully connect to it and get an IP.

    sudo hostapd /etc/hostapd.conf
    Configuration file: /etc/hostapd.conf
    wlp5s0: interface state UNINITIALIZED->COUNTRY_UPDATE
    ACS: Automatic channel selection started, this may take a bit
    wlp5s0: interface state COUNTRY_UPDATE->ACS
    wlp5s0: ACS-STARTED
    wlp5s0: ACS-COMPLETED freq=2412 channel=1
    Using interface wlp5s0 with hwaddr 00:15:af:3d:8e:18 and ssid "ILYA"
    wlp5s0: interface state ACS->ENABLED
    wlp5s0: AP-ENABLED
    wlp5s0: STA 84:8e:df:f2:5a:d2 IEEE 802.11: authenticated
    wlp5s0: STA 84:8e:df:f2:5a:d2 IEEE 802.11: associated (aid 1)
    wlp5s0: AP-STA-CONNECTED 84:8e:df:f2:5a:d2
    wlp5s0: STA 84:8e:df:f2:5a:d2 RADIUS: starting accounting session 42A5DC7C41F38F95
    wlp5s0: STA 84:8e:df:f2:5a:d2 WPA: pairwise key handshake completed (RSN)

Clients see the services that run on the laptop, but they do not get Internet access through the laptop.

    ping 8.8.8.8
    From 192.168.1.1: icmp_seq=1 Destination Protocol Unreachable

    sudo iptables -L FORWARD --line-numbers
    Chain FORWARD (policy DROP)
    num  target       prot opt source    destination
    1    TCPMSS       tcp  --  anywhere  anywhere     tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
    2    forward_int  all  --  anywhere  anywhere
    3    forward_ext  all  --  anywhere  anywhere
    4    forward_ext  all  --  anywhere  anywhere
    5    forward_ext  all  --  anywhere  anywhere
    6    LOG          all  --  anywhere  anywhere     limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-FWD-ILL-ROUTING "
    7    DROP         all  --  anywhere  anywhere

That is, the access point itself seems to be working fine (there are only some odd settings in the configuration that I cannot vouch for), and the problem seems to be in iptables/SuseFirewall2, although on a different computer with several Ethernet interfaces I set up NAT the same way without any problems.

    sudo iptables-save
    # Generated by iptables-save v1.6.1 on Wed Jun 28 15:00:41 2017
    *nat
    :PREROUTING ACCEPT [196917:16784076]
    :INPUT ACCEPT [171757:15131945]
    :OUTPUT ACCEPT [198314:26166793]
    :POSTROUTING ACCEPT [2533:203080]
    -A PREROUTING -p tcp -m tcp --dport 411 -j REDIRECT --to-ports 4111
    -A PREROUTING -p udp -m udp --dport 411 -j REDIRECT --to-ports 4111
    -A PREROUTING -p tcp -m tcp --dport 666 -j REDIRECT --to-ports 6666
    -A PREROUTING -p udp -m udp --dport 666 -j REDIRECT --to-ports 6666
    -A POSTROUTING -o enp0s10 -j MASQUERADE
    -A POSTROUTING -o enp0s16 -j MASQUERADE
    -A POSTROUTING -o ppp0 -j MASQUERADE
    -A POSTROUTING -o usbpn0 -j MASQUERADE
    COMMIT
    # Completed on Wed Jun 28 15:00:41 2017
    # Generated by iptables-save v1.6.1 on Wed Jun 28 15:00:41 2017
    *mangle
    :PREROUTING ACCEPT [2753595:607681905]
    :INPUT ACCEPT [2743047:606364372]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [3194416:2062704411]
    :POSTROUTING ACCEPT [3194419:2062704603]
    -A PREROUTING -p tcp -m tcp --dport 411 -j MARK --set-xmark 0x1/0xffffffff
    -A PREROUTING -p udp -m udp --dport 411 -j MARK --set-xmark 0x1/0xffffffff
    -A PREROUTING -p tcp -m tcp --dport 666 -j MARK --set-xmark 0x1/0xffffffff
    -A PREROUTING -p udp -m udp --dport 666 -j MARK --set-xmark 0x1/0xffffffff
    COMMIT
    # Completed on Wed Jun 28 15:00:41 2017
    # Generated by iptables-save v1.6.1 on Wed Jun 28 15:00:41 2017
    *raw
    :PREROUTING ACCEPT [2753595:607681905]
    :OUTPUT ACCEPT [3194416:2062704411]
    -A PREROUTING -i wlp5s0 -j CT --notrack
    -A OUTPUT -o wlp5s0 -j CT --notrack
    COMMIT
    # Completed on Wed Jun 28 15:00:41 2017
    # Generated by iptables-save v1.6.1 on Wed Jun 28 15:00:41 2017
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [3131619:2047600227]
    :f2b-apache-auth - [0:0]
    :f2b-apache-badbots - [0:0]
    :f2b-apache-botsearch - [0:0]
    :f2b-apache-fakegooglebot - [0:0]
    :f2b-apache-nohome - [0:0]
    :f2b-apache-noscript - [0:0]
    :f2b-apache-overflows - [0:0]
    :f2b-apache-shellshock - [0:0]
    :f2b-dovecot - [0:0]
    :f2b-php-url-fopen - [0:0]
    :f2b-postfix-sasl - [0:0]
    :f2b-sshd - [0:0]
    :f2b-sshd-ddos - [0:0]
    :forward_ext - [0:0]
    :forward_int - [0:0]
    :input_ext - [0:0]
    :input_int - [0:0]
    :reject_func - [0:0]
    -A INPUT -p tcp -m multiport --dports 25,587,993,995 -j f2b-postfix-sasl
    -A INPUT -p tcp -m multiport --dports 25,587,993,995 -j f2b-dovecot
    -A INPUT -p tcp -m multiport --dports 80,443 -j f2b-php-url-fopen
    -A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache-shellshock
    -A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache-fakegooglebot
    -A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache-botsearch
    -A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache-nohome
    -A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache-overflows
    -A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache-noscript
    -A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache-badbots
    -A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache-auth
    -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd-ddos
    -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
    -A INPUT -i wlp5s0 -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
    -A INPUT -j input_ext
    -A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
    -A INPUT -j DROP
    -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    -A FORWARD -i wlp5s0 -j forward_int
    -A FORWARD -i enp0s10 -j forward_ext
    -A FORWARD -i enp0s16 -j forward_ext
    -A FORWARD -i ppp0 -j forward_ext
    -A FORWARD -i usbpn0 -j forward_ext
    -A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
    -A FORWARD -j DROP
    -A OUTPUT -o wlp5s0 -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT
    -A f2b-apache-auth -j RETURN
    -A f2b-apache-badbots -j RETURN
    -A f2b-apache-botsearch -j RETURN
    -A f2b-apache-fakegooglebot -j RETURN
    -A f2b-apache-nohome -j RETURN
    -A f2b-apache-noscript -j RETURN
    -A f2b-apache-overflows -j RETURN
    -A f2b-apache-shellshock -j RETURN
    -A f2b-dovecot -j RETURN
    -A f2b-php-url-fopen -j RETURN
    -A f2b-postfix-sasl -j RETURN
    -A f2b-sshd -j RETURN
    -A f2b-sshd-ddos -j RETURN
    -A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
    -A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
    -A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
    -A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
    -A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
    -A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
    -A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
    -A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
    -A forward_ext -i enp0s10 -o wlp5s0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A forward_ext -i enp0s16 -o wlp5s0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A forward_ext -i ppp0 -o wlp5s0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A forward_ext -i usbpn0 -o wlp5s0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A forward_ext -m comment --comment "sfw2.insert.pos" -m pkttype ! --pkt-type unicast -j DROP
    -A forward_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A forward_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A forward_ext -p udp -m limit --limit 3/min -m conntrack --ctstate NEW -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A forward_ext -j DROP
    -A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
    -A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
    -A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
    -A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
    -A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
    -A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
    -A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
    -A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
    -A forward_int -i wlp5s0 -o enp0s10 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
    -A forward_int -i wlp5s0 -o enp0s16 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
    -A forward_int -i wlp5s0 -o ppp0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
    -A forward_int -i wlp5s0 -o usbpn0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
    -A forward_int -m comment --comment "sfw2.insert.pos" -m pkttype ! --pkt-type unicast -j DROP
    -A forward_int -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A forward_int -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A forward_int -p udp -m limit --limit 3/min -m conntrack --ctstate NEW -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A forward_int -j reject_func
    -A input_ext -m pkttype --pkt-type broadcast -j DROP
    -A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
    -A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
    -A input_ext -p tcp -m tcp --dport 80 -j ACCEPT
    -A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
    -A input_ext -p tcp -m tcp --dport 443 -j ACCEPT
    -A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 3030:3033 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
    -A input_ext -p tcp -m tcp --dport 3030:3033 -j ACCEPT
    -A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 411 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
    -A input_ext -p tcp -m tcp --dport 411 -j ACCEPT
    -A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 666 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
    -A input_ext -p tcp -m tcp --dport 666 -j ACCEPT
    -A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 143 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
    -A input_ext -p tcp -m tcp --dport 143 -j ACCEPT
    -A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 995 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
    -A input_ext -p tcp -m tcp --dport 995 -j ACCEPT
    -A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 4046 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
    -A input_ext -p tcp -m tcp --dport 4046 -j ACCEPT
    -A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 6600 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
    -A input_ext -p tcp -m tcp --dport 6600 -j ACCEPT
    -A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 8000 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
    -A input_ext -p tcp -m tcp --dport 8000 -j ACCEPT
    -A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 23420 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
    -A input_ext -p tcp -m tcp --dport 23420 -j ACCEPT
    -A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 25 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
    -A input_ext -p tcp -m tcp --dport 25 -j ACCEPT
    -A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 587 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
    -A input_ext -p tcp -m tcp --dport 587 -j ACCEPT
    -A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
    -A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
    -A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
    -A input_ext -p tcp -m tcp --dport 9999 -j ACCEPT
    -A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 10000 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
    -A input_ext -p tcp -m tcp --dport 10000 -j ACCEPT
    -A input_ext -p udp -m udp --dport 3030:3033 -j ACCEPT
    -A input_ext -p udp -m udp --dport 411 -j ACCEPT
    -A input_ext -p udp -m udp --dport 666 -j ACCEPT
    -A input_ext -p udp -m udp --dport 23420 -j ACCEPT
    -A input_ext -p udp -m udp --dport 9999 -j ACCEPT
    -A input_ext -p udp -m udp --dport 10000 -j ACCEPT
    -A input_ext -p udp -m udp --dport 10001 -j ACCEPT
    -A input_ext -p udp -m udp --dport 10002 -j ACCEPT
    -A input_ext -m limit --limit 3/min -m mark --mark 0x1 -m conntrack --ctstate NEW -j LOG --log-prefix "SFW2-INext-ACC-REDIR " --log-tcp-options --log-ip-options
    -A input_ext -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m mark --mark 0x1 -j ACCEPT
    -A input_ext -m comment --comment "sfw2.insert.pos" -m pkttype ! --pkt-type unicast -j DROP
    -A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A input_ext -p udp -m limit --limit 3/min -m conntrack --ctstate NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A input_ext -j DROP
    -A reject_func -p tcp -j REJECT --reject-with tcp-reset
    -A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
    -A reject_func -j REJECT --reject-with icmp-proto-unreachable
    COMMIT
    # Completed on Wed Jun 28 15:00:41 2017

I tried to specify the rules manually, but this only led to an even worse result.

    sudo iptables -F
    sudo iptables -t nat -F
    sudo iptables -t mangle -F
    sudo iptables -A FORWARD -i ppp0 -j ACCEPT
    sudo iptables -A FORWARD -o ppp0 -j ACCEPT
    sudo iptables -t nat -A POSTROUTING -o wlp5s0 -j MASQUERADE

After these commands, I lost the Internet on the laptop itself.

    sudo iptables-save
    # Generated by iptables-save v1.6.1 on Wed Jun 28 15:03:22 2017
    *nat
    :PREROUTING ACCEPT [56:4021]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [25:3270]
    :POSTROUTING ACCEPT [25:3270]
    -A POSTROUTING -o wlp5s0 -j MASQUERADE
    COMMIT
    # Completed on Wed Jun 28 15:03:22 2017
    # Generated by iptables-save v1.6.1 on Wed Jun 28 15:03:22 2017
    *mangle
    :PREROUTING ACCEPT [283:31132]
    :INPUT ACCEPT [280:30736]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [114:12295]
    :POSTROUTING ACCEPT [114:12295]
    COMMIT
    # Completed on Wed Jun 28 15:03:22 2017
    # Generated by iptables-save v1.6.1 on Wed Jun 28 15:03:22 2017
    *raw
    :PREROUTING ACCEPT [2762306:609037401]
    :OUTPUT ACCEPT [3206332:2067813109]
    -A PREROUTING -i wlp5s0 -j CT --notrack
    -A OUTPUT -o wlp5s0 -j CT --notrack
    COMMIT
    # Completed on Wed Jun 28 15:03:22 2017
    # Generated by iptables-save v1.6.1 on Wed Jun 28 15:03:22 2017
    *filter
    :INPUT DROP [279:30688]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [112:11979]
    :f2b-apache-auth - [0:0]
    :f2b-apache-badbots - [0:0]
    :f2b-apache-botsearch - [0:0]
    :f2b-apache-fakegooglebot - [0:0]
    :f2b-apache-nohome - [0:0]
    :f2b-apache-noscript - [0:0]
    :f2b-apache-overflows - [0:0]
    :f2b-apache-shellshock - [0:0]
    :f2b-dovecot - [0:0]
    :f2b-php-url-fopen - [0:0]
    :f2b-postfix-sasl - [0:0]
    :f2b-sshd - [0:0]
    :f2b-sshd-ddos - [0:0]
    :forward_ext - [0:0]
    :forward_int - [0:0]
    :input_ext - [0:0]
    :input_int - [0:0]
    :reject_func - [0:0]
    -A FORWARD -i ppp0 -j ACCEPT
    -A FORWARD -o ppp0 -j ACCEPT
    COMMIT
    # Completed on Wed Jun 28 15:03:22 2017

I am not very good with iptables rules and ask for your help. And if the problem is not in the iptables rules, then please help me figure out where to dig.

  • I tried to specify the rules manually - after that, run $ sudo iptables-save and attach the output to the question. - aleksandr barakin
  • Thank you, put both before and after. - Ilya Indigo
  • @alexanderbarakin The proposed link suggests enabling NAT like this: sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE. If I understand correctly, the address range is limited here, which I would not like to do in the rules, and it also follows from this that in my commands above (sudo iptables -A FORWARD -i ppp0 -j ACCEPT, sudo iptables -A FORWARD -o ppp0 -j ACCEPT, sudo iptables -t nat -A POSTROUTING -o wlp5s0 -j MASQUERADE) the external and internal interfaces are mixed up. Is this true? - Ilya Indigo

1 answer

For the INPUT and FORWARD chains you have DROP policies in the filter table:

    *filter
    :INPUT DROP [279:30688]
    :FORWARD DROP [0:0]

Since you cleared all the netfilter rules, you need to change the policies of these chains to ACCEPT, otherwise packets will not pass through these chains at all. The general command syntax is:

    iptables -t таблица -P цепочка политика

If the table is filter, you can omit it (it is implied by default). Example:

    $ sudo iptables -P INPUT ACCEPT
    $ sudo iptables -P FORWARD ACCEPT

See the documentation for the iptables program: $ man iptables


It would probably be more “right” to keep using the susefirewall manager (or remove it completely, so that it does not get under your feet). Then you need to configure it somehow so that it adds the rules you need to netfilter. I can't tell you anything here: there are so many of these “leaky abstractions” that supposedly make life easier that it is not possible to get into all of them in a lifetime.

  • Thanks for the tip. Closer to the night I will try to do it. - Ilya Indigo
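As an added example that is not part of the question or the answer, the script below generates a minimal rule set for the topology in the question (ppp0 external, wlp5s0 internal, MASQUERADE on the external side rather than on wlp5s0 as in the manual attempt, FORWARD kept at policy DROP with explicit conntrack rules, and a DNAT for http) and checks a saved rule dump for the raw-table "CT --notrack" rule on wlp5s0 that appears in the question's iptables-save output; packets marked untracked never match the "--ctstate" rules in forward_int and fall through to reject_func, whose icmp-proto-unreachable is what the ping shows. The interface names are the question's; the LAN host 192.168.1.100 and the choice of port 80 are assumptions.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# Interface names follow the question; 192.168.1.100 as the HTTP host
# behind the NAT is an assumption (it lies inside the dnsmasq dhcp-range).

# Print the iptables commands for a minimal NAT router:
#   $1 external interface, $2 internal interface,
#   $3 LAN prefix, $4 LAN host that receives forwarded HTTP.
# The raw table is flushed too, so no CT --notrack rule survives and the
# conntrack state matches below can actually see the LAN traffic.
gen_nat_rules() {
    cat <<EOF
iptables -t raw -F
iptables -t mangle -F
iptables -t nat -F
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $2 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -i $2 -o $1 -s $3 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $1 -o $2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A PREROUTING -i $1 -p tcp --dport 80 -j DNAT --to-destination $4:80
iptables -A FORWARD -i $1 -o $2 -d $4 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -s $3 -o $1 -j MASQUERADE
EOF
}

# Exit status 0 if the iptables-save text on stdin contains a raw-table rule
# that exempts packets arriving on interface $1 from connection tracking.
# Untracked packets never match "-m conntrack --ctstate NEW,RELATED,ESTABLISHED",
# so with such a rule the forward_int ACCEPTs in the question can never fire.
notrack_on_iface() {
    grep -q -- "^-A PREROUTING -i $1 -j CT --notrack\$"
}

# Constructed excerpt of the raw table from the question's iptables-save output.
SAMPLE_RAW='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i wlp5s0 -j CT --notrack
-A OUTPUT -o wlp5s0 -j CT --notrack
COMMIT'

# Stand-alone use: print the rule set, then flag the notrack problem if present.
gen_nat_rules ppp0 wlp5s0 192.168.1.0/24 192.168.1.100
if printf '%s\n' "$SAMPLE_RAW" | notrack_on_iface wlp5s0; then
    echo "warning: raw table disables conntrack on wlp5s0; ctstate rules cannot match" >&2
fi
```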