[Techtalk] sharing mobile broadband on wired LAN

Carla Schroder carla at bratgrrl.com
Tue Nov 3 03:29:06 UTC 2015


Hiho,

I had an idea today that I wanted to use my new AT&T Velocity mobile
hotspot like my old DSL modem, and share the incoming
wireless Internet with my wired LAN.

Velocity wifi  >  PC1                   >  ethernet switch  >  PC2
192.168.1.1       192.168.1.25 (wlan0)                         192.168.2.15
                  192.168.2.10 (eth0)
 
PC1 has a wifi interface and wired Ethernet. PC2 has only wired
Ethernet. Wired net is 192.168.2.0. 

So I rolled out my trusty iptables script for sharing an internet
connection on PC1, my faithful script that has never failed. And it
failed. The two PCs on 192.168.2.0 see each other fine. But PC2 cannot
connect to the Velocity on 192.168.1.0. Yes, IPv4 forwarding is on PC1.
I fear strange magics in the Velocity.

This is my iptables script:

#!/bin/sh
#iptables firewall script for sharing a cable or DSL Internet
#connection, with no public services
#
#Assumes IPv4 forwarding is already enabled in the kernel
#(sysctl net.ipv4.ip_forward=1); this script does not set it.

#define variables
ipt="/sbin/iptables"
mod="/sbin/modprobe"
LAN_IFACE="eth0"
WAN_IFACE="wlan0"

#load kernel modules
$mod ip_tables
$mod iptable_filter
$mod iptable_nat
$mod ip_conntrack
$mod ipt_LOG
$mod ipt_limit
$mod ipt_state
$mod iptable_mangle
$mod ipt_MASQUERADE

# Flush all active rules and delete all custom chains
$ipt -F
$ipt -t nat -F
$ipt -t mangle -F
$ipt -X
$ipt -t nat -X
$ipt -t mangle -X

#Set default policies: nothing reaches this host or is routed
#through it unless a rule below allows it
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
$ipt -t nat -P OUTPUT ACCEPT
$ipt -t nat -P PREROUTING ACCEPT
$ipt -t nat -P POSTROUTING ACCEPT
$ipt -t mangle -P PREROUTING ACCEPT
$ipt -t mangle -P POSTROUTING ACCEPT

#this line is necessary for the loopback interface
#and internal socket-based services to work correctly
$ipt -A INPUT -i lo -j ACCEPT

#Enable IP masquerading: packets leaving on the WAN interface get
#their source rewritten to the WAN interface's address, so the
#upstream device only ever sees this host
$ipt -t nat -A POSTROUTING  -o $WAN_IFACE -j MASQUERADE

#Enable unrestricted outgoing traffic, incoming
#is restricted to locally-initiated sessions only
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Forward anything from the LAN out to the WAN; from the WAN back
#to the LAN only replies to sessions the LAN started
$ipt -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Accept ICMP echo-request and time-exceeded
$ipt -A INPUT -p icmp --icmp-type echo-request  -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

#Reject connection attempts not initiated from inside the LAN
#(the INPUT policy is already DROP; this rule is belt and braces)
$ipt -A INPUT -p tcp --syn -j DROP

I'm OK with missing something obvious.

thanks,
Carla
-- 
++++++++++++++++++++++++++++++++++++++++
Ace Linux guru                         +
carlaschroder.com                      +
There's a dance in the old dame yet    +
++++++++++++++++++++++++++++++++++++++++
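For readers who hit the same symptom (wired clients can reach each other but not the upstream device), here is a set of sanity checks for a two-interface sharing host like PC1. This is an added example by the editor, not code from Carla's post. Each check is a shell function that reads command output from stdin or from a file path, so it can be exercised against captured text as well as on the live box; the interface names, the 192.168.2.0/24 LAN and PC1's LAN address 192.168.2.10 are taken from the post and can be overridden in the environment. The check for a `-s` source restriction on the MASQUERADE rule is a hardening point the original script does not have: without it, anything that reaches POSTROUTING on the way out of wlan0 is NATed, not just the wired LAN.

```shell
#!/bin/sh
# share-check.sh: sanity checks for an iptables connection-sharing host.
# Editor's example, not Carla's script. Functions read their input from
# stdin (or a file path) so they can be tested against captured output.

LAN_IFACE="${LAN_IFACE:-eth0}"
WAN_IFACE="${WAN_IFACE:-wlan0}"
LAN_NET="${LAN_NET:-192.168.2.0/24}"
LAN_GW="${LAN_GW:-192.168.2.10}"   # the sharing host's address on the wired LAN

# Check 1: the kernel must route between interfaces. Reads the sysctl
# file (default /proc/sys/net/ipv4/ip_forward) so a copy can be tested.
forwarding_on() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Check 2: nat/POSTROUTING must rewrite the source of packets leaving the
# WAN interface. Input: `iptables -t nat -S POSTROUTING` on stdin.
has_masquerade() {
    grep -qE -- "^-A POSTROUTING .*-o $WAN_IFACE .*-j (MASQUERADE|SNAT)"
}

# Check 2b (hardening): the same rule should name the LAN as its source,
# so only packets from LAN_NET are NATed rather than anything that
# happens to leave via the WAN interface.
masquerade_limited_to_lan() {
    grep -qE -- "^-A POSTROUTING .*-s $LAN_NET .*-o $WAN_IFACE .*-j (MASQUERADE|SNAT)"
}

# Check 3: filter/FORWARD must drop by default, pass LAN -> WAN, and pass
# WAN -> LAN only for established/related traffic.
# Input: `iptables -S FORWARD` on stdin.
forward_rules_ok() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q -- "^-P FORWARD DROP" &&
    printf '%s\n' "$rules" |
        grep -qE -- "^-A FORWARD -i $LAN_IFACE -o $WAN_IFACE .*-j ACCEPT" &&
    printf '%s\n' "$rules" |
        grep -qE -- "^-A FORWARD -i $WAN_IFACE -o $LAN_IFACE .*(ESTABLISHED|RELATED).*-j ACCEPT"
}

# Check 4: on the wired client the default route must point at the
# sharing host's LAN address, not at the upstream device, which the
# client cannot reach directly. Input: `ip route` on stdin.
client_default_via_gw() {
    grep -q -- "^default via $LAN_GW "
}

# Run all host-side checks against the live system (needs root for iptables).
run_live() {
    rc=0
    forwarding_on || { echo "FAIL: net.ipv4.ip_forward is not 1"; rc=1; }
    iptables -t nat -S POSTROUTING | has_masquerade ||
        { echo "FAIL: no MASQUERADE/SNAT rule out $WAN_IFACE"; rc=1; }
    iptables -t nat -S POSTROUTING | masquerade_limited_to_lan ||
        echo "WARN: MASQUERADE rule is not limited to -s $LAN_NET"
    iptables -S FORWARD | forward_rules_ok ||
        { echo "FAIL: FORWARD chain does not pass $LAN_IFACE -> $WAN_IFACE"; rc=1; }
    [ "$rc" -eq 0 ] && echo "host-side checks passed"
    return "$rc"
}

# Usage:  sh share-check.sh --live     (on the sharing host, as root)
#         sh share-check.sh --client   (on the wired client)
case "${1:-}" in
    --live)   run_live ;;
    --client) ip route | client_default_via_gw ||
                  { echo "FAIL: default route is not via $LAN_GW"; exit 1; }
              echo "client default route is via $LAN_GW" ;;
esac
```

If all host-side checks pass and the client still cannot reach the upstream address, the next step is `tcpdump -ni wlan0 host 192.168.1.1` on PC1 while the client pings: it shows whether the masqueraded packet leaves at all and whether any reply comes back, which separates a local iptables problem from behaviour on the upstream device.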
