[Techtalk] sharing mobile broadband on wired LAN

Lisa Kachold lisakachold at obnosis.com
Tue Nov 3 19:14:14 UTC 2015


Each line should start with $ipt (which is your variable that points to the
iptables binary with complete path).  This shows your second line starting
with "ESTABLISHED" & third line with "$WAN_IFACE".

Did you check your linefeeds and command formatting?

Alternately flush your tables and load each command manually to see
where/if you have script errors! Just cut/copy/paste each line into your
tables, then display the full recipe with "iptables_save" and/or pipe via
STOUT to a text file to compare or import at startup.  Depending on your
distro, iptables startup config and version, your templates might
conflict.  Many stock firewalls, VPN solutions and Virtualized servers use
bridging, TUN or null devices with DNAT/SNAT and or EBTABLES.

Just pulling partial iptables out of your scripts tool bin for use, while
replacing the complete startup UFW config firewall, might be a quick
solution, however security threats today demand that you use a complete
solution or build upon modern tools, like SHOREWALL:

Other appliance based SOHO firewalls include:
SMOOTHWALL: http://www.smoothwall.org
IPCOP: http://www.ipcop.org

Firewalld, OpenWall, IPWire, MonoWall, & Untangle are compared here:
Block and limit known attacks:

Also don't forget to check your kernel values!  In order to support
iptables in bridging mode (which you are not doing but might consider),
your Linux kernel needs to be compiled with CONFIG_BRIDGE_NETFILTER=1, and
your /etc/sysctl.conf file either needs to not contain any entries for the
following settings or have them set to “1”:

net.bridge.bridge-nf-call-arptables=0 net.bridge.bridge-nf-call-ip6tables=0

Traditionally, Ubuntu and other Debian derivatives store network interface
configurations in the file /etc/network/interfaces. However, GNOME's
Network Manager system automatically configures any interface not
explicitly described in that file.

In theory, this should mean that if you specify interface and bridge
configurations in /etc/network/interfaces, you shouldn't have to worry
about Network Manager overriding or otherwise conflicting with those
settings. But in practice, most Admins agree, you're better off
*disabling* Network
Manager altogether in the System→Preferences→Startup Applications applet,
if you want to set up a bridged iptable configuration in

To *completely* disable Network Manager, you also need to open the
System→Preferences→Network Connections control panel and delete all
connection profiles under the Wired tab. Even if Network Manager is
disabled as a startup service, Ubuntu will read network configuration
information set by this control panel, resulting in strange interactions
with /etc/network/interfaces.

Even after disabling the Network Manager service, setting up
/etc/network/interfaces and stopping and restarting /etc/init.d/networking,
ethernet devices can show up in the routing table with the *same IP address* as
the bridge (which is why we asked you what your route was showing). You
must kill all processes and restart the Daemon.

Since most of us really need something "bigger" than say as SOHO router
(even something running a ddwrt /openwrt solution), I would suggest adding
a nice appliance instead?

This is a pretty tight solution:  REDWALL

More information about the Techtalk mailing list