
Debian Iptables question

Hello!

I'm using my Raspberry Pi (powered by Raspbian) as a wireless access point.
I have enabled IPv4 forwarding between my wireless (192.168.42.0/24) and my wired (192.168.1.0/24) networks with the following iptables rules:

Code:
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

Everything works great, except for the WOL magic packets sent from my laptop, which never reach their destination (from wlan0 to eth0):

Code:
wakeonlan -i 192.168.1.2 -p 9 AA:BB:CC:DD:EE:FF

I tried to create an additional rule for UDP packets aimed at port 9:

Code:
sudo iptables -A FORWARD -i wlan0 -o eth0 -p udp -d 192.168.1.255 --dport 9 -j ACCEPT

but nothing happened.

As soon as I turn off my laptop's WiFi and switch to a wired connection, the previous wakeonlan command works as it should and the remote computer wakes up...

Do you have any ideas I could try? Am I wrong in assuming the previous two iptables rules should be enough to route *anything* to and from my wireless and wired networks?

Thanks in advance for your help!
 
You should log all the traffic going through iptables and try it again to see if it's even capturing the packet. You should be able to grep through the log file with relative ease if it grows fast. Also, is your default INPUT rule DROP or REJECT? If the packet is finding its way there once you connect with a wire, it could be that it can't make the connection or that it's hanging. If your default INPUT rule is DROP, then it will hang until it times out, and if you're plugging in the Ethernet before it times out, it will retry and succeed.
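To act on the logging suggestion above, here is an added example (not code from this thread, the forum, or iptables itself) that sifts iptables LOG output for UDP/9 datagrams and reports which chain saw each one. It assumes LOG rules were inserted ahead of the existing ACCEPT rules (LOG is non-terminating, so the ACCEPT rules still apply afterwards), e.g. `sudo iptables -I INPUT 1 -p udp --dport 9 -j LOG --log-prefix "WOL-IN: "` and `sudo iptables -I FORWARD 1 -p udp --dport 9 -j LOG --log-prefix "WOL-FWD: "`, and that the resulting kernel messages are read from /var/log/kern.log or `dmesg`. The prefixes, addresses and `SAMPLE_LOG` lines are constructed for the example, not captured from a real Pi.

```python
"""Sift iptables LOG output for Wake-on-LAN datagrams (UDP/9).

Added example for this thread, not code from the original posts or from
iptables. Assumed LOG rules (inserted ahead of the ACCEPT rules):

    sudo iptables -I INPUT   1 -p udp --dport 9 -j LOG --log-prefix "WOL-IN: "
    sudo iptables -I FORWARD 1 -p udp --dport 9 -j LOG --log-prefix "WOL-FWD: "

SAMPLE_LOG below is constructed, not captured from a real system.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: a broadcast magic packet that ended up in INPUT (empty OUT=),
# an unrelated dhcpcd line, an SSH entry from some other LOG rule, and a directed
# magic packet that traversed FORWARD (OUT=eth0).
SAMPLE_LOG = """\
Jan 10 21:03:12 raspberrypi kernel: [ 8123.456789] WOL-IN: IN=wlan0 OUT= MAC=b8:27:eb:12:34:56:00:11:22:33:44:55:08:00 SRC=192.168.42.10 DST=192.168.1.255 LEN=130 TOS=0x00 PREC=0x00 TTL=64 ID=4021 DF PROTO=UDP SPT=53121 DPT=9 LEN=110
Jan 10 21:03:13 raspberrypi dhcpcd[512]: wlan0: carrier acquired
Jan 10 21:03:40 raspberrypi kernel: [ 8151.001234] SSH-IN: IN=wlan0 OUT= MAC=b8:27:eb:12:34:56:00:11:22:33:44:55:08:00 SRC=192.168.42.10 DST=192.168.42.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=TCP SPT=41022 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 21:04:02 raspberrypi kernel: [ 8173.778899] WOL-FWD: IN=wlan0 OUT=eth0 MAC=b8:27:eb:12:34:56:00:11:22:33:44:55:08:00 SRC=192.168.42.10 DST=192.168.1.2 LEN=130 TOS=0x00 PREC=0x00 TTL=63 ID=4022 DF PROTO=UDP SPT=53122 DPT=9 LEN=110
"""

# "kernel: [uptime] <log-prefix> IN=... OUT=... ..." ; the prefix is whatever
# sits between the optional timestamp and the first IN= field.
_LOG_LINE = re.compile(r"kernel:\s*(?:\[\s*[\d.]+\]\s*)?(?P<prefix>.*?)(?P<fields>\bIN=.*)$")
_KV = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the KEY=value fields of an iptables LOG line, plus the log prefix
    under 'PREFIX', or None for lines that are not iptables LOG output.
    LEN appears twice (IP header, then UDP/TCP); the transport LEN wins."""
    m = _LOG_LINE.search(line)
    if not m:
        return None
    fields = dict(_KV.findall(m.group("fields")))
    fields["PREFIX"] = m.group("prefix").strip()
    return fields


def wol_hits(lines, port: int = 9) -> List[Dict[str, object]]:
    """Pick out UDP datagrams to `port` and say which path they took.
    An empty OUT= means the packet had no egress interface at that point,
    i.e. it was headed for the Pi itself (INPUT chain); a non-empty OUT=
    means it traversed FORWARD towards that interface."""
    hits = []
    for line in lines:
        f = parse_log_line(line)
        if not f or f.get("PROTO") != "UDP" or f.get("DPT") != str(port):
            continue
        hits.append({
            "prefix": f["PREFIX"],
            "in": f.get("IN", ""),
            "out": f.get("OUT", ""),
            "src": f.get("SRC"),
            "dst": f.get("DST"),
            "forwarded": bool(f.get("OUT")),
        })
    return hits


if __name__ == "__main__":
    for h in wol_hits(SAMPLE_LOG.splitlines()):
        verdict = f"forwarded to {h['out']}" if h["forwarded"] else "delivered locally, not forwarded"
        print(f"{h['prefix']} {h['src']} -> {h['dst']} via {h['in']}: {verdict}")
```

Run it against `sudo journalctl -k` or `/var/log/kern.log` output instead of `SAMPLE_LOG` on the Pi; if the magic packet only ever shows up with an empty `OUT=`, it never entered the FORWARD chain and no FORWARD rule will help.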
 
Totally makes sense.

Also, I knew something was fishy, because I noticed earlier that the INPUT section is empty:

Code:
pi@raspberrypi ~ $ sudo iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
pi@raspberrypi ~ $

Just a guess: if there are no clear directives in this section, maybe the default behaviour is to drop packets? (I must confess this: iptables is still uncharted territory for me.)
 
Default behavior is indeed to drop packets unless otherwise stated, so I have temporarily enabled all *input/output traffic*:

Code:
pi@raspberrypi ~ $ sudo iptables -L --line-numbers

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination      
1    ACCEPT     all  --  anywhere             anywhere         

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination      
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    ACCEPT     all  --  anywhere             anywhere         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination      
1    ACCEPT     all  --  anywhere             anywhere    
   
pi@raspberrypi ~ $

Still no go :(

It looks like a forwarding problem, it tastes like a forwarding problem, but is it a forwarding problem? :confused:
 
Update: it works!

I learned two things in the process of tracking down the issue:

1/ When forwarding packets between network A and network B, if the FORWARD iptables rules have been properly set, then there is no need for additional INPUT/OUTPUT rules, as I read in this French network security guide (translated from the French):
FORWARD: It filters the packets that pass from one network interface to another. Please note that packets of this type will never go through the INPUT and OUTPUT chains.

2/ When sending WOL requests from network A to network B, the WOL command MUST be crafted as an IP-directed WOL request, i.e.:

Code:
wakeonlan -i 192.168.1.1 AA:BB:CC:DD:EE:FF

not as an IP network broadcast:

Code:
wakeonlan AA:BB:CC:DD:EE:FF

or else it fails. I tried a small utility called bcrelay, hoping it would relay broadcast frames between wlan0 and eth0, but it didn't work as expected.

Anyway, it's working again; thanks for your input, Aquinus!
 