
I have successfully set up a Raspberry Pi to function as an access point. I have a Pi connected via ethernet to my router, and am able to connect to the Pi's wifi network and access other devices on that wifi network, as well as the external internet (via cable to router). I did so by following this guide: https://www.raspberrypi.com/documentation/computers/configuration.html#setting-up-a-routed-wireless-access-point

However, I am having trouble locking down this AP wifi network with iptables. What I want is a default deny policy for everything, with the exception of a static IP on this AP wifi which will have unrestricted access to connect to other machines on the AP network as well as to the internet.

Currently I have the following rules:

$ sudo iptables -L --line-numbers -v
Chain INPUT (policy DROP 579 packets, 78551 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      190 14054 ACCEPT     all  --  lo     any     anywhere             anywhere
2     3491  247K ACCEPT     all  --  any    any     Fruit.wlan           anywhere

Chain FORWARD (policy DROP 4599 packets, 315K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     7201  876K ACCEPT     all  --  any    any     Fruit.wlan           anywhere
2        1    68 ACCEPT     all  --  any    any     anywhere             Fruit.wlan

Chain OUTPUT (policy DROP 1437 packets, 103K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      184 13544 ACCEPT     all  --  any    lo      anywhere             anywhere
2     2357  231K ACCEPT     all  --  any    any     anywhere             Fruit.wlan

$ sudo iptables -L --line-numbers -v -t nat
Chain PREROUTING (policy ACCEPT 3171 packets, 275K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 1631 packets, 122K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1726 packets, 124K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 86 packets, 6578 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1069 70865 MASQUERADE  all  --  any    eth0    anywhere             anywhere

With these rules, I can still ssh into the Pi (access point) from the Fruit.wlan machine; however, I cannot access the internet. I think it is an issue with my forwarding rules, but I can't figure out what is blocking me.

pi access point IP is 192.168.10.1
upstream router IP is 192.168.0.1
Fruit.wlan IP is 192.168.10.123

  • For Linux systems to be able to route and/or NAT any traffic at all, the system tunables `sysctl net.ipv4.ip_forward` resp. `net.ipv6.conf.all.forwarding` need to be enabled – HBruijn Jun 30 '23 at 10:20
  • IPv4 forwarding is already enabled. As I mentioned, everything works perfectly without any firewall rules in place. I am simply looking to now restrict all network activity besides the one IP I would like to allow – ExecutionByFork Jun 30 '23 at 14:26
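Added example, not part of the original question, the comments, or the linked guide: a stateful version of the ruleset above, written as a shell script that emits iptables-restore input. Two things in the posted rules are worth looking at. The FORWARD chain is plausibly fine for the trusted host (conntrack un-NATs replies before they reach filter/FORWARD, so rule 2 matches them), but INPUT and OUTPUT give the Pi itself no path to the upstream side other than loopback and the trusted host. If the client resolves names through dnsmasq on 192.168.10.1, which is what the routed-AP guide configures, dnsmasq's own upstream queries are dropped by OUTPUT, resolution fails, and "the internet" looks down even though forwarded IP traffic would pass. A quick way to tell the two apart from the client is `curl -sI http://1.1.1.1` (raw forwarding) versus `nslookup example.com 192.168.10.1` (the Pi's resolver). The posted rules also match on address alone with `in = any`, so a host on the eth0 side could claim 192.168.10.123; the example binds the trusted address to the AP interface instead. The interface names `wlan0` and `eth0` and the addresses are assumptions taken from the guide and the question; the Pi's own `iptables -L -v -n` (with `-n`, so "Fruit.wlan" is shown as the address it resolved from) is the place to confirm them.

```shell
#!/bin/sh
# Added example (not from the original post or the linked guide): a stateful
# "default deny, one trusted client" ruleset for a routed Raspberry Pi access
# point, emitted in iptables-restore format.  Interface names and addresses
# are assumptions: wlan0 faces the clients (192.168.10.1), eth0 faces the
# upstream router (192.168.0.1), and 192.168.10.123 is the trusted client.
set -u

TRUSTED_IP="${TRUSTED_IP:-192.168.10.123}"   # the one client allowed through
AP_IF="${AP_IF:-wlan0}"                      # AP side of the Pi
WAN_IF="${WAN_IF:-eth0}"                     # upstream side of the Pi

# Print the complete ruleset.  Anything not listed is dropped by chain policy.
# Lines starting with '#' are ignored by iptables-restore.
gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback, then replies to connections the Pi itself opened.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The trusted client may talk to the Pi (ssh, and DNS/DHCP served by dnsmasq).
# Binding to the AP interface stops an eth0-side host from spoofing that IP.
-A INPUT -i $AP_IF -s $TRUSTED_IP -j ACCEPT
# Only the trusted client is routed out; its replies return via conntrack,
# so no "anything to the client" rule is needed.
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $AP_IF -o $WAN_IF -s $TRUSTED_IP -j ACCEPT
# The Pi's own traffic: loopback, replies, answers to the trusted client, and
# the upstream DNS queries dnsmasq sends on the client's behalf.  Without the
# last two rules name resolution dies while forwarding still works.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $AP_IF -d $TRUSTED_IP -j ACCEPT
-A OUTPUT -o $WAN_IF -p udp --dport 53 -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp --dport 53 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Masquerade only the trusted client rather than the whole 192.168.10.0/24.
-A POSTROUTING -s $TRUSTED_IP -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Load the ruleset atomically.  --test parses everything first and commits
# nothing, so a typo leaves the running rules untouched.
apply_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
  gen_rules | iptables-restore --test || return 1
  gen_rules | iptables-restore
}

# "sh script.sh" prints the ruleset for review; "sudo sh script.sh apply" loads it.
if [ "${1:-}" = "apply" ]; then apply_rules; else gen_rules; fi
```

Review the printed output first, then load it with `sudo sh script.sh apply`; if you followed the guide's netfilter-persistent step, run `sudo netfilter-persistent save` afterwards so it survives a reboot. If other clients must still get DHCP leases from the Pi, add an `-A INPUT -i wlan0 -p udp --dport 67 -j ACCEPT` rule, since a DHCP discover arrives from 0.0.0.0 and does not match the trusted-address rule.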
