
I am trying to apply some iptables forwarding rules in openwrt.

Here is my scenario -

My server has two cards, ath0 and br-lan. br-lan is connected to the internet and ath0 to the private network.

The other machine in the network also has an ath0 that connects to this server's ath0, and they are able to ping each other.

Now I want the other machine in the network to use the internet through the server's br-lan, so I thought of using an iptables forwarding rule.

Here is what I tried -

Server :

$ ping 1.1.1.6 // <ath0-ip of client> works fine
$ iptables -A FORWARD -i ath0 -o br-lan -j ACCEPT
$ /etc/init.d/firewall restart

Client :

$ ping 1.1.1.5 // <ath0-ip of server>  works fine
$ ping 132.245.244.60 // <br-lan ip of server> (not working)

I am new to iptables stuff and OpenWrt. What am I doing wrong here?

Any other suggestions for my scenario are welcome.

johnbaltis
Udit Gupta

1 Answer


At a guess, you've got 1 of 2 issues, or possibly both.

  1. Machine 2 doesn't have a default route (or any route) via Machine 1. You haven't mentioned the operating systems or subnets in use so I can't give you much more information about how to resolve that.

  2. You haven't actually enabled IP Forwarding on Machine 1:

    • sysctl -w net.ipv4.ip_forward=1

      or

    • echo 1 > /proc/sys/net/ipv4/ip_forward

Cory Knutson
fukawi2
  • Do we really need to add a route? As far as I know, if m/c 1 is able to ping m/c 2 then it will transfer its packet to m/c 2 and then the firewall will just forward it to the other interface. Why do we need to add a route? Please see my edit for information about the actual IPs (the IPs are different but in the same class). Further, I am new to this, so do we need to run those commands to enable forwarding? Wouldn't iptables do it by default? – Udit Gupta Oct 25 '13 at 02:22
  • Also, is it that I need to forward the ICMP packets too to enable ping? – Udit Gupta Oct 25 '13 at 02:23
  • RE: routing, yes, if you want to talk to the IP address(es) on the "other side" of Machine 1. Without an appropriate route, Machine 2 has no idea where to send the traffic, or will send it to the wrong place (default route). RE: enabling forwarding, no, iptables does not enable it automatically. – fukawi2 Oct 25 '13 at 06:01
  • OK, got it. One more thing: are you assuming m/c 2 is the server or the client? Please correct me if I am wrong, but you want me to do something like this on the server: `ip route add 130.245.244.260 dev ath0`, so that when a request comes in on `ath0` on the server it will check the `route` and then forward the traffic based on the `iptables rule`? – Udit Gupta Oct 26 '13 at 15:27
  • No, the route needs to know the 'next hop': `ip route add 132.245.244.60 via 1.1.1.5`. The command you posted tells the kernel that 132.245.244.60 is directly connected to ath0, which it is not; it's on the "other side" of 1.1.1.5. – fukawi2 Oct 27 '13 at 22:11
  • don't forget routes back or source natting ... – Goez Jul 12 '16 at 16:10
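Putting the answer and the last two comments together, here is an added example (not code from the question or the answer) of the full set of changes that turns the server into a router for the ath0 side: enable forwarding in the kernel, allow the FORWARD traffic in both directions (the question's rule only allowed the outbound half, so replies would still be dropped), masquerade the private 1.1.1.0/24 addresses behind br-lan so that replies have a way back, and give the client a default route via the server. The interface names and 1.1.1.5 come from the question; the /24 prefix, the DRY_RUN helper and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed layout, from the question:
#   LAN_IF=ath0   private side, server is 1.1.1.5, client is 1.1.1.6
#   WAN_IF=br-lan internet side
# The /24 prefix and the DRY_RUN switch are assumptions for this example.

LAN_IF=${LAN_IF:-ath0}
WAN_IF=${WAN_IF:-br-lan}
LAN_ADDR=${LAN_ADDR:-1.1.1.5}
LAN_NET=${LAN_NET:-1.1.1.0/24}

# run: execute the command, or only print it when DRY_RUN=1 so the resulting
# rule set can be reviewed on a machine that is not the router.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Step 1: the kernel must be told to route between interfaces at all.
# iptables rules alone never turn this on.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Step 2: allow forwarded traffic in both directions. Accepting only
# ath0 -> br-lan lets the request out but drops the reply coming back.
# The stateful rule admits replies to existing connections (and nothing else).
forward_rules() {
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Step 3: nothing on the internet side knows how to reach 1.1.1.0/24, so
# rewrite the source address to the router's br-lan address on the way out.
# Without this (or explicit return routes) replies never come back.
source_nat() {
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Client side: anything not on 1.1.1.0/24 must be sent to the router as next hop.
client_default_route() {
    run ip route add default via "$LAN_ADDR" dev "$LAN_IF"
}

server_setup() {
    enable_forwarding
    forward_rules
    source_nat
}

# Usage: DRY_RUN=1 sh router.sh server   (print the rules)
#        sh router.sh server              (apply on the OpenWrt box)
#        sh router.sh client              (run on the client)
case "${1:-}" in
    server) server_setup ;;
    client) client_default_route ;;
esac
```

Two practical points: on OpenWrt, `/etc/init.d/firewall restart` flushes rules added by hand, so the server-side commands belong in `/etc/firewall.user` (or the equivalent uci forwarding and masquerade options) rather than being typed once; and pinging 132.245.244.60 from the client is a test of the route (that address is the router's own, so the packet never hits FORWARD), which is why the missing default route on the client explains the failure in the question.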