
I've followed a tutorial (in German) on setting up a WiFi router (access point) on a Raspberry Pi. Following the tutorial, I had to add the following iptables rules:

```shell
iptables -A FORWARD -o eth0 -i wlan0 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```

Unfortunately I don't have any experience with iptables and would like to know what the rules mean/do.

Darellon

1 Answer


I'll go through the rules and explain each in turn; to understand the flow, refer to the iptables chart.

```shell
iptables -A FORWARD -o eth0 -i wlan0 -m conntrack --ctstate NEW -j ACCEPT
```

In the FORWARD chain, you appended a rule which says: if any packet comes newly from wlan0 to eth0, the filter lets it pass and tracks that connection as NEW (which means: it follows its change of state).

```shell
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
```

For any packet coming in that is tracked as ESTABLISHED or RELATED, the filter lets it pass.

```shell
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```

For the NAT table (which contains the FORWARD chain), in the POSTROUTING chain, any packet leaving eth0 forgets its inner IP address (so it stays behind a NAT) and gets the one of eth0: MASQUERADE stands for masking the address.

Ariel Otilibili
  • There's more to MASQUERADE than that. It also gets a newly allocated port in addition to the address, and the tracker DOES NOT forget the original port and address. Instead, any packet that comes back to the (newly allocated) port is rewritten to go back to the original port and address. – Chris Dodd Nov 24 '17 at 19:09
  • Well said, Chris Dodd: you raised an important fact on `MASQUERADE`. – Ariel Otilibili Nov 24 '17 at 19:12
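As an added example (not from the question, the answer or the tutorial), a small Python model of the three rules: it mimics the conntrack state decision in the FORWARD chain and the MASQUERADE address/port rewrite described in the answer and in Chris Dodd's comment. The eth0 address and the FORWARD chain's DROP policy are assumed values; the page does not state them.

```python
from dataclasses import dataclass, replace

ETH0_IP = "203.0.113.5"       # assumed public address on eth0 (constructed value)
FORWARD_POLICY = "DROP"       # assumed FORWARD chain policy; the page does not state it

@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src: str
    sport: int
    dst: str
    dport: int

class Router:
    def __init__(self):
        self.tracked = set()   # conntrack entries: (src, sport, dst, dport) of the first packet
        self.nat = {}          # MASQUERADE table: allocated port -> (original src, sport)
        self.next_port = 1024  # simplified port allocator

    def ctstate(self, pkt):
        # Reply direction of a tracked connection is ESTABLISHED; anything else counts as
        # NEW until a reply has been seen. RELATED (ICMP errors, helpers) is not modelled.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.tracked:
            return "ESTABLISHED"
        return "NEW"

    def forward(self, pkt):   # FORWARD chain: the two filter rules in order, then the policy
        state = self.ctstate(pkt)
        if state == "NEW" and pkt.in_if == "wlan0" and pkt.out_if == "eth0":   # rule 1
            self.tracked.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if state in ("ESTABLISHED", "RELATED"):                                 # rule 2
            return "ACCEPT"
        return FORWARD_POLICY   # e.g. an unsolicited NEW packet arriving on eth0

    def masquerade(self, pkt):   # nat POSTROUTING rule: only packets leaving eth0
        if pkt.out_if != "eth0":
            return pkt
        port, self.next_port = self.next_port, self.next_port + 1
        self.nat[port] = (pkt.src, pkt.sport)   # original address/port is kept, not forgotten
        return replace(pkt, src=ETH0_IP, sport=port)

    def unmasquerade(self, reply):   # done by conntrack for the reply, before FORWARD sees it
        if reply.dport not in self.nat:
            return reply
        src, sport = self.nat[reply.dport]
        return replace(reply, dst=src, dport=sport)
```

Run a LAN client's outbound packet through `forward` then `masquerade`, feed the reply through `unmasquerade` then `forward`, and compare with an unsolicited packet arriving on eth0, which never matches rule 1 and falls through to the policy.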