forwarding and masquerading over a wireless link

From: Brian Seppanen (seppanen_at_chartermi.net)
Date: 02/01/04


Date: Sat, 31 Jan 2004 23:26:53 -0500


I have an (overly) complex home network which I'm having some problems with.

I have a cable modem directly connected to a Linksys Wireless Router.
Everything there works fine. I have a PC directly connected to one of
the four ports on the Wireless Router Hub and that too works fine. I
have a wi-fi link with a PC in another place and that too works fine.

cable modem
     || (PUB IP)
Linksys Wireless Router (192.168.1.1)
     |                 /|\
     |                 /|\
Directly Connected     Wireless Connected PC (192.168.1.2)
PC (192.168.1.3)       2nd Ethernet Interface
                       (192.168.2.2) <------> (192.168.2.1) WAN Interface
                                                          Router 2
                                                             |
                                                             |
                                                   Directly Connected PC3
                                                   (192.168.3.3)

I have a second ethernet card in the computer with the wi-fi connection
that goes to a second router's WAN interface. I then have a third PC
that is plugged into the Router. What I'm trying to do is get
192.168.3.3 access to the internet through an overly complicated network.

From 192.168.3.3 I can ping 192.168.3.1, 192.168.2.1 and 192.168.2.2,
but I cannot ping 192.168.1.1, 192.168.1.2 or 192.168.1.3. From the
router I can ping all of 192.168.3.0 and 192.168.2.0 but nothing on
192.168.1.0. From my second PC I can ping all of 192.168.1.0,
192.168.2.0, and 192.168.3.0.

I have masquerading set up, or so I thought I did... using
bastille-firewall as the primary means of creating the rules and then
tweaking. It seems that my masquerading configuration is not working
otherwise. It would seem that if masquerading were working, traffic
coming in on 192.168.2.0/28 would be forwarded to 192.168.1.0, and ping
would work from the router, and elsewhere.

First of all, is it possible to set up forwarding over the wireless link?
The wireless card has a proprietary driver and is an ADM8211 chip.
It works well enough. I've tried temporarily allowing all MACs access
to the wireless network; I was going to verify that worked and then
limit the MACs again... I'm at a loss. I've tried to get it set up
for so long with so little success that I'm thinking that I'm trying to
accomplish the impossible.

Any assistance would be greatly appreciated.

-- 
Brian E. Seppanen
seppanen@chartermi.net
No matter how cynical you get, it's impossible to keep up.

# Generated by iptables-save v1.2.8 on Sat Jan 31 22:47:49 2004
*mangle
:PREROUTING ACCEPT [208882:184334888]
:INPUT ACCEPT [208863:184333592]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [218374:17183042]
:POSTROUTING ACCEPT [218374:17183042]
COMMIT
# Completed on Sat Jan 31 22:47:49 2004
# Generated by iptables-save v1.2.8 on Sat Jan 31 22:47:49 2004
*nat
:PREROUTING ACCEPT [478:59955]
:POSTROUTING ACCEPT [326:19024]
:OUTPUT ACCEPT [399:24204]
-A POSTROUTING -s 192.168.2.0/255.255.255.240 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.3.0/255.255.255.240 -o eth1 -j MASQUERADE
COMMIT
# Completed on Sat Jan 31 22:47:49 2004
# Generated by iptables-save v1.2.8 on Sat Jan 31 22:47:49 2004
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [44511:3764462]
:INT_IN - [0:0]
:INT_OUT - [0:0]
:PAROLE - [0:0]
:PUB_IN - [0:0]
:PUB_OUT - [0:0]
-A INPUT -s 192.168.2.1 -j ACCEPT
-A INPUT -s 192.168.3.0/255.255.255.240 -j ACCEPT
-A INPUT -d 127.0.0.0/255.0.0.0 -i ! lo -p tcp -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 224.0.0.0/240.0.0.0 -j DROP
-A INPUT -d 192.168.2.0/255.255.255.240 -i eth1 -j DROP
-A INPUT -s 192.168.2.0/255.255.255.240 -i eth1 -j DROP
-A INPUT -d 192.168.3.0/255.255.255.240 -i eth1 -j DROP
-A INPUT -s 192.168.3.0/255.255.255.240 -i eth1 -j DROP
-A INPUT -i eth1 -j PUB_IN
-A INPUT -i eth0 -j INT_IN
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.3.0/255.255.255.240 -o eth1 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.240 -o eth1 -j ACCEPT
-A OUTPUT -o eth1 -j PUB_OUT
-A OUTPUT -o eth0 -j INT_OUT
-A INT_IN -p tcp -m tcp --dport 80 -j PAROLE
-A INT_IN -p tcp -m tcp --dport 22 -j PAROLE
-A INT_IN -p tcp -m tcp --dport 6000:6020 -j PAROLE
-A INT_IN -p tcp -m tcp --dport 3306 -j PAROLE
-A INT_IN -p tcp -m tcp --dport 901 -j PAROLE
-A INT_IN -p udp -m udp --dport 161 -j ACCEPT
-A INT_IN -p udp -m udp --dport 162 -j ACCEPT
-A INT_IN -p udp -m udp --dport 514 -j ACCEPT
-A INT_IN -p udp -m udp --dport 53 -j ACCEPT
-A INT_IN -p icmp -j ACCEPT
-A INT_IN -j DROP
-A INT_OUT -p icmp -j ACCEPT
-A INT_OUT -j ACCEPT
-A PAROLE -j ACCEPT
-A PUB_IN -d 192.168.1.0/255.255.255.0 -j DROP
-A PUB_IN -s 192.168.1.0/255.255.255.0 -j DROP
-A PUB_IN -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PUB_IN -p tcp -m tcp --dport 80 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 22 -j PAROLE
-A PUB_IN -p udp -m udp --dport 161 -j ACCEPT
-A PUB_IN -p udp -m udp --dport 162 -j ACCEPT
-A PUB_IN -p udp -m udp --dport 514 -j ACCEPT
-A PUB_IN -p tcp -m tcp --dport 23 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit"
-A PUB_IN -p tcp -m tcp --dport 21 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit"
-A PUB_IN -p tcp -m tcp --dport 143 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit"
-A PUB_IN -p tcp -m tcp --dport 110 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit"
-A PUB_IN -p tcp -m tcp --dport 79 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit"
-A PUB_IN -p tcp -m tcp --dport 111 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit"
-A PUB_IN -p tcp -m tcp --dport 512 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit"
-A PUB_IN -p tcp -m tcp --dport 513 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit"
-A PUB_IN -p tcp -m tcp --dport 98 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit"
-A PUB_IN -p tcp -m tcp --dport 22 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit"
-A PUB_IN -p udp -m udp --dport 31337 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit"
-A PUB_IN -p icmp -j DROP
-A PUB_IN -j DROP
-A PUB_OUT -j ACCEPT
COMMIT
# Completed on Sat Jan 31 22:47:49 2004
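Added here as a worked example, not part of Brian's post: a shell script that reads the counters and rules out of the dump above and performs the checks a reviewer would run before touching the rules. The embedded dump is a constructed excerpt of the one posted; treating eth1 as the wireless upstream interface, and the function names, are assumptions.

```shell
#!/bin/sh
# Constructed excerpt of the iptables-save dump from the post, embedded so
# the checks run offline on exactly those lines.
DUMP='*mangle
:FORWARD ACCEPT [0:0]
COMMIT
*nat
-A POSTROUTING -s 192.168.2.0/255.255.255.240 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.3.0/255.255.255.240 -o eth1 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.3.0/255.255.255.240 -o eth1 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.240 -o eth1 -j ACCEPT
COMMIT'

# forward_policy_pkts TABLE: packet half of the "[pkts:bytes]" policy
# counter on TABLE's FORWARD chain. The mangle FORWARD chain has no rules,
# so every forwarded packet hits its policy; 0 there means the kernel has
# not forwarded a single packet, whatever the filter rules permit.
forward_policy_pkts() {
  printf '%s\n' "$DUMP" | awk -v tbl="*$1" '
    $1 == tbl { in_tbl = 1; next }
    /^COMMIT/ { in_tbl = 0 }
    in_tbl && $1 == ":FORWARD" { gsub(/[^0-9:]/, "", $3); split($3, c, ":"); print c[1]; exit }'
}

# has_rule CHAIN SRC OUTIF TARGET: 1 if "-A CHAIN -s SRC -o OUTIF -j TARGET"
# appears verbatim (fixed-string match), else 0.
has_rule() { printf '%s\n' "$DUMP" | grep -qF -- "-A $1 -s $2 -o $3 -j $4" && echo 1 || echo 0; }

# ip_forward_state: the kernel routing switch (1 = on), "unknown" off Linux.
ip_forward_state() { [ -r /proc/sys/net/ipv4/ip_forward ] && cat /proc/sys/net/ipv4/ip_forward || echo unknown; }

# diagnose UPSTREAM_IF: per-subnet NAT/forward coverage, then the counter
# verdict. Treating eth1 as the wireless upstream side is an assumption;
# the post never names its interfaces.
diagnose() {
  for net in 192.168.2.0/255.255.255.240 192.168.3.0/255.255.255.240; do
    echo "$net masquerade=$(has_rule POSTROUTING "$net" "$1" MASQUERADE)" \
         "forward=$(has_rule FORWARD "$net" "$1" ACCEPT)"
  done
  if [ "$(forward_policy_pkts mangle)" = 0 ]; then
    echo "nothing has been forwarded yet: check ip_forward=$(ip_forward_state) and routing before the rules"
  fi
}
diagnose eth1
```

Run it on a live box by replacing the DUMP assignment with `DUMP=$(iptables-save -c)` so the counters come from the running kernel rather than the pasted snapshot.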
