# Debian Iptables question



## blobster21 (Jan 22, 2015)

Hello !

I'm using my Raspberry Pi (powered by Raspbian) as a wireless access point.
I have enabled IPv4 forwarding between my wireless (192.168.42.0/24) and my wired (192.168.1.0/24) networks with the following iptables rules:


```
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
```

Everything works great, except for the WOL magic packets sent from my laptop, which never reach their destination (from wlan0 to eth0):


```
wakeonlan -i 192.168.1.2 -p 9 AA:BB:CC:DD:EE:FF
```

I tried to create an additional rule for UDP packets aimed at port 9:


```
sudo iptables -A FORWARD -i wlan0 -o eth0 -p udp -d 192.168.1.255 --dport 9 -j ACCEPT
```

but nothing happened.

As soon as I turn off my laptop's WiFi and switch to a wired connection, the previous wakeonlan command works as it should and the distant computer wakes up....

Do you have some ideas I could try? Am I wrong in assuming the previous 2 iptables rules should be enough to route *anything* to and from my wireless & wired networks?

Thanks in advance for your help!


----------



## Aquinus (Jan 22, 2015)

You should log all the traffic going through IP tables and try it again to see if it's even capturing the packet. You should be able to grep through the log file with relative ease if it grows fast. Also, is your default INPUT rule to DROP or REJECT? If the packet is finding its way there once you connect with a wire, it could be that it can't make the connection or that it's hanging. If your default INPUT rule is DROP, then it will hang until it times out and if you're plugging in the Ethernet before it times out, it will retry and succeed.


----------



## blobster21 (Jan 23, 2015)

Totally makes sense.

Also, I knew something was fishy, because I noticed earlier that the INPUT section is empty:


```
pi@raspberrypi ~ $ sudo iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
pi@raspberrypi ~ $
```

Just a guess: if there are no explicit directives in this section, maybe the default behaviour is to drop packets? (I must confess this: iptables is still uncharted territory for me.)


----------



## blobster21 (Jan 23, 2015)

Default behaviour is indeed to drop packets unless otherwise stated, so I have temporarily enabled all *input/output traffic*:


```
pi@raspberrypi ~ $ sudo iptables -L --line-numbers

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination      
1    ACCEPT     all  --  anywhere             anywhere         

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination      
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    ACCEPT     all  --  anywhere             anywhere         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination      
1    ACCEPT     all  --  anywhere             anywhere    
   
pi@raspberrypi ~ $
```

Still no go.

It looks like a forwarding problem, it tastes like a forwarding problem, but is it a forwarding problem?


----------



## blobster21 (Jan 23, 2015)

Update: it works!

I learned two things in the process of tracking down the issue:

1/ When forwarding packets between network A and network B, if the FORWARD iptables rules have been properly set, then there is no need for additional INPUT/OUTPUT rules, as I read in this French network security guide:


> *FORWARD*: It filters the packets that pass from one network interface to another. Please note that packets of this type will *never* go through the INPUT and OUTPUT chains.



2/ When sending WOL requests from network A to network B, the WOL command MUST be crafted as an IP-directed WOL request, i.e.:


```
wakeonlan -i 192.168.1.1 AA:BB:CC:DD:EE:FF
```

not as an IP network broadcast:


```
wakeonlan AA:BB:CC:DD:EE:FF
```

or else it fails. I tried a small utility called bcrelay, hoping it would relay broadcast frames between wlan0 and eth0, but that didn't work as expected.

Anyway, it's working again, thanks for your input, Aquinus!


----------
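As an added illustration of the thread's conclusion (not code from the thread or from the wakeonlan tool), here is a small Python script that builds the Wake-on-LAN magic packet, sends it as an IP-directed unicast datagram rather than a subnet broadcast, and can check a captured UDP payload (for example one logged on the Pi) to confirm a well-formed magic packet actually crossed from wlan0 to eth0. The MAC and host address are the thread's placeholder values.

```python
import re
import socket
from typing import Optional

# Magic packet layout: 6 bytes of 0xFF followed by the target MAC repeated
# 16 times (102 bytes). UDP port 9 (discard) is the conventional choice.
MAGIC_PREFIX = b"\xff" * 6
MAC_REPEATS = 16


def parse_mac(mac: str) -> bytes:
    """Accept AA:BB:CC:DD:EE:FF or AA-BB-CC-DD-EE-FF, return 6 raw bytes."""
    hexdigits = re.sub(r"[:-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def build_magic_packet(mac: str) -> bytes:
    return MAGIC_PREFIX + parse_mac(mac) * MAC_REPEATS


def extract_mac_from_magic(payload: bytes) -> Optional[str]:
    """Return the target MAC if payload carries a valid magic packet, else None.

    Trailing bytes (e.g. a SecureOn password) are tolerated; a payload whose
    16 MAC copies are not identical is rejected.
    """
    idx = payload.find(MAGIC_PREFIX)
    body_len = 6 * MAC_REPEATS
    if idx < 0 or len(payload) < idx + 6 + body_len:
        return None
    body = payload[idx + 6 : idx + 6 + body_len]
    mac = body[:6]
    if body != mac * MAC_REPEATS:
        return None
    return ":".join(f"{b:02X}" for b in mac)


def send_wol(mac: str, target_ip: str, port: int = 9) -> int:
    """Send the magic packet as a unicast UDP datagram to the host's own IP.

    A subnet broadcast such as 192.168.1.255 is not forwarded between wlan0
    and eth0, so the directed form is the one that works across the Pi. The
    last hop must still resolve the sleeping host's MAC (ARP), so a static
    neighbour entry on the Pi is worth having if that resolution fails.
    """
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(packet, (target_ip, port))


if __name__ == "__main__":
    send_wol("AA:BB:CC:DD:EE:FF", "192.168.1.2")  # thread's placeholder values
```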

