NATed traffic being dropped by rule on INPUT chain
I have the following iptables rules:

    *nat
    -A POSTROUTING -o wlan0 -j MASQUERADE
    COMMIT
    *filter
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -i wlan1 -p tcp -m state --state NEW --dport 22 -j ACCEPT
    -A INPUT -j DROP
    -A OUTPUT -j ACCEPT
    COMMIT

wlan0 is attached to the public network.

wlan1 is attached to a private network.

SSH is permitted to the router from the private network.

The goal is for traffic that originates on the network attached to wlan1 to appear to originate from the router, hence the MASQUERADE.

I don't want anything to be able to make a connection on the public interface; the final INPUT rule is to drop all incoming connections to the router itself.

However, the drop rule on the INPUT chain appears to be dropping the traffic that should be bound for the network attached to wlan1.

If I remove the drop rule on the INPUT chain, it seems to work; however, doing so allows connections to the router.
asked 9 mins ago by adpatter
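Packets routed through a Linux box traverse the FORWARD chain, not INPUT; INPUT only sees packets addressed to the router itself, which includes any DNS or DHCP requests that LAN clients send to the router, so a blanket INPUT DROP silences those while leaving the NAT path untouched. The following is an added example, not code from the question or from any answer on this page: an iptables-restore ruleset that keeps the router closed on wlan0 but states the INPUT and FORWARD policies separately. The LAN subnet 192.168.10.0/24, the DNS/DHCP allowances for LAN clients and the `gen_rules`/`check_rules` names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Interface names come from the
# question; LAN_NET and the DNS/DHCP allowances are assumptions.
# Forwarding also needs: sysctl -w net.ipv4.ip_forward=1
WAN=wlan0
LAN=wlan1
LAN_NET=192.168.10.0/24

# Emit the ruleset in iptables-restore format (nothing is applied here).
gen_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Only masquerade traffic that really comes from the LAN subnet
-A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT: packets addressed to the router itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $LAN -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Assumption: LAN clients use the router as DNS resolver and DHCP server
-A INPUT -i $LAN -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN -p tcp --dport 53 -j ACCEPT
-A INPUT -i $LAN -p udp --dport 67 -j ACCEPT
# FORWARD: packets routed through the router (never evaluated by INPUT)
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
# New connections from the public side towards the LAN are refused explicitly
-A FORWARD -i $WAN -o $LAN -m conntrack --ctstate NEW -j DROP
COMMIT
EOF
}

# Syntax-check the ruleset without loading it (iptables-restore --test).
check_rules() {
    gen_rules | iptables-restore -t
}
```

Load it with `gen_rules | iptables-restore` once `check_rules` passes.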