When you have a Linux machine acting as a wireless router with two interfaces - one connected to the internet (wlan0 in station mode) and another broadcasting an AP (wlan1) - you need proper packet forwarding rules. This setup is common when creating a wireless hotspot or sharing an existing connection.
First, ensure IP forwarding is enabled in the kernel:
echo 1 > /proc/sys/net/ipv4/ip_forward
For permanent setting, add this to /etc/sysctl.conf:
net.ipv4.ip_forward=1
Your initial rules only handle the FORWARD chain. Here's a more complete solution:
# Flush existing rules
iptables -F
iptables -t nat -F
# Set default policies
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Allow established connections
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Forwarding rules between interfaces
iptables -A FORWARD -i wlan1 -o wlan0 -j ACCEPT
# Only return traffic from the uplink to the AP side; an unconditional wlan0 -> wlan1 ACCEPT would also forward unsolicited inbound traffic
iptables -A FORWARD -i wlan0 -o wlan1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# NAT configuration for internet sharing
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
Clients on wlan1 will need IP addresses. Install and configure dnsmasq:
apt-get install dnsmasq
Edit /etc/dnsmasq.conf:
interface=wlan1
dhcp-range=192.168.10.100,192.168.10.200,255.255.255.0,24h
After applying all settings, test with:
iptables -L -v -n
ping -I wlan1 8.8.8.8
traceroute google.com
If connections fail, check:
- Interface IP addresses (ip addr show)
- Routing table (ip route show)
- Firewall logs (dmesg | grep iptables)
- Client DHCP assignment
To make rules persistent across reboots:
apt-get install iptables-persistent
netfilter-persistent save
In this scenario, we have a Linux machine with two wireless interfaces:
- wlan0: Station mode, connected to an upstream internet source
- wlan1: Access Point mode, hosting client connections
For proper forwarding between interfaces, we need to address these critical components:
- IP forwarding at kernel level
- NAT (Network Address Translation)
- Proper firewall rules
- Routing configuration
Here's the complete set of commands to enable forwarding:
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Basic forwarding rules
iptables -A FORWARD -i wlan1 -o wlan0 -j ACCEPT
iptables -A FORWARD -i wlan0 -o wlan1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# NAT configuration
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
# Additional security measures: default-deny INPUT, but keep the services AP clients on wlan1 need
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i wlan1 -p udp --dport 67 -j ACCEPT   # DHCP requests from clients (blocked otherwise by INPUT DROP)
iptables -A INPUT -i wlan1 -p udp --dport 53 -j ACCEPT   # DNS, if the router resolves for its clients
iptables -A INPUT -i wlan1 -p tcp --dport 53 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
To make these changes survive reboots:
# For Debian/Ubuntu systems
apt install iptables-persistent
netfilter-persistent save
# Or manually save rules
iptables-save > /etc/iptables.rules
Add this to /etc/rc.local (before exit 0):
iptables-restore < /etc/iptables.rules
echo 1 > /proc/sys/net/ipv4/ip_forward
If connections still don't work:
# Check forwarding status
sysctl net.ipv4.ip_forward
# Verify NAT rules
iptables -t nat -L -n -v
# Test connectivity from client
ping 8.8.8.8
traceroute 8.8.8.8
# Check route tables
ip route show
For newer systems using nftables instead of iptables:
nft add table ip nat
nft add chain ip nat prerouting { type nat hook prerouting priority 0 \; }
nft add chain ip nat postrouting { type nat hook postrouting priority 100 \; }
nft add rule ip nat postrouting oifname "wlan0" masquerade
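As an added check that is not part of either answer, the following Python script parses an iptables-save dump (what `iptables-save > /etc/iptables.rules` writes) and flags the pitfalls discussed above: a FORWARD policy that is not DROP, a missing ESTABLISHED,RELATED rule, an unconditional wlan0-to-wlan1 ACCEPT, a missing MASQUERADE on wlan0, and an INPUT DROP policy with no DHCP/DNS exceptions for AP clients. The sample dump is constructed from the first answer's rules; the interface names wlan0/wlan1 are the page's.

```python
WAN, LAN = "wlan0", "wlan1"   # uplink (station) and AP interfaces from the page
def parse_save(dump):
    """Map each table to (chain policies, appended rules) from iptables-save text."""
    tables, cur = {}, None
    for line in (l.strip() for l in dump.splitlines()):
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], ({}, []))
        elif cur and line.startswith(":"):
            cur[0][line[1:].split()[0]] = line.split()[1]
        elif cur and line.startswith("-A "):
            cur[1].append(line)
    return tables

def audit(dump):
    """Return findings for the AP-router ruleset; an empty list means all checks pass."""
    tables = parse_save(dump)
    policies, rules = tables.get("filter", ({}, []))
    nat_rules = tables.get("nat", ({}, []))[1]
    fwd = [r for r in rules if r.startswith("-A FORWARD ")]
    inp = [r for r in rules if r.startswith("-A INPUT ")]
    accept = lambda r: r.endswith("-j ACCEPT")
    stateful = lambda r: "--state" in r or "--ctstate" in r   # -m state / -m conntrack
    findings = []
    if policies.get("FORWARD") != "DROP":
        findings.append("FORWARD policy should be DROP")
    if not any(f"-i {LAN} -o {WAN} " in r and accept(r) for r in fwd):
        findings.append(f"no FORWARD ACCEPT from {LAN} to {WAN}")
    if not any(stateful(r) and "ESTABLISHED" in r and accept(r) for r in fwd):
        findings.append("no ESTABLISHED,RELATED ACCEPT in FORWARD (return traffic blocked)")
    if any(f"-i {WAN} -o {LAN} " in r and accept(r) and not stateful(r) for r in fwd):
        findings.append(f"unconditional FORWARD ACCEPT from {WAN} to {LAN}")
    if not any(f"-o {WAN} " in r and r.endswith("-j MASQUERADE") for r in nat_rules):
        findings.append(f"no MASQUERADE on {WAN} in nat POSTROUTING")
    if policies.get("INPUT") == "DROP":   # router must still answer DHCP and DNS for clients
        for port, svc in ((67, "DHCP"), (53, "DNS")):
            if not any(f"--dport {port} " in r and accept(r) for r in inp):
                findings.append(f"INPUT policy DROP but no ACCEPT for {svc} (udp {port})")
    return findings

# Constructed dump: the first answer's ruleset as iptables-save would print it.
SAMPLE_DUMP = """*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan1 -o wlan0 -j ACCEPT
-A FORWARD -i wlan0 -o wlan1 -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
"""
```

Running audit(SAMPLE_DUMP) reports only the unconditional wlan0-to-wlan1 ACCEPT; pipe a live dump in with `iptables-save | python3 audit.py` style wrapping to check a real router.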