Skip to main content

IPTables - Forwarding Between LAN and WLAN

Add the following to /etc/udev/rules.d/10-network.rules, substitute LAN_MAC_ADDR and WLAN_MAC_ADDR with your Ethernet device and WLAN device MAC addresses for persistent network names:

SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="LAN_MAC_ADDR", NAME="ether0" 
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="WLAN_MAC_ADDR", NAME="wifi0"

Add the following to /etc/sysctl.d/30-ip_forward.conf:

net.ipv4.ip_forward=1
net.ipv4.conf.default.forwarding=1
net.ipv4.conf.all.forwarding=1
Add the following to /etc/iptables/iptables.rules:
*nat
:PREROUTING ACCEPT [783:65928]
:INPUT ACCEPT [73:9660]
:OUTPUT ACCEPT [6180:382480]
:POSTROUTING ACCEPT [18:1260]
-A POSTROUTING -o wifi0 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [176:192839]
-A INPUT -i lo -m comment --comment "Inbound from loopback (lo)" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j NFLOG --nflog-group 1
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i wifi0 -j ACCEPT
-A FORWARD -i wifi0 -o ether0 -m comment --comment "ether0 <\- wifi0" -j ACCEPT
-A FORWARD -i ether0 -o wifi0 -m comment --comment "wifi0 -> ether0" -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT