  1. #1

    Controlling traffic through 2 NICs


    Hello,

    I have Debian Linux with two wireless network interface cards. One of them is built into the computer and is currently my wlan0. The other one is a wireless interface that connects through my USB port, and let's assume it will be wlan1.

    The computer does not have a monitor, and the only time I use it is when I SSH to it through PuTTY (Windows) or JuiceSSH (Android).

    I would like to make it so that my SSH connection is always communicating on wlan0, but ALL other traffic should go through wlan1. wlan0 should only serve one purpose and that is to allow me to ssh into the computer. Any other traffic should always pass through wlan1, no exceptions. If anything even attempts going out through wlan0 (besides ssh connection) it should be blocked at the computer through some sort of iptables rule. wlan0 and wlan1 will be connecting to separate Wireless access points as well.

    Is this possible and how complicated would this be for a newbie? I'm studying for my Linux+ cert, but I honestly don't have much experience at the moment.

  2. #2
    Rubberman (Linux Guru)
    This is where you need to know how to use the route command. Time to do some studying. It isn't hard, but it isn't simple. Read the man pages, and do some research on the Debian web site.
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!

  3. #3
    I found out how to do it, but it is a bit buggy. So far I'm only passing ports 80 and 53 through the second interface.

    #!/bin/bash

    #################################################################################
    # Set the default policy for the chains in the filter table to drop all packets #
    #################################################################################

    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

    ##############################################################################################
    # Append rules to the output and input chains to allow all traffic on the loopback interface #
    ##############################################################################################

    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    ################################################################################################
    # Append rules to the output and input chains to allow SSH traffic on the wlan0 interface only #
    ################################################################################################

    iptables -A INPUT -p tcp -i wlan0 --dport 43871 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp -o wlan0 --sport 43871 -m state --state ESTABLISHED -j ACCEPT

    ###################################################################
    # Create a new routing table entry for the second wireless device #
    ###################################################################

    echo 1 WEP >> /etc/iproute2/rt_tables

    #################################################################################################
    # Insert a default route to the access point associated with wlan1 into the newly created table #
    #################################################################################################

    ip route add default via 192.168.1.1 dev wlan1 table WEP
    ip route add 192.168.1.0/24 dev wlan1 table WEP
    ip route add 192.168.1.0/24 dev wlan1 src 192.168.1.122

    ####################################################################################
    # Create a rule that directs all packets marked with 1 to go through the WEP table #
    ####################################################################################

    ip rule add fwmark 0x1 table WEP

    ####################################################################################################
    # Append rules to the output chain of the mangle table to mark all packets for the specified ports #
    ####################################################################################################

    iptables -A OUTPUT -t mangle -o wlan0 -p tcp --dport 80 -j MARK --set-mark 1
    iptables -A OUTPUT -t mangle -o wlan0 -p udp --dport 53 -j MARK --set-mark 1

    ########################################################################################################################################
    # Append rule to the postrouting chain of the nat table to re-direct all traffic intended for the specified port onto the IP specified #
    ########################################################################################################################################

    iptables -A POSTROUTING -t nat -o wlan1 -p udp --dport 53 -j SNAT --to-source 192.168.1.122
    iptables -A POSTROUTING -t nat -o wlan1 -p tcp --dport 80 -j SNAT --to-source 192.168.1.122

    ################################################################################
    # Append rules to the output and input chains to allow certain traffic through #
    ################################################################################

    iptables -A OUTPUT -o wlan1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i wlan1 -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -o wlan1 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i wlan1 -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

    ###############################################
    # Set rp_filter to 2 for all ethernet devices #
    ###############################################
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 2 > "$f"; done
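    A host-based version of what the opening post asks for (SSH on wlan0 only, every other connection the host opens leaves on wlan1), as an added example that is not the script posted above. It uses source-based policy routing instead of fwmarks, so no mangle or nat rules are needed. The wlan0 address 10.0.0.5, gateway 10.0.0.1, SSH port 22 and table id 100 are assumptions; the wlan1 address and gateway are the ones used in this thread.

```shell
#!/bin/sh
# Added example (not the thread's script): keep SSH on wlan0, route every
# other connection the host opens out wlan1. Addresses, gateways, port and
# table id below are assumptions; wlan1's values are the ones from the thread.
SSH_IF=wlan0;  SSH_ADDR=10.0.0.5;      SSH_GW=10.0.0.1;      SSH_PORT=22
NET_IF=wlan1;  NET_ADDR=192.168.1.122; NET_GW=192.168.1.1
SSH_TABLE=100   # private routing table used only for replies leaving wlan0

run() {   # DRY_RUN=1 prints each command instead of executing it
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

setup_routing() {
    # Main table: default route via wlan1, so every locally generated
    # connection leaves on wlan1 unless a policy rule says otherwise.
    run ip route replace default via "$NET_GW" dev "$NET_IF" src "$NET_ADDR"
    # Source-based policy routing: packets sent *from* wlan0's address (the
    # SSH replies) consult the private table, whose default goes via wlan0's
    # own gateway, so replies leave on the interface the request arrived on.
    run ip route replace default via "$SSH_GW" dev "$SSH_IF" table "$SSH_TABLE"
    run ip rule del from "$SSH_ADDR" lookup "$SSH_TABLE" 2>/dev/null  # idempotent re-run
    run ip rule add from "$SSH_ADDR" lookup "$SSH_TABLE" priority 100
}

setup_firewall() {
    run iptables -F
    run iptables -P INPUT DROP; run iptables -P OUTPUT DROP; run iptables -P FORWARD DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT
    # Packets belonging to already-accepted connections; conntrack tracks which.
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The only NEW connection wlan0 may ever carry: inbound SSH.
    run iptables -A INPUT -i "$SSH_IF" -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    # A NEW connection this host opens is allowed only if routing put it on wlan1.
    run iptables -A OUTPUT -o "$NET_IF" -m conntrack --ctstate NEW -j ACCEPT
    # Anything else trying to leave on wlan0 hits the DROP policy; log it first
    # so an attempt shows up in syslog instead of failing silently.
    run iptables -A OUTPUT -o "$SSH_IF" -m limit --limit 5/min -j LOG --log-prefix "wlan0-leak: "
}

case "${1:-}" in
    apply)   setup_routing; setup_firewall ;;
    preview) DRY_RUN=1; setup_routing; setup_firewall ;;
esac
```

    Run `sh split.sh preview` to print the commands and `sh split.sh apply` (as root) to install them; the `-o wlan1` match only works because the main table's default route now points at wlan1, which is what the iptables `-o` check consults. If wlan0 gets its address by DHCP, the client may re-add a default route on wlan0 at lease renewal, so either re-run the script afterwards or configure that client not to install a gateway.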

  5. #4
    Rubberman (Linux Guru)
    It seems you are making progress though. Keep at it. In no time, you will become a routing expert! "Give a person a fish, and they will eat for a day. Teach them to fish, and they will never go hungry!".

  6. #5
    iptables -A OUTPUT -o wlan1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i wlan1 -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -o wlan1 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i wlan1 -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT


    Those 4 lines break everything unless I remove the "-i" and "-o" options and specify no interfaces. I'm not sure why, though.

  7. #6
    Lazydog (Linux Guru)
    I am going to assume your network layout is as follows:

    [HOME Network] <--> {wlan0}[Debian]{wlan1} <--> [Internet]

    That being the case I see issues with your setup as follows:
    Code:
    iptables -A OUTPUT -t mangle -o wlan0 -p tcp --dport 80 -j MARK --set-mark 1
    iptables -A OUTPUT -t mangle -o wlan0 -p udp --dport 53 -j MARK --set-mark 1
    You should mark these as they are coming into the machine:
    Code:
    iptables -A INPUT -t mangle -i wlan0 -p tcp --dport 80 -j MARK --set-mark 1
    iptables -A INPUT -t mangle -i wlan0 -p tcp --dport 53 -j MARK --set-mark 1
    iptables -A INPUT -t mangle -i wlan0 -p udp --dport 53 -j MARK --set-mark 1
    DNS uses both TCP and UDP.

    Firewall rules:
    Code:
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i wlan0 -p tcp --dport 80 -m state --state NEW -j ACCEPT
    iptables -A INPUT -i wlan0 -p tcp --dport 53 -m state --state NEW -j ACCEPT
    iptables -A INPUT -i wlan0 -p udp --dport 53 -m state --state NEW -j ACCEPT
    iptables -A OUTPUT -o wlan1 -p tcp --dport 80 -m state --state NEW -j ACCEPT
    iptables -A OUTPUT -o wlan1 -p tcp --dport 53 -m state --state NEW -j ACCEPT
    iptables -A OUTPUT -o wlan1 -p udp --dport 53 -m state --state NEW -j ACCEPT
    You need to follow the logical flow of traffic. --dport 80 will only be for traffic that is going from your home network to the internet. Return traffic will have --sport 80; that is why the ESTABLISHED,RELATED rule is used, and it will ensure return traffic is allowed back.

    Regards
    Robert

    Linux
    The adventure of a life time.

