I've enabled NAT as described in the wiki and configured iptables and it works. I enabled it on my wired interface to share the Internet connection from my wireless interface with my Raspberry Pi.
However, sometimes I use the wired interface to connect to the network in our dorm. If I leave NAT enabled, can anyone in my dorm now connect through my wired interface? I could see that happening if they specifically used my IP address as a route, but I hope that even then that would not be possible? We're having trouble with a "rogue router" as they call it, and I hope I'm not causing the problem.
To check for that I have run iptraf, and I don't see any connections that shouldn't be there (but I do see a lot of UDP packets from other people in my dorm - that shouldn't be a problem though, should it? I mean, I'm not catching those packets or doing any unruly sniffing, right? Just trying to rule out my PC is causing any trouble..)
These are my iptables rules.
-P INPUT DROP -P FORWARD ACCEPT -P OUTPUT ACCEPT -N TCP -N UDP -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -m conntrack --ctstate INVALID -j DROP -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT -A INPUT -p udp -m conntrack --ctstate NEW -j UDP -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable -A INPUT -p tcp -j REJECT --reject-with tcp-reset -A INPUT -j REJECT --reject-with icmp-proto-unreachable -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i enp3s0 -o wlp2s0 -j ACCEPT
Last edited by krork (2016-01-25 07:10:10)
Use "iptables-save" to list all of your firewall rules in full and in order. Conspicuously missing from the rules you listed are the NAT rules, and without these it is hard to say. However, your FORWARD chain ACCEPT's all packets, so your machine will allow any packets to be routed between the interfaces. This should be fixed, but nobody should use this route as long as you do not advertise it with a DHCP server, which you should not be running when connected to the dorm network anyway.
Ah, of course. Thanks. This is the missing part:
# Generated by iptables-save v1.4.21 on Sat Jan 23 20:59:23 2016 *nat :PREROUTING ACCEPT [79913102:5662487103] :INPUT ACCEPT [2:168] :OUTPUT ACCEPT [6892:584630] :POSTROUTING ACCEPT [6990:588550] -A POSTROUTING -o wlp2s0 -j MASQUERADE COMMIT # Completed on Sat Jan 23 20:59:23 2016
I don't run a dhcp server, that would be madness, I guess. I saved the rules for when I will need them and deleted the FORWARD Chains. Thanks for that!
It's not the original question, but could running iptraf-ng be considered sniffing / be frowned upon by the admin? I do see lots of UDP packets, but I think those are just the DNS requests by the other students on the network. And they should reach their destination, even though I'm reading them, right?
I can't say whether or not sniffing packets would be frowned upon on your specific network. Normally it is ok, as anything sensitive should not be sent in the clear on a public network.
As to interfering with the normal operation of the network, sniffing should definately not cause a problem; it's just listening to whatever comes down the wire.