On Wed, Oct 25, 2023 at 07:33:52PM +0700, Max Nikulin wrote:
> On 25/10/2023 18:24, Martin wrote:
> > On Wed, Oct 25, 2023 at 03:17:09PM +0700, Max Nikulin wrote:
> > > 
> > > So packet forwarding should be enabled on the computer.
> 
> sysctl net.ipv4.ip_forward
> 
> almost certainly enabled since you have the docker0 network interface

You are right, it is enabled:

$ sudo sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

> I hope, you have a DNS server running on this machine
> 
>     host debian.org 192.168.231.3

I did not have dig installed but host worked; alas, it showed me that I do
not have a DNS server installed. So I installed the dnsmasq package and
wonders happened (without me editing any config files, just installing
dnsmasq): on my mobile phone, when I connected to the 192.168.31.1 address
(the default router address when I look from the phone), it now showed a
green line from the router to the internet.

But unfortunately the phone does not connect to the internet yet. I guess I
will need to issue some 'sudo route' command to add a path from my router to
the outside world (actually I have no idea if this is the problem).

> Check that you do not have blocking rules in firewall

I do not use a firewall anymore, since I stopped using the wired home phone
(dialup modem) to connect to the internet with the ppp protocol. Since I am
now connected to the internet via my weak antenna, which is connected to
router(A) and then to the internet, I know that the distant router(A) is
protected enough (after all, it uses only a local address that I can see,
192.168.0.1).

> and that masquerading
> is enabled for your downstream link enp3s0
> 
>     nft list ruleset
> 
> should have something like
> 
> table ip sharedconnection {
>   chain postrouting {
>     type nat hook postrouting priority srcnat; policy accept;
>     ip saddr 192.168.231.3/24 ip daddr != 192.168.231.3/24 masquerade
>   }
> }

I did not add any masquerading rules myself, and the output of the command
'nft list ruleset' is shown below. It does not have anything like what you
showed in the section 'table ip sharedconnection'. I remember using the
iptables command to set up a firewall and masquerading on my computer while
I was using the dialup modem internet connection. I do not set up or use any
iptables rules manually anymore.

So this is probably what I need to figure out: how to use masquerading and
other firewall rules to enable my new router to connect to the outside
internet. (I must admit that I forgot what rules I should use to enable
this setup, so I need your help.)

Here is the output of the 'nft list ruleset', 'iptables -S' and 'iptables -L'
commands (I am not sure they provide different info, but here they are):

Thanks a lot
Martin


$ sudo nft list ruleset
# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat {
        chain DOCKER {
                iifname "docker0" counter packets 0 bytes 0 return
                iifname "br-7bfdce95ff27" counter packets 0 bytes 0 return
        }

        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
                oifname "wlxe8de27a5ab1c" ip saddr 10.1.1.0/24 counter packets 192 bytes 11818 masquerade
                oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
                oifname != "br-7bfdce95ff27" ip saddr 172.18.0.0/16 counter packets 0 bytes 0 masquerade
        }

        chain PREROUTING {
                type nat hook prerouting priority dstnat; policy accept;
                fib daddr type local counter packets 7727 bytes 479748 jump DOCKER
        }

        chain OUTPUT {
                type nat hook output priority dstnat; policy accept;
                ip daddr != 127.0.0.0/8 fib daddr type local counter packets 3 bytes 196 jump DOCKER
        }
}
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
        chain DOCKER {
        }

        chain DOCKER-ISOLATION-STAGE-1 {
                iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
                iifname "br-7bfdce95ff27" oifname != "br-7bfdce95ff27" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
                counter packets 27 bytes 1780 return
        }

        chain DOCKER-ISOLATION-STAGE-2 {
                oifname "docker0" counter packets 0 bytes 0 drop
                oifname "br-7bfdce95ff27" counter packets 0 bytes 0 drop
                counter packets 0 bytes 0 return
        }

        chain FORWARD {
                type filter hook forward priority filter; policy drop;
                counter packets 57740 bytes 51358193 accept
                counter packets 25 bytes 1644 jump DOCKER-USER
                counter packets 25 bytes 1644 jump DOCKER-ISOLATION-STAGE-1
                oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
                oifname "docker0" counter packets 0 bytes 0 jump DOCKER
                iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
                iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
                oifname "br-7bfdce95ff27" ct state related,established counter packets 0 bytes 0 accept
                oifname "br-7bfdce95ff27" counter packets 0 bytes 0 jump DOCKER
                iifname "br-7bfdce95ff27" oifname != "br-7bfdce95ff27" counter packets 0 bytes 0 accept
                iifname "br-7bfdce95ff27" oifname "br-7bfdce95ff27" counter packets 0 bytes 0 accept
        }

        chain DOCKER-USER {
                counter packets 25 bytes 1644 return
        }
}

$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -m comment --comment simple_rt -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-7bfdce95ff27 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-7bfdce95ff27 -j DOCKER
-A FORWARD -i br-7bfdce95ff27 ! -o br-7bfdce95ff27 -j ACCEPT
-A FORWARD -i br-7bfdce95ff27 -o br-7bfdce95ff27 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-7bfdce95ff27 ! -o br-7bfdce95ff27 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-7bfdce95ff27 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* simple_rt */
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (2 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
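An added example, not from this thread or either poster: a POSIX sh script that checks a saved 'nft list ruleset' dump for a masquerade rule covering the downstream subnet and, if there is none, prints the commands that would create a separate 'sharedconnection' table in the layout Max suggested, restricted to one upstream interface. The sample ruleset is constructed from the POSTROUTING chain Martin posted; the downstream subnet 192.168.31.0/24 (inferred from the router address the phone shows) and the upstream interface name passed at the end are assumptions, not values confirmed by the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Checks an nft ruleset dump for a
# masquerade rule covering a downstream subnet and prints the commands for a
# separate nat table when it is missing. Subnet and interface names used in
# the usage call at the bottom are assumptions.

# Constructed sample: the POSTROUTING chain from Martin's 'nft list ruleset'.
SAMPLE_RULESET='table ip nat {
        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
                oifname "wlxe8de27a5ab1c" ip saddr 10.1.1.0/24 counter packets 192 bytes 11818 masquerade
                oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
        }
}'

# has_masquerade_for RULESET SUBNET
# Succeeds (0) if some line masquerades traffic whose source is SUBNET.
has_masquerade_for() {
    printf '%s\n' "$1" | grep -q "ip saddr $2 .*masquerade"
}

# nft_masquerade_cmds UPSTREAM_IF SUBNET
# Prints the three nft commands for a table of our own. A separate table
# leaves the iptables-nft managed "ip nat" table (which Docker owns and nft
# warns not to touch) alone, and the oifname match keeps NAT scoped to the
# one link that actually leads to the internet.
nft_masquerade_cmds() {
    upstream=$1
    subnet=$2
    printf '%s\n' "nft add table ip sharedconnection"
    printf '%s\n' "nft add chain ip sharedconnection postrouting '{ type nat hook postrouting priority srcnat; policy accept; }'"
    printf '%s\n' "nft add rule ip sharedconnection postrouting oifname \"$upstream\" ip saddr $subnet masquerade"
}

# check_and_suggest RULESET UPSTREAM_IF SUBNET
# Returns 0 when SUBNET is already masqueraded; otherwise prints the
# commands to add and returns 1 so it can drive a script or a test.
check_and_suggest() {
    if has_masquerade_for "$1" "$3"; then
        echo "masquerade already present for $3"
        return 0
    fi
    echo "no masquerade rule for $3; commands that would add one (review before running as root):"
    nft_masquerade_cmds "$2" "$3"
    return 1
}

# Usage on the live machine would be:
#   check_and_suggest "$(sudo nft list ruleset)" wlxe8de27a5ab1c 192.168.31.0/24
# Here the constructed sample stands in for the live dump.
check_and_suggest "$SAMPLE_RULESET" wlxe8de27a5ab1c 192.168.31.0/24 || true
```

Two things worth keeping in mind with the ruleset above: the 'simple_rt' rule at the top of FORWARD accepts every forwarded packet on any interface pair, so forwarding itself is not the blocker, and masquerading is the only piece missing for the new subnet; and because the existing rules masquerade 10.1.1.0/24 only when leaving via the wireless adapter, the new rule should be written the same way rather than for all destinations, so that traffic between the LAN segments is not rewritten.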
