On Wed, Oct 25, 2023 at 07:33:52PM +0700, Max Nikulin wrote:
> On 25/10/2023 18:24, Martin wrote:
> > On Wed, Oct 25, 2023 at 03:17:09PM +0700, Max Nikulin wrote:
> > >
> > > So packet forwarding should be enabled on the computer.
> >
> > sysctl net.ipv4.ip_forward
> >
> > almost certainly enabled since you have the docker0 network interface
You are right, it is enabled:

$ sudo sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

> I hope, you have a DNS server running on this machine
>
> host debian.org 192.168.231.3

I did not have dig installed but host worked, alas it showed me that I do not have a DNS server installed. So I installed the dnsmasq package and wonders happened (without me editing any config files - just installing dnsmasq) - on my mobile phone when I connected to the 192.168.31.1 address (default router address when I look from the phone) it now showed a green line from router to internet. But unfortunately the phone does not connect to the internet yet. I guess I will need to issue some 'sudo route' command to add a path from my router to the outside world (actually I have no idea if this is the problem).

> Check that you do not have blocking rules in firewall

I do not use a firewall anymore, since I stopped using the wired home phone (dialup modem) to connect to the internet with the ppp protocol. Since I am now connected to the internet via my weak antenna which is connected to router(A) and then to the internet, I know that the distant router(A) is protected enough (after all it uses only a local address that I can see, 192.168.0.1).

> and that masquerading
> is enabled for your downstream link enp3s0
>
> nft list ruleset
>
> should have something like
>
> table ip sharedconnection {
>   chain postrouting {
>     type nat hook postrouting priority srcnat; policy accept;
>     ip saddr 192.168.231.3/24 ip daddr != 192.168.231.3/24 masquerade
>   }
> }

I did not add any masquerading rules by myself and the output of the command 'nft list ruleset' is shown below. It does not have anything like what you showed in the section 'table ip sharedconnection'. I remember using the iptables command to make a firewall and masquerading on my computer while I was using the dialup modem internet connection. I do not set up or use any iptables rules manually anymore.

So this is probably what I need to figure out: how to use masquerading and other firewall rules to enable my new router to connect to the outside internet. (I must admit that I forgot what rules I should use to enable this setup - so I need your help)

Here is the output of the 'nft list ruleset', 'iptables -S' and 'iptables -L' commands: (I am not sure they provide different info, but here they are)

Thanks a lot
Martin

$ sudo nft list ruleset
# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat {
	chain DOCKER {
		iifname "docker0" counter packets 0 bytes 0 return
		iifname "br-7bfdce95ff27" counter packets 0 bytes 0 return
	}

	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "wlxe8de27a5ab1c" ip saddr 10.1.1.0/24 counter packets 192 bytes 11818 masquerade
		oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
		oifname != "br-7bfdce95ff27" ip saddr 172.18.0.0/16 counter packets 0 bytes 0 masquerade
	}

	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		fib daddr type local counter packets 7727 bytes 479748 jump DOCKER
	}

	chain OUTPUT {
		type nat hook output priority dstnat; policy accept;
		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 3 bytes 196 jump DOCKER
	}
}
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
	chain DOCKER {
	}

	chain DOCKER-ISOLATION-STAGE-1 {
		iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
		iifname "br-7bfdce95ff27" oifname != "br-7bfdce95ff27" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
		counter packets 27 bytes 1780 return
	}

	chain DOCKER-ISOLATION-STAGE-2 {
		oifname "docker0" counter packets 0 bytes 0 drop
		oifname "br-7bfdce95ff27" counter packets 0 bytes 0 drop
		counter packets 0 bytes 0 return
	}

	chain FORWARD {
		type filter hook forward priority filter; policy drop;
		counter packets 57740 bytes 51358193 accept
		counter packets 25 bytes 1644 jump DOCKER-USER
		counter packets 25 bytes 1644 jump DOCKER-ISOLATION-STAGE-1
		oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
		oifname "docker0" counter packets 0 bytes 0 jump DOCKER
		iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
		iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
		oifname "br-7bfdce95ff27" ct state related,established counter packets 0 bytes 0 accept
		oifname "br-7bfdce95ff27" counter packets 0 bytes 0 jump DOCKER
		iifname "br-7bfdce95ff27" oifname != "br-7bfdce95ff27" counter packets 0 bytes 0 accept
		iifname "br-7bfdce95ff27" oifname "br-7bfdce95ff27" counter packets 0 bytes 0 accept
	}

	chain DOCKER-USER {
		counter packets 25 bytes 1644 return
	}
}

$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -m comment --comment simple_rt -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-7bfdce95ff27 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-7bfdce95ff27 -j DOCKER
-A FORWARD -i br-7bfdce95ff27 ! -o br-7bfdce95ff27 -j ACCEPT
-A FORWARD -i br-7bfdce95ff27 -o br-7bfdce95ff27 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-7bfdce95ff27 ! -o br-7bfdce95ff27 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-7bfdce95ff27 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* simple_rt */
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (2 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
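The two prerequisites discussed in this thread (net.ipv4.ip_forward set to 1, and a postrouting masquerade rule whose source is the downstream subnet) can be checked mechanically from the same command outputs. The script below is an added example, not code from anyone in the thread; its sample inputs are constructed from the POSTROUTING chain and sysctl line quoted above, and the function names are mine. Run against that ruleset it reports that 10.1.1.0/24 is masqueraded but the 192.168.231.3/24 subnet from Max's example (which nft prints as 192.168.231.0/24) is not, which is exactly the gap in the posted output; the FORWARD chain is not checked because its first rule (simple_rt) already accepts everything.

```shell
#!/bin/sh
# Added check script: is this Linux host ready to NAT a downstream subnet?
# Inputs are the text of `sysctl net.ipv4.ip_forward` and `nft list ruleset`.
# Sample inputs are constructed from the output quoted in the thread so the
# script runs offline; replace them with live output for a real check.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1'
SAMPLE_RULESET='table ip nat {
	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "wlxe8de27a5ab1c" ip saddr 10.1.1.0/24 counter packets 192 bytes 11818 masquerade
		oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
	}
}'

# forwarding_enabled "<sysctl output line>": succeeds only when the value is exactly 1.
forwarding_enabled() {
	printf '%s\n' "$1" | grep -Eq '^net\.ipv4\.ip_forward *= *1$'
}

# masquerade_for_subnet "<nft list ruleset output>" "<cidr>": succeeds when a chain
# hooked at postrouting contains a masquerade rule whose "ip saddr" equals <cidr>.
masquerade_for_subnet() {
	printf '%s\n' "$1" | awk -v cidr="$2" '
		/hook postrouting/ { inpost = 1 }        # entered a postrouting chain body
		inpost && /^[ \t]*}/ { inpost = 0 }      # its closing brace ends the body
		inpost && /masquerade/ {
			for (i = 1; i < NF; i++)
				if ($i == "saddr" && $(i + 1) == cidr) found = 1
		}
		END { if (found) exit 0; exit 1 }'
}

# router_check "<ruleset>" "<sysctl line>" "<downstream cidr>": prints the first
# missing prerequisite, or "ok"; returns 1, 2 or 0 accordingly.
router_check() {
	forwarding_enabled "$2" || { echo "net.ipv4.ip_forward is not 1"; return 1; }
	masquerade_for_subnet "$1" "$3" || { echo "no masquerade rule for $3"; return 2; }
	echo "ok"
}

# Live use: router_check "$(nft list ruleset)" "$(sysctl net.ipv4.ip_forward)" 192.168.231.0/24
router_check "$SAMPLE_RULESET" "$SAMPLE_SYSCTL" 10.1.1.0/24 || :
router_check "$SAMPLE_RULESET" "$SAMPLE_SYSCTL" 192.168.231.0/24 || :
```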