Raspberry Pi Asked by Elior on October 11, 2020
I am really confused about how to redirect.
I have 2 WLANs, one used to connect to the router (wlan0) and one that I use as an AP (wlan1).
My aim is to redirect traffic from one client connected to the AP that is connecting to a remote mqtt server to my local mqtt server.
I have tried these rules:
sudo iptables -t nat -A PREROUTING -p tcp -d 192.168.4.7 --dport 49154 -j DNAT --to 192.168.0.10:8883
sudo iptables -A FORWARD -p tcp -d 192.168.4.7 --dport 49154 -j ACCEPT
but it doesn't work. What am I doing wrong?
More information about my setup:
wlan0 – connected to the internet,
wlan1 – used as an AP,
client – connected to wlan1 => internet => mqtt server (IBMcloud)
My goal is to redirect the traffic from the cloud to my local mqtt server (192.168.0.10:8883).
pi@raspberrypi:~ $ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
link/ether dc:a6:32:29:ba:5f brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether dc:a6:32:29:ba:60 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.10/24 brd 192.168.0.255 scope global dynamic noprefixroute wlan0
valid_lft 3019sec preferred_lft 2569sec
inet6 fe80::f656:1efc:bea8:463a/64 scope link
valid_lft forever preferred_lft forever
4: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0f:11:76:07:b5 brd ff:ff:ff:ff:ff:ff
inet 192.168.4.1/24 brd 192.168.4.255 scope global noprefixroute wlan1
valid_lft forever preferred_lft forever
inet6 fe80::bfbd:af2d:73eb:931a/64 scope link
valid_lft forever preferred_lft forever
pi@raspberrypi:~ $ ip route
default via 192.168.0.1 dev wlan0 proto dhcp src 192.168.0.10 metric 303
192.168.0.0/24 dev wlan0 proto dhcp scope link src 192.168.0.10 metric 303
192.168.4.0/24 dev wlan1 proto dhcp scope link src 192.168.4.1 metric 304
pi@raspberrypi:~ $ sudo iptables --list --verbose
Chain INPUT (policy ACCEPT 1470K packets, 291M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 1482K packets, 1051M bytes)
pkts bytes target prot opt in out source destination
1606 101K ACCEPT tcp -- any any anywhere MAS8710BNC353.wlan state NEW,ESTABLISHED
Chain OUTPUT (policy ACCEPT 177K packets, 116M bytes)
pkts bytes target prot opt in out source destination
pi@raspberrypi:~ $ sudo iptables --table nat --list --verbose
Chain PREROUTING (policy ACCEPT 30024 packets, 2951K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 23499 packets, 2242K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 2323 packets, 174K bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- any eth0 anywhere anywhere
13213 1270K MASQUERADE all -- any wlan0 anywhere anywhere
0 0 MASQUERADE all -- any wlan0 anywhere anywhere
0 0 tcp -- any wlan1 MAS8710BNC353.wlan 192.168.0.10 tcp spts:0:60000 dpt:8883
Chain OUTPUT (policy ACCEPT 9466 packets, 760K bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- any any anywhere anywhere tcp dpt:8883 to:192.168.0.10:1883
You only need one iptables rule. To have a clean starting point please completely flush your iptables with:
rpi ~$ sudo -Es
rpi ~# iptables --policy INPUT ACCEPT
rpi ~# iptables --policy FORWARD ACCEPT
rpi ~# iptables --policy OUTPUT ACCEPT
rpi ~# iptables --table nat --flush
rpi ~# iptables --table mangle --flush
rpi ~# iptables --table raw --flush
rpi ~# iptables --flush
rpi ~# iptables --delete-chain
rpi ~# exit
rpi ~$
Then we need the port where the remote mqtt server (IBMcloud) is listening. I can't find it in your question. For this example I will use the port 12345. This is the destination port that any client, connected to access point, will use to connect to the mqtt server. Now use this rule:
rpi ~$ sudo iptables -t nat -A PREROUTING -p tcp --dport 12345 -j DNAT --to-destination 192.168.0.10:8883
This should work if your local mqtt server is also running on the RasPi. If it is running on another local server then masquerading should be needed (but I haven't tested it):
rpi ~$ sudo iptables -t nat -A POSTROUTING -j MASQUERADE
We have a Destination Network Address Translation (DNAT). That means only the destination IP address of the IP packet is changed. So your local mqtt server sees inbound IP packets coming from 192.168.4.7 to 192.168.0.10:8883, so it will respond to 192.168.4.7. This is not a problem on a local network, in particular if the mqtt server is running on the RasPi, which is also the router and knows where to send the responses. I have tested it with ssh (I don't have a mqtt server) and haven't needed a POSTROUTING rule.
Answered by Ingo on October 11, 2020
The FORWARD rule is passing packets to the destination, but the packets returning to the source are probably dropped. You should post the complete listing of the rules to allow a more precise answer.
So the rule:
sudo iptables -A FORWARD -p tcp -d 192.168.4.7 --dport 49154 -j ACCEPT
should have this as well:
-m state --state NEW,ESTABLISHED
So the complete rule is:
sudo iptables -A FORWARD -p tcp -d 192.168.4.7 --dport 49154 -m state --state NEW,ESTABLISHED -j ACCEPT
Answered by Mats Karlsson on October 11, 2020
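As an added example that is not part of either answer, the script below combines Ingo's PREROUTING DNAT rule with the connection-state match from Mats Karlsson's answer, but narrows the redirect to the AP interface and the one client so it cannot also rewrite traffic arriving on wlan0, and adds a counter check for the DNAT rule. It assumes the AP interface wlan1, the client 192.168.4.7, the placeholder cloud port 12345 from Ingo's answer and the local broker 192.168.0.10:8883; the -i/-s restrictions and the counter check are additions, not something the answers show.

```shell
#!/bin/sh
# Added example: assemble the MQTT redirect as a reviewable list of commands.
# Assumed values (constructed for this example, override via environment):
AP_IF="${AP_IF:-wlan1}"                      # interface hostapd serves
CLIENT="${CLIENT:-192.168.4.7}"              # the one AP client to redirect
REMOTE_PORT="${REMOTE_PORT:-12345}"          # placeholder cloud broker port
LOCAL_BROKER="${LOCAL_BROKER:-192.168.0.10:8883}"

# Print the commands needed for the redirect. Matching -i "$AP_IF" and
# -s "$CLIENT" keeps the DNAT from touching packets that enter on wlan0
# from the home LAN; the conntrack rules let replies back through FORWARD
# when the local broker is a different host (if the broker is the Pi
# itself the DNATed packet goes to INPUT and FORWARD is not involved).
build_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $AP_IF -s $CLIENT -p tcp --dport $REMOTE_PORT -j DNAT --to-destination $LOCAL_BROKER
iptables -A FORWARD -i $AP_IF -s $CLIENT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -o $AP_IF -d $CLIENT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Packet counter of the DNAT rule (-x prints exact numbers, no K/M suffix).
# A counter that stays at 0 while the client is connecting means the rule
# is not seeing the traffic: wrong port, wrong interface, or rule order.
dnat_hits() {
    iptables -t nat -L PREROUTING -v -n -x \
        | awk -v p="dpt:$REMOTE_PORT" '$3 == "DNAT" && $0 ~ p { print $1; exit }'
}

if [ "${1:-}" = "apply" ]; then
    build_rules | sh -e               # needs root
    echo "DNAT rule has matched ${dnat:-$(dnat_hits)} packets so far"
else
    build_rules                       # dry run: just show what would be applied
fi
```

Run it with no argument to review the rules, and with `apply` as root to install them and print the counter.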