Weird entries in iptables and S-NAT not working

Hi there!

I am new to the ipfire community, have set up a miniPC with 4 interfaces (2 PCI Ethernet NICs and 2 USB NIC Adapters) and have started to play around with the thing.
Now for starters I do not want to do anything with green or orange interfaces other than allow my laptop on green to connect to the firewall by ssh and webGUI.
My first goal is to allow devices connected to my wifi access point to use the Internet. However, when I configured things like I thought they should work, nothing did.
When troubleshooting I found out that there were two weird entries in the iptables that did not make sense to me at all, one in the INPUT chain and one in the FORWARD chain - I will show them here with a leading line so you can see where they were added:

-A INPUT -j GUIINPUT
-A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT

-A FORWARD -j IPSECFORWARD
-A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD

As far as my knowledge of iptables goes, those entries were responsible for everything coming from the blue0 interface being dropped, and I also thought those entries were not necessary, as connection tracking is done in the CONNTRACK chain already.
Well, I just went ahead and deleted the two entries from iptables, which resulted in fewer log entries but still no connectivity for my wifi devices.
I searched on and at the end of the iptables configuration found the following line:

-A NAT_SOURCE -s 10.10.10.0/24 -m policy --dir out --pol none -j SNAT --to-source 0.0.0.0

While 10.10.10.0/24 is the network I set up for my wifi, the “--to-source 0.0.0.0” baffled me, because I would have expected to see the address of the firewall's red0 interface there. Well, short story: I changed the address to the red0 one and hey, suddenly my wifi devices are on the internet.

Now of course I am curious if anyone can give me an explanation. I am willing to provide the full configuration data, of course, but am not sure if just posting several hundred lines here would be sensible.

Best regards,
Loderunner

P.S.: And I would be thankful for a hint on how I can make my changes to the iptables permanent. I did the upgrade from Core 159 to Core 160 and voila - the weird entries returned …
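A small check for the symptom described in this post, added here as an example and not taken from the post or from IPFire: it scans an iptables-save dump of the nat table for SNAT rules whose --to-source is 0.0.0.0 (a rule like that cannot masquerade anything). The dump embedded below is constructed for offline use; on a real box you would feed it `iptables-save -t nat` output instead. The function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the original post or from IPFire.
# Flags SNAT rules that map to 0.0.0.0 in an iptables-save dump.
# Live use:  iptables-save -t nat | check_snat_dump

# Constructed sample dump modelled on the rule quoted in the post.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:NAT_SOURCE - [0:0]
-A POSTROUTING -j NAT_SOURCE
-A NAT_SOURCE -s 10.10.10.0/24 -m policy --dir out --pol none -j SNAT --to-source 0.0.0.0
-A NAT_SOURCE -s 192.168.1.0/24 -m policy --dir out --pol none -j SNAT --to-source 203.0.113.7
COMMIT'

# Reads a dump from stdin and prints one line per SNAT rule:
# "<source network> <to-source address>" ("-" if a field is absent).
list_snat_rules() {
    awk '
        /-j SNAT/ {
            src = "-"; to = "-"
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "--to-source") to = $(i + 1)
            }
            print src, to
        }'
}

# Reads a dump from stdin; returns 0 if no SNAT rule maps to 0.0.0.0,
# otherwise prints the affected source networks and returns 1.
check_snat_dump() {
    bad=$(list_snat_rules | awk '$2 == "0.0.0.0" { print $1 }')
    if [ -n "$bad" ]; then
        printf 'SNAT to 0.0.0.0 for: %s\n' "$bad"
        return 1
    fi
    return 0
}

# Takes a dump as its argument and prints how many rules would be flagged.
count_bad_snat() {
    printf '%s\n' "$1" | list_snat_rules | awk '$2 == "0.0.0.0"' | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample: exits 1 and names 10.10.10.0/24.
printf '%s\n' "$SAMPLE_DUMP" | check_snat_dump
```

Running this after a Core update, or from a cron job, tells you whether the generated NAT_SOURCE rules have regressed to 0.0.0.0 again before any wifi client notices.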

Hi @loderunner

Welcome to the IPFire community.

When you were setting up the Blue interface, did you also set up the Blue Access page as per the wiki?
https://wiki.ipfire.org/configuration/firewall/accesstoblue

If you find things that don’t make sense I would recommend asking in the forum or, if the questions have a technical background, in the Development Mailing List, before considering deleting or modifying things in the iptables structural setup.

Yes, this will happen; also, for some changes, they will be replaced if you modify or save a WUI page.
I think you have asked this question in another post and it has been answered there.
https://community.ipfire.org/t/how-to-make-manual-iptables-changes-permanent/6424

Hi @bonnietwin

Thanks for the friendly welcome and your answers to my posts. I will take into account your hints and links and will try once more to gain understanding what ipfire does in regard to the Blue interface, maybe I did not grasp the concept behind this special treatment for Wifi devices. It will take some time but I will be back here with more questions if I cannot figure out things on my own.

There is no real ‘special treatment’ for blue0. It serves just as an access point, with (possible) restrictions on devices. If you want your blue0 network to work just like your green0, allow the whole blue0 net (10.10.10.0/24).

Special iptables rules (placed into firewall.local) are the responsibility of the admin (you). They cannot be checked for correctness or consistency.