Tuesday 12 May 2015

[Q] Android 5.0.1 hotspot/tether wifi with nat to openvpn tunnel topic


Hello there!
I want to set up subj, but it is not as easy as it seems.
[laptop]<->[wifi hotspot]<->[android phone]<->[iptables nat]<->[openvpn tun]<->[internet]
What I did:
1) Start openvpn vpn
2) Switch on hotspot
3) Change iptables rules as follows
default:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N bw_FORWARD
-N bw_INPUT
-N bw_OUTPUT
-N bw_costly_rmnet_usb0
-N bw_costly_shared
-N bw_happy_box
-N bw_penalty_box
-N fw_FORWARD
-N fw_INPUT
-N fw_OUTPUT
-N natctrl_FORWARD
-N natctrl_tether_counters
-N oem_fwd
-N oem_out
-A INPUT -j bw_INPUT
-A INPUT -j fw_INPUT
-A FORWARD -j oem_fwd
-A FORWARD -j fw_FORWARD
-A FORWARD -j bw_FORWARD
-A FORWARD -j natctrl_FORWARD
-A OUTPUT -o rmnet_usb2 -p udp -m udp --dport 1900 -m comment --comment "Drop SSDP on WWAN" -j DROP
-A OUTPUT -o rmnet_usb1 -p udp -m udp --dport 1900 -m comment --comment "Drop SSDP on WWAN" -j DROP
-A OUTPUT -o rmnet_usb0 -p udp -m udp --dport 1900 -m comment --comment "Drop SSDP on WWAN" -j DROP
-A OUTPUT -j oem_out
-A OUTPUT -j fw_OUTPUT
-A OUTPUT -j bw_OUTPUT
-A bw_INPUT -m quota2 ! --name globalAlert --quota 2097152
-A bw_INPUT -i rmnet_usb0 -j bw_costly_rmnet_usb0
-A bw_INPUT -m owner --socket-exists
-A bw_OUTPUT -m quota2 ! --name globalAlert --quota 2097152
-A bw_OUTPUT -o rmnet_usb0 -j bw_costly_rmnet_usb0
-A bw_OUTPUT -m owner --socket-exists
-A bw_costly_rmnet_usb0 -j bw_penalty_box
-A bw_costly_rmnet_usb0 -m quota2 ! --name rmnet_usb0 --quota 9223372036854775807 -j REJECT --reject-with icmp-port-unreachable
-A bw_costly_shared -j bw_penalty_box
-A natctrl_FORWARD -j DROP
-A natctrl_tether_counters -i wlan0 -o rmnet_usb0 -j RETURN
-A natctrl_tether_counters -i rmnet_usb0 -o wlan0 -j RETURN

What I'm trying:

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -N bw_FORWARD
iptables -N bw_INPUT
iptables -N bw_OUTPUT
iptables -N bw_costly_rmnet_usb0
iptables -N bw_costly_shared
iptables -N bw_happy_box
iptables -N bw_penalty_box
iptables -N fw_FORWARD
iptables -N fw_INPUT
iptables -N fw_OUTPUT
iptables -N natctrl_FORWARD
iptables -N natctrl_tether_counters
iptables -N oem_fwd
iptables -N oem_out
iptables -A INPUT -j bw_INPUT
iptables -A INPUT -j fw_INPUT
iptables -A FORWARD -j oem_fwd
iptables -A FORWARD -j fw_FORWARD
iptables -A FORWARD -j bw_FORWARD
iptables -A FORWARD -j natctrl_FORWARD
iptables -A OUTPUT -j oem_out
iptables -A OUTPUT -j fw_OUTPUT
iptables -A OUTPUT -j bw_OUTPUT
#iptables -A bw_FORWARD -m quota2 ! --name globalAlert --quota 2097152
#iptables -A bw_INPUT -m quota2 ! --name globalAlert --quota 2097152
iptables -A bw_INPUT -i rmnet_usb0 -j bw_costly_rmnet_usb0
iptables -A bw_INPUT -m owner --socket-exists
#iptables -A bw_OUTPUT -m quota2 ! --name globalAlert --quota 2097152
iptables -A bw_OUTPUT -o rmnet_usb0 -j bw_costly_rmnet_usb0
iptables -A bw_OUTPUT -m owner --socket-exists
iptables -A bw_costly_rmnet_usb0 -j bw_penalty_box
#iptables -A bw_costly_rmnet_usb0 -m quota2 ! --name rmnet_usb0 --quota 9223372036854775807 -j REJECT --reject-with icmp-port-unreachable
iptables -A bw_costly_shared -j bw_penalty_box
iptables -A natctrl_FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -g natctrl_tether_counters
iptables -A natctrl_FORWARD -i wlan0 -o tun0 -m state --state INVALID -j DROP
iptables -A natctrl_FORWARD -i wlan0 -o tun0 -g natctrl_tether_counters
iptables -A natctrl_FORWARD -j DROP
iptables -A natctrl_tether_counters -i wlan0 -o tun0 -j RETURN
iptables -A natctrl_tether_counters -i tun0 -o wlan0 -j RETURN


Then I tried to simplify: just flush everything and set
iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o tun0 -j MASQUERADE
with no effect, whereas
iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o rmnet_usb0 -j MASQUERADE
worked fine.
ip rule list:

-bash-4.3# iprule
0: from all lookup local
10000: from all fwmark 0xc0000 lookup 99
11000: from all iif tun0 lookup 97
12000: from all fwmark 0xc0065 lookup 243
12000: from all lookup 243
13000: from all fwmark 0x10063 lookup 97
13000: from all fwmark 0x10064 lookup 240
13000: from all fwmark 0x10065 lookup 243
13000: from all fwmark 0x10065 lookup 243
14000: from all lookup 240
14000: from all lookup 97
14000: from all lookup 243
15000: from all lookup 99
16000: from all lookup 98
17000: from all lookup 97
18000: from all iif wlan0 lookup 240
19000: from all fwmark 0x64 lookup 240
21000: from all fwmark 0x65 lookup 240
22000: from all lookup 240
23000: from all lookup main
32000: from all unreachable

-bash-4.3# route show table local
broadcast 10.139.228.172 dev rmnet_usb0 src 10.139.228.174
local 10.139.228.174 dev rmnet_usb0 src 10.139.228.174
broadcast 10.139.228.175 dev rmnet_usb0 src 10.139.228.174
broadcast 11.0.1.8 dev tun0 src 11.0.1.10
local 11.0.1.10 dev tun0 src 11.0.1.10
broadcast 11.0.1.11 dev tun0 src 11.0.1.10
broadcast 127.0.0.0 dev lo src 127.0.0.1
local 127.0.0.0/8 dev lo src 127.0.0.1
local 127.0.0.1 dev lo src 127.0.0.1
broadcast 127.255.255.255 dev lo src 127.0.0.1
broadcast 192.168.43.0 dev wlan0 src 192.168.43.1
local 192.168.43.1 dev wlan0 src 192.168.43.1
broadcast 192.168.43.255 dev wlan0 src 192.168.43.1

-bash-4.3# ip route show table 99

-bash-4.3# ip route show table 97
192.168.43.0/24 dev wlan0

-bash-4.3# ip route show table 243

-bash-4.3# ip route show table 240

-bash-4.3# ip route show table 98

-bash-4.3# ip route show table main
10.139.228.172/30 dev rmnet_usb0 src 10.139.228.174
11.0.1.8/30 dev tun0 src 11.0.1.10
94.25.128.74 via 10.139.228.173 dev rmnet_usb0 src 10.139.228.174
94.25.213.74 via 10.139.228.173 dev rmnet_usb0 src 10.139.228.174
192.168.43.0/24 dev wlan0 src 192.168.43.1


ip link:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback ff:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN
link/ether ff:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff
3: rmnet_smux0: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
link/ether ff:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff
4: rmnet_smux1: <BROADCAST,MULTICAST> mtu 2000 qdisc noop state DOWN qlen 1000
link/ether ff:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff
5: sit0: <NOARP> mtu 1480 qdisc noop state DOWN
link/sit 0.0.0.0 brd 0.0.0.0
6: p2p0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
link/ether ff:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff
7: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether ff:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff
8: rmnet_usb0: <UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/[530]
9: rmnet_usb1: <> mtu 2000 qdisc noop state DOWN qlen 1000
link/[530]
10: rmnet_usb2: <> mtu 2000 qdisc noop state DOWN qlen 1000
link/[530]
14: tun0: <POINTOPOINT,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
link/[65534]
Please help :silly:
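The `ip rule` output above is the part to look at: rule 18000 `from all iif wlan0 lookup 240` is consulted for every tethered packet before rule 23000 `lookup main`, so if table 240 holds the cellular default route, the forwarded packet leaves via rmnet_usb0 and a POSTROUTING MASQUERADE rule with `-o tun0` never sees it. The Python below is an added illustration, not code from the post: it simulates the kernel's policy-routing lookup over constructed data modelled on the dumps, with assumed default routes in tables 97 and 240 (the post's dumps do not show where the phone keeps its default route); `resolve` and `masquerade_hits` are names chosen here.

```python
import ipaddress

# Constructed data modelled on the post's rule list and tables. The default routes in
# tables 97 and 240 are assumptions; the post's dumps do not show where the default lives.
IP_RULE = """\
11000: from all iif tun0 lookup 97
13000: from all fwmark 0x10063 lookup 97
18000: from all iif wlan0 lookup 240
23000: from all lookup main
32000: from all unreachable
"""
TABLES = {
    "97": "192.168.43.0/24 dev wlan0\ndefault dev tun0\n",        # assumed VPN table
    "240": "default via 10.139.228.173 dev rmnet_usb0\n",         # assumed cellular table
    "main": "11.0.1.8/30 dev tun0\n192.168.43.0/24 dev wlan0\n",
}

def parse_rule(line):
    """'18000: from all iif wlan0 lookup 240' -> (18000, 'wlan0', None, '240')."""
    prio, rest = line.split(":", 1)
    tok = rest.split()
    kv = dict(zip(tok, tok[1:]))  # keyword -> following token ("iif", "fwmark", "lookup")
    mark = int(kv["fwmark"], 16) if "fwmark" in kv else None
    return int(prio), kv.get("iif"), mark, kv.get("lookup")  # table None == unreachable

def lookup(table_text, dst):
    """Longest-prefix match in one routing table; returns the egress device or None."""
    best = None
    for line in table_text.splitlines():
        tok = line.split()
        net = ipaddress.ip_network("0.0.0.0/0" if tok[0] == "default" else tok[0])
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, tok[tok.index("dev") + 1])
    return best[1] if best else None

def resolve(iif, fwmark, dst):
    """Walk rules in priority order (kernel FIB rule lookup); first table with a route wins."""
    dst = ipaddress.ip_address(dst)
    for prio, rule_iif, rule_mark, table in sorted(map(parse_rule, IP_RULE.splitlines()), key=lambda r: r[0]):
        if (rule_iif and rule_iif != iif) or (rule_mark is not None and rule_mark != fwmark):
            continue  # rule selector does not match this packet
        if table is None:
            return prio, "unreachable", None
        dev = lookup(TABLES[table], dst)
        if dev:
            return prio, table, dev  # later rules are consulted only if this table has no route

def masquerade_hits(oif, iif="wlan0", dst="8.8.8.8"):
    """True if `-t nat -A POSTROUTING -o <oif> -j MASQUERADE` would see a tethered packet."""
    return resolve(iif, 0, dst)[2] == oif
```

With these assumed tables a packet forwarded from wlan0 is routed by rule 18000 out rmnet_usb0, while the phone's own VPN-marked sockets (fwmark 0x10063) go out tun0; on a real device, compare `ip route show table 240` and `ip route show table 97` against this model.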

xda-developers