Mastering iptables, ip (iproute2)

yingshaoxo
5 min read · May 3, 2019

Once both the hotspot and a VPN are up on your Android phone, the commands below let every device connected to the hotspot use the VPN without configuring anything on the devices themselves. They need a root shell on the phone, since iptables and ip rule/route changes are privileged.

iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t filter -A FORWARD -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE
ip rule add from 192.168.43.0/24 lookup 61
ip rule add from 192.168.42.0/24 lookup 61
ip route add default dev tun0 scope link table 61
ip route add 192.168.43.0/24 dev wlan0 scope link table 61
ip route add 192.168.42.0/24 dev wlan0 scope link table 61
ip route add broadcast 255.255.255.255 dev wlan0 scope link table 61
ip route add 172.27.232.0/24 dev tun0 table 61

Taking them one at a time:

iptables -t filter -F FORWARD
  • -t selects the table (here `filter`)
  • -F means flush: delete every rule in the chain (the chain's default policy stays as it is)

filter: the default table, used when -t is omitted. Its built-in chains are INPUT, FORWARD and OUTPUT.

Delete all rules in the `FORWARD` chain.

FORWARD: packets that this device routes from one interface to another (here from the hotspot's WLAN to the VPN). Traffic addressed to the device itself goes through INPUT instead and never touches FORWARD.

iptables -t nat -F POSTROUTING

Delete all rules in the `POSTROUTING` chain.

nat: consulted only for the first packet of a new connection; the address translation chosen there is applied to the rest of that connection by connection tracking. Its built-in chains are PREROUTING, OUTPUT and POSTROUTING.

  • PREROUTING: alter packets as they come in, before the routing decision (destination NAT)
  • OUTPUT: locally generated packets, before they are routed
  • POSTROUTING: alter packets on the way out, after routing has picked the outgoing interface (source NAT, MASQUERADE)

iptables -t filter -A FORWARD -j ACCEPT
  • -A means `append`: add the rule to the end of the selected chain (order matters; the first matching rule decides)
  • -j means `jump` to a target: what to do with a packet that matches (ACCEPT, DROP, MASQUERADE, or a user-defined chain)

Accept everything in the `FORWARD` chain, i.e. every packet the hotspot device routes between interfaces is let through. Note that with no -i/-o match this allows forwarding between any two interfaces, not only from wlan0 to tun0; a tighter rule would name both interfaces.

iptables -t nat -A POSTROUTING -j MASQUERADE

MASQUERADE: a form of source NAT. The hotspot clients have private addresses (192.168.43.x) that the VPN server would not know how to route replies to, so the phone rewrites the source address of each outgoing packet to the address of the interface it leaves on, and undoes the rewrite on the replies. Unlike plain SNAT it looks that address up at the time, which is why it suits interfaces like tun0 whose address changes with every connection. Without an -o match it masquerades on every outgoing interface, not just the VPN.

POSTROUTING: the rule is applied as packets leave, after the routing decision has picked the interface.

ip rule add from 192.168.43.0/24 lookup 61
ip rule add from 192.168.42.0/24 lookup 61

These are policy routing rules. Linux keeps several routing tables; the rules, checked in priority order, decide which table a given packet is looked up in. Two built-in rules exist by default, `from all lookup main` (priority 32766) and `from all lookup default` (32767). If the table a rule points to has no route that matches, the kernel does not give up; it continues with the next rule.

The form used here is: `ip rule add from <source network> lookup <table>`

It says that every packet whose source address is in 192.168.43.0/24 or 192.168.42.0/24 is looked up in `table 61` before the main table.

`table 61` is an ordinary routing table, just a different one from `main`; its routes decide which way those packets go. The number is only a label, and the table is empty until routes are added to it.

It is important to see that this form selects on the source network: it controls every packet sent from that network. That is exactly what is needed here, because the clients' source addresses are what sets their traffic apart from the phone's own, which keeps using the main table.

ip route add default dev tun0 scope link table 61

The `ip route add` command takes these forms (`default` is shorthand for 0.0.0.0/0, so it is never combined with a NETWORK/MASK; `table <id>` at the end puts the route in a table other than main):

ip route add {NETWORK/MASK} via {GATEWAY_IP}
ip route add {NETWORK/MASK} dev {DEVICE}
ip route add default via {GATEWAY_IP}
ip route add default dev {DEVICE}

A gateway is the next-hop router: an address on a network the device is directly attached to, which forwards traffic on to other networks.

A static route says: send packets for a certain network through this gateway (or straight out of this device).

So this line says that any lookup in `table 61` that matches no more specific route goes out of `device tun0`. tun0 is a point-to-point tunnel, so no gateway address is needed; whatever enters it is handled by the VPN server at the other end.

Note the difference from the `ip rule` line above: a route selects on the destination network. That is to say, it controls every packet sent to that network (or, for `default`, to anywhere not covered by another route).

As for `scope link`, these are the possible scopes:

Scope | Description
global | valid everywhere
link | valid only on this link (the directly attached network)
host | valid only inside this host (loopback, e.g. 127.0.0.1)

ip route add 192.168.43.0/24 dev wlan0 scope link table 61
ip route add 192.168.42.0/24 dev wlan0 scope link table 61

These say that packets for networks 192.168.43.0/24 and 192.168.42.0/24 are delivered directly out of `device wlan0`: the destinations are on the link, so no gateway is needed. They are required because the rule above sends all traffic from those networks to table 61, and that includes traffic between two hotspot clients; without these routes the table's default route would push it into tun0.

ip route add broadcast 255.255.255.255 dev wlan0 scope link table 61

The `broadcast` route type is for link-layer devices (Ethernet, Wi-Fi) that have a broadcast address: packets to 255.255.255.255 are sent out of the named device as a link-layer broadcast frame. It is here for the same reason as the two routes above. The phone's own wlan0 address lies in 192.168.43.0/24 too, so broadcasts it sends from that address (DHCP replies to new clients are the usual case) can be matched by the rule as well and would otherwise follow table 61's default route into tun0.

wlan0 is the Wi-Fi interface, and the hotspot it provides is a small local area network (LAN). Inside a LAN, frames are delivered by MAC address rather than routed, which is why these routes only name the device and no gateway.
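To see what the rules and routes above actually do to a packet, here is an added example, not part of the original post: a small POSIX shell model of the kernel's policy routing, loaded with the table 61 setup from this page. Everything about the phone's own uplink is an assumption (interface name rmnet0, address 10.20.30.40, a default route in the main table), and the link routes the kernel adds by itself are left out. It answers which interface a packet leaves on for the cases the text describes (a client packet goes out of tun0, a local broadcast stays on wlan0) and for one it does not: when tun0 goes down the kernel deletes that interface's routes, table 61 then matches nothing, and the client's packet falls through to the main table and out of the cellular uplink, bypassing the VPN.

```shell
#!/bin/sh
# Added example (not from the original post): a model of Linux policy routing
# holding the post's table 61 setup. It answers "which interface does a packet
# with this source/destination leave on?". Assumptions, not from the post:
# the cellular uplink is rmnet0 with address 10.20.30.40 and carries the main
# table's default route; the kernel's automatic link routes are omitted.

ip2int() {  # dotted quad -> 32-bit integer
  echo "$1" | { IFS=. read -r a b c d; echo $(( (a<<24) | (b<<16) | (c<<8) | d )); }
}

# in_prefix IP PREFIX: succeed if IP lies inside PREFIX ("default" is 0.0.0.0/0,
# a bare address is a /32). Variables carry a p_/l_/n_/m_ prefix because POSIX
# sh has no locals and the callers below loop over their own variables.
in_prefix() {
  p_=$2
  case $p_ in default) p_=0.0.0.0/0 ;; */*) ;; *) p_=$p_/32 ;; esac
  l_=${p_#*/}; n_=${p_%/*}
  m_=$(( 4294967295 - ((1 << (32 - l_)) - 1) ))   # netmask as an integer
  [ $(( $(ip2int "$1") & m_ )) -eq $(( $(ip2int "$n_") & m_ )) ]
}

# Routing tables, one "<prefix> <dev>" per line, and the rule list in priority
# order ("<from-prefix> <table>"). The last rule stands in for the kernel's
# built-in "32766: from all lookup main".
reset_tables() {
  TABLE_main="10.0.0.0/8 rmnet0
192.168.43.0/24 wlan0
default rmnet0"
  TABLE_61="default tun0
192.168.43.0/24 wlan0
192.168.42.0/24 wlan0
255.255.255.255/32 wlan0
172.27.232.0/24 tun0"
  RULES="192.168.43.0/24 61
192.168.42.0/24 61
0.0.0.0/0 main"
}

# lookup_table TABLE DST: longest-prefix match; prints the device or nothing.
lookup_table() {
  eval "routes_=\$TABLE_$1"
  best_len=-1; best_dev=""
  while read -r prefix dev; do
    [ -n "$prefix" ] || continue
    in_prefix "$2" "$prefix" || continue
    case $prefix in default) len=0 ;; */*) len=${prefix#*/} ;; *) len=32 ;; esac
    if [ "$len" -gt "$best_len" ]; then best_len=$len; best_dev=$dev; fi
  done <<EOF
$routes_
EOF
  printf '%s\n' "$best_dev"
}

# route_lookup SRC DST: walk the rules in order. A table with no matching
# route does not end the search; the kernel simply tries the next rule.
route_lookup() {
  while read -r from table; do
    [ -n "$from" ] || continue
    in_prefix "$1" "$from" || continue
    dev=$(lookup_table "$table" "$2")
    if [ -n "$dev" ]; then printf '%s\n' "$dev"; return 0; fi
  done <<EOF
$RULES
EOF
  echo unreachable; return 1
}

# link_down DEV: the kernel deletes every route on an interface that goes
# down, in every table; this is what happens to table 61 when the VPN drops.
link_down() {
  TABLE_61=$(printf '%s\n' "$TABLE_61" | grep -v " $1\$" || true)
  TABLE_main=$(printf '%s\n' "$TABLE_main" | grep -v " $1\$" || true)
}

reset_tables
echo "client -> internet:     $(route_lookup 192.168.43.7 8.8.8.8)"          # tun0
echo "phone  -> broadcast:    $(route_lookup 192.168.43.1 255.255.255.255)"  # wlan0
echo "phone  -> internet:     $(route_lookup 10.20.30.40 8.8.8.8)"           # rmnet0
link_down tun0
echo "client, VPN down:       $(route_lookup 192.168.43.7 8.8.8.8)"          # rmnet0, leak
reset_tables
```

The last line printed is the leak: nothing in the post's ruleset stops it, because the `ip rule` only chooses a table and the table has nothing left to say once tun0 is gone. On a real phone the equivalent check is `ip rule show` and `ip route show table 61` after the VPN has dropped.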

# It's for NAT
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t filter -A FORWARD -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE

# It's for creating `routing table 61` and setting `device tun0` as its default route (every packet sent from network 192.168.43.0 or 192.168.42.0 will be routed to device tun0)
ip rule add from 192.168.43.0/24 lookup 61
ip rule add from 192.168.42.0/24 lookup 61
ip route add default dev tun0 scope link table 61

# Add `device wlan0` to `routing table 61`, so packets for network 192.168.43.0 or 192.168.42.0 are still delivered through wlan0 instead of being pushed into tun0
ip route add 192.168.43.0/24 dev wlan0 scope link table 61
ip route add 192.168.42.0/24 dev wlan0 scope link table 61
ip route add broadcast 255.255.255.255 dev wlan0 scope link table 61
ip route add 172.27.232.0/24 dev tun0 table 61

tun0: usually the VPN interface

wlan0: usually the Wi-Fi interface

Right now, packets from networks 192.168.43.0/24 and 192.168.42.0/24 go out through tun0 (the VPN interface), while packets destined for those networks are still delivered through wlan0 (the Wi-Fi interface).

192.168.43.0/24 and 192.168.42.0/24 are the networks the Android phone hands out to devices that connect to it: on the Android versions of the time, 192.168.43.x for the Wi-Fi hotspot and 192.168.42.x for USB tethering. If your phone uses different ranges, substitute them in every command above.

ip route add 172.27.232.0/24 dev tun0 table 61

This is an ordinary static route.

It says that packets destined for `network 172.27.232.0/24` are sent out of `device tun0`.

172.27.232.0/24 is probably the VPN's internal network, which the default route of table 61 already covers. On my device it works even without this command.

So the final script could be something like this:

iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t filter -A FORWARD -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE
ip rule add from 192.168.43.0/24 lookup yingshaoxo
ip route add default dev tun0 scope link table yingshaoxo
ip route add 192.168.43.0/24 dev wlan0 scope link table yingshaoxo
ip route add broadcast 255.255.255.255 dev wlan0 scope link table yingshaoxo

Remember to replace `yingshaoxo` with a table number between 1 and 252 (0 and 253 to 255 are reserved for the built-in unspec, default, main and local tables). This version only covers the Wi-Fi hotspot network; add the 192.168.42.0/24 lines from above if USB-tethered devices should use the VPN too.

Use this to reset everything:

ip route flush table <table_id>

That empties the table, but it does not remove the `ip rule` entry that points at it, nor the iptables rules: delete the rule with `ip rule del` using the same arguments as the `add`, and flush the FORWARD and POSTROUTING chains again. Also keep in mind that if tun0 goes down, the kernel removes its routes from the table and client traffic falls through to the main table, i.e. out of the cellular uplink unencrypted, until the VPN is back.
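As an added example (not the post's own script), here is the same setup as a reusable shell script, with the interface names and table id as parameters, a dry-run mode, and a matching teardown. It tightens the original in three places a practitioner would want: FORWARD only accepts hotspot-to-VPN traffic and the replies (via the conntrack match) and drops everything else from the hotspot; MASQUERADE is limited to the VPN interface; and the table gets an `unreachable default` route with a worse metric, so that when tun0 drops and the kernel removes its routes, client traffic is rejected instead of falling through to the main table and leaving over the cellular uplink in the clear. The defaults wlan0, tun0, 61 and the two networks are the post's; that the hotspot already has IP forwarding enabled and that the kernel provides the conntrack match are my assumptions.

```shell
#!/bin/sh
# Added example, not the original post's script: the hotspot-over-VPN setup,
# parameterised and tightened, with a teardown. Defaults (wlan0, tun0, 61,
# the two networks) come from the post. Assumes IP forwarding is already on
# (the hotspot needs it anyway) and the conntrack match is available.
# Usage: sh share-vpn.sh show | up | down   (up/down need root)

LAN=${LAN:-wlan0}                                  # hotspot (LAN) interface
VPN=${VPN:-tun0}                                   # VPN tunnel interface
LAN_NETS=${LAN_NETS:-"192.168.43.0/24 192.168.42.0/24"}
TABLE=${TABLE:-61}                                 # 1..252; 253-255 are reserved

# Forwarding: only hotspot -> VPN and the replies, not "-A FORWARD -j ACCEPT".
# The final DROP means a client cannot reach the uplink directly when the
# tunnel is missing; MASQUERADE is limited to the VPN interface likewise.
nat_rules() {
  cat <<EOF
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t filter -A FORWARD -i $LAN -o $VPN -j ACCEPT
iptables -t filter -A FORWARD -i $VPN -o $LAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -i $LAN -j DROP
iptables -t nat -A POSTROUTING -o $VPN -j MASQUERADE
EOF
}

# Policy routing: client sources go to table $TABLE, whose default route is
# the tunnel. The trailing "unreachable default" has a worse metric, so it is
# only used once the tunnel's route disappears (the kernel removes routes on
# an interface that goes down); without it lookups would fall through to main
# and leave via the cellular uplink unencrypted.
policy_routes() {
  for net in $LAN_NETS; do
    echo "ip rule add from $net lookup $TABLE"
  done
  echo "ip route add default dev $VPN scope link table $TABLE"
  for net in $LAN_NETS; do
    echo "ip route add $net dev $LAN scope link table $TABLE"
  done
  echo "ip route add broadcast 255.255.255.255 dev $LAN scope link table $TABLE"
  echo "ip route add unreachable default table $TABLE metric 1000"
}

# Teardown: "ip route flush table" alone leaves the rules and iptables entries.
teardown() {
  for net in $LAN_NETS; do
    echo "ip rule del from $net lookup $TABLE"
  done
  echo "ip route flush table $TABLE"
  echo "iptables -t filter -F FORWARD"
  echo "iptables -t nat -F POSTROUTING"
}

# apply GENERATOR: echo each generated command and run it unless DRY_RUN is set.
apply() {
  "$1" | while read -r cmd; do
    echo "+ $cmd"
    [ -n "${DRY_RUN:-}" ] || $cmd
  done
}

case ${1:-show} in
  up)   apply nat_rules; apply policy_routes ;;
  down) apply teardown ;;
  show) DRY_RUN=1; apply nat_rules; apply policy_routes; apply teardown ;;
esac
```

Run `show` first and read the commands; `up` and `down` run them for real. Like the post's script, `up` flushes FORWARD and POSTROUTING, so any rules the phone's own tethering code put there go away too; `down` restores nothing beyond emptying them.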
