树莓派访问点路由不起作用

huangapple
go评论55阅读模式
英文:

Raspberry pi access-point routing not working

问题

我已经在我的树莓派4上设置了一个访问点,遵循了这个指南:https://www.raspberrypi.com/documentation/computers/configuration.html#before-you-begin

我可以连接到无线网络,ping通树莓派wlan接口上的IP地址,DNS似乎也正常工作。

但NAT/路由没有生效。我无法访问互联网或我的网络中的其他设备。

我认为这可能与Docker有关,也许搞乱了我的iptables?但我对iptables了解不多,无法解释为什么它不起作用。以下是iptables的信息:

# 由iptables-save v1.8.7生成,于2023年2月26日星期日12:27:58完成
* 过滤
: INPUT ACCEPT [36647: 6241476]
: FORWARD DROP [151: 15122]
: OUTPUT ACCEPT [34684: 33197826]
: DOCKER - [0: 0]
: DOCKER-ISOLATION-STAGE-1 - [0: 0]
: DOCKER-ISOLATION-STAGE-2 - [0: 0]
: DOCKER-USER - [0: 0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0!-o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i br-ea8912f60ffe -o br-ea8912f60ffe -j ACCEPT
-A DOCKER -d 172.17.0.2/32!-i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.17.0.3/32!-i docker0 -o docker0 -p tcp -m tcp --dport 9443 -j ACCEPT
-A DOCKER -d 172.17.0.2/32!-i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.17.0.3/32!-i docker0 -o docker0 -p tcp -m tcp --dport 9000 -j ACCEPT
-A DOCKER -d 172.17.0.4/32!-i docker0 -o docker0 -p udp -m udp --dport 10001 -j ACCEPT
-A DOCKER -d 172.17.0.3/32!-i docker0 -o docker0 -p tcp -m tcp --dport 8000 -j ACCEPT
-A DOCKER -d 172.17.0.4/32!-i docker0 -o docker0 -p tcp -m tcp --dport 8443 -j ACCEPT
-A DOCKER -d 172.17.0.4/32!-i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.17.0.4/32!-i docker0 -o docker0 -p udp -m udp --dport 3478 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0!-o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1!-s 172.80.0.0/24 -o br-ea8912f60ffe -j DROP
-A DOCKER-ISOLATION-STAGE-1!-d 172.80.0.0/24 -i br-ea8912f60ffe -j DROP
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# 在2023年2月26日星期日12:27:58完成
# 由iptables-save v1.8.7生成,于2023年2月26日星期日12:27:58完成
* 网络地址转换
: PREROUTING ACCEPT [1508: 237688]
: INPUT ACCEPT [1207: 192448]
: OUTPUT ACCEPT [15971: 766826]
: POSTROUTING ACCEPT [8642: 433956]
: DOCKER - [0: 0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT!-d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16!-o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 9443 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 9000 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 8000 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p udp -m udp --dport 10001 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 8443 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p udp -m udp --dport 

<details>
<summary>英文:</summary>

I have setup an access point on my raspberry pi 4 following this guide:
https://www.raspberrypi.com/documentation/computers/configuration.html#before-you-begin

I can connect to the wireless network, ping the ip address on the raspberry pi wlan interface, and dns seems to work fine.
[![enter image description here](https://i.stack.imgur.com/DS0y1.png)](https://i.stack.imgur.com/DS0y1.png)

[![enter image description here](https://i.stack.imgur.com/jSYBA.png)](https://i.stack.imgur.com/jSYBA.png)

But the NAT/routing is not working. I&#39;m unable to access the internet or the rest of my network.
[![enter image description here](https://i.stack.imgur.com/MC9Va.png)](https://i.stack.imgur.com/MC9Va.png)

I believe this has something to do with docker and maybe messing up my iptables? But I don&#39;t know enough about iptables to explain why it isn&#39;t working. This is a dump of the iptables.
I see the rule &quot;-A POSTROUTING -o eth0 -j MASQUERADE&quot; was added which should enable the nat routing for my access-point.

Generated by iptables-save v1.8.7 on Sun Feb 26 12:27:58 2023

*filter
:INPUT ACCEPT [36647:6241476]
:FORWARD DROP [151:15122]
:OUTPUT ACCEPT [34684:33197826]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i br-ea8912f60ffe -o br-ea8912f60ffe -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9443 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9000 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p udp -m udp --dport 10001 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8000 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8443 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p udp -m udp --dport 3478 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 ! -s 172.80.0.0/24 -o br-ea8912f60ffe -j DROP
-A DOCKER-ISOLATION-STAGE-1 ! -d 172.80.0.0/24 -i br-ea8912f60ffe -j DROP
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT

Completed on Sun Feb 26 12:27:58 2023

Generated by iptables-save v1.8.7 on Sun Feb 26 12:27:58 2023

*nat
:PREROUTING ACCEPT [1508:237688]
:INPUT ACCEPT [1207:192448]
:OUTPUT ACCEPT [15971:766826]
:POSTROUTING ACCEPT [8642:433956]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 9443 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 9000 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 8000 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p udp -m udp --dport 10001 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 8443 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p udp -m udp --dport 3478 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 9443 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 9000 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 8000 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.17.0.2:443
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 9443 -j DNAT --to-destination 172.17.0.3:9443
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 9000 -j DNAT --to-destination 172.17.0.3:9000
-A DOCKER ! -i docker0 -p udp -m udp --dport 10001 -j DNAT --to-destination 172.17.0.4:10001
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 172.17.0.3:8000
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 172.17.0.4:8443
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.4:8080
-A DOCKER ! -i docker0 -p udp -m udp --dport 3478 -j DNAT --to-destination 172.17.0.4:3478
COMMIT

Completed on Sun Feb 26 12:27:58 2023




I tried adding a specific rule for the subnet I&#39;m trying to route with

sudo iptables -t nat -A POSTROUTING -s 192.168.4.0/24 ! -o eth0 -j MASQUERADE


I also tried cleaning the ip tables with sudo iptables -F , but docker seems to immediately change the file again

</details>


# 答案1
**得分**: 1

iptables -A FORWARD -i eth0 -o wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -o eth0 -i wlan0 -j ACCEPT

<details>
<summary>英文:</summary>

You will need to allow forwarding of traffic from the wlan interface to the eth interface and you will also need to allow reverse traffic for established connections. Something like this should work:

    iptables -A FORWARD -i eth0 -o wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -o eth0 -i wlan0 -j ACCEPT

</details>

huangapple
  • 本文由 发表于 2023年2月26日 19:36:03
  • 转载请务必保留本文链接:https://go.coder-hub.com/75571698.html
  • access-point
  • docker
  • iptables
  • raspberry-pi
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定