Internet Access LAN-Subnet -> Laptop with LAN and WLAN Adapter -> Fritzbox -> Internet

An Alma Linux laptop has a LAN adapter enp0s31f6 and a WiFi adapter wlp0s20f3.
The WiFi adapter is connected to a WLAN router (Fritz-Box) via DHCP, has the IP address 192.168.78.156 and allows access to the Internet. The standard gateway of the WLAN router is 192.168.78.1. The LAN adapter enp0s31f6 has the static IP address 192.168.1.40, netmask 255.255.255.0. The laptop/adapter is the default gateway of the subnet 192.168.1.0/24. The devices of the subnet 192.168.1.0/24 should be given access to the Internet via iptables entries.

I try the following:

sudo sysctl -w net.ipv4.ip_forward=1

sudo iptables -t nat -A POSTROUTING -o wlp0s20f3 -j MASQUERADE

sudo iptables -A FORWARD -i enp0s31f6 -o wlp0s20f3 -j ACCEPT
sudo iptables -A FORWARD -i wlp0s20f3 -o enp0s31f6 -m state --state RELATED,ESTABLISHED -j ACCEPT

sudo systemctl restart NetworkManager

All devices in the 192.168.1.0/24 network can communicate without any problems.
Access to the Internet from the devices in the 192.168.1.0/24 network is still not possible.
What error am I making?
Do I still need a route for the enp0s31f6?

First, which version of Alma, 8 or 9? (Although, it should not matter.)


There is no “iptables” in Alma. Not by default. The kernel has nf_tables that has taken over from netfilter. You can see all the current rules in the kernel with:

sudo nft list ruleset

There is still a command “iptables”, but it is a wrapper/translator into nf_tables rules.


The default way to add rules to the kernel – to manage the firewall – is firewalld.service.
We talk to firewalld.service with firewall-cmd.
See man firewall-cmd and Chapter 40. Using and configuring firewalld | Red Hat Product Documentation

The sudo iptables ... rules are temporary, not persistent. firewalld will replace them on the next reboot, if not sooner.


By default, firewalld creates the chain:

	chain filter_FORWARD {
		type filter hook forward priority filter + 10; policy accept;
		ct state { established, related } accept
		ct status dnat accept
		iifname "lo" accept
		ct state invalid drop
		ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
		jump filter_FORWARD_ZONES
		reject with icmpx admin-prohibited
	}

That does already have the state RELATED,ESTABLISHED.

FirewallD has the concept of a “zone”. Logically, clients on the LAN are in one zone and everyone on the WLAN in a different zone. There are some predefined zones. See

sudo firewall-cmd --get-zones
sudo firewall-cmd --get-active-zones
sudo firewall-cmd --info-zone=public
sudo firewall-cmd --info-zone=external

The “external” zone has masquerade on, so if wlp0s20f3 were in that zone, then FirewallD would create the masquerade rule for you.


To allow traffic between zones, e.g. from public (LAN) to external (WLAN), one has to add a policy object. See Chapter 40. Using and configuring firewalld | Red Hat Product Documentation


Personally, I do prefer to use the nftables.service.

Hello jlehtone, thank you very much for your hints. It was my mistake simply to transfer the iptables rules from my Ubuntu system. I use the newest AlmaLinux version, 9.4. I find that firewalld is running on the system by default. Both network adapters are running in the public zone, where masquerading is off. I try now to transfer my “old” rules onto the new system. First I will study Chapter 40 to get a first idea and test it.
Best regards caoti

Hello Jukka, to forward traffic from 192.168.1.0/24 to the Fritzbox I try the following things:
1.)
sudo sysctl net.ipv4.ip_forward=1

2.)
sudo firewall-cmd --get-active-zones

both interfaces are in the public zone.

(for test purposes I don't use the option --permanent)

3.)
sudo firewall-cmd --zone=public --add-masquerade

4.)
sudo firewall-cmd --zone=public --add-forward

5.) the rule to forward the packets
sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" forward-port source address=192.168.1.0/24 to-port=0-65535 protocol=all to-addr=192.168.78.1'

But here I get an error message:
Error: INVALID_RULE: attribute 'to-port' outside of any element. Use 'rule to-ort=…'.

Can I rearrange my rule to get a valid rule?

I tried:
sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" forward-port to-addr="192.168.78.156" protocol="all"'

and:
sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" accept'

but without success.

Or is my way generally false?
Thank you very much for your support.

With best regards caoti

Do remember that you want:

  1. Members of LAN can access something in this server
  2. Members of LAN can access anything in WLAN
  3. Members of WLAN can access something in this server
  4. Members of WLAN can access nothing in LAN

Therefore, members of LAN should have different rules than members of WLAN. In FirewallD parlance they should be different zones.

Switch the enp0s31f6 into external zone.

Hello Jukka, thank you very much for your patience.

A short introductory remark.
From my subnet I need connections to public time servers, DNS servers like 8.8.8.8 and to the AlmaLinux repositories.
With Ubuntu 22.04 I could do this. Now, using AlmaLinux, it's tricky for me.

To use both network adapters (LAN adapter enp0s31f6 and WiFi adapter wlp0s20f3)
I have to start enp0s31f6 with the network manager manually. If I do so, I can't ping addresses like 8.8.8.8 via WLAN, but I can access different websites.
To ping 8.8.8.8 successfully I have to stop enp0s31f6 with NetworkManager.
If I have started enp0s31f6 with the network manager manually I can access websites via WLAN but not ping 8.8.8.8.

Now I tried the following:

$ sudo firewall-cmd --get-zones
block dmz drop external home internal nm-shared public trusted work

$ sudo firewall-cmd --get-default-zone
public

$ sudo firewall-cmd --get-active-zone
public
interfaces: wlp0s20f3 enp0s31f6

$ sudo sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1

$ sudo firewall-cmd --zone=external --change-interface=enp0s31f6
success

$ sudo firewall-cmd --get-active-zones
external
interfaces: enp0s31f6
public
interfaces: wlp0s20f3

sudo firewall-cmd --zone=public --add-forward

sudo firewall-cmd --zone=public --add-source=192.168.1.50

or:

sudo firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 masquerade'

But without positive effect.

From 192.168.1.40 I get connections to all 192.168.1.0/24 devices (after manually starting enp0s31f6)

Subnet
$ ping 192.168.1.50
PING 192.168.1.50 (192.168.1.50) 56(84) bytes of data.
64 Bytes von 192.168.1.50: icmp_seq=1 ttl=64 Zeit=1.53 ms

W-LAN Adapter
$ ping 192.168.x.159
PING 192.168.x.159 (192.168.x.159) 56(84) bytes of data.
64 bytes from 192.168.x.159: icmp_seq=1 ttl=64 time=0.705 ms

Fritzbox
$ ping 192.168.x.1
PING 192.168.x.1 (192.168.x.1) 56(84) bytes of data.
From 192.168.1.40 icmp_seq=2 Redirect Host(New nexthop: 192.168.x.1)

$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 192.168.1.40 icmp_seq=2 Redirect Host(New nexthop: 8.8.8.8)

With best regards

What do you get with ip ro when both connections are up?

With both adapters running

$ ip ro
default via 192.168.1.40 dev enp0s31f6 proto static metric 100
default via 192.168.178.1 dev wlp0s20f3 proto dhcp src 192.168.178.159 metric 600
192.168.1.0/24 dev enp0s31f6 proto kernel scope link src 192.168.1.40 metric 100
192.168.1.0/24 via 192.168.178.1 dev enp0s31f6 proto static metric 100
192.168.178.0/24 dev wlp0s20f3 proto kernel scope link src 192.168.178.159 metric 600
192.168.178.1 dev enp0s31f6 proto static scope link metric 100

I had a similar side effect with AlmaLinux systems in VirtualBox machines.

This one says that packets to 8.8.8.8 should be tossed out from enp0s31f6. Remove the “gateway” from the enp0s31f6’s config; it is nonsense.

This machine should have three logical destinations: LAN (192.168.1.0/24), WLAN (192.168.178.0/24), and outside of these two (default via 192.168.178.1).

These two routes do also look like nonsense. Where did they come from?
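A small check that applies Jukka's three-destination model to the `ip ro` output quoted above, added here as example code (not from the thread): it flags the three routes that contradict the two-link layout and shows that, before they are removed, a packet to 8.8.8.8 leaves through enp0s31f6 and afterwards through wlp0s20f3.

```python
import ipaddress
# Constructed input: the `ip ro` output posted in the thread.
IP_ROUTE_OUTPUT = """\
default via 192.168.1.40 dev enp0s31f6 proto static metric 100
default via 192.168.178.1 dev wlp0s20f3 proto dhcp src 192.168.178.159 metric 600
192.168.1.0/24 dev enp0s31f6 proto kernel scope link src 192.168.1.40 metric 100
192.168.1.0/24 via 192.168.178.1 dev enp0s31f6 proto static metric 100
192.168.178.0/24 dev wlp0s20f3 proto kernel scope link src 192.168.178.159 metric 600
192.168.178.1 dev enp0s31f6 proto static scope link metric 100
"""

def parse_routes(text):
    """One dict per `ip route` line; 'default' becomes 0.0.0.0/0."""
    routes = []
    for line in filter(None, text.splitlines()):
        fields = line.split()
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        route = {"dst": ipaddress.ip_network(dst, strict=False), "line": line}
        route.update(zip(fields[1::2], fields[2::2]))  # via, dev, proto, scope, src, metric
        route["metric"] = int(route.get("metric", 0))
        routes.append(route)
    return routes

def find_bogus_routes(routes):
    """(route, reason) pairs for entries that contradict the two-link layout."""
    onlink = {}  # interface -> connected prefixes the kernel installed for it
    for r in routes:
        if r.get("proto") == "kernel":
            onlink.setdefault(r["dev"], []).append(r["dst"])
    own_addrs = {ipaddress.ip_address(r["src"]) for r in routes if "src" in r}
    bogus = []
    for r in routes:
        dev = r["dev"]
        gw = ipaddress.ip_address(r["via"]) if "via" in r else None
        if gw in own_addrs:  # a default route pointing at the laptop itself
            bogus.append((r, "gateway is this host's own address"))
        elif gw is not None and not any(gw in net for net in onlink.get(dev, [])):
            bogus.append((r, f"gateway {gw} is not on-link for {dev}"))
        elif any(r["dst"].subnet_of(n) for o, ns in onlink.items() if o != dev for n in ns):
            bogus.append((r, "destination belongs to another interface's network"))
    return bogus

def cleaned_routes(routes):  # the table with every flagged route removed
    flagged = {id(r) for r, _ in find_bogus_routes(routes)}
    return [r for r in routes if id(r) not in flagged]

def egress_interface(routes, destination):  # longest prefix, then lowest metric
    hits = [r for r in routes if ipaddress.ip_address(destination) in r["dst"]]
    return max(hits, key=lambda r: (r["dst"].prefixlen, -r["metric"]))["dev"]
```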

Good Morning Jukka,

thank you very much for your great support. With your hints I solved my problem.

1. set ip forward

sudo sysctl -w net.ipv4.ip_forward=1

2. change zone

sudo firewall-cmd --zone=external --change-interface=enp0s31f6

3. activate forwarding

sudo firewall-cmd --zone=public --add-forward

4. source network

sudo firewall-cmd --zone=public --add-source=192.168.1.0/24

5. activate source masquerade

sudo firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 masquerade'

gives a first running configuration.

( and set the autostart option of my LAN adapter in NetworkManager )

With best regards
caoti