Mastering iptables, ip (iproute2)

After enabling both the hotspot and the VPN on your Android phone, the following commands let every device connected to the hotspot use the VPN without any further configuration on the client side.


```
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t filter -A FORWARD -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE

ip rule add from 192.168.43.0/24 lookup 61
ip rule add from 192.168.42.0/24 lookup 61
ip route add default dev tun0 scope link table 61

ip route add 192.168.43.0/24 dev wlan0 scope link table 61
ip route add 192.168.42.0/24 dev wlan0 scope link table 61

ip route add broadcast 255.255.255.255 dev wlan0 scope link table 61

ip route add 172.27.232.0/24 dev tun0 table 61
```
___

```
iptables -t filter -F FORWARD
```

* -t means `table`
* -F means `flush`.  flush = clear = delete

> Filter: `filter` is the default table. Its built-in chains are INPUT, FORWARD and OUTPUT.

Delete all rules in the `FORWARD` chain.

> Forward: sends packets from one network (LAN or WLAN) to another; these are the packets routed through this device rather than addressed to it.

___

```
iptables -t nat -F POSTROUTING
```

Delete all rules in the `POSTROUTING` chain.

> Nat: this table is consulted when a packet creates a new connection. Its built-in chains are PREROUTING, OUTPUT and POSTROUTING.

* Prerouting: altering packets as soon as they come in, before routing
* Output: locally generated packets, before routing takes place
* Postrouting: altering packets on the way out

altering = modifying
___

```
iptables -t filter -A FORWARD -j ACCEPT
```

* -A means `append`. Append one or more rules to the end of the selected chain
* -j means `jump`: the target to jump to when the rule matches (here `ACCEPT`)

Accept everything in the `FORWARD` chain. In other words, every packet the hotspot device routes between its interfaces is allowed through.

___

```
iptables -t nat -A POSTROUTING -j MASQUERADE
```

> Masquerade: a form of Network Address Translation (NAT). It lets a computer that does not have a public, Internet-wide IP address communicate with other computers on the Internet.

> Postrouting: altering packets on the way out

___

```
ip rule add from 192.168.43.0/24 lookup 61
ip rule add from 192.168.42.0/24 lookup 61
```

This creates the policy routing rules that tell the system which routing table to consult to find the route for a packet.

The general form is: `ip rule add from <source address> lookup <table name>`

This says that every packet from Network `192.168.43.0 and 192.168.42.0` will use `table 61`.

And `table 61` is a `routing policy table`. It determines which way a packet should go.

**It is very important to know that this form of the command selects packets by `source network`. That is to say, you control every packet sent from that network.**

___

```
ip route add default dev tun0 scope link table 61
```

The `ip route add` command has a template as follows (`default` already stands for `0.0.0.0/0`, so no network is given with it):

```
ip route add {NETWORK/MASK} via {GATEWAY_IP}
ip route add {NETWORK/MASK} dev {DEVICE}
ip route add default dev {DEVICE}
ip route add default via {GATEWAY_IP}
```

> A GATEWAY is simply an IP address that connects two different networks.

> Setting a static route: send packets for a certain network through a gateway (IP address).

This says that all traffic using `policy table 61` is routed out of `device tun0` whenever no more specific route in that table matches the destination.

**It is very important to know that this form of the command selects packets by `destination network`. That is to say, you control every packet sent to that network.**

As for `scope link`, here are some references:

| Scope | Description |
| --- | --- |
| global | valid everywhere |
| link | valid only on this link (the directly attached LAN) |
| host | valid only inside this host (localhost, e.g. 127.0.0.1) |
___

```
ip route add 192.168.43.0/24 dev wlan0 scope link table 61
ip route add 192.168.42.0/24 dev wlan0 scope link table 61
```

Likewise, a packet destined for Network `192.168.43.0 and 192.168.42.0` reaches it by going out through `device wlan0`.

___

```
ip route add broadcast 255.255.255.255 dev wlan0 scope link table 61
```

> The `broadcast` route type is used for link layer devices (such as Ethernet cards) which support the notion of a broadcast address or MAC address.

`device wlan0` is the interface that provides the Wi-Fi hotspot, and that Wi-Fi network is a small Local Area Network (LAN).

As you know, in a LAN (Local Area Network) MAC addresses are used to identify the different computers. That is why this command uses `device wlan0`.

___

```
# It's for NAT
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t filter -A FORWARD -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE

# Create `routing table 61` and set `device tun0` as its default routing target
# (every packet sent from network 192.168.43.0 or 192.168.42.0 is routed to device tun0)

ip rule add from 192.168.43.0/24 lookup 61
ip rule add from 192.168.42.0/24 lookup 61
ip route add default dev tun0 scope link table 61

# Add `device wlan0` to `routing table 61`, so packets for network 192.168.43.0 or 192.168.42.0 are delivered over wlan0
ip route add 192.168.43.0/24 dev wlan0 scope link table 61
ip route add 192.168.42.0/24 dev wlan0 scope link table 61

ip route add broadcast 255.255.255.255 dev wlan0 scope link table 61
ip route add 172.27.232.0/24 dev tun0 table 61
```

> tun0: mostly, it's the VPN interface

> wlan0: mostly, it's the WIFI interface

Right now, packets from `network 192.168.43.0 and 192.168.42.0` go to `tun0 (VPN interface)`. Packets destined for `network 192.168.43.0 and 192.168.42.0` reach them through `wlan0 (WIFI interface)`.

The `network 192.168.43.0 and 192.168.42.0` are the networks an Android phone assigns to the devices connected to its hotspot.

___


```
ip route add 172.27.232.0/24 dev tun0 table 61
```

It is an ordinary (destination-based) routing rule.

It says that packets for `network 172.27.232.0` are sent out through `device tun0`.

> `172.27.232.0` is probably the VPN's network. For my device, it works even without this command.

___

So the final script could be something like this:

```
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t filter -A FORWARD -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE

ip rule add from 192.168.43.0/24 lookup yingshaoxo
ip route add default dev tun0 scope link table yingshaoxo

ip route add 192.168.43.0/24 dev wlan0 scope link table yingshaoxo

ip route add broadcast 255.255.255.255 dev wlan0 scope link table yingshaoxo
```

Remember to replace `yingshaoxo` with a number between 0-255.

___

Use this to reset everything:

```
ip route flush table <table_id>
```
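The final script and the reset above, as an added example that is not part of the original post: the same commands parameterised and wrapped in functions, with a dry-run mode so the generated commands can be read before anything is touched, a check that both interfaces exist, a tighter FORWARD/MASQUERADE policy than `-A FORWARD -j ACCEPT` (hotspot traffic may only leave through the tunnel, NAT happens only on the tunnel, and anything that would leave on another interface is rejected, so clients do not silently fall back to mobile data if `tun0` goes away), and a teardown that also removes the `ip rule` entry and the iptables rules, which `ip route flush table` alone leaves behind. The interface names, table id, subnet and the client address used by `verify` are assumptions taken from the post; `-m conntrack` assumes the phone's kernel ships the `xt_conntrack` match.

```shell
#!/bin/sh
# Added example, not from the original post: the post's final script and
# reset, parameterised, with a dry-run mode, interface checks, a tighter
# FORWARD/MASQUERADE policy and a teardown that also removes the ip rule.
# Interface names, subnet, table id and the client address are assumptions.

TABLE="${TABLE:-61}"                      # policy routing table id
VPN_IF="${VPN_IF:-tun0}"                  # VPN tunnel interface
LAN_IF="${LAN_IF:-wlan0}"                 # hotspot (Wi-Fi AP) interface
LAN_NET="${LAN_NET:-192.168.43.0/24}"     # subnet Android hands to hotspot clients
LAN_CLIENT="${LAN_CLIENT:-192.168.43.2}"  # constructed client address for verify
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print commands, 0 = execute as root

# run: print the command in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# have_iface: true if the kernel knows the interface (always true in dry-run)
have_iface() {
    [ "$DRY_RUN" = "1" ] || [ -d "/sys/class/net/$1" ]
}

# firewall_rules: instead of `-A FORWARD -j ACCEPT` plus an unconditional
# MASQUERADE, only forward hotspot traffic into the tunnel, allow replies back,
# NAT only on the tunnel, and reject hotspot traffic that would leave on any
# other interface (so clients do not fall back to mobile data if tun0 drops).
firewall_rules() {
    run iptables -t filter -F FORWARD
    run iptables -t nat -F POSTROUTING
    run iptables -t filter -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT
    run iptables -t filter -A FORWARD -i "$VPN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    run iptables -t filter -A FORWARD -i "$LAN_IF" -j REJECT
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$VPN_IF" -j MASQUERADE
}

# routing_rules: the post's policy routing, made idempotent by flushing the
# table and removing any stale rule before adding the new ones
routing_rules() {
    run ip route flush table "$TABLE"
    run ip rule del from "$LAN_NET" lookup "$TABLE" 2>/dev/null || true
    run ip rule add from "$LAN_NET" lookup "$TABLE"
    run ip route add default dev "$VPN_IF" scope link table "$TABLE"
    run ip route add "$LAN_NET" dev "$LAN_IF" scope link table "$TABLE"
    run ip route add broadcast 255.255.255.255 dev "$LAN_IF" scope link table "$TABLE"
}

# apply: refuse to touch the system if either interface is missing
apply() {
    if ! have_iface "$VPN_IF" || ! have_iface "$LAN_IF"; then
        echo "missing interface: need $VPN_IF and $LAN_IF" >&2
        return 1
    fi
    firewall_rules
    routing_rules
}

# teardown: `ip route flush table` alone leaves the ip rule and the iptables
# chains in place; remove all three so the phone is back to its default state
teardown() {
    run ip rule del from "$LAN_NET" lookup "$TABLE"
    run ip route flush table "$TABLE"
    run iptables -t filter -F FORWARD
    run iptables -t nat -F POSTROUTING
}

# verify: show the rule and the table, then ask the kernel which way a packet
# from a hotspot client would actually go (the answer should name the tunnel
# interface and the table id)
verify() {
    run ip rule show
    run ip route show table "$TABLE"
    run ip route get 1.1.1.1 from "$LAN_CLIENT" iif "$LAN_IF"
}

if [ $# -gt 0 ]; then
    case "$1" in
        apply|teardown|verify) "$1" ;;
        *) echo "usage: $0 apply|teardown|verify" >&2; exit 2 ;;
    esac
fi
```

Run it once with the default `DRY_RUN=1` (`sh hotspot-vpn.sh apply`) to read the exact commands it would issue, then as root with `DRY_RUN=0` to apply them; `verify` uses `ip route get ... from <client> iif wlan0`, which makes the kernel perform the same lookup it would for a real client packet, so its output is the quickest way to confirm that table 61 and `tun0` are really being used. Because hotspot traffic is now only accepted when it exits on the tunnel, a dropped VPN shows up as clients losing connectivity rather than as their traffic quietly leaving over the mobile interface.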
___

References:

* https://anil.io/blog/android/android-tethering-vpn-wifi-hotspot-iptables-root/
* https://www.linode.com/docs/security/firewalls/control-network-traffic-with-iptables/
* Designing and Implementing Linux Firewalls with QoS using netfilter, iproute2, NAT and l7-filter (Packt Publishing, 2006)
* https://blog.scottlowe.org/2013/05/29/a-quick-introduction-to-linux-policy-routing/
* https://www.cyberciti.biz/faq/ip-route-add-network-command-for-linux-explained/
* https://serverfault.com/questions/63014/ip-address-scope-parameter
* http://linux-ip.net/html/routing-tables.html
* yingshaoxo's brain.