
firewalld support

Open nahil1 opened this issue 4 years ago • 22 comments

The following commands are needed to allow traffic when firewalld is being used.

sudo firewall-cmd --add-service=dhcp
sudo firewall-cmd --add-service=dns
sudo firewall-cmd  --add-masquerade

# NAT on the upstream (internet) side; accept new flows from the AP and let replies back in
sudo firewall-cmd -q --direct --add-rule ipv4 nat POSTROUTING 0 -o <internet_iface> -j MASQUERADE
sudo firewall-cmd -q --direct --add-rule ipv4 filter FORWARD 0 -i <ap_iface> -o <internet_iface> -j ACCEPT
sudo firewall-cmd -q --direct --add-rule ipv4 filter FORWARD 0 -i <internet_iface> -o <ap_iface> -m state --state RELATED,ESTABLISHED -j ACCEPT

nahil1 avatar Jun 20 '21 08:06 nahil1

What should <ap_iface> and <internet_iface> be substituted with?

tubbadu avatar Mar 28 '22 22:03 tubbadu

@tubbadu check the ui dropdowns

lakinduakash avatar Mar 29 '22 03:03 lakinduakash

Edit: This solution is NOT working, GOTO

[screenshot: Screenshot_20220408_193540]

Just add the adapter name to the variables (wifi_iface and internet_iface; in my case export wifi_iface=wlan0 and export internet_iface=wlan0), then execute the commands:

export wifi_iface=
export internet_iface=
sudo firewall-cmd --add-service=dhcp
sudo firewall-cmd --add-service=dns
sudo firewall-cmd  --add-masquerade

# NAT on the upstream (internet) side; accept new flows from the AP and let replies back in
sudo firewall-cmd -q --direct --add-rule ipv4 nat POSTROUTING 0 -o $internet_iface -j MASQUERADE
sudo firewall-cmd -q --direct --add-rule ipv4 filter FORWARD 0 -i $wifi_iface -o $internet_iface -j ACCEPT
sudo firewall-cmd -q --direct --add-rule ipv4 filter FORWARD 0 -i $internet_iface -o $wifi_iface -m state --state RELATED,ESTABLISHED -j ACCEPT

Luciogi avatar Apr 08 '22 14:04 Luciogi

@Luciogi Thanks I'll add those and test them soon.

lakinduakash avatar Apr 11 '22 06:04 lakinduakash

@lakinduakash this solution is not working

Luciogi avatar Apr 19 '22 17:04 Luciogi

Working Solution:

I am using Fedora 35 for testing; firewalld has the default zone FedoraWorkstation. My approach is to enable masquerade in the zones trusted and FedoraWorkstation and to add the interface ap0 to the trusted zone. Executing the following command block will allow internet access and IP allocation via the hotspot:

sudo firewall-cmd --zone=FedoraWorkstation --add-masquerade
sudo firewall-cmd --zone=trusted --add-masquerade
sudo firewall-cmd --zone=trusted --add-interface=ap0

Edit: Please test it and give feedback

  • fwd firewall works without any problem

Luciogi avatar Apr 21 '22 15:04 Luciogi

Thanks @Luciogi for testing it. Someone else please test it too; currently I don't have a Fedora environment.

lakinduakash avatar Apr 22 '22 02:04 lakinduakash

This will allow clients to connect and have internet access (tested on Ubuntu 22.04 with firewalld 1.1.1) without allowing them access to other services on the host:

firewall-cmd --permanent --new-zone=hotspot
firewall-cmd --permanent --zone=hotspot --add-service=dhcp
firewall-cmd --permanent --zone=hotspot --add-service=dns
firewall-cmd --permanent --zone=hotspot --add-interface=ap0

# Ensure the DNS ports are forwarded
firewall-cmd --permanent --zone=hotspot --add-rich-rule='rule family="ipv4" forward-port port="53" protocol="tcp" to-port="5353" destination address="192.168.12.1"'
firewall-cmd --permanent --zone=hotspot --add-rich-rule='rule family="ipv4" forward-port port="53" protocol="udp" to-port="5353" destination address="192.168.12.1"'

# Change public to whatever zone you've assigned the internet connection to
firewall-cmd --permanent --zone=public --add-masquerade

firewall-cmd --permanent --new-policy hotspot-forwarding
firewall-cmd --permanent --policy hotspot-forwarding --add-ingress-zone hotspot
# Change public to whatever zone you've assigned the internet connection to
firewall-cmd --permanent --policy hotspot-forwarding --add-egress-zone public
# If you want to restrict what ports clients can access on the internet, you can remove this
firewall-cmd --permanent --policy hotspot-forwarding --set-target ACCEPT
# And add specific services instead
#firewall-cmd --permanent --policy hotspot-forwarding --add-service http


firewall-cmd --reload

These rules will persist after a reboot, so you shouldn't need to touch them again unless you want to allow more zones to be used for internet.

NHellFire avatar Aug 23 '22 16:08 NHellFire

Working Solution:

I am using Fedora 35 for testing; firewalld has the default zone FedoraWorkstation. My approach is to enable masquerade in the zones trusted and FedoraWorkstation and to add the interface ap0 to the trusted zone. Executing the following command block will allow internet access and IP allocation via the hotspot:

sudo firewall-cmd --zone=FedoraWorkstation --add-masquerade
sudo firewall-cmd --zone=trusted --add-masquerade
sudo firewall-cmd --zone=trusted --add-interface=ap0

Edit: Please test it and give feedback

  • fwd firewall works without any problem

Sadly, this doesn't work somehow…

Are there some special settings which I missed? I got an IP address with my phone, but no internet connection.

IP of phone: 192.168.12.13
Gateway of phone: 192.168.12.1
Gateway of ap0: 192.168.12.1

I have a virtual interface as LAN device, but this shouldn't generate any problems, right?

Ethernet port enp1s0: IP: 192.168.12.103 Gateway: 192.168.12.1

Normally this would be 192.168.3.3 with gateway 192.168.3.1. I have internet in my VM, but not on the hotspot. If I missed something I should mention, just ask; I'll try to deliver.

Greets LxWulf

Edit: Yes, I use Fedora 37 with the newest updates.

lxwulf avatar Feb 01 '23 08:02 lxwulf

@lxwulf Are you using Fedora 37 on VM?

Luciogi avatar Feb 02 '23 12:02 Luciogi

@Luciogi Yes, exactly!

It does work with a LAN PCI pass-through, but not with virtual devices, at least on my side.

lxwulf avatar Feb 02 '23 18:02 lxwulf

@lxwulf I guess the VM can't directly access all wifi card capabilities; it uses a bridge or NAT connection coming from the host OS. Maybe a USB wifi adapter might work.

Luciogi avatar Feb 03 '23 07:02 Luciogi

@Luciogi Yes, worth trying, but at the moment I have no USB dongle; I'll keep this in mind for later.

lxwulf avatar Feb 04 '23 09:02 lxwulf

This will allow clients to connect and have internet access (tested on Ubuntu 22.04 with firewalld 1.1.1) without allowing them access to other services on the host:

firewall-cmd --permanent --new-zone=hotspot
firewall-cmd --permanent --zone=hotspot --add-service=dhcp
firewall-cmd --permanent --zone=hotspot --add-service=dns
firewall-cmd --permanent --zone=hotspot --add-interface=ap0

# Ensure the DNS ports are forwarded
firewall-cmd --permanent --zone=hotspot --add-rich-rule='rule family="ipv4" forward-port port="53" protocol="tcp" to-port="5353" destination address="192.168.12.1"'
firewall-cmd --permanent --zone=hotspot --add-rich-rule='rule family="ipv4" forward-port port="53" protocol="udp" to-port="5353" destination address="192.168.12.1"'

# Change public to whatever zone you've assigned the internet connection to
firewall-cmd --permanent --zone=public --add-masquerade

firewall-cmd --permanent --new-policy hotspot-forwarding
firewall-cmd --permanent --policy hotspot-forwarding --add-ingress-zone hotspot
# Change public to whatever zone you've assigned the internet connection to
firewall-cmd --permanent --policy hotspot-forwarding --add-egress-zone public
# If you want to restrict what ports clients can access on the internet, you can remove this
firewall-cmd --permanent --policy hotspot-forwarding --set-target ACCEPT
# And add specific services instead
#firewall-cmd --permanent --policy hotspot-forwarding --add-service http


firewall-cmd --reload

These rules will persist after a reboot, so you shouldn't need to touch them again unless you want to allow more zones to be used for internet.

I'm on Fedora 37, and with these settings my Android device is "connected without internet access".

tubbadu avatar Feb 05 '23 09:02 tubbadu

@tubbadu Please test this https://github.com/lakinduakash/linux-wifi-hotspot/issues/166#issuecomment-1105388859

Luciogi avatar Feb 05 '23 10:02 Luciogi

We need proper support for firewalld. Something nice like @NHellFire's script, translating the existing regular iptables rules. For the fast and easy way already discussed here, that is masquerade + add ap0 to zones.

mxvin avatar Jul 14 '23 18:07 mxvin

On Debian 12 with firewalld enabled, the problem was fixed by only the first three lines. Namely:

sudo firewall-cmd --add-service=dhcp
sudo firewall-cmd --add-service=dns
sudo firewall-cmd  --add-masquerade

But yes, given that firewalld is enabled by default on several distros (including Debian), this should probably be done automatically.

If nothing else, just check if sudo firewall-cmd --state returns running, and if it does, print something during installation along the lines of "You have firewalld running. This may require explicitly adding some rules to allow network traffic. Please visit <link to issues> if you face issues."

EDIT: Even though I could not connect to the network, I could not use mDNS to resolve the hostname. I ended up disabling firewalld, and expect to be using something that is not as obstructive in the future.

KronosTheLate avatar Nov 20 '23 08:11 KronosTheLate

Edit: This solution is NOT working, GOTO

[screenshot: Screenshot_20220408_193540]

Just add the adapter name to the variables (wifi_iface and internet_iface; in my case export wifi_iface=wlan0 and export internet_iface=wlan0), then execute the commands:

export wifi_iface=
export internet_iface=
sudo firewall-cmd --add-service=dhcp
sudo firewall-cmd --add-service=dns
sudo firewall-cmd  --add-masquerade

# NAT on the upstream (internet) side; accept new flows from the AP and let replies back in
sudo firewall-cmd -q --direct --add-rule ipv4 nat POSTROUTING 0 -o $internet_iface -j MASQUERADE
sudo firewall-cmd -q --direct --add-rule ipv4 filter FORWARD 0 -i $wifi_iface -o $internet_iface -j ACCEPT
sudo firewall-cmd -q --direct --add-rule ipv4 filter FORWARD 0 -i $internet_iface -o $wifi_iface -m state --state RELATED,ESTABLISHED -j ACCEPT

This works for me on Fedora 39.

dibenzepin avatar Jan 08 '24 14:01 dibenzepin

Working Solution:

I am using Fedora 35 for testing; firewalld has the default zone FedoraWorkstation. My approach is to enable masquerade in the zones trusted and FedoraWorkstation and to add the interface ap0 to the trusted zone. Executing the following command block will allow internet access and IP allocation via the hotspot:

sudo firewall-cmd --zone=FedoraWorkstation --add-masquerade
sudo firewall-cmd --zone=trusted --add-masquerade
sudo firewall-cmd --zone=trusted --add-interface=ap0

Edit: Please test it and give feedback

  • fwd firewall works without any problem

Is there a way to make this permanent? Would adding --permanent work?

dibenzepin avatar Jan 10 '24 09:01 dibenzepin

Is there a way to make this permanent? Would adding --permanent work?

No idea, I am not using firewalld and Fedora anymore; I forgot whether these commands make permanent rules.

Luciogi avatar Jan 11 '24 10:01 Luciogi

I have used Fedora Linux since version 30, and now I'm on version 39. I can confirm that the firewall-cmd command with the option --permanent does work to make the settings permanent. After this, you can reload the firewall to take the new settings in: firewall-cmd --reload.

All changes without the --permanent option are temporary and are lost when the firewall gets reloaded (firewall-cmd --reload) or the system is rebooted.

lxwulf avatar Jan 15 '24 18:01 lxwulf
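Pulling the three approaches in this thread together (the direct rules from nahil1 and Luciogi, the trusted-zone shortcut from Luciogi, the dedicated zone plus forwarding policy from NHellFire) and the --permanent question above, here is an added example script. It is not part of linux-wifi-hotspot and was not posted by anyone in this thread. It prints the firewall-cmd lines for one variant (or runs them with DRY_RUN=0 as root), validates interface and zone names before splicing them into a command line, emits the direct rules with NAT on the upstream side and stateful forwarding, and appends the reload that permanent rules need. The script name hotspot-fw.sh, the zone name "hotspot", the policy name "hotspot-forwarding", the 192.168.12.1 gateway and the 5353 resolver port are assumptions taken from the values posted above; adjust them to your setup. The security difference between the variants is the point: the trusted zone accepts everything the hotspot clients send to the host, while the isolated variant exposes only DHCP and DNS and forwards only into the upstream zone.

```shell
#!/bin/sh
# Added example (not part of linux-wifi-hotspot): emit, or apply, the firewalld
# configuration for a hotspot interface in one of the three styles discussed in
# this thread. Run as root when applying; with DRY_RUN=1 (the default) the
# firewall-cmd lines are only printed.
set -eu

# Assumed defaults, taken from the values posted in the thread (adjust to taste).
HOTSPOT_GW=${HOTSPOT_GW:-192.168.12.1}      # gateway address on the AP interface
HOTSPOT_DNS_PORT=${HOTSPOT_DNS_PORT:-5353}  # port the hotspot's resolver listens on
DRY_RUN=${DRY_RUN:-1}

# Linux interface names are at most 15 bytes; reject anything else (whitespace,
# shell metacharacters) before the name is spliced into a command line.
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# hotspot_fw_cmds MODE AP_IFACE UPSTREAM_IFACE UPSTREAM_ZONE [permanent]
#   direct   - zone services plus --direct iptables rules (nahil1, Luciogi), with
#              NAT on the upstream side and stateful forwarding; note that the
#              direct interface is deprecated upstream in favour of policies
#   trusted  - AP interface in the trusted zone (Luciogi): quickest, but hotspot
#              clients can reach every service the host listens on
#   isolated - dedicated zone plus forwarding policy (NHellFire): clients get
#              DHCP, DNS and forwarding into the upstream zone, nothing else
hotspot_fw_cmds() {
    mode=$1; ap=$2; up=$3; zone=$4; persist=${5:-runtime}; p=''
    valid_iface "$ap" && valid_iface "$up" || { echo "invalid interface name" >&2; return 1; }
    case "$zone" in ''|*[!A-Za-z0-9_-]*) echo "invalid zone name" >&2; return 1 ;; esac
    [ "$persist" = permanent ] && p='--permanent '
    case "$mode" in
    direct)
        echo "firewall-cmd ${p}--add-service=dhcp"
        echo "firewall-cmd ${p}--add-service=dns"
        echo "firewall-cmd ${p}--add-masquerade"
        echo "firewall-cmd ${p}--direct --add-rule ipv4 nat POSTROUTING 0 -o $up -j MASQUERADE"
        echo "firewall-cmd ${p}--direct --add-rule ipv4 filter FORWARD 0 -i $ap -o $up -j ACCEPT"
        echo "firewall-cmd ${p}--direct --add-rule ipv4 filter FORWARD 0 -i $up -o $ap -m state --state RELATED,ESTABLISHED -j ACCEPT"
        ;;
    trusted)
        echo "firewall-cmd ${p}--zone=$zone --add-masquerade"
        echo "firewall-cmd ${p}--zone=trusted --add-masquerade"
        echo "firewall-cmd ${p}--zone=trusted --add-interface=$ap"
        ;;
    isolated)
        # Zones and policies can only be created in the permanent configuration,
        # so this mode is always permanent and ends with a reload.
        p='--permanent '; persist=permanent
        echo "firewall-cmd ${p}--new-zone=hotspot"
        echo "firewall-cmd ${p}--zone=hotspot --add-service=dhcp"
        echo "firewall-cmd ${p}--zone=hotspot --add-service=dns"
        echo "firewall-cmd ${p}--zone=hotspot --add-interface=$ap"
        # Redirect client DNS queries aimed at the gateway to the resolver port.
        for proto in tcp udp; do
            echo "firewall-cmd ${p}--zone=hotspot --add-rich-rule='rule family=\"ipv4\" forward-port port=\"53\" protocol=\"$proto\" to-port=\"$HOTSPOT_DNS_PORT\" destination address=\"$HOTSPOT_GW\"'"
        done
        echo "firewall-cmd ${p}--zone=$zone --add-masquerade"
        # Forwarding is allowed only from the hotspot zone into the upstream zone.
        echo "firewall-cmd ${p}--new-policy=hotspot-forwarding"
        echo "firewall-cmd ${p}--policy=hotspot-forwarding --add-ingress-zone=hotspot"
        echo "firewall-cmd ${p}--policy=hotspot-forwarding --add-egress-zone=$zone"
        echo "firewall-cmd ${p}--policy=hotspot-forwarding --set-target=ACCEPT"
        ;;
    *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    # Permanent rules take effect only after a reload.
    [ "$persist" = permanent ] && echo "firewall-cmd --reload"
    return 0
}

# hotspot_fw_apply: same arguments; prints under DRY_RUN=1, otherwise executes.
hotspot_fw_apply() {
    if [ "$DRY_RUN" = 1 ]; then
        hotspot_fw_cmds "$@"
    else
        hotspot_fw_cmds "$@" | sh -ex
    fi
}

# Checks worth running after applying: the active zones and which zone firewalld
# actually put the AP interface in.
hotspot_fw_verify_cmds() {
    echo "firewall-cmd --get-active-zones"
    echo "firewall-cmd --get-zone-of-interface=$1"
}

# Usage: DRY_RUN=0 ./hotspot-fw.sh isolated ap0 wlan0 public permanent
if [ -n "${1:-}" ]; then
    hotspot_fw_apply "$@"
    hotspot_fw_verify_cmds "$2"
fi
```

A practical sequence is to apply the direct or trusted variant at runtime first (no "permanent" argument), confirm that a client gets an address and reaches the internet, and only then save the working state with firewall-cmd --runtime-to-permanent; that avoids persisting a broken rule set across reboots. After the hotspot is up, run the two verification commands: if the AP interface is not in the zone you expected (for example because NetworkManager manages it and assigned a zone of its own), the rules above will not be applied to its traffic.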