Wicked configuration instead of Network Manager: option missing?

Hi guys,
I am currently using Network Manager, with kde-nm-connection-editor. My wlan0 card is connected to a hotspot called wifigratis. This hotspot requires an authentication page with login and password.

That’s why I have connected on eth0 another hotspot gateway, which can offer another wifi network called powerwifi, in WPA2. With powerwifi I can easily connect my phone, computers and some hardware like the google chrome key, which are not compatible with the wifigratis login page.

When I use kde-nm-connection-editor, I select for wlan0 auto dhcp for ip addressing and open method for encryption. For eth0 I select an ip option called “shared to other computers”.

With this configuration, my computer has internet, and the other hardware can connect to powerwifi (the hotspot on eth0) easily (without creating a bridge or routing rules, maybe they are created automatically: I don’t know!!) but the internet link on wlan0 is not stable and has poor quality.

That’s why I want to make the same configuration using the wicked service.

For the wifigratis - wlan0 part, everything is working fine. In YaST I have selected auto DHCP and open for the wifi. My computer has internet.

But for the eth0 part I can’t find an option similar to “shared to other computers”. The result is that my eth0 card hasn’t got an IP address (even with auto DHCP) and my hardware is half-connected to powerwifi because it can’t get an IP address either (and it doesn’t have internet).

My question is, how may I get a configuration similar to “shared to other computers” with the wicked service?

Here are my eth0 Network Manager config files:

[ethernet]
mac-address=00:15:C5:72:FD:F7
cloned-mac-address=D9:8A:2B:BC:C8:CF

[connection]
id=PowerWifiCable
uuid=1b676601-0a36-4861-b56d-94b0951289c9
type=ethernet
permissions=user:florian:;

[ipv6]
method=auto

[ipv4]
method=shared

and my eth0 ifup config files:

BOOTPROTO='dhcp'
BROADCAST=''
DHCLIENT_SET_DEFAULT_ROUTE='yes'
ETHTOOL_OPTIONS=''
IPADDR=''
MTU=''
NAME='BCM4401-B0 100Base-TX'
NETMASK=''
NETWORK=''
REMOTE_IPADDR=''
STARTMODE='ifplugd'
PREFIXLEN='24'

Thanks for your help!

On 2015-08-12 02:16, mandragore59va wrote:

> But for the Eth0 part I can’t have a similar option than “shared to
> other computers”. The result is that my eth0 card haven’t got an ip
> adress (even with auto dhcp) and my hardware are half-connected to
> powerwifi because they can’t have an ip adress too (and they dont have
> internet)

If I understood the situation correctly, you have to setup a fixed IP
for eth0, on a different range than for wlan0, run and configure a dhcp
server daemon (which will provide an IP to your other hardware), plus
adequately configure routing.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

I think the hot-spot gateway already has a DHCP server.
Maybe I need to set up a static IP address for eth0.
And for routing I don’t have any idea how to do that!!

If I connect eth0 and wlan0 with Network Manager, can I copy the IP and routes which are created? (Network Manager creates routes, right??) And where can I find them?

On 2015-08-12 03:16, mandragore59va wrote:

I should know how to do it, if I had the hardware and started hacking at
it, but I don’t know how to describe it, sorry.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

OK, I can try to do so by myself, but I still don’t understand why a simple IPv4 option in Network Manager makes this work without my needing to configure routes and DHCP!!

Does someone know what the IPv4 option “shared to other computers” corresponds to?

I’ve never used it, so I am guessing. It is probably similar to Windows connection sharing.

To do similar in linux, you would need to do ip masquerading (which I also have never done).

It should be possible to configure masquerading using YaST as per this old guide

http://swerdna.dyndns.org/suseics.html#suseserv

I note that when I use NM to share wired ethernet, it uses 10.42.0.0/24, with the NIC assigned 10.42.0.1 and routing as follows

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.9.1     0.0.0.0         UG    0      0        0 wlan0
10.42.0.0       0.0.0.0         255.255.255.0   U     1      0        0 ens1
192.168.9.0     0.0.0.0         255.255.255.0   U     9      0        0 wlan0
(The wlan0 addressing corresponds to my wireless network.)

It also launches dnsmasq (for DHCP/DNS), and sets up some masquerading rules for NAT

# iptables --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i ens1 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i ens1 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i ens1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i ens1 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -d 10.42.0.0/24 -o ens1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -i ens1 -j ACCEPT
-A FORWARD -i ens1 -o ens1 -j ACCEPT
-A FORWARD -o ens1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i ens1 -j REJECT --reject-with icmp-port-unreachable

> With this configuration, my computer have internet, and the other hardware can connect to powerwifi (the hotspot on eth0) easily (whithout creating a bridge or routing rules, maybe them are created automatically: I dont know!!) but the internet link on wlan0 is not stable, have a poor quality.
>
> That’s why I whant to make the same configuration using the wicked service.

I doubt using wicked will be the solution to any stability issues you have with internet sharing.
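The three things nrickert lists above (an address on the shared NIC, dnsmasq for DHCP/DNS, and masquerading) are what a wicked-managed eth0 would need done by hand. The script below is an added example, not code from this thread, from NetworkManager or from wicked; the interface names, the 10.42.0.0/24 range and the DHCP range are assumptions taken from the listings above, and `DRY_RUN=1` prints the commands instead of executing them so the plan can be reviewed without root.

```shell
#!/bin/sh
# Added example, not code from the thread, NetworkManager or wicked: the
# steps behind NM's "shared to other computers", done with plain tools so
# they can sit beside a wicked-managed eth0. LAN_IF, WAN_IF, LAN_ADDR,
# LAN_NET, DHCP_RANGE and DRY_RUN are this script's own assumptions.
set -eu

LAN_IF="${LAN_IF:-eth0}"                # toward the devices being served
WAN_IF="${WAN_IF:-wlan0}"               # upstream (internet) side
LAN_ADDR="${LAN_ADDR:-10.42.0.1}"       # same range NM picks, per the thread
LAN_PREFIX="${LAN_PREFIX:-24}"
LAN_NET="${LAN_NET:-10.42.0.0/24}"
DHCP_RANGE="${DHCP_RANGE:-10.42.0.10,10.42.0.254,12h}"
DRY_RUN="${DRY_RUN:-0}"                 # DRY_RUN=1 prints commands instead

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: a static address on the LAN side. This is what BOOTPROTO='dhcp'
# on eth0 cannot give you: nothing on that segment hands out leases, the
# Linux box is supposed to be the server there.
configure_lan_address() {
    run ip addr add "$LAN_ADDR/$LAN_PREFIX" dev "$LAN_IF"
    run ip link set "$LAN_IF" up
}

# Step 2: DHCP and DNS for the clients, the dnsmasq role NM starts itself.
# Clients are told to route and resolve through LAN_ADDR.
start_dnsmasq() {
    run dnsmasq --interface="$LAN_IF" --bind-interfaces \
        --except-interface=lo \
        --dhcp-range="$DHCP_RANGE" \
        --dhcp-option=option:router,"$LAN_ADDR" \
        --dhcp-option=option:dns-server,"$LAN_ADDR"
}

# Step 3: forwarding and NAT. The MASQUERADE rule lives in the nat table,
# which "iptables --list-rules" (filter table only) never shows; that is
# why the listings in this thread look as if they contain no NAT at all.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" ! -d "$LAN_NET" \
        -o "$WAN_IF" -j MASQUERADE
    # Only traffic from the shared range may leave via the uplink, and only
    # replies may come back in: nothing new from the uplink reaches clients.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$LAN_NET" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Let the clients reach the DHCP and DNS listener, nothing else.
    run iptables -A INPUT -i "$LAN_IF" -p udp --dport 67 -j ACCEPT
    run iptables -A INPUT -i "$LAN_IF" -p udp --dport 53 -j ACCEPT
    run iptables -A INPUT -i "$LAN_IF" -p tcp --dport 53 -j ACCEPT
}

share_connection() {
    configure_lan_address
    enable_forwarding
    start_dnsmasq
}

# Check: this is the table to compare against a working NM setup.
show_nat_rules() {
    run iptables -t nat -S POSTROUTING
}

# True when the text in $1 contains the fragment in $2 (used to inspect a
# dry-run plan).
plan_has() {
    case "$1" in *"$2"*) return 0 ;; *) return 1 ;; esac
}

case "${1:-}" in
    apply) share_connection ;;
    show)  show_nat_rules ;;
    *)     DRY_RUN=1; share_connection ;;   # default: print the plan
esac
```

Run it with no argument to see the plan, `sh share.sh apply` as root to apply it, and `sh share.sh show` to list the POSTROUTING rules; `iptables -t nat -S` is also the command to run on the NM side to see the masquerading rule that the filter-table listings above leave out. The FORWARD rules are deliberately narrower than "ACCEPT everything": they mirror what the NM listing does (clients out, established replies back), so the shared segment is not reachable from the captive-portal network.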

Wicked is not better for internet sharing, but it is for the wlan0 internet connection!!

Today I got a new wifi card; I will try with it and Network Manager and tell you.

On 2015-08-12 05:06, nrickert wrote:

> I’ve never used it, so I am guessing. It is probably similar to Windows
> connection sharing.
>
> To do similar in linux, you would need to do ip masquerading (which I
> also have never done).

I think I did it ages ago, to share the modem connection. It was a
setting in the susefirewall2 setup.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

Visibly there are many options: a bridge, routing rules or firewall rules, but the thing I want to know is what the KDE connection editor is doing when I create an eth0 shared connection with the “shared to other computers” IP option.

Even if this is working for the sharing part with Network Manager, wifi on wlan0 seems buggy on a hotspot connection (it disconnects every 4 or 5 minutes). That’s why I want to use the wicked service: the link quality is really better!

I thought I already hinted at that in my previous post. Check iptables as shown.

I come back, because this problem is not solved.

I have the same routes and iptables with wicked and Network Manager, but wicked is not working at all for the sharing part.

With wicked service I have:

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N forward_ext
-N forward_int
-N input_ext
-N input_int
-N reject_func
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A INPUT -i eth0 -j input_int
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0 -j forward_int
-A FORWARD -i wlan0 -j forward_ext
-A FORWARD -i wlp0s29f7u8 -j forward_ext
-A FORWARD -i wlp12s0 -j forward_ext
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_ext -m pkttype --pkt-type multicast -j DROP
-A forward_ext -m pkttype --pkt-type broadcast -j DROP
-A forward_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p udp -m limit --limit 3/min -m conntrack --ctstate NEW -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -j DROP
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_int -m pkttype --pkt-type multicast -j DROP
-A forward_int -m pkttype --pkt-type broadcast -j DROP
-A forward_int -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p udp -m limit --limit 3/min -m conntrack --ctstate NEW -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -j reject_func
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p udp -m udp --dport 32768:61000 -j ACCEPT
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -m conntrack --ctstate NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A input_int -j ACCEPT
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable

and for route:

Table de routage IP du noyau
Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
0.0.0.0         10.55.255.254   0.0.0.0         UG    0      0        0 wlp0s29f7u8
10.42.0.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.48.0.0       0.0.0.0         255.248.0.0     U     0      0        0 wlp0s29f7u8
10.48.0.0       0.0.0.0         255.248.0.0     U     0      0        0 wlp0s29f7u8 {This route is created twice by yast}

with network manager I have:

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N forward_ext
-N forward_int
-N input_ext
-N input_int
-N reject_func
-A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A INPUT -i eth0 -j input_int
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -d 10.42.0.0/24 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -i eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth0 -j ACCEPT
-A FORWARD -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0 -j forward_int
-A FORWARD -i wlan0 -j forward_ext
-A FORWARD -i wlp0s29f7u8 -j forward_ext
-A FORWARD -i wlp12s0 -j forward_ext
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_ext -m pkttype --pkt-type multicast -j DROP
-A forward_ext -m pkttype --pkt-type broadcast -j DROP
-A forward_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p udp -m limit --limit 3/min -m conntrack --ctstate NEW -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -j DROP
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_int -m pkttype --pkt-type multicast -j DROP
-A forward_int -m pkttype --pkt-type broadcast -j DROP
-A forward_int -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p udp -m limit --limit 3/min -m conntrack --ctstate NEW -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -j reject_func
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p udp -m udp --dport 32768:61000 -j ACCEPT
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -m conntrack --ctstate NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A input_int -j ACCEPT
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable

and for route:

Table de routage IP du noyau
Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
0.0.0.0         10.55.255.254   0.0.0.0         UG    0      0        0 wlp0s29f7u8
10.42.0.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.48.0.0       0.0.0.0         255.248.0.0     U     0      0        0 wlp0s29f7u8

The computers on the shared network are connected automatically to the internet using DHCP when I use Network Manager. But they can’t get an IP address when I use the wicked service, and they are not connected to the internet.

Any idea?

Can you drop the firewall temporarily and observe whether that makes a difference?

Even with the firewall disabled I have the same problem:

with the wicked service, the Linux computer can go to the internet but the other devices can’t. More info:

The Windows computer is connected and has an IP address:

http://nsa37.casimages.com/img/2015/09/02//150902033608644894.jpg

It can reach the linux computer 10.42.0.1 but not the gateway 10.55.255.254:

http://nsa37.casimages.com/img/2015/09/02/150902033605631500.jpg

My Android smartphone has no IP address:

http://nsa37.casimages.com/img/2015/09/02/150902033608284531.png

I don’t know where the problem is coming from!

With Network Manager, the Windows computer works well:

http://nsa38.casimages.com/img/2015/09/02/150902033604288387.jpg

It can reach internet, the gateway and the linux computer:

http://nsa37.casimages.com/img/2015/09/02/150902033607705945.jpg

And my phone is connected too automatically with DHCP:

http://nsa37.casimages.com/img/2015/09/02/150902033607904039.png

I hope this will help!

I can’t really offer any further advice with this as I only use NM (and as I demonstrated only a minimal iptables configuration was needed). I would review any differences with iptables packet filter rules that may be impacting here. If you believe it should be working via your configuration with wicked, then maybe a bug report is required.

On 2015-09-02 15:56, mandragore59va wrote:
>
> Even with the firewall disabled I have the same problem:
>
> with wicked service, the linux computer can go to internet but the
> others devices can’t. More info:
>
> The windows computer is connected, have an ip adress:
>
> [image:
> http://nsa37.casimages.com/img/2015/09/02//150902033608644894.jpg]
>
> It can reach the linux computer 10.42.0.1 but not the gateway
> 10.55.255.254:
>
> [image:
> http://nsa37.casimages.com/img/2015/09/02/150902033605631500.jpg]

The gateway is not 10.55.255.254, but 10.42.0.1, in those two photos.
And with a 255.255.255.0 mask you can not reach 10.55 from 10.42 without
a gateway. AND, the gateway must be in the same range as your current
address, which is 10.42.0.12.

On 2015-09-02 15:56, mandragore59va wrote:
>
> With network manager, the windows computer woks well :
>
> [image:
> http://nsa38.casimages.com/img/2015/09/02/150902033604288387.jpg]
>
> It can reach internet, the gateway and the linux computer:

See that it can ping 10.42.0.1, but not 10.55.255.254 – see my
explanation above.

> [image:
> http://nsa37.casimages.com/img/2015/09/02/150902033607705945.jpg]

Well, you do not show your settings in Windows. Hard to guess why it
works in this one.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

Actually, if internet sharing is working, then the device should be able to ping both the AP (gateway) and the default gateway on the device acting as the hotspot. For example, my iPhone can reach 10.42.0.1 and the hotspot’s default gateway 192.168.90.1, and of course the internet. NAT is often used for masquerading, but my NM-configured connection sets up the packet filtering like this

# iptables --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -d 10.42.0.0/24 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -i wlan0 -j ACCEPT
-A FORWARD -i wlan0 -o wlan0 -j ACCEPT
-A FORWARD -o wlan0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i wlan0 -j REJECT --reject-with icmp-port-unreachable