I am sorry for this post; it is mostly a brain dump because I had a horrible time getting this to work on Artful, and I want to store the steps somewhere for when I will inevitably need them again in the future.
Connection sharing is usually pretty trivial to set up, but boy does it get nasty when there's more than one. I spent hours on this.
Packages required: dnsmasq
Setup:
- enp3s0: connected to upstream Internet. The edge router is another Artful machine sharing a connection by cable and getting Internet from WiFi. The network is 10.43.0.0/24
- enp2s0: local network shared by cable (10.2.2.0/24)
- wlp1s0: local network shared by WiFi (10.66.0.0/24)
Firewall rules have to look like this:
ouroumov@ToyBox:~$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i wlp1s0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i wlp1s0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i wlp1s0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i wlp1s0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i enp2s0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i enp2s0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i enp2s0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i enp2s0 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -d 10.66.0.0/24 -o wlp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.66.0.0/24 -i wlp1s0 -j ACCEPT
-A FORWARD -i wlp1s0 -o wlp1s0 -j ACCEPT
-A FORWARD -o wlp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i wlp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 10.2.2.0/24 -o enp2s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.2.2.0/24 -i enp2s0 -j ACCEPT
-A FORWARD -i enp2s0 -o enp2s0 -j ACCEPT
-A FORWARD -o enp2s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i enp2s0 -j REJECT --reject-with icmp-port-unreachable
Shared interfaces might have to be configured manually sometimes, dunno why.
root@ToyBox:~# ifconfig wlp1s0 10.66.0.1 netmask 255.255.255.0
root@ToyBox:~# ifconfig enp2s0 10.2.2.1 netmask 255.255.255.0
Finally, route -n has to look something like this:
ouroumov@ToyBox:~$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.43.0.1       0.0.0.0         UG    100    0        0 enp3s0
10.2.2.0        0.0.0.0         255.255.255.0   U     0      0        0 enp2s0
10.43.0.0       0.0.0.0         255.255.255.0   U     100    0        0 enp3s0
10.66.0.0       0.0.0.0         255.255.255.0   U     0      0        0 wlp1s0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 enp2s0
Not sure where that 169.254.0.0 entry comes from. It's just bloody there.
Oh, almost forgot: of course you gotta configure dnsmasq to serve as a DHCP server for the two interfaces:
nano /etc/dnsmasq.conf
Inside that file:
# enp2s0 itself is 10.2.2.1, so the pool starts at .2
dhcp-range=interface:enp2s0,10.2.2.2,10.2.2.254,72h
# wlp1s0 itself is 10.66.0.1; the pool must not include the interface's own address
dhcp-range=interface:wlp1s0,10.66.0.2,10.66.0.254,72h
Then of course,
root@ToyBox:~# systemctl enable dnsmasq.service
root@ToyBox:~# systemctl start dnsmasq.service
Some of the steps will likely have to be repeated after reboot, I'm not looking forward to testing that hypothesis. xD
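Since several of these steps apparently need redoing after a reboot, here is a small checker I'd keep next to these notes. It is an added example, not code from the original post: it parses `iptables -S` output and verifies that each shared interface has the full set of INPUT (DHCP/DNS) and FORWARD rules shown above, that the per-interface ACCEPTs come before the catch-all REJECTs (iptables is first-match, so a REJECT placed earlier silently shadows them), and that each dnsmasq `dhcp-range` lies inside the interface's subnet and does not hand out the gateway's own address. The sample ruleset and the interface addresses are constructed from the values in the post; the interface names and subnets passed to `audit()` are whatever your box uses.

```python
"""Sanity checks for a two-interface connection-sharing box (added example).

Reads `iptables -S` text (filter table only; NAT lives in `iptables -t nat -S`
and is not checked here) plus dnsmasq dhcp-range lines and reports problems.
"""
import ipaddress
import re

# Constructed sample: the filter-table ruleset as `iptables -S` prints it.
SAMPLE_IPTABLES = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i wlp1s0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i wlp1s0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i wlp1s0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i wlp1s0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i enp2s0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i enp2s0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i enp2s0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i enp2s0 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -d 10.66.0.0/24 -o wlp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.66.0.0/24 -i wlp1s0 -j ACCEPT
-A FORWARD -i wlp1s0 -o wlp1s0 -j ACCEPT
-A FORWARD -o wlp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i wlp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 10.2.2.0/24 -o enp2s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.2.2.0/24 -i enp2s0 -j ACCEPT
-A FORWARD -i enp2s0 -o enp2s0 -j ACCEPT
-A FORWARD -o enp2s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i enp2s0 -j REJECT --reject-with icmp-port-unreachable
"""

# Constructed: the addresses assigned to the shared interfaces with ifconfig.
GATEWAYS = {"enp2s0": "10.2.2.1/24", "wlp1s0": "10.66.0.1/24"}

DHCP_RANGE_RE = re.compile(r"^dhcp-range=interface:([^,]+),([\d.]+),([\d.]+)(?:,(.*))?$")


def required_rules(iface: str, subnet: str) -> list[str]:
    """The per-interface rules a shared connection needs, spelled as `iptables -S` prints them."""
    rules = [f"-A INPUT -i {iface} -p {proto} -m {proto} --dport {port} -j ACCEPT"
             for port in (67, 53) for proto in ("udp", "tcp")]
    rules += [
        f"-A FORWARD -d {subnet} -o {iface} -m state --state RELATED,ESTABLISHED -j ACCEPT",
        f"-A FORWARD -s {subnet} -i {iface} -j ACCEPT",
        f"-A FORWARD -i {iface} -o {iface} -j ACCEPT",
        f"-A FORWARD -o {iface} -j REJECT --reject-with icmp-port-unreachable",
        f"-A FORWARD -i {iface} -j REJECT --reject-with icmp-port-unreachable",
    ]
    return rules


def missing_rules(iptables_s: str, iface: str, subnet: str) -> list[str]:
    """Rules from required_rules() that do not appear verbatim in the `iptables -S` dump."""
    present = {line.strip() for line in iptables_s.splitlines()}
    return [rule for rule in required_rules(iface, subnet) if rule not in present]


def forward_order_ok(iptables_s: str, iface: str) -> bool:
    """True if, within FORWARD, no ACCEPT for iface comes after a REJECT for iface.

    iptables stops at the first match, so a REJECT placed above the ACCEPTs
    makes the ACCEPTs dead rules even though `iptables -S` still lists them.
    """
    mine = [line.strip() for line in iptables_s.splitlines()
            if line.startswith("-A FORWARD")
            and re.search(rf"\s-[io] {re.escape(iface)}(\s|$)", line)]
    first_reject = next((i for i, line in enumerate(mine) if "-j REJECT" in line), len(mine))
    return all("-j REJECT" in line for line in mine[first_reject:])


def check_dhcp_range(line: str, gateways: dict[str, str]) -> list[str]:
    """Problems with one dnsmasq dhcp-range line, given iface -> 'addr/prefix' of the gateway."""
    m = DHCP_RANGE_RE.match(line.strip())
    if not m:
        return [f"unparsed dhcp-range line: {line.strip()!r}"]
    iface, start, end, _lease = m.groups()
    if iface not in gateways:
        return [f"{iface}: no gateway address configured"]
    gw = ipaddress.ip_interface(gateways[iface])
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    problems = []
    if lo > hi:
        problems.append(f"{iface}: range start {start} is above end {end}")
    if lo not in gw.network or hi not in gw.network:
        problems.append(f"{iface}: range {start}-{end} is not inside {gw.network}")
    if lo <= gw.ip <= hi:
        problems.append(f"{iface}: range includes the interface's own address {gw.ip}")
    return problems


def audit(iptables_s: str, dhcp_lines: list[str], gateways: dict[str, str]) -> list[str]:
    """Run every check for every shared interface and return the list of findings."""
    findings = []
    for iface, addr in gateways.items():
        subnet = str(ipaddress.ip_interface(addr).network)
        findings += [f"{iface}: missing rule {rule}" for rule in missing_rules(iptables_s, iface, subnet)]
        if not forward_order_ok(iptables_s, iface):
            findings.append(f"{iface}: a FORWARD REJECT precedes an ACCEPT, shadowing it")
    for line in dhcp_lines:
        findings += check_dhcp_range(line, gateways)
    return findings


if __name__ == "__main__":
    # Constructed dhcp-range lines; the wlp1s0 pool deliberately starts at the gateway address.
    ranges = ["dhcp-range=interface:enp2s0,10.2.2.2,10.2.2.254,72h",
              "dhcp-range=interface:wlp1s0,10.66.0.1,10.66.0.254,72h"]
    for finding in audit(SAMPLE_IPTABLES, ranges, GATEWAYS) or ["all checks passed"]:
        print(finding)
```

On a live box, feed it `subprocess.check_output(["iptables", "-S"], text=True)` and the `dhcp-range` lines grepped out of `/etc/dnsmasq.conf`. One thing the order check makes visible about the ruleset above: because the two REJECTs for each interface are catch-alls, a new connection from the cable LAN to the WiFi LAN hits `-o wlp1s0 -j REJECT` before any enp2s0 rule is consulted, whereas the reverse direction is accepted by `-s 10.66.0.0/24 -i wlp1s0 -j ACCEPT`; the two shared LANs are therefore only half-isolated from each other, which is worth knowing if one of them is the less trusted side.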