Wireless access point with hostapd on Debian
hostapd is a user space daemon for access point and authentication servers. It implements IEEE 802.11 access point management, IEEE 802.1X/WPA/WPA2/EAP Authenticators and RADIUS authentication server. The current version supports Linux (Host AP, mac80211-based drivers) and FreeBSD (net80211). Configure network traffic routing and Network Address Translation (NAT) using
Configure the system to forward packets from one network interface to another, applying NAT to the packets going out of the
Network configuration where the system is intended to function as a router or gateway between two networks (e.g., forwarding packets from a Wi-Fi network to an Ethernet network).
kali@kali:~$ sudo iptables -t nat -F
kali@kali:~$ sudo iptables -F
kali@kali:~$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
kali@kali:~$ sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
kali@kali:~$ echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward # (DNS, dhcp still required)
1. sudo iptables -t nat -F
- iptables is a command-line utility used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel.
- -t nat specifies the NAT table, one of the several tables in the iptables utility, used for network address translation.
- -F stands for ‘flush’, which clears or deletes all the rules in the selected table (in this case, the NAT table).
- Essentially, this command clears all NAT rules that may have been previously set up.
2. sudo iptables -F
- The -F command is used without the -t option, which means it applies to the default filter table.
- This command clears all the rules in the filter table, which is responsible for packet filtering.
3. sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
- -A POSTROUTING adds a rule to the POSTROUTING chain. The POSTROUTING chain is used for altering packets after they have been routed.
- -o eth0 specifies the outgoing network interface, eth0 in this case.
- -j MASQUERADE sets the MASQUERADE target. This is used for NAT. It enables IP masquerading, which hides your private IP address behind the public IP address of your network interface (here, eth0). It’s often used in situations where your IP address is dynamically assigned, such as a dial-up or DSL connection.
This command sets up NAT for packets going out of the
4. sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
- -A FORWARD adds a rule to the FORWARD chain. The FORWARD chain is used for packets that are being routed through the device.
- -i wlan0 specifies the incoming interface, wlan0 in this case.
- -o eth0 specifies the outgoing interface, eth0.
- -j ACCEPT means that these packets will be accepted and forwarded from
- This command is typically part of configuring the device to act as a router or gateway, forwarding packets from one interface to another.
5. echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
- /proc/sys/net/ipv4/ip_forward is a system file that controls the IP forwarding setting of the kernel. When this is set to 1, it enables the system to forward IP packets from one network to another, effectively functioning as a router.
- echo 1 outputs 1, and the | sudo tee part is used to write this value into the ip_forward file with the necessary permissions.
- This command is crucial for enabling IP forwarding, allowing the system to route packets between interfaces.
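The flush commands above delete rules but do not reset chain policies, so with the usual ACCEPT policy on FORWARD the wlan0-to-eth0 rule changes nothing and the box routes between all interfaces. The script below is an added example, not part of the original page: it audits an iptables-save dump for that and for a missing stateful return rule. The function names are hypothetical and the embedded ruleset is a constructed sample of what the five commands leave behind, assuming default ACCEPT policies.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.
# Constructed sample: iptables-save view of the page's rules, default policies.
page_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Same gateway with default-drop forwarding and a stateful return rule.
hardened_rules() {
  page_rules | awk '
    /^:FORWARD / { $2 = "DROP" }
    /^-A FORWARD -i wlan0/ {
      print "-A FORWARD -i eth0 -o wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" }
    { print }'
}

# audit_rules [LAN] [WAN] < dump: one finding per line, exit status 1 if any.
audit_rules() {
  lan=${1:-wlan0} wan=${2:-eth0}
  awk -v lan="$lan" -v wan="$wan" '
    /^:FORWARD ACCEPT/ { print "FORWARD policy is ACCEPT: any interface pair is routed"; bad++ }
    /^-A FORWARD/ && /--ctstate/ && /ESTABLISHED/ && $0 ~ ("-i " wan " ") { ret = 1 }
    /^-A FORWARD/ && /-j ACCEPT/ && $0 ~ ("-i " lan " ") { out = 1 }
    /^-A POSTROUTING/ && /-j MASQUERADE/ && !/ -o / {
      print "MASQUERADE rule is not bound to an outgoing interface"; bad++ }
    END {
      if (out && !ret) {
        print "no ESTABLISHED,RELATED rule for replies from " wan " to " lan; bad++ }
      exit (bad > 0)
    }'
}

# Stand-alone run: audit both rulesets.
echo "page ruleset:";     page_rules | audit_rules || true
echo "hardened ruleset:"; hardened_rules | audit_rules && echo "no findings"
```

To check a live system, pipe `sudo iptables-save` into `audit_rules`.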