Bridging Wifi to Ethernet on a Raspberry Pi (from https://sureshjoshi.com/development/raspberry-pi-wifi-to-ethernet-bridge)
### This gist is a set of notes from this blog post: https://sureshjoshi.com/development/raspberry-pi-wifi-to-ethernet-bridge
###
### NOTE: This is not a runnable script. It is strictly a breakdown of the snippets from the blog article, not an automated script.
### For automation, refer to the Ansible role
###
### Some sets of commands below have been grouped between '# ---' marks so that a specific block can be copied and run at the command line
### Setup a Static IP
## Original instructions to set up a static IP address for the ethernet eth0 interface ...
# nano /etc/dhcpcd.conf
## Add these fields with your desired IP address
#> interface eth0
#> static ip_address=10.10.10.1/24
#> static routers=10.10.10.0
## Execute the following as the `root` user (i.e. execute `sudo su - ` after login to become `root`, then run the following):
# --- Copy the following commands between the '# ---' marks and paste them into an SSH terminal (running bash as `root`)
DATETIME=$(date -u +%F-%T) # Use DATETIME to avoid clobbering other backup files
cp -p /etc/dhcpcd.conf /etc/dhcpcd.conf.bkup.${DATETIME}
INTIPBLOCK="10.50.10" # This internal IP address block should be a non-routable private (RFC 1918) block such as 10.x.y.z or 172.16.y.z through 172.31.y.z
echo "
# Set eth0 interface to static address for local ethernet LAN to be bridged to the Internet via the Wifi wlan0 interface
interface eth0
static ip_address=${INTIPBLOCK}.1/24
static routers=${INTIPBLOCK}.0
" >> /etc/dhcpcd.conf
# ---
# Restarting dhcpcd can kill the Wifi connection, so you're probably just as well to reboot instead
service dhcpcd restart
## Probably should just reboot later (after the remaining steps) instead of running this command now ...
### Enable IPv4 Packet Forwarding
## Original instructions to set up IPv4 forwarding in the kernel ...
# nano /etc/sysctl.conf
# Uncomment this line or add it to the bottom
#> net.ipv4.ip_forward=1
# For immediate access (without a reboot)
sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
## Instead add this setting to the file /etc/sysctl.d/net-ipv4-ip-forward.conf
# --- Copy the following commands between the '# ---' marks and paste them into an SSH terminal (running bash as `root`)
echo "
# Enable IPv4 forwarding to route ip packets
net.ipv4.ip_forward=1
" > /etc/sysctl.d/net-ipv4-ip-forward.conf
# ---
### Use iptables to Setup Data Forwarding
## Original instructions to set up firewall rules - initially using iptables but then converting to netfilter-tables using nft ...
## Run these iptables commands, and then convert to nft syntax
# --- Copy the following commands between the '# ---' marks and paste them into an SSH terminal (running bash as `root`)
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
iptables -A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o wlan0 -j ACCEPT
### Ensure iptables Are Run On Boot -> although we are converting to nftables
# Save the rules we just added
iptables-save > /etc/iptables.ipv4-router.nat
## Convert the iptables syntax to nft syntax
mkdir -p /etc/nftables
iptables-restore-translate -f /etc/iptables.ipv4-router.nat > /etc/nftables/bridge-router.ipv4.ruleset.nat
# ---
## Back up the original /etc/nftables.conf file, then append an include statement that loads the new nft ruleset
# --- Copy the following commands between the '# ---' marks and paste them into an SSH terminal (running bash as `root`)
DATETIME=`date -u +%F-%T` # Use DATETIME to avoid clobbering other files
cp -p /etc/nftables.conf /etc/nftables.conf.bkup.${DATETIME}
echo '
include "/etc/nftables/bridge-router.ipv4.ruleset.nat"
' >> /etc/nftables.conf
systemctl enable --now nftables
# ---
## Confirm the nftables ruleset applied correctly by executing:
nft list ruleset
## nftables docs that were helpful
#
# * nftables Wiki: Moving from iptables to nftables
# * https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables
# * Red Hat Portal - Getting started with nftables:
# * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/getting-started-with-nftables_configuring-and-managing-networking
# * How to load nftables rules at boot?:
# * https://dev1galaxy.org/viewtopic.php?id=2889
## Original instructions to load the saved iptables rules at boot (superseded by the nftables service enabled above) ...
# nano /etc/rc.local
# Add this line to rc.local just before 'exit 0'
#> iptables-restore < /etc/iptables.ipv4-router.nat
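## Added example (not code from the gist or the blog post): a small sh script that emits the same rules
## in native nft syntax instead of going through iptables-restore-translate, with the forward chain's
## policy set to drop. The three iptables rules above leave the FORWARD chain at its default ACCEPT
## policy, so the RELATED,ESTABLISHED rule there restricts nothing; an explicit drop policy is what turns
## the forward rules into a real allow-list. The table name bridge_router, the function names and the
## numeric hook priorities (100 = srcnat, 0 = filter) are this example's own choices.

```shell
#!/bin/sh
# Added example, not the gist's or the blog's code: generate an nft-native
# ruleset equivalent to the page's iptables rules, but with "policy drop" on
# the forward chain so only LAN->WAN traffic and its replies are forwarded.
# Table name, function names and numeric priorities are this example's choices.

# gen_nft_ruleset WAN LAN: print the ruleset fragment to stdout.
#   WAN = interface with the upstream (Wifi) connection, e.g. wlan0
#   LAN = interface serving the bridged ethernet clients, e.g. eth0
gen_nft_ruleset() {
    wan="$1"
    lan="$2"
    cat <<EOF
# Generated by gen_nft_ruleset for WAN=$wan LAN=$lan
table ip bridge_router {
    chain postrouting {
        # priority 100 is the conventional srcnat priority
        type nat hook postrouting priority 100; policy accept;
        oifname "$wan" masquerade
    }
    chain forward {
        # priority 0 is the conventional filter priority; drop anything not listed
        type filter hook forward priority 0; policy drop;
        iifname "$wan" oifname "$lan" ct state related,established accept
        iifname "$lan" oifname "$wan" accept
    }
}
EOF
}

# count_accept_rules TEXT: number of rule lines in TEXT ending in "accept"
# (a quick sanity check that the allow-list has exactly the two expected entries;
# the "policy accept;" line ends in ";" and is not counted).
count_accept_rules() {
    printf '%s\n' "$1" | grep -c ' accept$'
}

# forward_policy_is_drop TEXT: succeed if TEXT (a ruleset file or the output of
# `nft list ruleset`) declares a forward-hook chain whose policy is drop. nft
# prints priorities either as names (e.g. "filter") or as numbers; both match.
forward_policy_is_drop() {
    printf '%s\n' "$1" | grep -q 'hook forward priority [a-z0-9-]*; policy drop;'
}

# Print the ruleset for the default interface names when run with --print.
if [ "${1:-}" = "--print" ]; then
    gen_nft_ruleset "${WAN:-wlan0}" "${LAN:-eth0}"
fi
```

## Usage: redirect the output of `sh thisfile.sh --print` into /etc/nftables/bridge-router.ipv4.ruleset.nat,
## syntax-check it with `nft -c -f /etc/nftables/bridge-router.ipv4.ruleset.nat`, restart nftables, then
## pipe `nft list ruleset` through forward_policy_is_drop (or just read it) to confirm the drop policy is live.
## `sysctl net.ipv4.ip_forward` should print 1 once the forwarding setting above has been applied.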
### Setup dnsmasq to Provide IP Addresses
apt-get install dnsmasq
## Add this dnsmasq config file to the /etc/dnsmasq.d/ directory - execute the commands between the '# ---' marks
# --- Copy the following commands between the '# ---' marks and paste them into an SSH terminal (running bash as `root`)
# *** This internal IP address block must match the INTIPBLOCK value used earlier for /etc/dhcpcd.conf (the 'Setup a Static IP' section) ***
INTIPBLOCK="10.50.10" # This internal IP address block should be a non-routable private (RFC 1918) block such as 10.x.y.z or 172.16.y.z through 172.31.y.z
DYNSTART="100"
DYNEND="200"
LEASETIMEOUT="12h"
echo "
interface=eth0 # Use interface eth0
listen-address=${INTIPBLOCK}.1 # Specify the address to listen on (static ip_address from dhcpcd.conf)
domain-needed # Dont forward short names
bogus-priv # Drop the non-routed address spaces.
dhcp-range=${INTIPBLOCK}.${DYNSTART},${INTIPBLOCK}.${DYNEND},${LEASETIMEOUT} # IP range and lease time (setting .100 to .200 as possible IPs)
" > /etc/dnsmasq.d/bridge-router.ipv4.dhcp
service dnsmasq restart
# ---
## Original instructions from the blog post ...
# nano /etc/dnsmasq.conf
# Replace the contents of dnsmasq.conf with this
#> interface=eth0 # Use interface eth0
#> listen-address=10.10.10.1 # Specify the address to listen on (static ip_address from dhcpcd.conf)
#> domain-needed # Don't forward short names
#> bogus-priv # Drop the non-routed address spaces.
#> dhcp-range=10.10.10.100,10.10.10.200,12h # IP range and lease time (setting .100 to .200 as possible IPs)
#service dnsmasq restart
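## Added example (not code from the gist or the blog post): a sh script that checks the INTIPBLOCK value
## is really a private block and that the dhcpcd and dnsmasq settings written above agree with each other
## (same listen address, DHCP pool inside the same /24, pool not overlapping the router's own address)
## before the services are restarted. The two sample config texts are constructed for this example and the
## function names are its own; with --check it reads the live /etc/dhcpcd.conf and the dnsmasq drop-in.

```shell
#!/bin/sh
# Added example, not the gist's or the blog's code: validate the INTIPBLOCK
# value and confirm that what was written to /etc/dhcpcd.conf and to the
# dnsmasq drop-in agree before restarting the services. The two sample config
# texts are constructed for this example; the function names are its own.

# Constructed samples mirroring what the two echo blocks on this page produce.
SAMPLE_DHCPCD='interface eth0
static ip_address=10.50.10.1/24
static routers=10.50.10.0'

SAMPLE_DNSMASQ='interface=eth0 # Use interface eth0
listen-address=10.50.10.1 # Specify the address to listen on
domain-needed
bogus-priv
dhcp-range=10.50.10.100,10.50.10.200,12h # IP range and lease time'

# check_intipblock BLOCK: succeed only if BLOCK is the first three octets of an
# RFC 1918 network (10/8, 172.16/12 or 192.168/16), each octet in 0-255.
check_intipblock() {
    block="$1"
    case "$block" in
        ''|.*|*.|*..*) return 1 ;;      # empty, or leading/trailing/double dot
    esac
    oldifs="$IFS"
    IFS=.
    set -- $block                       # split into $1 $2 $3 on dots
    IFS="$oldifs"
    [ "$#" -eq 3 ] || return 1
    for octet in "$@"; do
        case "$octet" in *[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    case "$1.$2" in
        10.*|172.1[6-9]|172.2[0-9]|172.3[01]|192.168) return 0 ;;
    esac
    return 1
}

# cfg_value TEXT KEY: print the value of the first "KEY=value" line in TEXT,
# dropping any trailing "# comment" and surrounding whitespace.
cfg_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=\([^#]*\).*/\1/p" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_lan_config DHCPCD_TEXT DNSMASQ_TEXT: succeed only if dnsmasq listens on
# the static address dhcpcd gives eth0, that address is in a private block, the
# DHCP pool lies in the same /24, and the pool excludes the router's own address.
check_lan_config() {
    static=$(cfg_value "$1" "static ip_address")  # e.g. 10.50.10.1/24
    addr="${static%/*}"                            # 10.50.10.1
    prefix="${addr%.*}"                            # 10.50.10
    host="${addr##*.}"                             # 1
    listen=$(cfg_value "$2" "listen-address")
    range=$(cfg_value "$2" "dhcp-range")           # start,end,lease
    start="${range%%,*}"
    end="${range#*,}"
    end="${end%%,*}"
    [ -n "$addr" ] && [ "$listen" = "$addr" ] || return 1
    check_intipblock "$prefix" || return 1
    [ "${start%.*}" = "$prefix" ] && [ "${end%.*}" = "$prefix" ] || return 1
    lo="${start##*.}"
    hi="${end##*.}"
    case "$lo$hi$host" in ''|*[!0-9]*) return 1 ;; esac
    [ "$lo" -le "$hi" ] || return 1
    [ "$host" -lt "$lo" ] || [ "$host" -gt "$hi" ] || return 1
    return 0
}

# Run against the live files: sh thisfile.sh --check
# (uses the first "static ip_address" in dhcpcd.conf, i.e. the eth0 stanza above)
if [ "${1:-}" = "--check" ]; then
    dhcpcd=$(cat /etc/dhcpcd.conf)
    dnsmasq=$(cat /etc/dnsmasq.d/bridge-router.ipv4.dhcp)
    if check_lan_config "$dhcpcd" "$dnsmasq"; then
        echo "dhcpcd and dnsmasq settings agree"
    else
        echo "mismatch between /etc/dhcpcd.conf and the dnsmasq drop-in" >&2
        exit 1
    fi
fi
```

## Usage: run `sh thisfile.sh --check` as root after the two echo blocks and before `service dnsmasq restart`;
## a non-zero exit means the listen address, the /24 or the pool boundaries do not line up and dnsmasq
## would either fail to bind or hand out leases for a network the Pi does not route.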