@2c184d53 Apologies if I'm missing something because it's late and I'm tired, but I think the related/established rule might be the wrong way around. You want to allow FORWARDing only related/established from wlan0 to eth0 but you want to FORWARD/ACCEPT all outgoing connections from eth0 to wlan0.