From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from lists.gentoo.org ([140.105.134.102] helo=robin.gentoo.org) by nuthatch.gentoo.org with esmtp (Exim 4.43) id 1E4AGz-0003gJ-Vx for garchives@archives.gentoo.org; Sun, 14 Aug 2005 04:39:02 +0000 Received: from robin.gentoo.org (localhost [127.0.0.1]) by robin.gentoo.org (8.13.4/8.13.4) with SMTP id j7E4ceT4020647; Sun, 14 Aug 2005 04:38:40 GMT Received: from smtp.gentoo.org (smtp.gentoo.org [134.68.220.30]) by robin.gentoo.org (8.13.4/8.13.4) with ESMTP id j7E4cdv6031041 for ; Sun, 14 Aug 2005 04:38:40 GMT Message-Id: <200508140438.j7E4cdv6031041@robin.gentoo.org> Received: from lark.gentoo.osuosl.org ([140.211.166.177] helo=lark.gentoo.org) by smtp.gentoo.org with smtp (Exim 4.43) id 1E4AGs-0003y1-C8 for gentoo-doc-cvs@lists.gentoo.org; Sun, 14 Aug 2005 04:38:54 +0000 Received: by lark.gentoo.org (sSMTP sendmail emulation); Sun, 14 Aug 2005 04:38:49 +0000 
From: "vapier" Date: Sun, 14 Aug 2005 04:38:49 +0000 To: gentoo-doc-cvs@lists.gentoo.org Subject: [gentoo-doc-cvs] cvs commit: home-router-howto.xml Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-doc-cvs@gentoo.org Reply-to: docs-team@lists.gentoo.org X-Archives-Salt: f39e9595-0e90-4751-b480-9e1e7e16e46a X-Archives-Hash: 6aebbc50b29d1af7149a48f1d774ec13 vapier 05/08/14 04:38:49 Modified: xml/htdocs/doc/en home-router-howto.xml Log: replace eth0 with $LAN and eth1 with $WAN and rename Debugging section to Troubleshooting #102450 by Arnold Miller Revision Changes Path 1.30 +35 -27 xml/htdocs/doc/en/home-router-howto.xml file : http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/home-router-howto.xml?rev=1.30&content-type=text/x-cvsweb-markup&cvsroot=gentoo plain: http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/home-router-howto.xml?rev=1.30&content-type=text/plain&cvsroot=gentoo diff : http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/home-router-howto.xml.diff?r1=1.29&r2=1.30&cvsroot=gentoo Index: home-router-howto.xml =================================================================== RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/home-router-howto.xml,v retrieving revision 1.29 retrieving revision 1.30 diff -u -r1.29 -r1.30 --- home-router-howto.xml 4 Aug 2005 00:18:20 -0000 1.29 +++ home-router-howto.xml 14 Aug 2005 04:38:48 -0000 1.30 @@ -1,5 +1,5 @@ - + @@ -15,8 +15,8 @@ for connecting your home network to the internet. -1.9 -2005-08-03 +1.10 +2005-08-14 Introduction @@ -206,7 +206,7 @@ # nano /etc/conf.d/net Add an entry for config_eth1 and set it to adsl: config_eth1=( "adsl" ) -# ln -s net.eth0 /etc/init.d/net.eth1 +# ln -s net.lo /etc/init.d/net.eth1 # rc-update add net.eth1 default # /etc/init.d/net.eth1 start 
@@ -247,7 +247,7 @@ nameserver 123.123.123.123 Dynamic and Static Setup: -# ln -s net.eth0 /etc/init.d/net.eth1 +# ln -s net.lo /etc/init.d/net.eth1 # rc-update add net.eth1 default # /etc/init.d/net.eth1 start @@ -413,24 +413,28 @@ # iptables -F # iptables -t nat -F +Copy and paste these examples ... +# export LAN=eth0 +# export WAN=eth1 + Then we lock our services so they only work from the LAN -# iptables -I INPUT 1 -i eth0 -j ACCEPT +# iptables -I INPUT 1 -i ${LAN} -j ACCEPT # iptables -I INPUT 1 -i lo -j ACCEPT -# iptables -A INPUT -p UDP --dport bootps -i ! eth0 -j REJECT -# iptables -A INPUT -p UDP --dport domain -i ! eth0 -j REJECT +# iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT +# iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT (Optional) Allow access to our ssh server from the WAN -# iptables -A INPUT -p TCP --dport ssh -i eth1 -j ACCEPT +# iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT Drop TCP / UDP packets to privileged ports -# iptables -A INPUT -p TCP -i ! eth0 -d 0/0 --dport 0:1023 -j DROP -# iptables -A INPUT -p UDP -i ! eth0 -d 0/0 --dport 0:1023 -j DROP +# iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP +# iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP Finally we add the rules for NAT -# iptables -I FORWARD -i eth0 -d 192.168.0.0/255.255.0.0 -j DROP -# iptables -A FORWARD -i eth0 -s 192.168.0.0/255.255.0.0 -j ACCEPT -# iptables -A FORWARD -i eth1 -d 192.168.0.0/255.255.0.0 -j ACCEPT -# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE +# iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP +# iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT +# iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT +# iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE Tell the kernel that ip forwarding is OK # echo 1 > /proc/sys/net/ipv4/ip_forward # for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done @@ -486,7 +490,7 @@
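Review bot: The new `export LAN=eth0` / `export WAN=eth1` lines make every rule in the @@ -413 hunk depend on those two variables being set in the same shell, yet the sentence introducing them stops short at `Copy and paste these examples ...`; a reader who pastes only the iptables lines into a firewall script ends up with `-i -j ACCEPT`-style commands that, as far as I can tell, iptables rejects, so the ruleset is installed only up to the first failing line. Suggest completing the sentence, e.g. `Copy and paste these examples after setting LAN and WAN to your interface names; if you keep the rules in a script, define both variables at the top of it.` The default values also deserve a caveat: the @@ -206 hunk configures eth1 as an `adsl` interface, in which case the interface that carries IP traffic is presumably the ppp link rather than eth1, so `WAN=eth1` would leave the MASQUERADE rule and the `-i ! ${LAN}` filters not matching that traffic — worth one sentence next to `export WAN=eth1`. The same two points apply to the port-forwarding hunk (@@ -494, which repeats the export lines) and to the qmail hunk (@@ -760).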

All the port forwarding rules are of the form iptables -t nat -A PREROUTING -[-p protocol] --dport [external port on router] -i eth1 -j DNAT --to [ip/port +[-p protocol] --dport [external port on router] -i ${WAN} -j DNAT --to [ip/port to forward to]. iptables does not accept hostnames when port forwarding. If you are forwarding an external port to the same port on the internal machine, you can omit the destination port. See the iptables(8) page for more @@ -494,29 +498,33 @@

+Copy and paste these examples ...
+# export LAN=eth0
+# export WAN=eth1
+
 Forward port 2 to ssh on an internal host
-# iptables -t nat -A PREROUTING -p tcp --dport 2 -i eth1 -j DNAT --to 192.168.0.2:22
+# iptables -t nat -A PREROUTING -p tcp --dport 2 -i ${WAN} -j DNAT --to 192.168.0.2:22
 
 FTP forwarding to an internal host
-# iptables -t nat -A PREROUTING -p tcp --dport 21 -i eth1 -j DNAT --to 192.168.0.56
+# iptables -t nat -A PREROUTING -p tcp --dport 21 -i ${WAN} -j DNAT --to 192.168.0.56
 
 HTTP forwarding to an internal host
-# iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 -j DNAT --to 192.168.0.56
+# iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to 192.168.0.56
 
 VNC forwarding for internal hosts
-# iptables -t nat -I PREROUTING -p tcp --dport 5900 -i eth1 -j DNAT --to 192.168.0.2
-# iptables -t nat -I PREROUTING -p tcp --dport 5901 -i eth1 -j DNAT --to 192.168.0.3:5900
+# iptables -t nat -I PREROUTING -p tcp --dport 5900 -i ${WAN} -j DNAT --to 192.168.0.2
+# iptables -t nat -I PREROUTING -p tcp --dport 5901 -i ${WAN} -j DNAT --to 192.168.0.3:5900
 If you want to VNC in to 192.168.0.3, then just add ':1' to the router's hostname
 
 Bittorrent forwarding
-# iptables -t nat -A PREROUTING -p tcp --dport 6881:6889 -i eth1 -j DNAT --to 192.168.0.2
+# iptables -t nat -A PREROUTING -p tcp --dport 6881:6889 -i ${WAN} -j DNAT --to 192.168.0.2
 
 Game Cube Warp Pipe support
-# iptables -t nat -A PREROUTING -p udp --dport 4000 -i eth1 -j DNAT --to 192.168.0.56
+# iptables -t nat -A PREROUTING -p udp --dport 4000 -i ${WAN} -j DNAT --to 192.168.0.56
 
 Playstation2 Online support
-# iptables -t nat -A PREROUTING -p tcp --dport 10070:10080 -i eth1 -j DNAT --to 192.168.0.11
-# iptables -t nat -A PREROUTING -p udp --dport 10070:10080 -i eth1 -j DNAT --to 192.168.0.11
+# iptables -t nat -A PREROUTING -p tcp --dport 10070:10080 -i ${WAN} -j DNAT --to 192.168.0.11
+# iptables -t nat -A PREROUTING -p udp --dport 10070:10080 -i ${WAN} -j DNAT --to 192.168.0.11
 
@@ -760,7 +768,7 @@ # emerge qmail make sure the output of `hostname` is correct # ebuild /var/db/pkg/*-*/qmail-1.03-r*/*.ebuild config -# iptables -I INPUT -p tcp --dport smtp -i ! eth0 -j REJECT +# iptables -I INPUT -p tcp --dport smtp -i ! ${LAN} -j REJECT # ln -s /var/qmail/supervise/qmail-send /service/qmail-send # ln -s /var/qmail/supervise/qmail-smtpd /service/qmail-smtpd