* [gentoo-user] Setting up a home router
From: Daniel Pielmeier @ 2007-01-14 19:27 UTC
To: gentoo-user

Hi,

I have a similar problem to Dale's in this thread, [gentoo-user] Need help networking two machines, but I think it is not exactly the same.

I was trying to set up a home router following the gentoo-home-router-guide
http://www.gentoo.org/doc/de/home-router-howto.xml
with shorewall as firewall following the two-interfaces-guide
http://www.shorewall.net/two-interface.htm.

I can connect from the router to the internet.
I can log in from the router to the desktop per ssh and back.
I have set up an rsync on the router and rsync works from the desktop.
I have set up dnsmasq on the server and dns is working on the desktop.
I can ping between router and desktop and from the router to the internet.

I have set up an ntp on the router but ntp from the desktop gives me:
14 Jan 20:25:53 ntpdate[31522]: no server suitable for synchronization found

I can't ping from the desktop to the internet.
ping www.gentoo.org
PING www.gentoo.org (38.99.64.202) 56(84) bytes of data.

--- www.gentoo.org ping statistics ---
13 packets transmitted, 0 received, 100% packet loss, time 11999ms

As you can see the address is resolved but I get 100% packet loss.
Until now I have spent much time on these issues, so I hope to solve these problems with your help.
I have added the configurations which may help you to discover my problem below. First the router configuration and then the desktop configuration.
I hope I did not forget anything as it is very much, but if anything you need is missing please ask for it.

Thanks Daniel

> router: gentoo-vdr configuration

lspci
eth0 02:01.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8169 Gigabit Ethernet (rev 10)
eth1 02:06.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10)

ifconfig
eth0      Link encap:Ethernet  HWaddr 00:11:F0:00:0D:96
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:198008 errors:0 dropped:0 overruns:0 frame:0
          TX packets:194409 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:50101373 (47.7 Mb)  TX bytes:129993047 (123.9 Mb)
          Interrupt:18 Base address:0xc000

eth1      Link encap:Ethernet  HWaddr 00:10:DC:2B:D4:CF
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:77637 errors:0 dropped:0 overruns:0 frame:0
          TX packets:63189 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:93609244 (89.2 Mb)  TX bytes:7282392 (6.9 Mb)
          Interrupt:19

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1236 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1236 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:86198 (84.1 Kb)  TX bytes:86198 (84.1 Kb)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:88.67.24.46  P-t-P:88.67.16.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:163 errors:0 dropped:0 overruns:0 frame:0
          TX packets:118 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:12249 (11.9 Kb)  TX bytes:8557 (8.3 Kb)

route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
dslb-088-067-01 *               255.255.255.255 UH    0      0        0 ppp0
localhost       *               255.255.255.0   U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         dslb-088-067-01 0.0.0.0         UG    0      0        0 ppp0

shorewall-config

/etc/shorewall/interfaces
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     ppp0            -               tcpflags,norfc1918
loc     eth0            detect          tcpflags,detectnets

/etc/shorewall/masq
#INTERFACE              SUBNET          ADDRESS         PROTO   PORT(S) IPSEC
ppp0                    eth0

/etc/shorewall/policy
#SOURCE DEST    POLICY  LOG     LIMIT:BURST
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# on your firewall, change the loc to net policy to REJECT info.
loc     net     ACCEPT
loc     $FW     REJECT  info
loc     all     REJECT  info
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.
$FW     net     ACCEPT
$FW     loc     REJECT  info
$FW     all     REJECT  info
# Policies for traffic originating from the Internet zone (net)
#
net     $FW     DROP    info
net     loc     DROP    info
net     all     DROP    info
# THE FOLLOWING POLICY MUST BE LAST
all     all     REJECT  info

/etc/shorewall/rules
#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/
#                               PORT    PORT(S) DEST            LIMIT   GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
ACCEPT  loc     $FW     tcp     22
ACCEPT  $FW     loc     tcp     22
ACCEPT  loc     $FW     udp     123
REJECT  net     $FW     icmp    8

/etc/shorewall/zones
#ZONE   TYPE    OPTIONS         IN              OUT
#                               OPTIONS         OPTIONS
fw      firewall
net     ipsec
loc     ipsec

/etc/shorewall/shorewall.conf
I have changed this from the default values:
IP_FORWARDING=On
CLAMPMSS=Yes

/etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.ip_dynaddr = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1

/etc/conf.d/net
config_eth1="adsl"
user_eth1="xxxxxxxxxx"
dns_domain_eth1=(linux )
config_eth0=( "192.168.0.1 broadcast 192.168.0.255 netmask 255.255.255.0" )
dns_domain_eth0=(linux )

/etc/conf.d/hostname
HOSTNAME="gentoo-vdr"

/etc/hosts
127.0.0.1       localhost
192.168.0.1     gentoo-vdr.linux gentoo-vdr
192.168.0.2     gentoo.linux gentoo
::1             localhost

> desktop: gentoo configuration

lspci
eth0 02:01.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8169 Gigabit Ethernet (rev 10)

ifconfig
eth0      Link encap:Ethernet  HWaddr 00:13:8F:D5:C4:C0
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::213:8fff:fed5:c4c0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:194469 errors:0 dropped:0 overruns:0 frame:0
          TX packets:198256 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:129998303 (123.9 Mb)  TX bytes:50122357 (47.8 Mb)
          Interrupt:17 Base address:0xc000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:129 errors:0 dropped:0 overruns:0 frame:0
          TX packets:129 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:9816 (9.5 Kb)  TX bytes:9816 (9.5 Kb)

route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         gentoo-vdr.linu 0.0.0.0         UG    0      0        0 eth0

/etc/conf.d/net
config_eth0=( "192.168.0.2 broadcast 192.168.0.255 netmask 255.255.255.0" )
routes_eth0=("default via 192.168.0.1")
dns_domain_eth0=(linux )
dns_servers_eth0="192.168.0.1"
ntp_servers_eth0="192.168.0.1"

/etc/hosts
127.0.0.1       localhost
192.168.0.2     gentoo.linux gentoo
192.168.0.1     gentoo-vdr.linux gentoo-vdr
::1             localhost

/etc/conf.d/hostname
HOSTNAME="gentoo"

/etc/conf.d/ntp-client
NTPCLIENT_CMD="ntpdate"
NTPCLIENT_OPTS="192.168.0.1"

> For those who are not familiar with shorewall here are the generated iptables on the router.

iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ppp0_masq  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain ppp0_masq (1 references)
target     prot opt source               destination
MASQUERADE  all  --  localhost/24         anywhere            policy match dir out pol none

iptables -L -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
tcpre      all  --  anywhere             anywhere

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
tcfor      all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
tcout      all  --  anywhere             anywhere

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
tcpost     all  --  anywhere             anywhere

Chain tcfor (1 references)
target     prot opt source               destination

Chain tcout (1 references)
target     prot opt source               destination

Chain tcpost (1 references)
target     prot opt source               destination

Chain tcpre (1 references)
target     prot opt source               destination

iptables -L -t filter
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
LOG        udp  --  anywhere             anywhere            udp dpts:0:1023 LOG level warning
LOG        tcp  --  anywhere             anywhere            tcp dpts:0:1023 LOG level warning
DROP       udp  --  anywhere             anywhere            udp dpts:0:1023
DROP       tcp  --  anywhere             anywhere            tcp dpts:0:1023
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
DROP       icmp --  anywhere             anywhere            icmp echo-request

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain Drop (3 references)
target     prot opt source               destination
reject     tcp  --  anywhere             anywhere            tcp dpt:auth
dropBcast  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
dropInvalid  all  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere            multiport dports epmap,microsoft-ds
DROP       udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
DROP       udp  --  anywhere             anywhere            udp spt:netbios-ns dpts:1024:65535
DROP       tcp  --  anywhere             anywhere            multiport dports epmap,netbios-ssn,microsoft-ds
DROP       udp  --  anywhere             anywhere            udp dpt:1900
dropNotSyn  tcp  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere            udp spt:domain

Chain Reject (5 references)
target     prot opt source               destination
reject     tcp  --  anywhere             anywhere            tcp dpt:auth
dropBcast  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
dropInvalid  all  --  anywhere             anywhere
reject     udp  --  anywhere             anywhere            multiport dports epmap,microsoft-ds
reject     udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
reject     udp  --  anywhere             anywhere            udp spt:netbios-ns dpts:1024:65535
reject     tcp  --  anywhere             anywhere            multiport dports epmap,netbios-ssn,microsoft-ds
DROP       udp  --  anywhere             anywhere            udp dpt:1900
dropNotSyn  tcp  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere            udp spt:domain

Chain all2all (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Reject     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:all2all:REJECT:'
reject     all  --  anywhere             anywhere

Chain dropBcast (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
DROP       all  --  anywhere             anywhere            PKTTYPE = multicast

Chain dropInvalid (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID

Chain dropNotSyn (2 references)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN

Chain dynamic (4 references)
target     prot opt source               destination

Chain eth0_fwd (0 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
tcpflags   tcp  --  anywhere             anywhere            policy match dir in pol none
loc_frwd   all  --  localhost/24         anywhere            policy match dir in pol ipsec

Chain eth0_in (0 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
tcpflags   tcp  --  anywhere             anywhere            policy match dir in pol none
loc2fw     all  --  localhost/24         anywhere            policy match dir in pol ipsec

Chain fw2all (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Reject     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:fw2all:REJECT:'
reject     all  --  anywhere             anywhere

Chain fw2loc (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
Reject     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:fw2loc:REJECT:'
reject     all  --  anywhere             anywhere

Chain fw2net (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain loc2all (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Reject     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:loc2all:REJECT:'
reject     all  --  anywhere             anywhere

Chain loc2fw (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ntp
Reject     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:loc2fw:REJECT:'
reject     all  --  anywhere             anywhere

Chain loc2net (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain loc_frwd (1 references)
target     prot opt source               destination
loc2net    all  --  anywhere             anywhere            policy match dir out pol ipsec

Chain logflags (5 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level info ip-options prefix `Shorewall:logflags:DROP:'
DROP       all  --  anywhere             anywhere

Chain net2all (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Drop       all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:net2all:DROP:'
DROP       all  --  anywhere             anywhere

Chain net2fw (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
reject     icmp --  anywhere             anywhere            icmp echo-request
Drop       all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:net2fw:DROP:'
DROP       all  --  anywhere             anywhere

Chain net2loc (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Drop       all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:net2loc:DROP:'
DROP       all  --  anywhere             anywhere

Chain net_frwd (1 references)
target     prot opt source               destination
net2loc    all  --  anywhere             localhost/24        policy match dir out pol ipsec

Chain norfc1918 (2 references)
target     prot opt source               destination
rfc1918    all  --  localhost/12         anywhere
rfc1918    all  --  anywhere             anywhere            ctorigdst localhost/12
rfc1918    all  --  localhost/16         anywhere
rfc1918    all  --  anywhere             anywhere            ctorigdst localhost/16
rfc1918    all  --  localhost/8          anywhere
rfc1918    all  --  anywhere             anywhere            ctorigdst localhost/8

Chain ppp0_fwd (0 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
norfc1918  all  --  anywhere             anywhere            state NEW policy match dir in pol none
tcpflags   tcp  --  anywhere             anywhere            policy match dir in pol none
net_frwd   all  --  anywhere             anywhere            policy match dir in pol ipsec

Chain ppp0_in (0 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
norfc1918  all  --  anywhere             anywhere            state NEW policy match dir in pol none
tcpflags   tcp  --  anywhere             anywhere            policy match dir in pol none
net2fw     all  --  anywhere             anywhere            policy match dir in pol ipsec

Chain reject (12 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
DROP       all  --  anywhere             anywhere            PKTTYPE = multicast
DROP       all  --  localhost            anywhere
DROP       all  --  255.255.255.255      anywhere
DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     icmp --  anywhere             anywhere            reject-with icmp-host-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain rfc1918 (6 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:rfc1918:DROP:'
DROP       all  --  anywhere             anywhere

Chain shorewall (0 references)
target     prot opt source               destination

Chain smurfs (0 references)
target     prot opt source               destination
LOG        all  --  localhost            anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       all  --  localhost            anywhere
LOG        all  --  255.255.255.255      anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       all  --  255.255.255.255      anywhere
LOG        all  --  BASE-ADDRESS.MCAST.NET/4  anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere

Chain tcpflags (4 references)
target     prot opt source               destination
logflags   tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
logflags   tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
logflags   tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN,RST
logflags   tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN
logflags   tcp  --  anywhere             anywhere            tcp spt:0 flags:FIN,SYN,RST,ACK/SYN

--
gentoo-user@gentoo.org mailing list
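An added check, not part of the original mail: in the "iptables -L -t filter" listing above, FORWARD has policy DROP and no rules, and shorewall's eth0_fwd and ppp0_fwd chains have 0 references, so nothing routed from eth0 to ppp0 can be accepted no matter what the shorewall files say. The script below reads a listing of one table from stdin and reports both conditions; the sample embedded in it is a constructed excerpt of the posted output, and the chain names are the ones from the thread.

```shell
#!/bin/sh
# Diagnostic for an "iptables -L -t <table>" listing (one table per run).
# Reports whether the FORWARD chain can pass routed traffic at all and which
# user-defined chains are never jumped to from anywhere.

# Constructed excerpt of the listing posted in the thread.
SAMPLE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere            icmp echo-request

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain eth0_fwd (0 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
loc_frwd   all  --  localhost/24         anywhere            policy match dir in pol ipsec

Chain loc2net (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
'

# stdin: iptables -L listing. stdout: one line per chain,
# "<name> policy=<P>|refs=<N> <rule count>" (the "target prot opt" header is not counted).
summarize_chains() {
    awk '
        /^Chain / {
            if (chain != "") print chain, policy, rules
            chain = $2
            # built-in chains show "(policy X)", user chains show "(N references)"
            if ($3 == "(policy") policy = "policy=" substr($4, 1, length($4) - 1)
            else policy = "refs=" substr($3, 2)
            rules = -1
            next
        }
        chain != "" && NF > 0 { rules++ }
        END { if (chain != "") print chain, policy, rules }
    '
}

# Returns 0 if FORWARD can pass traffic, 1 if it is "policy DROP" with no rules
# (every packet the kernel routes between interfaces is then silently discarded),
# 2 if the listing has no FORWARD chain.
forward_chain_status() {
    line=$(summarize_chains | awk '$1 == "FORWARD"')
    [ -n "$line" ] || { echo "FORWARD: chain not found"; return 2; }
    set -- $line
    if [ "$2" = "policy=DROP" ] && [ "$3" -eq 0 ]; then
        echo "FORWARD: policy DROP with no rules, every routed packet is dropped"
        return 1
    fi
    echo "FORWARD: $2, $3 rules"
    return 0
}

# User-defined chains with zero references: rules that exist but are never reached,
# which is what shorewall's eth0_fwd/ppp0_fwd look like in the posted listing.
orphan_chains() {
    summarize_chains | awk '$2 == "refs=0" { print $1 }'
}

report() {
    input=$(cat)
    printf '%s\n' "$input" | forward_chain_status || :
    orphans=$(printf '%s\n' "$input" | orphan_chains)
    [ -z "$orphans" ] || printf 'chains nothing jumps to: %s\n' "$(echo $orphans)"
}

# "sh check_forward.sh -" reads a live listing from stdin; with no argument
# the constructed sample is analysed.
if [ "${1:-}" = "-" ]; then report; else printf '%s\n' "$SAMPLE" | report; fi
```

On the router itself the live check is `iptables -L -n -t filter | sh check_forward.sh -`; the `-n` only avoids the reverse lookups that turn 192.168.0.0/24 into "localhost/24" in the posted output.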
* Re: [gentoo-user] Setting up a home router
From: Dale @ 2007-01-14 22:45 UTC
To: gentoo-user

Daniel Pielmeier wrote:
> Hi,
>
> I have a similar problem like Dale in this thread [gentoo-user] Need
> help networking two machines, but i think it is not exactly the same.
>
> I was trying to set up a home router following the
> gentoo-home-router-guide
> http://www.gentoo.org/doc/de/home-router-howto.xml
> with shorewall as firewall following the two-interfaces-guide
> http://www.shorewall.net/two-interface.htm.
>
> I can connect from the router to the internet.
> I can log in from the router to the desktop per ssh and back.
> I have set up an rsync on the router and rsync works from the desktop.
> I have set up dnsmasq on the server and dns is working on the desktop.
> I can ping between router and desktop and from the router to the internet
>
> I have set up an ntp on the router but ntp from the desktop gives me.
> 14 Jan 20:25:53 ntpdate[31522]: no server suitable for synchronization
> found
>
> I can't ping from the desktop to the internet.
> ping www.gentoo.org
> PING www.gentoo.org (38.99.64.202) 56(84) bytes of data.
>
> --- www.gentoo.org ping statistics ---
> 13 packets transmitted, 0 received, 100% packet loss, time 11999ms
>
> As you can see the address is resolved but i get 100% packet loss.
> Until now i have spent much time on this issues, so i hope to solve
> these problems with your help.
> I have added the configurations which may help you to discover my
> problem below. First the router configuration and then the desktop
> configuration.
> I hope i did not forget anything as it is very much, but if anything
> you need is missing please ask for it.
>
> Thanks Daniel
>

Hi,

I used this script a long time ago. It worked until iptables got changed. It still worked but it gave a few errors. Maybe some guru can look at this and update it for us both. Then maybe I can get someone to upgrade the script on the site. I had to edit the very first bit about which interface is what. Here it is:

> #!/bin/bash
> IPTABLES='/sbin/iptables'
> # Set interface values
> EXTIF='ppp0'
> #INTIF0='eth0'
> INTIF1='eth0'
> INTIF2='eth1'
> INTIF3='eth2'
>
> # enable ip forwarding in the kernel
> /bin/echo 1 > /proc/sys/net/ipv4/ip_forward
> # flush rules and delete chains
> $IPTABLES -F
> $IPTABLES -X
> # enable masquerading to allow LAN internet access
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
> # forward LAN traffic from $INTIF1 to Internet interface $EXTIF
> $IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state
> NEW,ESTABLISHED -j ACCEPT
> # forward LAN traffic from $INTIF2 to Internet interface $EXTIF
> $IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -m state --state
> #NEW,ESTABLISHED -j ACCEPT
> #echo -e " - Allowing access to the SSH server"
> $IPTABLES -A INPUT --protocol ssh --dport 22 -j ACCEPT
> #echo -e " - Allowing access to the HTTP server"
> $IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT
> # block out all other Internet access on $EXTIF
> $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
> $IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP
>

OK. Now some guru help us out here. LOL

I got to redo my install on my second machine. I rebooted it and it is in awful shape. I think something is wrong with an init script. It boots the kernel but errors out trying to enter a run level. Portage can't complete a compile either. It complains about the date not being set, but it is. I need to get the rust out anyway on installing. Yup, the old command line way. I boot gentoo nox. LOL I have to use the 2005.1 install guide though. :-(

Supper time.

Dale :-) :-) :-) :-)
-- www.myspace.com/dalek1967
* Re: [gentoo-user] Setting up a home router
From: Daniel Pielmeier @ 2007-01-15 0:28 UTC
To: gentoo-user

> I used this script a long time ago. It worked until iptables got
> changed. It still worked but it gave a few errors. Maybe some guru can
> look at this and update it for us both. Then maybe I can get someone to
> upgrade the script on the site. I had to edit the very first bit about
> which interface is what. Here it is:

I have tested your script! Do you get an error like this:
iptables v1.3.5: unknown protocol `ssh' specified

I am not sure if it is right but I have replaced this line

$IPTABLES -A INPUT --protocol ssh --dport 22 -j ACCEPT
by
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT

and the error disappears.

For me using these iptables rules didn't work, I still can't ping the internet from my desktop and also get the error message by the ntp-client on my desktop.

Any other suggestions!

Here is how I changed the script to fit my needs!

#!/bin/bash

IPTABLES='/sbin/iptables'

# Set interface values
EXTIF='ppp0'
#INTIF0='eth0'
INTIF1='eth0'
INTIF2='eth1'

# enable ip forwarding in the kernel
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

# flush rules and delete chains
$IPTABLES -F
$IPTABLES -X

# enable masquerading to allow LAN internet access
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

# forward LAN traffic from $INTIF1 to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT

# forward LAN traffic from $INTIF2 to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT

#echo -e " - Allowing access to the SSH server"
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT

#echo -e " - Allowing access to the HTTP server"
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT

# block out all other Internet access on $EXTIF
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP
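An added rewrite of the script above (example code, not the script from the mail): in the posted version the INPUT chain keeps its default ACCEPT policy and the unqualified `--dport 22` and `--dport 80` ACCEPT rules come before the `-i $EXTIF ... DROP`, so ssh and http on the router are reachable from ppp0 as well as from the LAN, and return traffic for forwarded connections is accepted only because FORWARD defaults to ACCEPT. This version sets explicit DROP policies, binds every service rule to the LAN interface and prefix, and accepts replies statefully; interface names and the 192.168.0.0/24 prefix are taken from the thread, and DRY_RUN=1 prints the rules instead of loading them.

```shell
#!/bin/sh
# Two-interface NAT router, restructured from the script posted in the thread.
# Assumed from the thread: ppp0 is the ADSL link, eth0 the LAN, 192.168.0.0/24 the LAN prefix.
IPTABLES=${IPTABLES:-/sbin/iptables}
EXTIF=${EXTIF:-ppp0}
INTIF=${INTIF:-eth0}
LAN=${LAN:-192.168.0.0/24}

# With DRY_RUN=1 every command is printed instead of executed, so the rule set
# can be reviewed without root and without touching the live firewall.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

apply_rules() {
    run sysctl -w net.ipv4.ip_forward=1

    # start from a clean slate in both tables
    run "$IPTABLES" -F
    run "$IPTABLES" -X
    run "$IPTABLES" -t nat -F

    # default deny for traffic to the router and through it; the router's
    # own outbound traffic stays open (the posted script never set policies)
    run "$IPTABLES" -P INPUT DROP
    run "$IPTABLES" -P FORWARD DROP
    run "$IPTABLES" -P OUTPUT ACCEPT

    # loopback, replies to connections the router opened, and conntrack garbage
    run "$IPTABLES" -A INPUT -i lo -j ACCEPT
    run "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -A INPUT -m state --state INVALID -j DROP

    # services offered to the LAN only: ssh, http, DNS (dnsmasq) and NTP,
    # matched on interface AND source prefix so a packet with a 192.168.0.x
    # source arriving on ppp0 is still dropped
    for svc in "tcp 22" "tcp 80" "udp 53" "tcp 53" "udp 123"; do
        set -- $svc
        run "$IPTABLES" -A INPUT -i "$INTIF" -s "$LAN" -p "$1" --dport "$2" -j ACCEPT
    done
    run "$IPTABLES" -A INPUT -i "$INTIF" -s "$LAN" -p icmp --icmp-type echo-request -j ACCEPT

    # masquerade the LAN behind the dynamic ppp0 address
    run "$IPTABLES" -t nat -A POSTROUTING -o "$EXTIF" -s "$LAN" -j MASQUERADE

    # LAN -> Internet: new connections out, only their replies back in
    run "$IPTABLES" -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -A FORWARD -m state --state INVALID -j DROP
}

# Counts generated INPUT rules that accept new connections without an input
# interface binding, the mistake in the posted script. Prints the count (0 here).
unbound_accepts() {
    DRY_RUN=1 apply_rules | grep -- '-A INPUT' | grep -- '-j ACCEPT' \
        | grep -v -- '-i ' | grep -v -- '--state ESTABLISHED' | wc -l | tr -d ' '
}

# Default is to print the rule set; "--apply" loads it (needs root).
case "${1:-}" in
    --apply) DRY_RUN=0 ;;
    *)       DRY_RUN=1 ;;
esac
apply_rules
```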
* Re: [gentoo-user] Setting up a home router
From: Thomas Lingefelt @ 2007-01-15 0:57 UTC
To: gentoo-user

Honestly for making a router ShoreWall really helps out. Shorewall is basically a set of scripts that read configuration files that you set up and then interacts with iptables for you.

http://www.shorewall.net/
http://www.shorewall.net/shorewall_quickstart_guide.htm

Thomas
* Re: [gentoo-user] Setting up a home router
From: Dale @ 2007-01-15 1:25 UTC
To: gentoo-user

Thomas Lingefelt wrote:
> Honestly for making a router ShoreWall really helps out. Shorewall is
> basically a set of scripts that read configuration files that you set up
> and then interacts with iptables for you.
>
> http://www.shorewall.net/
> http://www.shorewall.net/shorewall_quickstart_guide.htm
>
> Thomas
>

If you have webmin installed, webmin can take care of some of this, both iptables and shorewall. It's GUI too. ;-) Maybe you know enough about it to figure out to get webmin to do it. Webmin is pretty cool. I used it to set up Samba once.

Dale :-) :-) :-) :-)
-- www.myspace.com/dalek1967
* Re: [gentoo-user] Setting up a home router
From: Dale @ 2007-01-15 0:58 UTC
To: gentoo-user

Daniel Pielmeier wrote:
>> I used this script a long time ago. It worked until iptables got
>> changed. It still worked but it gave a few errors. Maybe some guru can
>> look at this and update it for us both. Then maybe I can get someone to
>> upgrade the script on the site. I had to edit the very first bit about
>> which interface is what. Here it is:
>
> I have tested your script! Do you get an error like this:
> iptables v1.3.5: unknown protocol `ssh' specified
>
> I am not sure if it is right but i have replaced this line
>
> $IPTABLES -A INPUT --protocol ssh --dport 22 -j ACCEPT
> by
> $IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT
>
> and the error disappears.
>
> For me using this iptable rules didn't work, i still can't ping the
> internet rom my desktop and also get the error message by the
> ntp-client on my desktop.
>
> Any other suggestions!
>
> Here is how i changed the script to fit my needs!
>
> #!/bin/bash
>
> IPTABLES='/sbin/iptables'
>
> # Set interface values
> EXTIF='ppp0'
> #INTIF0='eth0'
> INTIF1='eth0'
> INTIF2='eth1'
>
> # enable ip forwarding in the kernel
> /bin/echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # flush rules and delete chains
> $IPTABLES -F
> $IPTABLES -X
>
> # enable masquerading to allow LAN internet access
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
>
> # forward LAN traffic from $INTIF1 to Internet interface $EXTIF
> $IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state
> NEW,ESTABLISHED -j ACCEPT
>
> # forward LAN traffic from $INTIF2 to Internet interface $EXTIF
> $IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -m state --state
> NEW,ESTABLISHED -j ACCEPT
>
> #echo -e " - Allowing access to the SSH server"
> $IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT
>
> #echo -e " - Allowing access to the HTTP server"
> $IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT
>
> # block out all other Internet access on $EXTIF
> $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
> $IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP

Are you on dial-up too? The EXTIF='ppp0' may need to be eth0 for you if you are using a DSL or cable connection.

I'm not real sure about any of this stuff really. I need to get a book on iptables and a whole lot of other things too. Because of my health I can't sit at the puter long enough to learn anything. I can read a book in bed then.

I'll see if I can think of something else. Maybe some guru can help us both out. I need that to work too.

hmm, come to think of it, I have a thread on the forums. Try this:

http://forums.gentoo.org/viewtopic-t-249167-highlight-iptables.html

That may help.

I tend to ramble a bit. Sorry.

Dale :-) :-) :-)
-- www.myspace.com/dalek1967
* Re: [gentoo-user] Setting up a home router
From: Daniel Pielmeier @ 2007-01-15 1:33 UTC
To: gentoo-user

> Are you on dial-up too? The EXTIF='ppp0' may need to be eth0 for you if
> you are using a DSL or cable connection.

I use an adsl-modem to connect to the internet. It is configured over eth1 but the connection runs over ppp0 so I think this is right, but I am not sure.
* Re: [gentoo-user] Setting up a home router
From: Dale @ 2007-01-15 1:52 UTC
To: gentoo-user

Daniel Pielmeier wrote:
>> Are you on dial-up too? The EXTIF='ppp0' may need to be eth0 for you if
>> you are using a DSL or cable connection.
>
> I use an adsl-modem to connect to the internet. It is configured over
> eth1 but the connection runs over ppp0 so i think this is right, but i
> am not sure.

Hmmm, me either. I'm not sure about what it would be called. Do you have gkrellm installed? Sometimes I use it to see where the traffic is. That is how I knew it was iptables in my other thread. The data was getting there because gkrellm was seeing it but my system was not. No clue how one can see it and the other can't though.

Dale :-) :-) :-)
-- www.myspace.com/dalek1967
* Re: [gentoo-user] Setting up a home router
From: Daniel Pielmeier @ 2007-01-15 8:25 UTC
To: gentoo-user

> Hmmm, me either. I'm not sure about what it would be called. Do you
> have gkrellm installed? Sometimes I use it to see where the traffic
> is. That is how I knew it was iptables in my other thread. The data
> was getting there because gkrellm was seeing it but my system was not.
> No clue how one can see it and the other can't though.

No, I did not use gkrellm, I am just setting up the new desktop machine, no X until now, I want to do the basics first!
* RE: [gentoo-user] Setting up a home router
From: Nelson, David (ED, PAR&D) @ 2007-01-15 8:38 UTC
To: gentoo-user

> -----Original Message-----
> From: Daniel Pielmeier [mailto:daniel.pielmeier@googlemail.com]
> Sent: 14 January 2007 19:27
> To: gentoo-user@lists.gentoo.org
> Subject: [gentoo-user] Setting up a home router
>
> I can't ping from the desktop to the internet.
> ping www.gentoo.org
> PING www.gentoo.org (38.99.64.202) 56(84) bytes of data.
>
> --- www.gentoo.org ping statistics ---
> 13 packets transmitted, 0 received, 100% packet loss, time 11999ms
>

I would check that you have done:

echo 1 > /proc/sys/net/ipv4/ip_forward

Also make sure ICMP isn't blocked anywhere.

David

Note: These views are my own, advice is provided with no guarantee of success. I do not represent anyone else in any emails I send to this list.
* Re: [gentoo-user] Setting up a home router
From: Daniel Pielmeier @ 2007-01-15 8:55 UTC
To: gentoo-user

> I would check that you have done:
>
> echo 1 > /proc/sys/net/ipv4/ip_forward

I think this is set, but I will check again.

> Also make sure ICMP isn't blocked anywhere.

I have only blocked ping from the internet to the firewall and nowhere else.
* Re: [gentoo-user] Setting up a home router
From: Daniel Iliev @ 2007-01-15 9:49 UTC
To: gentoo-user

Daniel Pielmeier wrote:
>> I would check that you have done:
>>
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> I think this is set, but i will check again.
>
>> Also make sure ICMP isn't blocked anywhere.
>
> I have only blocked ping from the internet to the firewall and nowhere
> else.

Send the output from "iptables-save", please. Otherwise we could only guess if the problem is with your firewall rules or somewhere else.

-- 
Best regards,
Daniel
* Re: [gentoo-user] Setting up a home router
From: Daniel Pielmeier @ 2007-01-15 9:57 UTC
To: gentoo-user

> Send the output from "iptables-save", please. Otherwise we could only
> guess if the problem is with your firewall rules or somewhere else.

Ok, I will do that when I am back home. I thought the output from "iptables -L" in my original post was enough.
* Re: [gentoo-user] Setting up a home router
From: Daniel Pielmeier @ 2007-01-15 18:17 UTC
To: gentoo-user

> Send the output from "iptables-save", please. Otherwise we could only
> guess if the problem is with your firewall rules or somewhere else.

Here we go!

# Generated by iptables-save v1.3.5 on Mon Jan 15 19:09:43 2007
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:tcfor - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING -j tcpre
-A FORWARD -j tcfor
-A OUTPUT -j tcout
-A POSTROUTING -j tcpost
COMMIT
# Completed on Mon Jan 15 19:09:43 2007
# Generated by iptables-save v1.3.5 on Mon Jan 15 19:09:43 2007
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:ppp0_masq - [0:0]
-A POSTROUTING -o ppp0 -j ppp0_masq
-A ppp0_masq -s 192.168.0.0/255.255.255.0 -m policy --dir out --pol none -j MASQUERADE
COMMIT
# Completed on Mon Jan 15 19:09:43 2007
# Generated by iptables-save v1.3.5 on Mon Jan 15 19:09:43 2007
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Drop - [0:0]
:Reject - [0:0]
:all2all - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:eth0_fwd - [0:0]
:eth0_in - [0:0]
:fw2all - [0:0]
:fw2loc - [0:0]
:fw2net - [0:0]
:loc2all - [0:0]
:loc2fw - [0:0]
:loc2net - [0:0]
:loc_frwd - [0:0]
:logflags - [0:0]
:net2all - [0:0]
:net2fw - [0:0]
:net2loc - [0:0]
:net_frwd - [0:0]
:norfc1918 - [0:0]
:ppp0_fwd - [0:0]
:ppp0_in - [0:0]
:reject - [0:0]
:rfc1918 - [0:0]
:shorewall - [0:0]
:smurfs - [0:0]
:tcpflags - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ppp0 -j ppp0_in
-A INPUT -i eth0 -j eth0_in
-A INPUT -j Reject
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6
-A INPUT -j reject
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i ppp0 -j ppp0_fwd
-A FORWARD -i eth0 -j eth0_fwd
-A FORWARD -j Reject
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
-A FORWARD -j reject
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o ppp0 -m policy --dir out --pol ipsec -j fw2net
-A OUTPUT -d 192.168.0.0/255.255.255.0 -o eth0 -m policy --dir out --pol ipsec -j fw2loc
-A OUTPUT -d 255.255.255.255 -o eth0 -j fw2loc
-A OUTPUT -d 224.0.0.0/240.0.0.0 -o eth0 -j fw2loc
-A OUTPUT -j Reject
-A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:REJECT:" --log-level 6
-A OUTPUT -j reject
-A Drop -p tcp -m tcp --dport 113 -j reject
-A Drop -j dropBcast
-A Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A Drop -j dropInvalid
-A Drop -p udp -m multiport --dports 135,445 -j DROP
-A Drop -p udp -m udp --dport 137:139 -j DROP
-A Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A Drop -p udp -m udp --dport 1900 -j DROP
-A Drop -p tcp -j dropNotSyn
-A Drop -p udp -m udp --sport 53 -j DROP
-A Reject -p tcp -m tcp --dport 113 -j reject
-A Reject -j dropBcast
-A Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A Reject -j dropInvalid
-A Reject -p udp -m multiport --dports 135,445 -j reject
-A Reject -p udp -m udp --dport 137:139 -j reject
-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -j reject
-A Reject -p tcp -m multiport --dports 135,139,445 -j reject
-A Reject -p udp -m udp --dport 1900 -j DROP
-A Reject -p tcp -j dropNotSyn
-A Reject -p udp -m udp --sport 53 -j DROP
-A all2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A all2all -j Reject
-A all2all -j LOG --log-prefix "Shorewall:all2all:REJECT:" --log-level 6
-A all2all -j reject
-A dropBcast -m pkttype --pkt-type broadcast -j DROP
-A dropBcast -m pkttype --pkt-type multicast -j DROP
-A dropInvalid -m state --state INVALID -j DROP
-A dropNotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A eth0_fwd -m state --state INVALID,NEW -j dynamic
-A eth0_fwd -p tcp -m policy --dir in --pol none -j tcpflags
-A eth0_fwd -s 192.168.0.0/255.255.255.0 -m policy --dir in --pol ipsec -j loc_frwd
-A eth0_in -m state --state INVALID,NEW -j dynamic
-A eth0_in -p tcp -m policy --dir in --pol none -j tcpflags
-A eth0_in -s 192.168.0.0/255.255.255.0 -m policy --dir in --pol ipsec -j loc2fw
-A fw2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2all -j Reject
-A fw2all -j LOG --log-prefix "Shorewall:fw2all:REJECT:" --log-level 6
-A fw2all -j reject
-A fw2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2loc -p tcp -m tcp --dport 22 -j ACCEPT
-A fw2loc -j Reject
-A fw2loc -j LOG --log-prefix "Shorewall:fw2loc:REJECT:" --log-level 6
-A fw2loc -j reject
-A fw2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2net -j ACCEPT
-A loc2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2all -j Reject
-A loc2all -j LOG --log-prefix "Shorewall:loc2all:REJECT:" --log-level 6
-A loc2all -j reject
-A loc2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 22 -j ACCEPT
-A loc2fw -p udp -m udp --dport 123 -j ACCEPT
-A loc2fw -j Reject
-A loc2fw -j LOG --log-prefix "Shorewall:loc2fw:REJECT:" --log-level 6
-A loc2fw -j reject
-A loc2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2net -j ACCEPT
-A loc_frwd -o ppp0 -m policy --dir out --pol ipsec -j loc2net
-A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level 6 --log-ip-options
-A logflags -j DROP
-A net2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2all -j Drop
-A net2all -j LOG --log-prefix "Shorewall:net2all:DROP:" --log-level 6
-A net2all -j DROP
-A net2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2fw -p icmp -m icmp --icmp-type 8 -j reject
-A net2fw -j Drop
-A net2fw -j LOG --log-prefix "Shorewall:net2fw:DROP:" --log-level 6
-A net2fw -j DROP
-A net2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2loc -j Drop
-A net2loc -j LOG --log-prefix "Shorewall:net2loc:DROP:" --log-level 6
-A net2loc -j DROP
-A net_frwd -d 192.168.0.0/255.255.255.0 -o eth0 -m policy --dir out --pol ipsec -j net2loc
-A norfc1918 -s 172.16.0.0/255.240.0.0 -j rfc1918
-A norfc1918 -m conntrack --ctorigdst 172.16.0.0/12 -j rfc1918
-A norfc1918 -s 192.168.0.0/255.255.0.0 -j rfc1918
-A norfc1918 -m conntrack --ctorigdst 192.168.0.0/16 -j rfc1918
-A norfc1918 -s 10.0.0.0/255.0.0.0 -j rfc1918
-A norfc1918 -m conntrack --ctorigdst 10.0.0.0/8 -j rfc1918
-A ppp0_fwd -m state --state INVALID,NEW -j dynamic
-A ppp0_fwd -m state --state NEW -m policy --dir in --pol none -j norfc1918
-A ppp0_fwd -p tcp -m policy --dir in --pol none -j tcpflags
-A ppp0_fwd -m policy --dir in --pol ipsec -j net_frwd
-A ppp0_in -m state --state INVALID,NEW -j dynamic
-A ppp0_in -m state --state NEW -m policy --dir in --pol none -j norfc1918
-A ppp0_in -p tcp -m policy --dir in --pol none -j tcpflags
-A ppp0_in -m policy --dir in --pol ipsec -j net2fw
-A reject -m pkttype --pkt-type broadcast -j DROP
-A reject -m pkttype --pkt-type multicast -j DROP
-A reject -s 192.168.0.255 -j DROP
-A reject -s 255.255.255.255 -j DROP
-A reject -s 224.0.0.0/240.0.0.0 -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A rfc1918 -j LOG --log-prefix "Shorewall:rfc1918:DROP:" --log-level 6
-A rfc1918 -j DROP
-A smurfs -s 192.168.0.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 192.168.0.255 -j DROP
-A smurfs -s 255.255.255.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 255.255.255.255 -j DROP
-A smurfs -s 224.0.0.0/240.0.0.0 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 224.0.0.0/240.0.0.0 -j DROP
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j logflags
-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -j logflags
COMMIT
# Completed on Mon Jan 15 19:09:43 2007
* Re: [gentoo-user] Setting up a home router
From: Hans-Werner Hilse @ 2007-01-15 23:13 UTC
To: gentoo-user

Hi,

On Mon, 15 Jan 2007 19:17:45 +0100
"Daniel Pielmeier" <daniel.pielmeier@googlemail.com> wrote:

> > Send the output from "iptables-save", please. Otherwise we could only
> > guess if the problem is with your firewall rules or somewhere else.
>
> Here we go!
>
> # Generated by iptables-save v1.3.5 on Mon Jan 15 19:09:43 2007
> [...]

Everything looks fine. I'm not quite sure about the "policy" module, I have never used it and it is somehow being used to check the "direction" of packets. Maybe someone else can comment.

So remaining things to check would be
- where do packets do what? Use "tcpdump" on the router to monitor how packets flow. Don't cite all the output, but look at where packets are coming and going. Two terminals with "tcpdump -i eth0" and "tcpdump -i ppp0" would tell you that. Send a few pings from the desktop to the internet. Also try pinging an IP from the desktop, not just hostnames (to rule out nameserver borkage).
- is forwarding actually really enabled? Just "cat" the relevant /proc/sys/net/ipv4/ip_forward.

-hwh
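The question left open above is what the "policy" match does to the posted ruleset. Reading the dump literally, the only way a LAN packet in FORWARD reaches ACCEPT is via two rules that both carry `-m policy ... --pol ipsec`; a packet for which those matches are false falls back into FORWARD's Reject, LOG and reject rules. The following is an added example, not code from the thread: it parses an excerpt of the iptables-save dump posted in the previous message and enumerates every outcome for a fresh echo request from the LAN, branching on each match it cannot evaluate (the xfrm policy matches) and recording what had to be assumed on the way to ACCEPT. The desktop address 192.168.0.2 is an assumption, the thread never states it; the conntrack facts for a new ping are given to the tracer.

```python
# Added example (not from the thread): parse an excerpt of the iptables-save dump posted
# above and enumerate every FORWARD outcome for a LAN echo request.
import shlex
from collections import namedtuple
from ipaddress import ip_address, ip_network

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
NON_TERMINAL = {"LOG", "TCPMSS", "MARK"}      # targets that never end chain traversal
TOP_FLAGS = {"-i", "-o", "-s", "-d", "-p", "-m", "-j"}
KEY = {"-i": "in", "-o": "out", "-p": "proto", "-s": "src", "-d": "dst"}

# Excerpt of the posted ruleset: only the chains on the eth0 -> ppp0 path are kept.
RULES_TEXT = """
-A FORWARD -i eth0 -j eth0_fwd
-A FORWARD -j Reject
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
-A FORWARD -j reject
-A eth0_fwd -m state --state INVALID,NEW -j dynamic
-A eth0_fwd -s 192.168.0.0/255.255.255.0 -m policy --dir in --pol ipsec -j loc_frwd
-A loc_frwd -o ppp0 -m policy --dir out --pol ipsec -j loc2net
-A loc2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2net -j ACCEPT
-A Reject -j dropInvalid
-A dropInvalid -m state --state INVALID -j DROP
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
"""

# `facts` holds the truth of "-m" conditions the caller knows; any other condition is branched.
Packet = namedtuple("Packet", "in_iface out_iface src dst proto facts")

def parse_rules(text):
    """Parse '-A chain ...' lines into {chain: [rule dicts in evaluation order]}."""
    chains = {}
    for line in text.strip().splitlines():
        toks = shlex.split(line)
        if toks[:1] != ["-A"]:                # skip *table, :chain and COMMIT lines
            continue
        rule = {"chain": toks[1], "target": "", "cond": [], "in": None, "out": None,
                "proto": None, "src": None, "dst": None}
        i = 2
        while i < len(toks):
            flag, arg = toks[i], toks[i + 1]
            if flag == "-j":                  # target options (--log-prefix, --reject-with) follow; unused
                rule["target"] = arg
                break
            if flag == "-m":                  # module name plus options up to the next top-level flag
                j = i + 2
                while j < len(toks) and toks[j] not in TOP_FLAGS:
                    j += 1
                rule["cond"].append(" ".join(toks[i + 1:j]))
                i = j
                continue
            rule[KEY[flag]] = ip_network(arg, strict=False) if flag in ("-s", "-d") else arg
            i += 2
        chains.setdefault(rule["chain"], []).append(rule)
    return chains

def _static_match(r, p):
    """Constraints the tracer decides by itself: interfaces, protocol, addresses."""
    return (r["in"] in (None, p.in_iface) and r["out"] in (None, p.out_iface)
            and r["proto"] in (None, p.proto)
            and (r["src"] is None or ip_address(p.src) in r["src"])
            and (r["dst"] is None or ip_address(p.dst) in r["dst"]))

def _walk(chains, chain, idx, pkt, assumed):
    """All (verdict, assumptions) outcomes from rule idx of chain; 'RETURN' = fell off the end."""
    rules = chains.get(chain, [])             # a declared-but-empty chain just returns
    for i in range(idx, len(rules)):
        rule = rules[i]
        if not _static_match(rule, pkt):
            continue
        unknown = [c for c in rule["cond"] if c not in pkt.facts and c not in assumed]
        if unknown:                           # fork on the first unknown match and re-run this rule
            return [r for v in (True, False)
                    for r in _walk(chains, chain, i, pkt, {**assumed, unknown[0]: v})]
        if not all(assumed.get(c, pkt.facts.get(c)) for c in rule["cond"]):
            continue
        tgt = rule["target"]
        if tgt in TERMINAL or tgt == "RETURN":
            return [(tgt, assumed)]
        if tgt in NON_TERMINAL:
            continue
        results = []                          # user chain: fall-through resumes after the jump
        for verdict, a in _walk(chains, tgt, 0, pkt, assumed):
            results += _walk(chains, chain, i + 1, pkt, a) if verdict == "RETURN" else [(verdict, a)]
        return results
    return [("RETURN", assumed)]

def forward_verdicts(chains, pkt, policy="DROP"):
    """Sorted (verdict, ('cond=True', ...)) pairs for pkt entering FORWARD; policy applies on fall-through."""
    out = {(policy if v == "RETURN" else v, tuple(sorted(f"{k}={val}" for k, val in a.items())))
           for v, a in _walk(chains, "FORWARD", 0, pkt, {})}
    return sorted(out)

def accept_requirements(chains, pkt):
    """Assumption sets under which pkt is ACCEPTed; an empty list means it never is."""
    return [a for v, a in forward_verdicts(chains, pkt) if v == "ACCEPT"]

# A fresh echo request from the LAN; 192.168.0.2 is an assumed desktop address (not in the thread).
ECHO = Packet("eth0", "ppp0", "192.168.0.2", "209.85.135.147", "icmp",
              {"state --state INVALID,NEW": True, "state --state INVALID": False,
               "state --state RELATED,ESTABLISHED": False})
```

Running `forward_verdicts(parse_rules(RULES_TEXT), ECHO)` gives three outcomes: ACCEPT only when both policy matches hold, REJECT in every other case. That is exactly the "packets aren't routed" symptom from the tcpdump output if the policy match does not hold for plain (non-IPsec) traffic; the tracer does not decide how the module behaves, it only shows that nothing else on the path can let the packet through. A source outside 192.168.0.0/24 on eth0 gets an unconditional REJECT, which the test below also checks.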
* Re: [gentoo-user] Setting up a home router
From: Daniel Pielmeier @ 2007-01-15 23:30 UTC
To: gentoo-user

> - is forwarding actually really enabled? Just "cat" the
> relevant /proc/sys/net/ipv4/ip_forward.

cat /proc/sys/net/ipv4/ip_forward
returns 1

> So remaining things to check would be
> - where do packets do what? Use "tcpdump" on the router to monitor
> how packets flow. Don't cite all the output, but look at where
> packets are coming and going. Two terminals with "tcpdump -i eth0"
> and "tcpdump -i ppp0" would tell you that. Send a few pings from the
> desktop to the internet. Also try pinging an IP from the desktop, not
> just hostnames (to rule out nameserver borkage).

Here is what tcpdump returns!

ping to www.google.de from desktop

ping -c5 209.85.135.147
PING 209.85.135.147 (209.85.135.147) 56(84) bytes of data.

--- 209.85.135.147 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4000ms

tcpdump -i ppp0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
00:23:34.170023 IP dslb-088-065-173-238.pools.arcor-ip.net.32864 > dns1.arcor-ip.de.domain: 62186+ PTR? 147.135.85.209.in-addr.arpa. (45)
00:23:34.170885 IP dslb-088-065-173-238.pools.arcor-ip.net.32865 > dns1.arcor-ip.de.domain: 49362+ PTR? 11.2.253.145.in-addr.arpa. (43)
00:23:34.186127 IP dns1.arcor-ip.de.domain > dslb-088-065-173-238.pools.arcor-ip.net.32864: 62186 NXDomain 0/1/0 (105)
00:23:34.192706 IP dns1.arcor-ip.de.domain > dslb-088-065-173-238.pools.arcor-ip.net.32865: 49362 1/0/0 (73)
00:23:34.193083 IP dslb-088-065-173-238.pools.arcor-ip.net.32865 > dns1.arcor-ip.de.domain: 55934+ PTR? 238.173.65.88.in-addr.arpa. (44)
00:23:34.250939 IP dns1.arcor-ip.de.domain > dslb-088-065-173-238.pools.arcor-ip.net.32865: 55934 1/0/0 (97)
00:23:44.770408 IP cpc1-pnth1-0-0-cust807.cdif.cable.ntl.com.18730 > dslb-088-065-173-238.pools.arcor-ip.net.13040: UDP, length 98
00:23:44.770494 IP dslb-088-065-173-238.pools.arcor-ip.net > cpc1-pnth1-0-0-cust807.cdif.cable.ntl.com: ICMP dslb-088-065-173-238.pools.arcor-ip.net udp port 13040 unreachable, length 134
00:23:44.770752 IP dslb-088-065-173-238.pools.arcor-ip.net.32865 > dns1.arcor-ip.de.domain: 21398+ PTR? 40.23.6.82.in-addr.arpa. (41)
00:23:44.820873 IP dns1.arcor-ip.de.domain > dslb-088-065-173-238.pools.arcor-ip.net.32865: 21398 1/0/0 (96)
00:23:46.085482 IP 222.69.242.140.19774 > dslb-088-065-173-238.pools.arcor-ip.net.13040: UDP, length 98
00:23:46.085566 IP dslb-088-065-173-238.pools.arcor-ip.net > 222.69.242.140: ICMP dslb-088-065-173-238.pools.arcor-ip.net udp port 13040 unreachable, length 134
00:23:46.085811 IP dslb-088-065-173-238.pools.arcor-ip.net.32865 > dns1.arcor-ip.de.domain: 28846+ PTR? 140.242.69.222.in-addr.arpa. (45)
00:23:46.509496 IP dns1.arcor-ip.de.domain > dslb-088-065-173-238.pools.arcor-ip.net.32865: 28846 NXDomain 0/1/0 (105)
00:23:52.092567 IP 222.69.242.140.19774 > dslb-088-065-173-238.pools.arcor-ip.net.13040: UDP, length 98
00:23:52.092624 IP dslb-088-065-173-238.pools.arcor-ip.net > 222.69.242.140: ICMP dslb-088-065-173-238.pools.arcor-ip.net udp port 13040 unreachable, length 134
00:23:54.447053 IP dslb-084-057-191-176.pools.arcor-ip.net.3158 > dslb-088-065-173-238.pools.arcor-ip.net.epmap: S 2228649193:2228649193(0) win 53760 <mss 1412,nop,wscale 3,nop,nop,timestamp 0 0,nop,nop,sackOK>
00:23:54.447386 IP dslb-088-065-173-238.pools.arcor-ip.net.32865 > dns1.arcor-ip.de.domain: 55370+ PTR? 176.191.57.84.in-addr.arpa. (44)
00:23:54.463773 IP dns1.arcor-ip.de.domain > dslb-088-065-173-238.pools.arcor-ip.net.32865: 55370 1/0/0 (97)

tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
00:23:32.895513 IP gentoo-vdr.linux.net.54934 > gentoo.linux.net.ssh: P 2356170685:2356170733(48) ack 1373265494 win 1034 <nop,nop,timestamp 1888728 4586914>
00:23:32.895566 IP gentoo.linux.net.ssh > gentoo-vdr.linux.net.54934: P 1:49(48) ack 48 win 81 <nop,nop,timestamp 4721101 1888728>
00:23:32.895604 IP gentoo-vdr.linux.net.54934 > gentoo.linux.net.ssh: . ack 49 win 1034 <nop,nop,timestamp 1888728 4721101>
00:23:33.913406 IP gentoo-vdr.linux.net.36415 > gentoo.linux.net.ssh: P 220729975:220730023(48) ack 3542615936 win 5880 <nop,nop,timestamp 1888829 4706313>
00:23:33.913491 IP gentoo.linux.net.ssh > gentoo-vdr.linux.net.36415: P 1:65(64) ack 48 win 116 <nop,nop,timestamp 4721355 1888829>
00:23:33.913528 IP gentoo-vdr.linux.net.36415 > gentoo.linux.net.ssh: . ack 65 win 5880 <nop,nop,timestamp 1888829 4721355>
00:23:34.168115 IP gentoo-vdr.linux.net.36415 > gentoo.linux.net.ssh: P 48:96(48) ack 65 win 5880 <nop,nop,timestamp 1888855 4721355>
00:23:34.168191 IP gentoo.linux.net.ssh > gentoo-vdr.linux.net.36415: P 65:113(48) ack 96 win 116 <nop,nop,timestamp 4721419 1888855>
00:23:34.168229 IP gentoo-vdr.linux.net.36415 > gentoo.linux.net.ssh: . ack 113 win 5880 <nop,nop,timestamp 1888855 4721419>
00:23:34.168756 IP gentoo.linux.net.ssh > gentoo-vdr.linux.net.36415: P 113:209(96) ack 96 win 116 <nop,nop,timestamp 4721419 1888855>
00:23:34.168814 IP gentoo-vdr.linux.net.36415 > gentoo.linux.net.ssh: . ack 209 win 5880 <nop,nop,timestamp 1888855 4721419>
00:23:34.168771 IP gentoo.linux.net > 209.85.135.147: ICMP echo request, id 64284, seq 1, length 64
00:23:35.169420 IP gentoo.linux.net > 209.85.135.147: ICMP echo request, id 64284, seq 2, length 64
00:23:36.169461 IP gentoo.linux.net > 209.85.135.147: ICMP echo request, id 64284, seq 3, length 64
00:23:37.169504 IP gentoo.linux.net > 209.85.135.147: ICMP echo request, id 64284, seq 4, length 64
00:23:38.169550 IP gentoo.linux.net > 209.85.135.147: ICMP echo request, id 64284, seq 5, length 64
00:23:48.174063 IP gentoo.linux.net.ssh > gentoo-vdr.linux.net.36415: P 209:353(144) ack 96 win 116 <nop,nop,timestamp 4724920 1888855>
00:23:48.174138 IP gentoo-vdr.linux.net.36415 > gentoo.linux.net.ssh: . ack 353 win 5871 <nop,nop,timestamp 1890255 4724920>
00:23:48.174117 IP gentoo.linux.net.ssh > gentoo-vdr.linux.net.36415: P 353:417(64) ack 96 win 116 <nop,nop,timestamp 4724920 1888855>
00:23:48.174157 IP gentoo-vdr.linux.net.36415 > gentoo.linux.net.ssh: . ack 417 win 5867 <nop,nop,timestamp 1890255 4724920>
00:23:48.174170 IP gentoo.linux.net.ssh > gentoo-vdr.linux.net.36415: P 417:497(80) ack 96 win 116 <nop,nop,timestamp 4724920 1890255>
00:23:48.174182 IP gentoo-vdr.linux.net.36415 > gentoo.linux.net.ssh: . ack 497 win 5862 <nop,nop,timestamp 1890255 4724920>

ping to www.google.de from router

ping -c5 209.85.135.147
PING 209.85.135.147 (209.85.135.147) 56(84) bytes of data.
64 bytes from 209.85.135.147: icmp_seq=1 ttl=246 time=23.2 ms
64 bytes from 209.85.135.147: icmp_seq=2 ttl=246 time=24.4 ms
64 bytes from 209.85.135.147: icmp_seq=3 ttl=246 time=23.6 ms
64 bytes from 209.85.135.147: icmp_seq=4 ttl=246 time=24.6 ms
64 bytes from 209.85.135.147: icmp_seq=5 ttl=246 time=23.7 ms

--- 209.85.135.147 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4025ms
rtt min/avg/max/mdev = 23.292/23.945/24.603/0.520 ms

tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
0 packets captured
0 packets received by filter
0 packets dropped by kernel

tcpdump -i ppp0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
00:26:45.035173 IP dslb-088-065-173-238.pools.arcor-ip.net > 209.85.135.147: ICMP echo request, id 4181, seq 1, length 64
00:26:45.036069 IP dslb-088-065-173-238.pools.arcor-ip.net.32865 > dns1.arcor-ip.de.domain: 53808+ PTR? 147.135.85.209.in-addr.arpa. (45)
00:26:45.056503 IP dns1.arcor-ip.de.domain > dslb-088-065-173-238.pools.arcor-ip.net.32865: 53808 NXDomain 0/1/0 (105)
00:26:45.056824 IP dslb-088-065-173-238.pools.arcor-ip.net.32865 > dns1.arcor-ip.de.domain: 37596+ PTR? 238.173.65.88.in-addr.arpa. (44)
00:26:45.058409 IP 209.85.135.147 > dslb-088-065-173-238.pools.arcor-ip.net: ICMP echo reply, id 4181, seq 1, length 64
00:26:45.074915 IP dns1.arcor-ip.de.domain > dslb-088-065-173-238.pools.arcor-ip.net.32865: 37596 1/0/0 (97)
00:26:45.125930 IP dslb-088-065-173-238.pools.arcor-ip.net.32865 > dns1.arcor-ip.de.domain: 10166+ PTR? 11.2.253.145.in-addr.arpa. (43)
00:26:45.140233 IP dns1.arcor-ip.de.domain > dslb-088-065-173-238.pools.arcor-ip.net.32865: 10166 1/0/0 (73)
00:26:46.040910 IP dslb-088-065-173-238.pools.arcor-ip.net > 209.85.135.147: ICMP echo request, id 4181, seq 2, length 64
00:26:46.065340 IP 209.85.135.147 > dslb-088-065-173-238.pools.arcor-ip.net: ICMP echo reply, id 4181, seq 2, length 64
00:26:47.050855 IP dslb-088-065-173-238.pools.arcor-ip.net > 209.85.135.147: ICMP echo request, id 4181, seq 3, length 64
00:26:47.074438 IP 209.85.135.147 > dslb-088-065-173-238.pools.arcor-ip.net: ICMP echo reply, id 4181, seq 3, length 64
00:26:48.050866 IP dslb-088-065-173-238.pools.arcor-ip.net > 209.85.135.147: ICMP echo request, id 4181, seq 4, length 64
00:26:48.075412 IP 209.85.135.147 > dslb-088-065-173-238.pools.arcor-ip.net: ICMP echo reply, id 4181, seq 4, length 64
00:26:49.060871 IP dslb-088-065-173-238.pools.arcor-ip.net > 209.85.135.147: ICMP echo request, id 4181, seq 5, length 64
00:26:49.084519 IP 209.85.135.147 > dslb-088-065-173-238.pools.arcor-ip.net: ICMP echo reply, id 4181, seq 5, length 64
16 packets captured
32 packets received by filter
0 packets dropped by kernel
* Re: [gentoo-user] Setting up a home router
From: Hans-Werner Hilse @ 2007-01-16 0:40 UTC
To: gentoo-user

Hi,

On Tue, 16 Jan 2007 00:30:30 +0100
"Daniel Pielmeier" <daniel.pielmeier@googlemail.com> wrote:

> > - is forwarding actually really enabled? Just "cat" the
> > relevant /proc/sys/net/ipv4/ip_forward.
>
> cat /proc/sys/net/ipv4/ip_forward
> returns 1
>
> > So remaining things to check would be
> > - where do packets do what? Use "tcpdump" on the router to monitor
> > how packets flow. Don't cite all the output, but look at where
> > packets are coming and going. Two terminals with "tcpdump -i eth0"
> > and "tcpdump -i ppp0" would tell you that. Send a few pings from the
> > desktop to the internet. Also try pinging an IP from the desktop, not
> > just hostnames (to rule out nameserver borkage).
>
> Here is what tcdump returns!
> [...]

That's what I wanted to avoid with asking for not citing everything :-)

But everything looks quite normal, except for that packets aren't routed. So it's up to somebody else to tell exactly what that "policy" module in iptables does -- and how. I don't have answers left here -- except for the case that a manual iptables setup is sufficient.

Personally, I'm quite happy with

$ iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
$ iptables -A FORWARD -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$ iptables -A FORWARD -i ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

for the forwarding. All that fancy-schmanzy stuff that shorewall does isn't in there, granted.

-hwh
* Re: [gentoo-user] Setting up a home router
From: Dale @ 2007-01-16 1:37 UTC
To: gentoo-user

Hans-Werner Hilse wrote:
> Hi,
>
> On Tue, 16 Jan 2007 00:30:30 +0100
> "Daniel Pielmeier" <daniel.pielmeier@googlemail.com> wrote:
>
>>> - is forwarding actually really enabled? Just "cat" the
>>> relevant /proc/sys/net/ipv4/ip_forward.
>>>
>> cat /proc/sys/net/ipv4/ip_forward
>> returns 1
>>
>>> So remaining things to check would be
>>> - where do packets do what? Use "tcpdump" on the router to monitor
>>> how packets flow. Don't cite all the output, but look at where
>>> packets are coming and going. Two terminals with "tcpdump -i eth0"
>>> and "tcpdump -i ppp0" would tell you that. Send a few pings from the
>>> desktop to the internet. Also try pinging an IP from the desktop, not
>>> just hostnames (to rule out nameserver borkage).
>>>
>> Here is what tcdump returns!
>> [...]
>
> That's what I wanted to avoid with asking for not citing everything :-)
>
> But everything looks quite normal, except for that packets aren't
> routed. So its up to somebody else to tell exactly what that "policy"
> module in iptables does -- and how. I don't have answers left here --
> except for the case that a manual iptables setup is sufficient.
>
> Personally, I'm quite happy with
>
> $ iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> $ iptables -A FORWARD -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $ iptables -A FORWARD -i ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> for the forwarding. All that fancy-schmanzy stuff that shorewall does
> isn't in there, granted.
>
> -hwh

Well, I got lucky. I'm not real sure what I did to be honest. Here is my main box that is connected to the net:

> root@smoker / # route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> nas2.greenwood1 *               255.255.255.255 UH    0      0        0 ppp0
> 192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
> loopback        *               255.0.0.0       U     0      0        0 lo
> default         nas2.greenwood1 0.0.0.0         UG    0      0        0 ppp0
> root@smoker / #
> root@smoker / # iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> root@smoker / #

This is from the second rig:

> swifty ~ # route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
> loopback        *               255.0.0.0       U     0      0        0 lo
> default         smoker          0.0.0.0         UG    0      0        0 eth0
> swifty ~ #

No iptables on this one. I don't know what I did but it all works. I guess even I get lucky sometimes. :-O

Dale

:-) :-) :-)

-- 
www.myspace.com/dalek1967
* Re: [gentoo-user] Setting up a home router
From: Daniel Pielmeier @ 2007-01-16 8:03 UTC
To: gentoo-user

> But everything looks quite normal, except for that packets aren't
> routed. So its up to somebody else to tell exactly what that "policy"
> module in iptables does -- and how. I don't have answers left here --
> except for the case that a manual iptables setup is sufficient.
>
> Personally, I'm quite happy with
>
> $ iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> $ iptables -A FORWARD -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $ iptables -A FORWARD -i ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> for the forwarding. All that fancy-schmanzy stuff that shorewall does
> isn't in there, granted.

Thanks, so I think that I have to get familiar with iptables itself, because I want to do some more than routing. I will try these rules in the evening and tell you if it works.
* Re: [gentoo-user] Setting up a home router
From: Hans-Werner Hilse @ 2007-01-16 11:17 UTC
To: gentoo-user

Hi,

On Tue, 16 Jan 2007 09:03:59 +0100
"Daniel Pielmeier" <daniel.pielmeier@googlemail.com> wrote:

> > Personally, I'm quite happy with
> >
> > $ iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> > $ iptables -A FORWARD -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> > $ iptables -A FORWARD -i ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Aaargh! That last one should have the state NEW omitted (and the following comma, of course).

> Thanks, so i think that i have to get familiar with iptables itself,
> because i want to some more than routing. I will try this rules in the
> evening and tell you if it works.

No fears, iptables is easy to configure! Search for some How-To that has a big picture of which packets entering which chains in which tables. That really helps a lot.

-hwh
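The correction above is the kind of slip a quick check catches before the rules are loaded: with NEW in the ppp0 rule, FORWARD would accept new connections arriving on the WAN side, which is exactly what dropping NEW removes. The following is an added example, not code from the thread: a small lint for iptables command lines as typed into a shell that flags a FORWARD ACCEPT keyed on the WAN interface that still matches NEW (or has no state match at all), checks that a MASQUERADE rule for the WAN interface exists, and emits the corrected command. The interface names are the thread's (eth0 LAN, ppp0 WAN) and the three rule strings are copied from the message as first posted.

```python
# Added example (not from the thread): lint hand-written iptables commands for a
# FORWARD rule that accepts NEW connections arriving on the WAN interface, and
# produce the corrected command line.
import shlex

# The three commands as first posted; the ppp0 rule still carries NEW.
POSTED_RULES = [
    "iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE",
    "iptables -A FORWARD -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT",
    "iptables -A FORWARD -i ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT",
]

def _opt(toks, flag):
    """Value following `flag` in an argv list, or None if absent."""
    if flag in toks and toks.index(flag) + 1 < len(toks):
        return toks[toks.index(flag) + 1]
    return None

def _is_wan_forward_accept(toks, wan):
    """True for a filter-table FORWARD ACCEPT rule keyed on packets arriving from `wan`."""
    return ((_opt(toks, "-t") or "filter") == "filter" and _opt(toks, "-A") == "FORWARD"
            and _opt(toks, "-i") == wan and _opt(toks, "-j") == "ACCEPT")

def lint_forward(cmds, wan):
    """Findings for a router rule set: NEW (or nothing) stated for WAN-side FORWARD, missing MASQUERADE."""
    findings, has_masq = [], False
    for cmd in cmds:
        toks = shlex.split(cmd)
        if toks[:1] != ["iptables"]:
            continue
        if (_opt(toks, "-t") == "nat" and _opt(toks, "-A") == "POSTROUTING"
                and _opt(toks, "-o") == wan and _opt(toks, "-j") == "MASQUERADE"):
            has_masq = True
        if _is_wan_forward_accept(toks, wan):
            states = (_opt(toks, "--state") or "").split(",")
            if "NEW" in states:
                findings.append(f"FORWARD accepts NEW connections from {wan}: {cmd}")
            elif states == [""]:
                findings.append(f"FORWARD accepts everything from {wan} without a state match: {cmd}")
    if not has_masq:
        findings.append(f"no MASQUERADE rule on {wan} in nat POSTROUTING")
    return findings

def fix_forward(cmds, wan):
    """Return the commands with NEW removed from any stateful FORWARD ACCEPT keyed on `wan`."""
    fixed = []
    for cmd in cmds:
        toks = shlex.split(cmd)
        if _is_wan_forward_accept(toks, wan) and "--state" in toks:
            i = toks.index("--state") + 1
            toks[i] = ",".join(s for s in toks[i].split(",") if s != "NEW")
            cmd = shlex.join(toks)
        fixed.append(cmd)
    return fixed

if __name__ == "__main__":
    for finding in lint_forward(POSTED_RULES, "ppp0"):
        print("finding:", finding)
    for cmd in fix_forward(POSTED_RULES, "ppp0"):
        print(cmd)
```

For the posted rules the lint reports the ppp0 rule once, and `fix_forward` rewrites it to `--state ESTABLISHED,RELATED`, which is the rule as corrected above; the LAN-side eth0 rule keeps NEW because the desktop is meant to open new connections outward.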
* Re: [gentoo-user] Setting up a home router
From: Daniel Pielmeier @ 2007-01-16 12:10 UTC
To: gentoo-user

> > > Personally, I'm quite happy with
> > >
> > > $ iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> > > $ iptables -A FORWARD -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> > > $ iptables -A FORWARD -i ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> Aaargh! That last one should have the state NEW omitted (and the
> following comma, of course).
>
> > Thanks, so i think that i have to get familiar with iptables itself,
> > because i want to some more than routing. I will try this rules in the
> > evening and tell you if it works.
>
> No fears, iptables is easy to configure! Search for some How-To that
> has a big picture of which packets entering which chains in which
> tables. That really helps a lot.

I haven't found a how-to like this. Do you know a good how-to? At the moment I am reading this one: http://iptables-tutorial.frozentux.net/iptables-tutorial.html.
* Re: [gentoo-user] Setting up a home router
From: Hans-Werner Hilse @ 2007-01-16 14:21 UTC
To: gentoo-user

Hi,

On Tue, 16 Jan 2007 13:10:45 +0100
"Daniel Pielmeier" <daniel.pielmeier@googlemail.com> wrote:

> > > Thanks, so i think that i have to get familiar with iptables
> > > itself, because i want to some more than routing. I will try this
> > > rules in the evening and tell you if it works.
> >
> > No fears, iptables is easy to configure! Search for some How-To that
> > has a big picture of which packets entering which chains in which
> > tables. That really helps a lot.
>
> I haven't found a how-to like this. Do you know a good how-to? At the
> moment iam reading this one
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html.

Thanks for that link. The document is _very_ good and complete. But I don't think it's particularly well suited for beginners.

My suggestion would probably be very conservative: netfilter.org's own docs. http://www.netfilter.org/documentation/index.html

-hwh
* Re: [gentoo-user] Setting up a home router
From: Daniel Pielmeier @ 2007-01-16 14:39 UTC
To: gentoo-user

> Thanks for that link. The document is _very_ good and complete. But I
> don't think it's particularly well suited for beginners.
> My suggestion would probably be very conservative: netfilter.org's own
> docs. http://www.netfilter.org/documentation/index.html

np, I thought when I have to learn iptables, then I want to know all about it. It is mentioned at the netfilter site. But I will have a look at netfilter's own documentation.
* Re: [gentoo-user] Setting up a home router
From: Daniel Pielmeier @ 2007-01-16 20:57 UTC
To: gentoo-user

> Thanks for that link. The document is _very_ good and complete. But I
> don't think it's particularly well suited for beginners.
>
> My suggestion would probably be very conservative: netfilter.org's own
> docs. http://www.netfilter.org/documentation/index.html

I have now applied your masquerading and forwarding rules and they are
working. At the moment I am setting up some basic filter rules for switching
from shorewall to plain iptables. Then I will go for advanced filtering.

Thanks a lot for your and all the others' help.

Regards
Daniel

PS (in German in the original): Greetings from Stuttgart and thanks again, I
don't know whether I would have managed this otherwise!
* Re: [gentoo-user] Setting up a home router
From: Dale @ 2007-01-17 1:32 UTC
To: gentoo-user

Hans-Werner Hilse wrote:
>
> Thanks for that link. The document is _very_ good and complete. But I
> don't think it's particularly well suited for beginners.
>
> My suggestion would probably be very conservative: netfilter.org's own
> docs. http://www.netfilter.org/documentation/index.html
>
> -hwh
>

OK. I just had to reply to this one. FINALLY somebody explained how the heck
iptables works and what it does in a way that makes sense to ME. The best
part is that there is an INPUT chain and an OUTPUT chain, then you connect
them together with iptables. THAT I could understand. Why can't they put
stuff like this in the man page so that nuts like me can understand it?

Thanks much for that link.

Dale
:-) :-)
--
www.myspace.com/dalek1967
* Re: [gentoo-user] Setting up a home router
From: Daniel Pielmeier @ 2007-01-17 19:02 UTC
To: gentoo-user

Hi again,

it seems that I have run into another problem.

These are my current iptables:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
block      all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
block      all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain block (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state NEW
DROP       all  --  anywhere             anywhere

But every time I start my internet connection with /etc/init.d/net.eth1
start, it seems my rules are changed to this and I can't connect to the
internet:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
LOG        udp  --  anywhere             anywhere            udp dpts:0:1023 LOG level warning
LOG        tcp  --  anywhere             anywhere            tcp dpts:0:1023 LOG level warning
DROP       udp  --  anywhere             anywhere            udp dpts:0:1023
DROP       tcp  --  anywhere             anywhere            tcp dpts:0:1023
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
DROP       icmp --  anywhere             anywhere            icmp echo-request

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain block (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state NEW
DROP       all  --  anywhere             anywhere

What could be the problem here? Is the net init script changing my rules? I
think I have removed shorewall completely, so there shouldn't be any
remaining files which could cause that behavior. Or are there some remaining
files from shorewall? When I invoke iptables save with my generated rules
and restart iptables, the rules are OK and I can connect!

Thanks in advance!

Daniel
* Re: [gentoo-user] Setting up a home router
From: Dan @ 2007-01-17 20:35 UTC
To: gentoo-user

On Wed, 17 Jan 2007 20:02:54 +0100 "Daniel Pielmeier" <daniel.pielmeier@googlemail.com> wrote:

> Hi again,
>
> it seems that I have run into another problem.
>
> These are my current iptables:
> ...
> What could be the problem here? Is the net init script changing my
> rules? I think I have removed shorewall completely, so there shouldn't
> be any remaining files which could cause that behavior. Or are there
> some remaining files from shorewall? When I invoke iptables save with
> my generated rules and restart iptables, the rules are OK and I can
> connect!
>
> Thanks in advance!
>
> Daniel

I've been holding back on replying for a while now, but I think you should
try a simple iptables setup like this one:

davey ~ # iptables -L -v ; iptables -t nat -L -v
Chain INPUT (policy DROP 764K packets, 79M bytes)
 pkts bytes target     prot opt in     out     source               destination
50707   18M ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:smtp
 955K  601M ACCEPT     all  --  lo     any     anywhere             anywhere
 249K   20M ACCEPT     all  --  ath0   any     anywhere             anywhere
  43M 6782M ACCEPT     all  --  eth1   any     anywhere             anywhere
    1    32 REJECT     udp  --  eth0   any     anywhere             anywhere            udp dpt:bootps reject-with icmp-port-unreachable
    1    58 REJECT     udp  --  eth0   any     anywhere             anywhere            udp dpt:domain reject-with icmp-port-unreachable
  414 36292 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh
 411K   91M ACCEPT     all  --  eth0   any     anywhere             anywhere            state RELATED,ESTABLISHED
    4   184 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:http
14547 1187K ACCEPT     icmp --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 3017 packets, 184K bytes)
 pkts bytes target     prot opt in     out     source               destination
 173M  111G ACCEPT     all  --  any    any     192.168.0.0/16       anywhere
  22M   19G ACCEPT     all  --  eth0   any     anywhere             192.168.0.0/16

Chain OUTPUT (policy ACCEPT 48M packets, 13G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain PREROUTING (policy ACCEPT 10M packets, 1189M bytes)
 pkts bytes target     prot opt in     out     source               destination
58003 3477K DNAT       tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh to:192.168.1.99:22
 3828  213K DNAT       tcp  --  eth0   any     anywhere             anywhere            tcp dpt:http to:192.168.1.99:80
   14   664 DNAT       tcp  --  eth0   any     anywhere             anywhere            tcp dpt:222 to:192.168.1.1:22
  248 11072 DNAT       tcp  --  eth0   any     anywhere             anywhere            tcp dpt:223 to:192.168.1.100:22

Chain POSTROUTING (policy ACCEPT 300K packets, 18M bytes)
 pkts bytes target     prot opt in     out     source               destination
4564K  318M MASQUERADE all  --  any    eth0    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 234K packets, 15M bytes)
 pkts bytes target     prot opt in     out     source               destination

It's my own stab at a stateful firewall and seems to be working very well for
me. spore.ath.cx is my home computer network; feel free to nmap me and see
what you think from the outside. It's rudimentary, but that's what I like
about it. Simple.

For what it's worth, I never would have been able to figure out iptables
without using

watch "iptables -v -L ; iptables -t nat -v -L"

which ends up showing you the packets in and out of each chain and each rule,
which is highly convenient for configuring firewalls.

Best of luck.
--
dan.
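The two rule sets above (Daniel's stateful filter with its "block" chain, and Dan's NAT router with DNAT port forwards and MASQUERADE) are shown as `iptables -L` listings, which cannot be loaded back. The script below is an added example, not code from either poster: it emits the same kind of two-interface router policy in iptables-restore format so the whole table set is loaded atomically, with default-deny INPUT and FORWARD policies, stateful return traffic, MASQUERADE on the WAN side and a FORWARD accept for every port that is DNATed (a forward is useless without one once FORWARD's policy is DROP). The interface names ppp0/eth0 and the LAN prefix come from the thread; the forwarded port and LAN host are assumptions passed as arguments.

```shell
#!/bin/sh
# Added example, not code from the thread: emit an iptables-restore ruleset
# for a two-interface home router (stateful filtering on the WAN side,
# MASQUERADE for the LAN, optional DNAT port forwards). Interface names,
# the LAN prefix and the forwards are assumptions supplied as arguments.
#
# Usage: gen_router_rules WAN LAN LAN_NET [WANPORT:LANIP:LANPORT ...]
#   e.g. gen_router_rules ppp0 eth0 192.168.0.0/24 2222:192.168.0.10:22
# Review the output, then load it atomically with:
#   gen_router_rules ... | iptables-restore

emit() { printf '%s\n' "$1"; }   # printf, so lines starting with '-' are safe

gen_router_rules() {
    wan=$1; lan=$2; lan_net=$3
    shift 3

    emit '*nat'
    emit ':PREROUTING ACCEPT [0:0]'
    emit ':POSTROUTING ACCEPT [0:0]'
    emit ':OUTPUT ACCEPT [0:0]'
    for fwd in "$@"; do
        wport=${fwd%%:*}; rest=${fwd#*:}
        lip=${rest%%:*}; lport=${rest#*:}
        emit "-A PREROUTING -i $wan -p tcp --dport $wport -j DNAT --to-destination $lip:$lport"
    done
    # Rewrite the source of everything leaving via the WAN link. MASQUERADE
    # rather than SNAT, because a PPPoE address changes on every connect.
    emit "-A POSTROUTING -o $wan -j MASQUERADE"
    emit 'COMMIT'

    emit '*filter'
    # Default-deny on INPUT and FORWARD: a forgotten rule fails closed.
    emit ':INPUT DROP [0:0]'
    emit ':FORWARD DROP [0:0]'
    emit ':OUTPUT ACCEPT [0:0]'
    emit '-A INPUT -i lo -j ACCEPT'
    # The LAN may talk to the router (ssh, dnsmasq, ntp, rsync), but only
    # with a source address from our own prefix.
    emit "-A INPUT -i $lan -s $lan_net -j ACCEPT"
    emit '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    # Rate-limited echo-request keeps the link debuggable from outside
    # without turning the router into a ping amplifier.
    emit "-A INPUT -i $wan -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT"
    emit "-A INPUT -i $wan -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix \"fw-in-drop: \""
    # LAN -> WAN: only our own prefix may go out (blocks spoofed sources).
    # WAN -> LAN: only replies, plus the explicitly forwarded ports.
    emit "-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT"
    emit "-A FORWARD -i $wan -o $lan -m state --state RELATED,ESTABLISHED -j ACCEPT"
    for fwd in "$@"; do
        rest=${fwd#*:}
        lip=${rest%%:*}; lport=${rest#*:}
        emit "-A FORWARD -i $wan -o $lan -p tcp -d $lip --dport $lport -m state --state NEW -j ACCEPT"
    done
    emit 'COMMIT'
}

# Stand-alone run: the thread's interfaces (ppp0 to the ISP, eth0 to the
# LAN) with one assumed forward of WAN port 2222 to an assumed LAN host.
gen_router_rules ppp0 eth0 192.168.0.0/24 2222:192.168.0.10:22
```

Because iptables-restore replaces each table in one transaction, loading the script's output never leaves the box half-configured the way a sequence of individual iptables calls can, and `iptables-save` afterwards gives you a file you can diff against later to see whether anything else has rewritten your rules.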
* Re: [gentoo-user] Setting up a home router
From: Daniel Pielmeier @ 2007-01-18 9:25 UTC
To: gentoo-user

> I've been holding back on replying for a while now, but I think you
> should try a simple iptables setup like this one:

Excuse me, but my problem is not that my tables are not working, they work
very well. I applied forwarding and masquerading, also a basic set of
filtering rules which block all access from outside.

My problem is that these rules I have defined are somehow overwritten by the
net init script, with some remaining settings from my previous shorewall
configuration.

I compared the tables I had with shorewall with my new settings, and the ones
which are changed by the net init script look the same as the settings I
had with shorewall for INPUT, FORWARD and OUTPUT.

I am sure that I have removed shorewall completely, so I guess shorewall must
have altered a file which is used by the init script, so that the old
settings are restored every time I start the net init script.

Does anybody have a clue?

Regards,

Daniel
* Re: [gentoo-user] Setting up a home router
From: Uwe Thiem @ 2007-01-18 10:10 UTC
To: gentoo-user

On 18 January 2007 11:25, Daniel Pielmeier wrote:
> > I've been holding back on replying for a while now, but I think you
> > should try a simple iptables setup like this one:
>
> Excuse me, but my problem is not that my tables are not working, they
> work very well. I applied forwarding and masquerading, also a basic
> set of filtering rules which block all access from outside.
>
> My problem is that these rules I have defined are somehow overwritten
> by the net init script, with some remaining settings from my previous
> shorewall configuration.
>
> I compared the tables I had with shorewall with my new settings, and
> the ones which are changed by the net init script look the same as
> the settings I had with shorewall for INPUT, FORWARD and OUTPUT.
>
> I am sure that I have removed shorewall completely, so I guess
> shorewall must have altered a file which is used by the init script,
> so that the old settings are restored every time I start the net
> init script.
> Does anybody have a clue?

If you really removed shorewall from your runlevel (rc-update del shorewall
default) try this:

rm /var/lib/iptables/rules-save

Uwe
--
A fast and easy generator of fractals for KDE:
http://www.SysEx.com.na/iwy-1.0.tar.bz2
Proof of concept of a TSP solver for KDE:
http://www.SysEx.com.na/epat-0.1.tar.bz2
* Re: [gentoo-user] Setting up a home router
From: Dale @ 2007-01-18 10:43 UTC
To: gentoo-user

Daniel Pielmeier wrote:
>> I've been holding back on replying for a while now, but I think you
>> should try a simple iptables setup like this one:
>
> Excuse me, but my problem is not that my tables are not working, they
> work very well. I applied forwarding and masquerading, also a basic
> set of filtering rules which block all access from outside.
>
> My problem is that these rules I have defined are somehow overwritten
> by the net init script, with some remaining settings from my previous
> shorewall configuration.
>
> I compared the tables I had with shorewall with my new settings, and
> the ones which are changed by the net init script look the same as
> the settings I had with shorewall for INPUT, FORWARD and OUTPUT.
>
> I am sure that I have removed shorewall completely, so I guess
> shorewall must have altered a file which is used by the init script,
> so that the old settings are restored every time I start the net
> init script.
> Does anybody have a clue?
>
> Regards,
>
> Daniel

Did you do a /etc/init.d/iptables save by any chance? That's the only thing
I can think of.

Dale
:-) :-) :-) :-)
--
www.myspace.com/dalek1967
* Re: [gentoo-user] Setting up a home router
From: Daniel Pielmeier @ 2007-01-18 11:11 UTC
To: gentoo-user

> If you really removed shorewall from your runlevel (rc-update del shorewall
> default) try this:
> rm /var/lib/iptables/rules-save

I have removed shorewall from my runlevels and added iptables.

> Did you do a /etc/init.d/iptables save by any chance? That's the only
> thing I can think of.

The way I have applied my rules is as follows:

first I load them with my generated script,
then I invoke /etc/init.d/iptables save,
and to be sure I do an /etc/init.d/iptables restart.

iptables -L, iptables -L -t nat, iptables -L -t mangle show me my new rules.
When I look in /var/lib/iptables/rules-save I also see my new rules.
When I issue /etc/init.d/net.eth1 restart, iptables -L, iptables -L -t nat,
iptables -L -t mangle show me the old rules from shorewall.
* Re: [gentoo-user] Setting up a home router
From: Dan Farrell @ 2007-01-18 21:04 UTC
To: gentoo-user

On Thu, 18 Jan 2007 12:11:34 +0100 "Daniel Pielmeier" <daniel.pielmeier@googlemail.com> wrote:

> Excuse me, but my problem is not that my tables are not working, they
> work very well. I applied forwarding and masquerading, also a basic
> set of filtering rules which block all access from outside.

Oops. Sorry.

> > If you really removed shorewall from your runlevel (rc-update del
> > shorewall default) try this:
> > rm /var/lib/iptables/rules-save
>
> I have removed shorewall from my runlevels and added iptables.
>
> > Did you do a /etc/init.d/iptables save by any chance? That's the
> > only thing I can think of.
>
> The way I have applied my rules is as follows:
>
> first I load them with my generated script,
> then I invoke /etc/init.d/iptables save,
> and to be sure I do an /etc/init.d/iptables restart.
> iptables -L, iptables -L -t nat, iptables -L -t mangle show me my new
> rules. When I look in /var/lib/iptables/rules-save I also see my new
> rules. When I issue /etc/init.d/net.eth1 restart, iptables -L, iptables
> -L -t nat, iptables -L -t mangle show me the old rules from shorewall.

I wonder if shorewall is loaded as a dependency of net.eth1?
* Re: [gentoo-user] Setting up a home router
From: Iain Buchanan @ 2007-01-18 23:13 UTC
To: gentoo-user

On Thu, 2007-01-18 at 12:11 +0100, Daniel Pielmeier wrote:
> The way I have applied my rules is as follows:
>
> first I load them with my generated script,
> then I invoke /etc/init.d/iptables save,
> and to be sure I do an /etc/init.d/iptables restart.
> iptables -L, iptables -L -t nat, iptables -L -t mangle show me my new rules.
> When I look in /var/lib/iptables/rules-save I also see my new rules.
> When I issue /etc/init.d/net.eth1 restart, iptables -L, iptables -L -t
> nat, iptables -L -t mangle show me the old rules from shorewall.

Hmm, shorewall must have done something that's more persistent.

Have a look at /etc/runlevels, and make sure there is no shorewall stuff left
in there.

Also look in /etc/conf.d/net* and make sure there are no postup functions
lying around.

And make sure /etc/init.d/net.eth1 is a symlink to /etc/init.d/net.lo, and
then make sure net.lo hasn't been "modified" by shorewall. You could do an
`emerge --noconfmem baselayout` to make extra sure. **Read the man page
first.

Is there a /etc/shorewall directory? Perhaps someone who has it installed
could do `equery files shorewall` so you could check that it really is
deleted.

Well, these ideas are really stabbing in the dark, but you gotta start
somewhere!

HTH,
--
Iain Buchanan <iaindb at netspace dot net dot au>

Workers of the world, arise! You have nothing to lose but your chairs.
* Re: [gentoo-user] Setting up a home router
From: Daniel Pielmeier @ 2007-01-19 1:10 UTC
To: gentoo-user

> Hmm, shorewall must have done something that's more persistent.
>
> Have a look at /etc/runlevels, and make sure there is no shorewall stuff
> left in there.
>
> Also look in /etc/conf.d/net* and make sure there are no postup functions
> lying around.
>
> And make sure /etc/init.d/net.eth1 is a symlink to /etc/init.d/net.lo,
> and then make sure net.lo hasn't been "modified" by shorewall. You
> could do an `emerge --noconfmem baselayout` to make extra sure. **Read
> the man page first.
>
> Is there a /etc/shorewall directory? Perhaps someone who has it
> installed could do `equery files shorewall` so you could check that it
> really is deleted.
>
> Well, these ideas are really stabbing in the dark, but you gotta start
> somewhere!

Thanks for your hints. I checked all these things but there seems to be
nothing of shorewall remaining! I am quite sure, because I am using a cruft
script which searches for files remaining after an uninstall. The script does
its job: there were several files from shorewall remaining, but now they are
all gone, and my problem still remains.
* Re: [gentoo-user] Setting up a home router
From: Iain Buchanan @ 2007-01-19 6:45 UTC
To: gentoo-user

On Fri, 2007-01-19 at 02:10 +0100, Daniel Pielmeier wrote:
> > Hmm, shorewall must have done something that's more persistent.
...
> > Well, these ideas are really stabbing in the dark, but you gotta start
> > somewhere!
>
> Thanks for your hints. I checked all these things but there seems to be
> nothing of shorewall remaining! I am quite sure, because I am using a
> cruft script which searches for files remaining after an uninstall.
> The script does its job: there were several files from shorewall
> remaining, but now they are all gone, and my problem still remains.

Ah yes, I recall the cruft script! Does it exclude any directories?

If there is nothing shorewall related left, then the only explanation is that
shorewall must have edited an existing file somewhere... which seems
strange... hal? udev? Who knows!

The only last thing I could suggest is running lsof to see what files are
being accessed when you start the net.eth1 script.

Other than that, I'm out of ideas, sorry!
--
Iain Buchanan <iaindb at netspace dot net dot au>

Nothing motivates a man more than to see his boss put in an honest day's work.
* Re: [gentoo-user] Setting up a home router
From: Dale @ 2007-01-19 7:01 UTC
To: gentoo-user

Iain Buchanan wrote:
>
> Ah yes, I recall the cruft script! Does it exclude any directories?
>
> If there is nothing shorewall related left, then the only explanation is
> that shorewall must have edited an existing file somewhere... which
> seems strange... hal? udev? Who knows!
>
> The only last thing I could suggest is running lsof to see what files
> are being accessed when you start the net.eth1 script.
>
> Other than that, I'm out of ideas, sorry!
>

Could he delete some of the config files then re-emerge the programs they
belong to? Wouldn't that "reset" them back to default then?

If you would like, I'll email you, off list of course, a copy of my etc
directory or specific files if you want me to. I'm on dial-up so it may take
a bit to send them. Let me know. If you want specific files, let me know
which ones.

Dale
:-) :-) :-)
--
www.myspace.com/dalek1967
* Re: [gentoo-user] Setting up a home router
From: Iain Buchanan @ 2007-01-19 7:40 UTC
To: gentoo-user

On Fri, 2007-01-19 at 01:01 -0600, Dale wrote:
> Iain Buchanan wrote:
> >
> > Ah yes, I recall the cruft script! Does it exclude any directories?
> >
> > If there is nothing shorewall related left, then the only explanation is
> > that shorewall must have edited an existing file somewhere... which
> > seems strange... hal? udev? Who knows!
> >
> > The only last thing I could suggest is running lsof to see what files
> > are being accessed when you start the net.eth1 script.
> >
> > Other than that, I'm out of ideas, sorry!
> >
>
> Could he delete some of the config files then re-emerge the programs
> they belong to? Wouldn't that "reset" them back to default then?

A better option would be `emerge --noconfmem <package>`, which essentially
re-does all your conf files.
--
Iain Buchanan <iaindb at netspace dot net dot au>

Why not go out on a limb? Isn't that where the fruit is?
* Re: [gentoo-user] Setting up a home router
From: Uwe Thiem @ 2007-01-19 7:29 UTC
To: gentoo-user

On 19 January 2007 08:45, Iain Buchanan wrote:
> On Fri, 2007-01-19 at 02:10 +0100, Daniel Pielmeier wrote:
> > > Hmm, shorewall must have done something that's more persistent.
> ...
> > > Well, these ideas are really stabbing in the dark, but you gotta start
> > > somewhere!
> >
> > Thanks for your hints. I checked all these things but there seems to be
> > nothing of shorewall remaining! I am quite sure, because I am using a
> > cruft script which searches for files remaining after an uninstall.
> > The script does its job: there were several files from shorewall
> > remaining, but now they are all gone, and my problem still remains.
>
> Ah yes, I recall the cruft script! Does it exclude any directories?
>
> If there is nothing shorewall related left, then the only explanation is
> that shorewall must have edited an existing file somewhere... which
> seems strange... hal? udev? Who knows!

I am using shorewall and it doesn't do it here.

I haven't replied in this thread so far because I have not the slightest idea
what causes the trouble. Actually I have tried to simulate what Daniel did.
Even so, net.eth0 (in my case) doesn't change my iptables rules.

Uwe
--
A fast and easy generator of fractals for KDE:
http://www.SysEx.com.na/iwy-1.0.tar.bz2
Proof of concept of a TSP solver for KDE:
http://www.SysEx.com.na/epat-0.1.tar.bz2
* Re: [gentoo-user] Setting up a home router
From: Daniel Pielmeier @ 2007-01-19 9:08 UTC
To: gentoo-user

Hi all!

Thank you very much for trying to help me with these strange things. I hope I
haven't overlooked a very simple thing which causes this problem.

> Dale wrote
>
> root@smoker / # equery files shorewall
> [ Searching for packages matching shorewall... ]
>  * Contents of net-firewall/shorewall-3.0.8:
> /etc
> /etc/init.d
> /etc/init.d/shorewall
> /etc/shorewall
> ...

As you can see, all paths contain "shorewall", so a simple find would detect
all the files, and I have none of them remaining on my system.

> Iain wrote
>
> Ah yes, I recall the cruft script! Does it exclude any directories?

No, I have checked that before; there is nothing in my lib/findcruft which
excludes shorewall from being detected.

> The only last thing I could suggest is running lsof to see what files
> are being accessed when you start the net.eth1 script.

Thanks, that's a good idea, I will try that.

> Uwe wrote
>
> I am using shorewall and it doesn't do it here.
>
> I haven't replied in this thread so far because I have not the slightest
> idea what causes the trouble. Actually I have tried to simulate what
> Daniel did. Even so, net.eth0 (in my case) doesn't change my iptables
> rules.

Another thing I will try is to re-emerge shorewall, put my configuration
back, run shorewall and search for the files which have changed recently.
* Re: [gentoo-user] Setting up a home router
From: Iain Buchanan @ 2007-01-20 2:33 UTC
To: gentoo-user

On Fri, 2007-01-19 at 10:08 +0100, Daniel Pielmeier wrote:
> Another thing I will try is to re-emerge shorewall, put my configuration
> back, run shorewall and search for the files which have changed
> recently.

Good idea. If you have the space you can just `cp -a /etc /etc.old` (only
124M here). Then you can diff them after installing and configuring
shorewall.

HTH,
--
Iain Buchanan <iaindb at netspace dot net dot au>

A newspaper is a circulating library with high blood pressure.
-- Arthur "Bugs" Baer
* Re: [gentoo-user] Setting up a home router
From: Daniel Pielmeier @ 2007-01-20 22:01 UTC
To: gentoo-user

> The only last thing I could suggest is running lsof to see what files
> are being accessed when you start the net.eth1 script.

I tried lsof, but is there a possibility to run it constantly or for a
specified time to catch the complete progress of the script, like the top
command, to monitor all files which are used by this process? As far as I can
see, lsof lists only the current processes and the files used and then it
stops.

> A better option would be `emerge --noconfmem <package>`, which
> essentially re-does all your conf files.

I tried this also but I can't figure out which files could be responsible for
this.

Additionally I tried this: running the init script and then applying this
find command

find / -mount -cmin -1

which lists all the files whose status has changed in the last minute, but
there are no files which could be the reason for the changing of the tables.
I don't know if this command does what I want. I think it lists the files
which are altered and which are accessed. Am I right here?

I used this find command for reinstalling shorewall and setting back the old
settings too, but without success.

This gets a bit frustrating for me now; I always have to reset my iptables
manually after I start my internet connection. Is it possible that there is
no real file causing this trouble?
* Re: [gentoo-user] Setting up a home router
From: Iain Buchanan @ 2007-01-22 0:15 UTC
To: gentoo-user

On Sat, 2007-01-20 at 23:01 +0100, Daniel Pielmeier wrote:
> > The only last thing I could suggest is running lsof to see what files
> > are being accessed when you start the net.eth1 script.
>
> I tried lsof, but is there a possibility to run it constantly or for a
> specified time to catch the complete progress of the script, like the
> top command, to monitor all files which are used by this process? As
> far as I can see, lsof lists only the current processes and the files
> used and then it stops.

Don't know :) Someone else will have to help you there...

> > A better option would be `emerge --noconfmem <package>`, which
> > essentially re-does all your conf files.
>
> I tried this also but I can't figure out which files could be
> responsible for this.

Something like this should do it:

for i in `sudo find /etc -name ._cfg\*`; do
    tkdiff `echo $i | awk '{ sub(/._cfg...._/,""); print }'` $i
done

Replace tkdiff with your favourite.

> Additionally I tried this: running the init script and then applying
> this find command
>
> find / -mount -cmin -1
>
> which lists all the files whose status has changed in the last minute,
> but there are no files which could be the reason for the changing of
> the tables.
> I don't know if this command does what I want. I think it lists the
> files which are altered and which are accessed. Am I right here?

It will list files that have been accessed only if you _don't_ have noatime
in /etc/fstab for that filesystem. noatime says don't update the time when
the file is accessed (but not changed). The default is atime, but a lot of
people use noatime for speed improvements.

> This gets a bit frustrating for me now; I always have to reset my
> iptables manually after I start my internet connection. Is it possible
> that there is no real file causing this trouble?

There must be something, somewhere doing it... Maybe you could join the
shorewall ml and see what they say?

As a workaround, you could add this to /etc/conf.d/net:

postup() {
    if [[ $1 == "eth1" ]] ; then
        /etc/init.d/iptables restart
    fi
}

or something similar. Not the ideal solution, but at least it would do it
automatically.

Sorry I can't help any further :)
--
Iain Buchanan <iaindb at netspace dot net dot au>

Mollison's Bureaucracy Hypothesis:
If an idea can survive a bureaucratic review and be implemented it wasn't
worth doing.
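The `find / -mount -cmin -1` idea in the two messages above is sound in principle but fragile: `-cmin` keys on the inode change time (ctime), which moves on writes, chmod, chown and rename, not on reads, so it works regardless of noatime; the problem is the one-minute window, which misses anything the script did more than a minute before the find ran, or a second after it. The following is an added example, not code from anyone in the thread, that does the same thing with a marker file instead of a clock window: create the marker, run the suspect command, then list every file under a directory whose ctime is newer than the marker. The scratch directory and file names in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: list the files a command created or
# modified, e.g. what an init script rewrites. A marker file is created
# first and find is asked for regular files whose inode change time (ctime)
# is newer than the marker. ctime, unlike mtime, also moves on chmod, chown
# and rename; unlike atime it is not affected by the noatime mount option.
#
# Usage: files_changed_by DIR COMMAND [ARGS...]
#   e.g. files_changed_by /etc /etc/init.d/net.eth1 restart
# Prints matching paths, one per line; returns the command's exit status.
files_changed_by() {
    dir=$1; shift
    marker=$(mktemp "${TMPDIR:-/tmp}/fwmark.XXXXXX") || return 2
    # Many filesystems keep one-second timestamps: wait so that whatever the
    # command touches is strictly newer than the marker.
    sleep 1
    "$@" >/dev/null 2>&1
    rc=$?
    # -cnewer: candidate's ctime is newer than the marker's mtime.
    # -xdev stays on one filesystem, like the thread's find -mount.
    find "$dir" -xdev -type f -cnewer "$marker" | sort
    rm -f "$marker"
    return $rc
}

# Stand-alone demo on a constructed scratch directory: a file that is
# appended to and one that is only chmod'ed are both reported (chmod moves
# ctime but not mtime), while the untouched file is not.
demo_dir=$(mktemp -d "${TMPDIR:-/tmp}/fwdemo.XXXXXX")
echo one   > "$demo_dir/appended"
echo two   > "$demo_dir/chmodded"
echo three > "$demo_dir/untouched"
files_changed_by "$demo_dir" sh -c "echo more >> '$demo_dir/appended'; chmod 640 '$demo_dir/chmodded'"
rm -rf "$demo_dir"
```

Run it against /etc (or / with -xdev) while restarting the interface and the list is short enough to read by hand; an empty list after a rule change is itself a finding, because it means the rules were loaded by a program run from the script rather than read from a file the script rewrote, which is exactly the case lsof would have had to catch in flight.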
* Re: [gentoo-user] Setting up a home router
From: Daniel Pielmeier @ 2007-01-23 22:29 UTC
To: gentoo-user

Hi all,

I solved my problem with the help of the shorewall mailing list.

The shorewall maintainer Tom Eastep helped me with a quick answer. It has
nothing to do with shorewall, so there is no file of shorewall causing this
trouble.

When I set up the internet connection with pppoe-setup I had activated the
FIREWALL=STANDALONE setting in /etc/pppoe.conf. This loads an iptables rule
set which overwrites my custom iptables; this may have also caused my
problems with shorewall.

Nevertheless, thank you all for trying to help me so much.

Daniel
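The resolution above is worth a check that can be run before any future change to the link: snapshot the firewall with `iptables-save` before and after the suspect action and compare only the rules, and read the FIREWALL= line from rp-pppoe's pppoe.conf, since any value other than NONE (STANDALONE here, MASQUERADE being the other one rp-pppoe ships) makes pppoe-start install its own ruleset when the link comes up. The script below is an added example, not code from the thread or from rp-pppoe: `iptables-save` output carries a timestamp in its comments and packet/byte counters on chain headers (and on rules when saved with -c), so a plain diff of two dumps always differs; the normalisation strips exactly those. The sample dumps and the sample pppoe.conf are constructed for the demo; the "after" dump mirrors the rules Daniel reported seeing.

```shell
#!/bin/sh
# Added example, not from the thread or rp-pppoe: (1) compare two
# iptables-save dumps while ignoring their volatile parts, (2) read the
# FIREWALL= setting from an rp-pppoe pppoe.conf. File names and the sample
# data below are constructed for the demo.

# Drop timestamp comments and the [packets:bytes] counters on chain headers
# and (for dumps made with iptables-save -c) on rule lines.
fw_normalize() {
    sed -e '/^#/d' \
        -e 's/^:\([^ ]*\) \([^ ]*\) \[[0-9]*:[0-9]*\]$/:\1 \2/' \
        -e 's/^\[[0-9]*:[0-9]*\] //' "$1"
}

# Exit 0 if the rule sets in two dumps are the same, 1 if they differ
# (printing a unified diff of the normalised rules), 2 if a file is missing.
fw_rules_unchanged() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    a=$(mktemp) && b=$(mktemp) || return 2
    fw_normalize "$1" > "$a"
    fw_normalize "$2" > "$b"
    if cmp -s "$a" "$b"; then rc=0; else diff -u "$a" "$b"; rc=1; fi
    rm -f "$a" "$b"
    return $rc
}

# Print the effective FIREWALL= value of a pppoe.conf: last uncommented
# assignment wins, trailing comments ignored, empty output if absent.
pppoe_firewall_mode() {
    sed -n 's/^[[:space:]]*FIREWALL=\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1
}

# Constructed sample dumps. "before": a stateful ruleset with a block chain
# as in the thread. "same_later": identical rules, moved counters/timestamp.
# "after_pppoe": what a FIREWALL=STANDALONE link start left behind.
sample_before() {
    cat <<'EOF'
# Generated by iptables-save on Wed Jan 17 19:02:00 2007
*filter
:INPUT ACCEPT [120:9000]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [44:3200]
:block - [0:0]
-A INPUT -j block
-A FORWARD -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j block
-A block -m state --state RELATED,ESTABLISHED -j ACCEPT
-A block -m state --state NEW -j ACCEPT
-A block -j DROP
COMMIT
# Completed on Wed Jan 17 19:02:00 2007
EOF
}
sample_same_later() {
    sample_before | sed -e 's/\[120:9000\]/[300:21000]/' -e 's/19:02:00/19:05:30/'
}
sample_after_pppoe() {
    cat <<'EOF'
# Generated by iptables-save on Wed Jan 17 19:06:10 2007
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:block - [0:0]
-A INPUT -p udp -m udp --dport 0:1023 -j DROP
-A INPUT -p tcp -m tcp --dport 0:1023 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A block -m state --state RELATED,ESTABLISHED -j ACCEPT
-A block -m state --state NEW -j ACCEPT
-A block -j DROP
COMMIT
EOF
}

# Stand-alone demo on the constructed samples.
t=$(mktemp -d)
sample_before > "$t/before"; sample_same_later > "$t/later"; sample_after_pppoe > "$t/after"
printf 'FIREWALL=NONE\n# changed by pppoe-setup:\nFIREWALL=STANDALONE\n' > "$t/pppoe.conf"
fw_rules_unchanged "$t/before" "$t/later" && echo "before/later: same rules, only counters moved"
fw_rules_unchanged "$t/before" "$t/after" || echo "before/after: the rule set was replaced"
echo "pppoe.conf FIREWALL=$(pppoe_firewall_mode "$t/pppoe.conf")"
rm -rf "$t"
```

On the real box the two dumps are `iptables-save > before; /etc/init.d/net.eth1 restart; iptables-save > after`, and the diff names the exact chains and rules that were swapped, which is far more to go on than an `iptables -L` listing read by eye. Checking pppoe.conf is the cheap half: FIREWALL=NONE is what you want when your own rules (or shorewall) own the firewall.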
* Re: [gentoo-user] Setting up a home router
From: Shawn Singh @ 2007-01-26 19:42 UTC
To: gentoo-user

Daniel,

Would it be ok for me to email you off list to get some help with a new
setup of Shorewall that I did?

Thanks,

Shawn

On 1/23/07, Daniel Pielmeier <daniel.pielmeier@googlemail.com> wrote:
>
> Hi all,
>
> I solved my problem with the help of the shorewall mailing list.
>
> The shorewall maintainer Tom Eastep helped me with a quick answer.
> It has nothing to do with shorewall, so there is no file of shorewall
> causing this trouble.
> When I set up the internet connection with pppoe-setup I had activated
> the FIREWALL=STANDALONE setting in /etc/pppoe.conf. This loads an
> iptables rule set which overwrites my custom iptables; this may have
> also caused my problems with shorewall.
>
> Nevertheless thank you all for trying to help me so much.
>
> Daniel
> --
> gentoo-user@gentoo.org mailing list
>
>

--
"Most problems go away if you just wait long enough. It might look like
I'm standing motionless but I'm actively waiting for our problems to go
away. I don't know why this works but it does."
		Scott Adams, Dilbert comic
* Re: [gentoo-user] Setting up a home router
From: Daniel Pielmeier @ 2007-01-27 22:00 UTC
To: gentoo-user

> Would it be ok for me to email you off list to get some help with a new
> setup of Shorewall that I did?

It would be, but I am not sure if I can help you, because I have dropped
shorewall and I am no firewall expert. I would suggest you look at the
shorewall guides on the shorewall homepage; they explain some custom
settings very well! Then if you have problems, post them on the shorewall
mailing list. The shorewall maintainer himself is very active and does a
good job on this list.

Regards,

Daniel
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] Setting up a home router
From: Dale @ 2007-01-19 4:06 UTC
To: gentoo-user

Iain Buchanan wrote:
>
> Is there a /etc/shorewall directory? Perhaps someone who has it
> installed could do `equery files shorewall` so you could check that it
> really is deleted.
>
> Well, these ideas are really stabbing in the dark, but you gotta start
> somewhere!
>
> HTH,
>

Here you go:

> root@smoker / # equery files shorewall
> [ Searching for packages matching shorewall... ]
> * Contents of net-firewall/shorewall-3.0.8:
> /etc
> /etc/init.d
> /etc/init.d/shorewall
> /etc/shorewall
> /etc/shorewall/Makefile
> /etc/shorewall/accounting
> /etc/shorewall/actions
> /etc/shorewall/blacklist
> /etc/shorewall/continue
> /etc/shorewall/ecn
> /etc/shorewall/hosts
> /etc/shorewall/init
> /etc/shorewall/initdone
> /etc/shorewall/interfaces
> /etc/shorewall/ipsec
> /etc/shorewall/maclist
> /etc/shorewall/masq
> /etc/shorewall/modules
> /etc/shorewall/nat
> /etc/shorewall/netmap
> /etc/shorewall/params
> /etc/shorewall/policy
> /etc/shorewall/providers
> /etc/shorewall/proxyarp
> /etc/shorewall/routestopped
> /etc/shorewall/rules
> /etc/shorewall/shorewall.conf
> /etc/shorewall/start
> /etc/shorewall/started
> /etc/shorewall/stop
> /etc/shorewall/stopped
> /etc/shorewall/tcclasses
> /etc/shorewall/tcdevices
> /etc/shorewall/tcrules
> /etc/shorewall/tos
> /etc/shorewall/tunnels
> /etc/shorewall/zones
> /sbin
> /sbin/shorewall
> /usr
> /usr/share
> /usr/share/doc
> /usr/share/doc/shorewall-3.0.8
> /usr/share/doc/shorewall-3.0.8/Samples
> /usr/share/doc/shorewall-3.0.8/Samples/LICENSE
> /usr/share/doc/shorewall-3.0.8/Samples/README.txt
> /usr/share/doc/shorewall-3.0.8/Samples/one-interface
> /usr/share/doc/shorewall-3.0.8/Samples/one-interface/README.txt
> /usr/share/doc/shorewall-3.0.8/Samples/one-interface/interfaces
> /usr/share/shorewall/macro.AllowICMPs
> /usr/share/shorewall/macro.Amanda
> /usr/share/shorewall/macro.Auth
> /usr/share/shorewall/macro.BitTorrent
> /usr/share/shorewall/macro.CVS
> /usr/share/shorewall/macro.DNS
> /usr/share/shorewall/macro.Distcc
> /usr/share/shorewall/macro.DropDNSrep
> /usr/share/shorewall/macro.DropUPnP
> /usr/share/shorewall/macro.Edonkey
> /usr/share/shorewall/macro.FTP
> /usr/share/shorewall/macro.Gnutella
> /usr/share/shorewall/macro.ICQ
> /usr/share/shorewall/macro.IMAP
> /usr/share/shorewall/macro.LDAP
> /usr/share/shorewall/macro.MySQL
> /usr/share/shorewall/macro.NNTP
> /usr/share/shorewall/macro.NTP
> /usr/share/shorewall/macro.NTPbrd
> /usr/share/shorewall/macro.PCA
> /usr/share/shorewall/macro.POP3
> /usr/share/shorewall/macro.Ping
> /usr/share/shorewall/macro.PostgreSQL
> /usr/share/shorewall/macro.Rdate
> /usr/share/shorewall/macro.Rsync
> /usr/share/shorewall/macro.SMB
> /usr/share/shorewall/macro.SMBswat
> /usr/share/shorewall/macro.SMTP
> /usr/share/shorewall/macro.SNMP
> /usr/share/shorewall/macro.SPAMD
> /usr/share/shorewall/macro.SSH
> /usr/share/shorewall/macro.SVN
> /usr/share/shorewall/macro.Submission
> /usr/share/shorewall/macro.Syslog
> /usr/share/shorewall/macro.Telnet
> /usr/share/shorewall/macro.Trcrt
> /usr/share/shorewall/macro.VNC
> /usr/share/shorewall/macro.VNCL
> /usr/share/shorewall/macro.Web
> /usr/share/shorewall/macro.Webmin
> /usr/share/shorewall/macro.template
> /usr/share/shorewall/rfc1918
> /usr/share/shorewall/version
> /var
> /var/lib
> /var/lib/shorewall
> /var/lib/shorewall/.keep_net-firewall_shorewall-0
> root@smoker / #

Hope that helps.

Dale

:-) :-) :-) :-)

--
www.myspace.com/dalek1967
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] Setting up a home router
From: Iain Buchanan @ 2007-01-16 23:40 UTC
To: gentoo-user

On Tue, 2007-01-16 at 13:10 +0100, Daniel Pielmeier wrote:

> I haven't found a how-to like this. Do you know a good how-to?

for linux howto's, I highly recommend tldp:
http://tldp.org/HOWTO/HOWTO-INDEX/networking.html#NETROUTING

try the Masquerading-Simple-HOWTO.

HTH,
--
Iain Buchanan <iaindb at netspace dot net dot au>

No woman can call herself free until she can choose consciously whether
she will or will not be a mother.
		-- Margaret H. Sanger
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] Setting up a home router
From: Daniel Iliev @ 2007-01-16 5:43 UTC
To: gentoo-user

Again the quick & dirty solution:

/etc/init.d/iptables stop
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
/etc/init.d/iptables save
rc-update -a iptables default
/etc/init.d/iptables start

--
Best regards,
Daniel
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] Setting up a home router
From: Hans-Werner Hilse @ 2007-01-15 10:26 UTC
To: gentoo-user

Hi,

On Sun, 14 Jan 2007 20:27:11 +0100
"Daniel Pielmeier" <daniel.pielmeier@googlemail.com> wrote:

> I can connect from the router to the internet.
> I can log in from the router to the desktop per ssh and back.
> I have set up an rsync on the router and rsync works from the desktop.
> I have set up dnsmasq on the server and dns is working on the desktop.
> I can ping between router and desktop and from the router to the
> internet
> [...]
> I can't ping from the desktop to the internet.

OK, so forwarding is broken.

> route
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> dslb-088-067-01 *               255.255.255.255 UH    0      0        0 ppp0
> localhost       *               255.255.255.0   U     0      0        0 eth0
> loopback        *               255.0.0.0       U     0      0        0 lo
> default         dslb-088-067-01 0.0.0.0         UG    0      0        0 ppp0

Looking at this, I wouldn't even expect it to work at all, since the
only route via eth0 is for "localhost". But since you can connect
between router and desktop, I think you borked your /etc/hosts.
"localhost" clearly doesn't seem to be assigned to 127.0.0.1. So fix
your hostnames!

This here:

> /etc/hosts
>
> 127.0.0.1 localhost
> 192.168.0.1 gentoo-vdr.linux gentoo-vdr
> 192.168.0.2 gentoo.linux gentoo
> ::1 localhost

just can't be true if the routes above are the complete routes and you
can connect to your desktop from the router.

Another option than /etc/hosts may be a seriously broken dnsmasq config.

> > For those who are not familiar with shorewall here are the
> > generated iptables on the router.
> > iptables -L -t filter
> >
> > Chain FORWARD (policy DROP)
> > target     prot opt source               destination

Empty FORWARD chain and policy DROP means everything not going to the
router itself is gonna be dropped.

Note that you made yourself a hard time since there's DROP and REJECT
(built-in targets) and you also reference "Drop", "drop", "Reject" and
"reject" targets. I never used shorewall, but if that naming is from
them, they are clearly freaks.

-hwh
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] Setting up a home router
From: Daniel Pielmeier @ 2007-01-15 10:45 UTC
To: gentoo-user

> > route
> >
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > dslb-088-067-01 *               255.255.255.255 UH    0      0        0 ppp0
> > localhost       *               255.255.255.0   U     0      0        0 eth0
> > loopback        *               255.0.0.0       U     0      0        0 lo
> > default         dslb-088-067-01 0.0.0.0         UG    0      0        0 ppp0
>
> Looking at this, I wouldn't even expect it to work at all, since the
> only route via eth0 is for "localhost". But since you can connect
> between router and desktop, I think you borked your /etc/hosts.
> "localhost" clearly doesn't seem to be assigned to 127.0.0.1. So fix
> your hostnames!
>
> This here:
>
> > /etc/hosts
> >
> > 127.0.0.1 localhost
> > 192.168.0.1 gentoo-vdr.linux gentoo-vdr
> > 192.168.0.2 gentoo.linux gentoo
> > ::1 localhost

I think localhost is assigned to 127.0.0.1, or did I misunderstand
something?

> just can't be true if the routes above are the complete routes and you
> can connect to your desktop from the router.

I can connect from router to desktop and back, ping and ssh are working,
I can connect to the internet from the router, but I couldn't do this
from the desktop.

> Another option than /etc/hosts may be a seriously broken dnsmasq config.

I will post the config when I am back.

> > > For those who are not familiar with shorewall here are the
> > > generated iptables on the router.
> >
> > iptables -L -t filter
> >
> > Chain FORWARD (policy DROP)
> > target     prot opt source               destination
>
> Empty FORWARD chain and policy DROP means everything not going to the
> router itself is gonna be dropped.
>
> Note that you made yourself a hard time since there's DROP and REJECT
> (built-in targets) and you also reference "Drop", "drop", "Reject" and
> "reject" targets.
> I never used shorewall, but if that naming is from
> them, they are clearly freaks.

The whole iptables config is generated by shorewall; I recognised these
different namings too.
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] Setting up a home router
From: Hans-Werner Hilse @ 2007-01-15 11:04 UTC
To: gentoo-user

Hi,

On Mon, 15 Jan 2007 11:45:13 +0100
"Daniel Pielmeier" <daniel.pielmeier@googlemail.com> wrote:

> > This here:
> >
> > > /etc/hosts
> > >
> > > 127.0.0.1 localhost
> > > 192.168.0.1 gentoo-vdr.linux gentoo-vdr
> > > 192.168.0.2 gentoo.linux gentoo
> > > ::1 localhost
>
> I think localhost is assigned to 127.0.0.1, or did I misunderstand
> something?

No, that's (usually) correct. But in the route excerpt you've cited
above (please post "route -n" next time!) the route for "localhost" was
set to "dev eth0". Also, the subnet was a /24 one, instead of the
usual /8 for localhost. So there's some inconsistency between that file
and the routes. The /etc/hosts you've shown looks good, please post
dnsmasq's config.

> the whole iptables config is generated by shorewall, I recognised these
> different namings too.

Hm, OK, you're sure the tables were empty and Gentoo's iptables save
feature doesn't somehow get in your way? But anyway, the NAT/forwarding
can't work for the reason I mentioned (empty FORWARD chain and DROP
policy).

-hwh
--
gentoo-user@gentoo.org mailing list
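Hans-Werner's diagnosis in these two posts (a FORWARD chain with policy DROP and nothing in it, plus the NAT that has to go with forwarding) can be turned into a check that runs against an iptables-save dump instead of eyeballing iptables -L. This is an added example, not from the thread or from shorewall; the two dumps are constructed, one resembling the router's state in the thread and one the minimal working ruleset, and the ppp0/eth0 interface names are those from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from shorewall: audit an iptables-save
# dump for the two things that stop a NAT router from forwarding LAN traffic:
#   1. filter/FORWARD has policy DROP and no rules, so every packet that is
#      not addressed to the router itself is dropped;
#   2. nat/POSTROUTING has no MASQUERADE (or SNAT) for the uplink, so LAN
#      source addresses would leave unchanged and never see a reply.
# On the router: iptables-save > /tmp/now.rules && audit_ruleset /tmp/now.rules ppp0

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Policy of CHAIN in TABLE, read from the ":CHAIN POLICY [p:b]" header line.
chain_policy() {   # dump table chain
    awk -v t="*$2" -v c=":$3" '
        $0 == t         { in_t = 1; next }
        /^\*/           { in_t = 0 }
        in_t && $1 == c { print $2; exit }' "$1"
}

# Number of "-A CHAIN ..." rules in TABLE.
chain_rule_count() {   # dump table chain
    awk -v t="*$2" -v c="$3" '
        $0 == t                       { in_t = 1; next }
        /^\*/                         { in_t = 0 }
        in_t && $1 == "-A" && $2 == c { n++ }
        END                           { print n + 0 }' "$1"
}

# Exit 0 if nat/POSTROUTING masquerades or SNATs traffic leaving via UPLINK.
has_nat_for_uplink() {   # dump uplink
    awk -v dev="$2" '
        $0 == "*nat" { in_t = 1; next }
        /^\*/        { in_t = 0 }
        in_t && $1 == "-A" && $2 == "POSTROUTING" &&
            index($0, " -o " dev " ") && $0 ~ /-j (MASQUERADE|SNAT)/ { found = 1; exit }
        END { exit found ? 0 : 1 }' "$1"
}

# Print findings; return the number of problems (0 means forwarding can work).
audit_ruleset() {   # dump uplink
    dump=$1; uplink=${2:-ppp0}; problems=0
    policy=$(chain_policy "$dump" filter FORWARD)
    rules=$(chain_rule_count "$dump" filter FORWARD)
    if [ "$policy" = "DROP" ] && [ "$rules" -eq 0 ]; then
        echo "FAIL: filter FORWARD is policy DROP with an empty chain - nothing is forwarded"
        problems=$((problems + 1))
    fi
    if ! has_nat_for_uplink "$dump" "$uplink"; then
        echo "FAIL: nat POSTROUTING has no MASQUERADE/SNAT for -o $uplink"
        problems=$((problems + 1))
    fi
    # the dump cannot show this one; the kernel knob must be on as well
    if [ -r /proc/sys/net/ipv4/ip_forward ] && [ "$(cat /proc/sys/net/ipv4/ip_forward)" != 1 ]; then
        echo "WARN: net.ipv4.ip_forward is 0 on this host"
    fi
    [ "$problems" -eq 0 ] && echo "OK: FORWARD policy $policy with $rules rule(s); NAT present for $uplink"
    return "$problems"
}

# Constructed: the router's state in the thread as an iptables-save dump -
# FORWARD policy DROP with no rules, and no NAT at all.
cat > "$WORK/broken.rules" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -j ACCEPT
COMMIT
EOF

# Constructed: the minimal working counterpart. FORWARD keeps DROP as default,
# LAN -> ppp0 is allowed explicitly, only replies come back, and POSTROUTING
# masquerades what leaves via ppp0.
cat > "$WORK/fixed.rules" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -j ACCEPT
-A FORWARD -i eth0 -o ppp0 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF

echo "== broken =="; audit_ruleset "$WORK/broken.rules" ppp0 || echo "-> $? problem(s)"
echo "== fixed ==";  audit_ruleset "$WORK/fixed.rules" ppp0 || echo "-> $? problem(s)"
```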
* Re: [gentoo-user] Setting up a home router
From: Daniel Pielmeier @ 2007-01-15 11:18 UTC
To: gentoo-user

> > I think localhost is assigned to 127.0.0.1, or did I misunderstand
> > something?
>
> No, that's (usually) correct. But in the route excerpt you've cited
> above (please post "route -n" next time!) the route for "localhost" was
> set to "dev eth0". Also, the subnet was a /24 one, instead of the
> usual /8 for localhost. So there's some inconsistency between that file
> and the routes. The /etc/hosts you've shown looks good, please post
> dnsmasq's config.

I will do that in the evening.

> > the whole iptables config is generated by shorewall, I recognised these
> > different namings too.
>
> Hm, OK, you're sure the tables were empty and Gentoo's iptables save
> feature doesn't somehow get in your way? But anyway, the NAT/forwarding
> can't work for the reason I mentioned (empty FORWARD chain and DROP
> policy).

Yes, I think they were empty; when I stop shorewall, "iptables -L" just
gives me empty tables. Also I never used iptables directly.
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] Setting up a home router
From: Daniel Pielmeier @ 2007-01-15 18:23 UTC
To: gentoo-user

> > I think localhost is assigned to 127.0.0.1, or did I misunderstand
> > something?
>
> No, that's (usually) correct. But in the route excerpt you've cited
> above (please post "route -n" next time!) the route for "localhost" was
> set to "dev eth0". Also, the subnet was a /24 one, instead of the
> usual /8 for localhost. So there's some inconsistency between that file
> and the routes. The /etc/hosts you've shown looks good, please post
> dnsmasq's config.

Here are the files you have requested!

route -n on desktop

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0

route -n on router

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
88.67.16.1      0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         88.67.16.1      0.0.0.0         UG    0      0        0 ppp0

dnsmasq.conf on router

# Configuration file for dnsmasq.
#
# Format is one option per line, legal options are the same
# as the long options legal on the command line. See
# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.

# The following two options make you a better netizen, since they
# tell dnsmasq to filter out queries which the public DNS cannot
# answer, and which load the servers (especially the root servers)
# uneccessarily. If you have a dial-on-demand link they also stop
# these requests from bringing up the link uneccessarily.
# Never forward plain names (without a dot or domain part)
domain-needed
# Never forward addresses in the non-routed address spaces.
bogus-priv

# Uncomment this to filter useless windows-originated DNS requests
# which can trigger dial-on-demand links needlessly.
# Note that (amongst other things) this blocks all SRV requests,
# so don't use it if you use eg Kerberos.
# This option only affects forwarding, SRV records originating for
# dnsmasq (via srv-host= lines) are not suppressed by it.
#filterwin2k

# Change this line if you want dns to get its upstream servers from
# somewhere other that /etc/resolv.conf
#resolv-file=

# By default, dnsmasq will send queries to any of the upstream
# servers it knows about and tries to favour servers to are known
# to be up. Uncommenting this forces dnsmasq to try each query
# with each server strictly in the order they appear in
# /etc/resolv.conf
#strict-order

# If you don't want dnsmasq to read /etc/resolv.conf or any other
# file, getting its servers from this file instead (see below), then
# uncomment this
#no-resolv

# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
# files for changes and re-read them then uncomment this.
#no-poll

# Add other name servers here, with domain specs if they are for
# non-public domains.
#server=/localnet/192.168.0.1

# Add local-only domains here, queries in these domains are answered
# from /etc/hosts or DHCP only.
#local=/localnet/

# Add domains which you want to force to an IP address here.
# The example below send any host in doubleclick.net to a local
# webserver.
#address=/doubleclick.net/127.0.0.1

# If you want dnsmasq to change uid and gid to something other
# than the default, edit the following lines.
#user=
#group=

# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
interface=eth0 # Or you can specify which interface _not_ to listen on #except-interface= # Or which to listen on by address (remember to include 127.0.0.1 if # you use this.) #listen-address= # If you want dnsmasq to provide only DNS service on an interface, # configure it as shown above, and then use the following line to # disable DHCP on it. #no-dhcp-interface= # On systems which support it, dnsmasq binds the wildcard address, # even when it is listening on only some interfaces. It then discards # requests that it shouldn't reply to. This has the advantage of # working even when interfaces come and go and change address. If you # want dnsmasq to really bind only the interfaces it is listening on, # uncomment this option. About the only time you may need this is when # running another nameserver on the same machine. #bind-interfaces # If you don't want dnsmasq to read /etc/hosts, uncomment the # following line. #no-hosts # or if you want it to read another file, as well as /etc/hosts, use # this. #addn-hosts=/etc/banner_add_hosts # Set this (and domain: see below) if you want to have a domain # automatically added to simple names in a hosts-file. #expand-hosts # Set the domain for dnsmasq. this is optional, but if it is set, it # does the following things. # 1) Allows DHCP hosts to have fully qualified domain names, as long # as the domain part matches this setting. # 2) Sets the "domain" DHCP option thereby potentially setting the # domain of all systems configured by DHCP # 3) Provides the domain part for "expand-hosts" #domain=thekelleys.org.uk # Uncomment this to enable the integrated DHCP server, you need # to supply the range of addresses available for lease and optionally # a lease time. If you have more than one network, you will need to # repeat this for each network on which you want to supply DHCP # service. dhcp-range=192.168.0.1,192.168.0.255,72h # This is an example of a DHCP range where the netmask is given. 
This # is needed for networks we reach the dnsmasq DHCP server via a relay # agent. If you don't know what a DHCP relay agent is, you probably # don't need to worry about this. #dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h # This is an example of a DHCP range with a network-id, so that # some DHCP options may be set only for this network. #dhcp-range=red,192.168.0.50,192.168.0.150 # Supply parameters for specified hosts using DHCP. There are lots # of valid alternatives, so we will give examples of each. Note that # IP addresses DO NOT have to be in the range given above, they just # need to be on the same network. The order of the parameters in these # do not matter, it's permissble to give name,adddress and MAC in any order # Always allocate the host with ethernet address 11:22:33:44:55:66 # The IP address 192.168.0.60 #dhcp-host=11:22:33:44:55:66,192.168.0.60 # Always set the name of the host with hardware address # 11:22:33:44:55:66 to be "fred" #dhcp-host=11:22:33:44:55:66,fred # Always give the host with ethernet address 11:22:33:44:55:66 # the name fred and IP address 192.168.0.60 and lease time 45 minutes #dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m # Give the machine which says it's name is "bert" IP address # 192.168.0.70 and an infinite lease #dhcp-host=bert,192.168.0.70,infinite # Always give the host with client identifier 01:02:02:04 # the IP address 192.168.0.60 #dhcp-host=id:01:02:02:04,192.168.0.60 # Always give the host with client identifier "marjorie" # the IP address 192.168.0.60 #dhcp-host=id:marjorie,192.168.0.60 # Enable the address given for "judge" in /etc/hosts # to be given to a machine presenting the name "judge" when # it asks for a DHCP lease. #dhcp-host=judge # Never offer DHCP service to a machine whose ethernet # address is 11:22:33:44:55:66 #dhcp-host=11:22:33:44:55:66,ignore # Ignore any client-id presented by the machine with ethernet # address 11:22:33:44:55:66. 
This is useful to prevent a machine # being treated differently when running under different OS's or # between PXE boot and OS boot. #dhcp-host=11:22:33:44:55:66,id:* # Send extra options which are tagged as "red" to # the machine with ethernet address 11:22:33:44:55:66 #dhcp-host=11:22:33:44:55:66,net:red # Send extra options which are tagged as "red" to # any machine with ethernet address starting 11:22:33: #dhcp-host=11:22:33:*:*:*,net:red # Send extra options which are tagged as "red" to any machine whose # DHCP vendorclass string includes the substring "Linux" #dhcp-vendorclass=red,Linux # Send extra options which are tagged as "red" to any machine one # of whose DHCP userclass strings includes the substring "accounts" #dhcp-userclass=red,accounts # Send extra options which are tagged as "red" to any machine whose # MAC address matches the pattern. #dhcp-mac=red,00:60:8C:*:*:* # If this line is uncommented, dnsmasq will read /etc/ethers and act # on the ethernet-address/IP pairs found there just as if they had # been given as --dhcp-host options. Useful if you keep # MAC-address/host mappings there for other purposes. #read-ethers # Send options to hosts which ask for a DHCP lease. # See RFC 2132 for details of available options. # Note that all the common settings, such as netmask and # broadcast address, DNS server and default route, are given # sane defaults by dnsmasq. You very likely will not need any # any dhcp-options. If you use Windows clients and Samba, there # are some options which are recommended, they are detailed at the # end of this section. # For reference, the common options are: # subnet mask - 1 # default router - 3 # DNS server - 6 # broadcast address - 28 # Override the default route supplied by dnsmasq, which assumes the # router is the same machine as the one running dnsmasq. 
#dhcp-option=3,1.2.3.4 # Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5 #dhcp-option=42,192.168.0.4,10.10.0.5 # Set the NTP time server address to be the same machine as # is running dnsmasq #dhcp-option=42,0.0.0.0 # Set the NIS domain name to "welly" #dhcp-option=40,welly # Set the default time-to-live to 50 #dhcp-option=23,50 # Set the "all subnets are local" flag #dhcp-option=27,1 # Send the etherboot magic flag and then etherboot options (a string). #dhcp-option=128,e4:45:74:68:00:00 #dhcp-option=129,NIC=eepro100 # Specify an option which will only be sent to the "red" network # (see dhcp-range for the declaration of the "red" network) #dhcp-option=red,42,192.168.1.1 # The following DHCP options set up dnsmasq in the same way as is specified # for the ISC dhcpcd in # http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt # adapted for a typical dnsmasq installation where the host running # dnsmasq is also the host running samba. # you may want to uncomment them if you use Windows clients and Samba. #dhcp-option=19,0 # option ip-forwarding off #dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s) #dhcp-option=45,0.0.0.0 # netbios datagram distribution server #dhcp-option=46,8 # netbios node type #dhcp-option=47 # empty netbios scope. # Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client # probably doesn't support this...... #dhcp-option=119,eng.apple.com,marketing.apple.com # Send RFC-3442 classless static routes (note the netmask encoding) #dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8 # Send encapsulated vendor-class specific options. The vendor-class # is sent as DHCP option 60, and all the options marked with the # vendor class are send encapsulated in DHCP option 43. The meaning of # the options is defined by the vendor-class. 
This example sets the # mtftp address to 0.0.0.0 for PXEClients #dhcp-option=vendor:PXEClient,1,0.0.0.0 # Set the boot filename and tftpd server name and address # for BOOTP. You will only need this is you want to # boot machines over the network. #dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3 # Set the limit on DHCP leases, the default is 150 #dhcp-lease-max=150 # The DHCP server needs somewhere on disk to keep its lease database. # This defaults to a sane location, but if you want to change it, use # the line below. #dhcp-leasefile=/var/lib/misc/dnsmasq.leases # Set the DHCP server to authoritative mode. In this mode it will barge in # and take over the lease for any client which broadcasts on the network, # whether it has a record of the lease or not. This avoids long timeouts # when a machine wakes up on a new network. DO NOT enable this if there's # the slighest chance that you might end up accidentally configuring a DHCP # server for your campus/company accidentally. The ISC server uses the same # the same option, and this URL provides more information: # http://www.isc.org/index.pl?/sw/dhcp/authoritative.php #dhcp-authoritative # Run an executable when a DHCP lease is created or destroyed. # The arguments sent to the script are "add" or "del", # then the MAC address, the IP address and finally the hostname # if there is one. #dhcp-script=/bin/echo # Set the cachesize here. #cache-size=150 # If you want to disable negative caching, uncomment this. #no-negcache # Normally responses which come form /etc/hosts and the DHCP lease # file have Time-To-Live set as zero, which conventionally means # do not cache further. If you are happy to trade lower load on the # server for potentially stale date, you can set a time-to-live (in # seconds) here. 
#local-ttl= # If you want dnsmasq to detect attempts by Verisign to send queries # to unregistered .com and .net hosts to its sitefinder service and # have dnsmasq instead return the correct NXDOMAIN response, uncomment # this line. You can add similar lines to do the same for other # registries which have implemented wildcard A records. #bogus-nxdomain=64.94.110.11 # If you want to fix up DNS results from upstream servers, use the # alias option. This only works for IPv4. # This alias makes a result of 1.2.3.4 appear as 5.6.7.8 #alias=1.2.3.4,5.6.7.8 # and this maps 1.2.3.x to 5.6.7.x #alias=1.2.3.0,5.6.7.0,255.255.255.0 # Change these lines if you want dnsmasq to serve MX records. # Return an MX record named "maildomain.com" with target # servermachine.com and preference 50 #mx-host=maildomain.com,servermachine.com,50 # Set the default target for MX records created using the localmx option. #mx-target=servermachine.com # Return an MX record pointing to the mx-target for all local # machines. #localmx # Return an MX record pointing to itself for all local machines. #selfmx # Change the following lines if you want dnsmasq to serve SRV # records. These are useful if you want to serve ldap requests for # Active Directory and other windows-originated DNS requests. # See RFC 2782. # You may add multiple srv-host lines. # The fields are <name>,<target>,<port>,<priority>,<weight> # If the domain part if missing from the name (so that is just has the # service and protocol sections) then the domain given by the domain= # config option is used. (Note that expand-hosts does not need to be # set for this to work.) 
# A SRV record sending LDAP for the example.com domain to # ldapserver.example.com port 289 #srv-host=_ldap._tcp.example.com,ldapserver.example.com,389 # A SRV record sending LDAP for the example.com domain to # ldapserver.example.com port 289 (using domain=) #domain=example.com #srv-host=_ldap._tcp,ldapserver.example.com,389 # Two SRV records for LDAP, each with different priorities #srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1 #srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2 # A SRV record indicating that there is no LDAP server for the domain # example.com #srv-host=_ldap._tcp.example.com # Change the following lines to enable dnsmasq to serve TXT records. # These are used for things like SPF and zeroconf. (Note that the # domain-name expansion done for SRV records _does_not # occur for TXT records.) #Example SPF. #txt-record=example.com,v=spf1 a -all #Example zeroconf #txt-record=_http._tcp.example.com,name=value,paper=A4 # For debugging purposes, log each DNS query as it passes through # dnsmasq. #log-queries # Include a another lot of configuration options. #conf-file=/etc/dnsmasq.more.conf -- gentoo-user@gentoo.org mailing list ^ permalink raw reply [flat|nested] 55+ messages in thread
* Re: [gentoo-user] Setting up a home router
From: Daniel Pielmeier @ 2007-01-15 18:42 UTC
To: gentoo-user

Another thing that makes me wonder is that the home router guide did not
mention anything about name_servers or gateways. According to the guide
this line seems to be enough:

config_eth0=( "192.168.0.2 broadcast 192.168.0.255 netmask 255.255.255.0" )

But without the routes setting I get "network unreachable" when I try to
ping:

routes_eth0=( "default via 192.168.0.1" )

and without the dns_servers setting the IP addresses are not resolved:

dns_servers_eth0=( "192.168.0.1" )

I have also seen the gateways setting in my searches. What is the right
one, routes or gateways, or what is the difference?

gateways_eth0="192.168.0.1"

-- 
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] Setting up a home router
From: Hans-Werner Hilse @ 2007-01-15 22:55 UTC
To: gentoo-user

Hi,

On Mon, 15 Jan 2007 19:23:53 +0100
"Daniel Pielmeier" <daniel.pielmeier@googlemail.com> wrote:

> > No, that's (usually) correct. But in the route excerpt you've cited
> > above (please post "route -n" next time!) the route for "localhost" was
> > set to "dev eth0". Also, the subnet was a /24 one, instead of the
> > usual /8 for localhost. So there's some inconsistency between that file
> > and the routes. The /etc/hosts you've shown looks good, please post
> > dnsmasq's config.
>
> Here are the files you have requested!
>
> route -n on router
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 88.67.16.1      0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
> 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         88.67.16.1      0.0.0.0         UG    0      0        0 ppp0

Ah, OK, so *this* is fine. The route for eth0 is correct. So it's just
the name resolving on the router that returns "localhost" when being
asked for the hostname for 192.168.0.1. Since all of this isn't about
name resolving, we probably can even leave out that dnsmasq thingy. But
your config is essentially this:

> interface=eth0
> dhcp-range=192.168.0.1,192.168.0.255,72h

If this is supposed to work, choose another beginning of that range, at
least 192.168.0.2. But I think dnsmasq is even clever enough not to
issue its own address to clients.

I'll write a separate post about the firewalling issues in a moment.

-hwh

-- 
gentoo-user@gentoo.org mailing list
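The dhcp-range problem raised above (a pool starting at the router's own address and, as posted, running up to the broadcast address) can be caught mechanically before dnsmasq is started. The script below is an added example, not code from the thread or from dnsmasq: it parses dhcp-range= lines from a config and checks each pool against the interface it is served on, assumed here to be eth0 at 192.168.0.1/24 as in the router's ifconfig output.

```python
"""Check dnsmasq dhcp-range pools against the interface they are served on."""
import ipaddress

# Constructed sample: the active options from the dnsmasq.conf posted above.
POSTED_CONF = """\
domain-needed
bogus-priv
interface=eth0
dhcp-range=192.168.0.1,192.168.0.255,72h
"""


def parse_dhcp_ranges(conf_text):
    """Return (start, end) address pairs from every dhcp-range= line.

    Handles 'start,end[,netmask][,lease]'; in the tagged form the leading
    tag is dropped because it does not parse as an address.
    """
    pools = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("dhcp-range="):
            continue
        fields = [f.strip() for f in line[len("dhcp-range="):].split(",")]
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            fields = fields[1:]  # first field was a tag such as "red"
        try:
            pools.append((ipaddress.ip_address(fields[0]),
                          ipaddress.ip_address(fields[1])))
        except (ValueError, IndexError):
            continue  # keyword forms without two addresses are not pools
    return pools


def check_pool(start, end, iface_cidr):
    """List the problems with one pool on the serving interface, given as
    the server's own address with prefix, e.g. "192.168.0.1/24" (eth0)."""
    iface = ipaddress.ip_interface(iface_cidr)
    net = iface.network
    if start > end:
        return ["range start is above range end"]
    if start not in net or end not in net:
        return [f"pool is not inside {net}"]
    problems = []
    for label, addr in (("the network address", net.network_address),
                        ("the broadcast address", net.broadcast_address),
                        ("the DHCP server's own address", iface.ip)):
        if start <= addr <= end:
            problems.append(f"pool includes {label} {addr}")
    return problems


def audit(conf_text, iface_cidr):
    """Map each pool ("start-end") to its list of problems."""
    return {f"{s}-{e}": check_pool(s, e, iface_cidr)
            for s, e in parse_dhcp_ranges(conf_text)}


if __name__ == "__main__":
    for pool, probs in audit(POSTED_CONF, "192.168.0.1/24").items():
        print(pool, "OK" if not probs else "; ".join(probs))
```

Run against the posted config it reports both the broadcast address and the server's own address inside the pool; a pool of 192.168.0.2 to 192.168.0.254 passes cleanly.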