From: Dale
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Setting up a home router
Date: Mon, 15 Jan 2007 19:37:30 -0600
Message-ID: <45AC2C5A.3010701@exceedtech.net>
In-Reply-To: <20070116014049.031f8e0f.hilse@web.de>
Hans-Werner Hilse wrote:
> Hi,
>
> On Tue, 16 Jan 2007 00:30:30 +0100
> "Daniel Pielmeier" wrote:
>
>>> - is forwarding actually really enabled? Just "cat" the
>>> relevant /proc/sys/net/ipv4/ip_forward.
>>>
>> cat /proc/sys/net/ipv4/ip_forward
>> returns 1
>>
>>> So remaining things to check would be
>>> - where do packets do what? Use "tcpdump" on the router to monitor
>>> how packets flow. Don't cite all the output, but look at where
>>> packets are coming and going. Two terminals with "tcpdump -i eth0"
>>> and "tcpdump -i ppp0" would tell you that. Send a few pings from the
>>> desktop to the internet. Also try pinging an IP from the desktop, not
>>> just hostnames (to rule out nameserver borkage).
>>>
>> Here is what tcpdump returns!
>> [...]
>>
>
> That's what I wanted to avoid with asking for not citing everything :-)
>
> But everything looks quite normal, except for that packets aren't
> routed. So it's up to somebody else to tell exactly what that "policy"
> module in iptables does -- and how. I don't have answers left here --
> except for the case that a manual iptables setup is sufficient.
>
> Personally, I'm quite happy with
>
> $ iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> $ iptables -A FORWARD -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $ iptables -A FORWARD -i ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> for the forwarding. All that fancy-schmanzy stuff that shorewall does
> isn't in there, granted.
>
> -hwh

Well, I got lucky. I'm not real sure what I did to be honest. Here is my
main box that is connected to the net:

root@smoker / # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
nas2.greenwood1 *               255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         nas2.greenwood1 0.0.0.0         UG    0      0        0 ppp0
root@smoker / #

root@smoker / # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@smoker / #

This is from the second rig:

swifty ~ # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         smoker          0.0.0.0         UG    0      0        0 eth0
swifty ~ #

No iptables on this one. I don't know what I did but it all works. I guess even I get lucky sometimes. :-O

Dale

:-)  :-)  :-)

-- 
www.myspace.com/dalek1967
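As an added example (not from the thread or either poster), a small Python audit of the forwarding setups discussed above: it parses `iptables -S` style output and reports the two things worth noticing in this exchange, a FORWARD chain at policy ACCEPT with no rules (Dale's box, which forwards everything between eth0 and ppp0 once ip_forward is 1) and a rule that accepts NEW connections arriving on the WAN interface (Hans-Werner's third rule). The sample rulesets are constructed from the listing and commands quoted in the thread; `-S` is assumed because it prints rules in the same form as the commands themselves.

```python
"""Audit the FORWARD chain of a NAT router from `iptables -S` output."""
import shlex

def parse_iptables_s(text):
    """Return ({chain: policy}, [(chain, rule_tokens), ...]) from `iptables -S` lines."""
    policies, rules = {}, []
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) >= 3 and tok[0] == "-P":
            policies[tok[1]] = tok[2]
        elif len(tok) >= 2 and tok[0] == "-A":
            rules.append((tok[1], tok[2:]))
    return policies, rules

def _opt(tokens, flag):
    """Value that follows `flag` in a rule, or None if the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def forward_findings(text, wan_if, ip_forward=1):
    """List what the FORWARD chain lets through between LAN and WAN."""
    policies, rules = parse_iptables_s(text)
    fwd = [r for chain, r in rules if chain == "FORWARD"]
    findings = []
    if ip_forward != 1:
        return findings  # kernel is not routing, so nothing is forwarded at all
    if policies.get("FORWARD") == "ACCEPT":
        findings.append("FORWARD policy ACCEPT with no rules: every packet between interfaces is forwarded"
                        if not fwd else "FORWARD policy ACCEPT: anything no rule matches is still forwarded")
    for r in fwd:
        states = (_opt(r, "--state") or _opt(r, "--ctstate") or "").split(",")
        if _opt(r, "-i") == wan_if and _opt(r, "-j") == "ACCEPT" and "NEW" in states:
            findings.append(f"rule accepts NEW connections arriving on {wan_if}: "
                            "inbound sessions from the WAN are forwarded to the LAN")
    return findings

# Constructed from Dale's `iptables -L` listing: default policies, no rules at all.
SMOKER = "-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT\n"

# Constructed from the three commands Hans-Werner quotes (filter table only; NAT omitted).
HWH = SMOKER + (
    "-A FORWARD -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT\n"
    "-A FORWARD -i ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT\n"
)
# The same setup with FORWARD closed by default and the WAN side limited to replies.
HARDENED = (
    "-P FORWARD DROP\n"
    "-A FORWARD -i eth0 -o ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT\n"
    "-A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT\n"
)
```

Run `forward_findings(HWH, "ppp0")` against the real output of `iptables -S` on the router to see the same checks applied to a live ruleset.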