* [gentoo-user] Setting up a home router
From: Daniel Pielmeier @ 2007-01-14 19:27 UTC
To: gentoo-user
Hi,
I have a similar problem to Dale's in the thread "[gentoo-user] Need
help networking two machines", but I think it is not exactly the same.
I was trying to set up a home router following the
gentoo-home-router-guide
http://www.gentoo.org/doc/de/home-router-howto.xml
with shorewall as firewall following the two-interfaces-guide
http://www.shorewall.net/two-interface.htm.
I can connect from the router to the internet.
I can log in from the router to the desktop via ssh and back.
I have set up rsync on the router and rsync works from the desktop.
I have set up dnsmasq on the server and dns is working on the desktop.
I can ping between router and desktop and from the router to the internet.
I have set up ntp on the router, but ntp from the desktop gives me:
14 Jan 20:25:53 ntpdate[31522]: no server suitable for synchronization found
I can't ping from the desktop to the internet.
ping www.gentoo.org
PING www.gentoo.org (38.99.64.202) 56(84) bytes of data.
--- www.gentoo.org ping statistics ---
13 packets transmitted, 0 received, 100% packet loss, time 11999ms
As you can see the address is resolved, but I get 100% packet loss.
Until now I have spent much time on these issues, so I hope to solve
them with your help.
I have added the configurations which may help you to discover my
problem below. First the router configuration and then the desktop
configuration.
I hope I did not forget anything, as there is a lot of it, but if anything
you need is missing please ask for it.
Thanks, Daniel
> router: gentoo-vdr configuration
lspci
eth0
02:01.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8169
Gigabit Ethernet (rev 10)
eth1
02:06.0 Ethernet controller: Realtek Semiconductor Co., Ltd.
RTL-8139/8139C/8139C+ (rev 10)
ifconfig
eth0 Link encap:Ethernet HWaddr 00:11:F0:00:0D:96
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:198008 errors:0 dropped:0 overruns:0 frame:0
TX packets:194409 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:50101373 (47.7 Mb) TX bytes:129993047 (123.9 Mb)
Interrupt:18 Base address:0xc000
eth1 Link encap:Ethernet HWaddr 00:10:DC:2B:D4:CF
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:77637 errors:0 dropped:0 overruns:0 frame:0
TX packets:63189 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:93609244 (89.2 Mb) TX bytes:7282392 (6.9 Mb)
Interrupt:19
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1236 errors:0 dropped:0 overruns:0 frame:0
TX packets:1236 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:86198 (84.1 Kb) TX bytes:86198 (84.1 Kb)
ppp0 Link encap:Point-to-Point Protocol
inet addr:88.67.24.46 P-t-P:88.67.16.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:163 errors:0 dropped:0 overruns:0 frame:0
TX packets:118 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:12249 (11.9 Kb) TX bytes:8557 (8.3 Kb)
route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
dslb-088-067-01 * 255.255.255.255 UH 0 0 0 ppp0
localhost * 255.255.255.0 U 0 0 0 eth0
loopback * 255.0.0.0 U 0 0 0 lo
default dslb-088-067-01 0.0.0.0 UG 0 0 0 ppp0
shorewall-config
/etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net ppp0 - tcpflags,norfc1918
loc eth0 detect tcpflags,detectnets
/etc/shorewall/masq
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
ppp0 eth0
/etc/shorewall/policy
#SOURCE DEST POLICY LOG LIMIT:BURST
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# on your firewall, change the loc to net policy to REJECT info.
loc net ACCEPT
loc $FW REJECT info
loc all REJECT info
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.
$FW net ACCEPT
$FW loc REJECT info
$FW all REJECT info
# Policies for traffic originating from the Internet zone (net)
#
net $FW DROP info
net loc DROP info
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
/etc/shorewall/rules
#ACTION  SOURCE  DEST  PROTO  DEST   SOURCE   ORIGINAL  RATE   USER/
#                             PORT   PORT(S)  DEST      LIMIT  GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
ACCEPT loc $FW tcp 22
ACCEPT $FW loc tcp 22
ACCEPT loc $FW udp 123
REJECT net $FW icmp 8
/etc/shorewall/zones
#ZONE  TYPE      OPTIONS  IN       OUT
#                         OPTIONS  OPTIONS
fw firewall
net ipsec
loc ipsec
/etc/shorewall/shorewall.conf
I have changed these from the default values:
IP_FORWARDING=On
CLAMPMSS=Yes
/etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.ip_dynaddr = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
/etc/conf.d/net
config_eth1="adsl"
user_eth1="xxxxxxxxxx"
dns_domain_eth1=(linux )
config_eth0=( "192.168.0.1 broadcast 192.168.0.255 netmask 255.255.255.0" )
dns_domain_eth0=(linux )
/etc/conf.d/hostname
HOSTNAME="gentoo-vdr"
/etc/hosts
127.0.0.1 localhost
192.168.0.1 gentoo-vdr.linux gentoo-vdr
192.168.0.2 gentoo.linux gentoo
::1 localhost
> desktop: gentoo configuration
lspci
eth0
02:01.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8169
Gigabit Ethernet (rev 10)
ifconfig
eth0 Link encap:Ethernet HWaddr 00:13:8F:D5:C4:C0
inet addr:192.168.0.2 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::213:8fff:fed5:c4c0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:194469 errors:0 dropped:0 overruns:0 frame:0
TX packets:198256 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:129998303 (123.9 Mb) TX bytes:50122357 (47.8 Mb)
Interrupt:17 Base address:0xc000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:129 errors:0 dropped:0 overruns:0 frame:0
TX packets:129 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:9816 (9.5 Kb) TX bytes:9816 (9.5 Kb)
route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 * 255.255.255.0 U 0 0 0 eth0
loopback * 255.0.0.0 U 0 0 0 lo
default gentoo-vdr.linu 0.0.0.0 UG 0 0 0 eth0
/etc/conf.d/net
config_eth0=( "192.168.0.2 broadcast 192.168.0.255 netmask 255.255.255.0" )
routes_eth0=("default via 192.168.0.1")
dns_domain_eth0=(linux )
dns_servers_eth0="192.168.0.1"
ntp_servers_eth0="192.168.0.1"
/etc/hosts
127.0.0.1 localhost
192.168.0.2 gentoo.linux gentoo
192.168.0.1 gentoo-vdr.linux gentoo-vdr
::1 localhost
/etc/conf.d/hostname
HOSTNAME="gentoo"
/etc/conf.d/ntp-client
NTPCLIENT_CMD="ntpdate"
NTPCLIENT_OPTS="192.168.0.1"
> For those who are not familiar with shorewall, here are the generated iptables rules on the router.
iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
ppp0_masq all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain ppp0_masq (1 references)
target prot opt source destination
MASQUERADE all -- localhost/24 anywhere policy match dir out pol none
iptables -L -t mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
tcpre all -- anywhere anywhere
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
tcfor all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
tcout all -- anywhere anywhere
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
tcpost all -- anywhere anywhere
Chain tcfor (1 references)
target prot opt source destination
Chain tcout (1 references)
target prot opt source destination
Chain tcpost (1 references)
target prot opt source destination
Chain tcpre (1 references)
target prot opt source destination
iptables -L -t filter
Chain INPUT (policy ACCEPT)
target prot opt source destination
LOG udp -- anywhere anywhere udp dpts:0:1023 LOG level warning
LOG tcp -- anywhere anywhere tcp dpts:0:1023 LOG level warning
DROP udp -- anywhere anywhere udp dpts:0:1023
DROP tcp -- anywhere anywhere tcp dpts:0:1023
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
DROP icmp -- anywhere anywhere icmp echo-request
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain Drop (3 references)
target prot opt source destination
reject tcp -- anywhere anywhere tcp dpt:auth
dropBcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
dropInvalid all -- anywhere anywhere
DROP udp -- anywhere anywhere multiport dports epmap,microsoft-ds
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
DROP udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535
DROP tcp -- anywhere anywhere multiport dports epmap,netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere udp dpt:1900
dropNotSyn tcp -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:domain
Chain Reject (5 references)
target prot opt source destination
reject tcp -- anywhere anywhere tcp dpt:auth
dropBcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
dropInvalid all -- anywhere anywhere
reject udp -- anywhere anywhere multiport dports epmap,microsoft-ds
reject udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
reject udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535
reject tcp -- anywhere anywhere multiport dports epmap,netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere udp dpt:1900
dropNotSyn tcp -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:domain
Chain all2all (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:all2all:REJECT:'
reject all -- anywhere anywhere
Chain dropBcast (2 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
DROP all -- anywhere anywhere PKTTYPE = multicast
Chain dropInvalid (2 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
Chain dropNotSyn (2 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
Chain dynamic (4 references)
target prot opt source destination
Chain eth0_fwd (0 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
tcpflags tcp -- anywhere anywhere policy match dir in pol none
loc_frwd all -- localhost/24 anywhere policy match dir in pol ipsec
Chain eth0_in (0 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
tcpflags tcp -- anywhere anywhere policy match dir in pol none
loc2fw all -- localhost/24 anywhere policy match dir in pol ipsec
Chain fw2all (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:fw2all:REJECT:'
reject all -- anywhere anywhere
Chain fw2loc (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:fw2loc:REJECT:'
reject all -- anywhere anywhere
Chain fw2net (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Chain loc2all (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:loc2all:REJECT:'
reject all -- anywhere anywhere
Chain loc2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:ntp
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:loc2fw:REJECT:'
reject all -- anywhere anywhere
Chain loc2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Chain loc_frwd (1 references)
target prot opt source destination
loc2net all -- anywhere anywhere policy match dir out pol ipsec
Chain logflags (5 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level info ip-options prefix `Shorewall:logflags:DROP:'
DROP all -- anywhere anywhere
Chain net2all (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:net2all:DROP:'
DROP all -- anywhere anywhere
Chain net2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
reject icmp -- anywhere anywhere icmp echo-request
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:net2fw:DROP:'
DROP all -- anywhere anywhere
Chain net2loc (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:net2loc:DROP:'
DROP all -- anywhere anywhere
Chain net_frwd (1 references)
target prot opt source destination
net2loc all -- anywhere localhost/24 policy match dir out pol ipsec
Chain norfc1918 (2 references)
target prot opt source destination
rfc1918 all -- localhost/12 anywhere
rfc1918 all -- anywhere anywhere ctorigdst localhost/12
rfc1918 all -- localhost/16 anywhere
rfc1918 all -- anywhere anywhere ctorigdst localhost/16
rfc1918 all -- localhost/8 anywhere
rfc1918 all -- anywhere anywhere ctorigdst localhost/8
Chain ppp0_fwd (0 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
norfc1918 all -- anywhere anywhere state NEW policy match dir in pol none
tcpflags tcp -- anywhere anywhere policy match dir in pol none
net_frwd all -- anywhere anywhere policy match dir in pol ipsec
Chain ppp0_in (0 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
norfc1918 all -- anywhere anywhere state NEW policy match dir in pol none
tcpflags tcp -- anywhere anywhere policy match dir in pol none
net2fw all -- anywhere anywhere policy match dir in pol ipsec
Chain reject (12 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
DROP all -- anywhere anywhere PKTTYPE = multicast
DROP all -- localhost anywhere
DROP all -- 255.255.255.255 anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT icmp -- anywhere anywhere reject-with icmp-host-unreachable
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain rfc1918 (6 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:rfc1918:DROP:'
DROP all -- anywhere anywhere
Chain shorewall (0 references)
target prot opt source destination
Chain smurfs (0 references)
target prot opt source destination
LOG all -- localhost anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- localhost anywhere
LOG all -- 255.255.255.255 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- 255.255.255.255 anywhere
LOG all -- BASE-ADDRESS.MCAST.NET/4 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
Chain tcpflags (4 references)
target prot opt source destination
logflags tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
logflags tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
logflags tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
logflags tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
logflags tcp -- anywhere anywhere tcp spt:0 flags:FIN,SYN,RST,ACK/SYN
--
gentoo-user@gentoo.org mailing list
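The dump above is long enough that some of its properties are easy to miss: the FORWARD chain has policy DROP and no rules under it, several Shorewall zone chains show 0 references, and the jumps into loc_frwd and loc2net are conditioned on "policy match ... pol ipsec". The following is an added example, not part of the original post, that audits `iptables -L` output for exactly those three conditions; the input is a constructed excerpt shaped like the posted dump, not the dump itself.

```shell
#!/bin/sh
# Added example: audit "iptables -L" text for chains that can never pass
# traffic. Feed it real output with:  iptables -L -t filter | audit_chains
# SAMPLE is a constructed excerpt modelled on the dump in the thread.
SAMPLE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere            icmp echo-request
Chain FORWARD (policy DROP)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain eth0_fwd (0 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
loc_frwd   all  --  localhost/24         anywhere            policy match dir in pol ipsec
Chain loc2net (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
Chain loc_frwd (1 references)
target     prot opt source               destination
loc2net    all  --  anywhere             anywhere            policy match dir out pol ipsec'

# Reads "iptables -L" output on stdin and prints one finding per line:
#   EMPTY-DROP <chain>         policy DROP and no rules: everything dies here
#   UNREFERENCED <chain>       user chain nothing jumps to: never evaluated
#   IPSEC-GATED <chain> -> <target>  jump taken only for IPsec-policy packets,
#                              so plain (non-IPsec) LAN traffic never follows it
audit_chains() {
    awk '
        function report() {
            if (hdr ~ /policy DROP/ && rules == 0) print "EMPTY-DROP " chain
            if (hdr ~ /\(0 references\)/)         print "UNREFERENCED " chain
        }
        /^Chain /   { if (chain != "") report(); chain = $2; hdr = $0; rules = 0; next }
        /^target /  { next }      # column header line
        NF == 0     { next }      # blank separator
        /pol ipsec/ { print "IPSEC-GATED " chain " -> " $1 }
        { rules++ }
        END { if (chain != "") report() }
    '
}

# Run the audit over the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE" | audit_chains
}

audit_sample
```

On the constructed sample this reports FORWARD as EMPTY-DROP, eth0_fwd as UNREFERENCED, and the eth0_fwd -> loc_frwd and loc_frwd -> loc2net jumps as IPSEC-GATED, the same pattern the full dump shows.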
* Re: [gentoo-user] Setting up a home router
From: Dale @ 2007-01-14 22:45 UTC
To: gentoo-user
Daniel Pielmeier wrote:
> Hi,
>
> I have a similar problem to Dale's in the thread "[gentoo-user] Need
> help networking two machines", but I think it is not exactly the same.
>
> I was trying to set up a home router following the
> gentoo-home-router-guide
> http://www.gentoo.org/doc/de/home-router-howto.xml
> with shorewall as firewall following the two-interfaces-guide
> http://www.shorewall.net/two-interface.htm.
>
> I can connect from the router to the internet.
> I can log in from the router to the desktop via ssh and back.
> I have set up rsync on the router and rsync works from the desktop.
> I have set up dnsmasq on the server and dns is working on the desktop.
> I can ping between router and desktop and from the router to the internet.
>
> I have set up ntp on the router, but ntp from the desktop gives me:
> 14 Jan 20:25:53 ntpdate[31522]: no server suitable for synchronization found
>
> I can't ping from the desktop to the internet.
> ping www.gentoo.org
> PING www.gentoo.org (38.99.64.202) 56(84) bytes of data.
>
> --- www.gentoo.org ping statistics ---
> 13 packets transmitted, 0 received, 100% packet loss, time 11999ms
>
> As you can see the address is resolved, but I get 100% packet loss.
> Until now I have spent much time on these issues, so I hope to solve
> them with your help.
> I have added the configurations which may help you to discover my
> problem below. First the router configuration and then the desktop
> configuration.
> I hope I did not forget anything, as there is a lot of it, but if anything
> you need is missing please ask for it.
>
> Thanks, Daniel
>
>
Hi,
I used this script a long time ago. It worked until iptables got
changed. It still worked but it gave a few errors. Maybe some guru can
look at this and update it for us both. Then maybe I can get someone to
upgrade the script on the site. I had to edit the very first bit about
which interface is what. Here it is:
> #!/bin/bash
> IPTABLES='/sbin/iptables'
> # Set interface values
> EXTIF='ppp0'
> #INTIF0='eth0'
> INTIF1='eth0'
> INTIF2='eth1'
> INTIF3='eth2'
>
> # enable ip forwarding in the kernel
> /bin/echo 1 > /proc/sys/net/ipv4/ip_forward
> # flush rules and delete chains
> $IPTABLES -F
> $IPTABLES -X
> # enable masquerading to allow LAN internet access
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
> # forward LAN traffic from $INTIF1 to Internet interface $EXTIF
> $IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT
> # forward LAN traffic from $INTIF2 to Internet interface $EXTIF (disabled)
> #$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT
> #echo -e " - Allowing access to the SSH server"
> $IPTABLES -A INPUT --protocol ssh --dport 22 -j ACCEPT
> #echo -e " - Allowing access to the HTTP server"
> $IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT
> # block out all other Internet access on $EXTIF
> $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
> $IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP
>
OK. Now some guru help us out here. LOL I got to redo my install on
my second machine. I rebooted it and it is in awful shape. I think
something is wrong with an init script. It boots the kernel but errors
out trying to enter a run level. Portage can't complete a compile
either. It complains about the date not being set, but it is. I need
to get the rust out anyway on installing. Yup, the old command line
way. I boot gentoo nox. LOL I have to use the 2005.1 install guide
though. :-(
Supper time.
Dale
:-) :-) :-) :-)
--
www.myspace.com/dalek1967
* Re: [gentoo-user] Setting up a home router
From: Daniel Pielmeier @ 2007-01-15 0:28 UTC
From: Daniel Pielmeier @ 2007-01-15 0:28 UTC (permalink / raw
To: gentoo-user
> I used this script a long time ago. It worked until iptables got
> changed. It still worked but it gave a few errors. Maybe some guru can
> look at this and update it for us both. Then maybe I can get someone to
> upgrade the script on the site. I had to edit the very first bit about
> which interface is what. Here it is:
I have tested your script! Do you get an error like this:
iptables v1.3.5: unknown protocol `ssh' specified
I am not sure if it is right, but I have replaced this line
$IPTABLES -A INPUT --protocol ssh --dport 22 -j ACCEPT
by
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT
and the error disappears.
For me, using these iptables rules didn't work; I still can't ping the
internet from my desktop and also get the error message from the
ntp-client on my desktop.
Any other suggestions?
Here is how I changed the script to fit my needs!
#!/bin/bash
IPTABLES='/sbin/iptables'
# Set interface values
EXTIF='ppp0'
#INTIF0='eth0'
INTIF1='eth0'
INTIF2='eth1'
# enable ip forwarding in the kernel
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
# flush rules and delete chains
$IPTABLES -F
$IPTABLES -X
# enable masquerading to allow LAN internet access
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# forward LAN traffic from $INTIF1 to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT
# forward LAN traffic from $INTIF2 to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT
#echo -e " - Allowing access to the SSH server"
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT
#echo -e " - Allowing access to the HTTP server"
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT
# block out all other Internet access on $EXTIF
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP
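The scripts exchanged above accept SSH and HTTP on the router from any interface, leave the FORWARD policy at its default, and rely on a trailing DROP for NEW,INVALID to keep the uplink closed. As an added example (not the script from the thread or from the Gentoo guide), the ruleset below builds the same two-interface NAT setup with default-deny INPUT and FORWARD policies and with the router's own services reachable from the LAN side only. eth0, ppp0 and 192.168.0.0/24 come from the posted configuration; the offered services (SSH, DNS, NTP), the TCPMSS clamp and the log prefixes are assumptions.

```shell
#!/bin/sh
# Added example: stateful NAT ruleset for a LAN on $INTIF behind a PPPoE
# uplink on $EXTIF. Interface names and the LAN subnet are taken from the
# configuration posted in the thread; the services offered are assumed.
# Run as "./router.sh show" (print), "check" (self-test) or "apply" (root).
EXTIF="${EXTIF:-ppp0}"
INTIF="${INTIF:-eth0}"
LAN="${LAN:-192.168.0.0/24}"
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Emit the ruleset, one iptables argument list per line, without executing
# it, so it can be read and checked without root and without touching the
# kernel. Order matters: INPUT/FORWARD default to DROP, so only the
# explicit ACCEPT lines let traffic through.
gen_rules() {
    cat <<EOF
-t nat -F
-F
-X
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $INTIF -s $LAN -p tcp --dport 22 -j ACCEPT
-A INPUT -i $INTIF -s $LAN -p udp --dport 53 -j ACCEPT
-A INPUT -i $INTIF -s $LAN -p tcp --dport 53 -j ACCEPT
-A INPUT -i $INTIF -s $LAN -p udp --dport 123 -j ACCEPT
-A INPUT -i $INTIF -s $LAN -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i $EXTIF -m limit --limit 5/min -j LOG --log-prefix router:INPUT:DROP:
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -o $EXTIF -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i $INTIF -o $EXTIF -s $LAN -j ACCEPT
-A FORWARD -i $EXTIF -o $INTIF -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $EXTIF -m limit --limit 5/min -j LOG --log-prefix router:FORWARD:DROP:
-t nat -A POSTROUTING -s $LAN -o $EXTIF -j MASQUERADE
EOF
}

# Load the ruleset into the kernel (needs root). The unquoted $args is
# intentional: each line is a ready-made argument list for iptables.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    gen_rules | while IFS= read -r args; do
        # shellcheck disable=SC2086
        $IPTABLES $args
    done
}

# Self-check usable without root: every ACCEPT into the router itself must
# be bound to lo or $INTIF. The stateful return-traffic rule is the only
# permitted exception, so nothing listening on the router is reachable
# from $EXTIF by a new connection.
lan_only_input() {
    gen_rules | awk -v intif="$INTIF" '
        /^-A INPUT / && /-j ACCEPT$/ && !/--state RELATED,ESTABLISHED/ {
            if (index($0, "-i " intif " ") == 0 && index($0, "-i lo ") == 0) bad = 1
        }
        END { exit bad + 0 }'
}

case "${1:-show}" in
    apply) apply_rules ;;
    check) lan_only_input && echo "ok: no router service reachable from $EXTIF" ;;
    *)     gen_rules ;;
esac
```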
* Re: [gentoo-user] Setting up a home router
From: Thomas Lingefelt @ 2007-01-15 0:57 UTC
To: gentoo-user
Honestly for making a router ShoreWall really helps out. Shorewall is
basically a set of scripts that read configuration files that you set up
and then interacts with iptables for you.
http://www.shorewall.net/
http://www.shorewall.net/shorewall_quickstart_guide.htm
Thomas
* Re: [gentoo-user] Setting up a home router
From: Dale @ 2007-01-15 0:58 UTC
To: gentoo-user
Daniel Pielmeier wrote:
>> I used this script a long time ago. It worked until iptables got
>> changed. It still worked but it gave a few errors. Maybe some guru can
>> look at this and update it for us both. Then maybe I can get someone to
>> upgrade the script on the site. I had to edit the very first bit about
>> which interface is what. Here it is:
>
> I have tested your script! Do you get an error like this:
> iptables v1.3.5: unknown protocol `ssh' specified
>
> I am not sure if it is right, but I have replaced this line
>
> $IPTABLES -A INPUT --protocol ssh --dport 22 -j ACCEPT
> by
> $IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT
>
> and the error disappears.
>
> For me, using these iptables rules didn't work; I still can't ping the
> internet from my desktop and also get the error message from the
> ntp-client on my desktop.
>
> Any other suggestions?
>
>
>
>
> Here is how I changed the script to fit my needs!
>
> #!/bin/bash
>
> IPTABLES='/sbin/iptables'
>
> # Set interface values
> EXTIF='ppp0'
> #INTIF0='eth0'
> INTIF1='eth0'
> INTIF2='eth1'
>
> # enable ip forwarding in the kernel
> /bin/echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # flush rules and delete chains
> $IPTABLES -F
> $IPTABLES -X
>
> # enable masquerading to allow LAN internet access
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
>
> # forward LAN traffic from $INTIF1 to Internet interface $EXTIF
> $IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT
>
> # forward LAN traffic from $INTIF2 to Internet interface $EXTIF
> $IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT
>
> #echo -e " - Allowing access to the SSH server"
> $IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT
>
> #echo -e " - Allowing access to the HTTP server"
> $IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT
>
> # block out all other Internet access on $EXTIF
> $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
> $IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP
Are you on dial-up too? The EXTIF='ppp0' may need to be eth0 for you if
you are using a DSL or cable connection.
I'm not real sure about any of this stuff really. I need to get a book
on iptables and a whole lot of other things too. Because of my health I
can't sit at the puter long enough to learn anything. I can read a book
in bed then.
I'll see if I can think of something else. Maybe some guru can help us
both out. I need that to work too. hmm, come to think of it, I have a
thread on the forums. Try this:
http://forums.gentoo.org/viewtopic-t-249167-highlight-iptables.html
That may help. I tend to ramble a bit. Sorry.
Dale
:-) :-) :-)
--
www.myspace.com/dalek1967
* Re: [gentoo-user] Setting up a home router
From: Dale @ 2007-01-15 1:25 UTC
To: gentoo-user
Thomas Lingefelt wrote:
> Honestly for making a router ShoreWall really helps out. Shorewall is
> basically a set of scripts that read configuration files that you set up
> and then interacts with iptables for you.
>
> http://www.shorewall.net/
> http://www.shorewall.net/shorewall_quickstart_guide.htm
>
> Thomas
>
If you have webmin installed, webmin can take care of some of this, both
iptables and shorewall. It's GUI too. ;-) Maybe you know enough about
it to figure out how to get webmin to do it. Webmin is pretty cool. I used
it to set up Samba once.
Dale
:-) :-) :-) :-)
--
www.myspace.com/dalek1967
* Re: [gentoo-user] Setting up a home router
From: Daniel Pielmeier @ 2007-01-15 1:33 UTC
To: gentoo-user
> Are you on dial-up too? The EXTIF='ppp0' may need to be eth0 for you if
> you are using a DSL or cable connection.
I use an adsl-modem to connect to the internet. It is configured over
eth1, but the connection runs over ppp0, so I think this is right, but I
am not sure.
* Re: [gentoo-user] Setting up a home router
From: Dale @ 2007-01-15 1:52 UTC
To: gentoo-user
Daniel Pielmeier wrote:
>> Are you on dial-up too? The EXTIF='ppp0' may need to be eth0 for you if
>> you are using a DSL or cable connection.
>
> I use an adsl-modem to connect to the internet. It is configured over
> eth1, but the connection runs over ppp0, so I think this is right, but I
> am not sure.
Hmmm, me either. I'm not sure about what it would be called. Do you
have gkrellm installed? Sometimes I use it to see where the traffic
is. That is how I knew it was iptables in my other thread. The data
was getting there because gkrellm was seeing it but my system was not.
No clue how one can see it and the other can't though.
Dale
:-) :-) :-)
--
www.myspace.com/dalek1967
* Re: [gentoo-user] Setting up a home router
From: Daniel Pielmeier @ 2007-01-15 8:25 UTC
To: gentoo-user
> Hmmm, me either. I'm not sure about what it would be called. Do you
> have gkrellm installed? Sometimes I use it to see where the traffic
> is. That is how I knew it was iptables in my other thread. The data
> was getting there because gkrellm was seeing it but my system was not.
> No clue how one can see it and the other can't though.
No, I did not use gkrellm; I am just setting up the new desktop machine,
no X until now. I want to do the basics first!
* RE: [gentoo-user] Setting up a home router
From: Nelson, David (ED, PAR&D) @ 2007-01-15 8:38 UTC
To: gentoo-user
> -----Original Message-----
> From: Daniel Pielmeier [mailto:daniel.pielmeier@googlemail.com]
> Sent: 14 January 2007 19:27
> To: gentoo-user@lists.gentoo.org
> Subject: [gentoo-user] Setting up a home router
>
> I can't ping from the desktop to the internet.
> ping www.gentoo.org
> PING www.gentoo.org (38.99.64.202) 56(84) bytes of data.
>
> --- www.gentoo.org ping statistics ---
> 13 packets transmitted, 0 received, 100% packet loss, time 11999ms
>
I would check that you have done:
echo 1 > /proc/sys/net/ipv4/ip_forward
Also make sure ICMP isn't blocked anywhere.
David
Note: These views are my own, advice is provided with no guarantee of success. I do not represent anyone else in any emails I send to this list.
* Re: [gentoo-user] Setting up a home router
2007-01-15 8:38 ` Nelson, David (ED, PAR&D)
@ 2007-01-15 8:55 ` Daniel Pielmeier
2007-01-15 9:49 ` Daniel Iliev
0 siblings, 1 reply; 55+ messages in thread
From: Daniel Pielmeier @ 2007-01-15 8:55 UTC (permalink / raw
To: gentoo-user
> I would check that you have done:
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
I think this is set, but I will check again.
> Also make sure ICMP isn't blocked anywhere.
I have only blocked ping from the internet to the firewall and nowhere else.
* Re: [gentoo-user] Setting up a home router
2007-01-15 8:55 ` Daniel Pielmeier
@ 2007-01-15 9:49 ` Daniel Iliev
2007-01-15 9:57 ` Daniel Pielmeier
2007-01-15 18:17 ` Daniel Pielmeier
0 siblings, 2 replies; 55+ messages in thread
From: Daniel Iliev @ 2007-01-15 9:49 UTC (permalink / raw
To: gentoo-user
Daniel Pielmeier wrote:
>> I would check that you have done:
>>
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> I think this is set, but i will check again.
>
>> Also make sure ICMP isn't blocked anywhere.
>
> I have only blocked ping from the internet to the firewall and nowhere
> else.
Send the output from "iptables-save", please. Otherwise we could only
guess if the problem is with your firewall rules or somewhere else.
--
Best regards,
Daniel
* Re: [gentoo-user] Setting up a home router
2007-01-15 9:49 ` Daniel Iliev
@ 2007-01-15 9:57 ` Daniel Pielmeier
2007-01-15 18:17 ` Daniel Pielmeier
1 sibling, 0 replies; 55+ messages in thread
From: Daniel Pielmeier @ 2007-01-15 9:57 UTC (permalink / raw
To: gentoo-user
> Send the output from "iptables-save", please. Otherwise we could only
> guess if the problem is with your firewall rules or somewhere else.
Ok, I will do that when I am back home. I thought the output from
"iptables -L" in my original post was enough.
* Re: [gentoo-user] Setting up a home router
2007-01-14 19:27 [gentoo-user] Setting up a home router Daniel Pielmeier
2007-01-14 22:45 ` Dale
2007-01-15 8:38 ` Nelson, David (ED, PAR&D)
@ 2007-01-15 10:26 ` Hans-Werner Hilse
2007-01-15 10:45 ` Daniel Pielmeier
2 siblings, 1 reply; 55+ messages in thread
From: Hans-Werner Hilse @ 2007-01-15 10:26 UTC (permalink / raw
To: gentoo-user
Hi,
On Sun, 14 Jan 2007 20:27:11 +0100 "Daniel Pielmeier"
<daniel.pielmeier@googlemail.com> wrote:
> I can connect from the router to the internet.
> I can log in from the router to the desktop per ssh and back.
> I have set up an rsync on the router and rsync works from the desktop.
> I have set up dnsmasq on the server and dns is working on the desktop.
> I can ping between router and desktop and from the router to the
> internet
> [...]
> I can't ping from the desktop to the internet.
OK, so forwarding is broken.
> route
>
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> dslb-088-067-01 * 255.255.255.255 UH 0 0 0 ppp0
> localhost * 255.255.255.0 U 0 0 0 eth0
> loopback * 255.0.0.0 U 0 0 0 lo
> default dslb-088-067-01 0.0.0.0 UG 0 0 0 ppp0
Looking at this, I wouldn't even expect it to work at all, since the
only route via eth0 is for "localhost". But since you can connect
between router and desktop, I think you borked your /etc/hosts.
"localhost" clearly doesn't seem to be assigned to 127.0.0.1. So fix
your hostnames!
This here:
> /etc/hosts
>
> 127.0.0.1 localhost
> 192.168.0.1 gentoo-vdr.linux gentoo-vdr
> 192.168.0.2 gentoo.linux gentoo
> ::1 localhost
just can't be true if the routes above are the complete routes and you
can connect to your desktop from the router.
Another option than /etc/hosts may be a seriously broken dnsmasq config.
> > For those who are not familiar with shorewall here are the
> > generated iptables on the router.
>
> iptables -L -t filter
>
> Chain FORWARD (policy DROP)
> target prot opt source destination
Empty FORWARD chain and policy DROP means everything not going to the
router itself is gonna be dropped.
Note that you made yourself a hard time since there's DROP and REJECT
(built-in targets) and you also reference "Drop", "drop", "Reject" and
"reject" targets. I never used shorewall, but if that naming is from
them, they are clearly freaks.
-hwh
* Re: [gentoo-user] Setting up a home router
2007-01-15 10:26 ` Hans-Werner Hilse
@ 2007-01-15 10:45 ` Daniel Pielmeier
2007-01-15 11:04 ` Hans-Werner Hilse
0 siblings, 1 reply; 55+ messages in thread
From: Daniel Pielmeier @ 2007-01-15 10:45 UTC (permalink / raw
To: gentoo-user
> > route
> >
> > Kernel IP routing table
> > Destination Gateway Genmask Flags Metric Ref Use Iface
> > dslb-088-067-01 * 255.255.255.255 UH 0 0 0 ppp0
> > localhost * 255.255.255.0 U 0 0 0 eth0
> > loopback * 255.0.0.0 U 0 0 0 lo
> > default dslb-088-067-01 0.0.0.0 UG 0 0 0 ppp0
>
> Looking at this, I wouldn't even expect it to work at all, since the
> only route via eth0 is for "localhost". But since you can connect
> between router and desktop, I think you borked your /etc/hosts.
> "localhost" clearly doesn't seem to be assigned to 127.0.0.1. So fix
> your hostnames!
>
>
> This here:
>
> > /etc/hosts
> >
> > 127.0.0.1 localhost
> > 192.168.0.1 gentoo-vdr.linux gentoo-vdr
> > 192.168.0.2 gentoo.linux gentoo
> > ::1 localhost
I think localhost is assigned to 127.0.0.1, or did I misunderstand something?
> just can't be true if the routes above are the complete routes and you
> can connect to your desktop from the router.
I can connect from router to desktop and back; ping and ssh are
working. I can connect to the internet from the router, but I couldn't
do this from the desktop.
> Another option than /etc/hosts may be a seriously broken dnsmasq config.
I will post the config when I am back.
> > > For those who are not familiar with shorewall here are the
> > > generated iptables on the router.
> >
> > iptables -L -t filter
> >
> > Chain FORWARD (policy DROP)
> > target prot opt source destination
>
> Empty FORWARD chain and policy DROP means everything not going to the
> router itself is gonna be dropped.
>
> Note that you made yourself a hard time since there's DROP and REJECT
> (built-in targets) and you also reference "Drop", "drop", "Reject" and
> "reject" targets. I never used shorewall, but if that naming is from
> them, they are clearly freaks.
The whole iptables config is generated by shorewall; I recognised these
different namings too.
* Re: [gentoo-user] Setting up a home router
2007-01-15 10:45 ` Daniel Pielmeier
@ 2007-01-15 11:04 ` Hans-Werner Hilse
2007-01-15 11:18 ` Daniel Pielmeier
2007-01-15 18:23 ` Daniel Pielmeier
0 siblings, 2 replies; 55+ messages in thread
From: Hans-Werner Hilse @ 2007-01-15 11:04 UTC (permalink / raw
To: gentoo-user
Hi,
On Mon, 15 Jan 2007 11:45:13 +0100 "Daniel Pielmeier"
<daniel.pielmeier@googlemail.com> wrote:
> > This here:
> >
> > > /etc/hosts
> > >
> > > 127.0.0.1 localhost
> > > 192.168.0.1 gentoo-vdr.linux gentoo-vdr
> > > 192.168.0.2 gentoo.linux gentoo
> > > ::1 localhost
>
> I think localhost is assigned to 127.0.0.1, or did i misunderstood
> something?
No, that's (usually) correct. But in the route excerpt you've cited
above (please post "route -n" next time!) the route for "localhost" was
set to "dev eth0". Also, the subnet was a /24 one, instead of the
usual /8 for localhost. So there's some inconsistency between that file
and the routes. The /etc/hosts you've shown looks good, please post
dnsmasq's config.
> the whole iptables config is generated by shorewall, i recognised this
> different namings too.
Hm, OK, you're sure the tables were empty and Gentoo's iptables save
feature doesn't somehow get in your way? But anyway, the NAT/forwarding
can't work for the reason I mentioned (empty FORWARD chain and DROP
policy).
-hwh
* Re: [gentoo-user] Setting up a home router
2007-01-15 11:04 ` Hans-Werner Hilse
@ 2007-01-15 11:18 ` Daniel Pielmeier
2007-01-15 18:23 ` Daniel Pielmeier
1 sibling, 0 replies; 55+ messages in thread
From: Daniel Pielmeier @ 2007-01-15 11:18 UTC (permalink / raw
To: gentoo-user
> > I think localhost is assigned to 127.0.0.1, or did i misunderstood
> > something?
>
> No, that's (usually) correct. But in the route excerpt you've cited
> above (please post "route -n" next time!) the route for "localhost" was
> set to "dev eth0". Also, the subnet was a /24 one, instead of the
> usual /8 for localhost. So there's some inconsistency between that file
> and the routes. The /etc/hosts you've shown looks good, please post
> dnsmasq's config.
I will do that in the evening.
> > the whole iptables config is generated by shorewall, i recognised this
> > different namings too.
>
> Hm, OK, you're sure the tables were empty and Gentoo's iptables save
> feature doesn't somehow get in your way? But anyway, the NAT/forwarding
> can't work for the reason I mentioned (empty FORWARD chain and DROP
> policy).
Yes, I think they were empty; when I stop shorewall, "iptables -L" just
gives me empty tables. Also, I never used iptables directly.
* Re: [gentoo-user] Setting up a home router
2007-01-15 9:49 ` Daniel Iliev
2007-01-15 9:57 ` Daniel Pielmeier
@ 2007-01-15 18:17 ` Daniel Pielmeier
2007-01-15 23:13 ` Hans-Werner Hilse
1 sibling, 1 reply; 55+ messages in thread
From: Daniel Pielmeier @ 2007-01-15 18:17 UTC (permalink / raw
To: gentoo-user
> Send the output from "iptables-save", please. Otherwise we could only
> guess if the problem is with your firewall rules or somewhere else.
Here we go!
# Generated by iptables-save v1.3.5 on Mon Jan 15 19:09:43 2007
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:tcfor - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING -j tcpre
-A FORWARD -j tcfor
-A OUTPUT -j tcout
-A POSTROUTING -j tcpost
COMMIT
# Completed on Mon Jan 15 19:09:43 2007
# Generated by iptables-save v1.3.5 on Mon Jan 15 19:09:43 2007
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:ppp0_masq - [0:0]
-A POSTROUTING -o ppp0 -j ppp0_masq
-A ppp0_masq -s 192.168.0.0/255.255.255.0 -m policy --dir out --pol none -j MASQUERADE
COMMIT
# Completed on Mon Jan 15 19:09:43 2007
# Generated by iptables-save v1.3.5 on Mon Jan 15 19:09:43 2007
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Drop - [0:0]
:Reject - [0:0]
:all2all - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:eth0_fwd - [0:0]
:eth0_in - [0:0]
:fw2all - [0:0]
:fw2loc - [0:0]
:fw2net - [0:0]
:loc2all - [0:0]
:loc2fw - [0:0]
:loc2net - [0:0]
:loc_frwd - [0:0]
:logflags - [0:0]
:net2all - [0:0]
:net2fw - [0:0]
:net2loc - [0:0]
:net_frwd - [0:0]
:norfc1918 - [0:0]
:ppp0_fwd - [0:0]
:ppp0_in - [0:0]
:reject - [0:0]
:rfc1918 - [0:0]
:shorewall - [0:0]
:smurfs - [0:0]
:tcpflags - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ppp0 -j ppp0_in
-A INPUT -i eth0 -j eth0_in
-A INPUT -j Reject
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6
-A INPUT -j reject
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i ppp0 -j ppp0_fwd
-A FORWARD -i eth0 -j eth0_fwd
-A FORWARD -j Reject
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
-A FORWARD -j reject
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o ppp0 -m policy --dir out --pol ipsec -j fw2net
-A OUTPUT -d 192.168.0.0/255.255.255.0 -o eth0 -m policy --dir out --pol ipsec -j fw2loc
-A OUTPUT -d 255.255.255.255 -o eth0 -j fw2loc
-A OUTPUT -d 224.0.0.0/240.0.0.0 -o eth0 -j fw2loc
-A OUTPUT -j Reject
-A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:REJECT:" --log-level 6
-A OUTPUT -j reject
-A Drop -p tcp -m tcp --dport 113 -j reject
-A Drop -j dropBcast
-A Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A Drop -j dropInvalid
-A Drop -p udp -m multiport --dports 135,445 -j DROP
-A Drop -p udp -m udp --dport 137:139 -j DROP
-A Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A Drop -p udp -m udp --dport 1900 -j DROP
-A Drop -p tcp -j dropNotSyn
-A Drop -p udp -m udp --sport 53 -j DROP
-A Reject -p tcp -m tcp --dport 113 -j reject
-A Reject -j dropBcast
-A Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A Reject -j dropInvalid
-A Reject -p udp -m multiport --dports 135,445 -j reject
-A Reject -p udp -m udp --dport 137:139 -j reject
-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -j reject
-A Reject -p tcp -m multiport --dports 135,139,445 -j reject
-A Reject -p udp -m udp --dport 1900 -j DROP
-A Reject -p tcp -j dropNotSyn
-A Reject -p udp -m udp --sport 53 -j DROP
-A all2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A all2all -j Reject
-A all2all -j LOG --log-prefix "Shorewall:all2all:REJECT:" --log-level 6
-A all2all -j reject
-A dropBcast -m pkttype --pkt-type broadcast -j DROP
-A dropBcast -m pkttype --pkt-type multicast -j DROP
-A dropInvalid -m state --state INVALID -j DROP
-A dropNotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A eth0_fwd -m state --state INVALID,NEW -j dynamic
-A eth0_fwd -p tcp -m policy --dir in --pol none -j tcpflags
-A eth0_fwd -s 192.168.0.0/255.255.255.0 -m policy --dir in --pol ipsec -j loc_frwd
-A eth0_in -m state --state INVALID,NEW -j dynamic
-A eth0_in -p tcp -m policy --dir in --pol none -j tcpflags
-A eth0_in -s 192.168.0.0/255.255.255.0 -m policy --dir in --pol ipsec -j loc2fw
-A fw2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2all -j Reject
-A fw2all -j LOG --log-prefix "Shorewall:fw2all:REJECT:" --log-level 6
-A fw2all -j reject
-A fw2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2loc -p tcp -m tcp --dport 22 -j ACCEPT
-A fw2loc -j Reject
-A fw2loc -j LOG --log-prefix "Shorewall:fw2loc:REJECT:" --log-level 6
-A fw2loc -j reject
-A fw2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2net -j ACCEPT
-A loc2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2all -j Reject
-A loc2all -j LOG --log-prefix "Shorewall:loc2all:REJECT:" --log-level 6
-A loc2all -j reject
-A loc2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 22 -j ACCEPT
-A loc2fw -p udp -m udp --dport 123 -j ACCEPT
-A loc2fw -j Reject
-A loc2fw -j LOG --log-prefix "Shorewall:loc2fw:REJECT:" --log-level 6
-A loc2fw -j reject
-A loc2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2net -j ACCEPT
-A loc_frwd -o ppp0 -m policy --dir out --pol ipsec -j loc2net
-A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level 6 --log-ip-options
-A logflags -j DROP
-A net2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2all -j Drop
-A net2all -j LOG --log-prefix "Shorewall:net2all:DROP:" --log-level 6
-A net2all -j DROP
-A net2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2fw -p icmp -m icmp --icmp-type 8 -j reject
-A net2fw -j Drop
-A net2fw -j LOG --log-prefix "Shorewall:net2fw:DROP:" --log-level 6
-A net2fw -j DROP
-A net2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2loc -j Drop
-A net2loc -j LOG --log-prefix "Shorewall:net2loc:DROP:" --log-level 6
-A net2loc -j DROP
-A net_frwd -d 192.168.0.0/255.255.255.0 -o eth0 -m policy --dir out --pol ipsec -j net2loc
-A norfc1918 -s 172.16.0.0/255.240.0.0 -j rfc1918
-A norfc1918 -m conntrack --ctorigdst 172.16.0.0/12 -j rfc1918
-A norfc1918 -s 192.168.0.0/255.255.0.0 -j rfc1918
-A norfc1918 -m conntrack --ctorigdst 192.168.0.0/16 -j rfc1918
-A norfc1918 -s 10.0.0.0/255.0.0.0 -j rfc1918
-A norfc1918 -m conntrack --ctorigdst 10.0.0.0/8 -j rfc1918
-A ppp0_fwd -m state --state INVALID,NEW -j dynamic
-A ppp0_fwd -m state --state NEW -m policy --dir in --pol none -j norfc1918
-A ppp0_fwd -p tcp -m policy --dir in --pol none -j tcpflags
-A ppp0_fwd -m policy --dir in --pol ipsec -j net_frwd
-A ppp0_in -m state --state INVALID,NEW -j dynamic
-A ppp0_in -m state --state NEW -m policy --dir in --pol none -j norfc1918
-A ppp0_in -p tcp -m policy --dir in --pol none -j tcpflags
-A ppp0_in -m policy --dir in --pol ipsec -j net2fw
-A reject -m pkttype --pkt-type broadcast -j DROP
-A reject -m pkttype --pkt-type multicast -j DROP
-A reject -s 192.168.0.255 -j DROP
-A reject -s 255.255.255.255 -j DROP
-A reject -s 224.0.0.0/240.0.0.0 -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A rfc1918 -j LOG --log-prefix "Shorewall:rfc1918:DROP:" --log-level 6
-A rfc1918 -j DROP
-A smurfs -s 192.168.0.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 192.168.0.255 -j DROP
-A smurfs -s 255.255.255.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 255.255.255.255 -j DROP
-A smurfs -s 224.0.0.0/240.0.0.0 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 224.0.0.0/240.0.0.0 -j DROP
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j logflags
-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -j logflags
COMMIT
# Completed on Mon Jan 15 19:09:43 2007
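To make the posted filter table checkable rather than read by eye, here is an added Python tracer (not code from the thread or from Shorewall). It walks a constructed ICMP packet from the desktop through an excerpt of the dump above, reports the verdict, and lists the rules that were skipped only because they require the IPsec policy match (`-m policy --pol ipsec`). The packet fields, the excerpt and the small match model are assumptions of this example; any iptables option it does not model raises instead of being guessed.

```python
"""Trace a packet through the FORWARD chain of an iptables-save dump (added diagnostic example)."""
import ipaddress
import shlex

# Excerpt of the filter table posted in the thread: the chains a LAN->Internet ICMP packet can
# reach. TCP/UDP-only rules are left out because the traced packet can never match them.
FILTER_DUMP = """
-A FORWARD -i ppp0 -j ppp0_fwd
-A FORWARD -i eth0 -j eth0_fwd
-A FORWARD -j Reject
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
-A FORWARD -j reject
-A eth0_fwd -m state --state INVALID,NEW -j dynamic
-A eth0_fwd -p tcp -m policy --dir in --pol none -j tcpflags
-A eth0_fwd -s 192.168.0.0/255.255.255.0 -m policy --dir in --pol ipsec -j loc_frwd
-A loc_frwd -o ppp0 -m policy --dir out --pol ipsec -j loc2net
-A loc2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2net -j ACCEPT
-A Reject -j dropBcast
-A Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A Reject -j dropInvalid
-A dropBcast -m pkttype --pkt-type broadcast -j DROP
-A dropInvalid -m state --state INVALID -j DROP
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
"""

# Constructed packet: the desktop's ping as the router's FORWARD chain sees it. Plain LAN traffic
# is not IPsec-protected, so the policy match sees "none".
LAN_PING = {"in_iface": "eth0", "out_iface": "ppp0", "src": "192.168.0.2", "dst": "38.99.64.202",
            "proto": "icmp", "icmp_type": "8", "state": "NEW", "ipsec": "none", "pkttype": "unicast"}

# iptables option -> packet field it constrains; option values are comma-separated sets
OPTS = {"-i": "in_iface", "-o": "out_iface", "-p": "proto", "--state": "state", "--pol": "ipsec",
        "--pkt-type": "pkttype", "--icmp-type": "icmp_type"}
SKIP = {"-m", "--dir", "--log-prefix", "--log-level", "--reject-with"}   # take a value, no effect

def parse_rules(dump):
    """Return {chain: [rule, ...]} from the '-A' lines (every option in the excerpt takes one value)."""
    chains = {}
    for line in dump.strip().splitlines():
        tok = shlex.split(line)
        if tok[:1] != ["-A"]:                     # *table, :CHAIN, COMMIT and comment lines
            continue
        rule = {"conds": [], "nets": [], "target": None, "text": line}
        for opt, val in zip(tok[2::2], tok[3::2]):
            if opt == "-j":
                rule["target"] = val
            elif opt in ("-s", "-d"):
                rule["nets"].append((opt, ipaddress.ip_network(val)))
            elif opt in OPTS:
                rule["conds"].append((OPTS[opt], set(val.split(","))))
            elif opt not in SKIP:
                raise ValueError(f"unmodelled option {opt!r} in: {line}")
        chains.setdefault(tok[1], []).append(rule)
    return chains

def matches(rule, pkt):
    """True when every modelled match in the rule holds for the packet."""
    if any(pkt.get(field) not in allowed for field, allowed in rule["conds"]):
        return False
    return all(ipaddress.ip_address(pkt["src" if o == "-s" else "dst"]) in net for o, net in rule["nets"])

def trace(chains, chain, pkt, log, depth=0):
    """Walk `chain`; return ACCEPT/DROP/REJECT, or None when the chain falls through."""
    for rule in chains.get(chain, []):            # chains absent from the dump are empty
        if not matches(rule, pkt):
            continue
        log.append("  " * depth + "+ " + rule["text"])
        if rule["target"] in ("ACCEPT", "DROP", "REJECT"):
            return rule["target"]
        if rule["target"] == "LOG":               # non-terminating: keep walking the chain
            continue
        verdict = trace(chains, rule["target"], pkt, log, depth + 1)
        if verdict:
            return verdict
    return None

def policy_near_misses(chains, pkt):
    """Rules the packet would match if it carried the IPsec policy the rule insists on."""
    hits = []
    for rules in chains.values():
        for rule in rules:
            pol = [a for f, a in rule["conds"] if f == "ipsec"]
            without_pol = dict(rule, conds=[c for c in rule["conds"] if c[0] != "ipsec"])
            if pol and pkt["ipsec"] not in pol[0] and matches(without_pol, pkt):
                hits.append(rule["text"])
    return hits

def diagnose(dump=FILTER_DUMP, pkt=LAN_PING):
    """Return (verdict, trace lines, rules skipped only because of the IPsec policy match)."""
    chains = parse_rules(dump)
    log = []
    return trace(chains, "FORWARD", pkt, log), log, policy_near_misses(chains, pkt)

if __name__ == "__main__":
    verdict, log, misses = diagnose()
    print(verdict, *log, "skipped only for lack of IPsec:", *misses, sep="\n")
```

Run as-is, the trace ends in the `reject` chain for the plain ping, while the same packet marked as IPsec-protected reaches `loc2net` and is accepted; the two near-miss rules are the only path from `eth0_fwd` to `loc2net`.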
* Re: [gentoo-user] Setting up a home router
2007-01-15 11:04 ` Hans-Werner Hilse
2007-01-15 11:18 ` Daniel Pielmeier
@ 2007-01-15 18:23 ` Daniel Pielmeier
2007-01-15 18:42 ` Daniel Pielmeier
2007-01-15 22:55 ` Hans-Werner Hilse
1 sibling, 2 replies; 55+ messages in thread
From: Daniel Pielmeier @ 2007-01-15 18:23 UTC (permalink / raw
To: gentoo-user
> > I think localhost is assigned to 127.0.0.1, or did i misunderstood
> > something?
>
> No, that's (usually) correct. But in the route excerpt you've cited
> above (please post "route -n" next time!) the route for "localhost" was
> set to "dev eth0". Also, the subnet was a /24 one, instead of the
> usual /8 for localhost. So there's some inconsistency between that file
> and the routes. The /etc/hosts you've shown looks good, please post
> dnsmasq's config.
Here are the files you have requested!
route -n on desktop
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth0
route -n on router
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
88.67.16.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 88.67.16.1 0.0.0.0 UG 0 0 0 ppp0
dnsmasq.conf on router
# Configuration file for dnsmasq.
#
# Format is one option per line, legal options are the same
# as the long options legal on the command line. See
# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
# The following two options make you a better netizen, since they
# tell dnsmasq to filter out queries which the public DNS cannot
# answer, and which load the servers (especially the root servers)
# unnecessarily. If you have a dial-on-demand link they also stop
# these requests from bringing up the link unnecessarily.
# Never forward plain names (without a dot or domain part)
domain-needed
# Never forward addresses in the non-routed address spaces.
bogus-priv
# Uncomment this to filter useless windows-originated DNS requests
# which can trigger dial-on-demand links needlessly.
# Note that (amongst other things) this blocks all SRV requests,
# so don't use it if you use eg Kerberos.
# This option only affects forwarding, SRV records originating for
# dnsmasq (via srv-host= lines) are not suppressed by it.
#filterwin2k
# Change this line if you want dns to get its upstream servers from
# somewhere other than /etc/resolv.conf
#resolv-file=
# By default, dnsmasq will send queries to any of the upstream
# servers it knows about and tries to favour servers that are known
# to be up. Uncommenting this forces dnsmasq to try each query
# with each server strictly in the order they appear in
# /etc/resolv.conf
#strict-order
# If you don't want dnsmasq to read /etc/resolv.conf or any other
# file, getting its servers from this file instead (see below), then
# uncomment this
#no-resolv
# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
# files for changes and re-read them then uncomment this.
#no-poll
# Add other name servers here, with domain specs if they are for
# non-public domains.
#server=/localnet/192.168.0.1
# Add local-only domains here, queries in these domains are answered
# from /etc/hosts or DHCP only.
#local=/localnet/
# Add domains which you want to force to an IP address here.
# The example below sends any host in doubleclick.net to a local
# webserver.
#address=/doubleclick.net/127.0.0.1
# If you want dnsmasq to change uid and gid to something other
# than the default, edit the following lines.
#user=
#group=
# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
interface=eth0
# Or you can specify which interface _not_ to listen on
#except-interface=
# Or which to listen on by address (remember to include 127.0.0.1 if
# you use this.)
#listen-address=
# If you want dnsmasq to provide only DNS service on an interface,
# configure it as shown above, and then use the following line to
# disable DHCP on it.
#no-dhcp-interface=
# On systems which support it, dnsmasq binds the wildcard address,
# even when it is listening on only some interfaces. It then discards
# requests that it shouldn't reply to. This has the advantage of
# working even when interfaces come and go and change address. If you
# want dnsmasq to really bind only the interfaces it is listening on,
# uncomment this option. About the only time you may need this is when
# running another nameserver on the same machine.
#bind-interfaces
# If you don't want dnsmasq to read /etc/hosts, uncomment the
# following line.
#no-hosts
# or if you want it to read another file, as well as /etc/hosts, use
# this.
#addn-hosts=/etc/banner_add_hosts
# Set this (and domain: see below) if you want to have a domain
# automatically added to simple names in a hosts-file.
#expand-hosts
# Set the domain for dnsmasq. this is optional, but if it is set, it
# does the following things.
# 1) Allows DHCP hosts to have fully qualified domain names, as long
# as the domain part matches this setting.
# 2) Sets the "domain" DHCP option thereby potentially setting the
# domain of all systems configured by DHCP
# 3) Provides the domain part for "expand-hosts"
#domain=thekelleys.org.uk
# Uncomment this to enable the integrated DHCP server, you need
# to supply the range of addresses available for lease and optionally
# a lease time. If you have more than one network, you will need to
# repeat this for each network on which you want to supply DHCP
# service.
dhcp-range=192.168.0.1,192.168.0.255,72h
# This is an example of a DHCP range where the netmask is given. This
# is needed for networks we reach the dnsmasq DHCP server via a relay
# agent. If you don't know what a DHCP relay agent is, you probably
# don't need to worry about this.
#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h
# This is an example of a DHCP range with a network-id, so that
# some DHCP options may be set only for this network.
#dhcp-range=red,192.168.0.50,192.168.0.150
# Supply parameters for specified hosts using DHCP. There are lots
# of valid alternatives, so we will give examples of each. Note that
# IP addresses DO NOT have to be in the range given above, they just
# need to be on the same network. The order of the parameters in these
# do not matter, it's permissible to give name, address and MAC in any order
# Always allocate the host with ethernet address 11:22:33:44:55:66
# The IP address 192.168.0.60
#dhcp-host=11:22:33:44:55:66,192.168.0.60
# Always set the name of the host with hardware address
# 11:22:33:44:55:66 to be "fred"
#dhcp-host=11:22:33:44:55:66,fred
# Always give the host with ethernet address 11:22:33:44:55:66
# the name fred and IP address 192.168.0.60 and lease time 45 minutes
#dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m
# Give the machine which says it's name is "bert" IP address
# 192.168.0.70 and an infinite lease
#dhcp-host=bert,192.168.0.70,infinite
# Always give the host with client identifier 01:02:02:04
# the IP address 192.168.0.60
#dhcp-host=id:01:02:02:04,192.168.0.60
# Always give the host with client identifier "marjorie"
# the IP address 192.168.0.60
#dhcp-host=id:marjorie,192.168.0.60
# Enable the address given for "judge" in /etc/hosts
# to be given to a machine presenting the name "judge" when
# it asks for a DHCP lease.
#dhcp-host=judge
# Never offer DHCP service to a machine whose ethernet
# address is 11:22:33:44:55:66
#dhcp-host=11:22:33:44:55:66,ignore
# Ignore any client-id presented by the machine with ethernet
# address 11:22:33:44:55:66. This is useful to prevent a machine
# being treated differently when running under different OS's or
# between PXE boot and OS boot.
#dhcp-host=11:22:33:44:55:66,id:*
# Send extra options which are tagged as "red" to
# the machine with ethernet address 11:22:33:44:55:66
#dhcp-host=11:22:33:44:55:66,net:red
# Send extra options which are tagged as "red" to
# any machine with ethernet address starting 11:22:33:
#dhcp-host=11:22:33:*:*:*,net:red
# Send extra options which are tagged as "red" to any machine whose
# DHCP vendorclass string includes the substring "Linux"
#dhcp-vendorclass=red,Linux
# Send extra options which are tagged as "red" to any machine one
# of whose DHCP userclass strings includes the substring "accounts"
#dhcp-userclass=red,accounts
# Send extra options which are tagged as "red" to any machine whose
# MAC address matches the pattern.
#dhcp-mac=red,00:60:8C:*:*:*
# If this line is uncommented, dnsmasq will read /etc/ethers and act
# on the ethernet-address/IP pairs found there just as if they had
# been given as --dhcp-host options. Useful if you keep
# MAC-address/host mappings there for other purposes.
#read-ethers
# Send options to hosts which ask for a DHCP lease.
# See RFC 2132 for details of available options.
# Note that all the common settings, such as netmask and
# broadcast address, DNS server and default route, are given
# sane defaults by dnsmasq. You very likely will not need any
# any dhcp-options. If you use Windows clients and Samba, there
# are some options which are recommended, they are detailed at the
# end of this section.
# For reference, the common options are:
# subnet mask - 1
# default router - 3
# DNS server - 6
# broadcast address - 28
# Override the default route supplied by dnsmasq, which assumes the
# router is the same machine as the one running dnsmasq.
#dhcp-option=3,1.2.3.4
# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5
#dhcp-option=42,192.168.0.4,10.10.0.5
# Set the NTP time server address to be the same machine as
# is running dnsmasq
#dhcp-option=42,0.0.0.0
# Set the NIS domain name to "welly"
#dhcp-option=40,welly
# Set the default time-to-live to 50
#dhcp-option=23,50
# Set the "all subnets are local" flag
#dhcp-option=27,1
# Send the etherboot magic flag and then etherboot options (a string).
#dhcp-option=128,e4:45:74:68:00:00
#dhcp-option=129,NIC=eepro100
# Specify an option which will only be sent to the "red" network
# (see dhcp-range for the declaration of the "red" network)
#dhcp-option=red,42,192.168.1.1
# The following DHCP options set up dnsmasq in the same way as is specified
# for the ISC dhcpcd in
# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
# adapted for a typical dnsmasq installation where the host running
# dnsmasq is also the host running samba.
# you may want to uncomment them if you use Windows clients and Samba.
#dhcp-option=19,0 # option ip-forwarding off
#dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
#dhcp-option=45,0.0.0.0 # netbios datagram distribution server
#dhcp-option=46,8 # netbios node type
#dhcp-option=47 # empty netbios scope.
# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
# probably doesn't support this......
#dhcp-option=119,eng.apple.com,marketing.apple.com
# Send RFC-3442 classless static routes (note the netmask encoding)
#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
# Send encapsulated vendor-class specific options. The vendor-class
# is sent as DHCP option 60, and all the options marked with the
# vendor class are sent encapsulated in DHCP option 43. The meaning of
# the options is defined by the vendor-class. This example sets the
# mtftp address to 0.0.0.0 for PXEClients
#dhcp-option=vendor:PXEClient,1,0.0.0.0
# Set the boot filename and tftpd server name and address
# for BOOTP. You will only need this if you want to
# boot machines over the network.
#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3
# Set the limit on DHCP leases, the default is 150
#dhcp-lease-max=150
# The DHCP server needs somewhere on disk to keep its lease database.
# This defaults to a sane location, but if you want to change it, use
# the line below.
#dhcp-leasefile=/var/lib/misc/dnsmasq.leases
# Set the DHCP server to authoritative mode. In this mode it will barge in
# and take over the lease for any client which broadcasts on the network,
# whether it has a record of the lease or not. This avoids long timeouts
# when a machine wakes up on a new network. DO NOT enable this if there's
# the slightest chance that you might end up accidentally configuring a DHCP
# server for your campus/company. The ISC server uses the same
# option, and this URL provides more information:
# http://www.isc.org/index.pl?/sw/dhcp/authoritative.php
#dhcp-authoritative
# Run an executable when a DHCP lease is created or destroyed.
# The arguments sent to the script are "add" or "del",
# then the MAC address, the IP address and finally the hostname
# if there is one.
#dhcp-script=/bin/echo
# Set the cachesize here.
#cache-size=150
# If you want to disable negative caching, uncomment this.
#no-negcache
# Normally responses which come from /etc/hosts and the DHCP lease
# file have Time-To-Live set as zero, which conventionally means
# do not cache further. If you are happy to trade lower load on the
# server for potentially stale data, you can set a time-to-live (in
# seconds) here.
#local-ttl=
# If you want dnsmasq to detect attempts by Verisign to send queries
# to unregistered .com and .net hosts to its sitefinder service and
# have dnsmasq instead return the correct NXDOMAIN response, uncomment
# this line. You can add similar lines to do the same for other
# registries which have implemented wildcard A records.
#bogus-nxdomain=64.94.110.11
# If you want to fix up DNS results from upstream servers, use the
# alias option. This only works for IPv4.
# This alias makes a result of 1.2.3.4 appear as 5.6.7.8
#alias=1.2.3.4,5.6.7.8
# and this maps 1.2.3.x to 5.6.7.x
#alias=1.2.3.0,5.6.7.0,255.255.255.0
# Change these lines if you want dnsmasq to serve MX records.
# Return an MX record named "maildomain.com" with target
# servermachine.com and preference 50
#mx-host=maildomain.com,servermachine.com,50
# Set the default target for MX records created using the localmx option.
#mx-target=servermachine.com
# Return an MX record pointing to the mx-target for all local
# machines.
#localmx
# Return an MX record pointing to itself for all local machines.
#selfmx
# Change the following lines if you want dnsmasq to serve SRV
# records. These are useful if you want to serve ldap requests for
# Active Directory and other windows-originated DNS requests.
# See RFC 2782.
# You may add multiple srv-host lines.
# The fields are <name>,<target>,<port>,<priority>,<weight>
# If the domain part is missing from the name (so that it just has the
# service and protocol sections) then the domain given by the domain=
# config option is used. (Note that expand-hosts does not need to be
# set for this to work.)
# A SRV record sending LDAP for the example.com domain to
# ldapserver.example.com port 389
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
# A SRV record sending LDAP for the example.com domain to
# ldapserver.example.com port 389 (using domain=)
#domain=example.com
#srv-host=_ldap._tcp,ldapserver.example.com,389
# Two SRV records for LDAP, each with different priorities
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2
# A SRV record indicating that there is no LDAP server for the domain
# example.com
#srv-host=_ldap._tcp.example.com
# Change the following lines to enable dnsmasq to serve TXT records.
# These are used for things like SPF and zeroconf. (Note that the
# domain-name expansion done for SRV records _does_not
# occur for TXT records.)
#Example SPF.
#txt-record=example.com,v=spf1 a -all
#Example zeroconf
#txt-record=_http._tcp.example.com,name=value,paper=A4
# For debugging purposes, log each DNS query as it passes through
# dnsmasq.
#log-queries
# Include another lot of configuration options.
#conf-file=/etc/dnsmasq.more.conf
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] Setting up a home router
2007-01-15 18:23 ` Daniel Pielmeier
@ 2007-01-15 18:42 ` Daniel Pielmeier
2007-01-15 22:55 ` Hans-Werner Hilse
1 sibling, 0 replies; 55+ messages in thread
From: Daniel Pielmeier @ 2007-01-15 18:42 UTC (permalink / raw
To: gentoo-user
Another thing that makes me wonder is that the home router guide
mentions nothing about name servers or gateways.
According to the guide this line seems to be enough:
config_eth0=( "192.168.0.2 broadcast 192.168.0.255 netmask 255.255.255.0" )
But without the routes setting I get "network unreachable" when I try to ping:
routes_eth0=("default via 192.168.0.1")
and without the dns_servers setting the IP addresses are not resolved:
dns_servers_eth0=("192.168.0.1" )
I have also seen the gateways setting in my searches. What is the
right one, routes or gateways, or what is the difference?
gateways_eth0="192.168.0.1"
* Re: [gentoo-user] Setting up a home router
2007-01-15 18:23 ` Daniel Pielmeier
2007-01-15 18:42 ` Daniel Pielmeier
@ 2007-01-15 22:55 ` Hans-Werner Hilse
1 sibling, 0 replies; 55+ messages in thread
From: Hans-Werner Hilse @ 2007-01-15 22:55 UTC (permalink / raw
To: gentoo-user
Hi,
On Mon, 15 Jan 2007 19:23:53 +0100
"Daniel Pielmeier" <daniel.pielmeier@googlemail.com> wrote:
> > No, that's (usually) correct. But in the route excerpt you've cited
> > above (please post "route -n" next time!) the route for "localhost" was
> > set to "dev eth0". Also, the subnet was a /24 one, instead of the
> > usual /8 for localhost. So there's some inconsistency between that file
> > and the routes. The /etc/hosts you've shown looks good, please post
> > dnsmasq's config.
>
> Here are the files you have requested!
>
> route -n on router
>
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 88.67.16.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
> 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
> 0.0.0.0 88.67.16.1 0.0.0.0 UG 0 0 0 ppp0
Ah, OK, so *this* is fine. The route for eth0 is correct. So it's just
the name resolving on the router that returns "localhost" when being
asked for the hostname for 192.168.0.1.
Since all of this isn't about name resolving, we probably can even
leave out that dnsmasq thingy. But your config is essentially this:
> interface=eth0
> dhcp-range=192.168.0.1,192.168.0.255,72h
If this is supposed to work, choose another beginning of that range, at
least 192.168.0.2. But I think dnsmasq is even clever enough not to
issue its own address to clients.
I'll write a separate post about the firewalling issues in a moment.
-hwh
* Re: [gentoo-user] Setting up a home router
2007-01-15 18:17 ` Daniel Pielmeier
@ 2007-01-15 23:13 ` Hans-Werner Hilse
2007-01-15 23:30 ` Daniel Pielmeier
0 siblings, 1 reply; 55+ messages in thread
From: Hans-Werner Hilse @ 2007-01-15 23:13 UTC (permalink / raw
To: gentoo-user
Hi,
On Mon, 15 Jan 2007 19:17:45 +0100
"Daniel Pielmeier" <daniel.pielmeier@googlemail.com> wrote:
> > Send the output from "iptables-save", please. Otherwise we could only
> > guess if the problem is with your firewall rules or somewhere else.
>
> Here we go!
>
> # Generated by iptables-save v1.3.5 on Mon Jan 15 19:09:43 2007
> [...]
everything looks fine. I'm not quite sure about the "policy" module; I
have never used it, and it is somehow being used to check the "direction"
of packets. Maybe someone else can comment.
So remaining things to check would be
- where do packets do what? Use "tcpdump" on the router to monitor
how packets flow. Don't cite all the output, but look at where
packets are coming and going. Two terminals with "tcpdump -i eth0"
and "tcpdump -i ppp0" would tell you that. Send a few pings from the
desktop to the internet. Also try pinging an IP from the desktop, not
just hostnames (to rule out nameserver borkage).
- is forwarding actually really enabled? Just "cat" the
relevant /proc/sys/net/ipv4/ip_forward.
-hwh
* Re: [gentoo-user] Setting up a home router
2007-01-15 23:13 ` Hans-Werner Hilse
@ 2007-01-15 23:30 ` Daniel Pielmeier
2007-01-16 0:40 ` Hans-Werner Hilse
2007-01-16 5:43 ` Daniel Iliev
0 siblings, 2 replies; 55+ messages in thread
From: Daniel Pielmeier @ 2007-01-15 23:30 UTC (permalink / raw
To: gentoo-user
> - is forwarding actually really enabled? Just "cat" the
> relevant /proc/sys/net/ipv4/ip_forward.
cat /proc/sys/net/ipv4/ip_forward
returns 1
> So remaining things to check would be
> - where do packets do what? Use "tcpdump" on the router to monitor
> how packets flow. Don't cite all the output, but look at where
> packets are coming and going. Two terminals with "tcpdump -i eth0"
> and "tcpdump -i ppp0" would tell you that. Send a few pings from the
> desktop to the internet. Also try pinging an IP from the desktop, not
> just hostnames (to rule out nameserver borkage).
Here is what tcpdump returns!
ping to www.google.de from desktop
ping -c5 209.85.135.147
PING 209.85.135.147 (209.85.135.147) 56(84) bytes of data.
--- 209.85.135.147 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4000ms
tcpdump -i ppp0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
00:23:34.170023 IP dslb-088-065-173-238.pools.arcor-ip.net.32864 >
dns1.arcor-ip.de.domain: 62186+ PTR? 147.135.85.209.in-addr.arpa.
(45)
00:23:34.170885 IP dslb-088-065-173-238.pools.arcor-ip.net.32865 >
dns1.arcor-ip.de.domain: 49362+ PTR? 11.2.253.145.in-addr.arpa. (43)
00:23:34.186127 IP dns1.arcor-ip.de.domain >
dslb-088-065-173-238.pools.arcor-ip.net.32864: 62186 NXDomain 0/1/0
(105)
00:23:34.192706 IP dns1.arcor-ip.de.domain >
dslb-088-065-173-238.pools.arcor-ip.net.32865: 49362 1/0/0 (73)
00:23:34.193083 IP dslb-088-065-173-238.pools.arcor-ip.net.32865 >
dns1.arcor-ip.de.domain: 55934+ PTR? 238.173.65.88.in-addr.arpa. (44)
00:23:34.250939 IP dns1.arcor-ip.de.domain >
dslb-088-065-173-238.pools.arcor-ip.net.32865: 55934 1/0/0 (97)
00:23:44.770408 IP cpc1-pnth1-0-0-cust807.cdif.cable.ntl.com.18730 >
dslb-088-065-173-238.pools.arcor-ip.net.13040: UDP, length 98
00:23:44.770494 IP dslb-088-065-173-238.pools.arcor-ip.net >
cpc1-pnth1-0-0-cust807.cdif.cable.ntl.com: ICMP
dslb-088-065-173-238.pools.arcor-ip.net udp port 13040 unreachable,
length 134
00:23:44.770752 IP dslb-088-065-173-238.pools.arcor-ip.net.32865 >
dns1.arcor-ip.de.domain: 21398+ PTR? 40.23.6.82.in-addr.arpa. (41)
00:23:44.820873 IP dns1.arcor-ip.de.domain >
dslb-088-065-173-238.pools.arcor-ip.net.32865: 21398 1/0/0 (96)
00:23:46.085482 IP 222.69.242.140.19774 >
dslb-088-065-173-238.pools.arcor-ip.net.13040: UDP, length 98
00:23:46.085566 IP dslb-088-065-173-238.pools.arcor-ip.net >
222.69.242.140: ICMP dslb-088-065-173-238.pools.arcor-ip.net udp port
13040 unreachable, length 134
00:23:46.085811 IP dslb-088-065-173-238.pools.arcor-ip.net.32865 >
dns1.arcor-ip.de.domain: 28846+ PTR? 140.242.69.222.in-addr.arpa.
(45)
00:23:46.509496 IP dns1.arcor-ip.de.domain >
dslb-088-065-173-238.pools.arcor-ip.net.32865: 28846 NXDomain 0/1/0
(105)
00:23:52.092567 IP 222.69.242.140.19774 >
dslb-088-065-173-238.pools.arcor-ip.net.13040: UDP, length 98
00:23:52.092624 IP dslb-088-065-173-238.pools.arcor-ip.net >
222.69.242.140: ICMP dslb-088-065-173-238.pools.arcor-ip.net udp port
13040 unreachable, length 134
00:23:54.447053 IP dslb-084-057-191-176.pools.arcor-ip.net.3158 >
dslb-088-065-173-238.pools.arcor-ip.net.epmap: S
2228649193:2228649193(0) win 53760 <mss 1412,nop,wscale
3,nop,nop,timestamp 0 0,nop,nop,sackOK>
00:23:54.447386 IP dslb-088-065-173-238.pools.arcor-ip.net.32865 >
dns1.arcor-ip.de.domain: 55370+ PTR? 176.191.57.84.in-addr.arpa. (44)
00:23:54.463773 IP dns1.arcor-ip.de.domain >
dslb-088-065-173-238.pools.arcor-ip.net.32865: 55370 1/0/0 (97)
tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
00:23:32.895513 IP gentoo-vdr.linux.net.54934 > gentoo.linux.net.ssh:
P 2356170685:2356170733(48) ack 1373265494 win 1034 <nop,nop,timestamp
1888728 4586914>
00:23:32.895566 IP gentoo.linux.net.ssh > gentoo-vdr.linux.net.54934:
P 1:49(48) ack 48 win 81 <nop,nop,timestamp 4721101 1888728>
00:23:32.895604 IP gentoo-vdr.linux.net.54934 > gentoo.linux.net.ssh:
. ack 49 win 1034 <nop,nop,timestamp 1888728 4721101>
00:23:33.913406 IP gentoo-vdr.linux.net.36415 > gentoo.linux.net.ssh:
P 220729975:220730023(48) ack 3542615936 win 5880 <nop,nop,timestamp
1888829 4706313>
00:23:33.913491 IP gentoo.linux.net.ssh > gentoo-vdr.linux.net.36415:
P 1:65(64) ack 48 win 116 <nop,nop,timestamp 4721355 1888829>
00:23:33.913528 IP gentoo-vdr.linux.net.36415 > gentoo.linux.net.ssh:
. ack 65 win 5880 <nop,nop,timestamp 1888829 4721355>
00:23:34.168115 IP gentoo-vdr.linux.net.36415 > gentoo.linux.net.ssh:
P 48:96(48) ack 65 win 5880 <nop,nop,timestamp 1888855 4721355>
00:23:34.168191 IP gentoo.linux.net.ssh > gentoo-vdr.linux.net.36415:
P 65:113(48) ack 96 win 116 <nop,nop,timestamp 4721419 1888855>
00:23:34.168229 IP gentoo-vdr.linux.net.36415 > gentoo.linux.net.ssh:
. ack 113 win 5880 <nop,nop,timestamp 1888855 4721419>
00:23:34.168756 IP gentoo.linux.net.ssh > gentoo-vdr.linux.net.36415:
P 113:209(96) ack 96 win 116 <nop,nop,timestamp 4721419 1888855>
00:23:34.168814 IP gentoo-vdr.linux.net.36415 > gentoo.linux.net.ssh:
. ack 209 win 5880 <nop,nop,timestamp 1888855 4721419>
00:23:34.168771 IP gentoo.linux.net > 209.85.135.147: ICMP echo
request, id 64284, seq 1, length 64
00:23:35.169420 IP gentoo.linux.net > 209.85.135.147: ICMP echo
request, id 64284, seq 2, length 64
00:23:36.169461 IP gentoo.linux.net > 209.85.135.147: ICMP echo
request, id 64284, seq 3, length 64
00:23:37.169504 IP gentoo.linux.net > 209.85.135.147: ICMP echo
request, id 64284, seq 4, length 64
00:23:38.169550 IP gentoo.linux.net > 209.85.135.147: ICMP echo
request, id 64284, seq 5, length 64
00:23:48.174063 IP gentoo.linux.net.ssh > gentoo-vdr.linux.net.36415:
P 209:353(144) ack 96 win 116 <nop,nop,timestamp 4724920 1888855>
00:23:48.174138 IP gentoo-vdr.linux.net.36415 > gentoo.linux.net.ssh:
. ack 353 win 5871 <nop,nop,timestamp 1890255 4724920>
00:23:48.174117 IP gentoo.linux.net.ssh > gentoo-vdr.linux.net.36415:
P 353:417(64) ack 96 win 116 <nop,nop,timestamp 4724920 1888855>
00:23:48.174157 IP gentoo-vdr.linux.net.36415 > gentoo.linux.net.ssh:
. ack 417 win 5867 <nop,nop,timestamp 1890255 4724920>
00:23:48.174170 IP gentoo.linux.net.ssh > gentoo-vdr.linux.net.36415:
P 417:497(80) ack 96 win 116 <nop,nop,timestamp 4724920 1890255>
00:23:48.174182 IP gentoo-vdr.linux.net.36415 > gentoo.linux.net.ssh:
. ack 497 win 5862 <nop,nop,timestamp 1890255 4724920>
ping to www.google.de from router
ping -c5 209.85.135.147
PING 209.85.135.147 (209.85.135.147) 56(84) bytes of data.
64 bytes from 209.85.135.147: icmp_seq=1 ttl=246 time=23.2 ms
64 bytes from 209.85.135.147: icmp_seq=2 ttl=246 time=24.4 ms
64 bytes from 209.85.135.147: icmp_seq=3 ttl=246 time=23.6 ms
64 bytes from 209.85.135.147: icmp_seq=4 ttl=246 time=24.6 ms
64 bytes from 209.85.135.147: icmp_seq=5 ttl=246 time=23.7 ms
--- 209.85.135.147 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4025ms
rtt min/avg/max/mdev = 23.292/23.945/24.603/0.520 ms
tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
0 packets captured
0 packets received by filter
0 packets dropped by kernel
tcpdump -i ppp0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
00:26:45.035173 IP dslb-088-065-173-238.pools.arcor-ip.net >
209.85.135.147: ICMP echo request, id 4181, seq 1, length 64
00:26:45.036069 IP dslb-088-065-173-238.pools.arcor-ip.net.32865 >
dns1.arcor-ip.de.domain: 53808+ PTR? 147.135.85.209.in-addr.arpa.
(45)
00:26:45.056503 IP dns1.arcor-ip.de.domain >
dslb-088-065-173-238.pools.arcor-ip.net.32865: 53808 NXDomain 0/1/0
(105)
00:26:45.056824 IP dslb-088-065-173-238.pools.arcor-ip.net.32865 >
dns1.arcor-ip.de.domain: 37596+ PTR? 238.173.65.88.in-addr.arpa. (44)
00:26:45.058409 IP 209.85.135.147 >
dslb-088-065-173-238.pools.arcor-ip.net: ICMP echo reply, id 4181, seq
1, length 64
00:26:45.074915 IP dns1.arcor-ip.de.domain >
dslb-088-065-173-238.pools.arcor-ip.net.32865: 37596 1/0/0 (97)
00:26:45.125930 IP dslb-088-065-173-238.pools.arcor-ip.net.32865 >
dns1.arcor-ip.de.domain: 10166+ PTR? 11.2.253.145.in-addr.arpa. (43)
00:26:45.140233 IP dns1.arcor-ip.de.domain >
dslb-088-065-173-238.pools.arcor-ip.net.32865: 10166 1/0/0 (73)
00:26:46.040910 IP dslb-088-065-173-238.pools.arcor-ip.net >
209.85.135.147: ICMP echo request, id 4181, seq 2, length 64
00:26:46.065340 IP 209.85.135.147 >
dslb-088-065-173-238.pools.arcor-ip.net: ICMP echo reply, id 4181, seq
2, length 64
00:26:47.050855 IP dslb-088-065-173-238.pools.arcor-ip.net >
209.85.135.147: ICMP echo request, id 4181, seq 3, length 64
00:26:47.074438 IP 209.85.135.147 >
dslb-088-065-173-238.pools.arcor-ip.net: ICMP echo reply, id 4181, seq
3, length 64
00:26:48.050866 IP dslb-088-065-173-238.pools.arcor-ip.net >
209.85.135.147: ICMP echo request, id 4181, seq 4, length 64
00:26:48.075412 IP 209.85.135.147 >
dslb-088-065-173-238.pools.arcor-ip.net: ICMP echo reply, id 4181, seq
4, length 64
00:26:49.060871 IP dslb-088-065-173-238.pools.arcor-ip.net >
209.85.135.147: ICMP echo request, id 4181, seq 5, length 64
00:26:49.084519 IP 209.85.135.147 >
dslb-088-065-173-238.pools.arcor-ip.net: ICMP echo reply, id 4181, seq
5, length 64
16 packets captured
32 packets received by filter
0 packets dropped by kernel
* Re: [gentoo-user] Setting up a home router
2007-01-15 23:30 ` Daniel Pielmeier
@ 2007-01-16 0:40 ` Hans-Werner Hilse
2007-01-16 1:37 ` Dale
2007-01-16 8:03 ` Daniel Pielmeier
2007-01-16 5:43 ` Daniel Iliev
1 sibling, 2 replies; 55+ messages in thread
From: Hans-Werner Hilse @ 2007-01-16 0:40 UTC (permalink / raw
To: gentoo-user
Hi,
On Tue, 16 Jan 2007 00:30:30 +0100
"Daniel Pielmeier" <daniel.pielmeier@googlemail.com> wrote:
> > - is forwarding actually really enabled? Just "cat" the
> > relevant /proc/sys/net/ipv4/ip_forward.
>
> cat /proc/sys/net/ipv4/ip_forward
> returns 1
>
> > So remaining things to check would be
> > - where do packets do what? Use "tcpdump" on the router to monitor
> > how packets flow. Don't cite all the output, but look at where
> > packets are coming and going. Two terminals with "tcpdump -i eth0"
> > and "tcpdump -i ppp0" would tell you that. Send a few pings from the
> > desktop to the internet. Also try pinging an IP from the desktop, not
> > just hostnames (to rule out nameserver borkage).
>
> Here is what tcpdump returns!
> [...]
That's what I wanted to avoid with asking for not citing everything :-)
But everything looks quite normal, except that packets aren't
routed. So it's up to somebody else to tell exactly what that "policy"
module in iptables does -- and how. I don't have answers left here --
except for the case that a manual iptables setup is sufficient.
Personally, I'm quite happy with
$ iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
$ iptables -A FORWARD -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$ iptables -A FORWARD -i ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
for the forwarding. All that fancy-schmanzy stuff that shorewall does
isn't in there, granted.
-hwh
* Re: [gentoo-user] Setting up a home router
2007-01-16 0:40 ` Hans-Werner Hilse
@ 2007-01-16 1:37 ` Dale
2007-01-16 8:03 ` Daniel Pielmeier
1 sibling, 0 replies; 55+ messages in thread
From: Dale @ 2007-01-16 1:37 UTC (permalink / raw
To: gentoo-user
Hans-Werner Hilse wrote:
> Hi,
>
> On Tue, 16 Jan 2007 00:30:30 +0100
> "Daniel Pielmeier" <daniel.pielmeier@googlemail.com> wrote:
>
>
>>> - is forwarding actually really enabled? Just "cat" the
>>> relevant /proc/sys/net/ipv4/ip_forward.
>>>
>> cat /proc/sys/net/ipv4/ip_forward
>> returns 1
>>
>>
>>> So remaining things to check would be
>>> - where do packets do what? Use "tcpdump" on the router to monitor
>>> how packets flow. Don't cite all the output, but look at where
>>> packets are coming and going. Two terminals with "tcpdump -i eth0"
>>> and "tcpdump -i ppp0" would tell you that. Send a few pings from the
>>> desktop to the internet. Also try pinging an IP from the desktop, not
>>> just hostnames (to rule out nameserver borkage).
>>>
>> Here is what tcpdump returns!
>> [...]
>>
>
> That's what I wanted to avoid with asking for not citing everything :-)
>
> But everything looks quite normal, except that packets aren't
> routed. So it's up to somebody else to tell exactly what that "policy"
> module in iptables does -- and how. I don't have answers left here --
> except for the case that a manual iptables setup is sufficient.
>
> Personally, I'm quite happy with
>
> $ iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> $ iptables -A FORWARD -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $ iptables -A FORWARD -i ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> for the forwarding. All that fancy-schmanzy stuff that shorewall does
> isn't in there, granted.
>
> -hwh
>
Well, I got lucky. I'm not really sure what I did, to be honest. Here is
my main box that is connected to the net:
> root@smoker / # route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> nas2.greenwood1 *               255.255.255.255 UH    0      0        0 ppp0
> 192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
> loopback        *               255.0.0.0       U     0      0        0 lo
> default         nas2.greenwood1 0.0.0.0         UG    0      0        0 ppp0
> root@smoker / #
> root@smoker / # iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> root@smoker / #
This is from the second rig:
> swifty ~ # route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
> loopback        *               255.0.0.0       U     0      0        0 lo
> default         smoker          0.0.0.0         UG    0      0        0 eth0
> swifty ~ #
No iptables on this one. I don't know what I did but it all works. I
guess even I get lucky sometimes. :-O
Dale
:-) :-) :-)
--
www.myspace.com/dalek1967
* Re: [gentoo-user] Setting up a home router
2007-01-15 23:30 ` Daniel Pielmeier
2007-01-16 0:40 ` Hans-Werner Hilse
@ 2007-01-16 5:43 ` Daniel Iliev
1 sibling, 0 replies; 55+ messages in thread
From: Daniel Iliev @ 2007-01-16 5:43 UTC (permalink / raw
To: gentoo-user
Again the quick & dirty solution:
/etc/init.d/iptables stop
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
/etc/init.d/iptables save
rc-update -a iptables default
/etc/init.d/iptables start
--
Best regards,
Daniel
* Re: [gentoo-user] Setting up a home router
2007-01-16 0:40 ` Hans-Werner Hilse
2007-01-16 1:37 ` Dale
@ 2007-01-16 8:03 ` Daniel Pielmeier
2007-01-16 11:17 ` Hans-Werner Hilse
1 sibling, 1 reply; 55+ messages in thread
From: Daniel Pielmeier @ 2007-01-16 8:03 UTC (permalink / raw
To: gentoo-user
> But everything looks quite normal, except that packets aren't
> routed. So it's up to somebody else to tell exactly what that "policy"
> module in iptables does -- and how. I don't have answers left here --
> except for the case that a manual iptables setup is sufficient.
>
> Personally, I'm quite happy with
>
> $ iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> $ iptables -A FORWARD -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $ iptables -A FORWARD -i ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> for the forwarding. All that fancy-schmanzy stuff that shorewall does
> isn't in there, granted.
Thanks, so I think that I have to get familiar with iptables itself,
because I want to do some more than routing. I will try these rules in the
evening and tell you if they work.
* Re: [gentoo-user] Setting up a home router
2007-01-16 8:03 ` Daniel Pielmeier
@ 2007-01-16 11:17 ` Hans-Werner Hilse
2007-01-16 12:10 ` Daniel Pielmeier
0 siblings, 1 reply; 55+ messages in thread
From: Hans-Werner Hilse @ 2007-01-16 11:17 UTC (permalink / raw
To: gentoo-user
Hi,
On Tue, 16 Jan 2007 09:03:59 +0100 "Daniel Pielmeier"
<daniel.pielmeier@googlemail.com> wrote:
> > Personally, I'm quite happy with
> >
> > $ iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> > $ iptables -A FORWARD -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> > $ iptables -A FORWARD -i ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Aaargh! That last one should have the state NEW omitted (and the
following comma, of course).
> Thanks, so I think that I have to get familiar with iptables itself,
> because I want to do some more than routing. I will try these rules in the
> evening and tell you if they work.
No fears, iptables is easy to configure! Search for some How-To that
has a big picture of which packets entering which chains in which
tables. That really helps a lot.
-hwh
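The ruleset hwh describes, with the correction applied (no NEW state accepted on the ppp0 side), written out below as an added example; this is not code from the thread or from any of its posters. The interface names ppp0 (WAN) and eth0 (LAN) come from the thread; the default policies, the INPUT rules and the audit function are assumptions of this example. The audit reads an iptables-save dump and flags exactly the mistake corrected above, a FORWARD rule that accepts NEW connections arriving on the WAN interface, and also a missing MASQUERADE:

```sh
#!/bin/sh
# Added example, not from the thread: a minimal stateful NAT ruleset for a
# two-interface Linux router, plus an audit for the classic mistake of
# accepting NEW connections from the WAN side in the FORWARD chain.
# Interface names ppp0 (WAN) and eth0 (LAN) are taken from the thread;
# the policies and INPUT rules are this example's own choices.

# fw_rules WAN LAN: print the ruleset, one iptables command per line.
fw_rules() {
    wan=$1; lan=$2
cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $lan -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
iptables -A FORWARD -i $lan -o $wan -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# fw_apply WAN LAN: load the ruleset (needs root and the iptables binary).
fw_apply() {
    fw_rules "$1" "$2" | sh -e
}

# fw_audit WAN: read an iptables-save dump on stdin and return 1 if any
# FORWARD rule accepts NEW connections arriving on WAN (the rule hwh had to
# correct), or if nothing masquerades traffic leaving WAN. Both the old
# "-m state --state" and the newer "-m conntrack --ctstate" spellings match.
fw_audit() {
    awk -v wan="$1" '
        BEGIN { bad = 0; masq = 0 }
        /^\*/ { table = substr($0, 2); next }
        table == "filter" && $1 == "-A" && $2 == "FORWARD" &&
            $0 ~ ("-i " wan "( |$)") && $0 ~ /--(ct)?state [A-Z,]*NEW/ && /-j ACCEPT/ {
            print "BAD: FORWARD accepts NEW connections from " wan ": " $0
            bad = 1
        }
        table == "nat" && $1 == "-A" && $2 == "POSTROUTING" &&
            $0 ~ ("-o " wan "( |$)") && /-j MASQUERADE/ { masq = 1 }
        END {
            if (!masq) { print "BAD: no MASQUERADE for traffic leaving " wan; bad = 1 }
            if (!bad) print "OK: forwarding rules for " wan " look sane"
            exit bad
        }'
}

# Usage:  sh fw.sh apply            (as root, loads the rules)
#         iptables-save | sh fw.sh audit   (checks whatever is loaded now)
case "${1:-}" in
    apply) fw_apply ppp0 eth0 ;;
    audit) fw_audit ppp0 ;;
esac
```

The audit is worth running against a shorewall-generated ruleset too, since it works on any iptables-save output. A FORWARD rule that accepts NEW from ppp0 lets any host on the internet open connections into the LAN through the router; the state match on the WAN-to-LAN rule is what keeps the NAT one-way.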
* Re: [gentoo-user] Setting up a home router
2007-01-16 11:17 ` Hans-Werner Hilse
@ 2007-01-16 12:10 ` Daniel Pielmeier
2007-01-16 14:21 ` Hans-Werner Hilse
2007-01-16 23:40 ` Iain Buchanan
0 siblings, 2 replies; 55+ messages in thread
From: Daniel Pielmeier @ 2007-01-16 12:10 UTC (permalink / raw
To: gentoo-user
> > > Personally, I'm quite happy with
> > >
> > > $ iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> > > $ iptables -A FORWARD -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> > > $ iptables -A FORWARD -i ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> Aaargh! That last one should have the state NEW omitted (and the
> following comma, of course).
>
> > Thanks, so I think that I have to get familiar with iptables itself,
> > because I want to do some more than routing. I will try these rules in the
> > evening and tell you if they work.
>
> No fears, iptables is easy to configure! Search for some How-To that
> has a big picture of which packets entering which chains in which
> tables. That really helps a lot.
I haven't found a how-to like this. Do you know a good how-to? At the
moment I am reading this one:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html.
* Re: [gentoo-user] Setting up a home router
2007-01-16 12:10 ` Daniel Pielmeier
@ 2007-01-16 14:21 ` Hans-Werner Hilse
2007-01-16 14:39 ` Daniel Pielmeier
` (3 more replies)
2007-01-16 23:40 ` Iain Buchanan
1 sibling, 4 replies; 55+ messages in thread
From: Hans-Werner Hilse @ 2007-01-16 14:21 UTC (permalink / raw
To: gentoo-user
Hi,
On Tue, 16 Jan 2007 13:10:45 +0100 "Daniel Pielmeier"
<daniel.pielmeier@googlemail.com> wrote:
> > > Thanks, so I think that I have to get familiar with iptables
> > > itself, because I want to do some more than routing. I will try these
> > > rules in the evening and tell you if they work.
> >
> > No fears, iptables is easy to configure! Search for some How-To that
> > has a big picture of which packets entering which chains in which
> > tables. That really helps a lot.
>
> I haven't found a how-to like this. Do you know a good how-to? At the
> moment I am reading this one:
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html.
Thanks for that link. The document is _very_ good and complete. But I
don't think it's particularly well suited for beginners.
My suggestion would probably be very conservative: netfilter.org's own
docs. http://www.netfilter.org/documentation/index.html
-hwh
* Re: [gentoo-user] Setting up a home router
2007-01-16 14:21 ` Hans-Werner Hilse
@ 2007-01-16 14:39 ` Daniel Pielmeier
2007-01-16 20:57 ` Daniel Pielmeier
` (2 subsequent siblings)
3 siblings, 0 replies; 55+ messages in thread
From: Daniel Pielmeier @ 2007-01-16 14:39 UTC (permalink / raw
To: gentoo-user
> Thanks for that link. The document is _very_ good and complete. But I
> don't think it's particularly well suited for beginners.
> My suggestion would probably be very conservative: netfilter.org's own
> docs. http://www.netfilter.org/documentation/index.html
No problem. I thought that if I have to learn iptables, then I want to
know all about it. It is mentioned on the netfilter site, but I will have
a look at netfilter's own documentation.
* Re: [gentoo-user] Setting up a home router
2007-01-16 14:21 ` Hans-Werner Hilse
2007-01-16 14:39 ` Daniel Pielmeier
@ 2007-01-16 20:57 ` Daniel Pielmeier
2007-01-17 1:32 ` Dale
2007-01-17 19:02 ` Daniel Pielmeier
3 siblings, 0 replies; 55+ messages in thread
From: Daniel Pielmeier @ 2007-01-16 20:57 UTC (permalink / raw
To: gentoo-user
> Thanks for that link. The document is _very_ good and complete. But I
> don't think it's particularly well suited for beginners.
>
> My suggestion would probably be very conservative: netfilter.org's own
> docs. http://www.netfilter.org/documentation/index.html
I have now applied your masquerading and forwarding rules and they are
working. At the moment I am setting up some basic filter rules for
switching from shorewall to plain iptables. Then I will go for
advanced filtering. Thanks a lot for your help and everyone else's.
Regards Daniel
LANG=de
PS: Greetings from Stuttgart and thanks again, I don't know whether I
would have managed it otherwise!
* Re: [gentoo-user] Setting up a home router
2007-01-16 12:10 ` Daniel Pielmeier
2007-01-16 14:21 ` Hans-Werner Hilse
@ 2007-01-16 23:40 ` Iain Buchanan
1 sibling, 0 replies; 55+ messages in thread
From: Iain Buchanan @ 2007-01-16 23:40 UTC (permalink / raw
To: gentoo-user
On Tue, 2007-01-16 at 13:10 +0100, Daniel Pielmeier wrote:
> I haven't found a how-to like this. Do you know a good how-to?
For Linux HOWTOs, I highly recommend tldp:
http://tldp.org/HOWTO/HOWTO-INDEX/networking.html#NETROUTING
Try the Masquerading-Simple-HOWTO.
HTH,
--
Iain Buchanan <iaindb at netspace dot net dot au>
No woman can call herself free until she can choose consciously whether
she will or will not be a mother.
-- Margaret H. Sanger
* Re: [gentoo-user] Setting up a home router
2007-01-16 14:21 ` Hans-Werner Hilse
2007-01-16 14:39 ` Daniel Pielmeier
2007-01-16 20:57 ` Daniel Pielmeier
@ 2007-01-17 1:32 ` Dale
2007-01-17 19:02 ` Daniel Pielmeier
3 siblings, 0 replies; 55+ messages in thread
From: Dale @ 2007-01-17 1:32 UTC (permalink / raw
To: gentoo-user
Hans-Werner Hilse wrote:
>
> Thanks for that link. The document is _very_ good and complete. But I
> don't think it's particularly well suited for beginners.
>
> My suggestion would probably be very conservative: netfilter.org's own
> docs. http://www.netfilter.org/documentation/index.html
>
> -hwh
>
OK. I just had to reply to this one. FINALLY somebody explained how
the heck iptables works and what it does in a way that makes sense to
ME. The best part is that there is an INPUT chain and an OUTPUT chain,
and then you connect them together with iptables. THAT I could understand.
Why can't they put stuff like this in the man page so that nuts like me
can understand it?
Thanks much for that link.
Dale
:-) :-)
--
www.myspace.com/dalek1967
* Re: [gentoo-user] Setting up a home router
2007-01-16 14:21 ` Hans-Werner Hilse
` (2 preceding siblings ...)
2007-01-17 1:32 ` Dale
@ 2007-01-17 19:02 ` Daniel Pielmeier
2007-01-17 20:35 ` Dan
3 siblings, 1 reply; 55+ messages in thread
From: Daniel Pielmeier @ 2007-01-17 19:02 UTC (permalink / raw
To: gentoo-user
Hi again,
it seems that I have run into another problem.
These are my current iptables rules!
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
block      all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
block      all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain block (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state NEW
DROP       all  --  anywhere             anywhere
But every time I start my internet connection with /etc/init.d/net.eth1
start it seems my rules are changed to this and I can't connect to
the internet!
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
LOG        udp  --  anywhere             anywhere            udp dpts:0:1023 LOG level warning
LOG        tcp  --  anywhere             anywhere            tcp dpts:0:1023 LOG level warning
DROP       udp  --  anywhere             anywhere            udp dpts:0:1023
DROP       tcp  --  anywhere             anywhere            tcp dpts:0:1023
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
DROP       icmp --  anywhere             anywhere            icmp echo-request
Chain FORWARD (policy DROP)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain block (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state NEW
DROP       all  --  anywhere             anywhere
What could be the problem here? Is the net init script changing my
rules? I think I have removed shorewall completely, so there shouldn't
be any remaining files which could cause that behavior. Or are there
some remaining files from shorewall? When I invoke iptables save with
my generated rules and restart iptables, the rules are OK and I can
connect!
Thanks in advance!
Daniel
--
gentoo-user@gentoo.org mailing list
^ permalink raw reply [flat|nested] 55+ messages in thread
* Re: [gentoo-user] Setting up a home router
2007-01-17 19:02 ` Daniel Pielmeier
@ 2007-01-17 20:35 ` Dan
2007-01-18 9:25 ` Daniel Pielmeier
0 siblings, 1 reply; 55+ messages in thread
From: Dan @ 2007-01-17 20:35 UTC (permalink / raw
To: gentoo-user
On Wed, 17 Jan 2007 20:02:54 +0100
"Daniel Pielmeier" <daniel.pielmeier@googlemail.com> wrote:
> Hi again,
>
> It seems that I have run into another problem.
>
> These are my current iptables rules:
> ...
> What could be the problem here? Is the net init script changing my
> rules? I think I have removed shorewall completely, so there shouldn't
> be any remaining files which could cause that behavior. Or are there
> some remaining files from shorewall? When I invoke iptables save with
> my generated rules and restart iptables, the rules are OK and I can
> connect!
>
> Thanks in advance!
>
> Daniel
I've been holding back on replying for a while now, but I think you
should try a simple iptables setup like this one:
davey ~ # iptables -L -v ; iptables -t nat -L -v
Chain INPUT (policy DROP 764K packets, 79M bytes)
 pkts bytes target     prot opt in     out     source               destination
50707   18M ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:smtp
 955K  601M ACCEPT     all  --  lo     any     anywhere             anywhere
 249K   20M ACCEPT     all  --  ath0   any     anywhere             anywhere
  43M 6782M ACCEPT     all  --  eth1   any     anywhere             anywhere
    1    32 REJECT     udp  --  eth0   any     anywhere             anywhere            udp dpt:bootps reject-with icmp-port-unreachable
    1    58 REJECT     udp  --  eth0   any     anywhere             anywhere            udp dpt:domain reject-with icmp-port-unreachable
  414 36292 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh
 411K   91M ACCEPT     all  --  eth0   any     anywhere             anywhere            state RELATED,ESTABLISHED
    4   184 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:http
14547 1187K ACCEPT     icmp --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 3017 packets, 184K bytes)
 pkts bytes target     prot opt in     out     source               destination
 173M  111G ACCEPT     all  --  any    any     192.168.0.0/16       anywhere
  22M   19G ACCEPT     all  --  eth0   any     anywhere             192.168.0.0/16

Chain OUTPUT (policy ACCEPT 48M packets, 13G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain PREROUTING (policy ACCEPT 10M packets, 1189M bytes)
 pkts bytes target     prot opt in     out     source               destination
58003 3477K DNAT       tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh to:192.168.1.99:22
 3828  213K DNAT       tcp  --  eth0   any     anywhere             anywhere            tcp dpt:http to:192.168.1.99:80
   14   664 DNAT       tcp  --  eth0   any     anywhere             anywhere            tcp dpt:222 to:192.168.1.1:22
  248 11072 DNAT       tcp  --  eth0   any     anywhere             anywhere            tcp dpt:223 to:192.168.1.100:22

Chain POSTROUTING (policy ACCEPT 300K packets, 18M bytes)
 pkts bytes target     prot opt in     out     source               destination
4564K  318M MASQUERADE all  --  any    eth0    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 234K packets, 15M bytes)
 pkts bytes target     prot opt in     out     source               destination
It's my own stab at a stateful firewall and seems to be working very
well for me. spore.ath.cx is my home computer network; feel free to
nmap me and see what you think from the outside. It's rudimentary, but
that's what I like about it. Simple.
For what it's worth, I never would have been able to figure out
iptables without using
watch "iptables -v -L ; iptables -t nat -v -L"
which ends up showing you the packets in and out of each chain and each
rule, which is highly convenient for configuring firewalls.
Best of luck.
-- dan.
* Re: [gentoo-user] Setting up a home router
2007-01-17 20:35 ` Dan
@ 2007-01-18 9:25 ` Daniel Pielmeier
2007-01-18 10:10 ` Uwe Thiem
2007-01-18 10:43 ` Dale
0 siblings, 2 replies; 55+ messages in thread
From: Daniel Pielmeier @ 2007-01-18 9:25 UTC (permalink / raw
To: gentoo-user
> I've been holding back on replying for a while now, but I think you
> should try a simple iptables setup like this one:
Excuse me, but my problem is not that my tables are not working; they
work very well. I applied forwarding and masquerading, and also a basic
set of filtering rules which block all access from outside.
My problem is that these rules I have defined are somehow overwritten
by the net init script with some remaining settings from my previous
shorewall configuration.
I compared the tables I had with shorewall with my new settings, and
the ones that are changed by the net init script look the same as the
settings I had with shorewall for INPUT, FORWARD and OUTPUT.
I am sure that I have removed shorewall completely, so I guess
shorewall must have altered a file which is used by the init script,
so that the old settings are restored every time I start the net
init script.
Does anybody have a clue?
Regards,
Daniel
* Re: [gentoo-user] Setting up a home router
2007-01-18 9:25 ` Daniel Pielmeier
@ 2007-01-18 10:10 ` Uwe Thiem
2007-01-18 10:43 ` Dale
1 sibling, 0 replies; 55+ messages in thread
From: Uwe Thiem @ 2007-01-18 10:10 UTC (permalink / raw
To: gentoo-user
On 18 January 2007 11:25, Daniel Pielmeier wrote:
> > I've been holding back on replying for a while now, but I think you
> > should try a simple iptables setup like this one:
>
> Excuse me, but my problem is not that my tables are not working; they
> work very well. I applied forwarding and masquerading, and also a basic
> set of filtering rules which block all access from outside.
>
> My problem is that these rules I have defined are somehow overwritten
> by the net init script with some remaining settings from my previous
> shorewall configuration.
>
> I compared the tables I had with shorewall with my new settings, and
> the ones that are changed by the net init script look the same as the
> settings I had with shorewall for INPUT, FORWARD and OUTPUT.
>
> I am sure that I have removed shorewall completely, so I guess
> shorewall must have altered a file which is used by the init script,
> so that the old settings are restored every time I start the net
> init script.
> Does anybody have a clue?
If you really removed shorewall from your runlevel (rc-update del shorewall
default), try this:
rm /var/lib/iptables/rules-save
Uwe
--
A fast and easy generator of fractals for KDE:
http://www.SysEx.com.na/iwy-1.0.tar.bz2
Proof of concept of a TSP solver for KDE:
http://www.SysEx.com.na/epat-0.1.tar.bz2
* Re: [gentoo-user] Setting up a home router
2007-01-18 9:25 ` Daniel Pielmeier
2007-01-18 10:10 ` Uwe Thiem
@ 2007-01-18 10:43 ` Dale
2007-01-18 11:11 ` Daniel Pielmeier
1 sibling, 1 reply; 55+ messages in thread
From: Dale @ 2007-01-18 10:43 UTC (permalink / raw
To: gentoo-user
Daniel Pielmeier wrote:
>> I've been holding back on replying for a while now, but I think you
>> should try a simple iptables setup like this one:
>
> Excuse me, but my problem is not that my tables are not working; they
> work very well. I applied forwarding and masquerading, and also a basic
> set of filtering rules which block all access from outside.
>
> My problem is that these rules I have defined are somehow overwritten
> by the net init script with some remaining settings from my previous
> shorewall configuration.
>
> I compared the tables I had with shorewall with my new settings, and
> the ones that are changed by the net init script look the same as the
> settings I had with shorewall for INPUT, FORWARD and OUTPUT.
>
> I am sure that I have removed shorewall completely, so I guess
> shorewall must have altered a file which is used by the init script,
> so that the old settings are restored every time I start the net
> init script.
> Does anybody have a clue?
>
> Regards,
>
> Daniel
Did you do a /etc/init.d/iptables save by any chance? That's the only
thing I can think of.
Dale
:-) :-) :-) :-)
--
www.myspace.com/dalek1967
* Re: [gentoo-user] Setting up a home router
2007-01-18 10:43 ` Dale
@ 2007-01-18 11:11 ` Daniel Pielmeier
2007-01-18 21:04 ` Dan Farrell
2007-01-18 23:13 ` Iain Buchanan
0 siblings, 2 replies; 55+ messages in thread
From: Daniel Pielmeier @ 2007-01-18 11:11 UTC (permalink / raw
To: gentoo-user
> If you really removed shorewall from your runlevel (rc-update del shorewall
> default) try this:
> rm /var/lib/iptables/rules-save
I have removed shorewall from my runlevels and added iptables.
> Did you do a /etc/init.d/iptables save by any chance? That's the only
> thing I can think of.
The way I have applied my rules is as follows:
First I load them with my generated script,
then I invoke /etc/init.d/iptables save,
and to be sure I do an /etc/init.d/iptables restart.
iptables -L, iptables -L -t nat and iptables -L -t mangle show me my new rules.
When I look in /var/lib/iptables/rules-save I also see my new rules.
When I issue /etc/init.d/net.eth1 restart, iptables -L, iptables -L -t
nat and iptables -L -t mangle show me the old rules from shorewall.
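The load/save/restart/compare routine described in this post, as an added example that is not part of the thread: a small shell script that snapshots the ruleset in iptables-save format before and after the suspect init-script action, strips the packet counters that change on every packet, and reports which chains' policies or rules differ. The two sample dumps it runs on are constructed for the demo; snapshot_live is an assumed wrapper that needs a real iptables-save and root.

```shell
#!/bin/sh
# Added example, not from the thread: compare two iptables-save dumps and
# report which chains were replaced. Rule ORDER is kept in the comparison,
# because a reordered chain is a different firewall.

# Normalise one iptables-save dump: drop comments, COMMIT and the
# per-chain / per-rule packet:byte counters (as written by -c), and
# prefix every line with its table so OUTPUT in filter and OUTPUT in
# nat are not confused with each other.
normalize_rules() {
    awk '
        /^#/ || /^$/ || /^COMMIT/ { next }
        /^\*/ { table = substr($0, 2); next }
        {
            sub(/^\[[0-9]+:[0-9]+\] */, "")      # "[pkts:bytes] -A ..." rule counter
            sub(/ *\[[0-9]+:[0-9]+\] *$/, "")    # ":CHAIN POLICY [pkts:bytes]" chain counter
            print table, $0
        }
    ' "$1"
}

# Print "table:chain" for every chain whose policy or rule list differs
# between the two dumps; prints nothing when the rulesets are identical.
changed_chains() {
    a=$(mktemp) && b=$(mktemp) || return 1
    normalize_rules "$1" > "$a"
    normalize_rules "$2" > "$b"
    diff "$a" "$b" | awk '
        /^[<>] / {
            if ($3 ~ /^:/)       chain = substr($3, 2)   # policy line ":INPUT ACCEPT"
            else if ($3 == "-A") chain = $4              # rule line "-A FORWARD ..."
            else next
            print $2 ":" chain
        }
    ' | sort -u
    rm -f "$a" "$b"
}

# Live use (assumption: root and iptables-save available; not exercised here):
#   snapshot_live /tmp/before; /etc/init.d/net.eth1 restart; snapshot_live /tmp/after
#   changed_chains /tmp/before /tmp/after
snapshot_live() {
    iptables-save -c > "$1"
}

# Constructed samples: "before" is a working ruleset like the one in the
# thread, "after" is what a script that re-applied old rules left behind.
write_samples() {
    cat > "$1" <<'EOF'
# Generated by iptables-save v1.3.5 on Wed Jan 17 19:00:00 2007
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:block - [0:0]
[10:800] -A INPUT -j block
[20:1600] -A FORWARD -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -j block
[5:400] -A block -m state --state RELATED,ESTABLISHED -j ACCEPT
[3:240] -A block -m state --state NEW -j ACCEPT
[2:160] -A block -j DROP
COMMIT
EOF
    cat > "$2" <<'EOF'
# Generated by iptables-save v1.3.5 on Wed Jan 17 19:05:00 2007
*filter
:INPUT ACCEPT [120:9000]
:FORWARD DROP [3:180]
:OUTPUT ACCEPT [55:4000]
:block - [0:0]
[7:560] -A INPUT -p tcp -m tcp --dport 0:1023 -j DROP
[5:400] -A block -m state --state RELATED,ESTABLISHED -j ACCEPT
[3:240] -A block -m state --state NEW -j ACCEPT
[2:160] -A block -j DROP
COMMIT
EOF
}

# Run the comparison on the constructed samples; prints
# "filter:FORWARD" and "filter:INPUT", the two chains that were replaced.
# Counter changes alone (the block chain) are correctly not reported.
demo() {
    before=$(mktemp) && after=$(mktemp) || return 1
    write_samples "$before" "$after"
    changed_chains "$before" "$after"
    rm -f "$before" "$after"
}

demo
```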
* Re: [gentoo-user] Setting up a home router
2007-01-18 11:11 ` Daniel Pielmeier
@ 2007-01-18 21:04 ` Dan Farrell
2007-01-18 23:13 ` Iain Buchanan
1 sibling, 0 replies; 55+ messages in thread
From: Dan Farrell @ 2007-01-18 21:04 UTC (permalink / raw
To: gentoo-user
On Thu, 18 Jan 2007 12:11:34 +0100
"Daniel Pielmeier" <daniel.pielmeier@googlemail.com> wrote:
> Excuse me, but my problem is not that my tables are not working, they
> work very well. I applied forwarding and masquerading, also a basic
> set of filtering rules which block all access from outside.
oops. sorry.
> > If you really removed shorewall from your runlevel (rc-update del
> > shorewall default) try this:
> > rm /var/lib/iptables/rules-save
>
> I have removed shorewall from my runlevels and added iptables.
>
> > Did you do a /etc/init.d/iptables save by any chance? That's the
> > only thing I can think of.
>
>
> The way I have applied my rules is as follows:
>
> First I load them with my generated script,
> then I invoke /etc/init.d/iptables save,
> and to be sure I do an /etc/init.d/iptables restart.
> iptables -L, iptables -L -t nat and iptables -L -t mangle show me my new
> rules. When I look in /var/lib/iptables/rules-save I also see my new
> rules. When I issue /etc/init.d/net.eth1 restart, iptables -L, iptables
> -L -t nat and iptables -L -t mangle show me the old rules from shorewall.
I wonder if shorewall is loaded as a dependency of net.eth1?
* Re: [gentoo-user] Setting up a home router
2007-01-18 11:11 ` Daniel Pielmeier
2007-01-18 21:04 ` Dan Farrell
@ 2007-01-18 23:13 ` Iain Buchanan
2007-01-19 1:10 ` Daniel Pielmeier
2007-01-19 4:06 ` Dale
1 sibling, 2 replies; 55+ messages in thread
From: Iain Buchanan @ 2007-01-18 23:13 UTC (permalink / raw
To: gentoo-user
On Thu, 2007-01-18 at 12:11 +0100, Daniel Pielmeier wrote:
> The way I have applied my rules is as follows:
>
> First I load them with my generated script,
> then I invoke /etc/init.d/iptables save,
> and to be sure I do an /etc/init.d/iptables restart.
> iptables -L, iptables -L -t nat and iptables -L -t mangle show me my new rules.
> When I look in /var/lib/iptables/rules-save I also see my new rules.
> When I issue /etc/init.d/net.eth1 restart, iptables -L, iptables -L -t
> nat and iptables -L -t mangle show me the old rules from shorewall.
Hmm, shorewall must have done something that's more persistent.
Have a look at /etc/runlevels, and make sure there is no shorewall stuff
left in there.
Also look in /etc/conf.d/net* and make sure there are no postup functions
lying around.
And make sure /etc/init.d/net.eth1 is a symlink to /etc/init.d/net.lo,
and then make sure net.lo hasn't been "modified" by shorewall. You
could do an `emerge --noconfmem baselayout` to make extra sure. **Read
the man page first.
Is there a /etc/shorewall directory? Perhaps someone who has it
installed could do `equery files shorewall` so you could check that it
really is deleted.
Well, these ideas are really stabbing in the dark, but you gotta start
somewhere!
HTH,
--
Iain Buchanan <iaindb at netspace dot net dot au>
Workers of the world, arise! You have nothing to lose but your chairs.
* Re: [gentoo-user] Setting up a home router
2007-01-18 23:13 ` Iain Buchanan
@ 2007-01-19 1:10 ` Daniel Pielmeier
2007-01-19 6:45 ` Iain Buchanan
2007-01-19 4:06 ` Dale
1 sibling, 1 reply; 55+ messages in thread
From: Daniel Pielmeier @ 2007-01-19 1:10 UTC (permalink / raw
To: gentoo-user
> Hmm, shorewall must have done something that's more persistent.
>
> Have a look at /etc/runlevels, and make sure there is no shorewall stuff
> left in there.
>
> Also look in /etc/conf.d/net* and make sure there are no postup functions
> lying around.
>
> And make sure /etc/init.d/net.eth1 is a symlink to /etc/init.d/net.lo,
> and then make sure net.lo hasn't been "modified" by shorewall. You
> could do an `emerge --noconfmem baselayout` to make extra sure. **Read
> the man page first.
>
> Is there a /etc/shorewall directory? Perhaps someone who has it
> installed could do `equery files shorewall` so you could check that it
> really is deleted.
>
> Well, these ideas are really stabbing in the dark, but you gotta start
> somewhere!
Thanks for your hints. I checked all these things, but there seems to be
nothing of shorewall remaining! I am quite sure because I am using a
cruft script which searches for files remaining after an uninstall.
The script does its job; there were several files from shorewall
remaining, but now they are all gone, yet my problem still remains.
* Re: [gentoo-user] Setting up a home router
2007-01-18 23:13 ` Iain Buchanan
2007-01-19 1:10 ` Daniel Pielmeier
@ 2007-01-19 4:06 ` Dale
1 sibling, 0 replies; 55+ messages in thread
From: Dale @ 2007-01-19 4:06 UTC (permalink / raw
To: gentoo-user
Iain Buchanan wrote:
>
>
> Is there a /etc/shorewall directory? Perhaps someone who has it
> installed could do `equery files shorewall` so you could check that it
> really is deleted.
>
> Well, these ideas are really stabbing in the dark, but you gotta start
> somewhere!
>
> HTH,
>
Here you go:
> root@smoker / # equery files shorewall
> [ Searching for packages matching shorewall... ]
> * Contents of net-firewall/shorewall-3.0.8:
> /etc
> /etc/init.d
> /etc/init.d/shorewall
> /etc/shorewall
> /etc/shorewall/Makefile
> /etc/shorewall/accounting
> /etc/shorewall/actions
> /etc/shorewall/blacklist
> /etc/shorewall/continue
> /etc/shorewall/ecn
> /etc/shorewall/hosts
> /etc/shorewall/init
> /etc/shorewall/initdone
> /etc/shorewall/interfaces
> /etc/shorewall/ipsec
> /etc/shorewall/maclist
> /etc/shorewall/masq
> /etc/shorewall/modules
> /etc/shorewall/nat
> /etc/shorewall/netmap
> /etc/shorewall/params
> /etc/shorewall/policy
> /etc/shorewall/providers
> /etc/shorewall/proxyarp
> /etc/shorewall/routestopped
> /etc/shorewall/rules
> /etc/shorewall/shorewall.conf
> /etc/shorewall/start
> /etc/shorewall/started
> /etc/shorewall/stop
> /etc/shorewall/stopped
> /etc/shorewall/tcclasses
> /etc/shorewall/tcdevices
> /etc/shorewall/tcrules
> /etc/shorewall/tos
> /etc/shorewall/tunnels
> /etc/shorewall/zones
> /sbin
> /sbin/shorewall
> /usr/share/shorewall
> /usr/share/shorewall/Limit
> /usr/share/shorewall/action.Drop
> /usr/share/shorewall/action.Limit
> /usr/share/shorewall/action.Reject
> /usr/share/shorewall/action.template
> /usr/share/shorewall/actions.std
> /usr/share/shorewall/configpath
> /usr/share/shorewall/firewall
> /usr/share/shorewall/functions
> /usr/share/shorewall/help
> /usr/share/shorewall/macro.AllowICMPs
> /usr/share/shorewall/macro.Amanda
> /usr/share/shorewall/macro.Auth
> /usr/share/shorewall/macro.BitTorrent
> /usr/share/shorewall/macro.CVS
> /usr/share/shorewall/macro.DNS
> /usr/share/shorewall/macro.Distcc
> /usr/share/shorewall/macro.DropDNSrep
> /usr/share/shorewall/macro.DropUPnP
> /usr/share/shorewall/macro.Edonkey
> /usr/share/shorewall/macro.FTP
> /usr/share/shorewall/macro.Gnutella
> /usr/share/shorewall/macro.ICQ
> /usr/share/shorewall/macro.IMAP
> /usr/share/shorewall/macro.LDAP
> /usr/share/shorewall/macro.MySQL
> /usr/share/shorewall/macro.NNTP
> /usr/share/shorewall/macro.NTP
> /usr/share/shorewall/macro.NTPbrd
> /usr/share/shorewall/macro.PCA
> /usr/share/shorewall/macro.POP3
> /usr/share/shorewall/macro.Ping
> /usr/share/shorewall/macro.PostgreSQL
> /usr/share/shorewall/macro.Rdate
> /usr/share/shorewall/macro.Rsync
> /usr/share/shorewall/macro.SMB
> /usr/share/shorewall/macro.SMBswat
> /usr/share/shorewall/macro.SMTP
> /usr/share/shorewall/macro.SNMP
> /usr/share/shorewall/macro.SPAMD
> /usr/share/shorewall/macro.SSH
> /usr/share/shorewall/macro.SVN
> /usr/share/shorewall/macro.Submission
> /usr/share/shorewall/macro.Syslog
> /usr/share/shorewall/macro.Telnet
> /usr/share/shorewall/macro.Trcrt
> /usr/share/shorewall/macro.VNC
> /usr/share/shorewall/macro.VNCL
> /usr/share/shorewall/macro.Web
> /usr/share/shorewall/macro.Webmin
> /usr/share/shorewall/macro.template
> /usr/share/shorewall/rfc1918
> /usr/share/shorewall/version
> /var
> /var/lib
> /var/lib/shorewall
> /var/lib/shorewall/.keep_net-firewall_shorewall-0
> root@smoker / #
Hope that helps.
Dale
:-) :-) :-) :-)
--
www.myspace.com/dalek1967
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] Setting up a home router
2007-01-19 1:10 ` Daniel Pielmeier
@ 2007-01-19 6:45 ` Iain Buchanan
2007-01-19 7:01 ` Dale
2007-01-19 7:29 ` Uwe Thiem
0 siblings, 2 replies; 55+ messages in thread
From: Iain Buchanan @ 2007-01-19 6:45 UTC (permalink / raw
To: gentoo-user
On Fri, 2007-01-19 at 02:10 +0100, Daniel Pielmeier wrote:
> > hmm, shorewall must have done something that's more persistent.
...
> > Well, these ideas are really stabbing in the dark, but you gotta start
> > somewhere!
>
> thanks for your hints, I checked all these things but there seems
> nothing of shorewall remaining! I am quite sure cause I am using a
> cruft script which searches for files remaining after an uninstall.
> The script does its job, there were several files from shorewall
> remaining, but now they are all gone but my problem still remains.
ah yes, I recall the cruft script! Does it exclude any directories?
If there is nothing shorewall related left, then the only explanation is
that shorewall must have edited an existing file somewhere... which
seems strange... hal? udev? who knows!
The only last thing I could suggest is running lsof to see what files
are being accessed when you start the net.eth1 script.
Other than that, I'm out of ideas, sorry!
--
Iain Buchanan <iaindb at netspace dot net dot au>
Nothing motivates a man more than to see his boss put in an honest day's work.
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] Setting up a home router
2007-01-19 6:45 ` Iain Buchanan
@ 2007-01-19 7:01 ` Dale
2007-01-19 7:40 ` Iain Buchanan
2007-01-19 7:29 ` Uwe Thiem
1 sibling, 1 reply; 55+ messages in thread
From: Dale @ 2007-01-19 7:01 UTC (permalink / raw
To: gentoo-user
Iain Buchanan wrote:
>
> ah yes, I recall the cruft script! Does it exclude any directories?
>
> If there is nothing shorewall related left, then the only explanation is
> that shorewall must have edited an existing file somewhere... which
> seems strange... hal? udev? who knows!
>
> The only last thing I could suggest is running lsof to see what files
> are being accessed when you start the net.eth1 script.
>
> Other than that, I'm out of ideas, sorry!
>
Could he delete some of the config files then re-emerge the programs
they belong to? Wouldn't that "reset" them back to default then?
If you would like, I'll email you, off list of course, a copy of my etc
directory or specific files if you want me to. I'm on dial-up so it
may take a bit to send them. Let me know. If you want specific files,
let me know which ones.
Dale
:-) :-) :-)
--
www.myspace.com/dalek1967
* Re: [gentoo-user] Setting up a home router
2007-01-19 6:45 ` Iain Buchanan
2007-01-19 7:01 ` Dale
@ 2007-01-19 7:29 ` Uwe Thiem
2007-01-19 9:08 ` Daniel Pielmeier
1 sibling, 1 reply; 55+ messages in thread
From: Uwe Thiem @ 2007-01-19 7:29 UTC (permalink / raw
To: gentoo-user
On 19 January 2007 08:45, Iain Buchanan wrote:
> On Fri, 2007-01-19 at 02:10 +0100, Daniel Pielmeier wrote:
> > > hmm, shorewall must have done something that's more persistent.
>
> ...
>
> > > Well, these ideas are really stabbing in the dark, but you gotta start
> > > somewhere!
> >
> > thanks for your hints, I checked all these things but there seems
> > nothing of shorewall remaining! I am quite sure cause I am using a
> > cruft script which searches for files remaining after an uninstall.
> > The script does its job, there were several files from shorewall
> > remaining, but now they are all gone but my problem still remains.
>
> ah yes, I recall the cruft script! Does it exclude any directories?
>
> If there is nothing shorewall related left, then the only explanation is
> that shorewall must have edited an existing file somewhere... which
> seems strange... hal? udev? who knows!
I am using shorewall and it doesn't do it here.
I haven't replied in this thread so far because I have not the slightest idea
what causes the trouble. Actually I have tried to simulate what Daniel did.
Even so, net.eth0 (in my case) doesn't change my iptables rules.
Uwe
--
A fast and easy generator of fractals for KDE:
http://www.SysEx.com.na/iwy-1.0.tar.bz2
Proof of concept of a TSP solver for KDE:
http://www.SysEx.com.na/epat-0.1.tar.bz2
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] Setting up a home router
2007-01-19 7:01 ` Dale
@ 2007-01-19 7:40 ` Iain Buchanan
0 siblings, 0 replies; 55+ messages in thread
From: Iain Buchanan @ 2007-01-19 7:40 UTC (permalink / raw
To: gentoo-user
On Fri, 2007-01-19 at 01:01 -0600, Dale wrote:
> Iain Buchanan wrote:
> >
> > ah yes, I recall the cruft script! Does it exclude any directories?
> >
> > If there is nothing shorewall related left, then the only explanation is
> > that shorewall must have edited an existing file somewhere... which
> > seems strange... hal? udev? who knows!
> >
> > The only last thing I could suggest is running lsof to see what files
> > are being accessed when you start the net.eth1 script.
> >
> > Other than that, I'm out of ideas, sorry!
> >
>
> Could he delete some of the config files then re-emerge the programs
> they belong too? Wouldn't that "reset" them back to default then?
a better option would be `emerge --noconfmem <package>`, which
essentially re-does all your conf files.
--
Iain Buchanan <iaindb at netspace dot net dot au>
Why not go out on a limb? Isn't that where the fruit is?
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] Setting up a home router
2007-01-19 7:29 ` Uwe Thiem
@ 2007-01-19 9:08 ` Daniel Pielmeier
2007-01-20 2:33 ` Iain Buchanan
0 siblings, 1 reply; 55+ messages in thread
From: Daniel Pielmeier @ 2007-01-19 9:08 UTC (permalink / raw
To: gentoo-user
Hi all!
Thank you very much for trying to help me with these strange things. I
hope I haven't overlooked a very simple thing which causes this
problem.
> dale wrote
>
> root@smoker / # equery files shorewall
> [ Searching for packages matching shorewall... ]
> * Contents of net-firewall/shorewall-3.0.8:
> /etc
> /etc/init.d
> /etc/init.d/shorewall
> /etc/shorewall
> ...
As you can see, all paths contain shorewall, so a simple find
would detect all the files, and I have none of them remaining on my
system.
> Iain wrote
>
> ah yes, I recall the cruft script! Does it exclude any directories?
No, I have checked that before; there is nothing in my lib/findcruft
which excludes shorewall from being detected.
> The only last thing I could suggest is running lsof to see what files
> are being accessed when you start the net.eth1 script.
Thanks, that's a good idea, I will try that.
> Uwe wrote
>
> I am using shorewall and it doesn't do it here.
>
> I haven't replied in this thread so far because I have not the slightest idea
> what causes the trouble. Actually I have tried to simulate what Daniel did.
> Even so, net.eth0 (in my case) doesn't change my iptables rules.
Another thing I will try is to re-emerge shorewall, put my configuration
back, run shorewall and search for the files which have changed
recently.
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] Setting up a home router
2007-01-19 9:08 ` Daniel Pielmeier
@ 2007-01-20 2:33 ` Iain Buchanan
2007-01-20 22:01 ` Daniel Pielmeier
0 siblings, 1 reply; 55+ messages in thread
From: Iain Buchanan @ 2007-01-20 2:33 UTC (permalink / raw
To: gentoo-user
On Fri, 2007-01-19 at 10:08 +0100, Daniel Pielmeier wrote:
> Another thing i will try is to reemerge shorewall put my configuration
> back run shorewall and search for the files which have changed
> recently.
good idea, if you have the space you can just `cp -a /etc /etc.old`
(only 124M here). Then you can diff them after installing and
configuring shorewall.
HTH,
--
Iain Buchanan <iaindb at netspace dot net dot au>
A newspaper is a circulating library with high blood pressure.
-- Arthure "Bugs" Baer
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] Setting up a home router
2007-01-20 2:33 ` Iain Buchanan
@ 2007-01-20 22:01 ` Daniel Pielmeier
2007-01-22 0:15 ` Iain Buchanan
0 siblings, 1 reply; 55+ messages in thread
From: Daniel Pielmeier @ 2007-01-20 22:01 UTC (permalink / raw
To: gentoo-user
> The only last thing I could suggest is running lsof to see what files
> are being accessed when you start the net.eth1 script.
I tried lsof, but is there a possibility to run it constantly or for a
specified time to catch the complete progress of the script, like the
top command, to monitor all files which are used by this process? As
far as I can see, lsof lists only the current processes and the files
used and then it stops.
> a better option would be `emerge --noconfmem <package>`, which
> essentially re-does all your conf files.
I tried this also, but I can't figure out which files could be
responsible for this.
Additionally I tried this: running the init-script and then applying
this find command
find / -mount -cmin -1
which lists all the files whose status has changed in the last minute,
but there are no files which could be the reason for the changing of
the tables.
I don't know if this command does what I want. I think it lists the
files which are altered and which are accessed. Am I right here?
I used this find command for reinstalling shorewall and setting back
the old settings too, but without success.
This is getting a bit frustrating for me now; I always have to reset my
iptables manually after I start my internet connection. Is it possible
that there is no real file causing this trouble?
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] Setting up a home router
2007-01-20 22:01 ` Daniel Pielmeier
@ 2007-01-22 0:15 ` Iain Buchanan
2007-01-23 22:29 ` Daniel Pielmeier
0 siblings, 1 reply; 55+ messages in thread
From: Iain Buchanan @ 2007-01-22 0:15 UTC (permalink / raw
To: gentoo-user
On Sat, 2007-01-20 at 23:01 +0100, Daniel Pielmeier wrote:
> > The only last thing I could suggest is running lsof to see what files
> > are being accessed when you start the net.eth1 script.
>
> I tried lsof, but is there a possibility to run it constantly or for a
> specified time to catch the complete progress of the script, like the
> top command, to monitor all files which are used by this process? As
> far as I can see, lsof lists only the current processes and the files
> used and then it stops.
don't know :) someone else will have to help you there...
> > a better option would be `emerge --noconfmem <package>`, which
> > essentially re-does all your conf files.
>
> I tried this also, but I can't figure out which files could be
> responsible for this.
something like this should do it:
for i in $(sudo find /etc -name '._cfg*'); do
    tkdiff "$(echo "$i" | awk '{ sub(/._cfg...._/, ""); print }')" "$i"
done
replace tkdiff with your favourite.
> Additionally I tried this: running the init-script and then applying
> this find command
>
> find / -mount -cmin -1
>
> which lists all the files whose status has changed in the last minute,
> but there are no files which could be the reason for the changing of
> the tables.
> I don't know if this command does what I want. I think it lists the
> files which are altered and which are accessed. Am I right here?
it will list files that have been accessed, only if you _don't_ have
noatime in /etc/fstab for that filesystem. noatime says don't update
the time when the file is accessed (but not changed). the default is
atime, but a lot of people use noatime for speed improvements.
> This is getting a bit frustrating for me now; I always have to reset my
> iptables manually after I start my internet connection. Is it possible
> that there is no real file causing this trouble?
There must be something, somewhere doing it.. Maybe you could join the
shorewall ml and see what they say? As a workaround, you could add this
to /etc/conf.d/net:
postup() {
    if [[ $1 == "eth1" ]] ; then
        /etc/init.d/iptables restart
    fi
}
or something similar. Not the ideal solution, but at least it would do
it automatically.
sorry I can't help any further :)
--
Iain Buchanan <iaindb at netspace dot net dot au>
Mollison's Bureaucracy Hypothesis:
If an idea can survive a bureaucratic review and be implemented
it wasn't worth doing.
--
gentoo-user@gentoo.org mailing list
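The two checks Iain proposes in this message (spotting what changed around the net.eth1 start, and a postup() hook that restores the rules), worked through as an added example that is not code from the thread or from Gentoo: two iptables-save dumps are normalised so that counters and timestamp comments do not count as changes, the rules that went missing are listed, and a postup() hook in the style of the one above re-applies a saved dump only when the live ruleset really differs. The sample dumps are constructed, and the saved-rules path and the interface name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: compare the iptables ruleset
# before and after an interface event. iptables-save output carries noise
# (timestamp comments, [packets:bytes] counters) that has to be stripped,
# otherwise every comparison reports a change.

# Normalise an iptables-save dump read on stdin: drop comment lines and the
# per-chain counters. Rule order is kept; order is significant in netfilter.
normalize_rules() {
    sed -e '/^#/d' -e 's/ \[[0-9]*:[0-9]*\]$//'
}

# Return 0 (true) if the two dumps differ after normalisation, 1 if not.
ruleset_changed() {
    a=$(mktemp) && b=$(mktemp) || return 2
    normalize_rules <"$1" >"$a"
    normalize_rules <"$2" >"$b"
    if cmp -s "$a" "$b"; then rc=1; else rc=0; fi
    rm -f "$a" "$b"
    return $rc
}

# Print the rules (-A lines) present in the first dump but missing from the
# second: exactly what a replacing firewall script threw away.
lost_rules() {
    a=$(mktemp) && b=$(mktemp) || return 2
    normalize_rules <"$1" >"$a"
    normalize_rules <"$2" >"$b"
    grep -vxF -f "$b" "$a" | grep '^-A' || true
    rm -f "$a" "$b"
}

count_lost_rules() { lost_rules "$1" "$2" | wc -l | tr -d ' '; }

# Hook in the style of the postup() suggested above, for /etc/conf.d/net
# (the interface name arrives in $1): re-apply the saved dump only when the
# live ruleset really changed, and log what went missing.
# SAVED_RULES is an assumed path for this example.
SAVED_RULES=/var/lib/iptables/rules-save
postup() {
    [ "$1" = "eth1" ] || return 0
    live=$(mktemp) || return 1
    iptables-save >"$live"
    if ruleset_changed "$SAVED_RULES" "$live"; then
        lost_rules "$SAVED_RULES" "$live" | logger -t fwcheck -p daemon.warning
        iptables-restore <"$SAVED_RULES"
    fi
    rm -f "$live"
}

# Constructed sample dumps (not captured from any machine in the thread):
# custom.txt is the intended router ruleset, after_pppoe.txt what is left
# once a script has flushed and reloaded the tables, custom_later.txt the
# intended ruleset dumped again later with different counters only.
write_samples() {
    cat >"$1/custom.txt" <<'EOF'
# Generated by iptables-save v1.3.5 on Sat Jan 20 22:30:01 2007
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [12:960]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
-A FORWARD -i eth0 -o ppp0 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Sat Jan 20 22:30:01 2007
EOF
    cat >"$1/after_pppoe.txt" <<'EOF'
# Generated by iptables-save v1.3.5 on Sat Jan 20 22:31:12 2007
*filter
:INPUT DROP [3:180]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4:320]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sat Jan 20 22:31:12 2007
EOF
    sed -e 's/\[12:960\]/[40:3200]/' -e 's/22:30:01/22:45:33/' \
        "$1/custom.txt" >"$1/custom_later.txt"
}

# Stand-alone demo on the constructed samples.
d=$(mktemp -d) && write_samples "$d" || exit 1
if ruleset_changed "$d/custom.txt" "$d/after_pppoe.txt"; then
    echo "ruleset replaced after link-up; rules lost:"
    lost_rules "$d/custom.txt" "$d/after_pppoe.txt"
fi
rm -rf "$d"
```

Comparing the normalised dumps rather than the raw files matters: counters change on every packet and iptables-save writes a fresh timestamp each run, so a raw diff would fire on every link-up and the hook would restore the rules unconditionally, which is what the simpler `iptables restart` version above does anyway. Running the two dumps through lost_rules also answers the question Daniel asked: it shows which rules were thrown away, independent of which file on disk did it.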
* Re: [gentoo-user] Setting up a home router
2007-01-22 0:15 ` Iain Buchanan
@ 2007-01-23 22:29 ` Daniel Pielmeier
2007-01-26 19:42 ` Shawn Singh
0 siblings, 1 reply; 55+ messages in thread
From: Daniel Pielmeier @ 2007-01-23 22:29 UTC (permalink / raw
To: gentoo-user
Hi all,
I solved my problem with the help of the shorewall mailing list.
The shorewall maintainer Tom Eastep helped me with a quick answer.
It has nothing to do with shorewall, so there is no file of shorewall
causing these troubles.
When I set up the internet connection with pppoe-setup I had activated
the FIREWALL=STANDALONE setting in /etc/pppoe.conf. This loads an
iptables rule set which overwrites my custom iptables; this may have
also caused my problems with shorewall.
Nevertheless thank you all for trying to help me so much.
Daniel
--
gentoo-user@gentoo.org mailing list
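An added example prompted by Daniel's finding, not code from the thread or from rp-pppoe: a check of /etc/pppoe.conf that reports, before the link is brought up, whether pppoe-connect will load its own ruleset over the custom one. The sample config files are constructed; that rp-pppoe also offers MASQUERADE and defaults to NONE comes from the rp-pppoe documentation, not from this thread.

```shell
#!/bin/sh
# Added example, not from the thread: check /etc/pppoe.conf for the
# FIREWALL setting. FIREWALL=STANDALONE is the value that overwrote
# Daniel's rules; rp-pppoe also ships MASQUERADE, and NONE (the default)
# leaves the tables alone. pppoe.conf is shell syntax that pppoe-connect
# sources, so the last uncommented assignment wins and values may be quoted.

# Print the effective FIREWALL value of a config file (NONE when unset).
pppoe_firewall_mode() {
    mode=$(sed -n -e 's/#.*//' -e 's/^[[:space:]]*FIREWALL=//p' "$1" \
           | tail -n 1 | tr -d "\"'[:space:]")
    printf '%s\n' "${mode:-NONE}"
}

# Return 0 if the configured mode makes pppoe-connect replace the live rules.
pppoe_replaces_rules() {
    case "$(pppoe_firewall_mode "$1")" in
        STANDALONE|MASQUERADE) return 0 ;;
        *) return 1 ;;
    esac
}

# Human-readable verdict with the fix the thread arrived at.
pppoe_check() {
    mode=$(pppoe_firewall_mode "$1")
    if pppoe_replaces_rules "$1"; then
        echo "$1: FIREWALL=$mode: pppoe-connect will overwrite the custom iptables rules;"
        echo "    set FIREWALL=NONE and keep the rules under your own control (e.g. the iptables init script)."
    else
        echo "$1: FIREWALL=$mode: pppoe-connect leaves iptables alone."
    fi
}

# Constructed config samples (not the files from the thread).
write_pppoe_samples() {
    cat >"$1/standalone.conf" <<'EOF'
# FIREWALL=NONE
ETH=eth1
USER=user@isp.example
FIREWALL=STANDALONE   # chosen in pppoe-setup
EOF
    cat >"$1/none.conf" <<'EOF'
ETH=eth1
FIREWALL=NONE
EOF
    cat >"$1/quoted.conf" <<'EOF'
FIREWALL=NONE
  FIREWALL="MASQUERADE"
EOF
    cat >"$1/unset.conf" <<'EOF'
ETH=eth1
# FIREWALL=STANDALONE
EOF
}

# Stand-alone demo over the constructed samples.
d=$(mktemp -d) && write_pppoe_samples "$d" || exit 1
for f in "$d"/*.conf; do pppoe_check "$f"; done
rm -rf "$d"
```

The parser deliberately handles the cases a plain `grep FIREWALL` gets wrong: a commented-out line, a trailing comment after the value, quotes around it, and two assignments where only the later one is in force. Run it on the real file as `pppoe_check /etc/pppoe.conf` before testing a ruleset, and you know in advance whether the next link-up will undo it.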
* Re: [gentoo-user] Setting up a home router
2007-01-23 22:29 ` Daniel Pielmeier
@ 2007-01-26 19:42 ` Shawn Singh
2007-01-27 22:00 ` Daniel Pielmeier
0 siblings, 1 reply; 55+ messages in thread
From: Shawn Singh @ 2007-01-26 19:42 UTC (permalink / raw
To: gentoo-user
Daniel,
Would it be ok for me to email you off list to get some help with a new
setup of Shorewall that I did?
Thanks,
Shawn
On 1/23/07, Daniel Pielmeier <daniel.pielmeier@googlemail.com> wrote:
>
> Hi all,
>
> I solved my problem with the help of the shorewall mailing list.
>
> The shorewall maintainer Tom Eastep helped me with a quick answer.
> It has nothing to do with shorewall, so there is no file of shorewall
> causing these troubles.
> When I set up the internet connection with pppoe-setup I had activated
> the FIREWALL=STANDALONE setting in /etc/pppoe.conf. This loads an
> iptables rule set which overwrites my custom iptables; this may have
> also caused my problems with shorewall.
>
> Nevertheless thank you all for trying to help me so much.
>
> Daniel
> --
> gentoo-user@gentoo.org mailing list
>
>
--
"Most problems go away if you just wait long enough. It might look like I'm
standing motionless but I'm actively waiting for our problems to go away. I
don't know why this works but it does."
Scott Adams, Dilbert comic
* Re: [gentoo-user] Setting up a home router
2007-01-26 19:42 ` Shawn Singh
@ 2007-01-27 22:00 ` Daniel Pielmeier
0 siblings, 0 replies; 55+ messages in thread
From: Daniel Pielmeier @ 2007-01-27 22:00 UTC (permalink / raw
To: gentoo-user
> Would it be ok for me to email you off list to get some help with a new
> setup of Shorewall that I did?
It would be, but I am not sure if I can help you, because I have
dropped shorewall and I am no firewall expert.
I would suggest you look at the shorewall guides on the shorewall
homepage; they explain some custom settings very well! Then if you
have problems, post them on the shorewall mailing list. The shorewall
maintainer himself is very active and does a good job on this list.
Regards,
Daniel
--
gentoo-user@gentoo.org mailing list