Re: [gentoo-user] problem with setting up home router [SOLVED]

2005-04-26 Thread askar ...
 Great!  I'm glad we could help you work it out.
 
 To summarize, then, the setup of the iptables rules (especially regarding
 the forwards and nat rules) should use ppp0 rather than the eth1 (which is
 the actual lan interface card).
 
 By using ppp0 rather than eth1 the traffic is now properly forwarded from
 the lan to the internet and back.
 
Thank you very much.
Next time I can set it up faster. However, I have to study iptables.

askar

-- 
gentoo-user@gentoo.org mailing list



RE: [gentoo-user] problem with setting up home router

2005-04-25 Thread Dave Nebinger
  FORWARD doesn't see those as destined to 192.168.0.0/16, I guess. I'd
  rather use the state module and write them as follows:
 
  iptables -A FORWARD -i eth0 -m state --state NEW,ESTABLISHED,RELATED \
  -j ACCEPT
 
  iptables -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED \
  -j ACCEPT
 I got the error: iptables: No chain/target/match by that name.

You'll get this message if you don't have connection tracking enabled in the
kernel (or if it is a module, the module hasn't been loaded).

 I am a newbie in such stuff.
 Has anybody succeeded in setting up a home router with
 http://www.gentoo.org/doc/en/home-router-howto.xml?

Most of the googling you might do on this will typically point to a
floppy-based distribution for setting up a router (because they are less
concerned with a usable linux box than with setting up a secure routing
system).

I know that O'Reilly has a book on linux iptables (check out
http://www.oreilly.com) which I found to be a great reference on setting up
a complete set of iptables rules in conjunction with building a
fully-functional linux system that also acts as a router/firewall.






Re: [gentoo-user] problem with setting up home router

2005-04-25 Thread askar ...
On 4/25/05, Willie Wong [EMAIL PROTECTED] wrote:
 On Mon, Apr 25, 2005 at 12:08:25AM +0600, askar ... wrote:
   humour me and post `iptables -L -v -t nat' to show the nat routing
   table.
  The result is:
  Chain PREROUTING (policy ACCEPT 9193 packets, 593K bytes)
   pkts bytes target prot opt in out source   
  destination
 
  Chain POSTROUTING (policy ACCEPT 5884 packets, 330K bytes)
   pkts bytes target prot opt in out source   
  destination
  0 0 MASQUERADE  all  --  anyeth1anywhere 
  anywhere
 
  Chain OUTPUT (policy ACCEPT 3789 packets, 230K bytes)
   pkts bytes target prot opt in out source   
  destination
 
   Since iptables is installed, I am assuming you turned on all the
   relevant items in the kernel, recompiled, and booted etc etc...
   (didn't see you mention that in your original mail, but I hope you
   did that already).
  I followed the gentoo howto guide on home router items1-5.
  In item 2, Kernel setup, I installed as shown there, but instead check
  like s and x, I chosed *. And after recompiling I rebooted the
  system.
 
 
 That's fine. Go to the Windows box, what IP address is it getting at
 this moment? Host lookup works and that should mean the INPUT chain
 on the iptables is fine. The problem should now be with only the
 FORWARD chain. The only thing I can see happening is that the Windows
 Box is not sending its packet using the accepted IP address range.
Thanks.
IP address of WindowsPC is 192.168.0.250.
I'm able to resolve hosts with nslookup.
The problem is that it cannot use the internet.




Re: [gentoo-user] problem with setting up home router

2005-04-25 Thread askar ...
 After that, try connecting to the internet with the Windows box again.
I did all the things you wrote. But it still fails to connect to the internet
from the Windows box.

 After it failed, either
   # dmesg
 or
   # tail -n 60 /var/log/kernel/current
 And show us the output.
#tail -n 60 /var/log/kernel/current had error 'tail: cannot open
`/var/log/kernel/current' for reading: No such file or directory'.
#dmesg result (sorry - it is very long) is:
0.250 DST=64.12.163.132 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=2056 DF
PROTO=TCP SPT=3669 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Dropped forwarded packets:IN=eth0 OUT=ppp0 SRC=192.168.0.250
DST=64.12.163.132 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=2057 DF
PROTO=TCP SPT=3669 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

RE: [gentoo-user] problem with setting up home router

2005-04-25 Thread Dave Nebinger
  Well there's the indication of your problem.  Apparently your system
 thinks
  that the packets coming in from eth0 need to go to ppp0 rather than
 eth1.
  Sounds like your routing tables are kinda hosed up.
 eth0 is the LAN card, eth1 is for the modem.
 
 
  What's the output of route -v?
 Kernel IP routing table
 Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
 loop-cs1.elcat. *               255.255.255.255 UH    0      0        0 ppp0
 192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
 loopback        localhost       255.0.0.0       UG    0      0        0 lo
 default         loop-cs1.elcat. 0.0.0.0         UG    0      0        0 ppp0

Well, Askar, that is definitely your problem.

Your routing table thinks that packets destined for 192.168.* are to be
directed to the ppp0 interface rather than eth1.

Try the following as root:

  # route add -net 192.168.0.0 netmask 255.255.255.0 dev eth1

If I have my syntax right it should route incoming packets to the eth1
interface rather than ppp0 (although the mask might not be right in that
192.168.0.1 should be the local box rather than an intranet box; perhaps
someone out there could offer a little more assistance here).

Route -v should now report the path to eth1.

After that is corrected, incoming packets should be able to get through to
the windows box; either that or the logs should report a different message
for dropped incoming packets.

Dave






Re: [gentoo-user] problem with setting up home router

2005-04-25 Thread Willie Wong
Argh... I must be too tired from working on my thesis. See below.

On Mon, Apr 25, 2005 at 02:08:09PM -0400, Willie Wong wrote:
 Wait... something's wrong here 
 
 (oh crap, after looking carefully at the mail I sent last, I noticed
 the following... According to the instructions, you would have ended
 up with the LOG target AFTER the first DROP target because of the -I
 insert option instead of -A... my bad... but that also raises the
 question: Why the hell are the packets below getting dropped?)
 
 Okay, try this:
 
 iptables -F FORWARD
 iptables -P FORWARD DROP
 iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -d ! 192.168.0.0/16 -j ACCEPT
 iptables -A FORWARD -i eth1 -d 192.168.0.0/16 -j ACCEPT

The line above should be -i ppp0 instead of -i eth1.

 iptables -A FORWARD -i eth0 -j LOG
 iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
 
 And send the log again if it doesn't work. 
 This time you don't have to send so many lines, just
 
 dmesg | tail -n 40 
 
 should be enough. 
 
 W
 
 On Mon, Apr 25, 2005 at 10:44:01PM +0600, askar ... wrote:
   After that, try connectin to the internet with the Windows box again.
  I did all things you wrote. But still fails to connect the internet
  from Windows box
  
   After it failed, either
 # dmesg
   or
 # tail -n 60 /var/log/kernel/current
   And show us the output.
  #tail -n 60 /var/log/kernel/current had error 'tail: cannot open
  `/var/log/kernel/current' for reading: No such file or directory'.
  #dmesg result (sorry - it is very long) is:
  0.250 DST=64.12.163.132 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=2056 DF
  PROTO=TCP SPT=3669 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
  Dropped forwarded packets:IN=eth0 OUT=ppp0 SRC=192.168.0.250
  DST=64.12.163.132 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=2057 DF
  PROTO=TCP SPT=3669 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

-- 

*   Address:  45 Spelman Hall, Princeton University  08544 *
* Phone:  x68958  AIM:  AngularJerk*
*E-mail:  [EMAIL PROTECTED]From:  sep.dynalias.net   *

You feel stuck with your debt if you can't budge it.
Sortir en Pantoufles: up 14 days,  4:37



Re: [gentoo-user] problem with setting up home router

2005-04-25 Thread askar ...
On 4/26/05, Willie Wong [EMAIL PROTECTED] wrote:
 Wait... something's wrong here
 
 (oh crap, after looking carefully at the mail I sent last, I noticed
 the following... According to the instructions, you would have ended
 up with the LOG target AFTER the first DROP target because of the -I
 insert option instead of -A... my bad... but that also raises the
 question: Why the hell are the packets below getting dropped?)
 
 Okay, try this:
 
 iptables -F FORWARD
 iptables -P FORWARD DROP
 iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -d ! 192.168.0.0/16 -j ACCEPT
 iptables -A FORWARD -i eth1 -d 192.168.0.0/16 -j ACCEPT
 iptables -A FORWARD -i eth0 -j LOG
 iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
 
 And send the log again if it doesn't work.
 This time you don't have to send so many lines, just
 
 dmesg | tail -n 40
 
 should be enough.
Result seems long:
Dropped forwarded packets:IN=eth0 OUT=ppp0 SRC=192.168.0.250
DST=205.188.153.121 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=2146 DF
PROTO=TCP SPT=3692 DPT=5190 WINDOW=65535 RES=0x00 SYN URGP=0
Dropped forwarded packets:IN=eth0 OUT=ppp0 SRC=192.168.0.250
DST=205.188.248.199 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=2148 DF
PROTO=TCP SPT=3693 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

Re: [gentoo-user] problem with setting up home router

2005-04-25 Thread askar ...
On 4/26/05, askar ... [EMAIL PROTECTED] wrote:
 On 4/26/05, Dave Nebinger [EMAIL PROTECTED] wrote:
Well there's the indication of your problem.  Apparently your system
   thinks
that the packets coming in from eth0 need to go to ppp0 rather than
   eth1.
 Here I remembered words of gentoo howto guide 'Warning: When the DSL
 interface comes up, it will create ppp0. Although your NIC is called
 eth1, the IP is actually bound to ppp0. From now on, when you see
 examples that utilize 'eth1', substitute with 'ppp0'. '.
 Does it mean, in iptables settings instead of eth1 I had to put ppp0?
 
In these 2 lines of the gentoo howto guide:
# iptables -A FORWARD -i eth1 -d 192.168.0.0/255.255.0.0 -j ACCEPT
# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
I put ppp0 instead of eth1. And now I can use the internet from the WindowsBOX. :)
Here I put the result of #iptables -L -v:
Chain INPUT (policy ACCEPT 2827K packets, 4031M bytes)
 pkts bytes target     prot opt in     out     source               destination
   92 27799 ACCEPT     all  --  lo     any     anywhere             anywhere
  115 25281 ACCEPT     all  --  eth0   any     anywhere             anywhere
    0     0 REJECT     udp  --  !eth0  any     anywhere             anywhere             udp dpt:bootps reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  !eth0  any     anywhere             anywhere             udp dpt:domain reject-with icmp-port-unreachable
    0     0 DROP       tcp  --  !eth0  any     anywhere             anywhere             tcp dpts:0:1023
    0     0 DROP       udp  --  !eth0  any     anywhere             anywhere             udp dpts:0:1023
    0     0 ACCEPT     tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy DROP 764 packets, 33352 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  eth0   any     anywhere             192.168.0.0/16
  410 42004 ACCEPT     all  --  eth0   any     192.168.0.0/16       anywhere
  453  199K ACCEPT     all  --  ppp0   any     anywhere             192.168.0.0/16

Chain OUTPUT (policy ACCEPT 3985K packets, 3831M bytes)
 pkts bytes target     prot opt in     out     source               destination

askar




Re: [gentoo-user] problem with setting up home router

2005-04-25 Thread askar ...
Dear Dave and Willie, and others!
Thanks for your assistance. 
Anyway, I have to understand iptables more and more.
Thanks again.

askar

RE: [gentoo-user] problem with setting up home router [SOLVED]

2005-04-25 Thread Dave Nebinger
 On 4/26/05, askar ... [EMAIL PROTECTED] wrote:
  On 4/26/05, Dave Nebinger [EMAIL PROTECTED] wrote:
 Well there's the indication of your problem.  Apparently your
 system
thinks
 that the packets coming in from eth0 need to go to ppp0 rather
 than
eth1.
  Here I remembered words of gentoo howto guide 'Warning: When the DSL
  interface comes up, it will create ppp0. Although your NIC is called
  eth1, the IP is actually bound to ppp0. From now on, when you see
  examples that utilize 'eth1', substitute with 'ppp0'. '.
  Does it mean, in iptables settings instead of eth1 I had to put ppp0?
 
 These 2 lines of gentoo howto guide:
 # iptables -A FORWARD -i eth1 -d 192.168.0.0/255.255.0.0 -j ACCEPT
 # iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
 instead of eth1 I put ppp0. And now I can use the internet from
 WindowsBOX. :)

Great!  I'm glad we could help you work it out.

To summarize, then, the setup of the iptables rules (especially regarding
the forwards and nat rules) should use ppp0 rather than the eth1 (which is
the actual lan interface card).

By using ppp0 rather than eth1 the traffic is now properly forwarded from
the lan to the internet and back.


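The diagnosis reached above can be checked mechanically. The following is an added example, not code from the thread or from the Gentoo guide: it parses the route -v, iptables -L -v -t nat and kernel LOG output posted earlier (copied in as constructed sample input) and flags a MASQUERADE rule whose out-interface is not the interface of the default route, which is exactly how the eth1/ppp0 mix-up shows up (the rule's packet counter never leaves 0).

```python
# Added example: audit pasted `route -v`, `iptables -L -v -t nat` and kernel
# LOG output for the eth1/ppp0 mix-up. Nothing here runs iptables itself.
import re
from collections import Counter

# Constructed sample input, copied from the outputs posted in the thread.
ROUTE_V = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
loop-cs1.elcat. *               255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
loopback        localhost       255.0.0.0       UG    0      0        0 lo
default         loop-cs1.elcat. 0.0.0.0         UG    0      0        0 ppp0
"""

NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT 9193 packets, 593K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 5884 packets, 330K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  any    eth1    anywhere             anywhere
"""

LOG_LINES = """\
Dropped forwarded packets:IN=eth0 OUT=ppp0 SRC=192.168.0.250 DST=64.12.163.132 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=2057 DF PROTO=TCP SPT=3669 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Dropped forwarded packets:IN=eth0 OUT=ppp0 SRC=192.168.0.250 DST=64.12.161.153 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=2058 DF PROTO=TCP SPT=3668 DPT=5190 WINDOW=65535 RES=0x00 SYN URGP=0
"""

_SUFFIX = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}


def parse_count(token):
    """Turn an iptables counter such as '593K' or '0' into an int."""
    if token[-1] in _SUFFIX:
        return int(token[:-1]) * _SUFFIX[token[-1]]
    return int(token)


def default_route_iface(route_text):
    """Interface on the 'default' row: where LAN traffic actually leaves."""
    for line in route_text.splitlines():
        fields = line.split()
        if fields and fields[0] == "default":
            return fields[-1]
    return None


def parse_nat_rules(listing):
    """Rule rows of `iptables -L -v -t nat` as dicts tagged with their chain."""
    rules, chain = [], None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+) ", line)
        if m:
            chain = m.group(1)
            continue
        f = line.split()
        if len(f) < 7 or not f[0][0].isdigit():
            continue  # blank line or the ' pkts bytes target ...' header
        rules.append({"chain": chain, "pkts": parse_count(f[0]),
                      "bytes": parse_count(f[1]), "target": f[2],
                      "prot": f[3], "in": f[5], "out": f[6]})
    return rules


def audit_masquerade(route_text, listing):
    """Flag POSTROUTING MASQUERADE rules whose out-interface is not the
    default-route interface. With PPPoE the default route is ppp0, so a rule
    on eth1 never matches (its packet counter stays at 0) and LAN packets
    leave with their private source address: no reply ever comes back."""
    wan = default_route_iface(route_text)
    findings = []
    for r in parse_nat_rules(listing):
        if (r["chain"] == "POSTROUTING" and r["target"] == "MASQUERADE"
                and r["out"] != wan):
            findings.append({
                "rule_out": r["out"], "wan_iface": wan, "pkts": r["pkts"],
                "fix": "iptables -t nat -A POSTROUTING -o %s -j MASQUERADE" % wan})
    return findings


def parse_log_line(line):
    """Split a netfilter LOG line into its prefix and its KEY=value fields
    (bare flags such as DF and SYN are not key=value pairs and are skipped)."""
    head, sep, rest = line.partition("IN=")
    entry = dict(re.findall(r"\b([A-Z]+)=(\S*)", sep + rest))
    entry["prefix"] = head.strip()
    return entry


def summarize_log(text):
    """Count the IN->OUT paths and destination ports of the logged packets."""
    paths, dports = Counter(), Counter()
    for line in text.splitlines():
        e = parse_log_line(line)
        paths[(e.get("IN"), e.get("OUT"))] += 1
        dports[e.get("DPT")] += 1
    return {"paths": paths, "dports": dports}


if __name__ == "__main__":
    for f in audit_masquerade(ROUTE_V, NAT_LISTING):
        print("MASQUERADE bound to %(rule_out)s, but the default route is on "
              "%(wan_iface)s (%(pkts)d packets matched). Fix: %(fix)s" % f)
    print(summarize_log(LOG_LINES))
```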



Re: [gentoo-user] problem with setting up home router

2005-04-24 Thread askar ...
On 4/24/05, Willie Wong [EMAIL PROTECTED] wrote:
 Did you follow the gentoo home router guide? I suggest you start
 over... with the line that says
 
   iptables -F
 
 you have LOTS of duplicate rules in your chain, and some of them
 don't make sense: you don't want
 
   ACCEPT   all -- anywhereanywhere
 
 to be on the top of your INPUT chain, since that destroys the whole
 purpose of having iptables.
 
 One helpful command is
 
   iptables -D chain rulenum
 
 for example, in the case of the aforementioned ACCEPT policy in the
 INPUT chain, you do
 
   iptables -D INPUT 1
 
 to remove the top-most item. Keep in mind that the rules are
 renumbered every time you make a change.
 
 I suspect, since you are doing routing, that you have multiple
 interfaces. In that case, it would make much more sense to post
 
   iptables -L -v
 
 so we can see which interface the rules apply to.
 
At present, my 2 PCs can talk to each other.
WinPC can resolve hostnames by nslookup, but can use the internet.

askar




Re: [gentoo-user] problem with setting up home router

2005-04-24 Thread Willie Wong
On Sun, Apr 24, 2005 at 01:10:51PM +0600, askar ... wrote:
 At present. my 2 PCs can talk to each others.
 WinPC can resolve hostnames by nslookup, but can use internet.
 
 askar
 

Seriously, post your iptables -L -v, not just iptables -L.
We need to see the interface information. DHCP is obviously working
for you. The only problem it seems is that the packets are getting
lost somewhere. Dave's message above hints that perhaps the packets
are not getting routed to the right interface. 

W



Re: [gentoo-user] problem with setting up home router

2005-04-24 Thread askar ...
On 4/24/05, Willie Wong [EMAIL PROTECTED] wrote:
 On Sun, Apr 24, 2005 at 01:10:51PM +0600, askar ... wrote:
  At present. my 2 PCs can talk to each others.
  WinPC can resolve hostnames by nslookup, but can use internet.
 
  askar
 
 
 seriously. post your iptables -L -v , not just iptables -L
 We need to see the interface information. DHCP is obviously working
 for you. The only problem it seems is that the packets are getting
 lost somewhere. Dave's message above hints that perhaps the packets
 are not getting routed to the right interface.
 
Here is my iptables -L -v result:
bash-2.05b# iptables -L -v
Chain INPUT (policy ACCEPT 2798K packets, 4013M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     udp  --  !eth0  any     anywhere             anywhere             udp dpt:bootps reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  !eth0  any     anywhere             anywhere             udp dpt:domain reject-with icmp-port-unreachable
    0     0 ACCEPT     tcp  --  eth1   any     anywhere             anywhere             tcp dpt:ssh
   77  4436 DROP       tcp  --  !eth0  any     anywhere             anywhere             tcp dpts:0:1023
  178       DROP       udp  --  !eth0  any     anywhere             anywhere             udp dpts:0:1023

Chain FORWARD (policy ACCEPT 20 packets, 984 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  eth0   any     anywhere             192.168.0.0/16
  954 45864 ACCEPT     all  --  eth0   any     192.168.0.0/16       anywhere
    0     0 ACCEPT     all  --  eth1   any     anywhere             192.168.0.0/16

Chain OUTPUT (policy ACCEPT 3958K packets, 3821M bytes)
 pkts bytes target     prot opt in     out     source               destination




Re: [gentoo-user] problem with setting up home router

2005-04-24 Thread Willie Wong
On Sun, Apr 24, 2005 at 11:16:23PM +0600, askar ... wrote:
 Here is my iptables -L -v result:
 bash-2.05b# iptables -L -v
 Chain INPUT (policy ACCEPT 2798K packets, 4013M bytes)
  pkts bytes target prot opt in out source   
 destination
 0 0 REJECT udp  --  !eth0  any anywhere
 anywhereudp dpt:bootps reject-with icmp-port-unreachable
 0 0 REJECT udp  --  !eth0  any anywhere
 anywhereudp dpt:domain reject-with icmp-port-unreachable
 0 0 ACCEPT tcp  --  eth1   any anywhere
 anywheretcp dpt:ssh
77  4436 DROP   tcp  --  !eth0  any anywhere
 anywheretcp dpts:0:1023
 178 DROP   udp  --  !eth0  any anywhere
 anywhereudp dpts:0:1023
 
 Chain FORWARD (policy ACCEPT 20 packets, 984 bytes)
  pkts bytes target prot opt in out source   
 destination
 0 0 DROP   all  --  eth0   any anywhere
 192.168.0.0/16
   954 45864 ACCEPT all  --  eth0   any 192.168.0.0/16   anywhere
 0 0 ACCEPT all  --  eth1   any anywhere
 192.168.0.0/16
 
 Chain OUTPUT (policy ACCEPT 3958K packets, 3821M bytes)
  pkts bytes target prot opt in out source   
 destination

As far as I can tell, your iptables checks out fine. 

I know you mentioned this in your first mail, but can you check if
you have ip_forwarding turned on?

 cat /proc/sys/net/ipv4/ip_forward

it should give a value 1

W



Re: [gentoo-user] problem with setting up home router

2005-04-24 Thread askar ...
 
 As far as I can tell, your iptables checks out fine.
 
 I know you mentioned this in your first mail, but can you check if
 you have ip_forwarding turned on?
 
  cat /proc/sys/net/ipv4/ip_forward
 
 it should give a value 1
Yes, I have a value 1.

askar




Re: [gentoo-user] problem with setting up home router

2005-04-24 Thread askar ...
On 4/24/05, Willie Wong [EMAIL PROTECTED] wrote:
 On Sun, Apr 24, 2005 at 11:16:23PM +0600, askar ... wrote:
  Here is my iptables -L -v result:
  bash-2.05b# iptables -L -v
  Chain INPUT (policy ACCEPT 2798K packets, 4013M bytes)
   pkts bytes target prot opt in out source   
  destination
  0 0 REJECT udp  --  !eth0  any anywhere
  anywhereudp dpt:bootps reject-with icmp-port-unreachable
  0 0 REJECT udp  --  !eth0  any anywhere
  anywhereudp dpt:domain reject-with icmp-port-unreachable
  0 0 ACCEPT tcp  --  eth1   any anywhere
  anywheretcp dpt:ssh
 77  4436 DROP   tcp  --  !eth0  any anywhere
  anywheretcp dpts:0:1023
  178 DROP   udp  --  !eth0  any anywhere
  anywhereudp dpts:0:1023
 
  Chain FORWARD (policy ACCEPT 20 packets, 984 bytes)
   pkts bytes target prot opt in out source   
  destination
  0 0 DROP   all  --  eth0   any anywhere
  192.168.0.0/16
954 45864 ACCEPT all  --  eth0   any 192.168.0.0/16   anywhere
  0 0 ACCEPT all  --  eth1   any anywhere
  192.168.0.0/16
 
  Chain OUTPUT (policy ACCEPT 3958K packets, 3821M bytes)
   pkts bytes target prot opt in out source   
  destination
 
 
 humour me and post `iptables -L -v -t nat' to show the nat routing
 table.
The result is:
Chain PREROUTING (policy ACCEPT 9193 packets, 593K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 5884 packets, 330K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  any    eth1    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 3789 packets, 230K bytes)
 pkts bytes target     prot opt in     out     source               destination

 Since iptables is installed, I am assuming you turned on all the
 relevant items in the kernel, recompiled, and booted etc etc...
 (didn't see you mention that in your original mail, but I hope you
 did that already).
I followed the gentoo howto guide on home router, items 1-5.
In item 2, Kernel setup, I installed as shown there, but instead of checks
like s and x, I chose *. And after recompiling I rebooted the
system.

askar




Re: [gentoo-user] problem with setting up home router

2005-04-24 Thread Willie Wong
On Mon, Apr 25, 2005 at 12:08:25AM +0600, askar ... wrote:
  humour me and post `iptables -L -v -t nat' to show the nat routing
  table.
 The result is:
 Chain PREROUTING (policy ACCEPT 9193 packets, 593K bytes)
  pkts bytes target prot opt in out source   
 destination
 
 Chain POSTROUTING (policy ACCEPT 5884 packets, 330K bytes)
  pkts bytes target prot opt in out source   
 destination
 0 0 MASQUERADE  all  --  anyeth1anywhere anywhere
 
 Chain OUTPUT (policy ACCEPT 3789 packets, 230K bytes)
  pkts bytes target prot opt in out source   
 destination
 
  Since iptables is installed, I am assuming you turned on all the
  relevant items in the kernel, recompiled, and booted etc etc...
  (didn't see you mention that in your original mail, but I hope you
  did that already).
 I followed the gentoo howto guide on home router, items 1-5.
 In item 2, Kernel setup, I installed as shown there, but instead of checks
 like s and x, I chose *. And after recompiling I rebooted the
 system.
 

That's fine. Go to the Windows box: what IP address is it getting at
this moment? Host lookup works, and that should mean the INPUT chain
on the iptables is fine. The problem should now be only with the
FORWARD chain. The only thing I can see happening is that the Windows
box is not sending its packets using the accepted IP address range.

W
-- 

*   Address:  45 Spelman Hall, Princeton University  08544 *
* Phone:  x68958  AIM:  AngularJerk*
*E-mail:  [EMAIL PROTECTED]From:  sep.dynalias.net   *

For the relative problem is one in which the relative radius vectors...from 
one to the other? So, actually, I was wrong. Kepler was right after all.
~DeathMech, S. Sondhi. P-town PHY 205
Sortir en Pantoufles: up 13 days,  5:15



Re: [gentoo-user] problem with setting up home router

2005-04-24 Thread Stroller
On Apr 24, 2005, at 6:14 pm, askar ... wrote:
   At present, my 2 PCs can talk to each other.
   WinPC can resolve hostnames by nslookup, but can use internet.
  Wait, isn't this what you wanted? Or do you mean WinPC cannot use the
  internet?
 Yes, my WinPC cannot use the internet. :(
This is the best way to be sure it won't get a virus.   ;P
Stroller.


Re: [gentoo-user] problem with setting up home router

2005-04-23 Thread askar ...
 What does iptables -L say?
The result is:
Chain INPUT (policy ACCEPT)
target prot opt source   destination
ACCEPT all  --  anywhere anywhere
ACCEPT all  --  anywhere anywhere
REJECT udp  --  anywhere anywhere udp dpt:bootps reject-with icmp-port-unreachable
REJECT udp  --  anywhere anywhere udp dpt:domain reject-with icmp-port-unreachable
ACCEPT tcp  --  anywhere anywhere tcp dpt:ssh
DROP   tcp  --  anywhere anywhere tcp dpts:0:1023
DROP   udp  --  anywhere anywhere udp dpts:0:1023

Chain FORWARD (policy ACCEPT)
target prot opt source   destination
DROP   all  --  anywhere 192.168.0.0/16
DROP   all  --  anywhere 192.168.0.0/16
DROP   all  --  anywhere 192.168.0.0/16
DROP   all  --  anywhere 192.168.0.0/16
ACCEPT all  --  192.168.0.0/16   anywhere
ACCEPT all  --  anywhere 192.168.0.0/16
ACCEPT all  --  192.168.0.0/16   anywhere
ACCEPT all  --  anywhere 192.168.0.0/16
LOG    all  --  anywhere anywhere LOG level warning prefix `Dropped outgoing: '
LOG    all  --  anywhere anywhere LOG level warning prefix `Dropped incoming: '
ACCEPT all  --  192.168.0.0/16   anywhere
ACCEPT all  --  anywhere 192.168.0.0/16
ACCEPT all  --  192.168.0.0/16   anywhere
ACCEPT all  --  anywhere 192.168.0.0/16

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination




Re: [gentoo-user] problem with setting up home router

2005-04-23 Thread askar ...
On 4/24/05, Willie Wong [EMAIL PROTECTED] wrote:
 Did you follow the gentoo home router guide? I suggest you start
 over... with the line that says
 
   iptables -F
 
 you have LOTS of duplicate rules in your chain, and some of them
 don't make sense: you don't want
 
   ACCEPT   all -- anywhereanywhere
 
 to be at the top of your INPUT chain, since that destroys the whole
 purpose of having an iptables.
 
 One helpful command is
 
   iptables -D chain rulenum
 
 for example, in the case of the aforementioned ACCEPT policy in the
 INPUT chain, you do
 
   iptables -D INPUT 1
 
 to remove the topmost item. Keep in mind that the rules are
 renumbered every time you make a change.
 
 I suspect, since you are doing routing, that you have multiple
 interfaces. In that case, it would make much more sense to post
 
   iptables -L -v
 
 so we can see which interface the rules apply to.
 
I followed the gentoo howto home router guide. The result of iptables
-L was what I posted in the ML. First of all I want to set up the iptables
rules, and afterwards learn the concept of iptables in detail. Is there
any other how-to manual I could use?
My environment is the same as in the gentoo's howto:
I have 2 LAN cards. eth0 - for LAN, eth1 - for ADSL modem.

askar

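The listing askar posted is the plain `iptables -L` form, which hides the interface columns: that is why the first two INPUT rules look like catch-alls even though they were added with `-i lo` and `-i eth0`, and it is the reason for the request to post `iptables -L -v` instead. The script below is an added example, not code from the thread or the Gentoo howto. It audits a saved listing for the two things pointed out above: rules that appear more than once (what you get from re-running the howto commands without an `iptables -F` first) and a first INPUT rule that really accepts everything from every interface. The listing embedded in it is constructed for the example, modelled on the ones in this thread; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a saved iptables listing.
# LISTING is constructed to resemble the `iptables -L -v` output posted
# in this thread (two FORWARD rules appear twice on purpose).
LISTING='Chain INPUT (policy ACCEPT 1234 packets, 100K bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   800 ACCEPT     all  --  lo     any     anywhere             anywhere
  954 45864 ACCEPT     all  --  eth0   any     anywhere             anywhere
    0     0 REJECT     udp  --  !eth0  any     anywhere             anywhere             udp dpt:bootps reject-with icmp-port-unreachable
    0     0 ACCEPT     tcp  --  eth1   any     anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  eth0   any     anywhere             192.168.0.0/16
    0     0 DROP       all  --  eth0   any     anywhere             192.168.0.0/16
  954 45864 ACCEPT     all  --  eth0   any     192.168.0.0/16       anywhere
    0     0 ACCEPT     all  --  eth1   any     anywhere             192.168.0.0/16
    0     0 ACCEPT     all  --  eth1   any     anywhere             192.168.0.0/16

Chain OUTPUT (policy ACCEPT 100 packets, 10K bytes)
 pkts bytes target     prot opt in     out     source               destination'

# duplicate_rules: read a listing (with or without -v) on stdin and print
# "CHAIN: rule" once for every rule that occurs more than once in a chain.
# The pkts/bytes counters are dropped before comparing, so two copies of
# the same rule with different hit counts still match.
duplicate_rules() {
    awk '
        /^Chain /                      { chain = $2; next }
        /^ *pkts/ || /^target/ || NF == 0 { next }
        {
            if ($1 ~ /^[0-9]+[KMG]?$/) { $1 = ""; $2 = ""; sub(/^ +/, "") }
            key = chain ": " $0
            if (seen[key]++ == 1) print key
        }
    '
}

# top_rule_check CHAIN: describe the first rule of CHAIN in a listing read
# from stdin. Prints "catch-all" when it is ACCEPT all from any interface to
# anywhere, "bound" when it is restricted in some way, "unknown" when the
# listing is plain `iptables -L` (no interface columns, so it cannot tell),
# and "empty" when the chain has no rules.
top_rule_check() {
    awk -v want="$1" '
        /^Chain /                      { chain = $2; next }
        /^ *pkts/ || /^target/ || NF == 0 { next }
        chain == want && !done {
            done = 1
            if ($1 ~ /^[0-9]+[KMG]?$/) {   # -v listing: counters, then in/out
                tgt = $3; inif = $6; src = $8; dst = $9; bare = (NF == 9)
            } else {                       # plain -L listing: no in/out columns
                tgt = $1; inif = "?"; src = $4; dst = $5; bare = (NF == 5)
            }
            if (tgt != "ACCEPT" || src != "anywhere" || dst != "anywhere" || !bare)
                print "bound"
            else if (inif == "?") print "unknown"
            else if (inif == "any") print "catch-all"
            else print "bound"
        }
        END { if (!done) print "empty" }
    '
}

# Usage on the constructed listing:
printf '%s\n' "$LISTING" | duplicate_rules
printf 'first INPUT rule: %s\n' "$(printf '%s\n' "$LISTING" | top_rule_check INPUT)"
```

Feed it a real listing with `iptables -L -v | sh audit.sh` adapted to read stdin, or paste the output into `LISTING`. A `catch-all` result for INPUT is the case the reply above warns about; an `unknown` result means the listing was taken without `-v` and should be retaken.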



RE: [gentoo-user] problem with setting up home router

2005-04-21 Thread Dave Nebinger
 # iptables -I FORWARD -i eth0 -d 192.168.0.0/255.255.0.0 -j DROP
 # iptables -A FORWARD -i eth0 -s 192.168.0.0/255.255.0.0 -j ACCEPT
 # iptables -A FORWARD -i eth1 -d 192.168.0.0/255.255.0.0 -j ACCEPT

I'm still working through my iptables for my home router, but I think you
need to specify both the input and output cards for the FORWARD directive to
get them to work.  Try:

iptables -I FORWARD -i eth0 -o eth1 -d 192.168.0.0/255.255.0.0 -j DROP
iptables -A FORWARD -i eth0 -o eth1 -s 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -d 192.168.0.0/255.255.0.0 -j ACCEPT






Re: [gentoo-user] problem with setting up home router

2005-04-21 Thread Alex A. Smith MCP
You seem to have missed out this one

# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

My home router stopped working without that.

Hope that helps somewhat.

-
Alex A. Smith MCP
ASMHosting.com Owner



askar ... wrote:

Hello!

Installed Gentoo 2005.0, stage3.
I want to make home router for 2 computers: Gentoo and Win2000.
2 computers connected directly to each other with Lan cable.

I tried to set according to the
http://www.gentoo.org/doc/en/home-router-howto.xml

Things done as follows:

1) rp-pppoe installed and working.
  Setup ADSL connection with adsl-setup
  I'm able to use Internet.

2) /etc/conf.d/net:
iface_eth0="192.168.0.1 broadcast 192.168.0.255 netmask 255.255.255.0"
iface_eth1="up"
# ADSL modem connected to the eth1
# eth0 for LAN

3) during gentoo installation done:
# rc-update add net.eth0 default
# cd /etc/init.d
# ln -s net.eth0 net.eth1
# rc-update add net.eth1 default

4) installed DHCP server:
# emerge dhcp

5) /etc/conf.d/dhcp:
IFACE=eth0
DHCPD_OPTS=-q
# These setting were done by default. I did nothing here

6) # nano /etc/dhcp/dhcpd.conf:
authoritative;
ddns-update-style ad-hoc;
subnet 192.168.0.0 netmask 255.255.255.0 {
   range 192.168.0.100 192.168.0.250;
   default-lease-time 259200;
   max-lease-time 518400;
   option subnet-mask 255.255.255.0;
   option broadcast-address 192.168.0.255;
   option routers 192.168.0.1;
   option domain-name-servers 192.168.0.1;
}
#These data I took from http://www.gentoo.org/doc/en/home-router-howto.xml

7) # rc-update add dhcp default
  # /etc/init.d/dhcp start

8) # emerge dnsmasq

9) nano /etc/conf.d/dnsmasq:
DNSMASQ_OPTS="-i eth0"

10) # rc-update add dnsmasq default
   # /etc/init.d/dnsmasq start

11) # iptables -F
   # iptables -t nat -F
   # iptables -I INPUT 1 -i eth0 -j ACCEPT
   # iptables -I INPUT 1 -i lo -j ACCEPT
   # iptables -A INPUT -p UDP --dport bootps -i ! eth0 -j REJECT
   # iptables -A INPUT -p UDP --dport domain -i ! eth0 -j REJECT
   # iptables -A INPUT -p TCP --dport ssh -i eth1 -j ACCEPT
   # iptables -A INPUT -p TCP -i ! eth0 -d 0/0 --dport 0:1023 -j DROP
   # iptables -A INPUT -p UDP -i ! eth0 -d 0/0 --dport 0:1023 -j DROP
   # iptables -I FORWARD -i eth0 -d 192.168.0.0/255.255.0.0 -j DROP
   # iptables -A FORWARD -i eth0 -s 192.168.0.0/255.255.0.0 -j ACCEPT
   # iptables -A FORWARD -i eth1 -d 192.168.0.0/255.255.0.0 -j ACCEPT
   # iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
   # echo 1 > /proc/sys/net/ipv4/ip_forward
   # for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

12) # /etc/init.d/iptables save
   # rc-update add iptables default

13) # nano /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1

What I have now:
1) 2 computers can ping each other
2) Win PC can look up hostnames via DNS

The problem is I still can't use internet from WinPC.

Please help me.

Askar






RE: [gentoo-user] problem with setting up home router

2005-04-21 Thread Dave Nebinger
 You seem to have missed out this one
 
 # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

He didn't miss it, it's not part of the page.  And it shouldn't be needed as
the rules that he's defined do not inspect state at all; they simply
accept packets (regardless of state) when they are being forwarded to the
lan.






RE: [gentoo-user] problem with setting up home router

2005-04-21 Thread Dave Nebinger
The iptable rules from the howto seem to assume that the default policy is
set up to the following:

INPUT - DROP
FORWARD - DROP
OUTPUT - ACCEPT

Seeing as I hate assuming what is actually going on, I would add the
following lines to the top of the iptables script:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT



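Pulling together the rule list from the original message, the advice just above to set the chain policies explicitly and to give every FORWARD rule both `-i` and `-o`, and the `ESTABLISHED,RELATED` rule Alex mentions, here is an added example script that is not from the thread or the Gentoo howto. It generates the rule set for a given LAN interface, WAN interface and LAN prefix, and dry-runs it (prints the commands) unless `IPT=iptables` is set, so the set can be read before it is applied. It also carries a small lint for rule scripts that catches three easy slips: a `-P` on a chain name that does not exist, `-I` typed where `-i` was meant, and MASQUERADE bound to an interface other than the one carrying the WAN link. The interface names and the 192.168.0.0/24 prefix are assumptions: eth0 for the LAN, and ppp0 for the WAN, since with rp-pppoe the routed interface is the ppp device, not the Ethernet card the ADSL modem is plugged into. The `-m state` rules need connection tracking enabled in the kernel (or its module loaded).

```shell
#!/bin/sh
# Added example, not code from the thread or the howto.
# Assumptions: LAN on eth0 with prefix 192.168.0.0/24, WAN on ppp0 (the
# PPPoE link), connection tracking available in the kernel.

# Dry-run by default: commands are printed, not executed.
# Run as root with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"

# router_rules LAN WAN LANNET: emit (or run) the rule set, one command per
# line, with explicit policies and both -i and -o on every FORWARD rule.
router_rules() {
    lan="$1"; wan="$2"; lannet="$3"
    # Start from a clean slate in both tables.
    $IPT -F
    $IPT -t nat -F
    # State the policies instead of assuming them.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback and the LAN side are trusted; replies to the router's own
    # connections come back through conntrack; ssh is the only WAN service.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$lan" -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$wan" -p tcp --dport ssh -j ACCEPT
    # Forwarding: LAN hosts out to the WAN, only established replies back,
    # and anything else that reaches the end of FORWARD gets logged.
    $IPT -A FORWARD -i "$lan" -o "$wan" -s "$lannet" -j ACCEPT
    $IPT -A FORWARD -i "$wan" -o "$lan" -d "$lannet" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -j LOG --log-prefix "Dropped-forward:"
    # NAT must hang off the interface the default route actually uses.
    $IPT -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
}

# lint_rules WAN: read iptables commands on stdin, print one line per
# finding, return 1 if anything was found and 0 otherwise.
lint_rules() {
    wan="$1"
    found=0
    while IFS= read -r line; do
        # -P only makes sense on the built-in chains of the filter table.
        case "$line" in
            *" -P INPUT "*|*" -P FORWARD "*|*" -P OUTPUT "*) ;;
            *" -P "*) echo "policy on unknown chain: $line"; found=1 ;;
        esac
        # -A takes a chain; a second -I on the same line is a typo for -i.
        case "$line" in
            *" -A "*" -I "*) echo "-I where -i was meant: $line"; found=1 ;;
        esac
        # MASQUERADE on anything but the WAN interface NATs the wrong side.
        case "$line" in
            *MASQUERADE*)
                case "$line" in
                    *" -o $wan "*) ;;
                    *) echo "NAT not on WAN ($wan): $line"; found=1 ;;
                esac ;;
        esac
    done
    return $found
}

# Usage: print the rule set for the assumed interfaces.
router_rules eth0 ppp0 192.168.0.0/24
```

To check an existing script rather than the generated set, pipe it in: `lint_rules ppp0 < /etc/local.d/firewall.sh` (path is just an example). The lint is deliberately dumb pattern matching over one command per line; it is there to catch the slips discussed in this thread before the rules are loaded, not to validate iptables syntax in general.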



Re: [gentoo-user] problem with setting up home router

2005-04-21 Thread W.Kenworthy
Rather than roll your own iptables script, use monmotha (it's in portage)
to get up and running.  As well as better protection, you can eliminate
iptables as the cause of your problems.

BillK

On Thu, 2005-04-21 at 22:38 +0600, askar ... wrote:
 Hello!
 
 Installed Gentoo 2005.0, stage3.

