Re: [gentoo-user] Setting up a home router

2007-01-27 Thread Daniel Pielmeier

Would it be ok for me to email you off list to get some help with a new
setup of Shorewall that I did?


It would be, but I am not sure if I can help you, because I have
dropped shorewall and I am no firewall expert.
I would suggest you look at the shorewall guides on the shorewall
homepage; they explain some custom settings very well! Then if you
have problems, post them on the shorewall mailing list. The shorewall
maintainer himself is very active and does a good job on this list.

Regards,
Daniel
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-26 Thread Shawn Singh

Daniel,

Would it be ok for me to email you off list to get some help with a new
setup of Shorewall that I did?

Thanks,

Shawn

On 1/23/07, Daniel Pielmeier [EMAIL PROTECTED] wrote:


Hi all,

I solved my problem with the help of the shorewall mailing list.

The shorewall maintainer Tom Eastep helped me with a quick answer.
It has nothing to do with shorewall, so there is no shorewall file
causing these troubles.
When I set up my internet connection with pppoe-setup I had activated
the FIREWALL=STANDALONE setting in /etc/pppoe.conf. This loads an
iptables rule set which overwrites my custom iptables; this may have
also caused my problems with shorewall.

Nevertheless thank you all for trying to help me so much.

Daniel
--
gentoo-user@gentoo.org mailing list





--
Most problems go away if you just wait long enough. It might look like I'm
standing motionless but I'm actively waiting for our problems to go away. I
don't know why this works but it does.
Scott Adams, Dilbert comic


Re: [gentoo-user] Setting up a home router

2007-01-23 Thread Daniel Pielmeier

Hi all,

I solved my problem with the help of the shorewall mailing list.

The shorewall maintainer Tom Eastep helped me with a quick answer.
It has nothing to do with shorewall, so there is no shorewall file
causing these troubles.
When I set up my internet connection with pppoe-setup I had activated
the FIREWALL=STANDALONE setting in /etc/pppoe.conf. This loads an
iptables rule set which overwrites my custom iptables; this may have
also caused my problems with shorewall.

Nevertheless thank you all for trying to help me so much.

Daniel
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-21 Thread Iain Buchanan
On Sat, 2007-01-20 at 23:01 +0100, Daniel Pielmeier wrote:
  The only last thing I could suggest is running lsof to see what files
  are being accessed when you start the net.eth1 script.
 
 I tried lsof, but is there a possibility to run it constantly or for a
 specified time to catch the complete progress of the script, like the
 top command, to monitor all files which are used by this process? As
 far as I can see lsof lists only the current processes and the files
 used and then it stops.

don't know :) someone else will have to help you there...

  a better option would be `emerge --noconfmem package`, which
  essentially re-does all your conf files.
 
 I tried this also but I can't figure out which files could be
 responsible for this.

something like this should do it:

# for every pending ._cfg0000_<file> that emerge left under /etc,
# diff it against the live config file it is meant to replace
for i in $(sudo find /etc -name '._cfg*'); do
    tkdiff "$(echo "$i" | awk '{ sub(/\._cfg[0-9]+_/, ""); print }')" "$i"
done

replace tkdiff with your favourite.

 Additionally I tried this: running the init-script and then I applied
 this find command
 
 find / -mount -cmin -1
 
 which lists all the files whose status has changed in the last minute,
 but there are no files which could be the reason for the changing of
 the tables.
 I don't know if this command does what I want. I think it lists the
 files which are altered and which are accessed. Am I right here?

it will list files that have been accessed, only if you _don't_ have
noatime in /etc/fstab for that filesystem.  noatime says don't update
the time when the file is accessed (but not changed).  the default is
atime, but a lot of people use noatime for speed improvements.


 This gets a bit frustrating for me; now I always have to reset my
 iptables manually after I start my internet connection. Is it possible
 that there is no real file causing this trouble?

There must be something, somewhere doing it.. Maybe you could join the
shorewall ml and see what they say?  As a workaround, you could add this
to /etc/conf.d/net:

postup() {
    if [[ $1 == eth1 ]] ; then
        /etc/init.d/iptables restart
    fi
}

or something similar.  Not the ideal solution, but at least it would do
it automatically.

sorry I can't help any further :)
-- 
Iain Buchanan iaindb at netspace dot net dot au

Mollison's Bureaucracy Hypothesis:
If an idea can survive a bureaucratic review and be implemented
it wasn't worth doing.

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-20 Thread Daniel Pielmeier

The only last thing I could suggest is running lsof to see what files
are being accessed when you start the net.eth1 script.


I tried lsof, but is there a possibility to run it constantly or for a
specified time to catch the complete progress of the script, like the
top command, to monitor all files which are used by this process? As
far as I can see lsof lists only the current processes and the files
used and then it stops.


a better option would be `emerge --noconfmem package`, which
essentially re-does all your conf files.


I tried this also but I can't figure out which files could be
responsible for this.


Additionally I tried this: running the init-script and then I applied
this find command

find / -mount -cmin -1

which lists all the files whose status has changed in the last minute,
but there are no files which could be the reason for the changing of
the tables.
I don't know if this command does what I want. I think it lists the
files which are altered and which are accessed. Am I right here?

I used this find command for reinstalling shorewall and setting back
the old settings too, but without success.

This gets a bit frustrating for me; now I always have to reset my
iptables manually after I start my internet connection. Is it possible
that there is no real file causing this trouble?
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-19 Thread Daniel Pielmeier

Hi all!

Thank you very much for trying to help me with these strange things. I
hope I haven't overlooked a very simple thing which causes this
problem.


dale wrote

[EMAIL PROTECTED] / # equery files shorewall
[ Searching for packages matching shorewall... ]
* Contents of net-firewall/shorewall-3.0.8:
/etc
/etc/init.d
/etc/init.d/shorewall
/etc/shorewall
...


As you can see all paths contain shorewall, so a simple find
would detect all the files, and I have none of them remaining on my
system.


ian wrote

ah yes, I recall the cruft script!  Does it exclude any directories?


No, I have checked that before; there is nothing in my lib/findcruft
which excludes shorewall from being detected.


The only last thing I could suggest is running lsof to see what files
are being accessed when you start the net.eth1 script.


Thanks, that's a good idea, I will try that.


uwe wrote

I am using shorewall and it doesn't do it here.

I haven't replied in this thread so far because I have not the slightest idea
what causes the trouble. Actually I have  tried to simulate what Daniel did.
Even so, net.eth0 (in my case) doesn't change my iptables rules.


Another thing I will try is to re-emerge shorewall, put my configuration
back, run shorewall and search for the files which have changed
recently.
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-19 Thread Iain Buchanan
On Fri, 2007-01-19 at 10:08 +0100, Daniel Pielmeier wrote:
 Another thing I will try is to re-emerge shorewall, put my configuration
 back, run shorewall and search for the files which have changed
 recently.

good idea, if you have the space you can just `cp -a /etc /etc.old`
(only 124M here).  Then you can diff them after installing and
configuring shorewall.

HTH,
-- 
Iain Buchanan iaindb at netspace dot net dot au

A newspaper is a circulating library with high blood pressure.
-- Arthur Bugs Baer

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-18 Thread Daniel Pielmeier

I've been holding back on replying for a while now, but I think you
should try a simple iptables setup like this one:


Excuse me, but my problem is not that my tables are not working; they
work very well. I applied forwarding and masquerading, also a basic
set of filtering rules which block all access from outside.

My problem is that these rules I have defined are somehow overwritten
by the net init script, with some remaining settings from my previous
shorewall configuration.

I compared the tables I had with shorewall with my new settings, and
the ones which are changed by the net init script look like the same
settings I had with shorewall for input, forward and output.

I am sure that I have removed shorewall completely, so I guess
shorewall must have altered a file which is used by the init script,
so that the old settings are restored every time I start the net
init script.
Does anybody have a clue?

Regards,

Daniel
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-18 Thread Uwe Thiem
On 18 January 2007 11:25, Daniel Pielmeier wrote:
  I've been holding back on replying for a while now, but I think you
  should try a simple iptables setup like this one:

 Excuse me, but my problem is not that my tables are not working; they
 work very well. I applied forwarding and masquerading, also a basic
 set of filtering rules which block all access from outside.

 My problem is that these rules I have defined are somehow overwritten
 by the net init script, with some remaining settings from my previous
 shorewall configuration.

 I compared the tables I had with shorewall with my new settings, and
 the ones which are changed by the net init script look like the same
 settings I had with shorewall for input, forward and output.

 I am sure that I have removed shorewall completely, so I guess
 shorewall must have altered a file which is used by the init script,
 so that the old settings are restored every time I start the net
 init script.
 Does anybody have a clue?

If you really removed shorewall from your runlevel (rc-update del shorewall 
default) try this:
rm /var/lib/iptables/rules-save

Uwe

-- 
A fast and easy generator of fractals for KDE:
http://www.SysEx.com.na/iwy-1.0.tar.bz2
Proof of concept of a TSP solver for KDE:
http://www.SysEx.com.na/epat-0.1.tar.bz2
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-18 Thread Dale
Daniel Pielmeier wrote:
 I've been holding back on replying for a while now, but I think you
 should try a simple iptables setup like this one:

 Excuse me, but my problem is not that my tables are not working; they
 work very well. I applied forwarding and masquerading, also a basic
 set of filtering rules which block all access from outside.

 My problem is that these rules I have defined are somehow overwritten
 by the net init script, with some remaining settings from my previous
 shorewall configuration.

 I compared the tables I had with shorewall with my new settings, and
 the ones which are changed by the net init script look like the same
 settings I had with shorewall for input, forward and output.

 I am sure that I have removed shorewall completely, so I guess
 shorewall must have altered a file which is used by the init script,
 so that the old settings are restored every time I start the net
 init script.
 Does anybody have a clue?

 Regards,

 Daniel


Did you do a /etc/init.d/iptables save by any chance?  That's the only
thing I can think of.

Dale

:-)  :-)  :-)  :-) 

-- 
www.myspace.com/dalek1967

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-18 Thread Daniel Pielmeier

If you really removed shorewall from your runlevel (rc-update del shorewall
default) try this:
rm /var/lib/iptables/rules-save


I have removed shorewall from my runlevels and added iptables.


Did you do a /etc/init.d/iptables save by any chance?  That's the only
thing I can think of.



The way I have applied my rules is as follows:

first I load them with my generated script,
then I invoke /etc/init.d/iptables save,
and to be sure I do an /etc/init.d/iptables restart.
iptables -L, iptables -L -t nat and iptables -L -t mangle show me my new rules;
when I look in /var/lib/iptables/rules-save I also see my new rules.
When I issue /etc/init.d/net.eth1 restart, iptables -L, iptables -L -t
nat and iptables -L -t mangle show me the old rules from shorewall.
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-18 Thread Dan Farrell
On Thu, 18 Jan 2007 12:11:34 +0100
Daniel Pielmeier [EMAIL PROTECTED] wrote:

 Excuse me, but my problem is not that my tables are not working, they
 work very well. I applied forwarding and masquerading, also a basic
 set of filtering rules which block all access from outside.

oops.  sorry. 

  If you really removed shorewall from your runlevel (rc-update del
  shorewall default) try this:
  rm /var/lib/iptables/rules-save
 
 I have removed shorewall from my runlevels and added iptables.
 
  Did you do a /etc/init.d/iptables save by any chance?  That's the
  only thing I can think of.
 
 
 The way I have applied my rules is as follows:
 
 first I load them with my generated script,
 then I invoke /etc/init.d/iptables save,
 and to be sure I do an /etc/init.d/iptables restart.
 iptables -L, iptables -L -t nat and iptables -L -t mangle show me my new
 rules; when I look in /var/lib/iptables/rules-save I also see my new
 rules. When I issue /etc/init.d/net.eth1 restart, iptables -L, iptables
 -L -t nat and iptables -L -t mangle show me the old rules from shorewall.

I wonder if shorewall is loaded as a dependency of net.eth1?
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-18 Thread Iain Buchanan
On Thu, 2007-01-18 at 12:11 +0100, Daniel Pielmeier wrote:

 The way I have applied my rules is as follows:
 
 first I load them with my generated script,
 then I invoke /etc/init.d/iptables save,
 and to be sure I do an /etc/init.d/iptables restart.
 iptables -L, iptables -L -t nat and iptables -L -t mangle show me my new rules;
 when I look in /var/lib/iptables/rules-save I also see my new rules.
 When I issue /etc/init.d/net.eth1 restart, iptables -L, iptables -L -t
 nat and iptables -L -t mangle show me the old rules from shorewall.

hmm, shorewall must have done something that's more persistent.  

Have a look at /etc/runlevels, and make sure there is no shorewall stuff
left in there.

Also look in /etc/conf.d/net* and make sure there are no postup functions
lying around.

And make sure /etc/init.d/net.eth1 is a symlink to /etc/init.d/net.lo,
and then make sure net.lo hasn't been modified by shorewall.  You
could do an `emerge --noconfmem baselayout` to make extra sure.  **Read
the man page first.

Is there a /etc/shorewall directory?  Perhaps someone who has it
installed could do `equery files shorewall` so you could check that it
really is deleted.

Well, these ideas are really stabbing in the dark, but you gotta start
somewhere!

HTH,
-- 
Iain Buchanan iaindb at netspace dot net dot au

Workers of the world, arise!  You have nothing to lose but your chairs.

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-18 Thread Daniel Pielmeier

hmm, shorewall must have done something that's more persistent.

Have a look at /etc/runlevels, and make sure there is no shorewall stuff
left in there.

Also look in /etc/conf.d/net* and make sure there are no postup functions
lying around.

And make sure /etc/init.d/net.eth1 is a symlink to /etc/init.d/net.lo,
and then make sure net.lo hasn't been modified by shorewall.  You
could do an `emerge --noconfmem baselayout` to make extra sure.  **Read
the man page first.

Is there a /etc/shorewall directory?  Perhaps someone who has it
installed could do `equery files shorewall` so you could check that it
really is deleted.

Well, these ideas are really stabbing in the dark, but you gotta start
somewhere!


Thanks for your hints, I checked all these things but there seems to be
nothing of shorewall remaining! I am quite sure because I am using a
cruft script which searches for files remaining after an uninstall.
The script does its job; there were several files from shorewall
remaining, but now they are all gone but my problem still remains.
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-18 Thread Dale
Iain Buchanan wrote:


 Is there a /etc/shorewall directory?  Perhaps someone who has it
 installed could do `equery files shorewall` so you could check that it
 really is deleted.

 Well, these ideas are really stabbing in the dark, but you gotta start
 somewhere!

 HTH,
   

Here you go:

 [EMAIL PROTECTED] / # equery files shorewall
 [ Searching for packages matching shorewall... ]
 * Contents of net-firewall/shorewall-3.0.8:
 /etc
 /etc/init.d
 /etc/init.d/shorewall
 /etc/shorewall
 /etc/shorewall/Makefile
 /etc/shorewall/accounting
 /etc/shorewall/actions
 /etc/shorewall/blacklist
 /etc/shorewall/continue
 /etc/shorewall/ecn
 /etc/shorewall/hosts
 /etc/shorewall/init
 /etc/shorewall/initdone
 /etc/shorewall/interfaces
 /etc/shorewall/ipsec
 /etc/shorewall/maclist
 /etc/shorewall/masq
 /etc/shorewall/modules
 /etc/shorewall/nat
 /etc/shorewall/netmap
 /etc/shorewall/params
 /etc/shorewall/policy
 /etc/shorewall/providers
 /etc/shorewall/proxyarp
 /etc/shorewall/routestopped
 /etc/shorewall/rules
 /etc/shorewall/shorewall.conf
 /etc/shorewall/start
 /etc/shorewall/started
 /etc/shorewall/stop
 /etc/shorewall/stopped
 /etc/shorewall/tcclasses
 /etc/shorewall/tcdevices
 /etc/shorewall/tcrules
 /etc/shorewall/tos
 /etc/shorewall/tunnels
 /etc/shorewall/zones
 /sbin
 /sbin/shorewall
 /usr
 /usr/share
 /usr/share/doc
 /usr/share/doc/shorewall-3.0.8
 /usr/share/doc/shorewall-3.0.8/Samples
 /usr/share/doc/shorewall-3.0.8/Samples/LICENSE
 /usr/share/doc/shorewall-3.0.8/Samples/README.txt
 /usr/share/doc/shorewall-3.0.8/Samples/one-interface
 /usr/share/doc/shorewall-3.0.8/Samples/one-interface/README.txt
 /usr/share/doc/shorewall-3.0.8/Samples/one-interface/interfaces
 /usr/share/doc/shorewall-3.0.8/Samples/one-interface/policy
 /usr/share/doc/shorewall-3.0.8/Samples/one-interface/rules
 /usr/share/doc/shorewall-3.0.8/Samples/one-interface/zones
 /usr/share/doc/shorewall-3.0.8/Samples/three-interfaces
 /usr/share/doc/shorewall-3.0.8/Samples/three-interfaces/README.txt
 /usr/share/doc/shorewall-3.0.8/Samples/three-interfaces/interfaces
 /usr/share/doc/shorewall-3.0.8/Samples/three-interfaces/masq
 /usr/share/doc/shorewall-3.0.8/Samples/three-interfaces/policy
 /usr/share/doc/shorewall-3.0.8/Samples/three-interfaces/routestopped
 /usr/share/doc/shorewall-3.0.8/Samples/three-interfaces/rules
 /usr/share/doc/shorewall-3.0.8/Samples/three-interfaces/zones
 /usr/share/doc/shorewall-3.0.8/Samples/two-interfaces
 /usr/share/doc/shorewall-3.0.8/Samples/two-interfaces/README.txt
 /usr/share/doc/shorewall-3.0.8/Samples/two-interfaces/interfaces
 /usr/share/doc/shorewall-3.0.8/Samples/two-interfaces/masq
 /usr/share/doc/shorewall-3.0.8/Samples/two-interfaces/policy
 /usr/share/doc/shorewall-3.0.8/Samples/two-interfaces/routestopped
 /usr/share/doc/shorewall-3.0.8/Samples/two-interfaces/rules
 /usr/share/doc/shorewall-3.0.8/Samples/two-interfaces/zones
 /usr/share/doc/shorewall-3.0.8/changelog.txt.gz
 /usr/share/doc/shorewall-3.0.8/html
 /usr/share/doc/shorewall-3.0.8/html/6to4.htm
 /usr/share/doc/shorewall-3.0.8/html/Accounting.html
 /usr/share/doc/shorewall-3.0.8/html/Actions.html
 /usr/share/doc/shorewall-3.0.8/html/CompiledPrograms.html
 /usr/share/doc/shorewall-3.0.8/html/CorpNetwork.htm
 /usr/share/doc/shorewall-3.0.8/html/Documentation.htm
 /usr/share/doc/shorewall-3.0.8/html/Documentation_Index.html
 /usr/share/doc/shorewall-3.0.8/html/ECN.html
 /usr/share/doc/shorewall-3.0.8/html/ErrorMessages.html
 /usr/share/doc/shorewall-3.0.8/html/FAQ.htm
 /usr/share/doc/shorewall-3.0.8/html/FTP.html
 /usr/share/doc/shorewall-3.0.8/html/GenericTunnels.html
 /usr/share/doc/shorewall-3.0.8/html/GnuCopyright.htm
 /usr/share/doc/shorewall-3.0.8/html/IPIP.htm
 /usr/share/doc/shorewall-3.0.8/html/IPP2P.html
 /usr/share/doc/shorewall-3.0.8/html/IPSEC-2.6.html
 /usr/share/doc/shorewall-3.0.8/html/IPSEC.htm
 /usr/share/doc/shorewall-3.0.8/html/Install.htm
 /usr/share/doc/shorewall-3.0.8/html/Introduction.html
 /usr/share/doc/shorewall-3.0.8/html/Kernel2.6.html
 /usr/share/doc/shorewall-3.0.8/html/MAC_Validation.html
 /usr/share/doc/shorewall-3.0.8/html/Macros.html
 /usr/share/doc/shorewall-3.0.8/html/MultiISP.html
 /usr/share/doc/shorewall-3.0.8/html/Multiple_Zones.html
 /usr/share/doc/shorewall-3.0.8/html/NAT.htm
 /usr/share/doc/shorewall-3.0.8/html/NetfilterOverview.html
 /usr/share/doc/shorewall-3.0.8/html/OPENVPN.html
 /usr/share/doc/shorewall-3.0.8/html/PPTP.htm
 /usr/share/doc/shorewall-3.0.8/html/PacketHandling.html
 /usr/share/doc/shorewall-3.0.8/html/PortKnocking.html
 /usr/share/doc/shorewall-3.0.8/html/ProxyARP.htm
 /usr/share/doc/shorewall-3.0.8/html/ReleaseModel.html
 /usr/share/doc/shorewall-3.0.8/html/Shorewall_Doesnt.html
 /usr/share/doc/shorewall-3.0.8/html/Shorewall_Squid_Usage.html
 /usr/share/doc/shorewall-3.0.8/html/Shorewall_and_Aliased_Interfaces.html
 /usr/share/doc/shorewall-3.0.8/html/Shorewall_and_Kazaa.html
 /usr/share/doc/shorewall-3.0.8/html/Shorewall_and_Routing.html
 

Re: [gentoo-user] Setting up a home router

2007-01-18 Thread Iain Buchanan
On Fri, 2007-01-19 at 02:10 +0100, Daniel Pielmeier wrote:
  hmm, shorewall must have done something that's more persistent.
...
  Well, these ideas are really stabbing in the dark, but you gotta start
  somewhere!
 
 Thanks for your hints, I checked all these things but there seems to be
 nothing of shorewall remaining! I am quite sure because I am using a
 cruft script which searches for files remaining after an uninstall.
 The script does its job; there were several files from shorewall
 remaining, but now they are all gone but my problem still remains.

ah yes, I recall the cruft script!  Does it exclude any directories?

If there is nothing shorewall related left, then the only explanation is
that shorewall must have edited an existing file somewhere... which
seems strange... hal? udev? who knows!

The only last thing I could suggest is running lsof to see what files
are being accessed when you start the net.eth1 script.

Other than that, I'm out of ideas, sorry!
-- 
Iain Buchanan iaindb at netspace dot net dot au

Nothing motivates a man more than to see his boss put in an honest day's work.

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-18 Thread Dale
Iain Buchanan wrote:

 ah yes, I recall the cruft script!  Does it exclude any directories?

 If there is nothing shorewall related left, then the only explanation is
 that shorewall must have edited an existing file somewhere... which
 seems strange... hal? udev? who knows!

 The only last thing I could suggest is running lsof to see what files
 are being accessed when you start the net.eth1 script.

 Other than that, I'm out of ideas, sorry!
   

Could he delete some of the config files then re-emerge the programs
they belong to?  Wouldn't that reset them back to default then?

If you would like, I'll email you, off list of course, a copy of my etc
directory or specific files if you want me to.  I'm on dial-up so it
may take a bit to send them.  Let me know.  If you want specific files,
let me know which ones.

Dale

:-)  :-)  :-)

-- 
www.myspace.com/dalek1967



Re: [gentoo-user] Setting up a home router

2007-01-18 Thread Iain Buchanan
On Fri, 2007-01-19 at 01:01 -0600, Dale wrote:
 Iain Buchanan wrote:
  
  ah yes, I recall the cruft script!  Does it exclude any directories?
  
  If there is nothing shorewall related left, then the only explanation is
  that shorewall must have edited an existing file somewhere... which
  seems strange... hal? udev? who knows!
  
  The only last thing I could suggest is running lsof to see what files
  are being accessed when you start the net.eth1 script.
  
  Other than that, I'm out of ideas, sorry!

 
 Could he delete some of the config files then re-emerge the programs
 they belong to?  Wouldn't that reset them back to default then?

a better option would be `emerge --noconfmem package`, which
essentially re-does all your conf files.
-- 
Iain Buchanan iaindb at netspace dot net dot au

Why not go out on a limb?  Isn't that where the fruit is?

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-18 Thread Uwe Thiem
On 19 January 2007 08:45, Iain Buchanan wrote:
 On Fri, 2007-01-19 at 02:10 +0100, Daniel Pielmeier wrote:
   hmm, shorewall must have done something that's more persistent.

 ...

   Well, these ideas are really stabbing in the dark, but you gotta start
   somewhere!
  
  Thanks for your hints, I checked all these things but there seems to be
  nothing of shorewall remaining! I am quite sure because I am using a
  cruft script which searches for files remaining after an uninstall.
  The script does its job; there were several files from shorewall
  remaining, but now they are all gone but my problem still remains.

 ah yes, I recall the cruft script!  Does it exclude any directories?

 If there is nothing shorewall related left, then the only explanation is
 that shorewall must have edited an existing file somewhere... which
 seems strange... hal? udev? who knows!

I am using shorewall and it doesn't do it here.

I haven't replied in this thread so far because I have not the slightest idea
what causes the trouble. Actually I have tried to simulate what Daniel did.
Even so, net.eth0 (in my case) doesn't change my iptables rules.

Uwe

-- 
A fast and easy generator of fractals for KDE:
http://www.SysEx.com.na/iwy-1.0.tar.bz2
Proof of concept of a TSP solver for KDE:
http://www.SysEx.com.na/epat-0.1.tar.bz2
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-17 Thread Daniel Pielmeier

Hi again,

it seems that I was running into another problem.

These are my current iptables!

Chain INPUT (policy ACCEPT)
target prot opt source   destination
block  all  --  anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source   destination
ACCEPT all  --  anywhere anywhere   state NEW,RELATED,ESTABLISHED
ACCEPT all  --  anywhere anywhere   state NEW,RELATED,ESTABLISHED
ACCEPT all  --  anywhere anywhere   state RELATED,ESTABLISHED
block  all  --  anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination

Chain block (2 references)
target prot opt source   destination
ACCEPT all  --  anywhere anywhere   state RELATED,ESTABLISHED
ACCEPT all  --  anywhere anywhere   state NEW
DROP   all  --  anywhere anywhere

But every time I start my internet connection with /etc/init.d/net.eth1
start, it seems my rules are changed to this and I can't connect to
the internet!

Chain INPUT (policy ACCEPT)
target prot opt source   destination
LOG    udp  --  anywhere anywhere   udp dpts:0:1023 LOG level warning
LOG    tcp  --  anywhere anywhere   tcp dpts:0:1023 LOG level warning
DROP   udp  --  anywhere anywhere   udp dpts:0:1023
DROP   tcp  --  anywhere anywhere   tcp dpts:0:1023
LOG    tcp  --  anywhere anywhere   tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning
DROP   tcp  --  anywhere anywhere   tcp flags:FIN,SYN,RST,ACK/SYN
DROP   icmp --  anywhere anywhere   icmp echo-request

Chain FORWARD (policy DROP)
target prot opt source   destination

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination

Chain block (0 references)
target prot opt source   destination
ACCEPT all  --  anywhere anywhere   state RELATED,ESTABLISHED
ACCEPT all  --  anywhere anywhere   state NEW
DROP   all  --  anywhere anywhere

What could be the problem here? Is the net init-script changing my
rules? I think I have removed shorewall completely, so there shouldn't
be any remaining files which could cause that behavior. Or are there
some remaining files from shorewall? When I invoke iptables save with
my generated rules and restart iptables, the rules are OK and I can
connect!

Thanks in advance!

Daniel
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-17 Thread Dan
On Wed, 17 Jan 2007 20:02:54 +0100
Daniel Pielmeier [EMAIL PROTECTED] wrote:

 Hi again,
 
 it seems that I was running into another problem.
 
 These are my current iptables!
 ...
 What could be the problem here? Is the net init-script changing my
 rules? I think I have removed shorewall completely, so there shouldn't
 be any remaining files which could cause that behavior. Or are there
 some remaining files from shorewall? When I invoke iptables save with
 my generated rules and restart iptables, the rules are OK and I can
 connect!
 
 Thanks in advance!
 
 Daniel

I've been holding back on replying for a while now, but I think you
should try a simple iptables setup like this one: 

davey ~ # iptables -L -v ; iptables -t nat -L -v
Chain INPUT (policy DROP 764K packets, 79M bytes)
 pkts bytes target     prot opt in     out     source               destination
50707   18M ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:smtp
 955K  601M ACCEPT     all  --  lo     any     anywhere             anywhere
 249K   20M ACCEPT     all  --  ath0   any     anywhere             anywhere
  43M 6782M ACCEPT     all  --  eth1   any     anywhere             anywhere
        132 REJECT     udp  --  eth0   any     anywhere             anywhere            udp dpt:bootps reject-with icmp-port-unreachable
        158 REJECT     udp  --  eth0   any     anywhere             anywhere            udp dpt:domain reject-with icmp-port-unreachable
  414 36292 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh
 411K   91M ACCEPT     all  --  eth0   any     anywhere             anywhere            state RELATED,ESTABLISHED
    4   184 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:http
14547 1187K ACCEPT     icmp --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 3017 packets, 184K bytes)
 pkts bytes target     prot opt in     out     source               destination
 173M  111G ACCEPT     all  --  any    any     192.168.0.0/16       anywhere
  22M   19G ACCEPT     all  --  eth0   any     anywhere             192.168.0.0/16

Chain OUTPUT (policy ACCEPT 48M packets, 13G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain PREROUTING (policy ACCEPT 10M packets, 1189M bytes)
 pkts bytes target     prot opt in     out     source               destination
58003 3477K DNAT       tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh to:192.168.1.99:22
 3828  213K DNAT       tcp  --  eth0   any     anywhere             anywhere            tcp dpt:http to:192.168.1.99:80
   14   664 DNAT       tcp  --  eth0   any     anywhere             anywhere            tcp dpt:222 to:192.168.1.1:22
  248 11072 DNAT       tcp  --  eth0   any     anywhere             anywhere            tcp dpt:223 to:192.168.1.100:22

Chain POSTROUTING (policy ACCEPT 300K packets, 18M bytes)
 pkts bytes target     prot opt in     out     source               destination
4564K  318M MASQUERADE all  --  any    eth0    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 234K packets, 15M bytes)
 pkts bytes target     prot opt in     out     source               destination

It's my own stab at a stateful firewall and seems to be working very
well for me.  spore.ath.cx is my home computer network; feel free to
nmap me and see what you think from the outside.  It's rudimentary, but
that's what I like about it.  Simple.  

For what it's worth, I never would have been able to figure out
iptables without using 
watch iptables -v -L ; iptables -t nat -v -L
which ends up showing you the packets in and out of each chain and each
rule, which is highly convenient for configuring firewalls.  

Best of luck.

  -- dan.
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-16 Thread Daniel Pielmeier

But everything looks quite normal, except for that packets aren't
routed. So it's up to somebody else to tell exactly what that policy
module in iptables does -- and how. I don't have answers left here --
except for the case that a manual iptables setup is sufficient.

Personally, I'm quite happy with

$ iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
$ iptables -A FORWARD -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$ iptables -A FORWARD -i ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

for the forwarding. All that fancy-schmanzy stuff that shorewall does
isn't in there, granted.


Thanks, so I think that I have to get familiar with iptables itself,
because I want to do some more than routing. I will try these rules in the
evening and tell you if it works.
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-16 Thread Hans-Werner Hilse
Hi,

On Tue, 16 Jan 2007 09:03:59 +0100 Daniel Pielmeier
[EMAIL PROTECTED] wrote:

  Personally, I'm quite happy with
 
  $ iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
  $ iptables -A FORWARD -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j 
  ACCEPT 
  $ iptables -A FORWARD -i ppp0 -m state --state NEW,ESTABLISHED,RELATED -j 
  ACCEPT

Aaargh! That last one should have the state NEW omitted (and the
following comma, of course).

 Thanks, so I think that I have to get familiar with iptables itself,
 because I want to do some more than routing. I will try these rules in the
 evening and tell you if it works.

No fears, iptables is easy to configure! Search for some How-To that
has a big picture of which packets enter which chains in which
tables. That really helps a lot.

-hwh
-- 
gentoo-user@gentoo.org mailing list
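
The three rules quoted above, with the correction from this reply applied (no NEW on the ppp0 side), written out as an added example; this is not code from the thread or from any poster. It prints a complete ruleset in iptables-restore format instead of running iptables directly, so it can be read and checked before it touches the router. Interface names and the LAN prefix are parameters; the defaults are the ones used in the thread (ppp0 facing the internet, eth0 facing the LAN, 192.168.0.0/24), and the INPUT rules are my own assumptions for a router that offers ssh and dnsmasq to the LAN only.

```shell
#!/bin/sh
# Added example (not from the thread): emit a minimal stateful NAT ruleset
# in iptables-restore format, with the correction from the reply applied.
# The WAN-side FORWARD rule must not accept state NEW; otherwise any host on
# the internet could open connections into the LAN through the router.

gen_router_rules() {
    wan="${1:-ppp0}"             # interface toward the internet (assumption)
    lan="${2:-eth0}"             # interface toward the LAN (assumption)
    lan_net="${3:-192.168.0.0/24}"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite the source address of LAN traffic leaving via the WAN link
-A POSTROUTING -s ${lan_net} -o ${wan} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Router services (ssh, DNS/DHCP from dnsmasq) are reachable from the LAN only
-A INPUT -i ${lan} -s ${lan_net} -j ACCEPT
# LAN hosts may open new connections toward the WAN
-A FORWARD -i ${lan} -o ${wan} -s ${lan_net} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Packets from the WAN are forwarded only for flows the LAN started: no NEW here
-A FORWARD -i ${wan} -o ${lan} -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Lint for the mistake discussed in the reply: return 0 if no FORWARD rule
# entering on the WAN interface accepts state NEW, 1 otherwise.
check_no_new_from_wan() {
    wan="$1"
    rules="$2"
    if printf '%s\n' "$rules" | grep -E -q -e "^-A FORWARD -i ${wan} .*--state [^ ]*NEW"; then
        return 1
    fi
    return 0
}

# Usage on the router, as root, after reading the generated rules:
#   gen_router_rules ppp0 eth0 192.168.0.0/24 > /tmp/router.rules
#   echo 1 > /proc/sys/net/ipv4/ip_forward
#   iptables-restore < /tmp/router.rules
```

The FORWARD policy stays DROP, so only the two explicit rules decide what is forwarded; `check_no_new_from_wan` is the kind of sanity check worth running over any ruleset before loading it, whether hand-written or generated by a tool.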



Re: [gentoo-user] Setting up a home router

2007-01-16 Thread Daniel Pielmeier

  Personally, I'm quite happy with
 
  $ iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
  $ iptables -A FORWARD -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j 
ACCEPT
  $ iptables -A FORWARD -i ppp0 -m state --state NEW,ESTABLISHED,RELATED -j 
ACCEPT

Aaargh! That last one should have the state NEW omitted (and the
following comma, of course).

 Thanks, so I think that I have to get familiar with iptables itself,
 because I want to do some more than routing. I will try these rules in the
 evening and tell you if it works.

No fears, iptables is easy to configure! Search for some How-To that
has a big picture of which packets enter which chains in which
tables. That really helps a lot.


I haven't found a how-to like this. Do you know a good how-to? At the
moment I am reading this one:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html.
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-16 Thread Hans-Werner Hilse
Hi,

On Tue, 16 Jan 2007 13:10:45 +0100 Daniel Pielmeier
[EMAIL PROTECTED] wrote:

   Thanks, so I think that I have to get familiar with iptables
   itself, because I want to do some more than routing. I will try these
   rules in the evening and tell you if it works.
 
  No fears, iptables is easy to configure! Search for some How-To that
  has a big picture of which packets enter which chains in which
  tables. That really helps a lot.
 
 I haven't found a how-to like this. Do you know a good how-to? At the
 moment I am reading this one:
 http://iptables-tutorial.frozentux.net/iptables-tutorial.html.

Thanks for that link. The document is _very_ good and complete. But I
don't think it's particularly well suited for beginners.

My suggestion would probably be very conservative: netfilter.org's own
docs. http://www.netfilter.org/documentation/index.html

-hwh
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-16 Thread Daniel Pielmeier

Thanks for that link. The document is _very_ good and complete. But I
don't think it's particularly well suited for beginners.
My suggestion would probably be very conservative: netfilter.org's own
docs. http://www.netfilter.org/documentation/index.html


np, I thought that if I have to learn iptables, then I want to know all
about it. It is mentioned on the netfilter site, but I will have a look
at netfilter's own documentation.
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-16 Thread Daniel Pielmeier

Thanks for that link. The document is _very_ good and complete. But I
don't think it's particularly well suited for beginners.

My suggestion would probably be very conservative: netfilter.org's own
docs. http://www.netfilter.org/documentation/index.html


I have now applied your masquerading and forwarding rules and they are
working. At the moment I am setting up some basic filter rules for
switching from shorewall to plain iptables. Then I will go for
advanced filtering. Thanks a lot for your help and everyone else's.

Regards, Daniel

LANG=de

PS: Greetings from Stuttgart and thanks again, I don't know whether I
would have managed it otherwise!

--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-16 Thread Iain Buchanan
On Tue, 2007-01-16 at 13:10 +0100, Daniel Pielmeier wrote:

 I haven't found a how-to like this. Do you know a good how-to?

For Linux HOWTOs, I highly recommend tldp:
http://tldp.org/HOWTO/HOWTO-INDEX/networking.html#NETROUTING

Try the Masquerading-Simple-HOWTO.

HTH,
-- 
Iain Buchanan iaindb at netspace dot net dot au

No woman can call herself free until she can choose consciously whether
she will or will not be a mother.
-- Margaret H. Sanger

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-16 Thread Dale
Hans-Werner Hilse wrote:

 Thanks for that link. The document is _very_ good and complete. But I
 don't think it's particularly well suited for beginners.

 My suggestion would probably be very conservative: netfilter.org's own
 docs. http://www.netfilter.org/documentation/index.html

 -hwh
   

OK.  I just had to reply to this one.  FINALLY somebody explained how
the heck iptables works and what it does in a way that makes sense to
ME.  The best part is that there is an INPUT chain and an OUTPUT chain
and then you connect them together with iptables.  THAT I could understand.
Why can't they put stuff like this in the man page so that nuts like me
can understand it?

Thanks much for that link.

Dale

:-)  :-)

-- 
www.myspace.com/dalek1967



Re: [gentoo-user] Setting up a home router

2007-01-15 Thread Daniel Pielmeier

Hmmm, me either.  I'm not sure about what it would be called.  Do you
have gkrellm installed?  Sometimes I use it to see where the traffic
is.  That is how I knew it was iptables in my other thread.  The data
was getting there because gkrellm was seeing it but my system was not.
No clue how one can see it and the other can't though.


No, I did not use gkrellm; I am just setting up the new desktop machine,
no X until now. I want to do the basics first!
--
gentoo-user@gentoo.org mailing list



RE: [gentoo-user] Setting up a home router

2007-01-15 Thread Nelson, David \(ED, PARD\)
 -Original Message-
 From: Daniel Pielmeier [mailto:[EMAIL PROTECTED]
 Sent: 14 January 2007 19:27
 To: gentoo-user@lists.gentoo.org
 Subject: [gentoo-user] Setting up a home router
 
 I can't ping from the desktop to the internet.
 ping www.gentoo.org
 PING www.gentoo.org (38.99.64.202) 56(84) bytes of data.
 
 --- www.gentoo.org ping statistics ---
 13 packets transmitted, 0 received, 100% packet loss, time 11999ms
 

I would check that you have done:

echo 1 > /proc/sys/net/ipv4/ip_forward

Also make sure ICMP isn't blocked anywhere.

David

Note: These views are my own, advice is provided with no guarantee of success. 
I do not represent anyone else in any emails I send to this list.
 

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-15 Thread Daniel Pielmeier

I would check that you have done:

echo 1 > /proc/sys/net/ipv4/ip_forward


I think this is set, but I will check again.


Also make sure ICMP isn't blocked anywhere.


I have only blocked ping from the internet to the firewall and nowhere else.
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-15 Thread Daniel Iliev
Daniel Pielmeier wrote:
 I would check that you have done:

 echo 1 > /proc/sys/net/ipv4/ip_forward

 I think this is set, but i will check again.

 Also make sure ICMP isn't blocked anywhere.

 I have only blocked ping from the internet to the firewall and nowhere
 else.


Send the output from iptables-save, please. Otherwise we could only
guess if the problem is with your firewall rules or somewhere else.

-- 
Best regards,
Daniel


-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-15 Thread Daniel Pielmeier

Send the output from iptables-save, please. Otherwise we could only
guess if the problem is with your firewall rules or somewhere else.


Ok, I will do that when I am back home. I thought the output from
iptables -L in my original post was enough.
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-15 Thread Hans-Werner Hilse
Hi,

On Sun, 14 Jan 2007 20:27:11 +0100 Daniel Pielmeier
[EMAIL PROTECTED] wrote:

 I can connect from the router to the internet.
 I can log in from the router to the desktop per ssh and back.
 I have set up an rsync on the router and rsync works from the desktop.
 I have set up dnsmasq on the server and dns is working on the desktop.
 I can ping between router and desktop and from the router to the
 internet
 [...]
 I can't ping from the desktop to the internet.

OK, so forwarding is broken.

 route
 
 Kernel IP routing table
 Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
 dslb-088-067-01 *               255.255.255.255 UH    0      0        0 ppp0
 localhost       *               255.255.255.0   U     0      0        0 eth0
 loopback        *               255.0.0.0       U     0      0        0 lo
 default         dslb-088-067-01 0.0.0.0         UG    0      0        0 ppp0

Looking at this, I wouldn't even expect it to work at all, since the
only route via eth0 is for localhost. But since you can connect
between router and desktop, I think you borked your /etc/hosts.
localhost clearly doesn't seem to be assigned to 127.0.0.1. So fix
your hostnames!


This here:

 /etc/hosts
 
 127.0.0.1   localhost
 192.168.0.1 gentoo-vdr.linux gentoo-vdr
 192.168.0.2 gentoo.linux gentoo
 ::1 localhost

just can't be true if the routes above are the complete routes and you
can connect to your desktop from the router.

Another option besides /etc/hosts may be a seriously broken dnsmasq config.

  For those who are not familiar with shorewall here are the
  generated iptables on the router.
 
 iptables -L -t filter
 
 Chain FORWARD (policy DROP)
 target prot opt source   destination

Empty FORWARD chain and policy DROP means everything not going to the
router itself is gonna be dropped.

Note that you made yourself a hard time since there's DROP and REJECT
(built-in targets) and you also reference Drop, drop, Reject and
reject targets. I never used shorewall, but if that naming is from
them, they are clearly freaks.

-hwh
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-15 Thread Daniel Pielmeier

 route

 Kernel IP routing table
 Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
 dslb-088-067-01 *               255.255.255.255 UH    0      0        0 ppp0
 localhost       *               255.255.255.0   U     0      0        0 eth0
 loopback        *               255.0.0.0       U     0      0        0 lo
 default         dslb-088-067-01 0.0.0.0         UG    0      0        0 ppp0

Looking at this, I wouldn't even expect it to work at all, since the
only route via eth0 is for localhost. But since you can connect
between router and desktop, I think you borked your /etc/hosts.
localhost clearly doesn't seem to be assigned to 127.0.0.1. So fix
your hostnames!


This here:

 /etc/hosts

 127.0.0.1   localhost
 192.168.0.1 gentoo-vdr.linux gentoo-vdr
 192.168.0.2 gentoo.linux gentoo
 ::1 localhost


I think localhost is assigned to 127.0.0.1, or did I misunderstand something?


just can't be true if the routes above are the complete routes and you
can connect to your desktop from the router.


I can connect from router to desktop and back; ping and ssh are
working. I can connect to the internet from the router, but I couldn't
do this from the desktop.


Another option besides /etc/hosts may be a seriously broken dnsmasq config.


I will post the config when I am back.


  For those who are not familiar with shorewall here are the
  generated iptables on the router.

 iptables -L -t filter

 Chain FORWARD (policy DROP)
 target prot opt source   destination

Empty FORWARD chain and policy DROP means everything not going to the
router itself is gonna be dropped.

Note that you made yourself a hard time since there's DROP and REJECT
(built-in targets) and you also reference Drop, drop, Reject and
reject targets. I never used shorewall, but if that naming is from
them, they are clearly freaks.


The whole iptables config is generated by shorewall; I recognised these
different namings too.
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-15 Thread Hans-Werner Hilse
Hi,

On Mon, 15 Jan 2007 11:45:13 +0100 Daniel Pielmeier
[EMAIL PROTECTED] wrote:

  This here:
 
   /etc/hosts
  
   127.0.0.1   localhost
   192.168.0.1 gentoo-vdr.linux gentoo-vdr
   192.168.0.2 gentoo.linux gentoo
   ::1 localhost
 
 I think localhost is assigned to 127.0.0.1, or did I misunderstand
 something?

No, that's (usually) correct. But in the route excerpt you've cited
above (please post route -n next time!) the route for localhost was
set to dev eth0. Also, the subnet was a /24 one, instead of the
usual /8 for localhost. So there's some inconsistency between that file
and the routes. The /etc/hosts you've shown looks good, please post
dnsmasq's config.

 The whole iptables config is generated by shorewall; I recognised these
 different namings too.

Hm, OK, you're sure the tables were empty and Gentoo's iptables save
feature doesn't somehow get in your way? But anyway, the NAT/forwarding
can't work for the reason I mentioned (empty FORWARD chain and DROP
policy).

-hwh
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-15 Thread Daniel Pielmeier

 I think localhost is assigned to 127.0.0.1, or did I misunderstand
 something?

No, that's (usually) correct. But in the route excerpt you've cited
above (please post route -n next time!) the route for localhost was
set to dev eth0. Also, the subnet was a /24 one, instead of the
usual /8 for localhost. So there's some inconsistency between that file
and the routes. The /etc/hosts you've shown looks good, please post
dnsmasq's config.


I will do that in the evening.


 The whole iptables config is generated by shorewall; I recognised these
 different namings too.

Hm, OK, you're sure the tables were empty and Gentoo's iptables save
feature doesn't somehow get in your way? But anyway, the NAT/forwarding
can't work for the reason I mentioned (empty FORWARD chain and DROP
policy).


Yes, I think they were empty; when I stop shorewall, iptables -L just
gives me empty tables. Also I never used iptables directly.
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-15 Thread Daniel Pielmeier

Send the output from iptables-save, please. Otherwise we could only
guess if the problem is with your firewall rules or somewhere else.


Here we go!

# Generated by iptables-save v1.3.5 on Mon Jan 15 19:09:43 2007
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:tcfor - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING -j tcpre
-A FORWARD -j tcfor
-A OUTPUT -j tcout
-A POSTROUTING -j tcpost
COMMIT
# Completed on Mon Jan 15 19:09:43 2007
# Generated by iptables-save v1.3.5 on Mon Jan 15 19:09:43 2007
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:ppp0_masq - [0:0]
-A POSTROUTING -o ppp0 -j ppp0_masq
-A ppp0_masq -s 192.168.0.0/255.255.255.0 -m policy --dir out --pol none -j MASQUERADE
COMMIT
# Completed on Mon Jan 15 19:09:43 2007
# Generated by iptables-save v1.3.5 on Mon Jan 15 19:09:43 2007
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Drop - [0:0]
:Reject - [0:0]
:all2all - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:eth0_fwd - [0:0]
:eth0_in - [0:0]
:fw2all - [0:0]
:fw2loc - [0:0]
:fw2net - [0:0]
:loc2all - [0:0]
:loc2fw - [0:0]
:loc2net - [0:0]
:loc_frwd - [0:0]
:logflags - [0:0]
:net2all - [0:0]
:net2fw - [0:0]
:net2loc - [0:0]
:net_frwd - [0:0]
:norfc1918 - [0:0]
:ppp0_fwd - [0:0]
:ppp0_in - [0:0]
:reject - [0:0]
:rfc1918 - [0:0]
:shorewall - [0:0]
:smurfs - [0:0]
:tcpflags - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ppp0 -j ppp0_in
-A INPUT -i eth0 -j eth0_in
-A INPUT -j Reject
-A INPUT -j LOG --log-prefix Shorewall:INPUT:REJECT: --log-level 6
-A INPUT -j reject
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i ppp0 -j ppp0_fwd
-A FORWARD -i eth0 -j eth0_fwd
-A FORWARD -j Reject
-A FORWARD -j LOG --log-prefix Shorewall:FORWARD:REJECT: --log-level 6
-A FORWARD -j reject
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o ppp0 -m policy --dir out --pol ipsec -j fw2net
-A OUTPUT -d 192.168.0.0/255.255.255.0 -o eth0 -m policy --dir out --pol ipsec -j fw2loc
-A OUTPUT -d 255.255.255.255 -o eth0 -j fw2loc
-A OUTPUT -d 224.0.0.0/240.0.0.0 -o eth0 -j fw2loc
-A OUTPUT -j Reject
-A OUTPUT -j LOG --log-prefix Shorewall:OUTPUT:REJECT: --log-level 6
-A OUTPUT -j reject
-A Drop -p tcp -m tcp --dport 113 -j reject
-A Drop -j dropBcast
-A Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A Drop -j dropInvalid
-A Drop -p udp -m multiport --dports 135,445 -j DROP
-A Drop -p udp -m udp --dport 137:139 -j DROP
-A Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A Drop -p udp -m udp --dport 1900 -j DROP
-A Drop -p tcp -j dropNotSyn
-A Drop -p udp -m udp --sport 53 -j DROP
-A Reject -p tcp -m tcp --dport 113 -j reject
-A Reject -j dropBcast
-A Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A Reject -j dropInvalid
-A Reject -p udp -m multiport --dports 135,445 -j reject
-A Reject -p udp -m udp --dport 137:139 -j reject
-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -j reject
-A Reject -p tcp -m multiport --dports 135,139,445 -j reject
-A Reject -p udp -m udp --dport 1900 -j DROP
-A Reject -p tcp -j dropNotSyn
-A Reject -p udp -m udp --sport 53 -j DROP
-A all2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A all2all -j Reject
-A all2all -j LOG --log-prefix Shorewall:all2all:REJECT: --log-level 6
-A all2all -j reject
-A dropBcast -m pkttype --pkt-type broadcast -j DROP
-A dropBcast -m pkttype --pkt-type multicast -j DROP
-A dropInvalid -m state --state INVALID -j DROP
-A dropNotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A eth0_fwd -m state --state INVALID,NEW -j dynamic
-A eth0_fwd -p tcp -m policy --dir in --pol none -j tcpflags
-A eth0_fwd -s 192.168.0.0/255.255.255.0 -m policy --dir in --pol ipsec -j loc_frwd
-A eth0_in -m state --state INVALID,NEW -j dynamic
-A eth0_in -p tcp -m policy --dir in --pol none -j tcpflags
-A eth0_in -s 192.168.0.0/255.255.255.0 -m policy --dir in --pol ipsec -j loc2fw
-A fw2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2all -j Reject
-A fw2all -j LOG --log-prefix Shorewall:fw2all:REJECT: --log-level 6
-A fw2all -j reject
-A fw2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2loc -p tcp -m tcp --dport 22 -j ACCEPT
-A fw2loc -j Reject
-A fw2loc -j LOG --log-prefix Shorewall:fw2loc:REJECT: --log-level 6
-A fw2loc -j reject
-A fw2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2net -j ACCEPT
-A loc2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2all -j Reject
-A loc2all -j LOG --log-prefix Shorewall:loc2all:REJECT: --log-level 6
-A loc2all -j reject
-A loc2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 22 -j ACCEPT
-A loc2fw -p udp -m udp --dport 123 -j ACCEPT
-A loc2fw -j Reject
-A loc2fw -j LOG --log-prefix 

Re: [gentoo-user] Setting up a home router

2007-01-15 Thread Daniel Pielmeier

 I think localhost is assigned to 127.0.0.1, or did I misunderstand
 something?

No, that's (usually) correct. But in the route excerpt you've cited
above (please post route -n next time!) the route for localhost was
set to dev eth0. Also, the subnet was a /24 one, instead of the
usual /8 for localhost. So there's some inconsistency between that file
and the routes. The /etc/hosts you've shown looks good, please post
dnsmasq's config.


Here are the files you have requested!

route -n on desktop

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0

route -n on router

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
88.67.16.1      0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         88.67.16.1      0.0.0.0         UG    0      0        0 ppp0

dnsmasq.conf on router

# Configuration file for dnsmasq.
#
# Format is one option per line, legal options are the same
# as the long options legal on the command line. See
# /usr/sbin/dnsmasq --help or man 8 dnsmasq for details.

# The following two options make you a better netizen, since they
# tell dnsmasq to filter out queries which the public DNS cannot
# answer, and which load the servers (especially the root servers)
# unnecessarily. If you have a dial-on-demand link they also stop
# these requests from bringing up the link unnecessarily.

# Never forward plain names (without a dot or domain part)
domain-needed
# Never forward addresses in the non-routed address spaces.
bogus-priv


# Uncomment this to filter useless windows-originated DNS requests
# which can trigger dial-on-demand links needlessly.
# Note that (amongst other things) this blocks all SRV requests,
# so don't use it if you use eg Kerberos.
# This option only affects forwarding, SRV records originating for
# dnsmasq (via srv-host= lines) are not suppressed by it.
#filterwin2k

# Change this line if you want dns to get its upstream servers from
# somewhere other that /etc/resolv.conf
#resolv-file=

# By  default,  dnsmasq  will  send queries to any of the upstream
# servers it knows about and tries to favour servers that are known
# to  be  up.  Uncommenting this forces dnsmasq to try each query
# with  each  server  strictly  in  the  order  they   appear   in
# /etc/resolv.conf
#strict-order

# If you don't want dnsmasq to read /etc/resolv.conf or any other
# file, getting its servers from this file instead (see below), then
# uncomment this
#no-resolv

# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
# files for changes and re-read them then uncomment this.
#no-poll

# Add other name servers here, with domain specs if they are for
# non-public domains.
#server=/localnet/192.168.0.1

# Add local-only domains here, queries in these domains are answered
# from /etc/hosts or DHCP only.
#local=/localnet/

# Add domains which you want to force to an IP address here.
# The example below send any host in doubleclick.net to a local
# webserver.
#address=/doubleclick.net/127.0.0.1

# If you want dnsmasq to change uid and gid to something other
# than the default, edit the following lines.
#user=
#group=

# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
interface=eth0
# Or you can specify which interface _not_ to listen on
#except-interface=
# Or which to listen on by address (remember to include 127.0.0.1 if
# you use this.)
#listen-address=
# If you want dnsmasq to provide only DNS service on an interface,
# configure it as shown above, and then use the following line to
# disable DHCP on it.
#no-dhcp-interface=

# On systems which support it, dnsmasq binds the wildcard address,
# even when it is listening on only some interfaces. It then discards
# requests that it shouldn't reply to. This has the advantage of
# working even when interfaces come and go and change address. If you
# want dnsmasq to really bind only the interfaces it is listening on,
# uncomment this option. About the only time you may need this is when
# running another nameserver on the same machine.
#bind-interfaces

# If you don't want dnsmasq to read /etc/hosts, uncomment the
# following line.
#no-hosts
# or if you want it to read another file, as well as /etc/hosts, use
# this.
#addn-hosts=/etc/banner_add_hosts

# Set this (and domain: see below) if you want to have a domain
# automatically added to simple names in a hosts-file.
#expand-hosts

# Set the 

Re: [gentoo-user] Setting up a home router

2007-01-15 Thread Daniel Pielmeier

Another thing that makes me wonder is that the home router guide
mentioned nothing about name_servers or gateways.

According to the guide this line seems to be enough:

config_eth0=( "192.168.0.2 broadcast 192.168.0.255 netmask 255.255.255.0" )

But without the routes setting I get "network unreachable" when I try to ping:
routes_eth0=( "default via 192.168.0.1" )

and without the dns_servers setting the IP addresses are not resolved:
dns_servers_eth0=( "192.168.0.1" )

I have also seen the gateways setting in my searches; which is the
right one, routes or gateways, and what is the difference?
gateways_eth0=192.168.0.1
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-15 Thread Hans-Werner Hilse
Hi,

On Mon, 15 Jan 2007 19:23:53 +0100
Daniel Pielmeier [EMAIL PROTECTED] wrote:

  No, that's (usually) correct. But in the route excerpt you've cited
  above (please post route -n next time!) the route for localhost was
  set to dev eth0. Also, the subnet was a /24 one, instead of the
  usual /8 for localhost. So there's some inconsistency between that file
  and the routes. The /etc/hosts you've shown looks good, please post
  dnsmasq's config.
 
 Here are the files you have requested!
 
 route -n on router
 
 Kernel IP routing table
 Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
 88.67.16.1      0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
 0.0.0.0         88.67.16.1      0.0.0.0         UG    0      0        0 ppp0

Ah, OK, so *this* is fine. The route for eth0 is correct. So it's just
the name resolving on the router that returns localhost when being
asked for the hostname for 192.168.0.1.

Since all of this isn't about name resolving, we probably can even
leave out that dnsmasq thingy. But your config is essentially this:

 interface=eth0
 dhcp-range=192.168.0.1,192.168.0.255,72h

If this is supposed to work, choose another beginning of that range, at
least 192.168.0.2. But I think dnsmasq is even clever enough not to
issue its own address to clients.

I'll write a separate post about the firewalling issues in a moment.

-hwh
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-15 Thread Hans-Werner Hilse
Hi,

On Mon, 15 Jan 2007 19:17:45 +0100
Daniel Pielmeier [EMAIL PROTECTED] wrote:

  Send the output from iptables-save, please. Otherwise we could only
  guess if the problem is with your firewall rules or somewhere else.
 
 Here we go!
 
 # Generated by iptables-save v1.3.5 on Mon Jan 15 19:09:43 2007
 [...]

everything looks fine. I'm not quite sure about the policy module, I
never used it and it is somehow being used to check the direction
of packets. Maybe someone else can comment.

So remaining things to check would be
- where do packets do what? Use tcpdump on the router to monitor
  how packets flow. Don't cite all the output, but look at where
  packets are coming and going. Two terminals with tcpdump -i eth0
  and tcpdump -i ppp0 would tell you that. Send a few pings from the
  desktop to the internet. Also try pinging an IP from the desktop, not
  just hostnames (to rule out nameserver borkage).
- is forwarding actually really enabled? Just cat the
  relevant /proc/sys/net/ipv4/ip_forward.


-hwh
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-15 Thread Daniel Pielmeier

- is forwarding actually really enabled? Just cat the
  relevant /proc/sys/net/ipv4/ip_forward.


cat /proc/sys/net/ipv4/ip_forward
returns 1


So remaining things to check would be
- where do packets do what? Use tcpdump on the router to monitor
  how packets flow. Don't cite all the output, but look at where
  packets are coming and going. Two terminals with tcpdump -i eth0
  and tcpdump -i ppp0 would tell you that. Send a few pings from the
  desktop to the internet. Also try pinging an IP from the desktop, not
  just hostnames (to rule out nameserver borkage).


Here is what tcpdump returns!

ping to www.google.de from the desktop

ping -c5 209.85.135.147
PING 209.85.135.147 (209.85.135.147) 56(84) bytes of data.

--- 209.85.135.147 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4000ms


tcpdump -i ppp0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
00:23:34.170023 IP dslb-088-065-173-238.pools.arcor-ip.net.32864 > dns1.arcor-ip.de.domain:  62186+ PTR? 147.135.85.209.in-addr.arpa. (45)
00:23:34.170885 IP dslb-088-065-173-238.pools.arcor-ip.net.32865 > dns1.arcor-ip.de.domain:  49362+ PTR? 11.2.253.145.in-addr.arpa. (43)
00:23:34.186127 IP dns1.arcor-ip.de.domain > dslb-088-065-173-238.pools.arcor-ip.net.32864:  62186 NXDomain 0/1/0 (105)
00:23:34.192706 IP dns1.arcor-ip.de.domain > dslb-088-065-173-238.pools.arcor-ip.net.32865:  49362 1/0/0 (73)
00:23:34.193083 IP dslb-088-065-173-238.pools.arcor-ip.net.32865 > dns1.arcor-ip.de.domain:  55934+ PTR? 238.173.65.88.in-addr.arpa. (44)
00:23:34.250939 IP dns1.arcor-ip.de.domain > dslb-088-065-173-238.pools.arcor-ip.net.32865:  55934 1/0/0 (97)
00:23:44.770408 IP cpc1-pnth1-0-0-cust807.cdif.cable.ntl.com.18730 > dslb-088-065-173-238.pools.arcor-ip.net.13040: UDP, length 98
00:23:44.770494 IP dslb-088-065-173-238.pools.arcor-ip.net > cpc1-pnth1-0-0-cust807.cdif.cable.ntl.com: ICMP dslb-088-065-173-238.pools.arcor-ip.net udp port 13040 unreachable, length 134
00:23:44.770752 IP dslb-088-065-173-238.pools.arcor-ip.net.32865 > dns1.arcor-ip.de.domain:  21398+ PTR? 40.23.6.82.in-addr.arpa. (41)
00:23:44.820873 IP dns1.arcor-ip.de.domain > dslb-088-065-173-238.pools.arcor-ip.net.32865:  21398 1/0/0 (96)
00:23:46.085482 IP 222.69.242.140.19774 > dslb-088-065-173-238.pools.arcor-ip.net.13040: UDP, length 98
00:23:46.085566 IP dslb-088-065-173-238.pools.arcor-ip.net > 222.69.242.140: ICMP dslb-088-065-173-238.pools.arcor-ip.net udp port 13040 unreachable, length 134
00:23:46.085811 IP dslb-088-065-173-238.pools.arcor-ip.net.32865 > dns1.arcor-ip.de.domain:  28846+ PTR? 140.242.69.222.in-addr.arpa. (45)
00:23:46.509496 IP dns1.arcor-ip.de.domain > dslb-088-065-173-238.pools.arcor-ip.net.32865:  28846 NXDomain 0/1/0 (105)
00:23:52.092567 IP 222.69.242.140.19774 > dslb-088-065-173-238.pools.arcor-ip.net.13040: UDP, length 98
00:23:52.092624 IP dslb-088-065-173-238.pools.arcor-ip.net > 222.69.242.140: ICMP dslb-088-065-173-238.pools.arcor-ip.net udp port 13040 unreachable, length 134
00:23:54.447053 IP dslb-084-057-191-176.pools.arcor-ip.net.3158 > dslb-088-065-173-238.pools.arcor-ip.net.epmap: S 2228649193:2228649193(0) win 53760 <mss 1412,nop,wscale 3,nop,nop,timestamp 0 0,nop,nop,sackOK>
00:23:54.447386 IP dslb-088-065-173-238.pools.arcor-ip.net.32865 > dns1.arcor-ip.de.domain:  55370+ PTR? 176.191.57.84.in-addr.arpa. (44)
00:23:54.463773 IP dns1.arcor-ip.de.domain > dslb-088-065-173-238.pools.arcor-ip.net.32865:  55370 1/0/0 (97)

tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
00:23:32.895513 IP gentoo-vdr.linux.net.54934 > gentoo.linux.net.ssh:
P 2356170685:2356170733(48) ack 1373265494 win 1034 <nop,nop,timestamp
1888728 4586914>
00:23:32.895566 IP gentoo.linux.net.ssh > gentoo-vdr.linux.net.54934:
P 1:49(48) ack 48 win 81 <nop,nop,timestamp 4721101 1888728>
00:23:32.895604 IP gentoo-vdr.linux.net.54934 > gentoo.linux.net.ssh:
. ack 49 win 1034 <nop,nop,timestamp 1888728 4721101>
00:23:33.913406 IP gentoo-vdr.linux.net.36415 > gentoo.linux.net.ssh:
P 220729975:220730023(48) ack 3542615936 win 5880 <nop,nop,timestamp
129 4706313>
00:23:33.913491 IP gentoo.linux.net.ssh > gentoo-vdr.linux.net.36415:
P 1:65(64) ack 48 win 116 <nop,nop,timestamp 4721355 129>
00:23:33.913528 IP gentoo-vdr.linux.net.36415 > gentoo.linux.net.ssh:
. ack 65 win 5880 <nop,nop,timestamp 129 4721355>
00:23:34.168115 IP gentoo-vdr.linux.net.36415 > gentoo.linux.net.ssh:
P 48:96(48) ack 65 win 5880 <nop,nop,timestamp 155 4721355>
00:23:34.168191 IP gentoo.linux.net.ssh > gentoo-vdr.linux.net.36415:
P 65:113(48) ack 96 win 116 <nop,nop,timestamp 4721419 155>
00:23:34.168229 IP gentoo-vdr.linux.net.36415 > gentoo.linux.net.ssh:
. ack 113 win 5880 <nop,nop,timestamp 155 4721419>
00:23:34.168756 IP gentoo.linux.net.ssh > gentoo-vdr.linux.net.36415:
P 113:209(96) ack 96 win 116 

Re: [gentoo-user] Setting up a home router

2007-01-15 Thread Hans-Werner Hilse
Hi,

On Tue, 16 Jan 2007 00:30:30 +0100
Daniel Pielmeier [EMAIL PROTECTED] wrote:

  - is forwarding actually really enabled? Just cat the
relevant /proc/sys/net/ipv4/ip_forward.
 
 cat /proc/sys/net/ipv4/ip_forward
 returns 1
 
  So remaining things to check would be
  - where do packets do what? Use tcpdump on the router to monitor
how packets flow. Don't cite all the output, but look at where
packets are coming and going. Two terminals with tcpdump -i eth0
and tcpdump -i ppp0 would tell you that. Send a few pings from the
desktop to the internet. Also try pinging an IP from the desktop, not
just hostnames (to rule out nameserver borkage).
 
 Here is what tcpdump returns!
 [...]

That's what I wanted to avoid with asking for not citing everything :-)

But everything looks quite normal, except for that packets aren't
routed. So it's up to somebody else to tell exactly what that policy
module in iptables does -- and how. I don't have answers left here --
except for the case that a manual iptables setup is sufficient.

Personally, I'm quite happy with

$ iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
$ iptables -A FORWARD -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$ iptables -A FORWARD -i ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

for the forwarding. All that fancy-schmanzy stuff that shorewall does
isn't in there, granted.

-hwh
-- 
gentoo-user@gentoo.org mailing list
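As an added example, not from hwh's post: the three rules above next to a default-deny variant, printed rather than applied so the two can be compared before anything touches the running tables. The posted set forwards NEW connections arriving on ppp0 into the LAN; the variant admits only replies from that side, and the ip_forward check from earlier in the post is included. Interface names are the thread's (ppp0 outside, eth0 LAN); the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Emits the iptables commands for a
# two-interface NAT router so they can be reviewed before being applied.
# Interface names follow the thread: ppp0 outside, eth0 on the LAN.

# The three rules as posted: FORWARD keeps its ACCEPT policy and NEW
# connections arriving on the internet side are forwarded into the LAN.
forward_rules_permissive() {
    extif=$1; intif=$2
    printf '%s\n' \
      "iptables -t nat -A POSTROUTING -o $extif -j MASQUERADE" \
      "iptables -A FORWARD -i $intif -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT" \
      "iptables -A FORWARD -i $extif -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# Default-deny variant: the LAN may open connections outward, the internet
# side only gets replies to connections the LAN started, everything else
# hits the DROP policy. Same NAT line as the post.
forward_rules_strict() {
    extif=$1; intif=$2
    printf '%s\n' \
      "iptables -P FORWARD DROP" \
      "iptables -t nat -A POSTROUTING -o $extif -j MASQUERADE" \
      "iptables -A FORWARD -m state --state INVALID -j DROP" \
      "iptables -A FORWARD -i $intif -o $extif -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT" \
      "iptables -A FORWARD -i $extif -o $intif -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Count the rules on stdin that admit NEW connections arriving on $1
# (grep -c prints 0 and exits 1 when nothing matches, hence the || true).
count_new_from() {
    grep -c -- "-i $1 .*--state NEW" || true
}

# hwh's first check: is forwarding switched on? Takes the sysctl file
# path as an argument so it can be pointed at a test file.
forwarding_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

main() {
    if forwarding_enabled /proc/sys/net/ipv4/ip_forward; then
        echo "# ip_forward=1"
    else
        echo "# ip_forward is not 1: nothing is routed whatever the rules say"
    fi
    echo "# permissive (as posted), rules admitting NEW from ppp0: $(forward_rules_permissive ppp0 eth0 | count_new_from ppp0)"
    forward_rules_permissive ppp0 eth0
    echo "# strict, rules admitting NEW from ppp0: $(forward_rules_strict ppp0 eth0 | count_new_from ppp0)"
    forward_rules_strict ppp0 eth0
}
main
```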



Re: [gentoo-user] Setting up a home router

2007-01-15 Thread Dale
Hans-Werner Hilse wrote:
 Hi,

 On Tue, 16 Jan 2007 00:30:30 +0100
 Daniel Pielmeier [EMAIL PROTECTED] wrote:

   
 - is forwarding actually really enabled? Just cat the
   relevant /proc/sys/net/ipv4/ip_forward.
   
 cat /proc/sys/net/ipv4/ip_forward
 returns 1

 
 So remaining things to check would be
 - where do packets do what? Use tcpdump on the router to monitor
   how packets flow. Don't cite all the output, but look at where
   packets are coming and going. Two terminals with tcpdump -i eth0
   and tcpdump -i ppp0 would tell you that. Send a few pings from the
   desktop to the internet. Also try pinging an IP from the desktop, not
   just hostnames (to rule out nameserver borkage).
   
 Here is what tcpdump returns!
 [...]
 

 That's what I wanted to avoid with asking for not citing everything :-)

 But everything looks quite normal, except for that packets aren't
 routed. So it's up to somebody else to tell exactly what that policy
 module in iptables does -- and how. I don't have answers left here --
 except for the case that a manual iptables setup is sufficient.

 Personally, I'm quite happy with

 $ iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
 $ iptables -A FORWARD -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 $ iptables -A FORWARD -i ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

 for the forwarding. All that fancy-schmanzy stuff that shorewall does
 isn't in there, granted.

 -hwh
   

Well, I got lucky.  I'm not real sure what I did to be honest.  Here is
my main box that is connected to the net:

 [EMAIL PROTECTED] / # route
 Kernel IP routing table
 Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
 nas2.greenwood1 *               255.255.255.255 UH    0      0        0 ppp0
 192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
 loopback        *               255.0.0.0       U     0      0        0 lo
 default         nas2.greenwood1 0.0.0.0         UG    0      0        0 ppp0
 [EMAIL PROTECTED] / #

 [EMAIL PROTECTED] / # iptables -L
 Chain INPUT (policy ACCEPT)
 target prot opt source   destination

 Chain FORWARD (policy ACCEPT)
 target prot opt source   destination

 Chain OUTPUT (policy ACCEPT)
 target prot opt source   destination
 [EMAIL PROTECTED] / #

This is from the second rig:

 swifty ~ # route
 Kernel IP routing table
 Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
 192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
 loopback        *               255.0.0.0       U     0      0        0 lo
 default         smoker          0.0.0.0         UG    0      0        0 eth0
 swifty ~ #

No iptables on this one.  I don't know what I did but it all works.  I
guess even I get lucky sometimes.  :-O

Dale

:-)  :-)  :-)




-- 
www.myspace.com/dalek1967



Re: [gentoo-user] Setting up a home router

2007-01-15 Thread Daniel Iliev

Again the quick & dirty solution:

/etc/init.d/iptables stop
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
/etc/init.d/iptables save
rc-update -a iptables default
/etc/init.d/iptables start



-- 
Best regards,
Daniel


-- 
gentoo-user@gentoo.org mailing list



[gentoo-user] Setting up a home router

2007-01-14 Thread Daniel Pielmeier

Hi,

I have a similar problem to Dale's in this thread [gentoo-user] Need
help networking two machines, but I think it is not exactly the same.

I was trying to set up a home router following the
gentoo-home-router-guide
http://www.gentoo.org/doc/de/home-router-howto.xml
with shorewall as firewall following the two-interfaces-guide
http://www.shorewall.net/two-interface.htm.

I can connect from the router to the internet.
I can log in from the router to the desktop via ssh and back.
I have set up an rsync on the router and rsync works from the desktop.
I have set up dnsmasq on the server and DNS is working on the desktop.
I can ping between router and desktop and from the router to the internet.

I have set up an ntp on the router but ntp from the desktop gives me:
14 Jan 20:25:53 ntpdate[31522]: no server suitable for synchronization found

I can't ping from the desktop to the internet.
ping www.gentoo.org
PING www.gentoo.org (38.99.64.202) 56(84) bytes of data.

--- www.gentoo.org ping statistics ---
13 packets transmitted, 0 received, 100% packet loss, time 11999ms

As you can see the address is resolved but I get 100% packet loss.
Until now I have spent much time on these issues, so I hope to solve
these problems with your help.
I have added the configurations which may help you to discover my
problem below. First the router configuration and then the desktop
configuration.
I hope I did not forget anything as there is a lot of it, but if anything
you need is missing please ask for it.

Thanks Daniel




router: gentoo-vdr configuration



lspci

eth0
02:01.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8169
Gigabit Ethernet (rev 10)

eth1
02:06.0 Ethernet controller: Realtek Semiconductor Co., Ltd.
RTL-8139/8139C/8139C+ (rev 10)


ifconfig

eth0      Link encap:Ethernet  HWaddr 00:11:F0:00:0D:96
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:198008 errors:0 dropped:0 overruns:0 frame:0
          TX packets:194409 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:50101373 (47.7 Mb)  TX bytes:129993047 (123.9 Mb)
          Interrupt:18 Base address:0xc000

eth1      Link encap:Ethernet  HWaddr 00:10:DC:2B:D4:CF
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:77637 errors:0 dropped:0 overruns:0 frame:0
          TX packets:63189 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:93609244 (89.2 Mb)  TX bytes:7282392 (6.9 Mb)
          Interrupt:19

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1236 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1236 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:86198 (84.1 Kb)  TX bytes:86198 (84.1 Kb)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:88.67.24.46  P-t-P:88.67.16.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:163 errors:0 dropped:0 overruns:0 frame:0
          TX packets:118 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:12249 (11.9 Kb)  TX bytes:8557 (8.3 Kb)


route

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
dslb-088-067-01 *               255.255.255.255 UH    0      0        0 ppp0
localhost       *               255.255.255.0   U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         dslb-088-067-01 0.0.0.0         UG    0      0        0 ppp0


shorewall-config

/etc/shorewall/interfaces

#ZONE   INTERFACE       BROADCAST       OPTIONS
net     ppp0            -               tcpflags,norfc1918
loc     eth0            detect          tcpflags,detectnets


/etc/shorewall/masq

#INTERFACE      SUBNET  ADDRESS         PROTO   PORT(S) IPSEC
ppp0            eth0


/etc/shorewall/policy

#SOURCE DEST    POLICY  LOG     LIMIT:BURST
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# on your firewall, change the loc to net policy to REJECT info.
loc     net     ACCEPT
loc     $FW     REJECT  info
loc     all     REJECT  info

# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.
$FW     net     ACCEPT
$FW     loc     REJECT  info
$FW     all     REJECT  info

# 
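An added example that is not part of Daniel's post: a small audit of `iptables-save` output for the two things that produce exactly this symptom once ip_forward is 1, a MASQUERADE out of ppp0 and a FORWARD path from eth0 to ppp0. The two rulesets inside are constructed samples, not Daniel's actual tables, the checks assume the `-m state` rule form used in this thread, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Reads the text of `iptables-save`
# and reports whether a LAN host behind $INTIF can reach the internet via
# $EXTIF: the nat table must MASQUERADE what leaves $EXTIF and the filter
# FORWARD chain must admit new $INTIF -> $EXTIF connections. With
# ip_forward=1, these two places give "names resolve (dnsmasq answers
# from the router itself) but every ping is lost".

# Constructed sample: a ruleset that drops all forwarded traffic.
BROKEN='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# Constructed sample: the same router with NAT and forwarding in place.
WORKING='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# Print the lines of table $1 (from "*$1" to its COMMIT) out of dump $2.
table() { printf '%s\n' "$2" | sed -n "/^\*$1\$/,/^COMMIT/p"; }

# True if the nat table masquerades traffic leaving interface $1.
has_masquerade() {
    table nat "$2" | grep -q -- "^-A POSTROUTING .*-o $1 .*-j MASQUERADE"
}

# True if filter/FORWARD admits NEW connections from $1 out via $2: an
# ACCEPT rule for that pair (with or without -o, as in hwh's rules) whose
# state match, if any, includes NEW; or an ACCEPT policy with no
# DROP/REJECT rule in the chain.
forward_allowed() {
    f=$(table filter "$3")
    printf '%s\n' "$f" | grep -qE -- "^-A FORWARD -i $1 (-o $2 )?(-m state --state [A-Z,]*NEW[A-Z,]* )?-j ACCEPT" && return 0
    printf '%s\n' "$f" | grep -q -- "^:FORWARD ACCEPT" || return 1
    ! printf '%s\n' "$f" | grep -qE -- "^-A FORWARD .*-j (DROP|REJECT)"
}

# Run both checks on dump $3 and explain; exit status 0 when both pass.
diagnose() {
    ok=0
    if has_masquerade "$2" "$3"; then echo "nat: MASQUERADE out of $2 present"
    else echo "nat: no MASQUERADE out of $2, replies have no way back"; ok=1; fi
    if forward_allowed "$1" "$2" "$3"; then echo "filter: FORWARD $1 -> $2 allowed"
    else echo "filter: FORWARD $1 -> $2 blocked, LAN traffic dies on the router"; ok=1; fi
    return $ok
}

echo "== broken =="; diagnose eth0 ppp0 "$BROKEN" || true
echo "== working =="; diagnose eth0 ppp0 "$WORKING"
```

On a real router the same functions take `"$(iptables-save)"` as the dump argument.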

Re: [gentoo-user] Setting up a home router

2007-01-14 Thread Dale
Daniel Pielmeier wrote:
 Hi,

 I have a similar problem to Dale's in this thread [gentoo-user] Need
 help networking two machines, but I think it is not exactly the same.

 I was trying to set up a home router following the
 gentoo-home-router-guide
 http://www.gentoo.org/doc/de/home-router-howto.xml
 with shorewall as firewall following the two-interfaces-guide
 http://www.shorewall.net/two-interface.htm.

 I can connect from the router to the internet.
 I can log in from the router to the desktop via ssh and back.
 I have set up an rsync on the router and rsync works from the desktop.
 I have set up dnsmasq on the server and DNS is working on the desktop.
 I can ping between router and desktop and from the router to the internet.

 I have set up an ntp on the router but ntp from the desktop gives me:
 14 Jan 20:25:53 ntpdate[31522]: no server suitable for synchronization
 found

 I can't ping from the desktop to the internet.
 ping www.gentoo.org
 PING www.gentoo.org (38.99.64.202) 56(84) bytes of data.

 --- www.gentoo.org ping statistics ---
 13 packets transmitted, 0 received, 100% packet loss, time 11999ms

 As you can see the address is resolved but I get 100% packet loss.
 Until now I have spent much time on these issues, so I hope to solve
 these problems with your help.
 I have added the configurations which may help you to discover my
 problem below. First the router configuration and then the desktop
 configuration.
 I hope I did not forget anything as there is a lot of it, but if anything
 you need is missing please ask for it.

 Thanks Daniel



Hi,

I used this script a long time ago.  It worked until iptables got
changed.  It still worked but it gave a few errors.  Maybe some guru can
look at this and update it for us both.  Then maybe I can get someone to
upgrade the script on the site.  I had to edit the very first bit about
which interface is what.  Here it is:

 #!/bin/bash
  IPTABLES='/sbin/iptables'
 # Set interface values
  EXTIF='ppp0'
  #INTIF0='eth0'
  INTIF1='eth0'
  INTIF2='eth1'
  INTIF3='eth2'

 # enable ip forwarding in the kernel
  /bin/echo 1 > /proc/sys/net/ipv4/ip_forward
 # flush rules and delete chains
  $IPTABLES -F
  $IPTABLES -X
 # enable masquerading to allow LAN internet access
  $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
 # forward LAN traffic from $INTIF1 to Internet interface $EXTIF
  $IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT
 # forward LAN traffic from $INTIF2 to Internet interface $EXTIF
  $IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -m state --state
 #NEW,ESTABLISHED -j ACCEPT
  #echo -e- Allowing access to the SSH server
  $IPTABLES -A INPUT --protocol ssh --dport 22 -j ACCEPT
  #echo -e- Allowing access to the HTTP server
  $IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT
 # block out all other Internet access on $EXTIF
  $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
  $IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP


OK.  Now some guru help us out here.  LOL  I got to redo my install on
my second machine.  I rebooted it and it is in awful shape.  I think
something is wrong with an init script.  It boots the kernel but errors
out trying to enter a run level.  Portage can't complete a compile
either.  It complains about the date not being set, but it is.  I need
to get the rust out anyway on installing.  Yup, the old command line
way.  I boot gentoo nox.  LOL  I have to use the 2005.1 install guide
though.  :-(

Supper time.

Dale

:-)  :-)  :-)  :-)


-- 
www.myspace.com/dalek1967

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-14 Thread Daniel Pielmeier

I used this script a long time ago.  It worked until iptables got
changed.  It still worked but it gave a few errors.  Maybe some guru can
look at this and update it for us both.  Then maybe I can get someone to
upgrade the script on the site.  I had to edit the very first bit about
which interface is what.  Here it is:


I have tested your script! Do you get an error like this:
iptables v1.3.5: unknown protocol `ssh' specified

I am not sure if it is right but i have replaced this line

$IPTABLES -A INPUT --protocol ssh --dport 22 -j ACCEPT
by
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT

and the error disappears.

For me using these iptables rules didn't work, I still can't ping the
internet from my desktop and also get the error message from the
ntp-client on my desktop.

Any other suggestions?




Here is how i changed the script to fit my needs!

#!/bin/bash

IPTABLES='/sbin/iptables'

# Set interface values
EXTIF='ppp0'
#INTIF0='eth0'
INTIF1='eth0'
INTIF2='eth1'

# enable ip forwarding in the kernel
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

# flush rules and delete chains
$IPTABLES -F
$IPTABLES -X

# enable masquerading to allow LAN internet access
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

# forward LAN traffic from $INTIF1 to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT

# forward LAN traffic from $INTIF2 to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT

#echo -e- Allowing access to the SSH server
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT

#echo -e- Allowing access to the HTTP server
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT

# block out all other Internet access on $EXTIF
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-14 Thread Thomas Lingefelt

Honestly for making a router ShoreWall really helps out.  Shorewall is
basically a set of scripts that read configuration files that you set up
and then interacts with iptables for you.

http://www.shorewall.net/
http://www.shorewall.net/shorewall_quickstart_guide.htm

Thomas

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-14 Thread Dale
Daniel Pielmeier wrote:
 I used this script a long time ago.  It worked until iptables got
 changed.  It still worked but it gave a few errors.  Maybe some guru can
 look at this and update it for us both.  Then maybe I can get someone to
 upgrade the script on the site.  I had to edit the very first bit about
 which interface is what.  Here it is:

 I have tested your script! Do you get an error like this:
 iptables v1.3.5: unknown protocol `ssh' specified

 I am not sure if it is right but i have replaced this line

 $IPTABLES -A INPUT --protocol ssh --dport 22 -j ACCEPT
 by
 $IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT

 and the error disappears.

 For me using these iptables rules didn't work, I still can't ping the
 internet from my desktop and also get the error message from the
 ntp-client on my desktop.

 Any other suggestions?




 Here is how i changed the script to fit my needs!

 #!/bin/bash

 IPTABLES='/sbin/iptables'

 # Set interface values
 EXTIF='ppp0'
 #INTIF0='eth0'
 INTIF1='eth0'
 INTIF2='eth1'

 # enable ip forwarding in the kernel
 /bin/echo 1 > /proc/sys/net/ipv4/ip_forward

 # flush rules and delete chains
 $IPTABLES -F
 $IPTABLES -X

 # enable masquerading to allow LAN internet access
 $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

 # forward LAN traffic from $INTIF1 to Internet interface $EXTIF
 $IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT

 # forward LAN traffic from $INTIF2 to Internet interface $EXTIF
 $IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT

 #echo -e- Allowing access to the SSH server
 $IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT

 #echo -e- Allowing access to the HTTP server
 $IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT

 # block out all other Internet access on $EXTIF
 $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
 $IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP

Are you on dial-up too?  The EXTIF='ppp0' may need to be eth0 for you if
you are using a DSL or cable connection.

I'm not real sure about any of this stuff really.  I need to get a book
on iptables and a whole lot of other things too.  Because of my health I
can't sit at the puter long enough to learn anything.  I can read a book
in bed then.

I'll see if I can think of something else.  Maybe some guru can help us
both out.  I need that to work too.  hmm, come to think of it, I have a
thread on the forums.  Try this:

http://forums.gentoo.org/viewtopic-t-249167-highlight-iptables.html

That may help.  I tend to ramble a bit.  Sorry.

Dale

:-)  :-)  :-)

-- 
www.myspace.com/dalek1967

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-14 Thread Dale
Thomas Lingefelt wrote:
 Honestly for making a router ShoreWall really helps out.  Shorewall is
 basically a set of scripts that read configuration files that you set up
 and then interacts with iptables for you.

 http://www.shorewall.net/
 http://www.shorewall.net/shorewall_quickstart_guide.htm

 Thomas


If you have webmin installed, webmin can take care of some of this, both
iptables and shorewall.  It's GUI too.  ;-)  Maybe you know enough about
it to figure out to get webmin to do it.  Webmin is pretty cool.  I used
it to set up Samba once.

Dale

:-)  :-)  :-)  :-)



-- 
www.myspace.com/dalek1967

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-14 Thread Daniel Pielmeier

Are you on dial-up too?  The EXTIF='ppp0' may need to be eth0 for you if
you are using a DSL or cable connection.


I use an adsl-modem to connect to the internet. It is configured over
eth1 but the connection runs over ppp0 so I think this is right, but I
am not sure.
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Setting up a home router

2007-01-14 Thread Dale
Daniel Pielmeier wrote:
 Are you on dial-up too?  The EXTIF='ppp0' may need to be eth0 for you if
 you are using a DSL or cable connection.

 I use an adsl-modem to connect to the internet. It is configured over
 eth1 but the connection runs over ppp0 so I think this is right, but I
 am not sure.

Hmmm, me either.  I'm not sure about what it would be called.  Do you
have gkrellm installed?  Sometimes I use it to see where the traffic
is.  That is how I knew it was iptables in my other thread.  The data
was getting there because gkrellm was seeing it but my system was not. 
No clue how one can see it and the other can't though.

Dale

:-)  :-)  :-)

-- 
www.myspace.com/dalek1967

-- 
gentoo-user@gentoo.org mailing list