uuufz, after 30 min debugging session I feel like a private investigator...
O.k. it seems firewall.conf is irrelevant because in /usr/share/arno-iptable-firewall/environment another config file is called /usr/share/arno-iptable-firewall/astlinux.shim, which overrides all settings :-(

It seems to derive the setting of INTERNAL_NET from the internal interfaces defined on the network panel (and stored in INTIF, INTIP, INT2IF, etc...)

Now, I can't set another INTIF because it would be on the same interface. I tried that and the result was a "bricked" router (well, I opened it and changed the config back directly on the CF card).

Tom Chadwin wrote:
> Try editing /mnt/kd/arno-iptables-firewall/firewall.conf
>
> Tom
>
>> -----Original Message-----
>> From: Michael [mailto:[email protected]]
>> Sent: 14 July 2010 15:13
>> To: [email protected]
>> Subject: Re: [Astlinux-users] Static routes
>>
>> Well, reading through the FAQ of arno's firewall, it should be as easy as specifying
>>
>> INTERNAL_NET="192.168.0.0/24" in firewall.conf
>>
>> Strangely, if I modify /etc/arnos-iptables-firewall/firewall.conf accordingly, nothing changes. All iptable entries remain the same (as verified with iptables -L after restart of arnos firewall).
>>
>> Michael wrote:
>>
>> > Hmm, I am not even able to add a rule to the firewall to forward data from 192.168.0.128/25 to EXTIF
>> >
>> > :-(
>> >
>> > This seems to be more complex than I thought. After adding the route to the astlinux box, the subnet is freely reachable within the LAN, but it cannot access the internet.
>> >
>> > Is there somewhere a good tutorial to arno's firewall?
>> >
>> > Thanks
>> >
>> > Michael
>> >
>> > Michael wrote:
>> >
>> >> Hi Tom
>> >>
>> >> Thanks for the answer.
>> >>
>> >> Using elocal was what I had in mind. However, the firewall rules also need to be adapted.
>> >>
>> >> The case on doc.astlinux.org refers to the astlinux net being a subnet.
>> >> In my case the astlinux is the main net with an activated firewall to the internet.
>> >>
>> >> If I understand the firewall config correctly, it only forwards data between the EXTIF and the INFIF for the nets that are defined on the network tab.
>> >> This means in my case 192.168.0.0/25 (netmask 255.255.255.128).
>> >>
>> >> The subnet of my LAN has 192.168.0.128/25 (netmask 255.255.255.128).
>> >>
>> >> The route command allows astlinux to route the packages for the subnet correctly. But the firewall will only allow 192.168.0.0/25 to traverse to the internet.
>> >>
>> >> It might be possible to add custom rules into arnos firewall. But there might also be a simpler way, I hope...
>> >>
>> >> Michael
>> >>
>> >> Tom Chadwin wrote:
>> >>
>> >>> Hi Michael
>> >>>
>> >>> See if the instructions on the following page suit your requirements:
>> >>>
>> >>> http://doc.astlinux.org/userdoc:tt_network_config
>> >>>
>> >>> Cheers
>> >>>
>> >>> Tom
>> >>>
>> >>>> -----Original Message-----
>> >>>> From: Michael [mailto:[email protected]]
>> >>>> Sent: 14 July 2010 09:31
>> >>>> To: [email protected]
>> >>>> Subject: [Astlinux-users] Static routes
>> >>>>
>> >>>> Hello
>> >>>>
>> >>>> Just a short question: Where would I add static routes into astlinux?
>> >>>>
>> >>>> In my LAN I have another (small) router with a subnet.
>> >>>> Actually, it is a linux box that simply connects another room via WLAN with the astlinux main router.
>> >>>>
>> >>>> I would have liked to use bridging instead of nat for the small router but there seems to be a bug in wpa_supplicant that does not allow it to work properly on a bridge.
>> >>>>
>> >>>> So I need to define a static route into the astlinux router, something like:
>> >>>>
>> >>>> So, if my main LAN is 192.168.0.0/25 and the subnet is 192.168.0.128/29 then I would need to add a route like this
>> >>>>
>> >>>> route add -net 192.168.0.128 netmask 255.255.255.248 gw 192.168.0.129 dev br1
>> >>>>
>> >>>> Hmm, I guess I also need to adapt the firewall as it will only forward data from EXTIF to INTIF for the main net... (?!)
>> >>>>
>> >>>> Or is there a simple way to do it which also adapts the firewall accordingly?
>> >>>>
>> >>>> Thanks
>> >>>>
>> >>>> Michael

_______________________________________________
Astlinux-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to [email protected].
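
The override described in the newest message of this thread (a value edited in firewall.conf being replaced by a file that is sourced later) can be traced with a small helper. This is an added example, not part of the original thread and not AstLinux or arno-iptables-firewall code; `last_setter`, `make_fixture`, `demo` and the two sample files are constructed for illustration and do not reproduce the real file contents.

```shell
#!/bin/sh
# Added example. The two files written by make_fixture are constructed
# stand-ins, not the real AstLinux files.

# last_setter VAR FILE...
# Sources FILEs in order inside a subshell (the caller's environment is left
# alone) and prints "<final value> <basename of the file that last changed it>".
# Pass paths containing a slash so "." does not search PATH.
last_setter() {
    (
        _ls_var=$1; shift
        eval "_ls_prev=\${$_ls_var-}"   # value inherited before any file runs
        _ls_by=none
        for _ls_f in "$@"; do
            [ -r "$_ls_f" ] || continue
            . "$_ls_f"
            eval "_ls_cur=\${$_ls_var-}"
            if [ "$_ls_cur" != "$_ls_prev" ]; then
                _ls_prev=$_ls_cur
                _ls_by=${_ls_f##*/}
            fi
        done
        printf '%s %s\n' "$_ls_prev" "$_ls_by"
    )
}

# make_fixture DIR: write the constructed sample files into DIR.
make_fixture() {
    # Hand-edited user config, as suggested by the FAQ quoted in the thread.
    printf 'INTERNAL_NET="192.168.0.0/24"\n' > "$1/firewall.conf"
    # Shim sourced afterwards; the hard-coded /25 stands in for a value
    # derived from the interface settings (INTIF, INTIP).
    cat > "$1/astlinux.shim" <<'EOF'
INTIF="br1"
INTIP="192.168.0.1"
INTERNAL_NET="192.168.0.0/25"
EOF
}

demo() {
    _d=$(mktemp -d) || return 1
    make_fixture "$_d"
    last_setter INTERNAL_NET "$_d/firewall.conf" "$_d/astlinux.shim"
    rm -rf "$_d"
}

demo
```

Sourcing executes the files, so point the helper only at configuration files the firewall itself would source, in the same order the firewall sources them.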
