Hi,
I have a problem similar to Dale's in the thread "[gentoo-user] Need
help networking two machines", but I think it is not exactly the same.
I was trying to set up a home router following the
gentoo-home-router-guide
http://www.gentoo.org/doc/de/home-router-howto.xml
with shorewall as the firewall, following the two-interfaces guide
http://www.shorewall.net/two-interface.htm.
I can connect from the router to the internet.
I can log in via ssh from the router to the desktop and back.
I have set up rsync on the router, and rsync from the desktop works.
I have set up dnsmasq on the server, and DNS is working on the desktop.
I can ping between the router and the desktop, and from the router to the internet.
I have set up NTP on the router, but ntp from the desktop gives me:
14 Jan 20:25:53 ntpdate[31522]: no server suitable for synchronization found
I can't ping from the desktop to the internet.
ping www.gentoo.org
PING www.gentoo.org (38.99.64.202) 56(84) bytes of data.
--- www.gentoo.org ping statistics ---
13 packets transmitted, 0 received, 100% packet loss, time 11999ms
As you can see, the address is resolved, but I get 100% packet loss.
I have already spent a lot of time on these issues, so I hope to solve
them with your help.
Below I have added the configuration that may help you find my
problem: first the router configuration, then the desktop
configuration.
I hope I did not forget anything, as there is a lot of it, but if anything
you need is missing, please ask for it.
Thanks, Daniel
router: gentoo-vdr configuration
lspci
eth0
02:01.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8169
Gigabit Ethernet (rev 10)
eth1
02:06.0 Ethernet controller: Realtek Semiconductor Co., Ltd.
RTL-8139/8139C/8139C+ (rev 10)
ifconfig
eth0 Link encap:Ethernet HWaddr 00:11:F0:00:0D:96
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:198008 errors:0 dropped:0 overruns:0 frame:0
TX packets:194409 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:50101373 (47.7 Mb) TX bytes:129993047 (123.9 Mb)
Interrupt:18 Base address:0xc000
eth1 Link encap:Ethernet HWaddr 00:10:DC:2B:D4:CF
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:77637 errors:0 dropped:0 overruns:0 frame:0
TX packets:63189 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:93609244 (89.2 Mb) TX bytes:7282392 (6.9 Mb)
Interrupt:19
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1236 errors:0 dropped:0 overruns:0 frame:0
TX packets:1236 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:86198 (84.1 Kb) TX bytes:86198 (84.1 Kb)
ppp0 Link encap:Point-to-Point Protocol
inet addr:88.67.24.46 P-t-P:88.67.16.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:163 errors:0 dropped:0 overruns:0 frame:0
TX packets:118 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:12249 (11.9 Kb) TX bytes:8557 (8.3 Kb)
route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
dslb-088-067-01 * 255.255.255.255 UH 0 0 0 ppp0
localhost * 255.255.255.0 U 0 0 0 eth0
loopback * 255.0.0.0 U 0 0 0 lo
default dslb-088-067-01 0.0.0.0 UG 0 0 0 ppp0
shorewall-config
/etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net ppp0 - tcpflags,norfc1918
loc eth0 detect tcpflags,detectnets
/etc/shorewall/masq
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
ppp0 eth0
/etc/shorewall/policy
#SOURCE DEST POLICY LOG LIMIT:BURST
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# on your firewall, change the loc to net policy to REJECT info.
loc net ACCEPT
loc $FW REJECT info
loc all REJECT info
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.
$FW net ACCEPT
$FW loc REJECT info
$FW all REJECT info
# Policies for traffic originating from the Internet zone (net)
#
net $FW DROP info
net loc DROP info
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
/etc/shorewall/rules
#ACTION SOURCE DEST PROTO DEST SOURCE
ORIGINAL RATE USER/
# PORT PORT(S)
DEST LIMIT GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
ACCEPT loc $FW tcp 22
ACCEPT $FW loc tcp 22
ACCEPT loc $FW udp 123
REJECT net $FW icmp 8
/etc/shorewall/zones
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipsec
loc ipsec
/etc/shorewall/shorewall.conf
I have changed these from the default values:
IP_FORWARDING=On
CLAMPMSS=Yes
/etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.ip_dynaddr = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
/etc/conf.d/net
config_eth1="adsl"
user_eth1="xxxxxxxxxx"
dns_domain_eth1=(linux )
config_eth0=( "192.168.0.1 broadcast 192.168.0.255 netmask 255.255.255.0" )
dns_domain_eth0=(linux )
/etc/conf.d/hostname
HOSTNAME="gentoo-vdr"
/etc/hosts
127.0.0.1 localhost
192.168.0.1 gentoo-vdr.linux gentoo-vdr
192.168.0.2 gentoo.linux gentoo
::1 localhost
desktop: gentoo configuration
lspci
eth0
02:01.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8169
Gigabit Ethernet (rev 10)
ifconfig
eth0 Link encap:Ethernet HWaddr 00:13:8F:D5:C4:C0
inet addr:192.168.0.2 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::213:8fff:fed5:c4c0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:194469 errors:0 dropped:0 overruns:0 frame:0
TX packets:198256 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:129998303 (123.9 Mb) TX bytes:50122357 (47.8 Mb)
Interrupt:17 Base address:0xc000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:129 errors:0 dropped:0 overruns:0 frame:0
TX packets:129 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:9816 (9.5 Kb) TX bytes:9816 (9.5 Kb)
route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 * 255.255.255.0 U 0 0 0 eth0
loopback * 255.0.0.0 U 0 0 0 lo
default gentoo-vdr.linu 0.0.0.0 UG 0 0 0 eth0
/etc/conf.d/net
config_eth0=( "192.168.0.2 broadcast 192.168.0.255 netmask 255.255.255.0" )
routes_eth0=("default via 192.168.0.1")
dns_domain_eth0=(linux )
dns_servers_eth0="192.168.0.1"
ntp_servers_eth0="192.168.0.1"
/etc/hosts
127.0.0.1 localhost
192.168.0.2 gentoo.linux gentoo
192.168.0.1 gentoo-vdr.linux gentoo-vdr
::1 localhost
/etc/conf.d/hostname
HOSTNAME="gentoo"
/etc/conf.d/ntp-client
NTPCLIENT_CMD="ntpdate"
NTPCLIENT_OPTS="192.168.0.1"
For those who are not familiar with shorewall, here are the iptables rules
it generated on the router.
iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
ppp0_masq all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain ppp0_masq (1 references)
target prot opt source destination
MASQUERADE all -- localhost/24 anywhere policy
match dir out pol none
iptables -L -t mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
tcpre all -- anywhere anywhere
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
tcfor all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
tcout all -- anywhere anywhere
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
tcpost all -- anywhere anywhere
Chain tcfor (1 references)
target prot opt source destination
Chain tcout (1 references)
target prot opt source destination
Chain tcpost (1 references)
target prot opt source destination
Chain tcpre (1 references)
target prot opt source destination
iptables -L -t filter
Chain INPUT (policy ACCEPT)
target prot opt source destination
LOG udp -- anywhere anywhere udp
dpts:0:1023 LOG level warning
LOG tcp -- anywhere anywhere tcp
dpts:0:1023 LOG level warning
DROP udp -- anywhere anywhere udp dpts:0:1023
DROP tcp -- anywhere anywhere tcp dpts:0:1023
LOG tcp -- anywhere anywhere tcp
flags:FIN,SYN,RST,ACK/SYN LOG level warning
DROP tcp -- anywhere anywhere tcp
flags:FIN,SYN,RST,ACK/SYN
DROP icmp -- anywhere anywhere icmp echo-request
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain Drop (3 references)
target prot opt source destination
reject tcp -- anywhere anywhere tcp dpt:auth
dropBcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp
fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
dropInvalid all -- anywhere anywhere
DROP udp -- anywhere anywhere multiport
dports epmap,microsoft-ds
DROP udp -- anywhere anywhere udp
dpts:netbios-ns:netbios-ssn
DROP udp -- anywhere anywhere udp
spt:netbios-ns dpts:1024:65535
DROP tcp -- anywhere anywhere multiport
dports epmap,netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere udp dpt:1900
dropNotSyn tcp -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:domain
Chain Reject (5 references)
target prot opt source destination
reject tcp -- anywhere anywhere tcp dpt:auth
dropBcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp
fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
dropInvalid all -- anywhere anywhere
reject udp -- anywhere anywhere multiport
dports epmap,microsoft-ds
reject udp -- anywhere anywhere udp
dpts:netbios-ns:netbios-ssn
reject udp -- anywhere anywhere udp
spt:netbios-ns dpts:1024:65535
reject tcp -- anywhere anywhere multiport
dports epmap,netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere udp dpt:1900
dropNotSyn tcp -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:domain
Chain all2all (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level
info prefix `Shorewall:all2all:REJECT:'
reject all -- anywhere anywhere
Chain dropBcast (2 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE =
broadcast
DROP all -- anywhere anywhere PKTTYPE =
multicast
Chain dropInvalid (2 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
Chain dropNotSyn (2 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp
flags:!FIN,SYN,RST,ACK/SYN
Chain dynamic (4 references)
target prot opt source destination
Chain eth0_fwd (0 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
tcpflags tcp -- anywhere anywhere policy
match dir in pol none
loc_frwd all -- localhost/24 anywhere policy
match dir in pol ipsec
Chain eth0_in (0 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
tcpflags tcp -- anywhere anywhere policy
match dir in pol none
loc2fw all -- localhost/24 anywhere policy
match dir in pol ipsec
Chain fw2all (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level
info prefix `Shorewall:fw2all:REJECT:'
reject all -- anywhere anywhere
Chain fw2loc (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level
info prefix `Shorewall:fw2loc:REJECT:'
reject all -- anywhere anywhere
Chain fw2net (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Chain loc2all (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level
info prefix `Shorewall:loc2all:REJECT:'
reject all -- anywhere anywhere
Chain loc2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:ntp
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level
info prefix `Shorewall:loc2fw:REJECT:'
reject all -- anywhere anywhere
Chain loc2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Chain loc_frwd (1 references)
target prot opt source destination
loc2net all -- anywhere anywhere policy
match dir out pol ipsec
Chain logflags (5 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level
info ip-options prefix `Shorewall:logflags:DROP:'
DROP all -- anywhere anywhere
Chain net2all (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level
info prefix `Shorewall:net2all:DROP:'
DROP all -- anywhere anywhere
Chain net2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
reject icmp -- anywhere anywhere icmp echo-request
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level
info prefix `Shorewall:net2fw:DROP:'
DROP all -- anywhere anywhere
Chain net2loc (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level
info prefix `Shorewall:net2loc:DROP:'
DROP all -- anywhere anywhere
Chain net_frwd (1 references)
target prot opt source destination
net2loc all -- anywhere localhost/24 policy
match dir out pol ipsec
Chain norfc1918 (2 references)
target prot opt source destination
rfc1918 all -- localhost/12 anywhere
rfc1918 all -- anywhere anywhere ctorigdst
localhost/12
rfc1918 all -- localhost/16 anywhere
rfc1918 all -- anywhere anywhere ctorigdst
localhost/16
rfc1918 all -- localhost/8 anywhere
rfc1918 all -- anywhere anywhere ctorigdst
localhost/8
Chain ppp0_fwd (0 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
norfc1918 all -- anywhere anywhere state NEW
policy match dir in pol none
tcpflags tcp -- anywhere anywhere policy
match dir in pol none
net_frwd all -- anywhere anywhere policy
match dir in pol ipsec
Chain ppp0_in (0 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
norfc1918 all -- anywhere anywhere state NEW
policy match dir in pol none
tcpflags tcp -- anywhere anywhere policy
match dir in pol none
net2fw all -- anywhere anywhere policy
match dir in pol ipsec
Chain reject (12 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE =
broadcast
DROP all -- anywhere anywhere PKTTYPE =
multicast
DROP all -- localhost anywhere
DROP all -- 255.255.255.255 anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
REJECT tcp -- anywhere anywhere
reject-with tcp-reset
REJECT udp -- anywhere anywhere
reject-with icmp-port-unreachable
REJECT icmp -- anywhere anywhere
reject-with icmp-host-unreachable
REJECT all -- anywhere anywhere
reject-with icmp-host-prohibited
Chain rfc1918 (6 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level
info prefix `Shorewall:rfc1918:DROP:'
DROP all -- anywhere anywhere
Chain shorewall (0 references)
target prot opt source destination
Chain smurfs (0 references)
target prot opt source destination
LOG all -- localhost anywhere LOG level
info prefix `Shorewall:smurfs:DROP:'
DROP all -- localhost anywhere
LOG all -- 255.255.255.255 anywhere LOG level
info prefix `Shorewall:smurfs:DROP:'
DROP all -- 255.255.255.255 anywhere
LOG all -- BASE-ADDRESS.MCAST.NET/4 anywhere LOG
level info prefix `Shorewall:smurfs:DROP:'
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
Chain tcpflags (4 references)
target prot opt source destination
logflags tcp -- anywhere anywhere tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
logflags tcp -- anywhere anywhere tcp
flags:FIN,SYN,RST,PSH,ACK,URG/NONE
logflags tcp -- anywhere anywhere tcp
flags:SYN,RST/SYN,RST
logflags tcp -- anywhere anywhere tcp
flags:FIN,SYN/FIN,SYN
logflags tcp -- anywhere anywhere tcp spt:0
flags:FIN,SYN,RST,ACK/SYN