vapier      05/08/14 04:38:49

  Modified:    xml/htdocs/doc/en home-router-howto.xml
  Log:
  replace eth0 with $LAN and eth1 with $WAN and rename Debugging section to 
Troubleshooting #102450 by Arnold Miller

Revision  Changes    Path
1.30      +35 -27    xml/htdocs/doc/en/home-router-howto.xml

file : 
http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/home-router-howto.xml?rev=1.30&content-type=text/x-cvsweb-markup&cvsroot=gentoo
plain: 
http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/home-router-howto.xml?rev=1.30&content-type=text/plain&cvsroot=gentoo
diff : 
http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/home-router-howto.xml.diff?r1=1.29&r2=1.30&cvsroot=gentoo

Index: home-router-howto.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/home-router-howto.xml,v
retrieving revision 1.29
retrieving revision 1.30
diff -u -r1.29 -r1.30
--- home-router-howto.xml       4 Aug 2005 00:18:20 -0000       1.29
+++ home-router-howto.xml       14 Aug 2005 04:38:48 -0000      1.30
@@ -1,5 +1,5 @@
 <?xml version='1.0' encoding='UTF-8'?>
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/home-router-howto.xml,v 
1.29 2005/08/04 00:18:20 vapier Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/home-router-howto.xml,v 
1.30 2005/08/14 04:38:48 vapier Exp $ -->
 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
 
 <guide link="/doc/en/home-router-howto.xml">
@@ -15,8 +15,8 @@
 for connecting your home network to the internet.
 </abstract>
 
-<version>1.9</version>
-<date>2005-08-03</date>
+<version>1.10</version>
+<date>2005-08-14</date>
 
 <chapter>
 <title>Introduction</title>
@@ -206,7 +206,7 @@
 # <i>nano /etc/conf.d/net</i>
 <comment>Add an entry for config_eth1 and set it to adsl:</comment>
 config_eth1=( "adsl" )
-# <i>ln -s net.eth0 /etc/init.d/net.eth1</i>
+# <i>ln -s net.lo /etc/init.d/net.eth1</i>
 # <i>rc-update add net.eth1 default</i>
 # <i>/etc/init.d/net.eth1 start</i>
 </pre>
@@ -247,7 +247,7 @@
 nameserver 123.123.123.123
 
 <comment>Dynamic and Static Setup:</comment>
-# <i>ln -s net.eth0 /etc/init.d/net.eth1</i>
+# <i>ln -s net.lo /etc/init.d/net.eth1</i>
 # <i>rc-update add net.eth1 default</i>
 # <i>/etc/init.d/net.eth1 start</i>
 </pre>
@@ -413,24 +413,28 @@
 # <i>iptables -F</i>
 # <i>iptables -t nat -F</i>
 
+<comment>Copy and paste these examples ...</comment>
+# <i>export LAN=eth0</i>
+# <i>export WAN=eth1</i>
+
 <comment>Then we lock our services so they only work from the LAN</comment>
-# <i>iptables -I INPUT 1 -i eth0 -j ACCEPT</i>
+# <i>iptables -I INPUT 1 -i ${LAN} -j ACCEPT</i>
 # <i>iptables -I INPUT 1 -i lo -j ACCEPT</i>
-# <i>iptables -A INPUT -p UDP --dport bootps -i ! eth0 -j REJECT</i>
-# <i>iptables -A INPUT -p UDP --dport domain -i ! eth0 -j REJECT</i>
+# <i>iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT</i>
+# <i>iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT</i>
 
 <comment>(Optional) Allow access to our ssh server from the WAN</comment>
-# <i>iptables -A INPUT -p TCP --dport ssh -i eth1 -j ACCEPT</i>
+# <i>iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT</i>
 
 <comment>Drop TCP / UDP packets to privileged ports</comment>
-# <i>iptables -A INPUT -p TCP -i ! eth0 -d 0/0 --dport 0:1023 -j DROP</i>
-# <i>iptables -A INPUT -p UDP -i ! eth0 -d 0/0 --dport 0:1023 -j DROP</i>
+# <i>iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP</i>
+# <i>iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP</i>
 
 <comment>Finally we add the rules for NAT</comment>
-# <i>iptables -I FORWARD -i eth0 -d 192.168.0.0/255.255.0.0 -j DROP</i>
-# <i>iptables -A FORWARD -i eth0 -s 192.168.0.0/255.255.0.0 -j ACCEPT</i>
-# <i>iptables -A FORWARD -i eth1 -d 192.168.0.0/255.255.0.0 -j ACCEPT</i>
-# <i>iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE</i>
+# <i>iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP</i>
+# <i>iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT</i>
+# <i>iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT</i>
+# <i>iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE</i>
 <comment>Tell the kernel that ip forwarding is OK</comment>
 # <i>echo 1 > /proc/sys/net/ipv4/ip_forward</i>
 # <i>for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done</i>
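Review bot: The added comment `Copy and paste these examples ...` does not tell the reader that LAN and WAN must be set to their own interface names, yet every rule below it now depends on those two variables. If they are swapped on a given machine, `iptables -I INPUT 1 -i ${LAN} -j ACCEPT` accepts all traffic arriving on the Internet-facing interface. I would word the comment as `<comment>Set LAN and WAN to your own interface names before pasting the rules below</comment>`, and do the same for the identical comment added in the `@@ -494,29 +498,33 @@` hunk. The enclosing `<pre>` block starts and ends outside this hunk.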
@@ -486,7 +490,7 @@
 
 <p>
 All the port forwarding rules are of the form <c>iptables -t nat -A PREROUTING
-[-p protocol] --dport [external port on router] -i eth1 -j DNAT --to [ip/port
+[-p protocol] --dport [external port on router] -i ${WAN} -j DNAT --to [ip/port
 to forward to]</c>.  iptables does not accept hostnames when port forwarding.
 If you are forwarding an external port to the same port on the internal
 machine, you can omit the destination port.  See the iptables(8) page for more
@@ -494,29 +498,33 @@
 </p>
 
 <pre caption="Running the iptables commands">
+<comment>Copy and paste these examples ...</comment>
+# <i>export LAN=eth0</i>
+# <i>export WAN=eth1</i>
+
 <comment>Forward port 2 to ssh on an internal host</comment>
-# <i>iptables -t nat -A PREROUTING -p tcp --dport 2 -i eth1 -j DNAT --to 
192.168.0.2:22</i>
+# <i>iptables -t nat -A PREROUTING -p tcp --dport 2 -i ${WAN} -j DNAT --to 
192.168.0.2:22</i>
 
 <comment>FTP forwarding to an internal host</comment>
-# <i>iptables -t nat -A PREROUTING -p tcp --dport 21 -i eth1 -j DNAT --to 
192.168.0.56</i>
+# <i>iptables -t nat -A PREROUTING -p tcp --dport 21 -i ${WAN} -j DNAT --to 
192.168.0.56</i>
 
 <comment>HTTP forwarding to an internal host</comment>
-# <i>iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 -j DNAT --to 
192.168.0.56</i>
+# <i>iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to 
192.168.0.56</i>
 
 <comment>VNC forwarding for internal hosts</comment>
-# <i>iptables -t nat -I PREROUTING -p tcp --dport 5900 -i eth1 -j DNAT --to 
192.168.0.2</i>
-# <i>iptables -t nat -I PREROUTING -p tcp --dport 5901 -i eth1 -j DNAT --to 
192.168.0.3:5900</i>
+# <i>iptables -t nat -I PREROUTING -p tcp --dport 5900 -i ${WAN} -j DNAT --to 
192.168.0.2</i>
+# <i>iptables -t nat -I PREROUTING -p tcp --dport 5901 -i ${WAN} -j DNAT --to 
192.168.0.3:5900</i>
 <comment>If you want to VNC in to 192.168.0.3, then just add ':1' to the 
router's hostname</comment>
 
 <comment>Bittorrent forwarding</comment>
-# <i>iptables -t nat -A PREROUTING -p tcp --dport 6881:6889 -i eth1 -j DNAT 
--to 192.168.0.2</i>
+# <i>iptables -t nat -A PREROUTING -p tcp --dport 6881:6889 -i ${WAN} -j DNAT 
--to 192.168.0.2</i>
 
 <comment>Game Cube Warp Pipe support</comment>
-# <i>iptables -t nat -A PREROUTING -p udp --dport 4000 -i eth1 -j DNAT --to 
192.168.0.56</i>
+# <i>iptables -t nat -A PREROUTING -p udp --dport 4000 -i ${WAN} -j DNAT --to 
192.168.0.56</i>
 
 <comment>Playstation2 Online support</comment>
-# <i>iptables -t nat -A PREROUTING -p tcp --dport 10070:10080 -i eth1 -j DNAT 
--to 192.168.0.11</i>
-# <i>iptables -t nat -A PREROUTING -p udp --dport 10070:10080 -i eth1 -j DNAT 
--to 192.168.0.11</i>
+# <i>iptables -t nat -A PREROUTING -p tcp --dport 10070:10080 -i ${WAN} -j 
DNAT --to 192.168.0.11</i>
+# <i>iptables -t nat -A PREROUTING -p udp --dport 10070:10080 -i ${WAN} -j 
DNAT --to 192.168.0.11</i>
 </pre>
 
 <note>
@@ -760,7 +768,7 @@
 # <i>emerge qmail</i>
 <comment>make sure the output of `hostname` is correct</comment>
 # <i>ebuild /var/db/pkg/*-*/qmail-1.03-r*/*.ebuild config</i>
-# <i>iptables -I INPUT -p tcp --dport smtp -i ! eth0 -j REJECT</i>
+# <i>iptables -I INPUT -p tcp --dport smtp -i ! ${LAN} -j REJECT</i>
 # <i>ln -s /var/qmail/supervise/qmail-send /service/qmail-send</i>
 # <i>ln -s /var/qmail/supervise/qmail-smtpd /service/qmail-smtpd</i>
 <!--
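Review bot: `${LAN}` is used in the SMTP rule here without the `export LAN=eth0` line that the firewall and port-forwarding hunks add, so a reader who runs this step in a fresh shell gets an empty expansion. With the variable empty, `-i ! ${LAN}` loses its interface argument, and the REJECT rule will most likely be refused by iptables or not match as intended. Whether SMTP stays blocked from the WAN then depends on rules from other sections. Add a line before the iptables command such as `<comment>LAN must be set as in the firewall section (export LAN=eth0)</comment>`. The enclosing `<pre>` block begins and ends outside this hunk.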
@@ -811,7 +819,7 @@
 </chapter>
 
 <chapter>
-<title>Debugging</title>
+<title>Troubleshooting</title>
 
 <section>
 <title>Useful Tools</title>


