Re: [gentoo-user] Need help with routing
Hans-Werner Hilse wrote:
> Hi,
>
> On Tue, 11 Sep 2007 21:38:26 +0200
> Florian Philipp [EMAIL PROTECTED] wrote:
>
> > Now the kernel can handle connection state matching :)
> > I can apply your rules with one exception:
> >
> > iptables -A POSTROUTING -o ppp0 -j MASQUERADE
> >
> > The same error message as before.
>
> But a different cause: My brain ;-)
> That should rather read
>
> $ iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>
> (I forgot the -t nat)
>
> There is, however, a kernel configuration needed for masquerading, too
> (CONFIG_IP_NF_TARGET_MASQUERADE on newer kernels, you can search for it
> -- or just MASQUERADE on older kernels -- using the / key in the
> kernel's menuconfig). So if iptables keeps complaining, check that too.
>
> BTW: I'm starting to really hate the HOWTO that much that I might even
> consider editing it. The HOWTO got this command wrong as well: It
> MASQUERADEs the connections going out to the LAN interface...
>
> For a proper durable setup, after performing all steps manually until
> you have iptables in the way, you should issue
>
> $ /etc/init.d/iptables save
>
> and have iptables fire up using rc-update, if not yet done. Also put
> the sysctl setting in /etc/sysctl.conf. Then routing/masquerading will
> be set up right on each boot.
>
> -hwh

Thank you for your patience, it's finally working!

If you don't edit the wiki, I'll do it (sooner or later). Just tell me if
you don't want to see your name when I give you credit for the settings.

--
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] Need help with routing [OT: Issues with an article on the wiki]
Hi,

On Wed, 12 Sep 2007 18:35:41 +0200
Florian Philipp [EMAIL PROTECTED] wrote:

> Thank you for your patience, it's finally working!

OK, that's good news :-)

> If you don't edit the wiki, I'll do it (sooner or later). Just tell me
> if you don't want to see your name when I give you credit for the
> settings.

Reading through it, it'll need a general rewrite. The more I look at it,
the less it makes sense. Though on the discussion site, the last comment
gives a valuable hint to what the main culprit is: The article doesn't
clarify on its focus (and I guess that's why it hasn't got that much
attention yet). Based on the title, there are many ways to conclude what
task is described there. I guess it was really about routing an internet
connection to some clients, but the general concept of Routing is
broader. So I think the article should

- clarify what it's about (introduction)
- introduce routing and the route command (and/or ip route)
- introduce masquerading (what you wanted and the original article
  intended to describe, I think)

I'll take a try on rewriting it this evening (CEST). Feel free to further
rewrite it or start doing it, but I really think the aspects noted above
are worth following.

-hwh
Re: [gentoo-user] Need help with routing
Hans-Werner Hilse wrote:
> Hi,
>
> On Mon, 10 Sep 2007 20:59:03 +0200
> Florian Philipp [EMAIL PROTECTED] wrote:
>
> > I'll attach relevant ifconfig, route and iptables -L output.
>
> Hm, OK. This:
>
> [snip]
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  10.8.0.1             anywhere
> ACCEPT     all  --  anywhere             10.8.0.1
> DROP       all  --  !10.8.0.1            anywhere
> [snip]
>
> is on what computer? On the server (I guess it's the router) the last
> line would effectively prevent routing for the client (but I don't know
> why ICMP works...). I would suggest starting without it and then setting
> up proper rules -- and then setting the chain's policy to DROP (plus
> some REJECT rules for proper answers).
>
> Dan's hint is also worth investigating.
>
> BTW: use route/ifconfig/netstat/iptables' -n switch to make analysis
> easier!
>
> -hwh

I followed the howto's nomenclature of server and client.

I'm a bit puzzled right now. Is there anything essentially wrong with the
howto ( http://gentoo-wiki.com/HOWTO_quick_routing )? I followed it word
by word. The drop rule is explained as

#prevent others ip from connecting to my eth0
Re: [gentoo-user] Need help with routing
On Mon, 10 Sep 2007 22:48:20 +0200
Hans-Werner Hilse [EMAIL PROTECTED] wrote:

> is on what computer? On the server (I guess it's the router) the last
> line would effectively prevent routing for the client (but I don't know
> why ICMP works...). I would suggest starting without it and then setting
> up proper rules -- and then setting the chain's policy to DROP (plus
> some REJECT rules for proper answers).

I agree, I thought your firewall rules were a little wacky too. These
rules only route to one host. Generally you'd want to route to a whole
network, not just one host.

> (but I don't know why ICMP works...).
Re: [gentoo-user] Need help with routing
Hi,

On Tue, 11 Sep 2007 17:30:51 +0200
Florian Philipp [EMAIL PROTECTED] wrote:

> > Hm, OK. This:
> >
> > [snip]
> > Chain FORWARD (policy ACCEPT)
> > target     prot opt source               destination
> > ACCEPT     all  --  10.8.0.1             anywhere
> > ACCEPT     all  --  anywhere             10.8.0.1
> > DROP       all  --  !10.8.0.1            anywhere
> > [snip]
> >
> > is on what computer? On the server (I guess it's the router) the last
> > line would effectively prevent routing for the client (but I don't
> > know why ICMP works...). I would suggest starting without it and then
> > setting up proper rules -- and then setting the chain's policy to
> > DROP (plus some REJECT rules for proper answers).
>
> I followed the howto's nomenclature of server and client.
>
> I'm a bit puzzled right now. Is there anything essentially wrong with
> the howto ( http://gentoo-wiki.com/HOWTO_quick_routing )? I followed it
> word by word. The drop rule is explained as
>
> #prevent others ip from connecting to my eth0

Hm, judging from that the article on Routing uses a Client and Server
nomenclature, I consider the article being at least partly crap ;-)

And yes, that guide really seems to be a bunch of BS (sorry, but that's
the way it seems to be). It is outright horrible. Personally I hate
discussing on Wikis' Discussion Pages, so, no, I won't correct it (but
looking at its discussion page, others considered it bad, too, and are
planning to correct/delete it).

That iptables setup is absolutely stupid. It accepts packets from and to
the machine itself (note that 10.8.0.1 is the router's IP), but will drop
any packet not originating from 10.8.0.1. The latter should be true for
all packets originating from the client (since it has the address
10.8.0.2). So all the client's communication is dropped, and that's it,
end of story.

Better have a look at netfilter's set of HOWTOs, especially the NAT
howto. Better learn what you're doing... Otherwise, just take the hints
from my previous posting.

My suggestion for a proper setup would be

$ iptables -F FORWARD
$ iptables -P FORWARD DROP
$ iptables -A FORWARD -i eth0 -o ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$ iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
...plus rules allowing for forwarding designated ports, if any

You'll certainly want to keep this:

$ iptables -A POSTROUTING -o ppp0 -j MASQUERADE

in place, too. Note that this trusts any box connecting via eth0, not
just a single client.

-hwh
Re: [gentoo-user] Need help with routing
Dan Farrell wrote:
> On Mon, 10 Sep 2007 22:48:20 +0200
> Hans-Werner Hilse [EMAIL PROTECTED] wrote:
>
> > is on what computer? On the server (I guess it's the router) the last
> > line would effectively prevent routing for the client (but I don't
> > know why ICMP works...). I would suggest starting without it and then
> > setting up proper rules -- and then setting the chain's policy to
> > DROP (plus some REJECT rules for proper answers).
>
> I agree, I thought your firewall rules were a little wacky too. These
> rules only route to one host. Generally you'd want to route to a whole
> network, not just one host.
>
> > (but I don't know why ICMP works...).

Well, as I've written, they aren't my rules. I just copied and pasted
them. I know just as much about iptables as I know about cars. I know the
theory, I've seen the building process from like 10 meters distance and I
use the finished product.

I'd really appreciate if you could post the correct settings or config
file(s).
Re: [gentoo-user] Need help with routing
Hans-Werner Hilse wrote:
> Hi,
>
> On Tue, 11 Sep 2007 17:30:51 +0200
> Florian Philipp [EMAIL PROTECTED] wrote:
>
> > > Hm, OK. This:
> > >
> > > [snip]
> > > Chain FORWARD (policy ACCEPT)
> > > target     prot opt source               destination
> > > ACCEPT     all  --  10.8.0.1             anywhere
> > > ACCEPT     all  --  anywhere             10.8.0.1
> > > DROP       all  --  !10.8.0.1            anywhere
> > > [snip]
> > >
> > > is on what computer? On the server (I guess it's the router) the
> > > last line would effectively prevent routing for the client (but I
> > > don't know why ICMP works...). I would suggest starting without it
> > > and then setting up proper rules -- and then setting the chain's
> > > policy to DROP (plus some REJECT rules for proper answers).
> >
> > I followed the howto's nomenclature of server and client.
> >
> > I'm a bit puzzled right now. Is there anything essentially wrong with
> > the howto ( http://gentoo-wiki.com/HOWTO_quick_routing )? I followed
> > it word by word. The drop rule is explained as
> >
> > #prevent others ip from connecting to my eth0
>
> Hm, judging from that the article on Routing uses a Client and Server
> nomenclature, I consider the article being at least partly crap ;-)
>
> And yes, that guide really seems to be a bunch of BS (sorry, but that's
> the way it seems to be). It is outright horrible. Personally I hate
> discussing on Wikis' Discussion Pages, so, no, I won't correct it (but
> looking at its discussion page, others considered it bad, too, and are
> planning to correct/delete it).
>
> That iptables setup is absolutely stupid. It accepts packets from and
> to the machine itself (note that 10.8.0.1 is the router's IP), but will
> drop any packet not originating from 10.8.0.1. The latter should be
> true for all packets originating from the client (since it has the
> address 10.8.0.2). So all the client's communication is dropped, and
> that's it, end of story.
>
> Better have a look at netfilter's set of HOWTOs, especially the NAT
> howto. Better learn what you're doing... Otherwise, just take the hints
> from my previous posting.
>
> My suggestion for a proper setup would be
>
> $ iptables -F FORWARD
> $ iptables -P FORWARD DROP
> $ iptables -A FORWARD -i eth0 -o ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $ iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> ...plus rules allowing for forwarding designated ports, if any
>
> You'll certainly want to keep this:
>
> $ iptables -A POSTROUTING -o ppp0 -j MASQUERADE
>
> in place, too. Note that this trusts any box connecting via eth0, not
> just a single client.
>
> -hwh

Thanks! In fact I'd really like to learn more about iptables but at the
moment I hardly find the time to do it.

When I try to apply the rules you've posted I get:

$ iptables -A FORWARD -i eth0 -o ppp0 -m state --state \
NEW,ESTABLISHED,RELATED -j ACCEPT
iptables: No chain/target/match by that name

A syntax error, maybe?
Re: [gentoo-user] Need help with routing
Hi,

On Tue, 11 Sep 2007 18:50:52 +0200
Florian Philipp [EMAIL PROTECTED] wrote:

> > My suggestion for a proper setup would be
> >
> > $ iptables -F FORWARD
> > $ iptables -P FORWARD DROP
> > $ iptables -A FORWARD -i eth0 -o ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> > $ iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> > ...plus rules allowing for forwarding designated ports, if any
> >
> > You'll certainly want to keep this:
> >
> > $ iptables -A POSTROUTING -o ppp0 -j MASQUERADE
> >
> > in place, too. Note that this trusts any box connecting via eth0,
> > not just a single client.
>
> [...]
>
> When I try to apply the rules you've posted I get:
>
> $ iptables -A FORWARD -i eth0 -o ppp0 -m state --state \
> NEW,ESTABLISHED,RELATED -j ACCEPT
> iptables: No chain/target/match by that name

Hm, you do not seem to have your kernel configured for connection state
matching. Just start with basic rules:

$ iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
$ iptables -A FORWARD -o eth0 -i ppp0 -j ACCEPT

(instead of the iptables -A settings mentioned before)

But note that those would potentially allow inbound connections to get
routed to any desired machine (desired by the party outside your network,
that is). So make sure that either such requests aren't getting forwarded
to your router (and this is most probably already the case for your setup
-- DSL or cable, I guess?) or your LAN doesn't care (i.e. is secured).
Most PPP endpoints, however, would drop such traffic anyway, so you
should be secure if you trust your provider.

Basically I think this is what the Gentoo wiki guide *intended* to do.

-hwh
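To make the difference between the three FORWARD rulesets in this exchange concrete, here is an added Python model of the router's FORWARD chain (not code from the thread or the wiki) that walks the wiki's ruleset, the stateful one and the stateless fallback through the same three packets. The conntrack is a simplified stand-in that only tracks NEW/ESTABLISHED, and the remote address is a constructed placeholder.

```python
# Added model of the router's FORWARD chain for the rulesets discussed in this
# thread; not code from the posts or the wiki. Assumed simplifications: the
# conntrack knows only NEW and ESTABLISHED (RELATED is not modelled), and FORWARD
# sees LAN addresses, since MASQUERADE rewrites the source later, in POSTROUTING.
from collections import namedtuple

ROUTER, CLIENT = "10.8.0.1", "10.8.0.2"
REMOTE = "198.51.100.10"  # constructed stand-in for the Internet host being reached

Packet = namedtuple("Packet", "in_if out_if src dst sport dport")
# src/dst: exact address or negated "!10.8.0.1"; states: empty = no "-m state" match
Rule = namedtuple("Rule", "target in_if out_if src dst states",
                  defaults=(None, None, None, None, frozenset()))


def addr_matches(spec, addr):
    if spec is None:
        return True
    return addr != spec[1:] if spec.startswith("!") else addr == spec


class ForwardChain:
    def __init__(self, policy, rules):
        self.policy, self.rules = policy, rules
        self.flows = set()  # (src, sport, dst, dport) of every accepted packet

    def state(self, p):
        fwd, rev = (p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)
        return "ESTABLISHED" if fwd in self.flows or rev in self.flows else "NEW"

    def verdict(self, p):
        st, result = self.state(p), self.policy  # policy applies if nothing matches
        for r in self.rules:  # first matching rule decides, as in netfilter
            if r.in_if not in (None, p.in_if) or r.out_if not in (None, p.out_if):
                continue
            if not addr_matches(r.src, p.src) or not addr_matches(r.dst, p.dst):
                continue
            if r.states and st not in r.states:
                continue
            result = r.target
            break
        if result == "ACCEPT":
            self.flows.add((p.src, p.sport, p.dst, p.dport))
        return result


def howto_chain():
    """The wiki's rules, as in the iptables -L output quoted in the thread."""
    return ForwardChain("ACCEPT", [Rule("ACCEPT", src=ROUTER), Rule("ACCEPT", dst=ROUTER),
                                   Rule("DROP", src="!" + ROUTER)])


def stateful_chain():
    """hwh's suggestion: policy DROP, LAN may open connections, WAN may only answer."""
    return ForwardChain("DROP", [
        Rule("ACCEPT", "eth0", "ppp0", states=frozenset({"NEW", "ESTABLISHED", "RELATED"})),
        Rule("ACCEPT", "ppp0", "eth0", states=frozenset({"ESTABLISHED", "RELATED"}))])


def stateless_chain():
    """The fallback without conntrack: forwards anything between the two interfaces."""
    return ForwardChain("DROP", [Rule("ACCEPT", "eth0", "ppp0"), Rule("ACCEPT", "ppp0", "eth0")])


def run(chain):
    """Client opens a web connection, the answer returns, then an unrelated
    inbound connection attempt from the WAN arrives for the client."""
    out = chain.verdict(Packet("eth0", "ppp0", CLIENT, REMOTE, 40000, 80))
    reply = chain.verdict(Packet("ppp0", "eth0", REMOTE, CLIENT, 80, 40000))
    inbound = chain.verdict(Packet("ppp0", "eth0", REMOTE, CLIENT, 51000, 22))
    return out, reply, inbound
```

The wiki ruleset drops all three packets (the client's traffic never matches an ACCEPT), the stateful ruleset passes the client's connection and its reply but drops the unsolicited inbound attempt, and the stateless fallback forwards everything, which is the exposure hwh warns about.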
Re: [gentoo-user] Need help with routing
Hans-Werner Hilse wrote:
> Hi,
>
> On Tue, 11 Sep 2007 18:50:52 +0200
> Florian Philipp [EMAIL PROTECTED] wrote:
>
> > > My suggestion for a proper setup would be
> > >
> > > $ iptables -F FORWARD
> > > $ iptables -P FORWARD DROP
> > > $ iptables -A FORWARD -i eth0 -o ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> > > $ iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > ...plus rules allowing for forwarding designated ports, if any
> > >
> > > You'll certainly want to keep this:
> > >
> > > $ iptables -A POSTROUTING -o ppp0 -j MASQUERADE
> > >
> > > in place, too. Note that this trusts any box connecting via eth0,
> > > not just a single client.
> >
> > [...]
> >
> > When I try to apply the rules you've posted I get:
> >
> > $ iptables -A FORWARD -i eth0 -o ppp0 -m state --state \
> > NEW,ESTABLISHED,RELATED -j ACCEPT
> > iptables: No chain/target/match by that name
>
> Hm, you do not seem to have your kernel configured for connection state
> matching. Just start with basic rules:
>
> $ iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
> $ iptables -A FORWARD -o eth0 -i ppp0 -j ACCEPT
>
> (instead of the iptables -A settings mentioned before)
>
> But note that those would potentially allow inbound connections to get
> routed to any desired machine (desired by the party outside your
> network, that is). So make sure that either such requests aren't
> getting forwarded to your router (and this is most probably already the
> case for your setup -- DSL or cable, I guess?) or your LAN doesn't care
> (i.e. is secured). Most PPP endpoints, however, would drop such traffic
> anyway, so you should be secure if you trust your provider.
>
> Basically I think this is what the Gentoo wiki guide *intended* to do.
>
> -hwh

Now the kernel can handle connection state matching :)
I can apply your rules with one exception:

iptables -A POSTROUTING -o ppp0 -j MASQUERADE

The same error message as before.

I've enabled basically everything in the kernel's netfilter submenu that
can be compiled as a module and since these modules were automatically
inserted when necessary I don't know what's the problem right now. I'll
attach lsmod and the kernel config, just in case...

Oh, and I've still got 100% packet loss when trying to ping Google's IP
from anywhere but the router.

Module                  Size  Used by
xt_state                3136  0
ipt_MASQUERADE          4096  3
iptable_nat             8452  1
nf_nat                 19884  2 ipt_MASQUERADE,iptable_nat
nf_conntrack_ipv4      18640  2 iptable_nat
nf_conntrack           61980  5 xt_state,ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4
iptable_filter          3712  1
ip_tables              19632  2 iptable_nat,iptable_filter
x_tables               20296  4 xt_state,ipt_MASQUERADE,iptable_nat,ip_tables
option                 11648  1
usbserial              33968  3 option
b44                    28236  0
sr_mod                 18020  0
cdrom                  35944  1 sr_mod
sg                     26016  0
Re: [gentoo-user] Need help with routing
Hi,

On Tue, 11 Sep 2007 21:38:26 +0200
Florian Philipp [EMAIL PROTECTED] wrote:

> Now the kernel can handle connection state matching :)
> I can apply your rules with one exception:
>
> iptables -A POSTROUTING -o ppp0 -j MASQUERADE
>
> The same error message as before.

But a different cause: My brain ;-)
That should rather read

$ iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

(I forgot the -t nat)

There is, however, a kernel configuration needed for masquerading, too
(CONFIG_IP_NF_TARGET_MASQUERADE on newer kernels, you can search for it
-- or just MASQUERADE on older kernels -- using the / key in the kernel's
menuconfig). So if iptables keeps complaining, check that too.

BTW: I'm starting to really hate the HOWTO that much that I might even
consider editing it. The HOWTO got this command wrong as well: It
MASQUERADEs the connections going out to the LAN interface...

For a proper durable setup, after performing all steps manually until
you have iptables in the way, you should issue

$ /etc/init.d/iptables save

and have iptables fire up using rc-update, if not yet done. Also put the
sysctl setting in /etc/sysctl.conf. Then routing/masquerading will be set
up right on each boot.

-hwh
Re: [gentoo-user] Need help with routing
Dan Farrell wrote:
> On Sun, 02 Sep 2007 05:12:11 -0500
> Dale [EMAIL PROTECTED] wrote:
>
> > Florian Philipp wrote:
> > > Hi list!
> > >
> > > I'm trying to set up my laptop as the router for my PC.
> > > ...
> > > My problem: As soon as I set up eth0 with
> > >
> > > ifconfig 192.168.1.1 netmask 255.255.255.0 eth0
> > >
> > > ppp0 is no longer used.
> >
> > I do this too and I have this in my /etc/conf.d/net file on the one
> > that connects to the internet.
> >
> > gateway=ppp0
> >
> > You may want to try that.
> >
> > Dale
>
> Yes, this is your problem Florian. You need to make sure the default
> route is not set to eth0, which will probably be done automatically for
> eth0 when you bring it up. In other words, follow Dale's advice.

Thanks! At least they can ping each other now but routing still doesn't
work: Destination host unreachable.

Is there anything wrong with the server script in the howto? I've already
tried to deactivate ipv6 on the server.
Re: [gentoo-user] Need help with routing
Florian Philipp wrote:
> Dan Farrell wrote:
> > On Sun, 02 Sep 2007 05:12:11 -0500
> > Dale [EMAIL PROTECTED] wrote:
> >
> > > Florian Philipp wrote:
> > > > Hi list!
> > > >
> > > > I'm trying to set up my laptop as the router for my PC.
> > > > ...
> > > > My problem: As soon as I set up eth0 with
> > > >
> > > > ifconfig 192.168.1.1 netmask 255.255.255.0 eth0
> > > >
> > > > ppp0 is no longer used.
> > >
> > > I do this too and I have this in my /etc/conf.d/net file on the one
> > > that connects to the internet.
> > >
> > > gateway=ppp0
> > >
> > > You may want to try that.
> > >
> > > Dale
> >
> > Yes, this is your problem Florian. You need to make sure the default
> > route is not set to eth0, which will probably be done automatically
> > for eth0 when you bring it up. In other words, follow Dale's advice.
>
> Thanks! At least they can ping each other now but routing still doesn't
> work: Destination host unreachable.
>
> Is there anything wrong with the server script in the howto? I've
> already tried to deactivate ipv6 on the server.

I'll attach relevant ifconfig, route and iptables -L output.

(client)

eth0      Protokoll:Ethernet  Hardware Adresse 00:1A:4D:7B:9F:1B
          inet Adresse:10.8.0.2  Bcast:10.8.0.255  Maske:255.255.255.0
          inet6 Adresse: fe80::21a:4dff:fe7b:9f1b/64 Gültigkeitsbereich:Verbindung
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:192 errors:0 dropped:0 overruns:0 frame:0
          TX packets:538 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:1000
          RX bytes:18818 (18.3 KiB)  TX bytes:53935 (52.6 KiB)
          Interrupt:21 Basisadresse:0xa000

lo        Protokoll:Lokale Schleife
          inet Adresse:127.0.0.1  Maske:255.0.0.0
          inet6 Adresse: ::1/128 Gültigkeitsbereich:Maschine
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:55 errors:0 dropped:0 overruns:0 frame:0
          TX packets:55 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:0
          RX bytes:5221 (5.0 KiB)  TX bytes:5221 (5.0 KiB)

(server)

eth0      Link encap:Ethernet  HWaddr 00:19:B9:7A:74:31
          inet addr:10.8.0.1  Bcast:10.8.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:375 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:36156 (35.3 Kb)  TX bytes:1124 (1.0 Kb)
          Interrupt:17

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:10.129.141.215  P-t-P:10.64.64.64  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:7088 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6488 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:6071662 (5.7 Mb)  TX bytes:846226 (826.3 Kb)

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.8.0.1             anywhere
ACCEPT     all  --  anywhere             10.8.0.1
DROP       all  --  !10.8.0.1            anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

(client)

Kernel IP Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
10.8.0.0        *               255.255.255.0   U     0      0        0 eth0
link-local      *               255.255.0.0     U     1000   0        0 eth0
default         HOMER-KUBUNTU64 0.0.0.0         UG    0      0        0 eth0
default         10.8.0.1        0.0.0.0         UG    0      0        0 eth0

(server)

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.64.64.64     *               255.255.255.255 UH    0      0        0 ppp0
10.8.0.0        *               255.255.255.0   U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         10.64.64.64     0.0.0.0         UG    0      0        0 ppp0
Re: [gentoo-user] Need help with routing
On Mon, 10 Sep 2007 20:59:03 +0200
Florian Philipp [EMAIL PROTECTED] wrote:

> default         HOMER-KUBUNTU64 0.0.0.0         UG    0      0        0 eth0

What's this? I do not know if this should be here.
Re: [gentoo-user] Need help with routing
Hi,

On Mon, 10 Sep 2007 20:59:03 +0200
Florian Philipp [EMAIL PROTECTED] wrote:

> I'll attach relevant ifconfig, route and iptables -L output.

Hm, OK. This:

[snip]
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.8.0.1             anywhere
ACCEPT     all  --  anywhere             10.8.0.1
DROP       all  --  !10.8.0.1            anywhere
[snip]

is on what computer? On the server (I guess it's the router) the last
line would effectively prevent routing for the client (but I don't know
why ICMP works...). I would suggest starting without it and then setting
up proper rules -- and then setting the chain's policy to DROP (plus some
REJECT rules for proper answers).

Dan's hint is also worth investigating.

BTW: use route/ifconfig/netstat/iptables' -n switch to make analysis
easier!

-hwh
[gentoo-user] Need help with routing
Hi list!

I'm trying to set up my laptop as the router for my PC. In the end it
should look like this:

ppp0 - laptop - eth0 --- eth0 - PC

My problem: As soon as I set up eth0 with

ifconfig 192.168.1.1 netmask 255.255.255.0 eth0

ppp0 is no longer used.

I tried to follow this howto: http://gentoo-wiki.com/HOWTO_quick_routing
Re: [gentoo-user] Need help with routing
Florian Philipp wrote:
> Hi list!
>
> I'm trying to set up my laptop as the router for my PC. In the end it
> should look like this:
>
> ppp0 - laptop - eth0 --- eth0 - PC
>
> My problem: As soon as I set up eth0 with
>
> ifconfig 192.168.1.1 netmask 255.255.255.0 eth0
>
> ppp0 is no longer used.
>
> I tried to follow this howto: http://gentoo-wiki.com/HOWTO_quick_routing

I do this too and I have this in my /etc/conf.d/net file on the one that
connects to the internet.

gateway=ppp0

You may want to try that.

Dale

:-)  :-)