Gentoo Forums
problems with dnsmasq on nat router/firewall (SOLVED)
Gentoo Forums Forum Index > Networking & Security
59729
Apprentice
Joined: 21 Jun 2004
Posts: 279
Posted: Fri Nov 18, 2016 10:36 pm    Post subject: problems with dnsmasq on nat router/firewall (SOLVED)

I posted this a week ago but deleted the thread quickly, as there were some things I wanted to try. I'm still stuck.

If I set the input chain to drop, my computers or wifi access point connected to interface eno1 will not get an IP; my mobile phone says connecting -> connected -> getting IP address, but nothing happens.
With input set to accept, dnsmasq works as intended.

Complete ruleset that doesn't work below; any help appreciated, as I don't really know what to do next, since I think the corresponding ports are open (bootps/bootpc/domain @ lan-services).

Code:

nuc lappen # nft list ruleset
table ip nat {
        chain prerouting {
                type nat hook prerouting priority 0; policy accept;
                iif enp0s20u3 tcp dport 20000 dnat 192.168.0.202
        }

        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
                oif enp0s20u3 masquerade random,persistent
        }
}
table ip filter {
        chain input {
                type filter hook input priority 0; policy drop;
                ct state established,related accept
                iif lo accept
                ip protocol icmp accept
                ip saddr 192.168.0.0/24 jump lan-services
                jump public-services
        }

        chain output {
                type filter hook output priority 0; policy accept;
        }

        chain lan-services {
                tcp dport { ssh, bootps, domain, bootpc} accept
                udp dport { bootpc, domain, bootps} accept
                tcp dport 3005 accept
                udp dport { 32414, 32413, 32410, 32412} accept
        }

        chain public-services {
                tcp dport 32400 accept
        }
}
Code:

nuc lappen # ifconfig
eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.1  netmask 255.255.255.0  broadcast 192.168.0.255
        ether c0:3f:d5:62:2b:3d  txqueuelen 1000  (Ethernet)
        RX packets 50964317  bytes 31539661512 (29.3 GiB)
        RX errors 0  dropped 110523  overruns 0  frame 0
        TX packets 72698934  bytes 89371496623 (83.2 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory 0xf7c00000-f7c20000

enp0s20u3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet WANIP  netmask 255.255.240.0  broadcast WANIP
        ether XXXXXXXXXX  txqueuelen 1000  (Ethernet)
        RX packets 76074542  bytes 84999229889 (79.1 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 38776965  bytes 13502112873 (12.5 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1  (Local Loopback)
        RX packets 1471319  bytes 392972955 (374.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1471319  bytes 392972955 (374.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Last edited by 59729 on Sat Nov 19, 2016 10:18 am; edited 1 time in total
szatox
Veteran
Joined: 27 Aug 2013
Posts: 1717
Posted: Fri Nov 18, 2016 11:33 pm

Quote:
ip saddr 192.168.0.0/24 jump lan-services

DHCP requests from new clients will not match this rule because a new client doesn't have an IP yet.

If you have multiple interfaces, it would be best to simply use one of them as the local one and accept traffic based on the interface, just like you did with loopback.
If you don't, it's a bad pick for a router, but you can still try accepting packets sent from IP 0.0.0.0 to 255.255.255.255 (or a more lax rule).
brendlefly62
Tux's lil' helper
Joined: 19 Dec 2009
Posts: 93
Posted: Sat Nov 19, 2016 3:01 am

Did you do this?

Code:
echo 1 > /proc/sys/net/ipv4/ip_forward


Much more help here: https://wiki.gentoo.org/wiki/Home_Router

cheers
59729
Apprentice
Joined: 21 Jun 2004
Posts: 279
Posted: Sat Nov 19, 2016 10:15 am

brendlefly62 wrote:
Did you do this?

Code:
echo 1 > /proc/sys/net/ipv4/ip_forward


Much more help here: https://wiki.gentoo.org/wiki/Home_Router

cheers

Yup

szatox wrote:
Quote:
ip saddr 192.168.0.0/24 jump lan-services

DHCP requests from new clients will not match this rule because a new client doesn't have an IP yet.

If you have multiple interfaces, it would be best to simply use one of them as the local one and accept traffic based on the interface, just like you did with loopback.
If you don't, it's a bad pick for a router, but you can still try accepting packets sent from IP 0.0.0.0 to 255.255.255.255 (or a more lax rule).

Finally it works, and a great explanation why, thank you :)
Code:
iif eno1 jump lan-services
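Added example, not code from the thread or from the nftables project: a small Python model of the input chain as posted, walked against constructed packets, to make szatox's explanation and 59729's final fix concrete. A DHCP DISCOVER leaves the client with source 0.0.0.0 and destination 255.255.255.255, so it never matches `ip saddr 192.168.0.0/24`, while `iif eno1` matches it because it arrives on the LAN interface. The Packet class, the chain functions and the sample addresses (203.0.113.9, 198.51.100.20 standing in for the WAN side) are assumptions made for the simulation; the port sets mirror the posted ruleset.

```python
"""Toy walk of the thread's nftables `input` chain (policy drop) against
constructed packets. Hypothetical simulation, not the kernel's nft engine."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("192.168.0.0/24")   # from the posted ruleset
LAN_IF = "eno1"                           # LAN interface per ifconfig output
WAN_IF = "enp0s20u3"                      # WAN interface per ifconfig output
SSH, DOMAIN, BOOTPS, BOOTPC = 22, 53, 67, 68


@dataclass(frozen=True)
class Packet:
    """Only the header fields the chains look at (constructed, hypothetical)."""
    iif: str
    proto: str          # "udp", "tcp" or "icmp"
    saddr: str
    daddr: str
    sport: int = 0
    dport: int = 0
    ct_new: bool = True  # False once conntrack already knows the flow


def lan_services(pkt):
    """Mirror of chain lan-services; returns a verdict or None (fall through)."""
    if pkt.proto == "tcp" and pkt.dport in {SSH, BOOTPS, DOMAIN, BOOTPC, 3005}:
        return "accept"
    if pkt.proto == "udp" and pkt.dport in {BOOTPC, DOMAIN, BOOTPS, 32414, 32413, 32410, 32412}:
        return "accept"
    return None


def public_services(pkt):
    """Mirror of chain public-services."""
    if pkt.proto == "tcp" and pkt.dport == 32400:
        return "accept"
    return None


def input_chain(pkt, match_lan_by_interface):
    """Walk chain input top to bottom. The flag chooses between the original
    `ip saddr 192.168.0.0/24 jump lan-services` and the fix `iif eno1 jump lan-services`."""
    if not pkt.ct_new:
        return "accept"                       # ct state established,related accept
    if pkt.iif == "lo":
        return "accept"                       # iif lo accept
    if pkt.proto == "icmp":
        return "accept"                       # ip protocol icmp accept
    if match_lan_by_interface:
        lan_match = pkt.iif == LAN_IF         # iif eno1 jump lan-services
    else:
        lan_match = ip_address(pkt.saddr) in LAN_NET  # ip saddr 192.168.0.0/24 jump lan-services
    if lan_match:
        verdict = lan_services(pkt)
        if verdict is not None:
            return verdict
    verdict = public_services(pkt)            # jump public-services
    if verdict is not None:
        return verdict
    return "drop"                             # chain policy drop


# Constructed sample traffic (not captured from the poster's network).
SAMPLES = {
    # New client with no lease yet: DHCP DISCOVER, 0.0.0.0:68 -> 255.255.255.255:67
    "dhcp_discover": Packet(LAN_IF, "udp", "0.0.0.0", "255.255.255.255", BOOTPC, BOOTPS),
    # Client that already has a lease asking dnsmasq to resolve a name
    "lan_dns_query": Packet(LAN_IF, "udp", "192.168.0.50", "192.168.0.1", 40000, DOMAIN),
    # Unsolicited connection from the WAN side to ssh
    "wan_ssh": Packet(WAN_IF, "tcp", "203.0.113.9", "198.51.100.20", 50000, SSH),
    # Connection from the WAN side to the one published port
    "wan_32400": Packet(WAN_IF, "tcp", "203.0.113.9", "198.51.100.20", 50001, 32400),
}


def evaluate_all(match_lan_by_interface):
    """Verdict for every sample packet under the chosen lan-services rule."""
    return {name: input_chain(p, match_lan_by_interface) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, flag in (("saddr rule (original)", False), ("iif rule (fix)", True)):
        print(label, evaluate_all(flag))
```

The original rule drops `dhcp_discover` and the fixed rule accepts it, while the DNS query and both WAN packets get the same verdict either way, which is exactly the symptom in the first post: clients that already hold a lease keep working, new ones never get past the DISCOVER.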