Gentoo Forums :: Networking & Security
[Solved thanks to Hu and Mokia] Simple routing question.
ispano (n00b, joined 18 Jul 2010, 13 posts) on Sun Jul 18, 2010 1:46 am:

I recently set up a Linux router running on a Mini-ITX Atom board; it took some time figuring out iptables and such, but everything works fine. Well, except for one thing. Prior to this I was using a Linksys router with DD-WRT and a Motorola SB6120 cable modem. As I'm sure some of you know, the SB6120 has an IP of 192.168.100.1, which I was able to access through the Linksys without issue. However, with my Gentoo box in between instead, that no longer works. I was just curious if I had to add a route or whatnot; currently trying to google the answer as well.

The Setup is like so:
Internet
|
SB6120 - Config IP of 192.168.100.1 <-- Cannot access this through the router.
|
eth0 - DHCP
Gentoo Box
eth1 - 192.168.0.1
|
LAN

Hopefully that makes some semblance of sense

Thanks for any advice you can provide


Last edited by ispano on Sun Jul 18, 2010 8:34 pm; edited 1 time in total

dmpogo (Advocate, joined 02 Sep 2004, 2835 posts, Canada) on Sun Jul 18, 2010 2:39 am:

What is your DHCP server? One would think one wants to have your computer on the same subnet as the internal interface of your router, i.e. on 192.168.100.something.

ispano (n00b, joined 18 Jul 2010, 13 posts) on Sun Jul 18, 2010 2:52 am:

Err, the modem itself has an IP of 192.168.100.1; this is used to view signal levels and the like. Then that's connected to eth0 on my router, which has dhcp running to pull an IP from Comcast. Then the router has a DHCP server running on eth1, which itself has an IP of 192.168.0.1, and gives out addresses from 192.168.0.100 to 192.168.0.150.

This is the same setup I had with DD-WRT on the Linksys; however, I was able to access the web interface on 192.168.100.1 with the Linksys, not so with my current setup.
Maybe I'm missing a route, or maybe my iptables setup is blocking it, I don't really know. But I'm trying to figure it out.

dmpogo (Advocate, joined 02 Sep 2004, 2835 posts, Canada) on Sun Jul 18, 2010 3:00 am:

ispano wrote:
Err, the modem itself has an IP of 192.168.100.1; this is used to view signal levels and the like. Then that's connected to eth0 on my router, which has dhcp running to pull an IP from Comcast. Then the router has a DHCP server running on eth1, which itself has an IP of 192.168.0.1, and gives out addresses from 192.168.0.100 to 192.168.0.150.

This is the same setup I had with DD-WRT on the Linksys; however, I was able to access the web interface on 192.168.100.1 with the Linksys, not so with my current setup.
Maybe I'm missing a route, or maybe my iptables setup is blocking it, I don't really know. But I'm trying to figure it out.

OK, got it. Can you access 192.168.100.1 from your router? Could you also print the output of "route -n"?

ispano (n00b, joined 18 Jul 2010, 13 posts) on Sun Jul 18, 2010 3:09 am:

Yes I can, but since there's no GUI (haven't tried webmin or anything), all I can use is links, in which I can't change sections and such.

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
75.70.160.0     0.0.0.0         255.255.248.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         75.70.160.1     0.0.0.0         UG    0      0        0 eth0

Edit: Ugh that looks like crap, lemme see if I can clean it up some

dmpogo (Advocate, joined 02 Sep 2004, 2835 posts, Canada) on Sun Jul 18, 2010 3:12 am:

ispano wrote:
Yes I can, but since there's no GUI (haven't tried webmin or anything), all I can use is links, in which I can't change sections and such.

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
75.70.160.0     0.0.0.0         255.255.248.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         75.70.160.1     0.0.0.0         UG    0      0        0 eth0

Edit: Ugh that looks like crap, lemme see if I can clean it up some

Yep. What's your eth0 IP, BTW?

ispano (n00b, joined 18 Jul 2010, 13 posts) on Sun Jul 18, 2010 3:14 am:

75.70.165.155

dmpogo (Advocate, joined 02 Sep 2004, 2835 posts, Canada) on Sun Jul 18, 2010 3:16 am:

ispano wrote:
75.70.165.155

Where did that come from? Shouldn't it be one of 192.168.100.xxx, since it is on the same subnet as the modem?

Oh, sorry, your modem is not a router! I am getting confused about what the 192.168.100.1 device is; how many interfaces does your modem have?


Last edited by dmpogo on Sun Jul 18, 2010 3:20 am; edited 1 time in total

ispano (n00b, joined 18 Jul 2010, 13 posts) on Sun Jul 18, 2010 3:19 am:

You know, the first time I dealt with cable here, I thought the same thing. The modem acts as a bridge, pretty much; that IP is only to check signal levels and logs. The modem itself does not have a DHCP server or anything of the like; that's all done on Comcast's end, and as a bridge, it, well, bridges? If it was all on the same subnet already, I don't think I'd have this issue.

ispano (n00b, joined 18 Jul 2010, 13 posts) on Sun Jul 18, 2010 3:26 am:

Ok, sorry for the confusion, let's see if I can detail this a bit better.

Comcast - The ISP (and assholes, mind you)
|
Motorola SB6120 - This has a coax connection for the connection to Comcast and 1 Ethernet port; it basically bridges the two connections. It also has the 192.168.100.1 IP, used to check levels/etc.
|
Gentoo Router Box - eth0 connects to the Ethernet port of the modem, while eth1 connects to the switch on my LAN. eth0 is set to DHCP and is pulling 75.70.165.155 at this time. eth1 is set statically to 192.168.0.1 and gives out IPs from 192.168.0.100 - 192.168.0.150. It also has an IP of 192.168.1.1 which I use for other purposes, and shouldn't matter here.

Think of the modem kind of like a wireless access point, where they have an IP for themselves, but traffic just passes through unobstructed, so the IP can be on a different subnet and not affect the functionality of the device.

Maybe that will help understand :o

dmpogo (Advocate, joined 02 Sep 2004, 2835 posts, Canada) on Sun Jul 18, 2010 5:18 am:

Yep, I got it, need to think :)

mokia (n00b, joined 01 Feb 2010, 63 posts, Hungary) on Sun Jul 18, 2010 8:14 am:

You need iptables PREROUTING.
Code:
iptables -t nat -A PREROUTING -d [IP] -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.100.1:80
And you can access the modem from every computer on your subnet (except the router) by typing IP in the web browser.
IP cannot be a part of your subnet.
For example:
subnet 192.168.1.0
IP 192.168.1.100 will not work
IP 10.0.1.1 will work
IP some public IP address will work too

Hu (Moderator, joined 06 Mar 2007, 15977 posts) on Sun Jul 18, 2010 4:15 pm:

mokia wrote:
You need iptables PREROUTING.
Code:
iptables -t nat -A PREROUTING -d [IP] -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.100.1:80
And you can access the modem from every computer on your subnet (except the router) by typing IP in the web browser.
IP cannot be a part of your subnet.
For example:
subnet 192.168.1.0
IP 192.168.1.100 will not work
IP 10.0.1.1 will work
IP some public IP address will work too

This feels like a bad idea. Home routers are often not set up to handle malicious users, and your rule does not appear to prevent someone on the outside from leveraging this rule to reflect their connection back to the router.

OP: what do you mean that you cannot connect from internal hosts to the router? What is the error code from connect? Is the connection reaching the router and then being refused, or is it not reaching the router at all?

mokia (n00b, joined 01 Feb 2010, 63 posts, Hungary) on Sun Jul 18, 2010 4:37 pm:

It is not a router, it is a modem, and you cannot edit anything on the site.
It displays information about the physical layer of the connection (not even details about your traffic).

ispano (n00b, joined 18 Jul 2010, 13 posts) on Sun Jul 18, 2010 5:33 pm:

>.< Whee

Ok, my router is this: http://www.newegg.com/Product/Product.aspx?Item=N82E16813182233 running Gentoo, set up with iptables. I will admit I'm no master at iptables; it's something new I'm delving into.
The modem is a Motorola SB6120, which, like mokia says, has a page to view signal levels and logs, not much else. It has an IP of 192.168.100.1 to access said page. If I'm directly connected to the modem, it works fine. When I was using my Linksys WRT-310N with DD-WRT it allowed me to access this IP from inside the router, so it was working there as well. Now my current setup has eth0 of the board listed above as the WAN, set to whatever IP Comcast gives it, routing to eth1, which has two IPs, 192.168.0.1 and 192.168.1.1, which I use for internal network file transfers (I can explain this if need be). However, I now cannot access 192.168.100.1 from inside the router, like I could with the Linksys. I'm thinking it's an iptables setting I have that's blocking it, but again I'm unsure.

These are all the commands I have run for iptables:
Code:
# First we flush our current rules
iptables -F
iptables -t nat -F

# Setup default policies to handle unmatched traffic
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Copy and paste these examples ...
export WAN=eth0
export LAN=eth1

# Then we lock our services so they only work from the LAN
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT

# Allow access to our ssh/www server from the WAN
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport www -i ${WAN} -j ACCEPT

# Drop TCP / UDP packets to privileged ports
iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP

# Finally we add the rules for NAT
iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

# SSH Brute Force Protection
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 5 --rttl --name SSH -j DROP

# Port Forwarding
# uTorrent
iptables -t nat -A PREROUTING -p tcp --dport 49240 -i ${WAN} -j DNAT --to 192.168.0.12
iptables -t nat -A PREROUTING -p udp --dport 49240 -i ${WAN} -j DNAT --to 192.168.0.12
# VNC
iptables -t nat -A PREROUTING -p tcp --dport 5900 -i ${WAN} -j DNAT --to 192.168.0.12

# This is so when we boot we don't have to run the rules by hand
/etc/init.d/iptables save


You can probably tell, most of this is from the Gentoo Home Router Guide.

Sorry to bother you all! But thanks for the help.

Oh right, I tried that command with a few different IPs, mokia. Didn't work for me, but I do appreciate the help.

gentoo_ram (Guru, joined 25 Oct 2007, 418 posts, San Diego, California USA) on Sun Jul 18, 2010 5:37 pm:

On the Linux box try:
Code:
route add -host 192.168.100.1 eth0

ispano (n00b, joined 18 Jul 2010, 13 posts) on Sun Jul 18, 2010 5:40 pm:

No good, would it help to toss a second IP onto the WAN interface? Something on the same subnet as the modem? Like 192.168.100.100 for example.

dmpogo (Advocate, joined 02 Sep 2004, 2835 posts, Canada) on Sun Jul 18, 2010 5:58 pm:

I have not played with iptables for a while, but I remember them having a 'verbose' or 'debug' mode where they log all the actions, so that you can see if any packets destined to 192.168.1.100 are dropped.

mokia (n00b, joined 01 Feb 2010, 63 posts, Hungary) on Sun Jul 18, 2010 6:29 pm:

What have you inserted, and did it show up in the iptables-save output in the nat table?
Like this:
Code:
host mokia # iptables-save
# Generated by iptables-save v1.4.6 on Sun Jul 18 20:08:36 2010
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport xxxx -j DNAT --to-destination 127.0.0.1:80
-A PREROUTING -d 10.0.1.100/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.100.1:80   <- this line
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
COMMIT

ispano (n00b, joined 18 Jul 2010, 13 posts) on Sun Jul 18, 2010 7:06 pm:

This is before using the command:
Code:
# Generated by iptables-save v1.4.6 on Sun Jul 18 07:03:12 2010
*nat
:PREROUTING ACCEPT [10329:876380]
:POSTROUTING ACCEPT [8249:956756]
:OUTPUT ACCEPT [74:11634]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 49240 -j DNAT --to-destination 192.168.0.12
-A PREROUTING -i eth0 -p udp -m udp --dport 49240 -j DNAT --to-destination 192.168.0.12
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 192.168.0.12
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Sun Jul 18 07:03:12 2010
# Generated by iptables-save v1.4.6 on Sun Jul 18 07:03:12 2010
*mangle
:PREROUTING ACCEPT [161595311:112689267679]
:INPUT ACCEPT [1257335:303683850]
:FORWARD ACCEPT [160283041:112376610940]
:OUTPUT ACCEPT [794822:130549793]
:POSTROUTING ACCEPT [161102470:112508807474]
COMMIT
# Completed on Sun Jul 18 07:03:12 2010
# Generated by iptables-save v1.4.6 on Sun Jul 18 07:03:12 2010
*filter
:INPUT ACCEPT [326:42359]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1999:139715]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT ! -i eth1 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
-A INPUT ! -i eth1 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT ! -i eth1 -p tcp -m tcp --dport 0:1023 -j DROP
-A INPUT ! -i eth1 -p udp -m udp --dport 0:1023 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 5 --rttl --name SSH --rsource -j DROP
-A FORWARD -d 192.168.0.0/16 -i eth1 -j DROP
-A FORWARD -s 192.168.0.0/16 -i eth1 -j ACCEPT
-A FORWARD -d 192.168.0.0/16 -i eth0 -j ACCEPT
COMMIT
# Completed on Sun Jul 18 07:03:12 2010

This is after:

Code:
# Generated by iptables-save v1.4.6 on Sun Jul 18 07:05:14 2010
*nat
:PREROUTING ACCEPT [3:154]
:POSTROUTING ACCEPT [4:439]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 49240 -j DNAT --to-destination 192.168.0.12
-A PREROUTING -i eth0 -p udp -m udp --dport 49240 -j DNAT --to-destination 192.168.0.12
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 192.168.0.12
-A PREROUTING -d 10.0.1.1/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.100.1:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Sun Jul 18 07:05:14 2010
# Generated by iptables-save v1.4.6 on Sun Jul 18 07:05:14 2010
*mangle
:PREROUTING ACCEPT [161731831:112783335588]
:INPUT ACCEPT [1257839:303738986]
:FORWARD ACCEPT [160419057:112470623713]
:OUTPUT ACCEPT [795058:130577011]
:POSTROUTING ACCEPT [161238373:112602550425]
COMMIT
# Completed on Sun Jul 18 07:05:14 2010
# Generated by iptables-save v1.4.6 on Sun Jul 18 07:05:14 2010
*filter
:INPUT ACCEPT [5:409]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [91:9729]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT ! -i eth1 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
-A INPUT ! -i eth1 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT ! -i eth1 -p tcp -m tcp --dport 0:1023 -j DROP
-A INPUT ! -i eth1 -p udp -m udp --dport 0:1023 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 5 --rttl --name SSH --rsource -j DROP
-A FORWARD -d 192.168.0.0/16 -i eth1 -j DROP
-A FORWARD -s 192.168.0.0/16 -i eth1 -j ACCEPT
-A FORWARD -d 192.168.0.0/16 -i eth0 -j ACCEPT
COMMIT
# Completed on Sun Jul 18 07:05:14 2010

Hu (Moderator, joined 06 Mar 2007, 15977 posts) on Sun Jul 18, 2010 7:19 pm:

ispano wrote:

# Generated by iptables-save v1.4.6 on Sun Jul 18 07:03:12 2010
*filter
:FORWARD DROP [0:0]
-A FORWARD -d 192.168.0.0/16 -i eth1 -j DROP
-A FORWARD -s 192.168.0.0/16 -i eth1 -j ACCEPT
-A FORWARD -d 192.168.0.0/16 -i eth0 -j ACCEPT
COMMIT
# Completed on Sun Jul 18 07:03:12 2010
Perhaps you should not drop traffic that you want to work? ;) You said the modem is at a 192.168.x.x address, yet your first rule in the FORWARD chain is to drop any internal traffic going to 192.168.x.x addresses.

mokia (n00b, joined 01 Feb 2010, 63 posts, Hungary) on Sun Jul 18, 2010 7:33 pm:

In addition to the previous rules, insert:
Code:
iptables -A FORWARD -d 192.168.100.1/32 -i eth2 -j ACCEPT

Edit:
Looks like I wasted too much time with testing. XD

Edit again!
Sorry, not -A! And not eth2. The rule is:
Code:
iptables -I FORWARD -d 192.168.100.1/32 -i eth1 -j ACCEPT
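The first-match behaviour behind Hu's diagnosis (the guide's `-I FORWARD -i eth1 -d 192.168.0.0/16 -j DROP` sits at position 1 and swallows 192.168.100.1), why mokia's corrected rule has to be an `-I` rather than an `-A`, and Hu's earlier objection to the unscoped DNAT rule can all be checked without touching a live router. What follows is an added example written for this page, not code from the thread or from the Gentoo Home Router Guide: a small Python model of a netfilter chain that supports only the matches the thread's rules use (`-i`, `-s`, `-d`, `-p`, `--dport`) and ignores connection tracking. The packets are constructed, not captured, and the `[IP]` placeholder in mokia's DNAT rule is assumed to be the router's own WAN address 75.70.165.155.

```python
"""First-match model of the filter/FORWARD and nat/PREROUTING chains from
this thread. Added example, not thread code. Only -i/-s/-d/-p/--dport are
modelled; conntrack and routing are ignored, so this shows rule ORDER."""
from ipaddress import ip_address, ip_network


class Rule:
    """One iptables rule, reduced to the matches used in the thread."""

    def __init__(self, target, iface=None, src=None, dst=None,
                 proto=None, dport=None, to=None):
        self.target = target                           # ACCEPT, DROP or DNAT
        self.iface = iface                             # -i
        self.src = ip_network(src) if src else None    # -s
        self.dst = ip_network(dst) if dst else None    # -d
        self.proto = proto                             # -p
        self.dport = dport                             # --dport
        self.to = to                                   # --to-destination

    def matches(self, pkt):
        return ((self.iface is None or pkt["iface"] == self.iface)
                and (self.src is None or ip_address(pkt["src"]) in self.src)
                and (self.dst is None or ip_address(pkt["dst"]) in self.dst)
                and (self.proto is None or pkt.get("proto") == self.proto)
                and (self.dport is None or pkt.get("dport") == self.dport))


def first_match(chain, pkt):
    """netfilter semantics: the first matching rule decides; None means policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule
    return None


def forward_verdict(chain, pkt):
    """Verdict of filter/FORWARD, whose policy in the thread is DROP."""
    rule = first_match(chain, pkt)
    return rule.target if rule else "DROP"


def apply_dnat(chain, pkt):
    """nat/PREROUTING: copy of pkt with dst/dport rewritten if a DNAT rule matches."""
    rule = first_match(chain, pkt)
    if rule is None or rule.target != "DNAT":
        return dict(pkt)
    host, port = rule.to.rsplit(":", 1)
    return dict(pkt, dst=host, dport=int(port))


# filter/FORWARD exactly as ispano's iptables-save listed it: the guide's
# "-I ... -j DROP" landed at position 1, the two "-A ... -j ACCEPT" after it.
FORWARD = [
    Rule("DROP", iface="eth1", dst="192.168.0.0/16"),
    Rule("ACCEPT", iface="eth1", src="192.168.0.0/16"),
    Rule("ACCEPT", iface="eth0", dst="192.168.0.0/16"),
]

# mokia's fix, once appended (-A) and once inserted at position 1 (-I).
MODEM_ACCEPT = Rule("ACCEPT", iface="eth1", dst="192.168.100.1/32")
FORWARD_APPENDED = FORWARD + [MODEM_ACCEPT]
FORWARD_INSERTED = [MODEM_ACCEPT] + FORWARD

# mokia's DNAT as posted (no -i) and the same rule limited to the LAN side.
# Assumption: the "[IP]" placeholder is the router's own WAN address.
WAN_IP = "75.70.165.155"
PREROUTING_AS_POSTED = [
    Rule("DNAT", dst=WAN_IP + "/32", proto="tcp", dport=80, to="192.168.100.1:80"),
]
PREROUTING_LAN_ONLY = [
    Rule("DNAT", iface="eth1", dst=WAN_IP + "/32", proto="tcp", dport=80,
         to="192.168.100.1:80"),
]

# Constructed packets (not captures): LAN host to the modem page, LAN host to
# another private address, LAN host to the Internet, outside host to [IP].
LAN_TO_MODEM = dict(iface="eth1", src="192.168.0.12", dst="192.168.100.1", proto="tcp", dport=80)
LAN_TO_PRIVATE = dict(iface="eth1", src="192.168.0.12", dst="192.168.5.7", proto="tcp", dport=80)
LAN_TO_INTERNET = dict(iface="eth1", src="192.168.0.12", dst="198.51.100.10", proto="tcp", dport=443)
WAN_TO_DNAT_IP = dict(iface="eth0", src="203.0.113.9", dst=WAN_IP, proto="tcp", dport=80)


if __name__ == "__main__":
    print("as posted, LAN -> modem:   ", forward_verdict(FORWARD, LAN_TO_MODEM))
    print("with the -A fix:           ", forward_verdict(FORWARD_APPENDED, LAN_TO_MODEM))
    print("with the -I fix:           ", forward_verdict(FORWARD_INSERTED, LAN_TO_MODEM))
    print("-I fix, LAN -> 192.168.5.7:", forward_verdict(FORWARD_INSERTED, LAN_TO_PRIVATE))
    reflected = apply_dnat(PREROUTING_AS_POSTED, WAN_TO_DNAT_IP)
    print("outside -> [IP], no -i:    ", reflected["dst"], forward_verdict(FORWARD, reflected))
    print("outside -> [IP], -i eth1:  ", apply_dnat(PREROUTING_LAN_ONLY, WAN_TO_DNAT_IP)["dst"])
```

The first three lines of output show the DROP, the ineffective `-A`, and the working `-I`; the fourth shows that the guide's DROP still blocks other 192.168.x.x destinations once the /32 ACCEPT sits above it, which is the reason to insert the narrow rule rather than delete the broad one. The last two lines show Hu's concern at the rule level: with no `-i`, the DNAT rule rewrites a packet arriving on eth0 as readily as one from eth1, and ispano's FORWARD chain then accepts the rewritten packet through its third rule (anything from eth0 to 192.168.0.0/16). Whether such a packet actually reaches eth0 depends on what the upstream routes to that address, which the rule itself does not check. The same first-match reading applies to ispano's INPUT chain: the unconditional ACCEPT on eth0 port 22 precedes the two `-m recent` rules, so the SSH rate limit never sees a packet.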

ispano (n00b, joined 18 Jul 2010, 13 posts) on Sun Jul 18, 2010 7:54 pm:

Hu wrote:
ispano wrote:

# Generated by iptables-save v1.4.6 on Sun Jul 18 07:03:12 2010
*filter
:FORWARD DROP [0:0]
-A FORWARD -d 192.168.0.0/16 -i eth1 -j DROP
-A FORWARD -s 192.168.0.0/16 -i eth1 -j ACCEPT
-A FORWARD -d 192.168.0.0/16 -i eth0 -j ACCEPT
COMMIT
# Completed on Sun Jul 18 07:03:12 2010
Perhaps you should not drop traffic that you want to work? ;) You said the modem is at a 192.168.x.x address, yet your first rule in the FORWARD chain is to drop any internal traffic going to 192.168.x.x addresses.


That was the one. Taking that out lets it get through fine. Just one question: is there a reason you'd normally use a rule like that? I haven't had a lot of free time to tweak the settings and learn iptables more in depth; for the most part I just used what was in the Gentoo Home Router Guide. http://www.gentoo.org/doc/en/home-router-howto.xml

This is the part of the guide I got most of the chains from.

Code:
Code Listing 5.2: Setting up iptables

First we flush our current rules
# iptables -F
# iptables -t nat -F

Setup default policies to handle unmatched traffic
# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD DROP

Copy and paste these examples ...
# export LAN=eth0
# export WAN=eth1

Then we lock our services so they only work from the LAN
# iptables -I INPUT 1 -i ${LAN} -j ACCEPT
# iptables -I INPUT 1 -i lo -j ACCEPT
# iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
# iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT

(Optional) Allow access to our ssh server from the WAN
# iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT

Drop TCP / UDP packets to privileged ports
# iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
# iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP

Finally we add the rules for NAT
# iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP
# iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT
# iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT
# iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

Tell the kernel that ip forwarding is OK
# echo 1 > /proc/sys/net/ipv4/ip_forward
# for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

This is so when we boot we don't have to run the rules by hand
# /etc/init.d/iptables save
# rc-update add iptables default
# nano /etc/sysctl.conf
Add/Uncomment the following lines:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1

If you have a dynamic internet address you probably want to enable this:
net.ipv4.ip_dynaddr = 1


Thanks for the help. *bows*

mokia (n00b, joined 01 Feb 2010, 63 posts, Hungary) on Sun Jul 18, 2010 8:12 pm:

You did not delete this rule, right?
Code:
-A FORWARD -d 192.168.0.0/16 -i eth1 -j DROP

"is there a reason you'd normally use a rule like that?"
YES

ispano (n00b, joined 18 Jul 2010, 13 posts) on Sun Jul 18, 2010 8:28 pm:

I took it out to see if it was the reason I was having an issue. But until I know it's safe to completely remove it, I'll just disable it when I need access to the modem.

Page 1 of 2