I have an old Debian box and I've been trying to use it as a router for a while with no success. My cabling:
[modem] --- [debian] --- [switch] ----- other computers {LAN}
All cables are straight-forward RJ-45. My 'other computers' include two Gentoo boxes.
My Gentoo box (client) /etc/conf.d/net:
Code:
# eth0 takes its address from the router's DHCP server, but the lease is not
# allowed to overwrite resolv.conf, ntp or nis settings
config_eth0=( "dhcp" )
dhcp_eth0="nodns nontp nonis"
# default route via the Debian box's LAN address
routes_eth0=( "default via 192.168.1.1" )
In Debian box /etc/network/interfaces
Code:
auto lo
iface lo inet loopback

# WAN: PPPoE over eth0, peer settings in /etc/ppp/peers/dsl. The IP interface
# this brings up is ppp0; eth0 itself only carries the PPPoE frames and has no
# IP address
auto eth0
iface eth0 inet ppp
    provider dsl
    pre-up /sbin/ifconfig eth0 up

# LAN
auto eth1
iface eth1 inet static
    address 192.168.1.1
    netmask 255.255.255.0
I've tried setting the server's iptables firewall as follows (taken from
http://www.gentoo.org/doc/en/home-router-howto.xml)
Code:
First we flush our current rules
# iptables -F
# iptables -t nat -F
Setup default policies to handle unmatched traffic
# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD DROP
Copy and paste these examples ...
With PPPoE the IP traffic leaves over ppp0, not eth0 (eth0 only carries the PPPoE frames), so WAN has to be ppp0, otherwise the MASQUERADE and the -i ${WAN} rules below never match anything
# export LAN=eth1
# export WAN=ppp0
Then we lock our services so they only work from the LAN
# iptables -I INPUT 1 -i ${LAN} -j ACCEPT
# iptables -I INPUT 1 -i lo -j ACCEPT
# iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT
# iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT
(Optional) Allow access to our ssh server from the WAN
# iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT
Drop TCP / UDP packets to privileged ports
(note that with INPUT policy ACCEPT anything listening above port 1023 is still reachable from the WAN; a DROP policy with explicit accepts is the safer shape)
# iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
# iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
Finally we add the rules for NAT
# iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP
# iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT
Only forward replies to connections the LAN opened; the howto's rule (-i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT) has no state match and forwards anything that arrives on the WAN side for a 192.168.x.x address
# iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
Also I've done the following (router), also from
http://www.gentoo.org/doc/en/home-router-howto.xml:
Code:
Tell the kernel that ip forwarding is OK
# echo 1 > /proc/sys/net/ipv4/ip_forward
# for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
This is so when we boot we don't have to run the rules by hand
(these two are Gentoo/OpenRC commands and don't exist on Debian; the Debian equivalent is iptables-save > /etc/iptables.rules plus a "pre-up iptables-restore < /etc/iptables.rules" line in /etc/network/interfaces)
# /etc/init.d/iptables save
# rc-update add iptables default
# nano /etc/sysctl.conf
Add/Uncomment the following lines:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
If you have a dynamic internet address you probably want to enable this:
net.ipv4.ip_dynaddr = 1
After running /etc/init.d/networking restart on the router, its ifconfig says:
Code:
eth0 Link encap:Ethernet HWaddr 00:0E:2E:8E:B1:AC
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:378 errors:0 dropped:0 overruns:0 frame:0
TX packets:406 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:44997 (43.9 KiB) TX bytes:35668 (34.8 KiB)
Interrupt:5 Base address:0xb800
eth1 Link encap:Ethernet HWaddr 00:E0:29:0F:5E:68
inet addr:192.168.1.1 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:184 (184.0 b) TX bytes:0 (0.0 b)
Interrupt:5 Base address:0x8000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:560 (560.0 b) TX bytes:560 (560.0 b)
ppp0 Link encap:Point-to-Point Protocol
inet addr:some-ip P-t-P:10.10.9.7 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:52 errors:0 dropped:0 overruns:0 frame:0
TX packets:74 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:7962 (7.7 KiB) TX bytes:5392 (5.2 KiB)
I've tried both dnsmasq and dhcp on the router.
/etc/dnsmasq.conf:
Code:
# the pool must lie inside eth1's own subnet (192.168.1.0/24); with 192.168.0.x
# here dnsmasq has no range it can serve on eth1 and hands out no leases
dhcp-range=192.168.1.100,192.168.1.250,72h
interface=eth1
domain-needed
bogus-priv
and /etc/dhcpd.conf:
Code:
# dhcpd also has to be told which interface to listen on
# (Debian: INTERFACES="eth1" in /etc/default/dhcp or /etc/default/dhcp3-server)
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.10 192.168.1.99;
  # clients get the router as resolver; something (e.g. dnsmasq) must answer DNS on 192.168.1.1
  option domain-name-servers 192.168.1.1;
  #option netbios-name-servers 192.168.1.110;
  option routers 192.168.1.1;
}
In /var/log/messages I cannot see anything DHCP-related like "DHCPREQUEST" or the like.
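A consistency check of the kind that catches the problems visible in this post before any cable is touched: a DHCP pool that is not on the same /24 as the LAN interface it is served from, and a FORWARD rule that accepts WAN-side traffic without a connection-state match. This is an added example written by the editor, not code from the post or from the Gentoo howto. The inputs are constructed from the configuration quoted above; the WAN interface is taken as ppp0 (the PPPoE session, where the IP traffic actually flows), and the hardened rule set that replaces the stateless accept is the editor's suggestion, not something the post contains.

```python
"""Consistency lint for a two-NIC Linux NAT router (added example).

Cross-checks the LAN address from /etc/network/interfaces against the DHCP pools
served on that interface, and flags FORWARD ACCEPT rules for packets arriving on
the WAN interface that carry no state match. Nothing is read from disk: every
input below is a constructed sample taken from the configuration quoted above.
"""
import ipaddress
import re
import shlex

# Constructed sample input: the LAN stanza, both DHCP server configs, and the
# FORWARD/NAT rules with ${LAN}=eth1 and ${WAN}=ppp0 already expanded.
INTERFACES = """\
auto eth1
iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0
"""
DNSMASQ_CONF = "dhcp-range=192.168.0.100,192.168.0.250,72h\ninterface=eth1\n"
DHCPD_CONF = """\
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.10 192.168.1.99;
  option routers 192.168.1.1;
}
"""
POSTED_RULES = """\
iptables -I FORWARD -i eth1 -d 192.168.0.0/255.255.0.0 -j DROP
iptables -A FORWARD -i eth1 -s 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -A FORWARD -i ppp0 -d 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
"""
# Editor's hardened variant: only replies to LAN-originated connections come back in.
HARDENED_RULES = POSTED_RULES.replace(
    "-i ppp0 -d 192.168.0.0/255.255.0.0 -j ACCEPT",
    "-i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT")


def parse_interfaces(text):
    """Return {iface: {option: value}} for the stanzas of an interfaces(5) file."""
    stanzas, current = {}, None
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "iface":
            current = words[1]
            stanzas[current] = {"method": words[3]}
        elif current and words[0] in ("address", "netmask", "broadcast", "gateway"):
            stanzas[current][words[0]] = words[1]
    return stanzas


def lan_interface(stanzas, name):
    """The LAN address and mask as an IPv4Interface (dotted netmask accepted)."""
    cfg = stanzas[name]
    return ipaddress.IPv4Interface(f"{cfg['address']}/{cfg['netmask']}")


def dnsmasq_pool(text):
    """(start, end) of the first dhcp-range= line in dnsmasq.conf."""
    m = re.search(r"^dhcp-range=([\d.]+),([\d.]+)", text, re.M)
    return ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))


def dhcpd_pool(text):
    """(start, end) of the first 'range' statement in dhcpd.conf."""
    m = re.search(r"^\s*range\s+([\d.]+)\s+([\d.]+)\s*;", text, re.M)
    return ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))


def check_pool(lan, start, end):
    """Problems with a DHCP pool relative to the LAN interface it is served on."""
    if start > end:
        return [f"pool {start}-{end} is reversed"]
    if start not in lan.network or end not in lan.network:
        return [f"pool {start}-{end} lies outside {lan.network}; "
                "the server cannot answer a DISCOVER on this interface"]
    if start <= lan.ip <= end:
        return [f"pool {start}-{end} contains the router address {lan.ip}"]
    return []


def _opt(argv, flag):
    """Value of a single-valued iptables option; None if absent or negated ('! -i')."""
    if flag not in argv:
        return None
    i = argv.index(flag)
    if i > 0 and argv[i - 1] == "!":
        return None
    return argv[i + 1]


def check_forward_rules(text, wan):
    """Flag FORWARD ACCEPT rules for packets entering on WAN that have no state match."""
    problems = []
    for line in text.splitlines():
        argv = shlex.split(line.lstrip("# "))  # tolerate the '# ' prompt of a pasted session
        if not argv or "FORWARD" not in argv or _opt(argv, "-j") != "ACCEPT":
            continue
        stateful = "--state" in argv or "--ctstate" in argv
        if _opt(argv, "-i") == wan and not stateful:
            problems.append(f"stateless WAN-inbound accept: {line.strip()}")
    return problems


def lint(interfaces=INTERFACES, dnsmasq=DNSMASQ_CONF, dhcpd=DHCPD_CONF,
         rules=POSTED_RULES, lan="eth1", wan="ppp0"):
    """All findings, each prefixed with the file it came from."""
    iface = lan_interface(parse_interfaces(interfaces), lan)
    findings = [f"dnsmasq.conf: {p}" for p in check_pool(iface, *dnsmasq_pool(dnsmasq))]
    findings += [f"dhcpd.conf: {p}" for p in check_pool(iface, *dhcpd_pool(dhcpd))]
    findings += [f"iptables: {p}" for p in check_forward_rules(rules, wan)]
    return findings


if __name__ == "__main__":
    for finding in lint():
        print(finding)
```

Run against the posted configuration it reports two findings, the dnsmasq pool on the wrong /24 and the stateless FORWARD accept; with the pool moved to 192.168.1.x and the hardened rule set it reports none. The rule parser deliberately treats a negated interface match (`! -i ppp0`) as not matching the WAN, since that rule applies to every interface except the WAN.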