Old 01-02-2007, 02:05 PM   #1
JussiKp
Member
 
Registered: Aug 2006
Posts: 49

Rep: Reputation: 15
Debian: Home router problems


I have an old Debian box and I've been trying to use it as a router for a while with no success. My cabling:

[modem] --- [debian] --- [switch] ----- other computers {LAN}

All cables are straight-forward RJ-45. My 'other computers' include two Gentoo boxes.

My Gentoo box (client) /etc/conf.d/net:
Code:
config_eth0=( "dhcp" )

dhcp_eth0="nodns nontp nonis"

routes_eth0=( "default via 192.168.1.1" )
In the Debian box's /etc/network/interfaces:
Code:
auto lo
iface lo inet loopback

# WAN
auto eth0
iface eth0 inet ppp
provider dsl
pre-up /sbin/ifconfig eth0 up

#LAN

auto eth1
iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0
I've tried setting the server's iptables firewall settings as follows (taken from http://www.gentoo.org/doc/en/home-router-howto.xml):
Code:
First we flush our current rules
# iptables -F
# iptables -t nat -F

Setup default policies to handle unmatched traffic
# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD DROP

Copy and paste these examples ...
# export LAN=eth1
# export WAN=eth0

Then we lock our services so they only work from the LAN
# iptables -I INPUT 1 -i ${LAN} -j ACCEPT
# iptables -I INPUT 1 -i lo -j ACCEPT
# iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT
# iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT

(Optional) Allow access to our ssh server from the WAN
# iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT

Drop TCP / UDP packets to privileged ports
# iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
# iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP

Finally we add the rules for NAT
# iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP
# iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT
# iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT
# iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
Also I've done the following (router), also from http://www.gentoo.org/doc/en/home-router-howto.xml:

Code:
Tell the kernel that ip forwarding is OK
# echo 1 > /proc/sys/net/ipv4/ip_forward
# for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

This is so when we boot we don't have to run the rules by hand
# /etc/init.d/iptables save
# rc-update add iptables default
# nano /etc/sysctl.conf
Add/Uncomment the following lines:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1

If you have a dynamic internet address you probably want to enable this:
net.ipv4.ip_dynaddr = 1
After running /etc/init.d/networking restart on the router, its ifconfig says:
Code:
eth0      Link encap:Ethernet  HWaddr 00:0E:2E:8E:B1:AC
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:378 errors:0 dropped:0 overruns:0 frame:0
          TX packets:406 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:44997 (43.9 KiB)  TX bytes:35668 (34.8 KiB)
          Interrupt:5 Base address:0xb800

eth1      Link encap:Ethernet  HWaddr 00:E0:29:0F:5E:68
          inet addr:192.168.1.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:184 (184.0 b)  TX bytes:0 (0.0 b)
          Interrupt:5 Base address:0x8000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:560 (560.0 b)  TX bytes:560 (560.0 b)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:some-ip  P-t-P:10.10.9.7  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:52 errors:0 dropped:0 overruns:0 frame:0
          TX packets:74 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:7962 (7.7 KiB)  TX bytes:5392 (5.2 KiB)
I've tried both dnsmasq and dhcp on the router.

/etc/dnsmasq.conf:
Code:
dhcp-range=192.168.0.100,192.168.0.250,72h
interface=eth1

domain-needed
bogus-priv
and /etc/dhcpd.conf:
Code:
subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.10 192.168.1.99;
        option domain-name-servers 192.168.1.1;
        #option netbios-name-servers 192.168.1.110;
        option routers 192.168.1.1;

}
In /var/log/messages I cannot see anything DHCP-related like "DHCPREQUEST" or the like.
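
A consistency check over the addresses quoted in this post, as an added example that is not part of the original post or of the Gentoo howto: it compares the eth1 address and netmask with the broadcast address that ifconfig reports and with the ranges in dnsmasq.conf and dhcpd.conf. The function names are hypothetical, and the config strings are copied from the post into the script so it runs offline.

```python
import ipaddress
import re

# Router-side values copied from the post above into inline strings.
INTERFACES = """\
auto eth1
iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0
"""
IFCONFIG_ETH1 = "inet addr:192.168.1.1  Bcast:192.168.0.255  Mask:255.255.255.0"
DNSMASQ = "dhcp-range=192.168.0.100,192.168.0.250,72h\ninterface=eth1\n"
DHCPD = """\
subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.10 192.168.1.99;
        option routers 192.168.1.1;
}
"""

def lan_network(interfaces_text):
    """Build the LAN interface (address plus network) from an interfaces stanza."""
    addr = re.search(r"^\s*address\s+(\S+)", interfaces_text, re.M).group(1)
    mask = re.search(r"^\s*netmask\s+(\S+)", interfaces_text, re.M).group(1)
    return ipaddress.ip_interface(f"{addr}/{mask}")

def check(iface, ifconfig_line, dnsmasq_text, dhcpd_text):
    """Return a list of mismatches between the LAN subnet and what is served on it."""
    net, findings = iface.network, []
    bcast = re.search(r"Bcast:(\S+)", ifconfig_line).group(1)
    if ipaddress.ip_address(bcast) != net.broadcast_address:
        findings.append(f"broadcast {bcast} != {net.broadcast_address}")
    # Both ends of each DHCP pool must fall inside the subnet configured on eth1.
    pools = {
        "dnsmasq": re.search(r"^dhcp-range=([\d.]+),([\d.]+)", dnsmasq_text, re.M),
        "dhcpd": re.search(r"range\s+([\d.]+)\s+([\d.]+);", dhcpd_text),
    }
    for name, match in pools.items():
        for ip in match.groups():
            if ipaddress.ip_address(ip) not in net:
                findings.append(f"{name} range address {ip} outside {net}")
    # The gateway handed to clients should be the router's own LAN address.
    router = re.search(r"option routers\s+([\d.]+);", dhcpd_text).group(1)
    if ipaddress.ip_address(router) != iface.ip:
        findings.append(f"dhcpd routers {router} is not the LAN address {iface.ip}")
    return findings

if __name__ == "__main__":
    for finding in check(lan_network(INTERFACES), IFCONFIG_ETH1, DNSMASQ, DHCPD):
        print("MISMATCH:", finding)
```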
 
Old 01-02-2007, 02:20 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
you're not really clear on which part of this is not working.. you've an awful lot of conceptually separate things going on there. let me recommend taking a step back and getting a few basics working...

1) statically assign a LAN IP address to the client PC.
2) ping the router.
3) ping google by ip address.
4) ping google by name.

if you get to step 4 ok then you have a working router, if you don't get that far, then you need to explore the relevant features depending on how far you DO get. if you can't do step 2, are all cables plugged in? is it a firewall on the router? do your arp records show the router is visible at mac level? If you're going to confuse the solution with DHCP and local DNS too, then treat them as separate entities until such time as you are confident in the rest of the solution.
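
The ping ladder from this reply as a script, added here as an example and not part of the original post: it runs steps 2 to 4 in order and stops at the first failure, naming what to look at. The step 2 hint is the reply's own; the hints for steps 3 and 4, the function names, and the `PUBLIC_IP` / `PUBLIC_NAME` placeholders are assumptions of this example, and step 1 (the static address) is assumed to be done by hand.

```python
import subprocess

ROUTER = "192.168.1.1"        # router LAN address from the first post
PUBLIC_IP = "203.0.113.1"     # placeholder (documentation range); substitute a host that answers ping
PUBLIC_NAME = "example.com"   # placeholder name; substitute one you expect to resolve

# (description, target, what to examine if this step fails)
STEPS = [
    ("ping the router", ROUTER,
     "cables and link, a firewall on the router, ARP visibility of the router"),
    ("ping a public host by IP", PUBLIC_IP,
     "client default route, ip_forward and the FORWARD/NAT rules on the router"),
    ("ping a public host by name", PUBLIC_NAME,
     "DNS: resolver settings on the client and any DNS service on the router"),
]

def ping(target):
    """Send one ICMP echo with a 2 second timeout (Linux iputils ping options)."""
    result = subprocess.run(["ping", "-c", "1", "-W", "2", target],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0

def first_failure(probe=ping, steps=STEPS):
    """Run the steps in order and stop at the first one that fails.

    Returns (step_number, description, hint), numbered as in the reply
    (the pings are steps 2 to 4), or None when every step succeeds.
    """
    for number, (description, target, hint) in enumerate(steps, start=2):
        if not probe(target):
            return number, description, hint
    return None

if __name__ == "__main__":
    failed = first_failure()
    if failed is None:
        print("steps 2-4 passed: routing, NAT and DNS all work from this client")
    else:
        print("step %d failed (%s); check: %s" % failed)
```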
 
Old 01-03-2007, 06:11 PM   #3
JussiKp
Member
 
Registered: Aug 2006
Posts: 49

Original Poster
Rep: Reputation: 15
Now I think I understand the whole thing better and started from the beginning.

I have an Ethernet switch and I connect two computers to it with straight through cables. I assign IP 192.168.0.100 to one machine doing this:

Code:
# /etc/conf.d/net
config_eth0=( "null" )
config_eth0=( "192.168.0.100 netmask 255.255.255.0" )
and an IP of 192.168.0.101 to the other machine doing this:

Code:
# /etc/network/interfaces
# *snip* lo and eth0 (WAN) stuff

auto eth1
iface eth1 inet static
  address 192.168.0.101
  netmask 255.255.255.0
Then I try to ping 192.168.0.101 from another machine — "Destination host unreachable". Same for another IP too.

The ifconfig outputs seem to be OK.

What am I doing wrong? Let's forget the router / DHCP / NAT / Firewalling etc inappropriate stuff for now.

Last edited by JussiKp; 01-03-2007 at 07:19 PM.
 
Old 01-04-2007, 01:57 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
well, logically that seems fine. I'm no longer familiar with gentoo's net configuration syntax, so the actual ifconfig outputs would be more useful, along with the outputs of "route -n". you're also checking real basics like the cables themselves. are there lights on the NICs? try using ethtool to examine the layer 1 and 2 connectivity of the NICs too. can you remove the switch and use a crossover cable temporarily too?
 
  

