LinuxQuestions.org


tnine9 09-24-2003 12:51 AM

Using RedHat 8.x with PPPoE as a router/firewall
 
OK, I have a server/workstation with 2 Ethernet cards in it, both work fine and are recognized by redhat (linksys). The hardware is Dual Xeons, 750 Mb ram, 100 Gb disk space.

Here is a diagram of my physical wiring

---->SBC DSL(pppoe) --- > eth1 -----> eth0-------->switch ---> windows clients

NOTE: eth0 has no configuration and is part of ppp0.

I have downloaded and installed the latest stable rpm of rp-pppoe 3.5.2. This works like a champ, I can connect to the net, and I have no problems browsing the web, pinging etc. from the server. However, if I configure eth0 with the following settings:

IP 192.168.0.1
SubNet 255.255.255.0

as soon as I bring eth0 up ("ifup eth0") I lose all connectivity until I completely remove eth0 from my system and do a "network restart". I would like to use my server as a firewall and a router for all of my internal home machines. I'm not very savvy with NAT /ipchains/iptables so some help would be great.

Thanks,
Todd

P.S. I have tried using firestarter as a tool for newbies, the concept is great however I still can't route my traffic from eth0 to ppp0.

born4linux 09-24-2003 02:21 AM

this one is a good start:

http://www.yolinux.com/TUTORIALS/Lin...rkGateway.html

tnine9 09-29-2003 07:23 PM

No Dice
 
Sorry about the delayed response, I had 2 CS tests last week and I just haven't had the time to set things up.

OK, I would like to make a revision to the first diagram; it should be:

---->SBC DSL(pppoe) --- > eth0 -----> eth1-------->switch ---> windows clients


Now, I went to
http://www.yolinux.com/TUTORIALS/Lin...rkGateway.html where I followed the tutorial for iptables. I set up iptables with the following script

iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

# Set up IP FORWARDing and Masquerading
iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward


Now I can get online from the RH8 system via PPPoE, and with eth1 up. However, I still cannot connect to the public net with my Windows client computers. I turned on debugging for iptables and this is what was written.

thornine kernel: INPUT_DROP: IN=eth1 OUT= MAC=00:04:5a:7b:a4:fe:00:04:76:37:14:be:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=9247 DF PROTO=TCP SPT=4538 DPT=20 WINDOW=64240 RES=0x00 ACK URGP=0

Sep 29 18:26:26 thornine kernel: OUTPUT_DROP: IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.2 LEN=1039 TOS=0x08 PREC=0x00 TTL=64 ID=10829 DF PROTO=TCP SPT=20 DPT=4538 WINDOW=5840 RES=0x00 ACK PSH URGP=0

Sep 29 18:26:26 thornine kernel: INPUT_DROP: IN=eth1 OUT= MAC=00:04:5a:7b:a4:fe:00:04:76:37:14:be:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=9248 DF PROTO=TCP SPT=4538 DPT=20 WINDOW=64240 RES=0x00 ACK URGP=0


It seems to me that the packets are simply being dropped, I have no idea how to fix this. Can anyone give me a hand?

bentz 09-29-2003 08:06 PM

These logs are showing an FTP session from (I can only guess) your Windows machine to the Linux machine.

If what you are concerned with is Internet access, try to simply browse the web from the Windows machine and see if that works.

Make sure that the TCP/IP configuration points to the IP of the Linux machine as the Default Gateway.

yocompia 09-29-2003 08:07 PM

you might want to post your "#ifconfig -a" output. it seems like everything is set up correctly, but i had a problem like this when i set up my wireless stuff. it ended up being really retarded (didn't have a default gateway set correctly) and i think it's probably the same for you.

my current suspect is the broadcast on the card that interfaces with the windows computers (eth1).

just to give you some forwarding rules that work to compare with:

$IPTABLES -A FORWARD -i ppp0 -o wlan0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i wlan0 -o ppp0 -m state ! --state INVALID -m mac --mac-source 00:09:5b:6c:53:8b -j ACCEPT

in your case, you might not need the MAC matching and the replacements (ppp0-->eth0) and (wlan0-->eth1) should give you rules you can use for your setup.

also note that --append = -A and --in-interface = -i is a bit more succinct.

HTH,
y-p

tnine9 09-30-2003 11:02 PM

Still No Dice
 
Here is what I have accomplished thus far.

I tried the new iptables commands with this script.

iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -A FORWARD -i ppp0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i wlan0 -o ppp0 -m state ! --state INVALID -j ACCEPT


I still couldn't get any info through. Here is what was logged.

Sep 30 22:02:36 thornine kernel: INPUT_DROP: IN=eth1 OUT= MAC=00:04:5a:7b:a4:fe:00:04:76:37:14:be:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=15854 PROTO=UDP SPT=3831 DPT=53 LEN=40

Sep 30 22:02:37 thornine kernel: INPUT_DROP: IN=eth1 OUT= MAC=00:04:5a:7b:a4:fe:00:04:76:37:14:be:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=15855 PROTO=UDP SPT=3831 DPT=53 LEN=40

Sep 30 22:02:37 thornine kernel: OUTPUT_DROP: IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.2 LEN=88 TOS=0x00 PREC=0xC0 TTL=64 ID=54854 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.0.2 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=15855 PROTO=UDP SPT=3831 DPT=53 LEN=40 ]

Sep 30 22:02:37 thornine kernel: INPUT_DROP: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:76:37:14:be:08:00 SRC=192.168.0.2 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=15856 PROTO=UDP SPT=137 DPT=137 LEN=58

Sep 30 22:02:37 thornine kernel: INPUT_DROP: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:76:37:14:be:08:00 SRC=192.168.0.2 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=15857 PROTO=UDP SPT=137 DPT=137 LEN=58

Sep 30 22:02:38 thornine kernel: INPUT_DROP: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:76:37:14:be:08:00 SRC=192.168.0.2 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=15858 PROTO=UDP SPT=137 DPT=137 LEN=58


This is what I get from "ifconfig -a"

eth0 Link encap:Ethernet HWaddr 00:04:5A:82:E1:6E
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3206 errors:0 dropped:0 overruns:0 frame:0
TX packets:3471 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:935813 (913.8 Kb) TX bytes:327493 (319.8 Kb)
Interrupt:18 Base address:0xe000

eth1 Link encap:Ethernet HWaddr 00:04:5A:7B:A4:FE
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:852 errors:0 dropped:0 overruns:0 frame:0
TX packets:780 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:66110 (64.5 Kb) TX bytes:663879 (648.3 Kb)
Interrupt:19 Base address:0x400

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:10 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:700 (700.0 b) TX bytes:700 (700.0 b)

ppp0 Link encap:Point-to-Point Protocol
inet addr:65.42.230.185 P-t-P:65.42.231.254 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:4 errors:0 dropped:0 overruns:0 frame:0
TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:102 (102.0 b) TX bytes:94 (94.0 b)


My windows client computer is configured as follows

IP : 192.168.0.2
Subnet 255.255.255.0
GateWay 192.168.0.1

Primary DNS 192.168.0.1

Thanks,
Todd
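As an added example that is not part of the thread, a small shell helper that pulls the fields out of netfilter LOG lines like the ones posted above and says, from the log prefix, which chain dropped the packet and therefore which kind of rule is missing. The two sample lines are copied from the post; FORWARD_DROP is an assumed prefix, since the thread only shows INPUT_DROP and OUTPUT_DROP.

```shell
#!/bin/sh
# Added example: parse netfilter LOG lines like the ones posted above.
# Sample lines were copied from the post; FORWARD_DROP is an assumed prefix.

# field LINE KEY  -> value of the first KEY=value token in LINE ("" if absent)
field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# One-line summary: PREFIX in=IF out=IF PROTO SRC->DST ports-or-icmp-type
summarize_drop() {
    line=$1
    prefix=$(printf '%s\n' "$line" | sed -n 's/.*kernel: \([A-Z_]*\): .*/\1/p')
    proto=$(field "$line" PROTO)
    case $proto in
        ICMP) detail="type=$(field "$line" TYPE) code=$(field "$line" CODE)" ;;
        *)    detail="$(field "$line" SPT)->$(field "$line" DPT)" ;;
    esac
    printf '%s in=%s out=%s %s %s->%s %s\n' "$prefix" "$(field "$line" IN)" \
        "$(field "$line" OUT)" "$proto" "$(field "$line" SRC)" \
        "$(field "$line" DST)" "$detail"
}

# The log prefix names the chain, and the chain says which rule is missing:
# a packet addressed to the router itself never reaches FORWARD, so NAT and
# FORWARD rules cannot fix an INPUT_DROP.
explain_drop() {
    line=$1
    case $(summarize_drop "$line") in
        INPUT_DROP*)   echo "to the router itself via $(field "$line" IN): needs an INPUT rule" ;;
        OUTPUT_DROP*)  echo "from the router itself via $(field "$line" OUT): needs an OUTPUT rule" ;;
        FORWARD_DROP*) echo "transit $(field "$line" IN)->$(field "$line" OUT): needs a FORWARD rule" ;;
        *)             echo "unrecognised log prefix" ;;
    esac
}

# Sample lines copied from the post: the client's DNS query to the router,
# and the router's ICMP port-unreachable reply, both dropped.
SAMPLE_DNS='Sep 30 22:02:36 thornine kernel: INPUT_DROP: IN=eth1 OUT= MAC=00:04:5a:7b:a4:fe:00:04:76:37:14:be:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=15854 PROTO=UDP SPT=3831 DPT=53 LEN=40'
SAMPLE_ICMP='Sep 30 22:02:37 thornine kernel: OUTPUT_DROP: IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.2 LEN=88 TOS=0x00 PREC=0xC0 TTL=64 ID=54854 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.0.2 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=15855 PROTO=UDP SPT=3831 DPT=53 LEN=40 ]'

for l in "$SAMPLE_DNS" "$SAMPLE_ICMP"; do
    summarize_drop "$l"
    explain_drop "$l"
done
```

Feeding it `grep _DROP /var/log/messages` shows at a glance that the DNS and NetBIOS traffic above was addressed to the router itself, not forwarded through it.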

yocompia 10-01-2003 01:19 PM

here are a few things you can change:

NOTE: external quotes denote commands and phrases in files, so remove them before inserting into files

0) you may want to write "/sbin/iptables" in place of "iptables", as i'm not certain invoking an executable without a path works in an iptables script; check that the rules are there by looking at the output of "iptables -L" from the command line

1) make sure you have a line in your firewall like "echo "1" > /proc/sys/net/ipv4/ip_forward" to setup IP forwarding

2) set the DNS for the remote computers to that of your ISP

3) change the rule you transcribed (incorrectly) from

iptables -A FORWARD -i wlan0 -o ppp0 -m state ! --state INVALID -j ACCEPT

to

iptables -A FORWARD -i eth1 -o ppp0 -m state ! --state INVALID -j ACCEPT

4) i'd also add a masquerading line for the outgoing packets:

/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

5) once things are working (or even before that), you may want to set up basic tables and policies to protect you from the internet, so add these to your script:

/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP

/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT

/sbin/iptables -A OUTPUT -o ppp0 -m state ! --state INVALID -j ACCEPT

try all these things out, and let me know how it goes.

gl

tnine9 10-01-2003 03:10 PM

Routing problems still
 
OK
here is the entire script I execute called routerSetup.sh
<File>

/sbin/iptables --flush
/sbin/iptables --table nat --flush
/sbin/iptables --delete-chain
/sbin/iptables --table nat --delete-chain
/sbin/iptables -A FORWARD -i ppp0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o ppp0 -m state ! --state INVALID -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP

/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT

/sbin/iptables -A OUTPUT -o ppp0 -m state ! --state INVALID -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

</File>

Here is what I receive from "iptables -L"
<Output>

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED

</Output>


As far as assigning the DNS to my windows clients, I can't do it. The ppp0(DSL modem to eth0) uses PPPoE, so my DNS server IP is assigned to me dynamically.

I also can no longer ping my windows client 192.168.0.2, nor can I ping my router from my windows box. However, I can ping the Internet from my router. Here is that output

<Ping internet>
PING www.google.akadns.net (216.239.39.99) from 65.42.228.59 : 56(84) bytes of data.
64 bytes from 216.239.39.99: icmp_seq=1 ttl=49 time=44.3 ms
64 bytes from 216.239.39.99: icmp_seq=2 ttl=49 time=45.2 ms
</Ping>

<Ping client>
PING 192.168.0.2 (192.168.0.2) from 192.168.0.1 : 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
</Ping>


Thanks for all the help thus far, I really appreciate it.

Todd

hakcenter 10-01-2003 05:38 PM

/sbin/iptables -A INPUT -i lo -j ACCEPT

just after that add

/sbin/iptables -A INPUT -i eth1 -j ACCEPT

I have a good link in my Sig if you want to read it a bit.

yocompia 10-01-2003 06:27 PM

i think you should have the quotes around the 1 for the line listed below:

echo "1" > /proc/sys/net/ipv4/ip_forward

apologies if this confusion arose based on my NOTE.

what hak has written above is a good idea, because i didn't allow for incoming signals on eth1, so add that rule too. i don't do this, as i prefer that clients behind the firewall cannot ping or access the firewall.

oh, and to allow pinging of the network, add this rule (same idea as for ppp0)

/sbin/iptables -A OUTPUT -o eth1 -m state ! --state INVALID -j ACCEPT

we're getting closer, i can smell it. just a bit more work...
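The ruleset the thread ends up with, assembled here as an added example (not the poster's routerSetup.sh): tnine9's script from the previous post, plus hakcenter's INPUT rule for eth1 and yocompia's OUTPUT rule for eth1. Interface names follow the thread (eth0 carries the PPPoE session ppp0, eth1 faces the switch); the WAN, LAN and IPT variables and the dry-run listing are assumptions added so the rules can be reviewed without loading them.

```shell
#!/bin/sh
# Added example, not the poster's routerSetup.sh: the ruleset the thread ends
# with (tnine9's script + hakcenter's INPUT rule on eth1 + yocompia's OUTPUT
# rule on eth1). WAN/LAN/IPT are assumed variable names so the same script
# can be listed without running iptables.
WAN="${WAN:-ppp0}"            # PPPoE session toward the ISP (rides on eth0)
LAN="${LAN:-eth1}"            # toward the switch and the Windows clients
IPT="${IPT:-/sbin/iptables}"

# One iptables argument list per line; printing this executes nothing.
router_rules() {
    cat <<EOF
--flush
--table nat --flush
--delete-chain
--table nat --delete-chain
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN -j ACCEPT
-A INPUT -i $WAN -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o $LAN -m state ! --state INVALID -j ACCEPT
-A OUTPUT -o $WAN -m state ! --state INVALID -j ACCEPT
-A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -m state ! --state INVALID -j ACCEPT
-t nat -A POSTROUTING -o $WAN -j MASQUERADE
EOF
}

# Dry run: the exact commands that would be executed, one per line.
show_router_rules() {
    router_rules | sed "s|^|$IPT |"
}

# Load the rules (needs root), turn on forwarding, then list the result.
apply_router_rules() {
    router_rules | while IFS= read -r rule; do
        # splitting $rule into separate arguments is intended here
        "$IPT" $rule || return 1
    done || return 1
    echo 1 > /proc/sys/net/ipv4/ip_forward
    "$IPT" -L -v -n
}

if [ "${1:-}" = "--apply" ]; then
    apply_router_rules
else
    show_router_rules
fi
```

Run it without arguments to review the commands, and with `--apply` as root to load them; the `iptables -L -v -n` listing at the end should show the ACCEPT rule on eth1 in INPUT, the two FORWARD rules and the MASQUERADE entry.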

tnine9 10-02-2003 03:58 PM

Hell Yeah!
 
Thanks for all the help, it is finally working! Now I just have to re-arrange all the cables and clean up the office.

Thanks!
Todd

yocompia 10-03-2003 02:14 AM

righteous. have fun.

chris_wn 07-31-2005 02:27 PM

THX!
 
This documentation helped me out too!!!!!

Many THANX on that!!!!

Shalom,
chris

