Let's suppose I want my Ubuntu 16.04 to be a router.
I'll have pppoe (ppp0 = WAN) over eth0 and eth1 (LAN) acting also as gateway for its LAN. I could set a static ip for eth1 and also its gateway to point to pppoe_ip (the dynamically allocated ip for ppp0) -> this would be annoying because I'll have to do it every time ppp0 gets a new ip.
Or I could use net.ipv4.ip_forward=1 and iptables e.g.:
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
q1: are these 2 solutions equivalent, or am I just confusing notions here?
q2: for the iptables solution, do I really need the FORWARD rules, or would it work without them anyway?
Last edited by adrhc; 04-16-2017 at 07:36 PM.
Reason: misleading formulation
I don't use any helper programs to configure my firewall so I do not know what ufw does or doesn't do without seeing the rules it sets up. I suggest that all firewalls be set up using STATEFUL inspection. The less the firewall has to filter through when processing packets the faster it will be.
Using a STATEFUL firewall allows you to do a lot more. For example you can distinguish between a new connection and a connection that has already been made and filter accordingly. With a STATELESS firewall you can only filter on the packet and not see the state of the connection.
Ufw is a very simple firewall based on iptables rules - kind of a friendly & limited iptables editor.
I put the link above pointing to the exact iptables excerpt I used.
Though your answer is somehow helpful it doesn't answer my initial questions so I consider the topic open.
# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
so I guess with my previous rules I'd have the full package.
Good guide, thanks.
The guide has a very confusing part for me: it talks about eth0 (LAN) and ppp0 (WAN) and no additional network interface. From my experience, when I use ppp0 then ifconfig doesn't even show an ip for eth0, so it can't be used for LAN (that's why I associated WAN with eth0, though indeed I should with ppp0). So I suppose there's an additional interface, e.g. eth1, used by ppp0 (is it?).
@lazydog
Quote:
... you will need to turn on forwarding ...
This part I understand/agree. But if I enabled the forwarding then why this rule:
Code:
-A FORWARD -i eth1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
Doesn't turning the forwarding on mean that Linux will forward from eth1 to eth0 everything eth1 can't resolve?
You need to adjust the commands for your configuration by swapping eth0 and eth1 for your LAN. In a nutshell pppoe runs over ethernet and creates a virtual interface i.e. ppp0 which is your WAN interface.
Quote:
The guide has a very confusing part for me: it talks about eth0 (LAN) and ppp0 (WAN) and no additional network interface.
Because it isn't used. Although the author does not provide any additional information about their hardware I would guess that the pppoe connection is over eth1.
It's probably too advanced, but the posted link has the default policies as drop, which means that nothing is allowed in or out unless there is a rule. By your configuration I mean that you need to allow traffic on eth1 for the LAN versus eth0 as written in the guide.
Quote:
This part I understand/agree. But if I enabled the forwarding then why this rule:
Code:
-A FORWARD -i eth1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
Doesn't turning the forwarding on mean that Linux will forward from eth1 to eth0 everything eth1 can't resolve?
Turning on Forwarding allows traffic to pass freely between interfaces. Do you really want to take the chance that nothing will get through?
As to the firewall rules:
NEW - If a session is NEW it will place the session into the connection db
RELATED - If there is a current connection and for some reason needs to jump ports this part of the rule kicks in.
ESTABLISHED - This part of the rule is for all allowed connections that are past the initial setup stage.
In the end it is your system and you can do whatever you choose. If you are going to run a STATEFUL firewall then you need rules with NEW, RELATED and ESTABLISHED in them. If you are going to run a STATELESS firewall then you don't. I would strongly advise against running a system without a firewall.
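The complete router ruleset the thread circles around (the original question's MASQUERADE/FORWARD rules plus the stateful NEW/RELATED/ESTABLISHED point in the last reply), as an added example that is not from any post or from the linked guide: a POSIX shell function that emits an iptables-restore file for a PPPoE WAN on ppp0 and a LAN on eth1, with the FORWARD policy set to DROP so that enabling ip_forward alone does not let everything cross. The interface names and the choice to expose router-local services (DNS, DHCP) to the LAN are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Generates an iptables-restore ruleset
# for a Linux router: WAN = the virtual pppoe interface, LAN = an ethernet
# interface. Interface names are assumptions. Apply with:
#   gen_router_rules ppp0 eth1 | sudo iptables-restore
# net.ipv4.ip_forward=1 is still required; it is a separate sysctl step.
gen_router_rules() {
    wan="$1"   # e.g. ppp0: NAT and the default route live here, not on eth0
    lan="$2"   # e.g. eth1: the interface holding the private subnet
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
# MASQUERADE re-reads the interface address on every packet, so a new
# PPPoE address needs no rule change (the "annoying" part of solution 1).
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
# With ip_forward=1 and no rules the kernel forwards anything between
# interfaces; a DROP policy makes the FORWARD rules below the only path.
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Stateful: replies to connections the LAN opened are let back in.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Packets conntrack cannot classify (malformed, out of window) are dropped.
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Only the LAN may open NEW connections toward the WAN; nothing arriving
# on the WAN may open one toward the LAN (no rule, so policy DROP applies).
-A FORWARD -i $lan -o $wan -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Assumption: LAN hosts may reach services running on the router itself.
-A INPUT -i $lan -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}
```

Without the FORWARD rules and with the default ACCEPT policy the router would still work, but every host on the WAN side could also push packets toward the LAN; the DROP policy plus the conntrack rules is what turns the box from a plain forwarder into a firewall.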