Need help with Gentoo router set-up

NeddySeagoon · Posted: Wed May 20, 2020 8:57 pm Post subject:

Tony0945,

You have two problems here. One is getting to grips with shorewall.
The other is setting up routing the way you need it. The are different separate unrelated problems.

Keep it simple. Remove all the network cards from the box except one.
Get that on the internet without shorewall.

That will ensure that your routing is correct.

With routing fixed, when you start shorewall, you will have two zones, I would call them fw (thats fixed anyway) and net, short for internet.
Now you can play with the shorewall setup. There's not a lot you can do with only the two zones but you can dip a toe in the water.

Next up is to add another interface so you can adjust shorewall over ssh and use it as a router for the downstream ssh controller.
At this point, you want the Gentoo Home Router Guide but where it uses IPtables, you use shorewall.
You will use IPTables but not in the raw.

Its very easy shut down remote access, once you are using ssh.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

Tony0945 · Posted: Wed May 20, 2020 9:14 pm Post subject:

Obvious why the script failed:

pietinger · Posted: Wed May 20, 2020 9:42 pm Post subject:

NeddySeagoon · Posted: Wed May 20, 2020 10:02 pm Post subject:

Tony0945,

If you think of writing hex code to program a PC, that's akin to wiriting raw rules for IPtables.
One level up, you write assembler for your PC and shorewall for IPtables.

Shorewall assumes that if you add a rule to allow traffic out, you will also want a rule to allow the responses back in.
You might not, but lets ignore that for now, you get the allow responses rule without asking.

With IPTables, its two rules to write.

Both ways do the same thing.

Like pietinger says, shorewall generates lots of chains that do nothing.
It has a setting to optimise these away when the shorewall rules are converted to IPtables rules.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

pietinger · Posted: Wed May 20, 2020 10:44 pm Post subject:

Tony0945 · Posted: Thu May 21, 2020 2:37 pm Post subject:

OK, I surrender. maybe I'm just too stupid like pietinger says. I can't understand why wheh I tell shorewall to allow all local traffic that ssh immediately stalls.

NeddySeagoon · Posted: Thu May 21, 2020 5:50 pm Post subject:

Tony0945,

You are trying to eat an elephant. That's best done one plateful at a time.

Divide your elephant up into manageable platefuls.
Be sure you digest one plateful before you start another.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

pietinger · Posted: Thu May 21, 2020 6:30 pm Post subject:

Tony0945 · Posted: Fri May 22, 2020 12:51 am Post subject:

Tony0945 · Posted: Fri May 22, 2020 1:07 am Post subject:

This is the script from 2018 that works, but I know that I should start with DROPS and add ACCEPTS instead of the other way around. But there is a lot to accept.

pietinger · Posted: Fri May 22, 2020 10:25 am Post subject:

pietinger · Posted: Fri May 22, 2020 4:00 pm Post subject:

[continue from above]

Before I go on, I want to explain WHY we use a script. This had two reasons - one is historical. So, today it is only because of one reason.

Perhaps you already know, what you do when you type in an iptables command: You configure your kernel at runtime, like you configure your kernel at runtime with the command "sysctl". But the kernel doesnt store these settings. After a reboot they are all gone. So you have to load them again when you startup your computer. All settings you want to set with sysctl is done from the init-script: "/etc/init.d/sysctl" (you know this already).

A) A long time ago we had no script for setting the filtering settings (with iptables) at startup. Therefore you had to do it by yourself. An old example of such a script you find here: https://wiki.gentoo.org/wiki/Security_Handbook/Firewalls
Please dont use it - its outdated (I would delete it, to not confuse people reading this page) ! Today we have our own script for saving and restoring the settings: "/etc/init.d/iptables". Use only this one !

B) So, today we use a script only for one reason: If you want to change or add some rules for an existant setting. Theoretical you can use "iptables -D ..." or "-I" or -R" to delete, insert or replace some lines of your rules, but nobody does this. It is too complicated. It is easier to delete all existing rules and send all (with the new rule(s)) again to the kernel. So we use only "iptables -A" (for append) in our script. And we run the script only one time and the do an initial "/etc/init.d/iptables save". (this script must be add to the runlevel "default" also). Or a second time, if you change something ...

-----

Back to our router: We configure the kernel for our simple example (and expand it later for your wishes). What we have to do ? First we delete all existing rules (1). We have no user-definied chaines, but we want to be absolut sure there is nothing left, so (2) doesnt harm. (at this point I recommend to take a look into the manpage of iptables). Then we set a default policy to every table (3). At this point you must know some important behavior of the kernel:

1. When the kernel receives a packet, it "put it in" one of 3 tables and then compares the packet with the first rule of THIS table.
2. When this compare was successful, the kernel "jumps" to a target. We have two build-in targets: DROP and ACCEPT. These targets are "end-station"-targets. The kernel doesnt proof any other rules after this. Another target is "LOG". This is NOT an end-station. The kernel just log something and proceed with the next rule.
4. When this compare was not successful, the kernel does nothing and proceed with the next rule.
3. If there is/was no "end-station-rule" for the specific packet, the kernel does what the default policy say.

Side-Note: Because of 1. it makes no difference if you define first all the rules for INPUT and then for OUTPUT or reverse. For performance reasons it is only important to think about the order of the rules WITHIN one table.

Next we think about which ways (of which protocols) would induce the most traffic ? This we set at first for performance reasons. We allow all traffic from LAN to WAN (4) and allow all packets "answering back" (5). Now we have two of our 6 lines allowed. The next is our ssh from LAN into the router (6) and back (7). Al last ( 8 ) we have to allow the internal communication of the loopback interface of the router (this you have to do always for every firewall-type, so it is usually at the beginning of every script you will find). Now we are finished.

Dont forget: (5) and (7) you define only one time. If you want allow, for example, additional "http" from LAN into the router, you need only allow this unidirectional, because "the way back" is handled from (7) again.

Tony0945 · Posted: Fri May 22, 2020 8:10 pm Post subject:

pietinger, WOW! I read it all through, I think I understand every step, but will have to re-read several times. That was an excellent exposition and you should put it in the Gentoo Wiki.
That must have taken a lot of time to write. Thank you very much.

For reference, here is where the wan0, lan0 names come from. On my workstations I use mdev with a few extensions, but on this particular machine, I use an old version of eudev. I think it's the same one that anon-a-moose uses. Here is the custom eudev rule that assigns the names by MAC address.:

pietinger · Posted: Fri May 22, 2020 9:23 pm Post subject:

Thank you very much for your big compliment !

Let me say something ...

I dont know which connection you have to the internet. In germany private people (today) always have a DSL-Line. Maybe you call it ADSL or SDSL (this is more exactly). On this line we have connected a Router which is a combined Router and a DSL-Modem in a box (and we can connect an ip-telephone directly to this box also). Some of these routers have 4 or 8 ethernet ports and you can use it as a switch also. You can lease this Router from the telecommunication company or buy one by yourself. All routers have a built-in ip adress from one of the 256 private class-C networks 192.168.0.0. So, the most common adress is 192.168.0.1 or 192.168.1.1 (https://en.wikipedia.org/wiki/IPv4#Addressing

This router is doing the whole NAT for any computer in my private network, so I dont need to do "NATing" (or masquerade) by any of my computers.

And almost any of these routers have a built-in firewall also (with stateful inspection). I dont trust my box from "TeleKom Germany", but I see the firewall in this box is working. I see it, because I log (on my linux workstation) every incoming dropped packet. And for weeks I had none. (I can produce some, if I close my browser in the middle of a transfer. My DSL-Modem accepts the next incoming packet from the webserver because it belongs to an existent session (this is a correct behavier). But my linux kernel knows, the session was just closed and therefore this incoming packet DOESNT belong to an existent session and must be dropped.)

Why I tell you this ?

Because, I dont know the situation in the USA for private people. And I didnt understand in your first post, whether you want to eliminate your "box" (?) - you already have - and exchange it with your computer, or just install this computer BETWEEN your "box" and your LAN (for more security ?). I didnt unserstand for what you need 3 interfaces in this computer. So, if you can explain what you have and what you want (to do) AND what is your actual problem, I will help you for sure. But for now, I even dont know if your network (networks ?) work and which adresses your networks and hosts have. An (actual) "ifconfig" would help much.

So, I go in "waiting state" for now ;-)

Tony0945 · Posted: Sat May 23, 2020 1:10 am Post subject:

Yes. My daughter and my sister have an ADSL connection from AT&T as you describe. My sister's is a standalone and, as you say, is a DSL modem, NAT gateway and wireless AP all in one. Her service is billed as "up to 50Mbps". The installing tech measured it as 3Mbps. He said "we promised up to 50Mbps, so as long as you are getting less than that we are keeping our promise. My daughter is at the end of the line and gets a little over 1 Mbps.
They live a thousand miles South of me in a rural county. I live in a suburb of Chicago and have three providers available. I have cable internet where there is a cable modem that transmits and receives packets of a set of bonded television frequencies on a coaxial cable. this one I have a very old combination router, four port switch, and wireless AP,this one, now EOL My service is 30MBps up and 5 down. I've heard that in Europe service is symmetrical but in the USA it's much more common for the down-link speed to be much higher than the up-link speed.

My intent is to use an old Gentoo computer as a router and put the router into AP mode. The router has not had firmware updates or security fixes for many years. I update my Gentoo boxes weekly, although lately it seems to take all weekend to resolve blockers.

"Why?" is a more philosophical question. certainly I could buy one of these. After all, the US government just sent me $2400 that I don't need instead of sending it to someone that needs it. But I'm veering into politics. About face!
Why? Why did I buy an old Chevy station wagon with 100,000 miles on it and a flat cam. I then had the block rebuilt (I have the training but not the equipment) add a set of big valve aftermarket heads, an aftermarket aluminum manifold , four barrel carburetor and high lift cam? Just to watch a guy driving a late model Mustang try to cut me off and see the driver's jaw drop when I put the hammer down and flashed by him like he was standing still?
Yeah, that was rather adolescent of me and it was nearly thirty years ago. Maybe now I like to hot rod computers instead of cars. I suspect that is so.

A more practical reason is to get better logging. The commercial router has pretty much all or nothing. On the low setting I see the router rebooting, the modem attaching and detaching and that's about it. The other setting quickly loads up with reports of attackers knocking on the door, day and night, all ports. Some may be legitimate gamers looking for a game, others are probably up to no good. I would like to log traffic but just drop these unrelated unconnected packets drop silently without losing track of MY traffic. And to feel in control instead of having a black box.

EDIT:
The three interfaces. An accident of history. One (slower) is built on the motherboard. The other two are add-in cards. Why two? One Realtek, one Intel? I was going to use one for WAN and one for LAN, then realized that even the slow built-in at 100MBps is still three times faster than the internet connection. In another post two years ago, NeddySeagoon pointed out that the PCI (not PCI-e) bus was the real bottleneck. I really keep the old machine up for sentiment. My middle grandson and I built it out of discarded scraps and a $20 e-bay motherboard when I was unemployed 17 years ago. The k6-3 was pretty hot then. The guy selling it was buying a k-7. Half a Gig of memory, 32-bits and an ancient IDE hard drive (7200 RPM) aren't much now. I don't run a GUI. This is now an experimental setup. if i get it working, I'll put it on a 64-bit box with at least 4G memory. Maybe I'll even buy a motherboard and CPU. I saw a Ryzen 3 APU for $80 with 4.0Ghz burst speed. Used motherboards are pretty cheap. i have a bulldozer AM4 chip if a BIOS update is needed. When she's angry my wife will say things like "We would have lots of room in the basement if we got rid of all that car and computer #$%^&!" Two guesses who that stuff belongs to.

ifconfig, (I only am initializing one right now), see the udev rules posted above for more identification.

Tony0945 · Posted: Sat May 23, 2020 3:47 am Post subject:

Ok, removed the r8169 card (lan2). There are now only two ethernet devices
1. Built-in 100Mbps "Fast Ethernet" using Realtek 8139too driver.
2. PCI card 1000Mbps "Gigabit Ethernet" using Intel e1000 driver.

yellow cat 6 cable plugged into the PCI card, nothing into the onboard

lspci and ifconfig:

NeddySeagoon · 192.168.0.0/24 192.168.1.0/24

Tony0945,

With both interfaces in the same subnet you are going to have routing problems.
Don't do that.

Tony0945 · Posted: Sat May 23, 2020 4:49 pm Post subject:

Here is the configuration when used as a router.

pietinger · Posted: Sat May 23, 2020 5:32 pm Post subject:

NeddySeagoon · routes_wan0="default gw 64.53.168.1"

Tony0945,

To avoid confusion and to save you the exercise connect wan0 to your existing router and leave the#configure WAN

Tony0945 · Posted: Tue May 26, 2020 2:46 am Post subject:

NeddySeagoon, that's a natural progression. At first I balked at changing the network addresses. It seemed to error-prone to change them back. Then I realized that my firewall script that sets up the tables is just that - a shell script. There is no need to hard code addresses everywhere. Simple shell variables at the top can make the changes at one spot. And the program, shellcheck, can check to scrpting errors and some typo's.
As usual, you are right and I've been hacking instead of designing - a cardinal sin that I blast others for. mea culpa.

EDIT:
I also made the mistake of reading the iptables manpage, which disoriented me even more.

Tony0945 · Posted: Fri May 29, 2020 11:34 pm Post subject:

OK. Sorry for the delay.

On the k6:
/etc/dnsmasq.conf {stripped of comments}

Tony0945 · Posted: Sat May 30, 2020 1:13 am Post subject:

UPDATE: Ran the test. The laptop was dead! And I couldn't find the charger or carrying bag. It would have been perfect.
So, Plan B. Unplugged a very long (50 ft?) cat 5e cable going to a nearby wireless AP. Plugged it into than lan0 card, with the yellow cat 6 still plugged into wan0 (upper, on board socket). Unplugged the other end of the blue cable from the 10 port switch and into a nearby ancient (Athlon64) Win 7 computer after shutting said computer down. Rebooted the k6. Turned the Windows computer back on. "ipconfig" on Win7 showed address 10.0.0.104 received from gateway 10.0.0.1 Could ping the gateway (k6) and vice versa. The wan port received address 192.168.0.199 from gateway 192.168.0.1 (the Dlink router on the other end of the wan0 yellow cable. I could ssh into computers 192.168.0.104 and 192.168.0.100. From computer 192.168.0.102 I could ssh into the k6 at 192.168.0.199, I used 102 because it's there in the basement and the other two are on the first and second floors.
From the k6 I could ping 8.8.8.8 but I could not ping any address not on the lan from the Win7 computer connected to lan0.