Need help with Gentoo router set-up

Tony0945 · Posted: Tue Jun 02, 2020 3:28 pm Post subject:

FANTASTIC! I ran the following command on the k6 "iptables -t nat -A POSTROUTING -p tcp -o wan0 -j SNAT --to 198.168.0.199"
I even think I understand it. I then went down into the basement and told the laptop's Pale Moon browser to check for updates. It checked, found one (I knew it would), downloaded it.
I was then at Pale Moon's web site at the page describing the changes. I typed forums.gentoo.org into the address bar and got the forum login page. Unfortunately I don't remember my password, a random hex number, so I had to come back upstairs to post this. But I'm positive I could have logged in. My browser remembers the password, I'll jot it down and put it in the laptop browser and save it.

At this point we are double NATed and the default POLICY is ACCEPT, but I'm relying on the DLINk's firewall to stop unwanted incoming traffic.

Is the --to clause required? I made it a shell variable so it can be changed at one place "iptables -t nat -A POSTROUTING -p tcp -o wan0 -j SNAT --to ${WAN0_ADDRESS}"

Hmmm! Can I ping 8.8.8.8? I doubt it because of the "-p tcp" I need another line with "-p icmp" don't I? Or I could maybe use "-p any"?

NeddySeagoon · Posted: Tue Jun 02, 2020 3:33 pm Post subject:

Tony0945

Raw IPTables ... shudder.
I'll leave that to others.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

Tony0945 · Posted: Tue Jun 02, 2020 3:52 pm Post subject:

pietinger · Posted: Tue Jun 02, 2020 4:21 pm Post subject:

pietinger · Posted: Tue Jun 02, 2020 4:24 pm Post subject:

NeddySeagoon · Posted: Tue Jun 02, 2020 4:29 pm Post subject:

Tony0945,

That's your call. Everyone else but me in this topic appears to support writing IPtables rules.

Does this reddit post matter?
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

pietinger · Posted: Tue Jun 02, 2020 4:37 pm Post subject:

pietinger · Posted: Tue Jun 02, 2020 5:04 pm Post subject:

pietinger · Posted: Tue Jun 02, 2020 6:14 pm Post subject:

User-defined Chains

For which constellations you should use one or more user-defined chains ?

If you are a programmer, you know what is a subroutine or function. And you also know when it is worthwhile to use a subroutine. A chain is something similar to a subroutine. You use it if you want define the same rules for more than one "way" in your firewall. If you have a personal firewall (one interface), I can hardly find a reason to use a user-defined chain. At least you need two interfaces in your host. And even then it matters what you want allow or disallow for every way a data-packet could go. If you want your host acting as a passive firewall, you maybe didnt find enough rules which will be used doubled. Because you need 4 Rules (doubled 8 ) to skimp 1 line. I explain:

You need one line for creating your user-defined chain with "iptables -N MYCHAIN",
PLUS 2 lines for jumping in it,
PLUS 4 lines you want to define.
= 7 lines

If you have 2 interfaces, but allow all outgoing traffic and filtering only incoming traffic (e.g. from the internet), it is also hard to find doubled rules. And even if you filters your outgoing traffic from your LAN-side to the internet, but dont allow your router outgoing traffic, its hard to find doubled rules. So in my example we allow our workstations in our LAN AND our router some outgoing traffic: DNS, NTP, Ping, traceroute and ssh. Without a user-defined chain you would need 10 lines. With a user-defined chain we need 8 lines:

nick_gentoo · Tux's lil' helper Joined: 07 Jan 2019 Posts: 140

NeddySeagoon · Posted: Wed Jun 03, 2020 4:25 pm Post subject:

nick_gentoo,

Shorewall is OSS, its quite possible that other developers will take it on.
That's old news and I'm not up to date with the current status of the project.

I've been a shorewall user for almost 10 years, so I'll be reluctant to learn something new.
Someone new to Shorewall may want to look into its future before investing time in learning it.
That notice was on the Shorewall site at one time but its gone now.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

Tony0945 · Posted: Wed Jun 03, 2020 6:46 pm Post subject:

Meh! I run a lot of old software. The quesion is can I understand it enough to do EAPI updates when they occur?
At worst, I can do a genric build with an old portage and repackage it as a binary package, IF if doesn't depend on old libraries not consistent with new libraries.

I do like the logging with shorewall. None of the suggested methods on the internet are working correctly. They were aimed at Fedora/Ubuntu/Debian. Right now the k6 is not logging to any of /var/log/messages/ or /var/log/kern.log.
It's logging to dmesg. Shorewall logged to it's own log.

nick_gentoo · Tux's lil' helper Joined: 07 Jan 2019 Posts: 140

I guess it's not so easy to look into shorewall's future today

I had also started with an iptables-only script, like pietinger is describing, but for a single machine. I read about some iptables stuff, and yes, it made sense and it was pretty simple. But this was a script that only needed updates very rarely, maybe once every few years. And after a few years of not looking at it, it did not make so much sense anymore, and I had to go back at re-reading the iptables stuff.
And now I feel that, for a simple setup at least, the shorewall config files fit better to the little iptables stuff that is still stuck into my memory. But I can see that, if I would work with it on a daily basis, I could prefer the direct scripting approach.

NeddySeagoon · Posted: Wed Jun 03, 2020 9:13 pm Post subject:

Tony0945,

Shorewall runs once at startup to set up IPTables then exits. It doesn't do logging itself because its not running.
If you like its logging, its the way it sets up the IPTables LOG target.

You can do the same thing by hand is look at what shorewall does and copy it.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

Tony0945 · Posted: Fri Jun 05, 2020 6:01 pm Post subject:

Made another stab at shorewall.

Right off the bat, I find a discrepancy between the wiki and the shorewall documentation regarding the interfaces in the zones file.
The wiki puts the device name in the second column like this:

Tony0945 · Posted: Fri Jun 05, 2020 6:21 pm Post subject:

Started shorewall "service shorewall start". Didn't get kicked out of ssh. That's good.
Went down to the laptop. Couldn't ping anything. That's bad. Examined the laptop. It's an HP 1444.
It actually has a built-in CD drive unlike my sister's netbook. I scared up the first sysrescuecd I could find v 3.0.0.1
I know I have much later versions but that's what's was in the basement. It booted handily and net-setup eth0 (No persistent garbage in the old version). Ifconfig shows ip address 10.0.0.110 All good. But didn't get any farther with ping. Much encouraged that we can proceed with Gentoo Linux on all cable connections now.

Seeing this in dmesg on the k6 (lots and lots of lines)

pietinger · Posted: Fri Jun 05, 2020 6:36 pm Post subject:

NeddySeagoon · Posted: Fri Jun 05, 2020 6:45 pm Post subject:

Tony0945,

It looks like you have 3 zones net, loc and fw.

The REJECTed packets are DNS requests (DPT=53).
Why are they in the loc-fw chain?

Tony0945 · Posted: Fri Jun 05, 2020 6:53 pm Post subject:

Tony0945 · Posted: Fri Jun 05, 2020 7:01 pm Post subject:

pietinger · Posted: Fri Jun 05, 2020 7:24 pm Post subject:

pietinger · Posted: Fri Jun 05, 2020 8:17 pm Post subject:

I have zeroed iptables before 2 days. Look to my output-chain and the numbers of packets:

- 1.117.000 in my 2nd rule: "ctstate RELATED,ESTABLISHED" (the first is allowing loopback")

- 9.000 packets alltogether the rest

Tony0945 · Posted: Fri Jun 12, 2020 10:35 pm Post subject:

Putting this on hold as the latest python nonsense is taking all my time.