BlinkEye
Joined: 21 Oct 2003 Posts: 1046 Location: Gentoo Forums
Posted: Mon Mar 08, 2004 8:06 pm Post subject: how to set up a dhcp server behind an adsl modem [solved]
I tried for two days now to get this working, but it doesn't. I can't find any useful HOWTO for beginners, although I'm sure a lot of guys have done this already.
Either way, here is my description:
I want to set up a DHCP server which will be a router for every client in my private network. The server/router is connected to the ADSL via NAT and receives IPs from 192.168.20.2-192.168.20.5 (if I don't reset the modem the server/router keeps/gets the same IP). I set my server/router up to distribute IPs; here is my dhcpd.conf:
Code: | option domain-name "homeLAN.nowhere";
option domain-name-servers 10.10.10.1;
option routers 192.168.20.1;
default-lease-time 86400;
max-lease-time 604800;
ddns-update-style interim;
authoritative;
subnet 10.10.10.0 netmask 255.255.255.0 {
range 10.10.10.10 10.10.10.30;
option subnet-mask 255.255.255.0;
option broadcast-address 10.10.10.255;
} |
My clients get IPs from 10.10.10.10 to 10.10.10.30, and I'm able to connect to the server/router (i.e. scp, ping).
Summary:
As I understand it, I need to do another NAT from my server/router to the clients.
adsl-modem: 192.168.20.1
server/router: 192.168.20.2-5 (eth1), 10.10.10.1 (eth0)
client(s): 10.10.10.10-30
client route:
Code: | Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.20.1 * 255.255.255.255 UH 0 0 0 eth0
10.10.10.0 * 255.255.255.0 U 0 0 0 eth0
loopback localhost 255.0.0.0 UG 0 0 0 lo
default 10.10.10.1 0.0.0.0 UG 0 0 0 eth0 |
server/router route:
Code: | Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.20.0 * 255.255.255.248 U 0 0 0 eth1
10.10.10.0 * 255.255.255.0 U 0 0 0 eth0
loopback localhost 255.0.0.0 UG 0 0 0 lo
default 192.168.20.1 0.0.0.0 UG 0 0 0 eth1
|
ifconfig server/router:
Code: | eth0 Link encap:Ethernet HWaddr 00:0E:A6:6A:E8:1C
inet addr:10.10.10.1 Bcast:10.10.10.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3576 errors:0 dropped:0 overruns:0 frame:0
TX packets:99 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:360427 (351.9 Kb) TX bytes:11848 (11.5 Kb)
Interrupt:17 Memory:fbe00000-0
eth1 Link encap:Ethernet HWaddr 00:E0:7D:A0:B0:90
inet addr:192.168.20.5 Bcast:192.168.20.7 Mask:255.255.255.248
UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3759 errors:0 dropped:0 overruns:0 frame:0
TX packets:3188 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2570769 (2.4 Mb) TX bytes:223191 (217.9 Kb)
Interrupt:16 Base address:0x7000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:14 errors:0 dropped:0 overruns:0 frame:0
TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1220 (1.1 Kb) TX bytes:1220 (1.1 Kb)
|
ifconfig client:
Code: | eth0 Link encap:Ethernet HWaddr 00:E0:18:AE:5C:CF
inet addr:10.10.10.20 Bcast:10.10.10.255 Mask:255.255.255.0
UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
RX packets:19389 errors:0 dropped:0 overruns:0 frame:0
TX packets:39668 errors:0 dropped:0 overruns:0 carrier:20
collisions:0 txqueuelen:1000
RX bytes:10274186 (9.7 Mb) TX bytes:3556940 (3.3 Mb)
Interrupt:18
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:881 errors:0 dropped:0 overruns:0 frame:0
TX packets:881 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:89702 (87.5 Kb) TX bytes:89702 (87.5 Kb) |
I'm looking for the easiest way to access the WAN via my server/router from my clients.
I tried the following (don't blame me, I don't understand much of iptables): Code: | iptables -v -t nat -A POSTROUTING -o eth1 -j MASQUERADE |
The problem remains: I can browse with lynx from the server/router but not from any of my clients.
Would someone be kind enough to help me out?
Last edited by BlinkEye on Fri May 21, 2004 10:59 am; edited 3 times in total
adaptr
Joined: 06 Oct 2002 Posts: 6730 Location: Rotterdam, Netherlands
Posted: Mon Mar 08, 2004 8:09 pm
Apart from the -v flag, that is exactly the line you need.
EDIT:
What is the 192.168.0.1 line doing in your client routing table?
That does not belong there!
Remove it - routing works on a hop-by-hop basis.
You can't push any traffic past the router - that's what a router is for!
_________________ >>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen
BlinkEye
Posted: Mon Mar 08, 2004 11:00 pm
adaptr wrote: | Apart from the -v flag, that is exactly the line you need. |
Good to know.
EDIT: the -v flag provides some output if you execute the command. This is quite useful if you don't know what is being done.
adaptr wrote: |
EDIT:
What is the 192.168.0.1 line doing in your client routing table?
That does not belong there!
Remove it - routing works on a hop-by-hop basis.
You can't push any traffic past the router - that's what a router is for! |
I guess you mean the entry in my client route table which reads Code: | Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.20.1 * 255.255.255.255 UH 0 0 0 eth0 |
Well, if you could tell me how to disable that I would gladly do it.
Last edited by BlinkEye on Mon Mar 08, 2004 11:53 pm; edited 1 time in total
adaptr
Posted: Mon Mar 08, 2004 11:21 pm
It is the default route you distribute via DHCP.
This should point to the gateway on the 10.10.10.x network, nowhere else!
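The point adaptr makes here, that the router handed out to a client has to lie on that client's own subnet, can be checked mechanically. What follows is an added example, not something posted in the thread: a shell script that reads a dhcpd.conf in the one-declaration-per-line layout used above and prints, for every subnet, whether the `option routers` that applies to it (the subnet's own, or the global one as fallback) is inside that subnet. A router outside the subnet is what produced the 192.168.20.1 host route in the client table of the first post. Both embedded configurations are constructed for the example: the first is the dhcpd.conf from the first post, the second is the subnet-scoped variant. Handling more elaborate dhcpd.conf syntax (shared-network, group, options split over several lines) is out of scope and an assumption of the example.

```shell
#!/bin/sh
# Added example, not from the thread: report whether the default router a
# dhcpd.conf hands out is on-link for the subnet it applies to. Assumes the
# simple one-declaration-per-line layout used in this thread.

# Dotted quad -> 32-bit integer.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR NETWORK NETMASK: succeeds if ADDR lies in NETWORK/NETMASK.
in_subnet() {
    local a n m
    a=$(ip2int "$1"); n=$(ip2int "$2"); m=$(ip2int "$3")
    [ $(( a & m )) -eq $(( n & m )) ]
}

# check_routers: reads a dhcpd.conf on stdin and prints one line per subnet.
# A routers option inside a subnet block applies to that subnet; the global
# one is the fallback for every subnet without its own. Brace depth is
# tracked so a nested "host { }" block does not end the subnet early.
check_routers() {
    local global_rtr="" net="" mask="" rtr="" depth=0 line v eff
    while IFS= read -r line; do
        line=${line#"${line%%[![:space:]]*}"}   # strip leading whitespace
        case "$line" in
            "#"*) continue ;;                    # comment line
            "subnet "*)                          # subnet NET netmask MASK {
                set -- $line; net=$2; mask=$4; rtr="" ;;
            "option routers "*)
                v=${line#"option routers "}; v=${v%%;*}
                if [ -n "$net" ]; then rtr=$v; else global_rtr=$v; fi ;;
        esac
        case "$line" in *"{"*) depth=$((depth + 1)) ;; esac
        case "$line" in *"}"*)
            depth=$((depth - 1))
            if [ "$depth" -eq 0 ] && [ -n "$net" ]; then
                eff=${rtr:-$global_rtr}
                if [ -z "$eff" ]; then
                    echo "NONE $net/$mask: no routers option applies"
                elif in_subnet "$eff" "$net" "$mask"; then
                    echo "OK $net/$mask routers $eff"
                else
                    echo "BAD $net/$mask routers $eff is not on-link"
                fi
                net=""
            fi ;;
        esac
    done
}

# Constructed input: the first dhcpd.conf posted in this thread.
original_conf() {
cat <<'EOF'
option domain-name "homeLAN.nowhere";
option domain-name-servers 10.10.10.1;
option routers 192.168.20.1;
default-lease-time 86400;
max-lease-time 604800;
ddns-update-style interim;
authoritative;
subnet 10.10.10.0 netmask 255.255.255.0 {
  range 10.10.10.10 10.10.10.30;
  option subnet-mask 255.255.255.0;
  option broadcast-address 10.10.10.255;
}
EOF
}

# Constructed input: the same file with the router scoped to the LAN subnet.
fixed_conf() {
cat <<'EOF'
option routers 192.168.20.1;
authoritative;
subnet 192.168.20.0 netmask 255.255.255.0 {
}
subnet 10.10.10.0 netmask 255.255.255.0 {
  option routers 10.10.10.1;
  range 10.10.10.10 10.10.10.30;
  host ns {
    fixed-address 192.168.20.1;
  }
}
EOF
}

check_original() { original_conf | check_routers; }
check_fixed()    { fixed_conf | check_routers; }

# Run both checks when executed directly: sh check_routers.sh run
if [ "${1:-}" = run ]; then check_original; check_fixed; fi
```

The script has no side effects and needs no root. For the first configuration it reports the 10.10.10.0/24 subnet as BAD because the only routers option is 192.168.20.1; for the second it reports both subnets as OK, the empty 192.168.20.0/24 declaration picking up the global router and the LAN subnet its own.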
9uSt00
Joined: 23 Feb 2004 Posts: 24 Location: 59.9.9 ° N
Posted: Mon Mar 08, 2004 11:21 pm Post subject: Re: how to set up a dhcp server behind an adsl modem
I've set up the very same configuration, and all the additions here are extracts from my own config files.
BlinkEye wrote: | Code: | option domain-name "homeLAN.nowhere";
option domain-name-servers 10.10.10.1;
option routers 192.168.20.1;
default-lease-time 86400;
max-lease-time 604800;
ddns-update-style interim;
authoritative;
subnet 10.10.10.0 netmask 255.255.255.0 {
range 10.10.10.10 10.10.10.30;
option subnet-mask 255.255.255.0;
option broadcast-address 10.10.10.255;
} |
|
I'd change it to something like this:
Code: | option domain-name "homeLAN.nowhere";
option domain-name-servers 10.10.10.1;
# do you really have a DNS server running on your gateway?! if not, comment out the line above this one
# INSERT YOUR DOMAIN NAME SERVERS HERE (read from /etc/resolv.conf)
# option domain-name-servers xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx;
default-lease-time 86400;
max-lease-time 604800;
ddns-update-style interim;
authoritative;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
subnet 192.168.20.0 netmask 255.255.255.0 {
}
# your subnet config
subnet 10.10.10.0 netmask 255.255.255.0 {
# this is what you want your dhcp clients to use as default router
option routers 10.10.10.1;
range 10.10.10.10 10.10.10.30;
option subnet-mask 255.255.255.0;
option broadcast-address 10.10.10.255;
# we want the nameservers to appear as fixed addresses
host ns {
fixed-address 217.13.4.24, 217.13.7.140;
}
} |
Quote: | summary:
as i understand i need to do another NAT from my server/router to the clients. |
Yeah, that's a bit of a harder thing to do. First of all make sure the kernel on your router/gateway has IP forwarding set (do a 'cat /proc/sys/net/ipv4/ip_forward'; the result of this should be 1). If you can't cat this at all, you need to configure your kernel to support NAT, so go to /usr/src/linux and type 'make menuconfig'. On my server I'm running the 2.4 kernel (still), so in order to make NAT work, the following settings need to be enabled (not all of them are necessary for NAT, but they're good to have for advanced packet matching):
Code: |
Networking Options
[*] Network packet filtering (replaces ipchains)
<M> IP: tunneling
IP Netfilter Configuration
<M> Connection tracking (required for masq/NAT)
<M> IP tables support (required for filtering/masq/NAT)
< > limit match support
<M> MAC address match support
<M> Packet type match support
<M> Multiple port match support
<M> LENGTH match support
<M> TTL match support
<M> stealth match support
<M> Connection state match support
<M> Connection tracking match support
<M> Unclean match support (EXPERIMENTAL)
<M> Owner match support (EXPERIMENTAL)
<M> Packet filtering
<M> REJECT target support
<M> Full NAT
<M> MASQUERADE target support
|
Make sure support for ipchains and ipfwadm are not selected
Quote: |
client route:
Code: | Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.20.1 * 255.255.255.255 UH 0 0 0 eth0
10.10.10.0 * 255.255.255.0 U 0 0 0 eth0
loopback localhost 255.0.0.0 UG 0 0 0 lo
default 10.10.10.1 0.0.0.0 UG 0 0 0 eth0 |
|
Ya, this is somewhat wrong, but don't worry too much about that; the DHCP client should set this up correctly when the DHCPd provides the correct info. It has to be said, though, that the first entry should not appear. This is the routing table on my laptop behind the server (keep in mind that my internal network is 192.168.50.0):
Code: | Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.50.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 127.0.0.1 255.0.0.0 UG 0 0 0 lo
0.0.0.0 192.168.50.1 0.0.0.0 UG 0 0 0 eth0
|
Quote: |
server/router route:
Code: | Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.20.0 * 255.255.255.248 U 0 0 0 eth1
10.10.10.0 * 255.255.255.0 U 0 0 0 eth0
loopback localhost 255.0.0.0 UG 0 0 0 lo
default 192.168.20.1 0.0.0.0 UG 0 0 0 eth1
|
|
that looks fine.
Quote: |
ifconfig server/router:
Code: | eth0 Link encap:Ethernet HWaddr 00:0E:A6:6A:E8:1C
inet addr:10.10.10.1 Bcast:10.10.10.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3576 errors:0 dropped:0 overruns:0 frame:0
TX packets:99 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:360427 (351.9 Kb) TX bytes:11848 (11.5 Kb)
Interrupt:17 Memory:fbe00000-0
eth1 Link encap:Ethernet HWaddr 00:E0:7D:A0:B0:90
inet addr:192.168.20.5 Bcast:192.168.20.7 Mask:255.255.255.248
UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3759 errors:0 dropped:0 overruns:0 frame:0
TX packets:3188 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2570769 (2.4 Mb) TX bytes:223191 (217.9 Kb)
Interrupt:16 Base address:0x7000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:14 errors:0 dropped:0 overruns:0 frame:0
TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1220 (1.1 Kb) TX bytes:1220 (1.1 Kb)
|
|
I notice that you have your eth0 set to your internal network address. Is this on purpose? Normally eth0 is the NIC that goes out to the world (i.e. your ADSL router). Just make sure your cables are connected correctly and that your DHCPd runs on eth1 instead of eth0. No worries, though; it's just a matter of what you're used to.
Quote: |
I tried the following (don't blame me, I don't understand much of iptables): Code: | iptables -v -t nat -A POSTROUTING -o eth1 -j MASQUERADE |
The problem remains: I can browse with lynx from the server/router but not from any of my clients.
|
Heh, here's the problem, I guess... the iptables rules need to be somewhat more complicated than that...
Here's a modified extract of my firewall script to match your settings:
Code: |
#!/bin/bash
IPTABLES="/sbin/iptables"
EXT_NIC="eth1"
INT_NIC="eth0"
INT_IP="10.10.10.0/255.255.255.0"
echo "starting firewall..."
### set default policies (DROP, ACCEPT) ###
${IPTABLES} -P INPUT DROP
${IPTABLES} -P FORWARD ACCEPT
${IPTABLES} -P OUTPUT ACCEPT
### allow all incoming packets from internal net ###
### (old negation syntax; newer iptables releases spell it "! -i") ###
${IPTABLES} -A INPUT -i ! ${EXT_NIC} -j ACCEPT
### allow incoming related packets on external NIC (needs the state match, ipt_state) ###
${IPTABLES} -A INPUT -i ${EXT_NIC} -m state --state ESTABLISHED,RELATED -j ACCEPT
### enables masquerading of internal hosts ###
echo "* enabling ip forwarding in kernel"
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "* enabling masquerading of internal hosts"
${IPTABLES} -t nat -P PREROUTING ACCEPT
${IPTABLES} -t nat -P POSTROUTING ACCEPT
${IPTABLES} -t nat -P OUTPUT ACCEPT
${IPTABLES} -t nat -A POSTROUTING -o ${EXT_NIC} -j MASQUERADE
|
Hope that helps. :)
_________________ "wild nights! wild nights! were i with thee, wild nights should be our luxury!"
-- emily dickinson
adopt an unanswered post today!
adaptr
Posted: Mon Mar 08, 2004 11:24 pm
Quote: | heh.. here's the problem, i guess... the iptables rules need to be somewhat more complicated than that... |
Oh really?
Why?
BlinkEye
Posted: Mon Mar 08, 2004 11:51 pm Post subject: Re: how to set up a dhcp server behind an adsl modem
9uSt00 wrote: | I'd change it to something like this:
Code: | option domain-name "homeLAN.nowhere";
option domain-name-servers 10.10.10.1;
# do you really have a DNS server running on your gateway?! if not, comment out the line above this one
# INSERT YOUR DOMAIN NAME SERVERS HERE (read from /etc/resolv.conf)
# option domain-name-servers xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx;
default-lease-time 86400;
max-lease-time 604800;
ddns-update-style interim;
authoritative;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
subnet 192.168.20.0 netmask 255.255.255.0 {
}
# your subnet config
subnet 10.10.10.0 netmask 255.255.255.0 {
# this is what you want your dhcp clients to use as default router
option routers 10.10.10.1;
range 10.10.10.10 10.10.10.30;
option subnet-mask 255.255.255.0;
option broadcast-address 10.10.10.255;
# we want the nameservers to appear as fixed addresses
host ns {
fixed-address 192.168.20.1;
}
} |
|
Juhuuu, that did the trick. Thanks a lot for this great answer/howto; I'm really glad you explained it elaborately.
My final /etc/dhcp/dhcpd.conf looks like this:
Code: | option domain-name "homeLAN.ch";
option domain-name-servers 192.168.20.1;
option routers 192.168.20.1;
default-lease-time 86400;
max-lease-time 604800;
ddns-update-style interim;
authoritative;
subnet 192.168.20.0 netmask 255.255.255.0 {
}
subnet 10.10.10.0 netmask 255.255.255.0 {
option routers 10.10.10.1;
range 10.10.10.10 10.10.10.30;
option subnet-mask 255.255.255.0;
option broadcast-address 10.10.10.255;
host ns {
fixed-address 192.168.20.1;
}
} |
Really great.
9uSt00 wrote: | heh.. here's the problem, i guess... the iptables rules need to be somewhat more complicated than that... |
Although a bit irritated, adaptr is right:
Code: | iptables -v -t nat -A POSTROUTING -o eth1 -j MASQUERADE | does the trick.
I see you provided an adjusted script for me. Well, let's see if I figure it out. Again, thank you both for the quick answers.
9uSt00
Posted: Mon Mar 08, 2004 11:58 pm Post subject: Re: how to set up a dhcp server behind an adsl modem
BlinkEye wrote: | 9uSt00 wrote: | heh.. here's the problem, i guess... the iptables rules need to be somewhat more complicated than that... |
Although a bit irritated, adaptr is right:
Code: | iptables -v -t nat -A POSTROUTING -o eth1 -j MASQUERADE | does the trick. |
Well, that is the essential part, I have to agree. It's been a while since I set it up. I'm glad it helped.
adaptr: dude, relax.. no need to get
9uSt00
BlinkEye
Posted: Tue Mar 09, 2004 12:02 am Post subject: Re: how to set up a dhcp server behind an adsl modem
9uSt00 wrote: | Code: |
#!/bin/bash
IPTABLES="/sbin/iptables"
EXT_NIC="eth1"
INT_NIC="eth0"
INT_IP="10.10.10.0/255.255.255.0"
echo "starting firewall..."
### set default policies (DROP, ACCEPT) ###
${IPTABLES} -P INPUT DROP
${IPTABLES} -P FORWARD ACCEPT
${IPTABLES} -P OUTPUT ACCEPT
### allow all incoming packets from internal net ###
### (old negation syntax; newer iptables releases spell it "! -i") ###
${IPTABLES} -A INPUT -i ! ${EXT_NIC} -j ACCEPT
### allow incoming related packets on external NIC (needs the state match, ipt_state) ###
${IPTABLES} -A INPUT -i ${EXT_NIC} -m state --state ESTABLISHED,RELATED -j ACCEPT
### enables masquerading of internal hosts ###
echo "* enabling ip forwarding in kernel"
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "* enabling masquerading of internal hosts"
${IPTABLES} -t nat -P PREROUTING ACCEPT
${IPTABLES} -t nat -P POSTROUTING ACCEPT
${IPTABLES} -t nat -P OUTPUT ACCEPT
${IPTABLES} -t nat -A POSTROUTING -o ${EXT_NIC} -j MASQUERADE
|
Hope that helps. :) |
Yeah, this script rocks! You saved me a lot of time. Thank you for your efforts.
adaptr
Posted: Tue Mar 09, 2004 3:49 pm Post subject: Re: how to set up a dhcp server behind an adsl modem
9uSt00 wrote: |
adaptr: dude, relax.. no need to get
|
I did not get evil at any time - I corrected you.
You stated that his inability to connect to the internet with his clients had something to do with his firewall settings - bollocks.
The only reason his clients cannot connect is the bogus 192.168.0.1 route in the clients' routing tables.
He already had the minimal NAT required - the line I showed you.
Since I know that to be absolutely and unequivocally enough to do proper PAT on a single host, I asked you why you thought it had to be more complicated.
If you find that evil then I have of course learned my lesson ;-)
9uSt00
Posted: Tue Mar 09, 2004 4:49 pm Post subject: Re: how to set up a dhcp server behind an adsl modem
adaptr wrote: | 9uSt00 wrote: |
adaptr: dude, relax.. no need to get
|
I did not get evil at any time - I corrected you. |
Fair enough, but you have to say that saying "why, why?" can be interpreted as a bit harsh. No worries, though... (oh, and btw I meant angry, not evil)
Quote: | You stated that his inability to connect to the internet with his clients had something to do with his firewall settings - bollocks.
The only reason his clients cannot connect is the bogus 192.168.0.1 route in the clients' routing tables.
He already had the minimal NAT required - the line I showed you. |
True enough, but that wasn't the only problem...
Quote: | If you find that evil then I have of course learned my lesson ;-) |
Ya, so did I. I learned that that is the only iptables rule needed for forwarding. :)
BlinkEye
Posted: Tue Apr 27, 2004 7:18 pm
Any suggestion on how to secure my box while providing access from the outside? What I need is an open SSH and an HTTP (Apache) port.
So I changed Code: | ${IPTABLES} -P INPUT DROP |
to Code: | ${IPTABLES} -P INPUT ACCEPT |
but I guess this isn't a good solution, as I don't have any firewalling besides this routing/NAT(ting)/masquerading script.
adaptr
Posted: Tue Apr 27, 2004 8:09 pm
Changing the policy means you have essentially no security.
Any service that's listening on the box will respond to anything from the outside, which is probably not what you want.
You can easily let only those two ports through with a few additional lines:
Code: | # EXT_IP is the address on ${EXT_NIC} (192.168.20.5 in the ifconfig above); it must be set before these lines run
iptables -A INPUT -i ${EXT_NIC} -p tcp -d ${EXT_IP} --dport 22 -j ACCEPT
iptables -A INPUT -i ${EXT_NIC} -p tcp -d ${EXT_IP} --dport 80 -j ACCEPT
iptables -A INPUT -i ${EXT_NIC} -m state --state ESTABLISHED,RELATED -j ACCEPT |
The last line is a beautifully simple solution to having to provide a way for all packets to go back out the way they came in...
If you want to forward those ports to a machine on the LAN you will have to duplicate the first two in the nat PREROUTING chain and jump to the REDIRECT target, which will rewrite the address.
BlinkEye
Posted: Tue Apr 27, 2004 8:32 pm
This is exactly what I've been looking for. Thanks for the quick reply. I'm currently trying to get through the man page of iptables, as the above lines seem to have a minor mistake: Code: | Bad argument `22'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `80'
Try `iptables -h' or 'iptables --help' for more information.
|
Fortunately I don't have to forward ports at the moment (or I would have asked again, as I don't get iptables yet).
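What follows is an added example, not the script from the thread and not adaptr's lines verbatim. It combines the masquerading script posted earlier with the two ACCEPT rules for SSH and HTTP and adds a port forward to a LAN host, with a DRY_RUN mode that prints the rules instead of applying them so the rule set can be reviewed without root. It also shows why the "Bad argument `22'" error above appears: the earlier script never defines EXT_IP, so `-d ${EXT_IP}` expands to a bare `-d`, which takes the following `--dport` as its argument and leaves `22` as a stray word that iptables rejects with exactly that message; with EXT_IP set, the three lines work as posted, and `set -u` makes the shell stop at the first unset variable instead. Forwarding a port to a machine on the LAN rewrites the destination address with the DNAT target (REDIRECT rewrites it to the router's own address, which only fits when the service runs on the router itself), and the FORWARD chain then has to let the rewritten packet through. The interfaces and addresses (eth1 with 192.168.20.5, LAN 10.10.10.0/24) are taken from the ifconfig output above; WEB_HOST 10.10.10.20 and external port 8080 are assumptions of the example.

```shell
#!/bin/sh
# Added example, not the thread's script: NAT gateway rules for the layout
# above (eth1 towards the ADSL modem, eth0 towards the LAN) plus SSH/HTTP on
# the external address and one port forward to a LAN host.
# DRY_RUN=1 prints the rules instead of applying them.
set -u                                   # abort on any unset variable
IPTABLES=${IPTABLES:-/sbin/iptables}
EXT_NIC=${EXT_NIC:-eth1}
INT_NIC=${INT_NIC:-eth0}
EXT_IP=${EXT_IP:-192.168.20.5}           # address on EXT_NIC (from the ifconfig above)
INT_NET=${INT_NET:-10.10.10.0/24}
WEB_HOST=${WEB_HOST:-10.10.10.20}        # assumption: LAN host that receives the forward
WEB_PORT=${WEB_PORT:-8080}               # assumption: external port for that forward
DRY_RUN=${DRY_RUN:-0}

# ipt ARGS...: print the rule in dry-run mode, otherwise pass it to iptables.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else "$IPTABLES" "$@"; fi
}

enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then echo "sysctl net.ipv4.ip_forward=1"
    else echo 1 > /proc/sys/net/ipv4/ip_forward; fi
}

apply_rules() {
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP                  # forward only what is allowed below
    ipt -P OUTPUT ACCEPT
    # the router itself: loopback, anything from the LAN side, replies from outside.
    # No -s match on the LAN rule: DHCP requests arrive with source 0.0.0.0.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$INT_NIC" -j ACCEPT
    ipt -A INPUT -i "$EXT_NIC" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # the two services exposed on the external address
    ipt -A INPUT -i "$EXT_NIC" -p tcp -d "$EXT_IP" --dport 22 -j ACCEPT
    ipt -A INPUT -i "$EXT_NIC" -p tcp -d "$EXT_IP" --dport 80 -j ACCEPT
    # LAN -> WAN (only with a LAN source address) and the return traffic for it
    ipt -A FORWARD -i "$INT_NIC" -o "$EXT_NIC" -s "$INT_NET" -j ACCEPT
    ipt -A FORWARD -i "$EXT_NIC" -o "$INT_NIC" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # port forward: DNAT rewrites the destination to the LAN host
    # (REDIRECT would rewrite it to the router itself); FORWARD must then allow it
    ipt -t nat -A PREROUTING -i "$EXT_NIC" -p tcp -d "$EXT_IP" --dport "$WEB_PORT" \
        -j DNAT --to-destination "$WEB_HOST:80"
    ipt -A FORWARD -i "$EXT_NIC" -o "$INT_NIC" -p tcp -d "$WEB_HOST" --dport 80 \
        -m state --state NEW -j ACCEPT
    # everything leaving towards the modem gets the external address
    ipt -t nat -A POSTROUTING -o "$EXT_NIC" -j MASQUERADE
    enable_forwarding
}

# Usage: DRY_RUN=1 ./firewall.sh start   (review the rules)
#        ./firewall.sh start             (apply them, as root)
if [ "${1:-}" = start ]; then apply_rules; fi
```

The INPUT and FORWARD policies are DROP, so anything not listed is refused rather than accepted as in the earlier script; the state rules need the ipt_state match in the kernel, which is the same requirement the "No chain/target/match by that name" message further down is about.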
BlinkEye
Posted: Tue Apr 27, 2004 8:35 pm
Another question: if I start the script I get the following messages: Code: | # start_routing
starting firewall...
iptables: No chain/target/match by that name
* enabling ip forwarding in kernel
* enabling masquerading of internal hosts |
Is there something wrong with that?
adaptr
Posted: Fri May 14, 2004 6:02 pm
You may have to load the iptables modules for them specifically, since these are extensions to the basic iptables functionality.
Alternatively, maybe something went wrong in the kernel config ?
If you've built iptables as modules, could you post an lsmod?
BlinkEye
Posted: Fri May 14, 2004 8:55 pm
Well, maybe the problem is that I built in all iptables functions?
Code: | # cat .config |grep CONFIG_IP
CONFIG_IP_MULTICAST=y
# CONFIG_IP_ADVANCED_ROUTER is not set
# CONFIG_IP_PNP is not set
# CONFIG_IP_MROUTE is not set
# CONFIG_IP_VS is not set
# CONFIG_IPV6 is not set
CONFIG_IP_NF_CONNTRACK=y
# CONFIG_IP_NF_FTP is not set
# CONFIG_IP_NF_IRC is not set
# CONFIG_IP_NF_TFTP is not set
# CONFIG_IP_NF_AMANDA is not set
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_IPRANGE=y
CONFIG_IP_NF_MATCH_MAC=y
# CONFIG_IP_NF_MATCH_PKTTYPE is not set
# CONFIG_IP_NF_MATCH_MARK is not set
# CONFIG_IP_NF_MATCH_MULTIPORT is not set
# CONFIG_IP_NF_MATCH_TOS is not set
# CONFIG_IP_NF_MATCH_RECENT is not set
# CONFIG_IP_NF_MATCH_ECN is not set
# CONFIG_IP_NF_MATCH_DSCP is not set
# CONFIG_IP_NF_MATCH_AH_ESP is not set
CONFIG_IP_NF_MATCH_LENGTH=y
CONFIG_IP_NF_MATCH_TTL=y
# CONFIG_IP_NF_MATCH_TCPMSS is not set
# CONFIG_IP_NF_MATCH_HELPER is not set
# CONFIG_IP_NF_MATCH_STATE is not set
# CONFIG_IP_NF_MATCH_CONNTRACK is not set
CONFIG_IP_NF_MATCH_OWNER=y
CONFIG_IP_NF_FILTER=y
# CONFIG_IP_NF_TARGET_REJECT is not set
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_TARGET_NETMAP=y
CONFIG_IP_NF_TARGET_SAME=y
# CONFIG_IP_NF_NAT_LOCAL is not set
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
# CONFIG_IP_NF_MANGLE is not set
# CONFIG_IP_NF_TARGET_LOG is not set
# CONFIG_IP_NF_TARGET_ULOG is not set
# CONFIG_IP_NF_TARGET_TCPMSS is not set
# CONFIG_IP_NF_ARPTABLES is not set
# CONFIG_IP_SCTP is not set
# CONFIG_IPX is not set
# CONFIG_IPMI_HANDLER is not set
|
I thought I built in the extensions of iptables too. But if you say that your above commands work I'm able to solve this problem alone. I'll try to load the specific iptables parts as modules instead of built in; maybe that helps...
Thanks for pointing me in the right direction!
_________________ Easily backup up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick
adaptr
Posted: Mon May 17, 2004 12:35 pm
Well, yeah - you need at least the STATE match module ;-)
BlinkEye
Posted: Tue May 18, 2004 11:29 am
Just to be sure I generated a firewall script from http://easyfwgen.morizot.net/gen/
and built all the relevant iptables options as modules - still no luck:
Code: | firewall.sh
Loading kernel modules ...
FATAL: Module ip_conntrack not found.
net.ipv4.ip_forward = 1
error: 'net.ipv4.tcp_syncookies' is an unknown key
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.log_martians = 1
Flushing Tables ...
Create and populate custom rule chains ...
Process INPUT chain ...
Process FORWARD chain ...
Process OUTPUT chain ...
Load rules for nat table ...
Load rules for mangle table ...
|
So, what's wrong with that ip_conntrack module?
These are my available modules:
Code: | # ls /lib/modules/2.6.5-mm6/kernel/net/ipv4/netfilter/
arp_tables.ko ip_tables.ko ipt_ULOG.ko ipt_owner.ko
arpt_mangle.ko ipt_CLASSIFY.ko ipt_ah.ko ipt_pkttype.ko
arptable_filter.ko ipt_DSCP.ko ipt_conntrack.ko ipt_recent.ko
ip_conntrack_amanda.ko ipt_ECN.ko ipt_dscp.ko ipt_state.ko
ip_conntrack_ftp.ko ipt_LOG.ko ipt_ecn.ko ipt_tcpmss.ko
ip_conntrack_irc.ko ipt_MARK.ko ipt_esp.ko ipt_tos.ko
ip_conntrack_tftp.ko ipt_MASQUERADE.ko ipt_helper.ko ipt_ttl.ko
ip_nat_amanda.ko ipt_NETMAP.ko ipt_iprange.ko iptable_filter.ko
ip_nat_ftp.ko ipt_REDIRECT.ko ipt_length.ko iptable_mangle.ko
ip_nat_irc.ko ipt_REJECT.ko ipt_limit.ko iptable_nat.ko
ip_nat_snmp_basic.ko ipt_SAME.ko ipt_mac.ko
ip_nat_tftp.ko ipt_TCPMSS.ko ipt_mark.ko
ip_queue.ko ipt_TOS.ko ipt_multiport.ko |
and my loaded ones:
Code: | # lsmod
Module Size Used by
ipt_MASQUERADE 3968 1
iptable_nat 24748 2 ipt_MASQUERADE
ipt_state 2176 1
iptable_filter 3072 1
ip_tables 17536 4 ipt_MASQUERADE,iptable_nat,ipt_state,iptable_filter
ppp_synctty 9472 0
ppp_async 12160 1
ppp_generic 29460 6 ppp_synctty,ppp_async
slhc 8192 1 ppp_generic
uhci_hcd 31388 0
ehci_hcd 27400 0
ohci_hcd 19996 0
usbcore 106548 5 uhci_hcd,ehci_hcd,ohci_hcd
|
Which one am I missing?
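The module listing above contains no ip_conntrack.ko, yet iptable_nat and ipt_MASQUERADE are loaded and working, and neither can load without connection tracking; together with CONFIG_IP_NF_CONNTRACK=y in the .config posted earlier, that means connection tracking is compiled into this kernel and the generated script's "FATAL: Module ip_conntrack not found" is a modprobe of something that needs no loading. ipt_state is loaded as well, which is the match the earlier "No chain/target/match by that name" message was about. What follows is an added example, not from the thread: a helper that decides, before calling modprobe, whether a netfilter feature is already active, available as a loadable module, or absent, so a firewall script neither fails on a built-in feature nor starts without a required one. ROOT is an assumed prefix (empty on a real system) so the logic can be exercised against a constructed directory tree without root; /proc/net/ip_conntrack and /proc/net/ip_tables_names are the files connection tracking and ip_tables create once they are present in a 2.4 or 2.6 kernel. Matches and targets such as ipt_state create no such file, so for those only the module file can be checked and the iptables rule itself remains the final test.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether a netfilter feature is
# already active, available as a loadable module, or absent, before calling
# modprobe. A feature compiled into the kernel has no .ko/.o file, so a blind
# modprobe reports "FATAL: Module ... not found" although the feature works.
# ROOT is an assumed prefix (empty on a real system) so the logic can be run
# against a constructed directory tree without root.
ROOT=${ROOT:-}
KVER=${KVER:-$(uname -r)}

nf_moddir() { echo "$ROOT/lib/modules/$KVER/kernel/net/ipv4/netfilter"; }

# nf_status NAME [PROBE]: prints
#   active  - PROBE, a /proc file the feature creates once present, exists
#   module  - a .ko (2.6) or .o (2.4) file for NAME exists
#   unknown - no PROBE given and no module file: may well be built in
#   missing - PROBE given but absent, and no module file either
nf_status() {
    local name probe dir
    name=$1; probe=${2:-}; dir=$(nf_moddir)
    if [ -n "$probe" ] && [ -e "$ROOT$probe" ]; then
        echo active
    elif [ -e "$dir/$name.ko" ] || [ -e "$dir/$name.o" ]; then
        echo module
    elif [ -z "$probe" ]; then
        echo unknown
    else
        echo missing
    fi
}

# nf_load NAME [PROBE]: modprobe only when there is a module to load; fail
# when the feature is demonstrably absent so the firewall script stops early.
nf_load() {
    case "$(nf_status "$1" "${2:-}")" in
        active)  echo "$1: already present (built in or loaded)" ;;
        module)  modprobe "$1" ;;
        unknown) echo "$1: no module file, assuming built in; the rule itself will tell" ;;
        missing) echo "$1: neither built in nor available as a module" >&2; return 1 ;;
    esac
}

# The set the masquerading script in this thread relies on. Connection
# tracking and ip_tables register /proc/net files; matches and targets do
# not, so they are checked by module file only.
nf_load_all() {
    nf_load ip_tables /proc/net/ip_tables_names &&
    nf_load ip_conntrack /proc/net/ip_conntrack &&
    nf_load iptable_filter &&
    nf_load iptable_nat &&
    nf_load ipt_state &&
    nf_load ipt_MASQUERADE
}
```

Calling `nf_load_all` at the top of a firewall script, with the script aborting when it returns non-zero, replaces the unconditional modprobe list a generator emits; on the kernel posted above it would report ip_conntrack as already present and load the rest from the .ko files in the listing.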
pharaoh
Joined: 20 Nov 2003 Posts: 211 Location: Pennsylvania
Posted: Tue Jun 01, 2004 10:30 pm
This thread hooked me up too, thanks guys!