Gentoo Forums
setting up a router/firewall
rem7
n00b


Joined: 14 Oct 2005
Posts: 14
Location: USA, Los Angeles CA

Posted: Mon Aug 21, 2006 9:44 pm    Post subject: setting up a router/firewall

Hello everyone.
I want to set up my Gentoo machine as a router/firewall. I have emerged iptables and configured my kernel (for the most part, kernel config below).

eth0 = LAN
eth1 = Internet

I have a dhcpd server running on eth1 and it works fine; it goes from 192.168.0.100 to 192.168.0.149. I also set up the DHCP server to assign 192.168.0.150 to a machine with X MAC address. That machine connects to the DHCP server and gets 192.168.0.150 successfully. This same machine has a Ventrilo server on port 3784, so I'm trying to forward the traffic to that computer with the following rule:

Code:
-t nat -A PREROUTING -p tcp -m tcp --dport 3784 -i eth0 -j DNAT --to-destination 192.168.0.150
-A INPUT -p tcp -m tcp --dport 3784 -i eth0 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 3784 -i eth0 -j ACCEPT


But I get this error:

Code:

iptables-restore v1.3.5: Line 19 seems to have a -t table option.


I'm not sure if eth0 and eth1 are talking to each other. Also, I have enabled tables in the kernel, or maybe I didn't enable the right ones, so I don't know what's wrong.

This is what iptables looks like:
Code:

# Generated by iptables-save v1.3.5 on Sun Aug 20 23:31:44 2006
*filter
:INPUT ACCEPT [1287:133885]
:FORWARD ACCEPT [5:240]
:OUTPUT ACCEPT [17753:2041226]

# ACCEPT LOCALHOST TRAFIC
-A INPUT -s 127.0.0.1 -j ACCEPT

# ACCEPT ESTABLISHED CONNECTIONS
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# SSH
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

# NAT stuff COMMENTED OFF -t table error
#-t nat -A PREROUTING -p tcp -m tcp --dport 3784 -i eth0 -j DNAT --to-destination 192.168.0.150
#-A INPUT -p tcp -m tcp --dport 3784 -i eth0 -j ACCEPT
#-A FORWARD -p tcp -m tcp --dport 3784 -i eth0 -j ACCEPT

# REJECT everything else
-A INPUT -p tcp -i eth0 -j REJECT --reject-with tcp-reset
-A INPUT -p udp -i eth0 -j REJECT --reject-with icmp-port-unreachable



COMMIT
# Completed on Sun Aug 20 23:31:44 2006


Kernel Config:
Code:

CORE NETFILTER CONFIGURATION --->
  <*> Netfilter netlink interface
  <*>   Netfilter NFQUEUE over NFNETLINK interface
  <*>   Netfilter LOG over NFNETLINK interface
  <*> Netfilter Xtables support (required for ip_tables)
  <*>   "CLASSIFY" target support
  <*>   "MARK" target support
  <*>   "NFQUEUE" target Support
  <*>   "NOTRACK" target support
  <*>   "comment" match support
  <*>   "conntrack" connection tracking match support
  <*>   "DCCP" protocol match support
  < >   "ESP" match support
  < >   "helper" match support
  <*>   "length" match support
  <*>   "limit" match support
  <*>   "mac" address match support
  <*>   "mark" match support
  <*>   Multiple port match support
  <*>   "pkttype" packet type match support
  <*>   "realm" match support
  <*>   "sctp" protocol match support
  <*>   "state" match support
  <*>   "string" match support
  <*>   "tcpmss" match support

IP: Net Filter configuration
  <*> Connection tracking (required for masq/NAT)
  [ ]   Connection tracking flow accounting
  [ ]   Connection mark tracking support
  [ ]   Connection tracking events (EXPERIMENTAL)
  < >   Connection tracking netlink interface (EXPERIMENTAL)
  < >   SCTP protocol connection tracking support (EXPERIMENTAL)
  <*>   FTP protocol support
  < >   IRC protocol support
  < >   NetBIOS name service protocol support (EXPERIMENTAL)
  < >   TFTP protocol support
  < >   Amanda backup protocol support
  < >   PPTP protocol support
  < >   H.323 protocol support (EXPERIMENTAL)
  < > IP Userspace queueing via NETLINK (OBSOLETE)
  <*> IP tables support (required for filtering/masq/NAT)
  <*>   IP range match support
  <*>   TOS match support
  <*>   recent match support
  <*>   ECN match support
  <*>   DSCP match support
  <*>   AH match support
  <*>   TTL match support
  <*>   Owner match support
  <*>   address type match support
  <*>   hashlimit match support
  <*>   Packet filtering
  <*>     REJECT target support
  <*>   LOG target support
  < >   ULOG target support
  < >   TCPMSS target support
  <*>   Full NAT
  <*>     MASQUERADE target support
  <*>     REDIRECT target support
  <*>     NETMAP target support
  <*>     SAME target support
  < >     Basic SNMP-ALG support (EXPERIMENTAL)
  < >   Packet mangling
  <*>   raw table support (required for NOTRACK/TRACE)
  <*> ARP Tables support
  <*>   ARP packet filtering
  <*>   ARP payload mangling


I've been getting my info from here:
http://gentoo-wiki.com/HOWTO_Iptables_for_newbies
and here:
http://www.gentoo-wiki.com/HOWTO_Iptables_and_stateful_firewalls
_________________
- rem7 -
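The layout iptables-restore actually expects, as an added example that is not part of the thread: each table is opened with a `*nat` or `*filter` header and closed with COMMIT, and rule lines carry no `-t` option at all, which is what the "seems to have a -t table option" message is complaining about. It keeps eth0 = LAN and eth1 = Internet from the post but assumes the Ventrilo forward is for connections arriving on the Internet side (so the DNAT matches `-i eth1`, not `-i eth0`); `check_rules` is a constructed sanity check, not an iptables tool.

```shell
#!/bin/sh
# Added example (not from the thread): rem7's forward written the way
# iptables-restore parses it. Each table opens with "*name" and ends with
# COMMIT; rule lines never carry -t. Assumed: eth0 = LAN, eth1 = Internet,
# and the forward is for connections arriving on the Internet side.
LAN_IF=eth0
WAN_IF=eth1
VENTRILO_HOST=192.168.0.150   # the fixed DHCP lease from the post
VENTRILO_PORT=3784
# Print a complete rules file for iptables-restore to stdout.
write_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# The rule that failed inside *filter with "-t nat": it belongs in the nat table
-A PREROUTING -i $WAN_IF -p tcp -m tcp --dport $VENTRILO_PORT -j DNAT --to-destination $VENTRILO_HOST
# LAN hosts go out under the router's Internet address
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $LAN_IF -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# DNAT'd packets traverse FORWARD, not INPUT, so the accept goes here
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $VENTRILO_HOST -p tcp -m tcp --dport $VENTRILO_PORT -j ACCEPT
COMMIT
EOF
}

# Constructed pre-load check: every rule line must sit between a "*table"
# header and its COMMIT, and none may carry -t. Prints "ok" or the bad line.
check_rules() {
    awk '
        /^\*/                     { table = $0; next }
        /^COMMIT/                 { table = ""; next }
        /^(-|:)/ && table == ""   { print "outside a table: " $0; bad = 1; exit }
        /^-/ && /(^| )-t /        { print "has -t option: " $0; bad = 1; exit }
        END                       { if (!bad) print "ok" }
    '
}
# Load: write_rules | check_rules && write_rules | iptables-restore
# Routing between eth0 and eth1 also needs: echo 1 > /proc/sys/net/ipv4/ip_forward
```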
Ast0r
Guru


Joined: 11 Apr 2006
Posts: 404
Location: Dallas, Tx - USA

Posted: Tue Aug 22, 2006 2:08 am    Post subject:

I followed this howto and got my router up and working, with DHCP, DNS, and port forwarding. It took me a couple of hours to get it working and then a couple more to get things the way I wanted, but it worked pretty well.
rem7
n00b


Joined: 14 Oct 2005
Posts: 14
Location: USA, Los Angeles CA

Posted: Tue Aug 22, 2006 6:30 am    Post subject:

Oh, neat!!! Thanks, I'll have to give it a try.
_________________
- rem7 -