donjames Apprentice
Joined: 19 Dec 2004 Posts: 251 Location: 32°9'50" N 94°50'54" W
Posted: Fri Sep 04, 2020 8:41 pm Post subject: Home router not working
Hi,
I am trying to make a home router using the instructions found here: https://wiki.gentoo.org/wiki/Home_router
eth1 is connected directly to the internet.
eth0 is connected to my local area network.
With both interfaces active, I cannot ping the public internet. It gives a name resolution error.
With eth0 not active, I can ping the public internet.
My script for setting up the router:
Code: |
#!/bin/bash
# After IPtables is installed, flush the current rules:
iptables -F
iptables -t nat -F
# Setup default policies to handle unmatched traffic:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Copy and paste the following:
export LAN=eth0
export WAN=eth1
# locks the services so they only work from the LAN:
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT
# Allow access to the ssh server from the WAN:
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT
# Drop TCP / UDP packets to privileged ports:
iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
# Finally add the rules for NAT:
iptables -I FORWARD -i ${LAN} -d 192.168.0.0/16 -j DROP
iptables -A FORWARD -i ${LAN} -s 192.168.0.0/16 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.0.0/16 -j ACCEPT
# iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
# Inform the kernel that IP forwarding is OK:
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
#Instruct the IPtables daemon to save the changes to the rules, then add IPtables to the default runlevel:
/etc/init.d/iptables save
|
iptables rules list:
Code: |
# iptables --list-rules
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT ! -i eth0 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
-A INPUT ! -i eth0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT ! -i eth0 -p tcp -m tcp --dport 0:1023 -j DROP
-A INPUT ! -i eth0 -p udp -m udp --dport 0:1023 -j DROP
-A FORWARD -d 192.168.0.0/16 -i eth0 -j DROP
-A FORWARD -s 192.168.0.0/16 -i eth0 -j ACCEPT
-A FORWARD -d 192.168.0.0/16 -i eth1 -j ACCEPT
|
lsmod is here:
Code: |
# lsmod
Module Size Used by
l2tp_netlink 24576 0
l2tp_core 32768 1 l2tp_netlink
ip6_udp_tunnel 16384 1 l2tp_core
udp_tunnel 16384 1 l2tp_core
ipt_REJECT 16384 2
nf_reject_ipv4 16384 1 ipt_REJECT
iptable_nat 16384 1
iptable_filter 16384 1
ip_tables 24576 2 iptable_filter,iptable_nat
bpfilter 28672 0
xt_MASQUERADE 20480 2
ipv6 442368 19 l2tp_core
crc_ccitt 16384 1 ipv6
cfg80211 610304 0
rfkill 24576 1 cfg80211
8021q 28672 0
garp 16384 1 8021q
mrp 20480 1 8021q
stp 16384 1 garp
llc 16384 2 garp,stp
joydev 24576 0
ppdev 24576 0
powernow_k7 20480 0
ax88179_178a 24576 0
snd_intel8x0 40960 0
via_rhine 32768 0
usbnet 45056 1 ax88179_178a
snd_ac97_codec 110592 1 snd_intel8x0
mii 16384 3 usbnet,ax88179_178a,via_rhine
ac97_bus 16384 1 snd_ac97_codec
pcspkr 16384 0
serio_raw 20480 0
snd_pcm 90112 2 snd_ac97_codec,snd_intel8x0
ata_generic 16384 0
snd_timer 32768 1 snd_pcm
ohci_pci 20480 0
i2c_sis96x 20480 0
snd 69632 4 snd_ac97_codec,snd_timer,snd_intel8x0,snd_pcm
nf_nat 40960 2 xt_MASQUERADE,iptable_nat
parport_pc 24576 0
i2c_core 73728 1 i2c_sis96x
ohci_hcd 49152 1 ohci_pci
nf_conntrack 131072 2 xt_MASQUERADE,nf_nat
soundcore 16384 1 snd
parport 49152 2 parport_pc,ppdev
nf_defrag_ipv4 16384 1 nf_conntrack
pata_acpi 16384 0
mac_hid 16384 0
nf_defrag_ipv6 24576 2 nf_conntrack,ipv6
libcrc32c 16384 2 nf_conntrack,nf_nat
crc32c_generic 16384 4
ext4 589824 2
mbcache 16384 1 ext4
jbd2 102400 1 ext4
uas 24576 0
usb_storage 61440 1 uas
sd_mod 45056 4
pata_sis 16384 3
|
I suspect that there is a missing module, but I don't know which one.
Can someone give me a little help?
Thanks,
donjames
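A check on the rule set posted above, added here as an example and not part of the original post: it reads rules in iptables --list-rules syntax and flags every FORWARD ACCEPT rule that matches packets arriving on the WAN interface without a conntrack state match, which is what lets unsolicited WAN traffic be forwarded into the LAN rather than only replies to LAN-initiated connections. The interface names and the sample rules are taken from the post; the stateful rule at the end of the sample is a constructed "good" line for contrast.

```shell
#!/bin/bash
# Constructed sample: the FORWARD rules from the posted `iptables --list-rules`
# output, plus one stateful rule (not in the post) so the check has a "good"
# line to contrast against.
SAMPLE_RULES='-P FORWARD DROP
-A FORWARD -d 192.168.0.0/16 -i eth0 -j DROP
-A FORWARD -s 192.168.0.0/16 -i eth0 -j ACCEPT
-A FORWARD -d 192.168.0.0/16 -i eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

# lint_forward_rules WAN_IFACE
# Reads rules in iptables-save / --list-rules syntax from stdin and prints every
# FORWARD ACCEPT rule that matches packets arriving on WAN_IFACE without a
# --state / --ctstate match. Such a rule forwards unsolicited WAN packets into
# the LAN instead of only replies to LAN-initiated connections.
# Returns 0 if no such rule exists, 1 otherwise.
lint_forward_rules() {
    local wan="$1" found=0 rule
    while IFS= read -r rule; do
        case "$rule" in "-A FORWARD "*) ;; *) continue ;; esac   # FORWARD chain only
        case "$rule" in *" -j ACCEPT"*) ;; *) continue ;; esac   # ACCEPT targets only
        case "$rule" in *" -i $wan "*) ;; *) continue ;; esac    # arriving on the WAN
        case "$rule" in
            *"--state "*|*"--ctstate "*) ;;                     # stateful: fine
            *) printf 'unrestricted WAN forward: %s\n' "$rule"; found=1 ;;
        esac
    done
    [ "$found" -eq 0 ]
}

# Number of unrestricted WAN forward rules in the sample for the given WAN iface.
count_unrestricted() {
    printf '%s\n' "$SAMPLE_RULES" | lint_forward_rules "$1" | wc -l | tr -d ' '
}

# Stand-alone run: reports the posted "-A FORWARD -d 192.168.0.0/16 -i eth1 -j ACCEPT".
if printf '%s\n' "$SAMPLE_RULES" | lint_forward_rules eth1; then
    echo "FORWARD chain only accepts stateful traffic from eth1"
fi
```

Note that iptables --list-rules (-S) defaults to the filter table, so the posted listing does not show the nat POSTROUTING MASQUERADE rule at all; iptables -t nat -S lists it.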
alamahant l33t
Joined: 23 Mar 2019 Posts: 653
Posted: Fri Sep 04, 2020 9:11 pm
Hi,
in /etc/conf.d/net please make sure that you only define a gateway for the internet facing interface.
The internal iface should NOT have this
Code: |
routes_eth0="default via ................."
|
Use routing for the internal interface to reach the external network, NOT a default gateway.
You seem to be missing routing config.
Something like
Quote: |
ip route add 192.168.0.0/16 via <your-eth1-ip>
|
Are you sure that /16 is the correct cidr for your network?
If you have name resolution issues look at your dns configuration.
Both external and internal ifaces should be assigned dns nameservers.
Something like
Code: |
dns_servers_eth1=.....
dns_servers_eth0=.....
|
If it still doesn't work then look at missing kernel config.
Please post your /etc/conf.d/net..
Your script may complicate things a bit.
At the VERY core of the matter you only just need 3 iptables rules:
A masquerade on the public facing iface and 2 forward rules to enable traffic from and to lan-wan
Code: |
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
|
First check if it works like that.
Then you can add INPUT or OUTPUT rules...

Last edited by alamahant on Fri Sep 04, 2020 9:32 pm; edited 1 time in total
donjames Apprentice
Joined: 19 Dec 2004 Posts: 251 Location: 32°9'50" N 94°50'54" W
Posted: Fri Sep 04, 2020 9:31 pm
alamahant wrote: | Hi
Welcome to Gentoo!!!!
in /etc/conf.d/net please make sure that you only define a gateway for the internet facing interface.
The internal iface should NOT have this
Code: |
routes_eth0="default via ................."
|
Use routing for the internal interface to reach the external network, NOT a default gateway.
You seem to be missing routing config.
Something like
Quote: |
ip route add 192.168.0.0/24 via <your-eth1-ip>
|
If you have name resolution issues look at your dns configuration.
Both external and internal ifaces should be assigned dns nameservers.
Something like
Code: |
dns_servers_eth1=.....
dns_servers_eth0=.....
|
If it still doesn't work then look at missing kernel config.
Please post your /etc/conf.d/net..
|
Hi,
Here it is:
Code: |
cat /etc/conf.d/net
# config_enp0s10="192.168.1.2 netmask 255.255.255.0 brd 192.168.1.255"
# routes_enp0s10="default via 192.168.1.1"
# config_enp0s3f2u1="dhcp"
# config_eth0="192.168.1.1 netmask 255.255.255.0 brd 192.168.1.255"
# routes_eth0="default via 192.168.1.1"
config_eth1="dhcp"
config_eth0="192.168.1.2 netmask 255.255.255.0 brd 192.168.1.255"
routes_eth0="default via 192.168.1.1"
|
Let me know what you think.
Thanks,
donjames
Last edited by donjames on Fri Sep 04, 2020 9:37 pm; edited 1 time in total
alamahant l33t
Joined: 23 Mar 2019 Posts: 653
Posted: Fri Sep 04, 2020 9:36 pm
Hi, sorry for the "Welcome to Gentoo" comment ...
I was mistaken.
Your internet facing iface is getting a default gateway by dhcp.
And your internal iface is assigned one by you...
This CAN'T happen.
Please, it would be better if you used static ip config for your external iface...
And remove the "route" line for the internal.
Also you are missing dns servers...
I am confused now.
Which is your wan and which is your lan iface?
Use gateway ONLY for the wan.
For the lan use ROUTING instead...
Can you please post the ips of eth0 and eth1 and lan and wan networks with their netmasks?

Last edited by alamahant on Fri Sep 04, 2020 9:45 pm; edited 1 time in total
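A check for the problem this post describes, added here as an example and not taken from the thread: it reads a netifrc-style /etc/conf.d/net and lists every interface that will install a default route, either because it is configured with dhcp (the lease normally carries a gateway) or because it has an uncommented routes_X="default via ..." line, then reports when more than one interface does so. The sample config is constructed to mirror the one donjames posted.

```shell
#!/bin/bash
# Constructed sample mirroring the /etc/conf.d/net posted in the thread:
# eth1 takes a DHCP lease (which normally installs a default gateway) while
# eth0 is also given a static default route, so two defaults compete.
SAMPLE_NET_CONF='# routes_enp0s10="default via 192.168.1.1"
config_eth1="dhcp"
config_eth0="192.168.1.2 netmask 255.255.255.0 brd 192.168.1.255"
routes_eth0="default via 192.168.1.1"'

# default_route_ifaces
# Reads a netifrc-style /etc/conf.d/net from stdin and prints one line per
# interface that will install a default route: config_X="dhcp" (gateway from
# the lease) or an uncommented routes_X="default via ..." line.
default_route_ifaces() {
    sed -e 's/^[[:space:]]*//' -e '/^#/d' | awk '
        /^config_[A-Za-z0-9_]+="dhcp"/ {
            sub(/^config_/, ""); sub(/=.*/, ""); print $0 " (dhcp)"
        }
        /^routes_[A-Za-z0-9_]+=".*default via/ {
            sub(/^routes_/, ""); sub(/=.*/, ""); print $0 " (static)"
        }'
}

# check_single_default_route
# Returns 0 when at most one interface supplies a default route (the router
# needs exactly one way out), 1 when the config defines competing defaults.
check_single_default_route() {
    local n
    n=$(default_route_ifaces | wc -l | tr -d ' ')
    [ "$n" -le 1 ]
}

# Number of default-route sources in the sample config.
count_default_routes() {
    printf '%s\n' "$SAMPLE_NET_CONF" | default_route_ifaces | wc -l | tr -d ' '
}

# Stand-alone run: lists "eth1 (dhcp)" and "eth0 (static)" and reports the clash.
printf '%s\n' "$SAMPLE_NET_CONF" | default_route_ifaces
if printf '%s\n' "$SAMPLE_NET_CONF" | check_single_default_route; then
    echo "OK: a single default route"
else
    echo "WARNING: more than one interface defines a default route"
fi
```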
donjames Apprentice
Joined: 19 Dec 2004 Posts: 251 Location: 32°9'50" N 94°50'54" W
Posted: Fri Sep 04, 2020 9:45 pm
alamahant wrote: | Hi, sorry for the "Welcome to Gentoo" comment ...
I was mistaken.
Your internet facing iface is getting a default gateway by dhcp.
And your internal iface is assigned one by you...
This CAN'T happen.
Please, it would be better if you used static ip config for your external iface...
And remove the "route" line for the internal.
Also you are missing dns servers...
I am confused now.
Which is your wan and which is your lan iface?
Use gateway ONLY for the wan.
For the lan use ROUTING instead...
|
Hi,
No problem with the "Welcome to Gentoo" comment.
I was wondering if it would work if I comment out the
routes_eth0="default via 192.168.1.1"
line in /etc/conf.d/net.
donjames
alamahant l33t
Joined: 23 Mar 2019 Posts: 653
Posted: Fri Sep 04, 2020 9:47 pm
Yes
You SHOULD.
Use instead
Code: |
ip route add wan/cidr via wan-iface-ip
|
NOT in /etc/conf.d/net.
Just type it in the terminal...
pietinger Guru
Joined: 17 Oct 2006 Posts: 509 Location: Bavaria
Posted: Fri Sep 04, 2020 10:05 pm Post subject: Re: Home router not working
donjames wrote: | eth1 is connected directly to the internet. |
- What do you mean by that? Do you have a leased line or do you have DSL and therefore a DSL-Modem/-Router?
- You should give both interfaces a static address.
I don't know your knowledge of networking, but you can check this by yourself after reading this recommended documentation:
Post 2 - chapters: "Stateful Inspection", "Routing a packet and NAT" and "Learning iptables / example with 2 interfaces" from this thread:
https://forums.gentoo.org/viewtopic-t-1112806.html
Then look into this thread: https://forums.gentoo.org/viewtopic-t-1114432.html
Maybe it helps you to understand your firewall-rules (and why you should throw them away).
donjames Apprentice
Joined: 19 Dec 2004 Posts: 251 Location: 32°9'50" N 94°50'54" W
Posted: Fri Sep 04, 2020 10:11 pm
alamahant wrote: | Yes
You SHOULD.
Use instead
Code: |
ip route add wan/cidr via wan-iface-ip
|
NOT in /etc/conf.d/net.
Just type it in the terminal...
 |
Hi alamahant,
I commented out
routes_eth0="default via 192.168.1.1"
and now ...
The /etc/conf.d/net file:
Code: |
config_eth1="dhcp"
config_eth0="192.168.1.1 netmask 255.255.255.0 brd 192.168.1.255"
# routes_eth0="default via 192.168.1.1"
|
it works!!!!!!!!
Thanks a whole lot,
donjames
Henderson, Texas USA
Last edited by donjames on Sat Sep 05, 2020 3:38 am; edited 1 time in total
donjames Apprentice
Joined: 19 Dec 2004 Posts: 251 Location: 32°9'50" N 94°50'54" W
Posted: Fri Sep 04, 2020 10:34 pm Post subject: Re: Home router not working
pietinger wrote: | donjames wrote: | eth1 is connected directly to the internet. |
- What do you mean by that? Do you have a leased line or do you have DSL and therefore a DSL-Modem/-Router?
- You should give both interfaces a static address.
I don't know your knowledge of networking, but you can check this by yourself after reading this recommended documentation:
Post 2 - chapters: "Stateful Inspection", "Routing a packet and NAT" and "Learning iptables / example with 2 interfaces" from this thread:
https://forums.gentoo.org/viewtopic-t-1112806.html
Then look into this thread: https://forums.gentoo.org/viewtopic-t-1114432.html
Maybe it helps you to understand your firewall-rules (and why you should throw them away). |
Hi,
My router is connected to cable internet through a cable modem.
I looked at your references. Looks good. I will study it.
Thanks for the response.
Regards,
donjames
alamahant l33t
Joined: 23 Mar 2019 Posts: 653
Posted: Fri Sep 04, 2020 10:39 pm
I am glad it does!!
A few caveats:
1. Maybe in your router machine you do not need to add custom routes.
By virtue of both ifaces being in the same machine their respective networks will know how to reach one another.
Please check it out yourself.
2. If you want OTHER machines in your external network to reach the internal network (to INITIATE a connection), THEN you will need to add custom routes on these machines
Code: |
ip route add lan/cidr via router-wan-iface-ip
|
... AND also masquerade on the internal iface of the router.
Code: |
# eth0 is the internal (LAN) iface in this thread
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
And a more liberal iptables rule
Code: |
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
|
You see, not only "related and established".
3. If you want your machines in the INTERNAL network to reach the internet, in that case you can use routing also.
Code: |
ip route add wan/cidr via router-lan-iface-ip
|
4. In the router machine you can add more ifaces or virtual ips to route many internal networks...