# Need help with Gentoo router set-up

## Tony0945

I'm trying to setup shorewall using the standard two-zone setup. I used the shorewall home page and the gentoo wiki shorewall article.

I already had interfaces named with eudev as "lan0" and "wan0".  My first attempt complained about missing module LOG in the kernel. I rebuilt the kernel enabling all the LOG modules in the ethernet section. Shorewall service now starts (OpenRC) but when I then ran iptables -L the output looked odd.

I did change from the default config that seemed to let the firewall be wide open to the internet when shorewall is down. I want the opposite.

Nothing fancy, no DMZ, not treating the devices like printer & roku differently. I do want to do fancy stuff later, but right now I just want to replace my aging D-LINK router.

The hardware is an old AMD k6-3 with Tyan mobo, very limited memory and an old WD Caviar IDE hard drive. There is an on-board Realtek 8139 10/100MHz ethernet renamed to wan0. And two PCI (not PCI-e) Gigabit ethernet cards, an Intel (module e1000) renamed as wan0 and a Realtek 8169 with the module currently blacklisted.  This hardware is for test only, proof of concept and setup, not for production. 

Output of iptables -L : http://dpaste.com/2PS4RAT

/var/log/messages: https://pastebin.com/7uCa8Upe

Output of dmesg: https://pastebin.com/i5VL8wgd

/proc/config.gz: https://pastebin.com/vrvug9RG

WAN connection was looped back to the router, not the cable modem. I wanted to check the firewall before going live.

The next step is to plug into the cable modem with lan0 connected to a Win 8 laptop.

P.S. what's with this "smurftab"?

----------

## NeddySeagoon

Tony0945,

The idea behind shorewall is to stay away from iptables.

Shorewall has some very nice list commands. try shorewall with no parameters to get help. 

```
shorewall ls zones

shorewall ls policies

shorewall ls
```

and others.

If you want to post the output, you may want to hide your public IP.

----------

## Tony0945

 *NeddySeagoon wrote:*   

> If you want to post the output, you may want to hide your public IP.

 

It does come from dhcp and occasionally changes. But the warning is taken to heart.

I thought shorewall is a front end to iptables. The web site says to check with iptables -L.

I did reverse the settings in post-shorewall (or something like that). It looked to me like it opened up the internet, so I reversed it. Now I can't ssh in again, so I guess I shouldn't have done that. I'll have to go to the basement and reboot. I usually leave it sitting on a root login. I know. I know.

But if some stranger is rooting around in my basement I have bigger problems than him having root access to an ancient computer!

Maybe I should test with the WAN cable connected to the laptop (on a bench next to it)?  Or just connect it to the internet (only) and see what happens. I do have a complete backup on my build partition on the Phenom II. Worst case, I have to boot sysresccd, wipe the drive, repartition and restore from the backup.

----------

## Tony0945

The file I was referring to was /etc/shorewall/stoppedrules

it now reads (sans comments)

```
#ACTION         SOURCE                  DEST            PROTO   DPORT   SPORT

DROP            wan0                      -

ACCEPT          -                       lan0

ACCEPT          lan0                      -

ACCEPT          -                       wan0

```

----------

## Tony0945

Had a lot of trouble reestablishing communications. That leads to an interesting general question that I can't find the answer to on the internet.

When a PC has two or more ethernet devices, call them eth0, eth1 ... How do programs like ping, or ssh select which one to use? Randomly? alphanumeric order? Something else?

```
k6 ~ # ifconfig

lan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500

        inet 192.168.0.106  netmask 255.255.255.0  broadcast 192.168.0.255

        ether 90:e2:ba:ed:ef:4c  txqueuelen 1000  (Ethernet)

        RX packets 0  bytes 0 (0.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 0  bytes 0 (0.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lan2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

        inet 192.168.0.109  netmask 255.255.255.0  broadcast 192.168.0.255

        ether 6c:19:8f:9a:61:77  txqueuelen 1000  (Ethernet)

        RX packets 895  bytes 74389 (72.6 KiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 462  bytes 84627 (82.6 KiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536

        inet 127.0.0.1  netmask 255.0.0.0

        loop  txqueuelen 1  (Local Loopback)

        RX packets 0  bytes 0 (0.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 0  bytes 0 (0.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500

        ether 00:50:bf:ed:e3:14  txqueuelen 1000  (Ethernet)

        RX packets 0  bytes 0 (0.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 0  bytes 0 (0.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

```

In this example only lan0 is physically connected. Both lan0 and lan2 have static addresses. But they could both be connected by cable to the same network switch.

----------

## Anon-E-moose

 *Tony0945 wrote:*   

> When a PC has two or more ethernet devices, call them eth0, eth1 ... How do programs like ping, or ssh select which one to use? Randomly? alphanumeric order? Something else?

 

Usually one ethernet/wifi device is "default" (based on metric IIRC) and you address the others, like ping, with the interface flag.

ping -I <secondary adapter> some-address

Edit to add:

```
$ ip route

default via 192.168.1.1 dev eth0 metric 2
```

If I turn on the vpn, it sets the default to its address with a metric of 1 or 0 (IIRC) which takes precedence (if I don't have the numerical order reversed).

----------

## Tony0945

Ah! That explains many problems.

```
k6 ~ # ip route

default via 192.168.0.1 dev lan0 metric 3 linkdown

default via 192.168.0.1 dev lan2 metric 4

127.0.0.0/8 dev lo scope host

192.168.0.0/24 dev lan2 proto kernel scope link src 192.168.0.109

192.168.0.0/24 dev lan0 proto kernel scope link src 192.168.0.106 linkdown
```

That should not both be default, should they?  I've been assuming all these years that "default" applied to the gateway, not the interface. Only one interface should be default, correct?

From another machine on the lan:

```
MSI ~ # ping 192.168.0.106

PING 192.168.0.106 (192.168.0.106) 56(84) bytes of data.

64 bytes from 192.168.0.106: icmp_seq=1 ttl=64 time=0.507 ms

64 bytes from 192.168.0.106: icmp_seq=2 ttl=64 time=0.466 ms

64 bytes from 192.168.0.106: icmp_seq=3 ttl=64 time=0.451 ms

^C

--- 192.168.0.106 ping statistics ---

3 packets transmitted, 3 received, 0% packet loss, time 2099ms

rtt min/avg/max/mdev = 0.451/0.474/0.507/0.023 ms

MSI ~ # ping 192.168.0.109

PING 192.168.0.109 (192.168.0.109) 56(84) bytes of data.

64 bytes from 192.168.0.109: icmp_seq=1 ttl=64 time=0.533 ms

64 bytes from 192.168.0.109: icmp_seq=2 ttl=64 time=0.455 ms

64 bytes from 192.168.0.109: icmp_seq=3 ttl=64 time=0.492 ms

64 bytes from 192.168.0.109: icmp_seq=4 ttl=64 time=0.453 ms

^C

--- 192.168.0.109 ping statistics ---

4 packets transmitted, 4 received, 0% packet loss, time 3157ms

rtt min/avg/max/mdev = 0.453/0.483/0.533/0.032 ms

```

A cable is only connected to lan0 (192.168.0.106) but lan2, without a physical connection, also responds! (Using the default device?)

All three interfaces were started by OpenRC, but lan0 & lan2 are static addresses and the third, wan0, is waiting for a dhcp response which it will never get because it has no cable connected!

```
k6 ~ # grep -v ^# /etc/conf.d/net

rc_verbose="no"

config_wan0="dhcp" #get ip address and route from ISP

config_lan0="192.168.0.106 netmask 255.255.255.0"

routes_lan0="default gw 192.168.0.1"

dns_servers_lan0="192.168.0.102  8.8.8.8 "

config_lan2="192.168.0.109 netmask 255.255.255.0"

routes_lan2="default gw 192.168.0.1"

dns_servers_lan2="127.0.0.1 8.8.8.8 "

modules="${modules} !adsl !br2684ctl !bridge !clip !netplugd !ifplugd "

modules="${modules} !ipppd !pump !pppd    "

modules="ethtool !iproute2"      #prefer ifconfig

carrier_timeout_lan0=10   #fix for e1000

ifdown_lan0="no"

ethtool_change_lan0="wol g"

ifdown="no"

postdown() {

      [ "${IFACE}" = "lan0" ] && ethtool -s "${IFACE}" wol g

             return 0

       }

```

----------

## NeddySeagoon

Tony0945,

"default" applies to the route. If you have more than one default route, only the first encountered in the routing table will be used. 

```
$ route 

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

default         router          0.0.0.0         UG    2      0        0 eth0

loopback        0.0.0.0         255.0.0.0       U     0      0        0 lo

loopback        localhost       255.0.0.0       UG    0      0        0 lo

192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
```

Routing table rules are applied from the bottom up. The destination default matches anything, so any packets that get there are sent out of eth0, on the assumption that whatever gets them will know what to do with them.

When you have several default entries, they appear one above the other in the routing table. Only the bottom one will be used.

That's a little simplistic but it will do to get you started.

Why do you think you want two interfaces in the same subnet?
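The rule the kernel applies to a table like the one posted above, as an added example (this is not code from the thread): longest matching prefix wins first, then the lowest metric among routes with the same prefix, then table order. The routes are the ones in the `ip route` listing earlier in the thread. The `ignore_linkdown` switch models the sysctl `net.ipv4.conf.<iface>.ignore_routes_with_linkdown`, which defaults to 0, so a route flagged `linkdown` is still selected unless that sysctl is set. The parser and the tie-break are a simplified model of the FIB lookup, not kernel code.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed input: the `ip route` listing posted earlier in the thread.
IP_ROUTE_OUTPUT = """\
default via 192.168.0.1 dev lan0 metric 3 linkdown
default via 192.168.0.1 dev lan2 metric 4
127.0.0.0/8 dev lo scope host
192.168.0.0/24 dev lan2 proto kernel scope link src 192.168.0.109
192.168.0.0/24 dev lan0 proto kernel scope link src 192.168.0.106 linkdown
"""

@dataclass
class Route:
    dst: ipaddress.IPv4Network
    dev: str
    gw: Optional[str] = None
    metric: int = 0          # `ip route` omits "metric" when it is 0
    linkdown: bool = False
    order: int = 0           # position in the listing, used only as the last tie-break

def parse_ip_route(text: str) -> list[Route]:
    """Parse `ip route` lines into Route records; keywords irrelevant to selection are skipped."""
    routes = []
    for order, line in enumerate(text.strip().splitlines()):
        tok = line.split()
        dst = ipaddress.ip_network("0.0.0.0/0" if tok[0] == "default" else tok[0])
        r = Route(dst=dst, dev="", order=order)
        i = 1
        while i < len(tok):
            key = tok[i]
            if key == "via":
                r.gw, i = tok[i + 1], i + 2
            elif key == "dev":
                r.dev, i = tok[i + 1], i + 2
            elif key == "metric":
                r.metric, i = int(tok[i + 1]), i + 2
            elif key == "linkdown":
                r.linkdown, i = True, i + 1
            elif key in ("proto", "scope", "src"):
                i += 2
            else:
                i += 1
        routes.append(r)
    return routes

def select_route(routes, dest: str, ignore_linkdown: bool = False) -> Optional[Route]:
    """Pick the route the kernel would use for `dest`.

    Longest matching prefix wins; among equal prefixes the lowest metric wins;
    ties fall back to table order.  With the default sysctl setting a `linkdown`
    route is still a candidate; ignore_linkdown=True models
    net.ipv4.conf.<iface>.ignore_routes_with_linkdown=1.
    """
    ip = ipaddress.ip_address(dest)
    cands = [r for r in routes if ip in r.dst and not (ignore_linkdown and r.linkdown)]
    if not cands:
        return None
    return min(cands, key=lambda r: (-r.dst.prefixlen, r.metric, r.order))

def default_routes(routes) -> list[Route]:
    """All 0.0.0.0/0 entries; several are legal, but only the best one is ever used."""
    return [r for r in routes if r.dst.prefixlen == 0]

if __name__ == "__main__":
    table = parse_ip_route(IP_ROUTE_OUTPUT)
    print(f"{len(default_routes(table))} default routes in the table")
    for dest in ("8.8.8.8", "192.168.0.102", "127.0.0.1"):
        for flag in (False, True):
            r = select_route(table, dest, ignore_linkdown=flag)
            print(f"{dest:14} ignore_linkdown={flag!s:5} -> dev {r.dev} metric {r.metric}")
```

With the posted table, traffic for 8.8.8.8 leaves via lan0 (metric 3) even though that link is down, because the default sysctl does not exclude `linkdown` routes; only with `ignore_routes_with_linkdown=1` does lan2 win. Two interfaces in the same subnet with two default routes is exactly the situation this makes unpredictable.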

----------

## Tony0945

 *NeddySeagoon wrote:*   

> Why do you think you want two interfaces in the same subnet?

 

Don't need them now. But if the machine is to be a router then the second one is the interface into the machine while the first is the gateway to the router. That's the rationale anyway. The real mundane reason? I had two cards lying around. I turned the second one on when I couldn't ssh in. 

Still don't know what I did to lose ssh and ping, nor really what I did to bring it back. Because I did so many things.

The final step, out of frustration, was to power down every last device including switch, cable modem, router, APs and all PCs. That did work, but was it only because I followed advice on the internet to run

```
iptables -P INPUT ACCEPT

iptables -P FORWARD ACCEPT

iptables -P OUTPUT ACCEPT

iptables -F
```

  That STILL didn't work, nor did a reboot afterward. Shutting down everything did. Why? I dunno.

However I did do one experiment relevant to the original post. I connected the wan0 port directly to the cable modem after shutting the other two off. Then I fired up shorewall. I did get an ip address from the ISP and could ping various places. Then I shut down shorewall, transferred the cables back to their original slots and rebooted. PC worked OK but I couldn't ping anyone or be pinged, nor ssh in or out.

----------

## Anon-E-moose

 *Tony0945 wrote:*   

> Ah! That explains many problems.
> 
> ```
> k6 ~ # ip route
> 
> ...

 

Think default per interface. 

If you wanted to ping something by way of lan2 you would do something like "ping -I lan2 google.com"

----------

## Tony0945

 *Anon-E-moose wrote:*   

> If you wanted to ping something by way of lan2 you would do something like "ping -I lan2 google.com"

 

Now I know to do that.  Actually, since dhcp, whether from the D-link router or DNSmasq (no, not both on at the same time), will assign that same address to the ethernet card's mac address, I probably should just set all the interfaces to "dhcp" and let their connections assign the address. I'm surprised that I got a connection from my ISP, but I also did when I first got the replacement cable modem. Connection speed was only 100kbps, but they did have line troubles. Still having them; Chicago is having record rains not seen for 140 years. Flooding everywhere. However, perhaps they let unknown devices connect, but very slowly, so that one can report the new equipment to the ISP, which I did, and two hours later they provisioned the modem and I got yet another ip address.

----------

## Tony0945

shorewall is rejecting attempts to ping computers on the LAN and WAN. Is this expected? Is a policy required?

```
May 19 10:05:04 k6 root[1365]: Shorewall started

May 19 10:05:11 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=192.168.0.102 LEN=49 TOS=0x00 PREC=0x00 TTL=64 ID=50010 DF PROTO=UDP SPT=36933 DPT=53 LEN=29

May 19 10:05:11 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=8.8.8.8 LEN=49 TOS=0x00 PREC=0x00 TTL=64 ID=6931 DF PROTO=UDP SPT=35454 DPT=53 LEN=29

May 19 10:05:11 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=192.168.0.102 LEN=49 TOS=0x00 PREC=0x00 TTL=64 ID=50011 DF PROTO=UDP SPT=56181 DPT=53 LEN=29

May 19 10:05:11 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=8.8.8.8 LEN=49 TOS=0x00 PREC=0x00 TTL=64 ID=6932 DF PROTO=UDP SPT=55859 DPT=53 LEN=29

May 19 10:05:11 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=192.168.0.104 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=25464 DF PROTO=ICMP TYPE=8 CODE=0 ID=1378 SEQ=1

May 19 10:05:11 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=192.168.0.102 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=50016 DF PROTO=UDP SPT=38093 DPT=53 LEN=52

May 19 10:05:11 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=8.8.8.8 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=6934 DF PROTO=UDP SPT=52797 DPT=53 LEN=52

May 19 10:05:11 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=192.168.0.102 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=50017 DF PROTO=UDP SPT=36128 DPT=53 LEN=52

May 19 10:05:11 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=8.8.8.8 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=6935 DF PROTO=UDP SPT=42391 DPT=53 LEN=52

May 19 10:05:12 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=192.168.0.104 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=25552 DF PROTO=ICMP TYPE=8 CODE=0 ID=1378 SEQ=2

May 19 10:05:13 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=192.168.0.104 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=25590 DF PROTO=ICMP TYPE=8 CODE=0 ID=1378 SEQ=3

May 19 10:05:14 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=192.168.0.104 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=25626 DF PROTO=ICMP TYPE=8 CODE=0 ID=1378 SEQ=4

May 19 10:05:15 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=192.168.0.104 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=25627 DF PROTO=ICMP TYPE=8 CODE=0 ID=1378 SEQ=5

May 19 10:05:16 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=192.168.0.104 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=25714 DF PROTO=ICMP TYPE=8 CODE=0 ID=1378 SEQ=6

May 19 10:05:17 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=192.168.0.104 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=25766 DF PROTO=ICMP TYPE=8 CODE=0 ID=1378 SEQ=7

May 19 10:05:18 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=192.168.0.104 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=25792 DF PROTO=ICMP TYPE=8 CODE=0 ID=1378 SEQ=8

May 19 10:05:19 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=192.168.0.104 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=25879 DF PROTO=ICMP TYPE=8 CODE=0 ID=1378 SEQ=9

May 19 10:05:20 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=192.168.0.104 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=25888 DF PROTO=ICMP TYPE=8 CODE=0 ID=1378 SEQ=10

May 19 10:05:21 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=192.168.0.104 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=25964 DF PROTO=ICMP TYPE=8 CODE=0 ID=1378 SEQ=11

```

----------

## pietinger

Hello Tony,

I never used shorewall, but I am shocked by what it produces (rules from your first post). The whole crap with chains makes it really difficult to understand (even for me). This is more complicated than doing native iptables by yourself. Iptables is easy and I want to suggest you try it natively. You only have to know a little bit about networking. What is an IP address, which protocols (tcp, udp, icmp) and which ports? https://en.wikipedia.org/wiki/Port_(computer_networking)  

We have an excelent Wiki https://wiki.gentoo.org/wiki/Iptables

and I wrote an installation guide (in German). Look there only at the passage "skelett" and I hope many questions will be answered: https://forums.gentoo.org/viewtopic-t-1112806-highlight-.html

A ping is an ICMP protocol and in the skelett you see how to enable it.

I recommend using "iptables -L -v -n" for investigating the actual rules (instead of only -L)

Many regards, Peter

----------

## nick_gentoo

 *Tony0945 wrote:*   

> shorewall rejecting attempts to ping computers on the LAN and WAN. Is this expected? is a policy required?

 

I also started to use shorewall recently.

As I understand it so far, the policy is defined in /etc/shorewall/policy for each zone, and it's probably REJECT in this case. A rule (or the Ping macro) should be added in /etc/shorewall/rules to allow pings.

----------

## Tony0945

policy, default:

```
#SOURCE DEST POLICY LOGLEVEL RATE    CONNLIMIT

loc     net             ACCEPT

net     all             DROP            $LOG_LEVEL

# the next two are optional

#loc $FW ACCEPT

#$FW loc ACCEPT

# THE FOLLOWING POLICY MUST BE LAST

all     all REJECT $LOG_LEVEL

```

I think I want a line that says:

```

loc     loc   ACCEPT
```

  Or should that be in the rules file? documentation is not clear.

----------

## nick_gentoo

That last line is probably not needed, according to the man page the intra-zone policies are predefined: https://shorewall.org/manpages/shorewall-policy.html

But according to the last log, it looks like the firewall is rejecting the packets because it sees them as going from 'fw' to 'loc'. Here I also would like to check for myself, but: shorewall.conf might be establishing a default inter-zone policy of Reject, and your policy file does not specify a policy for fw-to-loc.

----------

## Tony0945

new policy

```
#SOURCE DEST POLICY LOGLEVEL RATE    CONNLIMIT

loc     net                             ACCEPT

fw   net             ACCEPT          info     # added

net     all             DROP            $LOG_LEVEL

loc     loc             ACCEPT                     # added by me, allow all traffic between locals

# the next two are optional

#loc $FW ACCEPT

#$FW loc ACCEPT

# THE FOLLOWING POLICY MUST BE LAST

all     all             REJECT          $LOG_LEVEL

```

Didn't help. Machine was locked out of the local net until reboot. At least stopping shorewall and rebooting restored communication.

I'll try adding the optional lines next.

Result of "iptables -L" https://pastebin.com/aRNNg0Mf

shorewall-init.log  https://pastebin.com/LayNwiet

----------

## albright

just butting in without a lot of knowledge, but

don't you need a policy of:

 *Quote:*   

> fw              loc             ACCEPT
> 
> loc         fw            ACCEPT
> 
> 

 

----------

## Tony0945

 *nick_gentoo wrote:*   

>  but: shorewall.conf might be establishing a default inter-zone policy of Reject, and your policy file does not specify a policy for fw-to-loc.

 

There is an option (default off) to have the firewall part of the local zone. Maybe I should turn that on.

----------

## Tony0945

 *albright wrote:*   

> just butting in without a lot of knowledge, but
> 
> don't you need a policy of:
> 
>  *Quote:*   fw              loc             ACCEPT
> ...

   Quite possibly. I'm following these guides

Basic Two-Interface Firewall

and Gentoo wiki

From the first website: *Quote:*   

> Some people want to consider their firewall to be part of their local network from a security perspective. If you want to do this, add these two policies:
> 
> #SOURCE    DEST        POLICY      LOGLEVEL     LIMIT
> 
> loc        $FW         ACCEPT
> ...

 

I didn't quite understand "from a security perspective". Why isn't this the default?

----------

## nick_gentoo

I would guess it's because the firewall is directly connected to the internet, and one reason for using the firewall is precisely because the internet is not trustworthy.

Does it work now?

I use shorewall for now with the "single system" scenario, and I would like to try soon this two-interface configuration.

----------

## Tony0945

 *nick_gentoo wrote:*   

> I would guess it's because the firewall is directly connected to the internet, and one reason for using the firewall is precisely because the internet is not trustworthy..

 

No, by default the firewall is a separate zone. With the changes the firewall is part of the local zone, not the internet zone.

No, it didn't work. This time I took the precaution of running a background script first before starting shorewall. The script sleeps for 1800 seconds, then stops shorewall and reboots.

----------

## pietinger

Building a firewall without any knowledge about networks and how packet filtering in the kernel works is like driving a car without any knowledge of how to drive and what the rules of the road are.

But, hey, this is not a problem: I tell you, take a monster truck instead of a car ... and you will have no problems ...

Do you really know for what shorewall is used ?

Let me quote from: https://shorewall.org/Introduction.html

 *Quote:*   

> Shorewall is not the easiest to use of the available iptables configuration tools but I believe that it is the most flexible and powerful. So if you are looking for a simple point-and-click set-and-forget Linux firewall solution that requires a minimum of networking knowledge, I would encourage you to check out the following alternatives:
> 
> UFW (Uncomplicated Firewall)
> 
> ipcop
> ...

 

I am a network engineer (or I was until I retired) and I would take native iptables even for complex solutions with 2 firewalls, a DMZ, 3 internal networks and 2 external friendly networks, rather than this complex software whose workings I would additionally have to learn.

Let me say it clearly: if you want to drive a truck you have to learn the rules of the road and how to drive. If you don't want to learn this, ride a bike (=> UFW).

----------

## NeddySeagoon

Tony0945,

You have one more zone than you think you do.

```
#ZONE           TYPE            OPTIONS         IN_OPTIONS      OUT_OPTIONS

fw              firewall

green           ipv4

dmz             ipv4

blue            ipv4

net             ipv4
```

The firewall is its own zone.

```
#SOURCE         DEST            POLICY          LOGLEVEL        RATE

net             dmz             DROP            $LOG

net             blue            DROP            $LOG

net             green           DROP            $LOG

net             $FW             DROP            $LOG

all             all     REJECT          $LOG
```

That policy file says that anything coming from the outside world (net), wherever it's going, is DROPped and logged,

and that anything else (it has to be from inside) is REJECTed and logged.

The difference is that the outside world is silently dropped and things on my network get an error message. That makes debugging easier.

So far so good. Nothing comes in and nothing goes out. Everything that is not expressly permitted by entries in the rules file, is forbidden.

There is an old joke there but I'll skip it. 

The firewall zone $FW, should have its connections limited.

```
#ACTION         SOURCE          DEST                    PROTO   DPORT   SPORT    

ACCEPT      green      fw         tcp   ssh

# fw accepts from the internet - its anti social to drop ping

ACCEPT          fw              net                     udp     domain

ACCEPT          fw              net                     udp     ntp

# fw will get updates from the dmz, so need to allow those outgoing

# fw to dmz

ACCEPT          fw              dmz:$Portage           tcp     rsync

ACCEPT          fw              dmz:$Source             tcp     8080   

ACCEPT       fw      net         tcp   www

ACCEPT          fw              net                     tcp     https
```

The only incoming connection accepted is on ssh from the wired network (green)

The outgoing connections are required for maintenance.

DNS, NTP, my private ::gentoo rsync server, http-replicator.

I've forgotten why www and https were required. 

All that translates into the fw- chains

To the outside world

```
Shorewall 5.2.3.6 Chain fw-net at router - Wed 20 May 19:47:41 BST 2020

Counters reset Wed May 13 21:34:16 BST 2020

Chain fw-net (1 references)

 pkts bytes target     prot opt in     out     source               destination         

57374 4672K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

 1911  145K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 53,123

    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443

    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST

    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST

    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST

    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "Shore4:fw-net:REJECT:"

    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 
```

To the wired network

```
 Chain fw-green (1 references)

 pkts bytes target     prot opt in     out     source               destination         

   33 10923 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:67:68

 1261  585K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "Shore4:fw-green:ACCEPT:"

    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0 
```

To WiFi

```
Chain fw-blue (1 references)

 pkts bytes target     prot opt in     out     source               destination         

19254 1146K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

  218 10464 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST

    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST

    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST

    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "Shore4:fw-blue:REJECT:"

    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

```

To the dmz (for http-replicator and the rsync mirror):

```
Chain fw-dmz (1 references)

 pkts bytes target     prot opt in     out     source               destination         

    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.119       multiport dports 873,8080

    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST

    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST

    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST

    2    80 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "Shore4:fw-dmz:REJECT:"

    2    80 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 
```

It's mostly ping and accepting replies to things you asked for.

All the magic happens in the rules between the other zones.

The fw zone should not be communicating with things it doesn't need to, so most things should be rejected, which is what you report.

Now, 

```
May 19 10:05:11 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=192.168.0.102 LEN=49 TOS=0x00 PREC=0x00 TTL=64 ID=50010 DF PROTO=UDP SPT=36933 DPT=53 LEN=29 
```

That's a DNS lookup (UDP on port 53), so it should probably be going to the outside world, not loc.

That's what my  

```
ACCEPT          fw              net                     udp     domain
```

permits.

Routing is a separate topic. That rule permits traffic. It says nothing about how to route it.

Looking some more,  the destination IP is DST=8.8.8.8, which is a public nameserver.

Now the question becomes why is traffic for the outside world being  sent to lan0 ?

The firewall should sit between your router and everything else.

Is 192.168.0.106 (lan0) the firewall's interface to the outside world?
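A small model of how Shorewall arrives at a verdict, added here as an example; it is neither code from the thread nor Shorewall's own code. It parses two of the kernel log lines posted earlier, maps the `IN=`/`OUT=` interfaces to zones (an empty interface is the firewall itself), then walks a rules file and a policy file in order the way the compiled `fw-loc`/`fw-net` chains do. It serves both the "why does fw-loc reject DNS and ping" question and the policy/rules explanation in this post. Assumptions: the interface-to-zone mapping, the service and macro tables, and the intra-zone handling are hard-coded simplifications of what Shorewall reads from its configuration, and `$LOG_LEVEL` is written as `info`.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Assumed interface -> zone mapping for the thread's two-zone layout (Shorewall reads it from /etc/shorewall/interfaces).
INTERFACE_ZONES = {"wan0": "net", "lan0": "loc"}
SERVICES = {"ssh": 22, "domain": 53, "www": 80, "https": 443, "ntp": 123}
MACROS = {"Ping": [("icmp", 8)], "SSH": [("tcp", 22)], "DNS": [("udp", 53), ("tcp", 53)]}  # macro -> (proto, port or ICMP type)

# Constructed input: two of the kernel log lines posted earlier in the thread.
LOG_LINES = [
    "May 19 10:05:11 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=8.8.8.8 LEN=49 TOS=0x00 PREC=0x00 TTL=64 ID=6931 DF PROTO=UDP SPT=35454 DPT=53 LEN=29",
    "May 19 10:05:11 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=192.168.0.104 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=25464 DF PROTO=ICMP TYPE=8 CODE=0 ID=1378 SEQ=1",
]
# The policy file as posted ($LOG_LEVEL written as "info") ...
ORIGINAL_POLICY = """
loc     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
"""
# ... and with the two "firewall is part of the local network" entries from the two-interface guide placed ahead of the catch-all.
FIXED_POLICY = """
loc     net     ACCEPT
loc     $FW     ACCEPT
$FW     loc     ACCEPT
net     all     DROP    info
all     all     REJECT  info
"""
# A rules file in the style of NeddySeagoon's post: ping and ssh into the firewall from the LAN, DNS out to the net.
RULES = """
Ping(ACCEPT)    loc     $FW
ACCEPT          loc     $FW     tcp     ssh
ACCEPT          $FW     net     udp     domain
"""

@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str               # "tcp", "udp" or "icmp"
    port: int | None = None  # destination port, or ICMP type for icmp

def zone_of(iface: str) -> str:
    return "fw" if iface == "" else INTERFACE_ZONES[iface]  # empty IN=/OUT= means the firewall box itself
def parse_log_line(line: str) -> Packet:
    """Recover the zone pair, protocol and port a logged packet was judged on."""
    m = re.search(r"IN=(\S*) OUT=(\S*)", line)
    proto = re.search(r"PROTO=(\S+)", line).group(1).lower()
    port = re.search((" TYPE=" if proto == "icmp" else " DPT=") + r"(\d+)", line)
    return Packet(zone_of(m.group(1)), zone_of(m.group(2)), proto, int(port.group(1)) if port else None)

def _zone(name: str) -> str:
    return "fw" if name == "$FW" else name.split(":")[0]  # drop address qualifiers such as dmz:$Portage
def _entries(text: str):
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def parse_policy(text: str):  # SOURCE DEST POLICY [LOGLEVEL ...] -> [(src, dst, action)] in file order
    return [(_zone(s), _zone(d), act.upper()) for s, d, act, *_ in _entries(text)]

def parse_rules(text: str):  # ACTION SOURCE DEST [PROTO [DPORT]] -> [(action, src, dst, proto, port)], macros expanded
    out = []
    for action, s, d, *rest in _entries(text):
        proto = rest[0].lower() if rest else "-"
        dport = rest[1] if len(rest) > 1 else "-"
        mac = re.fullmatch(r"(\w+)\((\w+)\)", action)
        if mac:
            out += [(mac.group(2).upper(), _zone(s), _zone(d), p, port) for p, port in MACROS[mac.group(1)]]
        else:
            port = None if dport == "-" else SERVICES.get(dport) or int(dport)
            out.append((action.upper(), _zone(s), _zone(d), proto, port))
    return out

def _zone_match(entry: str, zone: str) -> bool:
    return entry in ("all", "all+", zone)

def evaluate(pkt: Packet, rules, policies) -> tuple[str, str]:
    """(verdict, reason): rules first, then policies in file order; traffic within one zone is accepted unless a policy names that zone in both columns (or uses all+)."""
    for action, s, d, proto, port in rules:
        if (_zone_match(s, pkt.src_zone) and _zone_match(d, pkt.dst_zone)
                and proto in ("-", pkt.proto) and port in (None, pkt.port)):
            return action, "rule"
    intra = pkt.src_zone == pkt.dst_zone
    for s, d, action in policies:
        if intra and not (s == d == pkt.src_zone or s == d == "all+"):
            continue  # a plain all/all entry does not cover traffic within one zone
        if _zone_match(s, pkt.src_zone) and _zone_match(d, pkt.dst_zone):
            return action, "policy"
    if not intra:
        raise ValueError(f"no policy for {pkt.src_zone}->{pkt.dst_zone}: Shorewall would refuse to compile")
    return "ACCEPT", "implicit intra-zone"

if __name__ == "__main__":
    rules, orig, fixed = parse_rules(RULES), parse_policy(ORIGINAL_POLICY), parse_policy(FIXED_POLICY)
    for pkt in map(parse_log_line, LOG_LINES):
        print(pkt, "original:", evaluate(pkt, rules, orig), "fixed:", evaluate(pkt, rules, fixed))
```

Running it reproduces the log: the DNS query to 8.8.8.8 is judged fw to loc, because `OUT=lan0` puts the destination in loc, so `ACCEPT $FW net udp domain` never matches and the packet falls through to `all all REJECT`. Adding `$FW loc ACCEPT` ahead of the catch-all turns both logged packets into ACCEPT, while an unsolicited ssh from net still hits `net all DROP` and ssh from loc into the firewall is allowed only by the rule, not by any policy.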

----------

## Tony0945

 *NeddySeagoon wrote:*   

> The firewall is its own zone.

  Yes, I don't understand why.

 *NeddySeagoon wrote:*   

> Now the question becomes why is traffic for the outside world being  sent to lan0 ?

  Because lan0 is intended to be the local network interface to the cable modem.

 *NeddySeagoon wrote:*   

> Is 192.168.0.106 (lan0) the firewalls interface to the outside world?

  No, that is the interface to the local area network.

The rules I initially want for the firewall are:

1. Reject (or drop) all unsolicited traffic from the WAN (port wan0)

2. ACCEPT all WAN traffic that is a response to a LAN solicitation (web pages, e-mail, DNS queries ...)

3. ACCEPT all traffic from the LAN (this last could be restricted to a few listed ip addresses)

I also don't understand why the LAN zone is defined as 0.0.0.0/0 (any address, right?) instead of say 192.168.0.0/25

----------

## Tony0945

 *NeddySeagoon wrote:*   

> 
> 
> Now, 
> 
> ```
> ...

 

192.168.0.102 Is another box running DNSMasq for DNS service and shortly DHCP. The router, 192.168.0.1 is currently doing DHCP and not badly. DNSMasq can do that function. I'm just finishing up a nice GUI application duplicating the functions. It just gathers the data, writes the appropriate lines into  /etc/dnsmasq.conf, restarting DNSmasq. A web page would be nice but I have zero experience or training. I have a grandson who did webpages in school. He could probably use some cash with this COVID shutdown. It might be nicer to hire him rather than give him a gift.

----------

## Tony0945

 *pietinger wrote:*   

> ...

 

The High Priest philosophy. If I subscribed to that I would just run Windows and Windows Firewall.  Possibly Ubuntu without apt-get

Shorewall is supposed to be simpler than iptables. I went down this road before but the forum participants said it was not secure.

At least shorewall is logging. I just wish I didn't have to walk up and down two flights of stairs to reboot the computer.

Perhaps I can figure out from NeddySeagoon's examples how to punch a hole for ssh.

My timer script to shutdown and reboot isn't working.

----------

## NeddySeagoon

Tony0945,

You have two problems here. One is getting to grips with shorewall.

The other is setting up routing the way you need it. They are different, separate, unrelated problems.

Keep it simple. Remove all the network cards from the box except one.

Get that on the internet without shorewall.

That will ensure that your routing is correct.

With routing fixed, when you start shorewall, you will have two zones. I would call them fw (that's fixed anyway) and net, short for internet.

Now you can play with the shorewall setup. There's not a lot you can do with only the two zones  but you can dip a toe in the water.

Next up is to add another interface so you can adjust shorewall over ssh and use it as a router for the downstream ssh controller.

At this point, you want the Gentoo Home Router Guide but where it uses IPtables, you use shorewall.

You will use IPTables but not in the raw.

It's very easy to shut down remote access once you are using ssh.

----------

## Tony0945

Obvious why the script failed:

```
#! /bin/bash

sleep 1800

service shortwall stop && reboot

```

I need two new eyes and two new hands.

----------

## pietinger

 *Tony0945 wrote:*   

> At least shorewall is logging

 

No! It doesn't log. The kernel is doing it ... because of a directive from an iptables command like: iptables -A INPUT -j LOG --log-prefix "Explanation Text"

So shorewall just translates something into native iptables commands.

 *Tony0945 wrote:*   

> Perhaps I can figure out from NedySeagoon's examples how to punch a hole for ssh.

 

If you would use a simple script, it would be only one simple line ...

 *Tony0945 wrote:*   

> Shorewall is supposed to be simpler than iptables. 

 

Yes, I see ...

Neddy told you one important thing: You must distinguish between networking and the firewall. First set up the network, like Neddy told you. Afterwards the first step is to decide what you want: a pure firewall with 2 interfaces between a LAN and the world (internet), OR a firewall with 3 interfaces, the 3rd one for a DMZ (or only one server) or a WLAN network for you and guests. You really need CHAINS only with 3 interfaces; with 2 interfaces they aren't really needed and only confuse. I am a big fan of KISS also, so I can write you a script (with explanations) for what you want to do.

----------

## NeddySeagoon

Tony0945,

If you think of writing hex code to program a PC, that's akin to writing raw rules for IPtables.

One level up, you write assembler for your PC and shorewall for IPtables.

Shorewall assumes that if you add a rule to allow traffic out, you will also want a rule to allow the responses back in.

You might not, but let's ignore that for now; you get the allow-responses rule without asking.

With IPTables, it's two rules to write.

Both ways do the same thing.

Like pietinger says, shorewall generates lots of chains that do nothing.

It has a setting to optimise these away when the shorewall rules are converted to IPtables rules.

----------

## pietinger

 *NeddySeagoon wrote:*   

> If you think of writing hex code to program a PC, that's akin to wiriting raw rules for IPtables.
> 
> One level up, you write assembler for your PC and shorewall for IPtables.

 

Not quite ... iptables is like writing a simple "PRINT 'hello world'" in BASIC, and shorewall does the same in C++ with many objects created ...

 *NeddySeagoon wrote:*   

> With IPTables, its two rules to write.

 

I can't remember how long ago it was. Yes, there was a time (I think until kernel 2.0) when you had to explicitly allow an outgoing ping request and the incoming ping response (yes, I had to configure it, when I was young). And the same for every protocol or target host, or target net. But then we had a (great) step forward with a new kernel (2.2 I believe): STATEFUL inspection! What does this mean?

Every communication between two computers begins with sending out the FIRST packet to the target, e.g. saying "hello, it's me, I want to talk with your web server". The answer from this web server and all other packets related to this session must be allowed also in the firewall, because the kernel filters EVERY packet. With the new kernel you were able to allow all RELATED packets for this session automatically. So, TODAY, when we configure a firewall, we simply allow only the INITIATING of a session (or just the first packet when using a session-less protocol like UDP) and the kernel checks by itself which packets belong to it. This is why you see in every firewall script, at minimum, always these two lines:

```
iptables -A INPUT       -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT      -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
```

and today you only allow the initiating of ssh or https or even an ICMP ping ... without explicitly allowing the responses / received packets.

And because the kernel filters really every packet - even the internal communication on loopback - you must allow this also in every case with:

```
iptables -A INPUT       -i lo -j ACCEPT

iptables -A OUTPUT      -o lo -j ACCEPT
```

And because most packets (99%) will be filtered (= allowed) by these rules, you should put these rules at the very beginning.

----------

## Tony0945

OK, I surrender. Maybe I'm just too stupid like pietinger says. I can't understand why, when I tell shorewall to allow all local traffic, ssh immediately stalls.

----------

## NeddySeagoon

Tony0945,

You are trying to eat an elephant. That's best done one plateful at a time.

Divide your elephant up into manageable platefuls.

Be sure you digest one plateful before you start another.

----------

## pietinger

 *Tony0945 wrote:*   

> OK, I surrender. maybe I'm just [...] like pietinger says.

 

No, I didn't say this - and I didn't mean this!

With my first post I wanted to help you, recommending something I think would be simpler (for me it is). If you tell me (/us) what you want to do with your computers (what your goal is), I could help you with the network settings.

----------

## Tony0945

 *pietinger wrote:*   

> No, I didn't say this - and I didn't mean this !

 

I'm sorry. I guess I was overly touchy. I'm sorry I misinterpreted your remarks. Living in lockdown with nothing but COVID-19 news and nothing to do but bang my head on shorewall for days must be getting on my nerves.

What I'm trying to do is Gentoo as Home Router

The DHCP and DNS were easy. About halfway through with a wxGTK interface that looks like my ten year old DLink router. The GUI part is done. What's left is reading, writing and text manipulation of the configuration files in C++. Duck soup.

The NAT and firewall functions are where I fell down. I've gone back to my iptables script from ten years ago. I abandoned that because of many remarks on the forum that my rules made no sense. But at least I'm not locked out of ssh!

----------

## Tony0945

This is the script from 2018 that works, but I know that I should start with DROPS and add ACCEPTS instead of the other way around. But there is a lot to accept.

```
#! /bin/bash

cp /etc/conf.d/net.router /etc/conf.d/net

cp /etc/dnsmasq.conf-router /etc/dnsmasq.conf

iptables -F

iptables -t nat -F

iptables -P INPUT ACCEPT

iptables -P OUTPUT ACCEPT

iptables -P FORWARD DROP

#lock services so they only work from the LAN

iptables -I INPUT 1 -i lan0 -j ACCEPT

iptables -I INPUT 1 -i lo -j ACCEPT

iptables -A INPUT -p UDP --dport bootps ! -i lan0 -j REJECT

iptables -A INPUT -p UDP --dport domain ! -i lan0  -j REJECT

#Drop TCP / UDP packets to privileged ports

iptables -A INPUT -p TCP ! -i lan0 -d 0/0 --dport 0:1023 -j DROP

iptables -A INPUT -p UDP ! -i lan0 -d 0/0 --dport 0:1023 -j DROP

#Finally add the rules for NAT

iptables -I FORWARD -i lan0 -d 192.168.0.0/255.255.0.0 -j DROP

iptables -A FORWARD -i lan0 -s 192.168.0.0/255.255.0.0 -j ACCEPT

iptables -A FORWARD -i wan0 -d 192.168.0.0/255.255.0.0 -j ACCEPT

iptables -t nat -A POSTROUTING -o wan0 -j MASQUERADE

#Inform the kernel that IP forwarding is OK

echo 1 > /proc/sys/net/ipv4/ip_forward

for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

/etc/init.d/iptables save

```

And this script is running right now, but doesn't have NAT

```
#! /bin/bash

cp /etc/conf.d/net.pc /etc/conf.d/net

cp /etc/dnsmasq.conf-pc /etc/dnsmasq.conf

#Inform the kernel that IP forwarding is not OK

echo 0 > /proc/sys/net/ipv4/ip_forward

for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 0 > $f ; done

#flush all, delete all user-defined and zero all counters

iptables -F

iptables -X

iptables -Z

iptables -t raw -F OUTPUT

#set default policies

iptables -P INPUT DROP

iptables -P FORWARD DROP

iptables -P OUTPUT  ACCEPT

# Now add rules

echo "everything local is OK"

iptables -A INPUT   -s 127.0.0.1 -j ACCEPT

#keep everything currently connected

#echo "keep everything currently connected"

iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

echo "accept HTTP, HTTPS"

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

iptables -A INPUT -p tcp --dport 443 -j ACCEPT

echo "SSH/SSL only from LAN"

iptables -A INPUT -p tcp --dport 22 -s 192.168.0.100/27 -j ACCEPT

#for netbios

echo "keep netbios broadcasts"

iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j ACCEPT

# NetBIOS Name Service (name resolution)

iptables -A INPUT -i eth0 -p udp --dport 137 -s 192.168.0.0/24 -j ACCEPT

# NetBIOS Datagram Service (BROWSER service)

iptables -A INPUT -i eth0 -p udp --dport 138 -s 192.168.0.0/24 -j ACCEPT

# NetBIOS Session Service (data transfer legacy SMB/NetBIOS/TCP)

iptables -A INPUT -i eth0 -p tcp --dport 139 -s 192.168.0.0/24 -j ACCEPT

# Microsoft Directory Service (data transfer SMB/TCP)

iptables -A INPUT -i eth0 -p tcp --dport 445 -s 192.168.0.0/24 -j ACCEPT

# All NetBIOS clients must have the netbios-ns helper enabled for broadcast name resolution to work

iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns

echo "stop malformed auth packets"

iptables -A INPUT -p tcp --syn --dport 113 -j REJECT --reject-with tcp-reset

echo "allow icmp"

# LOG options belong on a LOG rule; iptables rejects them on an ACCEPT rule
iptables -A INPUT -p icmp -j LOG --log-level debug --log-prefix "IPT="

iptables -A INPUT -p icmp -j ACCEPT

echo "allow pings"

iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT

echo "allow traceroute"

iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT

iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT

echo "allow DNS"

iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p udp --dport 53 -j ACCEPT

iptables -A INPUT -p tcp --dport 53 -j ACCEPT

echo "everything can access DLNA"

iptables -A INPUT -p tcp  --dport 8200 -j ACCEPT

iptables -A INPUT -p udp  --dport 1900 -j ACCEPT

#that's it for the TV & Firestick

iptables -A INPUT -s 192.168.0.190 -j DROP

iptables -A INPUT -s 192.168.0.192 -j DROP

iptables -A INPUT -s 192.168.0.193 -j DROP

#permanent network computers can do anything

iptables -A INPUT -s 192.168.0.100 -j ACCEPT

iptables -A INPUT -s 192.168.0.101 -j ACCEPT

iptables -A INPUT -s 192.168.0.102 -j ACCEPT

iptables -A INPUT -s 192.168.0.104 -j ACCEPT

iptables -A INPUT -s 192.168.0.105 -j ACCEPT

iptables -A INPUT -s 192.168.0.106 -j ACCEPT

iptables -A INPUT -s 192.168.0.108 -j ACCEPT

#including the wireless computers

iptables -A INPUT -s 192.168.0.103 -j ACCEPT

iptables -A INPUT -s 192.168.0.109 -j ACCEPT

# and Maggi

iptables -A INPUT -s 192.168.0.170 -j ACCEPT

echo "accept  router multicast messages"

iptables -A INPUT -s 192.168.0.1  -d 224.0.0.1 -j ACCEPT

echo " and broadcast messages"

iptables -A INPUT -s 192.168.0.1  -d 255.255.255.255 -j ACCEPT

echo ignore uPNP requests except for TV

iptables -A INPUT -s 192.168.0.193 -d 239.255.255.250 -j ACCEPT

iptables -A INPUT -d 239.255.255.250 -j REJECT

echo "drop DHCP requests, we are not a router"

iptables -A INPUT -s 0.0.0.0 -d 255.255.255.255 -j REJECT

LOG_DROP=${LOG_DROP:=DROP:}

iptables -A FORWARD -p tcp -j LOG --log-level debug --log-prefix "IPT="

iptables  -N logdrop

iptables  -A logdrop -j LOG --log-prefix "${LOG_DROP}"

iptables  -A logdrop -j DROP

echo " This is the last rule in the chain, it logs and drops everything that got through the gauntlet"

iptables  -A INPUT -m conntrack --ctstate NEW -j logdrop

iptables -A INPUT -j DROP

/etc/init.d/iptables save
```

Logging isn't working.
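
When "logging isn't working", two things are worth knowing about the LOG target. It writes into the kernel ring buffer at the chosen --log-level, so `dmesg` shows the entries even if the syslog daemon is configured to drop kernel messages at debug level, which is what Tony's script asks for. And a --log-prefix without a trailing space, like Tony's "DROP:", runs straight into the IN= field of the entry, which is why pietinger's prefixes end with a space. The script below is an added example, not Tony's or pietinger's code: it reduces kernel LOG lines from /var/log/messages to a per-prefix count and a list of the outside hosts hitting the WAN-side drop rule. The sample log lines are constructed to look like netfilter output for Tony's prefixes; the interface names and the router's MAC addresses come from his eudev rule, the peer addresses and MACs are invented.

```shell
#!/bin/sh
# Added example (not code from the thread): summarise netfilter LOG entries.
# SAMPLE_LOG is constructed; wan0/lan0 and the router MACs are from Tony's
# eudev rule, every other address is invented (RFC 5737 documentation ranges).
set -eu

SAMPLE_LOG='May 26 01:02:03 k6 kernel: DROP:IN=wan0 OUT= MAC=00:50:bf:ed:e3:14:00:11:22:33:44:55:08:00 SRC=198.51.100.7 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
May 26 01:02:04 k6 kernel: [ 812.345678] DROP:IN=wan0 OUT= MAC=00:50:bf:ed:e3:14:00:11:22:33:44:55:08:00 SRC=198.51.100.7 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=41235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
May 26 01:02:05 k6 kernel: DROP:IN=wan0 OUT= MAC=00:50:bf:ed:e3:14:00:11:22:33:44:55:08:00 SRC=192.0.2.44 DST=203.0.113.9 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=3 PROTO=UDP SPT=5060 DPT=3478 LEN=20
May 26 01:02:06 k6 kernel: ssh-from-lan: IN=lan0 OUT= MAC=90:e2:ba:ed:ef:4c:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.0.100 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=50000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
May 26 01:02:07 k6 dnsmasq[321]: started, version 2.80 cachesize 150
May 26 01:02:08 k6 kernel: IPT=IN=lan0 OUT=wan0 MAC=90:e2:ba:ed:ef:4c:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.0.106 DST=203.0.113.80 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
May 26 01:02:09 k6 kernel: IPT=IN=lan0 OUT=wan0 MAC=90:e2:ba:ed:ef:4c:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.0.106 DST=203.0.113.80 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=6 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0'

# Reduce kernel LOG lines to "prefix<TAB>in_iface<TAB>src<TAB>proto<TAB>dport".
# The prefix is whatever sits between "kernel: " (plus an optional printk
# timestamp) and "IN=". A --log-prefix without a trailing space runs straight
# into IN=, so the split is done on that token rather than on whitespace.
parse_log() {
    awk '
    /kernel: .*IN=/ {
        line = $0
        sub(/^.*kernel: /, "", line)
        sub(/^\[ *[0-9.]+\] /, "", line)
        split(line, parts, "IN=")
        prefix = parts[1]
        sub(/ +$/, "", prefix)
        if (prefix == "") prefix = "(none)"
        n = split("IN=" parts[2], tok, " ")
        in_if = "-"; src = "-"; proto = "-"; dpt = "-"
        for (i = 1; i <= n; i++) {
            if (tok[i] ~ /^IN=./)        in_if = substr(tok[i], 4)
            else if (tok[i] ~ /^SRC=/)   src = substr(tok[i], 5)
            else if (tok[i] ~ /^PROTO=/) proto = substr(tok[i], 7)
            else if (tok[i] ~ /^DPT=/)   dpt = substr(tok[i], 5)
        }
        printf "%s\t%s\t%s\t%s\t%s\n", prefix, in_if, src, proto, dpt
    }'
}

# How many entries each --log-prefix produced, busiest first: "count<TAB>prefix".
count_by_prefix() {
    parse_log | cut -f1 | sort | uniq -c | sort -rn |
        awk '{ c = $1; $1 = ""; sub(/^[ \t]+/, ""); printf "%s\t%s\n", c, $0 }'
}

# Which outside hosts hit the drop rule on the WAN side, and on which
# proto/port, busiest first: "count<TAB>src<TAB>proto/dport".
wan_drop_sources() {
    parse_log | awk -F'\t' -v wan="${WAN:-wan0}" \
        '$1 == "DROP:" && $2 == wan { printf "%s\t%s/%s\n", $3, $4, $5 }' |
        sort | uniq -c | sort -rn | awk '{ printf "%s\t%s\t%s\n", $1, $2, $3 }'
}

# Stand-alone run over the constructed sample. On the router, feed it
# `grep 'kernel:' /var/log/messages` (or `dmesg`) instead.
printf '%s\n' "$SAMPLE_LOG" | count_by_prefix
printf '%s\n' "$SAMPLE_LOG" | wan_drop_sources
```

Run against the sample this reports 3 entries for "DROP:", 2 for "IPT=" and 1 for "ssh-from-lan:", with 198.51.100.7 knocking twice on TCP/22. If the counts are all zero on a real box while `iptables -L INPUT -v -n` shows the LOG rule's packet counter climbing, the rule is firing and the gap is between the kernel and the log file, not in the rules.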

----------

## pietinger

 *Tony0945 wrote:*   

> I'm sorry. I guess I was overly touchy. I'm sorry I misinterpreted your remarks. Living in lockdown with nothing but COVID-19 news and nothing to do but bang my head on shorewall for days must be getting on my nerves.

 

It's okay, Tony - I am living in lockdown also ...  :Sad: 

I will help you as well as I can (and with my poor school English). When I explain something you already know, I do it only for all the other readers of this post. First of all, I want to explain what a firewall is good for. What can it do and what can't it do?

A firewall has two sides: 

1.) It can protect you from the Internet, allowing only communications to a dedicated server you have.

2.) If you have a bad program (virus, rootkit) on your computer, it can TRY to disallow this bad program communicating with a bad server somewhere in the internet.

First look at (2). Why did I write "TRY"? Because a firewall alone can't do this. Why? The answer is: You want to go with your browser into the internet and read some web pages from "https://forums.gentoo.org". Therefore you must allow outgoing https traffic (this is port 443). Now you have a bad program which wants to communicate with a bad server. This bad program also communicates over the same (open) port to its bad server ... and the firewall (must) allow this. What you would need is a proxy server for web surfing, which logs all communications into the internet for port 443 (and 80 for normal http), so you don't go directly with your browser into the internet. Without a proxy server, the whole "filtering outgoing packets" crap doesn't help you in any case against bad programs ... and is therefore completely senseless. Without a proxy you can simply allow ALL outgoing traffic and use the firewall only for (1).

In a workstation with 1 interface (e.g. ethernet) a packet can go 2 WAYS: From your computer to the net (outgoing), or from the net into your computer (ingoing).

On a router with 2 interfaces (e.g. one for LAN and one for WAN) you have 6 WAYS (with the iptables chains used, in brackets):

- From LAN to router (INPUT -i $LAN)

- From LAN to WAN (FORWARD -i $LAN)

- From router to LAN (OUTPUT -o $LAN)

- From router to WAN (OUTPUT -o $WAN)

- FROM WAN to router (INPUT -i $WAN)

- FROM WAN to LAN (FORWARD -i $WAN)

On a router with 3 interfaces (e.g. one for LAN, one for WAN and one for a DMZ) you have 12 WAYS (I don't want to explain now, maybe later).

Sidestep: There was a time (long, long ago) when a packet which should be routed was put first in INPUT, then in FORWARD and third in OUTPUT. TODAY such a packet is put ONLY in the table "FORWARD".

So we look at a router with 2 interfaces. What do you want to allow and what do you want to disallow? First, we make it simple and say: We have no server inside our LAN, AND the router itself should not talk with the internet AND the LAN - just be a passive thing. Only exception: I want to ssh from a workstation (inside my LAN) to the router. If we set the default action to "DROP" for all tables, what do we have to allow? I would say:

- From LAN to router (INPUT -i $LAN) => SSH (and all packets belonging to an existing session)

- From LAN to WAN (FORWARD -i $LAN) => ALL

- From router to LAN (OUTPUT -o $LAN) => only packets belonging to an existing session (should be ssh answers only)

- From router to WAN (OUTPUT -o $WAN) =>  ... nothing (or maybe NTP for the time in the router)

- FROM WAN to router (INPUT -i $WAN) =>  ... nothing (or maybe only packets belonging to an existing session (if NTP))

- FROM WAN to LAN (FORWARD -i $WAN) => only packets belonging to an existing session

(BREAK: I must go away now. I will continue in some hours. Sorry. Please wait)

----------

## pietinger

[continue from above]

Before I go on, I want to explain WHY we use a script. This has two reasons - one is historical. So today it is only because of one reason.

Perhaps you already know what you do when you type in an iptables command: You configure your kernel at runtime, like you configure your kernel at runtime with the command "sysctl". But the kernel doesn't store these settings. After a reboot they are all gone. So you have to load them again when you start up your computer. All settings you want to set with sysctl are done from the init script "/etc/init.d/sysctl" (you know this already). 

A) A long time ago we had no script for setting the filtering settings (with iptables) at startup. Therefore you had to do it yourself. An old example of such a script you can find here: https://wiki.gentoo.org/wiki/Security_Handbook/Firewalls

Please don't use it - it's outdated (I would delete it, so as not to confuse people reading this page)! Today we have our own script for saving and restoring the settings: "/etc/init.d/iptables". Use only this one!

B) So today we use a script for only one reason: if you want to change or add some rules to an existing setting. Theoretically you can use "iptables -D ...", "-I" or "-R" to delete, insert or replace some lines of your rules, but nobody does this. It is too complicated. It is easier to delete all existing rules and send all (with the new rule(s)) again to the kernel. So we use only "iptables -A" (for append) in our script. And we run the script only one time and then do an initial "/etc/init.d/iptables save" (this script must be added to the runlevel "default" also). Or a second time, if you change something ...

-----

Back to our router: We configure the kernel for our simple example (and expand it later for your wishes). What do we have to do? First we delete all existing rules (1). We have no user-defined chains, but we want to be absolutely sure there is nothing left, so (2) doesn't harm. (At this point I recommend taking a look into the manpage of iptables.) Then we set a default policy for every table (3). At this point you must know some important behaviours of the kernel:

1. When the kernel receives a packet, it "puts it in" one of 3 tables and then compares the packet with the first rule of THIS table.

2. When this compare was successful, the kernel "jumps" to a target. We have two built-in targets: DROP and ACCEPT. These targets are "end-station" targets. The kernel doesn't check any other rules after this. Another target is "LOG". This is NOT an end-station. The kernel just logs something and proceeds with the next rule.

3. When this compare was not successful, the kernel does nothing and proceeds with the next rule.

4. If there is/was no "end-station rule" for the specific packet, the kernel does what the default policy says.

Side note: Because of 1. it makes no difference if you define first all the rules for INPUT and then for OUTPUT, or the reverse. For performance reasons it is only important to think about the order of the rules WITHIN one table.

Next we think about which ways (of which protocols) would carry the most traffic. These we set first, for performance reasons. We allow all traffic from LAN to WAN (4) and allow all packets "answering back" (5). Now we have two of our 6 lines allowed. Next is our ssh from LAN into the router (6) and back (7). At last (8) we have to allow the internal communication of the loopback interface of the router (this you have to do always, for every firewall type, so it is usually at the beginning of every script you will find). Now we are finished.

Don't forget: (5) and (7) you define only one time. If you want to allow, for example, additional "http" from LAN into the router, you only need to allow this unidirectionally, because "the way back" is handled by (7) again.

```
#!/bin/sh

# Defines

# please edit this with your real interface names, which you will find with "ifconfig" (your names may begin with "enp....")

LAN=eth0

WAN=eth1

### (1)

iptables -F

### (2)

iptables -X

### (3)

iptables -P INPUT       DROP

iptables -P OUTPUT      DROP

iptables -P FORWARD     DROP

### (4)

iptables -A FORWARD     -i $LAN -j ACCEPT

### (5)

iptables -A FORWARD     -i $WAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

### (6)

iptables -A INPUT       -i $LAN -p tcp --dport 22 -j ACCEPT

### (7)

iptables -A OUTPUT      -o $LAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

### (8)

iptables -A INPUT       -i lo -j ACCEPT

iptables -A OUTPUT      -o lo -j ACCEPT
```

Now we make one change: We allow our ntp daemon in our router to communicate with a time server on the internet. You have 3 options to do that:

a) You allow your router ONLY NTP-traffic out to ALL Servers in the internet, or

b) You allow your router ALL traffic out to ONE Time-Server in the internet, or

c) You allow your router ONLY NTP-traffic out to ONE Time-Server.

I need not say which is the most secure option (c), but if we trust our ntp client AND we have more than ONE time server we want to ask for the time, it is practical to allow (a), because this will be one rule and (c) would be a rule for every time server we want to connect to. I give you (c) as an example (you could simply add it to the script, but wait a little bit):

```
NTPSERVER="a.b.c.d"

iptables -A OUTPUT      -o $WAN -d $NTPSERVER -p udp --dport 123 -j ACCEPT

iptables -A INPUT       -i $WAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
```

You should be able now to change this, if you want solution (a) ... =>

```
iptables -A OUTPUT      -o $WAN -p udp --dport 123 -j ACCEPT

iptables -A INPUT       -i $WAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
```

In these two examples we did something which is not absolutely necessary: differentiate between LAN and WAN in the "conntrack lines". Usually you have only 3 lines at the beginning of your script and then only your special allows. So our next example has a different sequence.

Now we want to log something. You have 4 options for what you want to log:

a) Every connection from X to Y, or

b) One specific action, or

c) Some specific actions (but not too much), or

d) Almost every connection, except some specific actions

We can shorten this list, because for (b) and (c) we do the same. First we want to log every ssh connection to our router. You see, the matching is identical, only the target is LOG instead of ACCEPT =>

```
#!/bin/sh

LAN=eth0

WAN=eth1

iptables -F

iptables -X

iptables -P INPUT       DROP

iptables -P OUTPUT      DROP

iptables -P FORWARD     DROP

iptables -A INPUT       -i lo -j ACCEPT

iptables -A OUTPUT      -o lo -j ACCEPT

iptables -A INPUT       -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT      -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD     -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD     -i $LAN -j ACCEPT

### this is the line we need AND it MUST be BEFORE the "end-station-accept":

iptables -A INPUT       -i $LAN -p tcp --dport 22 -j LOG --log-prefix "ssh-connect from my LAN "

iptables -A INPUT       -i $LAN -p tcp --dport 22 -j ACCEPT
```

Now you want to log all connections going outside to the internet (e.g. only for troubleshooting):

```
#!/bin/sh

LAN=eth0

WAN=eth1

iptables -F

iptables -X

iptables -P INPUT       DROP

iptables -P OUTPUT      DROP

iptables -P FORWARD     DROP

iptables -A INPUT       -i lo -j ACCEPT

iptables -A OUTPUT      -o lo -j ACCEPT

iptables -A INPUT       -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT      -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD     -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT       -i $LAN -p tcp --dport 22 -j LOG --log-prefix "ssh-connect from my LAN "

iptables -A INPUT       -i $LAN -p tcp --dport 22 -j ACCEPT

### this is the line we need AND it MUST be BEFORE the "end-station-accept":

iptables -A FORWARD     -i $LAN -j LOG --log-prefix "connect from my LAN to internet "

iptables -A FORWARD     -i $LAN -j ACCEPT
```

At last, the most difficult: You want to log every connection except all http and https (web surfing). This is a little bit trickier, because you first have to allow everything you don't want to log, then log all the rest, and then allow all the rest =>

```
#!/bin/sh

LAN=eth0

WAN=eth1

iptables -F

iptables -X

iptables -P INPUT       DROP

iptables -P OUTPUT      DROP

iptables -P FORWARD     DROP

iptables -A INPUT       -i lo -j ACCEPT

iptables -A OUTPUT      -o lo -j ACCEPT

iptables -A INPUT       -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT      -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD     -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT       -i $LAN -p tcp --dport 22 -j LOG --log-prefix "ssh-connect from my LAN "

iptables -A INPUT       -i $LAN -p tcp --dport 22 -j ACCEPT

# Allow all outgoing http and https without logging:

iptables -A FORWARD     -i $LAN -p tcp --dport 80 -j ACCEPT

iptables -A FORWARD     -i $LAN -p tcp --dport 443 -j ACCEPT

# Now we log the rest (with the same line from above)

iptables -A FORWARD     -i $LAN -j LOG --log-prefix "connect from my LAN to internet "

# and allow the rest (with the same line from above)

iptables -A FORWARD     -i $LAN -j ACCEPT
```

I recommend working with "iptables -L -v -n" in combination with "iptables -Z", because you can see the packet count for every rule (-Z sets it to zero).

You can find a current example of a script for a computer with ONE interface, with filtering of OUTGOING traffic (because I use a proxy), here: https://forums.gentoo.org/viewtopic-t-1112806-highlight-.html

If you have any specific question, please feel free to ask me here.

Stay healthy and have a good time,

Peter
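
pietinger's scripts above build the policy up one rule at a time with `iptables -A`, and his earlier stateful-inspection post explains why the ESTABLISHED,RELATED and loopback rules come first. What follows is an added example, not pietinger's or Tony's code, that puts the same policy into the form a practitioner would actually deploy on the two-interface router Tony is after: an iptables-restore ruleset, which the kernel loads in one atomic step, so there is no window between `iptables -F` and the last `-A` in which the box sits with an empty INPUT chain and an ACCEPT policy. It adds the MASQUERADE rule from Tony's 2018 script, the DHCP and DNS ports dnsmasq needs, anti-spoofing on both interfaces, and rate-limited logging so a port scan cannot flood /var/log/messages. The interface names wan0/lan0 are from Tony's eudev rule; the LAN prefix 192.168.0.0/24, the assumption that the cable modem hands out the WAN address by DHCP, the 5/minute log limit and the output path are mine.

```shell
#!/bin/sh
# Added example (not code from the thread): two-interface home router ruleset
# in iptables-restore format, loaded in one atomic step.
# Assumptions: LAN prefix 192.168.0.0/24, WAN address via DHCP, 5/min log limit.
set -eu

WAN=${WAN:-wan0}                    # names from Tony's eudev rule
LAN=${LAN:-lan0}
LAN_NET=${LAN_NET:-192.168.0.0/24}  # assumption: one /24 behind the router

# Print the ruleset.  Within a chain the order is the whole point: loopback and
# ESTABLISHED,RELATED first (they match almost every packet), then the few NEW
# connections we allow, then a logged drop.  Every LOG rule sits directly
# before the terminating rule it describes and is rate-limited.
emit_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# DHCP discover arrives from 0.0.0.0, so it must precede the anti-spoofing rules
-A INPUT -i $LAN -p udp --sport 68 --dport 67 -j ACCEPT
# anti-spoofing: LAN addresses only on $LAN, never on $WAN
-A INPUT -i $LAN ! -s $LAN_NET -j LOGDROP
-A FORWARD -i $LAN ! -s $LAN_NET -j LOGDROP
-A INPUT -i $WAN -s $LAN_NET -j LOGDROP
-A FORWARD -i $WAN -s $LAN_NET -j LOGDROP
# LAN -> router: ssh (each new connection logged), dnsmasq DNS, ping
-A INPUT -i $LAN -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 5/min -j LOG --log-prefix "ssh-from-lan: "
-A INPUT -i $LAN -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN -p tcp --dport 53 -j ACCEPT
-A INPUT -i $LAN -p icmp --icmp-type echo-request -j ACCEPT
# LAN -> WAN: everything, one log line per new connection
-A FORWARD -i $LAN -o $WAN -m conntrack --ctstate NEW -m limit --limit 5/min -j LOG --log-prefix "lan-to-wan: "
-A FORWARD -i $LAN -o $WAN -j ACCEPT
# router -> WAN: only what the router itself needs (DNS, NTP, portage sync)
-A OUTPUT -o $WAN -p udp --dport 53 -j ACCEPT
-A OUTPUT -o $WAN -p tcp --dport 53 -j ACCEPT
-A OUTPUT -o $WAN -p udp --dport 123 -j ACCEPT
-A OUTPUT -o $WAN -p tcp -m multiport --dports 80,443,873 -j ACCEPT
# WAN address from the cable modem by DHCP (assumed); renewals go over UDP
-A OUTPUT -o $WAN -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i $WAN -p udp --sport 67 --dport 68 -j ACCEPT
# router -> LAN: DHCP offers and ping; everything else is a reply, handled above
-A OUTPUT -o $LAN -p udp --sport 67 --dport 68 -j ACCEPT
-A OUTPUT -o $LAN -p icmp -j ACCEPT
# everything else: log at a bounded rate, then drop
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "DROP: "
-A LOGDROP -j DROP
-A INPUT -j LOGDROP
-A FORWARD -j LOGDROP
-A OUTPUT -j LOGDROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
COMMIT
EOF
}

# Write the ruleset, check it with iptables-restore --test (parse only, nothing
# loaded), then load it atomically and enable forwarding.  On a machine without
# iptables the file is still written so it can be reviewed elsewhere.
apply_rules() {
    out=${RULES_OUT:-/tmp/router-rules.v4}
    emit_rules > "$out"
    if ! command -v iptables-restore >/dev/null 2>&1; then
        echo "iptables-restore not found; ruleset written to $out" >&2
        return 0
    fi
    iptables-restore --test "$out"
    iptables-restore "$out"
    sysctl -w net.ipv4.ip_forward=1 net.ipv4.conf.all.rp_filter=1 >/dev/null
    echo "ruleset loaded from $out" >&2
}

if [ "${1:-}" = apply ]; then apply_rules; fi
```

`sh router-rules.sh` only writes the file; `sh router-rules.sh apply` loads it. Because the router is administered over ssh from the LAN, the safer way to load a new ruleset is `iptables-apply`, which ships with iptables: it restores the file, then reverts to the previous rules after a timeout unless you confirm from the same ssh session, which removes the two-flights-of-stairs problem from the thread. Once the ruleset is in, `/etc/init.d/iptables save` records it (under /var/lib/iptables by default on Gentoo) and `rc-update add iptables default` brings it back at boot; check the counters with `iptables -L -v -n` as pietinger suggests. This covers IPv4 only: if the kernel has IPv6 enabled, ip6tables needs an equivalent policy or that side of the router is wide open.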

----------

## Tony0945

pietinger,  WOW!   I read it all through, I think I understand every step, but will have to re-read several times. That was an excellent exposition and you should put it in the Gentoo Wiki.

That must have taken a lot of time to write. Thank you very much.

For reference, here is where the wan0, lan0 names come from. On my workstations I use mdev with a few extensions, but on this particular machine I use an old version of eudev. I think it's the same one that anon-a-moose uses. Here is the custom eudev rule that assigns the names by MAC address:

```
k6 ~ # cat /etc/udev/rules.d/ethernet.rules

## NOTES

# wan0  Realtek 8139too driver on-board "fast ethernet" 10/100

# lan0  Intel e1000 driver  PCI card "Gigabit ethernet 10/100/1000

# lan2  Realtek r8169 driver PCI card "Gigabit ethernet 10/100/1000

SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="00:50:bf:ed:e3:14", NAME="wan0"

SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="90:e2:ba:ed:ef:4c", NAME="lan0"

SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="6c:19:8f:9a:61:77", NAME="lan2"

```

In dmesg one can see the kernel assigning eth0 then renaming it. Apparently that frees the eth0 name, because it assigns eth0 three times, with a rename in between. But I think the process is actually asynchronous, so it just happens that way by coincidence.

----------

## pietinger

Thank you very much for your big compliment !

Let me say something ...

I don't know which connection you have to the internet. In Germany private people (today) always have a DSL line. Maybe you call it ADSL or SDSL (this is more exact). On this line we have connected a router which is a combined router and DSL modem in one box (and we can connect an IP telephone directly to this box also). Some of these routers have 4 or 8 ethernet ports and you can use it as a switch also. You can lease this router from the telecommunication company or buy one yourself. All routers have a built-in IP address from one of the 256 private class C networks 192.168.0.0. So the most common address is 192.168.0.1 or 192.168.1.1 (https://en.wikipedia.org/wiki/IPv4#Addressing).

This router is doing the whole NAT for any computer in my private network, so I don't need to do "NATing" (or masquerading) on any of my computers.

And almost all of these routers have a built-in firewall also (with stateful inspection). I don't trust my box from "Telekom Germany", but I see the firewall in this box is working. I see it because I log (on my Linux workstation) every incoming dropped packet. And for weeks I had none. (I can produce some if I close my browser in the middle of a transfer. My DSL modem accepts the next incoming packet from the web server because it belongs to an existing session (this is correct behaviour). But my Linux kernel knows the session was just closed, and therefore this incoming packet DOESN'T belong to an existing session and must be dropped.)

Why I tell you this ?

Because I don't know the situation in the USA for private people. And I didn't understand from your first post whether you want to eliminate your "box" (?) - which you already have - and replace it with your computer, or just install this computer BETWEEN your "box" and your LAN (for more security?). I didn't understand what you need 3 interfaces in this computer for. So if you can explain what you have and what you want (to do) AND what your actual problem is, I will help you for sure. But for now I don't even know if your network (networks?) works and which addresses your networks and hosts have. A (current) "ifconfig" would help much.

So, I go in "waiting state" for now   :Wink: 

----------

## Tony0945

Yes. My daughter and my sister have an ADSL connection from AT&T as you describe. My sister's is a standalone and, as you say, is a DSL modem, NAT gateway and wireless AP all in one. Her service is billed as "up to 50Mbps". The installing tech measured it as 3Mbps. He said "we promised up to 50Mbps, so as long as you are getting less than that we are keeping our promise." My daughter is at the end of the line and gets a little over 1 Mbps.

They live a thousand miles south of me in a rural county. I live in a suburb of Chicago and have three providers available. I have cable internet, where a cable modem transmits and receives packets on a set of bonded television frequencies on a coaxial cable. I have a very old combination router, four port switch and wireless AP, now EOL. My service is 30MBps up and 5 down. I've heard that in Europe service is symmetrical but in the USA it's much more common for the down-link speed to be much higher than the up-link speed.

My intent is to use an old Gentoo computer as a router and put the router into AP mode. The router has not had firmware updates or security fixes for many years. I update my Gentoo boxes weekly, although lately it seems to take all weekend to resolve blockers.

"Why?" is a more philosophical question. certainly I could buy one of these. After all, the US government just sent me $2400 that I don't need instead of sending it to someone that needs it. But I'm veering into politics. About face!

Why? Why did I buy an old Chevy station wagon with 100,000 miles on it and a flat cam, then have the block rebuilt (I have the training but not the equipment) and add a set of big valve aftermarket heads, an aftermarket aluminum manifold, four barrel carburetor and high lift cam? Just to watch a guy driving a late model Mustang try to cut me off and see the driver's jaw drop when I put the hammer down and flashed by him like he was standing still?

Yeah, that was rather adolescent of me and it was nearly thirty years ago.  Maybe now I like to hot rod computers instead of cars. I suspect that is so.

A more practical reason is to get better logging. The commercial router has pretty much all or nothing. On the low setting I see the router rebooting, the modem attaching and detaching and that's about it. The other setting quickly loads up with reports of attackers knocking on the door, day and night, all ports. Some may be legitimate gamers looking for a game, others are probably up to no good. I would like to log traffic but just have these unrelated, unconnected packets drop silently without losing track of MY traffic. And to feel in control instead of having a black box.

EDIT:

The three interfaces. An accident of history. One (slower) is built on the motherboard. The other two are add-in cards. Why two? One Realtek, one Intel? I was going to use one for WAN and one for LAN, then realized that even the slow built-in at 100MBps is still three times faster than the internet connection. In another post two years ago, NeddySeagoon pointed out that the PCI (not PCI-e) bus was the real bottleneck. I really keep the old machine up for sentiment. My middle grandson and I built it out of discarded scraps and a $20 e-bay motherboard when I was unemployed 17 years ago. The k6-3 was pretty hot then. The guy selling it was buying a k-7. Half a Gig of memory, 32-bits and an ancient IDE hard drive (7200 RPM) aren't much now. I don't run a GUI. This is now an experimental setup. If I get it working, I'll put it on a 64-bit box with at least 4G memory. Maybe I'll even buy a motherboard and CPU. I saw a Ryzen 3 APU for $80 with 4.0Ghz burst speed. Used motherboards are pretty cheap. I have a bulldozer AM4 chip if a BIOS update is needed. When she's angry my wife will say things like "We would have lots of room in the basement if we got rid of all that car and computer #$%^&!" Two guesses who that stuff belongs to.

ifconfig (I am only initializing one right now); see the udev rules posted above for more identification.

```
lan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500

        inet 192.168.0.106  netmask 255.255.0.0  broadcast 192.168.255.255

        ether 90:e2:ba:ed:ef:4c  txqueuelen 1000  (Ethernet)

        RX packets 0  bytes 0 (0.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 0  bytes 0 (0.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lan2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

        inet 192.168.0.109  netmask 255.255.255.0  broadcast 192.168.0.255

        ether 6c:19:8f:9a:61:77  txqueuelen 1000  (Ethernet)

        RX packets 9099  bytes 581792 (568.1 KiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 14770  bytes 1824334 (1.7 MiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536

        inet 127.0.0.1  netmask 255.0.0.0

        loop  txqueuelen 1  (Local Loopback)

        RX packets 0  bytes 0 (0.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 0  bytes 0 (0.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

```

----------

## Tony0945

Ok, removed the r8169 card (lan2). There are now only two ethernet devices

1. Built-in 100Mbps "Fast Ethernet" using Realtek 8139too driver.

2. PCI card 1000Mbps "Gigabit Ethernet" using Intel e1000 driver.

Yellow cat 6 cable plugged into the PCI card, nothing into the onboard.

lspci and ifconfig:

```
k6 ~ # lspci

00:00.0 Host bridge: VIA Technologies, Inc. VT82C598 [Apollo MVP3] (rev 04)

00:01.0 PCI bridge: VIA Technologies, Inc. VT82C598/694x [Apollo MVP3/Pro133x AGP]

00:07.0 ISA bridge: VIA Technologies, Inc. VT82C586/A/B PCI-to-ISA [Apollo VP] (rev 47)

00:07.1 IDE interface: VIA Technologies, Inc. VT82C586A/B/VT82C686/A/B/VT823x/A/C PIPC Bus Master IDE (rev 06)

00:07.2 USB controller: VIA Technologies, Inc. VT82xx/62xx UHCI USB 1.1 Controller (rev 02)

00:07.3 Host bridge: VIA Technologies, Inc. VT82C586B ACPI (rev 10)

00:08.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8100/8101L/8139 PCI Fast Ethernet Adapter (rev 10)

00:09.0 Ethernet controller: Intel Corporation 82541PI Gigabit Ethernet Controller (rev 05)

00:0b.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] RV100 [Radeon 7000 / Radeon VE]

k6 ~ # ifconfig

lan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

        inet 192.168.0.106  netmask 255.255.0.0  broadcast 192.168.255.255

        ether 90:e2:ba:ed:ef:4c  txqueuelen 1000  (Ethernet)

        RX packets 799  bytes 69275 (67.6 KiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 561  bytes 76811 (75.0 KiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536

        inet 127.0.0.1  netmask 255.0.0.0

        loop  txqueuelen 1  (Local Loopback)

        RX packets 20  bytes 1340 (1.3 KiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 20  bytes 1340 (1.3 KiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500

        inet 192.168.0.107  netmask 255.255.0.0  broadcast 192.168.255.255

        ether 00:50:bf:ed:e3:14  txqueuelen 1000  (Ethernet)

        RX packets 0  bytes 0 (0.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 0  bytes 0 (0.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

```

I need to change /etc/conf.d/net for actual wan use.

If I'm right, wan0 should get its address from DHCP.

lan0 should be the gateway.

```
k6 ~ # grep -v ^# /etc/conf.d/net

rc_verbose="no"

config_wan0="192.168.0.107 netmask 255.255.0.0"

routes_wan0="default gw 192.168.0.1"

config_lan0="192.168.0.106 netmask 255.255.0.0"

routes_lan0="default gw 192.168.0.1"

dns_servers_lan0="127.0.0.1 "

dns_servers_wlan0="127.0.0.1"

dns_servers_lo="127.0.0.1 "

modules="ethtool !iproute2"      #prefer ifconfig

modules_wlan0=" ${modules} wpa_supplicant"

carrier_timeout_lan0=10   #fix for e1000

ifdown_lan0="no"

ethtool_change_lan0="wol g"

ifdown="no"

postdown() {

      [ "${IFACE}" = "lan0" ] && ethtool -s "${IFACE}" wol g

             return 0

       }

```

----------

## NeddySeagoon

Tony0945,

With both interfaces in the same subnet you are going to have routing problems.

Don't do that.

```
inet 192.168.0.106  netmask 255.255.0.0

inet 192.168.0.107  netmask 255.255.0.0
```

That's the 192.168.0.0/16 network.

You will do better with 

```
inet 192.168.0.106  netmask 255.255.255.0

inet 192.168.1.107  netmask 255.255.255.0
```

That's two different subnets.

```
192.168.0.0/24

192.168.1.0/24
```

You must get your routing in order before you add a firewall.

----------

## Tony0945

Here is the configuration when used as a router. 

```
configure WAN

config_wan0="dhcp" #get ip address and route from ISP

routes_wan0="default gw 64.53.168.1"

#configure LAN

config_lan0="192.168.0.1 netmask 255.255.255.0"

routes_lan0="default gw 192.168.0.1"

```

 wan0's gateway is some computer at my ISP's location in Naperville Illinois. Thousands of people have that gateway. I read it off my D-link router's WAN page. Per your advice, I did not list my cable modem's IP address but it is received by dhcp and does change at random intervals.  The DLink router is set to obtain address and gateway by dhcp. Should I leave "routes_wan0" line out? Will dhcp get them then?

The lan0 address is likewise copied from the router, but it is a standard default. 

To run with this configuration I have to disconnect the router or there will be an address conflict.

When testing, I connect wan0 directly to the cable modem. That's an easy switch although the k6 computer is some 20 feet or so away because the cable modem & router are only a few feet apart and it's easy to switch.

For testing, lan0 is attached by a short cat-5e cable to a Windows 7 laptop. 

During development, lan0 is connected to the local net via Dlink router and wan0 is disconnected. I physically removed the lan2 card to remove all confusion. Then I put back a USB card that caused all sorts of boot problems (although sysrescuecd could boot XP okay). I have removed the USB card and just left the slot empty.  I should examine /boot/grub/grub.conf and boot by UUID or label. There is only one hard drive, but the CD-ROM drive is on the same IDE cable.

----------

## pietinger

 *Tony0945 wrote:*   

> Here is the configuration when used as a router. 
> 
> ```
> configure WAN
> 
> ...

 

Tony, a gateway is a router (simply said). And you can ONLY use a router that is inside your own network. It is impossible to use a router (as a router) which is in another network. So, at home I have the network 192.168.2.0. My workstation is 192.168.2.4 and the (default) gw for my workstation is 192.168.2.1. This is my TeleKom-Router. On the other side (internet) of my router, it is in a completely different network with its own IP address belonging to that network.

Maybe you are mixing it up with a DNS server (nameserver)?

If yes, you set your DNS-Server in /etc/resolv.conf

----------

## NeddySeagoon

Tony0945,

To avoid confusion and to save you the exercise, connect wan0 to your existing router and leave the #configure WAN entry

```
config_wan0="dhcp" #get ip address and route from ISP 
```

in place.

It will get a default route via dhcp too, so remove the 

```
routes_wan0="default gw 64.53.168.1"
```

As the interface is known to your router, I expect to see it get 192.168.0.107 as its IP address.

On the lan side, use a completely different IP range, so you have to make routing work.

This is how it will actually work when it is routing to the big bad internet.

```
config_lan0="10.0.0.1 netmask 255.255.255.0" 
```

will do nicely.

Do not set any routes yet.

If you have a dhcp server installed, make it serve IP addresses in the range 10.0.0.101 to 10.0.0.200. That's plenty.

Make it serve 10.0.0.1 as a default route.

Your setup is 

```
+----------+        +----------+        +----------+

| Existing |        | New      |        | Testing  |

| Router   +------A-+|Router   +-B------+ Box      |

|          |        | K6-2 Box |        |          |

+----------+        +----------+        +----------+

A IP is   192.168.0.107

B IP Is   10.0.0.1
```

The Testing Box is only there so you can make routing work. It won't be able to connect to the internet yet. That will come.

The new router will serve the Testing Box an IP  in the range 10.0.0.101 to 10.0.0.200 and default route of 10.0.0.1.

You should be able to connect from the Testing Box to the New Router. Test with ping, ssh and so on but the connections stop there. That's as expected.

Check that that much works.

From the New Router, you should be able to connect anywhere. It can get to the internet. It can reach the Testing Box too.

It uses wan0 to get to the internet and lan0 to get to the Testing Box.

Check that works too.

There is as yet no route between wan0 and lan0.  That comes later.

----------

## Tony0945

NeddySeagoon, that's a natural progression. At first I balked at changing the network addresses. It seemed too error-prone to change them back. Then I realized that my firewall script that sets up the tables is just that - a shell script. There is no need to hard code addresses everywhere. Simple shell variables at the top can make the changes in one spot. And the program shellcheck can check for scripting errors and some typos.

As usual, you  are right and I've been hacking instead of designing - a cardinal sin that I blast others for. mea culpa.

EDIT:

I also made the mistake of reading the iptables manpage, which disoriented me even more.

----------

## Tony0945

OK. Sorry for the delay.

On the k6:

/etc/dnsmasq.conf {stripped of comments}

```
domain-needed

bogus-priv

filterwin2k

resolv-file=/etc/dnsmasq.conf.resolv

address=/double-click.net/0.0.0.0

interface=lan0

dhcp-range=10.0.0.101,10.0.0.200,1h

```

/etc/conf.d/net{likewise stripped}

```
rc_verbose="no"

config_wan0="dhcp" #get ip address and route from ISP

config_lan0="10.0.0.1 netmask 255.255.255.0"

modules="ethtool !iproute2"      #prefer ifconfig

modules_wlan0=" ${modules} "

dns_servers_lan0="127.0.0.1 "

dns_servers_wan0="127.0.0.1 "

dns_servers_lo="127.0.0.1 "

carrier_timeout_lan0=10   #fix for e1000

ifdown_lan0="no"

ethtool_change_lan0="wol g"

ifdown="no"

postdown() {

      [ "${IFACE}" = "lan0" ] && ethtool -s "${IFACE}" wol g

             return 0

       }

```

Ok. Going down to run a test.

----------

## Tony0945

UPDATE:  Ran the test. The laptop was dead! And I couldn't find the charger or carrying bag. It would have been perfect.

So, Plan B. Unplugged a very long (50 ft?) cat 5e cable going to a nearby wireless AP. Plugged it into the lan0 card, with the yellow cat 6 still plugged into wan0 (upper, on-board socket). Unplugged the other end of the blue cable from the 10 port switch and plugged it into a nearby ancient (Athlon64) Win 7 computer after shutting said computer down. Rebooted the k6. Turned the Windows computer back on. "ipconfig" on Win7 showed address 10.0.0.104 received from gateway 10.0.0.1. Could ping the gateway (k6) and vice versa. The wan port received address 192.168.0.199 from gateway 192.168.0.1 (the Dlink router on the other end of the wan0 yellow cable). I could ssh into computers 192.168.0.104 and 192.168.0.100. From computer 192.168.0.102 I could ssh into the k6 at 192.168.0.199. I used 102 because it's there in the basement and the other two are on the first and second floors.

From the k6 I could ping 8.8.8.8 but I could not ping any address not on the lan from the Win7 computer connected to lan0.

```
login as: root

root@192.168.0.199's password:

k6 ~ # ifconfig -a

lan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500

        inet 10.0.0.1  netmask 255.255.255.0  broadcast 10.0.0.255

        ether 90:e2:ba:ed:ef:4c  txqueuelen 1000  (Ethernet)

        RX packets 339  bytes 40513 (39.5 KiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 46  bytes 5006 (4.8 KiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536

        inet 127.0.0.1  netmask 255.0.0.0

        loop  txqueuelen 1  (Local Loopback)

        RX packets 2  bytes 432 (432.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 2  bytes 432 (432.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

        inet 192.168.0.199  netmask 255.255.255.0  broadcast 192.168.0.255

        ether 00:50:bf:ed:e3:14  txqueuelen 1000  (Ethernet)

        RX packets 998  bytes 89843 (87.7 KiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 211  bytes 25447 (24.8 KiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

```

I think the next step is to set up NAT and try to use the Win7 browser to access the apache2 webpage at 192.168.0.102

That page just displays the default "IT WORKS!". Its real function is to serve distfiles to the Gentoo boxes. If I can fire up Pale Moon for windows on the Win7 box, type in http://192.168.0.102 and see "IT WORKS!", that's a milestone. If I can do it with the domain name, that's icing on the cake. Dnsmasq should resolve the domain name because it's in the k6's /etc/hosts file.

Meanwhile, I'm looking for that bag and charger because I want to use that laptop as a TV relay (tested that a few months ago). And there's that evil voice in the back of my head saying that one of my spare 2.5" SATA 500GB SSDs would be perfect for Gentoo on the laptop. Sorry, my ADHD is showing.

----------

## NeddySeagoon

Tony0945,

There is another step before you set up NAT.

At the moment, the k6-2 box does not know what to do with packets from the 10.0.0.0 net going off that net.

There are two ways to fix that.

The first is to enable IPv4 Forwarding. You will want that for NAT anyway.

It's a kernel option and a sysctl.

With just  IPv4 Forwarding working, your 10.0.0.0 net packets will pass through the k6-2 unNATed.

That is, they will appear on the wiring carrying the 192.168.0.0 traffic.

That might not appear to be useful at first sight, but if you manually assign say 10.0.0.2 to an existing system on the wiring carrying the 192.168.0.0 traffic, as well as its 192.168.0.x address, it will respond to that traffic.

You will also need a manual static route on that system that says to reach the 10.0.0.0 network, use 192.168.0.199 as a gateway.

Now your k6-2 is forwarding traffic between the two interfaces and you can test it. Once forwarding works, you add NAT.

Baby steps ... build on what you know works.

Expect to poke about with wireshark.

----------

## Tony0945

Aha! I have seen that command in guides and wondered why it is default off. So, if I turn it on, with no other changes, i.e. no NAT, that Win7 computer with the 10.0... address could access the webpage at 192.168.0.102 but not 204.187.15.12 (forums.gentoo.org)? I'll have to experiment.

But wait, that packet on the other network would also be routed by the switch to the DLINK router, so maybe it would come back.  I'll have to experiment.

----------

## NeddySeagoon

Tony0945,

Correct, your D-Link router will get the 10.0.0.0 packets too but it won't know what to do with them.

It expects to provide NAT for 192.168.0.0, that's all.

Making the k6-2 forward packets allows traffic on one interface to appear on the other but it appears unchanged.

That's why you also need a static route and a static (10.0.0.x) IP on hosts on the physical 192.168.0.0 net to reach hosts on the 10.0.0.0 physical network.

After IPv4 Forwarding works, add NAT.

No, filtering ... just NAT. When the K6-2 provides NAT, the Testing Box will be able to reach the internet.

You will have two layers of NAT for the 10.0.0.0 net but that's OK. Your D-Link router will NAT the 192.168.0.0 range. The k6-2 has an IP in that range and it will NAT its 192.168.x.y address for the system(s) on the 10.0.0.0 network.

That's not a problem. 

At this point, you have a k6-2 router.

----------

## Tony0945

I set a second address with "ip addr" but it only worked one way.

Then I changed conf.d/net on the third box as follows

```
config_eth0="192.168.0.102 netmask 255.255.255.0 10.0.0.102 netmask 255.255.255.0"

routes_eth0="default via 192.168.0.1 nexthop 10.0.0.1"

dhcp_eth0="nodns"

dns_servers="127.0.0.1 198.192.0.1 10.0.0.1"

```

But only the 192.168 side sees it.    

I do have the laptop running now (found the charger) it can be pinged from the wan side but can't get out. It's running Win 7

EDIT:

Started over.  "ip route add 10.0.0.0/24 via 192.168.0.199" "ip addr add 10.0.0.102 dev eth0"

Still no joy

On the k6 

```
k6 ~ # ip route

default via 192.168.0.1 dev wan0 metric 2 

10.0.0.0/24 dev lan0 proto kernel scope link src 10.0.0.1 

127.0.0.0/8 dev lo scope host 

192.168.0.0/24 dev wan0 proto kernel scope link src 192.168.0.199
```

On the server box attached to wan0

```
ip route

10.0.0.0/24 via 192.168.0.199 dev eth0 

127.0.0.0/8 dev lo scope host 

127.0.0.0/8 via 127.0.0.1 dev lo 

192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.102 

```

----------

## NeddySeagoon

Tony0945,

To make it work both ways you need a static route and a 10.0.0.2, say, on the 192.168.0.0 system you are using to test with the Testing box.

```
routes_eth0="default via 192.168.0.1

                      10.0.0.0/8 via 192.168.0.199"
```

10.0.0.1 can't be reached from the 192.168.0.0 network. It doesn't know how.

10.0.0.0/8 via 192.168.0.199 says to send anything in the 10.0.0.0/8 subnet to 192.168.0.199, which I think is the IP of the k6-2 on the 192.168.0.0 network. It's supposed to be.

The k6-2 will forward the packets to its other interface, where the Testing Box is waiting.

Nothing on the 10.0.0.0/8 can get to the outside world yet. Your D-Link router will see the 10.0.0.0 packets but will not NAT them to the outside world.

Once you can work through the k6-2 in both directions, then IPv4 Forwarding is working both ways.

-- edit in response to your edit --

How does the Testing Box know how to reach the 192.168.0.0 net?

----------

## Tony0945

OK, sitting back thinking about this.

A low level driver sits in the kernel turning pulses in three twisted pairs attached to an RJ-45 socket into bits. A higher layer turns those bits into bytes and packets. 

As I dimly remember from experimenting in the '90s, those packets have fields, including a field for source IP address and destination IP address. What do we mean by forwarding? I think forwarding means that if a packet has a destination address that is not ours, we kick it back onto the ethernet network to find its target. Normally forwarding is off and we ignore targets that are not our unique IP address.

In the context of this project, I think FORWARDING means that if we are not the target and the target is not on the network that the receiving device is connected to (because we don't want to act as a switch), we should re-emit it on a different device that is connected to that network.

Therefore, all packets arriving on wan0 that are targeted  to the 10.0.0.x network should be re-emitted out the lan0 device which is  connected to that sub-net. Packets addressed to neither (i.e. somewhere on the internet) are ignored for now.

The same in reverse applies to the lan0 port. If we ever put the lan2 card back in, it might connect to a third sub-net, perhaps reserved for wireless devices, perhaps for IOT. But that's for the far future.

Therefore I think these two rules should be added to the k6 pseudo-router.

```

iptables -i wan0 -d 10.0.0.0/24 -o lan0 -A INPUT -j FORWARD

iptables -i lan0 -d 192.168.0/24 -o wan0 -A INPUT -j FORWARD
```

Then, whatever kernel code handles the forwarding will presumably forward it.

I'm not sure of that syntax. It's what I glean from "man 8 iptables"

EDIT:

syntax errors: This was accepted:

```
iptables -i lan0 -d 192.168.0/24 -o wan0 -A FORWARD

iptables -i wan0 -d 10.0.0.0/24 -o lan0 -A FORWARD

```

But it doesn't do what I thought it would do. It doesn't seem to discriminate between devices.

```
Chain FORWARD (policy ACCEPT)

target     prot opt source               destination         

           all  --  anywhere             10.0.0.0/24         

           all  --  anywhere             10.0.0.0/24         

           all  --  anywhere             192.168.0.0/24   
```

----------

## Hu

Your reasoning is correct, but your command is not.  First, your command's syntax is slightly wrong.  Second, and more importantly, you probably don't want to forward all traffic coming from the Internet to the LAN.  You want to forward only traffic that you want the LAN users to receive.  I would start with:

```
iptables -P FORWARD DROP

iptables -A FORWARD -i wan0 -o lan0 -m conntrack --ctstate ESTABLISHED -p tcp -j ACCEPT

iptables -A FORWARD -i wan0 -o lan0 -m conntrack --ctstate ESTABLISHED -p udp -j ACCEPT

iptables -A FORWARD -i wan0 -o lan0 -m conntrack --ctstate ESTABLISHED -p icmp -j ACCEPT

iptables -A FORWARD -i lan0 -o wan0 -m conntrack --ctstate NEW,ESTABLISHED -p tcp -j ACCEPT

iptables -A FORWARD -i lan0 -o wan0 -m conntrack --ctstate NEW,ESTABLISHED -p udp -j ACCEPT

iptables -A FORWARD -i lan0 -o wan0 -m conntrack --ctstate NEW,ESTABLISHED -p icmp -j ACCEPT
```

Note that outbound traffic is allowed in state NEW, but inbound is not.  This is also the place to add rules if you want to restrict Internet usage, such as denying access at certain times of day, or on certain ports.

With regard to your edit: iptables --list does not, by default, show the device restrictions.  This is one of several reasons that I always tell people to show me iptables-save when they are trying to post their rules for my review.  iptables-save is designed to produce an output that can be read by iptables-restore to recreate the rules, so it must print everything.  iptables --list tries to hide what it thinks you don't need to see.  Adding --verbose can help some, but I prefer getting the machine-readable form.

Also, note that your rules match traffic, but apply no action, so all you have now is a traffic counter that tells you how many packets are trying to traverse.  You need a -j ACTION if you want to modify the default kernel behavior.

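Putting NeddySeagoon's sequence (forwarding first, then NAT) and Hu's FORWARD rules together, here is an added example of a complete minimal ruleset for the k6 in its final role; it is not code from the thread or from any of the posters. It assumes the names wan0/lan0 and the 10.0.0.0/24 LAN from the posts above, a DHCP lease on wan0, and dnsmasq serving DHCP and DNS on lan0. The rules are emitted in iptables-save format and loaded with iptables-restore, so the whole table is replaced in one step instead of leaving FORWARD wide open between `iptables -F` and the new rules:

```shell
#!/bin/bash
# Added example, not from the thread: generate and load the k6 router's
# netfilter ruleset.  Assumed from the posts above: wan0 faces the ISP
# (DHCP lease), lan0 is 10.0.0.1/24, dnsmasq on lan0 does DHCP and DNS.
set -eu

WAN_IF=${WAN_IF:-wan0}
LAN_IF=${LAN_IF:-lan0}
LAN_CIDR=${LAN_CIDR:-10.0.0.0/24}

# Emit the ruleset in iptables-save format.  Loading it with
# iptables-restore swaps the whole table in one step, so there is no
# window where FORWARD is wide open between "iptables -F" and "-P DROP".
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic to the router itself.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# DHCP DISCOVER arrives from 0.0.0.0, so it needs its own rule before the
# source-restricted LAN rule; the LAN rule then covers DNS, ssh, etc.
-A INPUT -i ${LAN_IF} -p udp --dport 67 -j ACCEPT
-A INPUT -i ${LAN_IF} -s ${LAN_CIDR} -j ACCEPT
# Replies to the router's own DHCP client on the WAN side (assumption:
# the client does not bypass netfilter with a raw socket).
-A INPUT -i ${WAN_IF} -p udp --sport 67 --dport 68 -j ACCEPT
# Everything else knocking on wan0: log a rate-limited sample, then the
# chain policy drops it silently, so the door-knockers do not flood the log.
-A INPUT -i ${WAN_IF} -m limit --limit 5/min -j LOG --log-prefix "wan-drop: "
# Transit traffic: the LAN may open connections outward, the WAN may only
# answer them.  This is Hu's NEW-only-outbound rule with conntrack doing
# the per-protocol work, so tcp/udp/icmp need no separate lines.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_CIDR} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Hide the LAN behind whatever address wan0 got from DHCP.
-A POSTROUTING -o ${WAN_IF} -s ${LAN_CIDR} -j MASQUERADE
COMMIT
EOF
}

# Self-check before loading: no FORWARD rule may accept NEW connections
# that arrive on the WAN interface.  Returns 0 (true) when none does.
check_no_wan_new() {
    ! build_ruleset | grep -E "^-A FORWARD -i ${WAN_IF} .*NEW.* -j ACCEPT" >/dev/null
}

# Enable forwarding (the sysctl NeddySeagoon mentions) and load the rules.
apply_ruleset() {
    check_no_wan_new || { echo "refusing to load: WAN may open connections" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    build_ruleset | iptables-restore
}

# Without arguments print the ruleset for review; "apply" loads it (as root).
if [ "${1:-}" = "apply" ]; then
    apply_ruleset
else
    build_ruleset
fi
```

Run it without arguments to review the text, then `./router-rules.sh apply` as root. With the policies at DROP from the moment the table is loaded, the box fails closed if shorewall or this script is stopped, which is the behaviour asked for at the top of the thread; `iptables-save` afterwards shows exactly what was loaded, interface matches included.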
----------

## NeddySeagoon

Tony0945,

Forwarding is normally off as it serves no purpose on a system with a single interface.

Its only required when the system will act as a router.

----------

## Tony0945

```
k6 ~ # iptables-save     

# Generated by iptables-save v1.6.1 on Sun May 31 14:50:10 2020

*filter

:INPUT ACCEPT [777:74915]

:FORWARD ACCEPT [298:26608]

:OUTPUT ACCEPT [718:82929]

-A INPUT -d 10.0.0.0/24 -i wan0

-A FORWARD -d 10.0.0.0/24 -i wan0

-A FORWARD -d 10.0.0.0/24 -i wan0 -o lan0

-A FORWARD -d 192.168.0.0/24 -i lan0 -o wan0

COMMIT

# Completed on Sun May 31 14:50:10 2020

# Generated by iptables-save v1.6.1 on Sun May 31 14:50:10 2020

*nat

:PREROUTING ACCEPT [4844:680121]

:INPUT ACCEPT [2566:470764]

:OUTPUT ACCEPT [752:81497]

:POSTROUTING ACCEPT [3024:289535]

COMMIT

# Completed on Sun May 31 14:50:10 2020

```

Hu, I'm aware of what you are saying, but in this case "wan" is a network already behind a commercial router firewall. 

Otherwise, I would start with a REJECT policy instead of an ACCEPT policy.

My goal at this point is to just ping from one subnet to the other, next to ssh and then to access the webserver on the pseudo-WAN.

I'm testing how to build the router, step-by-step.

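Hu's two points above, that `iptables -L` hides interface matches and that a rule without `-j` only counts packets, can be turned into a check you run on the router before trusting a ruleset. The following script is an added example, not code from the thread or its posters. It audits an iptables-save dump for three things: a default-ACCEPT policy on INPUT or FORWARD, a rule with no target, and a FORWARD rule that accepts traffic arriving on the WAN interface without a conntrack state match. The sample dump is constructed here, modelled on the one just posted with one extra unconditional `-i wan0 -j ACCEPT` rule so that all three checks fire; wan0 as the outside interface is an assumption taken from the thread:

```shell
#!/bin/sh
# Added example, not from the thread: audit an iptables-save dump for the
# three mistakes discussed above.  wan0 as the outside interface is an
# assumption taken from the thread (override with WAN_IF=...).
lint_ruleset() {
    awk -v wan="${WAN_IF:-wan0}" '
    /^\*/ { table = substr($0, 2); next }          # *filter, *nat, ...
    /^:/ && table == "filter" {                    # chain policy lines
        split($0, f, " "); chain = substr(f[1], 2)
        if ((chain == "INPUT" || chain == "FORWARD") && f[2] == "ACCEPT")
            print "POLICY  " chain " defaults to ACCEPT; prefer DROP with explicit allows"
        next
    }
    /^-A / {
        # A match with no -j/-g target never acts: it is only a counter.
        if ($0 !~ / -j / && $0 !~ / -g /)
            print "NO-TARGET  " $0 "  (matches but never acts: only a counter)"
        # ACCEPT from the WAN into FORWARD with no state match lets
        # unsolicited internet traffic through to the LAN.
        else if (table == "filter" && $2 == "FORWARD" && $0 ~ (" -i " wan " ") &&
                 $0 ~ / -j ACCEPT$/ && $0 !~ /--ctstate/)
            print "OPEN-INBOUND  " $0 "  (lets unsolicited WAN traffic into the LAN)"
    }' "$@"
}

# Number of findings, so a script can fail a deploy on anything non-zero.
count_findings() { lint_ruleset "$@" | wc -l | tr -d ' '; }

# Constructed sample: the dump posted above plus one unconditional
# "-i wan0 -j ACCEPT" rule, so that all three checks fire.
sample_dump() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [777:74915]
:FORWARD ACCEPT [298:26608]
:OUTPUT ACCEPT [718:82929]
-A INPUT -d 10.0.0.0/24 -i wan0
-A FORWARD -d 10.0.0.0/24 -i wan0 -o lan0
-A FORWARD -d 192.168.0.0/24 -i lan0 -o wan0
-A FORWARD -i wan0 -o lan0 -j ACCEPT
-A FORWARD -i lan0 -o wan0 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wan0 -j MASQUERADE
COMMIT
EOF
}

# Run stand-alone: lint the sample.  On the router: iptables-save | lint_ruleset
sample_dump | lint_ruleset
```

On the sample this reports two POLICY lines, three NO-TARGET lines and one OPEN-INBOUND line; the conntrack-restricted outbound rule and the nat table are left alone. The audit reads the same iptables-save text that iptables-restore consumes, which is why Hu asks for that form rather than `iptables -L` output.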
----------

## Tony0945

I put this into a bash script so that shellcheck can find typos and other script errors

```

 # cat testscript

#! /bin/bash

WAN_CIDR=192.168.0/24

LAN_CIDR=10.0.0.0/24

iptables -F

#base policy, all open for now, later switch to all closed

iptables -P INPUT ACCEPT

iptables -P FORWARD ACCEPT

iptables -P OUTPUT ACCEPT

iptables -i lan0 -d ${WAN_CIDR} -o wan0 -A FORWARD

iptables -i wan0 -d ${LAN_CIDR} -o lan0 -A FORWARD

```

No ping from either side to the other. Hu, anyone else, I'm testing with a win7 laptop on the 10.x side and a Gentoo workstation on the 192.x side.

I'm going to try using the CIDR's instead of lan0, wan0.

Tried. No joy.

----------

## pietinger

Tony, please forget iptables for some moments. Think only about your network.

You are correct in your thinking about source and destination addresses in fields in a layer of a packet. We have two layers with addresses: layer 2 with its MAC addresses and layer 3 with IP addresses. Your ethernet adapter only reads incoming packets whose destination MAC address is the MAC address of your own ethernet adapter. All data "behind" the MAC addresses - layer 3, layer 4 and "real" data in higher layers - is only DATA for your ethernet adapter.

But with a layer 2 address you cannot send packets into other networks - only to MAC addresses you are LOCALLY connected to. This means you must have at least ONE station which is connected to your local network AND is connected to another network: called "Gateway" or "Router" (a router is a layer-3 gateway).

What happens when you want to browse forums.gentoo.org ?

1. Your PC doesn't know the IP address of "forums.gentoo.org" and has to ask a DNS server. It gets the IP address of that server from /etc/resolv.conf (or maybe, prior to that, from a DHCP request). Let it be 8.8.8.8 in this example.

2. The IP address of this DNS server is NOT in your own LOCAL network, so a packet to 8.8.8.8

3. must be sent to a gateway/router.

4. Which one ?

5a. If you have "only" one router in your local network, it is the DEFAULT GATEWAY.

5b. If you have two routers - one to the internet and the other to a neighbor network - you have two ROUTES: one SPECIFIC route pointing to the neighbor network; the other route points to the internet router as DEFAULT gateway.

(5c. If you have two routers for two neighbor networks and no direct connection to the internet of your own, because you go into the internet over your neighbor's connection, you also have (like in 5b) ONE specific route pointing to the neighbor without the internet connection and a DEFAULT route to the neighbor with the internet connection.)

(5d. If you have 3 routers, one for the internet connection and the other two for two neighbors, then you have two SPECIFIC routes to your two neighbors and a DEFAULT route pointing to the router with the internet connection.)

Summary of 5: first your computer checks if there is a SPECIFIC route to the destination network; if not, it sends ALL the rest to the default router.

6. After your computer has decided which router is needed, it sends a packet to this router; BUT NOT to the IP address of this router. It sends the packet to the MAC address of this router. Let's say your IP address is 192.168.1.7 and your router has 192.168.1.1, then a packet would look like =>

```
Layer 2: TO MAC router-if-1 FROM MAC mine [...] Layer 3: SRC IP 192.168.1.7 TARGET IP 8.8.8.8
```

So, you won't see the IP address of your router in this packet.

NOW, WHAT DOES YOUR ROUTER DO?

IF your router has "only" 2 interfaces (one into your local network 192.168.1.0; the other into an internet network from your provider), then your router has a default route to your provider and a specific route into your local network.

7. Again: your router gets a packet with target IP address 8.8.8.8 and source IP address 192.168.1.7

8. Your router "throws away" the old MAC addresses of this packet (layer 2) and copies the rest of the data onto a NEW pair of MAC addresses =>

```
Layer 2: TO MAC provider FROM MAC router-if-2 [...] Layer 3: SRC IP 192.168.1.7 TARGET IP 8.8.8.8
```

and sends this to the next hop in your provider's network (ok, there are some more fields which must be changed also, like the checksum at the end of the packet)...

... This would be the USUAL behavior IF ... if your IP address were a global internet IP address. But you have a private IP address:

https://en.wikipedia.org/wiki/IP_address#Private_addresses

A private IP address is not allowed to be routed into the internet and therefore your router must do something we call NAT: network address translation. Now your router not only changes layer 2; it changes the SOURCE IP address in layer 3 as well. Your router sets its own GLOBAL IP address as SRC address in layer 3 and sends this new packet out to your provider - PLUS - your router keeps in mind that all answers from 8.8.8.8 should go to IP address 192.168.1.7. This packet now looks like (a.b.c.d is the global internet IP address of your router) =>

```
Layer 2: TO MAC provider FROM MAC router-if-2 [...] Layer 3: SRC IP a.b.c.d TARGET IP 8.8.8.8
```

This change is called SNAT (source network address translation); most routers change not only this, they also change the port number in the layer-4 protocols. This is called NAPT (network address and port translation) -OR- SNAPT -OR- SNAT/PAT -OR- ... IP masquerading.

https://en.wikipedia.org/wiki/Network_address_translation

The way back:

9. Your router receives a packet from your provider with this data =>

```
Layer 2: TO MAC router-if-2 FROM MAC provider [...] Layer 3: SRC IP 8.8.8.8 TARGET IP a.b.c.d
```

10. Your router knows: this is not for me, it is for host 192.168.1.7, and therefore changes the target IP address back to your host's IP address (PLUS, again, the layer 2 addresses, because it is sent out on the other (inner) interface) =>

```
Layer 2: TO MAC mine FROM MAC router-if-1 [...] Layer 3: SRC IP 8.8.8.8 TARGET IP 192.168.1.7
```

(If you now think, if there is a SNAT, then there must exist a DNAT also, then you are absolutely on the right way. DNAT is used if you have a server in your private network, which must be reached from the internet side. In an ADSL-Modem/-Router this is called: "Port forwarding"; and it is the same as DNAT/PAT)

Now go back to ipfilter !

The kernel provides two mechanisms in its netfilter submodules: Filtering packets and Changing packets.

With filtering you can do FireWalling; and with "Changing" you can do NAT   (... and of course you can do both, if you want).

Filtering you can do ALWAYS. On your local Computer, then it's called a "Personal FireWall". On a Router, then it is a FireWall for a whole network segment.

NATing you can do only on Stations with at least two interfaces ... 

... you CAN do it, when your router connects two networks with PRIVATE IP addresses, and

... you MUST DO it, if you want to connect a network with PRIVATE IP addresses (directly) to the Internet.

Now go back to your ADSL-MODEM/-Router.

Usually this Router does the NATting for you (because it must). On the private side of this router you have at least ONE PRIVATE network. Mostly 192.168.x.0; some routers allow setting other PRIVATE network ranges, like 10.0.0.0 or 172.16.0.0-172.31.0.0. "High-end routers" allow more than ONE private network, so you can set e.g. 10.0.1.0 on eth1 of this router, and 10.0.2.0 on eth2, and 172.20.0.0 on eth3 (.. and so on). Your ADSL-Router doesn't allow this. You can only set ONE private network. As far as I know, you have 192.168.1.0.

Now you want to set a "private" Router between your private network and your ADSL-Router. What will be the problem ?

Your "private" Router has two sides: The side 192.168.1.0 (to your ADSL) and another side ... let's say 10.0.0.0. (of course you have enabled "forwarding" in your private router). What happens when a host with 10.0.0.7 sends a packet to 8.8.8.8 ?

Look above. These two addresses will be in layer-3 of the IP header. When your "private" router just does routing, this packet gets to your ADSL-Router unchanged (on layer-3). But your ADSL-Router doesn't know anything about a network 10.0.0.0 or a host 10.0.0.7. It can do NATting only for hosts in network 192.168.1.0.

So, the solution is ... you must do NATting also in your "private" router: From 10.0.0.0 to 192.168.1.0 ... with netfilter/iptables.

If this is done ... the LAST STEP (if you want) is FILTERING (as Neddy said absolutely correct: First the network, then NAT and at last filtering).

(I hope this will help you; if not or if you have more questions, please let me know)

----------
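
A toy model of the translation table that steps 8 to 10 above describe, added here as an illustration; it is not code from this thread or from netfilter. It keeps the thread's 192.168.1.7 -> 8.8.8.8 flow, uses the constructed address 203.0.113.5 in place of the router's public "a.b.c.d" and 198.51.100.9 as a constructed internet host, and models only the layer 3/4 fields (layer 2 rewriting and checksum recomputation are left out). It shows the two things the explanation hinges on: outbound packets get a fresh public source port (SNAT/PAT), and the router keeps a reverse entry so the answer from 8.8.8.8 finds its way back to 192.168.1.7, while an unsolicited inbound packet is dropped unless a static DNAT ("port forwarding") entry exists for it.

```python
"""Toy NAPT (IP masquerading) table: SNAT/PAT on the way out, reverse mapping on
the way back, static DNAT for unsolicited inbound connections.  Constructed
example; addresses 203.0.113.5 and 198.51.100.9 are placeholders."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"; ICMP echo would use the echo id the same way
    src: str
    sport: int
    dst: str
    dport: int


class Napt:
    def __init__(self, public_ip: str, first_port: int = 1024) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # private 5-tuple -> public source port chosen for it
        self.out_map: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, public port, remote ip, remote port) -> (private ip, private port)
        self.in_map: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        # (proto, public port) -> (private ip, private port): static DNAT entries
        self.forwards: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def add_port_forward(self, proto: str, public_port: int,
                         private_ip: str, private_port: int) -> None:
        self.forwards[(proto, public_port)] = (private_ip, private_port)

    def _remember(self, proto: str, priv_ip: str, priv_port: int,
                  remote_ip: str, remote_port: int, pub_port: int) -> None:
        # both directions are stored, which is what a conntrack entry holds
        self.out_map[(proto, priv_ip, priv_port, remote_ip, remote_port)] = pub_port
        self.in_map[(proto, pub_port, remote_ip, remote_port)] = (priv_ip, priv_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Private -> internet: rewrite the source to the public address (SNAT/PAT)."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        pub_port = self.out_map.get(key)
        if pub_port is None:
            pub_port = self.next_port          # fresh port, so two hosts never collide
            self.next_port += 1
            self._remember(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport, pub_port)
        return replace(pkt, src=self.public_ip, sport=pub_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> private: reply to a known mapping, or a DNAT'd new connection.
        Returns None when nothing matches; such a packet has nowhere to go."""
        if pkt.dst != self.public_ip:
            return None
        hit = self.in_map.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if hit is not None:
            priv_ip, priv_port = hit
            return replace(pkt, dst=priv_ip, dport=priv_port)
        fwd = self.forwards.get((pkt.proto, pkt.dport))
        if fwd is not None:
            priv_ip, priv_port = fwd
            # store the mapping so the server's answer is SNATed back to ip:public port
            self._remember(pkt.proto, priv_ip, priv_port, pkt.src, pkt.sport, pkt.dport)
            return replace(pkt, dst=priv_ip, dport=priv_port)
        return None


if __name__ == "__main__":
    nat = Napt("203.0.113.5")
    out = nat.outbound(Packet("udp", "192.168.1.7", 40000, "8.8.8.8", 53))
    print("out :", out)
    print("back:", nat.inbound(Packet("udp", "8.8.8.8", 53, "203.0.113.5", out.sport)))
    print("cold:", nat.inbound(Packet("tcp", "198.51.100.9", 5555, "203.0.113.5", 22)))
```

The "cold" inbound packet in the demo is the reason a NATing router hides the private network even before any filtering rule exists: without a matching entry there is no private address to rewrite the destination to.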

## pietinger

P.S.: Of course there is another possible way you can go, but I don't want to confuse you too much (you could do bridging in your "private" router between a private network 192.168.1.0 and your ADSL. Then your "router" would be only a firewall-and-bridge but not a router).

----------

## Tony0945

Pietinger,  thank you again for the detail. I do recall now that the packets are nested (layered). I didn't realize the MAC addresses were in anything but dhcp packets.

Many, maybe most, commercial routers use 192.168.1.x network. DLink uses 192.168.0.x with the router defaulting to 192.168.0.1

I have never changed the address. I have another router on the network, a Buffalo N600, but it has been put into Access Point mode (a simple button on the setup screen) and I gave it the fixed address of 192.168.0.3  That's all needed to use it as a wireless access point. It was nice and cheap and dual band. The 2.4 band is crowded by my house but the 5.0 band is relatively empty. 

It sounds like forwarding won't work without NATing. Is that correct?

EDIT:

I do bridge virtual machines on one workstation, but again, that was just checking a box on the Virtualbox setup screen.

----------

## Hu

Forwarding can work without NAT, if certain conditions are met.  Each side must have a route which can return the traffic to the other.  To facilitate this, there can be no overlap of addresses, since otherwise the routes for the traffic within one group would conflict with the routes for returning traffic to the peer group.

----------

## Tony0945

Spent 5 hours screwing around with this this morning. Did some more reading and came up with this. I hope someone can interpret it for me.

On a Windows XP computer, address 192.168.0.100, I puTTY'd into the k6 at address 192.168.0.199

In a separate window on the XP, I puTTY'd into a Gentoo computer at 192.168.104. I had already from the morning added a route from that computer to the laptop using "ip route ..." (don't have my notes handy, they are at that computer).  From the Gentoo computer (via puTTY) I pinged 192.168.0.199 (the k6 on its 192.168... address) (got responses) and also 10.0.0.110 (the laptop) no response.

```

k6 ~ # cat /proc/net/nf_conntrack

ipv4     2 icmp     1 29 src=192.168.0.104 dst=192.168.0.199 type=8 code=0 id=5108 src=192.168.0.199 dst=192.168.0.104 type=0 code=0 id=5108 mark=0 use=2

ipv4     2 icmp     1 14 src=192.168.0.104 dst=10.0.0.110 type=8 code=0 id=5102 [UNREPLIED] src=10.0.0.110 dst=192.168.0.104 type=0 code=0 id=5102 mark=0 use=2

ipv4     2 tcp      6 299 ESTABLISHED src=192.168.0.100 dst=192.168.0.199 sport=21489 dport=22 src=192.168.0.199 dst=192.168.0.100 sport=22 dport=21489 [ASSURED] mark=0 use=2

ipv4     2 unknown  2 539 src=192.168.0.1 dst=224.0.0.1 [UNREPLIED] src=224.0.0.1 dst=192.168.0.1 mark=0 use=2

```

  Duh! I had shut the laptop off in frustration at noon!

So, turned back on added (Windows command) "route add 192.168.104 10.0.0.1" verified with "route show" that it took.

Again pinged the k6 and the laptop

```
k6 ~ # cat /proc/net/nf_conntrack

ipv4     2 icmp     1 29 src=192.168.0.104 dst=10.0.0.110 type=8 code=0 id=5179 [UNREPLIED] src=10.0.0.110 dst=192.168.0.104 type=0 code=0 id=5179 mark=0 use=2

ipv4     2 udp      17 0 src=10.0.0.110 dst=10.0.0.255 sport=137 dport=137 [UNREPLIED] src=10.0.0.255 dst=10.0.0.110 sport=137 dport=137 mark=0 use=2

ipv4     2 udp      17 1 src=10.0.0.110 dst=10.0.0.1 sport=53633 dport=53 src=10.0.0.1 dst=10.0.0.110 sport=53 dport=53633 mark=0 use=2

ipv4     2 udp      17 1 src=10.0.0.110 dst=192.168.0.40 sport=49154 dport=161 [UNREPLIED] src=192.168.0.40 dst=10.0.0.110 sport=161 dport=49154 mark=0 use=2

ipv4     2 tcp      6 115 SYN_SENT src=10.0.0.110 dst=172.217.6.3 sport=49168 dport=443 [UNREPLIED] src=172.217.6.3 dst=10.0.0.110 sport=443 dport=49168 mark=0 use=2

ipv4     2 udp      17 26 src=192.168.0.104 dst=192.168.0.255 sport=137 dport=137 [UNREPLIED] src=192.168.0.255 dst=192.168.0.104 sport=137 dport=137 mark=0 use=2

ipv4     2 tcp      6 299 ESTABLISHED src=192.168.0.100 dst=192.168.0.199 sport=21489 dport=22 src=192.168.0.199 dst=192.168.0.100 sport=22 dport=21489 [ASSURED] mark=0 use=2

ipv4     2 icmp     1 16 src=192.168.0.104 dst=192.168.0.199 type=8 code=0 id=5175 src=192.168.0.199 dst=192.168.0.104 type=0 code=0 id=5175 mark=0 use=2

ipv4     2 tcp      6 100 SYN_SENT src=10.0.0.110 dst=172.217.6.3 sport=49167 dport=443 [UNREPLIED] src=172.217.6.3 dst=10.0.0.110 sport=443 dport=49167 mark=0 use=2

ipv4     2 unknown  2 580 src=192.168.0.1 dst=224.0.0.1 [UNREPLIED] src=224.0.0.1 dst=192.168.0.1 mark=0 use=2

```

I have no idea who 192.168.0.40 is.

----------

## NeddySeagoon

Tony0945,

Post the following for all three systems and tell us which is which.

```
ifconfig 
```

```
route -n
```

ping relies on working routing both ways. That's hard to get right until you have done it a few times.

If you put wireshark on one end and ping from the other, you can see if pings are received or not.

If there are no unidirectional pings, move wireshark up the pipe until you discover where it's getting lost.

----------

## Tony0945

Computer named MSI. This is a Gentoo desktop, kernel 5.4.42. It is on the original 192.168.0.x network. It is connected to the k6 computer's port named wan0 (intel e1000) via a 10-port switch, as is the Dlink router at 192.168.0.1 and a bunch of other computers.

```
 ~ # ifconfig

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

        inet 192.168.0.104  netmask 255.255.255.0  broadcast 192.168.0.255

        ether 30:9c:23:1b:42:51  txqueuelen 1000  (Ethernet)

        RX packets 5200456  bytes 3120888617 (2.9 GiB)

        RX errors 0  dropped 22  overruns 0  frame 0

        TX packets 18345441  bytes 23622221906 (21.9 GiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536

        inet 127.0.0.1  netmask 255.0.0.0

        loop  txqueuelen 1000  (Local Loopback)

        RX packets 667679  bytes 155942818 (148.7 MiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 667679  bytes 155942818 (148.7 MiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

MSI ~ # route -n

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

0.0.0.0         192.168.0.1     0.0.0.0         UG    2      0        0 eth0

10.0.0.0        192.168.0.199   255.255.255.0   UG    0      0        0 eth0

10.0.0.110      192.168.0.199   255.255.255.255 UGH   0      0        0 eth0

127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo

192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

```

This is the k6 computer being used as a pseudo-router. Our target. Kernel 4.4.212. It has two ethernets, an Intel PCI card attached to MSI via the switch and labeled "wan0" by eudev MAC address rule. It also has an onboard realtek 8139too labeled lan0 by eudev MAC address rule. 

```
k6 ~ # ifconfig

lan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

        inet 10.0.0.1  netmask 255.255.255.0  broadcast 10.0.0.255

        ether 90:e2:ba:ed:ef:4c  txqueuelen 1000  (Ethernet)

        RX packets 1003  bytes 98353 (96.0 KiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 792  bytes 89718 (87.6 KiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536

        inet 127.0.0.1  netmask 255.0.0.0

        loop  txqueuelen 1  (Local Loopback)

        RX packets 1  bytes 76 (76.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 1  bytes 76 (76.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

        inet 192.168.0.199  netmask 255.255.255.0  broadcast 192.168.0.255

        ether 00:50:bf:ed:e3:14  txqueuelen 1000  (Ethernet)

        RX packets 6898  bytes 567426 (554.1 KiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 3257  bytes 325315 (317.6 KiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

k6 ~ # route -n

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

0.0.0.0         192.168.0.1     0.0.0.0         UG    2      0        0 wan0

10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 lan0

127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo

192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 wan0

```

 I'll have to take a USB stick and get the equivalents from the laptop attached to the lan0 port.

```

                                                                four other computers 

                                                                      | | | | 

------------                  ---------------------------            _|_|_|_|_        ___________        

|           |  10.0.0.0/24   |                           |          |        |       |          |

| laptop    |--------------- | lan0      k6         wan0 |----------| switch |-------|    MSI   | 

|           |                |                           |          |______ _|       |__________|

------------                  ---------------------------|               | 

                                                                         |

                                                                         |

                                                           Dlink router (network 192.168.0.0/24)

                                                                         |

                                                                         |

                                                                    Cable modem 

```

You can see why I switched from Mechanical Engineering to Physics Freshman year.

Equations - oui Drawings - non

----------

## Tony0945

k6 kernel config   https://pastebin.com/MqWTkcNm

EDIT:

Windows ipconfig from laptop: 

```

Windows IP Configuration

Wireless LAN adapter Wireless Network Connection:

   Media State . . . . . . . . . . . : Media disconnected

   Connection-specific DNS Suffix  . : Road2hell

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : 

   Link-local IPv6 Address . . . . . : fe80::9909:5142:9d19:6481%10

   IPv4 Address. . . . . . . . . . . : 10.0.0.110

   Subnet Mask . . . . . . . . . . . : 255.255.255.0

   Default Gateway . . . . . . . . . : 10.0.0.1

Tunnel adapter isatap.{C05AD519-926E-46DA-A286-D6B3A0E85834}:

   Media State . . . . . . . . . . . : Media disconnected

   Connection-specific DNS Suffix  . : 

Tunnel adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected

   Connection-specific DNS Suffix  . : 

Tunnel adapter 6TO4 Adapter:

   Media State . . . . . . . . . . . : Media disconnected

   Connection-specific DNS Suffix  . : 

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected

   Connection-specific DNS Suffix  . : 

```

laptop Windows "route print"

```
===========================================================================

Interface List

 12...18 f4 6a 9e 5e c2 ......Qualcomm Atheros AR9285 802.11b/g/n WiFi Adapter

 10...78 ac c0 55 9e f2 ......Realtek PCIe FE Family Controller

  1...........................Software Loopback Interface 1

 17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter

 11...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter

 15...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter #2

 13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface

===========================================================================

IPv4 Route Table

===========================================================================

Active Routes:

Network Destination        Netmask          Gateway       Interface  Metric

          0.0.0.0          0.0.0.0         10.0.0.1       10.0.0.110     20

         10.0.0.0    255.255.255.0         On-link        10.0.0.110    276

       10.0.0.110  255.255.255.255         On-link        10.0.0.110    276

       10.0.0.255  255.255.255.255         On-link        10.0.0.110    276

        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306

        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306

  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306

    192.168.0.104  255.255.255.255         10.0.0.1       10.0.0.110     21

        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306

        224.0.0.0        240.0.0.0         On-link        10.0.0.110    276

  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306

  255.255.255.255  255.255.255.255         On-link        10.0.0.110    276

===========================================================================

Persistent Routes:

  None

IPv6 Route Table

===========================================================================

Active Routes:

 If Metric Network Destination      Gateway

  1    306 ::1/128                  On-link

 10    276 fe80::/64                On-link

 10    276 fe80::9909:5142:9d19:6481/128

                                    On-link

  1    306 ff00::/8                 On-link

 10    276 ff00::/8                 On-link

===========================================================================

Persistent Routes:

  None

```

----------

## Hu

For the system you are attempting to ping (the Windows XP laptop), is its Windows Firewall sufficiently permissive?  You may have the network topology correct, and be suffering from the Windows system refusing to respond to the pings that it receives.

----------

## Tony0945

 *Hu wrote:*   

> For the system you are attempting to ping (the Windows XP laptop), is its Windows Firewall sufficiently permissive?  You may have the network topology correct, and be suffering from the Windows system refusing to respond to the pings that it receives.

 

Good point! I'll try shutting down the Firewall. it's Win 7 pre-installed so it might be on.

----------

## NeddySeagoon

Tony0945,

That's mostly OK.

The laptop has an IP of 10.0.0.110.

and routes to 

```
10.0.0.0    255.255.255.0

192.168.0.104  255.255.255.255
```

That 192.168.0.104   255.255.255.255 is a host route, not a net route so the laptop can only reach 192.168.0.104 , not the entire 192.168.0.0 subnet.

That will matter later. It's OK now if 192.168.0.104 is the only host in the 192.168.0.0 subnet that you want to test with.

ping 192.168.0.104 will send packets to  192.168.0.104  with a return address of 10.0.0.110.

Wireshark on 192.168.0.104 should show those packets arriving.

The default route on 192.168.0.104 will send packets addressed to 10.0.0.110 to your router at 192.168.0.1, which will drop them.

To get packets back to 10.0.0.110,  192.168.0.104 needs to know how to route them. Does it?

That's why I wanted 

```
ifconfig
```

 and 

```
route -n
```

from all three boxes involved in the test.

----------

## Tony0945

The Windows Firewall was set completely open for local networks, shut for all but a few programs to the public network.

Apparently stupid Windows doesn't recognize 192.168 addresses as local network, even though a few months ago I used the same laptop to contact a Gentoo television server and watch the program. I suppose Windows uses DHCP to get its LAN info and at that time both machines were plugged into the same LAN. 

I shut the public Firewall completely off and now can ping the laptop from MSI through the k6 (refer to diagram above). I could add the routes to the computer at 192.168.0.102 which is running an apache2 web server and see if I can access it, but I think I need NAT for that, correct?

So, is adding NAT the next step? DNAT or SNAT? I never knew there were two kinds of NAT. Pietinger's explanations above made it much clearer to me how NAT works (or could work). I never knew how the NATing machine kept packets straight. Knowing that the MAC address is embedded makes it much clearer. The incoming packets are checked against a table of MAC addresses and real local IP addresses. These are broadcast all the time from the dhcp server according to wireshark. So the router doesn't have to keep track of what he sent out, only the local dhcp MAC/ip table, substituting the real ip address and recomputing the checksums. Only about a page of C code. That's how I would do it anyway.

```
MSI ~ # ping 10.0.0.110

PING 10.0.0.110 (10.0.0.110) 56(84) bytes of data.

64 bytes from 10.0.0.110: icmp_seq=1 ttl=127 time=0.916 ms

64 bytes from 10.0.0.110: icmp_seq=2 ttl=127 time=1.32 ms

64 bytes from 10.0.0.110: icmp_seq=3 ttl=127 time=0.764 ms

^C

--- 10.0.0.110 ping statistics ---

3 packets transmitted, 3 received, 0% packet loss, time 2021ms

rtt min/avg/max/mdev = 0.764/1.001/1.323/0.235 ms

MSI ~ # ssh gayle@10.0.0.110

ssh: connect to host 10.0.0.110 port 22: Connection refused

```

  I'm not even sure that it's possible to ssh into a Windows box. I use portable puTTY from Windows to connect to Linux.  It would have been a lot easier to test this if I had a Gentoo drive to pop onto the laptop. At least I know how to install Gentoo!  :Smile: 

```
k6 ~ # cat /proc/net/nf_conntrack

ipv4     2 icmp     1 24 src=192.168.0.104 dst=10.0.0.110 type=8 code=0 id=8668 src=10.0.0.110 dst=192.168.0.104 type=0 code=0 id=8668 mark=0 use=2

ipv4     2 udp      17 19 src=10.0.0.110 dst=192.168.0.40 sport=49154 dport=161 [UNREPLIED] src=192.168.0.40 dst=10.0.0.110 sport=161 dport=49154 mark=0 use=2

ipv4     2 udp      17 18 src=192.168.0.3 dst=192.168.0.255 sport=138 dport=138 [UNREPLIED] src=192.168.0.255 dst=192.168.0.3 sport=138 dport=138 mark=0 use=2

ipv4     2 tcp      6 299 ESTABLISHED src=192.168.0.100 dst=192.168.0.199 sport=21489 dport=22 src=192.168.0.199 dst=192.168.0.100 sport=22 dport=21489 [ASSURED] mark=0 use=2

ipv4     2 unknown  2 556 src=192.168.0.1 dst=224.0.0.1 [UNREPLIED] src=224.0.0.1 dst=192.168.0.1 mark=0 use=2

```

 192.168.3  is a wireless AP on the regular LAN. 192.168.0.1 is the Dlink router. I have NO idea who 192.168.0.40 is. Possibly the 10 port switch?

port 161 is SNMP ? Port 138 is netBios, that's a reply to broadcast isn't it?

----------
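
The /proc/net/nf_conntrack dumps in the two posts above (the first one asked for an interpretation) follow a fixed layout: layer-3 and layer-4 protocol with their numbers, the remaining timeout in seconds, an optional TCP state, the original-direction tuple, the expected reply tuple, and bracketed flags. [UNREPLIED] means the kernel has only ever seen packets in the original direction; [ASSURED] means both directions were seen and the entry is protected from early eviction. The "unknown 2" entry is IP protocol 2, IGMP, which is why its destination is the all-hosts multicast group. This small parser is an added example, not code from the thread; the sample lines are copied from the k6 output above, and the set of "local" addresses is the k6's two interface addresses from its ifconfig output. The check at the end picks out forwarded flows that never got an answer, which for a ping is the symptom Hu and NeddySeagoon describe: the outbound path works, the return route (or the far host's firewall) does not.

```python
"""Parse /proc/net/nf_conntrack lines and flag forwarded flows with no reply.
Added example; sample lines copied from the thread, local_ips from the k6."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

TUPLE_KEYS = {"src", "dst", "sport", "dport", "type", "code", "id"}  # per-direction keys
PROTO_NAMES = {2: "igmp"}   # conntrack prints "unknown <num>" for protocols without a name


@dataclass
class Flow:
    l4proto: str
    timeout: int                                         # seconds until the entry expires
    state: Optional[str]                                 # ESTABLISHED, SYN_SENT, ... (TCP only)
    orig: Dict[str, str] = field(default_factory=dict)   # direction the entry was created in
    reply: Dict[str, str] = field(default_factory=dict)  # tuple the kernel expects back
    flags: Set[str] = field(default_factory=set)         # UNREPLIED, ASSURED, ...


def parse_conntrack_line(line: str) -> Optional[Flow]:
    tokens = line.split()
    if len(tokens) < 5:
        return None
    _l3, _l3num, l4proto, l4num, timeout = tokens[:5]
    rest = tokens[5:]
    if l4proto == "unknown":
        l4proto = PROTO_NAMES.get(int(l4num), "proto" + l4num)
    state = None
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        state = rest.pop(0)          # bare word before the first key=value is the TCP state
    flow = Flow(l4proto, int(timeout), state)
    current = flow.orig
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):
            flow.flags.add(tok[1:-1])
            continue
        key, _, value = tok.partition("=")
        if key == "src" and "src" in flow.orig and current is flow.orig:
            current = flow.reply     # the second src= begins the reply tuple
        if key in TUPLE_KEYS:
            current[key] = value     # mark=, use= describe the whole entry; skipped here
    return flow


def describe(f: Flow) -> str:
    o = f.orig
    if f.l4proto == "icmp":
        return f"icmp {o['src']} -> {o['dst']} (echo id {o.get('id', '?')})"
    if "sport" in o:
        return f"{f.l4proto} {o['src']}:{o['sport']} -> {o['dst']}:{o['dport']}"
    return f"{f.l4proto} {o['src']} -> {o['dst']}"


def parse_table(text: str) -> List[Flow]:
    return [f for f in (parse_conntrack_line(l) for l in text.splitlines()) if f]


def summarize(text: str) -> Dict[str, List[str]]:
    """Split entries into one-way (UNREPLIED) and two-way flows."""
    flows = parse_table(text)
    return {"unreplied": [describe(f) for f in flows if "UNREPLIED" in f.flags],
            "two_way": [describe(f) for f in flows if "UNREPLIED" not in f.flags]}


def forwarded_without_reply(text: str, local_ips: Set[str]) -> List[str]:
    """Flows the router forwarded (neither end is the router) that never saw a
    packet back: the outbound leg worked, the return path did not."""
    out = []
    for f in parse_table(text):
        if "UNREPLIED" not in f.flags:
            continue
        src, dst = f.orig["src"], f.orig["dst"]
        if src in local_ips or dst in local_ips:
            continue                                     # to/from the router itself
        if ipaddress.ip_address(dst).is_multicast:
            continue                                     # seen on an interface, not forwarded
        out.append(describe(f))
    return out


# Sample copied from the k6's nf_conntrack output in the thread (selected lines).
SAMPLE = """\
ipv4     2 icmp     1 29 src=192.168.0.104 dst=10.0.0.110 type=8 code=0 id=5179 [UNREPLIED] src=10.0.0.110 dst=192.168.0.104 type=0 code=0 id=5179 mark=0 use=2
ipv4     2 udp      17 1 src=10.0.0.110 dst=10.0.0.1 sport=53633 dport=53 src=10.0.0.1 dst=10.0.0.110 sport=53 dport=53633 mark=0 use=2
ipv4     2 udp      17 1 src=10.0.0.110 dst=192.168.0.40 sport=49154 dport=161 [UNREPLIED] src=192.168.0.40 dst=10.0.0.110 sport=161 dport=49154 mark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=10.0.0.110 dst=172.217.6.3 sport=49168 dport=443 [UNREPLIED] src=172.217.6.3 dst=10.0.0.110 sport=443 dport=49168 mark=0 use=2
ipv4     2 tcp      6 299 ESTABLISHED src=192.168.0.100 dst=192.168.0.199 sport=21489 dport=22 src=192.168.0.199 dst=192.168.0.100 sport=22 dport=21489 [ASSURED] mark=0 use=2
ipv4     2 unknown  2 580 src=192.168.0.1 dst=224.0.0.1 [UNREPLIED] src=224.0.0.1 dst=192.168.0.1 mark=0 use=2
"""
K6_LOCAL_IPS = {"192.168.0.199", "10.0.0.1"}   # the k6's wan0 and lan0 addresses

if __name__ == "__main__":
    for kind, entries in summarize(SAMPLE).items():
        print(kind, *entries, sep="\n  ")
    print("forwarded, no reply:", *forwarded_without_reply(SAMPLE, K6_LOCAL_IPS), sep="\n  ")
```

On a live box the same functions can be fed `open("/proc/net/nf_conntrack").read()` instead of SAMPLE. The SNMP probe to port 161 shows up as forwarded-without-reply too, which is consistent with Tony0945's guess that some managed device on the 192.168.0.0/24 side is simply not answering.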

## NeddySeagoon

Tony0945,

Yes, now that that works, add NAT.

It must be SNAT, as you want to NAT outgoing packets.

I use DNAT to do NAT on incoming packets to send them to various KVMs.

----------

## Tony0945

This is probably obvious to you but this is what I found.

I could not access the webpage at 192.168.0.102, but when I added a route to 10.0.0.110 with the same commands I used on MSI, I can reach the webpage from the laptop and to my surprise the address bar changed from 192.168.0.102 to its FQDN. So, on to researching adding NAT.

----------

## NeddySeagoon

Tony0945,

Once NAT is going, the k6-2 will NAT all the 10.0.0.0 packets, so they will appear to originate from the k6-2 itself.

You will no longer need the 10.0.0.0 routes on the systems in the 192.168.0.0 net.

----------

## Tony0945

FANTASTIC!   I ran the following command on the k6 "iptables -t nat -A POSTROUTING -p tcp -o wan0 -j SNAT --to 198.168.0.199"

I even think I understand it. I then went down into the basement and told the laptop's Pale Moon browser to check for updates. It checked, found one (I knew it would), downloaded it.

I was then at Pale Moon's web site at the page describing the changes. I typed forums.gentoo.org into the address bar and got the forum login page. Unfortunately I don't remember my password, a random hex number, so I had to come back upstairs to post this. But I'm positive I could have logged in. My browser remembers the password, I'll jot it down and put it in the laptop browser and save it.

At this point we are double NATed and the default POLICY is ACCEPT, but I'm relying on the DLink's firewall to stop unwanted incoming traffic.

Is the --to clause required? I made it a shell variable so it can be changed at one place "iptables -t nat -A POSTROUTING -p tcp -o wan0 -j SNAT --to ${WAN0_ADDRESS}"

Hmmm! Can I ping 8.8.8.8? I doubt it because of the "-p tcp" I need another line with "-p icmp" don't I? Or I could maybe use "-p any"?

Last edited by Tony0945 on Tue Jun 02, 2020 3:45 pm; edited 1 time in total

----------

## NeddySeagoon

Tony0945

Raw IPTables ... shudder.  

I'll leave that to others.

----------

## Tony0945

 *NeddySeagoon wrote:*   

> Tony0945
> 
> Raw IPTables ... shudder.  
> 
> I'll leave that to others.

 

On the laptop.   

When NeddySeagoon shudders, angels fear to tread. Not that I'm an angel. Just ask my wife and daughter. My grandsons, that's a different story. They always come to me when they are in trouble.

Is it time to re-try shorewall now that I know rules that work?

----------

## pietinger

 *Tony0945 wrote:*   

> FANTASTIC!   I ran the following command on the k6 "iptables -t nat -A POSTROUTING -p tcp -o wan0 -j SNAT --to 198.168.0.199"
> 
> I even think I understand it.

 

My congratulations! Now we make it better ...  :Wink: 

 *Tony0945 wrote:*   

> Hmmm! Can I ping 8.8.8.8? I doubt it because of the "-p tcp" I need another line with "-p icmp" don't I? Or I could maybe use "-p any"?

 

Better ... just omit it; it isn't needed  :Smile: 

 *Tony0945 wrote:*   

> Is the --to clause required? I made it a shell variable so it can be changed at one place "iptables -t nat -A POSTROUTING -p tcp -o wan0 -j SNAT --to ${WAN0_ADDRESS}"

 

When you are doing SNAT, THEN it is required. When using Masquerading, you must not / can not set a --to clause, because the kernel sets the IP address automatically to the IP of the interface. Please try this instead of your command above:

```
iptables -t nat -A POSTROUTING -o wan0 -j MASQUERADE
```

Please check all your connections and tell me the results and then 2. tell me also what you want to filter in your Router.

In the meantime I consider whether I should write something about using user-defined chains.

But I think it will be easy for you to understand, because you are a programmer also. I can tell you in advance: It is the same as using subroutines (or functions) in a program. You don't write a subroutine for one or two commands. You write a subroutine only when it is worthwhile, not programming the same 10 lines again and again in your main program.

----------

## pietinger

 *Tony0945 wrote:*   

> Is it time to re-try shorewall now that I know rules that work?

 

I would suggest you wait a little bit. I will do the firewall with you (if you want).

----------

## NeddySeagoon

Tony0945,

That's your call.  Everyone else but me in this topic appears to support writing IPtables rules.

Does this reddit post matter?

----------

## pietinger

 *Tony0945 wrote:*   

> At this point we are double NATed and the default POLICY is ACCEPT, but I'm relying on the DLINk's firewall to stop unwanted incoming traffic.

 

With your actual setup you can only secure your windows laptop.

If you want to use your K6 as FireWall for ALL your computers you have to rearrange your network =>

```

                                                                four other computers 

                                                                         | | | 

                          +-------------------------------------------+

------------              |   ---------------------------            _|_|_|_|_        ___________        

|           |  10.0.0.0/24|  |                           |          |        |       |          |

| laptop    |-------------+  | lan0      k6         wan0 |         -| switch |-------|    MSI   | 

|           |                |                           |<--+      |______ _|       |__________|

------------                  ---------------------------|   |           |  

                               |                             |           |

                               +-----------------------------------------+

                                                             |                               

                                                             +-----------+

                                                                         |

                                                           Dlink router (network 192.168.0.0/24)

                                                                         |

                                                                         |

                                                                    Cable modem                                                                    

```

----------

## pietinger

 *pietinger wrote:*   

> Please try this instead your command above:
> 
> ```
> iptables -t nat -A POSTROUTING -o wan0 -j MASQUERADE
> ```
> ...

 

P.S.: Don't forget to delete your rule ... (iptables -F)

----------

## pietinger

User-defined Chains

For which constellations should you use one or more user-defined chains ?

If you are a programmer, you know what a subroutine or function is. And you also know when it is worthwhile to use a subroutine. A chain is something similar to a subroutine. You use it if you want to define the same rules for more than one "way" in your firewall. If you have a personal firewall (one interface), I can hardly find a reason to use a user-defined chain. At least you need two interfaces in your host. And even then it matters what you want to allow or disallow for every way a data packet could go. If you want your host acting as a passive firewall, you maybe didn't find enough rules which will be used doubled. Because you need 4 rules (doubled 8 ) to skimp 1 line. I explain:

You need one line for creating your user-defined chain with "iptables -N MYCHAIN",

PLUS 2 lines for jumping in it,

PLUS 4 lines you want to define.

= 7 lines

If you have 2 interfaces, but allow all outgoing traffic and filter only incoming traffic (e.g. from the internet), it is also hard to find doubled rules. And even if you filter your outgoing traffic from your LAN side to the internet, but don't allow your router outgoing traffic, it's hard to find doubled rules. So in my example we allow our workstations in our LAN AND our router some outgoing traffic: DNS, NTP, Ping, traceroute and ssh. Without a user-defined chain you would need 10 lines. With a user-defined chain we need 8 lines:

```
iptables -N MY

# we allow some outgoing protocols in our user-defined chain named MY

# DNS

iptables -A MY      -p udp --dport 53 -j ACCEPT

# NTP

iptables -A MY      -p udp --dport 123 -j ACCEPT

# pings

iptables -A MY      -p icmp --icmp-type 8/0 -j ACCEPT

# traceroute

iptables -A MY      -p udp --dport 33434:33524 -j ACCEPT

# ssh

iptables -A MY      -p tcp --dport 22 -j ACCEPT

# now we jump from our 2 ways we want to allow (accept) in our MY chain

# first we allow our router to do DNS, NTP, Ping, traceroute and ssh

iptables -A OUTPUT  -o $WAN -j MY

# then we allow all hosts in our LAN the same

iptables -A FORWARD  -i $LAN -j MY
```

(This example is not complete; its only for demonstration purposes)

If you ask me now, what if I want to allow my hosts in my LAN a little bit MORE than my router. What do I have to do then ?

The same as always: You allow it only for the way you want. (additionally/beside your chain)

```
# Allow all outgoing http and https without logging:

iptables -A FORWARD     -i $LAN -p tcp --dport 80 -j ACCEPT

iptables -A FORWARD     -i $LAN -p tcp --dport 443 -j ACCEPT
```

Before or after the jump to my CHAIN ?

You CAN set these rules before OR after your jump to your chain, but you SHOULD set the rules depending on which rule will be asked more often. For example: You have massive web browsing, then you should allow outgoing https traffic BEFORE you jump into your chains (in reality the performance difference in private installations is soooo little, it rather doesn't matter much).

Must I define the rules in my user chain before I jump in it ?

YES !

What does netfilter do when no rule in my chain was selected ?

Netfilter goes back, where it came from (there is an invisible "return") and matches the rules in the next lines ... and at the end it does the DEFAULT action if not even one rule matched.

----------
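
A small model of the chain traversal the post above describes, added as an illustration; it is not iptables code, never touches the kernel, and is not part of the thread. It rebuilds the post's MY chain with the same five rules and the two jumps (OUTPUT -o $WAN and FORWARD -i $LAN, with the thread's lan0/wan0 names), plus the extra http/https rules for the LAN, and walks constructed packets through it. `verdict()` returns the final decision together with the number of rules examined, which makes the two points at the end of the post concrete: a user chain that matches nothing falls back out (the "invisible return") and the walk continues with the next rule of the calling chain, ending in the chain policy; and placing a busy rule before the jump shortens the walk for that traffic.

```python
"""Model of netfilter chain traversal with a user-defined chain, jump and
implicit return.  Added illustration only; interface names are the thread's."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Pkt:
    proto: str
    in_if: Optional[str] = None       # -i
    out_if: Optional[str] = None      # -o
    dport: Optional[int] = None       # --dport
    icmp_type: Optional[int] = None   # --icmp-type


@dataclass
class Rule:
    target: str                               # ACCEPT, DROP, RETURN or a user chain
    proto: Optional[str] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    dports: Optional[Tuple[int, int]] = None  # (lo, hi) for --dport lo or lo:hi
    icmp_type: Optional[int] = None

    def matches(self, p: Pkt) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.in_if is not None and self.in_if != p.in_if:
            return False
        if self.out_if is not None and self.out_if != p.out_if:
            return False
        if self.dports is not None:
            if p.dport is None or not self.dports[0] <= p.dport <= self.dports[1]:
                return False
        if self.icmp_type is not None and self.icmp_type != p.icmp_type:
            return False
        return True


class FilterTable:
    def __init__(self, policy: str = "DROP") -> None:
        self.policy = policy                                   # iptables -P <chain> DROP
        self.chains: Dict[str, List[Rule]] = {"INPUT": [], "OUTPUT": [], "FORWARD": []}

    def new_chain(self, name: str) -> None:                    # iptables -N name
        self.chains[name] = []

    def append(self, chain: str, rule: Rule) -> None:          # iptables -A chain ...
        self.chains[chain].append(rule)

    def _walk(self, chain: str, p: Pkt, counter: List[int]) -> Optional[str]:
        for rule in self.chains[chain]:
            counter[0] += 1                                    # one more rule examined
            if not rule.matches(p):
                continue
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target
            if rule.target == "RETURN":
                return None
            verdict = self._walk(rule.target, p, counter)      # -j USERCHAIN
            if verdict is not None:
                return verdict
            # nothing matched inside the user chain: implicit RETURN, keep going here
        return None

    def verdict(self, chain: str, p: Pkt) -> Tuple[str, int]:
        """Final verdict and how many rules were examined to reach it."""
        counter = [0]
        v = self._walk(chain, p, counter)
        return (v if v is not None else self.policy, counter[0])


def build_example(lan: str = "lan0", wan: str = "wan0", https_first: bool = False) -> FilterTable:
    """The post's MY chain; https_first puts the web rules ahead of the jump."""
    t = FilterTable(policy="DROP")
    t.new_chain("MY")
    t.append("MY", Rule("ACCEPT", proto="udp", dports=(53, 53)))          # DNS
    t.append("MY", Rule("ACCEPT", proto="udp", dports=(123, 123)))        # NTP
    t.append("MY", Rule("ACCEPT", proto="icmp", icmp_type=8))             # ping
    t.append("MY", Rule("ACCEPT", proto="udp", dports=(33434, 33524)))    # traceroute
    t.append("MY", Rule("ACCEPT", proto="tcp", dports=(22, 22)))          # ssh
    web = [Rule("ACCEPT", in_if=lan, proto="tcp", dports=(80, 80)),
           Rule("ACCEPT", in_if=lan, proto="tcp", dports=(443, 443))]
    if https_first:
        for r in web:
            t.append("FORWARD", r)
    t.append("OUTPUT", Rule("MY", out_if=wan))      # the router's own traffic
    t.append("FORWARD", Rule("MY", in_if=lan))      # hosts in the LAN
    if not https_first:
        for r in web:
            t.append("FORWARD", r)
    return t


if __name__ == "__main__":
    t = build_example()
    for p in (Pkt("udp", in_if="lan0", out_if="wan0", dport=53),
              Pkt("tcp", in_if="lan0", out_if="wan0", dport=443),
              Pkt("tcp", in_if="lan0", out_if="wan0", dport=25),
              Pkt("tcp", out_if="wan0", dport=443)):
        print(p, "->", t.verdict("FORWARD" if p.in_if else "OUTPUT", p))
```

Note that the LAN's https packet is examined against all five MY rules before the dedicated rule after the jump accepts it, while the router's own https attempt on OUTPUT walks the same five rules and then hits the DROP policy, exactly the "a little bit MORE for the LAN than for the router" case.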

## nick_gentoo

 *NeddySeagoon wrote:*   

> Tony0945,
> 
> That's your call.  Everyone else but me in this topic appears to support writing IPtables rules.
> 
> Does this reddit post matter?

 

Hi, I'm not sure, what do you mean? I understood that your advice is to use Shorewall (which I also like, but after only a little use).

But the reddit post says that the development is stopping, so how do you propose to take this into account?

----------

## NeddySeagoon

nick_gentoo,

Shorewall is OSS, it's quite possible that other developers will take it on.

That's old news and I'm not up to date with the current status of the project.

I've been a shorewall user for almost 10 years, so I'll be reluctant to learn something new.

Someone new to Shorewall may want to look into its future before investing time in learning it.

That notice was on the Shorewall site at one time but it's gone now.

----------

## Tony0945

Meh! I run a lot of old software. The question is can I understand it enough to do EAPI updates when they occur?

At worst, I can do a generic build with an old portage and repackage it as a binary package, IF it doesn't depend on old libraries not consistent with new libraries.

I do like the logging with shorewall. None of the suggested methods on the internet are working correctly. They were aimed at Fedora/Ubuntu/Debian. Right now the k6 is not logging to any of /var/log/messages/ or /var/log/kern.log.

It's logging to dmesg. Shorewall logged to its own log.

----------

## nick_gentoo

I guess it's not so easy to look into shorewall's future today.

I had also started with an iptables-only script, like pietinger is describing, but for a single machine. I read about some iptables stuff, and yes, it made sense and it was pretty simple. But this was a script that only needed updates very rarely, maybe once every few years. And after a few years of not looking at it, it did not make so much sense anymore, and I had to go back to re-reading the iptables stuff.

And now I feel that, for a simple setup at least, the shorewall config files fit better with the little iptables stuff that is still stuck in my memory. But I can see that, if I worked with it on a daily basis, I could prefer the direct scripting approach.

----------

## NeddySeagoon

Tony0945,

Shorewall runs once at startup to set up IPTables then exits. It doesn't do logging itself because it's not running.

If you like its logging, it's the way it sets up the IPTables LOG target.

You can do the same thing by hand: look at what shorewall does and copy it.

----------

## Tony0945

Made another stab at shorewall.

Right off the bat, I find a discrepancy between the wiki and the shorewall documentation regarding the interfaces in the zones file.

The wiki puts the device name in the second column like this:

```
net     enp4s0          tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
```

The docs do this:

```
net     NET_IF          dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eth0
```

I'm following the docs:

```
net     NET_IF          dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,physical=wan0
loc     LOC_IF          dhcp,tcpflags,nosmurfs,routefilter,logmartians,physical=lan0
```

However, also note that I added dhcp to the second line per the wiki, not the docs.

The wiki adds this to /etc/shorewall/policy

```
dhcp,tcpflags,nosmurfs,routefilter,logmartians
```

The docs do not and I did not. If I understand correctly, that would open the firewall to internet manipulation which would be good for external maintenance but I do all maintenance locally.

Per the docs set /etc/shorewall/snat to:

```
MASQUERADE 192.168.0.0/8      wan0
```

Stopped_rules: I did not understand the syntax so I left the shorewall default.

Rules: The default looked good to me. Unsure whether to change net & loc to wan0 & lan0 so I didn't.

The wiki refers to file /etc/shorewall/masq but that file doesn't exist in 5.2.4.4

I made both the shorewall.conf wiki changes since my ISP does not support IPv6.

----------

## Tony0945

Started shorewall "service shorewall start". Didn't get kicked out of ssh. That's good.

Went down to the laptop. Couldn't ping anything. That's bad.  Examined the laptop. It's an HP 1444.

It actually has a built-in CD drive unlike my sister's netbook. I scared up the first sysrescuecd I could find, v 3.0.0.1.

I know I have much later versions but that's what was in the basement. It booted handily and net-setup eth0 (No persistent garbage in the old version). Ifconfig shows ip address 10.0.0.110. All good. But didn't get any farther with ping. Much encouraged that we can proceed with Gentoo Linux on all cable connections now.

Seeing this in dmesg on the k6 (lots and lots of lines)

```
[   35.990579] e1000: lan0 NIC Link is Up 100 Mbps Full Duplex, Flow Control: RX
[   35.997515] 8139too 0000:00:08.0 wan0: link up, 100Mbps, full-duplex, lpa 0xC5E1
[   36.649294] nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.
[238775.290288] xt_CT: No such helper "ftp"
[238775.331839] xt_CT: No such helper "ftp-0"
[238775.382619] xt_CT: No such helper "amanda"
[238775.567703] xt_CT: No such helper "snmp"
[238775.610281] xt_CT: No such helper "RAS"
[238804.983627] loc-fw REJECT IN=lan0 OUT= MAC=90:e2:ba:ed:ef:4c:78:ac:c0:55:9e:f2:08:00 SRC=10.0.0.110 DST=10.0.0.1 LEN=64 TOS=0x00 PREC=0x00 TTL=128 ID=30364 PROTO=UDP SPT=54402 DPT=53 LEN=44
[238804.985938] loc-fw REJECT IN=lan0 OUT= MAC=90:e2:ba:ed:ef:4c:78:ac:c0:55:9e:f2:08:00 SRC=10.0.0.110 DST=10.0.0.1 LEN=65 TOS=0x00 PREC=0x00 TTL=128 ID=30365 PROTO=UDP SPT=56181 DPT=53 LEN=45
[239064.933911] loc-fw REJECT IN=lan0 OUT= MAC=90:e2:ba:ed:ef:4c:78:ac:c0:55:9e:f2:08:00 SRC=10.0.0.110 DST=10.0.0.1 LEN=67 TOS=0x00 PREC=0x00 TTL=128 ID=30404 PROTO=UDP SPT=56159 DPT=53 LEN=47
[239064.942083] loc-fw REJECT IN=lan0 OUT= MAC=90:e2:ba:ed:ef:4c:78:ac:c0:55:9e:f2:08:00 SRC=10.0.0.110 DST=10.0.0.1 LEN=67 TOS=0x00 PREC=0x00 TTL=128 ID=30405 PROTO=UDP SPT=60114 DPT=53 LEN=47
[239079.952730] loc-fw REJECT IN=lan0 OUT= MAC=90:e2:ba:ed:ef:4c:78:ac:c0:55:9e:f2:08:00 SRC=10.0.0.110 DST=10.0.0.1 LEN=67 TOS=0x00 PREC=0x00 TTL=128 ID=30413 PROTO=UDP SPT=53243 DPT=53 LEN=47
```

Before shutting down shorewall with "service shorewall stop" I ran iptables -L with this result http://dpaste.com/18CX6RM

And /var/log/shorewall-init.log http://dpaste.com/2KPVDYT

----------

## pietinger

 *Tony0945 wrote:*   

> ```
> [...]tcpflags,nosmurfs,routefilter,logmartians,[...]
> ```
> ...

I don't know how Shorewall works, but I would like to see what it produces with these flags ...

... logmartians ... haha ... when it is what I think, then I would like to ask, who needs this (and who wants this), because I don't know anybody sitting before the log and saying: "hey, we have a martian here, great !" ...

 *Tony0945 wrote:*   

> ```
> MASQUERADE 192.168.0.0/8      wan0
> ```

I don't know why you try doing supernetting here, but it is wrong, because you could only use 16 bit. I would try /24 instead of /8.

Please show me the rules Shorewall made. I am very interested.

----------

## NeddySeagoon

Tony0945,

It looks like you have 3 zones net, loc and fw.

The REJECTed packets are DNS requests (DPT=53).

Why are they in the loc-fw chain?

```
Jun  5 11:38:17 Compiling /etc/shorewall/policy...
Jun  5 11:38:17    Policy for loc to net is ACCEPT using chain loc-net
Jun  5 11:38:17    Policy for net to fw is DROP using chain net-all
Jun  5 11:38:17    Policy for net to loc is DROP using chain net-all
Jun  5 11:38:17    Policy for fw to net is REJECT using chain all-all
Jun  5 11:38:17    Policy for fw to loc is REJECT using chain all-all
Jun  5 11:38:17    Policy for net to fw is REJECT using chain all-all
Jun  5 11:38:17    Policy for net to loc is REJECT using chain all-all
Jun  5 11:38:17    Policy for loc to fw is REJECT using chain all-all
Jun  5 11:38:17    Policy for loc to net is REJECT using chain all-all
```

Hmm, loc to net appears twice there. I would expect DNS requests to be in the loc to net chain.

----------

## Tony0945

 *pietinger wrote:*   

>  I would try /24 instead of /8

 

Argggh! That's what I meant to do. When my little grandson was in elementary school and screwed up bad, he would hang his little head and say "I don't know where my mind went."

 *pietinger wrote:*   

> Please show me the rules Shorewall made. I am very interested.

http://dpaste.com/18CX6RM

----------

## Tony0945

 *NeddySeagoon wrote:*   

> It looks like you have 3 zones net, loc and fw.

 

Should I move fw to loc per shorewall's webpage?

 *NeddySeagoon wrote:*   

> The REJECTed packets are DNS requests (DPT=53).
> 
> Why are they in the loc-fw chain?

I tried "ping www.gentoo.org" from the laptop.

I burned v 5.3.2 of sysrescuecd. Will do future work booting on this, saving Windows for last.

That laptop has a 320G 5400RPM Toshiba drive, really tempted to put that Crucial MX500 SSD in there. (wait wait Tony, one thing at a time)

----------

## pietinger

 *Tony0945 wrote:*   

> http://dpaste.com/18CX6RM

 

The rule "ctstate RELATED,ESTABLISHED" should be the first rule, because 99 % (or even more) of all traffic matches this rule.

Shorewall lets the kernel check 16 rules before this ... hard work ... poor kernel ...

Ok. It is because you set:

1. "smurf" ... this is TODAY not a topic, because no router forwards a broadcast-ping and the standard configuration of a host is also not to answer a broadcast-ping.

2. "tcpflags" ... nobody needs this.

3. "logmartians" ... nobody needs this.

Last edited by pietinger on Fri Jun 05, 2020 11:08 pm; edited 1 time in total

----------

## pietinger

I zeroed iptables 2 days ago. Look at my output chain and the numbers of packets:

- 1.117.000 in my 2nd rule: "ctstate RELATED,ESTABLISHED" (the first is allowing loopback)

- 9.000 packets altogether for the rest

```
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
2225K 3003M ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
1117K  122M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 4193  252K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 owner UID match 104
  296 17760 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 owner UID match 104
 4861  338K ACCEPT     udp  --  *      *       0.0.0.0/0            xxxxxxxxxxxxxx       udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxxxxxxxxxxxxx       tcp dpt:53
    1    63 ACCEPT     udp  --  *      *       0.0.0.0/0            xxxxxxxxxxxxxx       udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxxxxxxxxxxxxx       tcp dpt:53
   25  1500 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxxxxxxxxxxxxx       tcp dpt:995
   27  1620 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxxxxxxxxxxxxx       tcp dpt:995
   52  3120 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxxxxxxxxxxxxx       tcp dpt:995
   51  3060 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxxxxxxxxxxxxx       tcp dpt:995
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            xxxxxxxxxxxxxxx      tcp dpt:587
    2   152 ACCEPT     udp  --  *      *       0.0.0.0/0            xxxxxxxxxxxxxx       udp dpt:123
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 code 0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            xxxxxxxxxxxxxx
    2   120 LOG        all  --  *      *       0.0.0.0/0            xxxxxxxxxxxxxx       LOG flags 0 level 4 prefix "ACCEPT OUT spDYN "
    2   120 ACCEPT     all  --  *      *       0.0.0.0/0            xxxxxxxxxxxxxx
    0     0 LOG        all  --  *      *       0.0.0.0/0            xxxxxxxxxxxxxx       LOG flags 0 level 4 prefix "ACCEPT OUT XMPP "
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            xxxxxxxxxxxxxx
    0     0 LOG        all  --  *      *       0.0.0.0/0            77.86.229.90         LOG flags 0 level 4 prefix "ACCEPT OUT download QTWebKit "
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            77.86.229.90
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 LOG flags 0 level 4 prefix "ACCEPT OUT SSH "
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:11371 LOG flags 0 level 4 prefix "ACCEPT OUT HKP "
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:11371
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:33434:33524 LOG flags 0 level 4 prefix "ACCEPT OUT TRCR "
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:33434:33524
    2   120 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:873 LOG flags 0 level 4 prefix "ACCEPT OUT RSYNC "
    2   120 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:873
    6   240 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "REJECT !!! "
    6   240 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
```

This should show how important the sequence of rules is. And yes, I could optimize it a little bit more by changing the order of http (80) and DNS (53), but this is so 0,0000000001% ... I am too lazy.
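As an added illustration of the two points pietinger makes (earlier: a user chain falls back to an invisible "return" and then the chain's DEFAULT action; here: the rule order decides how many rules the kernel checks per packet), this is a small Python model of netfilter chain traversal. It is not code from the thread or from Shorewall; the chain names, the LAN_OUT user chain, the packet dicts and the three placeholder checks standing in for nosmurfs/tcpflags/logmartians are all constructed for the example.

```python
# Constructed model of netfilter chain traversal (not real iptables).
# Packets are dicts; a rule matches when every key of its match dict equals
# the packet's value. LOG never ends the walk, a user chain that runs out of
# rules returns to its caller, and the built-in chain's policy decides last.
from dataclasses import dataclass, field

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    target: str                                   # verdict, LOG, RETURN or user chain
    match: dict = field(default_factory=dict)     # e.g. {"proto": "tcp", "dport": 443}

    def matches(self, pkt):
        return all(pkt.get(k) == v for k, v in self.match.items())


def walk(chains, policies, chain, pkt, counter):
    """Evaluate `chain` for `pkt`; counter['evaluated'] counts rules checked."""
    for rule in chains[chain]:
        counter["evaluated"] += 1
        if not rule.matches(pkt):
            continue
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            return None
        if rule.target == "LOG":
            continue                              # side effect only, keep walking
        sub = walk(chains, policies, rule.target, pkt, counter)   # jump
        if sub is not None:
            return sub                            # user chain decided
    return policies.get(chain)                    # implicit RETURN, or policy


def evaluate(chains, pkt, policies=None):
    """Return (verdict, number of rules evaluated) for one packet."""
    counter = {"evaluated": 0}
    v = walk(chains, policies or {"FORWARD": "DROP"}, "FORWARD", pkt, counter)
    return v, counter["evaluated"]


def build_forward(established_first):
    """Same FORWARD rules in two orders; LAN_OUT is a constructed user chain."""
    lan_out = [Rule("ACCEPT", {"proto": "tcp", "dport": 80}),
               Rule("ACCEPT", {"proto": "tcp", "dport": 443})]
    established = Rule("ACCEPT", {"ctstate": "ESTABLISHED"})
    checks = [Rule("DROP", {"dst": "broadcast"}),        # nosmurfs-style
              Rule("DROP", {"flags": "bogus"}),          # tcpflags-style
              Rule("LOG", {"src": "martian"}),           # logmartians-style
              Rule("LAN_OUT", {"in": "lan0"})]           # jump for LAN traffic
    forward = [established] + checks if established_first else checks + [established]
    return {"FORWARD": forward, "LAN_OUT": lan_out}
```

With the ESTABLISHED rule first, a reply packet is decided after one check; with it last, the same packet walks all the other checks first, and a new packet that matches nothing in LAN_OUT falls back to the FORWARD policy.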

----------

## Tony0945

Putting this on hold as the latest python nonsense is taking all my time.

----------

