# A Firewalled Internet Access to Internal Subnet

## miroR

---

My old iptables rules I put in a separate ADDENDUM post to this post:

https://forums.gentoo.org/viewtopic-t-1041028.html#7895454

(or simply just the very next post)

That script is based on this article:

Configuring iptables firewall on Gentoo

http://gentoovps.net/configuring-iptables-firewall/

I keep it in /root . And when I change things in it, I simply run it:

```
# ./rules.sh
```

and the changes are taken into the system.

I'm trying to mix filtering (the rules linked above are just that) and NAT. First time doing NAT.

After lots of other tries, I decided to start as simple as possible.

By the book:

Linux 2.4 NAT HOWTO

(section: I just want masquerading! Help!)

http://netfilter.org/documentation/HOWTO//NAT-HOWTO-4.html#ss4.1

which refers to:

Linux 2.4 Packet Filtering HOWTO

(section: Mixing NAT and Packet Filtering)

http://netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-9.html

A note: those books are still the main references from http://netfilter.org ;-) . (No newer wisdom has replaced those in the way of complete replacement tutorials.)

On host by the name of g0n I have eth0 (not used here), eth1, and eth2.

eth1
====

some 7 yrs old aDSL router, with disabled DHCP server, working (I hope) simply as a static local network router, set to:

```
192.168.2.0/24
192.168.2.1   the router itself (interface is there on http://192.168.2.1/ to deal with it, and I hope it's not getting in the way ;-) )
192.168.2.2   g0n's IP on it
192.168.2.3   a Devuan-to-be host (currently 1 yr old Debian machine there)
```

All pingable, all working before the simple by-the-book NAT deployed.

eth2
====

newer aDSL router, with regular settings as providers ship it to users in Croatia, sure, with DHCP:

```
192.168.1.0/24
192.168.1.1   the router itself (with the interface similar to the one on eth1 above)
192.168.1.X   the host g0n gets an IP dynamically, usually 192.168.1.2, or 192.168.1.3
```

I want to be able to go to the internet with my future Devuan machine.

I want to do it through my Gentoo host.

Why?

Because I want to be able to dumpcap all and anything that happens when I go online, since the environment is still very censored/intruded upon/hostile in Croatia from the old regime that hasn't been routed yet at all, and if I don't keep track of what happens, I could be rigged again

(

that claim is far from being without substance, have a look:

Postfix smtp/TLS, Bkp/Cloning Mthd, Censorship/Intrusion

( the post about my provider, who out of thin air, accuses me for spamming and blocks my emailing)

https://forums.gentoo.org/viewtopic-t-999436.html#7682770

or:

( the post where Schmoog and Yooch try to clickjack me )

https://forums.gentoo.org/viewtopic-t-999436.html#7685200

among others ;-)

).

I also want to be able to attach M$ Windows machines and go to the internet with it, to check pages when I work them, how they look, and stuff, and only ignorants and fools trust M$...

So I read a lot, and made quite a few attempts to little to no avail.

And eventually I decided to start as simple as possible.

My kernel is grsecurity-hardened, but I have temporarily disabled the Role Based Access Control, and will keep it disabled during these tries, to have fewer suspects as to why it doesn't work.

Combining the info from Rusty's books aforementioned with just the minimal entries from my formerly used script, I put together my new rules.sh in /root:

```
#!/bin/bash
# vars
ipt=/sbin/iptables

# Flush old rules, old custom tables
echo " * flushing old rules"
$ipt --flush
$ipt --delete-chain

# Masquerade out eth2
$ipt -t nat -A POSTROUTING -o eth2 -j MASQUERADE

# Disallow NEW and INVALID incoming or forwarded packets from eth2.
$ipt -A INPUT -i eth2 -m state --state NEW,INVALID -j DROP
$ipt -A FORWARD -i eth2 -m state --state NEW,INVALID -j DROP

#
# Save settings #
echo " * saving settings"
/etc/init.d/iptables save
```

And I ran it (from the /root where I keep it):

```
# ./rules.sh
```

And now the rules look like this, and right there I might have some clue why it works half-way only, have a look:

```
# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i eth2 -m state --state INVALID,NEW -j DROP
-A FORWARD -i eth2 -m state --state INVALID,NEW -j DROP
#
```

The clue could be that the simple example from the 14 to 16 yrs old "books" (tutorials) cannot be applied, because the rules that show as having been set, the:

```
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
```

have not been set by my script, but are either Gentoo's defaults, or iptables upstream package defaults, maybe since who knows how many yrs ago, but surely not since Rusty coded the iptables and wrote those books. Or they are some malfunction of something in my machine...

What put those "-P INPUT DROP" and "-P FORWARD DROP" in? Not the rules that I applied as above!

Anyway, how do I modify the advice from the books to get the NAT, along with the filtering, working... ?

Those could not be Gentoo's defaults. I looked up /etc/init.d/iptables, and while I only partly understand it, that still doesn't look to be the case for me...

Here is how it (doesn't) work, in full technical detail:

Take the dumpcap and verify it from here:

http://www.croatiafidelis.hr/foss/cap/cap-160321-NAT/

or the solo link:

http://www.croatiafidelis.hr/foss/cap/cap-160321-NAT/dump_160321_0112_g0n_SOLO.pcap

And now I noticed something in the logs that complicates this issue even more.

Even more, so I'll post it separately on its own, in the next post, id est after the ADDENDUM post with the rules.sh.

Last edited by miroR on Mon Mar 21, 2016 3:43 pm; edited 1 time in total

----------

## miroR

This is the /root/rules.sh script that has  worked fine for me (or at least I believe so) for longer than a year.

It is based on:

Configuring iptables firewall on Gentoo 

http://gentoovps.net/configuring-iptables-firewall/

[*]

and surely, the lines with " -s 192.168.3.0/24" are mostly unused in my online Gentoo clone, but may be good to have them for my Air-Gapped (

Air-Gapped Gentoo Install, Tentative

https://forums.gentoo.org/viewtopic-t-987268.html

)

, which this online clone, that I browse online and post with, is cloned from (

how I clone my system is in the PART 2 of

Postfix smtp/TLS, Bkp/Cloning Mthd, Censorship/Intrusion

https://forums.gentoo.org/viewtopic-t-999436.html#7613044

).

```
#!/bin/bash
# vars
ipt=/sbin/iptables

# Flush old rules, old custom tables
echo " * flushing old rules"
$ipt --flush
$ipt --delete-chain

# Set default policies for all three default chains
echo " * setting default policies"
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT

# Enable free use of loopback interfaces
echo " * allowing loopback devices"
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A OUTPUT -o lo -j ACCEPT

# All TCP sessions should begin with SYN
$ipt -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-level error --log-prefix mrfw_no_syn
$ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Allow established (NOT: and related) packets
#$ipt -A INPUT -m state --state ESTABLISHED -j LOG --log-level error --log-prefix mrfw_est
$ipt -A INPUT -m state --state ESTABLISHED -j ACCEPT

# Open the following ports, gXn
echo " * allowing ssh on eth0 on port 22"
$ipt -A INPUT -i eth0 -s 192.168.3.0/24 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j LOG --log-level error --log-prefix mrfw_soho_ssh
$ipt -A INPUT -i eth0 -s 192.168.3.0/24 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

echo " * allowing http in from SOHO"
$ipt -A INPUT -i eth0 -s 192.168.3.0/24 -p tcp -m state --state NEW,ESTABLISHED,RELATED -j LOG --log-level error --log-prefix mrfw_soho_tcp
$ipt -A INPUT -i eth0 -s 192.168.3.0/24 -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

echo " * allowing udp in from SOHO"
$ipt -A INPUT -i eth0 -s 192.168.3.0/24 -p udp -m state --state NEW,ESTABLISHED,RELATED -j LOG --log-level error --log-prefix mrfw_soho_udp
$ipt -A INPUT -i eth0 -s 192.168.3.0/24 -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

echo " * allowing dns on port 53"
$ipt -A INPUT -p udp -m udp --dport 53 -j LOG --log-level error --log-prefix mrfw_dns
$ipt -A INPUT -p udp -m udp --dport 53 -j ACCEPT

echo " * allowing http on port 80"
$ipt -A INPUT -p tcp --dport 80 -m state --state ESTABLISHED -j LOG --log-level error --log-prefix mrfw_http_80
$ipt -A INPUT -p tcp --dport 80 -m state --state ESTABLISHED -j ACCEPT

echo " * allowing https on port 443"
$ipt -A INPUT -p tcp --dport 443 -m state --state ESTABLISHED -j LOG --log-level error --log-prefix mrfw_https_443
$ipt -A INPUT -p tcp --dport 443 -m state --state ESTABLISHED -j ACCEPT

echo " * allowing ping sendmsg"
$ipt -A OUTPUT -p ICMP --icmp-type 8 -j LOG --log-level error --log-prefix mrfw_ping
$ipt -A OUTPUT -p ICMP --icmp-type 8 -j ACCEPT

echo " * allowing ping responses"
$ipt -A INPUT -p ICMP --icmp-type 8 -j LOG --log-level error --log-prefix mrfw_ping
$ipt -A INPUT -p ICMP --icmp-type 8 -j ACCEPT

# DROP everything else and Log it
$ipt -A INPUT -j LOG --log-level error --log-prefix mrfw_drop
$ipt -A INPUT -j DROP

#
# Save settings #
echo " * saving settings"
/etc/init.d/iptables save
```

---

[*] Somewhat related to the above iptables but possibly more related to VPN, I couldn't open anything from that http://gentoovps.net today, and the logs (from my /var/log/messages) were:

```
Mar 21 10:23:33 g0n kernel: [33400.060236] mrfw_dropIN=eth2 OUT= MAC=00:0e:2e:ec:10:5b:2c:95:7f:14:4e:c6:08:00 SRC=72.11.150.106 DST=192.168.1.2 LEN=88 TOS=0x00 PREC=0x00 TTL=55 ID=47196 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.1.2 DST=206.253.165.112 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=27534 DF PROTO=TCP SPT=39310 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 ] 
..[10 very similar lines --but for the ID=XXXXX and little if any else-- cut out here]...
Mar 21 10:24:03 g0n kernel: [33430.109303] mrfw_dropIN=eth2 OUT= MAC=00:0e:2e:ec:10:5b:2c:95:7f:14:4e:c6:08:00 SRC=72.11.150.106 DST=192.168.1.2 LEN=88 TOS=0x00 PREC=0x00 TTL=55 ID=47207 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.1.2 DST=206.253.165.112 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=54489 DF PROTO=TCP SPT=39312 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 ] 
```

Tell that to the Gentooer who owns that site. I believe he'll want to know about it! And he'll want to fix it. Or tell me if anything in my iptables is to blame ;-) , but the former is more likely ;-) .

Why am I almost confident it's not my iptables to blame? Not just because I can open anything else as soon as I plug into the aDSL router, but also because I have:

```
$ grep 206.253.165.112  dump_160321_1012_g0n_SOLO.hosts 
206.253.165.112   gentoovps.net
```

but I don't have:

```
$ grep 72.11.150.106  dump_160321_1012_g0n_SOLO.hosts 
$
```

( and the hosts file in question I got like this:

```
# tshark -r dump_160321_1012_g0n_SOLO.pcap -qz hosts > dump_160321_1012_g0n_SOLO.hosts
```

where dump_160321_1012_g0n_SOLO.pcap was at the time of the online bout, when I also tried to open pages from gentoovps.net , taken simply with this script:

```
#!/bin/bash
# capture file named after date, time and host, e.g. dump_160321_1012_g0n_SOLO.pcap
dumpcap=dump_$(date +%y%m%d_%H%M)_$(hostname)_SOLO.pcap
echo "$dumpcap"
sudo touch "$dumpcap"
# capture on all interfaces in the background
sudo dumpcap -i any -w "$dumpcap" &
```

)

----------

## miroR

From my /var/log/rc.log (to which iptables logs, because there is the line:

```
rc_use="logger"
```

in /etc/conf.d/iptables, which is by default commented out):

```
rc default logging started at Mon Mar 21 01:07:08 2016
...
 * Loading iptables state and starting firewall ...
Warning: weird character in interface `192.168.1.0/24' ('/' and ' ' are not allowed by the kernel).
Warning: weird character in interface `192.168.1.0/24' ('/' and ' ' are not allowed by the kernel).
 [ ok ]
```

But there is nothing in the iptables rules in the previous post with the 192.168.1.0/24 string, except that that is my eth2 interface.

(But I never specified it in any conf files. It just gets recognized and gives my online connected host its 192.168.1.X as explained in the first post, when I simply run:

```
# /etc/init.d/net.eth2 start
```

where:

```
# ls -l /etc/init.d/net.eth2
lrwxrwxrwx 1 root root 6 2016-03-18 13:08 /etc/init.d/net.eth2 -> net.lo
#
```

I didn't add it to rc.)

Here's the listing of the iptables:

```
# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID,NEW

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID,NEW

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
#
```

and the:

```
# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i eth2 -m state --state INVALID,NEW -j DROP
-A FORWARD -i eth2 -m state --state INVALID,NEW -j DROP
# 
```

just as already given in the first post.

From /usr/portage/profiles/use.local.desc:

```
net-firewall/iptables:conntrack - Build against net-libs/libnetfilter_conntrack when enables the connlabel matcher
net-firewall/iptables:netlink - Build against libnfnetlink which enables the nfnl_osf util
net-firewall/iptables:nftables - Support nftables kernel interface
net-firewall/iptables:pcap - Build against net-libs/libpcap which enables the nfbpf_compile util
```

And I have it:

```
# emerge -p iptables

These are the packages that would be merged, in order:

Calculating dependencies                   ... done!     
[ebuild   R    ] net-firewall/iptables-1.6.0:0/11::gentoo  USE="ipv6 -conntrack -netlink -nftables -pcap -static-libs" 0 KiB

Total: 1 package (1 reinstall), Size of downloads: 0 KiB
#
```

That doesn't seem to be wrong, that I built it without those, as:

```
net-firewall/iptables:conntrack - Build against net-libs/libnetfilter_conntrack when enables the connlabel matcher
```

seems to be about some advanced labeling of connections, as I partly understood from 'man iptables-extensions', and having:

```
# equery l conntrack-tools
 * Searching for conntrack-tools ...
[IP-] [  ] net-firewall/conntrack-tools-1.4.3:0
#
```

the conntrack-tools installed, my /var/log/conntrackd-stats.log writes down all the connections fine, I check that log from time to time...

And also the " -netlink -nftables -pcap" are for some advanced stuff.

So what causes the error at the top of this post, and why the:

```
# iptables -S
-P INPUT DROP
-P FORWARD DROP
```

which appears to invalidate the

```
-A INPUT -i eth2 -m state --state INVALID,NEW -j DROP
-A FORWARD -i eth2 -m state --state INVALID,NEW -j DROP
#
```

which rules I gave by the Rusty's books?

Namely, if all is dropped anyway with "-P INPUT DROP" and "-P FORWARD DROP", what's the use of the two lines:

```
$ipt -A INPUT -i eth2 -m state --state NEW,INVALID -j DROP
$ipt -A FORWARD -i eth2 -m state --state NEW,INVALID -j DROP
```

that I put in my /root/rules.sh script?

There, the issue that I have. Surely now I have to go back to my for-longer-than-a-year by now used set of rules.sh, and enable the grsec RBAC, and connect online to post this.

I have to do that because I can't connect with these settings above described.

----------

## miroR

In short, my error is not because of my system malfunctioning, but my lack of knowledge.

When I introduced a new table, actually two, the NAT and the MANGLE tables, I ought to have inserted the commands to flush those tables too [*], because this command:

[from my /root/rules.sh which I explained in the first two or three posts:]

```
# Flush old rules, old custom tables
echo " * flushing old rules"
$ipt --flush
$ipt --delete-chain
```

only flushes the FILTER table.

And here's how flushing it does it:

```
g0n ~ # iptables -t nat --flush
g0n ~ # iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
g0n ~ # iptables -t nat -S^C
g0n ~ # /etc/init.d/iptables status
 * status: started
g0n ~ # /etc/init.d/iptables restart
 * Saving iptables state ...                                              [ ok ]
 * Stopping firewall ...                                                  [ ok ]
 * Loading iptables state and starting firewall ...                       [ ok ]
g0n ~ # 
```

And here's when all is flushed:

```
g0n ~ # iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
g0n ~ # iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
g0n ~ # iptables -t mangle -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
g0n ~ #
```

So, in the rules.sh, at the top (and I like better the short -F and -X instead of --flush and  --delete-chain), I should have inserted after these lines: 

```
# Flush old rules, old custom tables
echo " * flushing old rules"
$ipt -F
$ipt -X
```

other lines for NAT and MANGLE:

```
echo " * flushing old rules in nat table"
$ipt -t nat -F
$ipt -t nat -X
echo " * flushing old rules in mangle table"
$ipt -t mangle -F
$ipt -t mangle -X
```

But there is more missing for the firewall and access to the internal network to work. I still have issues, and wasn't able to deploy it.

But I think I'll be moving to nftables as it appears to be gaining more and more acceptance over iptables and there already is ample documentation and there should be more and more examples and tutorials to benefit from worldwide, as iptables is removed keeping for its developers an honorable place in history.

---

[*] Here's how it looked without the flushing of the mangle and nat tables, upon trying to deploy new rules that didn't have the below:

```
# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0           
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0           
MASQUERADE  all  --  192.168.2.0/24       0.0.0.0/0           
MASQUERADE  all  --  192.168.2.0/24       0.0.0.0/0           
MASQUERADE  all  --  192.168.2.0/24       0.0.0.0/0           
MASQUERADE  all  --  192.168.2.0/24       0.0.0.0/0           
MASQUERADE  all  --  192.168.2.0/24       0.0.0.0/0           
MASQUERADE  all  --  192.168.2.0/24       0.0.0.0/0           
MASQUERADE  all  --  192.168.2.3          0.0.0.0/0           
MASQUERADE  all  --  192.168.2.3          0.0.0.0/0           
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0           
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0           
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0           
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0           
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0           
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0           
#
```

Last edited by miroR on Wed Mar 23, 2016 2:23 pm; edited 2 times in total
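What the first post set out to do (masquerade the 192.168.2.0/24 side out through eth2 while keeping the filtering), together with the flushing of all three tables worked out in this post, as one complete added example. It is not the thread's rules.sh: it uses the `conntrack` match rather than the older `state` alias, assumes eth1 faces the inner subnet and eth2 the aDSL router, and without APPLY=1 only prints the commands it would run.

```shell
#!/bin/bash
# Added example, not the thread's rules.sh.  Interface names and the subnet
# come from the first post and can be overridden through the environment.
set -u

ipt=${IPT:-/sbin/iptables}
lan_if=${LAN_IF:-eth1}             # side of the inner 192.168.2.0/24 subnet
wan_if=${WAN_IF:-eth2}             # side of the aDSL router, gets masqueraded
lan_net=${LAN_NET:-192.168.2.0/24}

# run: execute the command when APPLY=1, otherwise print it (dry run)
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# reset_tables: -F/-X act on one table only and never touch a chain's policy,
# so a script that flushes just the filter table inherits whatever -P lines the
# previous script (or the saved state) left behind.  Flush all three tables and
# set the filter policies explicitly so the result does not depend on history.
reset_tables() {
    for t in filter nat mangle; do
        run "$ipt" -t "$t" -F
        run "$ipt" -t "$t" -X
    done
    run "$ipt" -P INPUT DROP
    run "$ipt" -P FORWARD DROP
    run "$ipt" -P OUTPUT ACCEPT
}

# nat_rules: masquerade only the inner subnet, and only when it leaves through
# the router side; the bare "-o eth2 -j MASQUERADE" of the HOWTO would also
# rewrite anything else that happens to be routed out that way.
nat_rules() {
    run "$ipt" -t nat -A POSTROUTING -s "$lan_net" -o "$wan_if" -j MASQUERADE
}

# filter_rules: the HOWTO's "drop NEW,INVALID from outside" for INPUT, plus the
# FORWARD rules the first post's script has none of; with FORWARD's policy at
# DROP and no ACCEPT rule, nothing from the inner subnet ever reaches eth2.
filter_rules() {
    run "$ipt" -A INPUT -i lo -j ACCEPT
    run "$ipt" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run "$ipt" -A INPUT -i "$wan_if" -m conntrack --ctstate NEW,INVALID -j DROP
    run "$ipt" -A INPUT -j LOG --log-prefix "mrfw_drop "

    run "$ipt" -A FORWARD -m conntrack --ctstate INVALID -j DROP
    run "$ipt" -A FORWARD -i "$lan_if" -o "$wan_if" -s "$lan_net" -m conntrack --ctstate NEW -j ACCEPT
    run "$ipt" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run "$ipt" -A FORWARD -j LOG --log-prefix "mrfw_fwd_drop "
}

# enable_forwarding: the FORWARD chain is only consulted when the kernel routes
# at all; the HOWTO mentions this, the first post's script does not do it.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# emit_rules: the whole sequence, in the order the tables must be rebuilt
emit_rules() {
    reset_tables
    nat_rules
    filter_rules
    enable_forwarding
}

emit_rules
```

Run it once without APPLY to read the commands, then `APPLY=1 ./rules.sh` as root; every dropped packet still shows up in the kernel log under the mrfw_ prefixes the thread already greps for.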

----------

## miroR

Let's see how to learn about nftables...

These pieces of correspondence by true FOSS people to me feel like important events in history. I mean it.

http://marc.info/?l=netfilter&m=144615512521885&w=2

the author of the Nftables Arch Wiki that I think I'll have to be studying

http://marc.info/?l=netfilter&m=144615614622429&w=2

> Happy to add to the wiki -- but how do I get an account?

Just contacted you in private to pass you the account information.

That was the main developer of Nftables, Pablo Neira Ayuso, to Johannes Ernst.

And I got there from Gentoo Forums, from this topic:

from iptables to nftables: I need serious guidance.

https://forums.gentoo.org/viewtopic-t-987148.html

where SirRobin2318's posts are at:

https://forums.gentoo.org/viewtopic-t-987148.html#7523282

and

https://forums.gentoo.org/viewtopic-t-987148.html#7524106

both worth reading carefully.

I think the above connects in the way that it means that I'll probably thank him if I manage to learn it. If I manage. It doesn't look easy at all...

Both for the Arch Linux Nftables wiki page:

https://wiki.archlinux.org/index.php/Nftables#Limit_rate_and_tcp_flags_IP.2FIPv6_Firewall

, and for the contributions at:

http://people.netfilter.org/wiki-nftables/index.php/Main_Page

And surely I'll study the Gentoo Nftables Wiki pages:

https://wiki.gentoo.org/wiki/Nftables

and

https://wiki.gentoo.org/wiki/Nftables/Examples

--

Oh, I'm sorry for this post being a little upside down. Kind readers, forgive me, I'm overwhelmed with this work. I mean it. It feels so interesting, but it also feels so hard to understand...

What I should have said first, in this post, is that:

It's probably time to embrace Nftables and leave Iptables.

The issue that I have could be buggy behavior by Iptables, since you can read similarly here:

http://wiki.nftables.org/wiki-nftables/index.php/Main_differences_with_iptables

where one finds:

> Note that iptables comes with tables with a predefined number of base chains, you get them in an all or nothing fashion. Thus, all chains are registered even if you only need one of them. We got reports in the past that unused base chains are harming performance, even if you add no rules at all.

But I'm only guessing, I don't know the why of my issue with Iptables described in the previous post.

NOTE 2016-03-23 15h+01:00: I figured out some of what I was doing wrong, and I posted it, in the post previous to this.

Currently still not many users of Nftables... Just a handful of topics found on Gentoo Forums with the search word "nftables".

----------

## miroR

I need to move to using persistent ethers.

As per the Gentoo Install Handbook,

```
# rm /etc/udev/rules.d/80-net-name-slot.rules
# rmdir /etc/udev/rules.d
```

removed. And a little more work close to trivial for even me. So, what previously were, are now:

```
eth0 -->  enp5s0
eth1 -->  enp6s0
eth2 -->  enp4s6
```

And the nftables install, which has been, since only fairly recently, available in all the testing branches (but is not yet available for users of stable), is fresh:

```
# equery k nftables
* Checking net-firewall/nftables-0.5-r2 ...
   32 out of 32 files passed
g0n ~ # 
```


Won't be unchanged for long!

```
# bzcat /usr/share/doc/nftables-0.5-r2/TODO.bz2 
...
- kill mangle table, make rerouting a configurable table/chain property
- kill nat table? harder because of more special handling
...
```

means I may be trying to test incomplete features...

Had already done this:

```
rc-update delete iptables default
```

and now:

```
# rc-update add nftables default
 * service nftables added to runlevel default
#
```

In quick terms, I followed the guides. It cleared out to work with the tips from Nftables Gentoo Wiki, main, and Examples pages, but the links were useful too.

For my detailed use, I'll be making the backups like this (this is expanded from the main Nftables page on Gentoo Wiki):

```
# nft_bak=nft_$(date +%y%m%d_%H%M).nft
# echo "nft flush ruleset" > $nft_bak
# nft list ruleset >> $nft_bak
```

With the use of this method, I have currently only:

```
# ls -l nft*.nft
-rw-r--r-- 1 root root  384 2016-03-23 19:28 nft_160323_1927.nft
-rw-r--r-- 1 root root 3099 2016-03-23 21:40 nft_160323_2140.nft
g0n ~ # 
```

but I'll likely have'em galore in some time and be going back to reuse my backups in painstaking attempts to get the NAT working for my interior subnet... Aaaarghhh!! I already feel the headache killing me...

Otherwise, all the instructions are there, some of them the nft binary tells you, e.g. when there is no /var/lib/nftables/rules-save from any previous runs, it will instruct you like this:

```
g0n ~ # /etc/init.d/nftables start
 * Caching service dependencies ...                                        [ ok ]
 * Not starting nftables.  First create some rules then run:
 * rc-service nftables save
 * ERROR: nftables failed to start
g0n ~ #
```

I think I can try and go online, with this protection for my machine (sure I also have I believe properly deployed grsec RBAC policies and generally care to keep to true *nix programs only: no systemd, no dbus and affiliates, but that does not have to be the reader's way).

I'll be having more questions or solutions.

Because I've only yet, hopefully successfully (first time going online with it) deployed Nftables, and I want so much more, as the title of this topic says...

----------

## miroR

Studying:

( the main Nftables Wiki)

http://people.netfilter.org/wiki-nftables/index.php/Main_Page

where after you look for title "Performing Network Address Translation (NAT)",

and use that link:

http://people.netfilter.org/wiki-nftables/index.php/Performing_Network_Address_Translation_%28NAT%29

in bottom it reads:

> Incompatibilities
>
> You cannot use iptables and nft to perform NAT at the same time. So make sure
> ...

First of all, I don't use modules. Instead I put in "=y" where some guides tell to put "=m". I suppose that doesn't make much of a difference. (As it hasn't made any for, say, installing my TV-cards.)

I looked it up in my:

```
# ls -l /usr/src/linux
lrwxrwxrwx 1 root root 20 2016-03-08 13:45 /usr/src/linux -> linux-4.4.4-hardened
#
```

kernel, and there is no such conf option to be found (I've already done some reconfiguration, but I'm left perplexed just a little; I'm showing you, and grep'ing on, the previous configuration):

```
g0n linux # pwd
/usr/src/linux
g0n linux # grep -i iptable .config.old 
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP6_NF_IPTABLES=y
# iptables trigger is under Netfilter config (LED target)
g0n linux # 
```

Implicitly that tells you there is no "iptable_nat" module. But conflicts, incompatibilities, may be there, just under different names...

Here's what I've done, can be seen from the two different kernel .config files, the old, .config.old, and the new, .config:

```
g0n linux # ls -l .config*
-rw-r--r-- 1 root root 111106 2016-03-25 08:26 .config
-rw-r--r-- 1 root root 112446 2016-03-22 16:58 .config.old
g0n linux # 
```

Here:

```

g0n linux # diff .config*

53c53

< CONFIG_LOCALVERSION="-160325"

---

> CONFIG_LOCALVERSION="-160322"

786a787

> # CONFIG_NF_CONNTRACK_ZONES is not set

819a821

> CONFIG_NETFILTER_SYNPROXY=y

849a852

> # CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set

852a856,858

> CONFIG_NETFILTER_XT_TARGET_CT=y

> CONFIG_NETFILTER_XT_TARGET_DSCP=y

> CONFIG_NETFILTER_XT_TARGET_HL=y

861a868

> # CONFIG_NETFILTER_XT_TARGET_NOTRACK is not set

864a872,873

> # CONFIG_NETFILTER_XT_TARGET_TPROXY is not set

> # CONFIG_NETFILTER_XT_TARGET_TRACE is not set

866a876

> # CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set

957,958c967,986

< # CONFIG_IP_NF_IPTABLES is not set

< # CONFIG_IP_NF_ARPTABLES is not set

---

> CONFIG_IP_NF_IPTABLES=y

> CONFIG_IP_NF_MATCH_AH=y

> CONFIG_IP_NF_MATCH_ECN=y

> CONFIG_IP_NF_MATCH_RPFILTER=y

> CONFIG_IP_NF_MATCH_TTL=y

> CONFIG_IP_NF_FILTER=y

> CONFIG_IP_NF_TARGET_REJECT=y

> # CONFIG_IP_NF_TARGET_SYNPROXY is not set

> CONFIG_IP_NF_NAT=y

> CONFIG_IP_NF_TARGET_MASQUERADE=y

> CONFIG_IP_NF_TARGET_NETMAP=y

> CONFIG_IP_NF_TARGET_REDIRECT=y

> CONFIG_IP_NF_MANGLE=y

> CONFIG_IP_NF_TARGET_CLUSTERIP=y

> CONFIG_IP_NF_TARGET_ECN=y

> CONFIG_IP_NF_TARGET_TTL=y

> CONFIG_IP_NF_RAW=y

> CONFIG_IP_NF_ARPTABLES=y

> CONFIG_IP_NF_ARPFILTER=y

> CONFIG_IP_NF_ARP_MANGLE=y

977c1005,1023

< # CONFIG_IP6_NF_IPTABLES is not set

---

> CONFIG_IP6_NF_IPTABLES=y

> CONFIG_IP6_NF_MATCH_AH=y

> CONFIG_IP6_NF_MATCH_EUI64=y

> CONFIG_IP6_NF_MATCH_FRAG=y

> CONFIG_IP6_NF_MATCH_OPTS=y

> CONFIG_IP6_NF_MATCH_HL=y

> CONFIG_IP6_NF_MATCH_IPV6HEADER=y

> CONFIG_IP6_NF_MATCH_MH=y

> CONFIG_IP6_NF_MATCH_RPFILTER=y

> CONFIG_IP6_NF_MATCH_RT=y

> CONFIG_IP6_NF_TARGET_HL=y

> CONFIG_IP6_NF_FILTER=y

> CONFIG_IP6_NF_TARGET_REJECT=y

> CONFIG_IP6_NF_TARGET_SYNPROXY=y

> CONFIG_IP6_NF_MANGLE=y

> CONFIG_IP6_NF_RAW=y

> CONFIG_IP6_NF_NAT=y

> CONFIG_IP6_NF_TARGET_MASQUERADE=y

> CONFIG_IP6_NF_TARGET_NPT=y

g0n linux # 

```
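Review bot: in the `957,958c967,986` hunk (and its IPv6 twin `977c1005,1023`) turning off CONFIG_IP_NF_IPTABLES takes down everything listed under it, CONFIG_IP_NF_NAT and CONFIG_IP_NF_TARGET_MASQUERADE included, yet not a single CONFIG_NF_TABLES or NFT_ line appears anywhere in this diff, so the diff cannot show whether the nf_tables core, its nat chain type and the masquerade expression that nftables NAT depends on are still enabled in the new .config; grep the new .config for NF_TABLES and NFT_ before building, since `diff .config*` compares new (`<`) against old (`>`) and an option that was never set would not show up as a change. The first hunk only bumps CONFIG_LOCALVERSION, which is fine.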

I achieved it actually all by disabling only three options that were previously enabled, these:

```
g0n linux # diff .config .config.old  | grep '< '
< CONFIG_LOCALVERSION="-160325"
< # CONFIG_IP_NF_IPTABLES is not set
< # CONFIG_IP_NF_ARPTABLES is not set
< # CONFIG_IP6_NF_IPTABLES is not set
g0n linux # 
```

And, maybe for more clarity, here's how they look like in the menuconfig:

```
 → Networking support → Networking options → Network packet filtering framework (Netfilter) → IP: Netfilter Configuration
    < > IP tables support (required for filtering/masq/NAT) 
    < > ARP tables support
```

and:

```
 → Networking support → Networking options → Network packet filtering framework (Netfilter) → IPv6: Netfilter Configuration
    < > IP6 tables support (required for filtering)
```

And that made up all the diff, except for (my two local versions):

```
< CONFIG_LOCALVERSION="-160325"
---
> CONFIG_LOCALVERSION="-160322"
```

above.

Is that the correct thing to do? Along with emerge -C iptables ? Namely I see there are issues with iproute2:

sys-apps/iproute2-4.5.0[-iptables]: error: redeclaration of enumerator ‘IFF_*’

https://bugs.gentoo.org/show_bug.cgi?id=577464#attach_428450

and I'm slow, so I will update in a day or two, when this is likely fixed, and keep with the old:

```
# equery l iproute2 
 * Searching for iproute2 ...
[IP-] [  ] sys-apps/iproute2-4.4.0:0
#
```

So since:

```
g0n ~ # equery  d iptables
 * These packages depend on iptables:
sys-apps/iproute2-4.4.0 (iptables ? >=net-firewall/iptables-1.4.20)
g0n ~ # cat >> /etc/portage/package.use 
sys-apps/iproute2 -iptables
g0n ~ # emerge -tuDN iproute2
```

which appeared to have compiled and installed correctly, I could show the log, but equery didn't pick it up yet, have a look:

```
g0n ~ # equery  d iptables
 * These packages depend on iptables:
sys-apps/iproute2-4.4.0 (iptables ? >=net-firewall/iptables-1.4.20)
g0n ~ # emerge -p iproute2

These are the packages that would be merged, in order:

Calculating dependencies                    ... done!           
[ebuild   R    ] sys-apps/iproute2-4.4.0::gentoo  USE="berkdb ipv6 -atm -iptables -minimal (-selinux)" 0 KiB

Total: 1 package (1 reinstall), Size of downloads: 0 KiB
g0n ~ # 
```

Never mind, I'll try and compile the not-the-newest in testing kernel, and reboot, and see if this inexistent dependency still shows in equery line...

Done:

```
# uname -r
4.4.4-hardened-160325
# 
```

Very curious I am now. Will the equery see the change? Suspense, suspense.

Silence... What will happen...

```
# equery d iptables
 * These packages depend on iptables:
```

It's a slow system... Nothing for a while... And then:

```
# equery d iptables
 * These packages depend on iptables:
sys-apps/iproute2-4.4.0 (iptables ? >=net-firewall/iptables-1.4.20)
```

That's not right...

Will it break iproute2 if I remove iptables? Don't know... Somebody tell me!

I'm not removing it for now... Should not do harm to my tentatives with nftables, I hope.

According to:

ERROR: sys-apps/iproute2-4.5.0::gentoo failed (compile phase

https://forums.gentoo.org/viewtopic-t-1040708.html#7896308

it should be a build time dependency only...

I read carefully most of the:

http://people.netfilter.org/wiki-nftables/

with an eye on NAT, of course...

but I still need more guides. Will be searching for more NAT and MASQUERADE related Nftables guide now, I think...

If you know of some good ones that I could use for my purpose, do tell!

----------

## miroR

BTW, to be out of doubt on things, here the nftables deployed in my system, by following and using:

https://wiki.gentoo.org/wiki/Nftables/Examples

I used what was given as a typical workstation example.

This is the file (from which nftables reloads, and into which it saves its rules):

/var/lib/nftables/rules-save:

```
table ip filter {
   chain input {
      type filter hook input priority 0; policy drop;
      ct state invalid counter packets 0 bytes 0 drop  comment "drop invalid packets"
      ct state { related, established} counter packets 15169 bytes 13242959 accept  comment "accept all connections related to connections made by us"
      iifname "lo" accept  comment "accept loopback"
      iifname != "lo" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 drop  comment "drop connections to loopback not coming from loopback"
      ip protocol icmp counter packets 0 bytes 0 accept  comment "accept all icmp types"
      tcp dport ssh counter packets 0 bytes 0 accept  comment "accept ssh"
      counter packets 44 bytes 1408  comment "count dropped packets"
   }

   chain output {
      type filter hook output priority 0; policy accept;
      counter packets 14758 bytes 1475767  comment "count accepted packets"
   }

   chain forward {
      type filter hook forward priority 0; policy drop;
      counter packets 0 bytes 0  comment "count dropped packets"
   }
}
table ip nat {
   chain prerouting {
      type nat hook prerouting priority 0; policy accept;
      counter packets 0 bytes 0  comment "count accepted packets"
   }

   chain input {
      type nat hook input priority 0; policy accept;
      counter packets 0 bytes 0  comment "count accepted packets"
   }

   chain output {
      type nat hook output priority 0; policy accept;
      counter packets 0 bytes 0  comment "count accepted packets"
   }

   chain postrouting {
      type nat hook postrouting priority 0; policy accept;
      counter packets 1661 bytes 106346  comment "count accepted packets"
   }
}
table ip6 filter6 {
   chain input {
      type filter hook input priority 0; policy drop;
      ct state invalid counter packets 0 bytes 0 drop  comment "drop invalid packets"
      ct state { established, related} counter packets 1 bytes 60 accept  comment "accept all connections related to connections made by us"
      iifname "lo" accept  comment "accept loopback"
      iifname != "lo" ip6 daddr ::1 counter packets 0 bytes 0 drop  comment "drop connections to loopback not coming from loopback"
      ip6 nexthdr ipv6-icmp counter packets 96 bytes 7312 accept  comment "accept all icmp types"
      tcp dport ssh counter packets 0 bytes 0 accept  comment "accept ssh"
      counter packets 97 bytes 10864  comment "count dropped packets"
   }

   chain output {
      type filter hook output priority 0; policy accept;
      counter packets 188 bytes 23182  comment "count accepted packets"
   }

   chain forward {
      type filter hook forward priority 0; policy drop;
      counter packets 0 bytes 0  comment "count dropped packets"
   }
}
table ip6 nat6 {
   chain prerouting {
      type nat hook prerouting priority 0; policy accept;
      counter packets 0 bytes 0  comment "count accepted packets"
   }

   chain input {
      type nat hook input priority 0; policy accept;
      counter packets 0 bytes 0  comment "count accepted packets"
   }

   chain output {
      type nat hook output priority 0; policy accept;
      counter packets 0 bytes 0  comment "count accepted packets"
   }

   chain postrouting {
      type nat hook postrouting priority 0; policy accept;
      counter packets 29 bytes 5064  comment "count accepted packets"
   }
}
```

I haven't noticed anything not to work as expected, so far. But I have to admit I don't understand what is being counted in the postrouting, e.g. ...

And even if this is all correct, of course I need more than this, as the title of this topic says.

----------

## miroR

The already mentioned:

https://wiki.archlinux.org/index.php/Nftables

contributed, it appears to me, by Johannes Ernst, is, upon second read, a superb tutorial.

Upon second read, as I don't get new languages in one read  :Wink:  ; nftables is a nifty programming language in its own right.

I first found this trailblazer thread:

http://www.spinics.net/lists/netfilter/threads.html#56405

http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.general/48255

(same thread, from two different, reliable, archives)

and figured out that the issue that Johannes solved there is exactly the kind of issue that I proposed to myself to accomplish, and have been working on for a few days already, most of the time.

Here is that issue which is just like mine, and it makes the first message of that thread:

http://article.gmane.org/gmane.comp.security.firewalls.netfilter.general/48255

http://www.spinics.net/lists/netfilter/msg56405.html

(same message, from two different, reliable, archives)

And so, I'll try and move from Gentoo Wiki Nftables Examples' Typical Workstation Ruleset that I currently have set up and working, to the Ruleset similar to Johannes', in that trailblazer thread on Netfilter ML, and which is also explained in the Archlinux Wiki (it's the same author who also mostly wrote that Arch wiki page, in all appearances).

I'll use the method such as explained here:

https://wiki.archlinux.org/index.php/Nftables#Atomic_Reloading

Except I'll combine in my creating of a timestamped ruleset file, and I won't be doing it in the /tmp, but in /root.

I'll apply for my case:

https://wiki.archlinux.org/index.php/Nftables#Different_rules_for_different_interfaces

and:

https://wiki.archlinux.org/index.php/Nftables#Masquerading

I already have the current set up backed up.

```
# nft_bak=nft_$(date +%y%m%d_%H%M).nft
#
```

gives it now the name:

```
# echo $nft_bak

nft_160325_1711.nft

#
```

I just copied and pasted into it the code given under:

Practical examples

Different rules for different interfaces

on Archlinux.

```
# cat > $nft_bak

 < I pasted it here >

#
```

And I modified it like this:

```
flush ruleset

table inet filter {
  chain input { # this chain serves as a dispatcher
    type filter hook input priority 0;
    iifname lo accept # always accept loopback
    iifname enp4s6 jump input_enp4s6
    iifname enp6s0 jump input_enp6s0
    reject with icmp type port-unreachable # refuse traffic from all other interfaces
  }

  chain input_enp4s6 { # rules applicable to the public interface
    ct state {established,related} accept
    ct state invalid drop
    udp dport bootpc accept
    tcp dport bootpc accept
    reject with icmp type port-unreachable # all other traffic
  }

  chain input_enp6s0 {
    ct state {established,related} accept
    ct state invalid drop
    udp dport bootpc accept
    tcp dport bootpc accept
    tcp port http accept
    tcp port https accept
    reject with icmp type port-unreachable # all other traffic
  }

  chain ouput { # we let everything out
    type filter hook output priority 0;
    accept
  }
 }
```

Nothing else in this first attempt, but add the:

```

flush ruleset

```

at top to flush all the current ruleset, and changed the interface names to my real-life current interfaces.

And trying to load it:

```
# nft -f nft_160325_1711.nft
nft_160325_1711.nft:23:19-24: Error: syntax error, unexpected accept
    tcp port http accept
                  ^^^^^^
nft_160325_1711.nft:24:20-25: Error: syntax error, unexpected accept
    tcp port https accept
                   ^^^^^^
```

gets me this error above. Why?

I'm really not sure, all my understanding of Nftables is still fuzzy, but "tcp port" is probably a typo. Shouldn't it be "tcp dport"?

```
# cat  nft_160325_1711.nft | sed 's/tcp port/tcp dport/' >  nft_160325_$(date +%H%M).nft 
# diff  nft_160325_1711.nft nft_160325_1730.nft 
23,24c23,24
<     tcp port http accept
<     tcp port https accept
---
>     tcp dport http accept
>     tcp dport https accept
# 
```

Was I right?

```
# nft -f nft_160325_1730.nft 
#
```

No errors. And it took a second or longer to load. Maybe successful?

Let's see. It does appear so.

```
# nft list ruleset
table inet filter {
   chain input {
      type filter hook input priority 0; policy accept;
      iifname "lo" accept 
      iifname "enp4s6" jump input_enp4s6 
      iifname "enp6s0" jump input_enp6s0 
      meta nfproto ipv4 reject 
   }

   chain input_enp4s6 {
      ct state { related, established} accept 
      ct state invalid drop 
      udp dport bootpc accept 
      tcp dport bootpc accept 
      meta nfproto ipv4 reject 
   }

   chain input_enp6s0 {
      ct state { related, established} accept 
      ct state invalid drop 
      udp dport bootpc accept 
      tcp dport bootpc accept 
      tcp dport http accept 
      tcp dport https accept 
      meta nfproto ipv4 reject 
   }

   chain ouput {
      type filter hook output priority 0; policy accept;
      accept 
   }
}
```

I'll post this, and, being Good Friday today, and me a faithful, will first be away to church for some time.

It's good to post this sooner and see if other readers see this as a typo, or whether I imagine it.

And if it is a typo, and if nobody else reports it to Archlinux Wiki in the meantime, I'll try and report it so Archlinux people correct it...
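As an added example (not the thread's own ruleset nor the Arch wiki's), here is one way the per-interface dispatch above could be completed into the firewalled NAT the topic title asks for: LAN hosts on 192.168.2.0/24 behind enp6s0 go out through enp4s6 and are masqueraded, nothing new is forwarded in, and g0n itself only answers DHCP on the uplink and ssh/ping from the LAN. It assumes net.ipv4.ip_forward=1 is set on g0n and that the LAN hosts use 192.168.2.2 as their default gateway; neither is shown in the thread.

```nft
#!/usr/sbin/nft -f
# Added example for the g0n topology in this thread (assumed, not from the
# wiki): enp4s6 = uplink to the provider's router 192.168.1.1 (DHCP client),
# enp6s0 = static LAN 192.168.2.0/24 with g0n at 192.168.2.2.
# Assumes "sysctl -w net.ipv4.ip_forward=1" has been done on g0n.
flush ruleset

define wan     = enp4s6
define lan     = enp6s0
define lan_net = 192.168.2.0/24

table inet filter {
  chain input {                      # dispatcher, as in the Arch wiki layout
    type filter hook input priority 0; policy drop;
    iifname lo accept
    ct state { established, related } accept
    ct state invalid drop
    iifname $wan jump input_wan
    iifname $lan jump input_lan
    reject                           # any other interface: refuse politely
  }

  chain input_wan {                  # what g0n itself accepts from the uplink
    udp sport bootps udp dport bootpc accept     # DHCP replies from 192.168.1.1
    ip6 nexthdr ipv6-icmp accept                 # keep IPv6 neighbour discovery working
    icmp type { echo-request, destination-unreachable, time-exceeded } accept
    reject
  }

  chain input_lan {                  # what g0n itself accepts from the LAN
    ip saddr $lan_net icmp type echo-request accept
    ip saddr $lan_net tcp dport ssh accept       # admin access to g0n from the LAN
    reject
  }

  chain forward {                    # this is the chain the wiki ruleset lacked
    type filter hook forward priority 0; policy drop;
    ct state { established, related } accept
    ct state invalid drop
    # LAN -> internet is allowed; internet -> LAN new connections fall to drop.
    iifname $lan oifname $wan ip saddr $lan_net accept
    counter comment "dropped forwards"          # inspect with: nft list chain inet filter forward
  }

  chain output {
    type filter hook output priority 0; policy accept;
  }
}

table ip nat {
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    # Rewrite LAN sources to enp4s6's current DHCP address on the way out.
    # This hook sees every packet leaving the host, g0n's own included, which
    # is why a bare "counter" here (as in the wiki ruleset) counts host traffic too.
    oifname $wan ip saddr $lan_net masquerade
  }
}
```

Load it the same way as above (nft -f file) and verify with nft list ruleset; the forward counter shows how much the LAN tried to do that the policy refused.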

----------

## miroR

I reported the typo (in only second attempt did I do it correctly   :Wink:  ):

http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.general/48566

http://www.spinics.net/lists/netfilter/msg56695.html

(on spinics only the first incorrect report shows to me yet)

---

But importantly, I think I only now have grasped  :Embarassed:  why my setup couldn't work without extra configuration...

The enp6s0 interface, through which I want to connect my local network machines to the internet is served, as I explained in the opening post (under eth1 which it then was):

 *Quote:*   

> 
> 
> some 7 yrs old aDSL router, with disabled DHCP server, working (I hope) as
> 
> simply static network local router
> ...

 

And I was attempting, all this time, to get the members of that network to get their connection into an internet connection...

No! It's still not clear to me how to do it, but I'm pretty sure that the network that would be, in its members mangled-connected to the internet through the aDSL router seen on the enp4s6 interface, that must be a network that I have to set up on this machine!

It can't be a network served from another machine.

----------

## miroR

Note: this is just an entire one-day leg of my journey. Skip this post if you rush for the (at the time of writing) likely solution.

---

I was thinking. I mostly understand the basics of networking, and I have, although very slowly, solved a few obstacles so far on my journey to achieve a "Firewalled Internet Access to Internal Subnet" as the title of the topic says.

And I was thinking, remembering how some of the unmanaged ethernet switches that I had, used to suggest in their manuals, that the rest of the machines on the 4-port or 8-port switch that they were, could connect to the internet if the port no. 1 was connected to the aDSL router.

I know this is not a territory for the faint-hearted and I may be stubborn enough to keep trying.

However, it's not about only connecting other machines to the internet. It's about doing it in such a way to be able to capture and analyze all the traffic. I explained that the outside is potentially hostile, in the opening post.

I want to access, be it from my Windoze machine, or from a future Devuan machine the internet and do things, in such way as to be able to see all the traffic for myself. Windoze I don't trust (and am not a wizard who could control it fully, far from), and when I install on a new machine such as I will, hopefully, install Devuan, I don't see how I can have complete sight of all the traffic to and from that machine, to have control over it, other than if I somehow get it to pass through my Gentoo machine, where I can capture and analyze it before I conclude all is clean... Through my Gentoo machine which I'm pretty confident is likely sufficiently secure (grsec-hardened, RBAC deployed...)...

A switch I have:

http://dlink.com.sg/products/?idproduct=273

http://www.dlink.com/-/media/Consumer_Products/DGS/DGS%201008D/Manual/DGS%201008D_B1_Manual_v201.pdf

(but my model doesn't look like that; it was made around 2005 or so, it's more squarely made, with blunted edges)

I have been reluctant to use it anywhere near online, because I lost another one, because of something that happened online. (It was somehow b0rked from online, as were some of my ethers, else how come I only lost them when I connected online, and as long as I used them in the SOHO, nothing whatsoever happened.)

---

But I have recently changed direction, I think I have found my way. Will be clear in the next post.

----------

## miroR

And, after I've searched and read, searched and read... I think the solution for my case lies somewhere in this direction:

https://www.debian.org/doc/manuals/securing-debian-howto/ap-bridge-fw.en.html

applied to my Gentoo of course.

Will expand on this. Just wanted to give it for the impatient curious. Give me time to install things, study the matter and then elaborate, and to see if I need help about it, or if this will be a solution such that occasional others may find useful too.

----------

## miroR

From:

D.1 A bridge providing NAT and firewall capabilities

https://www.debian.org/doc/manuals/securing-debian-howto/ap-bridge-fw.en.html#sD.1

```
Internet ---- router ( 62.3.3.25 ) ---- bridge (62.3.3.26 gw 62.3.3.25 / 192.168.0.1)
                                          |
                                          |
                                          |---- WWW Server (62.3.3.27 gw 62.3.3.25)
                                          |
                                          |
                                         LAN --- Zipowz (192.168.0.2 gw 192.168.0.1)
```

Translating into my situation.

Note: I'll be struggling to grasp the concept. Help is welcome. Will try and give all the info I have.

Therefore the continuation of a line that I verbosely extended in my translation will be marked with square brackets on a repeated "----", but at start of line, like this: "[----]".

The setup on g0n before setting up bridge (not clearly put, for lack of complete understanding of the concept yet).

```
Internet ---- router ( 192.168.1.1 )  ----
```

( provider's aDSL router serving local network 192.168.1.0/24 )

( the dynamic internet IPs that get assigned are never seen in userland )

( in "192.168.1.X" below the "X" is whatever this host gets by router's DHCP, usually 1-4 )

```
                                [----] bridge br0 (<192.168.1.X> gw 192.168.1.1 / 192.168.2.2)
                                          |
                                          |
```

I cut out the server here.

```
                                          |
                                         LAN --- my_lan (192.168.2.2 gw * )
```

Actually it can have LAN on my_lan, because I tried it previously.

Here is how it looks on that my_lan from a machine running 1yr old Debian, in which I want to install, probably from scratch, a minimalist Devuan, but in a completely protected way, via my Gentoo box setup that I'm struggling to reach in this topic.

```
root@naibd6:/home/mr# ip route show
192.168.2.0/24 dev eth0  proto kernel  scope link  src 192.168.2.3 
root@naibd6:/home/mr# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     *               255.255.255.0   U     0      0        0 eth0
root@naibd6:/home/mr# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
root@naibd6:/home/mr# 
```

Take notice that there is no gateway yet on that interface. Some more info on it:

I had tried in this topic-tentative to set enp6s0 (previously eth1) to 192.168.2.2 and I could ping it (now can't ping it, but only because I will, but have not set br0 on it yet) just like I can ping this old router's local network (192.168.2.1) below:

```
root@naibd6:/home/mr# ping -c1 192.168.2.2
PING 192.168.2.2 (192.168.2.2) 56(84) bytes of data.
From 192.168.2.3 icmp_seq=1 Destination Host Unreachable

--- 192.168.2.2 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

root@naibd6:/home/mr# ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=0.943 ms
64 bytes from 192.168.2.1: icmp_seq=2 ttl=64 time=0.404 ms
64 bytes from 192.168.2.1: icmp_seq=3 ttl=64 time=0.401 ms
^C
--- 192.168.2.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 0.401/0.582/0.943/0.256 ms
root@naibd6:/home/mr# 
```

Here's the setup on g0n without verbosity:

```
Internet ---- router ( 192.168.1.1 )  ----  enp4s6 (192.168.1.X by DHCP)
                                               |
                                               |
                                               |
                                            enp6s0 --- my_lan (192.168.2.2)
```

Here it is more fully (except I deleted the lines in all the pastes for the interface 192.168.3.0/24, because that is an inactive interface on enp5s0 --previously eth0--, at this time):

```
g0n ~ # ip route show
default via 192.168.1.1 dev enp4s6  src 192.168.1.3  metric 5 
127.0.0.0/8 dev lo  scope host 
192.168.1.0/24 dev enp4s6  proto kernel  scope link  src 192.168.1.3  metric 5 
g0n ~ # route 
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    5      0        0 enp4s6
loopback        0.0.0.0         255.0.0.0       U     0      0        0 lo
192.168.1.0     0.0.0.0         255.255.255.0   U     5      0        0 enp4s6
g0n ~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    5      0        0 enp4s6
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
192.168.1.0     0.0.0.0         255.255.255.0   U     5      0        0 enp4s6
g0n ~ #
```

So far enp6s0 is not even in the route, as you can see.

This is how it looks like when I start that interface:

```
g0n ~ # /etc/init.d/net.enp4s6 start
 * Bringing up interface enp4s6
 *   config_enp4s6 not specified; defaulting to DHCP
 *   dhcp ...
 *     Running dhcpcd ...
DUID 00:01:00:01:1a:e5:27:80:8e:64:d7:e7:d3:d8
enp4s6: IAID 2e:7d:55:62
enp4s6: soliciting an IPv6 router
enp4s6: rebinding lease of 192.168.1.3
enp4s6: NAK: from 192.168.1.1
enp4s6: soliciting a DHCP lease
enp4s6: Router Advertisement from fe80::1
enp4s6: ignoring RA from fe80::1 (no public prefix, no managed address)
enp4s6: requesting DHCPv6 information
enp4s6: applying ignored RA from fe80::1
enp4s6: adding default route via fe80::1
enp4s6: offered 192.168.1.4 from 192.168.1.1
enp4s6: probing address 192.168.1.4/24
enp4s6: leased 192.168.1.4 for 86400 seconds
enp4s6: adding route to 192.168.1.0/24
enp4s6: adding default route via 192.168.1.1
forked to background, child pid 4040                                         [ ok ]
 *     received address 192.168.1.4/24                                       [ ok ]
g0n ~ # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    5      0        0 enp4s6
loopback        0.0.0.0         255.0.0.0       U     0      0        0 lo
192.168.1.0     0.0.0.0         255.255.255.0   U     5      0        0 enp4s6
g0n ~ # ip route 
default via 192.168.1.1 dev enp4s6  src 192.168.1.4  metric 5 
127.0.0.0/8 dev lo  scope host 
192.168.1.0/24 dev enp4s6  proto kernel  scope link  src 192.168.1.4  metric 5 
g0n ~ # ifconfig enp6s0
enp6s0: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 00:30:4f:31:4b:18  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 17  
```

I'm really struggling. And really tried to give sufficient, and still not superfluous information.

Next is, if the information is sufficient for me to decide how to do it (meaning more thinking hard on this first)...

Next is, setting up the bridge.

Last edited by miroR on Sun Mar 27, 2016 11:29 am; edited 1 time in total

----------

## miroR

My new topic (not much time for it, but I wanted to report it):

kernel panic not anymore logged as it used to be

https://forums.gentoo.org/viewtopic-t-1041336.html

which I first posted here into this exact post you are reading, but decided to move it into a new topic.

----------

## miroR

There's a little more here for kind readers:

PPPoE and static subnet setup

https://forums.gentoo.org/viewtopic-t-1040272.html

(the entire topic is relevant for my quest, and here is where I join in:

https://forums.gentoo.org/viewtopic-t-1040272.html#7899134

And here's the question, and offer to Netfilter ML:

Nftables or Iptables/Ebtables for a simple linux bridge?

http://marc.info/?l=netfilter&m=145928820814936&w=2

My offer may not be perfect at all. And that may be the reason it has not been replied to yet, or it may have not been replied, so far, for other reason. What do I know. I feel a little sad for that.

I feel a little sad for that, but have to go on. Before I start rolling my system back to the Iptables setup, let me query more at one other place... In case those advanced users are around....

Wait...

----------

## miroR

 *miroR wrote:*   

> Before I start rolling my system back to the Iptables setup, let me query more at one other place... In case those advanced users are around....
> 
> Wait...

 

Well, a post of mine that I posted in this topic:

ERROR: sys-apps/iproute2-4.5.0::gentoo failed (compile phase

https://forums.gentoo.org/viewtopic-t-1040708.html

which is exactly, underneath, about Nftables vs Iptables...

was moved over into the dustbin:

Offtopic "answer" is a beg for help

https://forums.gentoo.org/viewtopic-t-1041598.html

Well, I don't know what to do.

Just those looked like over here:

http://www.croatiafidelis.hr/foss/cap/cap-160321-NAT/for-Gentoo-folks/README.txt

and open the dir and browse, if you care:

http://www.croatiafidelis.hr/foss/cap/cap-160321-NAT/for-Gentoo-folks/

I will try and see if other admins think that I hijacked eccerr0r's topic here:

https://forums.gentoo.org/viewtopic-t-1040272.html#7899134

and that maybe he replied out of fear, or what? C'mon! Have a look:

https://forums.gentoo.org/viewtopic-t-1040272.html#7899154

As well as that it was out of what? that I got a kind reply from nativemad:

https://forums.gentoo.org/viewtopic-t-1040272-postdays-0-postorder-asc-start-25.html#7899368

And... don't know really....

----------

