# setting up a router !!!

## TheX

I've got a simple home network.

A small PC (called OXO) (333 MHz; 32 MB RAM; 8 MB graphics card; 2 network cards)

And 2 bigger PCs which are waiting for traffic from the world wide web.

The OXO is a DHCP and Apache server. It opens the ADSL connection with rp-pppoe.

Ipchains and some necessary stuff is compiled into the kernel.

Now it should route all stuff (later I'll set some iptables rules) to the big PCs.

(I forgot to say: OXO is running Gentoo (what else?!?))

So, my problem is that OXO isn't routing the traffic from card eth0 (www) to card eth1 (LAN 192.168.99.0).

I emerged:

- dhcp
- iptables
- dnsmasq

Now I'll paste some configs from OXO, to make it easier to know where the problem is.

/etc/conf.d/net

```
iface_eth1="192.168.99.99 broadcast 192.168.99.255 netmask 255.255.255.0"
```

/etc/conf.d/dhcp

```
IFACE="eth1"
DHCPD_OPTS="-q"
#CHROOT="/chroot/dhcp"
```

/etc/dhcp/dhcp.conf

```
authoritative;
ddns-update-style ad-hoc;

subnet 192.168.99.0 netmask 255.255.255.0 {
        range 192.168.99.10 192.168.99.50;
        default-lease-time 259200;
        max-lease-time 518400;
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.99.255;
        option routers 192.168.99.99;
        option domain-name-servers 192.168.99.99;
}

######################################
# FIXED IP-s
host hansa {
  hardware ethernet 00:E0:4C:02:41:85;
  fixed-address 192.168.99.1;
}
```

/etc/conf.d/local.start

```
echo "1" > /proc/sys/net/ipv4/conf/all/forwarding

# MASQUERADE is applied here on eth1 (the LAN side); the Debian script below
# applies it on ppp0, the interface the traffic actually leaves through.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# clamp the TCP MSS to the path MTU (needed behind PPPoE)
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
```

Now the config from the client PC (hansa), which should get the routed (http) traffic:

```
iface_eth0="dhcp";
gateway="eth0/192.168.99.99";
```

This may not be 100% right, because I'm in Windows now and can't access the configs on hansa.

I hope this is enough information to solve the problem.

Please help me to get my OXO working, and routing all stuff to the LAN.

I had a Debian system running on OXO, and wanted to make it work with Gentoo. This can be done!!!!!!!! HELP ME!!!!

Oh, my firewall-and-routing script on the Debian system looked like this:

```
#! /bin/sh

##                      ---MINI NETFILTER CONFIG---
##                 This document was written by an IHKA
## V.02

PATH=/usr/sbin:/sbin:/usr/bin:/bin
export PATH

LAN_ADR=192.168.99.0/24
INTERFACE="ppp0"
IF_LAN="eth1"
HOST1=192.168.99.1
HOST2=192.168.99.7

# Determine the nameserver address automatically
# (head -n 1: the old "head -1" form is obsolete and only prints a warning):
nameserver=`grep '^nameserver' /etc/resolv.conf | head -n 1 | awk '{print $2}'`

##### Kernel tuning ###########################################################
# NOTE: the following line was cut off in the original post
for i in /proc/sys/net/ipv4/conf/*/{accept_source_route,accept_redirects,send_r$
echo 0 >$i
done

echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 >/proc/sys/net/ipv4/tcp_syncookies
echo 1 >/proc/sys/net/ipv4/ip_forward

##### POLICIES ################################################################
# Delete any existing rules
iptables -F
iptables -X

# Default: unknown packets may not pass
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

##### INPUT chain #############################################################
# TESTING ONLY: allow nameserver replies from anywhere
# iptables -A INPUT -p udp --sport 53 -j ACCEPT
# TESTING ONLY: accept all packets
#iptables -A INPUT -j ACCEPT
# TESTING ONLY: log all packets
# iptables -A INPUT -j LOG

# Everything from the loopback interface is allowed
iptables -A INPUT -i lo -j ACCEPT
#iptables -A INPUT -i $IF_LAN -j ACCEPT

# If -m state is desired: allow recognised connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block X11
iptables -A INPUT -p tcp --dport 6000:6020 --syn -j LOG
iptables -A INPUT -p tcp --dport 6000:6020 --syn -j DROP

# Block NFS and SOCKS
iptables -A INPUT -p tcp -m multiport --dport 1080,2049 --syn -j LOG
iptables -A INPUT -p tcp -m multiport --dport 1080,2049 --syn -j DROP
iptables -A INPUT -p udp -m multiport --dport 2049,4045 -j LOG
iptables -A INPUT -p udp -m multiport --dport 2049,4045 -j DROP

# Existing connections to high ports are allowed
iptables -A INPUT -p tcp --dport 1024: ! --syn -j ACCEPT

# Individual server ports are also allowed
iptables -A INPUT -p tcp -s $LAN_ADR --dport 631 -j ACCEPT # CUPS
iptables -A INPUT -p tcp -s $LAN_ADR --dport 901 -j ACCEPT
#iptables -A INPUT -p tcp -s $LAN_ADR --dport 10000 -j ACCEPT # Webmin
#iptables -A INPUT -p tcp -s $LAN_ADR --dport 80 -j ACCEPT #Apache Web Server
iptables -A INPUT -p tcp --dport 22 -j ACCEPT # ssh
iptables -A INPUT -p tcp -s $LAN_ADR -m multiport --dport 137,139 -j ACCEPT
iptables -A INPUT -p udp -s $LAN_ADR -m multiport --dport 137,139 -j ACCEPT
#iptables -A INPUT -p tcp --dport 80 -j ACCEPT # http
#iptables -A INPUT -p udp -s $LAN_ADR --dport 514 -j ACCEPT # syslog from LAN
#iptables -A INPUT -p udp --dport 6970 -j ACCEPT # RealPlayer / nautilus

# auth requests are refused with an error message to the sender.
# This speeds up connecting to servers that perform an ident lookup.
iptables -A INPUT -p tcp --dport auth -j REJECT --reject-with tcp-reset

# Three variants for DNS:
# (1) DNS packets only from a single nameserver
iptables -A INPUT -p tcp -s $nameserver --sport domain -j ACCEPT
iptables -A INPUT -p udp -s $nameserver --sport domain -j ACCEPT
# (3) UDP DNS packets from anywhere to our DNS cache. No separate TCP rule
# is needed here because BIND uses an unprivileged port for TCP queries.
#iptables -A INPUT -p udp --sport domain --dport 7531 -j ACCEPT

# Block fragmented ICMP packets
iptables -A INPUT -p icmp --fragment -j LOG
iptables -A INPUT -p icmp --fragment -j DROP

# Allow certain ICMP packets
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT

# Some events occur so often that I don't want to see them in the log.
iptables -A INPUT -p udp --dport netbios-ns -j DROP
iptables -A INPUT -p udp --dport netbios-dgm -j DROP
iptables -A INPUT -p tcp --dport netbios-ssn -j DROP

# Everything else is logged first and then blocked.
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

##### OUTPUT chain ############################################################
# TESTING ONLY: send all packets
# iptables -A OUTPUT -j ACCEPT

# Packets to loopback
iptables -A OUTPUT -o lo -j ACCEPT

# Certain UDP packets
iptables -A OUTPUT -p udp --sport 1024: --dport 53 -j ACCEPT # domain/udp
#iptables -A OUTPUT -p udp --dport 7091 -j ACCEPT # nautilus

# We run a few servers
iptables -A OUTPUT -p tcp -d $LAN_ADR -m multiport --sport 137,139 -j ACCEPT
iptables -A OUTPUT -p udp -d $LAN_ADR -m multiport --sport 137,139 -j ACCEPT
iptables -A OUTPUT -p udp -d $LAN_ADR --sport 756 -j ACCEPT
iptables -A OUTPUT -p tcp -d $LAN_ADR --sport 901 -j ACCEPT

# TCP packets from local client programs
iptables -A OUTPUT -p tcp --sport 1024: --dport 21 -j ACCEPT # ftp
iptables -A OUTPUT -p tcp --sport 1024: --dport 22 -j ACCEPT # ssh
#iptables -A OUTPUT -p tcp --sport 1024: --dport 23 -j ACCEPT # telnet
#iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT # smtp
#iptables -A OUTPUT -p tcp --sport 1024: --dport 37 -j ACCEPT # time
#iptables -A OUTPUT -p tcp --sport 1024: --dport 43 -j ACCEPT # whois
#iptables -A OUTPUT -p tcp --sport 1024: --dport 53 -j ACCEPT # domain/tcp
#iptables -A OUTPUT -p tcp --sport 1024: --dport 79 -j ACCEPT # finger
iptables -A OUTPUT -p tcp --sport 1024: --dport 80 -j ACCEPT # www
#iptables -A OUTPUT -p tcp --sport 1024: --dport 110 -j ACCEPT # pop-3
iptables -A OUTPUT -p tcp --sport 1024: --dport 123 -j ACCEPT # ntp
#iptables -A OUTPUT -p tcp --sport 1024: --dport 143 -j ACCEPT # imap2
#iptables -A OUTPUT -p tcp --sport 1024: --dport 443 -j ACCEPT # https
iptables -A OUTPUT -p tcp --sport 1024: --dport 756 -j ACCEPT # SMB unknown

# Outgoing TCP connections are allowed when an unprivileged port is used at
# both ends. Insecure, but needed for passive FTP unless -m state is used.
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -j ACCEPT

# Alternative: the state module allows active and passive FTP
# (note the corresponding rule in the INPUT chain too!)
#iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow certain ICMP packets
iptables -A OUTPUT -p icmp -d $LAN_ADR --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

# The rest is logged and blocked. For TCP connections we send an error
# message to our own program so we don't have to wait for the long timeout.
iptables -A OUTPUT -j LOG
iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -j DROP

##### FORWARD chain ###########################################################
# TESTING ONLY: log all packets
# iptables -A FORWARD -j LOG

# Address translation: nat table!
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# The router may chop up packets (MTU problem - e.g. www.gmx.de)
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# Outgoing packets
iptables -A FORWARD -o ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o ppp0 -p tcp -m multiport --sport 136,139 -j REJECT

# Incoming packets
iptables -A FORWARD -o $IF_LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -o $IF_LAN -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -o $IF_LAN -p tcp --dport 4659 -j ACCEPT
iptables -A FORWARD -o $IF_LAN -p tcp --dport 4662 -j ACCEPT
iptables -A FORWARD -o $IF_LAN -p tcp -m multiport --dport 5504,5553 -j ACCEPT
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 4662 -j DNAT --to $HOST1:4662
# iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 4659 -j DNAT --to $HOST2:4659
# iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 26 -j DNAT --to $HOST1:22

#Portmapping HOST1 (the following line was cut off in the original post)
# iptables -t nat -A PREROUTING -i ppp0 -p tcp -m multiport --dport 5504,5553 -j DNAT --to $HOST1:5$

echo -e "\t\t FIREWALL UP =)"
```

Perhaps somebody knows some corrections to make this script do what I want.

At the moment it echoes this on Gentoo:

```
sh /firewall-routing
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
/firewall-routing: line 26: /proc/sys/net/ipv4/tcp_syncookies: No such file or directory
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
                 FIREWALL UP =)
```

OXO's rc-status:

```
  local               [ started ]
  netmount            [ started ]
  hotplug             [ started ]
  syslog-ng           [ started ]
  vixie-cron          [ started ]
  sshd                [ started ]
  net.eth1            [ started ]
  hdparm              [ started ]
  mysql               [ started ]
  verynice            [ started ]
  iptables            [ started ]
  dhcp                [ started ]
  dnsmasq             [ started ]
```

That's all!!!!!!!! I've posted everything I thought could be necessary.

Thank you for reading as far as you are now!!

I hope that you have some suggestions...

TheX
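The two config snippets in this post put MASQUERADE on the LAN interface and abort on a kernel tunable that does not exist. As an added example (not TheX's configuration and not the Debian script above), here is a minimal router rule set for the setup described: it assumes ppp0 is the rp-pppoe uplink, eth1 the LAN and 192.168.99.0/24 the LAN network (all overridable from the environment), generates the iptables commands as text so they can be reviewed before being applied, sets the FORWARD policy to DROP before any ACCEPT rule so a rule the kernel rejects leaves the box failing closed, and tolerates a missing tunable (the tcp_syncookies "No such file or directory" case) instead of dying. The helper names proc_set, build_rules and apply_rules are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: minimal LAN-to-Internet router
# rules. Assumed: ppp0 = ADSL uplink (rp-pppoe), eth1 = LAN interface,
# 192.168.99.0/24 = LAN network. Override any of them via the environment.
WAN_IF="${WAN_IF:-ppp0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.99.0/24}"
PROC_IPV4="${PROC_IPV4:-/proc/sys/net/ipv4}"

# Write a value to a kernel tunable only if this kernel provides it.
# Returns 1 with a warning instead of aborting the whole script, which is
# what happens when e.g. tcp_syncookies is missing from a custom kernel.
proc_set() {
    f="$PROC_IPV4/$1"
    if [ -w "$f" ]; then
        echo "$2" > "$f"
    else
        echo "warning: $f not available in this kernel, skipping" >&2
        return 1
    fi
}

# Print the iptables commands for the router, in the order they must run.
# The FORWARD policy is DROP before any ACCEPT rule exists: the LAN may open
# new connections towards the Internet, the Internet side only gets replies
# to connections the LAN initiated. MSS clamping is placed before the ACCEPT
# rules because TCPMSS does not terminate rule processing but ACCEPT does.
# MASQUERADE goes on the outbound (WAN) interface, not the LAN side.
build_rules() {
    cat <<EOF
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -P FORWARD DROP
iptables -A FORWARD -o $WAN_IF -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "FORWARD-DROP: "
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Apply the rules. sh -ex echoes each command and stops at the first one the
# kernel rejects ("No chain/target/match by that name" = missing module), so
# the failing rule is visible and the DROP policy already set stays in force.
apply_rules() {
    proc_set ip_forward 1 || return 1      # required for routing at all
    proc_set tcp_syncookies 1 || true      # hardening only; absent on some kernels
    build_rules | sh -ex
}

case "${1:-show}" in
    apply) apply_rules ;;
    show)  build_rules ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it without arguments to print the rules for review, and as root with `apply` to load them; the LAN-side INPUT/OUTPUT policy of the Debian script is deliberately not part of this example.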

----------

## Steven Robertson

I would recommend using net-firewall/firehol.  It's got an awesomely easy syntax, but is still incredibly powerful.  The documentation is easy to understand, so I'll let you peruse it on your own.  However, my custom firehol config is posted below.  I've modified it to fit your setup, but it may not be exactly right (it's late).  I recommend it above raw iptables rules because it's much easier to spot problems and make changes to a firehol config.

Once you've emerged firehol, drop this script in as /etc/firehol/firehol.conf, run 'firehol start', then run '/etc/init.d/iptables save'.  Make sure iptables is in your rc-scripts.  It's that simple.

```
version 5

# The variable NAT_FORWARD_IP tells firehol to forward a specific port to a specific
# host.  The variable is stored in the format "host-port,port:range;[host...]"  I
# use it for stuff like bittorrent.
# Example:
#NAT_FORWARD_IP="192.168.0.9-4600:4699,5400,5500,3632;192.168.0.7-5800:5999"

for IP_PORT in $(echo $NAT_FORWARD_IP | tr ";" " ")
do
        IP=$(echo $IP_PORT | grep -o "^[1234567890.]\{7,15\}-" | tr -d "-")
        for PORT in $(echo $IP_PORT | grep -o "[-,][1234567890:]*" | tr -d -- "-,")
        do
                dnat to $IP proto tcp dport $PORT
                dnat to $IP proto udp dport $PORT
        done
done

interface eth1 local
        server all                                      accept
        client all                                      accept

interface eth0 inet
        protection strong 20/sec 50
        server "ssh http ping"   accept
        #NAT_FORWARD stuff
        for PORT in $(echo $NAT_FORWARD_IP | grep -o "[-,][1234567890:]*" | tr -d -- "-,")
        do
                server custom forward "tcp/$PORT udp/$PORT" default accept
        done
        server ident                                    reject with tcp-reset
        client all                                      accept

router inet2local inface eth0 outface eth1
        masquerade reverse
        server ident                                    reject with tcp-reset
        #NAT_FORWARD stuff
        for PORT in $(echo $NAT_FORWARD_IP | grep -o "[-,][1234567890:]*" | tr -d -- "-,")
        do
                route custom forward "tcp/$PORT udp/$PORT" default accept
        done
        client all                                      accept
```

HTH!
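The NAT_FORWARD_IP notation in this config is parsed with grep patterns that accept any run of digits and dots, so a mistyped entry still produces a dnat line. As an added example (not Steven's code and not part of firehol), here is a stricter parser for the same "host-port,port:range;host-..." format: each host must be a dotted quad inside the LAN (LAN_PREFIX is an assumed setting for the 192.168.99.0/24 network of this thread), each port or range must lie in 1..65535 with low <= high, and the whole list is refused if any entry is malformed, so a typo cannot forward a port to an unintended host. The names valid_ip, valid_port, parse_forwards and emit_dnat are this example's own.

```shell
#!/bin/sh
# Added example, not from the post or from firehol: strict parser for the
# NAT_FORWARD_IP notation "host-port,port:range;host-port...".
set -f   # no pathname expansion while word-splitting an untrusted string
LAN_PREFIX="${LAN_PREFIX:-192.168.99.}"   # assumed LAN prefix; other hosts are rejected

# valid_ip A.B.C.D: true only for exactly four octets in 0..255
valid_ip() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# valid_port P or LO:HI: true for ports in 1..65535 with LO <= HI
valid_port() {
    case "$1" in ''|*[!0-9:]*|:*|*:|*:*:*) return 1 ;; esac
    lo=${1%%:*}; hi=${1##*:}
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# parse_forwards SPEC: prints "host port" lines, one per forwarded port or
# range. Fails closed: on any malformed entry it prints nothing and returns 1.
parse_forwards() {
    out=""; rc=0; old_ifs=$IFS
    IFS=';'; set -- $1; IFS=$old_ifs          # split the list into entries
    for entry in "$@"; do
        host=${entry%%-*}; ports=${entry#*-}
        if [ "$host" = "$entry" ] || ! valid_ip "$host"; then
            echo "rejected '$entry': bad host" >&2; rc=1; continue
        fi
        case "$host" in
            "$LAN_PREFIX"*) ;;
            *) echo "rejected '$entry': host outside LAN" >&2; rc=1; continue ;;
        esac
        IFS=','; set -- $ports; IFS=$old_ifs  # split the port list
        for p in "$@"; do
            if valid_port "$p"; then
                out="${out}${host} ${p}
"
            else
                echo "rejected '$entry': bad port '$p'" >&2; rc=1
            fi
        done
    done
    [ $rc -eq 0 ] && printf '%s' "$out"
    return $rc
}

# emit_dnat SPEC: the validated entries as firehol dnat lines (tcp and udp)
emit_dnat() {
    parse_forwards "$1" | while read -r ip port; do
        echo "dnat to $ip proto tcp dport $port"
        echo "dnat to $ip proto udp dport $port"
    done
}

if [ $# -gt 0 ]; then
    emit_dnat "$1"
fi
```

Called as `sh parse-forwards.sh "$NAT_FORWARD_IP"` it prints the dnat lines to paste into the config; because it fails closed, a bad entry yields no forwarding at all rather than a partially applied list.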

----------

## pjp

Moved from Other Things Gentoo.

----------

