# [SOLVED] Gentoo Home Router not forwarding correctly?

## Crimjob

Hi All,

I built a Gentoo system, and then followed this guide to set it up as a home router:

http://www.gentoo.org/doc/en/home-router-howto.xml

I used the iptables examples on that page as it stated you should have a workable system by using these:

```
First we flush our current rules

# iptables -F
# iptables -t nat -F

Setup default policies to handle unmatched traffic

# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD DROP

Copy and paste these examples ...

# export LAN=eth0
# export WAN=eth1

Then we lock our services so they only work from the LAN

# iptables -I INPUT 1 -i ${LAN} -j ACCEPT
# iptables -I INPUT 1 -i lo -j ACCEPT
# iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
# iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT

(Optional) Allow access to our ssh server from the WAN

# iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT

Drop TCP / UDP packets to privileged ports

# iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
# iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP

Finally we add the rules for NAT

# iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP
# iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT
# iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT
# iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

Tell the kernel that ip forwarding is OK

# echo 1 > /proc/sys/net/ipv4/ip_forward
# for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

This is so when we boot we don't have to run the rules by hand

# /etc/init.d/iptables save
# rc-update add iptables default
# nano /etc/sysctl.conf

Add/Uncomment the following lines:

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1

If you have a dynamic internet address you probably want to enable this:

net.ipv4.ip_dynaddr = 1
```

I've performed all that, and all the machines on the LAN are able to communicate with the router, but not any further. Any HTTP requests (google.com for example) just get timed out.

Is there anything clearly wrong with that example above? Where can I begin to troubleshoot?

I've been working on getting this system up and running for about 18 hours now (kernel panics and hardware incompatibilities), gotta work tomorrow, so I'm hoping someone will have some insight for me when I'm fresh minded returning home.

Thanks in advance for any assistance.

----------

## Veldrin

Does the router have a proper internet connection? (i.e. ssh to the router and, e.g., ping google.com; if it works you have at least a working internet connection, if not you have to get your router onto the net first.)

Second (or first if you like), recheck your howto to make sure you did not skip any step.

just my .02$

V.

----------

## Crimjob

Yes I can SSH to the router, ping the router etc. from any workstation, and the router can contact the WAN, ping google, etc.

I did an iptables -L and confirmed all the rules were there; I'm just not sure how to paste the output here without completely retyping all the lines.

----------

## doctork

Did you check that forwarding is actually set on your router?

```
# cat /proc/sys/net/ipv4/ip_forward
```

This should give you a 1 response.

--

doc

----------

## OldTango

*Crimjob wrote:*

> Hi All,
>
> I built a Gentoo system, and then followed this guide to set it up as a home router:
>
> http://www.gentoo.org/doc/en/home-router-howto.xml
> ...


Same problem here.  Only I had a working Firewall/Router after following this guide a year or so ago.  I wanted to add a rule to the file to open up a couple of ports and went back to the guide, and after following it and simply adding one additional rule, my server no longer allows any computers on the LAN access to the internet.

Looking at the rules file created by the command

```
/etc/init.d/iptables save
```

it is showing FORWARD DROP in the mangle section where it used to show as FORWARD ACCEPT.

Old Rules-save output

```
# Generated by iptables-save v1.4.3.2 on Wed Nov 11 09:41:26 2009
*nat
:PREROUTING ACCEPT [69801464:22657512931]
:POSTROUTING ACCEPT [2917523:540099672]
:OUTPUT ACCEPT [7386146:1156587717]
[6800092:743443209] -A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Nov 11 09:41:26 2009
# Generated by iptables-save v1.4.3.2 on Wed Nov 11 09:41:26 2009
*mangle
:PREROUTING ACCEPT [491815113:288728119527]
:INPUT ACCEPT [142832889:54736971829]
:FORWARD ACCEPT [348885089:233898935208]
:OUTPUT ACCEPT [73406699:22087243112]
:POSTROUTING ACCEPT [429800867:257374403841]
COMMIT
# Completed on Wed Nov 11 09:41:26 2009
# Generated by iptables-save v1.4.3.2 on Wed Nov 11 09:41:26 2009
*filter
:INPUT ACCEPT [23054098:15376961151]
:FORWARD DROP [220:40086]
:OUTPUT ACCEPT [67756404:20796768833]
[60711:104499428] -A INPUT -i lo -j ACCEPT
[25962625:10270196615] -A INPUT -i eth1 -j ACCEPT
[0:0] -A INPUT ! -i eth1 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
[51:3391] -A INPUT ! -i eth1 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
[20290330:1868598507] -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
[348868:26513968] -A INPUT -p udp -m udp --sport 123 -j ACCEPT
[27542:1338527] -A INPUT ! -i eth1 -p tcp -m tcp --dport 0:1023 -j DROP
[38766268:13509408245] -A INPUT ! -i eth1 -p udp -m udp --dport 0:1023 -j DROP
[25:1630] -A FORWARD -d 192.168.0.0/16 -i eth1 -j DROP
[103251606:11486596414] -A FORWARD -s 192.168.0.0/16 -i eth1 -j ACCEPT
[141727806:164512827181] -A FORWARD -d 192.168.0.0/16 -i eth0 -j ACCEPT
COMMIT
# Completed on Wed Nov 11 09:41:26 2009
```

Newly Created using the same guide

```
# Generated by iptables-save v1.4.3.2 on Sat Nov 14 20:18:06 2009
*nat
:PREROUTING ACCEPT [69945632:22695858936]
:POSTROUTING ACCEPT [2930213:542582744]
:OUTPUT ACCEPT [7446525:1164033728]
[102:13252] -A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Nov 14 20:18:06 2009
# Generated by iptables-save v1.4.3.2 on Sat Nov 14 20:18:06 2009
*mangle
:PREROUTING ACCEPT [492742747:289169420016]
:INPUT ACCEPT [3434:2323852]
:FORWARD DROP [22:1320]
:OUTPUT ACCEPT [2360:241361]
:POSTROUTING ACCEPT [430629982:257790279254]
COMMIT
# Completed on Sat Nov 14 20:18:06 2009
# Generated by iptables-save v1.4.3.2 on Sat Nov 14 20:18:06 2009
*filter
:INPUT ACCEPT [1687:2061936]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2258:228975]
[58:4860] -A INPUT -i lo -j ACCEPT
[908:74331] -A INPUT -i eth1 -j ACCEPT
[0:0] -A INPUT ! -i eth1 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-$
[0:0] -A INPUT ! -i eth1 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-$
[203:19592] -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -p udp -m udp --dport 27960:27962 -j ACCEPT
[0:0] -A INPUT ! -i eth1 -p tcp -m tcp --dport 0:1023 -j DROP
[448:143225] -A INPUT ! -i eth1 -p udp -m udp --dport 0:1023 -j DROP
[0:0] -A FORWARD -d 192.168.0.0/16 -i eth1 -j DROP
[0:0] -A FORWARD -s 192.168.0.0/16 -i eth1 -j ACCEPT
[0:0] -A FORWARD -d 192.168.0.0/16 -i eth0 -j ACCEPT
COMMIT
# Completed on Sat Nov 14 20:18:06 2009
```

I am still trying to figure out what has gone wrong.  Any advice is welcome.

TIA....  :Idea:

----------

## Darkshine

The same problem here. My router used to work properly but after the kernel upgrade or after moving some iptables modules into the kernel it is not able to forward HTTP traffic from the local machine. From the local machine I cannot load any sites using hostname in the URL (http://<hostname>), but I can load them using IP address (http://<IP>). Other traffic is forwarded correctly.

My iptables rules are very simple (eth2 - local network, ppp0 - internet):

```
$ iptables-save
# Generated by iptables-save v1.4.5 on Sun Nov 15 21:20:12 2009
*raw
:PREROUTING ACCEPT [256862576:67493629169]
:OUTPUT ACCEPT [301388988:327682471553]
COMMIT
# Completed on Sun Nov 15 21:20:12 2009
# Generated by iptables-save v1.4.5 on Sun Nov 15 21:20:12 2009
*nat
:PREROUTING ACCEPT [19747980:1759005174]
:POSTROUTING ACCEPT [293229:30370974]
:OUTPUT ACCEPT [6204660:391892148]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Sun Nov 15 21:20:12 2009
# Generated by iptables-save v1.4.5 on Sun Nov 15 21:20:12 2009
*mangle
:PREROUTING ACCEPT [256862539:67493641969]
:INPUT ACCEPT [223618080:55055877772]
:FORWARD ACCEPT [28781810:11890928146]
:OUTPUT ACCEPT [301389022:327682486456]
:POSTROUTING ACCEPT [330618330:339650382922]
COMMIT
# Completed on Sun Nov 15 21:20:12 2009
# Generated by iptables-save v1.4.5 on Sun Nov 15 21:20:12 2009
*filter
:INPUT ACCEPT [223618080:55055877772]
:FORWARD ACCEPT [3858324:335654842]
:OUTPUT ACCEPT [301389021:327682486404]
-A FORWARD -i ppp0 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth2 -o ppp0 -j ACCEPT
-A FORWARD -j LOG
COMMIT
# Completed on Sun Nov 15 21:20:12 2009
```

```
$ uname -a
Linux faust 2.6.31-gentoo-r3 #10 SMP Wed Oct 28 03:27:23 EET 2009 x86_64 Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz GenuineIntel GNU/Linux
```

Any ideas?

----------

## Crimjob

*doctork wrote:*

> Did you check that forwarding is actually set on your router?
>
> ```
> # cat /proc/sys/net/ipv4/ip_forward
> ```
> ...


I did indeed. Forgot to mention it but that was my first suspect over the rules.

Perhaps this guide is in need of an edit, as it seems I'm not the only one now.

----------

## Hu

This thread could use some cleanup.  We have three completely different problems here.

Crimjob's rules look like they ought to work.  More debugging is required.  The output of iptables-save -c would be a good start.  As OldTango demonstrated, this can quickly show many potential problem sites.

OldTango already diagnosed the problem with his rules: the FORWARD chain policy has been set to DROP.  I do not know why that happened, but I can say that it will disrupt proper forwarding, as evidenced by the lack of any hits on any components in the filter table FORWARD chain.

Darkshine has a completely different problem.  For purposes of IP forwarding, the router is not aware of whether you used a hostname or an IP address in the browser.  Your problem is probably that DNS is broken.  Also, your rules are not dropping anything, so your system is acting purely as a router, with no firewall features.

----------

## Crimjob

If I could clean it up I would  :Razz: 

I believe it is a similar issue to OldTango's though, as the guide states to set FORWARD to DROP (I thought this was strange, but I would have thought the guide was reviewed before being put online).

```
Linux Dominator 2.6.28-hardened-r9 #17 SMP Sun Nov 15 17:27:53 EST 2009 i686 Pentium III (Coppermine) GenuineIntel GNU/Linux

# Generated by iptables-save v1.4.3.2 on Sun Nov 15 17:33:07 2009
*nat
:PREROUTING ACCEPT [1887:189896]
:POSTROUTING ACCEPT [105:8675]
:OUTPUT ACCEPT [195:15866]
[1535:126561] -A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Sun Nov 15 17:33:07 2009
# Generated by iptables-save v1.4.3.2 on Sun Nov 15 17:33:07 2009
*mangle
:PREROUTING ACCEPT [4492:658492]
:INPUT ACCEPT [548:327367]
:FORWARD ACCEPT [3563:272834]
:OUTPUT ACCEPT [509:39371]
:POSTROUTING ACCEPT [2702:209180]
COMMIT
# Completed on Sun Nov 15 17:33:07 2009
# Generated by iptables-save v1.4.3.2 on Sun Nov 15 17:33:07 2009
*filter
:INPUT ACCEPT [338:297709]
:FORWARD DROP [1370:103025]
:OUTPUT ACCEPT [430:32447]
[55:5985] -A INPUT -i lo -j ACCEPT
[79:9427] -A INPUT -i eth0 -j ACCEPT
[8:2768] -A INPUT ! -i eth0 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A INPUT ! -i eth0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
[2:88] -A INPUT ! -i eth0 -p tcp -m tcp --dport 0:1023 -j DROP
[16:5754] -A INPUT ! -i eth0 -p udp -m udp --dport 0:1023 -j DROP
[0:0] -A FORWARD -d 192.168.0.0/16 -i eth0 -j DROP
[2193:169809] -A FORWARD -s 192.168.0.0/16 -i eth0 -j ACCEPT
[0:0] -A FORWARD -d 192.168.0.0/16 -i eth0 -j ACCEPT
COMMIT
# Completed on Sun Nov 15 17:33:07 2009
```

----------

## OldTango

Well I got tired of all the typing I had to do and created a little script to load the rules from the home router guide.  I believe the rules are almost exactly the same as the guide, so I can only assume my problems were from mistakes I made during the process of inputting each rule by hand.

CAUTION: Use this script at your own risk.  I make no warranties as it is the first script I have written and even though it works on my system I can't promise it will for anyone else.

ALSO NOTE: Change the export LAN=your nic and export WAN=your nic to match your setup.

Mine is different than the Home Router Guide.  I consider the internet the first network connection, thereby assigning it to the first nic, and using standard naming practices it becomes eth0.

```
#!/bin/bash
#File Name = firewall-rules.sh

#First we flush our current rules:
iptables -F
iptables -t nat -F

#default policies to handle unmatched traffic:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

#Export our NIC's:
export LAN=eth1
export WAN=eth0

#Lock our services so they only work from the LAN:
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT

#Allow access to our ssh server from the WAN:
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT

#Drop TCP / UDP packets to privileged ports:
iptables -t filter -A INPUT -p udp -m udp --sport 123 -j ACCEPT
iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:5000 -j DROP
iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:5000 -j DROP

#Add the rules for NAT:
iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

#Tell the kernel that ip forwarding is OK:
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

#Save our rules:
/etc/init.d/iptables save
```

I saved the file as firewall-rules.sh in /root.  Made sure it was executable and ran it from there.  I instantly had my LAN computers back accessing internet normally.  I also extended the privileged port range to 5000 for DROP.

After running the script you can reload the firewall, but I don't think it is necessary:

```
/etc/init.d/iptables reload
```

You can also run

```
/etc/init.d/iptables panic
```

to stop the firewall and set the default of ALL to ACCEPT in the event the script fails or you have errors.

The line

```
iptables -t filter -A INPUT -p udp -m udp --sport 123 -j ACCEPT
```

was added for NTP; however, I am not sure it works properly, as even though iptables -L shows the port as open, it appears as closed from the internet.  You can check your firewall status HERE if you are interested in how it performs.

I am pretty sure NTP is no longer working, so if anyone knows the proper rule for it to have access to port 123, and how to open ports 27960:27962 properly for the quake3 server, I would welcome their advice.

TIA...  :Smile: 

----------

## Hu

*Crimjob wrote:*

> I believe it is similar issue to OldTango though, as the guide states to set FORWARD to DROP (I thought this was strange, but I would have thought the guide was reviewed before being put online).

Not necessarily.  Setting FORWARD to DROP is good practice though, since it means mistakes deny legitimate access, rather than allow illegitimate access.

*Crimjob wrote:*

> ```
> *filter
> ...


Traffic which comes in on the LAN, but which should have been routed directly, is dropped.  Traffic from the LAN to the outside world is allowed.  Traffic which matched the first rule, and therefore never makes it to the third rule, is then accepted by the third rule.  Anything else, such as the outside world responding to you, is then dropped.  Perhaps you forgot to allow traffic for established connections?

These rules conflict with the rules shown by the script in your first post.  Did you retype one of these by hand?
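To make Hu's walk-through of Crimjob's FORWARD chain concrete, here is an added example (not from the thread or the Gentoo guide) that parses the `-A FORWARD` lines of an `iptables-save -c` dump and runs a few constructed packets through first-match evaluation. It assumes Crimjob's layout (eth0 LAN, eth1 WAN); the host and internet addresses are made up.

```python
import ipaddress
import re
import shlex

ANY = ipaddress.ip_network("0.0.0.0/0")  # default when a rule has no -s / -d

# Constructed from the filter-table FORWARD sections of the two dumps in this
# thread: the retyped set has "-i eth0" (LAN) on the third rule, the corrected
# set has "-i eth1" (WAN). Counters are kept to show the -c format is handled.
BROKEN_FORWARD = """\
:FORWARD DROP [1370:103025]
[0:0] -A FORWARD -d 192.168.0.0/16 -i eth0 -j DROP
[2193:169809] -A FORWARD -s 192.168.0.0/16 -i eth0 -j ACCEPT
[0:0] -A FORWARD -d 192.168.0.0/16 -i eth0 -j ACCEPT
"""
FIXED_FORWARD = """\
:FORWARD DROP [0:0]
[0:0] -A FORWARD -d 192.168.0.0/16 -i eth0 -j DROP
[0:0] -A FORWARD -s 192.168.0.0/16 -i eth0 -j ACCEPT
[0:0] -A FORWARD -d 192.168.0.0/16 -i eth1 -j ACCEPT
"""

def parse_chain(dump, chain="FORWARD"):
    """Return (policy, rules) for one chain; understands only -i/-o/-s/-d/-j."""
    policy, rules = "ACCEPT", []
    for line in dump.splitlines():
        line = re.sub(r"^\[\d+:\d+\]\s*", "", line.strip())  # strip [pkts:bytes]
        if line.startswith(":%s " % chain):
            policy = line.split()[1]
        elif line.startswith("-A %s " % chain):
            toks = shlex.split(line)[2:]
            rules.append({k: ipaddress.ip_network(v) if k in ("-s", "-d") else v
                          for k, v in zip(toks[::2], toks[1::2])})
    return policy, rules

def verdict(policy, rules, in_if, src, dst):
    """First matching rule wins; the chain policy decides when nothing matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if (rule.get("-i", in_if) == in_if
                and src in rule.get("-s", ANY)
                and dst in rule.get("-d", ANY)):
            return rule["-j"]
    return policy

def check(dump):
    """Verdict for three constructed packets: eth0 is the LAN, eth1 the WAN."""
    policy, rules = parse_chain(dump)
    packets = {  # the reply was already de-masqueraded in nat PREROUTING
        "lan_to_internet": ("eth0", "192.168.1.10", "74.125.45.100"),
        "internet_reply": ("eth1", "74.125.45.100", "192.168.1.10"),
        "lan_to_lan_via_router": ("eth0", "192.168.1.10", "192.168.2.5"),
    }
    return {name: verdict(policy, rules, *pkt) for name, pkt in packets.items()}
```

With the retyped rules every reply from the internet falls through to the DROP policy, which is exactly what the growing policy counter in Crimjob's dump shows; note also that the guide's third rule admits any WAN packet addressed to 192.168.0.0/16, not only replies, whereas Darkshine's `-m state --state RELATED,ESTABLISHED` form limits it to return traffic.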

----------

## Crimjob

I did, perhaps that's the problem. I redid them again:

```
# Generated by iptables-save v1.4.3.2 on Sun Nov 15 23:30:10 2009
*nat
:PREROUTING ACCEPT [2145:232872]
:POSTROUTING ACCEPT [107:8843]
:OUTPUT ACCEPT [197:16034]
[0:0] -A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Sun Nov 15 23:30:10 2009
# Generated by iptables-save v1.4.3.2 on Sun Nov 15 23:30:10 2009
*mangle
:PREROUTING ACCEPT [4769:703451]
:INPUT ACCEPT [597:332271]
:FORWARD ACCEPT [3563:272834]
:OUTPUT ACCEPT [568:44075]
:POSTROUTING ACCEPT [2761:213884]
COMMIT
# Completed on Sun Nov 15 23:30:10 2009
# Generated by iptables-save v1.4.3.2 on Sun Nov 15 23:30:10 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -i eth0 -j ACCEPT
[2:656] -A INPUT ! -i eth0 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A INPUT ! -i eth0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT ! -i eth0 -p tcp -m tcp --dport 0:1023 -j DROP
[0:0] -A INPUT ! -i eth0 -p udp -m udp --dport 0:1023 -j DROP
[0:0] -A FORWARD -d 192.168.0.0/16 -i eth0 -j DROP
[0:0] -A FORWARD -s 192.168.0.0/16 -i eth0 -j ACCEPT
[0:0] -A FORWARD -d 192.168.0.0/16 -i eth1 -j ACCEPT
COMMIT
# Completed on Sun Nov 15 23:30:10 2009
```

----------

## Crimjob

That seems to have done it. Thanks for all the assistance.

----------

