# Homemade router... setup....

## -davros-

Using the Homemade Router guide, I have it running and servers online, but the only thing that's working is SSH. DHCP is handing out IPs, but still the only box able to reach the Internet is the server.

To set up eth0, when I ran `rc-update add net.eth0 default` it said file not found, so I did:

```
ln -s net.lo /etc/init.d/net.eth0
rc-update add net.eth0 default
```

resolv.conf:

```
#Generated by dhcpcd from eth1
# /etc/resolv.conf.head can replace this line
nameserver 66.189.0.100
nameserver 24.159.64.23
nameserver 24.247.24.53
# /etc/resolv.conf.tail can replace this line
```

----------

## John R. Graham

Do you mean the Home Router Guide? Where are you in that? You won't get access to the Internet from other machines until you complete section 5.

- John

----------

## -davros-

I've completed the whole thing...

No access.

----------

## nasaiya

*-davros- wrote:*

> I've completed the whole thing...
>
> No access.


Most likely the problem is with your iptables configuration... double-check the FORWARD and nat POSTROUTING rules and make sure they are correct. You can see what rules are currently in use with

```
# /sbin/iptables -vnL
```

Stupid as this may sound, make sure iptables is actually started... I forgot to start it once a long time ago and it took me a bit to figure out why nothing was working!

----------

## -davros-

OK, when it's loading net.eth1 and net.eth0, it says...

```
bringing up interface eth1
You are using a bash array for the configur_eth1
This will be removed in the future.
Please see net.example for the correct format for config_eth1
```

And I just re-entered all the iptables rules and still have no access.

Let me give the rules a look:

```
server etc # /sbin/iptables -vnL
Chain INPUT (policy ACCEPT 166 packets, 32434 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 1184  101K ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     udp  --  !eth0  *       0.0.0.0/0            0.0.0.0/0            udp dpt:67 reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  !eth0  *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 reject-with icmp-port-unreachable
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 DROP       tcp  --  !eth0  *       0.0.0.0/0            0.0.0.0/0            tcp dpts:0:1023
  112 37660 DROP       udp  --  !eth0  *       0.0.0.0/0            0.0.0.0/0            udp dpts:0:1023

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  159 11792 DROP       all  --  eth0   *       0.0.0.0/0            192.168.0.0/16
 1129  134K ACCEPT     all  --  eth0   *       192.168.0.0/16       0.0.0.0/0
  718 75251 ACCEPT     all  --  eth1   *       0.0.0.0/0            192.168.0.0/16

Chain OUTPUT (policy ACCEPT 923 packets, 126K bytes)
 pkts bytes target     prot opt in     out     source               destination
```

----------

## nasaiya

*-davros- wrote:*

> It says... bringing up interface eth1
>
> You are using a bash array for the configur_eth1
> ...


That just means your /etc/conf.d/net entries are something like this:

```
#config_eth0=( "192.168.0.2 netmask 255.255.255.0 broadcast 192.168.0.255" )
```

The parentheses make config_eth0 a bash array in that case...

Remove the parentheses and that should fix it.

----------

## -davros-

It will fix the errors or the whole thing?

----------

## Jaglover

What errors? You haven't provided any error messages yet. You are getting a warning telling you to fix your config or it will not work in the future.

----------

## -davros-

Oh no, no error, just the bash array message, which I see is now gone. But my wife is home so the server is offline... Facebook addict.

I wanted to get this to work before she got home......

----------

## nasaiya

You might want to Google around for a good iptables example...

I would recommend at least setting the policy on INPUT to DROP (`iptables -P INPUT DROP`), then specifically allowing the incoming connections that you need, if any. Also, you might have more luck with stateful rules.

I'm not sure about the example rules; stateful rules make things much easier, I think. In my working configuration I have something like this:

```
# flush/clear previous rules
iptables -F FORWARD

# set default policy to DROP
iptables -P FORWARD DROP

# state matching
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state INVALID -j DROP

# now you only need to allow outgoing because the stateful rules above will take care of necessary incoming packets.
# assuming eth1 is your external WAN interface, this should allow all traffic from your lan (eth0) to reach the WAN (eth1):
iptables -A FORWARD -o eth1 -j ACCEPT

# and of course the NAT rule...
# MASQUERADE traffic going out eth1 (WAN interface)
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
```

You can verify the nat rule is there with

```
# iptables -t nat -vnL
```

Maybe you'll have better luck with that...

Edit: And sorry, I meant fixing /etc/conf.d/net would get rid of the warning about bash arrays, not fix your whole problem...

----------

## -davros-

Cool, I'll try those too after flushing these.

Thx.

More work tomorrow.

----------

## -davros-

OK, with those iptables rules I still don't gain access to the web.....

SSH still working....

Pings working also....

DNS problems?

Hmmm..... maybe these will work.....

```
# line continuations joined: a stray "\ " mid-line is passed to iptables as an argument
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -i eth1 --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth1 --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp -m multiport --dports 80,443 --sport 1024:65535
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp
iptables -A INPUT   -j ACCEPT -p all -s 192.168.0.1/24 -i eth1
iptables -A OUTPUT  -j ACCEPT -p all -d 192.168.0.1/24 -o eth1
iptables -A OUTPUT -p udp -o eth1 --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp -i eth1 --sport 53 --dport 1024:65535 -j ACCEPT
iptables -A FORWARD -t filter -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
```

----------

## nasaiya

Well it's hard to say what's going on...

My only other guess would be maybe your routes are incorrect.

I would check the output of the "route" command on your client that can't connect to the internet and see if the default gateway IP is the LAN IP of your server (i.e. 192.168.0.1 if you followed that router guide exactly).

If not, try restarting the network interface on the client machine to re-obtain settings from the DHCP server and check the route again.

If that's correct then I'm afraid I'm out of ideas... maybe someone else can help...

----------

## -davros-

Odd that I can `ping -c 3 www.google.com` from a client and it gets through.

----------

## Hu

Please provide the output of `iptables-save -c ; ip addr ; ip route ; cat /proc/sys/net/ipv4/ip_forward`. Please generate a failure via a command line program from an internal machine and post both the command you executed and all of its output.

----------

## -davros-

OK...

iptables-save -c:

```
iptables-save
# Generated by iptables-save v1.4.12.1 on Wed Feb  1 06:15:20 2012
*nat
:PREROUTING ACCEPT [5767:829091]
:INPUT ACCEPT [201:20189]
:OUTPUT ACCEPT [130:8856]
:POSTROUTING ACCEPT [1:328]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Wed Feb  1 06:15:20 2012
# Generated by iptables-save v1.4.12.1 on Wed Feb  1 06:15:20 2012
*filter
:INPUT ACCEPT [192944:111104442]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [141433:12494979]
:DROPl - [0:0]
:REJECTl - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT ! -i eth0 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
-A INPUT ! -i eth0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT ! -i eth0 -p tcp -m tcp --dport 0:1023 -j DROP
-A INPUT ! -i eth0 -p udp -m udp --dport 0:1023 -j DROP
-A INPUT -i eth1 -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A FORWARD -d 192.168.0.0/16 -i eth0 -j DROP
-A FORWARD -s 192.168.0.0/16 -i eth0 -j ACCEPT
-A FORWARD -d 192.168.0.0/16 -i eth1 -j ACCEPT
-A OUTPUT -o eth1 -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
COMMIT
# Completed on Wed Feb  1 06:15:20 2012
```

route (server):

```
route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         68-116-192-1.dh 0.0.0.0         UG    1      0        0 eth1
default         68-116-192-1.dh 0.0.0.0         UG    203    0        0 eth1
68-116-192-0.dh *               255.255.252.0   U     203    0        0 eth1
loopback        localhost       255.0.0.0       UG    0      0        0 lo
link-local      *               255.255.0.0     U     202    0        0 eth0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
```

route (client):

```
$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 p34p1
192.168.0.0     0.0.0.0         255.255.255.0   U     1      0        0 p34p1
[davros@fedora16 ~]$
```

iptables -t nat -vnL:

```
 iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 5947 packets, 864K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 256 packets, 26566 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 178 packets, 11934 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1 packets, 328 bytes)
 pkts bytes target     prot opt in     out     source               destination
  432 27166 MASQUERADE  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
```

lsmod:

```
lsmod
Module                  Size  Used by
xt_multiport            1574  0
xt_state                1127  0
nf_nat_ftp              1436  0
nf_conntrack_ftp        5309  1 nf_nat_ftp
ipv6                  226721  16
ipt_MASQUERADE          1522  1
iptable_nat             3520  1
nf_nat                 12985  3 nf_nat_ftp,ipt_MASQUERADE,iptable_nat
nf_conntrack_ipv4       9945  3 iptable_nat,nf_nat
nf_conntrack           48910  7 xt_state,nf_nat_ftp,nf_conntrack_ftp,ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4
nf_defrag_ipv4          1171  1 nf_conntrack_ipv4
xt_TCPMSS               2903  0
ipt_REJECT              2017  2
xt_tcpudp               2271  7
iptable_filter          1336  1
ip_tables              13777  2 iptable_nat,iptable_filter
x_tables               14191  9 xt_multiport,xt_state,ipt_MASQUERADE,iptable_nat,xt_TCPMSS,ipt_REJECT,xt_tcpudp,iptable_filter,ip_tables

```

Last edited by -davros- on Thu Feb 02, 2012 5:29 am; edited 1 time in total

----------

## Hu

You missed the `-c`, the `ip` (twice), the `cat` command, and the output from the failed command. I do not need `iptables -t nat -L`, since that is a limited subset of the output of `iptables-save`. Your lsmod requires an exceptionally wide browser to avoid skewing the thread layout. This is not nice for people with small screens.

----------

## -davros-

The iptables-save is iptables-save -c, but I will post it again with the -c anyway, I thought... oops.

And `ip addr` and `ip route` said ip command not found.

As far as the final command and error, I don't understand what you mean by that exactly.

Last edited by -davros- on Thu Feb 02, 2012 5:31 am; edited 1 time in total

----------

## -davros-

iptables-save -c:

```
server ~ # iptables-save -c
# Generated by iptables-save v1.4.12.1 on Wed Feb  1 14:49:30 2012
*filter
:INPUT ACCEPT [273967:157731378]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [197270:17318113]
:DROPl - [0:0]
:REJECTl - [0:0]
[48:2912] -A INPUT -i lo -j ACCEPT
[1660:180528] -A INPUT -i eth0 -j ACCEPT
[67:22016] -A INPUT ! -i eth0 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A INPUT ! -i eth0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
[29971:1304285] -A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT ! -i eth0 -p tcp -m tcp --dport 0:1023 -j DROP
[463:153554] -A INPUT ! -i eth0 -p udp -m udp --dport 0:1023 -j DROP
[287:61823] -A INPUT -i eth1 -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
[0:0] -A FORWARD -d 192.168.0.0/16 -i eth0 -j DROP
[7366:658582] -A FORWARD -s 192.168.0.0/16 -i eth0 -j ACCEPT
[2111:240449] -A FORWARD -d 192.168.0.0/16 -i eth1 -j ACCEPT
[287:18204] -A OUTPUT -o eth1 -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
COMMIT
# Completed on Wed Feb  1 14:49:30 2012
# Generated by iptables-save v1.4.12.1 on Wed Feb  1 14:49:30 2012
*nat
:PREROUTING ACCEPT [15955:1927361]
:INPUT ACCEPT [638:77079]
:OUTPUT ACCEPT [301:20396]
:POSTROUTING ACCEPT [20:1688]
[3051:196706] -A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Wed Feb  1 14:49:30 2012
server ~ #
```

```
cat /proc/sys/net/ipv4/ip_forward
1
```
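Since nasaiya's advice (double-check the FORWARD and nat POSTROUTING rules) and Hu's request for `iptables-save -c` come down to the same inspection, here is an added checker, not from the router guide or any poster in this thread, that parses a `-c` dump of the format posted above and reports whether the pieces a masquerading router needs are present and have actually matched packets. It assumes eth0 is the LAN and eth1 the WAN, as in this thread; the sample dump is constructed from the rules posted here.

```python
import re

# Constructed sample in `iptables-save -c` format, modelled on the dump above.
SAMPLE = """\
*filter
:INPUT ACCEPT [273967:157731378]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [197270:17318113]
[48:2912] -A INPUT -i lo -j ACCEPT
[0:0] -A FORWARD -d 192.168.0.0/16 -i eth0 -j DROP
[7366:658582] -A FORWARD -s 192.168.0.0/16 -i eth0 -j ACCEPT
[2111:240449] -A FORWARD -d 192.168.0.0/16 -i eth1 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [20:1688]
[3051:196706] -A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
"""

RULE_RE = re.compile(r"^\[(\d+):\d+\] -A (\S+) (.*)$")  # [pkts:bytes] -A CHAIN args
POLICY_RE = re.compile(r"^:(\S+) (ACCEPT|DROP) \[")  # :CHAIN POLICY [pkts:bytes]


def parse_save(text):
    """Parse a -c dump into {table: ({chain: policy}, [(chain, args, pkts)])}."""
    tables, cur = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], ({}, []))
        elif cur is None or line.startswith("#"):
            continue
        elif (m := POLICY_RE.match(line)):
            cur[0][m.group(1)] = m.group(2)
        elif (m := RULE_RE.match(line)):
            cur[1].append((m.group(2), m.group(3), int(m.group(1))))
    return tables


def has(args, opt):
    """True if the rule uses opt un-negated ('-i eth0' yes, '! -i eth0' no)."""
    return f" {opt} " in f" {args} " and f"! {opt} " not in args


def check_router(text, lan="eth0", wan="eth1"):
    """Return {check: bool} for what LAN hosts need to reach the WAN via this
    box. A zero packet counter means the rule exists but never matched."""
    tables = parse_save(text)
    fpol, frules = tables.get("filter", ({}, []))
    fwd = [(a, p) for c, a, p in frules if c == "FORWARD" and a.endswith("-j ACCEPT")]
    masq = [p for c, a, p in tables.get("nat", ({}, []))[1]
            if c == "POSTROUTING" and has(a, f"-o {wan}") and a.endswith("-j MASQUERADE")]
    lan_out = [p for a, p in fwd if " -d " not in f" {a}"
               and (has(a, f"-i {lan}") or has(a, f"-o {wan}"))]
    back = [p for a, p in fwd if "ESTABLISHED,RELATED" in a or has(a, f"-i {wan}")]
    return {
        "masquerade_on_wan": bool(masq),
        "lan_to_wan_accept": bool(lan_out),
        "return_path_accept": bool(back),
        "forward_policy_drop": fpol.get("FORWARD") == "DROP",
        "masquerade_matched_traffic": any(p > 0 for p in masq),
        "lan_to_wan_matched_traffic": any(p > 0 for p in lan_out),
    }
```

Feed it the real dump (`iptables-save -c | python3 -c 'import sys, check; print(check.check_router(sys.stdin.read()))'` with the block saved as check.py) and remember that ip_forward=1 still has to be confirmed separately, as Hu asks.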

----------

## Hu

*-davros- wrote:*

> And the ip addr and ip route said ip command not found

```
emerge --noreplace --verbose sys-apps/iproute2
```

*-davros- wrote:*

> As far as the final command and error, I don't understand what you mean by that exactly

You have some program or set of programs which do not work correctly when used on a machine behind the Gentoo machine. I would like to see the command you use to invoke that program and the error messages it generates, so that I can determine in what way it is failing.

----------

