vapier 05/08/14 04:38:49 |
Modified: xml/htdocs/doc/en home-router-howto.xml |
Log: |
replace eth0 with $LAN and eth1 with $WAN and rename Debugging section to Troubleshooting #102450 by Arnold Miller |
Revision Changes Path |
1.30 +35 -27 xml/htdocs/doc/en/home-router-howto.xml |
file : http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/home-router-howto.xml?rev=1.30&content-type=text/x-cvsweb-markup&cvsroot=gentoo |
plain: http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/home-router-howto.xml?rev=1.30&content-type=text/plain&cvsroot=gentoo |
diff : http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/home-router-howto.xml.diff?r1=1.29&r2=1.30&cvsroot=gentoo |
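--- a/xml/htdocs/doc/en/home-router-howto.xml
+++ b/xml/htdocs/doc/en/home-router-howto.xml
@@ -1,5 +1,5 @@
 <?xml version='1.0' encoding='UTF-8'?>
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/home-router-howto.xml,v 1.29 2005/08/04 00:18:20 vapier Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/home-router-howto.xml,v 1.30 2005/08/14 04:38:48 vapier Exp $ -->
 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
 
 <guide link="/doc/en/home-router-howto.xml">
@@ -15,8 +15,8 @@
 for connecting your home network to the internet.
 </abstract>
 
-<version>1.9</version>
-<date>2005-08-03</date>
+<version>1.10</version>
+<date>2005-08-14</date>
 
 <chapter>
 <title>Introduction</title>
@@ -206,7 +206,7 @@
 # <i>nano /etc/conf.d/net</i>
 <comment>Add an entry for config_eth1 and set it to adsl:</comment>
 config_eth1=( "adsl" )
-# <i>ln -s net.eth0 /etc/init.d/net.eth1</i>
+# <i>ln -s net.lo /etc/init.d/net.eth1</i>
 # <i>rc-update add net.eth1 default</i>
 # <i>/etc/init.d/net.eth1 start</i>
 </pre>
@@ -247,7 +247,7 @@
 nameserver 123.123.123.123
 
 <comment>Dynamic and Static Setup:</comment>
-# <i>ln -s net.eth0 /etc/init.d/net.eth1</i>
+# <i>ln -s net.lo /etc/init.d/net.eth1</i>
 # <i>rc-update add net.eth1 default</i>
 # <i>/etc/init.d/net.eth1 start</i>
 </pre>
@@ -413,24 +413,28 @@
 # <i>iptables -F</i>
 # <i>iptables -t nat -F</i>
 
+<comment>Copy and paste these examples ...</comment>
+# <i>export LAN=eth0</i>
+# <i>export WAN=eth1</i>
+
 <comment>Then we lock our services so they only work from the LAN</comment>
-# <i>iptables -I INPUT 1 -i eth0 -j ACCEPT</i>
+# <i>iptables -I INPUT 1 -i ${LAN} -j ACCEPT</i>
 # <i>iptables -I INPUT 1 -i lo -j ACCEPT</i>
-# <i>iptables -A INPUT -p UDP --dport bootps -i ! eth0 -j REJECT</i>
-# <i>iptables -A INPUT -p UDP --dport domain -i ! eth0 -j REJECT</i>
+# <i>iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT</i>
+# <i>iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT</i>
 
 <comment>(Optional) Allow access to our ssh server from the WAN</comment>
-# <i>iptables -A INPUT -p TCP --dport ssh -i eth1 -j ACCEPT</i>
+# <i>iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT</i>
 
 <comment>Drop TCP / UDP packets to privileged ports</comment>
-# <i>iptables -A INPUT -p TCP -i ! eth0 -d 0/0 --dport 0:1023 -j DROP</i>
-# <i>iptables -A INPUT -p UDP -i ! eth0 -d 0/0 --dport 0:1023 -j DROP</i>
+# <i>iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP</i>
+# <i>iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP</i>
 
 <comment>Finally we add the rules for NAT</comment>
-# <i>iptables -I FORWARD -i eth0 -d 192.168.0.0/255.255.0.0 -j DROP</i>
-# <i>iptables -A FORWARD -i eth0 -s 192.168.0.0/255.255.0.0 -j ACCEPT</i>
-# <i>iptables -A FORWARD -i eth1 -d 192.168.0.0/255.255.0.0 -j ACCEPT</i>
-# <i>iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE</i>
+# <i>iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP</i>
+# <i>iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT</i>
+# <i>iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT</i>
+# <i>iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE</i>
 <comment>Tell the kernel that ip forwarding is OK</comment>
 # <i>echo 1 > /proc/sys/net/ipv4/ip_forward</i>
 # <i>for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done</i>
@@ -486,7 +490,7 @@
 
 <p>
 All the port forwarding rules are of the form <c>iptables -t nat -A PREROUTING
-[-p protocol] --dport [external port on router] -i eth1 -j DNAT --to [ip/port
+[-p protocol] --dport [external port on router] -i ${WAN} -j DNAT --to [ip/port
 to forward to]</c>. iptables does not accept hostnames when port forwarding.
 If you are forwarding an external port to the same port on the internal
 machine, you can omit the destination port. See the iptables(8) page for more
@@ -494,29 +498,33 @@
 </p>
 
 <pre caption="Running the iptables commands">
+<comment>Copy and paste these examples ...</comment>
+# <i>export LAN=eth0</i>
+# <i>export WAN=eth1</i>
+
 <comment>Forward port 2 to ssh on an internal host</comment>
-# <i>iptables -t nat -A PREROUTING -p tcp --dport 2 -i eth1 -j DNAT --to 192.168.0.2:22</i>
+# <i>iptables -t nat -A PREROUTING -p tcp --dport 2 -i ${WAN} -j DNAT --to 192.168.0.2:22</i>
 
 <comment>FTP forwarding to an internal host</comment>
-# <i>iptables -t nat -A PREROUTING -p tcp --dport 21 -i eth1 -j DNAT --to 192.168.0.56</i>
+# <i>iptables -t nat -A PREROUTING -p tcp --dport 21 -i ${WAN} -j DNAT --to 192.168.0.56</i>
 
 <comment>HTTP forwarding to an internal host</comment>
-# <i>iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 -j DNAT --to 192.168.0.56</i>
+# <i>iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to 192.168.0.56</i>
 
 <comment>VNC forwarding for internal hosts</comment>
-# <i>iptables -t nat -I PREROUTING -p tcp --dport 5900 -i eth1 -j DNAT --to 192.168.0.2</i>
-# <i>iptables -t nat -I PREROUTING -p tcp --dport 5901 -i eth1 -j DNAT --to 192.168.0.3:5900</i>
+# <i>iptables -t nat -I PREROUTING -p tcp --dport 5900 -i ${WAN} -j DNAT --to 192.168.0.2</i>
+# <i>iptables -t nat -I PREROUTING -p tcp --dport 5901 -i ${WAN} -j DNAT --to 192.168.0.3:5900</i>
 <comment>If you want to VNC in to 192.168.0.3, then just add ':1' to the router's hostname</comment>
 
 <comment>Bittorrent forwarding</comment>
-# <i>iptables -t nat -A PREROUTING -p tcp --dport 6881:6889 -i eth1 -j DNAT --to 192.168.0.2</i>
+# <i>iptables -t nat -A PREROUTING -p tcp --dport 6881:6889 -i ${WAN} -j DNAT --to 192.168.0.2</i>
 
 <comment>Game Cube Warp Pipe support</comment>
-# <i>iptables -t nat -A PREROUTING -p udp --dport 4000 -i eth1 -j DNAT --to 192.168.0.56</i>
+# <i>iptables -t nat -A PREROUTING -p udp --dport 4000 -i ${WAN} -j DNAT --to 192.168.0.56</i>
 
 <comment>Playstation2 Online support</comment>
-# <i>iptables -t nat -A PREROUTING -p tcp --dport 10070:10080 -i eth1 -j DNAT --to 192.168.0.11</i>
-# <i>iptables -t nat -A PREROUTING -p udp --dport 10070:10080 -i eth1 -j DNAT --to 192.168.0.11</i>
+# <i>iptables -t nat -A PREROUTING -p tcp --dport 10070:10080 -i ${WAN} -j DNAT --to 192.168.0.11</i>
+# <i>iptables -t nat -A PREROUTING -p udp --dport 10070:10080 -i ${WAN} -j DNAT --to 192.168.0.11</i>
 </pre>
 
 <note>
@@ -760,7 +768,7 @@
 # <i>emerge qmail</i>
 <comment>make sure the output of `hostname` is correct</comment>
 # <i>ebuild /var/db/pkg/*-*/qmail-1.03-r*/*.ebuild config</i>
-# <i>iptables -I INPUT -p tcp --dport smtp -i ! eth0 -j REJECT</i>
+# <i>iptables -I INPUT -p tcp --dport smtp -i ! ${LAN} -j REJECT</i>
 # <i>ln -s /var/qmail/supervise/qmail-send /service/qmail-send</i>
 # <i>ln -s /var/qmail/supervise/qmail-smtpd /service/qmail-smtpd</i>
 <!--
@@ -811,7 +819,7 @@
 </chapter>
 
 <chapter>
-<title>Debugging</title>
+<title>Troubleshooting</title>
 
 <section>
 <title>Useful Tools</title>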
-- |
gentoo-doc-cvs@g.o mailing list |