Gentoo Archives: gentoo-user

From: Daniel Pielmeier <daniel.pielmeier@××××××××××.com>
To: gentoo-user@l.g.o
Subject: [gentoo-user] Setting up a home router
Date: Sun, 14 Jan 2007 19:32:36
Message-Id: 6142e6140701141127ke803445jb5d9a89f8fa523a@mail.gmail.com
Hi,

I have a similar problem to Dale's in the thread "[gentoo-user] Need
help networking two machines", but I think it is not exactly the same.

I was trying to set up a home router following the
gentoo-home-router-guide
http://www.gentoo.org/doc/de/home-router-howto.xml
with shorewall as firewall following the two-interfaces-guide
http://www.shorewall.net/two-interface.htm.

I can connect from the router to the internet.
I can log in from the router to the desktop via ssh and back.
I have set up rsync on the router and rsync works from the desktop.
I have set up dnsmasq on the server and DNS is working on the desktop.
I can ping between router and desktop and from the router to the internet.

I have set up ntp on the router but ntp from the desktop gives me:
14 Jan 20:25:53 ntpdate[31522]: no server suitable for synchronization found

I can't ping from the desktop to the internet.
ping www.gentoo.org
PING www.gentoo.org (38.99.64.202) 56(84) bytes of data.

--- www.gentoo.org ping statistics ---
13 packets transmitted, 0 received, 100% packet loss, time 11999ms

As you can see the address is resolved but I get 100% packet loss.
Until now I have spent much time on these issues, so I hope to solve
these problems with your help.
I have added the configurations which may help you to discover my
problem below. First the router configuration and then the desktop
configuration.
I hope I did not forget anything as it is very much, but if anything
you need is missing please ask for it.

Thanks Daniel


> router: gentoo-vdr configuration


lspci

eth0
02:01.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8169 Gigabit Ethernet (rev 10)

eth1
02:06.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10)


ifconfig

eth0      Link encap:Ethernet  HWaddr 00:11:F0:00:0D:96
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:198008 errors:0 dropped:0 overruns:0 frame:0
          TX packets:194409 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:50101373 (47.7 Mb)  TX bytes:129993047 (123.9 Mb)
          Interrupt:18 Base address:0xc000

eth1      Link encap:Ethernet  HWaddr 00:10:DC:2B:D4:CF
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:77637 errors:0 dropped:0 overruns:0 frame:0
          TX packets:63189 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:93609244 (89.2 Mb)  TX bytes:7282392 (6.9 Mb)
          Interrupt:19

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1236 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1236 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:86198 (84.1 Kb)  TX bytes:86198 (84.1 Kb)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:88.67.24.46  P-t-P:88.67.16.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:163 errors:0 dropped:0 overruns:0 frame:0
          TX packets:118 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:12249 (11.9 Kb)  TX bytes:8557 (8.3 Kb)


route

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
dslb-088-067-01 *               255.255.255.255 UH    0      0        0 ppp0
localhost       *               255.255.255.0   U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         dslb-088-067-01 0.0.0.0         UG    0      0        0 ppp0


shorewall-config

/etc/shorewall/interfaces

#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ppp0        -           tcpflags,norfc1918
loc     eth0        detect      tcpflags,detectnets


/etc/shorewall/masq

#INTERFACE   SUBNET   ADDRESS   PROTO   PORT(S)   IPSEC
ppp0         eth0


/etc/shorewall/policy

#SOURCE   DEST   POLICY   LOG     LIMIT:BURST
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# on your firewall, change the loc to net policy to REJECT info.
loc       net    ACCEPT
loc       $FW    REJECT   info
loc       all    REJECT   info

# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.
$FW       net    ACCEPT
$FW       loc    REJECT   info
$FW       all    REJECT   info

# Policies for traffic originating from the Internet zone (net)
#
net       $FW    DROP     info
net       loc    DROP     info
net       all    DROP     info

# THE FOLLOWING POLICY MUST BE LAST
all       all    REJECT   info


/etc/shorewall/rules

#ACTION   SOURCE   DEST   PROTO   DEST    SOURCE    ORIGINAL   RATE    USER/
#                               PORT    PORT(S)   DEST       LIMIT   GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
ACCEPT    loc      $FW    tcp     22
ACCEPT    $FW      loc    tcp     22
ACCEPT    loc      $FW    udp     123
REJECT    net      $FW    icmp    8


/etc/shorewall/zones

#ZONE   TYPE       OPTIONS   IN        OUT
#                            OPTIONS   OPTIONS
fw      firewall
net     ipsec
loc     ipsec


/etc/shorewall/shorewall.conf

I have changed this from the default values:

IP_FORWARDING=On
CLAMPMSS=Yes


/etc/sysctl.conf

net.ipv4.ip_forward = 1
net.ipv4.ip_dynaddr = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1


/etc/conf.d/net

config_eth1="adsl"
user_eth1="xxxxxxxxxx"
dns_domain_eth1=(linux )
config_eth0=( "192.168.0.1 broadcast 192.168.0.255 netmask 255.255.255.0" )
dns_domain_eth0=(linux )


/etc/conf.d/hostname

HOSTNAME="gentoo-vdr"


/etc/hosts

127.0.0.1     localhost
192.168.0.1   gentoo-vdr.linux gentoo-vdr
192.168.0.2   gentoo.linux gentoo
::1           localhost


> desktop: gentoo configuration


lspci

eth0
02:01.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8169 Gigabit Ethernet (rev 10)


ifconfig

eth0      Link encap:Ethernet  HWaddr 00:13:8F:D5:C4:C0
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::213:8fff:fed5:c4c0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:194469 errors:0 dropped:0 overruns:0 frame:0
          TX packets:198256 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:129998303 (123.9 Mb)  TX bytes:50122357 (47.8 Mb)
          Interrupt:17 Base address:0xc000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:129 errors:0 dropped:0 overruns:0 frame:0
          TX packets:129 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:9816 (9.5 Kb)  TX bytes:9816 (9.5 Kb)

route

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         gentoo-vdr.linu 0.0.0.0         UG    0      0        0 eth0


/etc/conf.d/net

config_eth0=( "192.168.0.2 broadcast 192.168.0.255 netmask 255.255.255.0" )
routes_eth0=("default via 192.168.0.1")
dns_domain_eth0=(linux )
dns_servers_eth0="192.168.0.1"
ntp_servers_eth0="192.168.0.1"


/etc/hosts

127.0.0.1     localhost
192.168.0.2   gentoo.linux gentoo
192.168.0.1   gentoo-vdr.linux gentoo-vdr
::1           localhost

/etc/conf.d/hostname

HOSTNAME="gentoo"


/etc/conf.d/ntp-client

NTPCLIENT_CMD="ntpdate"
NTPCLIENT_OPTS="192.168.0.1"


> For those who are not familiar with shorewall here are the generated iptables on the router.

iptables -L -t nat

Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
ppp0_masq all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain ppp0_masq (1 references)
target prot opt source destination
MASQUERADE all -- localhost/24 anywhere policy match dir out pol none


iptables -L -t mangle

Chain PREROUTING (policy ACCEPT)
target prot opt source destination
tcpre all -- anywhere anywhere

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
tcfor all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
tcout all -- anywhere anywhere

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
tcpost all -- anywhere anywhere

Chain tcfor (1 references)
target prot opt source destination

Chain tcout (1 references)
target prot opt source destination

Chain tcpost (1 references)
target prot opt source destination

Chain tcpre (1 references)
target prot opt source destination


iptables -L -t filter

Chain INPUT (policy ACCEPT)
target prot opt source destination
LOG udp -- anywhere anywhere udp dpts:0:1023 LOG level warning
LOG tcp -- anywhere anywhere tcp dpts:0:1023 LOG level warning
DROP udp -- anywhere anywhere udp dpts:0:1023
DROP tcp -- anywhere anywhere tcp dpts:0:1023
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
DROP icmp -- anywhere anywhere icmp echo-request

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain Drop (3 references)
target prot opt source destination
reject tcp -- anywhere anywhere tcp dpt:auth
dropBcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
dropInvalid all -- anywhere anywhere
DROP udp -- anywhere anywhere multiport dports epmap,microsoft-ds
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
DROP udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535
DROP tcp -- anywhere anywhere multiport dports epmap,netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere udp dpt:1900
dropNotSyn tcp -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:domain

Chain Reject (5 references)
target prot opt source destination
reject tcp -- anywhere anywhere tcp dpt:auth
dropBcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
dropInvalid all -- anywhere anywhere
reject udp -- anywhere anywhere multiport dports epmap,microsoft-ds
reject udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
reject udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535
reject tcp -- anywhere anywhere multiport dports epmap,netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere udp dpt:1900
dropNotSyn tcp -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:domain

Chain all2all (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:all2all:REJECT:'
reject all -- anywhere anywhere

Chain dropBcast (2 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
DROP all -- anywhere anywhere PKTTYPE = multicast

Chain dropInvalid (2 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID

Chain dropNotSyn (2 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN

Chain dynamic (4 references)
target prot opt source destination

Chain eth0_fwd (0 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
tcpflags tcp -- anywhere anywhere policy match dir in pol none
loc_frwd all -- localhost/24 anywhere policy match dir in pol ipsec

Chain eth0_in (0 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
tcpflags tcp -- anywhere anywhere policy match dir in pol none
loc2fw all -- localhost/24 anywhere policy match dir in pol ipsec

Chain fw2all (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:fw2all:REJECT:'
reject all -- anywhere anywhere

Chain fw2loc (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:fw2loc:REJECT:'
reject all -- anywhere anywhere

Chain fw2net (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Chain loc2all (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:loc2all:REJECT:'
reject all -- anywhere anywhere

Chain loc2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:ntp
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:loc2fw:REJECT:'
reject all -- anywhere anywhere

Chain loc2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Chain loc_frwd (1 references)
target prot opt source destination
loc2net all -- anywhere anywhere policy match dir out pol ipsec

Chain logflags (5 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level info ip-options prefix `Shorewall:logflags:DROP:'
DROP all -- anywhere anywhere

Chain net2all (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:net2all:DROP:'
DROP all -- anywhere anywhere

Chain net2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
reject icmp -- anywhere anywhere icmp echo-request
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:net2fw:DROP:'
DROP all -- anywhere anywhere

Chain net2loc (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:net2loc:DROP:'
DROP all -- anywhere anywhere

Chain net_frwd (1 references)
target prot opt source destination
net2loc all -- anywhere localhost/24 policy match dir out pol ipsec

Chain norfc1918 (2 references)
target prot opt source destination
rfc1918 all -- localhost/12 anywhere
rfc1918 all -- anywhere anywhere ctorigdst localhost/12
rfc1918 all -- localhost/16 anywhere
rfc1918 all -- anywhere anywhere ctorigdst localhost/16
rfc1918 all -- localhost/8 anywhere
rfc1918 all -- anywhere anywhere ctorigdst localhost/8

Chain ppp0_fwd (0 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
norfc1918 all -- anywhere anywhere state NEW policy match dir in pol none
tcpflags tcp -- anywhere anywhere policy match dir in pol none
net_frwd all -- anywhere anywhere policy match dir in pol ipsec

Chain ppp0_in (0 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
norfc1918 all -- anywhere anywhere state NEW policy match dir in pol none
tcpflags tcp -- anywhere anywhere policy match dir in pol none
net2fw all -- anywhere anywhere policy match dir in pol ipsec

Chain reject (12 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
DROP all -- anywhere anywhere PKTTYPE = multicast
DROP all -- localhost anywhere
DROP all -- 255.255.255.255 anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT icmp -- anywhere anywhere reject-with icmp-host-unreachable
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain rfc1918 (6 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:rfc1918:DROP:'
DROP all -- anywhere anywhere

Chain shorewall (0 references)
target prot opt source destination

Chain smurfs (0 references)
target prot opt source destination
LOG all -- localhost anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- localhost anywhere
LOG all -- 255.255.255.255 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- 255.255.255.255 anywhere
LOG all -- BASE-ADDRESS.MCAST.NET/4 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere

Chain tcpflags (4 references)
target prot opt source destination
logflags tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
logflags tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
logflags tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
logflags tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
logflags tcp -- anywhere anywhere tcp spt:0 flags:FIN,SYN,RST,ACK/SYN
--
gentoo-user@g.o mailing list
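Editor's added example, not code from the thread or from Shorewall. The symptom in the post (the router reaches the internet, the desktop behind it resolves names but gets 100% packet loss) is the classic sign of a broken forwarding path rather than a broken uplink, and the posted listing does show a FORWARD chain with policy DROP and no rules, with the generated eth0_fwd and ppp0_fwd chains at 0 references. The script below parses plain `iptables -L` text (wrapped lines joined, as in the listing above) and checks the invariants a LAN-to-internet NAT path needs: kernel forwarding on, a FORWARD chain that does not drop everything, per-interface forward chains actually reached, and a MASQUERADE rule in the nat table. The `<iface>_fwd` chain-name convention is taken from the Shorewall output in the thread; the excerpts of the posted tables are trimmed, the "working" listing is constructed for contrast, and `ip_forward` is supplied by the caller.

```python
"""Sanity-check a Linux NAT router's forwarding path from `iptables -L` text.

Added example (not from the thread). Assumes Shorewall-style `<iface>_fwd`
chain names as seen in the posted listing; `ip_forward` is passed in.
"""
import re
from typing import Dict, List, Optional

# Trimmed excerpt of the filter table posted in the thread (wrapped lines joined).
POSTED_FILTER = """\
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- anywhere anywhere icmp echo-request

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain eth0_fwd (0 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
loc_frwd all -- localhost/24 anywhere policy match dir in pol ipsec

Chain loc2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
"""

# Trimmed excerpt of the nat table posted in the thread.
POSTED_NAT = """\
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
ppp0_masq all -- anywhere anywhere

Chain ppp0_masq (1 references)
target prot opt source destination
MASQUERADE all -- localhost/24 anywhere policy match dir out pol none
"""

# Constructed (hypothetical) filter table where FORWARD hands routed packets to
# the per-interface chains, i.e. what a working two-interface router shows.
WORKING_FILTER = """\
Chain FORWARD (policy DROP)
target prot opt source destination
eth0_fwd all -- anywhere anywhere
ppp0_fwd all -- anywhere anywhere

Chain eth0_fwd (1 references)
target prot opt source destination
loc2net all -- 192.168.0.0/24 anywhere

Chain ppp0_fwd (1 references)
target prot opt source destination
net2loc all -- anywhere 192.168.0.0/24
"""

# "Chain NAME (policy X)" for built-in chains, "Chain NAME (N references)" for user chains.
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references)\)$")


def parse_listing(text: str) -> Dict[str, dict]:
    """Turn `iptables -L` text into {chain: {"policy", "references", "rules"}}."""
    chains: Dict[str, dict] = {}
    current: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            name, policy, refs = m.groups()
            current = {"policy": policy,
                       "references": int(refs) if refs is not None else None,
                       "rules": []}
            chains[name] = current
            continue
        if line.startswith("target "):  # column header printed under every chain
            continue
        if current is not None:
            current["rules"].append(line.split())  # [target, prot, opt, src, dst, ...]
    return chains


def audit_forwarding(filter_chains: Dict[str, dict], nat_chains: Dict[str, dict],
                     lan_if: str, wan_if: str, ip_forward: bool) -> List[str]:
    """Return human-readable findings; an empty list means the path looks sane."""
    findings: List[str] = []
    if not ip_forward:
        findings.append("kernel forwarding is off (net.ipv4.ip_forward=0)")
    fwd = filter_chains.get("FORWARD")
    if fwd is None:
        findings.append("no FORWARD chain in the filter table")
    elif fwd["policy"] == "DROP" and not fwd["rules"]:
        findings.append("FORWARD policy DROP with no rules: every routed packet is dropped")
    for iface in (lan_if, wan_if):
        chain = filter_chains.get(f"{iface}_fwd")
        if chain is not None and chain["references"] == 0:
            findings.append(f"{iface}_fwd exists but nothing jumps to it (0 references)")
    has_masq = any(rule and rule[0] == "MASQUERADE"
                   for chain in nat_chains.values() for rule in chain["rules"])
    if not has_masq:
        findings.append("no MASQUERADE rule in the nat table: LAN sources would leave unmasked")
    return findings


if __name__ == "__main__":
    for f in audit_forwarding(parse_listing(POSTED_FILTER), parse_listing(POSTED_NAT),
                              "eth0", "ppp0", ip_forward=True):
        print("posted listing:", f)
    print("working listing:", audit_forwarding(parse_listing(WORKING_FILTER),
                                               parse_listing(POSTED_NAT),
                                               "eth0", "ppp0", ip_forward=True))
```

On the posted excerpt the audit reports the empty DROP-policy FORWARD chain and the unreferenced eth0_fwd chain while finding the MASQUERADE rule intact, which is why the router's own sessions work and only forwarded ones fail; on the constructed working listing it reports nothing. To run it against a live box, feed it the real output of `iptables -L -t filter` and `iptables -L -t nat` (use `-n` to avoid the reverse lookups that turn 192.168.0.0/24 into `localhost/24` in the listing above) and `cat /proc/sys/net/ipv4/ip_forward` for the flag.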

Replies

Subject Author
Re: [gentoo-user] Setting up a home router Dale <dalek@××××××××××.net>
RE: [gentoo-user] Setting up a home router "Nelson
Re: [gentoo-user] Setting up a home router Hans-Werner Hilse <hilse@×××.de>