Greetings,
I'm rebuilding a machine to function as a gateway/router to Verizon DSL.
It has two NICs eth0 and eth1 (static set to 192.168.1.1).
eth0 connects to the DSL modem.
I've set up Verizon DSL using pppoe-setup, and it works.
I can connect from home machines to the server (192.168.1.1); while logged in to the server, I can connect to both the internet, and the home machines.
But ...
I can't connect from the home machines directly to the Internet.
I have set net.ipv4.ip_forward = 1 in /etc/sysctl.conf
I haven't setup the firewall yet (dangerous, I know) until I get the connectivity working.
I'm obviously overlooking some other configuration settings required for machines inside the network being able to connect through the gateway/router.
Thanks for any advice in advance.
Max Pyziur pyz@brama.com
You need NAT set up on the server.
ZK
On Jun 28, 2015, at 2:50 PM, Max Pyziur pyz@brama.com wrote:
Greetings,
I'm rebuilding a machine to function as a gateway/router to Verizon DSL.
It has two NICs eth0 and eth1 (static set to 192.168.1.1).
eth0 connects to the DSL modem.
I've set up Verizon DSL using pppoe-setup, and it works.
I can connect from home machines to the server (192.168.1.1); while logged in to the server, I can connect to both the internet, and the home machines.
But ...
I can't connect from the home machines directly to the Internet.
I have set net.ipv4.ip_forward = 1 in /etc/sysctl.conf
I haven't setup the firewall yet (dangerous, I know) until I get the connectivity working.
I'm obviously overlooking some other configuration settings required for machines inside the network being able to connect through the gateway/router.
Thanks for any advice in advance.
Max Pyziur pyz@brama.com
On 28.06.2015 at 20:50, Max Pyziur wrote:
[ ... ]
I can't connect from the home machines directly to the Internet.
I have set net.ipv4.ip_forward = 1 in /etc/sysctl.conf
I haven't setup the firewall yet (dangerous, I know) until I get the connectivity working.
Part of the firewall setup (iptables) is to configure masquerading. That's your issue: the missing masquerading of the traffic from the LAN hosts through the gateway.
I'm obviously overlooking some other configuration settings required for machines inside the network being able to connect through the gateway/router.
Thanks for any advice in advance.
Max Pyziur pyz@brama.com
Alexander
On 06/28/2015 03:20 PM, Alexander Dalloz wrote:
On 28.06.2015 at 20:50, Max Pyziur wrote:
Part of the firewall setup (iptables) is to configure masquerading. That's your issue: the missing masquerading of the traffic from the LAN hosts through the gateway.
I'm obviously overlooking some other configuration settings required for machines inside the network being able to connect through the gateway/router.
Thanks for any advice in advance
As others have stated, you need to use NATing; you won't actually be routing traffic (unless you've been allocated a routable network, which is possible, but pretty unlikely). The script I use (stolen from some Google search, I'm sure; I can't give proper attribution if pressed):
# Flush all the rules in filter and nat tables
iptables --flush
iptables --table nat --flush
# Delete all chains that are not in default filter and nat table
iptables --delete-chain
iptables --table nat --delete-chain
# Set up IP FORWARDing and Masquerading
iptables --table nat --append POSTROUTING --out-interface eth2 -j MASQUERADE
iptables --append FORWARD --in-interface eth3 -j ACCEPT
# Enables packet forwarding by kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
In this case eth3 would be your local, non-routed network (e.g. 10.* or 192.168.*) and eth2 would be your regular network interface (like the one plugged into your cable modem or DSL connection). It'd likely need to be customized for your environment, and running it would likely destroy any firewall rules you have set up; fair warning.
On Sun, 2015-06-28 at 14:50 -0400, Max Pyziur wrote:
I haven't setup the firewall yet (dangerous, I know) until I get the connectivity working.
I'm obviously overlooking some other configuration settings required for machines inside the network being able to connect through the gateway/router.
As others have pointed out, you're either missing a NAT layer or you got a large enough IP allocation to subnet and you haven't set up routing. Probably safe to assume it's NAT.
I'd suggest at a minimum you install something like shorewall to assist in managing your firewall and IP masquerading tasks. It's available in EPEL, is very well documented, and provides enough built in sanity checks to protect you against making some silly (and some not so silly) mistakes in your firewall management.
On Sun, 28 Jun 2015, Brian Miller wrote:
On Sun, 2015-06-28 at 14:50 -0400, Max Pyziur wrote:
I haven't setup the firewall yet (dangerous, I know) until I get the connectivity working.
I'm obviously overlooking some other configuration settings required for machines inside the network being able to connect through the gateway/router.
As others have pointed out, you're either missing a NAT layer or you got a large enough IP allocation to subnet and you haven't set up routing. Probably safe to assume it's NAT.
I'd suggest at a minimum you install something like shorewall to assist in managing your firewall and IP masquerading tasks. It's available in EPEL, is very well documented, and provides enough built in sanity checks to protect you against making some silly (and some not so silly) mistakes in your firewall management.
Thanks to all for pointing me in the direction of iptables and IP masquerading.
From several sources (code, the stock CentOS iptables) I've cobbled together the following /etc/sysconfig/iptables; while it works, I suspect that there are holes:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
COMMIT
I also seem to need to load iptable_nat nf_nat_ftp
via rc.local
Is this correct?
Thank you again,
Max
On 6/28/2015 3:49 PM, Max Pyziur wrote:
I also seem to need to load iptable_nat nf_nat_ftp
via rc.local
Is this correct?
Only if you're running some Linux build from the 1990s.
Nothing on RHEL/CentOS should need anything in rc.local.
On Sun, 28 Jun 2015, John R Pierce wrote:
On 6/28/2015 3:49 PM, Max Pyziur wrote:
I also seem to need to load iptable_nat nf_nat_ftp
via rc.local
Is this correct?
Only if you're running some Linux build from the 1990s.
Nothing on RHEL/CentOS should need anything in rc.local.
Then what is the appropriate way to ensure that these modules are loaded?
Should they be placed in the /etc/init.d/iptables script?
IPTABLES_MODULES="iptable_nat ip_nat_ftp ip_conntrack ip_conntrack_ftp"
or somewhere else?
Thanks
Max
On 29/06/2015 16:59, Max Pyziur wrote:
On Sun, 28 Jun 2015, John R Pierce wrote:
On 6/28/2015 3:49 PM, Max Pyziur wrote:
I also seem to need to load iptable_nat nf_nat_ftp
via rc.local
Is this correct?
Only if you're running some Linux build from the 1990s.
Nothing on RHEL/CentOS should need anything in rc.local.
Then what is the appropriate way to ensure that these modules are loaded?
Should they be placed in the /etc/init.d/iptables script?
IPTABLES_MODULES="iptable_nat ip_nat_ftp ip_conntrack ip_conntrack_ftp"
or somewhere else?
Thanks
Max
It should do it automatically for you. Try it. Editing system init scripts is rarely recommended.
Tris
On Mon, 29 Jun 2015, Tris Hoar wrote:
On 29/06/2015 16:59, Max Pyziur wrote:
On Sun, 28 Jun 2015, John R Pierce wrote:
On 6/28/2015 3:49 PM, Max Pyziur wrote:
I also seem to need to load iptable_nat nf_nat_ftp
via rc.local
Is this correct?
Only if you're running some Linux build from the 1990s.
Nothing on RHEL/CentOS should need anything in rc.local.
Then what is the appropriate way to ensure that these modules are loaded?
Should they be placed in the /etc/init.d/iptables script?
IPTABLES_MODULES="iptable_nat ip_nat_ftp ip_conntrack ip_conntrack_ftp"
or somewhere else?
Thanks
Max
It should do it automatically for you. Try it. Editing system init scripts is rarely recommended.
It worked.
There are a lot of website guides to Linux home networking, some going back as far as TLDP days (late 1990s, early 2000s). Understandably, there is no single one that presents itself as authoritative.
Rebuilding a CentOS box is an occasional endeavour, not a weekly one. So the reliance is on the informational sources that are there (some of which do recommend hacking rc.local or /etc/init.d/iptables), memory, and trial-and-error (typos and misspecified NICs can become time-sinks).
Tris
Max
On 06/28/2015 03:49 PM, Max Pyziur wrote:
From several sources (code, the stock CentOS iptables) I've cobbled together the following /etc/sysconfig/iptables; while it works, I suspect that there are holes:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
Some holes, yes. I'd recommend that your FORWARD table be similar to INPUT. It should DROP by default, and ACCEPT on traffic coming in the LAN interface and going out the WAN interface (and ESTABLISHED data). As it is now, a host on your WAN interface could use your system as its gateway, and you'd MASQ its traffic.
Possibly:
:FORWARD DROP [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state NEW -i eth0 -o eth1 -j ACCEPT
Best practice is to apply both egress and ingress filters as well. You should only forward traffic to the WAN if the source address is one that you use on your LAN. You should only forward traffic to your LAN if the source is *not* an address you use in your LAN.
I think that looks like this in iptables, but I might be wrong...
:FORWARD DROP [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -i eth1 ! -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -i eth0 -j ACCEPT
-A FORWARD -m state --state NEW -i eth0 -o eth1 -s 192.168.1.0/24 -j ACCEPT
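A complete ruleset along the lines described in the replies above, as an added example that is not code from any post in this thread. It assumes the layout from the first message (LAN on eth1 as 192.168.1.0/24) and that the Internet side is ppp0, the PPPoE interface that pppoe-setup brings up on top of eth0, since that is where the public address lives and where NAT has to happen; the helper names gen_ruleset, check_ruleset and apply_ruleset are this example's own. Compared with the posted /etc/sysconfig/iptables it pins MASQUERADE to the WAN interface (a bare POSTROUTING MASQUERADE rule rewrites the source of anything leaving on any interface, LAN included), makes FORWARD drop by default, and adds the ingress and egress source-address filters in both directions. The static check flags both of those defects in the posted ruleset.

```shell
#!/bin/sh
# gateway-fw.sh: generate, sanity-check and install a NAT gateway ruleset
# for a CentOS 6 box (iptables-restore format, i.e. /etc/sysconfig/iptables).
# Added example for this thread; not code from any of the posts.
#
# Assumptions (edit to taste): the LAN is eth1 on 192.168.1.0/24 and the
# Internet side is ppp0, the PPPoE interface pppoe-setup creates on top of
# eth0. Public traffic leaves on ppp0, so that is where NAT must happen.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-ppp0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the ruleset on stdout. Lines starting with '#' are ignored by
# iptables-restore, so the comments can stay in the installed file.
gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade only LAN traffic that leaves on the WAN link. A masquerade
# rule without -o rewrites the source of anything leaving on any interface.
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# Administer the gateway from the LAN only; add explicit rules for any
# service that really must be reachable from the Internet.
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Ingress filter: a packet arriving from the Internet can never
# legitimately carry a LAN source address.
-A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
# Egress filter: only LAN addresses may be forwarded out; anything else
# is a misconfigured or spoofing host behind the gateway.
-A FORWARD -i $LAN_IF ! -s $LAN_NET -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections only from the LAN towards the Internet, never the
# reverse, and never from a WAN-side host trying to use us as its gateway.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Static check of a ruleset read from stdin. Succeeds only if the FORWARD
# policy is DROP and every MASQUERADE rule is pinned to an out-interface.
check_ruleset() {
    rules=$(cat)
    ok=0
    if ! printf '%s\n' "$rules" | grep -q '^:FORWARD DROP'; then
        echo "check: FORWARD chain does not default to DROP" >&2
        ok=1
    fi
    unpinned=$(printf '%s\n' "$rules" | grep -v '^#' | grep -- '-j MASQUERADE' | grep -v -- ' -o ' || true)
    if [ -n "$unpinned" ]; then
        echo "check: MASQUERADE not restricted to an interface: $unpinned" >&2
        ok=1
    fi
    return $ok
}

# Check statically, let iptables-restore parse it without committing,
# then install it where the CentOS 6 iptables init script expects it.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    gen_ruleset > "$tmp"
    if ! check_ruleset < "$tmp" || ! iptables-restore --test < "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    cat "$tmp" > /etc/sysconfig/iptables
    rm -f "$tmp"
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    # Kernel-side anti-spoofing backstop for the interface-based rules above.
    sysctl -w net.ipv4.conf.all.rp_filter=1 >/dev/null
    service iptables restart
}

case "${1:-}" in
    show)  gen_ruleset ;;
    check) gen_ruleset | check_ruleset && echo "ruleset passes static checks" ;;
    apply) apply_ruleset ;;
esac
```

Run it as `sh gateway-fw.sh show` to review the rules, `check` for the static test, and `apply` as root to install and load them. Modules that a rule references (iptable_nat for the nat table, the state match) are pulled in automatically when the ruleset loads; a connection-tracking helper that no rule names, such as nf_nat_ftp for active FTP through the NAT, goes into IPTABLES_MODULES in /etc/sysconfig/iptables-config, which the CentOS 6 iptables init script reads on start, so neither rc.local nor /etc/init.d/iptables needs editing.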
-----Original Message-----
From: centos-bounces@centos.org On Behalf Of Max Pyziur
Sent: 28 June 2015 20:50
To: centos@centos.org
Subject: [CentOS] Using a CentOS 6 Machine as a gateway/router/home server
I'm rebuilding a machine to function as a gateway/router to Verizon DSL.
Hi,
May I ask why you don't just use a made-for-the-purpose distro like Smoothwall to do this? It takes (almost) all of the pain out of configuring stuff, and is quite secure due to not having as much "junk" pre-installed as CentOS 6?
-----Original Message-----
From: centos-bounces@centos.org On Behalf Of Sorin Srbu
Sent: 29 June 2015 08:11
To: CentOS mailing list
Subject: Re: [CentOS] Using a CentOS 6 Machine as a gateway/router/home server

-----Original Message-----
From: centos-bounces@centos.org On Behalf Of Max Pyziur
Sent: 28 June 2015 20:50
To: centos@centos.org
Subject: [CentOS] Using a CentOS 6 Machine as a gateway/router/home server

I'm rebuilding a machine to function as a gateway/router to Verizon DSL.

May I ask why you don't just use a made-for-the-purpose distro like Smoothwall to do this? It takes (almost) all of the pain out of configuring stuff, and is quite secure due to not having as much "junk" pre-installed as CentOS 6?
Please note: I'm not criticizing, just curious about the argument behind using a regular OS to do firewall-stuff.
At Mon, 29 Jun 2015 06:14:33 +0000 CentOS mailing list centos@centos.org wrote:
-----Original Message-----
From: centos-bounces@centos.org On Behalf Of Sorin Srbu
Sent: 29 June 2015 08:11
To: CentOS mailing list
Subject: Re: [CentOS] Using a CentOS 6 Machine as a gateway/router/home server

-----Original Message-----
From: centos-bounces@centos.org On Behalf Of Max Pyziur
Sent: 28 June 2015 20:50
To: centos@centos.org
Subject: [CentOS] Using a CentOS 6 Machine as a gateway/router/home server

I'm rebuilding a machine to function as a gateway/router to Verizon DSL.

May I ask why you don't just use a made-for-the-purpose distro like Smoothwall to do this? It takes (almost) all of the pain out of configuring stuff, and is quite secure due to not having as much "junk" pre-installed as CentOS 6?
Please note: I'm not criticizing, just curious about the argument behind using a regular OS to do firewall-stuff.
The most common case is that the machine implementing the gateway/routing/firewall is also being used for other stuff. Rather than having a separate piece of equipment, a 'small' part of an existing piece of equipment is being utilized. This saves on resources.
On 6/28/2015 11:11 PM, Sorin Srbu wrote:
May I ask why you don't just use a made-for-the-purpose-distro like Smoothwall to do this?
Indeed, I use pfSense, running on an APU1D4 [1] router board as my firewall, and a separate home server on an HP Microserver [2]. IMHO, keeping the firewall function completely separate simplifies security.
That router board can handle 300 Mbit/sec of NAT firewall rules; since I only have 30 Mbit internet, that's plenty of headroom. The Microserver has 4x3 TB SATA drives in a raidZ (ZFS) for 7.5 TiB usable.
I can muck about with the server at my leisure, and reboot it, and not affect internet routing to my wife. The firewall doesn't need mucking about with and has uptimes measured in months (time between pfSense upgrades). pfSense provides the DHCP and DNS and NTP services for the LAN.
[1] http://store.netgate.com/kit-APU1C4.aspx
[2] http://www8.hp.com/h20195/v2/GetPDF.aspx/c04111079.pdf
-----Original Message-----
From: centos-bounces@centos.org On Behalf Of John R Pierce
Sent: 29 June 2015 08:29
To: centos@centos.org
Subject: Re: [CentOS] Using a CentOS 6 Machine as a gateway/router/home server

On 6/28/2015 11:11 PM, Sorin Srbu wrote:
May I ask why you don't just use a made-for-the-purpose distro like Smoothwall to do this?
Indeed, I use pfSense, running on an APU1D4 [1] router board as my firewall, and a separate home server on an HP Microserver [2]. IMHO, keeping the firewall function completely separate simplifies security.
[1] http://store.netgate.com/kit-APU1C4.aspx
[2] http://www8.hp.com/h20195/v2/GetPDF.aspx/c04111079.pdf
That DIY Kit was pretty cool, thanks for the info!
On 6/28/2015 11:50 PM, Sorin Srbu wrote:
That DIY Kit was pretty cool, thanks for the info!
I note everyone is moving over to the Intel Avoton/Rangeley 'system on a chip', this is the Xeon Atom C2xx8 series, like this... http://store.netgate.com/ADI/RCC-VE-2440-board.aspx (other versions of Rangeley come with 2-4-6 ethernet ports and 2-4-8 cores).
These are higher performance than the APU, for somewhat more watts and dollars.
-----Original Message-----
From: centos-bounces@centos.org On Behalf Of John R Pierce
Sent: 29 June 2015 09:03
To: centos@centos.org
Subject: Re: [CentOS] Using a CentOS 6 Machine as a gateway/router/home server

On 6/28/2015 11:50 PM, Sorin Srbu wrote:
That DIY Kit was pretty cool, thanks for the info!
I note everyone is moving over to the Intel Avoton/Rangeley 'system on a chip', this is the Xeon Atom C2xx8 series, like this... http://store.netgate.com/ADI/RCC-VE-2440-board.aspx (other versions of Rangeley come with 2-4-6 ethernet ports and 2-4-8 cores).
These are higher performance than the APU, for somewhat more watts and dollars.
Gotcha'. Fewer watts may be worth it in the long run, as this is a device that's always on for obvious reasons.
On 6/29/2015 12:04 AM, Sorin Srbu wrote:
Gotcha'. Fewer watts may be worth it in the long run, as this is a device that's always on for obvious reasons.
Depends entirely on your performance requirements. The APU has no fans AND no vents; the case sheet metal is the heatsink. This means it won't fill up with dust over time. The lower end Avoton/Rangeley chips have a heatsink and case vents, but not a fan; convection will move air and dust through the case.