
Re: Linux Router



Captain's Log, stardate Tue, 14 Dec 2004 12:23:08 -0600, from the fingers of Michael Madden came the words:
>> The main point is that there are so many things to do in Linux in
>> order to configure it for masquerading (Recompiling Kernel etc).
>> There also so many different commands that do exactly the same
>> thing but in different ways. If a person is starting off in
>> firewalling it's not good to overwhelm them with information.
>> With OpenBSD, you simply edit stuff that's already there, for
>> example. These are the steps i would take to setup a gateway on a
>> brand newly setup OpenBSD machine:
>>
>> Uncomment the following in /etc/sysctl.conf
>>
>> net.inet.ip.forwarding=1
>> net.inet6.ip6.forwarding=1 (if using IPv6)
>>
>> Uncomment and edit this line in /etc/pf.conf (stuff in <> needs
>> to be edited, stuff in [] is optional)
>>
>> nat [pass] on <interface> [af] from <src_addr> [port src_port] to
>> <dst_addr> [port <dst_port>] -> <ext_addr> [pool_type] [static-port]
>>
>> You may then reboot the machine or just issue the following two
>> commands:
>>
>> # sysctl net.inet.ip.forwarding=1
>>
>> Or
>>
>> # sysctl net.inet6.ip6.forwarding=1 (if using IPv6)
>>
>> Then
>>
>> # pfctl -f /etc/pf.conf
>>
>> You now have a fully working NAT box.
>>
>> To perform IP forwarding uncomment the port redirect line in
>> pf.conf and modify it to your taste then issue:
>>
>> # pfctl -f /etc/pf.conf
>>
>> The default configuration for the machine has zero known security
>> holes. (have a look at www.openbsd.org for security info)
>>
>> Regards,
>>
>> Ken
>>
>
> Forgive me if I'm new to the OpenBSD approach, but I've installed
> OpenBSD 3.6 on a laptop with 2 PCMCIA cards, and I cannot get any
> of my clients behind the firewall to see beyond the firewall.
>
> My two network cards are setup as:
>
> bsdrouter# ifconfig ep1
> ep1: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         address: 00:60:97:87:8b:4d
>         media: Ethernet 10baseT
>         inet 172.16.1.100 netmask 0xffff0000 broadcast 172.16.255.255
>         inet6 fe80::260:97ff:fe87:8b4d%ep1 prefixlen 64 scopeid 0x5
> bsdrouter# ifconfig ep2
> ep2: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         address: 00:10:4b:ec:64:80
>         media: Ethernet 10baseT
>         inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255
>         inet6 fe80::210:4bff:feec:6480%ep2 prefixlen 64 scopeid 0x6
>
> I've got IP forwarding enabled:
>
> bsdrouter# cat /etc/sysctl.conf
> net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of packets
>
> Finally I've setup pf.conf:
>
> bsdrouter# cat /etc/pf.conf
> f="ep1"
> int_if="ep2"
> nat on $ext_if from !($ext_if) -> ($ext_if:0)
>
> I rebooted the machine after the above network setup, and while I'm
> on the router I can see the 192.168.3.x network, the 172.16.x.x
> network, and the internet.  But my Windows machines behind the
> firewall cannot reach beyond the firewall even though the OpenBSD
> router is set as the default gateway.  On machines on the
> 172.16.x.x network, I can reach the router at 172.16.1.100 and the
> machines behind the router (if I add a route to the 172.16.x.x
> machines).
>
> Has anyone experienced this before?
>
> Thanks,
> Mike

Hi Mike

Have you set a rule to allow the NAT to pass through the box? Simply adding "pass" to your above command should do that for you.

nat pass on $ext_if from !($ext_if) -> ($ext_if:0)

Also, the macro for your external interface: I assume it's not really set to f="ep1". Was that just a couple of missed characters while copying and pasting? (It should read ext_if="ep1", not f="ep1".)

Here is my pf.conf from one of my firewalls if it's any help to you. You might want to comment out the "Block" stuff and change the IP addresses for redirection etc.

# macros
int_if = "fxp0"
ext_if = "rl0"

tcp_services = "{ 22, 80 }"
icmp_types = "echoreq"

# loopback and RFC 1918 space, which should never be seen on the external side
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# options
set block-policy return
set loginterface $ext_if

# scrub: normalise incoming packets and reassemble fragments
scrub in all

# nat/rdr: hide the internal network behind the external interface address
nat on $ext_if from $int_if:network to any -> ($ext_if)
#rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
#rdr pass on $ext_if proto tcp from any to $ext_if port smtp -> 10.2.0.15
#rdr pass on $int_if proto tcp from any to $int_if port 350 -> 10.2.2.202

# filter rules: default deny, then open only what is needed
block all

pass quick on lo0 all

pass in on $ext_if inet proto tcp from any to 10.2.0.15 port smtp
# anti-spoofing: drop private addresses arriving on, or leaking out of, the external interface
block drop in  quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

#pass in on $ext_if inet proto tcp from any to ($ext_if) \
#   port $tcp_services flags S/SA keep state

#pass in inet proto icmp all icmp-type $icmp_types keep state

# let the internal network out and its reply traffic back, tracked by state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# outbound from the firewall itself; modulate state randomises TCP ISNs
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

Regards,

Ken
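A pre-flight check for the two slips discussed in this thread, as an added example (not code from the thread, from OpenBSD or from pfctl): a small Python lint that flags a pf.conf macro referenced without being defined above it and translation rules written without `pass`, run over a constructed copy of Mike's ruleset and its corrected form. On a real system `pfctl -nf /etc/pf.conf` is the authoritative check and refuses to load a ruleset that references an undefined macro.

```python
"""Lint a pf.conf fragment for macros used before definition (Mike's f="ep1"
followed by $ext_if) and nat/rdr/binat rules without "pass".  Constructed
example for this thread, not OpenBSD or pfctl code."""
import re

MACRO_DEF = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=')
MACRO_REF = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')
TRANSLATION = ("nat", "rdr", "binat")

def strip_comment(line):
    # pf.conf comments run from '#' to end of line; '#' is not legal inside values.
    return line.split("#", 1)[0].rstrip()

def lint_pf_conf(text):
    """Return [(line_no, message), ...] for the given pf.conf text, in file order."""
    defined, findings = set(), []
    for no, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw)
        if not line.strip():
            continue
        # Every $name must have been defined on an earlier line (pfctl enforces this).
        for name in sorted(set(MACRO_REF.findall(line))):
            if name not in defined:
                findings.append((no, f"macro '{name}' used but not defined above"))
        m = MACRO_DEF.match(line)
        if m:
            defined.add(m.group(1))
            continue
        words = line.split()
        if words[0] in TRANSLATION and (len(words) < 2 or words[1] != "pass"):
            findings.append((no, f"{words[0]} rule without 'pass': translated "
                                 "packets are still evaluated by the filter rules"))
    return findings

# Constructed copy of the ruleset quoted in the thread, with its macro slip.
MIKE_PF_CONF = """\
f="ep1"
int_if="ep2"
nat on $ext_if from !($ext_if) -> ($ext_if:0)
"""

# The same ruleset with both corrections Ken suggests.
FIXED_PF_CONF = """\
ext_if="ep1"
int_if="ep2"
nat pass on $ext_if from !($ext_if) -> ($ext_if:0)
"""
```

Calling `lint_pf_conf(MIKE_PF_CONF)` reports both problems on line 3, while the corrected ruleset produces no findings.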
