
the marriage of wireless and wireful



I needed a firewall for my home network that could also incorporate my
wireless network, and I had a thinkpad 570 with a broken display.  A laptop
for a server, what fun! I'm almost done but I have a little problem.

The thinkpad (apollo) has three network interfaces:

    eth0 is 192.168.0.1 (wired network)
    ppp0 is w.x.y.z (connects to Internet via roaring penguin's PPPoE)
  wvlan0 is 192.168.1.1 (wireless network)

She is running potato, kernel 2.2.17pre20, pcmcia 3.1.19.  Hosts on the
wireless network can get everywhere OK except for the printer on the wired
network.  From apollo I can reach everything fine, including the printer.

I thought some strange ipchain was stopping me but that doesn't appear to
be it.  I think now it's some routing thinko on my part but I can't find it.
So I throw myself upon the mercy of your collective brainpower.  Why can't
192.168.1.10 get a ping response from 192.168.0.250? (Or otherwise reach it,
IOW it's not ICMP-specific.) Snooping the network interfaces on apollo
shows that the ICMP echo request is being received on wvlan0 and delivered
on eth0, but then it disappears.

Is the wireless client, the router, or the printer misconfigured?

[On an unrelated note, if you've come this far -- it's no small feat to
get all the startup stuff to run happily if all your critical networking
hardware is PCMCIA.  I thought just jimjamming /etc/init.d/pcmcia ahead
of /etc/init.d/networking would solve it, but this had issues.  For a short
term hack I made an rc2.d/S99 that re-starts networking and then restarts
named and the DHCP server.  Hideous! Shameful!]

Thanks for any juicy tidbits.  You're all spectacular heroes.

-- 
Paul Phillips      | Make a whole new religion.
Vivid              | 
<paulp@go2net.com> | 
pal, i pill push   |--------* http://www.go2net.com/people/paulp/ *--------


[The router]

root@apollo:~# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    w.x.y.z     0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 wvlan0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         w.x.y.z         0.0.0.0         UG        0 0          0 ppp0

root@apollo:~# ipmasq -v
Interfaces found:
  ppp0  w.x.y.z/255.255.255.255
  eth0  192.168.0.1/255.255.255.0
  wvlan0        192.168.1.1/255.255.255.0
/sbin/ipchains -P input DENY
/sbin/ipchains -P output DENY
/sbin/ipchains -P forward DENY
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward
/sbin/ipchains -A forward -j ACCEPT -s 192.168.1.1/255.255.255.0 -d 192.168.0.1/255.255.255.0
/sbin/ipchains -A forward -j ACCEPT -s 192.168.0.1/255.255.255.0 -d 192.168.1.1/255.255.255.0
/sbin/ipchains -A input -j ACCEPT -i lo
/sbin/ipchains -A input -j DENY -i !lo -s 127.0.0.1/255.0.0.0 -l
/sbin/ipchains -A input -j ACCEPT -i eth0 -s 192.168.0.1/255.255.255.0
/sbin/ipchains -A input -j ACCEPT -i wvlan0 -s 192.168.1.1/255.255.255.0
/sbin/ipchains -A input -j DENY -i ppp0 -s 192.168.0.1/255.255.255.0 -l
/sbin/ipchains -A input -j DENY -i ppp0 -s 192.168.1.1/255.255.255.0 -l
/sbin/ipchains -A input -j ACCEPT -i ppp0 -d w.x.y.z/32
/sbin/ipchains -A forward -j MASQ -i ppp0 -s 192.168.0.1/255.255.255.0
/sbin/ipchains -A forward -j MASQ -i ppp0 -s 192.168.1.1/255.255.255.0
/sbin/ipchains -A output -j ACCEPT -i lo
/sbin/ipchains -A output -j ACCEPT -i eth0 -d 192.168.0.1/255.255.255.0
/sbin/ipchains -A output -j ACCEPT -i eth0 -d 224.0.0.0/240.0.0.0 -p ! tcp
/sbin/ipchains -A output -j ACCEPT -i wvlan0 -d 192.168.1.1/255.255.255.0
/sbin/ipchains -A output -j ACCEPT -i wvlan0 -d 224.0.0.0/240.0.0.0 -p ! tcp
/sbin/ipchains -A output -j DENY -i ppp0 -d 192.168.0.1/255.255.255.0 -l
/sbin/ipchains -A output -j DENY -i ppp0 -d 192.168.1.1/255.255.255.0 -l
/sbin/ipchains -A output -j ACCEPT -i ppp0 -s w.x.y.z/32
echo "1" > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -M -S 7200 10 160
/sbin/ipchains -A input -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
/sbin/ipchains -A output -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
/sbin/ipchains -A forward -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l

[The wireless client]

orbit:~# ifconfig wvlan0
wvlan0    Link encap:Ethernet  HWaddr 00:60:1D:22:5A:E7  
          inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

orbit:~# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 wvlan0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 wvlan0

[The printer network hardware -- it's an HP JetDirect 170x]

     IP = 192.168.0.250
netmask = 255.255.0.0
gateway = 192.168.0.1
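
Added example, not part of the original post: a Python sketch that takes the addresses, netmasks and gateways from the dumps above and works out, hop by hop, whether each sender treats the destination as on-link (and ARPs for it directly) or hands the packet to its gateway. The table layout, segment labels and function names are invented here, and it assumes apollo does not answer ARP on behalf of wireless hosts (no proxy ARP).

```python
import ipaddress

# (address, netmask, segment) per interface, from the post; segment labels are made up.
HOSTS = {
    "orbit":   {"ifaces": [("192.168.1.10", "255.255.255.0", "wireless")],
                "gateway": "192.168.1.1"},
    "apollo":  {"ifaces": [("192.168.0.1", "255.255.255.0", "wired"),
                           ("192.168.1.1", "255.255.255.0", "wireless")],
                "gateway": None},   # the ppp0 default route is not modeled
    "printer": {"ifaces": [("192.168.0.250", "255.255.0.0", "wired")],
                "gateway": "192.168.0.1"},
}

def owner(ip):
    """Return (host, segment) for the interface configured with ip, else None."""
    for name, cfg in HOSTS.items():
        for addr, _mask, seg in cfg["ifaces"]:
            if addr == ip:
                return name, seg
    return None

def onlink_segment(host, ip, masks):
    """Segment on which host believes ip is directly reachable, else None."""
    for addr, mask, seg in HOSTS[host]["ifaces"]:
        net = ipaddress.ip_network(f"{addr}/{masks.get(host, mask)}", strict=False)
        if ipaddress.ip_address(ip) in net:
            return seg
    return None

def trace(src, dst, masks=None):
    """Follow a packet from host src to dst; masks overrides a host's netmask."""
    masks, path, host = masks or {}, [src], src
    for _ in range(8):                              # hop limit
        target = dst if onlink_segment(host, dst, masks) else HOSTS[host]["gateway"]
        seg = onlink_segment(host, target, masks) if target else None
        if seg is None:
            return path, f"{host} has no route to {dst}"
        hit = owner(target)
        if hit is None or hit[1] != seg:            # ARP goes out, nobody replies
            return path, f"{host} ARPs for {target} on {seg}: no answer"
        host = hit[0]
        path.append(host)
        if target == dst:
            return path, "delivered"
    return path, "hop limit exceeded"

if __name__ == "__main__":
    for case in (("orbit", "192.168.0.250"), ("printer", "192.168.1.10")):
        print(case, trace(*case))
```

With the settings as posted, the request leg reaches the printer but the reply leg stops at the printer, whose 255.255.0.0 mask puts 192.168.1.10 inside its own on-link range. Passing `{"printer": "255.255.255.0"}` as `masks` sends the reply through 192.168.0.1 instead.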
