Router help request
beesond001 at hawaii.rr.com
Sat Dec 29 18:39:03 PST 2001
To all,
Thanks in advance for your help. I apologize for the long-winded reply.
I think I may be able to figure this out, but I want to make sure that I
get it mostly right before I go fiddling with everything.... Here's what
I am trying to do:
(I hope this picture looks OK...)
Internet <--> router <--> Linksys 5 port workgroup hub
                            |--> Sparc 20 running Linux
                            |--> VA Linux box running RH Linux
                            |--> Wireless Access Point
                                   |<-- Windows box
                                   |<-- iMac box
                                   |<-- PC Laptop (occasionally)
For the internal lan part, I will use the 192.168.1.0/24 series of
addresses. I'd like to use dhcp to assign these addresses since, once it
is set up, it makes it easier to add or delete nodes as needed.
For a setup like this, would the following commands fix dhcpd so it
provides addresses to queries on eth1 (the internal interface) once the
dhcp daemon is started?
########################### Begin dhcpd.conf ###########################################
#
# Sample dhcpd.conf file shamelessly stolen from the
# LDP files with a few embedded questions....
#
#
subnet 192.168.1.0 netmask 255.255.255.0 {
  # --- default gateway
  option routers 192.168.1.1;
  option subnet-mask 255.255.255.0;
  # NIS not used here
  # option nis-domain "domain.org";
  # option domain-name "domain.org";
  # option domain-name-servers 192.168.1.1;
  # time-offset is in seconds from UTC, not hours (Hawaii Standard Time is UTC-10)
  option time-offset -36000; # Hawaii Standard Time
  # option ntp-servers 192.168.1.1;
  # option netbios-name-servers 192.168.1.1;
  # --- Selects point-to-point node (default is hybrid). Don't change this unless
  # -- you understand Netbios very well
  # option netbios-node-type 2;
  # I think the next stanza means dhcpd will begin providing addresses at 192.168.1.128
  # and continue through address 192.168.1.255. This doesn't make sense to me
  # because 192.168.1.255 should be the broadcast address shouldn't it? Do I need
  # to change the last address to .254, or should I leave it alone???
  range dynamic-bootp 192.168.1.128 192.168.1.255;
  default-lease-time 21600;
  max-lease-time 43200;
  #
  # H-m-m-m do I need something like this, or can I use the road runner nameserver???
  # I wonder if I could just delete this section all together and use the
  # 24.25.227.34 and .36 addresses that road runner provides and are entered into the
  # network config for the router itself.
  #
  # we want the nameserver to appear at a fixed address
  host ns {
    next-server marvin.redhat.com;
    hardware ethernet 12:34:56:78:AB:CD;
    fixed-address 207.175.42.254;
  }
}
########################### End dhcpd.conf #########################
Would I need to add a route command like this to the router to get all
the non-Linux clients to be able to work??? The LDP discusses this in the
dhcp documents.
bash # route add -host 255.255.255.255 dev eth1
Now to the confusing part (confusing for me at least...)
I think I now need to run the following commands on the router as "root"
to get the rest of it working.
to set up a default route:
bash # route add default eth0 0
to route all 192.168.1.0/24 traffic to eth1:
bash # route add -net 192.168.1.0 -netmask 255.255.255.0 eth1 0
Once I've done this, what else do I need to do to get the router to
masquerade traffic in both directions (ignore the firewall for a moment)?
I would like the LAN computers to be able to access the internet and
receive their traffic back through the router.
Now for the firewall stuff. I have copied a few lines from the top of
the MonMotha Firewall 2.3.8-pre2 that I am trying to get to work with my
router. I would like to know from the experts out there if this looks
correct and whether or not I should delete the MAC_MASQ section and just
not use it... Also, is it worth the while to turn USE_SYNCOOKIES on? My
current firewall has SYNCOOKIE protection turned on, but I don't know
enough about SYNCOOKIES to know whether this is already sufficiently
addressed in the MonMotha firewall.
# Main configuration, modify to suit your setup. Help can be found at:
# http://www.mplug.org/phpwiki/index.php?MonMothaReferenceGuide
#
# set to your iptables location, must be set -- this is set /sbin/iptables for the router -- Ben
IPTABLES="/sbin/iptables"
#
#
TCP_ALLOW="22" # TCP ports to allow
UDP_ALLOW="68 6112 6119 4000" # UDP ports to allow
INET_IFACE="eth0" # the interface your internet's on (one only), must be set
LAN_IFACE="eth1" # the interface your LAN's on (one only)
INTERNAL_LAN="192.168.0.0/24 192.168.1.0/24" # The internal LAN (including DMZs but not censored hosts)
MASQ_LAN="192.168.0.0/24 192.168.1.0/24" # the internal network(s) to be masqueraded (this is overridden by MAC_MASQ)
#
# Internal networks/hosts to use static NAT (format is <internal ip or network>:<external ip>) (this is overridden by MAC_SNAT)
#
SNAT_LAN=""
#
#
# What to do with packets we don't want: DROP, REJECT, TREJECT (Reject with tcp-reset for TCP),
# LDROP (log and drop), LREJECT (log and reject), LTREJECT (log and reject with tcp-reset),
# ULDROP (ULOG and DROP)
DROP="TREJECT"
#
DENY_ALL="" # Internet hosts to explicitly deny from accessing your system at all
DENY_HOSTWISE_TCP="" # Specific hosts to deny access to specific TCP ports; format is "IP>PORT"
DENY_HOSTWISE_UDP="" # Specific hosts to deny access to specific UDP ports; format is "IP>PORT"
# People you don't want to have anything to do with (equivalent of my old TK_DROP). This is a bidirectional drop.
BLACKHOLE=""
BLACKHOLE_DROP="DROP" # What to do for the blackholes (same options as DROP directive above)
ALLOW_ALL="" # Internet hosts to explicitly allow full access to your system
ALLOW_HOSTWISE_TCP="" # Specific hosts allowed access to specific TCP ports; format is "IP>PORT"
ALLOW_HOSTWISE_UDP="" # Specific hosts allowed access to specific UDP ports; format is "IP>PORT"
TCP_FW="" # TCP port forwards, form is "SPORT:DPORT>IP"
UDP_FW="" # UDP port forwards, form is "SPORT:DPORT>IP"
MANGLE_TOS_OPTIMIZE="TRUE" # TOS "optimizations" on or off (TRUE/FALSE toggle)
ENABLE="Y" # Set to 'Y' when it's configured; this is for your own safety
# Flood Params. You will still receive the packets and the bandwidth will be used, but this will cause floods to be
# ignored (useful against SYNFLOODS especially)
# Limit on logging (for LTREJECT, LREJECT and LDROP, the packet will always take the policy regardless of logging)
LOG_FLOOD="2/s"
#
# GLOBAL limit on SYN packets (servers will probably need even higher sustained rates as this isn't on a per IP basis)
SYN_FLOOD="20/s"
#
#
PING_FLOOD="1/s" # GLOBAL limit on ICMP echo-requests to reply to
#
# Outbound filters (they work, but are of limited functionality), probably better to use a proxy here
# Internal hosts allowed to be forwarded out on TCP
# (do not put this/these host/s in INTERNAL_LAN, but do define their method of access [snat, masq] if not a public ip)
ALLOW_OUT_TCP=""
#
#
# Below here is experimental (please report your successes/failures)
# MAC addresses permitted to use masquerading, leave blank to not use
#VALinux box 1 & 2, Sparc box, wireless hub, windoze box, macintosh
#
MAC_MASQ="00:90:27:A5:72:22 00:90:27:A5:72:11 8:0:20:81:2D:E6 00:90:D1:01:28:1C 00:90:D1:05:E0:C3 "
#
#
# MAC addresses permitted to use static NAT, leave blank to not use (format is <MAC Address>:<external ip>)
MAC_SNAT=""
#
#
# How many hops packets need to make once they get on your LAN (null disables the mangling) (requires patch from patch-o-matic)
TTL_SAFE=""
#
USE_SYNCOOKIES="FALSE" # TCP SynCookies on or off (TRUE/FALSE toggle)
RP_FILTER="TRUE" # Turns rp_filter on or off on all interfaces (TRUE/FALSE toggle)
ACCEPT_SOURCE_ROUTE="FALSE" # Turns accept_source_route on or off on all interfaces (TRUE/FALSE toggle)
PROXY="" # Redirect for Squid or other transparent proxy. Syntax to specify the proxy is "host:port".
# Set to true if you run a DHCP server. DHCP clients do not need this.
# This allows broadcasts to the server from potential clients on the LAN to succeed.
# MUST DEFINE LAN_IFACE IF YOU USE THIS!
#
DHCP_SERVER="TRUE"
#
#
BAD_ICMP="5 9 10 15 16 17 18" # ICMP messages to NOT allow in from internet
# Only touch these if you're daring (PREALPHA stuff, as in basically non-functional)
# Interface your DMZ is on (leave blank if you don't have one) MUST DEFINE LAN_IFACE IF YOU USE THIS!
DMZ_IFACE=""
#
#
# Output an identifier message..
#
echo "This is it...MonMotha's Firewall 2.3.8-pre2!"
echo "All your h4x0rZ belong to Linux/Netfilter!"
#
Thanks again,
Ben
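On the dhcpd range question in the config above, an added example (not Ben's config and not the LDP sample): a POSIX sh check that computes a subnet's broadcast address and rejects a range that includes it; the subnet, mask and both candidate ranges are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the post: validate a dhcpd "range" against its subnet.
# Uses only POSIX sh arithmetic so it runs on the router itself.

# dotted quad -> 32-bit integer
ip2int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# broadcast NET MASK -> highest address of the subnet (network | ~mask)
broadcast() {
    net=$(ip2int "$1"); mask=$(ip2int "$2")
    int2ip $(( net | (mask ^ 4294967295) ))
}

# check_range NET MASK FIRST LAST: status 0 if every address FIRST..LAST is a
# usable host address of NET/MASK, otherwise status 1 and the reason.
check_range() {
    net=$(ip2int "$1"); mask=$(ip2int "$2")
    first=$(ip2int "$3"); last=$(ip2int "$4")
    bcast=$(( net | (mask ^ 4294967295) ))
    if [ "$first" -gt "$last" ]; then echo "range is backwards"; return 1; fi
    if [ $(( first & mask )) -ne "$net" ] || [ $(( last & mask )) -ne "$net" ]; then
        echo "range leaves subnet $1/$2"; return 1
    fi
    if [ "$first" -eq "$net" ]; then echo "$3 is the network address"; return 1; fi
    if [ "$last" -eq "$bcast" ]; then
        echo "$4 is the broadcast address; end the range at $(int2ip $(( bcast - 1 )))"
        return 1
    fi
    echo "ok: $(( last - first + 1 )) leases"
}

# The range as posted (fails) and the .254 variant asked about (passes).
# "|| :" keeps the first failure from aborting a script run under set -e.
check_range 192.168.1.0 255.255.255.0 192.168.1.128 192.168.1.255 || :
check_range 192.168.1.0 255.255.255.0 192.168.1.128 192.168.1.254
```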
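For the masquerading question, an added example that is not from the post and not part of MonMotha: the router-side pieces (kernel forwarding switch, one MASQUERADE rule, a FORWARD policy, the DHCP broadcast route) using the interface names and subnet from the message. It prints the commands unless APPLY=1 is set, so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not from the post: minimal Netfilter/sysctl setup so the router
# forwards and masquerades 192.168.1.0/24 out of eth0 (names from Ben's message).
INET_IFACE="eth0"
LAN_IFACE="eth1"
LAN_NET="192.168.1.0/24"
IPTABLES="/sbin/iptables"

# Print each command unless APPLY=1 (applying needs root).
run() { if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi; }

# Kernel switches. Forwarding is off by default, so without ip_forward=1 no NAT
# rule moves a packet between eth1 and eth0. tcp_syncookies and rp_filter are
# the knobs behind MonMotha's USE_SYNCOOKIES and RP_FILTER toggles.
sysctl_cmds() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.tcp_syncookies=1
    run sysctl -w net.ipv4.conf.all.rp_filter=1
}

# NAT for "both directions" is one POSTROUTING rule: conntrack records each
# masqueraded connection and un-translates the replies. MASQUERADE uses whatever
# address eth0 has when the connection starts, which suits a dynamically
# assigned Road Runner address; SNAT would need a fixed one.
nat_cmds() {
    run "$IPTABLES" -t nat -A POSTROUTING -s "$LAN_NET" -o "$INET_IFACE" -j MASQUERADE
}

# Forwarding policy: LAN may open connections outward; Internet->LAN only for
# connections conntrack already knows; everything else is dropped.
forward_cmds() {
    run "$IPTABLES" -P FORWARD DROP
    run "$IPTABLES" -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -s "$LAN_NET" -j ACCEPT
    run "$IPTABLES" -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -d "$LAN_NET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# The broadcast route from the LDP DHCP documents, so dhcpd's offers to clients
# that have no address yet leave on eth1 instead of being routed nowhere.
dhcp_cmds() {
    run route add -host 255.255.255.255 dev "$LAN_IFACE"
}

sysctl_cmds
nat_cmds
forward_cmds
dhcp_cmds
```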