Router help request

beesond001 at hawaii.rr.com beesond001 at hawaii.rr.com
Sat Dec 29 18:39:03 PST 2001


To all,

	Thanks in advance for your help.  I apologize for the long-winded reply.
I think I may be able to figure this out, but I want to make sure that I
get it mostly right before I go fiddling with everything....  Here's what
I am trying to do:

(I hope this picture looks OK...) 


Internet <--> router <--> Linksys 5-port workgroup hub --> Sparc 20 running Linux
                                                      |--> VA Linux box running RH Linux
                                                      |--> Wireless Access Point <--> Windows box
                                                                                 |<-- iMac box
                                                                                 |<-- PC laptop (occasionally)


For the internal LAN part, I will use the 192.168.1.0/24 series of
addresses.  I'd like to use DHCP to assign these addresses since, once it
is set up, it makes it easier to add or delete nodes as needed.


	For a setup like this, would the following commands fix dhcpd so it 
provides addresses to queries on eth1 (the internal interface) once the 
dhcp daemon was started?


########################### Begin dhcpd.conf ###########################
#
# Sample dhcpd.conf file shamelessly stolen from the
# LDP files with a few embedded questions....
#
#

subnet 192.168.1.0 netmask 255.255.255.0 {
# --- default gateway
	option routers			192.168.1.1;
	option subnet-mask		255.255.255.0;

# NIS not used here
#	option nis-domain		"domain.org";
#	option domain-name		"domain.org";
#	option domain-name-servers	192.168.1.1;

	option time-offset		-36000;	# Hawaii Standard Time (option is in seconds west of UTC, not hours)
#	option ntp-servers		192.168.1.1;
#	option netbios-name-servers	192.168.1.1;

# --- Selects point-to-point node (default is hybrid). Don't change this unless
# --  you understand Netbios very well
#	option netbios-node-type 2;


#	I think the next stanza means dhcpd will begin providing addresses at 192.168.1.128
#	and continue through address 192.168.1.255.  This doesn't make sense to me
#	because 192.168.1.255 should be the broadcast address shouldn't it?  Do I need
#	to change the last address to .254, or should I leave it alone???

	range dynamic-bootp 192.168.1.128 192.168.1.255;
	default-lease-time 21600;
	max-lease-time 43200;

#
#	H-m-m-m do I need something like this, or can I use the road runner nameserver???
#	I wonder if I could just delete this section all together and use the
#	24.25.227.34 and .36 addresses that road runner provides and are entered into the
#	network config for the router itself.
#

	# we want the nameserver to appear at a fixed address
	host ns {
		next-server marvin.redhat.com;
		hardware ethernet 12:34:56:78:AB:CD;
		fixed-address 207.175.42.254;
	}
}

########################### End dhcpd.conf #########################



	Would I need to add a route command like this to the router to get all
the non-Linux clients to be able to work???  The LDP discusses this in the
DHCP documents.

bash # route add -host 255.255.255.255 dev eth1


	Now to the confusing part (confusing for me at least...)

I think I now need to run the following commands on the router as "root" 
to get the rest of it working.

to set up a default route:
bash # route add default eth0 0


to route all 192.168.1.0/24 traffic to eth1:
bash # route add -net 192.168.1.0 -netmask 255.255.255.0 eth1 0

Once I've done this, what else do I need to do to get the router to 
masquerade traffic in both directions(ignore the firewall for a moment)?  
I would like the LAN computers to be able to access the internet and 
receive their traffic back through the router. 


	Now for the firewall stuff.  I have copied a few lines from the top of 
the MonMotha Firewall 2.3.8-pre2 that I am trying to get to work with my 
router. I would like to know from the experts out there if this looks 
correct and whether or not I should delete the MAC_MASQ section and just 
not use it...  Also, is it worth the while to turn USE_SYNCOOKIES on?  My 
current firewall has SYNCOOKIE protection turned on, but I don't know 
enough about SYNCOOKIES to know whether this is already sufficiently 
addressed in the MonMotha firewall. 

  


# Main configuration, modify to suit your setup.  Help can be found at:
#    http://www.mplug.org/phpwiki/index.php?MonMothaReferenceGuide
#
# set to your iptables location, must be set -- this is set /sbin/iptables for the router -- Ben
IPTABLES="/sbin/iptables"
#
#
TCP_ALLOW="22"					# TCP ports to allow
UDP_ALLOW="68 6112 6119 4000"			# UDP ports to allow
INET_IFACE="eth0"				# the interface your internet's on (one only), must be set
LAN_IFACE="eth1"				# the interface your LAN's on (one only)
INTERNAL_LAN="192.168.0.0/24 192.168.1.0/24"	# The internal LAN (including DMZs but not censored hosts)
MASQ_LAN="192.168.0.0/24 192.168.1.0/24"	# the internal network(s) to be masqueraded (this is overridden by MAC_MASQ)
#
# Internal networks/hosts to use static NAT (format is <internal ip or network>:<external ip>) (this is overridden by MAC_SNAT)
#
SNAT_LAN=""
#
#
# What to do with packets we don't want: DROP, REJECT, TREJECT (Reject with tcp-reset for TCP),
# LDROP (log and drop), LREJECT (log and reject), LTREJECT (log and reject with tcp-reset),
# ULDROP (ULOG and DROP)
DROP="TREJECT"
#
DENY_ALL=""					# Internet hosts to explicitly deny from accessing your system at all
DENY_HOSTWISE_TCP=""				# Specific hosts to deny access to specific TCP ports; format is "IP>PORT"
DENY_HOSTWISE_UDP=""				# Specific hosts to deny access to specific UDP ports; format is "IP>PORT"

# People you don't want to have anything to do with (equivalent of my old TK_DROP).  This is a bidirectional drop.
BLACKHOLE=""
BLACKHOLE_DROP="DROP"				# What to do for the blackholes (same options as DROP directive above)
ALLOW_ALL=""					# Internet hosts to explicitly allow full access to your system
ALLOW_HOSTWISE_TCP=""				# Specific hosts allowed access to specific TCP ports; format is "IP>PORT"
ALLOW_HOSTWISE_UDP=""				# Specific hosts allowed access to specific UDP ports; format is "IP>PORT"
TCP_FW=""					# TCP port forwards, form is "SPORT:DPORT>IP"
UDP_FW=""					# UDP port forwards, form is "SPORT:DPORT>IP"
MANGLE_TOS_OPTIMIZE="TRUE"			# TOS "optimizations" on or off (TRUE/FALSE toggle)
ENABLE="Y"					# Set to 'Y' when it's configured; this is for your own safety

# Flood Params.  You will still receive the packets and the bandwidth will be used, but this will cause floods to be
# ignored (useful against SYNFLOODS especially)

# Limit on logging (for LTREJECT, LREJECT and LDROP, the packet will always take the policy regardless of logging)
LOG_FLOOD="2/s"
#
# GLOBAL limit on SYN packets (servers will probably need even higher sustained rates as this isn't on a per IP basis)
SYN_FLOOD="20/s"
#
#
PING_FLOOD="1/s"				# GLOBAL limit on ICMP echo-requests to reply to
#
# Outbound filters (they work, but are of limited functionality), probably better to use a proxy here
# Internal hosts allowed to be forwarded out on TCP
# (do not put this/these host/s in INTERNAL_LAN, but do define their method of access [snat, masq] if not a public ip)

ALLOW_OUT_TCP=""

#
#
# Below here is experimental (please report your successes/failures)
# MAC addresses permitted to use masquerading, leave blank to not use
# VA Linux box 1 & 2, Sparc box, wireless hub, windoze box, macintosh
#
MAC_MASQ="00:90:27:A5:72:22 00:90:27:A5:72:11 8:0:20:81:2D:E6 00:90:D1:01:28:1C 00:90:D1:05:E0:C3"
#
#
# MAC addresses permitted to use static NAT, leave blank to not use (format is <MAC Address>:<external ip>)
MAC_SNAT=""
#
#
# How many hops packets need to make once they get on your LAN (null disables the mangling) (requires patch from patch-o-matic)
TTL_SAFE=""
#
USE_SYNCOOKIES="FALSE"				# TCP SynCookies on or off (TRUE/FALSE toggle)
RP_FILTER="TRUE"				# Turns rp_filter on or off on all interfaces (TRUE/FALSE toggle)
ACCEPT_SOURCE_ROUTE="FALSE"			# Turns accept_source_route on or off on all interfaces (TRUE/FALSE toggle)
PROXY=""					# Redirect for Squid or other transparent proxy. Syntax to specify the proxy is "host:port".

# Set to true if you run a DHCP server. DHCP clients do not need this.
# This allows broadcasts to the server from potential clients on the LAN to succeed.
# MUST DEFINE LAN_IFACE IF YOU USE THIS!
#
DHCP_SERVER="TRUE"
#
#
BAD_ICMP="5 9 10 15 16 17 18"			# ICMP messages to NOT allow in from internet

# Only touch these if you're daring (PREALPHA stuff, as in basically non-functional)
# Interface your DMZ is on (leave blank if you don't have one) MUST DEFINE LAN_IFACE IF YOU USE THIS!
DMZ_IFACE=""
#
#
#  Output an identifier message..
#
echo  "This is it...MonMotha's Firewall 2.3.8-pre2!"
echo  "All your h4x0rZ belong to Linux/Netfilter!"
#


Thanks again, 

Ben 
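As an added example (not part of Ben's post, the LDP sample, or the MonMotha script), the following POSIX sh functions compute a subnet's broadcast address and check a dhcpd `range` against it. It answers the .255-versus-.254 question in the post for any subnet and netmask, not just 192.168.1.0/24; the addresses used in the usage lines are the ones from the post.

```shell
#!/bin/sh
# Added example: sanity-check a dhcpd "range" against its subnet.
# Pure POSIX sh arithmetic; needs no root and nothing from the DHCP server.

# Dotted quad -> 32-bit integer
ip2int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# 32-bit integer -> dotted quad
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# broadcast_of <subnet> <netmask>: network bits OR'd with the inverted mask
broadcast_of() {
  int2ip $(( $(ip2int "$1") | ( $(ip2int "$2") ^ 4294967295 ) ))
}

# check_range <subnet> <netmask> <first> <last>
# Returns 0 when the range is usable for leases, 1 when it lies outside the
# subnet or swallows the network or broadcast address (the .255 in the post).
check_range() {
  net=$(ip2int "$1"); mask=$(ip2int "$2")
  first=$(ip2int "$3"); last=$(ip2int "$4")
  bcast=$(( net | (mask ^ 4294967295) ))
  if [ $(( first & mask )) -ne "$net" ] || [ $(( last & mask )) -ne "$net" ]; then
    echo "range $3-$4 is not inside $1 netmask $2"
    return 1
  fi
  if [ "$first" -eq "$net" ] || [ "$last" -ge "$bcast" ]; then
    echo "range $3-$4 includes the network or broadcast address;" \
         "usable hosts are $(int2ip $((net + 1)))-$(int2ip $((bcast - 1)))"
    return 1
  fi
  echo "range $3-$4 is OK"
}

# Usage: the values from the post, first as written, then with .254
check_range 192.168.1.0 255.255.255.0 192.168.1.128 192.168.1.255 || true
check_range 192.168.1.0 255.255.255.0 192.168.1.128 192.168.1.254
```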
