<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=iso-8859-1">
<TITLE>Re: [luau] Re:Router help request</TITLE>
<META NAME="GENERATOR" CONTENT="StarOffice/5.2 (Linux)">
<META NAME="CREATED" CONTENT="20011229;15304200">
<META NAME="CHANGEDBY" CONTENT="Ben Beeson">
<META NAME="CHANGED" CONTENT="20011229;16390200">
</HEAD>
<BODY>
<PRE>To all,
Thanks in advance for your help. I apologize for the long winded
reply. I think I may be able to figure this out, but I want to make
sure that I get it mostly right before I go fiddling with
everything.... Here's what I am trying to do:
(I hope this picture looks OK...)
Internet <--> router<-->Linksys 5 port workgroup hub<-| --> Sparc 20
running Linux
| --> VA Linux box running RH Linux
| --> Wireless Access Point <--->| <-- Windows box
| <-- iMac Box
| <-- PC Laptop (Occasionally)
For the internal lan part, I will use the 192.168.1.0/24 series of
addresses. I'd like to use dhcp to assign these addresses since it
makes it easier once set up to add or delete nodes as needed once it is
setup.
For a setup like this, would the following commands fix dhcpd so it
provides addresses to queries on eth1 (the internal interface) once the
dhcp daemon was started?
########################### Begin dhcpd.conf
###########################################
#
# Sample dhcpd.conf file shamelessly stolen from the
# LDP files with a few embedded questions....
#
#
subnet 192.168.1.0 netmask 255.255.255.0 {
# --- default gateway
option routers 192.168.1.1;
option subnet-mask 255.255.255.0;
# NIS not used here
# option nis-domain "domain.org";
# option domain-name "domain.org";
# option domain-name-servers 192.168.1.1;
option time-offset -10; # Hawaii Standard Time
# option ntp-servers 192.168.1.1;
# option netbios-name-servers 192.168.1.1;
# --- Selects point-to-point node (default is hybrid). Don't change
this unless
# -- you understand Netbios very well
# option netbios-node-type 2;
# I think the next stanza means dhcpd will begin providing addresses
at 192.168.1.128
# and continue through address 192.168.1.255. This doesn't make sense
to me
# because 192.168.1.255 should be the broadcast address shouldn't it?
Do I need
# to change the last address to .254, or should I leave it alone???
range dynamic-bootp 192.168.1.128 192.168.1.255;
default-lease-time 21600;
max-lease-time 43200;
#
# H-m-m-m do I need something like this, or can I use the road runner
nameserver???
# I wonder if I could just delete this section all together and use
the
# 24.25.227.34 and .36 addresses that road runner provides and are
entered into the
# network config for the router itself.
#
# we want the nameserver to appear at a fixed address
host ns {
next-server marvin.redhat.com;
hardware ethernet 12:34:56:78:AB:CD;
fixed-address 207.175.42.254;
}
}
########################### End dhcpd.conf #########################
Would I need to add a route command like this to the router to get all
the non-linux
clients to be able to work??? The LDP discusses this in the dhcp
documents.
bash # route add -host 255.255.255.255 dev eth1
<FONT FACE="Courier, monospace"><FONT SIZE=2> Now to the confusing part (confusing for me at least...)</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>I think I now need to run the following commands on the router as
"root" to get the rest of it working.</FONT></FONT>
</PRE><P STYLE="margin-bottom: 0in">
<FONT FACE="Courier, monospace"><FONT SIZE=2>to set up a default route:</FONT></FONT></P>
<PRE><FONT FACE="Courier, monospace"><FONT SIZE=2>bash # route add default eth0 0</FONT></FONT>
<FONT SIZE=2><FONT FACE="Courier, monospace">to route all 192.168.1.0/24 traffic to eth1:</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>bash # route add -net 192.168.1.0 -netmask 255.255.255.0 eth1 0</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>Once I've done this, what else do I need to do to get the router to
masquerade traffic in both directions(ignore the firewall for a
moment)? I would like the LAN computers to be able to access the
internet and receive their traffic back through the router. </FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2> Now for the firewall stuff. I have copied a few lines from the top of
the MonMotha Firewall 2.3.8-pre2 that I am trying to get to work with
my router. I would like to know from the experts out there if this
looks correct and whether or not I should delete the MAC_MASQ section
and just not use it... Also, is it worth the while to turn
USE_SYNCOOKIES on? My current firewall has SYNCOOKIE protection turned
on, but I don't know enough about SYNCOOKIES to know whether this is
already sufficiently addressed in the MonMotha firewall. </FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2> </FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2># Main configuration, modify to suit your setup. Help can be found at:</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2># http://www.mplug.org/phpwiki/index.php?MonMothaReferenceGuide</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>#</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2># set to your iptables location, must be set -- this is set
/sbin/iptables for the router -- Ben</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>IPTABLES="/sbin/iptables"</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>#</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2># </FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>TCP_ALLOW="22" # TCP ports to allow</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>UDP_ALLOW="68 6112 6119 4000" # UDP ports to allow</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>INET_IFACE="eth0" # the interface your internet's on (one only),
must be set</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>LAN_IFACE="eth1" # the interface your LAN's on (one only)</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>INTERNAL_LAN="192.168.0.0/24 192.168.1.0/24" # The internal LAN
(including DMZs but not censored hosts)</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>MASQ_LAN="192.168.0.0/24 192.168.1.0/24" # the internal network(s) to
be masqueraded (this is overridden by MAC_MASQ)</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>#</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2># Internal networks/hosts to use static NAT (format is <internal ip or
network>:<external ip>) (this is overridden by MAC_SNAT)</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>#</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>SNAT_LAN="" </FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>#</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>#</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2># What to do with packets we don't want: DROP, REJECT, TREJECT (Reject
with tcp-reset for TCP),</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2># LDROP (log and drop), LREJECT (log and reject), LTREJECT (log and
reject with tcp-reset),</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2># ULDROP (ULOG and DROP)</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>DROP="TREJECT" </FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2># </FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>DENY_ALL="" # Internet hosts to explicitly deny from accessing your
system at all</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>DENY_HOSTWISE_TCP="" # Specific hosts to deny access to specific TCP
ports; format is "IP>PORT"</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>DENY_HOSTWISE_UDP="" # Specific hosts to deny access to specific UDP
ports; format is "IP>PORT"</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2># People you don't want to have anything to do with (equivlent of my
old TK_DROP). This is a bidirectional drop.</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>BLACKHOLE="" </FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>BLACKHOLE_DROP="DROP" # What to do for the blackholes (same options
as DROP directive above)</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>ALLOW_ALL="" # Internet hosts to explicitly allow full access to
your system</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>ALLOW_HOSTWISE_TCP="" # Specific hosts allowed access to specific
TCP ports; format is "IP>PORT"</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>ALLOW_HOSTWISE_UDP="" # Specific hosts allowed access to specific
UDP ports; format is "IP>PORT"</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>TCP_FW="" # TCP port forwards, form is "SPORT:DPORT>IP"</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>UDP_FW="" # UDP port forwards, form is "SPORT:DPORT>IP"</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>MANGLE_TOS_OPTIMIZE="TRUE" # TOS "optimizations" on or off
(TRUE/FALSE toggle)</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>ENABLE="Y" # Set to 'Y' when it's configured; this is for your own
saftey</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2># Flood Params. You will still recieve the packets and the bandwidth
will be used, but this will cause floods to be </FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2># ignored (useful against SYNFLOODS especially)</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2># Limit on logging (for LTREJECT, LREJECT and LDROP, the packet will
always take the policy regardless of logging)</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>LOG_FLOOD="2/s" </FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2># </FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2># GLOBAL limit on SYN packets (servers will probably need even higher
sustained rates as this isn't on a per IP basis) </FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>SYN_FLOOD="20/s"</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>#</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2># </FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>PING_FLOOD="1/s" # GLOBAL limit on ICMP echo-requests to reply to</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>#</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2># Outbound filters (they work, but are of limited functionality),
probably better to use a proxy here</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2># Internal hosts allowed to be forwarded out on TCP </FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2># (do not put this/these host/s in INTERNAL_LAN, but do define their
method of access [snat, masq] if not a public ip)</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>ALLOW_OUT_TCP=""</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>#</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2># </FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2># Below here is experimental (please report your successes/failures)</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2># MAC addresses permitted to use masquerading, leave blank to not use</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>#VALinux box 1 & 2, Sparc box, wireless hub, windoze box, macintosh </FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>#</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>MAC_MASQ="00:90:27:A5:72:22 00:90:27:A5:72:11 8:0:20:81:2D:E6
00:90:D1:01:28:1C 00:90:D1:05:E0:C3 "</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>#</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>#</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2># MAC addresses permitted to use static NAT, leave blank to not use
(format is <MAC Address>:<external ip>)</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>MAC_SNAT=""</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>#</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>#</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2># How many hops packets need to make once they get on your LAN (null
disables the mangling) (requires patch from patch-o-matic) </FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>TTL_SAFE=""</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2># </FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>USE_SYNCOOKIES="FALSE" # TCP SynCookies on or off (TRUE/FALSE
toggle)</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>RP_FILTER="TRUE" # Turns rp_filter on or off on all interfaces
(TRUE/FALSE toggle)</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>ACCEPT_SOURCE_ROUTE="FALSE" # Turns accept_source_route on or off on
all interfaces (TRUE/FALSE toggle)</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>PROXY="" # Redirect for Squid or other transparent proxy. Syntax to
specify the proxy is "host:port".</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2># Set to true if you run a DHCP server. DHCP clients do not need this.</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2># This allows broadcasts to the server from potential clients on the
LAN to succeede. </FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2># MUST DEFINE LAN_IFACE IF YOU USE THIS! </FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>#</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>DHCP_SERVER="TRUE"</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>#</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2># </FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>BAD_ICMP="5 9 10 15 16 17 18" # ICMP messages to NOT allow in from
internet</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2># Only touch these if you're daring (PREALPHA stuff, as in basically
non-functional)</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2># Interface your DMZ is on (leave blank if you don't have one) MUST
DEFINE LAN_IFACE IF YOU USE THIS!</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>DMZ_IFACE="" </FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>#</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>#</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2># Output an identifier message..</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>#</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>echo "This is it...MonMotha's Firewall 2.3.8-pre2!"</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>echo "All your h4x0rZ belong to Linux/Netfilter!"</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>#</FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>Thanks again, </FONT></FONT>
<FONT FACE="Courier, monospace"><FONT SIZE=2>Ben </FONT></FONT>
</PRE>
</BODY>
</HTML>