Hi
I am trying to set up a router using Ubuntu Server 11.10. I edited the interfaces file as follows (replacing the xxx with the relevant details!):
# set up the local loopback interface
auto lo
iface lo inet loopback
# Setup External interface
auto eth0
iface eth0 inet static
address xxx.xxx.xxx.xxx
netmask xxx.xxx.xxx.xxx
gateway xxx.xxx.xxx.xxx
nameserver xxx.xxx.xxx.xxx
nameserver xxx.xxx.xxx.xxx
# Setup internal network interface
auto eth1
iface eth1 inet static
address 192.168.2.1
network 192.168.2.0
netmask 255.255.255.0
broadcast 192.168.2.255
After saving the file I tried to restart the networking
$ sudo /etc/init.d/networking restart
I then get the message
* Reconfiguring network interfaces
/etc/network/interfaces: duplicate option
ifdown: couldn't read interface file /etc/network/interfaces
/etc/network/interfaces: duplicate option
ifdown: couldn't read interface file /etc/network/interfaces
If I restore the backup interfaces file it reads it!
It does help to read the instructions carefully!! Just realised the nameserver should be in /etc/resolv.conf and not in interfaces!!
Now I have the next problem - IP forwarding and masquerading. I have created nat.sh as per the instructions in the Router documentation.
The code is as follows:
echo -e "\n\nLoading simple rc.firewall-iptables version $FWVER..\n"
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
EXTIF="eth0"
INTIF="eth1"
#INTIF2="eth0"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
#======================================================================
#== No editing beyond this line is required for initial MASQ testing ==
echo -en " loading modules: "
echo " - Verifying that all kernel modules are ok"
$DEPMOD -a
echo "----------------------------------------------------------------------"
echo -en "ip_tables, "
$MODPROBE ip_tables
echo -en "nf_conntrack, "
$MODPROBE nf_conntrack
echo -en "nf_conntrack_ftp, "
$MODPROBE nf_conntrack_ftp
echo -en "nf_conntrack_irc, "
$MODPROBE nf_conntrack_irc
echo -en "iptable_nat, "
$MODPROBE iptable_nat
echo -en "nf_nat_ftp, "
$MODPROBE nf_nat_ftp
echo "----------------------------------------------------------------------"
echo -e " Done loading modules.\n"
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo " Clearing any existing rules and setting default policy.."
iptables-restore <<-EOF
*nat
-A POSTROUTING -o "$EXTIF" -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i "$EXTIF" -o "$INTIF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
-A FORWARD -j LOG
COMMIT
EOF
echo -e "\nrc.firewall-iptables v$FWVER done.\n"
I can access the internet from the Linux server, I can "see" the test client from the server and "see" the server from the client, but cannot access the internet from the client. Any suggestions would be greatly appreciated!
You need to add a rule for the initial package, you have the RELATED/ESTABLISHED covered, but what about the NEW flag ??
Don't worry Ma'am. We're university students, - We know what We're doing.
'Ruiat coelum, fiat voluntas tua.' Computer science - a lifestyle; no life, no style.
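The forwarding path that the nat.sh rules in this thread set up can be checked mechanically. The following is an added example, not part of any post here: it audits an iptables-save dump for the masquerade rule and the two FORWARD rules the script loads. The names audit_nat and sample_dump and the sample dump are constructed for illustration, and the check covers rule presence only, not rule order, ip_forward, or the client's gateway and DNS settings.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for the rules nat.sh depends on.
# On a live router (as root): iptables-save | audit_nat eth0 eth1
# audit_nat WAN LAN: reads the dump on stdin, prints one line per missing
# rule and returns the number of missing rules (0 = all present).
audit_nat() {
    awk -v wan="$1" -v lan="$2" '
        # val(flag): the word following "flag" in the current rule, or ""
        function val(flag,    i) {
            for (i = 1; i < NF; i++) if ($i == flag) return $(i + 1)
            return ""
        }
        { gsub(/"/, "") }                       # nat.sh quotes interface names
        /^\*/ { table = substr($1, 2); next }   # table header: *nat, *filter
        table == "filter" && $1 == ":FORWARD" { policy = $2 }
        $1 != "-A" { next }
        table == "nat" && $2 == "POSTROUTING" && val("-o") == wan && val("-j") == "MASQUERADE" { masq = 1 }
        table == "filter" && $2 == "FORWARD" && val("-j") == "ACCEPT" {
            st = val("--ctstate"); if (st == "") st = val("--state")
            # A rule with no state match accepts every state, NEW included.
            if (val("-i") == lan && val("-o") == wan && (st == "" || st ~ /NEW/)) out = 1
            if (val("-i") == wan && val("-o") == lan && (st == "" || st ~ /ESTABLISHED/)) back = 1
        }
        END {
            if (policy == "ACCEPT") out = back = 1   # FORWARD filters nothing
            if (!masq) { print "missing: nat POSTROUTING -o " wan " -j MASQUERADE"; n++ }
            if (!out)  { print "missing: FORWARD " lan " -> " wan " ACCEPT for NEW"; n++ }
            if (!back) { print "missing: FORWARD " wan " -> " lan " ACCEPT for ESTABLISHED"; n++ }
            exit n + 0
        }'
}
# Constructed sample: the ruleset nat.sh loads, as iptables-save prints it.
sample_dump() {
    cat <<'EOF'
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -j LOG
COMMIT
EOF
}
sample_dump | audit_nat eth0 eth1 && echo "ruleset OK"
```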
Hi Redhead, could you be more specific, i.e. the exact code? I am totally new to this sort of thing and have been thrown in the deep end with this and floundering somewhat!
I eventually used the code found in this http://ubuntuforums.org/showthread.php?t=119787 and it is working.
Now how do I mark it as solved?
Well, just as a teaser, here is a firewall script I created some years ago. It is no longer in use, since some of the rules in it no longer apply to iptables, but I use it as a reference for someone to read through it and get an idea of how/what thoughts go into setting up a firewall.
And I've marked the thread with solved, on the OPs request.