A hardware issue - was Re: [clug] Firewall settings on NetGear modem/router?

Alex Satrapa alexsatrapa at mac.com
Tue Jun 30 01:52:39 GMT 2009


On 30/06/2009, at 09:42 , Felix Karpfen wrote:

> But my assertion that the router - in its present environment - will
> never connect to the Internet is solidly based.

Ah, Grasshopper, you have much to unlearn!

Let's assume for a moment that everyone else in the world has no  
problem using a domestic ADSL2+ modem/router: for them it is a case of  
plugging things in and turning them on. What are you doing that is  
different, which results in your setup not working?

Here's how I connected my computer to the Internet via an ADSL modem/ 
router:
1) Plug in the ADSL equipment, make sure the ADSL sync comes up
2) Plug in the computer, connect the Ethernet port on the computer to  
the Ethernet port on the router
3) Turn the computer on, wait for it to boot, verify that it obtained  
an IP address in the 192.168.x.x, 172.x.x.x or 10.x.x.x ranges (*not*  
the 169.x.x.x range, which is self-assigned).
4) Open a web browser and point it at 192.168.1.1 (or whatever your  
router uses as its default address), log in as admin/admin
5) In the WAN configuration page, enter the username/password as given  
by my ISP
6) In the Router configuration page, change the administrator account  
to [redacted]/[redacted] so that someone out there on the Internet  
can't fiddle with my configuration using malicious JavaScript/AJAX
7) there is no step 7

An important point here is that your computer no longer connects  
directly to the Internet. Your computer will be on a private  
(unroutable) address behind a NAT firewall. You do not run PPPoE from  
your computer: the router is doing that now. The router is effectively  
replacing your dialup modem, your PPP service, and all your IPtables  
rules. You no longer configure your computer to connect to the  
Internet through your ISP, you configure your computer to connect to  
the Internet the way the router tells it to. This happens by having  
your computer accept an address, default route and DNS servers using  
DHCP, just as if you were connected to an Ethernet LAN.

You have to unlearn everything that you needed to learn in order to  
connect via dialup. Clear your IPtables rules (default policy ACCEPT,  
delete all rules) and do not fiddle with IPtables until you have a  
working connection which you can then break. "iptables -L" should show  
this:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


The "route" command should show something like this:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.228.0   *               255.255.255.0   U     0      0        0 eth0
default         192.168.228.2   0.0.0.0         UG    0      0        0 eth0

Note the "Gateway" listed for the default route: we'll use this in a  
moment. My gateway is 192.168.228.2 - yours will be different.

The "ifconfig" command should show something like this:

eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
           inet addr:192.168.228.132  Bcast:192.168.228.255  Mask:255.255.255.0
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:xxxx errors:0 dropped:0 overruns:0 frame:0
           TX packets:xxxx errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           ...

lo        Link encap:Local Loopback
           inet addr:127.0.0.1  Mask:255.0.0.0
           inet6 addr: ::1/128 Scope:Host
           UP LOOPBACK RUNNING  MTU:16436  Metric:1
           RX packets:317 errors:0 dropped:0 overruns:0 frame:0
           TX packets:317 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:29891 (29.1 KiB)  TX bytes:29891 (29.1 KiB)

Note that there are only two interfaces defined on my computer: the  
universal "local" interface, and the eth0 interface representing the  
physical Ethernet port connected to the router.

Now use ping to check that the "gateway" listed in the "route" output  
is accessible:

% ping 192.168.228.2
PING 192.168.228.2 (192.168.228.2) 56(84) bytes of data.
64 bytes from 192.168.228.2: icmp_seq=1 ttl=128 time=0.171 ms
64 bytes from 192.168.228.2: icmp_seq=2 ttl=128 time=0.148 ms

Now check that you can look up a common web site such as lists.samba.org:

% host lists.samba.org
lists.samba.org     	A	66.70.73.150

Finally, check that ping works (this won't work if you're on Velocity  
in Canberra, they block ICMP at their border router):

% ping -c1 lists.samba.org
PING lists.samba.org (66.70.73.150) 56(84) bytes of data.
64 bytes from mail.samba.org (66.70.73.150): icmp_seq=1 ttl=128 time=360 ms

--- lists.samba.org ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 360.328/360.328/360.328/0.000 ms


Once you have a connection that you can use to browse the web from  
your computer, only then do you start fiddling with port forwarding  
from the router to servers on your computer or adding rules to your  
iptables.

Alex
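
The checks walked through in the message above, as an added example that is not part of the original post: a shell script that classifies the host's address (private, self-assigned or public), extracts the default gateway from `route`/`route -n`/`ip route` output, and, when LIVE_CHECK is set, runs the gateway ping, DNS lookup and Internet ping the post describes. It assumes iproute2 `ip`, iputils `ping` and `getent` are installed; lists.samba.org is the hostname the post itself uses.

```shell
# Added example, not from the original post: the post's connectivity checks
# as a script. The offline parts run on constructed sample data; the live
# part needs iproute2 "ip", "ping" and "getent" and runs only if LIVE_CHECK is set.

# Classify a dotted-quad IPv4 address: private (RFC 1918), link-local
# (169.254/16, what a host assigns itself when DHCP fails) or public.
classify_addr() {
    case "$1" in
        10.*|192.168.*)                         echo private ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)  echo private ;;
        169.254.*)                              echo link-local ;;
        *)                                      echo public ;;
    esac
}

# Read routing-table text on stdin and print the default gateway. Handles
# "route" (Destination "default"), "route -n" ("0.0.0.0") and "ip route" ("default via").
default_gateway() {
    awk '$1 == "0.0.0.0" || $1 == "default" {
             if ($2 == "via") print $3; else print $2; exit }'
}

# Verdict for an address/gateway pair: "behind the router" means a
# private address plus a default route pointing at the router.
lan_verdict() {    # $1 = host address, $2 = default gateway (may be empty)
    case "$(classify_addr "$1")" in
        private)    if [ -n "$2" ]; then echo ok; else echo "no default route"; fi ;;
        link-local) echo "self-assigned address: DHCP from the router failed" ;;
        public)     echo "public address: host is not behind the router's NAT" ;;
    esac
}

# Constructed sample in the format the post shows for "route".
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.228.0   *               255.255.255.0   U     0      0        0 eth0
default         192.168.228.2   0.0.0.0         UG    0      0        0 eth0'

# Live version of the post's steps: address, gateway ping, DNS, Internet ping.
live_check() {
    addr=$(ip -4 -o addr show scope global | awk '{sub("/.*", "", $4); print $4; exit}')
    gw=$(ip route | default_gateway)
    echo "address $addr: $(lan_verdict "$addr" "$gw")"
    ping -c1 -W2 "$gw" >/dev/null 2>&1 && echo "gateway $gw reachable"
    getent hosts lists.samba.org >/dev/null && echo "DNS lookup works"
    ping -c1 -W3 lists.samba.org >/dev/null 2>&1 && echo "Internet reachable (ICMP)"
}

if [ -n "${LIVE_CHECK:-}" ]; then live_check; fi
echo "sample gateway: $(printf '%s\n' "$SAMPLE_ROUTE" | default_gateway)"
```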
