A hardware issue - was Re: [clug] Firewall settings on NetGear modem/router?
Alex Satrapa
alexsatrapa at mac.com
Tue Jun 30 01:52:39 GMT 2009
On 30/06/2009, at 09:42 , Felix Karpfen wrote:
> But my assertion that the router - in its present environment - will
> never connect to the Internet is solidly based.
Ah, Grasshopper, you have much to unlearn!
Let's assume for a moment that everyone else in the world has no
problem using a domestic ADSL2+ modem/router: for them it is a case of
plugging things in and turning them on. What are you doing that is
different, which results in your setup not working?
Here's how I connected my computer to the Internet via an ADSL modem/
router:
1) Plug in the ADSL equipment, make sure the ADSL sync comes up
2) Plug in the computer, connect the Ethernet port on the computer to
the Ethernet port on the router
3) Turn the computer on, wait for it to boot, verify that it obtained
an IP address in the 192.168.x.x, 172.x.x.x or 10.x.x.x ranges (*not*
169.x.x.x range which is self-assigned).
4) Open a web browser and point it at 192.168.1.1 (or whatever your
router uses as its default address), log in as admin/admin
5) In the WAN configuration page, enter the username/password as given
by my ISP
6) In the Router configuration page, change the administrator account
to [redacted]/[redacted] so that someone out there on the Internet
can't fiddle with my configuration using malicious JavaScript/AJAX
7) there is no step 7
An important point here is that your computer no longer connects
directly to the Internet. Your computer will be on a private
(unroutable) address behind a NAT firewall. You do not run PPPoE from
your computer: the router is doing that now. The router is effectively
replacing your dialup modem, your PPP service, and all your IPtables
rules. You no longer configure your computer to connect to the
Internet through your ISP, you configure your computer to connect to
the Internet the way the router tells it to. This happens by having
your computer accept an address, default route and DNS servers using
DHCP, just as if you were connected to an Ethernet LAN.
You have to unlearn everything that you needed to learn in order to
connect via dialup. Clear your iptables rules (default policy ACCEPT,
delete all rules) and do not fiddle with iptables until you have a
working connection which you can then break. "iptables -L" should show
this:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
The "route" command should show something like this:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.228.0   *               255.255.255.0   U     0      0        0 eth0
default         192.168.228.2   0.0.0.0         UG    0      0        0 eth0
Note the "Gateway" listed for the default route: we'll use this in a
moment. My gateway is 192.168.228.2 - yours will be different.
The "ifconfig" command should show something like this:
eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:192.168.228.132  Bcast:192.168.228.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:xxxx errors:0 dropped:0 overruns:0 frame:0
          TX packets:xxxx errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          ...

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:317 errors:0 dropped:0 overruns:0 frame:0
          TX packets:317 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:29891 (29.1 KiB)  TX bytes:29891 (29.1 KiB)
Note that there are only two interfaces defined on my computer: the
universal "local" interface, and the eth0 interface representing the
physical Ethernet port connected to the router.
Now use ping to check that the "gateway" listed in the "route" output
is accessible:
% ping 192.168.228.2
PING 192.168.228.2 (192.168.228.2) 56(84) bytes of data.
64 bytes from 192.168.228.2: icmp_seq=1 ttl=128 time=0.171 ms
64 bytes from 192.168.228.2: icmp_seq=2 ttl=128 time=0.148 ms
Now check that you can look up a common web site such as lists.samba.org:
% host lists.samba.org
lists.samba.org A 66.70.73.150
Finally, check that ping works (this won't work if you're on Velocity
in Canberra, they block ICMP at their border router):
% ping -c1 lists.samba.org
PING lists.samba.org (66.70.73.150) 56(84) bytes of data.
64 bytes from mail.samba.org (66.70.73.150): icmp_seq=1 ttl=128 time=360 ms
--- lists.samba.org ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 360.328/360.328/360.328/0.000 ms
Once you have a connection that you can use to browse the web from
your computer, only then do you start fiddling with port forwarding
from the router to servers on your computer or adding rules to your
iptables.
Alex
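The staged checks Alex walks through, as an added shell example that is not part of the original post: the parsing helpers work on the kind of "iptables -L", "route" and "host" output shown above, and run_checks performs the live sequence in the post's order when the script is invoked with "--live". It assumes a Linux box with iputils ping (-W), the ip and host commands, and uses lists.samba.org as the test host only because the post does.

```sh
#!/bin/sh
# Added example, not part of Alex's post: stage his checks so that the
# first failing stage names the layer to look at (LAN, router, DNS, WAN).

# Step 3: classify the address DHCP handed out. RFC 1918 private space is
# what a home router gives; 169.254.x.x means the DHCP lease never arrived.
classify_addr() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo private ;;
        169.254.*) echo link-local ;;
        *) echo other ;;
    esac
}

# Print the gateway of the default route from "route", "route -n" or
# "ip route" output on stdin (the address the post pings first).
default_gateway() {
    awk '$1 == "default" && $2 == "via" { print $3; exit }
         $1 == "default" || $1 == "0.0.0.0" { print $2; exit }'
}

# Read "iptables -L" output; print any chain whose policy is not ACCEPT.
# Exit status 0 only when every chain is ACCEPT (the post's clean state).
non_accept_chains() {
    awk '/^Chain / { gsub(/[()]/, "", $4); if ($4 != "ACCEPT") { print $2; bad = 1 } }
         END { exit bad + 0 }'
}

# Live walk-through in the post's order, stopping at the first failure.
run_checks() {
    target=${1:-lists.samba.org}
    bad=$(iptables -L 2>/dev/null | non_accept_chains) ||
        { echo "iptables chains not ACCEPT: $bad (flush before debugging)"; return 1; }
    gw=$(ip -4 route 2>/dev/null | default_gateway)
    [ -n "$gw" ] || { echo "no default route: DHCP gave no gateway"; return 1; }
    ping -c1 -W2 "$gw" >/dev/null 2>&1 ||
        { echo "gateway $gw unreachable: cable, link or LAN address problem"; return 1; }
    addr=$(host "$target" 2>/dev/null | awk '/has address/ { print $4; exit }
                                              $2 == "A" { print $3; exit }')
    [ -n "$addr" ] || { echo "DNS lookup of $target failed: check the DNS servers DHCP supplied"; return 1; }
    ping -c1 -W2 "$addr" >/dev/null 2>&1 ||
        { echo "$target ($addr) unreachable: WAN/PPPoE is down or the ISP drops ICMP"; return 1; }
    echo "all stages OK: gateway $gw, $target is $addr"
}

if [ "${1:-}" = "--live" ]; then
    run_checks "${2:-lists.samba.org}"
fi
```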