DSL Router Howto anyone?
florin at bnv-bamberg.de
Sun Jul 1 14:24:17 PDT 2001
> There's some problems with your iptables rules in there:
> - First off, you only select the packets to masquerade by source
> IP address. The source IP can be easily forged. Always select
> by incoming interface (eg. -i eth0). You might want to turn
> return path filtering on (rp_filter) too, so the kernel drops
> packets with "obviously" wrong source addresses right away (ie.
> if an answer to an incoming packet would be routed through
> another interface than it came in on).
> - You enable forwarding for all packets with source 10.1.1.0/24.
> However, as you have neither default policies instated nor a
> last "catch-all" rule in place, all packets will be forwarded
> anyway, so there's no point in this rule. You might want to
> instate a default forwarding policy of drop.
Thanks for the hints!
You say it, the rules are far from best (close to worst ;) Actually, that
was my first attempt to make it run, and after having spent almost a day
on a stupid mistake (echo "1" > /proc/sys/net/ipv4/...), I was glad it
worked and didn't touch it again. I was going to update the rules one
However, it runs, and it's simple.
> The installation of Iptables seemed quite special to me. It didn't
> make any trouble, but it looked like some software which could
> lead to trouble -- I happened to guess the correct settings, but
> I'm far from understanding the software deeply, so you're
> basically on your own ... :-/
> Why special? It's just missing a ./configure script. But there's
> not much to configure anyway.
Everything beyond configure && make && make install is special ;)
> First, do a
> make pending-patches
> to apply the pending patches (ie. those which will be included in
> future kernels). I would not apply any patches from patch-o-matic
> unless you really know what you're doing. TCPMSS is a good idea,
> some of the other patches may not be. After compiling the patched
> kernel build iptables with make && make install. What's leading to
> trouble here? ;)
It was the patch-o-matic that was very suspect to me -- it left the worst
impression from the whole installation process. I didn't have any
problems, since I only applied the first two or three patches and then got
bored of poker and rejected all remaining packages. As you said it, one
should better not apply those patches -- seems like I had a good intuition.
ip-filtering is one of the things which I do top-down (=> first use, then
understand) -- at least for the moment.
> Oh, you write that you don't know what's the TCPMSS line is all
> about. MSS (= maximum segment size) is a feature of TCP to let the
> other side know what the maximum packet resp segment size is. The
> --clamp-mss-to-pmtu calculates the correct size automagically and
> fills in the MSS field in the TCP header. If you have set the
> correct MTU values for all your interfaces using ifconfig, you
> don't need this: everything will work ok without it. It's not a
> bad thing, but things work without it, too.
Yes, that makes it more clear. Let me guess why I need to set the segment
size: the dsl interface won't accept segments greater than 1492, but the
ethernet interface _will_ send them. So, the packets being too big are
Since you seem to be quite familiar with networking issues, I have one
more question: if I have two similar NICs in my computer, which one is
eth0 and which is eth1?
Does it matter where I plug which cable (the one being the DSL link, the
other one the HUB link)?
> More info in the Advanced Routing HOWTO:
> Last thing: I'm surprised there's no mentioning of Rusty's
> Unreliable Guides in there (at netfilter.gnumonks.org like
> iptables itself). They are quite good. ;)
Actually, the iptables-HOWTO is one of Rusty's Guides. To be honest, I
don't know where I got it from, I just downloaded it somewhere. After
writing the micro-howto I searched for it again with google.com, copied
the shortest URL and pasted it into the document. And yes, Rusty's
Unreliable Guides _are_ excellent ;)
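The ruleset the quoted reply recommends (select by interface, turn on rp_filter, default policy DROP, plus the TCPMSS clamp), written out as an added example; it is not the micro-howto's rules and not anyone's code from this thread. The interface names ppp0 (DSL link) and eth1 (hub side), the use of `sysctl -w` instead of writing /proc directly, and the use of the `state` match are assumptions; 10.1.1.0/24 is the LAN network named in the thread. Run it as root with `apply`, or with `show` to just print the commands.

```shell
#!/bin/sh
# Added example: minimal DSL-router ruleset following the hints in the thread.
# Interface names, the LAN network and "sysctl -w" are assumptions.
set -u

WAN=${WAN:-ppp0}               # assumed: PPPoE DSL link
LAN=${LAN:-eth1}               # assumed: NIC facing the hub
LANNET=${LANNET:-10.1.1.0/24}  # LAN network from the thread
IPT=${IPT:-iptables}
: "${DRY_RUN:=0}"              # DRY_RUN=1 prints commands instead of running them

# Print or execute one command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

build_rules() {
    # Kernel side: enable forwarding, and drop packets whose source address
    # would not be routed back out of the interface they arrived on.
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.rp_filter=1
    run sysctl -w net.ipv4.conf.default.rp_filter=1

    # Empty chains and a DROP policy: anything not accepted below is dropped
    # instead of being forwarded by default.
    run "$IPT" -F
    run "$IPT" -t nat -F
    run "$IPT" -t mangle -F
    run "$IPT" -P INPUT DROP
    run "$IPT" -P FORWARD DROP
    run "$IPT" -P OUTPUT ACCEPT

    # Anti-spoofing: the LAN network must never arrive on the DSL side.
    run "$IPT" -A INPUT   -i "$WAN" -s "$LANNET" -j DROP
    run "$IPT" -A FORWARD -i "$WAN" -s "$LANNET" -j DROP

    # Traffic to the router itself: loopback, the LAN, and replies to
    # connections the router opened.
    run "$IPT" -A INPUT -i lo -j ACCEPT
    run "$IPT" -A INPUT -i "$LAN" -s "$LANNET" -j ACCEPT
    run "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Forwarding is selected by incoming and outgoing interface, not by source
    # address alone; packets from the DSL side are only forwarded back in if
    # they belong to a connection the LAN opened.
    run "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -s "$LANNET" -j ACCEPT
    run "$IPT" -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Masquerade by outgoing interface (the DSL address is dynamic).
    run "$IPT" -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    # Clamp the MSS of forwarded SYNs to the path MTU so segments fit the
    # 1492-byte PPPoE link.
    run "$IPT" -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu
}

# Usage: sh dsl-router.sh show   (print the commands)
#        sh dsl-router.sh apply  (run them, as root)
case "${1:-}" in
    show)  DRY_RUN=1; build_rules ;;
    apply) DRY_RUN=0; build_rules ;;
esac
```

The interface-based rules only do what they should if ppp0 really is the DSL link and eth1 the hub side, so check with `show` and against `ifconfig` before `apply`.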