DSL Router Howto anyone?

Florin Boariu florin at bnv-bamberg.de
Sun Jul 1 14:24:17 PDT 2001

> There's some problems with your iptables rules in there:
>  - First off, you only select the packets to masquerade by source
>    IP address. The source IP can be easily forged. Always select
>    by incoming interface (eg. -i eth0). You might want to turn
>    return path filtering on (rp_filter) too, so the kernel drops
>    packets with "obviously" wrong source addresses right away (ie.
>    if an answer to an incoming packet would be routed through
>    another interface than it came in on).
>  - You enable forwarding for all packets with source
>    However, as you have neither default policies instated nor a
>    last "catch-all" rule in place, all packets will be forwarded
>    anyway, so there's no point in this rule. You might want to
>    instate a default forwarding policy of drop.

Thanks for the hints!

You say it, the rules are far from best (close to worst ;) Actually, that
was my first attempt to make it run, and after having spent almost a day
on a stupid mistake (echo "1" > /proc/sys/net/ipv4/...), I was glad it
worked and didn't touch it again. I was going to update the rules one

However, it runs, and it's simple.

> <quote>
> The installation of Iptables seemed quite special to me. It didn't
> make any trouble, but it looked like some software which could
> lead to trouble -- I happened to guess the correct settings, but
> I'm far from understanding the software deeply, so you're
> basically on your own ... :-/
> </quote>
> Why special? It's just missing a ./configure script. But there's
> not much to configure anyway.

Everything beyond configure && make && make install is special ;)

> First, do a
>   make pending-patches
> to apply the pending patches (ie. those which will be included in
> future kernels). I would not apply any patches from patch-o-matic
> unless you really know what you're doing. TCPMSS is a good idea,
> some of the other patches may not be. After compiling the patched
> kernel build iptables with make && make install. What's leading to
> trouble here? ;)

It was the patch-o-matic that was very suspect to me -- it left the worst
impression from the whole installation process. I didn't have any
problems, since I only applied the first two or three patches and then got
bored of poker and rejected all remaining packages. As you sad it, one
should better not apply that patches -- seems like I had a good intuition.

ip-filtering is one of the things which I do top-down (=> first use, then
understand) -- at least for the moment.

> Oh, you write that you don't know what's the TCPMSS line is all
> about. MSS (= maximum segment size) is a feature of TCP to let the
> other side know what the maximum packet resp segment size is. The
> --clamp-mss-to-pmtu calculates the correct size automagically and 
> fills in the MSS field in the TCP header. If you have set the
> correct MTU values for all your interfaces using ifconfig, you
> don't need this: everything will work ok without it. It's not a
> bad thing, but things work without it, too.

Yes, that makes it more clear. Let me guess why I need to set the segment
size: the dsl interface won't accept segments greater than 1492, but the
ethernet inferface _will_ send them. So, the packages being to big are
droped. Right?

Since you seem to be quite familiar with networking issues, I have one
more question: if I have two similar NICs in my computer, which one is
eth0 and which is eth1?

Does it matter where I plug which cable (the one being the DSL link, the
other one the HUB link)?
> More info in the Advanced Routing HOWTO:
> http://www.ds9a.nl/2.4Routing/HOWTO/cvs/2.4routing/output/2.4routing-16.html#ss16.7

> Last thing: I'm surprised there's no mentioning of Rusty's
> Unreliable Guides in there (at netfilter.gnumonks.org like
> iptables itself). They are quite good. ;)

Actually, the iptables-HOWTO is one of Rusty's Guides. To be honest, I
don't know where I got it from, I just downloaded it somewhere. After
writing the micro-howto I searched for it again with google.com, copied
the shortest URL and pasted it into the document. And yes, Rusty's
Unreliable Guides _are_ excellent ;)


Unsubscribe: send email to lfs-discuss-request at linuxfromscratch.org
and put unsubscribe in the subject header of the message

More information about the lfs-dev mailing list