  1. #1
    Just Joined!
    Join Date
    Jul 2008
    Posts
    3

    Iptables for a PPPoE server with NAT


    Hi!

    I just switched my home server from Windows Server 2008 (trial) to Gentoo Linux. I was thinking about actually buying WS2k8 Standard, but after several serious issues I'm now giving linux a try.

    Well, I have ADSL (using PPPoE) set up and after installing dnsmasq and spending some time with different iptables examples and its man page, I think I've got NAT / IP masquerading set up safe and proper.

    I know on the packet level how packet filtering and NAT routing work, but this is my first contact with iptables, so I'd be happy if someone could comment on my config and correct me where I'm wrong!

    --

    1.
    I'm using a switch for everything, including the PPPoE modem, so ppp0 (the dialup connection) is actually going through eth0. Does this mean that if I set up a rule for eth0 this also applies to ppp0?

    --

    2.
    Assuming that the answer to 1. is yes, I set up the following rules for inbound (INPUT) packets in the 'filter' table:

    Code:
    # Allow all inbound traffic from local and intranet
    -A INPUT -s 192.168.124.0/24 -j ACCEPT
    -A INPUT -s 127.0.0.1 -j ACCEPT
    
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    
    # Example for opening up a port
    #-A INPUT -i ppp0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
    #-A INPUT -i ppp0 -p tcp -m state --state NEW --dport 443 -j ACCEPT
    
    # Rejected anything else
    -A INPUT -j REJECT --reject-with icmp-port-unreachable

    To my understanding, that should block anything that doesn't originate from the local network. The commented lines are what I would use to open up a port if I wanted to run a web server on the NAT router itself.
    Do you see anything fundamentally wrong?

    --

    3.
    Again assuming that the answer to question 1. is yes, I set up the rules to route between my home network and the internet like this:

    Code:
    -A FORWARD -s 192.168.124.0/24 -o ppp0 -j ACCEPT
    -A FORWARD -i ppp0 -d 192.168.124.0/24 -j ACCEPT

    It works, but how does my server know where to route packets that target an internet IP? I never touched a routing table at all.

    --

    4. Finally, that's the only entry in my "nat" table:
    Code:
    -A POSTROUTING -o ppp0 -j MASQUERADE

    Can't believe that this is all I have to do, but yet it seems so.

  2. #2
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Quote Originally Posted by Cygon
    1.
    I'm using a switch for everything, including the PPPoE modem, so ppp0 (the dialup connection) is actually going through eth0. Does this mean
    that if I set up a rule for eth0 this also applies to ppp0?
    The firewall should be applied to the interface that the traffic is traveling through. Since the dialup is on the router your firewall rules apply to nothing. If your system is connected to the router with ethernet then your firewall rules should be applied to that interface.


    2.
    Do you see anything fundamentally wrong?
    Yes, see above for all your questions.

    Take a look at this site for IPTABLES Tutorial

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  3. #3
    Just Joined!
    Join Date
    Jul 2008
    Posts
    3
    Sorry, but I can't quite follow that. Maybe a simple misunderstanding.

    My linux system *is* the router. This is my setup:
    - Linux system with one network port (eth0) connected to a network switch
    - PPPoE modem (not router) connected to the same network switch

    The linux system acts as the DHCP server, DNS caching server and NAT router for my network. The 'ppp0' connection is thus only a virtual network interface that sends all data fed to it through eth0 to the DSL modem.

    Inbound traffic from the internet arrives through ppp0 (which means the data already passed eth0 as PPPoE (non-TCP/IP) packets). Since a NAT router forwards client requests as if they originated from itself, the answer packets are addressed to the NAT router, thus my rules should apply.

    An nmap scan of the system - both locally and from an actual internet server - confirms that all ports are "filtered".

  4. #4
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    This is how I understand your setup;

    <internet> - <PPPoE> - <Switch> - <Linux> - <LAN>


    In this case the Linux box does not touch the PPPoE modem, thus your firewall only has eth* interfaces and thus the rules only apply to eth* interfaces, and any ppp0 interface you have configured will never be used.

    Regards
    Robert


  5. #5
    Just Joined!
    Join Date
    Jul 2008
    Posts
    3
    To be accurate, it's

    Code:
    <internet> -- <pppoe modem> --- switch --- <linux server>
                                    | | |
                                    | | |
                                <windows pcs>

    My firewall rule uses the network address (192.168.124.0/24) instead of the network interface (eth0), so it will filter any IP packets not originating from my local subnet.

    This is how I understand it:

    Example a) A local windows PC connected to the switch tries to contact an internet IP. It sends the packet to the gateway (my linux box). Rule "-A INPUT -s 192.168.124.0/24 -j ACCEPT" applies and accepts the packet. My linux box examines the packet and sees that it needs routing. Thus, the -A FORWARD -s 192.168.124.0/24 -o ppp0 -j ACCEPT rule applies and the packet is modified so it looks like it came from the server (DNAT) before sending it to ppp0. Later, the answer arrives from ppp0, addressed to the NAT server (again, my linux box), so the INPUT rules apply. The packet matches the -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT rule and thus is accepted. My NAT notices this corresponds to a NAT client and routes it back to the windows PC. Job done.

    Example b) Someone on the internet tries to contact my PC (e.g. port 4662 - edonkey). The packet arrives on ppp0 and targets my linux box. None of the INPUT rules apply, so the final catch-all rule applies: -A INPUT -j REJECT --reject-with icmp-port-unreachable. The packet is rejected.
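
    The two walkthroughs above can be checked against a small model of how iptables evaluates a chain: rules are tried top to bottom and the first one whose matches all succeed decides the verdict (here ACCEPT or REJECT). The script below is an added example written for this thread, not code posted by anyone in it. It copies the INPUT rules from post #1 verbatim and evaluates them against constructed packets for example a) (a LAN request and its ESTABLISHED reply) and example b) (an unsolicited connection from the internet). It also runs a hardened variant, constructed here, in which the LAN accept rule is pinned to eth0 with -i, because -s alone matches on the source address regardless of the interface a packet arrived on; a packet that arrives on ppp0 carrying a 192.168.124.x source is accepted by the original rule set but rejected by the hardened one (the kernel's rp_filter sysctl is the usual second line of defence for that case). The hardened variant also uncomments the thread's own "open port 80 on ppp0" rule to show that -i ppp0 matches exactly the traffic decapsulated from PPPoE. Only the handful of iptables options used on this page are parsed; everything else is rejected.

```python
"""Toy first-match model of an iptables chain, limited to the options used in this thread."""
from ipaddress import ip_address, ip_network

# INPUT chain copied from post #1 of the thread (comments and commented rules omitted).
ORIGINAL_INPUT = [
    "-A INPUT -s 192.168.124.0/24 -j ACCEPT",
    "-A INPUT -s 127.0.0.1 -j ACCEPT",
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -j REJECT --reject-with icmp-port-unreachable",
]

# Constructed hardened variant: LAN accept tied to eth0, loopback matched by interface,
# and the thread's example "open port 80 on ppp0" rule enabled.
HARDENED_INPUT = [
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -i eth0 -s 192.168.124.0/24 -j ACCEPT",
    "-A INPUT -i ppp0 -p tcp -m state --state NEW --dport 80 -j ACCEPT",
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -j REJECT --reject-with icmp-port-unreachable",
]


def parse_rule(text):
    """Turn one '-A CHAIN ... -j TARGET' line into a dict of match criteria."""
    toks = text.split()
    rule = {}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-A":
            rule["chain"] = toks[i + 1]
        elif t == "-s":
            rule["src"] = ip_network(toks[i + 1], strict=False)  # host -> /32
        elif t == "-i":
            rule["iface"] = toks[i + 1]
        elif t == "-p":
            rule["proto"] = toks[i + 1]
        elif t == "-m":
            pass  # match extension name (e.g. "state"); its options follow
        elif t == "--state":
            rule["states"] = set(toks[i + 1].split(","))
        elif t == "--dport":
            rule["dport"] = int(toks[i + 1])
        elif t == "-j":
            rule["target"] = toks[i + 1]
        elif t == "--reject-with":
            pass  # only affects the ICMP sent back, not the verdict
        else:
            raise ValueError(f"unsupported option {t!r} in {text!r}")
        i += 2  # every supported option takes exactly one argument
    return rule


def matches(rule, pkt):
    """True when every criterion present in the rule holds for the packet."""
    if "src" in rule and ip_address(pkt["src"]) not in rule["src"]:
        return False
    if "iface" in rule and pkt["iface"] != rule["iface"]:
        return False
    if "proto" in rule and pkt["proto"] != rule["proto"]:
        return False
    if "states" in rule and pkt["state"] not in rule["states"]:
        return False
    if "dport" in rule and pkt["dport"] != rule["dport"]:
        return False
    return True


def verdict(chain, pkt, policy="ACCEPT"):
    """First matching rule wins; with no match, the chain policy applies."""
    for rule in map(parse_rule, chain):
        if matches(rule, pkt):
            return rule["target"]
    return policy


def packet(iface, src, state, proto="tcp", dport=None):
    """Constructed packet as seen by the INPUT chain: arrival interface, source, conntrack state."""
    return {"iface": iface, "src": src, "state": state, "proto": proto, "dport": dport}


# Constructed packets; 203.0.113.0/24 is a documentation range standing in for "the internet".
LAN_REQUEST = packet("eth0", "192.168.124.10", "NEW", dport=80)       # example a), first half
INTERNET_REPLY = packet("ppp0", "203.0.113.7", "ESTABLISHED", dport=54321)  # example a), reply
EDONKEY_PROBE = packet("ppp0", "203.0.113.7", "NEW", dport=4662)       # example b)
WEB_ON_PPP0 = packet("ppp0", "203.0.113.7", "NEW", dport=80)           # the commented-out rule
LAN_SOURCE_ON_PPP0 = packet("ppp0", "192.168.124.9", "NEW", dport=4662)  # LAN address, wrong side

if __name__ == "__main__":
    for name, pkt in [("LAN request", LAN_REQUEST), ("reply", INTERNET_REPLY),
                      ("edonkey probe", EDONKEY_PROBE), ("web on ppp0", WEB_ON_PPP0),
                      ("LAN source on ppp0", LAN_SOURCE_ON_PPP0)]:
        print(f"{name:20s} original={verdict(ORIGINAL_INPUT, pkt):7s} "
              f"hardened={verdict(HARDENED_INPUT, pkt)}")
```

    Examples a) and b) come out as post #5 describes under both rule sets. The last packet is the one that separates matching by address from matching by interface: the original chain accepts it on the strength of its source address alone, while the hardened chain falls through to the catch-all REJECT.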

  6. #6
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Again, you do not have your PPPoE directly connected to your linux box, so there is no ppp interface. The only interface you have is eth0. Everything passes through that interface and that interface only. You cannot set up a ppp0 interface as you do not have one on the linux box. Since there is only one interface you should be using PREROUTE and POSTROUTE rules, not FORWARD.

    Please read the Tutorial I gave you for setting up IPTABLES.

    What type of switch is this you have?

    Regards
    Robert

