ufw, iptables masquerading config

Postby msdobrescu » Sun May 27, 2012 10:26

Hello,

I am sure there are many well documented pages over the Internet concerning my problem, but I am too dumb to make something useful out of them.

I need to configure masquerading through a Sabayon machine for a second PC, that needs access to the Internet too.
I have a PPPoE connection on the Sabayon PC, where, by default, I have installed ufw (and active).
Basically, I would like to have everything closed (deny all incoming packets from the Internet) except for some common protocols (like HTTP, FTP).
I achieve this goal if I use ufw, but it denies the access to the Internet for the other PC.
Additionally, if I disable ufw, it works, but it doesn't remember the masquerading after reboot.
Also, the masquerading seems to be added again and again to each iptables restart (like it does reload the rules, until the next reboot).

What should I do? Is there someone having a similar configuration, to give me some steps or point of interest to set whatever it is needed for this? I don't dare to ask for a script...

Thank you.
msdobrescu
Advanced Hen
 
Posts: 269
Joined: Sun Aug 21, 2011 8:48

Re: ufw, iptables masquerading config

Postby msdobrescu » Mon Jun 04, 2012 12:28

Digging further, I think that all the rules added to the ipconfig should be saved and restored automatically by the init.d scripts.
Am I right?
On my system they don't. Is this a bug?
msdobrescu
Advanced Hen
 
Posts: 269
Joined: Sun Aug 21, 2011 8:48

Re: ufw, iptables masquerading config

Postby Jomiel » Mon Jun 04, 2012 13:37

Hi there,
I don't know much of networking, but I am using a mobile connection from my smartphone most of the time. I managed to share the Internet through ethernet to my second pc by changing the settings in nm-applet -> edit connections -> yourConnection -> edit -> IPv4 Settings -> Method to shared to other computers.
I don't need to change anything in ufw. I'm not sure if that helps you anywhere, but if it does I'm happy^^.

cheers
Jomiel
Jomiel
Growing Hen
 
Posts: 131
Joined: Tue Jan 17, 2012 21:14

Re: ufw, iptables masquerading config

Postby msdobrescu » Mon Jun 04, 2012 14:14

Is there MTU mangling included?
msdobrescu
Advanced Hen
 
Posts: 269
Joined: Sun Aug 21, 2011 8:48

Re: ufw, iptables masquerading config

Postby Jomiel » Mon Jun 04, 2012 22:08

The MTU setting is handled by NetworkManager. Default is automatic. Never changed that, but it is possible.
Jomiel
Growing Hen
 
Posts: 131
Joined: Tue Jan 17, 2012 21:14

Re: ufw, iptables masquerading config

Postby msdobrescu » Tue Jun 05, 2012 5:46

OK, but what applet are you talking about?
My default KDE applet does not have such settings.
msdobrescu
Advanced Hen
 
Posts: 269
Joined: Sun Aug 21, 2011 8:48

Re: ufw, iptables masquerading config

Postby Jomiel » Wed Jun 06, 2012 14:09

The default network icon is the nm-applet (networkmanager-applet). In case you didn't disable NetworkManager, you should have it.
Jomiel
Growing Hen
 
Posts: 131
Joined: Tue Jan 17, 2012 21:14

Re: ufw, iptables masquerading config

Postby msdobrescu » Sat Jun 16, 2012 8:52

msdobrescu
Advanced Hen
 
Posts: 269
Joined: Sun Aug 21, 2011 8:48

Re: ufw, iptables masquerading config

Postby Jomiel » Mon Jun 18, 2012 12:42

Looks like there is no nm-applet in KDE installed. I talked with a friend of mine who uses KDE and he says that there is a pretty similar plasmoid, which is buggy. So he uses the nm-applet for gnome https://packages.sabayon.org/show/nm-applet,84631,sabayonlinux.org,amd64,5,standard.

cheers
Jomiel
Jomiel
Growing Hen
 
Posts: 131
Joined: Tue Jan 17, 2012 21:14

Re: ufw, iptables masquerading config

Postby BHReach » Tue Jun 19, 2012 19:14

Here is a very simple firewall I use to share Internet with all computers on my LAN.

I have 2 routers on different subnets (very important to be on different subnets). Internet router has 192.168.1.1 IP and connects to the Internet, LAN router has 192.168.0.1 IP and manages my LAN.

On the computer that connects directly to the Internet router:

wlan1 connects to Internet router and has 192.168.1.144 IP address.

eth0 connects to LAN router and has 192.168.0.5 IP address.

These are the iptables commands I use to share the Internet with computers on my LAN; the LAN computers need to have their default gateway set to 192.168.0.5 (eth0):

# Clear iptables
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat
iptables -F -t mangle
iptables -X

# Block all INPUT by default.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# Accept all INPUT from lan and lo, plus anything ESTABLISHED or RELATED
iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept pings for configuration purposes; afterwards comment out this line, run the iptables commands and restart the firewall.
iptables -A INPUT -p icmp -j ACCEPT

# Internet (wlan1 connected to WAN) shared with lan through eth0
# Translate (NAT) traffic from lan to wan; this is masquerading, not a bridge
iptables --table nat --append POSTROUTING --out-interface wlan1 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT

You can put those commands in a file and make it executable (I use /etc/iptables.commands). Run it automatically on startup and anytime you want to restart the firewall.

chmod +x /etc/iptables.commands
/etc/iptables.commands


Check the firewall with:

iptables -L -v
iptables -L -v -t nat

I have this running on a Slackware box but since it is pure iptables, it should work for any Linux.

I created /etc/rc.d/rc.firewall, Slackware's equivalent to SL /etc/init.d/firewall and use it to start, stop and restart my firewall.

Here is how that works in case you are interested.

After running the iptables commands and having my firewall working, I do the following (only needed once, when you install the system):

/usr/sbin/iptables-save >/etc/firewall.conf

I found this generic firewall script (/etc/rc.d/rc.firewall):

#! /bin/sh
#
# /etc/rc.d/rc.firewall
#
# Firewall Howto:
# Run
#
# /etc/iptables.commands
#
# to create a firewall
#
# Save the firewall
#
# /usr/sbin/iptables-save >/etc/firewall.conf
#
# chmod +x /etc/rc.d/rc.firewall
# /etc/rc.d/rc.firewall restart


case "$1" in
    start)
        echo "Starting firewall (Issuing iptables commands)."
        /usr/sbin/iptables-restore </etc/firewall.conf
        ;;
    stop)
        echo "Stopping firewall (Flushing iptables)"
        /usr/sbin/iptables -P INPUT ACCEPT
        /usr/sbin/iptables -P OUTPUT ACCEPT
        /usr/sbin/iptables -P FORWARD ACCEPT
        /usr/sbin/iptables -F
        /usr/sbin/iptables -F -t nat
        /usr/sbin/iptables -F -t mangle
        /usr/sbin/iptables -X
        ;;
    restart)
        echo "Restarting Firewall:"
        /usr/sbin/iptables -P INPUT ACCEPT
        /usr/sbin/iptables -P OUTPUT ACCEPT
        /usr/sbin/iptables -P FORWARD ACCEPT
        /usr/sbin/iptables -F
        /usr/sbin/iptables -F -t nat
        /usr/sbin/iptables -F -t mangle
        /usr/sbin/iptables -X
        /usr/sbin/iptables-restore </etc/firewall.conf
        ;;
    *)
        echo "Usage: /etc/rc.d/rc.firewall {start|stop|restart}"
        exit 1
        ;;
esac
exit 0

I am not a networking expert but was able to get this working. It's not that hard, anybody should be able to do it.
BHReach
Growing Hen
 
Posts: 192
Joined: Thu Jan 31, 2008 20:40
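As an added example (not BHReach's script and not Sabayon project code), here is the same sharing setup written straight in iptables-restore format, so it can be saved and loaded the way rc.firewall above does, but with the FORWARD chain defaulting to DROP instead of ACCEPT, conntrack state matching on both INPUT and FORWARD, the kernel ip_forward switch that the thread's script never enables, and an MSS clamp for the PPPoE MTU question raised earlier. The interface names, the 192.168.0.0/24 subnet and the lint_rules sanity check are assumptions of this example.

```shell
#!/bin/sh
# Example NAT-sharing ruleset generator (assumed names: wan/lan interfaces,
# LAN subnet). Prints iptables-restore format; "apply" loads it as root.
gen_rules() {
    wan="$1"       # Internet-facing interface, e.g. wlan1 or ppp0 (PPPoE)
    lan="$2"       # LAN-facing interface, e.g. eth0
    lan_net="$3"   # LAN subnet, e.g. 192.168.0.0/24
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $lan_net -o $wan -j MASQUERADE
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
-A FORWARD -o $wan -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -s $lan_net -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
COMMIT
EOF
}
# Sanity check: both filter chains default to DROP and nothing ACCEPTs
# new traffic arriving on the WAN interface. Returns 0 when the ruleset passes.
lint_rules() {
    rules=$(gen_rules "$@")
    echo "$rules" | grep -q '^:INPUT DROP' || return 1
    echo "$rules" | grep -q '^:FORWARD DROP' || return 1
    echo "$rules" | grep -q -- "-i $1 .*-j ACCEPT" && return 1
    return 0
}
# Load the ruleset atomically; forwarding also needs the kernel switch,
# which the thread's script leaves out (persist it in sysctl.conf as well).
apply_rules() {
    lint_rules "$@" || { echo "refusing to load a permissive ruleset" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_rules "$@" | iptables-restore
}
case "${1:-}" in
    print) shift; gen_rules "$@" ;;    # e.g. ./share.sh print wlan1 eth0 192.168.0.0/24
    apply) shift; apply_rules "$@" ;;  # same arguments, run as root
esac
```

Save the printed output to /etc/firewall.conf and the rc.firewall restart target above reloads it unchanged after a reboot.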
