I want to install arch on a friend's router pc (which was running fli4l).
She wants to have some cron stuff on it (dial out these times only and so on) which fli4l seems not to be able to handle.
So arch should do the job. I know how to setup her ISDN connection, but I don't have any clue about the routing stuff. Is this all done via iptables?
Could someone give me a hint; what arch stuff/packages are needed to be installed for this purpose anyway?
If you name me some docs or google keywords I would be happy already Just don't know in which direction I need to go with my arch router, I never was into that routing stuff yet..
Is this router pc going to be used for a local network or just standalone?
If you need it for the network you also need to setup NAT (network address translation - unless you have several public IPs). All can be done with iptables or dialup daemon itself (I've never used dialup or isdn on linux, only on freebsd and it was a loooong time ago :-)).
Do you have some public IP or is this DHCP? What software do you use for isdn configuration? Does it have NAT built in ?
Maybe even iptables is not a must in your case.
For a quick overview of networking setup with some examples take a look here:
http://www.yolinux.com/TUTORIALS/LinuxT … rking.html
It is a local network with few pcs which want to share the internet connection. So you're right, I have to do NAT.
I use ipppd to connect and I don't think it is able to do more than setting up the ppp connection. also some ports should be forwarded from outside to a box inside, like ssh.
I don't need DHCP inside, but I don't have a static ip outside. On every dial a new IP is assigned. This is done in the ipppd scripts.
Ok. It should be easy. I assume you have isdn (as ippp0) and one ethernet card (eth0) configured (modules, etc...). etc/relsov.conf (DNSes) should also be automatically configured by ipppd or you can set up your own manually.
Your /etc/rc.conf should look like this:
HOSTNAME="routerpc" MODULES=(...your network modules.... iptable_filter iptable_nat ip_nat_ftp ip_nat_irc ...other modules...) lo="lo 127.0.0.1" # eth0 is LAN (switch) # ippp0 is the internet # all computers on the LAN should have IPs starting # from 192.168.222 (you can change 222 to something else # just remember you have to change it everywhere in the configs) eth0="eth0 192.168.222.1 netmask 255.255.255.0 broadcast 192.168.222.255" INTERFACES=(lo eth0) gateway="default gw 192.168.222.1" #not important, default route should be set by ipppd http://linuxcommand.org/man_pages/ipppd8.html ROUTES=(!gateway) DAEMONS=(syslog-ng network iptables ...other daemons...)
in /etc/sysctl.conf add
First line is not really necessary because forwarding is already turned on by default in /etc/conf.d/iptables but it's good to have them in one place.
Now you need to configure NAT/firewall. There are several ways to do this. You can configure and save rules in /etc/iptables/iptables.rules (default - used by iptables in DAEMONS), copy and modify some /etc/rc.d/ script and configure iptables in it, or use ipppd script (there should be somewhere ip-up script or something like this which is executed automatically on successful connection - an advantage is that it gets parameters from ipppd like IP, interface etc.).
The configuration below is for the first method.
As root run:
iptables -F -t filter iptables -X -t filter iptables -F -t nat iptables -X -t nat iptables -F -t mangle iptables -X -t mangle iptables -t filter -P INPUT DROP iptables -t filter -P FORWARD DROP iptables -t filter -P OUTPUT ACCEPT
If you run the following rule it will open the router pc to the internet (all ports). If you only have www, ftp or ssh services running on the router (man netstat) it should be quite safe:
iptables -t filter -A INPUT -j ACCEPT
and the forwarding rules:
iptables -t filter -A FORWARD -s 192.168.222.0/24 -d 0/0 -j ACCEPT iptables -t filter -A FORWARD -d 192.168.222.0/24 -s 0/0 -j ACCEPT
I'm not quite sure what you want to forward "from outside to a box inside" ? Do you really want to forward ports from router pc to some pc inside LAN or you just want to have sshd port on the router accessible from the internet and/or LAN? Or... ? Anyway, read netfilter tutorials and you'll figure it out.
general NAT for isdn:
iptables -t nat -A POSTROUTING -o ippp0 -j MASQUERADE
save generated rules in a file:
iptables-save > /etc/iptables/iptables.rules
You can restart the router box now or only start/restart ipppd, network and iptables daemons.
All PCs in the LAN should have IPs from the range of 192.168.222.2 to 192.168.222.254, netmask 255.255.255.0 and gateway set to 192.168.222.1.
This is only the minimum config. I suggest reading tutorials from http://www.netfilter.org to configure more filters.
Wow, this is awesome, thank you a very lot! This is more then enough to give me a good start :-)
I will try it out, although it will be a week or so till I can set up that machine.
What I ment was there is a box inside the lan which should be accessible by ssh from outside. But you're right, I will figure it out myself. Now I know everything I need to.
Now I understand you want to forward like this
lan pc1 (sshd) :22 <------ router pc :22 <----- isdn <------ internet <---- some pc 1 (ssh client)
So you need to forward connections to port 22 on the router to the machine inside LAN. You can change the ports and setup sshd and/or ssh client for different ports if you want. You can also setup sshd on the router and lan pc so you won't need port forwarding just double ssh :-)
Some examples of port forwarding using iptables are here:
http://www.siliconvalleyccie.com/linux- … -intro.htm
You also need to open at least one port on the router (the one that you're going to forward to the lan pc) to the internet. You can start with
iptables -t filter -A INPUT -j ACCEPT
(open all ports on the router) and then step by step tighten your firewall.