
#1 2013-01-28 11:26:28

Lockheed
Member
Registered: 2010-03-16
Posts: 1,427

Bridge connection problem.

I'm trying to set up a bridge connection between my laptop and a USB-connected Android phone using this guide:
http://blog.mycila.com/2010/06/reverse- … id-22.html

My internet interface is wlan0, not eth0.

However, I run into a problem:

$ sudo ifconfig wlan0 0.0.0.0
$ sudo ifconfig usb0 0.0.0.0
$ sudo brctl addbr br0 
$ sudo brctl addif br0 wlan0
can't add wlan0 to bridge br0: Operation not supported

I also tried doing it this way:

On PC:

sudo ifconfig usb0 192.168.42.1
# enable routing
sudo sysctl net.ipv4.ip_forward=1
# enable nat
sudo iptables -t nat -I POSTROUTING -s 192.168.42.129 -o wlan0 -j MASQUERADE

And issue this command on the phone:

route add -net default gw 192.168.42.1

But I can't even ping localhost from the phone.

# ping 192.168.42.129
PING 192.168.42.129 (192.168.42.129) 56(84) bytes of data.
^C
--- 192.168.42.129 ping statistics ---
161 packets transmitted, 0 received, 100% packet loss, time 160105ms

# ping localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
^C
--- localhost ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 2999ms

# busybox ping localhost
PING localhost (127.0.0.1): 56 data bytes

Last edited by Lockheed (2013-01-28 11:37:21)


Laptop: ThinkPad W500, C2D P9500, 8GB, Radeon RV635 (HD3650), Arch | Server/fw: Zotac AQ01, A4-5000 Kabini, 4GB, Arch/pfSense VM


#2 2013-01-28 13:05:03

hunterthomson
Member
Registered: 2008-06-22
Posts: 794

Re: Bridge connection problem.

Yeah, you cannot attach a wireless device to a bridge device. You can, however, use some iptables magic to redirect all packets from your wireless interface to and from your bridge device.

So... you want to connect your phone to your laptop with Ethernet over USB, and you want the laptop to provide Internet to the phone?

Okay then, configure the phone with an IP address and usb0 on the laptop with an IP address in the same subnet (a different subnet than what your wlan0 interface is on). Then configure NAT from the usb0 subnet or interface to the wlan0 subnet or interface.

Last edited by hunterthomson (2013-01-28 13:07:21)


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec

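The routing-plus-NAT setup described in the post above, written out as an added example (this is editor-supplied code, not something posted in the thread and not part of arno-iptables-firewall). The reason the bridge attempt failed is worth spelling out: a Wi-Fi interface in ordinary station mode sends 3-address 802.11 frames, so the kernel refuses to enslave it to a bridge ("Operation not supported"); the laptop therefore has to route and masquerade instead. The script assumes the thread's own names and addresses: usb0 is the phone link, wlan0 the uplink, 192.168.42.0/24 the phone subnet, 192.168.42.1 the laptop's address on usb0. The security-relevant part is that the FORWARD chain policy is DROP with explicit per-direction rules and an anti-spoof rule, so the laptop does not silently become an open router between every interface it has, and MASQUERADE is tied to both the source subnet and the exit interface.

```shell
#!/bin/sh
# Added example, not code from the thread or from arno-iptables-firewall.
# Assumed (from the thread): INT_IF=usb0 (phone link), EXT_IF=wlan0 (uplink),
# INT_NET=192.168.42.0/24 (phone subnet), GW_IP=192.168.42.1 (laptop on usb0).
# nat_rules only prints the commands; apply_nat runs them; check_nat verifies.

INT_IF="${INT_IF:-usb0}"
EXT_IF="${EXT_IF:-wlan0}"
INT_NET="${INT_NET:-192.168.42.0/24}"
GW_IP="${GW_IP:-192.168.42.1}"

# Emit the rule set for review. FORWARD policy DROP plus explicit rules per
# direction keeps the laptop from forwarding between arbitrary interfaces;
# the anti-spoof rule drops anything on usb0 not sourced from the phone subnet;
# MASQUERADE is restricted to that subnet leaving via the uplink only.
nat_rules() {
    int_if=$1; ext_if=$2; int_net=$3
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -i $int_if ! -s $int_net -j DROP
iptables -A FORWARD -i $int_if -o $ext_if -s $int_net -j ACCEPT
iptables -A FORWARD -i $ext_if -o $int_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $int_net -o $ext_if -j MASQUERADE
EOF
}

# Number of iptables commands the generator emits (quick sanity check).
nat_rule_count() {
    nat_rules "$1" "$2" "$3" | grep -c '^iptables'
}

# Bring up the gateway address on the USB link and install the rules (run as root).
apply_nat() {
    ip addr replace "$GW_IP/24" dev "$INT_IF"
    ip link set "$INT_IF" up
    nat_rules "$INT_IF" "$EXT_IF" "$INT_NET" | sh -e
}

# Verify forwarding is on and the MASQUERADE rule is present; non-zero otherwise.
check_nat() {
    [ "$(sysctl -n net.ipv4.ip_forward)" = 1 ] || { echo "ip_forward is off"; return 1; }
    iptables -t nat -S POSTROUTING | grep -qF -- "-s $INT_NET -o $EXT_IF -j MASQUERADE" \
        || { echo "no MASQUERADE rule for $INT_NET via $EXT_IF"; return 1; }
    echo "NAT $INT_IF ($INT_NET) -> $EXT_IF looks good"
}

case "${1:-}" in
    apply) apply_nat ;;
    check) check_nat ;;
    show)  nat_rules "$INT_IF" "$EXT_IF" "$INT_NET" ;;
esac
```

Run `sh nat-usb.sh show` to review the rules, `sudo sh nat-usb.sh apply` to install them, and `sudo sh nat-usb.sh check` afterwards. On the phone side the default route from the thread (`route add -net default gw 192.168.42.1`, or `ip route add default via 192.168.42.1 dev usb0`) is still needed, and so is a DNS server address, since NAT forwards packets but does not hand out resolver settings. The rules are appended, so on a laptop that already runs a firewall (arno-iptables-firewall, for instance) use that firewall's configuration instead of mixing the two.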

#3 2013-02-04 15:56:08

Lockheed
Member
Registered: 2010-03-16
Posts: 1,427

Re: Bridge connection problem.

hunterthomson wrote:

So... you want to connect your phone to your laptop with Ethernet over USB, and you want the laptop to provide Internet to the phone?

That is correct.

hunterthomson wrote:

Then configure NAT from the usb0 subnet or interface to the wlan0 subnet or interface.

On that, I am lost. Can you tell me how I do that exactly?




#4 2013-02-06 09:04:45

hunterthomson
Member
Registered: 2008-06-22
Posts: 794

Re: Bridge connection problem.

This wiki has a NAT example
https://wiki.archlinux.org/index.php/Si … l_Firewall

Personally I use arno-iptables-firewall
https://aur.archlinux.org/packages/arno … -firewall/
https://aur.archlinux.org/packages/syst … -firewall/

The config for arno-iptables-firewall has all the NAT and port forwarding covered.

###############################################################################
# Internal (LAN) interface settings                                           #
###############################################################################

# Specify here your internal network (LAN) interface(s). Multiple(!) interfaces
# should be space separated. Remark this if you don't have any internal network
# interfaces. Note that by default ALL traffic is accepted from these
# interfaces.
# -----------------------------------------------------------------------------
INT_IF="br0 br1 ppp0 ppp1 usb0 usb1"

# Specify here the internal IPv4 subnet(s) which is/are connected to the
# internal interface(s). For multiple interfaces(!) you can either specify
# multiple subnets here or specify one big subnet for all internal interfaces.
# Note that this variable is mainly used for antispoofing.
# -----------------------------------------------------------------------------
INTERNAL_NET="10.1.3.0/24"

# Set this variable to 0 to disable antispoof checking for the internal nets
# (EXPERT SETTING!)
# -----------------------------------------------------------------------------
INTERNAL_NET_ANTISPOOF=1

# (EXPERT SETTING!) Here you can specify the IPv4 address used for broadcasts
# on your internal subnet. You only need to set this option if you want to use
# the MAC filter AND you use a non-standard broadcast address
# (not *.255.255.255, *.*.255.255 or *.*.*.255)! So normally leaving
# this empty should work fine. Multiple addresses (if you have multiple
# internal nets) should be space separated.
# -----------------------------------------------------------------------------
#INT_NET_BCAST_ADDRESS=""


###############################################################################
# DMZ (aka DeMilitarized Zone) settings                                       #
###############################################################################

# Put in the following variable the network interfaces that are DMZ-classified.
# You can also use this interface if you want to shield your Wireless network
# from your LAN.
# -----------------------------------------------------------------------------
DMZ_IF=""

# Specify here the subnet which is connected to the DMZ interface (DMZ_IF).
# For multiple interfaces(!) you can either specify multiple subnets here or
# specify one big subnet for all DMZ interfaces.
# -----------------------------------------------------------------------------
DMZ_NET=""

# Set this variable to 0 to disable antispoof checking for the dmz nets
# (EXPERT SETTING!)
# -----------------------------------------------------------------------------
DMZ_NET_ANTISPOOF=1

###############################################################################
# NAT (Masquerade, SNAT, DNAT) settings (IPv4 only!)                          #
###############################################################################

# Enable this if you want to perform NAT (masquerading) for your internal
# network (LAN) (eg. share your internet connection with your internal
# net(s) connected to eg. INT_IF)
# -----------------------------------------------------------------------------
NAT=1

# (EXPERT SETTING!) In case you would like to use SNAT instead of
# MASQUERADING then uncomment and set the IP or IPs here of your static
# external address(es). Note that when multiple IPs are specified, SNAT
# multiroute is enabled (load balancing over multiple external (internet)
# interfaces, check the README file for more info). Note that the order of IPs
# should match the order of interfaces (they belong to) in $EXT_IF!
# -----------------------------------------------------------------------------
#NAT_STATIC_IP="193.2.1.1"

# (EXPERT SETTING!) Use this variable only if you want specific subnets or
# hosts to be able to access the internet. When no value is specified, your
# whole internal net will have access. In both cases it's obviously only
# meaningful when NAT is enabled. Note that you can also use this variable if
# you want to use NAT for your DMZ.
# -----------------------------------------------------------------------------
NAT_INTERNAL_NET="$INTERNAL_NET"

# (EXPERT SETTING!) Enable this if you want to be able to redirect local ports
# or protocols on your gateway using NAT forwards.
# -----------------------------------------------------------------------------
NAT_LOCAL_REDIRECT=0

# NAT TCP/UDP/IP forwards. Forward ports or protocols from the gateway to
# an internal client through (D)NAT. Note that you can also use these
# variables to forward ports to DMZ hosts.
#
# TCP/UDP form:
#       "{SRCIP1,SRCIP2,...~}PORT1,PORT2-PORT3,...>DESTIP1{~port} \
#        {SRCIP3,...~}PORT3,...>DESTIP2{~port}"
#
# IP form:
#       "{SRCIP1,SRCIP2,...~}PROTO1,PROTO2,...>DESTIP1 \
#        {SRCIP3~}PROTO3,PROTO4,...>DESTIP2"
#
# TCP/UDP port forward examples:
# Simple (forward port 80 to internal host 192.168.0.10):
#       NAT_FORWARD_xxx="80>192.168.0.10 20,21>192.168.0.10"
# Advanced (forward port 20 & 21 to 192.168.0.10 and
#           forward from 1.2.3.4 port 81 to 192.168.0.11 port 80:
#       NAT_FORWARD_xxx="1.2.3.4~81>192.168.0.11~80"
#
# IP protocol forward example:
#        (forward protocols 47 & 48 to 192.168.0.10)
#        NAT_FORWARD_IP="47,48>192.168.0.10"
#
# NOTE 1: {~port} is optional. Use it to redirect a specific port to a
#         different port on the internal client.
# NOTE 2: {SRCIPx} is optional. Use it to restrict access for specific source
#         (inet) IP addresses.
# (IPv4 Only)
# -----------------------------------------------------------------------------
NAT_FORWARD_TCP=""
NAT_FORWARD_UDP=""
NAT_FORWARD_IP=""

# TCP/UDP/IP forwards. Forward IPv6 and non-NAT'ed IPv4 ports or protocols
# from the gateway to an internal client. Note that you can also use these
# variables to forward ports to DMZ hosts.
#
# TCP/UDP form:
#       "SRCIP1,SRCIP2,...>DESTIP1{~port} \
#        SRCIP3,...>DESTIP2{~port}"
#
# IP form:
#       "SRCIP1,SRCIP2,...>DESTIP1~PROTO \
#        SRCIP3,...>DESTIP2~PROTO"
#
# TCP/UDP port forward examples:
# Simple (IPv6 forward port 80 to internal host 2001:db8::2):
#       INET_FORWARD_TCP="::/0>2001:db8::2~80"
# Simple (IPv4 non-NAT forward port 80 to internal host 192.168.0.10):
#       INET_FORWARD_TCP="0/0>192.168.0.10~80"
# Advanced (forward all UDP ports for 2000::/3 net to 2001:db8::/32 net):
#       INET_FORWARD_UDP="2000::/3>2001:db8::/32"
#
# IP protocol forward example:
#        (forward protocol 58 (ICMPv6) to 2001:db8::2)
#       INET_FORWARD_IP="::/0>2001:db8::2~58"
#
# (IPv6 and non-NAT'ed IPv4 Only)
# -----------------------------------------------------------------------------
INET_FORWARD_TCP=""
INET_FORWARD_UDP=""
INET_FORWARD_IP=""



#5 2013-02-13 16:34:40

Lockheed
Member
Registered: 2010-03-16
Posts: 1,427

Re: Bridge connection problem.

Is that the /etc/arno-iptables-firewall/firewall.conf file? Should I just copy-paste it?




#6 2013-02-17 12:57:37

hunterthomson
Member
Registered: 2008-06-22
Posts: 794

Re: Bridge connection problem.

Yes, that is the firewall.conf.

No, you do not need to cut & paste that. That is the config. It is near the top of the file.

Last edited by hunterthomson (2013-02-17 12:59:02)




#7 2013-02-19 10:41:47

Lockheed
Member
Registered: 2010-03-16
Posts: 1,427

Re: Bridge connection problem.

Ok, but can you tell me what I need to change in the conf to bridge wlan0 with usb0?




#8 2013-02-19 11:25:36

hunterthomson
Member
Registered: 2008-06-22
Posts: 794

Re: Bridge connection problem.

Well, you don't need to create a bridge. You just need to NAT between wlan0 and usb0.

In the firewall.conf simply put wlan0 as an exit interface and usb0 as an internal interface.

Here is the beginning of my firewall.conf, which contains all of the settings relevant to this. I have many more interfaces than just wlan0, so don't worry about the ppp and br interfaces.

###############################################################################
# You should put this config-file in /etc/arno-iptables-firewall/             #
###############################################################################

# --------------------------- Configuration file ------------------------------
#                       -= Arno's iptables firewall =-
#         Single- & multi-homed firewall script with DSL/ADSL support
#
# (C) Copyright 2001-2012 by Arno van Amersfoort
# Co-authors : Lonnie Abelbeck & Philip Prindeville
# Homepage   : http://rocky.eld.leidenuniv.nl/
# Freshmeat  : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
# Email      : arnova AT rocky DOT eld DOT leidenuniv DOT nl
#              (note: you must remove all spaces and substitute the @ and the .
#              at the proper locations!)
# -----------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.

# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
# more details.

# You should have received a copy of the GNU General Public License along with
# this program; if not, write to the Free Software Foundation Inc., 59 Temple
# Place - Suite 330, Boston, MA 02111-1307, USA.
# -----------------------------------------------------------------------------


###############################################################################
# External (internet) interface settings                                      #
###############################################################################

# The external interface(s) that will be protected (and used as internet
# connection). This is probably ppp+ or dsl+ for non-transparent(!) (A)DSL
# modems otherwise it's probably "ethX" (eg. eth0). Multiple interfaces should
# be space separated.
# -----------------------------------------------------------------------------
EXT_IF="eth0 wlan0 tun0"

# Enable if THIS machines (dynamically) obtains its IP through (IPv4) DHCP
# and/or (IPv6) DHCPv6 (from your ISP)
# -----------------------------------------------------------------------------
EXT_IF_DHCP_IP=1

# (EXPERT SETTING!) Here you can specify your external(!) IPv4 subnet(s). You
# should only use this if you for example have a corporate network and/or
# running a DHCP server on your external(!) interface. Home users should
# normally NOT touch this setting. Multiple subnets should be space separated.
# Don't forget to specify a proper subnet masker (eg. /24, /16 or /8)!
# -----------------------------------------------------------------------------
#EXTERNAL_NET=""

# (EXPERT SETTING!) Here you can specify the IPv4 address used for broadcasts 
# on your external subnet. You only need to set this option if you want to use 
# the BROADCAST_XXX_NOLOG variables AND you use a non-standard broadcast
# address (not *.255.255.255, *.*.255.255 or *.*.*.255)! So normally leaving
# this empty should work fine. Multiple addresses should be space separated.
# -----------------------------------------------------------------------------
#EXT_NET_BCAST_ADDRESS=""

# Enable this if THIS MACHINE is running an IPv4 DHCP(BOOTP) server for a subnet
# on the external(!) interface. Note that you don't need this for internal
# subnets, as for these nets everything is accepted by default. Don't forget to 
# configure the EXTERNAL_NET variable, to make this work. (IPv4 Only)
# -----------------------------------------------------------------------------
EXTERNAL_DHCP_SERVER=0

# Enable this if THIS MACHINE is running an IPv6 DHCPv6 server for a Link-Local
# address on the external(!) interface. Note that you don't need this for internal
# subnets, as for these nets everything is accepted by default. (IPv6 Only)
# -----------------------------------------------------------------------------
EXTERNAL_DHCPV6_SERVER=0


###############################################################################
# Internal (LAN) interface settings                                           #
###############################################################################

# Specify here your internal network (LAN) interface(s). Multiple(!) interfaces
# should be space separated. Remark this if you don't have any internal network
# interfaces. Note that by default ALL traffic is accepted from these
# interfaces.
# -----------------------------------------------------------------------------
INT_IF="br0 br1 ppp0 ppp1 usb0 usb1"

# Specify here the internal IPv4 subnet(s) which is/are connected to the
# internal interface(s). For multiple interfaces(!) you can either specify
# multiple subnets here or specify one big subnet for all internal interfaces.
# Note that this variable is mainly used for antispoofing.
# -----------------------------------------------------------------------------
INTERNAL_NET="10.1.3.0/24"

# Set this variable to 0 to disable antispoof checking for the internal nets
# (EXPERT SETTING!)
# -----------------------------------------------------------------------------
INTERNAL_NET_ANTISPOOF=1

# (EXPERT SETTING!) Here you can specify the IPv4 address used for broadcasts
# on your internal subnet. You only need to set this option if you want to use
# the MAC filter AND you use a non-standard broadcast address
# (not *.255.255.255, *.*.255.255 or *.*.*.255)! So normally leaving
# this empty should work fine. Multiple addresses (if you have multiple
# internal nets) should be space separated.
# -----------------------------------------------------------------------------
#INT_NET_BCAST_ADDRESS=""


###############################################################################
# DMZ (aka DeMilitarized Zone) settings                                       #
###############################################################################

# Put in the following variable the network interfaces that are DMZ-classified.
# You can also use this interface if you want to shield your Wireless network
# from your LAN.
# -----------------------------------------------------------------------------
DMZ_IF=""

# Specify here the subnet which is connected to the DMZ interface (DMZ_IF).
# For multiple interfaces(!) you can either specify multiple subnets here or
# specify one big subnet for all DMZ interfaces.
# -----------------------------------------------------------------------------
DMZ_NET=""

# Set this variable to 0 to disable antispoof checking for the dmz nets
# (EXPERT SETTING!)
# -----------------------------------------------------------------------------
DMZ_NET_ANTISPOOF=1

###############################################################################
# NAT (Masquerade, SNAT, DNAT) settings (IPv4 only!)                          #
###############################################################################

# Enable this if you want to perform NAT (masquerading) for your internal
# network (LAN) (eg. share your internet connection with your internal
# net(s) connected to eg. INT_IF)
# -----------------------------------------------------------------------------
NAT=1

# (EXPERT SETTING!) In case you would like to use SNAT instead of
# MASQUERADING then uncomment and set the IP or IPs here of your static
# external address(es). Note that when multiple IPs are specified, SNAT
# multiroute is enabled (load balancing over multiple external (internet)
# interfaces, check the README file for more info). Note that the order of IPs
# should match the order of interfaces (they belong to) in $EXT_IF!
# -----------------------------------------------------------------------------
#NAT_STATIC_IP="193.2.1.1"

# (EXPERT SETTING!) Use this variable only if you want specific subnets or
# hosts to be able to access the internet. When no value is specified, your
# whole internal net will have access. In both cases it's obviously only
# meaningful when NAT is enabled. Note that you can also use this variable if
# you want to use NAT for your DMZ.
# -----------------------------------------------------------------------------
NAT_INTERNAL_NET="$INTERNAL_NET"

# (EXPERT SETTING!) Enable this if you want to be able to redirect local ports
# or protocols on your gateway using NAT forwards.
# -----------------------------------------------------------------------------
NAT_LOCAL_REDIRECT=0

# NAT TCP/UDP/IP forwards. Forward ports or protocols from the gateway to
# an internal client through (D)NAT. Note that you can also use these
# variables to forward ports to DMZ hosts.
#
# TCP/UDP form:
#       "{SRCIP1,SRCIP2,...~}PORT1,PORT2-PORT3,...>DESTIP1{~port} \
#        {SRCIP3,...~}PORT3,...>DESTIP2{~port}"
#
# IP form:
#       "{SRCIP1,SRCIP2,...~}PROTO1,PROTO2,...>DESTIP1 \
#        {SRCIP3~}PROTO3,PROTO4,...>DESTIP2"
#
# TCP/UDP port forward examples:
# Simple (forward port 80 to internal host 192.168.0.10):
#       NAT_FORWARD_xxx="80>192.168.0.10 20,21>192.168.0.10"
# Advanced (forward port 20 & 21 to 192.168.0.10 and
#           forward from 1.2.3.4 port 81 to 192.168.0.11 port 80:
#       NAT_FORWARD_xxx="1.2.3.4~81>192.168.0.11~80"
#
# IP protocol forward example:
#        (forward protocols 47 & 48 to 192.168.0.10)
#        NAT_FORWARD_IP="47,48>192.168.0.10"
#
# NOTE 1: {~port} is optional. Use it to redirect a specific port to a
#         different port on the internal client.
# NOTE 2: {SRCIPx} is optional. Use it to restrict access for specific source
#         (inet) IP addresses.
# (IPv4 Only)
# -----------------------------------------------------------------------------
NAT_FORWARD_TCP=""
NAT_FORWARD_UDP=""
NAT_FORWARD_IP=""

# TCP/UDP/IP forwards. Forward IPv6 and non-NAT'ed IPv4 ports or protocols
# from the gateway to an internal client. Note that you can also use these
# variables to forward ports to DMZ hosts.
#
# TCP/UDP form:
#       "SRCIP1,SRCIP2,...>DESTIP1{~port} \
#        SRCIP3,...>DESTIP2{~port}"
#
# IP form:
#       "SRCIP1,SRCIP2,...>DESTIP1~PROTO \
#        SRCIP3,...>DESTIP2~PROTO"
#
# TCP/UDP port forward examples:
# Simple (IPv6 forward port 80 to internal host 2001:db8::2):
#       INET_FORWARD_TCP="::/0>2001:db8::2~80"
# Simple (IPv4 non-NAT forward port 80 to internal host 192.168.0.10):
#       INET_FORWARD_TCP="0/0>192.168.0.10~80"
# Advanced (forward all UDP ports for 2000::/3 net to 2001:db8::/32 net):
#       INET_FORWARD_UDP="2000::/3>2001:db8::/32"
#
# IP protocol forward example:
#        (forward protocol 58 (ICMPv6) to 2001:db8::2)
#       INET_FORWARD_IP="::/0>2001:db8::2~58"
#
# (IPv6 and non-NAT'ed IPv4 Only)
# -----------------------------------------------------------------------------
INET_FORWARD_TCP=""
INET_FORWARD_UDP=""
INET_FORWARD_IP=""



#9 2013-02-19 11:51:23

Lockheed
Member
Registered: 2010-03-16
Posts: 1,427

Re: Bridge connection problem.

Ok, so here's my conf:

###############################################################################
# You should put this config-file in /etc/arno-iptables-firewall/             #
###############################################################################

# --------------------------- Configuration file ------------------------------
#                       -= Arno's iptables firewall =-
#         Single- & multi-homed firewall script with DSL/ADSL support
#
# (C) Copyright 2001-2012 by Arno van Amersfoort
# Co-authors : Lonnie Abelbeck & Philip Prindeville
# Homepage   : http://rocky.eld.leidenuniv.nl/
# Freshmeat  : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
# Email      : arnova AT rocky DOT eld DOT leidenuniv DOT nl
#              (note: you must remove all spaces and substitute the @ and the .
#              at the proper locations!)
# -----------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.

# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
# more details.

# You should have received a copy of the GNU General Public License along with
# this program; if not, write to the Free Software Foundation Inc., 59 Temple
# Place - Suite 330, Boston, MA 02111-1307, USA.
# -----------------------------------------------------------------------------


###############################################################################
# External (internet) interface settings                                      #
###############################################################################

# The external interface(s) that will be protected (and used as internet
# connection). This is probably ppp+ or dsl+ for non-transparent(!) (A)DSL
# modems otherwise it's probably "ethX" (eg. eth0). Multiple interfaces should
# be space separated.
# -----------------------------------------------------------------------------
EXT_IF="eth0 wlan0"

# Enable if THIS machines (dynamically) obtains its IP through (IPv4) DHCP
# and/or (IPv6) DHCPv6 (from your ISP)
# -----------------------------------------------------------------------------
EXT_IF_DHCP_IP=1

# (EXPERT SETTING!) Here you can specify your external(!) IPv4 subnet(s). You
# should only use this if you for example have a corporate network and/or
# running a DHCP server on your external(!) interface. Home users should
# normally NOT touch this setting. Multiple subnets should be space separated.
# Don't forget to specify a proper subnet masker (eg. /24, /16 or /8)!
# -----------------------------------------------------------------------------
#EXTERNAL_NET=""

# (EXPERT SETTING!) Here you can specify the IPv4 address used for broadcasts 
# on your external subnet. You only need to set this option if you want to use 
# the BROADCAST_XXX_NOLOG variables AND you use a non-standard broadcast
# address (not *.255.255.255, *.*.255.255 or *.*.*.255)! So normally leaving
# this empty should work fine. Multiple addresses should be space separated.
# -----------------------------------------------------------------------------
#EXT_NET_BCAST_ADDRESS=""

# Enable this if THIS MACHINE is running an IPv4 DHCP(BOOTP) server for a subnet
# on the external(!) interface. Note that you don't need this for internal
# subnets, as for these nets everything is accepted by default. Don't forget to 
# configure the EXTERNAL_NET variable, to make this work. (IPv4 Only)
# -----------------------------------------------------------------------------
EXTERNAL_DHCP_SERVER=0

# Enable this if THIS MACHINE is running an IPv6 DHCPv6 server for a Link-Local
# address on the external(!) interface. Note that you don't need this for internal
# subnets, as for these nets everything is accepted by default. (IPv6 Only)
# -----------------------------------------------------------------------------
EXTERNAL_DHCPV6_SERVER=0


###############################################################################
# Internal (LAN) interface settings                                           #
###############################################################################

# Specify here your internal network (LAN) interface(s). Multiple(!) interfaces
# should be space separated. Remark this if you don't have any internal network
# interfaces. Note that by default ALL traffic is accepted from these
# interfaces.
# -----------------------------------------------------------------------------
INT_IF="usb0 usb1"

# Specify here the internal IPv4 subnet(s) which is/are connected to the
# internal interface(s). For multiple interfaces(!) you can either specify
# multiple subnets here or specify one big subnet for all internal interfaces.
# Note that this variable is mainly used for antispoofing.
# -----------------------------------------------------------------------------
INTERNAL_NET="10.1.3.0/24"

# Set this variable to 0 to disable antispoof checking for the internal nets
# (EXPERT SETTING!)
# -----------------------------------------------------------------------------
INTERNAL_NET_ANTISPOOF=1

# (EXPERT SETTING!) Here you can specify the IPv4 address used for broadcasts
# on your internal subnet. You only need to set this option if you want to use
# the MAC filter AND you use a non-standard broadcast address
# (not *.255.255.255, *.*.255.255 or *.*.*.255)! So normally leaving
# this empty should work fine. Multiple addresses (if you have multiple
# internal nets) should be space separated.
# -----------------------------------------------------------------------------
#INT_NET_BCAST_ADDRESS=""


###############################################################################
# DMZ (aka DeMilitarized Zone) settings                                       #
###############################################################################

# Put in the following variable the network interfaces that are DMZ-classified.
# You can also use this interface if you want to shield your Wireless network
# from your LAN.
# -----------------------------------------------------------------------------
DMZ_IF=""

# Specify here the subnet which is connected to the DMZ interface (DMZ_IF).
# For multiple interfaces(!) you can either specify multiple subnets here or
# specify one big subnet for all DMZ interfaces.
# -----------------------------------------------------------------------------
DMZ_NET=""

# Set this variable to 0 to disable antispoof checking for the dmz nets
# (EXPERT SETTING!)
# -----------------------------------------------------------------------------
DMZ_NET_ANTISPOOF=1

###############################################################################
# NAT (Masquerade, SNAT, DNAT) settings (IPv4 only!)                          #
###############################################################################

# Enable this if you want to perform NAT (masquerading) for your internal
# network (LAN) (eg. share your internet connection with your internal
# net(s) connected to eg. INT_IF)
# -----------------------------------------------------------------------------
NAT=1

# (EXPERT SETTING!) In case you would like to use SNAT instead of
# MASQUERADING then uncomment and set the IP or IPs here of your static
# external address(es). Note that when multiple IPs are specified, SNAT
# multiroute is enabled (load balancing over multiple external (internet)
# interfaces, check the README file for more info). Note that the order of IPs
# should match the order of interfaces (they belong to) in $EXT_IF!
# -----------------------------------------------------------------------------
#NAT_STATIC_IP="193.2.1.1"

# (EXPERT SETTING!) Use this variable only if you want specific subnets or
# hosts to be able to access the internet. When no value is specified, your
# whole internal net will have access. In both cases it's obviously only
# meaningful when NAT is enabled. Note that you can also use this variable if
# you want to use NAT for your DMZ.
# -----------------------------------------------------------------------------
NAT_INTERNAL_NET="$INTERNAL_NET"

# (EXPERT SETTING!) Enable this if you want to be able to redirect local ports
# or protocols on your gateway using NAT forwards.
# -----------------------------------------------------------------------------
NAT_LOCAL_REDIRECT=0

# NAT TCP/UDP/IP forwards. Forward ports or protocols from the gateway to
# an internal client through (D)NAT. Note that you can also use these
# variables to forward ports to DMZ hosts.
#
# TCP/UDP form:
#       "{SRCIP1,SRCIP2,...~}PORT1,PORT2-PORT3,...>DESTIP1{~port} \
#        {SRCIP3,...~}PORT3,...>DESTIP2{~port}"
#
# IP form:
#       "{SRCIP1,SRCIP2,...~}PROTO1,PROTO2,...>DESTIP1 \
#        {SRCIP3~}PROTO3,PROTO4,...>DESTIP2"
#
# TCP/UDP port forward examples:
# Simple (forward port 80 to internal host 192.168.0.10):
#       NAT_FORWARD_xxx="80>192.168.0.10"
# Advanced (forward ports 20 & 21 to 192.168.0.10 and
#           forward from 1.2.3.4 port 81 to 192.168.0.11 port 80):
#       NAT_FORWARD_xxx="20,21>192.168.0.10 1.2.3.4~81>192.168.0.11~80"
#
# IP protocol forward example:
#        (forward protocols 47 & 48 to 192.168.0.10)
#        NAT_FORWARD_IP="47,48>192.168.0.10"
#
# NOTE 1: {~port} is optional. Use it to redirect a specific port to a
#         different port on the internal client.
# NOTE 2: {SRCIPx} is optional. Use it to restrict access for specific source
#         (inet) IP addresses.
# (IPv4 Only)
# -----------------------------------------------------------------------------
NAT_FORWARD_TCP=""
NAT_FORWARD_UDP=""
NAT_FORWARD_IP=""

# TCP/UDP/IP forwards. Forward IPv6 and non-NAT'ed IPv4 ports or protocols
# from the gateway to an internal client. Note that you can also use these
# variables to forward ports to DMZ hosts.
#
# TCP/UDP form:
#       "SRCIP1,SRCIP2,...>DESTIP1{~port} \
#        SRCIP3,...>DESTIP2{~port}"
#
# IP form:
#       "SRCIP1,SRCIP2,...>DESTIP1~PROTO \
#        SRCIP3,...>DESTIP2~PROTO"
#
# TCP/UDP port forward examples:
# Simple (IPv6 forward port 80 to internal host 2001:db8::2):
#       INET_FORWARD_TCP="::/0>2001:db8::2~80"
# Simple (IPv4 non-NAT forward port 80 to internal host 192.168.0.10):
#       INET_FORWARD_TCP="0/0>192.168.0.10~80"
# Advanced (forward all UDP ports for 2000::/3 net to 2001:db8::/32 net):
#       INET_FORWARD_UDP="2000::/3>2001:db8::/32"
#
# IP protocol forward example:
#        (forward protocol 58 (ICMPv6) to 2001:db8::2)
#       INET_FORWARD_IP="::/0>2001:db8::2~58"
#
# (IPv6 and non-NAT'ed IPv4 Only)
# -----------------------------------------------------------------------------
INET_FORWARD_TCP=""
INET_FORWARD_UDP=""
INET_FORWARD_IP=""


###############################################################################
# General settings                                                            #
###############################################################################

# (EXPERT SETTING!) Location of the iptables-binary (use 'locate iptables' or
# 'whereis iptables' to manually locate it), required for (default) IPv4 support
# -----------------------------------------------------------------------------
IP4TABLES="/usr/sbin/iptables"

# (EXPERT SETTING!) Location of the ip6tables-binary (use 'locate ip6tables' or
# 'whereis ip6tables' to manually locate it), required for IPv6 support
# -----------------------------------------------------------------------------
IP6TABLES="/usr/sbin/ip6tables"

# (EXPERT SETTING!) Location of the environment file
# -----------------------------------------------------------------------------
ENV_FILE="/usr/share/arno-iptables-firewall/environment"

# (EXPERT SETTING!) Location of plugin binary & config files
# -----------------------------------------------------------------------------
PLUGIN_BIN_PATH="/usr/share/arno-iptables-firewall/plugins"
PLUGIN_CONF_PATH="/etc/arno-iptables-firewall/plugins"

# Most people don't want firewall logs spewed out to the console.
# This option makes the kernel ring buffer only print messages with level
# "panic" to the console.
# -----------------------------------------------------------------------------
DMESG_PANIC_ONLY=1

# Enable this if you want TOS mangling (RFC)
# -----------------------------------------------------------------------------
MANGLE_TOS=0

# Enable this if you want to clamp the maximum packet size via the
# Maximum Segment Size (MSS) TCP option.
# -----------------------------------------------------------------------------
SET_MSS=1

# Enable this if you want to increase the TTL value by one in the prerouting
# chain. This hides the firewall when performing eg. traceroutes to internal
# hosts. (IPv4 only!)
# -----------------------------------------------------------------------------
TTL_INC=0

# (EXPERT SETTING!) Enable this if you want to set the TTL value for packets in
# the OUTPUT & FORWARD chain. Note that this only works with newer 2.6 kernels
# (2.6.14 or better) or patched 2.4 kernels, which have netfilter TTL target
# support. Don't mess with this unless you really know what you are doing!
# (IPv4 only!)
# -----------------------------------------------------------------------------
#PACKET_TTL="64"

# Enable this to support the IRC-protocol.
# -----------------------------------------------------------------------------
USE_IRC=0

# (EXPERT SETTING!) Loosen the forward chain for the external interface(s).
# Enable it to allow the use of protocols like UPnP. Note that it *could* be
# less secure.
# -----------------------------------------------------------------------------
LOOSE_FORWARD=0

# (EXPERT SETTING!) Enable (1) to allow IPv6 Link-Local addresses to be
# forwarded between interfaces. (IPv6 Only)
# -----------------------------------------------------------------------------
FORWARD_LINK_LOCAL=0

# (EXPERT SETTING!) Disable (0) to not drop all IPv6 packets with
# Routing Header Type 0. Enabled by default. (IPv6 Only)
# -----------------------------------------------------------------------------
IPV6_DROP_RH_ZERO=1

# (EXPERT SETTING!) Enable this if you want to drop packets originating from a
# private address.
# Note: To enable logging of dropped private addresses set RESERVED_NET_LOG=1
# -----------------------------------------------------------------------------
RESERVED_NET_DROP=0

# (EXPERT SETTING!) Protect this machine from being abused for a DRDOS-attack
# ("Distributed Reflection Denial Of Service"-attack). (STILL EXPERIMENTAL!)
# -----------------------------------------------------------------------------
DRDOS_PROTECT=0

# Enable (1) if you want to enable mixed IPv4/IPv6 traffic support
# Disable (0) if you want to enable only IPv4 traffic support
# -----------------------------------------------------------------------------
IPV6_SUPPORT=0

# This option fixes problems with SMB broadcasts when using nmblookup
# -----------------------------------------------------------------------------
NMB_BROADCAST_FIX=0

# Set this to 0 to suppress "assuming module is compiled in kernel" messages
# -----------------------------------------------------------------------------
COMPILED_IN_KERNEL_MESSAGES=1

# (EXPERT SETTING!) You can choose the default policy for the INPUT & FORWARD
# chain here (1=DROP, 0=ACCEPT). The default policy is DROP. This means that
# when there are no rule(s) available (yet), the packet will be DROPPED. In
# practice this rule only does something while the firewall is starting. Once
# it's started and all rules are in place, the default policy doesn't do
# anything anymore. People that use eg. NFS and let their clients boot from NFS
# (diskless client systems) probably want to disable this option to fix
# "NFS server not responding" etc. errors on their clients.
# -----------------------------------------------------------------------------
DEFAULT_POLICY_DROP=1

# (EXPERT SETTING!) (Other) trusted network interfaces for which ALL IP
# traffic should be ACCEPTED. (multiple(!) interfaces should be space
# separated). Be warned that anything TO and FROM these interfaces is allowed
# (ACCEPTED) so make sure it's NOT routable(accessible) from the outside world
# (internet)! And of course putting one of your external interfaces here would
# be extremely stupid.
# -----------------------------------------------------------------------------
TRUSTED_IF=""

# (EXPERT SETTING!) Put here the interfaces that should trust
# each other (accept forward traffic). You can use | (pipe sign) to create
# separate interface groups. And (again) of course putting one of your external
# interfaces here would be extremely stupid.
# -----------------------------------------------------------------------------
IF_TRUSTS=""

# Location of the custom iptables rules file (if any).
# -----------------------------------------------------------------------------
CUSTOM_RULES="/etc/arno-iptables-firewall/custom-rules"

# Location of the local (user/global) configuration file, if used
# -----------------------------------------------------------------------------
LOCAL_CONFIG_FILE=""

# (EXPERT SETTING!) Set this (to 1) to disable the use of iptables-save and
# iptables-restore, which add rules in batch rather than one-by-one. Much
# slower when disabled. BLOCK_HOSTS and BLOCK_HOSTS_FILE utilize this feature.
# -----------------------------------------------------------------------------
DISABLE_IPTABLES_BATCH=0

# (EXPERT SETTING!) Set this (to 1) to enable tracing
# -----------------------------------------------------------------------------
TRACE=0

###############################################################################
# Logging options - All logging is rate limited to prevent log flooding       #
###############################################################################

# Enable logging for explicitly blocked hosts.
# -----------------------------------------------------------------------------
BLOCKED_HOST_LOG=1

# Enable logging for various stealth scans (reliable).
# -----------------------------------------------------------------------------
SCAN_LOG=1

# Enable logging for possible stealth scans (less reliable).
# -----------------------------------------------------------------------------
POSSIBLE_SCAN_LOG=1

# Enable logging for TCP-packets with bad flags.
# -----------------------------------------------------------------------------
BAD_FLAGS_LOG=1

# Enable logging of invalid TCP packets. Keep disabled (0) by default to reduce
# INVALID packets being logged because of lost (legitimate) connections. When
# debugging any problems, you should enable it (temporarily)!
# -----------------------------------------------------------------------------
INVALID_TCP_LOG=0

# Enable logging of invalid UDP packets. Keep disabled (0) by default to reduce
# INVALID packets being logged because of lost (legitimate) connections. When
# debugging any problems, you should enable it (temporarily)!
# -----------------------------------------------------------------------------
INVALID_UDP_LOG=0

# Enable logging of invalid ICMP packets. Keep disabled (0) by default to reduce
# INVALID packets being logged because of lost (legitimate) connections. When
# debugging any problems, you should enable it (temporarily)!
# -----------------------------------------------------------------------------
INVALID_ICMP_LOG=0

# Enable (1) logging of source IPs with reserved or private addresses.
# -----------------------------------------------------------------------------
RESERVED_NET_LOG=0

# Enable logging of fragmented packets.
# -----------------------------------------------------------------------------
FRAG_LOG=1

# Enable logging of denied local (OUTPUT) connections.
# -----------------------------------------------------------------------------
INET_OUTPUT_DENY_LOG=1

# Enable logging of denied LAN output (FORWARD) connections.
# -----------------------------------------------------------------------------
LAN_OUTPUT_DENY_LOG=1

# Enable logging of denied LAN INPUT connections.
# -----------------------------------------------------------------------------
LAN_INPUT_DENY_LOG=1

# Enable logging of denied DMZ output (FORWARD) connections.
# -----------------------------------------------------------------------------
DMZ_OUTPUT_DENY_LOG=1

# Enable logging of denied DMZ input (FORWARD) connections.
# -----------------------------------------------------------------------------
DMZ_INPUT_DENY_LOG=1

# Enable logging of dropped FORWARD packets.
# -----------------------------------------------------------------------------
FORWARD_DROP_LOG=1

# Enable logging of dropped IPv6 Link-Local forwarded packets.
# Note: requires FORWARD_LINK_LOCAL=0 (IPv6 Only)
# -----------------------------------------------------------------------------
LINK_LOCAL_DROP_LOG=1

# Enable logging of dropped ICMP-request packets (ping).
# -----------------------------------------------------------------------------
ICMP_REQUEST_LOG=1

# Enable logging of dropped "other" ICMP packets.
# -----------------------------------------------------------------------------
ICMP_OTHER_LOG=1

# Enable logging of normal connection attempts to privileged TCP ports.
# -----------------------------------------------------------------------------
PRIV_TCP_LOG=1

# Enable logging of normal connection attempts to privileged UDP ports.
# -----------------------------------------------------------------------------
PRIV_UDP_LOG=1

# Enable logging of normal connection attempts to unprivileged TCP ports.
# -----------------------------------------------------------------------------
UNPRIV_TCP_LOG=1

# Enable logging of normal connection attempts to unprivileged UDP ports.
# -----------------------------------------------------------------------------
UNPRIV_UDP_LOG=1

# Enable logging of IPv4 IGMP packets
# -----------------------------------------------------------------------------
IGMP_LOG=1

# Enable logging of normal connection attempts to "other-IP"-protocols (non
# TCP/UDP/ICMP/IGMP).
# -----------------------------------------------------------------------------
OTHER_IP_LOG=1

# Enable logging for ICMP flooding.
# -----------------------------------------------------------------------------
ICMP_FLOOD_LOG=1

# (EXPERT SETTING!) The location of the dedicated firewall log file. When
# enabled the firewall script will also log start/stop etc. info to this file
# as well. Note that in order to make this work, you should also configure
# syslogd to log firewall messages to this file (see LOGLEVEL below for further
# info).
# -----------------------------------------------------------------------------
#FIREWALL_LOG="/var/log/firewall.log"

# (EXPERT SETTING!) Current log-level ("info": default kernel syslog level)
# "debug": can be used to log to /var/log/firewall.log, but you have to configure
# syslogd accordingly (see included syslogd.conf examples).
# -----------------------------------------------------------------------------
LOGLEVEL="info"

# Put in the following variables which hosts you want to log certain incoming
# connection attempts for.
# TCP/UDP port format (LOG_HOST_INPUT_xxx):
#       "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (LOG_HOST_INPUT_IP):
#       "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
# -----------------------------------------------------------------------------
LOG_HOST_INPUT_TCP=""
LOG_HOST_INPUT_UDP=""
LOG_HOST_INPUT_IP=""

# Put in the following variables which hosts you want to log certain outgoing
# connection attempts for.
# TCP/UDP port format (LOG_HOST_OUTPUT_xxx):
#       "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (LOG_HOST_OUTPUT_IP):
#       "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
# -----------------------------------------------------------------------------
LOG_HOST_OUTPUT_TCP=""
LOG_HOST_OUTPUT_UDP=""
LOG_HOST_OUTPUT_IP=""

# Put in the following variables which services you want to log incoming
# connection attempts for.
# -----------------------------------------------------------------------------
LOG_INPUT_TCP=""
LOG_INPUT_UDP=""
LOG_INPUT_IP=""

# Put in the following variables which services you want to log outgoing
# connection attempts for.
# -----------------------------------------------------------------------------
LOG_OUTPUT_TCP=""
LOG_OUTPUT_UDP=""
LOG_OUTPUT_IP=""

# Put in the following variable which hosts you want to log incoming connection
# (attempts) for.
# -----------------------------------------------------------------------------
LOG_HOST_INPUT=""

# Put in the following variable which hosts you want to log outgoing connection
# (attempts) to.
# -----------------------------------------------------------------------------
LOG_HOST_OUTPUT=""


###############################################################################
# sysctl based settings (EXPERT SETTINGS!)                                    #
###############################################################################

# Enable for synflood protection (through /proc/.../tcp_syncookies).
# -----------------------------------------------------------------------------
SYN_PROT=1

# Enable this to reduce the ability of others DOS'ing your machine.
# -----------------------------------------------------------------------------
REDUCE_DOS_ABILITY=1

# Enable to ignore all ICMP echo-requests (IPv4) on ALL interfaces.
# -----------------------------------------------------------------------------
ECHO_IGNORE=0

# Enable to log packets with impossible addresses to the kernel log.
# -----------------------------------------------------------------------------
LOG_MARTIANS=0

# Only disable this if you're NOT using forwarding (required for NAT etc.);
# disabling it then increases security.
# Note: If enabled together with IPv6 support, local IPv6 autoconf will be
# disabled.
# -----------------------------------------------------------------------------
IP_FORWARDING=1

# (EXPERT SETTING!) Only disable this if IP_FORWARDING is disabled and
# you do not use autoconf to obtain your IPv6 address.
# Note: This is ignored if IP_FORWARDING is enabled. (IPv6 Only)
# -----------------------------------------------------------------------------
IPV6_AUTO_CONFIGURATION=1

# Enable if you want to accept ICMP redirect messages. Should be set to "0" in
# case of a router.
# -----------------------------------------------------------------------------
ICMP_REDIRECT=0

# Enable/modify this if you want to be able to handle a larger (or smaller)
# number of simultaneous connections. For high traffic machines I recommend
# using a value of at least 16384 (note that a higher value (obviously) also
# uses more memory).
# -----------------------------------------------------------------------------
CONNTRACK=16384

# Enable ECN (Explicit Congestion Notification) TCP flag. Disabled by default,
# as some routers are still not compatible with this.
# -----------------------------------------------------------------------------
ECN=0

# Enable to drop connections from non-routable IPs (reverse path filtering),
# eg. to prevent source routing. By default the firewall itself also provides
# rules against source routing. Note that when you use eg. VPN (Freeswan), you
# should probably disable this setting.
# -----------------------------------------------------------------------------
RP_FILTER=1

# Protect against source routed packets. Attackers can use source routing to
# generate traffic pretending to be from inside your network, but which is
# routed back along the path from which it came, namely outside, so attackers
# can compromise your network. Source routing is rarely used for legitimate
# purposes, so normally you should always leave this enabled(1)!
# -----------------------------------------------------------------------------
SOURCE_ROUTE_PROTECTION=1

# Here we set the local port range (ports from which connections are
# initiated from our site). Don't mess with this unless you really know what
# you are doing!
# -----------------------------------------------------------------------------
LOCAL_PORT_RANGE="32768 61000"

# Here you can change the default TTL used for sending packets. The value
# should be between 10 and 255. Don't mess with this unless you really know
# what you are doing!
# -----------------------------------------------------------------------------
DEFAULT_TTL=64

# In most cases pmtu discovery is ok, but in some rare cases (when having
# problems) you might want to disable it.
# -----------------------------------------------------------------------------
NO_PMTU_DISCOVERY=0


###############################################################################
# Firewall policies for the LAN (EXPERT SETTINGS!)                            #
###############################################################################

###############################################################################
# LAN_xxx = LAN->localhost(this machine) input access rules                   #
#                                                                             #
# Note that when both LAN_OPEN_xxx & LAN_HOST_OPEN_xxx are NOT used, the      #
# default policy for this chain is accept (unless denied through              #
# LAN_DENY_xxx and/or LAN_HOST_DENY_xxx)!                                     #
###############################################################################

# Enable this to allow for ICMP-requests(ping) from your LAN
# -----------------------------------------------------------------------------
LAN_OPEN_ICMP=1

# Put in the following variables the TCP/UDP ports or IP protocols TO
# (remote end-point) which the LAN hosts are permitted to connect to.
# -----------------------------------------------------------------------------
LAN_OPEN_TCP=""
LAN_OPEN_UDP=""
LAN_OPEN_IP=""

# Put in the following variables the TCP/UDP ports or IP protocols TO (remote
# end-point) which LAN hosts are NOT permitted to connect to.
# -----------------------------------------------------------------------------
LAN_DENY_TCP=""
LAN_DENY_UDP=""
LAN_DENY_IP=""

# Put in the following variables the TCP/UDP ports or IP
# protocols TO (remote end-point) which certain LAN hosts are
# permitted to connect to.
#
# TCP/UDP port format (LAN_HOST_OPEN_TCP & LAN_HOST_OPEN_UDP):
#       "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (LAN_HOST_OPEN_IP):
#       "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
# -----------------------------------------------------------------------------
LAN_HOST_OPEN_TCP=""
LAN_HOST_OPEN_UDP=""
LAN_HOST_OPEN_IP=""

# Put in the following variables the TCP/UDP ports or IP protocols TO (remote
# end-point) which certain LAN hosts are NOT permitted to connect to.
#
# TCP/UDP port format (LAN_HOST_DENY_TCP & LAN_HOST_DENY_UDP):
#       "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (LAN_HOST_DENY_IP):
#       "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
# -----------------------------------------------------------------------------
LAN_HOST_DENY_TCP=""
LAN_HOST_DENY_UDP=""
LAN_HOST_DENY_IP=""


###############################################################################
# LAN_INET_xxx = LAN->internet access rules (forward)                         #
#                                                                             #
# Note that when both LAN_INET_OPEN_xxx & LAN_INET_HOST_OPEN_xxx are NOT      #
# used, the default policy for this chain is accept (unless denied            #
# through LAN_INET_DENY_xxx and/or LAN_INET_HOST_DENY_xxx)!                   #
###############################################################################

# Enable this to allow for ICMP-requests(ping) for LAN->INET
# -----------------------------------------------------------------------------
LAN_INET_OPEN_ICMP=1

# Put in the following variables the TCP/UDP ports or IP
# protocols TO (remote end-point) which the LAN hosts are
# permitted to connect to via the external (internet) interface.
# -----------------------------------------------------------------------------
LAN_INET_OPEN_TCP=""
LAN_INET_OPEN_UDP=""
LAN_INET_OPEN_IP=""

# Put in the following variables the TCP/UDP ports or IP protocols TO (remote
# end-point) which the LAN hosts are NOT permitted to connect to
# via the external (internet) interface. Examples of usage are for blocking
# IRC (TCP 6666:6669) for the internal network.
# -----------------------------------------------------------------------------
LAN_INET_DENY_TCP=""
LAN_INET_DENY_UDP=""
LAN_INET_DENY_IP=""

# Put in the following variables which LAN hosts you want to allow to certain
# hosts/services on the internet. By default all services are allowed.
#
# TCP/UDP form:
#       "SRCIP1,SRCIP2,...>DESTIP1~port \
#        SRCIP3,...>DESTIP2~port"
#
# IP form:
#       "SRCIP1,SRCIP2,...>DESTIP1~protocol \
#        SRCIP3,...>DESTIP2~protocol"
#
# TCP/UDP examples:
# Simple:
#       (Allow port 80 on INET host 1.2.3.4 for all LAN hosts(0/0)):
#       LAN_INET_HOST_OPEN_xxx="0/0>1.2.3.4~80"
# Advanced:
#       (Allow ports 20 & 21 on INET host 1.2.3.4 for all LAN hosts(0/0) and
#        allow port 80 on INET host 1.2.3.4 for LAN host 192.168.0.10 (only)):
#       LAN_INET_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 192.168.0.10>1.2.3.4~80"
#
# IP protocol example:
#       (Allow protocols 47 & 48 on INET host 1.2.3.4 for all LAN hosts(0/0))
#       LAN_INET_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
#
# NOTE 1: If no SRCIPx is specified, any source host is used
# NOTE 2: If no port is specified, any port is used
# -----------------------------------------------------------------------------
LAN_INET_HOST_OPEN_TCP=""
LAN_INET_HOST_OPEN_UDP=""
LAN_INET_HOST_OPEN_IP=""

# Put in the following variables which DMZ hosts you want to deny to certain
# hosts/services on the internet.
#
# TCP/UDP form:
#       "SRCIP1,SRCIP2,...>DESTIP1~port \
#        SRCIP3,...>DESTIP2~port"
#
# IP form:
#       "SRCIP1,SRCIP2,...>DESTIP1~protocol \
#        SRCIP3,...>DESTIP2~protocol"
#
# TCP/UDP examples:
# Simple (Deny port 80 on INET host 1.2.3.4 for all LAN hosts(0/0)):
#       LAN_INET_HOST_DENY_xxx="0/0>1.2.3.4~80"
# Advanced (Deny port 20 & 21 on INET host 1.2.3.4 for all LAN hosts(0/0) and
#           deny port 80 on INET host 1.2.3.4 for LAN host 192.168.0.10 (only)):
#       LAN_INET_HOST_DENY_xxx="0/0>1.2.3.4~20,21 192.168.0.10>1.2.3.4~80"
#
# IP protocol example:
#       (Deny protocols 47 & 48 on INET host 1.2.3.4 for all LAN hosts(0/0)):
#       LAN_INET_HOST_DENY_IP="0/0>1.2.3.4~47,48"
#
# NOTE 1: If no SRCIPx is specified, any source host is used
# NOTE 2: If no port is specified, any port is used
# -----------------------------------------------------------------------------
LAN_INET_HOST_DENY_TCP=""
LAN_INET_HOST_DENY_UDP=""
LAN_INET_HOST_DENY_IP=""


###############################################################################
# Firewall policies for the DMZ (EXPERT SETTINGS!)                            #
###############################################################################

###############################################################################
# DMZ_xxx      = DMZ->localhost(this machine) input access rules              #
###############################################################################

# Enable this to allow ICMP-requests(ping) from the DMZ
# -----------------------------------------------------------------------------
DMZ_OPEN_ICMP=1

# Put in the following variables the (local) TCP/UDP ports or IP protocols
# that DMZ hosts are permitted to connect to on this machine. By default all
# (local) services are blocked for DMZ hosts.
# -----------------------------------------------------------------------------
DMZ_OPEN_TCP=""
DMZ_OPEN_UDP=""
DMZ_OPEN_IP=""

# Put in the following variables which DMZ hosts you want to allow for certain
# services. By default all (local) services are blocked for DMZ hosts.
# TCP/UDP port format (DMZ_HOST_OPEN_TCP & DMZ_HOST_OPEN_UDP):
#       "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (DMZ_HOST_OPEN_IP):
#       "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
# -----------------------------------------------------------------------------
DMZ_HOST_OPEN_TCP=""
DMZ_HOST_OPEN_UDP=""
DMZ_HOST_OPEN_IP=""


###############################################################################
# INET_DMZ_xxx = Internet->DMZ access rules (forward)                         #
#                                                                             #
# Note: As of Version 2.0.0 the default policy has changed to DROP            #
# Previous to Version 2.0.0 the default policy was ACCEPT                     #
###############################################################################

# Enable this to make the default policy allow for ICMP(ping) for INET->DMZ
# -----------------------------------------------------------------------------
INET_DMZ_OPEN_ICMP=0

# Put in the following variables the TCP/UDP ports or IP protocols in the DMZ
# that INET hosts are permitted to connect to.
# -----------------------------------------------------------------------------
INET_DMZ_OPEN_TCP=""
INET_DMZ_OPEN_UDP=""
INET_DMZ_OPEN_IP=""

# Put in the following variables the TCP/UDP ports or IP protocols in the DMZ
# that INET hosts are NOT permitted to connect to.
# -----------------------------------------------------------------------------
INET_DMZ_DENY_TCP=""
INET_DMZ_DENY_UDP=""
INET_DMZ_DENY_IP=""

# Put in the following variables which INET hosts you want to allow to certain
# hosts/services on the DMZ net. By default all services are dropped.
#
# TCP/UDP form:
#       "SRCIP1,SRCIP2,...>DESTIP1~port \
#        SRCIP3,...>DESTIP2~port"
#
# IP form:
#       "SRCIP1,SRCIP2,...>DESTIP1~protocol \
#        SRCIP3,...>DESTIP2~protocol"
#
# TCP/UDP examples:
# Simple (Allow port 80 on DMZ host 1.2.3.4 for all INET hosts(0/0)):
#       INET_DMZ_HOST_OPEN_xxx="0/0>1.2.3.4~80"
# Advanced (Allow port 20 & 21 on DMZ host 1.2.3.4 for all INET hosts(0/0) and
#           allow port 80 on DMZ host 1.2.3.4 for INET host 5.6.7.8 (only)):
#       INET_DMZ_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
#
# IP protocol example:
#       (Allow protocols 47 & 48 on DMZ host 1.2.3.4 for all INET hosts):
#       INET_DMZ_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
#
# NOTE 1: If no SRCIPx is specified, any source host is used
# NOTE 2: If no port is specified, any port is used
# -----------------------------------------------------------------------------
INET_DMZ_HOST_OPEN_TCP=""
INET_DMZ_HOST_OPEN_UDP=""
INET_DMZ_HOST_OPEN_IP=""

# Put in the following variables which INET hosts you want to deny to certain
# hosts/services on the DMZ net.
#
# TCP/UDP form:
#       "SRCIP1,SRCIP2,...>DESTIP1~port \
#        SRCIP3,...>DESTIP2~port"
#
# IP form:
#       "SRCIP1,SRCIP2,...>DESTIP1~protocol \
#        SRCIP3,...>DESTIP2~protocol"
#
# TCP/UDP examples:
# Simple (Deny port 80 on DMZ host 1.2.3.4 for all INET hosts(0/0)):
#       INET_DMZ_HOST_DENY_xxx="0/0>1.2.3.4~80"
# Advanced (Deny port 20 & 21 on DMZ host 1.2.3.4 for all INET hosts(0/0) and
#           deny port 80 on DMZ host 1.2.3.4 for INET host 5.6.7.8 (only)):
#       INET_DMZ_HOST_DENY_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
#
# IP protocol example:
#       (Deny protocols 47 & 48 on DMZ host 1.2.3.4 for all INET hosts):
#       INET_DMZ_HOST_DENY_IP="0/0>1.2.3.4~47,48"
#
# NOTE 1: If no SRCIPx is specified, any source host is used
# NOTE 2: If no port is specified, any port is used
# -----------------------------------------------------------------------------
INET_DMZ_HOST_DENY_TCP=""
INET_DMZ_HOST_DENY_UDP=""
INET_DMZ_HOST_DENY_IP=""


###############################################################################
# DMZ_INET_xxx = DMZ->internet access rules (forward)                         #
#                                                                             #
# Note that when both DMZ_INET_OPEN_xxx & DMZ_INET_HOST_OPEN_xxx are NOT      #
# used, the default policy for this chain is accept (unless denied            #
# through DMZ_INET_DENY_xxx and/or DMZ_INET_HOST_DENY_xxx)!                   #
###############################################################################

# Enable this to make the default policy allow for ICMP(ping) for DMZ->INET
# -----------------------------------------------------------------------------
DMZ_INET_OPEN_ICMP=1

# Put in the following variables the TCP/UDP ports or IP
# protocols TO (remote end-point) which the DMZ hosts are
# permitted to connect to via the external (internet) interface.
# -----------------------------------------------------------------------------
DMZ_INET_OPEN_TCP=""
DMZ_INET_OPEN_UDP=""
DMZ_INET_OPEN_IP=""

# Put in the following variables the TCP/UDP ports or IP protocols TO (remote
# end-point) which the DMZ hosts are NOT permitted to connect to
# via the external (internet) interface. Examples of usage are for blocking
# IRC (TCP 6666:6669) for the internal network.
# -----------------------------------------------------------------------------
DMZ_INET_DENY_TCP=""
DMZ_INET_DENY_UDP=""
DMZ_INET_DENY_IP=""

# Put in the following variables which DMZ hosts you want to allow to certain
# hosts/services on the internet. By default all services are allowed.
#
# TCP/UDP form:
#       "SRCIP1,SRCIP2,...>DESTIP1~port \
#        SRCIP3,...>DESTIP2~port"
#
# IP form:
#       "SRCIP1,SRCIP2,...>DESTIP1~protocol \
#        SRCIP3,...>DESTIP2~protocol"
#
# TCP/UDP examples:
# Simple (Allow port 80 on INET host 1.2.3.4 for all DMZ hosts(0/0)):
#       DMZ_INET_HOST_OPEN_xxx="0/0>1.2.3.4~80"
# Advanced (Allow port 20 & 21 on INET host 1.2.3.4 for all DMZ hosts(0/0) and
#           allow port 80 on INET host 1.2.3.4 for DMZ host 5.6.7.8 (only)):
#       DMZ_INET_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
#
# IP protocol example:
#       (Allow protocols 47 & 48 on INET host 1.2.3.4 for all DMZ hosts):
#       DMZ_INET_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
#
# NOTE 1: If no SRCIPx is specified, any source host is used
# NOTE 2: If no port is specified, any port is used
# -----------------------------------------------------------------------------
DMZ_INET_HOST_OPEN_TCP=""
DMZ_INET_HOST_OPEN_UDP=""
DMZ_INET_HOST_OPEN_IP=""

# Put in the following variables which DMZ hosts you want to deny to certain
# hosts/services on the internet.
#
# TCP/UDP form:
#       "SRCIP1,SRCIP2,...>DESTIP1~port \
#        SRCIP3,...>DESTIP2~port"
#
# IP form:
#       "SRCIP1,SRCIP2,...>DESTIP1~protocol \
#        SRCIP3,...>DESTIP2~protocol"
#
# TCP/UDP examples:
# Simple (Deny port 80 on INET host 1.2.3.4 for all DMZ hosts(0/0)):
#       DMZ_INET_HOST_DENY_xxx="0/0>1.2.3.4~80"
# Advanced (Deny port 20 & 21 on INET host 1.2.3.4 for all DMZ hosts(0/0) and
#           deny port 80 on INET host 1.2.3.4 for DMZ host 5.6.7.8 (only)):
#       DMZ_INET_HOST_DENY_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
#
# IP protocol example:
#       (Deny protocols 47 & 48 on INET host 1.2.3.4 for all DMZ hosts(0/0)):
#       DMZ_INET_HOST_DENY_IP="0/0>1.2.3.4~47,48"
#
# NOTE 1: If no SRCIPx is specified, any source host is used
# NOTE 2: If no port is specified, any port is used
# -----------------------------------------------------------------------------
DMZ_INET_HOST_DENY_TCP=""
DMZ_INET_HOST_DENY_UDP=""
DMZ_INET_HOST_DENY_IP=""


###############################################################################
# DMZ_LAN_xxx  = DMZ->LAN access rules (forward)                              #
###############################################################################

# Enable this to make the default policy allow for ICMP(ping) for DMZ->LAN
# -----------------------------------------------------------------------------
DMZ_LAN_OPEN_ICMP=0

# Put in the following variables which DMZ hosts you want to allow to certain
# hosts/services on the LAN (net).
#
# TCP/UDP form:
#       "SRCIP1,SRCIP2,...>DESTIP1~port \
#        SRCIP3,...>DESTIP2~port"
#
# IP form:
#       "SRCIP1,SRCIP2,...>DESTIP1~protocol \
#        SRCIP3,...>DESTIP2~protocol"
#
# TCP/UDP examples:
# Simple (Allow port 80 on LAN host 1.2.3.4 for all DMZ hosts(0/0)):
#       DMZ_LAN_HOST_OPEN_xxx="0/0>1.2.3.4~80"
# Advanced (Allow port 20 & 21 on LAN host 1.2.3.4 for all DMZ hosts (0/0) and
#           allow port 80 for DMZ host 5.6.7.8 (only) on LAN host
#           1.2.3.4):
#       DMZ_LAN_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
#
# IP protocol example:
#       (Allow protocols 47 & 48 on LAN host 1.2.3.4 for all DMZ hosts(0/0)):
#       DMZ_LAN_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
#
# NOTE 1: If no SRCIPx is specified, any source host is used
# NOTE 2: If no port is specified, any port is used
# -----------------------------------------------------------------------------
DMZ_LAN_HOST_OPEN_TCP=""
DMZ_LAN_HOST_OPEN_UDP=""
DMZ_LAN_HOST_OPEN_IP=""


###############################################################################
# Firewall policies for the external (inet) interface (default policy = drop) #
###############################################################################

# Put in the following variable which hosts (subnets) you want have full access
# via your internet (EXT_IF) connection(!). This is especially meant for
# networks/servers which use NIS/NFS, as these protocols require all ports
# to be open.
# NOTE: Don't mistake this variable with the one used for internal nets.
# -----------------------------------------------------------------------------
FULL_ACCESS_HOSTS=""

# Put in the following variable which TCP/UDP ports you don't want to
# see broadcasts from (eg. DHCP (67/68)) on your EXTERNAL interface. Note that
# to make this properly work you also need to set "EXTERNAL_NET"!
# -----------------------------------------------------------------------------
BROADCAST_TCP_NOLOG=""
#BROADCAST_UDP_NOLOG="67 68"

# Put in the following variables which hosts you want to allow for certain
# services.
# TCP/UDP port format (HOST_OPEN_TCP & HOST_OPEN_UDP):
#       "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (HOST_OPEN_IP):
#       "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
#
# ICMP protocol format (HOST_OPEN_ICMP):
#       "host1 host2 ...."
# -----------------------------------------------------------------------------
HOST_OPEN_TCP=""
HOST_OPEN_UDP=""
HOST_OPEN_IP=""
HOST_OPEN_ICMP=""

# Put in the following variables which hosts you want to DENY(DROP) for certain
# services (and logged).
# TCP/UDP port format (HOST_DENY_TCP & HOST_DENY_UDP):
#       "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (HOST_DENY_IP):
#       "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
#
# ICMP protocol format (HOST_DENY_ICMP):
#       "host1 host2 ...."
# -----------------------------------------------------------------------------
HOST_DENY_TCP=""
HOST_DENY_UDP=""
HOST_DENY_IP=""
HOST_DENY_ICMP=""

# Put in the following variables which hosts you want to DENY(DROP) for certain
# services but NOT logged.
# TCP/UDP port format (HOST_DENY_xxx_NOLOG):
#       "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (HOST_DENY_IP_NOLOG):
#       "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
#
# ICMP protocol format (HOST_DENY_ICMP_NOLOG):
#       "host1 host2 ...."
# -----------------------------------------------------------------------------
HOST_DENY_TCP_NOLOG=""
HOST_DENY_UDP_NOLOG=""
HOST_DENY_IP_NOLOG=""
HOST_DENY_ICMP_NOLOG=""

# Put in the following variables which hosts you want to REJECT (instead of
# DROP) for certain TCP/UDP ports.
# TCP/UDP port format (HOST_REJECT_xxx):
#       "host1,host2~port1,port2 host3,host4~port3,port4 ..."
# -----------------------------------------------------------------------------
HOST_REJECT_TCP=""
HOST_REJECT_UDP=""

# Put in the following variables which hosts you want to REJECT (instead of
# DROP) for certain services but NOT logged.
# TCP/UDP port format (HOST_REJECT_xxx_NOLOG):
#       "host1,host2~port1,port2 host3,host4~port3,port4 ..."
# -----------------------------------------------------------------------------
HOST_REJECT_TCP_NOLOG=""
HOST_REJECT_UDP_NOLOG=""

# Put in the following variables which services THIS machine is NOT
# permitted to connect TO (remote end-point) via the external (internet)
# interface. For example for blocking IRC (tcp 6666:6669).
# -----------------------------------------------------------------------------
DENY_TCP_OUTPUT=""
DENY_UDP_OUTPUT=""
DENY_IP_OUTPUT=""

# Put in the following variables to which hosts THIS machine is NOT
# permitted to connect TO for certain services (remote end-point)
# via the external (internet) interface. In principle you can also
# use this to put your machine in a "virtual-DMZ" by blocking all traffic
# to your local subnet.
# TCP/UDP port format (HOST_DENY_TCP_OUTPUT & HOST_DENY_UDP_OUTPUT):
#       "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (HOST_DENY_IP_OUTPUT):
#       "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
# -----------------------------------------------------------------------------
HOST_DENY_TCP_OUTPUT=""
HOST_DENY_UDP_OUTPUT=""
HOST_DENY_IP_OUTPUT=""

# Enable (1) to make the default policy allow for IPv4 ICMP (ping) for INET access
# Note: Other ICMP variables apply to both IPv4 and IPv6 unless otherwise noted.
# -----------------------------------------------------------------------------
OPEN_ICMP=0

# Disable (0) to make the default policy drop IPv6 ICMPv6 for INET access
# Note: Other ICMP variables apply to both IPv4 and IPv6 unless otherwise noted.
# -----------------------------------------------------------------------------
OPEN_ICMPV6=1

# Put in the following variables which ports or IP protocols you want to leave
# open to the whole world.
# -----------------------------------------------------------------------------
OPEN_TCP=""
OPEN_UDP=""
OPEN_IP=""

# Put in the following variables the TCP/UDP ports you want to DENY(DROP) for
# everyone (and logged). Also use these variables if you want to log connection
# attempts to these ports from everyone (also trusted/full access hosts).
# In principle you don't need these variables, as everything is already blocked
# (denied) by default, but just exists for consistency.
# -----------------------------------------------------------------------------
DENY_TCP=""
DENY_UDP=""

# Put in the following variables which ports you want to DENY(DROP) for
# everyone but NOT logged. This is very useful if you have constant probes on
# the same port(s) over and over again (code red worm) and don't want your logs
# flooded with it.
# -----------------------------------------------------------------------------
DENY_TCP_NOLOG=""
DENY_UDP_NOLOG=""

# Put in the following variables the TCP/UDP ports you want to REJECT (instead
# of DROP) for everyone (and logged).
# -----------------------------------------------------------------------------
REJECT_TCP=""
REJECT_UDP=""

# Put in the following variables the TCP/UDP ports you want to REJECT (instead
# of DROP) for everyone but NOT logged.
# -----------------------------------------------------------------------------
REJECT_TCP_NOLOG=""
REJECT_UDP_NOLOG=""

# Put in the following variable which hosts you want to block (blackhole,
# dropping every packet from the host).
# -----------------------------------------------------------------------------
BLOCK_HOSTS=""

# Blocked Hosts are by default blocked in both Inbound and Outbound directions.
# If only Inbound blocking is desired, set to 0 to disable bidirectional blocking.
# -----------------------------------------------------------------------------
BLOCK_HOSTS_BIDIRECTIONAL=1

# Uncomment & specify here the location of the file that contains a list of
# hosts(IPs) that should be BLOCKED. IP ranges can (only) be specified as
# w.x.y.z1-z2 (eg. 192.168.1.10-15). Note that the last line of this file
# should always contain a carriage-return (enter)!
# -----------------------------------------------------------------------------
#BLOCK_HOSTS_FILE="/etc/arno-iptables-firewall/blocked-hosts"

Service status:

$ 0.status arno-iptables-firewall.service
arno-iptables-firewall.service - A secure stateful firewall for both single and multi-homed machine
	  Loaded: loaded (/usr/lib/systemd/system/arno-iptables-firewall.service; enabled)
	  Active: active (exited) since Tue 2013-02-19 12:45:30 CET; 38s ago
	Main PID: 7781 (code=exited, status=0/SUCCESS)
	  CGroup: name=systemd:/system/arno-iptables-firewall.service

which is a bit confusing as it says 'active' and 'exited' at the same time...


and then I get into my phone through adb shell, and I run:

root@android:/ # su
root@android:/ # netcfg usb0 dhcp
action 'dhcp' failed (Timer expired)

So apparently something is wrong.


Laptop: ThinkPad W500, C2D P9500, 8GB, Radeon RV635 (HD3650), Arch | Server/fw: Zotac AQ01, A4-5000 Kabini, 4GB, Arch/pfSense VM

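The rule-string format described in the config comments above (`SRC1,SRC2>DST~PORT1,PORT2 ...` for the INET/DMZ/LAN host variables, `host1,host2~port1,port2 ...` for `HOST_OPEN_xxx`/`HOST_DENY_xxx`) is compact but easy to mistype, for instance by writing `:` instead of `~` in front of the port list. The expander below is an added example, not code from the thread or from arno-iptables-firewall itself: it prints one `SRC DST PORT` line per combination (that layout, and `-` as the destination for the host-only form, are this script's own conventions, as is the `any` placeholder) and rejects entries without `~`. The first sample string is taken from the config comments; the second is constructed.

```shell
#!/bin/sh
# Added example: expand arno-iptables-firewall style host/port rule strings
# so a config can be reviewed line by line. Not code from the thread or from
# arno itself; the "SRC DST PORT" output layout is this script's own.

# expand_host_rules RULESTRING
#   Entries are space-separated. Each is "SRCS>DST~PORTS" (INET/DMZ/LAN host
#   variables) or "HOSTS~PORTS" (HOST_OPEN_xxx / HOST_DENY_xxx); SRCS/HOSTS
#   and PORTS are comma-separated lists. Prints one "SRC DST PORT" line per
#   combination, DST "-" meaning this machine. Returns 1 on a malformed entry.
expand_host_rules() {
  old_ifs=$IFS
  for entry in $1; do
    case $entry in
      *"~"*) ;;
      *) printf 'malformed entry (no "~" before the port list): %s\n' "$entry" >&2
         return 1 ;;
    esac
    lhs=${entry%%~*}             # text before the first "~"
    ports=${entry#*~}            # text after it
    case $lhs in
      *">"*) srcs=${lhs%%>*}; dst=${lhs#*>} ;;   # SRCS>DST form
      *)     srcs=$lhs;       dst=- ;;           # HOSTS form: destination is this host
    esac
    [ -n "$srcs" ]  || srcs=0/0   # NOTE 1 in the config: no source means any host
    [ -n "$ports" ] || ports=any  # NOTE 2 in the config: no port means any port
    IFS=,
    for s in $srcs; do
      for p in $ports; do
        printf '%s %s %s\n' "$s" "$dst" "$p"
      done
    done
    IFS=$old_ifs
  done
}

# Walk the example from the config comments, then a constructed HOST_OPEN-style
# string, then show that the ":"-instead-of-"~" mistake is caught.
for example in \
    '0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80' \
    '10.1.3.0/24,10.1.4.0/24~22,80 ~443'; do
  printf '# %s\n' "$example"
  expand_host_rules "$example"
done
if ! expand_host_rules '0/0>1.2.3.4:47,48' 2>/dev/null; then
  echo '# entry written with ":" rejected as expected'
fi
```

Paste a variable's value as the argument (for example the `HOST_OPEN_TCP` string) to see exactly which source, destination and port triples it grants or denies before loading the config.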

#10 2013-02-19 12:44:24

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: Bridge connection problem.

Okay, well, if you want to use DHCP you will need to configure that on your computer to dish out IPs in the 10.1.3.0/24 subnet.

Personally, I always configure static IPs on VMs, my phone, and stuff. One less thing to troubleshoot.

In either case the end result will need to be usb0 on your computer and usb0 on your phone with IPs in the 10.1.3.0/24 network.

Something equivalent to this:
Computer: ifconfig usb0 10.1.3.1 netmask 255.255.255.0 up
Android: ifconfig usb0 10.1.3.2 netmask 255.255.255.0 up

I keep saying 10.1.3.0/24 because you have this in your config.

# Specify here the internal IPv4 subnet(s) which is/are connected to the
# internal interface(s). For multiple interfaces(!) you can either specify
# multiple subnets here or specify one big subnet for all internal interfaces.
# Note that this variable is mainly used for antispoofing.
# -----------------------------------------------------------------------------
INTERNAL_NET="10.1.3.0/24"

Don't concern yourself with the systemctl status info. A better way to make sure the script is setting the rules you want is to grep through `iptables -nvL` output.

Last edited by hunterthomson (2013-02-20 03:49:00)


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec


#11 2013-02-19 14:00:13

Lockheed
Member
Registered: 2010-03-16
Posts: 1,427

Re: Bridge connection problem.

Well, I don't really care for DHCP. I was just following the guide, but I'm happy to drop it if it's simpler to do it on static IPs.
But how does the procedure change if I go the non-dhcp way?


Laptop: ThinkPad W500, C2D P9500, 8GB, Radeon RV635 (HD3650), Arch | Server/fw: Zotac AQ01, A4-5000 Kabini, 4GB, Arch/pfSense VM


#12 2013-02-19 22:14:23

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: Bridge connection problem.

Well, it does not change that much.

Just plug in the phone.

On the computer... the equivalent of this

ifconfig usb0 10.1.3.1 netmask 255.255.255.0 up

On the phone... the equivalent of this

ifconfig usb0 10.1.3.2 netmask 255.255.255.0 up
route add default gw 10.1.3.1
echo "nameserver 8.8.8.8" > /etc/resolv.conf
#
# See if you can ping your computer
# you should be able to but even if it fails try to ping google too.
ping 10.1.3.1
#
# And make sure you can ping google
ping 8.8.8.8
ping google.com

Basically, just manually set the IPs on your computer and phone. Then set the default gateway on the phone to be the IP addr your computer has for usb0. Finally, set Google's public DNS servers as your DNS server (i.e. 8.8.8.8).

Here is a netcfg config you could use on the phone.

/etc/network.d/usb0-static

CONNECTION='usb0 static'
DESCRIPTION='A static ip connection to computer over usb0'
INTERFACE='usb0'
IP='static'
ADDR='10.1.3.2'
GATEWAY='10.1.3.1'
DNS=('8.8.8.8')

Last edited by hunterthomson (2013-02-19 22:19:25)


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec

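Putting posts #10 to #12 together for the laptop side: a static address on usb0, IP forwarding, masquerading out of wlan0, forwarding limited to the phone's subnet, and a check of the live tables instead of the unit status, as post #10 recommends. This is an added example, not code from the thread. The uplink subnet `192.168.1.0/24` (`EXT_NET`) is made up for the example; the phone's subnet and gateway address are the ones from the static-IP commands above, and `INTERNAL_NET` is the value quoted from the firewall config. The `preflight` step refuses a usb0 subnet that overlaps the uplink's and warns when it differs from `INTERNAL_NET`. One caveat: arno-iptables-firewall rebuilds the same tables when its service (re)starts, so with that service active the equivalent settings belong in its config rather than in hand-added rules like these.

```shell
#!/bin/sh
# Added example for the laptop side of the USB tether in this thread; not code
# from the posts. EXT_NET is a made-up value; change it to wlan0's real subnet.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 as root applies and checks.
set -eu

EXT_IF=${EXT_IF:-wlan0}
EXT_NET=${EXT_NET:-192.168.1.0/24}           # assumed uplink subnet (example)
USB_IF=${USB_IF:-usb0}
USB_ADDR=${USB_ADDR:-10.1.3.1}               # gateway address from post #12
USB_NET=${USB_NET:-10.1.3.0/24}
INTERNAL_NET=${INTERNAL_NET:-10.1.3.0/24}    # value quoted from the arno config
DRY_RUN=${DRY_RUN:-1}

# ip4_to_int A.B.C.D -> the address as a 32-bit integer
ip4_to_int() {
  IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
  echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# net_id ADDR BITS -> integer network id of ADDR under a BITS-long prefix
net_id() {
  mask=$(( ((1 << $2) - 1) << (32 - $2) ))
  echo $(( $(ip4_to_int "$1") & mask ))
}

# subnets_overlap A/BITS B/BITS -> true (0) when the two prefixes intersect:
# compare both network ids under the shorter of the two prefixes.
subnets_overlap() {
  na=${1%/*}; nabits=${1#*/}
  nb=${2%/*}; nbbits=${2#*/}
  bits=$nabits
  if [ "$nbbits" -lt "$bits" ]; then bits=$nbbits; fi
  [ "$(net_id "$na" "$bits")" -eq "$(net_id "$nb" "$bits")" ]
}

# preflight -> fail on a usb0/uplink overlap, warn on an INTERNAL_NET mismatch
preflight() {
  if subnets_overlap "$USB_NET" "$EXT_NET"; then
    echo "usb0 subnet $USB_NET overlaps uplink subnet $EXT_NET; pick another" >&2
    return 1
  fi
  if [ "$USB_NET" != "$INTERNAL_NET" ]; then
    echo "warning: usb0 subnet $USB_NET is not INTERNAL_NET=$INTERNAL_NET in the firewall config" >&2
  fi
}

# run CMD... -> print the command in dry-run mode, execute it otherwise
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# setup -> the commands that make the laptop a NAT gateway for the phone
setup() {
  run sysctl -w net.ipv4.ip_forward=1
  run ip addr replace "$USB_ADDR/${USB_NET#*/}" dev "$USB_IF"
  run ip link set "$USB_IF" up
  # NAT only the phone's subnet, and only when it leaves through the uplink
  run iptables -t nat -A POSTROUTING -s "$USB_NET" -o "$EXT_IF" -j MASQUERADE
  # Forward new connections phone->uplink, replies back, and nothing else from usb0
  run iptables -A FORWARD -i "$USB_IF" -o "$EXT_IF" -s "$USB_NET" -j ACCEPT
  run iptables -A FORWARD -i "$EXT_IF" -o "$USB_IF" -d "$USB_NET" \
      -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -i "$USB_IF" -j DROP
}

# verify -> read the live kernel state rather than the service status
verify() {
  [ "$(sysctl -n net.ipv4.ip_forward)" = 1 ] || { echo "forwarding is off" >&2; return 1; }
  iptables -t nat -S POSTROUTING | grep -e "-s $USB_NET " | grep -q -e "-j MASQUERADE" \
    || { echo "no MASQUERADE rule for $USB_NET via $EXT_IF" >&2; return 1; }
  echo "# FORWARD rules touching $USB_IF:"
  iptables -S FORWARD | grep -e "$USB_IF"
}

main() {
  preflight
  setup
  if [ "$DRY_RUN" = 1 ]; then
    echo "# dry run; re-run with DRY_RUN=0 as root to apply and verify"
  else
    verify
  fi
}
main
```

The phone side stays exactly as in the commands above (address 10.1.3.2, default gateway 10.1.3.1, a nameserver). Running the script with `DRY_RUN=1` first lets you compare the planned rules against the output of `iptables -nvL` before touching anything.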

#13 2013-02-21 15:19:26

Lockheed
Member
Registered: 2010-03-16
Posts: 1,427

Re: Bridge connection problem.

removed.

Last edited by Lockheed (2013-02-21 15:31:33)


Laptop: ThinkPad W500, C2D P9500, 8GB, Radeon RV635 (HD3650), Arch | Server/fw: Zotac AQ01, A4-5000 Kabini, 4GB, Arch/pfSense VM

