This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Newbie-ish Setup Help Pls.

I'm very new to astaro, but not to routeing and for the life of me I can get this working correctly. Right now, I have two interfaces set up 'Internal' (eth0), and wan (eth2). Internal is set to 10.32.1.1/24 while wan is set to dhcp (and has since grabbed the address 192.168.2.2 w/ a GW of 192.168.2.1 from my local router). I plan to add another interface (which will be called wifi, but i'm not yet there). So, From my host on internal, which has the IP of 10.32.1.2 I can't do anything besides contact 10.32.1.1 and 192.168.2.2 --  Once I log into the shell on the firewall box, I do what I could do from the host (10.32.1.2) with the addition of being able to ping 192.168.2.1 (which I couldn't from the host). When I look in /var/log/kernel I see that my trouble is coming from all of my packets being dropped. The messages look like this for traffic originating from the shell on the firewall:
date (none) kernel: TCP Drop: IN= OUT=eth2 SRC=192.168.2.2 DST=SOME.EXTERNAL.IP PROTO=TCP .....
or like this for traffic from the host to the outside world:
date (none) kernel: UDP Drop: IN=eth0 OUT=eth2 SRC=10.32.1.2 DST=192.168.2.1  PROTO=TCP .....

Prior to this point, i've also created a single NAT rule that is:
name: internal_masq
Match:  Internal_Interfce_ -> All/ All
SRC translation: MASQ_wan
DST translation: None

Since nothing has worked, I then also tried creating three Rules that read
No     From   Service  To    Action
1  Internal_Network   Any   Any    Allow
2  wan_Network         Any   Internal_Interface_ Allow
3  wan_Network         Any    Any Log Drop

I'm sure what i'm doing is a  common setup (home cablemodem setup (soon to have another wifi interface)) so could someone please help me out or point me in the right direction?

This thread was automatically locked due to age.

0 BarryG over 21 years ago

Turn on all the ICMP features if you want to ping the firewall.

Also, with the INT ALL ALL rule, you should now be able to ping your local router from INT net now.

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 VelvetFog over 21 years ago

[ QUOTE ]
Since nothing has worked, I then also tried creating three Rules that read
No From Service To Action
1 Internal_Network Any Any Allow
2 wan_Network Any Internal_Interface_ Allow
3 wan_Network Any Any Log Drop

[/ QUOTE ] Keep rule #1, but get rid of the other two. They don't really do anything for you.

ASL log drops a bunch of stuff by default, so you don't want to create any additional log drop rules. It just makes for very large filter and kernel logs every day.
Cancel
Vote Up 0 Vote Down

Cancel
0 jaga0 over 21 years ago in reply to VelvetFog

I changed rule #1 to read:
1   Any   Any   Any   Allow
and disabled all other rules. I still can't get anywhere, and for instance when I try to nc to 192.168.2.1 on port 80, i get:

2004-Apr 15 07:52:09 (none) kernel: TCP Drop: IN= OUT=eth2 SRC=192.168.2.2 DST=192.168.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=40139 DF PROTO=TCP SPT=4135 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

Any other tips? Do I have to do something to activate the rules (besides making them 'green'?)

Two other things i've noticed that are 'wrong', but I have no explanation for them are
1)  I'm getting what appear to be dropped and logged dns packets from my router to my asl box at the rate of about one every two seconds. I've tried rebooting the router, the asl box and it keeps happening. They came continionusly through the night even though the network wasn't in use. The messages look like this:
2004-Apr 15 08:02:46 (none) kernel: UDP Drop: IN=eth2 OUT= MAC=08:00:09:ee:5e:b4:00:90:4b:34:72:58:08:00 SRC=192.168.2.1 DST=192.168.2.2 LEN=45 TOS=0x00 PREC=0x00 TTL=64 ID=112 PROTO=UDP SPT=53 DPT=1029 LEN=25
2004-Apr 15 08:02:50 (none) kernel: UDP Drop: IN=eth2 OUT= MAC=08:00:09:ee:5e:b4:00:90:4b:34:72:58:08:00 SRC=192.168.2.1 DST=192.168.2.2 LEN=45 TOS=0x00 PREC=0x00 TTL=64 ID=115 PROTO=UDP SPT=53 DPT=1029 LEN=25
2004-Apr 15 08:02:54 (none) kernel: UDP Drop: IN=eth2 OUT= MAC=08:00:09:ee:5e:b4:00:90:4b:34:72:58:08:00 SRC=192.168.2.1 DST=192.168.2.2 LEN=45 TOS=0x00 PREC=0x00 TTL=64 ID=118 PROTO=UDP SPT=53 DPT=1029 LEN=25

2)  If/When I enable the DNS proxy for the Internal_Network, I am no longer able to get to the https web admin from the Internal_Network. The message I get on my windows box (browser) is connection timed out.

In the effort of supplying all of the necessary info, here is my livelog nat rules:



Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
5971  436K LOCAL      all  --  *      *       0.0.0.0/0            0.0.0.0/0
2902  237K HA         all  --  *      *       0.0.0.0/0            0.0.0.0/0
2902  237K HARDENING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2902  237K PSD_MATCHER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2902  237K FIX_CONNTRACK  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2902  237K AUTO_INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  730 48781 USR_INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  730 48781 LOGDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 LOCAL      all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 HARDENING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 PSD_MATCHER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FIX_CONNTRACK  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 AUTO_FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 USR_FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOGDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
5939 1537K LOCAL      all  --  *      *       0.0.0.0/0            0.0.0.0/0
2870 1338K HA         all  --  *      *       0.0.0.0/0            0.0.0.0/0
2870 1338K HARDENING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2870 1338K FIX_CONNTRACK  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2870 1338K AUTO_OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    4   240 USR_OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    4   240 LOGDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain AUTO_FORWARD (1 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 8 code 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 0 code 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 8 code 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 0 code 0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spts:1024:65535 dpts:33000:34000
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 11 code 0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED

Chain AUTO_INPUT (1 references)
pkts bytes target     prot opt in     out     source               destination
    6   480 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 8 code 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 0 code 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 11 code 0
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            255.255.255.255    tcp spt:68 dpt:67
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            255.255.255.255    udp spt:68 dpt:67
    0     0 ACCEPT     tcp  --  eth0   *       10.32.1.0/24         10.32.1.1          tcp spt:68 dpt:67
    0     0 ACCEPT     udp  --  eth0   *       10.32.1.0/24         10.32.1.1          udp spt:68 dpt:67
1818  113K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22
    0     0 LOGDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22
  339 73322 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spts:1024:65535 dpt:443
    0     0 LOGDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spts:1024:65535 dpt:443
    3  1002 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spt:68 dpt:67
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:68 dpt:67
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spts:1:65535 dpt:25
    6   456 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED

Chain AUTO_OUTPUT (1 references)
pkts bytes target     prot opt in     out     source               destination
    8   608 ACCEPT     udp  --  *      *       0.0.0.0/0            192.5.41.209       udp spts:1024:65535 dpt:123
    1    60 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 0 code 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 8 code 0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spts:1024:65535 dpts:33000:34000
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spts:1:65535 dpt:222
    0     0 ACCEPT     tcp  --  *      eth0    10.32.1.1            255.255.255.255    tcp spt:67 dpt:68
    0     0 ACCEPT     udp  --  *      eth0    10.32.1.1            255.255.255.255    udp spt:67 dpt:68
    0     0 ACCEPT     tcp  --  *      eth0    10.32.1.1            10.32.1.0/24       tcp spt:67 dpt:68
    0     0 ACCEPT     udp  --  *      eth0    10.32.1.1            10.32.1.0/24       udp spt:67 dpt:68
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spts:53:65535 dpt:53
  645 35113 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spts:53:65535 dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spt:67 dpt:68
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:67 dpt:68
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spts:1:65535 dpt:25
2211 1302K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED

Chain FIX_CONNTRACK (3 references)
pkts bytes target     prot opt in     out     source               destination

Chain HA (2 references)
pkts bytes target     prot opt in     out     source               destination

Chain HARDENING (3 references)
pkts bytes target     prot opt in     out     source               destination

Chain LOCAL (3 references)
pkts bytes target     prot opt in     out     source               destination
3069  200K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
3069  200K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0

Chain LOGACCEPT (0 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LOGDROP (5 references)
pkts bytes target     prot opt in     out     source               destination
  734 49021 LOG_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  734 49021 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LOGREJECT (0 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 LOG_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with icmp-port-unreachable

Chain LOG_CHAIN (2 references)
pkts bytes target     prot opt in     out     source               destination
    4   240 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
  730 48781 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        2    --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        47   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  -f  *      *       0.0.0.0/0            0.0.0.0/0

Chain PSD_ACTION (0 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PSD_MATCHER (2 references)
pkts bytes target     prot opt in     out     source               destination

Chain USR_FORWARD (1 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain USR_INPUT (1 references)
pkts bytes target     prot opt in     out     source               destination

Chain USR_OUTPUT (1 references)
pkts bytes target     prot opt in     out     source               destination

Chain PREROUTING (policy ACCEPT 1182 packets, 204K bytes)
pkts bytes target     prot opt in     out     source               destination
1178  203K SPOOF_DROP  all  --  *      *       0.0.0.0/0            0.0.0.0/0
1178  203K NAT_PRE    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 698 packets, 38131 bytes)
pkts bytes target     prot opt in     out     source               destination
  692 37741 NAT_POST   all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 703 packets, 38427 bytes)
pkts bytes target     prot opt in     out     source               destination
  696 37981 NAT_OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain NAT_OUTPUT (1 references)
pkts bytes target     prot opt in     out     source               destination

Chain NAT_POST (1 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      eth2    10.32.1.1            0.0.0.0/0

Chain NAT_PRE (1 references)
pkts bytes target     prot opt in     out     source               destination

Chain SPOOF_DROP (1 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  eth0   *       10.32.1.1            0.0.0.0/0
    0     0 DROP       all  --  eth0   *       10.32.1.1            0.0.0.0/0
    0     0 LOG        all  --  eth0   *       192.168.2.0/25       0.0.0.0/0
    0     0 DROP       all  --  eth0   *       192.168.2.0/25       0.0.0.0/0
    0     0 LOG        all  --  eth2   *       192.168.2.2          0.0.0.0/0
    0     0 DROP       all  --  eth2   *       192.168.2.2          0.0.0.0/0
    0     0 LOG        all  --  eth2   *       10.32.1.0/24         0.0.0.0/0
    0     0 DROP       all  --  eth2   *       10.32.1.0/24         0.0.0.0/0

and for reference my Network->Interfaces looks like this:
Up Internal (Standard ethernet interface) on eth0 (3Com Corporation3C905B Fast Etherlink XL 10/100 )
10.32.1.1 / 255.255.255.0
Gateway: none

Up wan (Standard ethernet interface) on eth2 (Hewlett-Packard CompanyJ2585B DeskDirect 10/100VG NIC ) 192.168.2.2 / 255.255.255.128
Gateway: 192.168.2.1

Down wifi (Standard ethernet interface) on eth1 (LinksysNetwork Everywhere Fast Ethernet 10/100 model NC100 )
???.???.???.??? / ???.???.???.???
Gateway: none

(i'm not [yet] using wifi, I just wanted to keep things simple for now).

I have no additional static routes defined, my NAT/Masqueradeing screen contains only one entry:
internal_masq Internal_Interface__ -> All / All   MASQ__wan None

All ICMP options are 'on', and all proxies are off.

I hope i'm not being too verbose, but I don't know what else to do. I've read a bunch of the docs, and i'm currently going through the manual for a second time. I know I'm missing something stupid and simple, but I can't find it. Thanks in advance for any advice.
Cancel
Vote Up 0 Vote Down

Cancel
0 VelvetFog over 21 years ago

Your masquerading rule is wrong. You should be masquerading your Internal network, not your Internal interface. Your rule should look like this:

INTERNAL_MASQ Internal_Network__ -> All / All MASQ__External None

You would create the proper masquerading rule as follows:

Name: internal_masq
Match: Internal_Network_ -> All/ All
SRC translation: MASQ_wan
DST translation: None
Cancel
Vote Up 0 Vote Down

Cancel
0 jaga0 over 21 years ago in reply to VelvetFog

Ahh, thank-you so much. My last question is: when setting up the dns proxy, how do I tell it to use the dns server found via dhcp from interface wan?
Cancel
Vote Up 0 Vote Down

Cancel
0 VelvetFog over 21 years ago in reply to jaga0

[ QUOTE ]
Ahh, thank-you so much. My last question is: when setting up the dns proxy, how do I tell it to use the dns server found via dhcp from interface wan?

[/ QUOTE ]Now you have come across a known flaw in ASL. It won't let you automatically do that. The workaround is to enter the ISP provided DNS server addresses manually as forwarding addresses in the DNS proxy. If you do not know these IP addresses, you can either connect a Windows PC to the broadband modem, and discover them that way, or you can look at your ISP's help web pages or call their help desk. Once you have the IP addresses for their primary and secondary DNS server, you are safe to enter them manually in your DNS proxy config. These addresses do not get changed very often. Your ISP is likely to keep them the same for many years.
Cancel
Vote Up 0 Vote Down

Cancel
0 jaga0 over 21 years ago in reply to VelvetFog

ok, no problem. Just thought I was overlooking something else. Is there a delay in the when you enter settings via webmin and they become active? It seems to take a minute or so for things to change sometimes. Also, can the dhcp server serve two interfaces w/ different ip blocks?
Cancel
Vote Up 0 Vote Down

Cancel
0 VelvetFog over 21 years ago in reply to jaga0

In ASL v4, the DHCP server can only supply one of your networks.
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 21 years ago in reply to VelvetFog

FYIs,
Instead of hooking up a PC, you can look at the DHCPC lease file on astaro... it has the DNS servers even though they aren't used for anything.

On ASL 3.x, it's in:
/var/chroot-dhcpc/etc/dhcpc/dhcpcd-eth1.info
(assuming WAN is eth1)

Barry
Cancel
Vote Up 0 Vote Down

Cancel