Slackware + PPPoE + iptables basic config for kernel 2.4.22
First, it's necessary to recompile the kernel with all the relevant modules. The important config settings in the kernel are:
#
# Networking support
#
CONFIG_NET=y
#
# Networking options
#
CONFIG_PACKET=y
CONFIG_PACKET_MMAP=y
# CONFIG_NETLINK_DEV is not set
CONFIG_UNIX=y
# CONFIG_NET_KEY is not set
CONFIG_INET=y
# CONFIG_IP_MULTICAST is not set
# CONFIG_IP_ADVANCED_ROUTER is not set
# CONFIG_IP_PNP is not set
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE is not set
# CONFIG_ARPD is not set
# CONFIG_INET_ECN is not set
# CONFIG_SYN_COOKIES is not set
# CONFIG_INET_AH is not set
# CONFIG_INET_ESP is not set
# CONFIG_INET_IPCOMP is not set
#
# IP: Virtual Server Configuration
#
# CONFIG_IP_VS is not set
# CONFIG_IPV6 is not set
# CONFIG_DECNET is not set
CONFIG_BRIDGE=m
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_BRIDGE_NETFILTER=y
#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_TFTP=m
# CONFIG_IP_NF_AMANDA is not set
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNTRACK=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_PHYSDEV=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
# CONFIG_IP_NF_NAT_LOCAL is not set
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_CLASSIFY=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
# CONFIG_IP_NF_COMPAT_IPCHAINS is not set
# CONFIG_IP_NF_COMPAT_IPFWADM is not set
Once the kernel is up and running, you need to make sure the two Ethernet cards are up and running. Mine are 16-bit ISA, and need to be fed an IRQ and an address. The card connected to the intranet [ which should be plugged into your local hub ] needs to be assigned an IP address, and the other machines need to have that IP as their default gateway:
Execute 'route add default gw 192.168.x.x' [ use whatever IP you like here ] on each machine on the hub.
The ethernet card on the iBurst modem side does not need an IP address assigned to it.
Slackware has the pppoe package by default, or at least it's on the CD if you didn't install it first time round.
Run adsl-setup as root, and make sure that your iBurst username is [email protected], or else authentication won't work. Also be sure to give the right interface to the setup script, eth0 or eth1, depending on what you've set up.
At this time, if you run adsl-start, assuming everything is plugged in and powered up, it should connect. If the session is terminated, it shouldn't affect the connection, at least it doesn't for me.
Do an ifconfig ppp0 as root, and you should have an IP assigned. Note the DNS IPs, and configure the machines on your hub with these 2 DNS entries, and the gateway IP 192.168.x.x, for example.
At this time, from a machine on the hub, you should be able to ping the gateway, and ping the IP of the ppp0 interface.
You'll need to have your /etc/rc.d/rc.firewall read as follows to begin with :
#!/bin/sh
#
echo -e "\n\nLoading rc.firewall ..\n"
#
#----------------------------------------------------------
# EXECUTABLE LOCATIONS
#----------------------------------------------------------
#
IPTABLES=/usr/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
#
#----------------------------------------------------------
# INTERFACE DEFINITIONS
#----------------------------------------------------------
#
EXTIF="ppp0"
INTIF="eth0"
#
echo " External Interface set to $EXTIF"
echo " Internal Interface set to $INTIF"
#
#----------------------------------------------------------
# ENABLING DYNAMIC IP ADDRESS RECOGNITION
#----------------------------------------------------------
#
echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#
#----------------------------------------------------------
# echo " Clearing any existing rules and setting default policy.."
#----------------------------------------------------------
#
echo " Flushing INPUT chain "
$IPTABLES -F INPUT
echo " Flushing OUTPUT chain "
$IPTABLES -F OUTPUT
echo " Flushing FORWARD chain "
$IPTABLES -F FORWARD
echo " Flushing NAT chain "
$IPTABLES -t nat -F
echo " Flushing MANGLE chain "
$IPTABLES -t mangle -F
#
#----------------------------------------------------------
# PERFORM MASQ ON OUTBOUND VIA ppp0
#----------------------------------------------------------
#
echo " Enabling MASQUERADE functionality on $EXTIF "
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#
#----------------------------------------------------------
# DECLARE FORWARDING RULES BETWEEN $EXTIF AND $INTIF
#----------------------------------------------------------
#
echo " Forwarding from $EXTIF to $INTIF"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT
#
echo " Forwarding from $INTIF to $EXTIF"
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
#
echo " Setting the forward policy to ACCEPT established, related"
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# IP FORWARDING IS ALREADY DONE IN RC.IP_FORWARD on slackware
#
# echo "1" > /proc/sys/net/ipv4/ip_forward
#
#
# FWVER was never defined in this script, so the version is left out of the message
echo -e "\nrc.firewall done.\n"
Run the script as root.
I was experiencing an intermittent slowdown, where the connection would start at around 15k, then settle down to 2 on a download, but this was a problem on my hub. I identified that the hub was dropping packets at around 40%. I replaced the hub, and speed is around 26k on average.
IPtraf showed 111k on the input side, but the machine was only downloading at 2 on the other side of the hub
One very important thing: I set the MTU to 1432 on all the hub-connected cards, which is what it is on ppp0. I suggest you do the same, or else packet fragmentation will slow the connection down. PCI network cards might also make things go faster, but that's a trial-and-see thing.
You should add more rules to the firewall that will be specific to your network requirements.
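As a starting point for those extra rules, here is an added example (not part of the original script) that sets a default DROP policy on FORWARD and accepts traffic arriving on ppp0 only when it belongs to a connection opened from the LAN. The script above forwards everything from $EXTIF to $INTIF, which leaves its ESTABLISHED,RELATED rule with nothing to do. The ipt wrapper, the APPLY switch and the log prefix are assumptions of this example; without APPLY=1 it only prints the commands.

```shell
#!/bin/sh
# Added example, not the original author's script: stricter FORWARD rules
# for the same gateway. Prints the commands unless APPLY=1 (needs root).
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
EXTIF="${EXTIF:-ppp0}"     # PPPoE link, as in rc.firewall above
INTIF="${INTIF:-eth0}"     # LAN-side card

# Run one iptables command, or print it in dry-run mode (hypothetical helper).
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$IPTABLES" "$@"
    else
        echo "iptables $*"
    fi
}

load_forward_rules() {
    # Drop anything in FORWARD that no rule below accepts.
    ipt -P FORWARD DROP
    ipt -F FORWARD
    ipt -t nat -F
    ipt -t mangle -F

    # Clamp the TCP MSS on forwarded SYNs to the path MTU, so TCP through
    # the gateway fits ppp0's smaller MTU even if a LAN host is left at 1500.
    ipt -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu

    # LAN hosts may open connections outward.
    ipt -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
    # Inbound traffic is forwarded only as replies to those connections.
    ipt -A FORWARD -i "$EXTIF" -o "$INTIF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Rate-limited log of whatever is about to hit the DROP policy.
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP:"

    ipt -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

load_forward_rules
```

Check the printed commands first, then run it as root with APPLY=1 in place of the forwarding section of rc.firewall.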
I hope this helps. If anything is not clear, email me at [email protected] and I'll try to explain as best I can.