Help I'm changing my ISP :(

studioeng
Experienced
Posts: 454
Joined: Mon Oct 23, 2006 11:59 pm
Location: Dorset, England

Post by studioeng » Sun Jun 10, 2007 10:51 am

mstombs wrote:
> Well I have no means to test but am sure it is possible, maybe even with just one command of the style:
>
> iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.1.0/24 -j MASQUERADE
>
> which says - add a rule to the nat table that anything leaving the modem on the wan interface (assuming ppp0) that comes only from your private LAN should be NATed.
>
> I'm assuming as per other threads that your modem has a WAN IP on the DSL ppp0 interface, but also a local LAN IP so you can connect your wireless devices, without special routing.
>
> Change the -A (add) to -D (delete) to delete the rule (or reboot, this is not 'sticky')

You have no idea how grateful I am, that works a treat xD I so owe you a beer, or a few!!!!

So does that basically mean that the wireless group is now NAT/Masqueraded and the wired side is No-NAT?? Amezzin!! I'm turning my Wii on now :rofls: :lol:

[cheering crowd] .... It works!! [/cheering crowd]

Go now! You can't be that smart; it's not fair!!!! :( :cry:

oO( I wanna be a linux master :cry: )
mstombs
RouterTech Team
Posts: 3753
Joined: Wed Jan 10, 2007 11:54 pm

Post by mstombs » Sun Jun 10, 2007 2:09 pm

He He - I am not a Linux master - but I do have access to a real one! I also hope you aren't celebrating too early - there may be obscure knock-on effects... can you check all the static IP services are not affected?
studioeng
Experienced
Posts: 454
Joined: Mon Oct 23, 2006 11:59 pm
Location: Dorset, England

Post by studioeng » Sun Jun 10, 2007 3:00 pm

Well I am accessing my server from my girlfriend's connection right now, I can get my webmail and downloads from here; VPN connection is also working etc etc. I was having some obscure problems with my VoIP router, but that was before I tried the command you suggested; I think that may be down to routing (again).

I guess the only way you can get into something and learn it well, is when things go wrong, or you want things to work in an obscure way... I think I will have to wait till support for Windows XP stops and then I shall move to a linux operating system permanently... I won't be going anywhere near Windows Pista.
legume
Experienced
Posts: 101
Joined: Fri Apr 13, 2007 11:57 pm

Post by legume » Mon Jun 11, 2007 1:59 am

> Maybe "Legume" will pop in here and help out.

Aww - too late, looks like you've got it sorted.

In fact don't take anything I say as right - I just realised that in another thread (which I can't find now) that I thought studioeng had one IP - should have noticed what he said there wouldn't work without a block.

One minor tweak to the MASQUERADE rule, for those with static addresses is to use SNAT instead like

iptables -t nat -A POSTROUTING -o ppp0 --src 192.168.1.0/24 -j SNAT --to-source 1.2.3.4

You could then choose which of your addresses get used and could have more than one rule mapping different private addresses to different real addresses.

Another benefit of SNAT over MASQUERADE is that if ppp goes down SNAT won't clean up the connection tracking table, so connections have a chance to carry on as normal when it's back.

The router will send ICMP net unreachables when ppp is down though. I use a rule which blocks these, but it's a bit of a hack - if your ISP sends them while you are down then I am not sure of the consequences. It doesn't look like mine does (or the other ends didn't get them when I tested). With the blocking rule and SNAT I can just carry on through a brief ppp down/up event. Use this at your own risk though - I may have to revert it when I notice what it breaks sometime in the future :-)

iptables -I OUTPUT -p icmp --icmp-type network-unreachable -j DROP

Another thing to consider are firewall rules - these may need tweaking to run servers or setting if you unchecked firewall. Leaving windows boxes exposed to the internet is not a good idea.

Andy.
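The two NAT variants discussed so far (mstombs' MASQUERADE rule quoted earlier in the thread and legume's SNAT alternative above), as an added example that is not part of the original posts or of the RouterTech firmware. It assumes ppp0 and 192.168.1.0/24 from the posts, legume's placeholder 1.2.3.4 as the public address, and a second range 192.168.2.0/24 that is a constructed illustration; the function names are assumptions too. With DRY_RUN=1 (the default) the iptables commands are printed rather than executed, so the rules can be reviewed before they are applied on the modem.

```shell
#!/bin/sh
# Added example, not code from the thread or from RouterTech: builds the
# POSTROUTING rules discussed above so they can be reviewed before use.
# Assumptions: WAN interface ppp0, private LAN 192.168.1.0/24 (both from the
# posts), and the public address 1.2.3.4, which is legume's placeholder.
# With DRY_RUN=1 (the default) the iptables commands are printed, not run.

WAN=${WAN:-ppp0}
DRY_RUN=${DRY_RUN:-1}

# Print or execute one iptables command, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# nat_rule ACTION SUBNET [PUBLIC_IP]
#   ACTION is -A (add) or -D (delete). Without PUBLIC_IP the rule MASQUERADEs,
#   which suits a dynamic WAN address but loses the conntrack entries when ppp
#   goes down; with PUBLIC_IP it SNATs to that fixed address, so tracked
#   connections have a chance to survive a short ppp down/up.
nat_rule() {
    action=$1; subnet=$2; pub=${3:-}
    case "$action" in
        -A|-D) ;;
        *) echo "nat_rule: action must be -A or -D, got '$action'" >&2; return 1 ;;
    esac
    if [ -z "$pub" ]; then
        ipt -t nat "$action" POSTROUTING -o "$WAN" -s "$subnet" -j MASQUERADE
    else
        ipt -t nat "$action" POSTROUTING -o "$WAN" -s "$subnet" -j SNAT --to-source "$pub"
    fi
}

# nat_map ACTION: reads "SUBNET PUBLIC_IP" lines on stdin (PUBLIC_IP '-' means
# MASQUERADE) and emits one rule each, so different private ranges can be mapped
# to different real addresses, as legume describes. Blank and '#' lines are skipped.
nat_map() {
    action=$1
    while read -r subnet pub _; do
        case "$subnet" in ''|'#'*) continue ;; esac
        case "$pub" in -) pub='' ;; esac
        nat_rule "$action" "$subnet" "$pub" || return 1
    done
}

# Constructed mapping for illustration: the wireless range is masqueraded,
# a second range is given a fixed source address.
MAPPING='# subnet          public address (or - for MASQUERADE)
192.168.1.0/24    -
192.168.2.0/24    1.2.3.4'

# usage: sh nat-rules.sh        print the add commands
#        sh nat-rules.sh -D     print the matching delete commands
# The rules are not persistent: a reboot clears them, as mstombs notes.
printf '%s\n' "$MAPPING" | nat_map "${1:--A}"
```

Running it with -D emits the matching delete commands, and because both variants come from the same function, switching a range from MASQUERADE to SNAT is a one-line change in the mapping rather than a different rule to remember.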
mstombs
RouterTech Team
Posts: 3753
Joined: Wed Jan 10, 2007 11:54 pm

Post by mstombs » Mon Jun 11, 2007 8:44 am

I'm listening and learning...

legume wrote:
> ...
> The router will send ICMP net unreachables when ppp is down though. I use a rule which blocks these, but it's a bit of a hack - if your ISP sends them while you are down then I am not sure of the consequences. It doesn't look like mine does (or the other ends didn't get them when I tested). ...

Why care what the ISP sends while you are down? Do you mean when up and you mistype an address, would be quicker for browser to know unreachable than to wait and timeout?

> Another thing to consider are firewall rules - these may need tweaking to run servers or setting if you unchecked firewall. Leaving windows boxes exposed to the internet is not a good idea.
> ...

Not 100% sure but I think modem core logic controlled firewall is dependent on NAT, so if you turn NAT off you effectively turn off modem firewall. Or maybe in my testing I only see the port forwards etc which only make sense with NAT disappear. Or maybe firewall rules would be reapplied if saved and rebooted?
studioeng
Experienced
Posts: 454
Joined: Mon Oct 23, 2006 11:59 pm
Location: Dorset, England

Post by studioeng » Mon Jun 11, 2007 9:24 am

With my experience over the last couple of months of using No-NAT, I have had the firewall on the router enabled (ticked), and I need to set port forwards to the relevant servers/pc; with the firewall disabled (unticked) all ports are open on any server/pc which is connected to the router.

So in effect, I need to set some rules twice, or create an 'AllowAll' rule, which will pass all ports to a specific host and then use that host's own firewall (if applicable).
legume
Experienced
Posts: 101
Joined: Fri Apr 13, 2007 11:57 pm

Post by legume » Tue Jun 12, 2007 12:40 am

> Why care what the ISP sends while you are down? Do you mean when up and you mistype an address, would be quicker for browser to know unreachable than to wait and timeout?

I was worried that if the ISP sends some sort of unreachable then the other end would disconnect and my end would still think the tcp connection was up and not work for ages until it timed out. I tried again and for me it seems OK - but that's just me on Entanet with a short disconnect.

Since the blocking rule is in OUTPUT it won't see any ICMPs sent from the wan to the lan, just those generated on the router.

On a sidenote I notice that by default some ICMP headed for the wan are blocked in OUTPUT , I think this is a workaround for an old netfilter bug, where it would leak the lan side address in the *unreachable.

As for the firewall rules I guess studioeng is right - a separate check box so I don't think it's related to nat. I have it off as I firewall elsewhere, but I did add back a rule for INPUT to protect the router, which is something to consider doing if you disable firewall.

iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ppp0 -j DROP

If you change INPUT to FORWARD that will protect the lan - but then that's what the checkbox does anyway (both). I think it will be the same for your ip passthrough script.

I'll have another look tomorrow and see what I think - I haven't upgraded to 2.3 yet I have a solwise 600e and see it didn't work for someone - also I don't have dhcp on the box that the router is connected to. I can still try roughly and see what needs to be done for multicast.

Andy.
mstombs
RouterTech Team
Posts: 3753
Joined: Wed Jan 10, 2007 11:54 pm

Post by mstombs » Tue Jun 12, 2007 8:52 am

[Note: Apologies for diverting thread, but info is related to above, changing ISP that allows static IPs and running with no-NAT.]

My half-bridge script, really only needed for dynamic IPs, turns off NAT via a cm_cli command which results in a system log entry

Jun 11 22:46:56 | Firewall NAT service stopped

and the firewall checkbox in pppoa setup is cleared, and cannot be ticked!

The only rules left in are your recommendation from other threads:

/var # iptables -L -v
Chain INPUT (policy ACCEPT 4 packets, 1800 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 107 packets, 42026 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    ppp0   !89.243.xxx.yyy      anywhere

Chain OUTPUT (policy ACCEPT 33 packets, 4589 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    ppp0    anywhere             anywhere

/var # iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 23 packets, 2812 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 9 packets, 578 bytes)
 pkts bytes target     prot opt in     out     source               destination

So I guess it's working for me due to the FORWARD ACCEPT rules (the only device I have connected is a firewall NAT router). Any advice on reducing unnecessary traffic and 'securing' the modem gratefully received.
legume
Experienced
Posts: 101
Joined: Fri Apr 13, 2007 11:57 pm

Post by legume » Wed Jun 13, 2007 1:13 am

> My half-bridge script, really only needed for dynamic IPs

Still useful for those with a single static IP, my gateway still changes on ppp up/down even if the address doesn't.

> Firewall NAT service stopped
> and the firewall checkbox in pppoa setup is cleared, and cannot be ticked!

Oh, I see you still have some traffic counted on your output - make sure counters rise or check

cat /proc/net/firewall_start

says Current Firewall State is 1. If you echo 0 to that then no iptables rules work anymore (and you disable conntrack), though they still show if you -L -vn them.

> Chain FORWARD (policy ACCEPT 107 packets, 42026 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DROP       all  --  any    ppp0   !89.243.xxx.yyy      anywhere

One thing - when the script clears everything it will also clear the mss clamping rule that gets added here, which could mess things up for people who set mtu/mru < 1500.

> Any advice on reducing unnecessary traffic and 'securing' the modem gratefully received

In theory I don't think much should hit the modem while it doesn't have a real address - in practice it may be worth putting a rule in INPUT that drops anything coming in ppp0 and looking at the counters. If your ISP does multicast then IGMP will hit INPUT, but you could have a separate rule to drop that if you wanted - I'll post in the other thread some stuff on multicast.

iptables does have a LOG target which could be used to see what if anything hits the router - but the one time I tried it on mine I almost locked myself out, so am not sure it plays nicely with the way logging/remote logging is set up.

Andy.
mstombs
RouterTech Team
Posts: 3753
Joined: Wed Jan 10, 2007 11:54 pm

Post by mstombs » Wed Jun 13, 2007 9:36 am

legume wrote:
> ...
> > Firewall NAT service stopped
> > and the firewall checkbox in pppoa setup is cleared, and cannot be ticked!
>
> Oh, I see you still have some traffic counted on your output - make sure counters rise or check
>
> cat /proc/net/firewall_start
>
> says Current Firewall State is 1. If you echo 0 to that then no iptables rules work anymore (and you disable conntrack), though they still show if you -L -vn them.
> ...

Counters are frozen (same values a day later), and

/var # cat /proc/net/firewall_start
Current Firewall State is 0.

So maybe need "BIG FAT WARNING" on use of the script, without additional firewall commands!

Iptables firewall can be turned back on with

/var # echo 1 >/proc/net/firewall_start
/var # cat /proc/net/firewall_start
Current Firewall State is 1.

> One thing - when the script clears everything it will also clear the mss clamping rule that gets added here, which could mess things up for people who set mtu/mru < 1500

Curiously it comes back next time the connection drops:

/var # iptables -L -vn
Chain INPUT (policy ACCEPT 104 packets, 8064 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 147 packets, 46840 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      ppp0   !89.243.zz.yyy        0.0.0.0/0
    1    52 TCPMSS     tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x02 TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT 88 packets, 13152 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
legume
Experienced
Posts: 101
Joined: Fri Apr 13, 2007 11:57 pm

Post by legume » Thu Jun 14, 2007 8:14 pm

> So maybe need "BIG FAT WARNING" on use of the script, without additional firewall commands!

I suppose anyone wanting a real address passed through shouldn't expect/want to be firewall/NATed anyway. It's a shame that it needs to be on at all or rather it's a shame iptables seems to use conntrack even if you use only stateless rules (I guess it's just because it's compiled in or an old version, I tested the most recent version built as modules and it doesn't conntrack if you only use stateless rules - but will carry on tracking if you use and then delete one).

It's handy that the mss rule gets turned back on - when ppp comes up AFAIK, so depending on when the script clears the rules or whether ppp is running already, users may get it or not, but drop/reconnect after the script should mean it's there. I don't think it will work without turning firewalling back on as well.

I suppose the only other side effect of firewall off is leakage of private addresses to the WAN.

I thought of another way to block these - It would need policer compiled in though, if it and sch_ingress (both tiny) were in instead of rshaper for QOS then I think you could filter with QOS rules :-)

I must admit making tc rules is a total pain and you would need to enable TI QOS and need it to behave like other classful linux qdiscs do, so nothing's certain. It's possible with policers to arrange for them to drop selected traffic irrespective of rate by specifying an impossibly small MTU in the rule.

Andy.
studioeng
Experienced
Posts: 454
Joined: Mon Oct 23, 2006 11:59 pm
Location: Dorset, England

Post by studioeng » Thu Jun 14, 2007 8:44 pm

I may be just being stupid or lazy now, and I expect it is already written up somewhere; but is there a command, like iptables for example; which would allow me to stop the web config of the router being accessed from the WAN side (but perfectly accessible from the LAN side), much the same as if the Firewall is ticked; so I can untick firewall and not worry about port forwarding.
mstombs
RouterTech Team
Posts: 3753
Joined: Wed Jan 10, 2007 11:54 pm

Post by mstombs » Thu Jun 14, 2007 8:49 pm

After a couple of days use I think I can say no firewall is not a big problem for me - only 12 OUTPUT packets blocked, despite a couple of gig forwarded. The TCPMSS rule seems to have caught more - if I read this correctly?

/var # iptables -L -vn
Chain INPUT (policy ACCEPT 7482 packets, 3483K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 2660K packets, 1914M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      ppp0   !89.243.xx.yyy        0.0.0.0/0
11926  600K TCPMSS     tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x02 TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT 1484 packets, 779K bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   756 DROP       all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
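A check for the two failure modes that came up in this exchange, counters that stay frozen and /proc/net/firewall_start reading 0, as an added example that is not from the thread or from the RouterTech firmware. It assumes the "Current Firewall State is N." text and the iptables -L -vn layout shown in the posts; the two snapshots embedded in it are constructed from mstombs' listings (the one with frozen counters and the one above from two days later), and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from RouterTech: checks that the
# modem's iptables rules are actually enforced, following legume's advice to
# confirm the firewall state flag and watch the DROP counters rise.
# Assumptions: /proc/net/firewall_start and "iptables -L -vn" as shown in the
# posts; the two snapshots below are constructed from the listings posted above.

FW_STATE=${FW_STATE:-/proc/net/firewall_start}

# firewall_state [FILE]: prints 0 or 1 parsed from "Current Firewall State is N."
# FILE may be '-' for stdin. Fails (exit 1) if the text is missing or unexpected,
# so a caller cannot mistake an unreadable file for an enabled firewall.
firewall_state() {
    f=${1:-$FW_STATE}
    if [ "$f" = - ]; then cat; else cat "$f" 2>/dev/null; fi |
        sed -n 's/^Current Firewall State is \([01]\)\.*[[:space:]]*$/\1/p' | grep -x '[01]'
}

# drop_counters: reads "iptables -L -vn" output on stdin and prints one
# "CHAIN:n packets" line per DROP rule (n numbers the DROP rules within a chain).
drop_counters() {
    awk '/^Chain /{chain=$2; next}
         $3=="DROP"{n[chain]++; print chain ":" n[chain], $1}'
}

# counters_rising BEFORE AFTER: each argument is drop_counters output; succeeds
# if any DROP rule's packet count increased between the snapshots. Frozen
# counters with state 1 mean nothing is hitting the rules; frozen counters
# with state 0 mean the rules are listed but not evaluated at all.
counters_rising() {
    { printf '%s\n' "$1"; echo '--'; printf '%s\n' "$2"; } |
    awk '$1=="--"{second=1; next}
         !second{before[$1]=$2; next}
         ($1 in before) && ($2+0) > (before[$1]+0){rose=1}
         END{exit (rose ? 0 : 1)}'
}

# check_live [SECONDS]: run on the modem itself; compares two counter snapshots
# taken SECONDS apart (default 60) after confirming the firewall flag is set.
check_live() {
    interval=${1:-60}
    state=$(firewall_state) || { echo "cannot read $FW_STATE" >&2; return 2; }
    if [ "$state" != 1 ]; then
        echo "firewall state is $state: rules are listed but not enforced; echo 1 >$FW_STATE re-enables them" >&2
        return 1
    fi
    before=$(iptables -L -vn | drop_counters)
    sleep "$interval"
    after=$(iptables -L -vn | drop_counters)
    if counters_rising "$before" "$after"; then
        echo "DROP counters rising: rules are active"
    else
        echo "no new DROP hits in ${interval}s (normal on a quiet link; try a longer interval)"
    fi
}

# Constructed snapshots modelled on mstombs' listings: the frozen day, then two days later.
SNAP_DAY1='Chain INPUT (policy ACCEPT 104 packets, 8064 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 147 packets, 46840 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      ppp0   !89.243.zz.yyy        0.0.0.0/0
    1    52 TCPMSS     tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x02 TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT 88 packets, 13152 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0'
SNAP_DAY3='Chain INPUT (policy ACCEPT 7482 packets, 3483K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 2660K packets, 1914M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      ppp0   !89.243.xx.yyy        0.0.0.0/0
11926  600K TCPMSS     tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x02 TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT 1484 packets, 779K bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   756 DROP       all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0'
```

On the modem itself, `check_live 120` reads the real flag and listing; the embedded snapshots only exist so the parsing can be exercised off the box. The TCPMSS line is deliberately ignored: it is a clamp, not a drop, and its count rising says nothing about whether the DROP rules are being enforced.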
legume
Experienced
Posts: 101
Joined: Fri Apr 13, 2007 11:57 pm

Post by legume » Thu Jun 14, 2007 10:17 pm

> After a couple of days use I think I can say no firewall is not a big problem for me - only 12 OUTPUT packets blocked, despite a couple of gig forwarded. The TCPMSS rule seems to have caught more - if I read this correctly?

Yea you are reading correctly.

I suppose you would see more if you were doing P2P and then shut down everything apart from the router.

I wonder if you would catch anything by putting a similar rule in INPUT to catch incoming from ppp0. Can't think what they would be if your ISP doesn't do multicast. I tried LOG again - carefully this time - it doesn't like it. I made a rule to log ping to the router from LAN and it increases response time to 40ms from 0.6. If I specified log level debug and set all logging levels to debug it wasn't so bad - but it still didn't work. I have read that it could be to do with dmesg setup - but there is no dmesg.

Andy.
studioeng
Experienced
Posts: 454
Joined: Mon Oct 23, 2006 11:59 pm
Location: Dorset, England

Post by studioeng » Thu Jun 14, 2007 11:14 pm

I know that with No-NAT I can forward the same ports to the different static IPs, and setting up each port forward manually would be ... tedious at best. Is it possible to issue an iptables command which will forward all ports to a specific host; yet leave other hosts protected behind the router firewall?
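A small stateful ruleset for running no-NAT with the firewall box unticked, as an added example that is not from the thread or from the RouterTech firmware. It builds on legume's two INPUT rules and covers studioeng's two questions: the router's web config stays reachable only from the LAN side, one chosen host gets every port (and is expected to run its own firewall, as studioeng describes), a second host gets only named ports, and every other host only receives replies to connections it opened. It assumes ppp0 from the posts; the host addresses, ports and function names are placeholders, and with DRY_RUN=1 (the default) the commands are printed for review rather than run.

```shell
#!/bin/sh
# Added example, not code from the thread or from RouterTech: a stateful
# ruleset to replace the firewall checkbox when running no-NAT. It extends
# legume's two INPUT rules so the router's web config is reachable only from
# the LAN, one chosen host receives every port, and the other hosts only get
# replies to connections they opened.
# Assumptions: WAN interface ppp0 (from the posts); the host addresses are
# placeholders. DRY_RUN=1 (the default) prints the commands instead of running them.

WAN=${WAN:-ppp0}
DRY_RUN=${DRY_RUN:-1}
ACT=${ACT:--A}      # -A to add the rules, -D to remove them again rule by rule

ipt() {
    if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# router_rules: protect the modem itself. Replies to its own traffic come in,
# anything else arriving on ppp0 (the web config included) is dropped.
router_rules() {
    ipt "$ACT" INPUT -i "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt "$ACT" INPUT -i "$WAN" -j DROP
}

# lan_rules [EXPOSED_HOST...]: traffic forwarded to the LAN. Replies pass, the
# listed hosts are reachable on every port, everything else from ppp0 is dropped.
# Outbound traffic from the LAN is not restricted.
lan_rules() {
    ipt "$ACT" FORWARD -i "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    for host in "$@"; do
        ipt "$ACT" FORWARD -i "$WAN" -d "$host" -j ACCEPT
    done
    ipt "$ACT" FORWARD -i "$WAN" -j DROP
}

# port_rules HOST PORT...: expose only the given TCP ports on a host. The rules
# are inserted at the top of FORWARD (-I) so they sit above the final DROP that
# lan_rules appends; with ACT=-D they are deleted instead.
port_rules() {
    host=$1; shift
    if [ "$ACT" = -D ]; then act=-D; else act=-I; fi
    for port in "$@"; do
        ipt "$act" FORWARD -i "$WAN" -p tcp -d "$host" --dport "$port" -j ACCEPT
    done
}

# usage: sh nonat-fw.sh            print the add commands for review
#        sh nonat-fw.sh apply      run them on the modem
#        sh nonat-fw.sh remove     delete them again. Deleting rule by rule
#                                  rather than flushing FORWARD keeps the TCPMSS
#                                  clamp rule the firmware adds on ppp up.
case "${1:-print}" in
    print)  ;;
    apply)  DRY_RUN=0 ;;
    remove) ACT=-D ;;
    *)      echo "usage: $0 [print|apply|remove]" >&2; exit 2 ;;
esac
router_rules
lan_rules 192.168.1.10            # placeholder: the one host that gets every port
port_rules 192.168.1.20 22 443    # placeholder: a second host, ssh and https only
```

Because the rules are not persistent (as mstombs notes of the MASQUERADE rule), the script needs re-running after a reboot, and the counters in `iptables -L -vn` are the quickest way to confirm it is being hit.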