[Firehol-support] Unable to let internal network access the internet via cable modem

Costa Tsaousis costa at tsaousis.gr
Tue Feb 11 07:29:40 GMT 2003


John Zastrow said:
> Hi Costa,
>
> Thanks for your help. Yep, my cable modem is not
> PPPoE, so your latter solution worked. I have to
> switch where you wrote
>
> internet eth1 lan
>
> to
>
> interface eth1 lan

Sorry for this.

> tho. Now it works, but I think it's slow, even though
> the router machine is a big Athlon 2Ghz with lotsa
> memory.

What do you mean slow? How much time does it need?
Please run:

time /etc/init.d/firehol start

and send me the output.

> As I said, I'm on redhat, and ole RH likes to store
> things in /sbin without that path added to root's
> environment. So, in the firehol script v1.89 on lines
> 82 and 83, I simply added /sbin/ before the two
> sysctl's and the script stopped complaining. I think
> that's appropriate (?).

This is strange. I use RH8 myself and this situation never came up.
My root path has /sbin in it.

In any case, thanks for reporting this; I have corrected firehol.

> Couple of suggestions: It would be handy to have a
> checklist of things to make sure that your system is
> set up properly in the 'Troubleshooting' section. That
> is, what iptables modules one needs, how to verify that
> the new rules are running, where firehol will look for
> various programs... just basic things. Then newbies
> like myself can ask more informed questions.

MODULES:
FireHOL requires only two modules (iptables and ip_conntrack) but
depending on the services you use in your config file, it may need more.
If a module is missing, FireHOL will give you a warning, so you will know
that something is wrong. To see this warning just write in your config:

require_kernel_module blahblah

RUNNING RULES:
/etc/init.d/firehol status

You can also check the iptables statements produced for each rule by
entering interactive mode:

/etc/init.d/firehol explain

In this mode you type rules and FireHOL displays the iptables rules - it
does not affect your firewall.

EXTERNAL COMMANDS:
I normally verify that everything is working on RH71 to RH8 and Debian
(supported by the community). But, yes! I should have given a list of
commands it needs.


> The second suggestion is to provide a handful more of
> the canned scripts that would be useful to various
> types of people (dial up users and cable users like
> myself are likely to be the most). Maybe the community
> could provide them to you as examples of setups that
> people are using.

You are right, although I tried in the tutorial to tell you the basics of
building a configuration file. Maybe it is still not complete, or it is
confusing.

> Now that I have a wide-open
> connection thanks to your help, I can iteratively lock
> it down and know after each step if I've broken it or
> not.
>
> I would also recommend making the samples more
> prominent, like in the docs themselves. Maybe I'm more
> blind than I thought. But, I only stumbled into the
> sample .conf files while looking for something else.

It is a good idea to put examples on the web.

> Thanks for the work and the help. I intend to use
> firehol on other boxes now that i understand it
> better.  Later,
> -John

Thanks!

Costa


>
> --- Costa Tsaousis <costa at tsaousis.gr> wrote:
>> Hi John,
>>
>> If your cable connection uses PPPoE (like ADSL) use
>> this:
>>
>> -- snip --
>>
>> interface eth0 dsl
>>     client dhcp accept
>>
>> interface ppp+ internet
>>     client all accept
>>
>> internet eth1 lan
>>     policy accept
>>
>> router lan2internet inface eth1 outface ppp+
>>     masquerade
>>     route all accept
>>
>> --- snip ---
>>
>> If your cable modem routes traffic directly to your
>> eth0, use this:
>>
>> -- snip --
>>
>> interface eth0 internet
>>     client all accept
>>
>> internet eth1 lan
>>     policy accept
>>
>> router lan2internet inface eth1 outface eth0
>>     masquerade
>>     route all accept
>>
>> --- snip ---
>>
>> The difference between the two is that DSL has a PPP
>> device, while cable normally does not have any PPP.
>>
>> Read the docs to further restrict your firewall.
>>
>> I don't however get where the sysctl error is. Can
>> you help me?
>>
>> Costa
>>
>>
>> John Zastrow said:
>> > Howdy,
>> >
>> > I've got the classic situation: eth0 on the linux box
>> > connected to a cable modem with dynamic IPs. eth1
>> > points to the internal network, which is currently one
>> > machine. That machine gets its IP from dhcpd and sees
>> > eth1 (192.168.1.1) as its gateway. Linux box is
>> > running Redhat8.
>> >
>> > I would like to route to the internal machine full
>> > access to the linux box and internet, so I tried the
>> > firehol stock home_adsl config as a start (though I
>> > had to change the path for sysctl to /sbin/sysctl to
>> > stop firehol from complaining).
>> >
>> > Now the linux box sees the internet just fine through
>> > eth0. The internal box is getting its IP and I can ssh
>> > into the linux through eth1 just fine. But, the
>> > internal machine cannot see the internet. I also tried
>> > working through the tutorial config, but that didn't
>> > either.
>> >
>> > Nothing seems to be complaining, so it's obviously a
>> > config problem. Where do I start troubleshooting this?
>> > The troubleshooting section is a little lite in this
>> > regard.
>> >
>> > TIA,
>> > -John
>> >
>> > __________________________________________________
>> > Do you Yahoo!?
>> > Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
>> > http://mailplus.yahoo.com
>> >
>> > -------------------------------------------------------
>> > This SF.NET email is sponsored by:
>> > SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
>> > http://www.vasoftware.com
>> > _______________________________________________
>> > Firehol-support mailing list
>> > Firehol-support at lists.sourceforge.net
>> > https://lists.sourceforge.net/lists/listinfo/firehol-support
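The checklist Costa sketches above (which modules are needed, whether the rules are actually loaded, which external commands FireHOL calls, and the /sbin PATH problem John hit on Red Hat) can be scripted. The following is an added example written for this archive page; it is not part of FireHOL and was not posted in the thread. It assumes the cable-modem layout from the thread (eth0 faces the modem, eth1 the LAN). Each helper takes command output as a string, so it is exercised here against constructed lsmod and nat-table samples; with `--live eth0` the same helpers run against the real box. The `iptables -t nat -S` listing form and the `nf_conntrack` module name are assumed to be available; both postdate the 2003 tools discussed in the thread.

```shell
#!/bin/sh
# FireHOL router pre-flight checklist (added example, not part of FireHOL).
# Layout assumed from the thread: eth0 faces the cable modem, eth1 the LAN.
# Each helper takes command output as a string so it can be checked against
# constructed samples or against the live system.

# Is a command resolvable on the current PATH? Red Hat keeps sysctl and
# iptables in /sbin, which root's PATH may not include (the thread's problem).
cmd_on_path() {
    command -v "$1" >/dev/null 2>&1
}

# Is module $2 listed in lsmod-style output $1? Exit 0 if present.
module_loaded() {
    printf '%s\n' "$1" | awk -v m="$2" '$1 == m { found = 1 } END { exit !found }'
}

# Does a sysctl line ("net.ipv4.ip_forward = 1") or a bare /proc value ("1")
# say IPv4 forwarding is on? Without it nothing is routed from eth1 to eth0.
forwarding_enabled() {
    val=$(printf '%s' "$1" | tr -d ' \n')
    [ "${val##*=}" = "1" ]
}

# Does nat-table listing $1 (`iptables -t nat -S` form) contain a POSTROUTING
# MASQUERADE rule leaving interface $2? That is what the "masquerade" line in
# the lan2internet router must produce.
has_masquerade() {
    printf '%s\n' "$1" | grep -q -- "^-A POSTROUTING .*-o $2 .*-j MASQUERADE"
}

# Constructed samples (not captured from a real box) for the self-check.
SAMPLE_LSMOD='Module                  Size  Used by
ipt_MASQUERADE          2176  1
iptable_nat            20848  1 ipt_MASQUERADE
ip_conntrack           26028  2 ipt_MASQUERADE,iptable_nat
ip_tables              14936  2 ipt_MASQUERADE,iptable_nat'

SAMPLE_NAT='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE'

# $1 = description, remaining args = command to evaluate; prints ok/FAIL.
report() {
    d=$1; shift
    if "$@"; then echo "ok:   $d"; else echo "FAIL: $d"; fi
}

# Run the helpers against the live box; $1 = internet-facing interface.
live_checklist() {
    iface=${1:-eth0}
    report "sysctl on PATH (try PATH=/sbin:/usr/sbin:\$PATH if not)" cmd_on_path sysctl
    report "iptables on PATH" cmd_on_path iptables
    if [ -r /proc/sys/net/ipv4/ip_forward ]; then
        report "net.ipv4.ip_forward = 1" forwarding_enabled "$(cat /proc/sys/net/ipv4/ip_forward)"
    fi
    if cmd_on_path lsmod; then
        mods=$(lsmod)
        if module_loaded "$mods" ip_conntrack || module_loaded "$mods" nf_conntrack; then
            echo "ok:   connection tracking module loaded"
        else
            echo "FAIL: neither ip_conntrack nor nf_conntrack is loaded"
        fi
    fi
    if cmd_on_path iptables && nat=$(iptables -t nat -S 2>/dev/null); then
        report "MASQUERADE rule out of $iface" has_masquerade "$nat" "$iface"
    fi
}

# Default: self-check on the constructed samples. "--live [iface]": real box.
case "${1:-}" in
    --live) live_checklist "${2:-eth0}" ;;
    *)
        report "sample lsmod lists ip_conntrack" module_loaded "$SAMPLE_LSMOD" ip_conntrack
        report "sample sysctl line says forwarding is on" forwarding_enabled "net.ipv4.ip_forward = 1"
        report "sample nat table masquerades out of eth0" has_masquerade "$SAMPLE_NAT" eth0
        ;;
esac
```

Run it as `sh firehol-preflight.sh --live eth0` on the router (as root, so the nat table can be listed). A FAIL on the PATH line is the Red Hat symptom from the thread; a FAIL on the MASQUERADE line with everything else ok usually means the router section never applied, which `/etc/init.d/firehol explain` will show rule by rule.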