Hi, I partitioned my box into two subnets; however, after a lot of fault finding I tracked the problem down to my firewall. In its default configuration it wasn't routing packets between the two subnets 192.168.2.0/24 and 192.168.1.0/24.
root@router:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:16:01:D1:6E:1C
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:54760 errors:0 dropped:0 overruns:0 frame:0
TX packets:52930 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:39378475 (37.5 MiB) TX bytes:39261731 (37.4 MiB)
Interrupt:4
eth0.0 Link encap:Ethernet HWaddr 00:16:01:D1:6E:1C
inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:23632 errors:0 dropped:0 overruns:0 frame:0
TX packets:30392 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3107186 (2.9 MiB) TX bytes:35813611 (34.1 MiB)
eth0.1 Link encap:Ethernet HWaddr 00:16:01:D1:6E:1C
inet addr:91.75.35.30 Bcast:91.75.35.31 Mask:255.255.255.252
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:14717 errors:0 dropped:0 overruns:0 frame:0
TX packets:12574 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:16575882 (15.8 MiB) TX bytes:2224804 (2.1 MiB)
eth0.2 Link encap:Ethernet HWaddr 00:16:01:D1:6E:1C
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:15323 errors:0 dropped:0 overruns:0 frame:0
TX packets:9980 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:18665798 (17.8 MiB) TX bytes:981835 (958.8 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
From my limited iptables experience I believe I need to enter these commands to allow packets between the interfaces:
root@router:~# iptables -A FORWARD -i eth0.0 -o eth0.2 -j ACCEPT
root@router:~# iptables -A FORWARD -i eth0.2 -o eth0.0 -j ACCEPT
That worked, and now my server, which is 192.168.1.5, can ping computers on the other subnet. Computers on the eth0.0 subnet can ping out onto the internet without problems; however, I cannot get packets out onto the internet from the server, which is on the eth0.2 subnet.
So, in summary, would anyone be kind enough to tell me what commands should be entered on OpenWrt Kamikaze to allow eth0.2 packets out onto the internet, and secondly, where would I put the actual commands to ensure they are applied by the init scripts?
Many thanks in advance,
Chris
Dump of the default, unedited Kamikaze scripts:
root@router:~# cat /etc/firewall.user
#!/bin/sh
# Copyright (C) 2006 OpenWrt.org
#
# Sourced by /etc/init.d/firewall (". /etc/firewall.user") once the base
# rule set has been built, so it runs inside that script's shell and can
# refer to the interface names it looked up ($WAN, $WANDEV, $LAN).
#
# First empty the hook chains this file is meant to fill.  -F removes every
# rule from a chain but keeps the chain itself; the init script has already
# created these chains and jumped to them from INPUT, OUTPUT, FORWARD and
# the nat PREROUTING/POSTROUTING chains.

# filter table: hooks reached for all traffic ...
iptables -t filter -F input_rule
iptables -t filter -F output_rule
iptables -t filter -F forwarding_rule
# ... and hooks reached only for traffic arriving on the WAN interface
iptables -t filter -F input_wan
iptables -t filter -F forwarding_wan

# nat table: same split, hooks for all traffic and for WAN ingress
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule
iptables -t nat -F prerouting_wan

### Open port to WAN
## -- Let the router itself answer on TCP port 22 (dropbear) from the WAN.
## -- Both rules are needed: the nat rule keeps a later DNAT (see the DMZ
## -- example below) from redirecting the port, the filter rule accepts it.
# iptables -t nat -A prerouting_wan -p tcp --dport 22 -j ACCEPT
# iptables -A input_wan -p tcp --dport 22 -j ACCEPT

### Port forwarding
## -- Redirect WAN port 8080 to port 80 on 192.168.1.2 (DNAT), then accept
## -- the redirected connection in the forwarding path.
# iptables -t nat -A prerouting_wan -p tcp --dport 8080 -j DNAT --to 192.168.1.2:80
# iptables -A forwarding_wan -p tcp --dport 80 -d 192.168.1.2 -j ACCEPT

### DMZ
## -- Catch-all: every WAN connection not matched by an earlier prerouting_wan
## -- rule is DNATed to 192.168.1.2 and accepted in forwarding_wan.
# iptables -t nat -A prerouting_wan -j DNAT --to 192.168.1.2
# iptables -A forwarding_wan -d 192.168.1.2 -j ACCEPT
root@router:~# cat /etc/init.d/firewall
#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org
## Please make changes in /etc/firewall.user
## rc.common interprets this file and dispatches "start"/"stop" to the
## functions below; START is the boot ordering number for the rc.d link.
START=45
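#######################################
# Build the default rule set from scratch.
# Globals:   WAN, WANDEV, LAN (set here from /var/state/network; WAN is
#            exported for the firewall.awk generated rules)
# Outputs:   none; iptables diagnostics go to stderr
# Returns:   status of the last user-rule step (non-zero when there is
#            no WAN or no /etc/config/firewall, as in the original)
#######################################
start() {
  ## WAN is the upstream ifname, WANDEV the device it sits on (may equal
  ## WAN), LAN the interface named by lan.ifname.  Any may be empty.
  ## Each is treated as a single interface name below.
  include /lib/network
  scan_interfaces
  config_load /var/state/network
  config_get WAN wan ifname
  config_get WANDEV wan device
  config_get LAN lan ifname

  ## CLEAR TABLES
  for T in filter nat; do
    iptables -t "$T" -F
    iptables -t "$T" -X
  done

  ## Hook chains filled by /etc/firewall.user and by firewall.awk.
  iptables -N input_rule
  iptables -N input_wan
  iptables -N output_rule
  iptables -N forwarding_rule
  iptables -N forwarding_wan
  iptables -t nat -N NEW
  iptables -t nat -N prerouting_rule
  iptables -t nat -N prerouting_wan
  iptables -t nat -N postrouting_rule

  ## LAN_ACCEPT: accept unless the packet arrived on the WAN interface or
  ## the WAN device; RETURN hands those back to the calling chain.
  iptables -N LAN_ACCEPT
  [ -z "$WAN" ] || iptables -A LAN_ACCEPT -i "$WAN" -j RETURN
  [ -z "$WANDEV" ] || [ "$WANDEV" = "$WAN" ] || iptables -A LAN_ACCEPT -i "$WANDEV" -j RETURN
  iptables -A LAN_ACCEPT -j ACCEPT

  ### INPUT
  ### (connections with the router as destination)
  # base case
  iptables -P INPUT DROP
  iptables -A INPUT -m state --state INVALID -j DROP
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  # drop SYN packets that carry no TCP option 2 (MSS)
  iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP
  #
  # insert accept rule or to jump to new accept-check table here
  #
  iptables -A INPUT -j input_rule
  [ -z "$WAN" ] || iptables -A INPUT -i "$WAN" -j input_wan
  # allow
  iptables -A INPUT -j LAN_ACCEPT # allow from lan/wifi interfaces
  iptables -A INPUT -p icmp -j ACCEPT # allow ICMP
  iptables -A INPUT -p gre -j ACCEPT # allow GRE
  # reject (what to do with anything not allowed earlier)
  iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
  iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable

  ### OUTPUT
  ### (connections with the router as source)
  # base case
  iptables -P OUTPUT DROP
  iptables -A OUTPUT -m state --state INVALID -j DROP
  iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  #
  # insert accept rule or to jump to new accept-check table here
  #
  iptables -A OUTPUT -j output_rule
  # allow
  iptables -A OUTPUT -j ACCEPT #allow everything out
  # reject (what to do with anything not allowed earlier)
  # NOTE: unreachable after the unconditional ACCEPT above; kept as the
  # template for a stricter OUTPUT policy.
  iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
  iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable

  ### FORWARDING
  ### (connections routed through the router)
  # base case
  iptables -P FORWARD DROP
  iptables -A FORWARD -m state --state INVALID -j DROP
  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  #
  # insert accept rule or to jump to new accept-check table here
  #
  iptables -A FORWARD -j forwarding_rule
  [ -z "$WAN" ] || iptables -A FORWARD -i "$WAN" -j forwarding_wan
  # allow
  # Only the interface named by lan.ifname may forward to itself and to
  # the WAN.  Packets from any other internal interface (a second VLAN,
  # for example) hit the default DROP unless a rule for them is appended
  # to forwarding_rule, e.g. from /etc/firewall.user.
  iptables -A FORWARD -i "$LAN" -o "$LAN" -j ACCEPT
  [ -z "$WAN" ] || iptables -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
  # reject (what to do with anything not allowed earlier)
  # uses the default -P DROP

  ### MASQ
  # new TCP connections pass through the rate-limiting NEW chain first
  iptables -t nat -A PREROUTING -m state --state NEW -p tcp -j NEW
  iptables -t nat -A PREROUTING -j prerouting_rule
  [ -z "$WAN" ] || iptables -t nat -A PREROUTING -i "$WAN" -j prerouting_wan
  iptables -t nat -A POSTROUTING -j postrouting_rule
  # everything leaving via the WAN is masqueraded, whichever internal
  # interface it came from; forwarding permission is decided above
  [ -z "$WAN" ] || iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
  # NEW: pass new TCP connections within the limit (burst 100), drop the rest
  iptables -t nat -A NEW -m limit --limit 50 --limit-burst 100 -j RETURN && \
    iptables -t nat -A NEW -j DROP

  ## USER RULES
  # sourced into this shell, so it sees $WAN, $WANDEV and $LAN
  [ -f /etc/firewall.user ] && . /etc/firewall.user
  # /etc/config/firewall is turned into shell commands by firewall.awk and
  # run by ash; WAN is exported so the generated commands can read it.
  [ -n "$WAN" ] && [ -e /etc/config/firewall ] && {
    export WAN
    awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/config/firewall | ash
  }
}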
#######################################
# Tear the firewall down: open every built-in chain, then remove all
# rules and user chains from the filter and nat tables.
# Globals:   none
# Outputs:   none; iptables diagnostics go to stderr
#######################################
stop() {
  local chain

  # filter table: policy ACCEPT on the built-in chains, then flush and
  # delete everything that was created by start()
  for chain in INPUT OUTPUT FORWARD; do
    iptables -t filter -P "$chain" ACCEPT
  done
  iptables -t filter -F
  iptables -t filter -X

  # nat table: same sequence for its built-in chains
  for chain in PREROUTING POSTROUTING OUTPUT; do
    iptables -t nat -P "$chain" ACCEPT
  done
  iptables -t nat -F
  iptables -t nat -X
}