New modem and iptables...

Antonio antonio.montagnani at gmail.com
Tue Oct 23 12:01:32 UTC 2007


2007/10/23, John Summerfield <debian at herakles.homelinux.org>:
> Antonio wrote:
> > 2007/10/22, John Summerfield <debian at herakles.homelinux.org>:
> >> Antonio wrote:
> >>> 2007/10/22, John Summerfield <debian at herakles.homelinux.org>:
> >>>> Antonio wrote:
> >>>>> 2007/10/21, John Summerfield <debian at herakles.homelinux.org>:
> >>>>>> Antonio wrote:
> >>>>>>> I installed a new ADSL2+ modem that doesn't need PPPoE any longer
> >>>>>>> because it starts the connection by itself
> >>>>>>>
> >>>>>> I expect your "modem" is actually a router, and that you can just turn
> >>>>>> your Linux firewall off. The router performs firewall and NAT functions
> >>>>>> that are perfectly adequate for most people.
> >>>>>>
> >>>>>> --
> >>>>>>
> >>>>>> Cheers
> >>>>>> John
> >>>>>>
> >>>>>> -- spambait
> >>>>>> 1aaaaaaa at coco.merseine.nu  Z1aaaaaaa at coco.merseine.nu
> >>>>>>
> >>>>> No... when I say modem, I mean modem, even if it can start the connection by itself...
> >>>>> What is funny is that it has a DHCP server even if it has just a
> >>>>> single Ethernet port  :-)
> >>>> I have a so-called modem, but it really is a router. Like yours, it has
> >>>> a single ethernet port. Mine's an iconnect 622, and it does pppoe,
> >>>> pppoa, dhcp, dns relay and some other stuff. However, I set it to
> >>>> bridging mode and do the pppoe myself.
> >>>>
> >>>> If you want to persuade me it's a modem, better name it;-)
>
> > And for English mother-tongue folks....
> > http://www.dlink.co.uk/?go=jN7uAYLx/oIJaWVUDLYZU93ygJVYLelXSNvhLPG3yV3oVo5+h6ltbNlwaaRp7TosAmu5j3cf/YENBs7k2aXlLkcVsezb
>
> No need, Seamonkey's translate button did better than I expected, and
> from there I found English manuals.
>
> It's time to define terms.
> "modem" is a contraction of the English words "modulate" and
> "demodulate." A modem's function is to translate digital signals from
> the computer (originally an RS-242C serial port, but the definition got
> bent a little with ADSL) to a form compatible with an analogue phone
> line. Basically, electronic versions of sounds - ever listened to a
> modem dialing?
>
> ADSL modems have to do a little more; that's where the VPI and VCI stuff
> comes in.
>
> Once it's doing authentication, despite what Dlink asserts, it's no
> longer a modem, it's a router and _it_ has your public Internet address.
> It also does NAT (otherwise you couldn't have a private IP address on
> your peecees). Because it's doing NAT, nobody outside your LAN can
> connect to your systems. For most users, that's a good thing.
>
> If you want to run your own servers (say, for incoming email as I do),
> then you must put it into bridged mode, and do the PPPoE stuff, firewall
> and NAT in your PC.
>
> A more capable router would be able to forward incoming connexions,
> maybe to different machines: At work, I have incoming ssh directed
> directly to my desktop where there are fewer users and I don't have to
> worry about ignorant users having weak passwords.
>
>
> Since this device really is a router and it's running its own DHCP
> server, it's highly likely that all the computers
>
>
> Your DSL-320T should be giving you a 192.168.1.x IP address, and your
> default route should be via 192.168.1.1.
>
>
> Just to be clear, I think you have this setup:
> [inet](a)----(b)[DSL-320T](c)----(d)[linuxbox](e)---[switch]-[f][others]
>
> If your device is functioning as a modem, there should be public IP
> addresses at (a) and (d)
>
> If as a router, then the public IP addresses will be at (a) and (b).
>
> Note that (a) doesn't have to be a public IP address, some IAPs use
> private ones there..
>
> I presume you're either using DHCP on Linuxbox to hand out IP addresses,
> or doing it manually. (e) and (f) would have private IP address - I see
> you're using 192.168.0.x addresses.
>
> It's a mystery to me why you'd have an IP address of 87.14.136.149.
>
> Could you do this:
>
> traceroute js.id.au
> and post the results?
>
> Unfortunately, I use shorewall firewall and my firewalls are a good deal
> more complicated than you need, so I can't just post mine as an example.
>
> --
>
> Cheers
> John
>
> -- spambait
> 1aaaaaaa at coco.merseine.nu  Z1aaaaaaa at coco.merseine.nu
>
> Please do not reply off-list
>
>

traceroute js.id.au
traceroute to js.id.au (58.6.192.22), 30 hops max, 40 byte packets
 1  192.168.100.1 (192.168.100.1)  46.106 ms  49.939 ms  53.804 ms
 2  * host21-35-static.42-88-b.business.telecomitalia.it (88.42.35.21)  61.902 ms *
 3  r-mi224-vl19.opb.interbusiness.it (80.20.6.31)  69.686 ms  73.523 ms  77.453 ms
 4  crs-mi002-r-mi255.opb.interbusiness.it (151.99.99.161)  82.330 ms  86.228 ms  91.149 ms
 5  r-mi223-vl3.opb.interbusiness.it (151.99.75.149)  94.052 ms  98.191 ms  101.851 ms
 6  mil52-ibs-resid-3-it.mil.seabone.net (195.22.196.149)  106.975 ms  47.624 ms  51.540 ms
 7  pao1-chi1-racc1.pao.seabone.net (195.22.206.244)  228.412 ms  225.677 ms  229.537 ms
 8  g4-2-0.plapx-ar3.ix.singtel.com (198.32.176.188)  251.959 ms  251.667 ms  252.106 ms
 9  203.208.148.90 (203.208.148.90)  404.591 ms  414.906 ms  419.282 ms
10  * * *
11  * * *
12  59.154.58.6 (59.154.58.6)  444.200 ms  443.307 ms  435.046 ms
13  gi3-1-0.dsl-lns3.wa.westnet.com.au (202.72.130.158)  440.717 ms  451.093 ms  444.900 ms
14  dsl-58-6-192-22.wa.westnet.com.au (58.6.192.22)  461.703 ms  461.020 ms  453.018 ms

Now I am using PPPoE because I succeeded in changing the setting on the modem
(using M$ Explorer; I don't know why, but Save and Reboot doesn't work
in Firefox!!!).

Yes, my Linux box is a firewall and DHCP server for the network, even
if there is another router acting as a wireless access point giving out
IPs (another set, of course).
My iptables rules are:
# Generated by iptables-save v1.2.6a on Fri Feb 21 09:27:33 2003
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# NAT the 192.168.0.0/24 LAN behind the address on the PPPoE link (eth1 variant kept for reference)
-A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
#-A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE
# Forward HTTP connections to Squid proxy
-A PREROUTING -p tcp -m tcp -i eth0 --dport 80 -j REDIRECT --to-ports 3128
COMMIT
# Completed on Fri Feb 21 09:27:33 2003
# Generated by iptables-save v1.2.6a on Fri Feb 21 09:27:33 2003
*mangle
:PREROUTING ACCEPT [9:432]
:INPUT ACCEPT [3:234]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9:684]
:POSTROUTING ACCEPT [17:1292]
COMMIT
# Completed on Fri Feb 21 09:27:33 2003
# Generated by iptables-save v1.2.6a on Fri Feb 21 09:27:33 2003
*filter
# Default deny: anything arriving on ppp0 that is not matched below (i.e. not a
# reply to something sent out) falls through to these policies and is dropped
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to connections the box itself opened
-A INPUT -m state --state RELATED,ESTABLISHED -J ACCEPT
# Anything from the LAN side (eth0) may be forwarded out
-A FORWARD -i eth0 -j ACCEPT
# Replies coming back for the LAN's connections
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# The LAN may talk to the box itself (this is what lets the Squid REDIRECT to 3128 work)
-A INPUT -i eth0 -j ACCEPT
COMMIT
# Completed on Fri Feb 21 09:27:33 2003

It is funny what happened: I changed my old modem (that had the
standard settings from my ISP, using PPPoE) for an ADSL2+ modem (the D-Link, I
mean) and I thought that unplugging the old one and plugging in the new
one should make the system work with no break, but it was not
true!!!.... I guess that many Windows users should also kill the
Internet connection they created and let the modem manage the connection!!!!
As usual many useless pages in the manual, but no word about PPPoE,
bridging etc.....

Thanks for the help

-- 
Antonio Montagnani
Skype : antoniomontag
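The test John describes (a public address on the PC means bridged mode; a private address with the DSL box as default gateway means router mode) can be applied mechanically. The script below is an added example written for this page, not code from either poster: it classifies an address as RFC 1918 private or public, pulls the first hop out of traceroute output, and runs that over the traceroute posted above. The first hop there, 192.168.100.1, is private, which is what John's "router" case predicts. The interface name ppp0 in the trailing live-check comment is an assumption taken from the posted MASQUERADE rule.

```shell
#!/bin/sh
# Added example, not from the thread: apply John's "where is the public
# address?" test mechanically. In bridged mode the PC's uplink (ppp0 after
# PPPoE) carries the public address; in router mode the PC gets a private
# address and its default gateway is the DSL box itself.

# 0 (true) if $1 is an RFC 1918 address (10/8, 172.16/12, 192.168/16) or a
# 169.254/16 link-local address, which a DHCP client falls back to when
# nothing answers. Anything else is treated as public.
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*|169.254.*)                 return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)    return 0 ;;
        *)                                        return 1 ;;
    esac
}

# "routed" if the DSL box is doing PPPoE and NAT (it holds the public
# address, so only port forwarding or bridge mode lets servers in),
# "bridged" if the PC holds the public address and must firewall itself.
uplink_mode() {
    if is_private_ipv4 "$1"; then echo routed; else echo bridged; fi
}

# First-hop address from traceroute output on stdin: the line whose first
# field is "1", taking the dotted quad whether bare or in parentheses.
first_hop() {
    awk '$1 == "1" {
        for (i = 2; i <= NF; i++)
            if ($i ~ /^\(?[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\)?$/) {
                gsub(/[()]/, "", $i); print $i; exit
            }
    }'
}

# Head of the traceroute posted above, copied from the thread.
TRACE='traceroute to js.id.au (58.6.192.22), 30 hops max, 40 byte packets
 1  192.168.100.1 (192.168.100.1)  46.106 ms  49.939 ms  53.804 ms
 2  * host21-35-static.42-88-b.business.telecomitalia.it (88.42.35.21)  61.902 ms *'

# Given traceroute output on stdin, say which side of the DSL box the
# public address sits on.
diagnose() {
    hop=$(first_hop)
    [ -n "$hop" ] || { echo "no first hop found"; return 1; }
    echo "first hop $hop -> $(uplink_mode "$hop")"
}

printf '%s\n' "$TRACE" | diagnose
# Live check of the address on the uplink itself (ppp0 is an assumed name):
#   uplink_mode "$(ip -4 -o addr show dev ppp0 | awk '{print $4}' | cut -d/ -f1)"
```

One caveat John already raises: the ISP side (his point (a)) may itself be a private address, so the check is about the address the PC sees on its own uplink or first hop, not about anything further out.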


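The posted ruleset relies on the DROP policies of INPUT and FORWARD to keep the Internet side out, trusts eth0 wholesale, and depends on that trust for the Squid REDIRECT to work. The script below is an added example, not part of the thread: three sanity checks over an iptables-save dump of this shape, run here against the nat and filter tables exactly as posted (mangle omitted). The interface names ppp0 and eth0 are taken from the posted rules and are assumptions about the box; the checks themselves are mine.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks a practitioner would run
# over an iptables-save dump like the one posted above. Each check reads the
# dump on stdin; pipe in `iptables-save` to audit the live box.

WAN=ppp0   # assumed: the PPPoE uplink, as in the posted MASQUERADE rule
LAN=eth0   # assumed: the LAN side, as in the posted REDIRECT rule

# The nat and filter tables exactly as posted (mangle omitted).
RULES='*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
-A PREROUTING -p tcp -m tcp -i eth0 --dport 80 -j REDIRECT --to-ports 3128
COMMIT
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
COMMIT'

# Policy of a *filter chain ("DROP"/"ACCEPT"), dump on stdin.
chain_policy() {
    awk -v c=":$1" '/^\*/ { t = $1 } t == "*filter" && $1 == c { print $2; exit }'
}

# Check 1: anything arriving on the uplink that no rule matches must be
# dropped, so INPUT and FORWARD need a DROP policy. Prints "ok" or "FAIL ...".
check_default_deny() {
    dump=$(cat)
    for chain in INPUT FORWARD; do
        pol=$(printf '%s\n' "$dump" | chain_policy "$chain")
        if [ "$pol" != DROP ]; then
            echo "FAIL $chain policy is ${pol:-missing}, expected DROP"; return 1
        fi
    done
    echo ok
}

# Check 2: list rules that ACCEPT on the WAN interface with neither a state
# match nor a port match; such a rule would open the box to the Internet.
wan_open_accepts() {
    grep -E -- "^-A (INPUT|FORWARD) .*-i $WAN .*-j ACCEPT" | grep -Ev -- '--state|--dport' || true
}

# Check 3: a nat REDIRECT (Squid on 3128 here) only works if the filter
# INPUT chain accepts that traffic on the same interface, either with an
# interface-wide ACCEPT or an explicit --dport. Prints "ok <if> <port>" or FAIL.
check_redirect_reachable() {
    awk '
        /^\*/ { t = $1 }
        t == "*nat" && /-j REDIRECT/ {
            ifc = ""; port = ""
            for (i = 1; i <= NF; i++) { if ($i == "-i") ifc = $(i+1); if ($i == "--to-ports") port = $(i+1) }
            redir[ifc " " port] = 1
        }
        t == "*filter" && /^-A INPUT / && /-j ACCEPT/ {
            ifc = ""; port = ""
            for (i = 1; i <= NF; i++) { if ($i == "-i") ifc = $(i+1); if ($i == "--dport") port = $(i+1) }
            if (ifc != "" && port == "") open_if[ifc] = 1
            if (ifc != "" && port != "") open_port[ifc " " port] = 1
        }
        END {
            for (k in redir) {
                split(k, a, " ")
                if (open_if[a[1]] || open_port[k]) print "ok " k
                else print "FAIL REDIRECT on " a[1] " to port " a[2] " but INPUT never accepts it"
            }
        }'
}

# Run all three over a dump on stdin.
run_audit() {
    dump=$(cat)
    printf '%s\n' "$dump" | check_default_deny || true
    opens=$(printf '%s\n' "$dump" | wan_open_accepts)
    if [ -z "$opens" ]; then echo "ok no unconditional ACCEPT on $WAN"
    else printf 'FAIL unconditional ACCEPT on %s:\n%s\n' "$WAN" "$opens"; fi
    printf '%s\n' "$dump" | check_redirect_reachable
}

printf '%s\n' "$RULES" | run_audit
```

Against the posted rules all three checks pass: the policies are DROP, nothing accepts unconditionally on ppp0, and the Squid redirect on eth0 is reachable because INPUT accepts everything from eth0. The third check is the one that bites when someone later tightens `-A INPUT -i eth0 -j ACCEPT` to specific ports and forgets 3128: web browsing from the LAN then silently stops.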

