I noticed you started by calling the ADSL device a modem, then later called it a router. Assuming it's a BT account, then we'll assume it's a modem... they're not given to giving their mostly Windows user base proper hardware (but that's a completely different black helicopter theory).
I assume you have Windows machines on your LAN too, which is the reason for segregating them from the modem via the Linux machine with dual NICs.
Is the modem actually Ethernet? I thought they were just cheap USB jobbies? You also mention the modem gives out IP addresses, which sounds more like a router performing DHCP. Anyway, I'm a bit confused about your setup, but here goes...
Here's my old iptables setup from when I used to have an on demand dialup:
# iptables setup
# (negations written as "! -d" / "! -s"; the old "-d !" form is deprecated in current iptables)

# deny MS broadcast crap beyond the LAN
iptables -A INPUT ! -d 192.168.0.0/24 -p tcp --dport 139 -j REJECT

# allow localhost
iptables -A INPUT -s 127.0.0.1 -j ACCEPT

# allow LAN
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT

# allow www
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# allow SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# allow inbound DCC (the -I rules are inserted at the top of INPUT, ahead of everything above)
iptables -A INPUT ! -s 192.168.0.0/24 -p tcp --dport 6789 -j ACCEPT
iptables -I INPUT 1 ! -s 192.168.0.0/24 -p tcp --dport 6790 -j ACCEPT
iptables -I INPUT 1 ! -s 192.168.0.0/24 -p tcp --dport 6881:6889 -j ACCEPT

# reject everything else (only new TCP connections; UDP and the FORWARD chain are untouched)
iptables -A INPUT -p tcp --syn -j DROP

# enable NAT and forward the DCC ports to the LAN hosts that use them
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --dport 6789 -j DNAT --to-destination 192.168.0.2:6789
iptables -t nat -A PREROUTING -p tcp --dport 6790 -j DNAT --to-destination 192.168.0.7:6790
(I don't use this any more as I use the router for everything.) Check your IP addresses, as I used 192.168.0.0/24 here, and ignore any of the 'allow' stuff you don't want to get battered by from the internet. I also set forwarding on (dunno whether this actually does anything, but I'm superstitious like that and always set it on):
guy@focusrite:~$ cat /etc/network/options
ip_forward=no    <--- I had this set to 'yes'
spoofprotect=yes
syncookies=no
then set everything else on the LAN to use the dialup machine's LAN IP as the gateway. Worked for me with a modem for ages; I assume it'd work with a DSL modem too. Of course... you could always get a cheap router from broadbandbuyer.co.uk for about £25 quid and then just point the whole LAN at that for DHCP and everything, which'd solve any Windows accessibility probs for inbound rogue traffic. (That's my understanding and I'm sticking to it!) Works for me on a £50 quid D-Link router, and the mother-in-law on her cheapo £25 jobbie!
G
Mr. Adam Allen. wrote:
On Tue, 2005-10-25 at 18:55 +0100, Ted.Harding@nessie.mcc.ac.uk wrote:
<snip>
Here the situation is that, if I put a second NIC in any of the machines as eth1, give it IP address 192.168.1.3 (since this is the first in line of the IP addresses which the modem gives out) and also manually install a default route to the net 192.168.1.0 via eth1, then from that machine I can also readily access the outside world.
However, I have not managed to configure the machines so as to route through the ADSL machine via its eth1 in a similar way to ppp0. Say machine C has the ADSL modem on eth1, and machines A, B and C are linked over a network on eth0 for each. Then C can see the Net, while A and B cannot.
<snip>
Have you done anything on machine C with iptables to MASQUERADE on the ADSL eth1 interface? Something like:
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
It may be that kppp does this automatically for ppp0 on-demand, or this has been configured manually before.
main@lists.alug.org.uk http://www.alug.org.uk/ http://lists.alug.org.uk/mailman/listinfo/main Unsubscribe? See message headers or the web site above!
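G's iptables script and the MASQUERADE suggestion in the quoted reply both describe the same thing: a Linux box with two NICs acting as the NAT gateway for the LAN. The script below is an added example of that setup written for this page; it is not code from either poster. It assumes, hypothetically, the LAN on eth0 as 192.168.0.0/24 and the ADSL modem on eth1, exposes only SSH to the outside, and forwards G's DCC port 6789 to 192.168.0.2. Unlike the snippets in the thread it also gives the FORWARD chain a default-deny policy and explicit rules, because once ip_forward is on it is FORWARD, not INPUT, that decides what gets routed between the modem and the LAN. Set IPT=echo (or run it with "dry-run") to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not from the thread): a dual-NIC Linux box as NAT gateway.
# Hypothetical layout: LAN on eth0 (192.168.0.0/24), ADSL modem on eth1.
# Set IPT=echo (or run with "dry-run") to print the rules instead of loading them.

LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
IPT="${IPT:-iptables}"

# Start from a clean slate with default-deny on INPUT and FORWARD.
fw_reset() {
    $IPT -F
    $IPT -t nat -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

# Traffic addressed to the gateway itself; "$@" lists TCP ports open to the Internet.
fw_input() {
    $IPT -A INPUT -i lo -j ACCEPT
    # anti-spoofing: a LAN source address must never arrive from the modem side
    $IPT -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in "$@"; do
        $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
}

# Traffic routed between the two NICs: LAN may go out, only replies come back in.
fw_forward() {
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    # Windows file sharing stays on the LAN, in both directions, even mid-session
    $IPT -I FORWARD 1 -p tcp -m multiport --dports 135,137:139,445 -j REJECT
    $IPT -I FORWARD 1 -p udp -m multiport --dports 137:139 -j REJECT
}

# Hide the LAN behind whatever address the modem gives eth1.
fw_nat() {
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# fw_dnat PORT DEST: expose one TCP port on a LAN host (e.g. G's DCC port).
# The DNATed packet still has to pass FORWARD, so open that too.
fw_dnat() {
    port="$1"; dest="$2"
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$port" -j DNAT --to-destination "$dest:$port"
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$dest" --dport "$port" -m state --state NEW -j ACCEPT
}

# Kernel side: routing on, reverse-path filtering and SYN cookies on.
fw_sysctl() {
    if [ "$IPT" = echo ]; then
        echo "sysctl -w net.ipv4.ip_forward=1 net.ipv4.conf.all.rp_filter=1 net.ipv4.tcp_syncookies=1"
    else
        sysctl -w net.ipv4.ip_forward=1 net.ipv4.conf.all.rp_filter=1 net.ipv4.tcp_syncookies=1
    fi
}

fw_apply() {
    fw_reset
    fw_input 22            # only SSH reachable from the Internet
    fw_forward
    fw_nat
    fw_dnat 6789 192.168.0.2
    fw_sysctl
}

case "${1:-}" in
    apply)   fw_apply ;;
    dry-run) IPT=echo; fw_apply ;;
esac
```

Run it as root with "apply" on the gateway and point the other machines' default route at its LAN address, as G describes. The rp_filter and syncookies settings play the role of the spoofprotect and syncookies lines in G's /etc/network/options; every port you open with fw_input or fw_dnat is reachable from the whole Internet, so list only what you mean to expose.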