Distroname and release: Debian Squeeze

Iptables with PPPoE

So you have a PPPoE connection and you want a Linux box running iptables as your gateway to the internet, perhaps instead of a router? Then keep reading.
Before we start, have the following information ready; you will need it later on.
- Username and password from your ISP (Internet Service Provider).
- Two Ethernet adapters, and their IP addresses.
- A 2.4.x kernel or above.

Make sure you are using a 2.4.x kernel or above:
$uname -r
2.6.8-1-686-smp
This is not an in-depth guide to iptables; look here for that.

Installation

First install these three packages: pppoe, pppoeconf and iptables.
#apt-get install pppoe pppoeconf iptables

PPPoE configuration

You must have plugged your modem into one of your NICs before doing this step.
Have your ISP information with you at this point.

As always, it is a good idea to back up the original files in case you break something.
#cp /etc/ppp/peers/dsl-provider /etc/ppp/peers/dsl-provider.bak
Start the PPPoE configuration. This should be rather simple; just follow the steps from here!
#pppoeconf
Then we have to edit the options file:
/etc/ppp/options

name 
mtu 1492
mru 1492
noipdefault
defaultroute
Restart ppp after the changes:
#/etc/init.d/ppp restart
The Linux box is now configured with ppp and should be online!

Setting up iptables

Please take note of this line in iptables. I had a lot of problems with an unstable connection, but this fixed it.

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

This script allows everything out and everything in.
It is only a sample script to get the internet working after the configuration.
iptablesscript.sh
#!/bin/sh
#########################################################
#							#
#	Firewall Script Lasse m. with IP-Tables.	#
#	http://linuxlasse.net				#
#	Open all ports by default...			#
#							#
#########################################################

# STOP FORWARDING while the rule set is rebuilt
echo "Stopping IP-Tables"
echo 0 > /proc/sys/net/ipv4/ip_forward
sleep 1

## NETWORK INTERFACES
WAN_NIC=ppp0        # the PPPoE link brought up by pppoeconf
LAN_NIC='eth1'      # the LAN side; not referenced by the open-all rules below

## LOAD MODULES IF NEEDED
## (legacy names; newer kernels call these nf_conntrack, nf_conntrack_ftp and nf_nat_ftp)
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_tables
modprobe iptable_nat
modprobe ipt_MASQUERADE

## FLUSHING / CLEANING UP EARLIER RULES
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -t nat -F
iptables -F                 # empty the built-in chains first ...
iptables --delete-chain     # ... then user-defined chains can be removed (same as -X)

## RULES (policies: everything is accepted unless a rule says otherwise)
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

## ENABLE MASQUERADE AND FORWARDING
## LAN clients are hidden behind the (dynamic) address of the ppp link
iptables -t nat -A POSTROUTING -o $WAN_NIC -j MASQUERADE

## ENABLE THE TCP MSS, BECAUSE OF ADSL ICKY-NESS
## PPPoE leaves only 1492 bytes of MTU; clamp the MSS of forwarded SYNs to the path MTU
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

## ALLOW TRAFFIC
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "Starting IP-Tables"
echo 1 > /proc/sys/net/ipv4/ip_forward
Execute the new script so that traffic is allowed through iptables:
sh iptablesscript.sh
Now all clients behind this ppp box should be able to access the internet, provided the default gateway on each client is set to the LAN IP of the Ethernet card on the Debian ppp box.
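The script above deliberately opens everything, which is fine for getting the link working but not for leaving the box on the internet. The following locked-down counterpart is an added example, not the page's or LinuxLasse's own script. It assumes ppp0 is the PPPoE link, eth1 is the LAN on 192.168.0.0/24 (both constructed values), and that the gateway itself should only be reachable for SSH and ping from the LAN side. Run with no argument it only prints the rule set for review; --apply loads it.

```shell
#!/bin/sh
# Locked-down counterpart to the open-all script (added example, not the page's
# script). Assumptions: ppp0 is the PPPoE link, eth1 is the LAN on
# 192.168.0.0/24, and the gateway accepts only SSH and ping from the LAN.
# With no argument the script prints the rules for review; --apply loads them.

WAN_NIC=ppp0
LAN_NIC=eth1
LAN_NET=192.168.0.0/24

# fw_rules: emit every iptables command, one per line. Keeping the rule set as
# text lets you diff it, review it and test it without touching the kernel.
fw_rules() {
    cat <<EOF
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -F
iptables -X
# Default-deny for INPUT and FORWARD instead of the open-all ACCEPT policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# The PPPoE MSS clamp from the page (mtu/mru 1492). TCPMSS does not end chain
# traversal, but ACCEPT does, so this rule must precede any ACCEPT in FORWARD.
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Packets arriving from the internet with a LAN source address are spoofed
iptables -A INPUT -i $WAN_NIC -s $LAN_NET -j DROP
iptables -A FORWARD -i $WAN_NIC -s $LAN_NET -j DROP
# Loopback and replies to connections the box or the LAN opened
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Management of the gateway only from the LAN side
iptables -A INPUT -i $LAN_NIC -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $LAN_NIC -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT
# Clients may open connections LAN -> internet; nothing unsolicited is forwarded in
iptables -A FORWARD -i $LAN_NIC -o $WAN_NIC -s $LAN_NET -m state --state NEW -j ACCEPT
# Rate-limited logging of what the DROP policies are about to discard
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW INPUT drop: "
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW FORWARD drop: "
# NAT for the LAN behind the dynamic PPP address
iptables -t nat -A POSTROUTING -o $WAN_NIC -s $LAN_NET -j MASQUERADE
EOF
}

# count_rules: number of iptables commands the script would execute
count_rules() {
    fw_rules | grep -c '^iptables'
}

case "${1:-}" in
    --apply)
        echo 0 > /proc/sys/net/ipv4/ip_forward   # no forwarding while rules are rebuilt
        fw_rules | sh -e                          # stop at the first rule iptables rejects
        echo 1 > /proc/sys/net/ipv4/ip_forward
        ;;
    *)
        fw_rules                                  # dry run: review before applying
        ;;
esac
```

Two points are easy to get wrong when tightening the page's script: the ordering of the TCPMSS rule (it must sit before any ACCEPT in FORWARD, otherwise accepted SYNs are never clamped), and the fact that with a DROP policy the gateway must explicitly allow the LAN management traffic it previously got for free. Review the printed rules first, then run the script with --apply; a mistake in the rule text makes sh -e stop before ip_forward is re-enabled.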

Checking the configuration

Try to ping from the box running ppp and iptables, or from a client behind the iptables firewall:
$ping google.com
PING google.com (216.239.57.99) 56(84) bytes of data.
64 bytes from 216.239.57.99: icmp_seq=1 ttl=235 time=208 ms
64 bytes from 216.239.57.99: icmp_seq=2 ttl=235 time=271 ms
64 bytes from 216.239.57.99: icmp_seq=3 ttl=235 time=322 ms
64 bytes from 216.239.57.99: icmp_seq=4 ttl=235 time=224 ms
If it isn't working, a possible cause is that the routes on the ppp box running iptables are wrong. The default route must use the IP of the ppp adapter!

Use the command route to check:
#route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
If this isn't right, you can change the routing: first remove the default gateway, then add the new one.
#route del default gw 192.168.0.1
#route add default gw 123.456.789.123
This will change the gateway from 192.168.0.1 to 123.456.789.123.
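Checking the route by eye works once; a small script catches the same mistakes every time the link is brought up. The health check below is an added example, not from the page. Each check reads the output of one command from stdin, so it can be exercised against captured text, and run_checks wires them to the live commands. It assumes ppp0 is the WAN link (as on this page) and an iptables new enough to support -S for listing rules.

```shell
#!/bin/sh
# Post-setup health check for the PPPoE gateway (added example, not from the
# page). Assumes ppp0 is the WAN link. Every check reads its input from stdin
# so it can be tested on captured output; `--run` runs them against the box.

WAN_NIC=${WAN_NIC:-ppp0}

# kernel_ok: stdin = `uname -r`; true for 2.4.x and newer
kernel_ok() {
    awk -F. '{ ok = ($1 > 2) || ($1 == 2 && $2 >= 4); exit (ok ? 0 : 1) }'
}

# default_iface: stdin = `route -n` / `route` table; prints the interface of the
# default route ("0.0.0.0" or "default" destination), nothing if there is none
default_iface() {
    awk '$1 == "0.0.0.0" || $1 == "default" { print $NF; exit }'
}

# route_ok: the default route must leave via the PPP link, not the LAN NIC
route_ok() {
    [ "$(default_iface)" = "$WAN_NIC" ]
}

# forwarding_ok: stdin = /proc/sys/net/ipv4/ip_forward
forwarding_ok() {
    [ "$(cat)" = "1" ]
}

# nat_ok: stdin = `iptables -t nat -S POSTROUTING`; a MASQUERADE out the WAN must exist
nat_ok() {
    grep -q -- "-o $WAN_NIC .*-j MASQUERADE"
}

# mss_ok: stdin = `iptables -S FORWARD`; the PPPoE MSS clamp from the page must be present
mss_ok() {
    grep -q -- '--clamp-mss-to-pmtu'
}

# check NAME FN: feed stdin to FN, print PASS/FAIL NAME, return FN's status
check() {
    if "$2"; then echo "PASS $1"; return 0; fi
    echo "FAIL $1"; return 1
}

# run_checks: run everything against the live box; returns the number of failures
run_checks() {
    failed=0
    uname -r | check "kernel 2.4 or newer" kernel_ok || failed=$((failed + 1))
    check "ip_forward enabled" forwarding_ok < /proc/sys/net/ipv4/ip_forward || failed=$((failed + 1))
    route -n | check "default route via $WAN_NIC" route_ok || failed=$((failed + 1))
    iptables -t nat -S POSTROUTING | check "MASQUERADE out $WAN_NIC" nat_ok || failed=$((failed + 1))
    iptables -S FORWARD | check "TCP MSS clamp in FORWARD" mss_ok || failed=$((failed + 1))
    return $failed
}

case "${1:-}" in
    --run) run_checks ;;
esac
```

Fed the routing table shown on this page, route_ok fails, because the default route points at 192.168.0.1 on eth1 rather than at the ppp link; that is exactly the situation the route del / route add commands above repair. Running the script from the firewall start-up script (after the rules are loaded) turns a silent misconfiguration into a FAIL line in the boot log.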

Tips

Enable iptables at bootup:
To do this, we need to create a startup script:
#cp iptablesscript.sh /etc/init.d/firewall
#chmod 755 /etc/init.d/firewall
OK, now we tell Debian to start it in runlevels 2, 3, 4 & 5 and stop it in runlevels 0, 1 & 6.
#update-rc.d firewall start 20 2 3 4 5 . stop 20 0 1 6 .

Do not trust the author's words! PoC, tests and experience are key.

Copyright LinuxLasse.net 2009 - 2024 All Rights Reserved.
