Distroname and release: Debian Squeeze
Iptables with PPPoE
So you have a PPPoE connection and you want to use a Debian box running iptables as the gateway to the internet, perhaps instead of a router? Then read on. Before we start, have the following information ready; you will need it later on.
- Username & password from your ISP (Internet Service Provider).
- 2 Ethernet adapters (NICs), and the IP address of each of them.
- A 2.4.x kernel or above.
Make sure you are using a 2.4.x kernel or above:
$uname -r
2.6.8-1-686-smp
This is not an in-depth guide to iptables; see a dedicated iptables guide for that.
Installation
First install these 3 packages: pppoe, pppoeconf & iptables.
#apt-get install pppoe pppoeconf iptables
PPPoE configuration
You must have plugged your modem into one of your NICs before doing this step. Remember to have your ISP information with you at this point.
As always it is a good idea to back up the original file (if it already exists; pppoeconf creates it otherwise), in case you screw something up.
#cp /etc/ppp/peers/dsl-provider /etc/ppp/peers/dsl-provider.bak
Start the PPPoE configuration. This should be rather simple, just follow the steps from here:
#pppoeconf
Then we have to edit the options file:
/etc/ppp/options
name <username>
mtu 1492
mru 1492
noipdefault
defaultroute
Replace <username> with the PPPoE login your ISP gave you (pppoeconf normally also writes it as a user line in /etc/ppp/peers/dsl-provider). The MTU/MRU of 1492 leaves room for the 8 bytes of PPPoE and PPP header inside a 1500-byte Ethernet frame; defaultroute makes pppd install the default route via the PPP link when it comes up.
Restart ppp after the changes:
#/etc/init.d/ppp restart
The Linux box is now configured with ppp and should be online!
Setting up iptables.
Please take note of this line in the iptables script. I had a lot of problems with an unstable connection, but this fixed it.
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
It rewrites the MSS in forwarded TCP SYNs to fit the 1492-byte PPPoE MTU, so connections to hosts that block ICMP "fragmentation needed" messages do not stall on large packets.
This script allows everything out and everything in. It is only a sample script to get the internet working after the configuration: with all three policies set to ACCEPT, the ESTABLISHED,RELATED rules below make no difference, and every service listening on the box is reachable from the internet. Treat it as a starting point, not as a firewall.
iptablesscript.sh
#!/bin/sh
#########################################################
#                                                       #
#  Firewall Script Lasse m. with IP-Tables.             #
#  http://linuxlasse.net                                #
#  Open all ports by default...                         #
#                                                       #
#########################################################
# STOP FORWARDING
echo "Stopping IP-Tables"
echo 0 > /proc/sys/net/ipv4/ip_forward
sleep 1
## NETWORK INTERFACES
WAN_NIC=ppp0
LAN_NIC=eth1
## LOAD MODULES IF NEEDED
## (the ip_* names are the 2.4-era module names; 2.6 kernels keep them as aliases for nf_conntrack & co.)
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ipt_MASQUERADE
## FLUSHING / CLEANING UP EARLIER RULES (flush first, then delete the now-empty user-defined chains)
iptables -F
iptables -X
iptables -t nat -F
## DEFAULT POLICIES (everything open)
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
## ENABLE MASQUERADE (source NAT) FOR TRAFFIC LEAVING ON THE PPP LINK
iptables -t nat -A POSTROUTING -o $WAN_NIC -j MASQUERADE
## CLAMP THE TCP MSS, BECAUSE OF ADSL ICKY-NESS
## (TCPMSS does not terminate rule processing, so it must come before any ACCEPT rule in FORWARD)
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
## ALLOW TRAFFIC (redundant while the policies are ACCEPT; they matter once the policies become DROP)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "Starting IP-Tables"
echo 1 > /proc/sys/net/ipv4/ip_forward
Execute the new script, so we allow traffic through iptables:
#sh iptablesscript.sh
Now all clients behind this ppp box should be able to access the internet, provided the default gateway on each client is set to the LAN IP of the Ethernet card in the Debian ppp box.
Checking the configuration
Try to ping from the box running ppp and iptables, or from a client behind the iptables firewall.
$ping google.com
PING google.com (216.239.57.99) 56(84) bytes of data.
64 bytes from 216.239.57.99: icmp_seq=1 ttl=235 time=208 ms
64 bytes from 216.239.57.99: icmp_seq=2 ttl=235 time=271 ms
64 bytes from 216.239.57.99: icmp_seq=3 ttl=235 time=322 ms
64 bytes from 216.239.57.99: icmp_seq=4 ttl=235 time=224 ms
If it isn't working, one possible cause is wrong routing on the ppp box running iptables. The default route must go out through the ppp interface (pppd's defaultroute option installs it when the link comes up).
Use the command route to check.
#route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
Here the default route points back into the LAN (192.168.0.1 via eth1), which is wrong. If this is what you see, first remove the wrong default gateway, then add one via the PPP link:
#route del default gw 192.168.0.1
#route add default dev ppp0
This changes the default route from 192.168.0.1 on eth1 to the point-to-point peer on ppp0.
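As an added example (not from the original page), here is a small script that performs the routing check described above automatically: it reads route or route -n style output, reports which interface carries the default route, and compares it with the PPP interface you expect. The function names, the --demo mode, and the two sample routing tables (the broken one from the article and a healthy one with a made-up peer address) are constructed for this example.

```shell
#!/bin/sh
# Added example, not the page's own code: sanity-check the default route on the
# PPPoE gateway. Reads "route" / "route -n" style output on stdin. The sample
# tables at the bottom are constructed for the demo.

# Print the interface of the default route found on stdin, or nothing if there is none.
default_route_iface() {
    awk '$1 == "default" || $1 == "0.0.0.0" { print $NF; exit }'
}

# check_default_route EXPECTED_IFACE   (routing table on stdin)
# returns 0 if the default route uses EXPECTED_IFACE, 1 if it uses another
# interface, 2 if there is no default route at all.
check_default_route() {
    expected=$1
    iface=$(default_route_iface)
    if [ -z "$iface" ]; then
        echo "no default route: ppp0 is not up, or defaultroute is missing from /etc/ppp/options" >&2
        return 2
    fi
    if [ "$iface" != "$expected" ]; then
        echo "default route goes out $iface, expected $expected; fix with:" >&2
        echo "  route del default; route add default dev $expected" >&2
        return 1
    fi
    echo "default route via $iface: ok"
    return 0
}

# Constructed sample tables: the broken case from the article and a healthy one
# (10.20.30.1 is an invented PPP peer address).
BAD_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1'

GOOD_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.20.30.1      0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0'

case "${1:-}" in
    --demo)  printf '%s\n' "$BAD_TABLE"  | check_default_route ppp0
             printf '%s\n' "$GOOD_TABLE" | check_default_route ppp0 ;;
    "")      ;;                                    # no argument: only define the functions
    *)       route -n | check_default_route "$1" ;;   # e.g.  sh routecheck.sh ppp0
esac
```

Run it as sh routecheck.sh ppp0 on the gateway, or with --demo to see both outcomes on the constructed tables. It understands net-tools route output only; ip route prints the interface in a different column.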
Tips
Enable iptables at bootup. To do this, we need to create a startup script:
#cp iptablesscript.sh /etc/init.d/firewall
#chmod 755 /etc/init.d/firewall
Now we tell Debian to start it in runlevels 2, 3, 4 & 5 and stop it in runlevels 0, 1 & 6:
#update-rc.d firewall start 20 2 3 4 5 . stop 20 0 1 6 .
Note that the script as written ignores its start/stop argument, so "stop" simply re-applies the rules, and Squeeze's dependency-based boot (insserv) expects an LSB header block in the script and warns when it is missing.
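The sample script above opens everything, and the copy installed under /etc/init.d ignores whether it was asked to start or stop. As an added example (not the page's script and not from linuxlasse.net), here is a default-deny version that keeps the same masquerading and MSS clamping, adds an anti-spoofing check on the PPP side, handles start/stop/restart, and carries the LSB header insserv wants. The interface names ppp0 and eth1, the LAN subnet 192.168.0.0/24, and the function names are assumptions; the IPT variable lets you preview the rules with IPT=echo instead of loading them.

```shell
#!/bin/sh
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $network
# Required-Stop:     $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: default-deny NAT firewall for the PPPoE gateway
### END INIT INFO
#
# Added example, not the page's own script. Interface names and the LAN
# subnet below are assumptions; adjust them to your box.

WAN_NIC=${WAN_NIC:-ppp0}
LAN_NIC=${LAN_NIC:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/24}
IPT=${IPT:-iptables}                               # IPT=echo prints the rules instead of loading them
FWD_CTL=${FWD_CTL:-/proc/sys/net/ipv4/ip_forward}  # overridable so the script can be dry-run

fw_flush() {
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X
}

fw_rules() {
    # Default deny for traffic to and through the box; the box itself may talk out.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Packets arriving on the PPP link that claim a LAN source are spoofed: drop them first.
    $IPT -A INPUT   -i "$WAN_NIC" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$WAN_NIC" -s "$LAN_NET" -j DROP

    # Loopback, replies to the box's own connections, and anything from the LAN side.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN_NIC" -s "$LAN_NET" -j ACCEPT
    # Rate-limited ping from the internet; every other new connection to the box hits the DROP policy.
    $IPT -A INPUT -i "$WAN_NIC" -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT

    # TCPMSS is a non-terminating target, so it must precede the ACCEPT rules in FORWARD;
    # otherwise accepted SYNs would never reach it.
    $IPT -A FORWARD -o "$WAN_NIC" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_NIC" -o "$WAN_NIC" -s "$LAN_NET" -j ACCEPT

    # Source NAT only for the LAN subnet leaving on the PPP link.
    $IPT -t nat -A POSTROUTING -o "$WAN_NIC" -s "$LAN_NET" -j MASQUERADE
}

fw_start() {
    echo "Starting firewall"
    fw_flush
    fw_rules
    echo 1 > "$FWD_CTL"
}

fw_stop() {
    # Stop routing for the LAN, but do not lock the box out of itself.
    echo "Stopping firewall"
    echo 0 > "$FWD_CTL"
    fw_flush
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
}

case "${1:-}" in
    start)   fw_start ;;
    stop)    fw_stop ;;
    restart) fw_stop; fw_start ;;
    "")      ;;                                    # no argument: only define the functions
    *)       echo "Usage: $0 {start|stop|restart}" >&2; exit 1 ;;
esac
```

Install it as /etc/init.d/firewall with mode 755 and register it with update-rc.d firewall defaults; thanks to the LSB header, insserv orders it after networking. To see what would be loaded without touching the kernel, run IPT=echo FWD_CTL=/dev/null sh /etc/init.d/firewall start. Because the INPUT policy is DROP, any service you later want reachable from the internet needs its own explicit ACCEPT rule on the WAN interface.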