working SIM install, network problems - update
Rodney Myers
rdmyers at mtpalomar.net
Sun Dec 7 23:06:06 CET 2008
On Dec 6, 2008, at 9:41 PM, Joel Newkirk wrote:
> On Sat, 6 Dec 2008 20:00:36 -0800, Rodney Myers
> <rdmyers at mtpalomar.net>
> wrote:
>>
>> On Dec 4, 2008, at 3:57 AM, clare johnstone wrote:
>>
>>> At this stage I can do
>>> ssh root at 192.168.0.202
>>>
>>> Normally it will argue and I have to edit the file ~/.ssh/known
>>> hosts
>>> by removing the line it is objecting to. It will then agree to the
>>> ssh.
>>> Most people automate that process to avoid the editing etc but that
>>> is a matter of taste only. Once you have things going without
>>> trouble
>>> you can automate a lot of things.
>>>
>>> good luck,
>>> clare
>>
>> Thank you for your scripts. I "think" I edited them to correlate
>> them to my network;
>>
>> 192.168.1.0/24
>>
>> I now can ssh into the OM, and set the time to my local "America/
>> Los_Angeles". One step ahead.
>>
>> I can ping the debian machine, and everything on my lan, but nothing
>> outside the lan.
>
> [snip]
>
>> My interpretation of ths scripts;
>>
>> cat bin/OM-config
>> #!/bin/sh
>> /sbin/ifconfig usb0 192.168.0.200 netmask 255.255.255.0
>> /sbin/route add -host 192.168.0.202/32 dev usb0
>>
>> rodney at riverside:~$ cat bin/om-network
>> #!/bin/sh
>> /bin/echo 1 > /proc/sys/net/ipv4/ip_forward
>> iptables -F
>> iptables -A INPUT -s 192.168.0.202 -i usb0 -d 192.168.0.200 -j
>> ACCEPT
>> iptables -A INPUT -s 192.168.0.200 -i eth+ -d 192.168.0.202 -j
>> ACCEPT
>> iptables -A INPUT -s 192.168.1.0/24 -i eth+ -d 192.168.0.202 -j
>> ACCEPT
>> iptables -A INPUT -s 192.168.1.0/24 -i eth+ -d 192.168.2.0/24 -j
>> ACCEPT
>>
>> iptables -A FORWARD -s 192.168.0.202 -i usb0 -d 192.168.2.0/24 -o
>> eth+
>> -j ACCEPT
>> iptables -A FORWARD -s 192.168.1.0/24 -i eth+ -d 192.168.0.202 -o
>> usb0
>> -j ACCEPT
>>
>> iptables -A OUTPUT -d 192.168.1.0/24 -o eth+ -j ACCEPT
>> iptables -A OUTPUT -d 192.168.0.202 -o usb0 -j ACCEPT
>> iptables -A POSTROUTING -t nat -j MASQUERADE -s 192.168.0.0/24
>
> Is this the complete firewall script?? There's several things
> missing, and
> a couple possible errors. (since you only posted ifconfig info for
> usb0 on
> the host I can't tell if the 192.168.2.0/24 are typos, or correct with
> missing rules) Now, since you say you can ping everything on the
> LAN, and
> have only the two FORWARD rules listed, I'm going to assume a typo
> and that
> you have just 192.168.1.0/24 in play.
No. I took what Clare had written, and was attempting to get working
with my LAN. My lan is 192.168.1.*/24, not 192.168.2.* (probably a
typo, but want to make sure)
Correct, in pinging everything on my lan. Once I was ssh'd into the
OM, I could ping ever computer on my lan, from the router, wireless
access point, the 2 wireless computers, and the debian (wired) computer.
> A few points:
>
> You have rules to accept INPUT from 192.168.1.0/24 for destIP
> 192.168.0.202, but this should never be the case - INPUT is only
> packets
> with an IP on 'this' machine as destination, OUTPUT is packets from
> 'this'
> machine, FORWARD is packets from somewhere else TO somewhere else
> that are
> just being FORWARDed by 'this' machine.
>
> "iptables -F" flushes all rules from the 'filter' table's chains -
> INPUT,
> OUTPUT and FORWARD. But it doesn't touch the 'nat' table (PREROUTING,
> POSTROUTING, and OUTPUT chains) unless you separately invoke
> "iptables -t
> nat -F", and it doesn't set/change the default chain policies. I'm
> not
> sure if this is really what you want to do anyway - doesn't the host
> already have a set of firewall rules in place? If so you're likely
> better
> off adding rules to permit the FR instead of flushing everything
> that's
> already in place.
>
> Presuming the host communicates fine to begin with, instead of ALL
> of the
> iptables commands above, try these (NOTE there's NOT an 'iptables -
> F' to
> flush the existing rules, we're just appending additional rules):
>
> iptables -A INPUT -i usb0 -s 192.168.0.202 -j ACCEPT
> iptables -A FORWARD -i usb0 -s 192.168.0.202 -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -o usb0 -j ACCEPT
> iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
>
> The first rule lets the FR talk to the host, the second lets it talk
> /through/ the host to whatever else is reachable, the third lets the
> response to that traffic back through to the FR (we're invoking the
> connection-tracking state engine where replies, like web pages when
> you
> browse, are ESTABLISHED connections, while RELATED connections
> includes
> things like ICMP dest unreachable being 'related' to an attempted
> connection, FTP data being 'related' to FTP control port 21, RTP
> related to
> SIP for VOIP, etc), fourth lets the host talk to the FR, fifth NATs
> any
> packets from the FR that are going out on the LAN so that they
> appear to be
> from the host, and replies will route correctly back to the host.
No "firewall running on the debian machine. At this time.
> The OUTPUT rule should only be needed if your host has a REALLY tight
> firewall: often the OUTPUT chain is left in an 'allow all' state,
> with few
> or no rules and 'ACCEPT' policy. ("iptables -p OUTPUT ACCEPT" sets
> this,
> the policy is listed after the chain name OUTPUT when you list the
> rules
> with something like "iptables -vnL OUTPUT") OUTPUT rules are really
> only
> useful when you don't trust the host itself, IE on a multiuser system,
> shared server, etc.
>
> Finally, if there is already a complex set of rules in place, you may
> benefit from using INSERT instead of APPEND - just replace all '-A'
> with
> '-I' and it will insert rules at the start of the chain, or '-I
> INPUT 4'
> for example to insert a new rule #4, the current rule #4 becoming #5
> etc.
> If there's any REJECT or DROP rules in the chain, inserting these at
> the
> top will ensure that the FR traffic gets through without puzzling
> out which
> rule might be stopping you.
>
> j
>
> --
> Joel Newkirk
Thanks. I will experiment a bit more.
--
Rodney D. Myers <rdmyers.42 at gmail.com>
ICQ#: AIM#: YAHOO:
18002350 mailman452 mailman42_5
They that can give up essential liberty to obtain a
little temporary safety deserve neither liberty nor safety.
Ben Franklin - 1759
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 194 bytes
Desc: This is a digitally signed message part
Url : http://lists.openmoko.org/pipermail/community/attachments/20081207/5db358c0/attachment.pgp
More information about the community
mailing list