Debian on WRAP: STEP 5


Posted by Ed on 07/12/2005 @ 8:12 PM

If you haven't read through steps 1-4 yet, start there:
STEP 1
STEP 2
STEP 3
STEP 4

Depending on which WRAP board you got, you have either one, two or three ethernet devices. For simplicity I'll assume you're using the two-device board and have a network topology similar to mine: internet -> wrap <- lan ...

The first thing is to set up the network interfaces. This is done through /etc/network/interfaces:


auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255


Here eth0 is the interface connected to your "modem" and gets its address via dhcp. If your connection is static, mimic the section I have set up for the LAN interface (eth1) instead. If you have pppoe then hopefully you already know how to set that up, because I've never touched it and never will.

Then we have to set up some basic iptables rules. There are several ways of playing with iptables: you can do it the right way and have it work via the iptables init.d script, you can write your own init.d script that loads the rules, or you can use some program to do the rules for you.

First off, we want to use SNAT rather than MASQUERADE for the dhcp-assigned address, because SNAT is just much better.

At the top of your script, add this to determine the ip dhcp gives you:
AWK=/usr/bin/awk
IFCONFIG=/sbin/ifconfig
EXTIF="eth0"
# Skip the "eth0  Link encap:..." header line, then take the next line
# ("inet addr:1.2.3.4  Bcast:..."), split it on ":" and print the first word
# after the colon. This expects the classic net-tools ifconfig output format.
EXTIP="`$IFCONFIG $EXTIF | $AWK -v dev="$EXTIF" '$0 ~ dev {next} {split($0, a, ":"); split(a[2], b, " "); print b[1]; exit}'`"
echo "IP detected as $EXTIP"

So now $EXTIP contains the dhcp-assigned ip; set up a basic SNAT rule with it. Note that the POSTROUTING chain only knows the outgoing interface, so it takes -o but iptables rejects -i there, and since the address is fixed into the rule you'll need to re-run the script if your lease ever changes:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o $EXTIF -j SNAT --to-source $EXTIP

This SNATs the entire subnet for your LAN, assuming you are using 192.168.1.0/24. You can instead specify each node you want, but they'll all follow the same format. Note: if you use the subnet method, be sure to restrict which specific ip is allowed to reach your WRAP's ssh server to log in; if you're on an insecure network or using wifi, it can't hurt.

Then we want to add a rule that forwards replies to established connections back in from eth0 to eth1:
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

Ok, add any other rules your network needs, for DNATing or accepting traffic on ports you want open (including a FORWARD rule that accepts new connections from eth1 out to eth0, since the rule above only lets the replies back in), and DROP everything else. When you are finished, if you decided to make your own init.d script, make sure you symlink it into the rc2.d directory so it runs after your networking init.d script (so the interfaces are actually up).

Again, this is a very basic and simplistic way to deal with iptables; for real security you'll want to be much more thorough and specific about what gets forwarded and what gets dropped. You may also want to play with iproute2 and traffic shaping. How to use any of these tools and their syntax is beyond the scope of this sad tutorial. Just make sure your ssh server is running on a port your WRAP box is accepting, and that it's only listening on the LAN interface, unless you want internet access to it.
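To tie the pieces from the ip-detection snippet and the SNAT/FORWARD rules together, here is a complete init.d-style firewall script. This is an added example, not Ed's script or anything from the WRAP or Debian projects. It assumes eth0 faces the internet (dhcp), eth1 faces the LAN 192.168.1.0/24, and sshd listens on port 22; the interface names, subnet, port and tool paths are all variables you can override. Every external command goes through a variable so the rule set can be dry-run with IPT=echo SYSCTL=echo and inspected before it touches a live box. It also enables net.ipv4.ip_forward, which the kernel needs before it will route between the two interfaces, and refuses to install rules when no external address has been assigned yet.

```shell
#!/bin/sh
# Added example (not the original page's script): a two-interface WRAP
# router rule set. Variable names, paths and the default values below are
# assumptions for this example.

IPT=${IPT:-/sbin/iptables}
SYSCTL=${SYSCTL:-/sbin/sysctl}
IFCONFIG=${IFCONFIG:-/sbin/ifconfig}
EXTIF=${EXTIF:-eth0}            # assumed: dhcp side, faces the internet
INTIF=${INTIF:-eth1}            # assumed: static side, faces the LAN
LAN=${LAN:-192.168.1.0/24}      # assumed: LAN subnet
SSH_PORT=${SSH_PORT:-22}        # assumed: where sshd listens

# Read ifconfig output on stdin and print the first IPv4 address in it.
# Handles both the old net-tools line "inet addr:1.2.3.4 ..." and the
# newer "inet 1.2.3.4 ..." form, and skips the inet6 line.
parse_ext_ip() {
    awk '$1 == "inet" { sub(/^addr:/, "", $2); print $2; exit }'
}

detect_ext_ip() {
    "$IFCONFIG" "$EXTIF" | parse_ext_ip
}

# Used by "stop": open everything back up and clear the tables.
flush_rules() {
    for chain in INPUT FORWARD OUTPUT; do "$IPT" -P "$chain" ACCEPT; done
    "$IPT" -F
    "$IPT" -X
    "$IPT" -t nat -F
}

# Install the router rule set, SNATing the LAN to the address in $1.
apply_rules() {
    extip=$1
    if [ -z "$extip" ]; then
        echo "apply_rules: no external address yet (dhcp lease not up?)" >&2
        return 1
    fi

    # Without this the kernel never routes packets between the interfaces.
    "$SYSCTL" -w net.ipv4.ip_forward=1

    # Default deny for anything reaching the box or crossing it; set the
    # policies before flushing so there is no window with everything open.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -F
    "$IPT" -X
    "$IPT" -t nat -F

    # Loopback, and replies to connections the router itself opened.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DHCP lease renewals arriving on the external side.
    "$IPT" -A INPUT -i "$EXTIF" -p udp --sport 67 --dport 68 -j ACCEPT
    # ssh only from the LAN interface and the LAN subnet, never from eth0.
    "$IPT" -A INPUT -i "$INTIF" -s "$LAN" -p tcp --dport "$SSH_PORT" -j ACCEPT

    # LAN hosts may open new connections outward; only replies and related
    # traffic (e.g. ftp data) are forwarded back in.
    "$IPT" -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" -j ACCEPT
    "$IPT" -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # POSTROUTING only knows the outgoing interface, so no -i here.
    "$IPT" -t nat -A POSTROUTING -o "$EXTIF" -s "$LAN" -j SNAT --to-source "$extip"
}

case "${1:-}" in
    start) apply_rules "$(detect_ext_ip)" ;;
    stop)  flush_rules ;;
esac
```

Run it as "firewall start" from an init.d symlink placed after networking, and re-run "start" whenever the dhcp lease hands you a new address, since the SNAT target is baked into the rule. A dry run with IPT=echo SYSCTL=echo ./firewall start prints the exact rules that would be loaded.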


Well, by now you should have networking, compression, ro/rw updating, lilo, and just about everything else set up and ready to be written to the cf disk. Follow the tutorial linked in Step 1 on formatting and writing lilo and the fs to the cf disk. With any luck, you'll get things done on the first bootup. Otherwise it's null modem cable time and serial consoles to debug. Hope this series of tutorials helped some.

