
Disable firewall?

Got problems with your B2 or B3? Share and get helped!
Gunnarsson
Posts: 31
Joined: 26 Mar 2009, 07:15

Disable firewall?

Post by Gunnarsson »

Hey

I've got my bubba behind a router with a firewall and I want to use both the LAN and WAN port on my bubba.

My plan is to use the bubba to connect 2 networks with different subnets to each other, but the firewall keeps giving me problems with not being able to access things from the WAN side.
So how do I disable the firewall completely?

Thanks in advance :D
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: Disable firewall?

Post by Ubi »

chkconfig --level 2345 bubba-firewall off
iptables -P INPUT ACCEPT
Gunnarsson
Posts: 31
Joined: 26 Mar 2009, 07:15

Re: Disable firewall?

Post by Gunnarsson »

Ubi wrote:
> chkconfig --level 2345 bubba-firewall off

bash: chkconfig: command not found :?
andersa
Posts: 10
Joined: 14 May 2011, 09:06

Re: Disable firewall?

Post by andersa »

/etc/init.d/bubba-firewall stop
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: Disable firewall?

Post by Ubi »

Sorry Andersa, but no.

/etc/init.d/bubba-firewall stop does NOT stop the firewall!!! Even if it did work, you'd still get an active firewall after every reboot.

chkconfig is not installed by default

```
apt-get install chkconfig
```
Gordon
Posts: 1462
Joined: 10 Aug 2011, 03:18

Re: Disable firewall?

Post by Gordon »

```
iptables -F     # clears all rules
iptables -X     # deletes all user defined tables

# Same rules for the nat tables (I'm assuming you don't want masquerading)
iptables -t nat -F
iptables -t nat -X

# Set the policy to accept on all tables
iptables -P INPUT  ACCEPT
iptables -P OUTPUT  ACCEPT
iptables -P FORWARD  ACCEPT

# Now you have a completely open firewall
```
If you run `/etc/init.d/bubba-firewall stop` it will save this open configuration and restore it next time bubba-firewall is started. This may serve your need but you should also make note that you can flunk this through the Bubba web interface.

You might also consider enabling the rc.local script and insert the given lines to reset whatever may have been set by the bubba-firewall configuration.

A note on the previous hint to disable the bubba-firewall script: what this script also does is enable forwarding, i.e. disabling the script will leave the system open on both interfaces but it will then not allow passing traffic from either end to the other. In this case also you might fix this by using the rc.local script:

```
# Enable forward
echo "1" > /proc/sys/net/ipv4/ip_forward
```
Gunnarsson
Posts: 31
Joined: 26 Mar 2009, 07:15

Re: Disable firewall?

Post by Gunnarsson »

Thanks for the help.
But I can't find chkconfig. What sources.list line should I use to find it?
Gunnarsson
Posts: 31
Joined: 26 Mar 2009, 07:15

Re: Disable firewall?

Post by Gunnarsson »

bump :)
carl
Posts: 474
Joined: 07 May 2008, 04:41

Re: Disable firewall?

Post by carl »

```
update-rc.d bubba-firewall remove
```
But remember that any routing in the unit is depending on certain constructs in the firewall
/Carl Fürstenberg, Excito Software Developer
http://www.excito.com
support@excito.com
Gordon
Posts: 1462
Joined: 10 Aug 2011, 03:18

Re: Disable firewall?

Post by Gordon »

carl wrote:

> update-rc.d bubba-firewall remove
>
> But remember that any routing in the unit is depending on certain constructs in the firewall

Not true...

Routing depends on both devices that are trying to communicate knowing what path to follow to reach the other side. The (TCP/)IP protocol is rather stupid in this concept, so how this ever got to be the de facto standard is kind of a mystery. Probably we have the same company that brought us the non-routable NetBios protocol to thank for the wide spreading of this bad concept (Yes: HIM).

If both subnets to which the B3 is connected are aware what that other subnet is and that the B3 is connected to both of them, the B3 will pass on this traffic undisturbed as long as the value stored in /proc/sys/net/ipv4/ip_forward is 1 (default is 0 though; see my earlier post).

Now a problem arises if you have repeated instances of the same subnet declaration. From each of these subnets you can then send a packet to a different numbered subnet, but the device that is expected to send a response will not know which path to choose because they all look the same. In fact, this is how Microsoft destroyed the usability of Novell's IPX protocol. This was a self-routing protocol that required no specific knowledge of networking, but Microsoft built NT (which is the base of all current Windows) to use the exact same internal address when sending messages, which is kind of similar to declaring yourself as 127.0.0.1; everyone trying to respond will in fact be sending it to themselves and you will never receive any answer.

A similar problem arises with your home network, which will typically have an address range of 10.x.x.x or 192.168.x.x (or less common 172.16-31.x.x). Nothing on the internet will ever be able to route anything back to you if you'd use this as a sender's address. This is where advanced routing comes in, using the firewall's capability to do Network Address Translation (NAT). NAT will either change the destination of the packet or it may change the source (aka Masquerading if it changes the source to its own - public - IP).

To make a long story short: you do not need any firewall rules to allow forwarding. Firewall rules are required if you want to control what may or may not be forwarded. Masquerading is required if you want to access a site or device that you cannot tell how to route back to your private IP.
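
Added example (not part of the thread): a check that tells the "completely open firewall" state from the flush commands earlier apart from forwarding that is controlled by rules, as distinguished in the post above. The interface names eth0 (VoIP side) and eth1 (home LAN), both sample dumps and all function names are assumptions made for illustration.

```shell
# Added example, not from the thread. Both dumps are constructed samples
# in iptables-save format (no -c packet counters in front of the rules).
# State after flushing all rules and setting every policy to ACCEPT.
OPEN_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Forwarding with control: only the VoIP side (assumed eth0, the WAN port)
# may open connections towards the home LAN (assumed eth1).
FILTERED_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m conntrack --ctstate NEW -j ACCEPT
COMMIT'

# open_chains: read iptables-save text on stdin and print each built-in
# filter chain that has policy ACCEPT and no rules at all.
open_chains() {
    awk '
        /^\*/ { table = substr($1, 2); next }
        table != "filter" { next }
        /^:/ { if ($2 == "ACCEPT") order[++n] = substr($1, 2); next }
        /^-A / { rules[$2]++ }
        END {
            for (i = 1; i <= n; i++)
                if (!(order[i] in rules)) print order[i]
        }'
}

# routes_unfiltered DUMP FLAG: exit 0 when ip_forward (FLAG) is 1 and the
# FORWARD chain is wide open, so everything passes between the subnets.
routes_unfiltered() {
    [ "$2" = "1" ] || return 1
    printf '%s\n' "$1" | open_chains | grep -qx 'FORWARD'
}

report() {  # report LABEL DUMP FLAG
    if routes_unfiltered "$2" "$3"; then s="forwards everything unfiltered"
    else s="forwarding is filtered or off"; fi
    echo "$1: $s"
}
report "flushed, policy ACCEPT" "$OPEN_DUMP" 1
report "FORWARD policy DROP" "$FILTERED_DUMP" 1
```

On a live box the two arguments would be the output of `iptables-save` and the content of /proc/sys/net/ipv4/ip_forward.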
Gunnarsson
Posts: 31
Joined: 26 Mar 2009, 07:15

Re: Disable firewall?

Post by Gunnarsson »

Damn. That's complicated.
I just want to use the Bubba 2 as a gateway between two IP-subnets. 192.168.0.* and 83.241.1.*
The only thing that will be connected to the 83.*-network is my voip box. It will not work unless it gets a public ip. Some stupid thing the provider did to make me put it first in my network.
So I tried to simulate a public ip from the bubba LAN-port and put the WAN-side in my router. And it worked.
The problem with that was that all my access to the bubba would go through the WAN-port and create problems with the firewall.

How should I do to get the bubba to act as a gateway :?:
It already got the firewall protection from my router so it's safely inside my network.

Thanks for all your help :)
Gordon
Posts: 1462
Joined: 10 Aug 2011, 03:18

Re: Disable firewall?

Post by Gordon »

Gunnarsson wrote:
> Damn. That's complicated.

Just think of it as fingerposts. When you get to a crossing you can read them and decide if you want to follow one or ignore them all and stick to the main road (defaultroute). Now fingerposts are not that precise, so depending on the size of the city you want to go to you will not end up in the exact same place if you start from another place but you'll be close. What you should be aware of however, is that some of the directions you may see on a fingerpost may not get you anywhere near the same location as pointed to by another fingerpost somewhere else in the country; e.g. "center".

On the subject of your home network: I fail to see the purpose of configuring the B3 as an open router between your two subnets (I even doubt that the 83.241.1.x will be fully protected). Apparently you have no need for intercommunication between these two subnets, so you should just cascade the routers and let them both masquerade. It's the simplest solution that requires the least amount of configuring on both routers.
Gunnarsson
Posts: 31
Joined: 26 Mar 2009, 07:15

Re: Disable firewall?

Post by Gunnarsson »

The purpose of this setup is to trick the voIP unit that it's connected directly to the internet. The voIP provider sent me this cheap Netgear router where I also can connect my phone and they want me to use this as my main router... I think not :) So instead of using it as my main router I want to connect it to the WAN-port on the bubba and would like the bubba to give an IP via DHCP to trick the voIP unit that it's connected directly to the internet.
I have no need to be able to access the voIP unit from my network. I only want the unit to be able to access my network (and the internet via my router).

I've tried it and it works but when I tried it I used the LAN port to the voIP unit and the WAN to my network. And with the bubba connected to my network on the WAN-side I don't get access to everything..

I drew a picture :)
[Attachment: bubba.tiff]
Gordon
Posts: 1462
Joined: 10 Aug 2011, 03:18

Re: Disable firewall?

Post by Gordon »

Right.... And you think that what I said before was complicated :roll:

So, essentially what you're saying is that you want to double NAT the VOIP unit and you actually managed to get this setup to work with the one little problem that you had to reverse the network connections on the Bubba. Can I assume that while testing you only tried to place an outbound call and not verified that anyone else can actually call you?

Good place to start would be here: http://www.voip-info.org/wiki/view/NAT+and+VOIP
Check out the "Workaround" section for what you should pass on to the VOIP unit.

Note that if you configure your main router to DNAT directly to the IP address that you assigned to the VOIP router, it will try to locate that address on the internet and not in your home. You must therefore DNAT to the Bubba and have the Bubba next DNAT that traffic to the VOIP unit. Definitely have a look at iptables' mangle table to tweak the quality of service when doing this, because you may experience hiccups while talking.

Your next problem will be to enable DHCP on the Bubba WAN interface to feed the VOIP unit its IP address. Since the Bubba uses the DHCP functionality of Dnsmasq which only supports a single segment, that will require you to install a different DHCP server (go for isc-dhcp-server).

+++++++++++

Seriously? I don't think this is the way to handle the issue properly. It will be far less complicated and more reliable if you'd reverse the network topology. Swap the Computer and the VOIP unit and swap the network cables on the Bubba. Configure the main router to use that public IP range (what's on that anyway?) as its LAN. There's no need to make the entire range 83.247.1.x unreachable, just set a netmask of 255.255.255.248 for a maximum of six valid IP addresses in that range (83.247.10.7 will be the broadcast address).

Serious serious? Forget all the above and put the VOIP router directly on the internet connection. If you want to keep the old router and leave everything as is, plug its WAN port into the new router's LAN port. Verify that both routers don't define the same LAN IP range and if they do, change one of them. Optionally scrap the old router and connect the Bubba WAN port to the new router (but I'm thinking you like that the old router acts as a switch also).
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: Disable firewall?

Post by Ubi »

I agree with the serious-serious option. Also, ditching that second router will save you power consumption, which can actually be a lot.