Hi!

I'm trying to build a DIY router. I took the configs from some online guides (the nftables ruleset is the example from the project's own wiki), but nothing happens when I plug a second machine into the LAN port. I know that description doesn't say much, so I'd like to know how I can check what's actually wrong. My system (Guix) config is below:

(use-modules (gnu))
(use-service-modules cups desktop networking ssh xorg sysctl linux dns)

;; Interface names substituted into the nftables ruleset below.
;; WAN / upstream side.  The `u1u5' in the name suggests a USB-attached
;; adapter (USB port path) -- confirm with `ip link'.
(define wan "enp0s29u1u5")

;; LAN side.  The dnsmasq DHCP options below hand out 192.168.3.1 as the
;; router, so this interface is expected to carry that address.
(define lan "enp0s25")

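;; dnsmasq configuration for the LAN side: DNS forwarder plus DHCP server.
;; It is written out as /etc/dnsmasq.conf by the `extra-special-file'
;; entry in the operating-system below.
;;
;; Fix: the file previously set `listen-address=127.0.0.1', i.e. dnsmasq
;; only answered on loopback, so no LAN client could ever reach it for DNS.
;; The router's own LAN address is now listened on as well.  (The original
;; comment on that line, "Set to Server IP for network responses", was
;; asking for exactly this.)
(define dnsmasq-config
  "# Listen on this specific port instead of the standard DNS port
# (53). Setting this to zero completely disables DNS function,
# leaving only DHCP and/or TFTP.
port=53
# Never forward plain names (without a dot or domain part)
domain-needed
# Never forward addresses in the non-routed address spaces.
bogus-priv
# By  default,  dnsmasq  will  send queries to any of the upstream
# servers it knows about and tries to favour servers to are  known
# to  be  up.  Uncommenting this forces dnsmasq to try each query
# with  each  server  strictly  in  the  order  they   appear   in
# /etc/resolv.conf
strict-order
# Set this (and domain: see below) if you want to have a domain
# automatically added to simple names in a hosts-file.
expand-hosts
# Set the domain for dnsmasq. this is optional, but if it is set, it
# does the following things.
# 1) Allows DHCP hosts to have fully qualified domain names, as long
#     as the domain part matches this setting.
# 2) Sets the \"domain\" DHCP option thereby potentially setting the
#    domain of all systems configured by DHCP
# 3) Provides the domain part for \"expand-hosts\"
#domain=thekelleys.org.uk
domain=example.com

# Listen on loopback (for the router itself) AND on the router's LAN
# address, so LAN clients can actually reach the resolver.  Without
# bind-interfaces dnsmasq binds the wildcard socket and filters by
# address, so it still starts if 192.168.3.1 is not yet assigned at boot.
# DHCP is only served on an interface that holds an address inside
# dhcp-range, so the WAN side (not in 192.168.3.0/24) gets no leases.
listen-address=127.0.0.1,192.168.3.1

dhcp-range=192.168.3.25,192.168.3.50,24h
dhcp-option=option:router,192.168.3.1
# NOTE(review): NTP and DNS are advertised at 192.168.3.5, while dnsmasq
# itself runs on this router (192.168.3.1).  Unless a separate server
# really lives at .5, clients are pointed at a resolver that does not
# exist -- confirm, or change dns-server to 192.168.3.1.
dhcp-option=option:ntp-server,192.168.3.5
dhcp-option=option:dns-server,192.168.3.5
dhcp-option=option:netmask,255.255.255.0
")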

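;; nftables ruleset: stateful filter on input/forward plus IPv4 masquerading
;; of the private net out of the WAN interface.  The two `~a' placeholders
;; are filled with `lan' and `wan' (defined above), in that order.
;;
;; Fix: the ruleset was declared as `table ip global', which only hooks the
;; IPv4 path.  With no `ip6'/`inet' table the kernel had no IPv6 input hook
;; at all, so every IPv6 packet was accepted unfiltered and any listener on
;; the box (sshd, cups, guix publish, X) was reachable over IPv6 from the
;; WAN.  The table is now `inet', so the same chains and drop policies cover
;; both families.  IPv4-only matches (`ip saddr', `icmp') keep their
;; meaning; the minimum IPv6 plumbing (ping, neighbour discovery) is added.
;; nat chains in an inet table need a reasonably recent kernel (5.2+).
(define nftables-config
  (format #f
	  "flush ruleset

define DEV_PRIVATE = ~a
define DEV_WORLD = ~a
define NET_PRIVATE = 192.168.0.0/16

table inet global {

    chain inbound_world {
        # accepting ping (icmp-echo-request) for diagnostic purposes.
        # However, it also lets probes discover this host is alive.
        # This sample accepts them within a certain rate limit:
        #
        # icmp type echo-request limit rate 5/second accept

        # allow SSH connections from some well-known internet host.
        # NOTE(review): this address is the one from the upstream example
        # ruleset; replace it with your own admin host or drop the rule.
        ip saddr 81.209.165.42 tcp dport ssh accept
    }

    chain inbound_private {
        # accepting ping (icmp-echo-request) for diagnostic purposes.
        icmp type echo-request limit rate 5/second accept
        icmpv6 type echo-request limit rate 5/second accept

        # allow DHCP, DNS and SSH from the private network.
        # meta l4proto (rather than ip protocol) matches both IPv4 and IPv6.
        meta l4proto . th dport vmap { tcp . 22 : accept, udp . 53 : accept, tcp . 53 : accept, udp . 67 : accept }
    }

    chain inbound {
        type filter hook input priority 0; policy drop;

        # Allow traffic from established and related packets, drop invalid
        ct state vmap { established : accept, related : accept, invalid : drop }

        # IPv6 neighbour discovery is stateless; without these the host can
        # neither resolve link-layer addresses nor learn its WAN prefix.
        # (Consider limiting nd-router-advert to $DEV_WORLD if rogue RAs on
        # the LAN are a concern.)
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # allow loopback traffic, anything else jump to chain for further evaluation
        iifname vmap { lo : accept, $DEV_WORLD : jump inbound_world, $DEV_PRIVATE : jump inbound_private }

        # the rest is dropped by the above policy
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Allow traffic from established and related packets, drop invalid
        ct state vmap { established : accept, related : accept, invalid : drop }

        # connections from the internal net to the internet or to other
        # internal nets are allowed
        iifname $DEV_PRIVATE accept

        # the rest is dropped by the above policy
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;

        # masquerade private IPv4 addresses (ip saddr never matches IPv6)
        ip saddr $NET_PRIVATE oifname $DEV_WORLD masquerade
    }
}
" lan wan))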

;; System definition for the router host.  Networking-relevant pieces:
;; dnsmasq (DNS/DHCP for the LAN), nftables (filter + NAT), IPv4
;; forwarding via sysctl, and NetworkManager from %desktop-services.
;; NOTE(review): nothing here assigns 192.168.3.1/24 to the LAN interface
;; (`lan' above); NetworkManager is left managing both NICs with its
;; defaults.  dnsmasq's dhcp-range and router option assume that address,
;; so until it exists the LAN side has nothing to serve from -- this is a
;; likely reason a plugged-in client sees nothing.  A `static-networking'
;; service (or an NM connection profile) for `lan' would fix it; confirm.
(operating-system
 (locale "en_GB.utf8")
 (timezone "Europe/Warsaw")
 (keyboard-layout (keyboard-layout "pl" "legacy" #:options '("ctrl:nocaps")))
 (host-name "router")

 ;; Silence the PC speaker drivers; no networking impact.
 (kernel-arguments
  (list
   "modprobe.blacklist=pcspkr,snd_pcsp"))
 
 ;; The list of user accounts ('root' is implicit).
 ;; "wheel" grants sudo on Guix; "netdev" lets the user drive NetworkManager.
 (users (cons* (user-account
                (name "formbi")
                (comment "Formbi")
                (group "users")
                (home-directory "/home/formbi")
                (supplementary-groups '("wheel" "netdev" "audio" "video")))
               %base-user-accounts))

 ;; Packages installed system-wide.  Users can also install packages
 ;; under their own account: use 'guix search KEYWORD' to search
 ;; for packages and 'guix install PACKAGE' to install a package.
 (packages
  (append (list (specification->package "nss-certs"))
                   %base-packages))

 ;; Below is the list of system services.  To search for available
 ;; services, run 'guix system search KEYWORD' in a terminal.
 (services
  (append (list
	   ;; NOTE(review): a full XFCE/X stack, CUPS and a guix-publish
	   ;; server all run on the border device.  Each is extra attack
	   ;; surface and extra listeners; if this box is only a router,
	   ;; consider dropping them.
	   (service xfce-desktop-service-type)
	   ;; Substitute server on port 2137, advertised via mDNS/Avahi.
	   ;; The nftables ruleset only admits tcp/22, tcp+udp/53 and udp/67
	   ;; from the LAN, so 2137 is currently unreachable from any peer.
	   (service guix-publish-service-type
		    (guix-publish-configuration
		     (port 2137)
		     (advertise? #t)))
	   (service earlyoom-service-type
		    (earlyoom-configuration
		     (avoid-regexp "emacs")
		     (minimum-available-memory 5)
		     (minimum-free-swap 20)))

           ;; sshd with Guix defaults.  Port 22 is opened to the whole LAN
           ;; and to one WAN host by the ruleset; key-only authentication
           ;; (password-authentication? #f) is advisable on a router.
           (service openssh-service-type)
           (service cups-service-type)

	   ;; NOTE(review): the Guix service is normally driven by a
	   ;; `dnsmasq-configuration' record; confirm the running daemon
	   ;; actually reads the /etc/dnsmasq.conf written below (check
	   ;; its command line for a --conf-file argument).
	   (service dnsmasq-service-type)

	   (extra-special-file "/etc/dnsmasq.conf"
			       (plain-file "dnsmasq.conf" dnsmasq-config))

	   ;; Loads the ruleset string defined above at boot.
	   (service nftables-service-type
		    (nftables-configuration
		     (ruleset (plain-file "nftables.conf" nftables-config))))


	   (set-xorg-configuration
            (xorg-configuration (keyboard-layout keyboard-layout))))

          ;; This is the default list of services we
          ;; are appending to.
	  (modify-services
	   %desktop-services
	   
	   ;; Only IPv4 forwarding is enabled; net.ipv6.conf.all.forwarding
	   ;; is not set, so IPv6 is not routed for the LAN.
	   (sysctl-service-type
	    config =>
	    (sysctl-configuration
	     (settings (append '(("vm.swappiness" . "10")
				 ("net.ipv4.ip_forward" . "1"))
			       %default-sysctl-settings))))

	   ;; Default NetworkManager configuration (the dnsmasq DNS plugin
	   ;; is left commented out).  Both NICs remain NM-managed.
	   (network-manager-service-type
	    config =>
	    (network-manager-configuration
					;(dns "dnsmasq")
	     ))
	   
	   ;; discover? makes the daemon pick up substitute servers
	   ;; advertised on the local network.  Substitutes are still gated
	   ;; by the daemon's authorized keys, but on a LAN-facing router
	   ;; confirm this is intended.
	   (guix-service-type
	    config =>
	    (guix-configuration
	     (discover? #t))))))
 
 (bootloader (bootloader-configuration
              (bootloader grub-bootloader)
              (targets (list "/dev/sda"))
              (keyboard-layout keyboard-layout)))
 (swap-devices (list (swap-space
                      (target (uuid
                               "a32aa366-c966-460f-9592-2a08c5cad947")))))

 ;; The list of file systems that get "mounted".  The unique
 ;; file system identifiers there ("UUIDs") can be obtained
 ;; by running 'blkid' in a terminal.
 (file-systems (cons* (file-system
                       (mount-point "/")
                       (device (uuid
                                "30b3a834-f23e-42ad-addf-0cde5538a96f"
                                'ext4))
                       (type "ext4")) %base-file-systems)))

Would you consider giving pfSense a try? It is a router/firewall distribution built on a trimmed-down FreeBSD.