Hi!
I'm trying to make a DIY router. I used configs from some online guides (the nftables one is from the project's website), but nothing happens when I connect a different machine. I know that description doesn't say much, so I'd like to know how can I check what's actually wrong. My system (Guix) config is below:
(use-modules (gnu))
(use-service-modules cups desktop networking ssh xorg sysctl linux dns)
(define wan "enp0s29u1u5")
(define lan "enp0s25")
(define dnsmasq-config
"# Listen on this specific port instead of the standard DNS port
# (53). Setting this to zero completely disables DNS function,
# leaving only DHCP and/or TFTP.
port=53
# Never forward plain names (without a dot or domain part)
domain-needed
# Never forward addresses in the non-routed address spaces.
bogus-priv
# By default, dnsmasq will send queries to any of the upstream
# servers it knows about and tries to favour servers to are known
# to be up. Uncommenting this forces dnsmasq to try each query
# with each server strictly in the order they appear in
# /etc/resolv.conf
strict-order
# Set this (and domain: see below) if you want to have a domain
# automatically added to simple names in a hosts-file.
expand-hosts
# Set the domain for dnsmasq. this is optional, but if it is set, it
# does the following things.
# 1) Allows DHCP hosts to have fully qualified domain names, as long
# as the domain part matches this setting.
# 2) Sets the \"domain\" DHCP option thereby potentially setting the
# domain of all systems configured by DHCP
# 3) Provides the domain part for \"expand-hosts\"
#domain=thekelleys.org.uk
domain=example.com
# Set Listen address
listen-address=127.0.0.1 # Set to Server IP for network responses
dhcp-range=192.168.3.25,192.168.3.50,24h
dhcp-option=option:router,192.168.3.1
dhcp-option=option:ntp-server,192.168.3.5
dhcp-option=option:dns-server,192.168.3.5
dhcp-option=option:netmask,255.255.255.0
")
(define nftables-config
(format #f
"flush ruleset
define DEV_PRIVATE = ~a
define DEV_WORLD = ~a
define NET_PRIVATE = 192.168.0.0/16
table ip global {
chain inbound_world {
# accepting ping (icmp-echo-request) for diagnostic purposes.
# However, it also lets probes discover this host is alive.
# This sample accepts them within a certain rate limit:
#
# icmp type echo-request limit rate 5/second accept
# allow SSH connections from some well-known internet host
ip saddr 81.209.165.42 tcp dport ssh accept
}
chain inbound_private {
# accepting ping (icmp-echo-request) for diagnostic purposes.
icmp type echo-request limit rate 5/second accept
# allow DHCP, DNS and SSH from the private network
ip protocol . th dport vmap { tcp . 22 : accept, udp . 53 : accept, tcp . 53 : accept, udp . 67 : accept}
}
chain inbound {
type filter hook input priority 0; policy drop;
# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }
# allow loopback traffic, anything else jump to chain for further evaluation
iifname vmap { lo : accept, $DEV_WORLD : jump inbound_world, $DEV_PRIVATE : jump inbound_private }
# the rest is dropped by the above policy
}
chain forward {
type filter hook forward priority 0; policy drop;
# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }
# connections from the internal net to the internet or to other
# internal nets are allowed
iifname $DEV_PRIVATE accept
# the rest is dropped by the above policy
}
chain postrouting {
type nat hook postrouting priority 100; policy accept;
# masquerade private IP addresses
ip saddr $NET_PRIVATE oifname $DEV_WORLD masquerade
}
}
" lan wan))
(operating-system
(locale "en_GB.utf8")
(timezone "Europe/Warsaw")
(keyboard-layout (keyboard-layout "pl" "legacy" #:options '("ctrl:nocaps")))
(host-name "router")
(kernel-arguments
(list
"modprobe.blacklist=pcspkr,snd_pcsp"))
;; The list of user accounts ('root' is implicit).
(users (cons* (user-account
(name "formbi")
(comment "Formbi")
(group "users")
(home-directory "/home/formbi")
(supplementary-groups '("wheel" "netdev" "audio" "video")))
%base-user-accounts))
;; Packages installed system-wide. Users can also install packages
;; under their own account: use 'guix search KEYWORD' to search
;; for packages and 'guix install PACKAGE' to install a package.
(packages
(append (list (specification->package "nss-certs"))
%base-packages))
;; Below is the list of system services. To search for available
;; services, run 'guix system search KEYWORD' in a terminal.
(services
(append (list
(service xfce-desktop-service-type)
(service guix-publish-service-type
(guix-publish-configuration
(port 2137)
(advertise? #t)))
(service earlyoom-service-type
(earlyoom-configuration
(avoid-regexp "emacs")
(minimum-available-memory 5)
(minimum-free-swap 20)))
(service openssh-service-type)
(service cups-service-type)
(service dnsmasq-service-type)
(extra-special-file "/etc/dnsmasq.conf"
(plain-file "dnsmasq.conf" dnsmasq-config))
(service nftables-service-type
(nftables-configuration
(ruleset (plain-file "nftables.conf" nftables-config))))
(set-xorg-configuration
(xorg-configuration (keyboard-layout keyboard-layout))))
;; This is the default list of services we
;; are appending to.
(modify-services
%desktop-services
(sysctl-service-type
config =>
(sysctl-configuration
(settings (append '(("vm.swappiness" . "10")
("net.ipv4.ip_forward" . "1"))
%default-sysctl-settings))))
(network-manager-service-type
config =>
(network-manager-configuration
;(dns "dnsmasq")
))
(guix-service-type
config =>
(guix-configuration
(discover? #t))))))
(bootloader (bootloader-configuration
(bootloader grub-bootloader)
(targets (list "/dev/sda"))
(keyboard-layout keyboard-layout)))
(swap-devices (list (swap-space
(target (uuid
"a32aa366-c966-460f-9592-2a08c5cad947")))))
;; The list of file systems that get "mounted". The unique
;; file system identifiers there ("UUIDs") can be obtained
;; by running 'blkid' in a terminal.
(file-systems (cons* (file-system
(mount-point "/")
(device (uuid
"30b3a834-f23e-42ad-addf-0cde5538a96f"
'ext4))
(type "ext4")) %base-file-systems)))
thanks for your response!
1: the cable was indeed bad (it was brand new, so I wasn't suspecting it), but something else is still wrong
2: sorry for just pasting, I'm not really sure how to interpret it client:
server:
2a: I'm using network manager, it has worked so far. When I try to connect to the wired network manually (normally it does it automatically), nmtui says
Could not activate connection: Activation failed: IP configuration could not be reserved (no available address, timeout, etc.)
. Dnsmasq is running, but I don't know hot to check where is't listening (I tried looking it up, but didn't find anything).2b: http://ix.io/4z3X/text
3: it only shows the dummy docker thing; when I connect to the wi-fi hotspot in my phone, it does appear and I can ping it
4: I'm not sure, the nftables config is pasted in the original post