Are you sure you have IP Masquerading compiled into the kernel?  As I   
understand it (and I could be *way* off, I admit),

1) If your Linux box makes a proper PPP connection, it doesn't need IP
Masq to "surf" (this is a fact, e.g. Windows)

2) If the kernel doesn't have IP Masq compiled in but *does* have IP   
Forwarding enabled, it will simply forward packets from one interface to   
another without "masquerading" them.

Any other voices of reason?

peace favor your sword

 -----Original Message-----
From: Rod Moffitt
Sent: Monday, June 21, 1999 12:22 PM
To: Kirk Lawson
Cc: 'MASQ@SMTP <[EMAIL PROTECTED]>'; 'LINUX-DI@SMTP   
<[EMAIL PROTECTED]>'
Subject: RE: Masq&Diald: When 'initial' traffic t

On Mon, 21 Jun 1999, Kirk Lawson wrote:

>
> What Linux distro. are you using, specifically, what version and kernel?
>


Sorry about that - I am using 2.0.36 with the ipportfw and egcs
patches...

 - Rod

> peace favor your sword
>
>  -----Original Message-----
> From: Rod Moffitt
> Sent: Monday, June 21, 1999 11:56 AM
> To: LKLawson; 'MASQ@SMTP <[EMAIL PROTECTED]>'; 'LINUX-DI@SMTP <[EMAIL PROTECTED]>'
> Subject: Masq&Diald: When 'initial' traffic that
>
> Original Subject:
> Masq&Diald: When 'initial' traffic that brings up link is UDP
>
> Masq&Diald: When 'initial' traffic that brings up link is UDP kernel DOES
> not masq - it merely forwards...
> -------------------------------------------------------------------------
>
> I recently helped a friend out who used a modem to access the net. They
> recently picked up a second machine for their kid and as such wanted a
> LAN. I of course recognized the situation (since it was mine a few years
> ago!) and offered to not only help set up a LAN, yet add a firewall so that
> BOTH of the computers could access the LAN - and to boot that this magical
> firewall could automatically detect when you wanted to get on the
> Internet and dial up for you. They of course loved the idea and that is
> what I spent the good part of last week and this last weekend doing.
>
> Now the problem - of course the Masq stuff was easy since I merely cloned
> most of my rules. In addition the diald stuff was easy since all I had
> to do was modify the 'connect' chat script. And of course when I tested it
> from the firewall it worked great! If I pinged a host the link would come
> up and the Masquerading worked great!
>
> Now the bad news, when I tried it from one of the Win95 hosts it didn't
> work so great. When the 'initial' traffic that caused diald to get ppp up
> was UDP (say an initial DNS lookup for a web site, or for a
> Starcraft-battlenet connection) Masquerading did not occur - the kernel
> merely forwarded the packets out! Take a look at a snapshot of the following
> kernel logs (W.X.Y.Z is the address of the Win95 host, A.B.C.D and E.F.G.H
> are addresses of DNS hosts) where DNS packets were not properly
> Masqueraded, instead they were merely forwarded.
>
> Now Masquerading did work for all packet types from the firewall machine.
> In addition this whole scenario worked for me nearly two years ago when I
> did not have my static IP as I do today, and I never saw this type of
> problem.
>
> I checked the How-to and FAQs (BTW the masq mailing list archives are NOT
> searchable - this would be a real time saver). When scanning the diald FAQ
> (http://www.loonie.net/~eschenk/diald/diald-faq-6.html#ss6.11) it says
> that TCP connections are not to be used 'to bring up the link' yet UDP are
> (it has to do with not being able to change the address of a TCP connection),
> therefore this problem seems to be the inverse?!?!
>
> Anyone have an idea?
>
>
> Jun 19 20:12:32 router kernel: IP fw-out deny ppp0 UDP W.X.Y.Z:61232 A.B.C.D:53 L=65 S=0x00 I=4096 F=0x0000 T=31
> Jun 19 20:12:47 router kernel: IP fw-out deny ppp0 UDP W.X.Y.Z:61233 E.F.G.H:53 L=65 S=0x00 I=4352 F=0x0000 T=31
> Jun 19 20:13:02 router kernel: IP fw-out deny ppp0 UDP W.X.Y.Z:61232 A.B.C.D:53 L=65 S=0x00 I=4608 F=0x0000 T=31
> Jun 19 20:13:22 router kernel: IP fw-out deny ppp0 UDP W.X.Y.Z:61233 E.F.G.H:53 L=65 S=0x00 I=4864 F=0x0000 T=31
>
>
> Here are my masquerading rules:
>
> ipfwadm -F -f
> ipfwadm -F -p deny
>
> echo "masquerade-forwarding from $PRIVATE_NET"
> ipfwadm -F -a accept -m -W $PUBLIC_INT -S $PRIVATE_NET
>
> echo "masquerade-forwarding on $DIALD_INT from $PRIVATE_NET"
> ipfwadm -F -a accept -m -W $DIALD_INT -S $PRIVATE_NET
>
> ipfwadm -F -a deny -o
>
>
>  --
>
> ============ Geek Technology at its best: http://nuked.org ===============
> Rod Moffitt  ICQ# 6696644    Linux: multi-platform, multi-tasking,
> [EMAIL PROTECTED]                multi-user, fast & free! http://www.linux.org
> PGP RSA KeyID 570A0731       Protect your privacy! http://www.pgpi.com
> http://rodmoffitt.org        Net, s/w & h/w consulting: http://vissitt.com
> ========= Where loved ones are remembered: http://memoriam.org ===========
>
>          Last yeer I kudn't spel Engineer.  Now I are won.
>
>  -
> To unsubscribe from this list: send the line "unsubscribe linux-diald" in
> the body of a message to [EMAIL PROTECTED]
>

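The symptom discussed in this thread (output-chain log entries on the dial-up interface that still carry the LAN host's source address) can be picked out of a syslog file mechanically. The following is an added example, not code from any poster in the thread; the sample lines are constructed in the layout of the excerpt above, and the addresses, the `ppp0` default and the RFC 1918 test for "private" are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Layout taken from the log excerpt quoted in the thread:
#   kernel: IP fw-out deny ppp0 UDP SRC:PORT DST:PORT L=.. S=.. I=.. F=.. T=..
LOG_RE = re.compile(
    r"kernel: IP (?P<chain>fw-\w+) (?P<action>\w+) (?P<iface>\S+) "
    r"(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\b"
)

# Assumption: the masqueraded LAN uses RFC 1918 address space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(line):
    """Return the firewall fields of one syslog line, or None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def unmasqueraded(lines, external_ifaces=("ppp0",)):
    """Count fw-out entries on an external interface whose source is still private."""
    hits = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None or rec["chain"] != "fw-out":
            continue
        if rec["iface"] not in external_ifaces:
            continue
        src = ipaddress.ip_address(rec["src"])
        if any(src in net for net in RFC1918):
            hits[(rec["src"], rec["proto"], rec["dport"])] += 1
    return dict(hits)

# Constructed sample input (not the poster's real log).
SAMPLE = [
    "Jun 19 20:12:32 router kernel: IP fw-out deny ppp0 UDP 192.168.1.10:61232 198.51.100.1:53 L=65 S=0x00 I=4096 F=0x0000 T=31",
    "Jun 19 20:12:47 router kernel: IP fw-out deny ppp0 UDP 192.168.1.10:61233 198.51.100.2:53 L=65 S=0x00 I=4352 F=0x0000 T=31",
    "Jun 19 20:13:02 router kernel: IP fw-out deny ppp0 UDP 192.168.1.10:61232 198.51.100.1:53 L=65 S=0x00 I=4608 F=0x0000 T=31",
    "Jun 19 20:13:05 router kernel: IP fw-out deny ppp0 UDP 203.0.113.7:61001 198.51.100.1:53 L=65 S=0x00 I=4700 F=0x0000 T=64",
    "Jun 19 20:13:06 router kernel: IP fw-in deny eth0 UDP 192.168.1.10:137 192.168.1.255:137 L=78 S=0x00 I=4701 F=0x0000 T=128",
    "Jun 19 20:13:10 router diald[201]: constructed non-firewall line",
]

if __name__ == "__main__":
    for key, count in unmasqueraded(SAMPLE).items():
        print(key, count)
```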