/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! /* ALSO: Don't quote this header. It makes you look lame :-) */ I am trying to set up IP Masqing, and I can't get past step 3 of the troubleshooting part of the HOWTO. I have two machines. I am running redhat linux 6.2 w/kernel 2.2.16 installed on both boxes. I have recompiled the kerenel with the correct settings. One is the masq server(snarf) with two internet cards. eth0 is the outside interface. It is configured using DHCP, and it works. (I can access the internet with it.) eth1 is the interface to the internal server. It has an IP of 192.168.0.1 and 255.255.255.0 as subnet. I can ping 192.168.0.1 (eth1) from snarf with no problem. The Masq'ed machine (orko) has an IP of 192.168.0.2 and a subnet of 255.255.255.0. From orko, I can ping 192.168.0.2 (it's own interface.) I cannot, however, get orko or snarf to ping each other. I checked the configurations of orko and snarf as the HOWTO said, but they seem to be correct. There is a link between the computers. (The NICs and the switch all have lights on.) I checked the archives and someone reccomended using a crossover cable, but I don't think this is necessary when they are connected with a switch. There is nothing wrong with the cables or the cards. I have used all of them to access the internet. All the information is below. Sorry if this has been answered before, but I could not find it in the archives. Also, I'm sorry for the long e-mail, but I should probably give you all the info or you won't be able to help me. Thanks in advance. Arun internal MASQ'ed computer(orko): [root@orko /root]# ifconfig eth0 Link encap:Ethernet HWaddr 00:10:5A:27:35:13 inet addr:192.168.0.2 Bcast:192.168.0.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:0 errors:23431 dropped:0 overruns:4 frame:35967 TX packets:96 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 Interrupt:11 Base address:0x1000 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:3924 Metric:1 RX packets:52 errors:0 dropped:0 overruns:0 frame:0 TX packets:52 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 MASQ server(snarf): [root@snarf /root]# ifconfig eth0 Link encap:Ethernet HWaddr 00:50:DA:CE:FC:76 inet addr:64.192.48.165 Bcast:64.192.48.167 Mask:255.255.255.252 UP BROADCAST RUNNING MTU:1500 Metric:1 RX packets:105 errors:0 dropped:0 overruns:0 frame:0 TX packets:120 errors:0 dropped:0 overruns:0 carrier:4 collisions:0 txqueuelen:100 Interrupt:11 Base address:0xdc80 eth1 Link encap:Ethernet HWaddr 00:50:DA:8A:B9:AD inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:205 errors:0 dropped:0 overruns:0 frame:0 TX packets:90 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 Interrupt:10 Base address:0xdc00 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:3924 Metric:1 RX packets:19 errors:0 dropped:0 overruns:0 frame:0 TX packets:19 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 [root@snarf /root]# netstat -rn Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 192.168.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth1 64.192.48.164 0.0.0.0 255.255.255.252 U 0 0 0 eth0 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo 0.0.0.0 64.192.48.166 0.0.0.0 UG 0 0 0 eth0 [root@snarf /root]# cat /proc/sys/net/ipv4/ip_forward 1 [root@snarf /root]# ipchains -M -L IP masquerading entries My firewall script is below. It is the one from the IP-MASQ HOWTO website with a few changes. #!/bin/sh # # rc.firewall - Initial SIMPLE IP Masquerade test for 2.1.x and 2.2.x kernels using IPCHAINS # # Load all required IP MASQ modules # # NOTE: Only load the IP MASQ modules you need. All current IP MASQ modules # are shown below but are commented out from loading. # Needed to initially load modules # /sbin/depmod -a # Supports the proper masquerading of FTP file transfers using the PORT method # #/sbin/modprobe ip_masq_ftp # Supports the masquerading of RealAudio over UDP. Without this module, # RealAudio WILL function but in TCP mode. This can cause a reduction # in sound quality # #/sbin/modprobe ip_masq_raudio # Supports the masquerading of IRC DCC file transfers # #/sbin/modprobe ip_masq_irc # Supports the masquerading of Quake and QuakeWorld by default. This modules is # for for multiple users behind the Linux MASQ server. If you are going to play # Quake I, II, and III, use the second example. # # NOTE: If you get ERRORs loading the QUAKE module, you are running an old # ----- kernel that has bugs in it. Please upgrade to the newest kernel. # #Quake I / QuakeWorld (ports 26000 and 27000) #/sbin/modprobe ip_masq_quake # #Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960) #/sbin/modprobe ip_masq_quake 26000,27000,27910,27960 # Supports the masquerading of the CuSeeme video conferencing software # #/sbin/modprobe ip_masq_cuseeme #Supports the masquerading of the VDO-live video conferencing software # #/sbin/modprobe ip_masq_vdolive #CRITICAL: Enable IP forwarding since it is disabled by default since # # Redhat Users: you may try changing the options in /etc/sysconfig/network from: # # FORWARD_IPV4=false # to # FORWARD_IPV4=true # echo "1" > /proc/sys/net/ipv4/ip_forward #CRITICAL: Enable automatic IP defragmenting since it is disabled by default in 2.2.x kernels # # This used to be a compile-time option but the behavior was changed in 2.2.12 # echo "1" > /proc/sys/net/ipv4/ip_always_defrag # Dynamic IP users: # # If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this following # option. This enables dynamic-ip address hacking in IP MASQ, making the life # with Diald and similar programs much easier. # echo "1" > /proc/sys/net/ipv4/ip_dynaddr # Enable the LooseUDP patch which some Internet-based games require # # If you are trying to get an Internet game to work through your IP MASQ box, # and you have set it up to the best of your ability without it working, try # enabling this option (delete the "#" character). This option is disabled # by default due to possible internal machine UDP port scanning # vunerabilities. # #echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose # MASQ timeouts # # 2 hrs timeout for TCP session timeouts # 10 sec timeout for traffic after the TCP/IP "FIN" packet is received # 160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users) # /sbin/ipchains -M -S 7200 10 160 # DHCP: For people who receive their external IP address from either DHCP or BOOTP # such as ADSL or Cablemodem users, it is necessary to use the following # before the deny command. The "bootp_client_net_if_name" should be replaced # the name of the link that the DHCP/BOOTP server will put an address on to? # This will be something like "eth0", "eth1", etc. # # This example is currently commented out. # # /sbin/ipchains -A input -j ACCEPT -i eth0 -s 0/0 67 -d 0/0 68 -p udp # Enable simple IP forwarding and Masquerading # # NOTE: The following is an example for an internal LAN address in the 192.168.0.x # network with a 255.255.255.0 or a "24" bit subnet mask. # # Please change this network number and subnet mask to match your internal LAN setup # /sbin/ipchains -P forward DENY /sbin/ipchains -A forward -s 192.168.0.0/24 -j MASQ _______________________________________________ Masq maillist - [EMAIL PROTECTED] Admin requests can be handled at http://www.indyramp.com/masq-list/ -- THIS INCLUDES UNSUBSCRIBING! or email to [EMAIL PROTECTED] PLEASE read the HOWTO and search the archives before posting. You can start your search at http://www.indyramp.com/masq/ Please keep general linux/unix/pc/internet questions off the list.
