/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! 
/* ALSO: Don't quote this header. It makes you look lame :-) */


Hi, I'm having trouble getting MASQ to work.  My environment is RedHat 6.2 (i.e.
2.2.14-5).

I've been reading and implementing by the HOWTO. I tried to search the archives
but I don't really know what to search for.  The HOWTO makes me believe I don't
have to ftp any files or recompile my kernel, because RH6.2 is masq ready out of
the box.  ??? Is that true ???

I don't have my DSL line yet, but I'm trying to prepare.  So in my closed
environment I have 3 computers:
1) (client) at 192.168.0.10
2) (gateway) at 192.168.0.1 and 10.0.0.1
3) (external) at 10.0.0.10 - this is my pretend internet machine

My idea was that I'd get it all working, then when my DSL arrives I'll change
the address of 10.0.0.1 to whatever my provider issues me (and use 10.0.0.10 for
something else)

My client can ping my gateway @ 192.168.0.1, my gateway can ping both networks
(i.e. it can ping 10.0.0.10 & 192.168.0.10), and my external can ping the
gateway @ 10.0.0.1

When I try to ping from my client (192.168.0.10) to my external (10.0.0.10) I
get : "request timed out"
If I bring down the 10.0.0.1 NIC on my gateway then I get:
ping 10.0.0.10

Pinging 10.0.0.10 with 32 bytes of data:

Reply from 192.168.0.1: Destination net unreachable.
Reply from 192.168.0.1: Destination net unreachable.
Reply from 192.168.0.1: Destination net unreachable.
Reply from 192.168.0.1: Destination net unreachable.

So it looks as if it's trying to do the MASQ but it can't reach the 10.0.0.0
network, but when I bring up the card I get the "request timed out" error.

Here is the output of "route -n", I noticed there is no entry for 10.0.0.1 on
eth1.
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.1     0.0.0.0         255.255.255.255 UH    0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo

My /etc/rc.d/rc.firewall looks like this (copied from the HOWTO):
#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Masquerade test for 2.1.x and 2.2.x kernels using IPCHAINS
#
# Load all required IP MASQ modules
#
#   NOTE:  Only load the IP MASQ modules you need.  All current IP MASQ modules
#          are shown below but are commented out from loading.

# Needed to initially load modules
#
/sbin/depmod -a


# Supports the proper masquerading of FTP file transfers using the PORT method
#
/sbin/modprobe ip_masq_ftp


# Supports the masquerading of RealAudio over UDP.  Without this module,
#       RealAudio WILL function but in TCP mode.  This can cause a reduction
#       in sound quality
#
#/sbin/modprobe ip_masq_raudio


# Supports the masquerading of IRC DCC file transfers
#
#/sbin/modprobe ip_masq_irc


# Supports the masquerading of Quake and QuakeWorld by default.  This module is
#   for multiple users behind the Linux MASQ server.  If you are going to play
#   Quake I, II, and III, use the second example.
#
#   NOTE:  If you get ERRORs loading the QUAKE module, you are running an old
#   -----  kernel that has bugs in it.  Please upgrade to the newest kernel.
#
#Quake I / QuakeWorld (ports 26000 and 27000)
#/sbin/modprobe ip_masq_quake
#
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
#/sbin/modprobe ip_masq_quake 26000,27000,27910,27960


# Supports the masquerading of the CuSeeme video conferencing software
#
#/sbin/modprobe ip_masq_cuseeme


#Supports the masquerading of the VDO-live video conferencing software
#
#/sbin/modprobe ip_masq_vdolive


#CRITICAL:  Enable IP forwarding since it is disabled by default
#
#           Redhat Users:  you may try changing the options in /etc/sysconfig/network from:
#
#                       FORWARD_IPV4=false
#                             to
#                       FORWARD_IPV4=true
#
echo "1" > /proc/sys/net/ipv4/ip_forward


#CRITICAL:  Enable automatic IP defragmenting since it is disabled by default in 2.2.x kernels
#
#           This used to be a compile-time option but the behavior was changed in 2.2.12
#
echo "1" > /proc/sys/net/ipv4/ip_always_defrag


# Dynamic IP users:
#
#   If you get your IP address dynamically from SLIP, PPP, or DHCP, enable the following
#       option.  This enables dynamic-ip address hacking in IP MASQ, making life
#       with Diald and similar programs much easier.
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr


# Enable the LooseUDP patch which some Internet-based games require
#
#  If you are trying to get an Internet game to work through your IP MASQ box,
#  and you have set it up to the best of your ability without it working, try
#  enabling this option (delete the "#" character).  This option is disabled
#  by default due to possible internal machine UDP port scanning
#  vulnerabilities.
#
#echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose


# MASQ timeouts
#
#   2 hrs timeout for TCP session timeouts
#  10 sec timeout for traffic after the TCP/IP "FIN" packet is received
#  160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
#
/sbin/ipchains -M -S 7200 10 160


# DHCP:  For people who receive their external IP address from either DHCP or BOOTP
#        such as ADSL or Cablemodem users, it is necessary to use the following
#        before the deny command.  The "bootp_client_net_if_name" should be replaced
#        with the name of the link that the DHCP/BOOTP server will put an address onto.
#        This will be something like "eth0", "eth1", etc.
#
#        This example is currently commented out.
#
#
#/sbin/ipchains -A input -j ACCEPT -i bootp_clients_net_if_name -s 0/0 67 -d 0/0 68 -p udp


# Enable simple IP forwarding and Masquerading
#
#  NOTE:  The following is an example for an internal LAN address in the 192.168.0.x
#         network with a 255.255.255.0 or a "24" bit subnet mask.
#
#         Please change this network number and subnet mask to match your internal LAN setup
#
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 192.168.0.0/24 -j MASQ


Jay Strauss
[EMAIL PROTECTED]
(h) 773.935.5326
(c) 312.617.0264
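As an added illustration (not part of Jay's post or of the IP Masquerade HOWTO), the script below models how the gateway in the post treats a LAN packet: it parses the posted `route -n` table, performs the kernel's longest-prefix lookup, then applies the posted forward chain (default DENY, MASQ for 192.168.0.0/24) and rewrites the source to the egress interface address. It shows that 10.0.0.10 is reached via the 10.0.0.0/8 entry on eth1, so no separate host entry for 10.0.0.1 is needed, and that removing the eth1 route reproduces the "Destination net unreachable" reply seen when the NIC is down. The interface addresses, the verdict strings and the `ip_forward` flag are this model's own assumptions; it is a simplified picture of ipchains, not the kernel code.

```python
import ipaddress

# Constructed copy of the `route -n` output posted above (gateway, eth0/eth1).
ROUTE_TABLE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.1     0.0.0.0         255.255.255.255 UH    0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
"""

# Gateway interface addresses as given in the post (assumed mapping to eth0/eth1).
IFACE_ADDR = {"eth0": "192.168.0.1", "eth1": "10.0.0.1"}

# Forward chain from the posted rc.firewall: policy DENY, one MASQ rule.
FORWARD_POLICY = "DENY"
FORWARD_RULES = [(ipaddress.IPv4Network("192.168.0.0/24"), "MASQ")]


def parse_route_table(text):
    """Turn `route -n` text into a list of route dicts with IPv4Network objects."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] == "Destination":
            continue  # skip header / short lines
        dest, gw, mask, flags, iface = fields[0], fields[1], fields[2], fields[3], fields[7]
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append({"net": net, "gateway": gw, "flags": flags, "iface": iface})
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does; None if no route covers dst."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r["net"].prefixlen)


def forward_packet(routes, src, dst, ip_forward=1):
    """Simplified model of the gateway's handling of a packet from the LAN.

    Returns (verdict, egress_iface, source_address_after_nat). Verdict strings
    are this model's own labels, not kernel output.
    """
    if not ip_forward:
        # With ip_forward=0 the box never forwards, whatever the chains say.
        return ("DROP: ip_forward=0", None, None)
    route = lookup(routes, dst)
    if route is None:
        # No route: the gateway answers with ICMP "destination net unreachable",
        # which is what the post shows when the eth1 NIC is down.
        return ("ICMP net unreachable", None, None)
    verdict = FORWARD_POLICY
    for net, target in FORWARD_RULES:
        if ipaddress.IPv4Address(src) in net:
            verdict = target
            break
    if verdict == "MASQ":
        # MASQ rewrites the source to the address of the outgoing interface.
        return ("MASQ", route["iface"], IFACE_ADDR[route["iface"]])
    return (verdict, route["iface"], src)


def routes_without_iface(routes, iface):
    """Routes left after an interface goes down (its connected routes vanish)."""
    return [r for r in routes if r["iface"] != iface]


if __name__ == "__main__":
    table = parse_route_table(ROUTE_TABLE)
    print(forward_packet(table, "192.168.0.10", "10.0.0.10"))
    print(forward_packet(routes_without_iface(table, "eth1"), "192.168.0.10", "10.0.0.10"))
    print(forward_packet(table, "10.0.0.10", "192.168.0.10"))
```

The asymmetry of the last call is worth noticing: a packet from the pretend-internet host toward the LAN is routed out eth0 but hits the DENY policy, because the only rule matches sources in 192.168.0.0/24. That is the intended one-way behaviour of the HOWTO's simple ruleset, which is why replies only get in when they belong to a masqueraded session.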

_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- 
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]

PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
