

Hi

> I've been reading and implementing by the HOWTO. I tried to search the archives
> but I don't really know what to search for.  The HOWTO makes me believe I don't
> have to ftp any files or recompile my kernel, because RH6.2 is masq ready out of
> the box.  ??? Is that true ???
> 
I believe so. If you're entirely unsure, recompile the kernel. It isn't that
difficult or scary, really.

> I don't have my DSL line yet, but I'm trying to prepare.  So in my closed
> environment I have 3 computers:
> 1) (client) at 192.168.0.10
> 2) (gateway) at 192.168.0.1 and 10.0.0.1
> 3) (external) at 10.0.0.10 - this is my pretend internet machine
> 
> My idea was that I'd get it all working, then when my DSL arrives I'll change
> the address of 10.0.0.1 to whatever my provider issues me (and use 10.0.0.10 for
> something else)
> 
You could try setting up conventional routing, i.e. a non-NAT (or
non-IP-Masq) setup to check that your TCP/IP networking is in order before
trying masquerading.

> My client can ping my gateway @ 192.168.0.1, my gateway can ping both networks
> (i.e. it can ping 10.0.0.10 & 192.168.0.10), and my external can ping the
> gateway @ 10.0.0.1
> 
This is what's confusing me a bit. I'd thought you had a netmask or routing
issue, but the former can't be if 10.0.0.10 can ping 10.0.0.1 *and*
192.168.0.10 can ping 192.168.0.1.

> When I try to ping from my client (192.168.0.10) to my external (10.0.0.10) I
> get : "request timed out"
> 
This seems to indicate that either:
a) your gateway isn't the 'client's' default gateway (or gateway for the
10/8 net) or
b) your gateway isn't forwarding packets.

> If I bring down the 10.0.0.1 NIC on my gateway then I get:
> 
What do you mean by 'bring down'?

> ping 10.0.0.10
> 
> Pinging 10.0.0.10 with 32 bytes of data:
> 
> Reply from 192.168.0.1: Destination net unreachable.
<snip>

> So it looks as if it's trying to do the MASQ but it can't reach the 10.0.0.0
> network, but when I bring up the card I get the "request timed out" error
> 
Strange.. My assumptions above are probably wrong, in this case. Ping is
something of a strange beast, though. Have you tried to telnet from
192.168.0.10 to 10.0.0.10? For ping to work your kernel needs support for
it. Perhaps the RH6.2 kernel requires a module to be loaded?

> Here is the output of "route -n", I noticed there is no entry for 10.0.0.1 on
> eth1.
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.0.1     0.0.0.0         255.255.255.255 UH    0      0        0 eth0
> 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth1
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 
That doesn't matter, you've got a route pointing to eth1 for the 10/8 net
directly attached. If the subnet masks on 10.0.0.1 and 10.0.0.10 are both
255.0.0.0 everything's fine.

> My /etc/rc.d/rc.firewall looks like this (copied from the HOWTO):
> #!/bin/sh
> /sbin/depmod -a
> /sbin/modprobe ip_masq_ftp
> #/sbin/modprobe ip_masq_raudio
> #/sbin/modprobe ip_masq_irc
> #/sbin/modprobe ip_masq_quake
> #/sbin/modprobe ip_masq_quake 26000,27000,27910,27960
> #/sbin/modprobe ip_masq_cuseeme
> #/sbin/modprobe ip_masq_vdolive
> echo "1" > /proc/sys/net/ipv4/ip_forward
> echo "1" > /proc/sys/net/ipv4/ip_always_defrag
> #echo "1" > /proc/sys/net/ipv4/ip_dynaddr
> #echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose
> /sbin/ipchains -M -S 7200 10 160
> #/sbin/ipchains -A input -j ACCEPT -i bootp_clients_net_if_name -s 0/0 67 -d 0/0 68 -p udp
> /sbin/ipchains -P forward DENY
> /sbin/ipchains -A forward -s 192.168.0.0/24 -j MASQ
> 
All of this looks alright. Check your modules directory for ip_masq_icmp and
try loading it. Alternatively, add the following lines:
/sbin/ipchains -A input -j ACCEPT -l
/sbin/ipchains -A output -j ACCEPT -l

and append a '-l' to the masquerading statement you already have. Then
(after having run the masquerading script) do a 'tail -f /var/log/messages'
on the gateway and try pinging and telnetting from 192.168.0.10 to
10.0.0.10. See what is logged.

HTH
Tobias
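
An added example, not part of Tobias's message or the HOWTO: one way to read the "Packet log:" lines that the -l rules above write to /var/log/messages, and map them onto the two possibilities from the reply (the client not using the gateway, or the gateway not forwarding). The function name diagnose, its result labels, the hostname gw and the sample log line are all constructed for illustration; the field layout is assumed to follow the usual ipchains "Packet log: chain action iface PROTO=n src:port dst:port ..." form.

```shell
#!/bin/sh
# Usage: diagnose CLIENT_IP EXTERNAL_IP < /var/log/messages
# Prints one of (labels are this example's own):
#   no-input       request never hit the gateway's input chain
#                  (case a: client is not routing via the gateway)
#   not-forwarded  request arrived but no MASQ line was logged
#                  (case b: ip_forward off or forward rule not matching)
#   no-reply       request was masqueraded, external never answered
#   ok             a reply from the external host came back
diagnose() {
    awk -v c="$1" -v e="$2" '
    /Packet log:/ {
        # Locate the "log:" token; the fields after it are fixed-position.
        for (i = 1; i <= NF; i++) if ($i == "log:") break
        chain = $(i+1); action = $(i+2)
        split($(i+5), s, ":")   # source address[:port or ICMP type]
        split($(i+6), d, ":")   # destination address[:port or ICMP code]
        if (chain == "input" && s[1] == c && d[1] == e) seen_in = 1
        if (chain == "forward" && action == "MASQ" &&
            s[1] == c && d[1] == e) seen_fwd = 1
        if (chain == "input" && s[1] == e) seen_reply = 1
    }
    END {
        if (!seen_in)         print "no-input"
        else if (!seen_fwd)   print "not-forwarded"
        else if (!seen_reply) print "no-reply"
        else                  print "ok"
    }'
}

# Constructed sample line (not real output): the echo request from the
# client is accepted on input, but the forward chain logs nothing.
SAMPLE='Jan  1 12:00:01 gw kernel: Packet log: input ACCEPT eth0 PROTO=1 192.168.0.10:8 10.0.0.10:0 L=60 S=0x00 I=100 F=0x0000 T=32 (#1)'

printf '%s\n' "$SAMPLE" | diagnose 192.168.0.10 10.0.0.10
```

The forward chain only logs if the MASQ rule itself carries -l, so "not-forwarded" is meaningful only after that change has been made.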

_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]