/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
/* ALSO: Don't quote this header. It makes you look lame :-) */

Thanks to all who answered my question. I got it to work.

Solution:

1) Add a default route on the gateway machine:

   route add default gw 10.0.0.10 metric 1

   (which I have since changed to my ISP's gateway address)

2) Disconnect the modem connection to the internet (my 192.168.0.10 machine had a modem and was dialed to my dialup ISP)

Thanks
Jay

Jay Strauss
[EMAIL PROTECTED]
(h) 773.935.5326
(c) 312.617.0264

-----Original Message-----
From: Jay Strauss <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Friday, August 11, 2000 6:27 PM
Subject: Can't reach external network from internal network

>Hi, I'm having trouble getting MASQ to work. My environment is RedHat 6.2 (i.e. 2.2.14-5).
>
>I've been reading and implementing by the HOWTO. I tried to search the archives
>but I don't really know what to search for. The HOWTO makes me believe I don't
>have to ftp any files or recompile my kernel, because RH6.2 is masq ready out of
>the box. ??? Is that true ???
>
>I don't have my DSL line yet, but I'm trying to prepare. So in my closed
>environment I have 3 computers:
>1) (client) at 192.168.0.10
>2) (gateway) at 192.168.0.1 and 10.0.0.1
>3) (external) at 10.0.0.10 - this is my pretend internet machine
>
>My idea was that I'd get it all working, then when my DSL arrives I'll change
>the address of 10.0.0.1 to whatever my provider issues me (and use 10.0.0.10 for
>something else)
>
>My client can ping my gateway @ 192.168.0.1, my gateway can ping both networks
>(i.e. it can ping 10.0.0.10 & 192.168.0.10), and my external can ping the
>gateway @ 10.0.0.1
>
>When I try to ping from my client (192.168.0.10) to my external (10.0.0.10) I
>get: "request timed out"
>If I bring down the 10.0.0.1 NIC on my gateway then I get:
>ping 10.0.0.10
>
>Pinging 10.0.0.10 with 32 bytes of data:
>
>Reply from 192.168.0.1: Destination net unreachable.
>Reply from 192.168.0.1: Destination net unreachable.
>Reply from 192.168.0.1: Destination net unreachable.
>Reply from 192.168.0.1: Destination net unreachable.
>
>So it looks as if it's trying to do the MASQ but it can't reach the 10.0.0.0
>network, but when I bring up the card I get the "request timed out" error
>
>Here is the output of "route -n", I noticed there is no entry for 10.0.0.1 on
>eth1.
>Kernel IP routing table
>Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>192.168.0.1     0.0.0.0         255.255.255.255 UH    0      0        0 eth0
>192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
>10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth1
>127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
>
>My /etc/rc.d/rc.firewall looks like this (copied from the HOWTO):
>
>#!/bin/sh
>#
># rc.firewall - Initial SIMPLE IP Masquerade test for 2.1.x and 2.2.x kernels using IPCHAINS
>#
># Load all required IP MASQ modules
>#
># NOTE: Only load the IP MASQ modules you need. All current IP MASQ modules
># are shown below but are commented out from loading.
>
># Needed to initially load modules
>#
>/sbin/depmod -a
>
>
># Supports the proper masquerading of FTP file transfers using the PORT method
>#
>/sbin/modprobe ip_masq_ftp
>
>
># Supports the masquerading of RealAudio over UDP. Without this module,
># RealAudio WILL function but in TCP mode. This can cause a reduction
># in sound quality
>#
>#/sbin/modprobe ip_masq_raudio
>
>
># Supports the masquerading of IRC DCC file transfers
>#
>#/sbin/modprobe ip_masq_irc
>
>
># Supports the masquerading of Quake and QuakeWorld by default. This module is
># for multiple users behind the Linux MASQ server. If you are going to play
># Quake I, II, and III, use the second example.
>#
># NOTE: If you get ERRORs loading the QUAKE module, you are running an old
># ----- kernel that has bugs in it. Please upgrade to the newest kernel.
>#
>#Quake I / QuakeWorld (ports 26000 and 27000)
>#/sbin/modprobe ip_masq_quake
>#
>#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
>#/sbin/modprobe ip_masq_quake 26000,27000,27910,27960
>
>
># Supports the masquerading of the CuSeeme video conferencing software
>#
>#/sbin/modprobe ip_masq_cuseeme
>
>
>#Supports the masquerading of the VDO-live video conferencing software
>#
>#/sbin/modprobe ip_masq_vdolive
>
>
>#CRITICAL: Enable IP forwarding since it is disabled by default.
>#
># Redhat Users: you may try changing the options in /etc/sysconfig/network from:
>#
># FORWARD_IPV4=false
># to
># FORWARD_IPV4=true
>#
>echo "1" > /proc/sys/net/ipv4/ip_forward
>
>
>#CRITICAL: Enable automatic IP defragmenting since it is disabled by default in 2.2.x kernels
>#
># This used to be a compile-time option but the behavior was changed in 2.2.12
>#
>echo "1" > /proc/sys/net/ipv4/ip_always_defrag
>
>
># Dynamic IP users:
>#
># If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this following
># option. This enables dynamic-ip address hacking in IP MASQ, making the life
># with Diald and similar programs much easier.
>#
>#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
>
>
># Enable the LooseUDP patch which some Internet-based games require
>#
># If you are trying to get an Internet game to work through your IP MASQ box,
># and you have set it up to the best of your ability without it working, try
># enabling this option (delete the "#" character). This option is disabled
># by default due to possible internal machine UDP port scanning
># vulnerabilities.
>#
>#echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose
>
>
># MASQ timeouts
>#
># 2 hrs timeout for TCP session timeouts
># 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
># 160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
>#
>/sbin/ipchains -M -S 7200 10 160
>
>
># DHCP: For people who receive their external IP address from either DHCP or BOOTP
># such as ADSL or Cablemodem users, it is necessary to use the following
># before the deny command. The "bootp_client_net_if_name" should be replaced
># with the name of the link that the DHCP/BOOTP server will put an address on to.
># This will be something like "eth0", "eth1", etc.
>#
># This example is currently commented out.
>#
>#
>#/sbin/ipchains -A input -j ACCEPT -i bootp_clients_net_if_name -s 0/0 67 -d 0/0 68 -p udp
>
>
># Enable simple IP forwarding and Masquerading
>#
># NOTE: The following is an example for an internal LAN address in the 192.168.0.x
># network with a 255.255.255.0 or a "24" bit subnet mask.
>#
># Please change this network number and subnet mask to match your internal LAN setup
>#
>/sbin/ipchains -P forward DENY
>/sbin/ipchains -A forward -s 192.168.0.0/24 -j MASQ
>
>
>Jay Strauss
>[EMAIL PROTECTED]
>(h) 773.935.5326
>(c) 312.617.0264

_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- THIS INCLUDES UNSUBSCRIBING! or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting. You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
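The two symptoms in the thread above (an ICMP "Destination net unreachable" coming back from the gateway versus a plain "request timed out") are decided by the gateway's routing lookup before any ipchains rule is consulted. The following is an added example, not code from Jay's mail or from the IP Masquerade HOWTO: a POSIX sh/awk longest-prefix lookup run over a copy of the `route -n` table he posted, plus a second table with the default route from his fix appended (the `0.0.0.0 10.0.0.10 ... eth1` line is constructed from his `route add default gw 10.0.0.10 metric 1` command, not something he posted). A destination with no matching entry is what the kernel turns into "net unreachable"; a destination that does match but whose reply never comes back is what the client sees as a timeout.

```shell
#!/bin/sh
# Added example: offline route lookup over a "route -n" style table.
# Not part of the original mail or the HOWTO.

# Copy of the gateway's "route -n" output as posted (header row kept, title dropped).
ROUTE_TABLE='Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo'

# Constructed: the same table after "route add default gw 10.0.0.10 metric 1".
ROUTE_TABLE_WITH_DEFAULT="$ROUTE_TABLE
0.0.0.0 10.0.0.10 0.0.0.0 UG 1 0 0 eth1"

# route_lookup TABLE DEST
# Prints "IFACE GATEWAY" for the longest-prefix match (a /32 host route beats a /24,
# which beats the /0 default), or "UNREACHABLE" when no entry covers DEST.
route_lookup() {
    printf '%s\n' "$1" | awk -v dest="$2" '
    # dotted quad -> 32-bit integer (awk doubles hold this exactly)
    function ip2int(s,  a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
    # prefix length of a contiguous netmask = number of set bits
    function masklen(m,  n, bits) {
        n = ip2int(m); bits = 0
        while (n > 0) { bits += n % 2; n = int(n / 2) }
        return bits
    }
    # bitwise AND without gawk extensions, so it runs under any POSIX awk
    function and32(x, y,  r, b, i) {
        r = 0; b = 1
        for (i = 0; i < 32; i++) {
            if ((x % 2) && (y % 2)) r += b
            x = int(x / 2); y = int(y / 2); b *= 2
        }
        return r
    }
    NR == 1 { next }                       # skip the column header
    {
        d = ip2int(dest); m = ip2int($3); n = ip2int($1)
        if (and32(d, m) == n) {            # DEST & Genmask == Destination
            len = masklen($3)
            if (best == "" || len > bestlen) { best = $8 " " $2; bestlen = len }
        }
    }
    END { print (best == "" ? "UNREACHABLE" : best) }'
}

# has_default_route TABLE  -> exit 0 if a 0.0.0.0/0 entry exists, 1 otherwise
has_default_route() {
    printf '%s\n' "$1" | awk 'NR > 1 && $1 == "0.0.0.0" && $3 == "0.0.0.0" { found = 1 }
                              END { exit !found }'
}

# Walk the cases from the thread: the pretend-internet host, an off-table address
# (198.51.100.7 is documentation space, chosen here as a stand-in for "the Internet"),
# before and after the default route is added.
for dest in 10.0.0.10 192.168.0.10 198.51.100.7; do
    printf '%-14s before: %-18s after: %s\n' "$dest" \
        "$(route_lookup "$ROUTE_TABLE" "$dest")" \
        "$(route_lookup "$ROUTE_TABLE_WITH_DEFAULT" "$dest")"
done
```

Reading the output the way the gateway does: 10.0.0.10 already matched the 10.0.0.0/8 entry on eth1 with the original table, so a timeout there means the packet left eth1 and nothing came back, not that the route was missing; bringing the 10.0.0.1 NIC down removed that entry, which is exactly when the client started receiving "net unreachable". Only destinations outside 10/8, 127/8 and 192.168.0/24 change behaviour when the default route is added, so the same lookup tells you whether a ping failure is a routing-table problem or a return-path/NAT problem before touching the ipchains rules.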
