/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting!
/* ALSO: Don't quote this header. It makes you look lame :-) */

Hello all-

I'm sorry if this has been hashed out over a bazillion times. I attempted to search through the archives for relevant info, but came up with very little.

I have a LinuxPPC machine (based roughly on RedHat 5.2 I believe) with my own built 2.2.18pre19 kernel. It has IP MASQ and Forwarding turned on. (At least, in /proc/net I have the files ip_fwchains, ip_fwnames, ip_masq, and ip_masquerade, which I read somewhere means I have all my compile time options correct.)

On the linux box, I have three ethernet interfaces. I'm using 2: eth2 for a DHCP connection to a DSL box and eth1 connected to a switch then to my internal network.

My ideal network (right now it's in the testing/debugging stage) would look like this. LinuxPPC box connected to the DSL line getting its IP dynamically using pump on eth2. Internal network with a bunch of windoze and macs behind the Linux box on eth1, also getting their IPs dynamically, but this time from the LinuxPPC box. The internal network gets addys of 192.168.0.20 - 200. .19 and below are servers and/or printers.

I've got dhcpd working well. My test clients pick up correct IP addresses, and set their router/gateway to 192.168.0.1, which is the IP addy for the LinuxPPC box.

IP MASQ is another story. Going through the steps as outlined in the HowTo:

Step 1: From the client, ping its IP address--works fine. The client (192.168.0.20) can ping itself just fine.

Step 2: On the LinuxPPC machine, ping its internal IP--works fine. Ping 192.168.0.1

Step 3: From the client, ping the internal IP of the LinuxPPC box. Ping 192.168.0.1 from 192.168.0.20 works ok.

Step 4: From the client, ping the external IP of the LinuxPPC box. Ping 208.166.201.27 from 192.168.0.20 works OK.

Step 5: From the client, ping an external IP to the LinuxPPC box. Ping 208.166.201.1 (router at ISP) from 192.168.0.20 FAILS.
In one thread, it was suggested that a simple telnet session be tried--also fails.

Some other notes: At this point, from the LinuxPPC box, I have full internet connectivity; I can ping both external addys (like the ISP router) as well as the internal client. I am not seeing anything in /var/log/messages. This distresses me because it doesn't even give me some good points to start searching the mail archives.

I am running the simple ruleset straight from the HowTo, uncommenting the lines relating to users with Dynamic IP addresses.

ifconfig looks something like this:

eth1      Link encap:Ethernet  HWaddr FF:FF:FF:FF:FF:FF
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:34 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:24 Base address:0x480

eth2      Link encap:Ethernet  HWaddr 00:C0:F0:22:2C:71
          inet addr:208.166.201.27  Bcast:208.166.201.255  Mask:255.255.255.0
          EtherTalk Phase 2 addr:65280/58
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          RX packets:190 errors:0 dropped:0 overruns:0 frame:0
          TX packets:44 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:25 Base address:0x400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          EtherTalk Phase 2 addr:0/0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

route -n looks like this:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
255.255.255.255 0.0.0.0         255.255.255.255 UH    0      0        0 eth1
192.168.0.1     0.0.0.0         255.255.255.255 UH    0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
208.166.201.0   0.0.0.0         255.255.255.0   U     0      0        0 eth2
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         208.166.201.1   0.0.0.0         UG    0      0        0 eth2

This is all after a fresh re-boot.
(I had been playing with the routing tables attempting to get things working, but since I really don't have a clue what I'm doing with routing, I just reverted back to whatever is auto-generated by the little elves inside my box. :)

The whole rc.firewall ruleset I've been using for initial testing follows:

#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Masquerade test for 2.1.x and 2.2.x kernels using IPCHAINS
#
# Load all required IP MASQ modules
#
#   NOTE:  Only load the IP MASQ modules you need.  All current IP MASQ modules
#          are shown below but are commented out from loading.

# Needed to initially load modules
#
/sbin/depmod -a

# Supports the proper masquerading of FTP file transfers using the PORT method
#
/sbin/modprobe ip_masq_ftp

# Supports the masquerading of RealAudio over UDP.  Without this module,
#       RealAudio WILL function but in TCP mode.  This can cause a reduction
#       in sound quality
#
#/sbin/modprobe ip_masq_raudio

# Supports the masquerading of IRC DCC file transfers
#
#/sbin/modprobe ip_masq_irc

# Supports the masquerading of Quake and QuakeWorld by default.  This module is
# for multiple users behind the Linux MASQ server.  If you are going to play
# Quake I, II, and III, use the second example.
#
#   NOTE:  If you get ERRORs loading the QUAKE module, you are running an old
#   -----  kernel that has bugs in it.  Please upgrade to the newest kernel.
#
#Quake I / QuakeWorld (ports 26000 and 27000)
#/sbin/modprobe ip_masq_quake
#
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
#/sbin/modprobe ip_masq_quake 26000,27000,27910,27960

# Supports the masquerading of the CuSeeme video conferencing software
#
#/sbin/modprobe ip_masq_cuseeme

#Supports the masquerading of the VDO-live video conferencing software
#
#/sbin/modprobe ip_masq_vdolive

#CRITICAL:  Enable IP forwarding since it is disabled by default since
#
#           Redhat Users:  you may try changing the options in
#                          /etc/sysconfig/network from:
#
#                       FORWARD_IPV4=false
#                             to
#                       FORWARD_IPV4=true
#
echo "1" > /proc/sys/net/ipv4/ip_forward

# Dynamic IP users:
#
#   If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this following
#       option.  This enables dynamic-ip address hacking in IP MASQ, making the life
#       with Diald and similar programs much easier.
#
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# MASQ timeouts
#
#   2 hrs timeout for TCP session timeouts
#  10 sec timeout for traffic after the TCP/IP "FIN" packet is received
#  160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
#
/sbin/ipchains -M -S 7200 10 160

# DHCP:  For people who receive their external IP address from either DHCP or BOOTP
#        such as ADSL or Cablemodem users, it is necessary to use the following
#        before the deny command.  The "bootp_client_net_if_name" should be replaced
#        the name of the link that the DHCP/BOOTP server will put an address on to?
#        This will be something like "eth0", "eth1", etc.
#
#        This example is currently commented out.
#
/sbin/ipchains -A input -j ACCEPT -i eth2 -s 0/0 67 -d 0/0 68 -p udp

# Enable simple IP forwarding and Masquerading
#
#  NOTE:  The following is an example for an internal LAN address in the 192.168.0.x
#         network with a 255.255.255.0 or a "24" bit subnet mask.
#
#         Please change this network number and subnet mask to match your internal LAN setup
#
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 192.168.0.0/24 -j MASQ

At this point, I'm out of ideas or places to look. It seems almost all pages regarding this topic point you back eventually to the same HowTo. If anyone knows of something I'm obviously doing wrong, or can at least tell me how to glean some more info for troubleshooting, I'd be very very happy. I know this must work...

Also, once I do have an answer and report back to the list, is there an appropriate title I should put on the e-mail so that when others are searching the list they are more likely to find it?

Thanks in advance.

Cheers!
-Joe Rhodes

"Contrary to popular belief, UNIX is very user friendly. It's just very picky about who its friends are."

_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/
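As an added example (not part of Joe's message or the HOWTO's rc.firewall), a small POSIX shell checker for the preconditions the five-step ping test above depends on: ip_forward and ip_dynaddr set to 1, a DENY policy on the forward chain, and a MASQ rule whose source is the internal LAN. It reads each item from a file so it can be pointed at the live /proc entries and a saved ipchains listing, or at constructed text offline; the function names, the column layout assumed for "ipchains -L forward -n" (target, prot, opt, source, destination, ports) and the sample listing are assumptions.

```shell
#!/bin/sh
# masq_precheck.sh (added example, not from the original post or the HOWTO).
# Arguments:
#   $1  file holding /proc/sys/net/ipv4/ip_forward
#   $2  file holding /proc/sys/net/ipv4/ip_dynaddr
#   $3  file holding the output of "ipchains -L forward -n"
#   $4  internal LAN in net/mask form, e.g. 192.168.0.0/24
# Returns 0 when every check passes, 1 otherwise, printing each failed check.
masq_precheck() {
    fwd_file=$1; dyn_file=$2; chain_file=$3; lan=$4
    rc=0
    if [ "$(cat "$fwd_file" 2>/dev/null)" != "1" ]; then
        echo "FAIL: ip_forward is not 1, the kernel will not forward client packets"
        rc=1
    fi
    if [ "$(cat "$dyn_file" 2>/dev/null)" != "1" ]; then
        echo "FAIL: ip_dynaddr is not 1, needed while the external address comes from DHCP/pump"
        rc=1
    fi
    # First line of the listing names the chain and its policy (assumed format).
    if ! grep -q '^Chain forward (policy DENY)' "$chain_file"; then
        echo "FAIL: forward chain policy is not DENY"
        rc=1
    fi
    # A MASQ rule whose source column is the LAN; dots in $lan match literally enough here.
    if ! grep -E "^MASQ[[:space:]].*[[:space:]]$lan[[:space:]]" "$chain_file" >/dev/null; then
        echo "FAIL: no MASQ rule for source $lan in the forward chain"
        rc=1
    fi
    return $rc
}

# Demo on constructed sample input mirroring a correctly loaded rc.firewall.
masq_demo() {
    d=$(mktemp -d)
    echo 1 > "$d/ip_forward"
    echo 1 > "$d/ip_dynaddr"
    cat > "$d/forward.txt" <<'EOF'
Chain forward (policy DENY):
target     prot opt     source                destination           ports
MASQ       all  ------  192.168.0.0/24        0.0.0.0/0             n/a
EOF
    if masq_precheck "$d/ip_forward" "$d/ip_dynaddr" "$d/forward.txt" 192.168.0.0/24; then
        r=0
    else
        r=1
    fi
    rm -rf "$d"
    return $r
}
```

Running masq_demo exits 0; pointing masq_precheck at a box where ip_forward reads 0 or the MASQ rule is absent prints the missing item and exits 1.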
