[EMAIL PROTECTED] wrote:
> My symptom is this: eth0 can't ping the gateway, but ppp0 can.
>
> My setup is this: rh 7.1 with kernel 2.4.2-2 has ppp0 which dials up my isp, and
> eth0 which is connected to my local internal network.
>
> My client is win95, and can ping eth0 and ppp0, but not the gateway
>
> My network looks like this:
> eth0 Link encap:Ethernet HWaddr 00:20:18:39:1A:25
> inet addr:172.16.99.66 Bcast:172.16.99.255 Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:644 errors:0 dropped:0 overruns:0 frame:0
> TX packets:39 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:100
> Interrupt:7 Base address:0x6800
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:26 errors:0 dropped:0 overruns:0 frame:0
> TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
>
> ppp0 Link encap:Point-to-Point Protocol
> inet addr:207.114.217.148 P-t-P:207.114.217.11 Mask:255.255.255.255
> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
> RX packets:1500 errors:0 dropped:0 overruns:0 frame:0
> TX packets:1524 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:3
>
> netstat -rn
> Kernel IP routing table
> Destination Gateway Genmask Flags MSS Window irtt Iface
> 207.114.217.11 0.0.0.0 255.255.255.255 UH 40 0 0 ppp0
> 172.16.99.0 0.0.0.0 255.255.255.0 U 40 0 0 eth0
> 127.0.0.0 0.0.0.0 255.0.0.0 U 40 0 0 lo
> 0.0.0.0 207.114.217.11 0.0.0.0 UG 40 0 0 ppp0
>
> From the ppp0 interface I am able to ping the gateway:
>
> PING 207.114.217.11 (207.114.217.11) from 207.114.217.148 : 56(84) bytes of
> data.
> 64 bytes from 207.114.217.11: icmp_seq=0 ttl=255 time=115.574 msec
> 64 bytes from 207.114.217.11: icmp_seq=1 ttl=255 time=119.924 msec
> 64 bytes from 207.114.217.11: icmp_seq=2 ttl=255 time=119.931 msec
>
> --- 207.114.217.11 ping statistics ---
> 3 packets transmitted, 3 packets received, 0% packet loss
> round-trip min/avg/max/mdev = 115.574/118.476/119.931/2.071 ms
>
> A symptom of the problem occurs when I ping the gateway from eth0:
>
> PING 207.114.217.148 (207.114.217.148) from 172.16.99.66 eth0: 56(84) bytes of
> data.
> From 172.16.99.66: Destination Host Unreachable
> From 172.16.99.66: Destination Host Unreachable
> From 172.16.99.66: Destination Host Unreachable
>
> --- 207.114.217.148 ping statistics ---
> 3 packets transmitted, 0 packets received, +3 errors, 100% packet loss
>
> So, from what I've gathered from the IP-MASQ howto, FAQ, and mail archives, I
> think I've got something wrong with my IP forwarding configuration.
> This is what's in my rc.firewall - I've already had a couple of typos that I
> found. I'm hoping someone else can explain what else I've done wrong :)
> /etc/rc.d/rc.firewall:
>
> /sbin/depmod -a
> /sbin/insmod ip_tables
> /sbin/insmod ipt_REJECT
> /sbin/insmod ip_conntrack
> /sbin/insmod iptable_nat
> /sbin/insmod ip_nat_ftp
> /sbin/insmod ip_conntrack_ftp
> echo "1" > /proc/sys/net/ipv4/ip_forward
> echo "1" > /proc/sys/net/ipv4/ip_dynaddr
> /sbin/iptables -A FORWARD -j DROP
> /sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>
> An iptables -t nat -L gives this:
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
> MASQUERADE all -- anywhere anywhere
> MASQUERADE all -- anywhere anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Unfortunately I don't know what it means :(
>
> Any help would be greatly appreciated.
>
> David Knapp
> [EMAIL PROTECTED]
i'm not surprised that the ping from 172.16 doesn't work.
isn't that a private ip address? it needs to be masqueraded
before it can go anywhere. have you configured your kernel
to masquerade icmp packets? does the linux-2.4 kernel have
that as an option? 2.2 certainly needed it. if that doesn't
help, try asking on the netfilter mailing list.
raf
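
Added example, not part of either message in this thread: in the posted rc.firewall the only FORWARD rule is a match-less `-j DROP`, so every packet routed from eth0 to ppp0 is discarded in the filter table before it reaches the POSTROUTING MASQUERADE rule. The script below prints a rule set that accepts LAN-to-ppp0 traffic and its replies under a DROP policy, and checks a rule list for the posted pattern; the helper names (`posted_rules`, `masq_rules`, `forward_blocked`) are made up for this example, and the interface names and LAN range are taken from the post.

```shell
#!/bin/sh
# Added example: FORWARD rules for the setup in the post (eth0 = LAN, ppp0 = uplink).
IPT="${IPT:-/sbin/iptables}"
LAN_IF="eth0"; LAN_NET="172.16.99.0/24"; WAN_IF="ppp0"

# The two rule lines from the posted rc.firewall, kept for comparison.
posted_rules() {
    cat <<EOF
$IPT -A FORWARD -j DROP
$IPT -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
EOF
}

# Replacement rule set, printed one command per line (nothing is applied here).
# -A appends on every run, so both chains are flushed first; otherwise repeated
# runs stack duplicates such as the two MASQUERADE lines in the posted listing.
# "-m state" uses connection tracking (ip_conntrack, already loaded in the post).
masq_rules() {
    cat <<EOF
$IPT -F FORWARD
$IPT -t nat -F POSTROUTING
$IPT -P FORWARD DROP
$IPT -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
$IPT -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# Reads rule lines on stdin. Returns 0 if a match-less "-A FORWARD -j DROP|REJECT"
# comes before any FORWARD ACCEPT rule (first match wins, so nothing is forwarded).
# Narrow on purpose: it does not evaluate chain policies or partial matches.
forward_blocked() {
    awk '
        decided { next }
        /-A FORWARD .*-j ACCEPT/ { decided = 1; next }
        /-A FORWARD +-j +(DROP|REJECT) *$/ { blocked = 1; decided = 1 }
        END { exit !blocked }
    '
}

for rules in posted_rules masq_rules; do
    if $rules | forward_blocked; then
        echo "$rules: FORWARD drops everything, MASQUERADE is never reached"
    else
        echo "$rules: no blanket DROP ahead of the ACCEPT rules"
    fi
done
masq_rules
```

To apply the printed rules, pipe them to a root shell (`masq_rules | sh`) after the module loading and ip_forward lines of rc.firewall.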