/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting!
/* ALSO: Don't quote this header. It makes you look lame :-) */
Hi all,
Half a year ago I did some elementary experiments (on a Sun SPARC20, RH 6.2 with
2.2.16) with ipchains which looked very promising.
Now I can continue my tests and have an Intel box and one of the quad
Ethernet cards available.
This time I use RH 7.0 on an Intel box, and somehow I can't get the masq
part running.
I skimmed through masq-howto 1.95, Securing & Optimizing Linux (openna.com)
and the TrinityOS doc.
I started with a fresh kernel 2.2.19 and built it according to the HOWTO.
The first test with the firewalling aspect of ipchains worked as described and
expected.
However, I can't get the masquerading part working.
I started with 2.2.19, moved to 2.2.18 and am now using 2.2.16, still with the
same results.
I reduced the configuration considerably:
hardware:
one (Linux) laptop (192.168.1.100) connected to the local LAN
(192.168.1.xxx)
firewall connected with eth0 (192.168.1.1) to the local LAN, and eth1
(138.203.176.170) to the company LAN (138.203.176.xxx)
I use this test script for testing (taken from TrinityOS):
=====================================================
#!/bin/sh
#
echo "Enabling IP MASQ, MASQ timeouts, MASQ modules and simple firewalling"
#
echo "load all needed modules (if not in the kernel)"
modprobe ip_masq_ftp
echo "adding multicast route..."
route add -net 224.0.0.0 netmask 240.0.0.0 dev eth0
echo "Enabling IP Masquerading..."
# without forwarding nothing crosses from eth0 to eth1
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "Starting policies..."
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward REJECT
echo "Flushing old rules..."
ipchains -F input
ipchains -F output
ipchains -F forward
echo "extending masq timeouts..."
# TCP 2 hours, TCP after FIN 10 s, UDP 60 s
ipchains -M -S 7200 10 60
echo "enabling IP Masq..."
# masquerade everything forwarded from the inside network
ipchains -A forward -s 192.168.1.0/24 -j MASQ
echo "Done..."
======================================================
This yields:
Enabling IP MASQ, MASQ timeouts, MASQ modules and simple firewalling
load all needed modules (if not in the kernel)
adding multicast route...
Enabling IP Masquerading...
Starting policies...
Flushing old rules...
extending masq timeouts...
enabling IP Masq...
Done...
Chain input (policy ACCEPT):
Chain forward (policy REJECT):
target prot opt source destination ports
MASQ all ------ 192.168.1.0/24 anywhere n/a
Chain output (policy ACCEPT):
=====================================================
On my laptop, I get these results:
show status of the Ethernet interface
eth0 Link encap:Ethernet HWaddr 00:10:A4:05:01:21
inet addr:192.168.1.100 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:49 errors:0 dropped:0 overruns:0 frame:0
TX packets:76 errors:0 dropped:0 overruns:0 carrier:12
collisions:0 txqueuelen:100
Interrupt:3 Base address:0x300
show routing table
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0   0      0    eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0   0      0    lo
0.0.0.0         0.0.0.0         0.0.0.0         U     0   0      0    eth0
ping laptop ethernet interface...
PING 192.168.1.100 (192.168.1.100) from 192.168.1.100 : 56(84) bytes of data.
64 bytes from lt (192.168.1.100): icmp_seq=0 ttl=255 time=0.1 ms
64 bytes from lt (192.168.1.100): icmp_seq=1 ttl=255 time=0.0 ms
64 bytes from lt (192.168.1.100): icmp_seq=2 ttl=255 time=0.0 ms
64 bytes from lt (192.168.1.100): icmp_seq=3 ttl=255 time=0.0 ms
64 bytes from lt (192.168.1.100): icmp_seq=4 ttl=255 time=0.0 ms
--- 192.168.1.100 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.0/0.0/0.1 ms
ping firewall local ethernet interface...
PING 192.168.1.1 (192.168.1.1) from 192.168.1.100 : 56(84) bytes of data.
64 bytes from rmd (192.168.1.1): icmp_seq=0 ttl=255 time=0.5 ms
64 bytes from rmd (192.168.1.1): icmp_seq=1 ttl=255 time=0.4 ms
64 bytes from rmd (192.168.1.1): icmp_seq=2 ttl=255 time=0.4 ms
64 bytes from rmd (192.168.1.1): icmp_seq=3 ttl=255 time=0.4 ms
64 bytes from rmd (192.168.1.1): icmp_seq=4 ttl=255 time=0.4 ms
--- 192.168.1.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.4/0.5 ms
ping firewall external (office) ethernet interface...
PING 138.203.176.170 (138.203.176.170) from 192.168.1.100 : 56(84) bytes of data.
64 bytes from aop (138.203.176.170): icmp_seq=0 ttl=255 time=0.5 ms
64 bytes from aop (138.203.176.170): icmp_seq=1 ttl=255 time=0.4 ms
64 bytes from aop (138.203.176.170): icmp_seq=2 ttl=255 time=0.4 ms
64 bytes from aop (138.203.176.170): icmp_seq=3 ttl=255 time=0.4 ms
64 bytes from aop (138.203.176.170): icmp_seq=4 ttl=255 time=0.4 ms
--- 138.203.176.170 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.4/0.5 ms
ping remote host (company gateway) ...
PING 138.203.176.101 (138.203.176.101) from 192.168.1.100 : 56(84) bytes of data.
From lt (192.168.1.100): Destination Host Unreachable
From lt (192.168.1.100): Destination Host Unreachable
From lt (192.168.1.100): Destination Host Unreachable
From lt (192.168.1.100): Destination Host Unreachable
From lt (192.168.1.100): Destination Host Unreachable
--- 138.203.176.101 ping statistics ---
5 packets transmitted, 0 packets received, +5 errors, 100% packet loss
done
==============================================================
This shows that basic routing is OK.
Needless to say, from the firewall machine itself the host 138.203.176.101
is reachable.
Finally, tcpdump -i eth0 shows incoming packets (icmp, telnet
....) from my laptop, but tcpdump on eth1 does not show the expected
traffic.
So I trimmed down the hardware and masq configuration to the absolute minimum,
and performed the test described in the HOWTO, chapter 5,
but I am still stuck. Probably I missed something silly.
Hope that someone can give me a clue.....
(Excuses for the long mail, but I tried to provide all the relevant info.)
Kind regards, SDHans Witvliet Alcatel Telecom NL, TTAC
Tel: ++31.70.3079.182 Fax: ++31.70.3079.494
email:[EMAIL PROTECTED]
Unix/Linux Systems support
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ --
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
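An added example, not from the post above or from TrinityOS: a small POSIX sh script that checks the two things the test setup depends on before any masquerading can be observed on eth1. On the client, the default route must name the firewall's inside address as its gateway (G flag, non-zero Gateway column); a default route with Gateway 0.0.0.0 bound straight to eth0 makes the client ARP for every remote address itself instead of sending the packet to the firewall. On the firewall, the forward chain must carry a MASQ rule for the client network. The routing tables and chain listing embedded below are constructed samples laid out like the post's own "route -n" and "ipchains -L" output, using the post's addresses; the function names are this example's, not ipchains commands.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity checks for a client
# behind an ipchains masquerading gateway and for the gateway's forward chain.
# All tables below are constructed samples in "route -n" / "ipchains -L -n" layout.

# Constructed sample: client default route bound to eth0 with no gateway.
TABLE_NO_GW='Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0   0      0    eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0   0      0    lo
0.0.0.0         0.0.0.0         0.0.0.0         U     0   0      0    eth0'

# Constructed sample: the same client after "route add default gw 192.168.1.1".
TABLE_GW='Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0   0      0    eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0   0      0    lo
0.0.0.0         192.168.1.1     0.0.0.0         UG    0   0      0    eth0'

# Constructed sample: "ipchains -L -n" listing of the firewall's chains.
CHAINS='Chain input (policy ACCEPT):
Chain forward (policy REJECT):
target     prot opt     source                destination           ports
MASQ       all  ------  192.168.1.0/24        0.0.0.0/0             n/a
Chain output (policy ACCEPT):'

# default_gateway TABLE: print the Gateway column of the 0.0.0.0/0 route.
default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $2 }'
}

# in_subnet IP NETWORK NETMASK: exit 0 if IP lies inside NETWORK/NETMASK.
# The per-octet AND is done arithmetically so plain POSIX awk suffices
# (correct for the contiguous netmasks a routing table contains).
in_subnet() {
    awk -v ip="$1" -v net="$2" -v mask="$3" 'BEGIN {
        split(ip, a, "."); split(net, n, "."); split(mask, m, ".")
        for (i = 1; i <= 4; i++) {
            w = 256 - m[i]
            if (a[i] - (a[i] % w) != n[i] - (n[i] % w)) exit 1
        }
        exit 0
    }'
}

# check_client_route TABLE: exit 0 only if the default route has a real
# gateway (non-zero address, G flag) that sits on one of the directly
# connected networks in the same table; otherwise remote hosts are ARPed for
# directly and never reach the masquerading box.
check_client_route() {
    gw=$(default_gateway "$1")
    case "$gw" in
        ""|0.0.0.0) return 1 ;;
    esac
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" && index($4, "G") { ok = 1 }
        END { exit ok ? 0 : 1 }' || return 1
    # connected networks: non-default entries with Gateway 0.0.0.0, not loopback
    printf '%s\n' "$1" |
    awk '$2 == "0.0.0.0" && $1 != "0.0.0.0" && $8 != "lo" { print $1, $3 }' | {
        while read -r net mask; do
            in_subnet "$gw" "$net" "$mask" && exit 0
        done
        exit 1
    }
}

# has_masq_rule LISTING SRCNET: exit 0 if the forward chain has a MASQ rule
# whose source column equals SRCNET (e.g. 192.168.1.0/24).
has_masq_rule() {
    printf '%s\n' "$1" | awk -v src="$2" '
        /^Chain / { chain = $2 }
        chain == "forward" && $1 == "MASQ" && $4 == src { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Stand-alone run: report both client tables and the firewall listing.
for t in TABLE_NO_GW TABLE_GW; do
    eval "tbl=\$$t"
    if check_client_route "$tbl"; then
        echo "$t: default route via $(default_gateway "$tbl") is usable"
    else
        echo "$t: no usable default gateway, remote hosts will be ARPed for directly"
    fi
done
if has_masq_rule "$CHAINS" 192.168.1.0/24; then
    echo "forward chain masquerades 192.168.1.0/24"
else
    echo "no MASQ rule for 192.168.1.0/24 in the forward chain"
fi
```

On a live box, feed the functions the real output (`check_client_route "$(route -n)"` on the client, `has_masq_rule "$(ipchains -L forward -n)" 192.168.1.0/24` on the firewall); the -n flag matters, since without it ipchains prints "anywhere" and hostnames instead of the addresses the source-column comparison expects.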